WindowSecurity.com Newsletter of March 2012
Sponsored by: Collective Software <http://www.collectivesoftware.com/isaserver.newsletter.201202.lockoutguard>
-------------------------------------------------------
Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com
1. Editor's Corner
-------------------------------------------------------
*Don't Wait on The RDP Patch!*
Redmond normally lets you install Patch Tuesday fixes at your own pace, but this month they are making an exception and urge you to hurry with one severe fix. Security Update MS12-020 addresses two vulnerabilities in Microsoft's implementation of the Remote Desktop Protocol (RDP). One of the two, CVE-2012-0002, is a Critical remote code execution vulnerability that an unauthenticated attacker can trigger by sending crafted RDP packets to a listening host, and it affects all supported versions of Windows. The TechNet blog post has the details. There are an estimated 5 million machines with this hole, so there is a good chance some of yours are vulnerable as well. What makes things worse is that Redmond probably has leaked attack code for this bug, meaning the bad guys are going to scan your network really soon. Where you cannot patch right away, require Network Level Authentication (NLA) on the RDP listener or block TCP port 3389 at the perimeter; both are the bulletin's workarounds, but neither replaces the patch. This is an epic security fail. Fix your systems fast:
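Added example, not from the newsletter or from Microsoft: a PowerShell check that tells you whether a host is still exposed to MS12-020. It reads the standard Terminal Services registry values for whether RDP is enabled, which port it listens on and whether NLA is required, confirms with netstat that something is actually listening, and asks Get-HotFix for the update package. The KB number is the one the bulletin lists for the CVE-2012-0002 package; confirm it against the bulletin for your platform before trusting the PatchInstalled column.

```powershell
# Added example (not from the newsletter or from Microsoft): audit one host
# for MS12-020 / CVE-2012-0002 exposure. Assumptions: KB2621440 is the update
# package for CVE-2012-0002 (verify against the bulletin for your OS); the
# registry paths below are the standard Terminal Services locations.
function Test-Ms12020Exposure {
    param([string]$KB = 'KB2621440')

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is switched off
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # A non-default listener port lives in PortNumber; the default is 3389
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # UserAuthentication = 1 means Network Level Authentication is required:
    # the bulletin's workaround, because the attacker must authenticate before
    # the vulnerable code path is reachable
    $ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    # Registry says enabled; confirm something is really bound to the port
    $listening = [bool](netstat -ano -p tcp | Select-String ":$port\s+\S+\s+LISTENING")

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed KB packages
    $patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        RdpPort        = $port
        Listening      = $listening
        NlaRequired    = $nlaRequired
        PatchInstalled = $patched
        ActionNeeded   = ($rdpEnabled -or $listening) -and -not $patched
        Mitigated      = $nlaRequired -and -not $patched   # stopgap only
    }
}

Test-Ms12020Exposure | Format-List
```

To sweep a fleet, push the function out with Invoke-Command (for example `Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Test-Ms12020Exposure}`) and sort on ActionNeeded. Treat a Mitigated row as a reprieve, not a result: NLA keeps unauthenticated scanners out of the vulnerable code, but anyone with a valid domain credential is still past it.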
-------------------------
* Hey, Is There A Patch For Stupid?
System Administrators and IT Security people have an expression that goes: "There is no patch for stupid". Observations like that about end-users are often a reflection of reality, but they don't always hold true. Here is an example of where this rule is more damaging than you might think. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after your users instead. "You don't need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content." And that gets -you- to run over and disinfect that workstation, again.
Only about 3% of the malware that Symantec runs into tries to exploit an actual technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if that
workstation is a PC or a Mac. Today, a very important line of defense actually is the end-user, and that brings us to Security Awareness Training. This is no longer a 'nice to have' but a crucial element of your IT defense-in-depth.
So let's have another look at 'is there a patch for stupid?' If you train people the right way, starting from a point that assumes zero knowledge and taking it up from there, making sure all terms are defined and making it real to them with examples and drills, you'd be surprised how end-users suddenly perk up and see that it is their responsibility to pay attention and protect your network as if it were their own.
There are pitfalls though. Are you in a company where you have to sit through sexual harassment training once a year? In that case you probably know where I am going. After a few weeks, all that training has been long forgotten, and things go back to 'normal'. This type of training is really done as a legal CYA exercise, but for Security Awareness Training, that approach does not hack it.
If you want to do it right, you create a baseline by sending a simulated phishing attack to all users and seeing who clicks on it. The percentage of employees that are Phish-prone usually falls between 20 and 30 percent, which, if you look at it, is gruesome. Even one is too many, as a single wrong click on a malicious zero-day phishing link can be the cause of a very expensive network penetration. Next, you train the end-users. Mandatory, driven by a
combination of HR and IT. Half an hour of online training in their browser.
Last, but absolutely not least, you keep sending simulated phishing attacks once a week. You will see a dramatic drop in Phish-prone percentage, and a lot fewer malware infections on workstations. Internet Security Awareness Training done right is something you really should look at as an essential element of your defense-in-depth. This is why I'm doing what I'm doing. Check out my website at:
http://www.knowbe4.com/
-------------------------
* Quotes Of The Month:
"Management is doing things right; leadership is doing the right things."
-- Peter Drucker
"Don't tell people how to do things; tell them what to do and let them
surprise you with the results." -- General George S. Patton
"The price of greatness is responsibility." -- Winston Churchill
Warm regards,
Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
2. Security Detail
----------------------------------------
* Stop Phishing Security Breaches
Are you aware that many of the email addresses of your organization are
exposed on the Internet and easy to find for cybercriminals? With these
addresses they can launch (spear-) phishing attacks on your organization.
This type of attack is very hard to defend against, unless your users
are highly 'security awareness' trained.
IT Security specialists call it your 'phishing attack surface'. The more
of your email addresses that are floating out there, the bigger your
attack footprint is, and the higher the risk is. It's often a surprise
how many addresses are actually out there.
Find out now which of your email addresses are exposed. The Email Exposure
Check (EEC) is a one-time free service. KnowBe4 customers with a Gold
package get an EEC sent to them regularly so they can address the issues
that are found. An example would be the email address and password of
one of your users on a crime site. Fill out the form and we will email
you back with the list of exposed addresses. The number is usually higher
than you think. Sign Up For Your Free Email Exposure Check Now:
http://www.knowbe4.com/email-exposure-check/
--------------------------
* McAfee: Malware Grows To 75 Million Unique Samples in 2011
Patrick Budmar at CSO had the write-up: "Despite McAfee predicting that
unique malware samples would hit 75 million in 2011, the security vendor
actually found that the real number actually surpassed that estimate.
The vendor's latest report, McAfee Threats Report: Fourth Quarter 2011,
finds that while new malware slowed in Q4, mobile malware was on the
rise and experienced its busiest period to date.
McAfee Labs senior vice-president, Vincent Weafer, found the threat
landscape in 2011 highly evolved, with a change in the motivation typical
for cyber attacks. "Increasingly, we've seen that no organisation,
platform or device is immune to the increasingly sophisticated and
targeted threats," he said.
While the good news in the report was that PC-based malware was found
to have declined throughout Q4 of 2011, reaching a level that was in
fact significantly lower than the same quarter a year earlier, the
fact is unique malware samples exceeded 75 million.
McAfee found that Q4 2011 was the busiest period for mobile malware,
with the victim in this case being the Android platform due to loopholes
found by hackers in the open source OS." More:
http://www.csoonline.com/article/700827/malware-grows-to-the-tune-of-75-million-samples-in-2011-mcafee
-------------------------
* The Top 13 Security Myths
I thought that this story by NetworkWorld was very much to the point.
"They're "security myths," oft-repeated and generally accepted notions
about IT security that arguably are simply not true -- in other words,
it's just a myth. We asked security experts, consultants, vendors and
enterprise security managers to share their favorite "security myths"
with us. Here are 13 of them:
Myth No. 1: "More security is always better."
Myth No. 2: "The DDoS problem is bandwidth-oriented."
Myth No. 3: "Regular expiration (typically every 90 days) strengthens
password systems."
Myth No. 4: "You can rely on the wisdom of the crowds."
Myth No. 5: "Client-side virtualization will solve the security problems
of 'bring your own device.'"
Myth No. 6: "IT should encourage users to use completely random passwords
to increase password strength and they should also require
passwords to be changed at least every 30 days."
Myth No. 7: "Any computer virus will produce a visible symptom
on the screen."
Myth No. 8: "We are not a target."
Myth No. 9: "Software today isn't any better than it used to be in terms
of security holes."
Myth No. 10: "Sensitive information transfer via SSL session is secure."
Myth No. 11: "Endpoint security software is a commodity product."
Myth No. 12: "Sure, we have a firewall on our network; of course we're
protected!"
Myth No. 13: "You should not upload malware samples found as part of a
targeted attack to reputable malware vendors or services."
Here is the article, and all these myths are explained. Warmly recommended:
http://www.infoworld.com/slideshow/33387/the-top-13-security-myths-187168
3. SecureToolBox
-----------------------------------------------
* Free Service: Email Exposure Check. Find out which addresses of your organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/
* Frustrated with gullible end-users causing malware infections? Find out who the culprits are in 10 minutes. Do this Free Phishing Security Test on your users:
http://www.knowbe4.com/phishing-security-test/
* Free tool silently updates most Windows Software. Secunia's PSI security scanner V3.0 hits beta and eliminates the need to run tons of update services. I run this myself and you should really check it out:
http://secunia.com/psi_30_beta_launch/
4. ViewPoint – Your Take
-------------------------------------------
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com
5. SecOps: What You Need To Know
--------------------------
* Researchers: Digitally Signed Malware On Rise
Security companies have recently identified multiple malware threats
that use stolen digital certificates to sign their components in an
attempt to avoid detection and bypass Windows defenses. ComputerWorld
has the best write-up on this problem:
"When it was discovered in 2010, the Stuxnet industrial sabotage worm
surprised the security industry with its use of rootkit components that
were digitally signed with certificates stolen from semiconductor
manufacturers Realtek and JMicron. Security experts predicted at the
time that other malware creators would adopt the technique in order
to bypass the driver signature enforcement in 64-bit versions of
Windows Vista and 7. Given recent developments it seems that they were
right." More:
http://cwonline.computerworld.com/t/7909078/987374514/556197/0/
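Added example, not from the newsletter or from ComputerWorld: a PowerShell inventory of running kernel drivers that flags any whose Authenticode signature is not Valid or whose signer is outside a publisher allowlist. The allowlist contents are an assumption to tailor to your environment; Win32_SystemDriver and Get-AuthenticodeSignature are standard cmdlets and classes.

```powershell
# Added example (not from the newsletter or from ComputerWorld): list running
# kernel drivers whose signature is not Valid or whose signer is not on an
# allowlist. The allowlist below is an assumption; extend it with the
# publishers you actually ship (storage, NIC, AV vendors).
function Get-SuspiciousDrivers {
    param(
        [string[]]$TrustedSubjects = @('O=Microsoft Corporation', 'O=Microsoft Windows')
    )
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName arrives as \??\C:\... or \SystemRoot\system32\...; normalise it
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # A Valid signature from an unknown publisher is exactly the Stuxnet case
            $trusted = $false
            foreach ($t in $TrustedSubjects) { if ($subject -like "*$t*") { $trusted = $true } }

            [PSCustomObject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $subject
                Flag   = ($sig.Status -ne 'Valid') -or (-not $trusted)
            }
        } | Where-Object { $_.Flag }
}

Get-SuspiciousDrivers | Format-Table Name, Status, Signer -AutoSize
```

The allowlist is the part that matters against the technique in the article: a driver signed with a stolen Realtek or JMicron certificate carries a perfectly Valid signature, so checking Status alone tells you nothing. Two caveats: in-box Microsoft drivers are catalog-signed and older PowerShell versions report them as NotSigned, so diff the output against a clean build of the same image rather than chasing every hit; and a stolen certificate only shows up as not Valid once it has been revoked and the host can reach the CRL or OCSP endpoint, so do not run this with revocation checking disabled.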
-------------------------
* The 19 Most Maddening Security Questions
Roger Grimes writes the Security Adviser Column, and he's very good:
"I've been immersed in IT security for more than two decades, and I've
learned a lot along the way. Yet for all the knowledge I've soaked up,
several questions still baffle me. Some of them pertain to end-users
who seem to fall for the same sorts of scams year after year. Others,
though, relate to security technologies and practices that organizations
continually embrace, though they don't work as well as they should --
if at all. The following is just a short list of the questions that nag
me day to day as I'm hunkered down in the IT security trenches." You
should really check out these questions, and see how -you- are doing!:
http://images.infoworld.com/d/security/the-19-most-maddening-security-questions-187983
-------------------------
* Antivirus: The Silent Virtualization Killer
"Life in IT is full of onerous tasks. Along with making good backups and
maintaining a solid patching regimen, you must ensure that multiple
levels of antimalware software are properly deployed. Unfortunately,
in heavily virtualized environments, antivirus can go beyond being a
pain to manage and actually become a threat in and of itself. As the
saying goes, sometimes the cure is worse than the disease.
That antivirus software can slow down a machine probably comes as no
surprise to anyone. Any software that watches each and every disk I/O
and inspects it for threats adds overhead that didn't previously exist.
In most cases, this manifests itself through marginally higher disk
latency and greater CPU load. But with careful use of scanning exclusions
(for heavily used databases and the like), it's usually not enough to
bring a system to its knees.
Recently, however, I've been presented with two excellent examples of
how antivirus run amok can have enormous sitewide impact -- and how
it can be difficult to detect the cause unless you know to look for
it and have the monitoring data necessary to do so." More:
http://www.infoworld.com/d/data-explosion/antivirus-the-silent-virtualization-killer-187253
6. Hackers' Haven
--------------------------
* 'Non-Humans' Account for 51% of All Internet Traffic
So, what is all that traffic then? Here is a breakdown.
1) Hacking Tools -- 5% of any site's traffic - causing data (including
credit card) theft, malware infection, site hijacking and other site crashes
2) Scrapers -- 5% of any site's traffic -- stealing email addresses for
spam email lists, reverse engineering of pricing and business models, and
more. Most commonly targeting travel, classifieds, news sites and forums
3) Comment Spammers -- 2% of any site's traffic -- posting irrelevant
content that annoys site visitors, inserting links to malware that cause
the site to be blacklisted, bogs down and slows website, and more.
4) Spies of sorts -- 19% of any site's traffic -- stealing of marketing
intelligence and compromising competitive advantage. Keyword and SEO
analyzers assess site information and inform competitors of proprietary
information.
Incapsula collected the data in these findings from an anonymous sample
of 1,000 Incapsula customers with an average of 50,000 to 100,000 monthly
visitors. Here is the write-up:
http://www.theatlanticwire.com/technology/2012/03/non-humans-account-51-all-interent-traffic/49967/
-------------------------
* Malware Increasingly Uses DNS As Command and Control Channel to Avoid Detection
The CSO website reported on news released at RSA which is important, as
you can see where this might be going:
"The number of malware threats that receive instructions from attackers
through DNS is expected to increase, and most companies are not currently
scanning for such activity on their networks, security experts said at
the RSA Conference 2012 on Tuesday.
There are many channels that attackers use for communicating with their
botnets, ranging from traditional ones like TCP, IRC and HTTP to more
unusual ones like Twitter feeds, Facebook walls and even YouTube comments.
Most malware-generated traffic that passes through these channels can
be detected and blocked at the network level by firewalls or intrusion
prevention systems. However, that's not the case for DNS (Domain Name
System) and attackers are taking advantage of that, said Ed Skoudis,
founder of Counter Hack Challenges and SANS fellow, during a presentation
on new attack techniques at the conference." More:
http://www.csoonline.com/article/701151/malware-increasingly-uses-dns-as-command-and-control-channel-to-avoid-detection-experts-say
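Added example, not from the newsletter or from the CSO article: a first pass at the scanning Skoudis says most companies are not doing, written in PowerShell over a constructed DNS query log. The heuristics and thresholds are assumptions: tunnelled C2 tends to show long, high-entropy, never-repeating subdomains under one parent domain, often as TXT or NULL queries. The log format (date, time, client, query type, query name) and every log line are constructed for the demo; adapt the field indexes to your resolver's log.

```powershell
# Added example (not from the newsletter or from CSO): hunt for DNS-based
# command and control in a query log. All thresholds are assumptions to tune.
# The log below is constructed: four benign lookups and a tunnel under
# bad.example carrying 64-char hex payloads in TXT queries.
$sampleLog = @'
2012-03-14 09:01:12 10.0.0.12 A    www.example.com
2012-03-14 09:01:13 10.0.0.12 A    mail.example.com
2012-03-14 09:01:15 10.0.0.45 A    cdn.static.example.org
2012-03-14 09:01:16 10.0.0.45 AAAA www.example.org
2012-03-14 09:02:01 10.0.0.77 TXT  3a9f1c0e7b2d4f6a8c1e5b7d9f2a4c6e0b3d5f7a9c1e3b5d7f9a2c4e6b8d0f1a.tunnel.bad.example
2012-03-14 09:02:02 10.0.0.77 TXT  7c2e4a6b8d0f1a3c5e7b9d2f4a6c8e0b1d3f5a7c9e2b4d6f8a0c1e3b5d7f9a2c.tunnel.bad.example
2012-03-14 09:02:03 10.0.0.77 TXT  e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d1f3a5c7e9b2d4f6a8c0e1b3.tunnel.bad.example
2012-03-14 09:02:04 10.0.0.77 TXT  5d7f9a2c4e6b8d0f1a3c5e7b9d2f4a6c8e0b1d3f5a7c9e2b4d6f8a0c1e3b5d7f.tunnel.bad.example
2012-03-14 09:02:05 10.0.0.77 TXT  9f2a4c6e8b0d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a.tunnel.bad.example
'@

# Shannon entropy in bits per character of one DNS label
function Get-ShannonEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)
}

function Find-DnsC2Candidates {
    param(
        [string]$LogText,
        [int]$MaxLabelLen    = 40,   # assumption: legitimate labels rarely get this long
        [double]$EntropyFloor = 3.5, # assumption: hex/base32 payloads sit above this
        [int]$UniqueFloor    = 50    # assumption: distinct subdomains per parent in the window
    )
    $stats = @{}
    foreach ($line in ($LogText -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $qtype = $f[3]; $qname = $f[4].TrimEnd('.').ToLower()
        $labels = $qname -split '\.'
        if ($labels.Count -lt 3) { continue }        # nothing below the registrable domain
        $parent = $labels[-2..-1] -join '.'          # assumption: registrable domain = last two labels
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        if (-not $stats.ContainsKey($parent)) {
            $stats[$parent] = @{ Subs = @{}; MaxLen = 0; EntropySum = 0.0; N = 0; Txt = 0 }
        }
        $s = $stats[$parent]
        $s.Subs[$sub] = $true
        $s.MaxLen = [Math]::Max($s.MaxLen, $labels[0].Length)
        $s.EntropySum += Get-ShannonEntropy $labels[0]
        $s.N++
        if (('TXT', 'NULL') -contains $qtype) { $s.Txt++ }
    }
    foreach ($parent in $stats.Keys) {
        $s = $stats[$parent]
        $avgH = [Math]::Round($s.EntropySum / $s.N, 2)
        $reasons = @()
        if ($s.MaxLen -ge $MaxLabelLen)        { $reasons += "label length $($s.MaxLen)" }
        if ($avgH -ge $EntropyFloor)           { $reasons += "entropy $avgH" }
        if ($s.Subs.Count -ge $UniqueFloor)    { $reasons += "$($s.Subs.Count) unique subdomains" }
        if ($s.Txt -gt 0 -and $s.Txt -eq $s.N) { $reasons += 'all TXT/NULL queries' }
        [PSCustomObject]@{
            ParentDomain     = $parent
            Queries          = $s.N
            UniqueSubdomains = $s.Subs.Count
            MaxLabelLength   = $s.MaxLen
            AvgEntropy       = $avgH
            Suspicious       = ($reasons.Count -ge 2)   # one signal alone is too noisy
            Reasons          = $reasons -join '; '
        }
    }
}

Find-DnsC2Candidates -LogText $sampleLog | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Score on the combination, not on any single signal: a CDN or anti-spam reputation service also generates thousands of unique subdomains, and one long hostname proves nothing by itself, which is why the Suspicious column needs two reasons to fire. Run it over a day of resolver logs and sort by UniqueSubdomains; it is a cheap way to find out what the article warns most of you are not looking at.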
-------------------------
* Android Continues To Be Most Targeted By Hackers
Security researchers compared the attractiveness of Google's Android
and Apple's iOS, and Android is still the most attractive smartphone
OS for malevolent hackers, so devices based on the platform will continue
to get compromised, researchers said at the recent Black Hat Europe.
Mobile devices are loaded up with private data, a very attractive target
for hackers, though not all information on a phone is useful. "They
won't go after 200,000 Yelp credentials, that wouldn't help them much,"
said Dan Guido, a researcher at information security company Trail of
Bits, in a combined keynote with Mike Arpaia, security consultant with
Isec Partners. More:
http://www.infoworld.com/d/mobile-technology/android-continues-be-most-targeted-hackers-188860
7. Fave links & Cool Sites
--------------------------
Top Gear Italy put spiked tires on a Peugeot 207 Super 2000 and took it
to the ski slopes. Not only did they manage to find a way to bypass
the ski lifts to get up to the top, you absolutely have to watch the
Peugeot take on fearless downhill skier Anna Andreussi in a one-to-one
race down the Italian Alps:
http://www.flixxy.com/mountain-race-car-vs-ski.htm
---
An animated short film set in a post-apocalyptic universe:
http://www.flixxy.com/ruin-animated-short-film.htm
---
A tour boat near Wilhelmina Bay, Antarctica noticed an enormous iceberg in
the distance that had started to crumble softly. Just as one of the tourists
asked, "Why don't we just stay here and watch it?" the iceberg gave way
and completely imploded:
http://www.flixxy.com/enormous-iceberg-implodes-in-antarctica.htm
---
A compilation of amazing clips:
http://www.flixxy.com/awesome-x-beautiful-life-compilation.htm
---
Extreme radio-controlled airplane flying over Monument Valley with HD cockpit
camera video-feed. It's like wingsuit-flying without the risk:
http://www.flixxy.com/extreme-rc-plane-flying-monument-valley.htm
---
Have you ever told your parents and friends they should stop using
Internet Explorer? You aren't alone:
http://www.flixxy.com/the-browser-you-loved-to-hate.htm
---
Clip from the Apollo 16 Video Library. Charlie drives the penetrometer into
the soil and, leaning down on it as it descends, he falls forward to the
ground. It takes three attempts for him to get back up by doing press-ups:
http://www.hq.nasa.gov/alsj/a16/video16.html
---
If you are in IT, and are solving problems for other people as one of your
hats, you might like this observation:
http://WhatHaveYouTried.com/
---
Rio's 2011 Carnival gets "tilt-shifted" in the stunning short film "The City
of Samba":
http://www.flixxy.com/rio-de-janeiro-2011-carnival-tilt-shift.htm
---
Mechanical sculptor Rob Higgs designed this amazing corkscrew contraption
which takes opening and serving wine bottles to a whole new level:
http://www.flixxy.com/mechanical-sculpture-the-corkscrew-by-robb-higgs.htm
TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com
Copyright (c) WindowSecurity.com 2012. All rights reserved.