Wednesday, October 31, 2012

WindowSecurity.com Newsletter - October 2012

-------------------------------------------------------
WindowSecurity.com Newsletter - October 2012
Sponsored by: SpectorSoft
<http://lp.spectorsoft.com/c/spectorsoft-server-manager-end-to-end-server-management?utm_source=TechGenix&utm_medium=Newsletter&utm_campaign=TechGenix%2BWindows%2BSecurity&cid=70170000000MfCi>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Industrial Control Systems: The Next Twin Towers?

Eugene Kaspersky a few days ago wrote a hair-raising blog post about the
reality of our Industrial Control Systems, which are far more vulnerable than
the network in your office. Industrial Control Systems (ICS) are the software
that controls nuclear power stations, transportation systems, oil refineries
and many other facilities. He started out with a bit of background on
vulnerable industrial systems, and my mouth fell open.

I'm quoting Kaspersky here: "Though industrial IT systems and, say, typical
office computer networks might seem similar in many ways, they are actually
completely different beasts – mostly in terms of their priorities between
security and usability. In your average company, one of the most important
things is confidentiality of data, and IT administrators are encouraged to
isolate infected systems from non-infected systems to that end, among others.
Thus, for example, if on the corporate file server a Trojan is detected,
the simplest thing to do is disconnect the infected system from the network
and then later start to tackle the problem.

In industrial systems that can't be done, since here the highest priority for
them is maintaining constant operation come hell or high water. Uninterrupted
continuity of production is of paramount importance at any industrial object
in the world; security is relegated to second place.

Another challenge to securing an "always on" environment arises due to software
at an industrial/infrastructural installation only being updated after a
thorough check for fault-tolerance – so as to make sure not to interrupt
the working processes. And because such a check requires loads of effort
(yet still doesn't provide a guarantee of non-failure) many companies often
simply don't bother to update ICS at all – leaving it unchanged for decades.(!)
(emphasis added)

Updating software might even be expressly forbidden by an
industrial/infrastructural organization's safety policy. Just recently I
read a nice piece about this, which listed 11 ICS security rules; rule #2
is "Do not touch. Ever." What more of an illustration do you need?! [end quote]

Even if an ICS is disconnected from the Internet, it can still be penetrated
by social engineering, as was shown in the Stuxnet attack in Iran, where the
ICS of their nuclear enrichment facility was corrupted with a simple thumb-drive
attack. All employees of these industrial facilities should be stepped through
some high-quality security awareness training.

One of the comments gave me pause and was the inspiration for the title of
this blog post. Prof. Larry Constantine remarked: "I was
talking with ICS security expert Ralph Langner yesterday. We agreed that
the biggest barriers to enhancing industrial cyber-security are not so much
technical – formidable though those may be – as financial. In the absence of
government mandates there are no economic incentives for operators to
improve ICS security. The large investment has no near-term payoff; it is
costly and it complicates already complex systems. Until the industrial
equivalent of the Twin Towers, we are not likely to see great strides forward
in terms of protecting critical infrastructure from cyber-attacks. Even then,
it would not be too surprising if most of the effort went into initiatives
analogous to airport security – showplace charades more about public reassurance
through the illusion of security than about the reality."

Click here for the full Kaspersky blog post:
http://eugene.kaspersky.com/2012/10/16/kl-developing-its-own-operating-system-we-confirm-the-rumors-and-end-the-speculation/
---------------------------

* Cybergeddon – New Web Series Sponsored By Symantec

Not sure how I missed this, but on Sept 25th a new web series was
released via Yahoo Screen. The creator is CSI's Anthony E. Zuiker,
and this new series indeed has Hollywood production values we have
not seen on the web yet. The 9 (mini) episode story is about an FBI
agent (easy-on-the-eyes star Missy Peregrym) who is framed for a massive
zero-day virus attack that threatens to shut down most of the Internet.

This is by far the most expensive Web series up to now at a cost of $6
million, triple the $2 million spent on Tom Hanks' Electric City. They
translated it in 10 different languages and it was released in 25 countries.
The producers hope to get 20 million hits over time, as this thing has a long
shelf life. It has not gone viral yet, but for techies like us it's fun to
watch, and you will recognize a lot of security terms that for a change are
correctly used. Must be that Symantec's malware warriors had a hand in the
script. I spent a pleasant Sunday morning watching this. Here are the trailer
and links to the episodes:
http://screen.yahoo.com/cybergeddon/
----------------------

* Quotes Of The Month:

"The defender needs to be perfect all the time. The attacker only needs
to succeed once." -- Securosis Blog

"Hence that general is skillful in attack whose opponent does not know what
to defend; and he is skillful in defense whose opponent does not know what
to attack." -- Sun Tzu

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com


2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy for cybercriminals to find? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users have been thoroughly trained in security awareness.

IT Security specialists call it your phishing attack surface. The more of your email addresses are floating around out there, the bigger your attack footprint and the higher your risk. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* Endpoint Security: Isn't It Obvious!?

WindowSecurity blogger Derek Melber wrote: "I know we all deal with
computers on a daily basis. With so much computer use, why is security
so complex? Well, I have an answer, which might not ring a perfect
tone in your ear. My perception is that people are lazy! Of course not
everyone! However, enough for security to take a backseat to productivity
and making money. If your local bank, where you keep your retirement
funds, were to say to you "our employees keep losing their keys to
the vault and can't remember the vault passcode, so we are going to
just keep a zip-tie on the vault from now on", how would you feel about
keeping your money there? Well, why do corporations continue to use
zip-ties to secure intellectual property (IP), social security numbers,
credit card numbers, etc.? I feel that security needs to start at the
endpoint and then continue to be more secure all the way back to the
file where the data is stored. Here, we are going to discuss endpoint
security:
http://www.windowsecurity.com/articles/Endpoint-Security-Isnt-It-Obvious.html
-----------------------

* Researcher Demos Browser Extension Malware

Lucian Constantin reported that "Security researcher Zoltan Balazs has
developed a remote-controlled piece of malware that functions as a
browser extension and is capable of modifying Web pages, downloading and
executing files, hijacking accounts, bypassing two-factor authentication
security features enforced by some websites, and much more.

Balazs, who works as an IT security consultant for professional services
firm Deloitte in Hungary, created the proof-of-concept malware in order
to raise awareness about the security risks associated with browser
extensions and as a call to the antivirus industry to take this type of
threat more seriously.

The researcher plans to release the malware's source code on GitHub during
a presentation at the Hacker Halted security conference in Miami, after
having shared the code in advance with antivirus vendors." More:
http://www.computerworld.com/s/article/9232848/Researcher_to_demonstrate_feature_rich_malware_that_works_as_a_browser_extension?
------------------------

* Global Infosec Survey Finds More Talk - But Not More Action

The Chief Security Officer (CSO) site had it first. People 'talk the talk'
but don't 'walk the walk' of security.

Anyone you care to ask will likely--and reasonably--agree that the threats
against IT systems and data are serious and organizations need to take
appropriate steps to protect their infrastructure and information. But if
you look at the practices actually in use at many organizations, it becomes
painfully apparent that there's still a wide gulf between ideals and reality.

That's no shock to anyone paying attention. But the reasons for the
continuing gap between what needs to be done and what's actually done have
remained unchanged for years. Business executives and security managers
just can't get in sync. That is, CEOs and executives talk a good game
about the seriousness of protecting their data, but when it comes time
to put resources and capital into it, they're not willing.

That's just one of the findings of the Tenth Annual Global Information
Security Survey conducted by CSO and CIO magazines and PricewaterhouseCoopers.
More: http://cwonline.computerworld.com/t/8287627/987374514/587822/0/


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com


6. SecOps: What You Need To Know
--------------------------

* Security Manager's Journal

Computerworld has a great story about a security manager whose company
sells software and how he can't afford to ignore the potential vulnerability
of those products.

"No business wants a customer complaining about security weaknesses in
its products. If that had been the extent of what happened to my company
last week, it would have been bad enough. But it was worse, because in
this case, a customer skipped the normal means of reporting a problem
and brought a concern about one of our software products directly to
one of our senior vice presidents. Instant escalation." Ouch. More:
http://www.computerworld.com/s/article/9232556/Security_Manager_s_Journal_Security_has_to_extend_to_your_customers?
-----------------------

* Infographic: Top Password Mistakes

Some common mistakes when creating passwords, courtesy of an infographic
from SecurityCoverage, makers of Password Genie. Follow the link below
and then click the "Enlarge" button at the top left to see a larger version:
http://cwonline.computerworld.com/t/8286224/992851963/587634/0/
----------------------

* Adobe Patches Six Critical Flaws In Shockwave Player

Adobe has fixed six critical vulnerabilities in Shockwave Player that
attackers could potentially exploit to execute malicious code, with the
release of version 11.6.8.638 of the software:
http://cwonline.computerworld.com/t/8287627/987374514/587823/0/


7. Hackers' Haven
--------------------------

* Fresh Twitter Attack

A few days ago I received this attack supposedly from a 14-year business
relation of mine that I know well. Typical social engineering attack and
exactly the thing we have been warning against for a few years now. Note that
the email address is spoofed as "postmaster.twitter.com", and that they are
pulling an old trick about me being in a video that might be embarrassing.
Wrong mark, guys! Warn your users that Twitter accounts are being hacked
and used to send attacks. Here is the attack screenshot:
http://blog.knowbe4.com/fresh-twitter-attack/
----------------------

* 8 Facts About Banks Being Hacked

InformationWeek has a good story about the background of the hacks on
banks, and whether Iran is actually behind these attacks. This is a great
background article with lots of detail:
http://www.informationweek.com/security/attacks/who-is-hacking-us-banks-8-facts/240009554
----------------------

* Humans: The Weakest Link In Cyber Security? You Betcha?

Microsoft's blog hit the mark this week. Rik Ferguson, Security Director,
said: "People are always the weakest link in Information Security, you
can deploy all the technology you want, but people simply cannot be
programmed and can't be anticipated. As long as an attacker makes
their delivery vehicle credible enough a target is likely to click
the link or open the file". More:
http://blogs.technet.com/b/mediumbusiness/archive/2012/10/24/human-the-weak-link.aspx

The fix for this of course is security awareness training:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/


8. Fave links & Cool Sites
--------------------------

* This Week's Links We Like. Tips, Hints And Fun Stuff.

This week's 3-minute virtual vacation: San Francisco's most iconic
landmarks, with an extra: photoshopped empty of tourists and traffic!
http://www.flixxy.com/empty-san-francisco.htm
---
Explore a Google data center with Street View:
https://www.youtube.com/watch?feature=player_embedded&v=avP5d16wEp0
---
How To Pick Up A Girl At The Gym
http://www.youtube.com/watch?v=xyXplN23ALM
---
Flying and Rolling Robots Work Together:
http://www.technewsdaily.com/8365-flying-and-rolling-robots-work-together.html
---
The best skiers, surfers, divers, bikers, kayakers and pilots filmed
with the newly released GoPro Hero3 camera:
http://www.flixxy.com/the-best-of-gopro-hero3.htm
---
Here is a link to the T-Shirt: Social Engineering Specialist:
http://www.jinx.com/p/social_engineering_t_shirt.html?catid=
---
This up-tempo piece from the second Animusic DVD features a band of
five robots jamming on their futuristic instruments as their musical
starship cruises through outer space:
http://www.flixxy.com/animusic-starship-groove-1080p-hd.htm
---
Fantastical creatures from classic fairy tales come to life in this
magical piece that will get you in the mood for Halloween:
http://www.flixxy.com/the-green-ruby-pumpkin-halloween-short-film.htm?utm_source=4
---
For the kids: From the kung-fu-bear to the marching geese and the dancing
cows, animals are awesome, too!:
http://www.flixxy.com/animals-are-awesome-too.htm
---
World Champion Of Magic For A Reason: Transparent Cups And Balls:
http://www.flixxy.com/world-champion-of-magic-transparent-cups-and-balls.htm?utm%2Bsource=fb


TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
WServerNews.com <http://www.wservernews.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright © WindowSecurity.com 2012. All rights reserved.
