Beware fake iTunes gift certificate malware

Source: FortBendNow.com

With the kickoff to holiday shopping the day after US Thanksgiving–”Black Friday” as it is commonly known–come the spammers, scammers and thieves. There will undoubtedly be waves of fake gift card deals and other “click candy” full of scams and malware. A big one floating around right now is a fake iTunes gift certificate. It arrives with the subject line “iTunes Gift Certificate” and contains an attachment that is supposedly the gift code. The attachment is a ZIP file containing malware. (Sophos detects this file as Mal/BredoZp-B.)

This is nothing new; we always see such things around the big holidays. But there are a few things you can do to avoid getting fooled. Here’s a list from Sophos’s Naked Security Blog:

Here are some other things to watch out for, adapted from a list posted by USA Today:

* Beware bogus forms. Beware emails and pop-up messages that ask you to type your account username and password, credit card number or personal information such as Social Security number and date of birth. Legitimate organizations don’t solicit sensitive information via email.

* Don’t blindly believe urgent, personalized warnings. Phishers often claim that you need to take urgent action with official organisations such as IRS (taxation), Social Security or the Department of Motor Vehicles.

* Don’t fall for that cute-baby photo. Even if you recognise the sender’s name, don’t open attachments. Distrust all email until and unless you’ve verified that the sender actually intended you to get the message and can vouch for its content.

Have a Happy Thanksgiving and stay safe out there!

Five essential steps to mitigating password attack threats

After a bit of a hiatus on my studies for various certifications, I have gotten back into the swing of things and found a bit of wisdom that I wanted to share. From a Network Admin perspective, here are five essential password policies that will help you mitigate the threat of password attacks on your network:

1. Do not allow the same password to be used on multiple resources. If an attacker manages to get one password, he will then have them all if the same password is used on more than one resource.
2. Lockout a user account after a set number of failed login attempts. This defeats brute force password cracking attempts.
3. Do not allow cleartext storage of passwords. Self-explanatory.
4. Use strong passwords. Repeat: use strong passwords. Alternative: encourage passphrases. “mykittenpreferswhiskas” is very unguessable, but easily remembered.
5. NEVER, NEVER, NEVER allow default passwords to remain on devices on your network. “Admin/admin” is too easy and is one of the first things a cracker will try. On any new device, immediately change the default username and password.

Seriously, these are so obvious that I haven’t even written about them all in one post before. I confess that I have sometimes forgotten one or more of them.

Don’t get complacent. Fix these now.

25 Worst passwords of 2011

It sometimes seems like no one is listening when it comes to good password practices. I stress best practice with end users at every opportunity and though I always get the old okey-doke head nod, they rarely listen. The problem is, people are lazy and don’t want to be bothered with creating good passwords, to say nothing of managing all of them.

It’s no surprise to find what security firm SplashData says are the top 25 worst passwords of 2011. In fact, it’s even less of a surprise that I have seen fully two-thirds of these passwords in use by people I know:

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

A security Geek’s work is never done…

Microsoft releases temporary fix for critical Windows bug

Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems.

In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, which are the most secure to date. The critical vulnerability was recently exploited to spread Duqu, malware that some researchers say was derived from last year’s Stuxnet worm that sabotaged Iran’s uranium enrichment program.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” the advisory warned. “The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The accompanying Fix it is designed to protect against exploits until a permanent patch is issued. The company didn’t indicate when that would happen, except to say it wouldn’t be before next Tuesday’s regularly scheduled security update release.

Jerry Bryant, a spokesman in Microsoft’s Response Communications and Trustworthy Computing groups, said here that the company has already shared technical details with security partners.

“This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability,” he explained. “Therefore, we encourage customers to ensure their antivirus software is up-to-date.”

He went on to say risk of exploitation remains low.

“However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.” ®

Happy Halloween!

IMHO, no writer in history embodies the essence of Halloween more that Edgar Allen Poe whom I consider the creator of the horror genre (yes, I know he’s credited as the creator of detective-fiction and contributor to the science fiction genre but he dealt more in the macabre than anything else).

Poe’s short story, “The Gold Bug,” is what got me interested in ciphers and encryption as a young boy; a collection of his most popular short stories is what inspired me to become a writer.

So, on this Halloween 2011 I present a very special reading of Poe’s famous poem, “The Raven.” Enjoy!

[kml_flashembed movie="http://www.youtube.com/v/rIckeYVuMC0" width="425" height="350" wmode="transparent" /]

How to kill a zombie

Happy Halloween! In celebration of International Kill-A-Zombie Day which, apparently, I am the only one celebrating this year (c’mon Sophos, bring it back….Please?) I present to you a neat video on how you can join the fight to kill the zombies that have taken over millions of PCs.

[kml_flashembed movie="http://www.youtube.com/v/MXi_tKKePN4" width="425" height="350" wmode="transparent" /]

Celebrate International Kill-A-Zombie Day

Though announced by Sophos on Halloween Eve (Oct. 30) two years ago, International Kill-A-Zombie Day is just as relevant this Halloween as it was then. So, with Halloween 2011nigh, let’s redouble our efforts against malicious software. It’s still out there, you know. Have you noticed any drop in activity?

“Millions of computers around the world, in homes and business premises, are – without the knowledge of their owners – under the control of cybercriminals who commandeer the PCs to send spam, distribute malware, and commit identity theft,” says Graham Cluley, senior technology consultant at Sophos.

“Billions of spam messages are sent every day, with over 99% determined to be relayed from innocent users’ computers that have been hijacked and turned into a “zombie”. Hackers control networks of zombie computers, known as a botnet, in order to silently send out adverts that peddle sexual enhancement drugs or questionable financial deals, distribute scareware attacks to trick users out of their credit card details, access your social networking accounts, and spread further malicious attacks.”

[kml_flashembed movie="http://www.youtube.com/v/C6Jm_wAl668" width="425" height="350" wmode="transparent" /]

Beware of Halloween tricks

The bad guys love to trick people into downloading their malicious garbage and will use just about any tactics to do so. It’s Halloween season, so people will be searching for all kinds of scary stuff to decorate, dress up and generally celebrate the creepy. The hackers know this and have started putting up poisoned search results, such as the one below for “free halloween skeleton templates.”

The site links to a fake video site and will infect you with malware if you fall for the trick of installing Adobe Flash player. More info can be found here: http://community.websense.com/blogs/securitylabs/archive/2011/10/05/first-wave-of-halloween-scare.aspx

Yubico delivers secure two-factor authentication for Gmail and Google Apps

I love my Yubikey and I recommend it highly to everyone. I have it set up to authenticate me to LastPass and as the second factor on PayPal and eBay. Now, thanks to a small Windows app, you can use your Yubikey to provide two-factor authentication for Gmail and Google Apps.

This past Wednesday, October 26, 2011, Yubico announced that the company has successfully implemented the Initiative For Open Authentication (OATH) Time-based One-time Password (TOTP) configuration for the YubiKey USB authentication key, enabling secure access to Gmail and Google Apps.

Built into the Google account framework to supplement traditional password protection, Gmail and Google Apps users are able to authenticate their login with an additional layer of security using OATH TOTP.  The YubiKey simplifies the process of logging in with a one-time password token, as it does not require the user to re-type long passcodes from a display device into the login field of the computer.

“The OATH-TOTP configuration of the YubiKey enables Google Apps and Gmail users to authenticate with a simple click of the mouse, with a higher level of security than a smartphone application and with a minimal sized and practically indestructible token,” said Stina Ehrensvard, CEO and Founder, Yubico.

The OATH-TOTP protocol relies on using the current time to create a hash-based message authentication code for login credentials.  To utilize the YubiKey to support this protocol, Yubico has developed a small Windows app.  Once installed, the app sends the current time as a challenge to the YubiKey and the response is processed to produce the OATH-TOTP six-digit response.

You can get full details here: yubico.com/totp.

Now, I’m off to set up Google two-factor authentication on my accounts.

Why you should stop posting these five things on Facebook

If you’re not already a member of MakeUseOf, I highly suggest you join. They have a wealth of information that can make your lives and jobs easier. Today’s tip comes from a MakeUseOf email I just received. These are five things you need to stop posting on Facebook for both professional and personal reasons. Here is my take on them from a security standpoint.

1. Your current location. You want the whole world to know where you are, or a thief to know you’re not home? This is just dangerous on the web. There are people out there who don’t have your best interests in mind and letting them know where you are just doesn’t make sense.
2. New technology toys. “Wow, I love my new expensive gadget! Here’s a picture of it sitting on my bed. There is no reason for the whole world to know how you spend your money and no need to make yourself the target of thieves. This also ties in with #1 above: If the bad guys know you you aren’t at home and that you have penchant for expensive technology, you’ll be on their radar. Believe me, there are rings of people out there who take advantage of this.
3. Chain posts about Facebook’s new payment system. It’s free: always was and always will be. It is absolutely amazing to me how these things just seem to persist forever. Posting these things is an indication that you’re, well, not the brightest bulb in the lamp. Hackers target gullible people with this stuff and gullible people continue to fall for it. Stop letting them know you’re a potential target.
4. Vague or impersonal “personal” messages. You’ve seen them; you read them and go “huh?” Again, this could indicate that you are low-hanging fruit for the scammers and spammers.
5. Vacation, pictures. I’ll let you be the judge on this one. This is not only related to #1 above – you’re letting people know you’re out of town – but depending on where the vacation spot is, local bad guys who may be monitoring things could target you.

You think your security settings that only allow your friends to see your updates are going to prevent bad things from happening? Well, take a good hard look at your friends list. Anyone on there who may be questionable? Anyone on there you really don’t know and have never met?

Facebook isn’t a private telephone conversation, it’s more like a 50,000 watt radio station; it can reach into places you don’t consider. And, unlike a telephone conversation that is over when it’s over, what you post on Facebook and the web will probably never go away. It can come back to bite you.

It’s not fun to get bit…