Archive for the ‘Analysis’ Category

Microsoft has warned of a zero-day vulnerability in Microsoft Word that is being actively exploited in limited, targeted attacks; the issue was discovered by the Google security team. The attacks seen so far are aimed at Microsoft Word 2010. According to Microsoft’s security advisory, Word is vulnerable to a remote code execution flaw (CVE-2014-1761) that can be triggered by a specially crafted Rich Text Format (RTF) file.

An attacker can infect the victim’s system with malware if the user opens a malicious RTF file, or merely previews a malicious message in Microsoft Outlook when Word is the selected e-mail reader. The issue occurs when Word parses the specially crafted RTF data and corrupts memory in a way that lets the attacker execute arbitrary code in the context of the current user. Microsoft acknowledged that the flaw also exists in Microsoft Word 2003, 2007 and 2013, Word Viewer and Office for Mac 2011. Microsoft is working on an official patch, expected with the next Patch Tuesday security updates on April 8. In the meantime Windows users can apply Microsoft’s temporary ‘Fix it’ workaround, which stops Word from opening RTF content, and can install the Enhanced Mitigation Experience Toolkit (EMET), which can mitigate this vulnerability.

Do not download .RTF files from suspicious websites, and do not open or preview .RTF e-mail attachments from strangers. Keep in mind that Word identifies RTF by the file’s content rather than its extension, so a malicious RTF document can arrive as a .doc attachment too.
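Because Word picks its parser from the file content, a mail-gateway rule that only matches the .rtf extension is easy to bypass. The following script is an added example, not code from the original post or from Microsoft’s advisory: it identifies RTF attachments by their header, flags a renamed RTF, and counts a few control words that introduce embedded objects or binary data. The sample attachments are constructed for the demo, and the control words watched and the allow/hold/quarantine policy are this example’s own choices rather than a signature for CVE-2014-1761.

```python
"""Identify RTF e-mail attachments by content, not by file extension.

Added example, not code from the original post or from Microsoft's advisory.
Word chooses a parser from the file's content, so an RTF document renamed to
.doc is still parsed as RTF; an attachment rule keyed on the ".rtf"
extension therefore misses it. The sample attachments below are constructed
for the demo, and the control words counted and the resulting actions are
this example's own policy choices, not a signature for CVE-2014-1761.
"""
import re
from dataclasses import dataclass, field

RTF_MAGIC = b"{\\rt"   # RTF files begin "{\rtf1"; Word accepts the truncated "{\rt" too
# Control words that introduce embedded OLE objects or raw binary data.
CONTROL_WORDS = (b"\\objdata", b"\\objupdate", b"\\bin")


@dataclass
class Verdict:
    name: str
    is_rtf: bool
    extension_mismatch: bool
    hits: dict = field(default_factory=dict)
    action: str = "allow"


def is_rtf(data: bytes) -> bool:
    """RTF is detected from the header; leading whitespace is tolerated like Word does."""
    return data.lstrip().startswith(RTF_MAGIC)


def count_controls(data: bytes) -> dict:
    """Count occurrences of each watched control word (delimiter-aware)."""
    hits = {}
    for cw in CONTROL_WORDS:
        # a control word ends at the first non-letter: "\bin1024", "\objdata ", "\objupdate{"
        n = len(re.findall(re.escape(cw) + rb"(?![A-Za-z])", data))
        if n:
            hits[cw.decode()] = n
    return hits


def triage(name: str, data: bytes) -> Verdict:
    """Classify one attachment: allow / hold / quarantine."""
    rtf = is_rtf(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mismatch = rtf and ext != "rtf"
    hits = count_controls(data) if rtf else {}
    if not rtf:
        action = "allow"            # not RTF: outside this rule's scope
    elif mismatch or hits:
        action = "quarantine"       # disguised RTF, or RTF carrying embedded binary/OLE
    else:
        action = "hold"             # plain RTF: hold for review while the flaw is unpatched
    return Verdict(name, rtf, mismatch, hits, action)


# Constructed samples (not real malware): a Word binary file, a plain RTF,
# and an RTF with an embedded OLE object that has been renamed to .doc.
SAMPLES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "memo.rtf": b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Hello\\par}",
    "invoice.doc": (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate"
                    b"{\\*\\objdata 0105000002000000}}\\par}"),
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each attachment name to the action the policy takes."""
    return {name: triage(name, data).action for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

Running the script prints one verdict per sample: the binary .doc is allowed, the genuine .rtf is held, and the renamed RTF with an embedded object is quarantined. The ‘hold’ action for plain RTF mirrors the advice above: until the patch ships, an RTF from an unknown sender is not something to open or preview.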

When considering a move to the cloud, there are a number of security questions to work through as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as the top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we have compiled a list of questions to help you determine the level of security a provider actually offers.

1. What is your approach to data encryption, and how do you encrypt data? Do you encrypt data at rest and in transit? If you offer encryption, what strength of encryption (algorithm and key length) is used, and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What steps do you take to destroy data after a customer releases it?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided for administration/management, billing and system information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access immediately to my data in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime and SLA option? What if SLA is not met?
23. Do you alert your customers of important changes like security practices and regulations or data center locations?
24. What country (or countries) is my data stored in – both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?

Source : cloudsecurityalliance

Today almost all household and commercial environments are equipped with Wi-Fi networks, and the heart of such a network is the wireless access point. In households and small businesses, wireless routers play that role far more often than dedicated access points. The bootstrap code and operating instructions of these devices live in a special type of memory known as firmware. Researchers recently found malware in the wild that targets Linksys wireless routers and replicates to similar devices by itself, by exploiting an authentication bypass and a code-execution vulnerability in the routers’ management interface. The malware, named ‘TheMoon’, scans for other vulnerable devices in order to spread from router to router, and researchers confirmed that the worm had already infected around 1,000 Linksys E1000, E1200 and E2400 routers.

To compromise a router, the malware remotely calls the Home Network Administration Protocol (HNAP), a SOAP-based interface that allows identification, configuration and management of networking devices. The malware first requests the router’s model and firmware version over HNAP, and if the device appears vulnerable it sends an exploit request to a CGI script that yields local command execution on the device. Linksys’s parent company has confirmed that the HNAP implementation has a security flaw for which exploit code is publicly available on the Internet.

How dangerous this worm can actually be is still an open question.

You can use the following command to check whether your device answers HNAP on its remote-administration port (the \r\n escapes only work with echo -e, so printf is the portable choice; replace routerip with the router’s address):

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

If you receive an XML HNAP reply, the device exposes HNAP on that interface and is likely vulnerable to the worm, so preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080, the ports the worm scans. Users are advised to disable remote administration of the device, or at least restrict administration to a small number of trusted IP addresses.
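To make the manual check repeatable, here is an added example (not code from the original post, from SANS or from THN) that builds the same HNAP probe, decides from the raw reply whether a device is exposed and pulls out its model and firmware strings, and then scans connection logs for sources that hit /HNAP1/ on ports 80 and 8080 across several hosts, which is how the worm behaves. The HNAP reply and the log lines are constructed so the script runs offline; the element names ModelName and FirmwareVersion follow the HNAP GetDeviceSettings response, but the model, firmware string, addresses and log format are invented for the demo and are not indicators of compromise. Only probe() touches the network, and only when you call it.

```python
"""HNAP exposure check and log triage for Linksys routers hit by 'TheMoon'.

Added example; it is not code from the original post, from SANS or from THN.
It does not talk to any device unless you call probe(): the HTTP request is
built exactly as the shell one-liner above does, and a CONSTRUCTED HNAP
reply plus a few CONSTRUCTED log lines are embedded so the logic runs
offline. The element names ModelName/FirmwareVersion follow the HNAP
GetDeviceSettings response; the model, firmware string, addresses and log
format are invented for the demo and are not indicators of compromise.
"""
import re
import socket
import xml.etree.ElementTree as ET
from collections import defaultdict

HNAP_NS = "http://purenetworks.com/HNAP1/"   # namespace HNAP replies use
HNAP_PORTS = (80, 8080)                      # the worm probes both ports


def hnap_request(host: str) -> bytes:
    """Same request as the manual probe, with the CRLF line endings HTTP requires."""
    return (f"GET /HNAP1/ HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def probe(ip: str, port: int = 8080, timeout: float = 3.0) -> bytes:
    """Send the probe to a real router and return the raw reply (network I/O)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(hnap_request(ip))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def classify_reply(raw: bytes) -> dict:
    """Tell whether a raw HTTP reply is an HNAP answer and extract model/firmware.

    Returns {"hnap": bool, "model": str | None, "firmware": str | None}.
    A 200 response whose body parses as XML in the HNAP namespace counts as
    "HNAP exposed"; anything else (404, HTML login page, garbage) does not.
    """
    result = {"hnap": False, "model": None, "firmware": None}
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1.") or b" 200 " not in status_line:
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result
    if not any(el.tag.startswith("{" + HNAP_NS + "}") for el in root.iter()):
        return result
    result["hnap"] = True
    for key, tag in (("model", "ModelName"), ("firmware", "FirmwareVersion")):
        el = root.find(f".//{{{HNAP_NS}}}{tag}")
        if el is not None and el.text:
            result[key] = el.text.strip()
    return result


# Constructed reply in the shape a Linksys router returns for GET /HNAP1/.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body>"
    b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"<ModelName>E1200</ModelName><FirmwareVersion>1.0.00</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)

# Constructed connection log: "<time> <src> -> <dst>:<port> \"<request line>\""
SAMPLE_LOG = [
    '2014-02-13T10:01:02Z 198.51.100.7 -> 192.0.2.10:8080 "GET /HNAP1/ HTTP/1.1"',
    '2014-02-13T10:01:03Z 198.51.100.7 -> 192.0.2.11:8080 "GET /HNAP1/ HTTP/1.1"',
    '2014-02-13T10:02:15Z 203.0.113.5 -> 192.0.2.10:80 "GET /index.html HTTP/1.1"',
    '2014-02-13T10:03:40Z 203.0.113.9 -> 192.0.2.12:80 "GET /HNAP1/ HTTP/1.1"',
]
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+) '
    r'"(?P<req>[^"]*)"$'
)


def find_hnap_scanners(lines, min_targets: int = 2) -> dict:
    """Group /HNAP1/ probes on ports 80/8080 by source address.

    One probe may be an admin checking a router; a source that probes several
    hosts is behaving like the worm. Returns {src: [dst, ...]} for those.
    """
    targets = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or int(m["port"]) not in HNAP_PORTS:
            continue
        if m["req"].startswith("GET /HNAP1/"):
            targets[m["src"]].add(m["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print(classify_reply(SAMPLE_REPLY))      # offline demo on the constructed reply
    print(find_hnap_scanners(SAMPLE_LOG))
    # To test a real router on the LAN side: print(classify_reply(probe("192.168.1.1")))
```

A router that answers with an HNAP document on the WAN-facing port is the condition to fix, regardless of the model string it reports; the model and firmware fields are there to help you map which devices on a network still need remote administration turned off. The log check deliberately ignores a single probe and only reports sources that sweep several hosts, which keeps an administrator running the one-liner above from showing up as a worm.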

Source : THN, SANS

Adobe released an emergency update today for Flash Player to guard against a zero-day exploit that could allow attackers to take remote control of an affected machine. Adobe rated the flaw “critical”, its highest severity level. Ars Technica reports the exploit is triggered by “underlying code that could be exploited to execute arbitrary code” when a person navigates to a malicious site hosting the attack.

Windows and Mac users are affected if running Adobe Flash Player 12.0.0.43 or earlier. Linux users are affected if running Flash Player 11.2.202.335 or earlier. Users of Google Chrome or Internet Explorer 10/11 will automatically receive the latest Flash Player version, 12.0.0.44, which is bundled with the browser. All other users are advised to install the update as soon as possible.

Source: Adobe , softonic

1. Smart Appliances

Smart TVs, smart fridges and other internet-connected home appliances, ranging from medical equipment to security cameras, are widely expected to become a “magnet for hackers” says Kevin Haley, director of Symantec Security Response in a blog post.

“The companies building gadgets that connect to the internet don’t even realize they have an oncoming security problem,” Haley wrote.

“These systems are not only vulnerable to an attack — they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities.”

One of the concerns is that hackers logging into such appliances may be able to get information about who is home at a given time of day, noted Fortiguard, adding, “This is bound to give cybercriminals new and nefarious ideas around how and when to rob someone’s home.”

Fortiguard predicts we’ll see the first mass malware for home devices such as smart TVs and appliances later in 2014.

2. Social networks

Attacks by cybercriminals are becoming more targeted, and social networks are becoming a useful source of data for crafting these types of attacks.

Websense predicts that in 2014 hackers will increasingly make use of services such as LinkedIn to lure executives and other potentially lucrative targets.

“This highly targeted method will be used to gather intelligence and compromise networks.”

Haley of Symantec adds that cybercriminals won’t just be turning to big social networks.

“Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure,” he wrote. “Users who feel it’s just them and their friends on these new sites are in for a big (and unpleasant) surprise.”

3. The cloud

Businesses are increasingly storing their data in the cloud and on servers outside their own network, and Websense predicts that criminals will increasingly turn their attention to that data this year.

“Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the ‘castle walls’ of an on-premise enterprise network,” Websense says.

Sophos predicts that cybercriminals will target mobile devices and the credentials of individual employees to gain access to the cloud, perhaps employing blackmail via “ransomware” that threatens to go public with confidential data if the criminals aren’t given what they ask for.

4. Android

According to Sophos, malware aimed at Google’s Android grew exponentially in 2013, and is expected to keep growing in 2014 because of the operating system’s dominant share of the smartphone market.

Trend Micro predicts the number of malicious and high-risk apps for the Android operating system will hit three million in the coming year.

“While we expect that new security features in the Android platform will make a positive change in infection rates over time, their adoption will be slow, leaving most users exposed to simple social engineering attacks,” the company wrote.

It added that the mobile devices that run Android are “an attractive launching pad for attacks aimed at social networks and cloud platforms.”

Fortiguard expects Android malware to expand beyond mobile devices in 2014 to industrial control systems in devices such as smart home appliances.

5. Java

Plug-ins that allow browsers to run apps in the Java programming language – already responsible for some high-profile cyberattacks – will continue to be exploited in 2014, security experts say.

“In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks,” the company predicted.

Security patches for older versions of Java and Windows are no longer being issued, even when new exploits are found, despite the fact that there are many systems still using this software.

Trend Micro predicts that in the coming year, that “lack of support” will expose millions of PCs to attack.

Source : cbc.ca

Would NFC smartphones have helped at Target?

Posted: January 27, 2014 in Analysis
Recent massive data breaches at Target and Neiman Marcus have re-ignited a campaign by retailers to get U.S. consumers to carry “PIN and chip” credit and debit cards to replace the decades-old magnetic stripe cards used by 90% of Americans.

Such PIN and chip cards would do what dozens of newer-model smartphones with NFC chips are already doing while using payment apps like Google Wallet and Isis. So why isn’t the focus on promoting near-field communication smartphones instead of PIN and chip cards?

The answer is complicated and political, primarily because there are questions over who is liable for a data breach: the retailers, or the financial institutions and their associated card processing companies such as Visa and MasterCard. It is also expensive to install point-of-sale (POS) terminals in millions of retail locations and at ATMs that can read the chips on the newer contactless cards, as well as an NFC signal from a smartphone.

Source : CSO Online

 

(ISC)² Code Of Ethics

Posted: January 26, 2014 in Analysis
This is an interesting thought that came to my mind while I was looking at the Official (ISC)² Guide to the CISSP CBK, third edition. It’s about the code of ethics we have to adhere to as CISSPs. We have a Code of Ethics preamble and four ethics canons.

Code of Ethics Preamble [1]:

  • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons [1]:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

I wanted to understand the canons in more depth, and I found a nice article on eHow.com by Jennifer Gigantino that explains the canons in detail.

First Canon

The first canon of the (ISC)2 Code of Ethics is to “protect society, the commonwealth, and the infrastructure.” In short, CISSPs must promote public trust in information and systems, as well as the understanding of proper information security measures. They must also discourage unsafe information security practices and strengthen the integrity of the public infrastructure.

Second Canon

The second canon is to “act honorably, honestly, justly, responsibly, and legally.” CISSPs must tell the truth, as well as honor all commitments and agreements. Their advice must be given prudently and without unnecessary alarming. They must be objective and fair with those they deal with and in the advice they give, and when resolving laws in different jurisdictions, the laws of the current jurisdiction must take precedence.

Third Canon

The third canon is to “provide diligent and competent service to principals.” This means that CISSPs must avoid conflicts of interest while respecting the trust placed in them as well as the value of systems and information. CISSPs are also obligated to render services only when they are fully competent and qualified to do so.

Fourth Canon

The fourth canon is to “advance and protect the profession.” A CISSP must respect the reputations of other professionals and sponsor those best qualified for advancement. Conversely, a CISSP should avoid professional association with those who degrade the profession. Above all, a CISSP should keep his own skills and knowledge sharp and current while giving generously of his time and knowledge to others.

I hope this explains what a CISSP can and cannot do from the ethical perspective.

Reference

[1] https://www.isc2.org/ethics/default.aspx