Archive for ‘Hacking’

April 28, 2014

Critical zero-day vulnerability in Internet Explorer exposes Windows XP to risks (Re-post from TWCN Tech News)

Microsoft said that a critical zero-day vulnerability has been found in Internet Explorer, affecting every version from IE6 to IE11, that cyber-criminals can exploit using drive-by attacks.

Drive-by download attacks occur when vulnerable computers get infected by just visiting a website. It’s accepted that drive-by download attacks continue to be many attackers’ favourite type of attack. This is because the attack can be easily launched by injecting malicious code into legitimate websites. Once injected, the malicious code may exploit vulnerabilities in operating systems, web browsers and web browser plugins such as Java, Adobe Reader and Adobe Flash. The initial code that gets downloaded is usually small. But once it lands on your computer, it will contact another computer and pull the rest of the malicious code to your system.

Microsoft is expected to release a patch for this vulnerability very soon. But it will be available only for supported operating systems. It will not be available for Windows XP, as this operating system is no longer supported. This will leave Windows XP users exposed to risks.

Workarounds

Apart from following other steps to secure their Windows XP, users may do the following to mitigate this issue, till a patch to fix it is released:
1. Disable the Flash plug-in within IE
2. Do not click on any doubtful links and immediately close IE if they find something suspicious
3. Use Microsoft’s anti-exploit tool – Enhanced Mitigation Experience Toolkit
4. Unregister the vgx.dll file. Go here to read how to unregister dll files in Windows.
5. Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting
6. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
7. Consider using an alternative browser on your Windows XP.

December 17, 2013

10 Ways to Protect Your Company and Employees from Hacking

Here is a link to my blog posting on websitemagazine.com

December 5, 2013

Microsoft’s guidance for protecting the enterprise from attack

Microsoft has released its guidance on best practices to protect enterprises from malicious attack.  Here is a summary of the report recommendations:

  1. Keep all software up-to-date:  Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible.
  2. Demand software that was developed with a security development lifecycle:  Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.
  3. Restrict websites: Limit web sites that your organization’s users can visit.  This likely won’t be popular in the office, but given the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case.
  4. Manage security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: Technologies like Network Access Protection (NAP), Intrusion Prevention System (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing its level of network access.

November 12, 2013

5 ways to prevent being hacked using a public WiFi

Many people log into public WiFi without realizing the danger posed by hackers who are often monitoring their traffic and accessing sensitive information.  We’ve compiled a short list of precautions that can be taken in order to prevent hackers from accessing your private data:

1)      Do not simply log into any public network.   Only log into recognized networks.

2)      Check your computer settings so that you do not automatically log into unknown public networks.

3)      Use encryption via https when accessing a website that requires you to provide sensitive information.

4)      Disable shared access to files.

5)      Consider using a VPN if you will be accessing/sending sensitive data.

September 3, 2013

Code red? Only 1 in 10 managers trust their applications’ security

A new report released by Quotium Technologies reveals a widespread concern about security flaws. Of the security managers interviewed, half believe their applications are vulnerable to attack. Other relevant data include:
* 80% believe off-the-shelf applications are not secure
* 11% trust their applications’ security level
* Approximately 50% do not know how often hackers have targeted their organization’s software.

September 1, 2013

Here’s why email poses a significant cyber threat to your business

Emails aren’t secure and there is no commercial solution in the marketplace to address this. Here’s why:

There are two obvious points of vulnerability with respect to email: the recipient and the sender. Most malware is designed to penetrate email accounts and as we have mentioned in previous blogs, it is becoming increasingly easy to guess passwords.

The less obvious, but equally vulnerable, points of entry for a hacker are the network and the server. Say your service is Outlook.com and you send an email to someone using Gmail; these are two typical email providers for small businesses. Each connection between email providers involves multiple switches and routers which are controlled by different entities. It only takes one of the networks to be vulnerable in order to expose your sensitive email to a third-party hacker. Similarly, the ISPs store your email on servers that are also constantly under hacker attack. As a general rule, ISPs do not spend the resources to encrypt the emails that are stored on their servers.

There are some companies with promising technologies to enable encryption, but at this point, we have not seen a solution that addresses the fundamental vulnerabilities described in this blog posting.
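To see which server-to-server hops of a delivered message were recorded as encrypted, the `Received` headers can be read back in travel order. The sketch below is an added example, not part of the original post; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

def _strip_comments(value):
    # Remove (nested) parenthesised comments; they can contain the word "with".
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def _clause(pattern, text):
    match = re.search(pattern, text, re.I)
    return match.group(1) if match else None

def trace_hops(raw_message):
    """Return the hops in sender-to-recipient order with the recorded protocol."""
    hops = []
    # Each server prepends its Received header, so reverse for travel order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        text = " ".join(_strip_comments(header).split())   # unfold the header
        text = text.rpartition(";")[0] or text              # drop the timestamp
        protocol = (_clause(r"\bwith\s+(\S+)", text) or "").upper()
        hops.append({"from": _clause(r"\bfrom\s+(\S+)", text),
                     "by": _clause(r"\bby\s+(\S+)", text),
                     "protocol": protocol or None,
                     "tls_recorded": protocol in TLS_PROTOCOLS})
    return hops

def hops_without_tls(raw_message):
    return [h for h in trace_hops(raw_message) if not h["tls_recorded"]]

# Constructed sample message (hosts use the reserved .example TLD).
SAMPLE = """\
Received: from relay.transit.example (relay.transit.example [203.0.113.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 4F1A2B3C;
\tSun, 1 Sep 2013 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.5])
\tby relay.transit.example with ESMTP id 77AA;
\tSun, 1 Sep 2013 10:00:02 +0000
Received: from [192.0.2.10] (laptop.sender.example [192.0.2.10])
\tby out.sender.example with ESMTPSA id 12ab;
\tSun, 1 Sep 2013 10:00:01 +0000
Subject: constructed test

body
"""
```

Each relay writes its own `Received` header and some do not record the TLS keyword, so the result is an indication rather than proof. Transport encryption on a hop also says nothing about whether the message is encrypted while stored on a server.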

August 28, 2013

The latest in cybercrime: free password cracker can now guess 55 character passwords

Trying to protect your business from cyber-attack has just become a bit more difficult with the improvements in the free password cracker oclHashcat-plus. The new release makes it able to tackle passwords with up to 55 characters at speeds as high as eight billion guesses per second on an almost unlimited number of compromised hashes.

Long passwords have become one of the last lines of defense against hackers and this new feature is unwelcome news.

August 19, 2013

How to find the most updated list of network vulnerabilities and exposures

There has been a lot of discussion recently about which is the most up-to-date and definitive list of network vulnerabilities.  We’ve decided to list the industry-standard network vulnerability lists.  Please don’t read anything into the order of the list:

US CERT

National Vulnerability Database Version 2.2 (http://nvd.nist.gov/):  The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

CVE

The Common Vulnerabilities and Exposures (http://www.cve.mitre.org/):  Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
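The sketch below shows how shared CVE Identifiers let reports from different tools be joined, both to compare tool coverage and to look up fix information. It is an added example, not part of the original post: the tool names, report lines and fix database are constructed, and the identifiers use year 0000 as placeholders rather than real CVE entries.

```python
import re

# CVE ID syntax: "CVE-", a 4-digit year, then a sequence number of 4+ digits.
CVE_ID = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

def extract_cves(report_text):
    """Return the normalised CVE identifiers mentioned in one tool's report."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_ID.findall(report_text)}

def coverage(reports):
    """Map each CVE identifier to the sorted list of tools that reported it."""
    seen = {}
    for tool, text in reports.items():
        for cve in extract_cves(text):
            seen.setdefault(cve, []).append(tool)
    return {cve: sorted(tools) for cve, tools in sorted(seen.items())}

def missed_by(tool, reports):
    """CVEs that some other tool reported but `tool` did not."""
    return sorted(c for c, tools in coverage(reports).items() if tool not in tools)

def remediation(reports, fix_db):
    """Join findings to fix information by CVE ID; None marks a missing entry."""
    return {cve: fix_db.get(cve) for cve in coverage(reports)}

# Constructed reports from three hypothetical tools, each in its own format.
# The year-0000 identifiers are placeholders, not real CVE entries.
REPORTS = {
    "scanner": "host10 443/tcp HIGH CVE-0000-0001\nhost10 25/tcp MED CVE-0000-0002",
    "patch_audit": "update missing (cve-0000-0001); see also CVE-0000-10003.",
    "ids": "alert sid=1 ref:CVE-0000-0002, ref:CVE-0000-10003",
}
# Constructed stand-in for a CVE-compatible fix database.
FIX_DB = {"CVE-0000-0001": "apply vendor update A",
          "CVE-0000-0002": "disable legacy service B"}
```

`missed_by("scanner", REPORTS)` lists what the scanner alone would have overlooked, and a `None` value from `remediation` flags a finding with no fix entry yet.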

SANS 

SANS (Sys Admin, Audit, Network, Security) Top 20 (www.sans.org/top20):

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

CERT

United States Computer Emergency Readiness Team (CERT) Vulnerability Notes Database (www.kb.cert.org/vuls/):

The Vulnerability Notes Database provides timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

August 1, 2013

Live from Las Vegas it’s Black Hat 2013

We are pressed for time, so we will only be blogging highlights from Black Hat 2013:

  • Less interest in Windows / more interest in devices.  In past years, Microsoft Windows security has been an important topic at Black Hat.  This year, we are seeing less interest in the Windows security systems and more focus on other hacking targets such as mobile devices, home security systems and even car security systems.
  • There was a mixed reception for National Security Agency director General Keith Alexander.  Calling the topic of NSA surveillance “perhaps one of the biggest issues facing our country today,” Alexander provided well-calibrated positions on cyber security issues.  Both cheers and jeers were heard throughout the convention hall.

We will keep this blog updated if there are any significant developments of note.

July 18, 2013

Cyber Security Tip: Only Keep Essential Customer Data

Many companies collect endless amounts of private customer data which then needs to be stored and protected.    In many cases, this data is not even used or perhaps it is used only once.  Do you really need a customer’s credit card information to be stored?   If you aren’t going to be phoning or mailing a customer, then maintaining a database with phone numbers and mailing addresses has no business value.  Other customer information such as social security numbers should also be avoided.

The simple rule of thumb is to limit the amount of customer information that you keep on your system.  The more you have, the more damage can be caused by a data breach.
