Wednesday, May 30, 2012

WindowSecurity.com Newsletter of May 2012

-------------------------------------------------------
WindowSecurity.com Newsletter of May 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/windowsecurity.newsletter.201205.authlite>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Is Your Email Front Door Wide Open?

I was interviewed by Jeremy Quittner this week. Here is how he started his
article in American Banker a day later: "It took Stu Sjouwerman, the founder
and chief executive of security firm KnowBe4, of Clearwater, Fla., about
two minutes to launch a successful social engineering attack against me."

What data did I have to get that done? His first name, phone number and
the name of his publication, all of it public information. We were supposed
to do an interview, so I decided to send him a 'demo'. First I went to the
website of American Banker and found out who the Editor in Chief was, and
grabbed his email address. Then I searched for and found a recent article
that Jeremy had written. Next, I went to a site that allows me to enter a
domain name, and it reports back if there is an SPF record. (here it is:)
http://www.kitterman.com/spf/validate.html

Since there was no SPF record, I could spoof the email address of Jeremy's
boss, the Editor. I sent him a short email that came supposedly from
his boss, and asked if something was wrong with that recent story I had
found on the website. I provide a link to the article, without a redirect
or a Trojan, but that would have been relatively easy. When we were on
the phone, I asked him if he had received an email from his boss. And he
admitted he was ready to hang up the phone, click on the link, as this is
the thing that reporters fear, stories being queried by the boss.

All of that took a few minutes, and shows how easy it is to social
engineer and get an end user to click on a link. For all of you IT
security people out there, Only about 30% of sites have an SPF record
configured correctly. I strongly advise you to test your own mail server
with the link above, and see if your own SPF record is set. If not,
make that priority, as it leaves the front door wide open. And here is
the full interview with the American Banker website:
http://www.americanbanker.com/issues/177_99/
phishing-spear-phishing-hacks-1049511-1.html?zkPrintable=1&nopagination=1

---------------------------

* Quotes Of The Month:

"Passwords are like underwear. You shouldnÂ't leave them out where people
can see them. You should change them regularly. And you shouldnÂ't loan
them out to strangers." -- Unknown

"I changed all my passwords to Â'incorrectÂ'. So my computer just tells
me when I forget." -- Anonymous

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity Newsletter
Email me at feedback@windowsecurity.com

2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly Â'security awarenessÂ' trained.

IT Security specialists call it your Â'phishing attack surfaceÂ'. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* How To Avoid 5 Common Email Management Mistakes

Just as I showed in the editorial that a misconfiguration of how
email is handled can leave a hole you can drive a truck through, there
are other email management mistakes that you need to look out for.

The CSO website has a great article that I warmly recommend.
Mistake 1: Pigeonholing email as just an IT function
Mistake 2: Complacency with regard to spam and phishing
Mistake 3: Failing to consider business critical factors when trusting
email to the cloud
Mistake 4: Not protecting failover servers
Mistake 5: Failure to plan for IPv6
This is a good article to check out and see how you are doing yourself
in this regard:
http://www.csoonline.com/article/706737/
how-to-avoid-5-common-email-management-mistakes
?
-------------------------

* To Whitelist Or To Not Whitelist

Derek Melber wrote a really good article about whitelisting and it's
over at the WindowSecurity site. He started out with: "There are some key
concerns about using whitelisting in your organization to control which
applications users can use. In my opinion, whitelisting can be a very
powerful tool to help reduce the overall attack surface within your
organization. That is, to have the ability to control, one by one,
which applications can run and which canÂ't. However, some issues
arise when you start to put the rubber to the pavement in your
configuration and implementation of a whitelisting solution. If you
can overcome the hurdles that come with deploying a whitelisting
solution, I suggest you implement it as soon as possible. If you canÂ't
overcome the hurdles, there are some other settings that I always
suggest along with whitelisting that I think should be done at a minimum.
Here is the article:
http://www.windowsecurity.com/articles/To-Whitelist-or-To-Not-Whitelist.html

Recently I have written a whitepaper about whitelisting myself, and fully
agree with what Derek thinks. This is an idea whose time has come.
The whitepaper looks at whitelisting from the Admin perspective:
https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf
-------------------------

* Still Run Vista? Redmond Sez: "Infection Rates Climb"!

Microsoft said last week that a skew toward more exploits on Windows
Vista can be attributed to the demise of support for the operating
system's first service pack. Data from the company's newest security
intelligence report showed that in the second half of 2011, Vista
Service Pack 1 (SP1) was 17% more likely to be infected by malware
than Windows XP SP3, the final upgrade to the nearly-11-year-old
operating system. That's counter to the usual trend, which holds that
newer editions of Windows are more secure, and thus exploited at a
lower rate, than older versions like XP. Some editions of Windows 7,
for example, boast an infection rate half that of XP. Story at
ComputerWorld:
http://www.computerworld.com/s/article/9227384/Windows_Vista_infection_rates_climb_says_Microsoft?


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

6. SecOps: What You Need To Know
--------------------------

* Busted: When Security Tools Fail

Bill Brenner over at the CSO website had a very good post about the
problem that security tools themselves have flaws. He illustrates this
with two stories, and the first one is worrisome. Did you know this?

"The first, by Dan Goodin, IT security editor at Ars Technica, is about
a smartphone hijacking vulnerability affecting AT&T and 47 other
carriers. In what may be the mother of all ironies, the flaw was
introduced by a class of firewall products cell phone carriers use.

Goodin writes: The attack, which doesn't require an adversary to have
to have any man-in-the-middle capability over the network, can be used
to lace unencrypted Facebook and Twitter pages with code that causes
victims to take unintended actions, such as post messages or follow
new users. It can also be used to direct people to fraudulent banking
websites and to inject fraudulent messages into chat sessions in some
Windows Live Messenger apps. Ironically, the vulnerability is introduced
by a class of firewalls cellular carriers use. While intended to make
the networks safer, these firewall middleboxes allow hackers to infer
TCP sequence numbers of data packets appended to each data packet, a
disclosure that can be used to tamper with Internet connections."

Yikes: http://blogs.csoonline.com/network-security/2192/
busted-when-security-tools-fail
?
--------------------

* Tech Guns For Hire: 5 Places To Find Skilled IT Contractors

Most of you are forced to do more with less, and you usually have open
positions that are difficult to fill. Here is some help from ComputerWorld:

"Even for organizations with a stellar full-time IT staff, situations
often arise where temporary outside help is needed. A big Web project
might demand a few extra programmers to meet a tough deadline, for
example, or a rollout of tools to support a sales force bent on
capturing a broader market may require expertise not available in-house.

That's when contractors come in. With job losses and uncertain economic
times the new norm, independent contractors are on the rise in the U.S.
In 2009, the number of U.S. freelancers in all fields stood at 12
million, according to market research firm IDC. That number is expected
to reach 14 million by 2015." Here is how to find them:
http://www.computerworld.com/s/article/9227171/
Tech_guns_for_hire_5_places_to_find_skilled_IT_contractors
?
-------------------------

* Survey Finds Energy and Utility Industry Companies Weak on
Cyber Risk Management

A recent survey of 108 global companies conducted by the Carnegie Mellon
University CyLab and sponsored by RSA and Forbes found that those in the
financial sector have the best cyber and information risk management
practices, while companies in the energy and utility industries have the
worst. While more than 90 percent of respondents said that they are
actively addressing risk management at their organizations, only 33
percent said they were attending to cyber and information security, 29
percent said they were attending to information technology operations,
and just 13 percent said they were attending to managing vendors who
provide software and other services. Reported by SANS, and link here:
http://www.washingtonpost.com/blogs/checkpoint-washington/post/survey-critical-sectors-less-attuned-to-cyber-threat/2012/05/16/gIQA3lDqTU_blog.html


7. HackersÂ' Haven
--------------------------

* Adware Stages Comeback Via Browser Extensions

The Wikimedia Foundation last week warned that readers who are seeing
ads on Wikipedia articles are likely using a Web browser that has been
infected with malware. The warning points to an apparent resurgence in
adware and spyware that is being delivered via cleverly disguised browser
extensions and plugins that are bundled with other software or foisted
in social engineering schemes. More at Brian Krebs' blog:
http://krebsonsecurity.com/2012/05/adware-stages-comeback-via-browser-extensions/
-------------------------

* Android Hackers Hone Skills In Russia

The malware business growing around Google Android -- now the leading
smartphone operating system -- is still in its infancy. Today, many of
the apps built to steal money from Android users originate from Russia
and China, so criminal gangs there have become cyber-trailblazers.
More at ComputerWorld:
http://cwonline.computerworld.com/t/8008072/987374514/563841/0/
-------------------------

* Thwarted By Security At Enterprises, Cyber Criminals Target SMBs

"Big business -- at least a significant percentage of it -- has apparently
heeded the decades-long mantra from information security experts, and
invested enough in security to make it difficult, expensive and risky
for cyber criminals to attack them".

So criminals are seeking easier and safer ways to make money -- by attacking
smaller businesses, according to Verizon's 2012 Data Breach Investigations
Report (PDF), "A study conducted by the Verizon RISK Team with cooperation
from the Australian Federal Police, Dutch National High Tech Crime Unit,
Irish Reporting and Information Security Service, Police Central e-Crime
Unit, and United States Secret Service."

Verizon's security research director, Wade Baker, told London's The Inquirer
that cyber criminals were mass producing their attack techniques and
targeting small-and medium-size businesses (SMBs).

Speaking from Verizon's Security Operations Center in Dortmund, Germany,
Baker said SMBs are "easy targets" for organized cybercrime compared with
larger enterprises. "Cyber criminals have figured out that if their goal
is to make money, attacking a large organization that's well defended and
probably has ties to law enforcement that is going to pursue them, is a
high-risk solution," he said.

A mass-produced, commoditized attack against smaller organizations with
fewer defenses is, "a very low risk," Baker said. More of this story at
the Chief Security Officer (CSO) website:
http://www.csoonline.com/article/706419/
thwarted-by-security-at-enterprises-cyber-criminals-target-smbs
?


8. Fave links & Cool Sites
--------------------------

The fantastic world of steampunk technology:
http://www.networkworld.com/slideshow/47446?#slide18
---
Electric Drag Bike Breaks 200 MPH Barrier. WOW that thing is fast:
http://www.earthtechling.com/2012/05/electric-drag-bike-breaks-200-mph-barrier/
---
An entirely new way to interact with your computer - more accurate than a
mouse, as reliable as a keyboard and more sensitive than a touchscreen:
http://www.flixxy.com/say-goodbye-to-your-mouse-and-keyboard.htm
---
An 18-wheeler semi-trailer truck and a bus meet at a hairpin turn at
Trollstigen, Norway. Now there is some skillful driving...
http://www.flixxy.com/semi-vs-bus-at-a-hairpin-turn-in-norway.htm
---
Got $259,500 to spare? How about a sports car that transforms into a boat,
for real:
http://www.flixxy.com/amphibian-sports-car.htm
---
Don't watch this if you are afraid of heights! The bridge to Russky Island
will be the worldÂ's largest cable-stayed bridge with a total length of
10,200 ft when it opens in June 2012:
http://www.flixxy.com/the-bridge-to-russky-island.htm
---
On May 20, 2012 China and the Western United States saw an "annular" eclipse,
the first of its kind since 1994. An "annular" eclipse is when the moon lines
up between Earth and the Sun to create what looks like a ring of fire:
http://www.flixxy.com/solar-eclipse-20-may-2012.htm
---
Honda re-invented the wheel with its battery-powered, two-wheeled mobility
device that allows the rider to control speed, move in any direction, turn
and stop, all simply by shifting his or her weight. And what is wrong with
walking one might ask? This thing is sloooow:
http://www.flixxy.com/honda-uni-cub-personal-mobility-device.htm


TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright c WindowSecurity.com 2012. All rights reserved.

No comments:

Post a Comment