Wednesday, June 26, 2013

WindowSecurity.com - Monthly Newsletter - June 2013

Hi Security World,

******* EDITOR'S CORNER

* 10 IT Security Myths That Put You At Risk

Gartner Analyst Jay Heiser explained that in InfoSec, there are a
lot of "misperceptions" and "exaggerations" about both the threats
you face and the solutions you use to protect your networks. All this
false data boils down to "security myths" which are widely known and
regularly used to explain things. Here are the ten myths, and a link
to Ellen Messmer's article in InfoWorld where each of them gets busted
and/or the cure is provided. This is a good read!

Myth #1: "It won't happen to me"
Myth #2: "InfoSec budgets are 10 percent of IT spend."
Myth #3: "Security risks can be quantified"
Myth #4: "We have physical security (or SSL) so you know your data is safe"
Myth #5: "Password expiration and complexity reduces risk"
Myth #6: "Moving the CISO outside of IT will automatically ensure good security"
Myth #7: "Adhering to security practices is the CISO's problem"
Myth #8: "Buy this tool <insert tool here> and it will solve all your problems"
Myth #9: "Let's get the policy in place and we are good to go"
Myth #10: "Encryption is the best way to keep your sensitive files safe"

NOT SO! Check out the answers at InfoWorld:
http://www.infoworld.com/d/security/top-10-it-security-myths-putting-businesses-risk-220570
------------------------

* Thanks For Your Interest!

I am getting so busy in KnowBe4 that unfortunately I have to give this
newsletter to someone else. It's been a great run and thank you for your
interest and feedback. I'm sure we'll see each other in IT somewhere.
---------------------------

* Quotes Of The Month:

"Procrastination is like a credit card: it's a lot of fun until you get
the bill." - Christopher Parker

"Procrastination is opportunity's assassin." - Victor Kiam

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
==================================================================

**** SECURITY DETAIL

* Data Breach Costs: 10 Ways You're Making It Worse

Inadequate response plans and poorly executed procedures caused data
breach costs to rise significantly at some businesses, according to
the Ponemon Institute. Mistakes, negligence and glitches are more
likely to be responsible for computer-related security breaches than
cyber attacks, according to a Ponemon report released last week and
sponsored by Symantec.

The research firm interviewed more than 1,400 individuals in 277 companies
as part of its "2013 Cost of Data Breach Study: Global Analysis," which
estimated the costs of data breaches in nine countries. The breach costs
varied by region, but Ponemon Institute researchers found a number of
common costly errors.

One short quote: "Building a sense of security into end users cannot
happen with one-off training programs -- there needs to be a systematic
and consistent security program over an extended period of time,"
according to the Ponemon Institute. Here is the slide show:
http://www.crn.com/slide-shows/security/240156226/data-breach-costs-10-ways-youre-making-it-worse.htm?pgno=1
----------------------

* Citadel Botnet 'Shutdown' Makes Cybercrime Worse

It was all over the news. The Citadel botnet, responsible for stealing more
than 500 million dollars out of bank accounts of both individuals and
organizations worldwide, has been largely shut down, or so it seems if you
read the breathless press. Citadel is a smarter and more sophisticated
cousin of the Zeus Trojan.

Citadel is an example of Crime-as-a-Service and has been sold since 2012 in
do-it-yourself crime kits that cost $2,400 or more. The malware itself is
installed on workstations using social engineering. End-users were tricked
with phishing and spear-phishing into clicking on links which infected
their workstations.

The Press Release said that Redmond aligned with the FBI and authorities in
80 other countries to take down one of the world’s biggest cyber crime rings.
Microsoft said its Digital Crimes Unit Wednesday took down at least 1,000
of an estimated 1,400 Citadel Botnets, which infected as many as five
million PCs around the world and targeted major banks.

Now, I agree that it's about freaking time these gangsters were shut down,
but there is quite some collateral damage with all this hoopla. Let's have
a look at what Microsoft actually did. They identified about 1,400 botnets
and disrupted them by pointing the infected machines to a server operated
by Redmond instead of the Command & Control servers controlled by the bad
guys.

This is not new. Technically this is called 'sinkholing', and it's been
around for a long time. Simply put, you redirect the traffic generated by
the Trojan on an infected PC to a server run by the good guys, who can then
warn the owner so they can clean the machine.

It so happens that a lot of security researchers had created their own
sinkhole domains, and a good chunk of these Citadel botnets had already
been sinkholed when Microsoft seized not only the domains of the bad guys
but also the domains of the security researchers. Nearly 1,000 domain
names out of the approximately 4,000 domain names seized by Microsoft had
already been sinkholed by security researchers!
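To make the two sides of the sinkholing story above concrete, here is an added example (not code from the newsletter, Microsoft or Abuse.ch) that runs over constructed resolver log lines: it lists which internal hosts resolved a sinkholed C2 name, so their owners can be warned and the machines cleaned, and it flags domains on a seizure list that already point into a research sinkhole range, which is exactly the collateral damage described above. All domain names, client addresses and sinkhole ranges are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Added example, not from the newsletter: miniature sinkhole triage over
constructed resolver log lines. Two checks the Citadel story hinges on:
which internal hosts talked to a sinkholed C2 name (owners to notify),
and which domains on a seizure list already resolve into a research
sinkhole range (seizing them would disrupt someone else's sinkhole)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (client -> queried name -> answer);
# all addresses are RFC 5737 documentation ranges, not real infrastructure.
LOG_LINES = """\
2013-06-05T10:01:12Z client=10.20.1.15 qname=update-check.example.net answer=192.0.2.10
2013-06-05T10:01:13Z client=10.20.1.15 qname=www.example.com answer=203.0.113.5
2013-06-05T10:02:44Z client=10.20.3.7 qname=cfg-srv.example.org answer=192.0.2.11
2013-06-05T10:03:01Z client=10.20.1.15 qname=update-check.example.net answer=192.0.2.10
2013-06-05T10:05:30Z client=10.20.9.42 qname=stats.example.com answer=198.51.100.20
"""

# Constructed: C2 names this defender has pointed at its own sinkhole.
SINKHOLED_C2 = {"update-check.example.net", "cfg-srv.example.org"}
# Constructed: address range of a research sinkhole already in operation.
RESEARCH_SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/28")]
LINE_RE = re.compile(r"client=(\S+) qname=(\S+) answer=(\S+)")

def parse_log(text):
    """Yield (client, qname, answer) from each well-formed log line."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.groups()

def infected_hosts(log_text, sinkholed=SINKHOLED_C2):
    """Map each client that resolved a sinkholed C2 name to the names it
    asked for. These are the owners who get the 'warn and clean' notice."""
    hits = defaultdict(set)
    for client, qname, _answer in parse_log(log_text):
        if qname.lower().rstrip(".") in sinkholed:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}

def already_sinkholed(domain_to_answer, nets=RESEARCH_SINKHOLE_NETS):
    """Return domains whose current answer lies inside a known research
    sinkhole range, i.e. domains a takedown should leave alone."""
    flagged = []
    for domain, answer in domain_to_answer.items():
        addr = ipaddress.ip_address(answer)
        if any(addr in net for net in nets):
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(infected_hosts(LOG_LINES))
    print(already_sinkholed({"update-check.example.net": "192.0.2.10"}))
```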

The problem is that sinkholing is just a game of whack-a-mole. Takedowns
like this trigger countermeasures by the bad guys, who simply respond by
using a peer-to-peer architecture instead of command & control servers,
making it much harder to take them down.

Cybercrime cannot be stopped with takedowns; as a matter of fact, takedowns
make cybercrime worse. You need legislation in Eastern Europe, and sufficient
resources for law enforcement to take down the bad actors themselves.
(Hat Tip to Abuse.ch)
---------------------------

* Top 5 System Admin Hate Votes

On May 22, the question was asked on Spiceworks: "What is your IT-related
Arch Nemesis?". More than 200 random replies came in. I thought it would
be interesting to know what the top ones were. I tabulated (and somewhat
normalized) the main things that generate support tickets, and most of
the system admins came back and voted on which things they HATED the MOST!

The Top 5 most mentioned things they HATE are in sequence of percentage:
1) No Documentation: 29.7%
2) Users: 27.4%
3) Printers and Apple products tie with 25.5% each
4) Fake Antivirus: 24.5%

Some other observations: You seem not to mind Microsoft Exchange very
much (kudos to Microsoft), and driver problems seem to have subsided
over time. Java is still causing a lot of headaches, with 21.2% naming
it as their most hated item.

======================================================================

***** SECURETOOL BOX

Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/

======================================================================

****** VIEWPOINT - YOUR TAKE

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

======================================================================

****** SECOPS: WHAT YOU NEED TO KNOW

* Android Antivirus Products A Big Flop, Researchers Say

Bob Brown at NetworkWorld reported on something a bit concerning.
"Android smartphones and tablets are under attack, and the most
popular tools developed to protect them are easily circumvented,
according to new research from Northwestern University and the
University of North Carolina".

The researchers created a tool called DroidChameleon that applies common
obfuscation techniques (simple changes to a virus' binary code or file
name, for instance) to slip past security products. Here is more, with
a link to the research paper with all the details. Yikes.
http://www.networkworld.com/news/2013/060613-android-antivirus-270573.html?
-----------------------------

* Mobile Threats Now Outpace PC Attacks

Tracy Kitten over at Government InfoSecurity interviewed Dave Jevans,
the founder and chairman of the Anti-Phishing Working Group (APWG).

Attacks aimed at mobile devices are progressing much more rapidly
than any attacks ever waged against PCs. Organizations are in danger
if they don't pay attention. Over the past six months, the APWG has
analyzed emerging mobile security threats and pinpointed some of the
key vulnerabilities, such as jail-broken devices, open-source operating
systems and sophisticated malware baked into rogue mobile applications.

Jevans says criminals are increasingly targeting mobile devices,
building on their decades' worth of experience through attacks waged
against PCs.

"The big message here, as you look through the report, is that malicious
and fraudulent activity on the mobile platform is growing much more
quickly than it did on the PC platform over the last 10 years," Jevans
says. More:
http://www.govinfosecurity.com/interviews/mobile-threats-outpace-pc-attacks-i-1940?
------------------------------

* Phishing 2.0: Anatomy of a New Attack

This is the title of a new whitepaper by Webroot, which breaks down
into its component parts what I have been warning about for a while
now: mass customized spear phishing. They identify five stages:

Phase 1: Targeting

The first phase of a Phishing 2.0 attack involves profiling a group of
potential victims. There is actually a spectrum of targeting opportunities,
including broad categories such as "business people who ship packages" and
"managers who book business travel".

Phase 2: Reconnaissance

Finding personal information and email addresses of the targeted victims.
For attacks targeting broad categories of victims, it might be sufficient
to obtain lists of email addresses from legitimate email houses or from
black market sources of spam addresses.

Phase 3: Creating spear phishing emails

The next step is for the cybercriminal to create spear phishing emails.
These emails will have two characteristics:
• They will mimic common business and personal emails, without using
phrases that could identify them as mass distribution spam.
• They will use details gathered during the reconnaissance phase to
make the emails convincing.

Phase 4: Plant malware on the victim’s computer

In some examples of spear phishing, the cybercriminal simply entices
the victim to fill out a web form with confidential information like
account number, Social Security number or user ID and password.
More commonly, though, the goal is to lure the victim into downloading
a malware file, either by clicking on an attachment in the email,
clicking on a link in the email that requests a file download, or
clicking on a link in a webpage.

Phase 5: Exploit the breach

The cybercriminal is now able to follow up by capturing the victim’s
keystrokes, finding and exporting files on the victim’s computer, or
burrowing into the company network using the victim’s credentials.
The last approach is the method typically used as part of advanced
persistent threats, which are systematic campaigns to capture large
quantities of confidential data over a period of time. Here is the
full whitepaper with much more data:
http://docs.healthcareinfosecurity.com/files/whitepapers/pdf/759_Phishing_and_Web_Security_WP_Mar13_revised.pdf

======================================================================

****** HACKERS’ HAVEN

* Spear-phishing Espionage Malware: NetTraveler

Researchers at Kaspersky Lab discovered another(!) probably state-sponsored
malware known as NetTraveler. NetTraveler gains a foothold in targeted
organizations through spear-phishing campaigns and exploits a pair of
known vulnerabilities in Microsoft Word. These vulnerabilities were patched
in 2010 and 2012. The malware logs keystrokes and grabs file system
listings, Office documents and PDF documents.

It has infiltrated more than 350 companies in 40 countries over the past
eight years. Those behind the malware targeted a variety of organizations,
including the energy industry, scientific research facilities, universities,
governments, military contractors, and social activists. NetTraveler
has seen a burst of activity in the last three years, but there are
indications that it has been around in some form since 2004. And it was
never found by any antivirus company; you wonder what else is out there.

More recently, NetTraveler has been stealing intellectual property in the
areas of space exploration, nanotechnology, nuclear power, and energy
production. If you look at the targets, to me this sounds like China is
behind all this. All employees need security awareness training. Badly!
(Ars Technica has a pretty graph with all the attacks):
http://arstechnica.com/security/2013/06/espionage-malware-infects-raft-of-governments-industries-around-the-world/

See how Kevin Mitnick steals a workstation password using malware hidden
in a Word File in less than 2 minutes:
http://www.knowbe4.com/video-mitnick/
-----------------------------

* Facebook Scams Of The Week

Since you are in IT, you or your webmaster may have been tasked to manage
your organization's Facebook Page. This phishing scam specifically targets
-you- with an email from 'Facebook Security.'

The scammers try to trick Page owners into starting a 'Fan Page Verification
Program.' You are asked to share your Facebook Page's URL and login creds and
to create a 10-digit number as a 'Transferring Code.' Once you have done this,
they can post links to your followers, who trust you as a source.

Oh, while we are talking Facebook, cybercriminals are now using the following
trick. They clone a whole profile, befriend the victim's friends and abuse
that trust to defraud them.

Cloned accounts can be used to send spam messages, initiate scams, and
steal personal information that could be used for more serious identity
theft. In the recent cases, there are reports that once the cloned
account's repeated and fraudulent friend request has been accepted, the
scammer starts soliciting money from 'friends'. Warn your users to use
Real Life verification before they agree to any transaction over Facebook.

======================================================================

***** FAVE LINKS & COOL SITES

---
* This Week's Links We Like. Tips, Hints And Fun Stuff.

Your Five Minute Virtual Vacation! Beautiful shots of the arches and red
rocks in Utah and Arizona captured and uploaded in 4K resolution. The
music and sights are just breathtaking:
http://www.flixxy.com/utah-and-arizona-in-4k-ultra-hd.htm
---
The most splashing way to discover Amsterdam - with the amphibious bus
'The Floating Dutchman.' This is new and looks like a lot of fun!:
http://www.flixxy.com/amsterdam-splash-bus-drives-into-canals.htm

Are you a sailor, pilot, do you like whitewater Kayak, or mountain
climbing? This Breitling watch has you covered in an emergency:
http://youtu.be/IwrAkNoNYbo
---
While we are looking at watches, here is what they call the world's
smartest watch...it's called "Agent" and a cool kickstarter project:
http://www.kickstarter.com/projects/secretlabs/agent-the-worlds-smartest-watch
---
A chipmunk will store over 6,000 acorns - but he needs to keep an eye
out for pickpockets:
http://www.flixxy.com/dont-mess-with-a-chipmunks-nuts.htm
---
Breathtaking crossbow performance by Ben Blaque at the French TV
show "The World's Greatest Cabaret" hosted by Patrick Sebastien:
http://www.flixxy.com/awesome-crossbows.htm
---
A flying bicycle invented by three Czech companies successfully completed
its first test flight, just like a Star Wars Jedi hover-bike:
http://www.flixxy.com/flying-bicycle.htm
---
Check out the massive acceleration of these top-of-the-line electric
racing motorcycles at the recent Isle of Man championship:
http://blog.motorcycle.com/2013/06/11/motorcycle-news/not-a-fan-of-electric-motorcycles-this-might-change-your-mind/
---
A network of balloons traveling on the edge of space, designed to connect
people in rural and remote areas, help fill in coverage gaps and bring people
back online after disasters. Looking for a Tech Support job with Challenges?:
http://www.flixxy.com/balloon-powered-internet-access.htm


WindowSecurity.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsecurity.com/articles-tutorials/)
- Products (http://www.windowsecurity.com/software/)
- Reviews (http://www.windowsecurity.com/articles-tutorials/Product_Reviews/)
- Free Tools (http://www.windowsecurity.com/software/Free-Tools/)
- Blogs (http://www.windowsecurity.com/blogs/)
- Forums (http://forums.windowsecurity.com/)
- White Papers (http://www.windowsecurity.com/white-papers/)
- Contact Us (http://www.windowsecurity.com/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- ISAserver.org (http://www.isaserver.org/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowSecurity.com
Copyright WindowSecurity.com 2013. All rights reserved.