
Obama Urged by US House Republicans to not issue Cybersecurity Order

46 US House of Representatives Republicans joined in a letter (PDF) to urge President Barack Obama not to issue the executive order on cybersecurity. The White House is currently drafting an executive order that encourages operators of critical infrastructures (like banks, power grids, etc.) to meet cybersecurity standards.

“Instead of preempting Congress’ will and pushing a top-down regulatory framework, your administration should engage Congress in an open and constructive manner to help address the serious cybersecurity challenges facing our country,” the lawmakers wrote.

The executive order, expected for release in January, is meant to help protect these vital systems from hackers. It’s highly important that this gets put into action; otherwise the United States could see incidents such as power loss, plane crashes, train derailments, etc.

“This framework will work better than attempts to place the government in charge of overseeing minimum standards for industries seeking to invest in new and innovative security solutions,” the Republicans wrote.

The letter of urgency, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalise (Louisiana), is aimed at reducing the amount of government involvement in cyberwar, in hopes of not provoking hackers and other pests. However, if something isn’t done very soon, America as we know it could be in a lot of trouble.

 

 

Will 2013 Be a Challenging Year for Computer Security?

Much of the attention in computer security in 2013 will be focused on industrial control systems (ICS), Android, and the all-new Windows 8 OS. From malware like Stuxnet and other government threats to ordinary hackers and attackers going after consumer devices, it will be a challenge in both business and consumer markets.

A control system is supervisory software that runs on dedicated workstations and programmable hardware devices. Control systems are used to monitor and control many different operations, such as power grids, trains, airplanes, water distribution systems, military installations, and many more. They are often part of critical infrastructure, especially systems that big populations depend on for electricity, clean water, transportation, etc.

Among the worries that we will be watching in 2013, as other security authorities are as well, is the rise of more government malware, especially when it comes to control systems, which are believed to be widely targeted and surveyed.

Other problems to be faced include intense rises in mobile malware, particularly in the Android marketplace. Android malware is becoming more widespread, and it looks like hackers are retrying some old methods of Windows operating system exploitation on Android devices. This could become a big problem to watch out for.

The big issue with Android attacks also seems to be privilege escalation, which works through malicious apps installed by the user to gain root access and take control of the device. With hundreds of millions of Android devices already infected since its birth, botnets have gotten big, and there may still be a lot of devices infected.

Also, keep in mind that when you use a smartphone, you’re leaking a lot of information. This is mainly through app usage, since most apps collect a bit of data from your phone. It isn’t exactly personally identifiable information; however, it’s enough to make some people nervous.

Android is very open, and you can download apps for it from almost anywhere. This is much like Windows has been. But that’s a whole different long story.

Windows 8 will be a challenge for security, because researchers, hackers, security experts, etc. want to get in on testing just how secure it is.


Security Threats to Monitor throughout the beginning of the New Year

There is a lot to look out for this holiday season, and into the New Year…and many Grinches want to steal your joy. But, as long as you keep an eye on them, there shall be nothing to worry about!

 

  1. Spam – as always. Have you gotten emails from “FedEx” lately or UPS? You know, those fake emails stating you have a package to be tracked, but they need another payment method to process it? Or how about some free or cheap Rolexes? All of these are scammy spam, fraudulent, or just wanting to distribute malware! Remember, if you didn’t order it, don’t believe it! What is spam can also lead to number 2…
  2. Phishing attacks… as millions of people shop online and push the revenue of online shopping into the billions of dollars, there are also tons of scammers and fraudulent websites wanting your personal data or credit card, or just to waste your time. Remember, if it doesn’t look legitimate, or does not have a secure transaction process, it probably is not a good idea to make the purchase (no matter how attractive it looks). Usually, trusted stores are the best to shop from.

    When you go to check out and enter your personal information, first look at the address bar and make sure it highlights green in some area and has the following at the beginning of the web address: https://. Looking for that, or for a padlock icon in the lower right or left corner of the browser, will help ensure you have a secure connection where your personal information will be transferred privately.

  3. Social engineering attempts – you can find these on social networks. They attempt to entice you with different ads or offers, or show a shocking story in an attempt to get you to click on it. Once you do, you may be asked to log in to Facebook, verify personal information, or make a payment to get access to information.

    When it comes to shocking stories, safely ignore them if they didn’t come from what looks like a trusted source. Instead, stay out of trouble and don’t click. “If in doubt, throw it out” is a good rule to help you think about what you click on. Also, be careful about charity apps. On Facebook, an application called “Causes” is the only legitimately popular app to use for charity donations. Most correct charity ideas are routed through Causes because of how trusted the app is.

  4. TMI on social networks – be careful about telling others where you’re currently staying or eating, or that you’re by yourself (at the office or at home). Don’t bother using apps such as Foursquare or similar. They are highly insecure for your personal privacy and can result in burglary or worse.
  5. ATM skimmers – fake debit or credit card readers are popping up in random ATM machines around major retailers everywhere. Always look closely before swiping your card, or pressing any buttons. If anything seems out of place, loose, or just doesn’t feel right…Don’t swipe your card, don’t press any pin number, etc. If anything seems funky, ask the cashier to run your card under the counter, or just go to a bank.

    It’s best also to either tell the bank owning the ATM or call the number on the ATM. Let them know the machine can be modified for illegitimate purposes. Lastly, always spread the word to the cashier that the ATM could be modified and to tell customers not to use it.

  6. Unprotected computers and tablets… here are the solutions for those matters:

PC:

MAC:

ANDROID:

Buy Kaspersky Mobile Security and protect your Android smartphone for 1 Year – only $19.95

Security Awareness at Your Business, What about BYOD? (mini-whitepaper)

What exactly does it take to make your business more secure? You might ask… “Do I need to secure all the computers with antivirus software?”  – or – “Do we have to set up a network security policy?”  – or –  “Is security really necessary? It’s costly, why do we need it?”

It is possible to consider all of those questions, and possibly even answer them in your own mind. It is necessary to have antivirus software and a good security policy. It is also good to keep an eye on all of your employees as necessary to make sure they stay on task. 😉

However, let’s focus on some of the main data here…

  • Security awareness can be defined as the knowledge of how security systems work, and being able to apply them to an object. It matters to the physical and digital assets of the organization…AKA, your money, data, etc. Maybe it matters these days to say “Time is money, data is money, and so on…etc.”
  • Educate your employees on these matters, especially on the types of threats that can be seen in today’s malware world. Many things, especially on smartphones, are easy to spot. It’s good to keep an eye on the latest information about threats.
  • Password security is always important! Therefore, educate everyone on the basis of password security…including executives. Everyone you know in your business needs to be educated and re-educated. It’s so easy to become comfortable with choosing an easy password. Get out of the habit before it costs your company a fortune!
  • Protect your information and develop a policy for social media, BYOD, etc. It is important to educate your employees on how they should post anything about your company on social networks. The last thing you need is for a pre-release to be leaked, private data to be leaked, a controversial issue to light up, etc. Also, make sure to keep your employees off of non-work apps on their smartphones, and only focused on work. (BYOD at work says use smartphone for work only)
  • Back up your rules with consequences (honestly enforce them too), to make sure if security policies and procedures are broken, at least the employee will know how much trouble they’re in.
  • To scale this security awareness project further, download NIST’s Special Publication 800-50 – Building an Information Technology Security Awareness and Training Program to learn how to make your own.

 

Hackers and Virus-makers Retrying Their Luck on Android and Windows Phones

When you look at the scope of Android malware (malicious software/viruses), and then think about Windows Phone malware, it’s as if hackers and virus-makers (“cybercriminals”) are retrying their own luck. What is meant by this? Years ago, when malware started to take off in a big way (probably around 2000), these cybercriminals tried a number of ways to hack the Windows API/kernel, causing innumerable issues for Windows users. Now, in today’s market, it looks like it’s being done all over again.

During the 2000s era, it seemed like we had quite a few different types of malware. Here are those types explained in today’s market for smartphone malware:

  • Dialer: a trojan app/program that automatically dials premium rate numbers and attempts to rack up charges on the user’s phone bill. This can be highly costly, so removing it immediately is the best option.
  • Trojan: a common name for any type of app/program that is designed to look like it does one thing, but its code does something else untrustworthy. Common choices for trojans are stealing personal data off of the device, or changing the settings of a device to make it behave a different way.
  • Virus: a self-replicating piece of code, infects other files, or just damages files on devices.
  • Spyware: another trojan app/program, which attempts to steal personal data on the user’s device.
  • Adware: another trojan app/program designed to show ads to the user, sometimes flooding their screen. Commonly, these ads are personalized for the user, by getting a scope of the type of apps they have.
  • Rootkit: a piece of trojan code, designed to get administrator privileges on the device, and then take control of (and manipulate) the system.

As you can see, some of those issues are as prevalent on mobile devices as they were on Windows operating systems in the 2000s era.

To further protect your mobile device from any one of the threats described, please consider purchasing Kaspersky Mobile Security: Buy Kaspersky Mobile Security and protect your Android smartphone for 1 Year – only $19.95

Serious Java Vulnerabilities Have Many Things in Common (mini-whitepaper)

If you’ve seen many of our posts here, you’d know that we report about Java vulnerabilities. As often as they come, they must have something in common, right? Indeed.

Let’s look at the vulnerabilities CVE-2012-4681 and CVE-2012-5076: what’s similar, and what we can learn from these two serious vulnerabilities. Both use a Java reflection mechanism that breaks applet security restrictions and allows a malicious payload. In other words, they bypass security and execute malicious code.

Now, Java reflection is commonly used in programs, usually those that need to examine the runtime behavior of applications running in the Java Virtual Machine. It is very convenient for Java developers, and saves time when writing Java programs, but it also opens up more opportunities for exploits.

Now, to open up for the technical part, which you can skip if you don’t understand Java or it would give you a headache. 🙂

== TECHNICAL START ==

Java reflection has many functions, and they are:

  1. Get a class
  2. Get all members and methods in a class, including private ones
  3. Invoke methods

Java’s big vulnerability in dealing with reflection is that it allows hidden fields. Obviously, this isn’t a true flaw (meaning the Java developers don’t see a problem), but it would help to change this attribute to avoid further problems.

Now, CVE-2012-4681 used Java reflection to get at a hidden field called Statement.acc. It also implemented the “SetField” function, which changes the value of acc (the hidden field). To break the code, “java.beans.Statement” would be used.

So, in Java, we’d see:

SetField(Statement.class, "acc", localStatement, localAccessControlContext);

Then, as we analyze CVE-2012-5076, we see the big offender, “util.GenericConstructor”, which is used to create an object from a restricted class. It would be used on a restricted class like “sun.invoke.anon.AnonymousClassLoader”, whose function “loadClass” would then be called – that would deliver the malicious payload. Here is a breakdown of how the payload would work:

  1. GET the method “loadClass” and then invoke.
  2. GET the method “r” in payload and then invoke.
  3. Using “Class.forName” to load a target class
  4. Using “getDeclaredFields”, which would enumerate all fields (not including hidden ones).
  5. Using “setAccessible” to expose hidden/private fields.
== TECHNICAL END ==

Obviously, it’s time, researchers, to keep an eye on Java reflection vulnerabilities.

Microsoft Security Essentials FAILS latest AV-Test

AV-Test.org is a German publisher of comparative reviews on a slew of antivirus products. They review all types of antivirus and security suite products, and the tests are very beneficial to customers and to companies. Their reviews are published bi-monthly.

The latest review shows that Microsoft Security Essentials was the only product that did not make the cut for an award; it failed to earn certification during the latest review. It is unclear whether Microsoft’s Anti-Malware Team was stretched by working double on the super-improved Windows Defender for Windows 8, or whether malware has just been too troublesome.

Microsoft Security Essentials is, according to Opswat’s September 2012 market share report, used by almost 14 percent of the security market worldwide. That is a lot considering the number of antivirus product vendors available, which is over 50. It is highly difficult to maintain antivirus software in the current industry, because hackers and cybercriminals far outnumber the security researchers and developers available to counteract the attacks.

Many antivirus companies have adopted automated “robot” systems that do malware research on their own, rather than hire a lot of security researchers. By doing so, an antivirus company runs the risk of dealing with a lot of false positives. Some have been led to believe this is the rising trouble at companies like AVG, ESET, or Kaspersky, which have seen a rise in false positives in the past couple of years.

Latest round of AV tests:
