February 5, 2012

Busy week for Adobe: 52 Vulnerabilities on Current US-CERT Advisory

It must be a very busy week at Adobe, with 52 vulnerability bulletins affecting Flash Player, Shockwave Player and Acrobat on today’s US-CERT Cyber Security Advisory bulletin SB11-045. These vulnerabilities all score 9.3 out of 10, at the high end of the high vulnerability scoring range of 7-10, which means that updates should definitely be applied without delay. In many cases these updates are applied automatically, but to be safe we have made additional resources available here.

How do you test to see if you need updates? Follow these instructions:

For Shockwave Player, make sure you have version 11.5.9.620 or above (Update)

For Flash Player, make sure you have version 10.2.152.26 or above (Update)

For Adobe Acrobat and Adobe Reader you will need to run the program and choose “About Adobe Reader # or About Adobe Acrobat” from the Help menu at the upper right portion of the menu bar:

Help About Adobe Acrobat Reader

Make sure the resulting version is 10.0.1 or above for Adobe Reader and Acrobat 10.x, 9.4.2 or above for 9.x, and 8.2.6 or above for 8.x. (Update Windows or Mac)


Windows and Mac both vulnerable to potential USB HID exploit


There are bulletins at us-cert.gov today reporting that both Windows and Mac OS X are vulnerable to a potential exploit of Human Interface Device (HID) functionality over USB. The simplest way to explain this vulnerability is that neither OS X nor Windows warns you when a USB-connected device, such as a smart phone, presents itself with keyboard or mouse capability. This could lead to a number of different compromises of the host system. This vulnerability has existed since USB HID support was added to both operating environments, but it was only publicly demonstrated recently. An example was demonstrated at the Black Hat DC conference; Cnet ran an article about it on January 19th.

Other USB related risks

USB-connected devices have become a more common source of virus and malware infections. In 2010 there was actually a worm called “Conficker” that spread via USB memory sticks. As early as 2008, USB was becoming recognized as a much more common vector for virus propagation.

Protecting yourself

Since USB devices involve user interaction, this is an area where user education and caution are key. We can count on Apple and Microsoft to respond to this HID issue, but we can also say with certainty that others will come up in the future. Here are some simple suggestions to avoid becoming a victim:

Tips for individuals

  1. Store your USB storage devices in a safe place.
  2. Use memory sticks only from extremely trusted sources.
  3. Do not allow others to use your computer to charge their USB devices.
  4. Purchase memory sticks from trusted sources in clearly sealed packaging.

Extra tips for businesses

  1. Include an area that governs USB devices in your Acceptable Usage Policy (AUP).
  2. Do not allow third parties to use USB devices or charge phones on your corporate systems.
  3. Consider implementing software or software policies that control access to USB ports on your systems.

You might also want to read these related articles on how you can function more securely:

Education: the Answer to Zero Day Exploits
Good Personal Choices – the most powerful Information Security Tool


Large batch of Google Chrome Vulnerabilities and How to Protect Yourself

There is a rather large batch of critical Chrome vulnerabilities in this week’s US-CERT advisory report SB11-024. The CERT advisories are part of a US Government effort to keep people informed of product security issues. Most of them score between 9.3 and 10 out of 10, the highest possible, which means that if exploited on your computer it is likely that the attacker could gain access to it. The actual bulletins include PDF and HTML document handling, denial of service and unknown impacts that lead to a “stale pointer”. This would most likely occur when accessing a website or a PDF file with a vulnerable version of the Chrome browser.

Who should care?

Do you use the Chrome Browser or Chrome OS? If you do then you should take action to confirm that you will not be vulnerable.

How to tell

With your Chrome Browser open click the small tool icon in the top right of the browser window pictured below:

How to Open About on Google Chrome

Once the above drop-down menu appears click the “About Google Chrome” menu item. This will result in a screen that will tell you if your browser is up to date and what version it is running:

About Results Google Chrome

The critical piece of information is the green check mark at the bottom of the page. If Chrome is not up to date, or in this case is a version older than 8.0.552, your browser is vulnerable and needs to be updated. In most cases Chrome will be up to date, as it is configured to update automatically. This is actually one of the strengths of this browser platform.
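The Adobe and Chrome posts above each tell you to read a version number off a dialog and compare it with a minimum. When you have more than a couple of machines to check, that comparison is worth automating, and the Reader/Acrobat case (a different minimum for each of the 8.x, 9.x and 10.x branches) is exactly where a naive string comparison goes wrong. The following is an added example, my own code rather than anything from the original posts or from Adobe, Google or US-CERT; the product keys and the sample inventory are assumptions for illustration, while the version numbers are the ones the posts state.

```python
# Added example, not code from the original posts: compare installed versions
# against the minimum safe versions stated in the Adobe and Chrome advisories
# above. Product keys and the sample inventory are assumed for illustration.
from typing import Dict, List, Optional, Tuple

# Minimum safe versions quoted in the posts. A key of None means the minimum
# applies to every branch; numeric keys give per-major-branch minimums.
MINIMUMS: Dict[str, Dict[Optional[int], str]] = {
    "shockwave": {None: "11.5.9.620"},
    "flash": {None: "10.2.152.26"},
    "reader": {8: "8.2.6", 9: "9.4.2", 10: "10.0.1"},  # Adobe Reader / Acrobat
    "chrome": {None: "8.0.552"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.152.26' into (10, 2, 152, 26).

    Tuples of ints compare numerically, whereas comparing the raw strings
    would rank '9.4.2' above '10.0.1' because '9' > '1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(product: str, installed: str) -> bool:
    """True if the installed version is below the required minimum.

    For products with per-branch minimums, a branch the advisory does not
    mention (for example Reader 7.x) is flagged so that a person reviews it
    instead of it silently passing.
    """
    branches = MINIMUMS[product]
    have = parse_version(installed)
    if None in branches:
        return have < parse_version(branches[None])
    minimum = branches.get(have[0])
    if minimum is None:
        return True
    return have < parse_version(minimum)


def products_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Given {product: installed_version}, return the products to update."""
    return sorted(p for p, v in inventory.items() if needs_update(p, v))


if __name__ == "__main__":
    # Constructed sample inventory for one machine.
    sample = {"shockwave": "11.5.9.615", "flash": "10.2.152.26",
              "reader": "9.4.1", "chrome": "8.0.552.237"}
    print(products_needing_update(sample))  # ['reader', 'shockwave']
```

Note that a four-part Chrome build such as 8.0.552.237 compares as newer than the three-part minimum 8.0.552, which is the intended reading of “8.0.552 or newer”; anything that fails to parse as a dotted numeric version raises rather than being treated as safe.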


Chilling Introduction to the Cyber Crime Black Market

Panda Security recently released an excellent document entitled “The Cyber-Crime Black Market: Uncovered” that is probably the easiest to read and best piece made available to the general public in recent years about these underground criminal enterprises. The picture this document presents is of an illicit industry that is trying desperately to grow and earn more income at all of our expense. Here is a sobering view of the “competition”:

Price wars, numerous ‘special offers’ and the diversification of the business are all indications of how these mafias are desperately trying to drive up revenue. A few years ago, it was just a question of the sale of a few credit card details. Now, in addition to offering all types of information about victims -even the name of the family pet-, other services are available, including physical cloning of cards or making anonymous purchases and forwarding the goods to the buyer.

The document also integrates key information from the FBI; perhaps the most interesting aspect is how they categorize the professional positions within these organizations. Here are the most common positions per the FBI:

  1. Programmers. Who develop the exploits and malware used to commit cyber-crimes.
  2. Distributors. Who trade and sell stolen data and act as vouchers for the goods provided by other specialists.
  3. Tech experts. Who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.
  4. Hackers. Who search for and exploit applications, systems and network vulnerabilities.
  5. Fraudsters. Who create and deploy various social engineering schemes, such as phishing and spam.
  6. Hosted systems providers. Who offer safe hosting of illicit content servers and sites.
  7. Cashiers. Who control drop accounts and provide names and accounts to other criminals for a fee.
  8. Money mules. Who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.
  9. Tellers. Who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.
  10. Organization Leaders. Often “people persons” without technical skills. The leaders assemble the team and choose the targets.

Perhaps the most chilling aspect of this document begins on page 18, “The Sales Process”, where real examples of price lists, resources (as in how much is in the bank accounts, etc.) and ordering details are shown:

Prices vary according to the vendor, although the average is $150 for a complete card and a minimum order of five units. There is an additional cost for the plastic: $30 white plastic, and $80 for color printing. You also have to add to the cost of the information (the card number, PIN and other details) for which, as we’ve seen before, there are various offers.

If you have the time, it is a good opportunity to better educate yourself on the operations of these organizations; this should be a “must read” for any aspiring information security professional. Understanding the enterprise behind the malware, botnets and other security risks is a key aspect of understanding how to prevent them.

Disclosure – we are not a Panda Software reseller, nor were we paid to post this. We are not in any way advocating a product or service in this post. Please review our Product and Partner Policy for more information.


Why 2011 may be the Year of Privacy

As we roll into our 14th year here at Managed Solutions and take stock of the last 14 years, many trends have dominated our priority list. In 2010 the focus was extending the life of under-maintained hardware, cloud computing and security. Signs are pointing to privacy being a very relevant issue for 2011. The Wall Street Journal really started the ball rolling with their privacy series in 2010. That set the tone, with many consumers learning about and becoming much more concerned about their data privacy. Also, it seemed like everywhere you looked in 2010 Facebook was being criticized for what at times appeared to be utter contempt for the privacy of their users. See also “Frustrated by the new Facebook groups? So am I, and something you can do.” on Amplify for some additional discussion of that.

Photo credit Opensourceway, Creative Commons

Spokeo.com got “spinsucked”

Gini Dietrich posted a great article this week that struck a chord with readers. It’s been viewed, shared and commented on heavily since it came out. The post was about “Deleting Your Spokeo Profile” and it detailed what information could be found on Spokeo.com and how to delete the profile. I thought, based on the comments, that it was worthy of a screencast, so I recorded it and shared it with Gini. You can view it on YouTube. At one point Spokeo was not able to process requests, so I joked with her on her blog that there is a new /. in town and that Spokeo had gotten “spinsucked”, so henceforth that will be my story, and I will stick to it.

As further proof that this issue really resonated with many of us, I had one person completely disconnected from the matter ask me on Facebook last night if I had “heard of Spokeo”; at that point I realized this was really circulating far and wide.

Learning from the debate

Some debates did come up over the spinsucks post; here were the opposing arguments to removing your profile from Spokeo:

  1. There are many other sites that mirror the same data
  2. They are probably harvesting the required email address to sell
  3. The information is public domain only, readily available

One less site is better

In response to argument #1, one less site is certainly better, is it not? Not to mention that Spokeo actually did a bang-up job of gathering a lot more data than other sites seem to offer. I’d rather not be listed there.

Avoid the harvest

Avoiding the email harvesting is easy: use either an alias that can be tracked and later deleted, or a “junk” email address that is only checked in these circumstances.

The information is public domain only

I don’t think this is the case; it appears that Spokeo has found or paid for some really unique data, or at least their paid service touts that. If it is all public domain, it’s usually not in one place. If someone is going to go after it, let’s make them work for it. Does that sound like a decent strategy?

What does it mean?

I think these developments solidify the position that 2011 is the year of privacy. Why? We know now, and we care, and we’re reading and watching and opting out to the point of disabling a website. Our current privacy laws are not reacting fast enough to the changes in this digital world. This disparity is creating a vacuum that will be filled one way or another.

What happens next? Predictions

So the question is: do the companies that are gathering this information and making it available cave under the pressure that is likely to develop from consumers this year? Does the government step in and pass new privacy legislation more geared to our digital and interconnected age? Or does a group of entrepreneurs put together a service that opts you out and erases the data that can be masked, opts you out of junk mail and offers an opportunistic menu of other privacy features?

I’ll be talking privacy a lot more this year and making it a priority to educate and discuss, both here on Managed Solutions and also on my blog. Please join the conversation and share your thoughts. The most compelling comments will be added to the post and the authors cited. Or perhaps you’d like to guest post about this; if so, please contact me.


American Honda warns their customers of Privacy Breach

American Honda Motor Company, Inc. is warning its customers today of a privacy breach that resulted in the compromise of private information about those customers. In this instance they are advising their clients that the following client information was compromised:

  1. Email Addresses
  2. Names
  3. Vehicle Identification Number (VIN)
  4. User ID

Their formal statement to their customers claims that no other information, such as passwords or addresses, was included in the breach. Hopefully a more thorough investigation will occur to verify the claim, because if customer physical addresses were also compromised this would be a major concern.

Here is the entire message:


Dear Customer,

American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account. The data that was obtained included your email address, your name, Vehicle Identification Number (VIN) and User ID. Your password was not included and no other sensitive information was contained in that list.

We apologize for any inconvenience this may cause. As a company, we believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. You may be aware of attacks on email marketing systems, therefore we want to assure you that we take the safeguarding of your information seriously and that the appropriate authorities have been contacted regarding this incident. Additionally, we have taken steps to minimize this type of exposure in the future.

As a Company, we encourage you to continue to be aware of the increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information — Be cautious when opening links or attachments from unsolicited third parties. Also, know that American Honda Motor Co., Inc. will not send you emails asking for your credit card number, social security number or other personal information. If ever asked for this information, you can be confident it is not from us.

Again, let us reassure you that we are taking necessary steps to safeguard your personal information.

If you would like further information on this topic please visit honda.com/info/b

Thank you.

American Honda Motor Co., Inc.


Good Personal Choices – the most powerful Information Security Tool


Dali Burgado posted a really interesting article from infosecurity.com today about combating Twitter worm threats being a personal matter. The gist of the article was that the best way to combat these information security threats is by reporting them. We’ll take this idea a step farther in this article: information security really centers around making good personal choices. Unfortunately a lot of people are not very cautious, and bad choices lead to big compromises, expenses and a bevy of other problems. In fact, did you read about the man in Australia who had one of his investment properties sold as the result of identity theft?

What areas of your information security do these personal choices affect?

  • Competency – learning.
  • Hardware and networking devices (especially wireless!).
  • Security software.
  • Participation.
  • G Factor

Competency and learning – the core of information security

At the core of information security is what you as a user are willing to do to educate and protect yourself. Do you take a cautious and guarded approach, or do you throw caution to the wind and click every link in sight? Perhaps one of the biggest challenges for new users is that there are not many best-practices training programs available for end users (if you know of some, please share the wealth as a comment to this post!). You really have to actively seek out the information. There are a number of paths for professionals to get the training, including the SANS Institute (Dali Burgado, who inspired this post, works for them!) among others. We provide end user information security and best practices training to our small business clients, and you can always inquire on behalf of a group at the “speaking” page on my personal blog.

Hardware, Wireless and networking device choices

A little bit of prior planning in the hardware arena can close some huge gaps in information security. The biggest risk and most difficult choice the average home owner or business can make is the decision to have wifi on premises. You may have read this week that Google Street View cars were collecting a lot more than pictures of the streets in your neighborhood. I don’t think the information Google collected will be used against you, but to that point, if they can do it anyone can do it. The decision to add wireless to your home or business network should not be taken lightly. Educate yourself on the security best practices and realize that even if you do a reasonable job of securing the device, it is just one more thing that could be compromised at some point. Any networking gear you add to your network needs to be updated from time to time; do you have the ability to do that? Does the benefit of that hardware outweigh the expense of hiring a professional to provide you with the updates? These are questions that are best asked in advance.

Security software choices

Computers need extra protection against threats, and the simplest protection is keeping your software updated. Think about this when you decide to install a new application: it is another spoke in the growing wheel that you will need to keep updated. Software updates are a fact of life in our modern age; be prepared to understand what they are and how to apply them. A great resource for finding out about new threats is CERT; in fact I highly recommend you sign up for their weekly alerts or feed. I used to do a weekly feature here that will give you an idea of what to look for at the CERT website.

In addition to keeping your software up to date, it is a great idea to protect your system with antivirus and/or a security suite. We became a reseller of Eset NOD32 a number of years ago and have found over time that they continue to provide a quality product. Do not for a minute think that antivirus/security suite software will protect you from everything. It is the “last resort”, and even the best products will not catch everything. The personal choices you make will have more to do with your information security than the antivirus software you choose. (In the interest of disclosure, we are an affiliate of Eset, and if you use the link provided below to purchase the software we will get royalties; see our product and partner policy.)


Click Here - Free Trial of ESET NOD32 Antivirus

Participation choices

Where you choose to be present can have a direct impact on your information security. The allure of social media sites like Facebook is great, and there are a number of advantages, but any place you choose to participate has its own risks, practices and learning curve. You should be aware, and remain aware, of these risks and practices; never assume that because a lot of people are using something it is safe. The opposite is often true: criminals go where the people are because they have more potential targets. I have an article that I’ve started to work on that goes into detail about how social media has really become a vulnerable spot for many internet users. I will add a link to this post when it is done.

The Gullibility and Greed Factor

Gullibility and greed are major contributors to information security compromise. I think Facebook is a great example of where this occurs. I have seen more hacked Facebook accounts than I imagined I ever would. Why? People thought that their really easy password was fine, or they clicked a link or installed a rogue app. Now some malicious app or user is posting things to their friends’ walls, sending messages, etc., trying to further perpetuate the compromise.

Beyond the gullibility of individuals that help their stranded friend at
greed is an often overlooked factor in information security. Do people really believe they will get something for nothing? Judging by the ongoing “Nigerian”, “419” or “advance fee fraud” scams, they do. If it didn’t work they would not be so prolific. Some very senior executives have been caught by these scams in the past; it is believed that many more have been victimized as well but did not come forward due to embarrassment.

Keep in mind that the oldest trick in the con artist’s book (pre-dating the internet) is to exploit a person’s gullibility or greed. If you’re going to be information secure, you’re also going to have to learn to be a little street wise.

Summary

Hopefully this will be a good primer and starting point for people to move towards a more secure computing experience. While there are links to a number of great resources here, we’d be happy to have your feedback about other possible resources; we’ll also add the best of the suggestions to the article itself. You can share your feedback, suggestions or questions in the comments below.


Joe Reviews SB10-242 Cert Report (Video)

Here is a review of this week’s CERT advisory. This one includes issues with Adobe products, Chrome and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.


Dr. Dan wants to buy Real Estate (Phishing)

We’re paid to be paranoid here at Managed Solutions. When this message arrived in my inbox today it was a rarity, rare because it is one of very few phishing emails that have bypassed my anti-spam mechanisms. Phishing is a process by which a criminal pretends to be a legitimate entity in an effort to gain passwords, identity, bank account or other private data. Here is the text of the message:


I am interested in purchasing a private residence in your country or in any country you are well-acquainted with.

The Property must be located in a well-reserved,serene,secure and highly-hygienic environment because I am most particular about the safety and sound health of my family.
I wish to make this transaction with you in a very secret and confidential manner due to my position as a cabinet minister here in my country Ghana.

Therefore,upon response from you I will connect you with my agent here whom I trust so much to represent my interest in this purchase.franciskweme2007@[hidden].com
Thank you and accept my kindest regards,

Dr. dan


Want to complete this article?

What issues do you see with the text of this message, and why would I assume that it is a phishing email? Complete this story via a comment and we’ll feature your comment as a part of the article and link back to your website.

We have a winner, David Schur completed the article via this comment on Facebook:

David Schur – I’ll take a shot Joe.
1) does not address you by name. Nobody will buy your house, or send you millions of dollars without knowing who the heck you are
2) Total lack of PII. If this was legit, they would know your address, which is the relevant PII in this case. My bank or CC includes the last 4 digits of my account to let me know the email is real.
3) Typos…when will the phishers learn that simply hiring a native English speaker to proofread would make a difference (maybe there is a business opportunity here)
4) simple common sense…too good to be true = false…100% of the time

This won’t work for a real hack…but luckily phishers these days never invest in data that connects your email to any meaningful form of PII…luckily axiom 4 will ALWAYS be true

Joe’s comment – I really like David’s rule #4; I think phishers’ best tool is exploiting people’s greed. Also, David had no desire to have a link back to anywhere, so I asked him what charity he likes; here is his response:

“American Red Cross…when bad stuff happens they get my money…then I can safely and with good conscience ignore the inevitable scam charity emails” – David Schur
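David’s four rules are a usable checklist, and it is worth seeing them applied mechanically to the message quoted above. The following is an added example of my own, not part of the original post or of David’s comment: each rule becomes a check run over the message body, and the message is flagged once enough of them trip. The regular expressions, the `recipient_name` parameter and the two-flag threshold are my own assumptions chosen for illustration; this is a teaching aid, not a production spam filter.

```python
# Added example, not code from the original post: a small reviewer's checklist
# that turns David Schur's four rules into checks run over a message body. The
# patterns and threshold are this example's own heuristics, chosen for
# teaching rather than as a production spam filter.
import re
from typing import List

# Constructed sample: the message text quoted in the post above, with the
# agent's address withheld exactly as the post withholds it.
SAMPLE_MESSAGE = """I am interested in purchasing a private residence in your country or in any country you are well-acquainted with.

The Property must be located in a well-reserved,serene,secure and highly-hygienic environment because I am most particular about the safety and sound health of my family.
I wish to make this transaction with you in a very secret and confidential manner due to my position as a cabinet minister here in my country Ghana.

Therefore,upon response from you I will connect you with my agent here whom I trust so much to represent my interest in this purchase.franciskweme2007@[hidden].com
Thank you and accept my kindest regards,

Dr. dan
"""


def phishing_indicators(body: str, recipient_name: str) -> List[str]:
    """Return the human-readable red flags found in a message body.

    recipient_name is the name a legitimate sender would know; its absence
    covers David's rules 1 and 2 (no greeting by name, no recipient-specific
    detail). An empty name is treated as "not addressed" as well.
    """
    flags: List[str] = []
    if not recipient_name or recipient_name.lower() not in body.lower():
        flags.append("does not address the recipient by name")
    # Rule 3: sloppy writing, here a comma with no space after it.
    if re.search(r",\S", body):
        flags.append("punctuation errors (missing space after a comma)")
    # Rule 4: too good to be true - an unsolicited official wanting secrecy.
    if re.search(r"\b(secret|confidential)\b", body, re.IGNORECASE):
        flags.append("asks for secrecy or confidentiality")
    if re.search(r"\b(minister|diplomat|prince|cabinet)\b", body, re.IGNORECASE):
        flags.append("claims to be a foreign government official")
    return flags


def looks_like_phishing(body: str, recipient_name: str, threshold: int = 2) -> bool:
    """Treat a message as suspicious once it trips `threshold` or more flags.

    Two flags is an assumed cut-off: a single hit (one stray comma) should
    not condemn a genuine message on its own.
    """
    return len(phishing_indicators(body, recipient_name)) >= threshold


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_MESSAGE, "Joe"):
        print("-", flag)
    print("suspicious:", looks_like_phishing(SAMPLE_MESSAGE, "Joe"))  # True
```

Run against the quoted message with the recipient’s name set to “Joe”, all four checks trip; a constructed legitimate note such as “Dear Joe, thank you for your order. Your invoice is attached.” trips none. The point David makes in his last line holds here too: the checks only work because the sender invested nothing in knowing who they were writing to.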


Joe Reviews SB10-221 Cert Report (Video)

Here is a review of this week’s CERT advisory. This update contains issues with Apple iTunes, Safari and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.
