-------------------------------------------------------
WindowSecurity.com Newsletter - August 2012
Sponsored by: ManageEngine
<http://www.manageengine.com/products/netflow/network-security-white-paper.html?utm_source=wownsec&utm_medium=newsletter&utm_campaign=textlinkNFA&utm_term=aug12&utm_content=>
-------------------------------------------------------
Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com
1. Editor's Corner
-------------------------------------------------------
* Redmond: "Your VPN Can Be Hacked"
August 20th, Microsoft warned Windows Administrators of a so called
"man-in-the-middle" attack that is able to steal passwords for some
wireless networks and VPNs. There is no patch released, as this is
a configuration issue.
Redmond's security advisory was their response to a Defcon session by
security researcher Moxie Marlinspike. In a blog post written right
after Defcon, he explained how he had been trying to crack MS-CHAP v2
(Microsoft Challenge Handshake Authentication Protocol version 2) and
said: "Even as an aging protocol with some prevalent criticism, it's
still used quite pervasively...It shows up most notably in PPTP VPNs,
and is also used quite heavily in WPA2 Enterprise environments."
Also at Defcon, Marlinspike released "Chapcrack," which is a new tool
that parses data for passwords encrypted with MS-CHAP v2, then decodes
these passwords using the CloudCracker password cracking service.
Microsoft acknowledged that this is a vulnerability: "An attacker who
successfully exploited these cryptographic weaknesses could obtain user
credentials," the Monday advisory stated. "Those credentials could then
be re-used to authenticate the attacker to network resources, and the
attacker could take any action that the user could take on that network
resource." Here is the technet link:
http://technet.microsoft.com/en-us/security/advisory/2743314
There is no patch for this, it's a configuration change that will fix
the problem: "This issue is due to known cryptographic weaknesses in the
MS-CHAP v2 protocol and is addressed through implementing configuration
changes."
So what to do? Redmond recommended that you add PEAP (Protected Extensible
Authentication Protocol) to secure passwords for VPN sessions, and a
support document described how to configure servers and clients for PEAP.
---------------------------
* Participate in ITIC 2012 Global Server and Server OS Reliability Survey
You can win an iPad and/or an iPod when you do!
ITIC's 2012 Global Server Hardware and Server OS Reliability survey is live!
This survey consists of multiple choice questions and one essay question. It
polls corporations on their satisfaction with the reliability, uptime and
security of the major server hardware and server OS platforms. It also gauges
customer satisfaction with the pricing, service and support you receive from
your vendors.
Are the servers and server operating systems performing up to expectations?
Are they too expensive or too hard to use? Tell us what you think. We know
that you're busy. This survey should take only a few minutes to complete.
All responses are confidential. The survey is for informational purposes only.
No one will call or Email you with any sales pitches.
We are giving away a free iPad and a free iPod to the survey respondents
who provide the most insightful response to the final essay question. Be
sure to leave your email address along with your comment within the Essay
question response. Once the survey is finalized, we'll publish the Executive
Summary and survey highlights here. To further show our appreciation, anyone
who completes the survey can get a complimentary copy of the Report once
it's published by emailing: ldidio@itic-corp.com. Here's the survey link:
https://www.surveymonkey.com/s/LQHRYQW
---------------------------
* Quotes Of The Month:
"You have enemies? Good. That means you've stood up for something,
sometime in your life." -- Winston Churchill
"Death is not the worst that can happen to men." -- Plato
Warm regards,
Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly "security awareness" trained.
IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/
3. Security Detail
----------------------------------------
* 30% Users Infected Per Year
According to the Radicati Group, a whopping 30 percent of corporate
users are infected with malware every year. By employing the
defense-in-depth strategy, taking the outer layer seriously (Policy,
Procedures and Awareness) and deploying effective security awareness
training, organizations can reduce the risk of security incidents
dramatically. The numbers are shocking. The average 1,000 employee
organization spends over $287,000 per year defending against and
cleaning up after malware attacks. In these economic times, any
measure that drives down those costs means more budget to invest
elsewhere.
Let's look at those numbers for just a moment, that's $287 per employee
per year. And that is for organizations of around 1,000 employees
which benefit from economies of scale. For smaller organizations the
cost per employee is likely to be higher. If you could spend $15 per
employee per year for effective security awareness training , which
could cut the number of malware infections dramatically, the return
on investment is likely to be the most solid of your whole security
budget. Find out how affordable the new Kevin Mitnick Security Awareness
Training is for your organization:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
---------------------------
* Security Compliance and Microsoft SCM
The excellent Deb Schinder provides an overview of what SCM v. 2.5.40
does and how it does it. She started out with: "Compliance." It's a
word that strikes fear in the hearts of everyone from the lowly IT pro
to the folks in the executive suite. Between all the industry standards,
federal and state mandates and regulatory agency rules and regulations,
getting and staying in compliance with everything is increasingly becoming
an ongoing challenge. Depending on your organization's line of business,
you may be required to comply with PCI standards, FISMA, HIPAA, GLB or
SOX statutes, ISO standards and other requirements that you prove your
systems and network meet a specified level of security." It's a worthwhile,
in-depth article you do not want to miss:
http://www.windowsecurity.com/articles/Security-Compliance-Microsoft-SCM.html
-------------------------
* 6 Steps To Handle IT Security Incidents
New Guide from the National Institute of Standards and Technology.
The National Institute of Standards and Technology has issued a revision
of its guidance to help organizations establish programs to manage computer
security incidents. NIST, in Special Publication 800-61 Revision 2: Computer
Security Incident Handling Guide, spells out what incident-response
capabilities are necessary to rapidly detect incidents, minimize loss and
destruction, mitigate weaknesses that were exploited and restore IT services.
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736
4. SecureToolBox
-----------------------------------------------
* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/
* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/
5. ViewPoint – Your Take
-------------------------------------------
Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com
6. SecOps: What You Need To Know
--------------------------
* Mobile Security Updates 2012
WinSec author Ricky M. Magalhaes focuses on how you can improve the
security of your mobile devices against new and old threats. "The first
mobile virus was reported in 2004, a lot has happened since then with
the emergence of mobile platforms like Android and iOS devices. Mobile
devices are now the PC in your pocket so should we be applying the
same level of security to these devices?:
http://www.windowsecurity.com/articles/Mobile-security-updates-2012.html
-----------------------
* Sysinternals Tools Updated
Deb Shinder wrote: "A while back, I did an article series for
Windowsecurity.com about how to hunt down and kill malware with
popular Sysinternals tools Autorun, Process Explorer and Process
Monitor, developed by Mark Russinovich and distributed free by
Microsoft. These and a couple of other Sysinternals tools (PsKill and
RAMMap) have recently been updated with bug fixes and (in the case
of RAMMap) new features/functionality that includes support for
Windows 8. Read more here:
http://blogs.windowsecurity.com/shinder/2012/07/01/sysinternals-tools-updated/
---------------------
* 9 Popular IT Security Practices That Just Don't Work
Roger Grimes is one of my favorite IT authors. He's been writing a
column for InfoWorld for many years. This one is particularly warmly
recommended, as he makes a series of very good points. You should
really read this entertaining article:
http://www.infoworld.com/d/security/9-popular-it-security-practices-just-dont-work-199548?
7. Hackers' Haven
--------------------------
* Free IT Tool Temptation
You are an IT pro and free IT tools definitely have an appeal. There are
many positive sides like no license costs, no wait time for budget,
and you really are not committing to anything. It's really only your
time that is involved, right? Not so fast.
Granted, in a lot of cases, free tools are a great way to test a new
way to solve a nettlesome problem and see if you can get to the bottom
of something, or to see how it behaves in your network.
However, a lot of organizations get hooked on these type of tools, which
can be a time sink... your time. Over the years, these tools eat away
at your productivity, as (since they are free) they are not as stable
as real production code and you need to spend more time troubleshooting.
So, there are hidden costs connected to free tools that you need to
calculate in before you put them into a production environment. It might
ultimately be more efficient to invest in a a simple to use, effective
and flexible commercial solution that will allow you to complete your
day-to-day tasks faster and more reliably.
-----------------------
* Ex-Hacker Spills Secrets Of Fighting Social Engineering
Peter Bruzzese is an InfoWorld author with a lot of knowledge about
end-user training. He just wrote an article about social engineering
and how Kevin Mitnick has put 30 years of hacking experience in a
30-minute course. Here is the article:
http://www.infoworld.com/d/microsoft-windows/ex-hacker-spills-secrets-of-fighting-social-engineering-199040?
-----------------------
* Detect Hacking attempts with Google Analytics
Will Reynolds at SEER interactive wrote: "If someone was attempting to
break into YOUR site, use YOUR bandwidth, or even use YOUR site to launch
attacks against OTHER sites, would you know? How would you know? When
would you know? Would you be able to detect the attack and stop it
before it caused any damage? Or would you be stuck trying to cleanup
after the attack was finished?
Recently at SEER interactive while examining some unusual traffic to
a client's website, we discovered that Google Analytics was picking
up an attack against the site as legitimate traffic. With a little
digging we found several key indicators which can help you determine
if the traffic to your site is actually traffic, or if some of it is
an attack against your site. Also included in this post, is a
recommendation on how to handle an attack once discovered, and the
end of this post is an Alert you can setup in Google Analytics that
should email you if someone starts to launch attacks against your site.
http://www.seerinteractive.com/blog/detect-hacking-attempts-with-google-analytics
8. Fave links & Cool Sites
--------------------------
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This hover bike flies on the pilot's intuition. It responds to one's natural
sense of balance, without the need for any flight control mechanisms. I want one:
http://www.flixxy.com/star-wars-hover-bike.htm
---
World record-holding highliner Faith Dickey crosses a slack-line between
two speeding trucks. Will she make it before the trucks reach the tunnel?
http://www.flixxy.com/volvo-trucks-the-ballerina-stunt.htm
---
It can take from six weeks to six months to build a house. Within the
next five years, we may be able to upload design specifications to a
massive 3D Printer, press print, and watch as it spits out a house in
less than a day:
http://www.flixxy.com/the-future-of-home-construction.htm
---
An ingenious way to get a boat - complete with 80ft mast - under a 65ft bridge:
http://www.flixxy.com/how-to-get-an-80ft-mast-under-a-65ft-bridge.htm
---
6 more great movies to put in your netflix queue about social engineering
and con artists:
http://www.csoonline.com/slideshow/detail/60462/6-more-great-movies-about-social-engineering-and-con-artists?
---
Classic: NASA fooled by Martians: Here is what really happened when the Mars
Rover landed. A funny ad by HP Singapore:
http://www.flixxy.com/what-really-happened-when-the-mars-rover-landed.htm
---
Timber logging with a Boeing CH-234 helicopter. From "IMAX Presents -
Straight Up: Helicopters in Action":
http://www.flixxy.com/helicopter-tree-logging.htm
---
Amy Watts has 3 cats who roam outdoors. She thought she knew them. Now
she knows them much better:
http://www.flixxy.com/kitty-cam-exposes-the-secret-lives-of-cats.htm
TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
WServerNews.com <http://www.wservernews.com/>
----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com
Copyright c WindowSecurity.com 2012. All rights reserved.
No comments:
Post a Comment