May 21, 2012

About Joe Hackman

Chief Information Officer to many. Technology Advocate, Entrepreneur, Blogger, Podcaster, Gadget and Tech Enthusiast. Celebrating my 15th year as founder of Managed Solutions.

Phishing Email from FDIC targets Businesses

It’s tax season and we’ve already seen the tax-related phishing emails showing up in our inbox. Early this morning a new phishing scheme was detected that targets businesses with emails purporting to come from the FDIC. If you take the time to inspect where the link actually points (hover over it, or read the message source) it is easy to determine that the message is a phish. Here is a screenshot of the message:

FDIC Phishing Email Screenshot

For your convenience and to learn more on how to protect yourself you can also check out this video:

Video not displaying? You can also view it on Youtube.

Here is the entire text of the message (added to properly index this article with the search engines):

Attn: Financial Department

By this message we would like to inform you about the recent alterations in the FDIC insurance coverage for transaction accounts.

During the period from December 31, 2010 to December 31, 2012 all the money in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation. Please note, that this measure is temporary and separate from the FDIC’s common deposit insurance regulations.

The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which no interest is paid by the insured depository institution.

For detailed information about temporary FDIC insurance coverage of transaction accounts, please view the official site link.

Yours sincerely,
Tad Melendez.

Federal Deposit Insurance Corporation
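The "evaluate the link" step above is mechanical enough to script. What follows is an added example, not code from the original post: it pulls every link out of an HTML message body and flags any whose real destination is outside the domain the message claims to come from, including the classic trick where the visible text looks like an fdic.gov URL but the href goes somewhere else. The sample message is constructed in the style of the one quoted above; its attacker hostname is invented, and the trusted-domain set is an assumption.

```python
"""Flag links in an HTML email whose destination does not match what the
message claims. Added example (not from the post); the sample message below
is constructed and its attacker domain is made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the message claims to come from. Assumption: the FDIC's real site.
TRUSTED_DOMAINS = {"fdic.gov"}

# Constructed sample in the style of the message quoted above. The hrefs are
# invented; the real phish's link is not reproduced here.
SAMPLE_EMAIL = """
<p>For detailed information about temporary FDIC insurance coverage of
transaction accounts, please view the
<a href="http://fdic.gov.insurance-update-center.net/coverage.php">official site link</a>.</p>
<p>Questions? <a href="http://198.51.100.23/secure/">https://www.fdic.gov/deposits</a></p>
<p>Yours sincerely,<br><a href="http://www.fdic.gov/">www.fdic.gov</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare host string, lower-cased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_trusted(host, trusted):
    """Exact match or a subdomain of a trusted domain; 'fdic.gov.evil.net' is neither."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, visible_text, reason) for every link that leaves the trusted domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if is_trusted(target, trusted):
            continue
        reason = f"points off the expected domain to {target}"
        # If the anchor text itself looks like a URL or host, compare what is
        # shown with where the link really goes.
        shown = host_of(text) if "." in text else ""
        if shown and shown != target:
            reason = f"visible text shows {shown} but href goes to {target}"
        findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"[{text!r}] {reason}")
```

Run against the sample it reports two links: the "official site link" that goes to the look-alike domain, and the one whose text shows an fdic.gov address while the href is a bare IP. The genuine www.fdic.gov link passes. The same parser works on a saved .eml body once you have extracted the text/html part.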


Twitter Phishing DM and Fake Twitter Website in the Wild

Please be very careful following any hyperlinks on Twitter. Tonight I received a direct message from someone I am following on one of my accounts. The message includes a link to a fake Twitter website that appears to be the way this user was originally compromised. Watch the video (updated 1/16/2012) if you want to see exactly how it looks and works.

Browser doesn’t show flash or video not displaying? You can also view it on Youtube.

Updated 1/14/2012 10:25PM UTC-8: Chrome is already reporting the URL in the video as a suspected phishing site.

Phishing Site

Updated 1/15/2012 7:05PM UTC-8: The fake site is still up and running. I decided to go and report it to the ISP, unfortunately it’s in China and they probably won’t do anything about it.
Who Owns it?

Updated 1/16/2012 11:33PM UTC-8: This thing is picking up steam in spite of efforts to build awareness. If you receive one of these messages, be sure to tell the person who sent it to you to change their Twitter password. Presently whoever is harvesting these accounts is not locking the owner out by changing the password. This could change at any point. Also keep in mind that if you use the same password for multiple things you should change the others too, as this password list is likely to circulate in nefarious circles. Here is a Tweet spotted tonight after just glancing at the Twitter stream.

Warning about DM Spam

Updated 1/17/2012 2:39PM UTC-8: Surprisingly something simple that would be dead if it wasn’t hosted in China (any ISP in the USA/Western Countries would have taken this site offline within 6-8 hours) appears to be gaining steam. A coalition of humorous and fed up folks setup a gag site about it. I won’t ruin it for you, you can check it out at didyouseewhattheysaid.com. I will say this, I got a chuckle out of it.


2 Things Everyone Needs to Know about the WPS Vulnerability

I Promise Not to Own your Wifi

You may have heard recently that there is a vulnerability affecting many wireless access points. It has to do with Wi-Fi Protected Setup (WPS), a feature that is supposed to make it easier to add devices to your wireless network. The problem is that the WPS PIN method can be brute-forced: because the access point confirms each half of the 8-digit PIN separately, an attacker within range of your wireless signal needs at most about 11,000 guesses to recover the PIN, and with it the WPA/WPA2 passphrase, after which they can join the network and change settings on your device. Once the foot is in the door there are many other things that can be done, especially if you have unprotected devices on your network.

The two things you should know if you own or are responsible for any wireless access points are:

  1. There is no practical universal solution to the problem.
  2. You may have to use the hacking tools themselves to be 100% certain you are not vulnerable.

If you feel you have anything someone might want to steal, the smartest thing might be to just disconnect the wireless access point or turn it off. Then live without it until the manufacturer has clear information on your make and model of wireless device. Of course if your wireless access point is also your Internet Router this could be problematic.

There are more questions than answers right now, and while you can’t tell with certainty that you are not vulnerable, a list is being compiled of devices that have been confirmed to be vulnerable. You can access the WPS Vulnerability Testing Document to find devices that have been confirmed. Turning WPS off in the router’s web interface is the obvious fix, but on some firmware that setting has been reported not to stop the device from answering WPS requests, which is why the list (and the testing tools themselves) matter: a WPS scanner such as wash, bundled with the reaver tool, will show whether your access point still advertises WPS after you have disabled it.
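To see why the brute force is practical, here is an added example that is not code from the post or from any of the tools it links to. It models the behaviour US-CERT describes in VU#723755 (the access point rejects a wrong first half of the PIN at message M4 and a wrong second half at M6, and the eighth digit is a checksum of the first seven) and then recovers a PIN from a simulated access point, counting the guesses. The access point class is a stand-in for real radio code, and the PINs used are the well-known 12345670 test value and a constructed worst case.

```python
"""Why the WPS PIN brute force described in VU#723755 is cheap.

Added example, not code from the post. A simulated access point checks the
attacker's (external registrar's) PIN proof in two halves, as the note
describes, so the 8-digit PIN falls in at most 10^4 + 10^3 guesses."""

NAIVE_SPACE = 10 ** 8             # eight independent digits
CHECKSUM_SPACE = 10 ** 7          # last digit is a checksum of the first seven
SPLIT_SPACE = 10 ** 4 + 10 ** 3   # halves confirmed separately: what the attacker really faces


def wps_checksum(first7: int) -> int:
    """Eighth digit of a WPS PIN, computed from the first seven (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: int) -> bool:
    return 0 <= pin <= 99_999_999 and pin % 10 == wps_checksum(pin // 10)


class SimulatedAccessPoint:
    """Stand-in for an AP with WPS enabled and no lockout after failed attempts."""

    def __init__(self, pin: int):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails its own checksum")
        self._first = pin // 10_000    # digits 1-4
        self._second = pin % 10_000    # digits 5-8, including the checksum digit
        self.attempts = 0

    def try_pin(self, first_half: int, second_half: int) -> str:
        """Leaks which half was wrong, exactly the behaviour the vulnerability note describes."""
        self.attempts += 1
        if first_half != self._first:
            return "NACK at M4"
        if second_half != self._second:
            return "NACK at M6"
        return "M7 (success)"


def brute_force(ap: SimulatedAccessPoint) -> int:
    """Recover the PIN half by half; returns the full 8-digit PIN."""
    # Phase 1: at most 10,000 guesses until the first half stops failing at M4.
    for first in range(10_000):
        if ap.try_pin(first, 0) != "NACK at M4":
            break
    else:
        raise RuntimeError("no first half accepted; lockout, or not a WPS access point")
    # Phase 2: only three digits are free; the checksum fixes the eighth.
    for tail in range(1_000):
        second = tail * 10 + wps_checksum(first * 1_000 + tail)
        if ap.try_pin(first, second) == "M7 (success)":
            return first * 10_000 + second
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedAccessPoint(12345670)   # well-known example PIN; 0 is its checksum digit
    recovered = brute_force(ap)
    print(f"recovered {recovered:08d} after {ap.attempts} guesses "
          f"(worst case {SPLIT_SPACE}, versus {NAIVE_SPACE} if nothing leaked)")
```

The point a defender should take from this is the `try_pin` return value: the attack works only because the access point answers differently for a wrong first half and a wrong second half, and because nothing in the simulation locks the attacker out. A device that rate-limits or locks after a handful of failures turns 11,000 guesses into days or weeks, which is what the "WPS Locked" state some firmware implements is for.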

Known and potential solutions

Solutions to this issue will be updated here as they become available

Belkin (Does not note if this fully disables WPS!)

Netgear (Home Routers)

Additional Resources

Vulnerability Note VU#723755 (US-Cert)

Special thanks to @Shonali for sharing the Bart Simpson Chalkboard Generator.


Critical Java update and a stark reminder to update JAFO

Java Logo

The latest advisory for Oracle Java addresses a total of 20 vulnerabilities, 19 of which may be remotely exploitable. Remotely exploitable vulnerabilities are a very high information security priority because they can be triggered over the network, typically by a malicious web page or document, without the attacker having any prior access to the machine, which is what allows malware to propagate rapidly.

It’s time to add a new acronym

For some time now we’ve all learned that Windows/operating system updates are pretty important, but there are other attack vectors that also need to be addressed. Starting in early 2009 there was a huge increase in the volume of Adobe PDF and Java updates, and since then those two have become two of the most popular routes for computer exploitation. Add some recent nasty Flash exploits to that and you have the makings of a new acronym:

Always update JAFO:

Java
Acrobat
Flash
Operating System (Critical Updates Windows, etc)

Extra credit for the techie types, remember when Microsoft had their own Java Virtual Machine?

 


Duqu in the wild, not the drivers you were looking for.

Duqu not Dooku, Image Credit Tracheotomy Bob

The Duqu Remote Access Trojan (RAT) that hit the wild in Europe this week is not a character in the latest Star Wars movie. While it sounds like a George Lucas-inspired character, the name comes from the ~DQ prefix researchers noticed on the files this previously unknown malware creates. I am sure Dairy Queen is happy with their choice. Joking aside, this virus is no laughing matter. It appears to have been written by the authors of Stuxnet, or at least by someone with access to the Stuxnet source code. Stuxnet is the virus believed to have set back the Iranian nuclear program last year. Duqu is smaller than Stuxnet and appears designed to spy on infected computers rather than sabotage equipment: it combines a keystroke logger with a component that siphons data off the machine, and it removes itself after 36 days to limit the window in which it can be detected.

A new breed of threat

One disconcerting aspect of this particular Trojan is that the kernel driver in one variant was digitally signed with a code-signing certificate belonging to a legitimate company in Taiwan. That means Windows will load that driver as a legitimate one, just like a driver you’d download to support a new hardware device on your PC. Luckily the certificate has been revoked. This particular malware masks its presence on the infected machine quite well, which makes it a challenge to detect.

What can you do to protect yourself?

All of the best practices that apply to information security will help you avoid Duqu. This includes:

  1. Keeping your critical components up to date.
  2. Cautious web surfing and email habits.
  3. Avoiding public charging kiosks.
  4. Avoiding flash drives from unknown sources.

Did you already get infected? You might want to visit the post virus opportunity center.

Can we prevent this?

Seeing as the machines that were infected with this Trojan were hit while the exploit was still zero-day, it is prudent to consider what other means might have prevented the infection. If it turns out that this virus communicates with hosts in remote countries, a security solution I recently proposed would prevent the infection from transferring or downloading any information, rendering it useless.

More information

If you found this article helpful or interesting please share it with your friends.


Why all businesses should consider SEC Cyber Security Guidance

Cyber Security Sandia Labs Research

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations including before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not because of guidance from the SEC or specific directives such as HIPAA, but because it is the right thing to do. We as businesses are stewards of our clients’ critical information. In many cases prevention is less expensive than we might think, and much less expensive than the liability associated with failing to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.


Why did RSA allow traffic to a known Malware site?

SecurID Tokens

Samples of the ~40 million SecurID tokens RSA replaced as a result of the hack.


I am frustrated: the information disclosed by F-Secure about how RSA was hacked is appalling.

There are lots of layers to security and, in all fairness, I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA (a security firm!) opened an email that said just:

I forward this file to you for review. Please open and view it.

No signature, nothing, nada. It had an Excel file attached, "2011 Recruitment plan.xls". They opened it. They got infected by a zero-day Flash exploit (CVE-2011-0609) embedded in the Excel file.

RSA got “Owned”

I am frustrated because I know this happens every day all over the world, and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the apparatus that failed RSA in this case, but in the interest of time I am going to focus on one:

Why did RSA allow traffic to a known Malware site?

The site that the payload (Poison Ivy) contacted was mincesur.com which according to F-Secure:

“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

WHAT?!?!?

Then why on earth was RSA allowing its systems to access that site? I did an arin.net lookup for the IP address of mincesur.com (119.70.119.30):
whois for 119.70.119.30 mincesur.com
I can understand a company like RSA needing access to APNIC address space, though most of us do not. Specifically though, why would they route traffic to an address/domain that is known to be used in espionage attacks? Since we have already established that the user failed to identify the threat, what about the other devices and mechanisms that sat between the infected computer and that host?

Touch #1 – DNS Lookup

When the Poison Ivy payload asked DNS for the IP address of mincesur.com, the DNS servers at RSA promptly handed back the known threat’s IP address. It is possible, and useful, to add records for known malicious domains so that they resolve to something harmless such as loopback 127.0.0.1 (the payload then tries to connect to the local machine itself). Better still, point them at an internal sinkhole host that logs every connection, so that the beacon attempt itself tells you which machine is infected. Failed.

Bonus info: This can even be overridden and handled by a hosts file on an individual computer. (An example is at Malwarehelp.org)

Touch #2 – Antivirus Software

Endpoint Security software can block access to known malware websites. Failed.

Touch #3 – Router

One or more RSA routers were touched in the process. Without a router a computer cannot communicate with systems outside of its own network. Routers can maintain blacklists or null routes to drop traffic coming from or going to known malicious addresses. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.

Touch #4 – Proxy Server (Optional)

Many companies use a proxy server or transparent proxy server to store copies of frequently accessed files so they need not be downloaded every time. A proxy server can optionally be used to provide additional protection, including domain-based filtering. Since mincesur.com was a known malware domain this could easily have been blocked by a proxy server. Failed.

Touch #5 – Intrusion Detection/Prevention System (IDS/IPS – Optional)

These are usually signature-based devices that look for traffic matching a known malicious pattern, such as traffic coming from or going to a known malicious host, or the command-and-control traffic of a known RAT like Poison Ivy. Failed.

Touch #6 – Firewall

Even many small companies have firewall hardware. Firewalls allow for much more complex rules about what kind of traffic can go where, and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways that a properly configured firewall could have prevented this infection from calling home, starting with a default-deny rule for outbound traffic so that only explicitly permitted destinations (or the proxy) are reachable. Failed.
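The DNS step is the cheapest of the six touches to fix, so here is what it looks like in practice, as an added example that is not part of the original post: a resolver-side sinkhole (BIND response policy zone records, with a hosts-file fallback for single machines) for the domain F-Secure named, plus a query-log check that turns the sinkhole into a detector by listing every internal client that still asks for that domain. The sinkhole address and the query-log lines (written in BIND 9 query-log style) are constructed for the example.

```python
"""Sinkhole a known command-and-control domain at the resolver and pick out
the internal machines that still ask for it.

Added example, not from the post. The blocked domain is the one F-Secure named
in the write-up quoted above; the sinkhole address and the log lines are
constructed for the example."""
import re

BLOCKLIST = {"mincesur.com"}
SINKHOLE = "10.0.0.254"   # assumption: an internal host that accepts and logs every connection


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True for the domain itself and any subdomain; look-alikes such as
    mincesur.com.example.org do not match."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocklist)


def hosts_entries(blocklist=BLOCKLIST, sinkhole="127.0.0.1"):
    """Per-machine fallback for a hosts file. Hosts files cannot wildcard, so
    only the apex and www are covered; the resolver-side RPZ below is the real fix."""
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{sinkhole}\t{d}")
        lines.append(f"{sinkhole}\twww.{d}")
    return lines


def rpz_records(blocklist=BLOCKLIST, sinkhole=SINKHOLE):
    """BIND Response Policy Zone records (owner names relative to the RPZ zone origin)."""
    records = []
    for d in sorted(blocklist):
        records.append(f"{d}\tIN\tA\t{sinkhole}")
        records.append(f"*.{d}\tIN\tA\t{sinkhole}")   # every subdomain too
    return records


# Constructed log lines; the timestamps and client addresses are made up.
SAMPLE_QUERY_LOG = """\
12-Mar-2011 09:14:02.117 client 10.1.20.45#51234: query: www.google.com IN A + (10.1.1.5)
12-Mar-2011 09:14:05.901 client 10.1.20.45#51240: query: mincesur.com IN A + (10.1.1.5)
12-Mar-2011 09:14:06.004 client 10.1.20.77#40011: query: update.mincesur.com IN A + (10.1.1.5)
12-Mar-2011 09:14:09.330 client 10.1.20.45#51241: query: mincesur.com.example.org IN A + (10.1.1.5)
"""

LOG_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN ")


def infected_clients(log_text: str, blocklist=BLOCKLIST) -> dict:
    """Map each client IP to the sorted list of blocked names it looked up."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_blocked(m["name"], blocklist):
            hits.setdefault(m["ip"], set()).add(m["name"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    print("\n".join(rpz_records()))
    for ip, names in infected_clients(SAMPLE_QUERY_LOG).items():
        print(f"{ip} asked for {', '.join(names)} -> investigate this host")
```

Against the sample log this names 10.1.20.45 and 10.1.20.77 as hosts to investigate and ignores the look-alike mincesur.com.example.org. Pointing the records at an internal sinkhole rather than 127.0.0.1 is deliberate: a beacon to loopback fails silently, while a connection to the sinkhole host leaves a log entry you can alert on.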

Is it time to re-prioritize?

With so many chances to block this from happening, how is it that a company like RSA, which is in the business of security products, is not better protecting itself from threats? I’m sure they have made changes as a result, but for a company with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site, don’t you?

Is it time to push information security higher up the priority list?

Image credit br1dotcom, creative commons.


Why you should avoid Public Charging Kiosks

Universal Serial Bus (USB) was an extremely valuable development in the technology world. USB consolidated how we connect our smartphones, cameras, memory sticks and personal computers, and it also created a very easy way to charge mobile devices. Like any prolific technology, this ubiquity is not without its pitfalls, perhaps most significantly for information security.

In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While vendors have made headway, including a reduction in “Autorun” infections, USB-capable devices have been subjected to a number of additional threats. It is these threats that prompted this update, to arm you with knowledge so you can better protect yourself.

Juice Jacking

While it sounds like a way criminals might steal electricity, it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging USB-capable devices such as an Android phone or iPhone. The catch is that the same USB connector carries both power and data, so whatever is on the other end of the kiosk’s cable can talk to your phone, not just charge it. Imagine plugging into one of these kiosks and getting your smartphone or portable device infected with malware. Once infected, your mobile device can then propagate that malware to your PC, Mac or any other computer you connect it to in the future. Then, using an autorun vulnerability, that malware can infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:

Don’t plug your phone into any public USB outlet or charging kiosk, carry your own charger and use an electrical outlet.

Your own personal charger is your protection (pictured below, left): it converts the Alternating Current (AC) from the wall outlet to the DC a USB device charges from, and, unlike a kiosk, there is nothing on the other end of the data lines. A charge-only cable or a data-blocking adapter that passes only the power pins does the same job if you must use a USB port you don’t control. You can also just use your own laptop and a USB cable to accomplish this.

AC to USB Chargers - Photo by Joe Hackman

Use these!

Public USB Charging = Bad

Not these!

A survey…

In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them, it’s just not worth the risk.

Additional related content:

  • #infosec hashtag search on Twitter (get the latest real time information)
  • The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
  • Security journalist Brian Krebs’ piece on a charging kiosk located at the Defcon hacker conference (partial inspiration for this post, and a great resource if you want to learn the ins and outs of information security)
  • Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)


A quick survey – Have you used a public charging Kiosk?

We are collecting data for an upcoming blog post, please help us by answering this poll:

Poll not showing up in your RSS reader? Follow this link.

There is a follow-up to this poll located here.


International Patch Everything Week

Security updates are really piling up this week to keep up with a number of vulnerabilities in lots of different programs and operating systems. So much so that we’ve declared this (unofficially!):

August 7-13th, 2011 is International Patch Everything Week

 

Computer Bandage

Microsoft Advisories

It started early this week when we were informed by the US-CERT that all of these products had vulnerabilities that would be addressed in updates from Microsoft:

  • Microsoft Windows
  • Microsoft Office
  • Internet Explorer
  • .NET Framework
  • Microsoft Developer Tools

That, for the record, is pretty much everything in the Microsoft world, at least for the typical desktop user (except the developer tools, of course). That was not the end of the notices for the week.

Adobe Advisories

Today we were informed of a plethora of Adobe product security updates:

  • Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh
  • Flash Media Server 4.0.2 and earlier versions for Windows and Linux
  • Flash Media Server 3.5.6 and earlier versions for Windows and Linux
  • Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
  • Adobe Flash Player 10.3.185.25 and earlier versions for Android
  • Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android
  • Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh
  • RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows

This array of products covers pretty much any PC-based client computer, and Android to boot. So don’t delay when you are notified of new updates available this week; just run them all. Note that “X and earlier” in the advisories means every build up to and including that version, so a machine on exactly Flash Player 10.3.181.36 is still affected.
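Reading “version X and earlier” correctly is where patch triage usually goes wrong, so here is an added example (not from the post) that checks a small inventory against the Adobe ceilings listed above. The ceilings are taken from that list; the hostnames and installed versions in the inventory are made up.

```python
"""Decide which installed builds fall inside an advisory's "version X and
earlier" range. Added example, not from the post: the ceilings are the ones
listed in the Adobe bulletins above; the hostnames and installed versions in
the inventory are made up."""
import re

# "X and earlier" ceilings, straight from the advisory list above.
AFFECTED_UP_TO = {
    "Shockwave Player": "11.6.0.626",
    "Flash Media Server 4": "4.0.2",
    "Flash Player": "10.3.181.36",
    "Flash Player (Android)": "10.3.185.25",
    "AIR": "2.7",
    "RoboHelp": "9.0.1.232",
}


def parse_version(text: str) -> tuple:
    """'10.3.181.36' -> (10, 3, 181, 36). Comparing numeric tuples avoids the
    classic string-comparison bug where '10.3.9' sorts after '10.3.181'."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(product: str, installed: str) -> bool:
    """Installed build is at or below the ceiling.

    A ceiling given with fewer components than the installed version (e.g. '2.7'
    against '2.7.0.19530') is ambiguous, so the installed version is compared at
    the ceiling's precision. That errs on the side of flagging (a 2.7.1 build is
    flagged too); resolve such cases against the bulletin's 'fixed in' version."""
    ceiling = parse_version(AFFECTED_UP_TO[product])
    have = parse_version(installed)
    have = (have + (0,) * len(ceiling))[:len(ceiling)]
    return have <= ceiling


# Constructed inventory: (host, product, installed version)
INVENTORY = [
    ("ws-001", "Flash Player", "10.3.181.36"),     # exactly the ceiling: still affected
    ("ws-002", "Flash Player", "10.3.183.5"),      # newer than the ceiling: not affected
    ("ws-003", "Flash Player", "10.3.9.0"),        # older; a string compare would call it newer
    ("ws-004", "AIR", "2.7.0.19530"),              # a 2.7 build, covered by "2.7 and earlier"
    ("ws-005", "Shockwave Player", "11.6.1.629"),  # newer than the ceiling: not affected
    ("ws-006", "RoboHelp", "8.0.2"),               # RoboHelp 8 is in the affected list too
]


def needs_patch(inventory=INVENTORY):
    """Hosts and products that are inside an advisory's affected range."""
    return [(host, product, version)
            for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    for host, product, version in needs_patch():
        print(f"{host}: {product} {version} <= {AFFECTED_UP_TO[product]} -> patch")
```

On the sample inventory ws-001, ws-003, ws-004 and ws-006 come back as needing the update, and ws-002 and ws-005 do not. The ws-003 row is the one to remember: a naive `"10.3.9.0" > "10.3.181.36"` string comparison says that host is already newer than the ceiling and would silently skip it.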

Need help finding updates?

You can refer to the original bulletins for details on your device/pc:

For Adobe Products:

Security update available for Adobe Shockwave Player

Security update available for Adobe Flash Media Server

Security update available for Adobe Flash Player

Security update available for Adobe Photoshop CS5

Security updates available for RoboHelp

For Microsoft Products:

  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
  • Updates for consumer platforms are available from Microsoft Update

Warning: As always consult your IT department before applying software fixes. Also be aware that some software patches can cause problems.
