
Homeland Secure IT Alert

Secure IT Alert for Thursday, February 2, 2012

If you are running Mac OS X 10.6.x (Snow Leopard) or OS X 10.7.x (Lion), you are vulnerable to the flaws that these patches correct.

These security flaws could allow an attacker to execute code on your computer after you visit a malicious web site or download/view affected documents or files, or cause a denial of service (DoS) or even an elevation of privileges.

How do you fix this? Apple has released OS X Security Update 2012-001 and OS X 10.7.3 to fix these security problems – UPDATE ASAP.

The 52 security vulnerabilities affect 27 components of OS X and OS X Server. Some of the affected software includes Apache, OpenGL, PHP, QuickTime and Time Machine.

A few examples:

Buffer overflow vulnerability in ImageIO – Viewing a malicious image could crash an application or execute code on your computer. The upside is, it would only execute with your privileges.

Buffer overflow vulnerability in CoreAudio – Playing a malicious audio file could crash your system or execute code with your privileges.

QuickTime vulnerabilities – Six of these babies could mean that opening a malicious image or video in QT executes code with your privileges.

The full update information can be found at http://support.apple.com/kb/HT5130

Should you require assistance in applying these updates, do not hesitate to call us in the Greenville or Upstate SC area at 864.990.4748 or email info@homelandsecureit.com


If you are using pcAnywhere to remotely access your computer, you probably want to go read the “pcAnywhere Security Recommendations” posted by Symantec.

http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

The danger is that someone so inclined could potentially access your computer through vulnerabilities exposed from old source code, and gain full access to your computer, files and your network.

To sum it up, disabling pcAnywhere is a surefire way to protect yourself and your company.

If you have questions about this or any other security issue in the Greenville or Upstate SC area, please call upon Homeland Secure IT at 864.990.4748; we can help set your mind at ease.

Anonymous has made the news lately with their attacks on many sites, with the most prominent being government sites. US-CERT released this info yesterday:


National Cyber Alert System

Technical Cyber Security Alert TA12-024A

“Anonymous” DDoS Activity

Original release date: January 24, 2012
Last revised: –
Source: US-CERT

Overview

US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective “Anonymous” allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).

I. Description

US-CERT has evidence of two types of DDoS attacks: one using HTTP GET requests and another using a simple UDP flood.

The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool associated with previous Anonymous activity. US-CERT has reviewed at least two implementations of LOIC. One variant is written in JavaScript and is designed to be used from a web browser. An attacker can access this variant of LOIC on a website and select targets, specify an optional message, throttle attack traffic, and monitor attack progress. A binary variant of LOIC includes the ability to join a botnet to allow nodes to be controlled via IRC or RSS command channels (the “HiveMind” feature).

The following is a sample of LOIC traffic recorded in a web server log:

"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

The following sites have been identified in HTTP referrer headers of suspected LOIC traffic. This list may not be complete. Please do not visit any of the links as they may still host functioning LOIC or other malicious code.


The following are the A records for the referrer sites as of January 20, 2012:


The HTTP requests contained an “id” value based on UNIX time and a user-defined “msg” value, for example:

GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

Other “msg” examples:

msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406 http://pastehtml.com/view/bl7qhhp5c.html
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!

The “msg” field can be arbitrarily set by the attacker.

As of January 20, 2012, US-CERT has observed another attack that consists of UDP packets on ports 25 and 80. The packets contained a message followed by variable amounts of padding, for example:

66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........

Target selection, timing, and other attack activity is often coordinated through social media sites or online forums.

US-CERT is continuing research efforts and will provide additional data as it becomes available.

II. Solution

There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.

* Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
* The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
* Maintain contact information for firewall teams, IDS teams, network teams and ensure that it is current and readily available.
* Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
* Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
* Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
* Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
* Implement a bogon block list at the network boundary.
* Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
* Separate or compartmentalize critical services:
    * Separate public and private services
    * Separate intranet, extranet, and internet services
    * Create single purpose servers for each service such as HTTP, FTP, and DNS
* Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.

III. References

* Cyber Security Tip ST04-015 - <http://www.us-cert.gov/cas/tips/ST04-015.html>
* Anonymous's response to the seizure of MegaUpload according to CNN - <http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>
* The Internet Strikes Back #OpMegaupload - <http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>
* Twitter Post from the author of the JavaScript based LOIC code - <http://www.twitter.com/#!/mendes_rs>
* Anonymous Operations tweets on Twitter - <http://twitter.com/#!/anonops>
* @Megaupload Tweets on Twitter - <http://twitter.com/#!/search?q=%2523Megaupload>
* LOIC DDoS Analysis and Detection - <http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>
* Impact of Operation Payback according to CNN - <http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>
* OperationPayback messages on YouTube - <http://www.youtube.com/results?search_query=operationpayback>
* The Bogon Reference – Team Cymru - <http://www.team-cymru.org/Services/Bogons/>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA12-024A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with “TA12-024A Feedback INFO#919868” in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2012 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

January 24, 2012: Initial release

 

If you require assistance with DDoS or any other security need for your Greenville or Upstate SC business, please call upon us at 864.990.4748 or email info@homelandsecureit.com
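To turn the HTTP GET signature described in the alert above into something a web server owner can run against their own access log, here is an added example written for this post (it is not code from US-CERT or from Homeland Secure IT). It assumes Apache "combined" log format, the sample log lines are constructed, and the only indicator taken from the alert is the pastehtml.com referrer host, used as a secondary signal behind the structural id/msg check:

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache "combined" access-log layout (an assumption: the alert quotes only
# the request/status/size/referrer/user-agent tail of each line).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referrer host from the sample log line quoted in TA12-024A. Secondary
# signal only: the structural id/msg check below needs no indicator list.
LOIC_REFERRER_HOSTS = {"pastehtml.com"}

def parse_combined(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def loic_signature(entry, slack_s=900):
    """Return the decoded msg if the entry matches the LOIC GET pattern from
    the alert: path "/" with id=<UNIX time in ms> and msg=<free text>. The id
    must be 13 digits within slack_s seconds of the server's own timestamp."""
    if entry["method"] != "GET":
        return None
    url = urlparse(entry["target"])
    if url.path != "/":
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if "id" not in qs or "msg" not in qs:
        return None
    ident = qs["id"][0]
    if not (ident.isdigit() and len(ident) == 13):
        return None
    logged = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    if abs(int(ident) / 1000 - logged) > slack_s:
        return None
    return qs["msg"][0]  # parse_qs has already percent-decoded it

def scan_log(lines, slack_s=900):
    """Aggregate LOIC-style hits per client IP: request count, distinct
    decoded msg values, and whether a known LOIC referrer host was seen."""
    hits = {}
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        msg = loic_signature(entry, slack_s)
        if msg is None:
            continue
        rec = hits.setdefault(
            entry["ip"], {"count": 0, "msgs": set(), "known_referrer": False})
        rec["count"] += 1
        rec["msgs"].add(msg)
        if (urlparse(entry["referer"]).hostname or "") in LOIC_REFERRER_HOSTS:
            rec["known_referrer"] = True
    return hits

# Constructed sample log: line 1 carries the exact request tail quoted in the
# alert; the rest are ordinary traffic and a near-miss with an implausible id.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"',
    '10.0.0.5 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014400612&msg=stop%20SOPA!! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0"',
    '192.0.2.9 - - [19/Jan/2012:23:06:50 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Jan/2012:23:07:02 +0000] "GET /?id=42&msg=hi HTTP/1.1" 200 99406 "-" "curl/7.21"',
]
```

Running `scan_log(SAMPLE_LOG)` flags only 10.0.0.5 (two hits, both decoded messages, known referrer), which is the per-source summary you would hand to your ISP or hosting provider under the SOP the alert recommends.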

WatchGuard, provider of quality firewall and security products for small, medium and enterprise businesses, made a “Social Media Release” today that outlines a list of PCI pitfalls for retailers.

It is quoted below in its entirety but can be found here.

I’ll be posting about the new WatchGuard XTM 33, which is designed for small/medium businesses and may be ideal for retailers!

Should you wish to purchase a WatchGuard product, receive more information or support, please call us at 864.990.4748 or email info@homelandsecureit.com… We are a WatchGuard partner!

Social Media Release:
WatchGuard Lists PCI Pitfalls for Retailers

NEW YORK (January 16, 2012) – WatchGuard Technologies

Highlights / News Facts:

Businesses that process, transmit or store cardholder data must implement security controls as defined by the latest PCI DSS standard. The following are the nine common PCI DSS compliance pitfalls that many retailers fall into and tips to avoid them.

  • 1) Faulty firewall installation or configuration
    Many DIY (do it yourself) projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls. Best practice: Use security certified technicians or trained resellers to ensure firewall configurations are proper and up to date; regularly audit firewall configurations as people and IT resources constantly change.
  • 2) Relying on vendor supplied defaults for system passwords
    Not only is it critical to change vendor supplied default passwords, be sure to use something other than “password” as a password. According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567, 8) letmein, 9) trustno1, and 10) dragon. Best practice: Change vendor settings and utilize strong passwords.
  • 3) Failing to utilize IPS to protect stored cardholder data
    There are multiple ways to help protect stored cardholder data. One key technology that is often overlooked is IPS (intrusion prevention systems). IPS is to hackers as anti-virus is to viruses. IPS keeps hackers out and helps cardholder data stay safe. Best practice: Make sure intrusion prevention systems (IPS) are up and running.
  • 4) Not encrypting transmission of cardholder data across open, public networks
    Encryption is a key component to PCI DSS compliance. A common problem occurs in the transmission of credit card data, which is often done in unencrypted email. Best practice: Use encryption everywhere, and especially in email systems where any type of sensitive information may be transmitted.
  • 5) Failing to use and regularly update anti-virus software or programs
    Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats right at the entry point of a network. Using gateway AV adds an additional layer of defense at the primary point of attack, and because it functions at the gateway, users see no degradation of performance on their local computer. Best practice: Use gateway AV in addition to endpoint AV for maximum defense in depth.
  • 6) Not maintaining secure systems and applications
    Many businesses do a good job at maintaining secure systems, however what is often overlooked in today’s social media business world is application security. Most firewalls are incapable of distinguishing a web application from a website. Because of this, crafty cyber-crooks create web applications as a way to sneak past the firewall and steal cardholder data. Best practice: To gain control over web applications, businesses utilize the latest generation of UTMs and firewalls that include application control.
  • 7) Providing access to cardholder data to those who do not need to know
    About 80 percent of security violations happen from within an organization. In order to reduce that figure, businesses should use the “least privilege rule,” which parallels the same concept of “need to know.” Users should be granted the minimum necessary permissions and privileges that are required for them to accomplish their jobs. When employees have access to data that they should not, bad things often result. Best practice: Use RBAC (role based access controls), separation of duties and other forms of “least privilege” to make sure data is restricted to those who absolutely must have access to it.
  • 8) Forgetting to track and monitor all access to network resources and cardholder data
    Unfortunately, many businesses take a “fire and forget” approach to network security; once the firewall is set, they forget to check the reports. Many security breaches can be mitigated early on simply by checking reports and logs on a regular basis. Best practice: Establish a routine of checking logs and reports to spot trouble before it blossoms into headline security news.
  • 9) Not having an information security policy
    In order to meet PCI compliance, businesses must create an information security policy that is up to date, and that addresses the security requirements as proscribed by PCI DSS. This should also include operational security, system usage, security management and other related policies. Best practice: Get IT, HR and other business stakeholders to regularly review information security policies.

Keywords:

PCI DSS, Network Security, Firewall, Cardholder Data, Passwords, Encryption, IPS, Anti-Virus, Application Control, Next-Generation UTM, Policy

 

Quote:

  • “The PCI DSS standard is a model that many businesses – even non-retailers – can look to in order to maintain best security practices,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “The devil is in the details when it comes to security. Hopefully, this quick list helps remind business owners and IT management that little things can make a big difference in preventing data loss.”

Microsoft rings in the new year with updates!  HAPPY NEW YEAR!!!!

The Advance Notification outlines 7 bulletins that cover updates from “important” to “critical” in Microsoft Windows (XP / Server 2003 / Vista / Server 2008) and Microsoft Developer Tools & Software.

Most will require a restart, or at least MAY require a restart.

On the Advance Notification page you can find out more about the updates coming your way on January 10th.

If you require assistance with these updates or any other security issue in the Greenville / Upstate SC area please call us at 864.990.4748 or email info@homelandsecureit.com

This is kind of old news, but seeing a blog post by someone else today reminded me that it is not patched yet…

Apple Safari web browser can be used as an avenue that would allow malicious code on a web site to be run with whatever privileges you have on that computer.

Here’s an actual security bulletin you can read about this:

https://secunia.com/advisories/47237/

Until this is patched for sure, I believe I would not be using the Apple Safari browser on a Windows 7 machine.  Just my two cents.

Remember the flaw that was announced around the beginning of December 2011, where hackers could possibly cause HP printers to burst into flames?

Well, HP released a fix for that a week or so back… However, they didn’t mention the fire issue.

Nonetheless, you may wish to consider upgrading.

Should you require assistance applying updates to your devices, servers or computers in the Greenville or Upstate SC area, you can call upon us at 864.990.4748 or email info@homelandsecureit.com

 

I’ve written a number of blog posts about the RIAA, and how people have been wrongfully accused of stealing (pirating) by the RIAA and threatened with lawsuits.

Well, it appears that someone at the RIAA has been doing a little illegal downloading of their own, though the RIAA claims it was not them.

Here’s more information:

http://torrentfreak.com/riaa-someone-else-is-pirating-through-out-ip-addresses-111221/

So secure those access points, and disable unused network jacks in public locations to keep from receiving a nasty-gram because someone else is using your internet connection to download.

If you need help securing your business or home, we can help in the Greenville / Upstate, SC area. We can even help the RIAA.  Call us at 864.990.4748 or email info@homelandsecureit.com

 

Visit this site http://www.youhavedownloaded.com/ and hopefully you will see something like this:

Wow!!

Are you sure you and your friends don’t work for the RIAA? Maybe Sony or Universal? Maybe you’re both just really good at covering your tracks. Either way, congratulations, neither you or your friends and family returned any results from our crawlers. Tonight, you can jump into bed, open up Netflix or iTunes and sleep comfortably knowing that you’ve been a well-behaved, law-abiding internet user. But remember, there’s always tomorrow.
There’s… always… tomorrow…

You Have Downloaded keeps tabs on who downloads what from torrent sites. If I had a large company using one IP address, I would be checking that site regularly, in spite of having firewalls, filters and policies in place, just to make sure someone didn’t come knocking at my door because of one bad person on the network, or maybe because of a wireless access point that was not secured.

 

In the last 24 hours, I have spoken with or assisted at least 3 people who have become infected due to opening a malicious email.

One of them was my wifey, Pamela, who received an email from the US Postal Service stating that her package had been refused and to open the attached file for details. Due to her old Microsoft Windows Vista system, which without question should be updated, the payload from the trojan was dropped and she was without her computer for 3 hours while over 300,000 items were scanned again and again and her icons were restored so she could use her desktop.

What is happening is a bit of social engineering. The emails appear to come from someone you trust, in this case the Post Office, and they appear to have important information, just too good to pass up. A busy worker may be momentarily fooled, and likely, at the very moment they click on the item, they think, “Ohhh, I bet I shouldn’t have done that”, but it is too late.

How can you keep from becoming a victim of this type of exploit?

  • Avoid using unpatched Microsoft Windows systems! When updates are released, install them.
  • Install all updates to important applications, such as Microsoft Office.
  • Install all updates to Adobe Reader, Flash, Acrobat, and to JAVA.
  • Keep current and trustworthy anti-virus such as Trend Micro Titanium 2012 on all your computers.
  • Use caution when opening attachments. Ask yourself why the USPS would be sending you an email, and why the information would be in an attachment, before clicking on it.

Before I get responses such as “Macs do not have that problem”, yes, Apple Mac OS X does have that problem. We have dealt with almost as many Mac security issues this year as we have Windows 7. Regardless of the Operating System, a little common sense and preventative maintenance goes a long way!

Should you need help with a virus cleanup or virus removal for your personal computer or your business, we can help. We also partner with Trend Micro to offer Worry-Free, Trend Micro Titanium, and the entire outstanding line of Trend Micro anti-virus, anti-spyware, anti-spam and anti-everything software, just give us a call at 864.990.4748 or email info@homelandsecureit.com.

© 2012 Homeland Secure IT - Blog-O-Rama