If you are using pcAnywhere to remotely access your computer, you probably want to go read the “pcAnywhere Security Recommendations” posted by Symantec.
The danger is that someone so inclined could potentially access your computer through vulnerabilities exposed from old source code, and gain full access to your computer, files and your network.
To sum it up, disabling pcAnywhere is a surefire way to protect yourself and your company.
If you have questions about this or any other security issue in the Greenville or Upstate SC area, please call upon Homeland Secure IT, we can help set your mind at ease. 864.990.4748
Anonymous has made the news lately with their attacks on many sites, with the most prominent being government sites. US-CERT released this info yesterday:
National Cyber Alert System
Technical Cyber Security Alert TA12-024A
“Anonymous” DDoS Activity
Original release date: January 24, 2012
Last revised: –
Source: US-CERT
Overview
US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry websites. The loosely affiliated collective “Anonymous”
allegedly promoted the attacks in response to the shutdown of the
file hosting site MegaUpload and in protest of proposed U.S.
legislation concerning online trafficking in copyrighted
intellectual property and counterfeit goods (Stop Online Piracy
Act, or SOPA, and Preventing Real Online Threats to Economic
Creativity and Theft of Intellectual Property Act, or PIPA).
I. Description
US-CERT has evidence of two types of DDoS attacks: One using HTTP
GET requests and another using a simple UDP flood.
The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
associated with previous Anonymous activity. US-CERT has reviewed
at least two implementations of LOIC. One variant is written in
JavaScript and is designed to be used from a web browser. An
attacker can access this variant of LOIC on a website and select
targets, specify an optional message, throttle attack traffic, and
monitor attack progress. A binary variant of LOIC includes the
ability to join a botnet to allow nodes to be controlled via IRC or
RSS command channels (the “HiveMind” feature).
The following is a sample of LOIC traffic recorded in a web server
log:
“GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1″ 200
99406 “hxxp://pastehtml.com/view/blafp1ly1.html” “Mozilla/5.0
(Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1″
The following sites have been identified in HTTP referrer headers
of suspected LOIC traffic. This list may not be complete. Please do
not visit any of the links as they may still host functioning LOIC
or other malicious code.
“hxxp://3g.bamatea.com/loic.html”
“hxxp://anonymouse.org/cgi-bin/anon-www.cgi/”
“hxxp://chatimpacto.org/Loic/”
“hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/”
“hxxp://event.seeho.co.kr/loic.html”
“hxxp://pastehtml.com/view/bl3weewxq.html”
“hxxp://pastehtml.com/view/bl7qhhp5c.html”
“hxxp://pastehtml.com/view/blafp1ly1.html”
“hxxp://pastehtml.com/view/blakyjwbi.html”
“hxxp://pastehtml.com/view/blal5t64j.html”
“hxxp://pastehtml.com/view/blaoyp0qs.html”
“hxxp://www.lcnongjipeijian.com/loic.html”
“hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
fnorefer”
“hxxp://www.tandycollection.co.kr/loic.html”
“hxxp://www.zgon.cn/loic.html”
“hxxp://zgon.cn/loic.html”
“hxxp://www.turbytoy.com.ar/admin/archivos/hive.html”
The following are the A records for the referrer sites as of
January, 20, 2012:
3g[.]bamatea[.]com A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr A 210[.]207[.]87[.]195
chatimpacto[.]org A 66[.]96[.]160[.]151
anonymouse[.]org A 193[.]200[.]150[.]125
pastehtml[.]com A 88[.]90[.]29[.]58
lcnongjipeijian[.]com A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A 121[.]254[.]168[.]87
www[.]zgon[.]cn A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar A 190[.]228[.]29[.]84
The HTTP requests contained an “id” value based on UNIX time and
user-defined “msg” value, for example:
GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
Other “msg” examples:
msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1″ 200 99406
“http://pastehtml.com/view/bl7qhhp5c.html”
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer
%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20
forgive.%20We%20do%20not%20forget.%20Expect%20us!
The “msg” field can be arbitrarily set by the attacker.
As of January 20, 20012, US-CERT has observed another attack that
consists of UDP packets on ports 25 and 80. The packets contained a
message followed by variable amounts of padding, for example:
66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood………
Target selection, timing, and other attack activity is often
coordinated through social media sites or online forums.
US-CERT is continuing research efforts and will provide additional
data as it becomes available.
II. Solution
There are a number of mitigation strategies available for dealing
with DDoS attacks, depending on the type of attack as well as the
target network infrastructure. In general, the best practice
defense for mitigating DDoS attacks involves advanced preparation.
* Develop a checklist or Standard Operating Procedure (SOP) to
follow in the event of a DDoS attack. One critical point in a
checklist or SOP is to have contact information for your ISP and
hosting providers. Identify who should be contacted during a
DDoS, what processes should be followed, what information is
needed, and what actions will be taken during the attack with
each entity.
* The ISP or hosting provider may provide DDoS mitigation services.
Ensure your staff is aware of the provisions of your service
level agreement (SLA).
* Maintain contact information for firewall teams, IDS teams,
network teams and ensure that it is current and readily available.
* Identify critical services that must be maintained during an
attack as well as their priority. Services should be prioritized
beforehand to identify what resources can be turned off or
blocked as needed to limit the effects of the attack. Also,
ensure that critical systems have sufficient capacity to
withstand a DDoS attack.
* Have current network diagrams, IT infrastructure details, and
asset inventories. This will assist in determining actions and
priorities as the attack progresses.
* Understand your current environment and have a baseline of daily
network traffic volume, type, and performance. This will allow
staff to better identify the type of attack, the point of attack,
and the attack vector used. Also, identify any existing
bottlenecks and remediation actions if required.
* Harden the configuration settings of your network, operating
systems, and applications by disabling services and applications
not required for a system to perform its intended function.
* Implement a bogon block list at the network boundary.
* Employ service screening on edge routers wherever possible in
order to decrease the load on stateful security devices such as
firewalls.
* Separate or compartmentalize critical services:
* Separate public and private services
* Separate intranet, extranet, and internet services
* Create single purpose servers for each service such as HTTP,
FTP, and DNS
* Review the US-CERT Cyber Security Tip Understanding
Denial-of-Service Attacks.
III. References
* Cyber Security Tip ST04-015 -
<http://www.us-cert.gov/cas/tips/ST04-015.html>
* Anonymous's response to the seizure of MegaUpload according to
CNN -
<http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>
* The Internet Strikes Back #OpMegaupload -
<http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>
* Twitter Post from the author of the JavaScript based LOIC code -
<http://www.twitter.com/#!/mendes_rs>
* Anonymous Operations tweets on Twitter -
<http://twitter.com/#!/anonops>
* @Megaupload Tweets on Twitter -
<http://twitter.com/#!/search?q=%2523Megaupload>
* LOIC DDoS Analysis and Detection -
<http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>
* Impact of Operation Payback according to CNN -
<http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>
* OperationPayback messages on YouTube -
<http://www.youtube.com/results?search_query=operationpayback>
* The Bogon Reference – Team Cymru -
<http://www.team-cymru.org/Services/Bogons/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA12-024A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with “TA12-024A Feedback INFO#919868″ in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2012 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 24, 2012: Initial release
If you require assistance with DDoS or any other security need for your Greenville or Upstate SC business, please call upon us at 864.990.4748 or email info@homelandsecureit.com
So you have been cruising along at your business for years and all has been great, but now, out of the blue, people on your network are having trouble viewing websites.
You found that if you reboot that firewall (pull the plug on the thing since there is no power supply) that YOU get back online right away, but then later that day, someone else on the network is now having trouble accessing websites so you reboot the firewall and all is well, for a while.
What could it be? It MUST be the firewall going bad since that fixes it.
Before jumping to that conclusion and just replacing the device, think back. Has your company grown? Maybe you have added a few new employees, or, maybe you have added tablets or other connected devices.
What could be happening here is that you have added one too many devices to your network and exceeded the number of seats that your firewall appliance supports. When you originally purchased that device, a technician counted the number of computers, servers and connected devices and said “You need a 25 user firewall and it will cost $xxx.xx”, to which you agreed and promptly forgot about.
Now, flash forward to today and your 12 users and a server have grown to 15 users, two servers and many people have iPads or Android tablets or phones, taking you past the 25 user limit. The last person to connect once you go over the limit will generally be denied access to websites by the firewall, as a warning that you have exceeded the license terms, and it probably won’t “reset” just by turning that computer off, you will have to reboot the firewall to free unused seats up.
So what are you going to do about it? I guess you could tell the employees to stop connecting their personal phones to your network, or you could replace the firewall with a cheap router that has no limitations.
Both will work, but are bad ideas.
The real solution is to correct the licensing issue. Determine how many connected devices you have within your network, and estimate how many you will need for the next year, then talk to a vendor who can provide the proper licenses and apply those for you. Don’t forget to include VoIP and security systems, even copiers and connected printers, as they may require a seat too.
If you are experiencing rapid growth, consider upgrading to an unlimited license.
Just a note – If you have an old device, say 4-5 years old, now may be the time to consider upgrading the entire device to the latest technology at the same time you correct the user limitation!
Should you require help with this, Homeland Secure IT offers sales and support of most major brands of firewalls. We partner with Cisco, WatchGuard, SonicWALL, TrendNet, D-Link, NetGear and more! Call us for more information in the Greenville / Upstate SC area – 864.990.4748 or email info@homelandsecureit.com
Watchguard, provider of quality firewall and security products for small, media and enterprise business made a “Social Media Release” today that outlines a list of PCI Pitfalls for Retailers.
It is quoted below in its entirety but can be found here.
I’ll be posting about the new WatchGuard XTM 33 designed for Small/Medium businesses, and may be ideal for retailers!
Should you wish to purchase a WatchGuard product, receive more information or support, please call us at 864.990.4748 or email info@homelandsecureit.com… We are a WatchGuard partner!
—
Social Media Release:
WatchGuard Lists PCI Pitfalls for Retailers
NEW YORK (January 16, 2012) – WatchGuard Technologies
Highlights / News Facts:
Businesses that process, transmit or store cardholder data must implement security controls as defined by the latest PCI DSS standard. The following are the nine common PCI DSS compliance pitfalls that many retailers fall into and tips to avoid them.
- 1) Faulty firewall installation or configuration
Many DIY (do it yourself) projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls. Best practice: Use security certified technicians or trained resellers to ensure firewall configurations are proper and up to date; regularly audit firewall configurations as people and IT resources constantly change. - 2) Relying on vendor supplied defaults for system passwords
Not only is it critical to change vendor supplied default passwords, be sure to use something other than “password” as a password. According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567,
letmein, 9) trustno1, and 10) dragon. Best practice: Change vendor settings and utilize strong passwords. - 3) Failing to utilize IPS to protect stored cardholder data
There are multiple ways to help protect stored cardholder data. One key technology that is often overlooked is IPS (intrusion prevention systems). IPS is to hackers as anti-virus is to viruses. IPS keeps hackers out and helps cardholder data stay safe. Best practice: Make sure intrusion prevention systems (IPS) are up and running. - 4) Not encrypting transmission of cardholder data across open, public networks
Encryption is a key component to PCI DSS compliance. A common problem occurs in the transmission of credit card data, which is often done in unencrypted email. Best practice: Use encryption everywhere, and especially in email systems where any type of sensitive information may be transmitted. - 5) Failing to use and regularly update anti-virus software or programs
Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats right at the entry point of a network. Using gateway AV adds an additional layer of defense at the primary point of attack, and because it functions at the gateway, users see no degradation of performance on their local computer. Best practice: Use gateway AV in addition to endpoint AV for maximum defense in depth. - 6) Not maintaining secure systems and applications
Many businesses do a good job at maintaining secure systems, however what is often overlooked in today’s social media business world is application security. Most firewalls are incapable of distinguishing a web application from a website. Because of this, crafty cyber-crooks create web applications as a way to sneak past the firewall and steal cardholder data. Best practice: To gain control over web applications, businesses utilize the latest generation of UTMs and firewalls that include application control. - 7) Providing access to cardholder data to those who do not need to know
About 80 percent of security violations happen from within an organization. In order to reduce that figure, businesses should use the “least privilege rule,” which parallels the same concept of “need to know.” Users should be granted the minimum necessary permissions and privileges that are required for them to accomplish their jobs. When employees have access to data that they should not, bad things often result. Best practice: Use RBAC (role based access controls), separation of duties and other forms of “least privilege” to make sure data is restricted to those who absolutely must have access to it. - Forgetting to track and monitor all access to network resources and cardholder data
Unfortunately, many businesses take a “fire and forget” approach to network security; once the firewall is set, they forget to check the reports. Many security breaches can me mitigated early on simply by checking reports and logs on a regular basis. Best practice: Establish a routine of checking logs and reports to spot trouble before it blossoms into headline security news. - 9) Not having an information security policy
In order to meet PCI compliance, businesses must create an information security policy that is up to date, and that addresses the security requirements as proscribed by PCI DSS. This should also include operational security, system usage, security management and other related policies. Best practice: Get IT, HR and other business stakeholders to regularly review information security policies.
Keywords:
PCI DSS, Network Security, Firewall, Cardholder Data, Passwords, Encryption, IPS, Anti-Virus, Application Control, Next-Generation UTM, Policy
Quote:
- “The PCI DSS standard is a model that many businesses – even non-retailers can look to in order to maintain best security practices,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “The devil is in the details when it comes to security. Hopefully, this quick list helps remind businesses owners and IT management that little things can make a big difference in preventing data loss.”
We have been informed by our Charter rep that starting today (January 10, 2012), Charter is starting an initiative focused on removing older generation docsis 1 and 1.1 modems from the customer user base that currently subscribes to MAX, PLUS and ULTRA.
The email included the following information:
- This is a company-wide project focused on technically positioning our customer base for advanced HSI products and increased speeds.
- The communication is handled via a browser message that will alert only those customers with older docsis 1 or 1.1 modems and asking them swap.
- Replaced at no cost to the customer, including customer owned modems. See sample screenshot image below…
- The customer will communicate with us via phone at 877.739.0427 or use the browser link to expedite the delivery.
- All modems will be sent via mail to the mailing address on the account. (again, at no cost to the customer)
- The modems will be mailed as a self install kit from a central distribution center.
Here’s the link: https://connect.charter.com/replacemodem/
If you have any questions about Charter internet, phone or television, either home or business, please call us at 864.990.4748 or email info@homelandsecureit.com
Satellite internet connections have been around for a while, and if you have used that technology, you have likely been disappointed.
Hughes probably has the highest market penetration, and those using it have been quick to complain about caps and upload speed.
This is where ViaSat comes in. They revealed their home satellite system at CES and Engadget has a pretty good write-up with a video that tells more about the 12 Mbps down/3 Mbps up service that runs $50.oo per month.
What is left out is what types of data caps they may have.
I’ve written a number of blog posts about the RIAA, and how people have been wrongfully accused of stealing (pirating) by the RIAA, and law suits threatened.
Well, it appears, that someone at the RIAA has been doing a little illegal downloading of their own, though the RIAA claims it was not them.
Here’s more information:
http://torrentfreak.com/riaa-someone-else-is-pirating-through-out-ip-addresses-111221/
So secure those access points, and disable unused network jacks in public locations to keep from receiving a nasty-gram because someone else is using your internet connection to download.
If you need help securing your business or home, we can help in the Greenville / Upstate, SC area. We can even help the RIAA. Call us at 864.990.4748 or email info@homelandsecureit.com
Visit this site http://www.youhavedownloaded.com/ and hopefully you will see something like this:
Wow!!
Are you sure you and your friends don’t work for the RIAA? Maybe Sony or Universal? Maybe you’re both just really good at covering your tracks. Either way, congratulations, neither you or your friends and family returned any results from our crawlers. Tonight, you can jump into bed, open up Netflix or iTunes and sleep comfortably knowing that you’ve been a well-behaved, law-abiding internet user. But remember, there’s always tomorrow.
There’s… always… tomorrow…
—
You Have Downloaded keeps tabs on who downloads what from torent sites. If I had a large company using one IP address, I would be checking that site regularly, in spite of having firewalls, filters, policies in place, just to make sure someone didn’t come knocking at my door because of one bad person on the network, or maybe because of a wireless access point that was not secured.
This came in email from our Charter rep and may be of interest to you if you have not already seen this:
Charter Ups Broadband Speeds Again, Bumps Top Tier to 100 Mbps –
DiGeronimo says DSL is Basically Archaic
Original Publication Date: 12/1/2011
Original News Source: Multichannel News
By Todd Spangler — Multichannel News, 12/1/2011 3:00:00 PM
Looking to kick more sand in the face of DSL, Charter Communications is increasing connection speeds of its three top broadband tiers — Express, Plus and Ultra, which will now provide downloads of up to 100 Megabits per second — at no additional cost for subscribers.
The speed boosts are the MSO’s fourth in the last three years. The faster speeds will take effect in markets with DOCSIS 3.0 technology deployed, which represents approximately 95% of Charter’s service area.
“As customers share multiple devices on a single connection, we want to send a very strong message: DSL is basically archaic,” said Rich DiGeronimo, Charter’s senior vice president of product and strategy.
Charter is increasing Internet Express downstream speeds from 12 Mbps to up to 15 Mbps, and increasing upstream speeds from 1 Mbps to up to 3 Mbps. Internet Plus downstream speeds are being increased from 18 Mbps to up to 30 Mbps, and upstream speeds are being increased from 2 Mbps to up to 4 Mbps.
In addition, Charter’s fastest residential offering is increasing from 60 Mbps to 100 Mbps — with Ultra100 providing 100 Mbps downstream and 5 Mbps upstream. Charter’s Internet Lite tier will remain 3 Mbps down.
The midlevel Plus tier, at 30/4, is now faster than the fastest AT&T U-verse Internet service available. Charter’s footprint overlap with AT&T is 60%, although U-verse is not available in all of those areas.
“We believe we have an advantage in this space,” DiGeronimo said. “The thirst for speed is only growing.”
Charter is offering Express for $19.99 per month for 12 months to new customers, Plus for $29.99 per month. Ultra100 is $40 more per month than the Express tier.
“We’re not asking for more money. It’s really about differentiation,” DiGeronimo said. About 90% of Charter’s broadband customers take either Express and Plus service.
Charter’s broadband services are subject to different usage thresholds. Customers with Lite and Express tiers are allotted at 100 Gigabytes of bandwidth usage per month, while those on the Plus and Max services have a threshold of 250 GB per month. The Ultra100 tier will be capped at 500 GB per month; previously, the Ultra60 tier did not have a maximum usage limit. Charter currently does not charge overage fees for those who exceed the thresholds; however, users’ accounts may be suspended for repeated violations.
Charter also is increasing speeds for business customers, bumping up commercial Internet speeds at no cost for two of its most popular services, Charter Business Internet Essentials16 and 25. The speed increase will take place in approximately 95% of Charter’s service areas nationwide.
Specifically, the speed increases are: Internet Essetials16, with download speeds of 16 megabits per second (Mbps) and upload speeds of 2 Mbps, will increase to up to 20 Mbps download and up to 3 Mbps upload; and Internet Essentials25, with download speeds of 25 Mbps and upload speeds of 3 Mbps, will increase to up to 30 Mbps download and up to 4 Mbps upload — which the MSO notes is at least 6 times faster than 5 Mbps DSL service and 20 times faster than T1 lines. Charter’s fastest commercial offerings, Pro50 and Pro100, remain the same, providing up to 50 Mbps download/5 Mbps upload and up to 100 Mbps download/5 Mbps upload, respectively.
—
Homeland Secure IT loves Charter! We help Greenville & Upstate South Carolina individuals & businesses get connected with high speed internet all the time and Charter, especially Charter Business, has the highest customer satisfaction of any of the ISPs we work with. If you are feeling the need for speed, email us at info@homelandsecureit.com or call 864.990.4748 and we can assist you in the search for the best service and the best price!
