Wednesday, June 27, 2012

WindowSecurity.com Newsletter of June 2012

-------------------------------------------------------
WindowSecurity.com Newsletter of June 2012
Sponsored by: SpamTitan
<http://www.spamtitan.com/cloud_anti_spam>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Cybercrime Never Sleeps

Europe's banks are well ahead of the U.S. in the sense of security. Many
of them now require 2-factor authentication. My wife has an account at
a Swedish bank, and they sent us a card with built-in chip, and a card reader
that hooks up to the PC via USB. When she logs into her online banking
site, she needs to slip in the card and provide a pin code. Only then can she
get access to the website. You would think this is safe, and it is a
lot safer than just a user name and password. But very few banks use this,
as it's very expensive. Many rely on 2-factor authentication via SMS,
and here is where the trouble starts.

An online banking fraud tool that was recently discovered by researchers
at Trend Micro cheats two-factor authentication, fully automates the attack
and then hides out so that the victim cannot see the loss or any traces of
the theft until long after.

There is a new name for these attacks, they are called 'automatic transfer
systems' (ATS) and currently they target customers in Germany, Italy and
England where SMS is used for 2-factor authentication. Some US banks use
SMS-based 2-factor for wire transfers.

Tom Kellermann, vice president of cybersecurity for Trend Micro said: "It
also has the capacity to move funds out of the [victim's] account so that
the criminal doesn't have to sit there and wait or wait for communication
from his bot. It's totally automated." This concept is not new of course,
but they have taken the ATS module to the next level for Zeus and SpyEye.
The user sees nothing, only the transaction amount that has been taken
out of your account. Kellerman said: "...It's elegant."

Perhaps from the perspective of the malware researcher, but from the
victim's perspective it's horrific, and costs an enormous amount of
time, hassle and heartache. I would strongly recommend if you are in
IT, to create a linux bootup disk for the people in Finance that handle
online banking, and have them use that for browser-based banking
transactions. When done, reboot and go back to Windows.
---------------------------


* Meet My New Business Partner: Kevin Mitnick

Late last year the Wall Street Journal wrote an article about social
engineering. They concluded that the end-user was the weak link in IT
security, quoted some experts in the field and talked about possible
solutions. My company KnowBe4 was mentioned in the article, and so was
Kevin Mitnick, who in the mid-nineties was the World's most wanted hacker,
and who now is a successful security consultant and keynote speaker.
Kevin is now our Chief Hacking Officer. More:
http://www.knowbe4.com/products/who-is-kevin-mitnick/

PS: Did you know that I also write a weekly newsletter called CyberheistNews?
It goes to 40,000 people every Tuesday. Subscribe here:
http://www.knowbe4.com/cyberheist-news/
---------------------------


* Quotes Of The Month:

"Far and away the best prize that life offers is the chance to work
hard at work worth doing" –- Theodore Roosevelt

"Choose a job you love, and you will never have to work a day in your
life." -- Confucius
Warm regards,

Stu Sjouwerman
Editor, WindowSecurity Newsletter
Email me at feedback@windowsecurity.com


2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* Welcome To The Age Of Weaponized Malware

The cyberweapon genie is out of the bottle, and the U.S. is engaged
in a cyberwar. Now it becomes clear why the Government has been trying
to get private industry to agree to certain cybersecurity standards.
They are basically like an "arsonist calling for a better fire code",
as per Jason Healey, director of the Cyber Statecraft Initiative at
the Atlantic Council.

June 2012 it was revealed that the White House decided to wage cyberwar
against Iran starting with the Bush Administration and continued in an
intensified form by the Obama Administration. President Obama was, and
I assume still is, personally involved with the details of the attacks
on the Iranian Natanz uranium enrichment facility. In David E. Sanger's
book 'Confront and Conceal: Obama's Secret Wars and Surprising Use of
American Power' this has been spelled out for the first time. Michael
D. Hayden, the former chief of the CIA, said: "This is the first attack
of a major nature in which a cyberattack was used to effect physical
destruction… you can't help but describe it as an attack on critical
infrastructure." He continued with: "Somebody has crossed the Rubicon…
in one sense at least, it's August 1945, the month that the world saw
the first capabilities of a new weapon, dropped over Hiroshima. The big
difference is that the cyberweapons that were created by the U.S.
Administrations are weapons of precise destructions, not mass destruction,
but Hayden does make a good point, in the hands of cybercriminals it
easily can become a weapon of mass destruction.

The U.S. Administration obviously wanted to keep this under wraps for as
long as possible, and even when it was discovered, hoped it would be
unattributable. So much for that. The idea was if they could damage
Iran's uranium enrichment capabilities, it would not be necessary
for Israel to bomb Natanz, and potentially spark a war in the Middle
East with disastrous consequences for oil prices. I understand all that.
But now you have highly powerful cyberweapons in the hands of every
somewhat capable hacker. Compare that to the limited nuclear
proliferation we have today and you see that this genie is impossible
to put back in the bottle.

Now, what risks are we talking here? Well, there is a spectrum of
cyberthreats that you can see in a gradient scale from nuisance to
catastrophic. Spam is a nuisance, your economic infrastructure shut
down and utilities destroyed sets you back 50 years as a country.
No, the sky is not falling. But bad guys are now getting their hands
on some mighty powerful malcode that could be used to penetrate your
organization. How to protect yourself?

ABC News investigative producer Lee Ferran argues that "human carelessness"
is more responsible for cyberthreats than technical advances: "no matter
how sophisticated the attack or how capable the defenses, the weakest
link in cybersecurity is often the human at the keyboard." He just wrote
an article called Bigger Than Flame, Stronger Than Stuxnet: Why 'Idiot'
Humans Are Best Cyber Weapon.
http://abcnews.go.com/blogs/headlines/2012/06/bigger-than-flame-
stronger-than-stuxnet-why-idiot-humans-are-best-cyber-weapon/


Microsoft warns that civilian casualties are inevitable in governments'
cyber war. Cyber attacks such as Duqu, Stuxnet and Flame will inevitably
hurt private companies and innocent people as well as governments,
according to Microsoft Trustworthy Computing (TwC) corporate vice president
Scott Charney. Here is the article at the U.K. website V3:
http://www.v3.co.uk/v3-uk/news/2185580/civilian-casualties-inevitable-
governments-cyber-war-warns-microsoft

-------------------------

* Beware Scare Tactics for Mobile Security Apps

Well known journalist Brian Krebs reported: "It may not be long before
your mobile phone is beset by the same sorts of obnoxious, screen-covering,
scaremongering ads pimping security software that once inundated desktop
users before pop-up blockers became widely-used. Richard M. Smith, a
Boston-based security consultant, was browsing a local news site with
his Android phone when his screen was taken over by an alarming message
warning of page errors and viruses. Clicking anywhere on the ad takes
users to a Web site selling SnapSecure, a mobile antivirus and security
subscription service that bills users $5.99 a month. More:
http://krebsonsecurity.com/2012/06/beware-scare-tactics-for-mobile-security-apps/
-------------------------

* With The Convergence, Mobile Security Is A Clear Focus

Ricky Magalhaes here at WindowSecurity.com had a good article
about securing all your mobile devices. He started out with: "The days
of having a single device with one specific function is over. Mobile
devices are converging; your 'mobile phone' is no longer just your
'mobile phone', it's your mobile PC. The convergence of data or
information and communication technology in a singular intelligent
mobile device has the advantages of global and abundant ease of
access to information, collaboration and communication at your
fingertips. With the exponential rate at which these mobile devices
are advancing and becoming more sophisticated, the on-going development
of mobile device enterprise application platforms and telecom
improvements, the easier it is becoming to access and manipulate
information, however on the flip-side the wider the door is being left
ajar for hackers or individuals with malicious intent to do the same."
More:
http://www.windowsecurity.com/articles/With-convergence-mobile-devices-mobile-security-clear-focus.html


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

6. SecOps: What You Need To Know
--------------------------

* Passwords: Do You Like Them Plain, Hashed Or With Some Salt?

CloudFlare's @jgrahamc explains the basics of password security,
and this is a recommended read for anyone in IT.

"Over the last few weeks a number of companies have seen their password
databases leaked onto the web and found that despite having made some
effort to protect them many of the passwords were easily uncovered.
Unfortunately, the disclosure of password databases is an ugly reality
of the Internet; entire forums are dedicated to hackers who collaborate
to uncover passwords from files and specialized password cracking software
is easy to obtain. To understand password storage it's best to go back
to basics and some history." Read this blog post here:
http://blog.cloudflare.com/keeping-passwords-safe-by-staying-up-to-date
--------------------

* How To Decrypt An MD5-Hash

So simple a 5-year old can do it. Go to this site. Enter the hash.
Click on 'Decrypt'. Voila! SO that is why you need to salt and pepper
your passwords and re-encrypt them a few times. It's all about increasing
the cost to the attacker!
http://www.md5-hash.com/
-------------------------

* Fighting False Positives Is Just As Hard As Fighting Real Malware

A few weeks back Avira, a major antivirus company wreaked havoc on
Windows PCs by releasing a Service Pack that bricked machines by
blocking boots, and banning the launch of almost every Windows executable.
Ouch. Eugene Kaspersky has a good article about this, with some graphs
that compare False Positives of leading antivirus products. Very
interesting.

He started out with: "Any software vendor sometimes makes unfortunate
mistakes. We are human like everybody else and we make mistakes sometimes,
too. What's important in such cases is to publicly admit the error as
soon as possible, correct it, notify users and make the right changes
to ensure the mistake doesn't happen again (which is exactly what we
do at KL). In a nutshell, it's rather easy – all you have to do is
minimize damage to users.

But there is a problem. Since time immemorial (or rather memorial),
antivirus solutions have had a peculiarity known as false positives
or false detections. As you have no doubt guessed, this is when a
clean file or site is detected as infected. Alas, nobody has been
able to resolve this issue completely." Read this article!
http://eugene.kaspersky.com/2012/06/20/fighting-false-positives/


7. Hackers' Haven
--------------------------

* Five Generations Of Cybercrime

It helps to understand more about the history of hacking, when you need to
defend yourself against cyber criminals. So here is your Executive Summary:

Early hacking started when guys like Kevin Mitnick became 'digital delinquents'
and broke into the phone company networks. That was to a large degree to
see how far they could get with social engineering, and it got them way
further than expected. It was a game to see what could be done more
than anything else. Actual financial damage to hundreds of thousands
of businesses started only in the nineties, but has moved at rocket speed
these last 20 years. The move has been from "fame to fortune"

-- Generation ONE

Those were the teenagers in dark, damp cellars writing viruses to gain
notoriety, and to show the world they were able to do it. Relatively
harmless, no more than a pain in the neck to a large extent. We call them
sneaker-net viruses as it usually took a person to walk over from one
PC to another with a floppy disk to transfer the virus.

-- Generation TWO

These early day 'sneaker-net' viruses were followed by a much more malicious
type of super-fast spreading worms (we are talking a few minutes) like
Sasser and NetSky that started to cause multi-million dollar losses. These
were still more or less created to get notoriety, and teenagers showing
off their "elite skills".

-- Generation THREE

Here the motive moved from recognition to remuneration. These guys were
in it for easy money. This is where botnets came in, thousands of infected
PCs owned and controlled by the cybercriminal that used the botnet to
send spam, attack websites, engage in identity theft and for other nefarious activities.
The malware used was more advanced than the code of the 'pioneers' but
was still easy to find and easy to disinfect.

-- Generation FOUR

Here is where cybercrime goes professional. The malware starts to hide
itself, and they get better organized. They are mostly in eastern European
countries, and use more mature coders which results in much higher quality
malware, which is reflected by the first rootkit flavors showing up. They
are going for larger targets where more money can be stolen. This is also
the time where traditional mafias muscle into the game, and rackets like
extortion of online bookmakers starts to show its ugly face.

-- Generation FIVE

The main event that created the fifth and current generation is that an
active underground economy has formed, where stolen goods and illegal
services are bought and sold in a 'professional' manner, if there is
such a thing as honor among thieves. Cybercrime now specializes in
different markets (you can call them criminal segments), that taken
all together form the full criminal supply-chain. Note that because
of this, cybercrime develops at a much faster rate. All the tools are
for sale now, and relatively inexperienced criminals can get to work
quickly. Some examples of this specialization are:

-Cybercrime has their own social networks with escrow services
-Malware can now be licensed and gets tech support
-You can now rent botnets by the hour, for your own crime spree
-Pay-for-play malware infection services that quickly create botnets
-A lively market for zero-day exploits (unknown vulnerabilities)

The problem with this is that it both increases the malware quality,
speeds up the criminal 'supply chain' and at the same time spreads the
risk among these thieves, meaning it gets harder to catch the culprits.
We are in this for the long haul, and we need to step up our game,
just like the miscreants have done the last 10 years!
-------------------------

* Android Hackers Hone Skills In Russia

The malware business growing around Google Android -- now the leading
smartphone operating system -- is still in its infancy. Today, many of
the apps built to steal money from Android users originate from Russia
and China, so criminal gangs there have become cyber-trailblazers.
More at ComputerWorld:
http://cwonline.computerworld.com/t/8008072/987374514/563841/0/
-------------------------

* A Business Savvy Cyber Gang Driving a Massive Wave of Fraud

Rod Rasmussen wrote a great article about one gang that is very
busy generating malware: "Tucked away in a small town outside
Moscow, Russia one of the world's most prolific and effective
cybercriminals works away on the next version of malicious software
that will enable the theft of millions of dollars from unsuspecting
victims around the world.

Going by the online moniker of "Paunch," he is continuously updating
his browser exploit software, called "Black Hole" and it is wreaking
havoc daily amongst many of the world's largest brands and government
organizations.

His software doesn't actually enable the theft of money, exfiltrate
data, or keylog victims as you may suspect, but it is the premier
product in the "browser exploit pack" (BEP) software category. These
exploit "kits" are installed onto websites, some compromised, others
set up by criminals. Then, when people visit these sites using a
vulnerable browser, and large portions of them are, their computers
are immediately broken into. This allows for the installation of
any kind of malware the exploiter wants to put on them. Often times
this will be one of the very latest in crimeware like Zeus, Bugat,
or Cridex. More:
http://www.securityweek.com/black-hole-exploit-business-savvy-cyber-
gang-driving-massive-wave-fraud



8. Fave links & Cool Sites
--------------------------

This week's virtual vacation! Follow Kevin Kelly on his trip through Taiwan,
China, Singapore, Burma, India, Korea and Indonesia - all in 90 seconds:
http://www.flixxy.com/one-minute-vacation-in-asia.htm
---
An impressive aerobatics display by jet pilot Michaël Brocard at the
largest air show in Switzerland:
http://www.flixxy.com/jet-aerobatics-switzerland.htm
---
A visual explanation of how the Internet actually works. Ride with a packet
of data and follow it as it flows from your fingertips, through circuits,
wires, and cables, to a host server, and then back again, all in less than
a second. Fun to send to your employees:
http://www.flixxy.com/how-the-internet-works.htm
---
Richart Sowa lives on an island that that he made himself, using 100,000
discarded plastic bottles as a floating support structure:
http://www.flixxy.com/eco-friendly-floating-plastic-bottle-island.htm
---
Can you predict what the dominant new technology will in 75 years? Belgian
visionary Paul Otlet imagined the Internet in 1934!
http://www.flixxy.com/1934-vision-of-the-internet.htm
---
Tactical stabbing pen adds handcuff key and other stuff. I got one for
Father's day, w00t:
http://boingboing.net/2012/06/16/tactical-stabbing-pen-adds-han.html
---
-How- many hours does it take to make a flamenco guitar? Wow:
http://www.good.is/post/intermission-the-art-of-making-a-flamenco-guitar/
---
Friesian Horses are known to be beautiful, versatile, athletic, kind,
willing, and are able to do anything:
http://www.flixxy.com/the-beautiful-friesian-horse.htm
---
Dogs in cars doing what they love to do ... in California:
http://www.flixxy.com/dogs-in-cars-california.htm
---
Philosophers World Cup by Monty Python, now -that's- a way to play soccer:
http://www.flixxy.com/philosophers-world-cup.htm


TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright c WindowSecurity.com 2012. All rights reserved.

No comments:

Post a Comment