OUCH! | December 2011 – E-mail Phishing and Scams

OUCH! | December 2011

IN THIS ISSUE…

• Phishing
• Scams
• Protecting Yourself

E-mail Phishing and Scams

GUEST EDITOR

Pieter Danhieux is the guest editor for this issue. He works
for BAE Systems stratsec in Australia (www.stratsec.net)
and is an instructor for the penetration testing courses at
the SANS Institute.

 

OVERVIEW

E-mail is one of the primary ways we communicate. We not
only use it every day for work, but also to stay in touch with
our friends and family. In addition, e-mail is how companies
provide many products or services, such as confirmation of
an online purchase or updates to our bank account. Since
so many people around the world depend on e-mail, it has
also become one of the primary methods cyber criminals
use to attack others. In this newsletter we explain these
dangers and steps you can take to protect yourself.

PHISHING

Phishing is one of the most common e-mail based attacks.
It uses social engineering, a technique where cyber
attackers attempt to fool you into taking an action. Phishing
was a term originally used to describe an attack designed to
steal your online banking login details. However, the term
has evolved and now refers to almost any cyber attack sent
by e-mail. A phishing attack begins with an e-mail
pretending to be from someone or something you know or
trust, such as your bank or your favorite online store.
These e-mails then try to entice you into taking an action,
such as clicking on a link, opening an attachment, or
responding to a message. Cyber criminals craft these
convincing e-mails and then send them out to thousands, if
not millions, of people around the world. The criminals do
not have a specific target in mind, nor do they know exactly
who will fall victim. They simply know the more e-mails
they send out, the more people they may be able to fool.
Phishing attacks often have one of the following objectives:

• Harvesting Information: The cyber attacker’s goal is to
   fool you into clicking on a link that takes you to a
   website that asks for your login and password, or
   perhaps your favorite color or mother’s maiden name.
   These websites may look legitimate, with exactly the
   same look and feel as your online bank, but they are
   designed to steal information that could give the
   attacker access to your online account.

• Controlling your computer through malicious links: Once
   again, the cyber attacker’s goal is for you to click on a
   link. However, instead of harvesting your information,
   the goal is to infect your computer. If you click on the
   link, you are directed to a website that silently
   launches an attack against your browser and, if
   successful, gives these cyber criminals full control
   over your computer.

• Controlling your computer through malicious attachments:
   These are phishing e-mails that have infected
   attachments, such as infected PDF files or Microsoft
   Office documents. If you open these attachments they
   attack your computer and, if successful, give the
   attacker complete control.

SCAMS

Scams are nothing new; these are attempts by criminals to
defraud you. Classic examples include notices that you’ve
won the lottery (even though you never entered it) or that a
dignitary needs to transfer millions of dollars into your
country and would like to pay you to help with the transfer.
They will then tell you that you have to pay a processing fee
before you can get your money. After you pay these fees
the criminals disappear, never to be heard from again.

PROTECTING YOURSELF

In most cases simply opening an e-mail is safe. For most
attacks to work you have to do something after reading the
e-mail (such as opening the attachment, clicking on the link,
or responding to the request for information). If after
reading an e-mail you think it is a phishing attack or scam,
simply delete the message. Here are some indications that
an e-mail is an attack.

• Be suspicious of any e-mail that requires immediate
   action or creates a sense of urgency. This is a common
   method used to trick people.

• Be suspicious of e-mails addressed to “Dear Customer” or
   some other generic salutation.

• Be suspicious of grammar or spelling mistakes; most
   businesses proofread their messages very carefully.

• If a link in an e-mail seems suspicious, hover your mouse
   over the link. This will show you the true destination
   where you would go if you actually clicked it. The link
   that is written in the e-mail may be very different from
   where it will actually send you.

• Do not click on links. Instead copy the URL from the
   email and paste it into your browser. Even better is
   to simply type the destination name into your
   browser. For example, if you get an email from UPS
   telling you your package is ready for delivery, do not
   click on the link. Instead, go to the UPS website and
   then copy and paste the tracking number.

• Be suspicious of attachments; only open attachments
   that you were expecting.

• Just because you got an e-mail from your friend does
   not mean they sent it. Your friend’s computer may
   have been infected or their account may have been
   compromised, and malware is sending the e-mail to
   all of your friend’s contacts. If you get a suspicious
   email from a trusted friend or colleague, call them to
   confirm that they sent it.
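The "hover over the link" check above can also be run automatically over an HTML message body. The following is an added example, not part of the original newsletter: it compares the destination each link displays with the host its href actually points to. The sample message, the host names (reserved .example and .test names) and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: body of a made-up delivery notice. All hosts use
# reserved names (.example, .test) and do not exist.
SAMPLE_HTML = """
<p>Dear Customer, your package is ready for delivery.</p>
<p>Track it: <a href="http://www.shipper.example.parcel-update.test/t?id=1">www.shipper.example/track</a></p>
<p>Help: <a href="https://www.shipper.example/help">www.shipper.example/help</a></p>
<p><a href="http://login.parcel-update.test/">Click here</a></p>
"""

# Visible link text that itself looks like a URL or a bare host name.
_HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?=[/:?#]|$)", re.I
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def shown_host(text):
    """Host name the reader sees, or None if the text names no destination."""
    match = _HOST_IN_TEXT.match(text.strip())
    return match.group(1).lower() if match else None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True if `actual` is the shown host or a subdomain of it.

    Simplification: a production check would compare registrable domains
    using the Public Suffix List.
    """
    shown, actual = _strip_www(shown), _strip_www(actual)
    return actual == shown or actual.endswith("." + shown)


def audit_links(html):
    """Return one finding per link: what is shown versus where it goes."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            actual = urlsplit(href).hostname  # None for mailto:, relative links
        except ValueError:
            actual = None
        shown = shown_host(text)
        if actual is None:
            verdict = "non-web-link"
        elif shown is None:
            verdict = "no-destination-shown"  # e.g. "Click here": check the href
        elif same_site(shown, actual):
            verdict = "match"
        else:
            verdict = "mismatch"  # text names one site, link goes to another
        findings.append(
            {"text": text, "shown_host": shown, "actual_host": actual, "verdict": verdict}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

A "mismatch" verdict is the case the bullet above describes: the written link and the true destination differ. A "match" only means the two agree, not that the site itself is trustworthy.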

Ultimately, using e-mail safely is all about common sense. If
something seems suspicious or too good to be true, it is most
likely an attack. Simply delete the e-mail.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

How Phishing Works: http://preview.tinyurl.com/853xj85

OnGuard Online – Avoiding Scams:
http://preview.tinyurl.com/6vfoljs

Anti-Phishing Working Group: http://www.apwg.org
Phishtank: http://www.phishtank.org

Security Terms & Definitions:

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the
Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter
as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011 http://www.securingthehuman.org

 


OUCH! | November 2011 – Browser Security & Privacy

OUCH! | November 2011

 

IN THIS ISSUE…

• Staying Current
• Plugins and Add-Ons
• Security Features
• Privacy

Browser Security and Privacy

GUEST EDITOR

Mike Poor is the guest editor for this issue. He is a senior
security analyst for the consulting firm InGuardians Inc.
(www.inguardians.com). Mike is also a senior instructor for
the SANS Institute and the track lead for one of SANS’ top
courses, SEC503: Intrusion Detection In-Depth.

 

OVERVIEW

Your Internet browser, such as Internet Explorer, Firefox,
Chrome, or Safari, is one of the primary tools you use to
interact with the Internet. Cyber attackers know this, which
makes your browser one of their primary targets. Also, your
browser may collect a great deal of personal information
about you that you may not be aware of. In this newsletter
we cover the steps you can take to protect both your
computer and your privacy.

KEEPING YOUR BROWSER CURRENT

The first step to protecting yourself is always using the
latest version of your browser. It does not matter which
browser you use; what is important is that you use the most
recent version of your browser. Cyber attackers are
constantly searching for, and finding, programming errors
and other flaws in browsers. These mistakes (often called
vulnerabilities) can be exploited, giving attackers access to,
and sometimes even complete control over, your system.
The companies that developed your browser (such as
Microsoft, Google, or Apple) release patches to fix these
vulnerabilities. By always having the latest version, you
ensure your browser has these known issues fixed. To
ensure your browser is updated, make sure the auto-
update feature is always enabled in your browser and
operating system. Some browsers, such as Chrome,
automatically update themselves every time you restart the
browser.

PLUGINS AND ADD-ONS

Plugins (sometimes called Add-Ons) are additional
programs you can install in your browser. The problem
with these additional programs is they can expose you and
your system to greater risk. Each program you add to your
browser has its own unique vulnerabilities or weaknesses.
Install only the plugins you absolutely need and be sure you
download them from well known, trusted sites. At times a
website may ask you to install a plugin. Be careful – these
can be attempts to fool you into installing infected software.
When possible, always download and install a plugin from
the original vendor’s site. For example, always download
or update your Flash player from the Adobe site
http://www.adobe.com. Once you have installed a plugin you
have to ensure that you keep it up to date, just like your
browser. This can be challenging as many plugins have
no automatic updating capability; you have to manually
check and update them yourself. If that is the case, we
recommend you check the status of your browser plugins at
least once a month. In the resources section are several
trusted websites that will help you do this.

SECURITY FEATURES

Each browser has its own unique security features. Be
sure to take a moment and review your browser’s security
preferences or options. A key feature that almost all
browsers support is warning you when you visit potentially
malicious websites. Your browser maintains an updated list
of thousands of known websites that are malicious or
attempt to harm people. If you attempt to visit any of these
known malicious websites, your browser will stop you and
present a warning banner. When you get a warning
banner, do not proceed to the site. Keep in mind, though,
you still always have to be careful about the websites you
visit. Your browser cannot keep up with cyber criminals; it
will not know all sites that are malicious.

PRIVACY

You may not realize it, but your browser may store a great
deal of information about your online activities, including
cookies, cached pages, and history. Cookies are small
data files that websites send to your browser and can make
using the web easier, such as storing your preferences.
But cookies also allow companies to track your movements
across the web. Cached pages are stored copies of
websites you have recently visited. They are used to
improve your system’s performance but also might be
accessed by unauthorized users. Finally, many browsers
save the history of all the websites you have visited to take
you more quickly to the websites you visit the most.
To protect your privacy, you can disable some or all of these
features. In addition, some browsers support the ability to
manually erase any stored data, or automatically erase stored
data every time you close your browser. Finally, most
browsers support a privacy mode where all data collection is
turned off, including caching, cookies, and history. This
ensures no information is collected about your browsing
activities; however, this can also limit your ability to interact
with some sites. Check your browser’s privacy settings to
change any of these features.

Finally, whenever possible make sure your browser
connections are encrypted. This helps ensure your online
activity cannot be monitored or captured. Encrypted
connections are often called HTTPS. For example, sites
such as Twitter, Facebook, and Google allow you to set your
personal settings to ensure you are always using HTTPS
(encryption) when communicating with these sites. In addition,
whenever banking or shopping online, make sure your
connections are encrypted. To confirm this, look for https:// in
the browser and a lock.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

Browser Plugin Check:
http://preview.tinyurl.com/3m9gjr5

Firefox Plugin Check:
http://preview.tinyurl.com/3ojhl69

Chrome Browser Security:
http://preview.tinyurl.com/36sgakv

Internet Explorer 9 Security:
http://preview.tinyurl.com/3ly6wyv

Safari Browser Security:
http://preview.tinyurl.com/aesqpl

Firefox Browser Security:
http://preview.tinyurl.com/6ee3kx6


OUCH! | October 2011 – Backup and Recovery

OUCH! | October 2011

IN THIS ISSUE…

• What To Back Up and When
• How To Perform a Backup
• Recovery
• Key Points

Backup and Recovery

GUEST EDITOR

Dr. Eric Cole is the guest editor for this issue of OUCH! Eric
focuses on consulting services that help organizations
deploy solutions that protect themselves. He also is an
author and teacher for the SANS Institute.

 

OVERVIEW

Backups are one of the most important steps you can take
to protect your information. They are your last line of
defense when something goes wrong, such as hard drive
failures, accidental file deletions, or malware infections. In
this issue, we focus on ways that you can back up your
data and develop a strategy that’s right for you.

WHAT TO BACK UP AND WHEN

There are two basic approaches when deciding what to
back up: (1) any data that you have created or that is
important to you, such as documents, pictures, or videos or
(2) everything, including your operating system and any
programs you have installed in addition to your unique data.
The first approach streamlines your backup process;
however, the second approach makes it easier to recover in
the event of a complete system failure. If you are not sure
what to back up, then back up everything.

Your next decision is how often to back up
your data. Common options include hourly, daily, weekly,
etc. For home users, personal backup programs, such as
Apple’s Time Machine or Microsoft’s Windows Backup and
Restore, will allow you to create an automatic “set it and
forget it” backup schedule. Other solutions offer continuous
protection, in which new or altered files are immediately
backed up as soon as they’re closed. If you’re part of an
organization with multiple computers, you may wish to
define your own schedule. A good approach is to consider
how much information you can afford to lose in a worst-
case scenario. For example, by backing up daily, you
might lose one day’s work if your computer crashes late in
the day. Many organizations schedule daily backups during
off-peak hours to minimize the impact on normal
operations.

HOW TO PERFORM A BACKUP

In general there are two destinations to which you can back
up your information: physical media or cloud-based
storage. Examples of physical media include DVDs, USB
drives, magnetic tape, or additional hard drives. Avoid
backing up to the same device that holds the original files.
When using physical media, be sure to label it both
internally (in the file name) and externally (on the medium)
so that you can easily identify a backup from a particular
date and time. You can store a local backup copy in a
lockable, fireproof and waterproof container designed for
your chosen media. A more robust option is to store
copies of your backups off site. For personal backups this
can be as simple as storing them at a family member’s
house or in a safe deposit box. Organizations may want to
hire a professional service to securely transport and store
backups. Depending on the sensitive nature of your
backups and where they are being stored, you may also
want to encrypt them.

Many of these issues are addressed for you with cloud
backups. Performing cloud backups is often as simple as
installing and configuring an application on your computer.
After you configure your backup options, new and altered
files are backed up automatically over the Internet to
servers in the provider’s data center.

Finally, you need to decide how far back in time your
backups need to go. Home users most likely do not need
to go back more than thirty days. Some organizations may
have policy or legal requirements for longer retention
periods and may also mandate the destruction of old
backups. If you are backing up organizational data, check
with your information technology, legal, or records
management group to be sure. Cloud backup services may
charge based on the amount of data that is backed up, so
take care not to run up a big bill.

RECOVERY

Backing up your data is only half the battle; you have to be
certain that you can easily recover it. Practice your recovery
process regularly, just as you would a fire drill, to help ensure
that everything will work properly should you need to use it.
Check at least once a month that your backup program is
working. If nothing else, try recovering a file. For more robust
testing, especially in organizations, consider making a full
system recovery, and verify that it is restorable. If you don’t
have spare hardware to use for testing a full system recovery,
restore key files and folders to a different location and then
verify that you have and can open everything.
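The restore test described above (restore to a different location, then verify you have everything) can be made repeatable with a checksum manifest. The following is an added example, not part of the original newsletter: it records SHA-256 hashes at backup time and checks a test restore against them. The file names, directory layout and function names are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def write_manifest(root, manifest_path):
    """Run at backup time; store the manifest alongside the backup."""
    Path(manifest_path).write_text(json.dumps(build_manifest(root), indent=2))


def verify_restore(manifest_path, restored_root):
    """Compare a test restore against the manifest written at backup time."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(restored_root)
    common = expected.keys() & actual.keys()
    corrupt = sorted(name for name in common if expected[name] != actual[name])
    return {
        "ok": len(common) - len(corrupt),
        "missing": sorted(expected.keys() - actual.keys()),  # never restored
        "corrupt": corrupt,                                   # content differs
        "extra": sorted(actual.keys() - expected.keys()),     # not in the backup
    }


def demo():
    """Constructed scenario: restore loses one file and damages another."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "original"
        (original / "docs").mkdir(parents=True)
        (original / "docs" / "report.txt").write_text("quarterly report\n")
        (original / "photo.bin").write_bytes(bytes(range(256)))
        (original / "notes.txt").write_text("remember the milk\n")

        manifest_path = tmp / "backup-manifest.json"
        write_manifest(original, manifest_path)

        # Stand-in for "restore key files and folders to a different location".
        restored = tmp / "restore-test"
        shutil.copytree(original, restored)
        (restored / "photo.bin").write_bytes(b"\x00" * 256)  # simulated damage
        (restored / "notes.txt").unlink()                    # simulated loss

        return verify_restore(manifest_path, restored)


if __name__ == "__main__":
    print(demo())
```

Matching hashes show the restored files are byte-for-byte what was backed up. Comparing against a manifest taken at backup time, rather than against the live originals, avoids false alarms from files edited since the backup ran.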

KEY POINTS

• Automate your backup process as much as possible, but
   verify that it runs correctly.

• When rebuilding an entire system or recovering key
   operating system files, be sure you reapply security patches
   and updates before putting it back into service.

• Outdated or obsolete backups may become a liability and
   should be destroyed in order to prevent them from being
   accessed by unauthorized users.

• If you are using a cloud solution, research the policies and
   reputation of the organization. For example, do they encrypt
   your data when it is stored? Who has access to your
   backups? Do they support strong authentication?

• For robust backup practices, consider the 3-2-1 rule:

   • Three: If something is worth keeping, keep the
      original plus two backup copies.

   • Two: Use different types of media for your two
      backup copies. If you must use the same medium
      for both, use different vendors to mitigate
      manufacturing defects.

   • One: Store one copy off-site, away from the
      original and the second copy.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

Apple Time Machine:
http://preview.tinyurl.com/3wkytqs

Windows 7 Backup and Restore:
http://preview.tinyurl.com/ylghqgp

Cloud Backup:
http://preview.tinyurl.com/3reftgv


OUCH! | September 2011 – Social Networking Safety

OUCH! | September 2011


IN THIS ISSUE…

• Overview
• Privacy
• Security

Social Networking Safety

GUEST EDITOR

Lenny Zeltser is the guest editor for this issue of OUCH!
Lenny focuses on safeguarding customers’ IT operations at
Radiant Systems and teaches malware combat at the
SANS Institute. Lenny is active on Twitter as @lennyzeltser
and writes a security blog at blog.zeltser.com.

OVERVIEW

This month we’ll look at social networking sites, such as
Facebook, Twitter, Google+ and LinkedIn. Sites such as
these are powerful tools, allowing you to meet, interact with,
and share with people around the world. However, with all
these capabilities come considerable risks, not just to you
but to your employer, family, and friends. In this newsletter
we will discuss what these dangers are and how to use
these sites safely.

PRIVACY

A common concern about social networking sites is your
privacy: the risk of you or others sharing too much
information about yourself. The dangers of oversharing
include:

• Damaging Your Career: Embarrassing information
   may harm your future. Many organizations search social
   networking sites as part of a new employee background
   check to see what has been posted about you. Any
   embarrassing or incriminating posts, no matter how old they
   are, may prevent you from getting that new job. In addition,
   many universities conduct similar checks for new student
   applications.

• Attacks Against You: Cyber criminals can harvest
   your information and use it for attacks against you. For
   example, they can harvest your personal information to
   guess the answers to “secret questions” that websites
   use to reset your passwords or perhaps apply for a credit
   card using your personal information.

• Attacks Against Your Employer: Criminals may
   gather information that you share on social networking sites
   when compiling competitive data or preparing for a cyber
   attack on your employer. Moreover, your actions online
   may inadvertently reflect badly on your employer. Be sure
   to consult your employer’s social networking policy for
   guidelines on how you are expected to safeguard your
   organization’s data and reputation.

The most effective way to protect yourself against these
dangers is to be cautious about what information you post
about yourself. Consider whether the data you are sharing
now could be used against you some time later. Also,
tighten the privacy settings of your social networking profile
to limit who can see the personal information you might
share on the site. Keep in mind that your data may be
inadvertently leaked by the website or your friends, so it is
best to assume that any information you post will at some
point become public knowledge. Also, be aware of what
others post about you. If you have friends posting
information, pictures, or other data you do not want made
public, ask them to remove it.

SECURITY

In addition to being the source of damaging information
leaks, social networking sites can be used as a platform for
attacking your system or conducting scams. Here are
some steps to protect yourself.

• Login: Protect your social networking account with
   a strong password. (See OUCH May 2011) Do not share
   this password with anyone or use it for other sites. In
   addition, some social networking sites, such as Facebook
   or Google+, support features for stronger authentication,
   such as using one-time passwords when logging in from
   public computers or using your phone as part of the login
   process. Enable these features where possible.

• Encryption: Many sites, such as Facebook,
   Google+, and Twitter, allow you to force all communications
   with the website to be encrypted (called HTTPS).
   Whenever possible, enable this option.

• E-mail: Be cautious when clicking on links in e-mail
   messages that claim to originate from a social networking
   site. Instead, access the site using a saved bookmark and
   check any messages or notifications using the website
   directly.

• Links: Be careful of clicking on links posted on
   people’s walls or public pages. Viruses and worms spread
   easily on such sites. If a link seems odd, suspicious, or too
   good to be true, do not click on it, even if the link is on your
   most trusted friend’s page. Your friend’s account may have
   been hijacked or infected and now be spreading malware.

• Scams: Criminals take advantage of the open nature
   of social networking sites to defraud individuals. Such scams
   sometimes use the pretext of an offer for a job or money that
   is too good to be true. Another common scam uses hijacked
   accounts to contact the victim’s friends with requests for help,
   claiming that the person got robbed in a foreign country and
   needs money. Be cautious when approached by a friend or a
   stranger on a social networking site with a request for money
   or with an offer that’s surprisingly good.

• Apps: Some social networking sites give you the
   ability to add or install third party applications, such as
   games. Keep in mind there is little or no quality control or
   review of these applications and they may have full access to
   your account and the data you share. Malicious apps can
   use this access to interact with your friends on your behalf
   and to steal and misuse personal data. Be careful, and only
   install apps that come from trusted, well-known sites. Once
   they are installed, make sure you keep them updated. If you
   are no longer using the app, then remove it.

Social networking sites are a powerful and fun tool; they
allow you to communicate with the world. If you follow the
tips outlined here, you should be able to enjoy a much safer
online experience.
 
RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

OnGuard Online: http://preview.tinyurl.com/5yjgjt
Microsoft: http://preview.tinyurl.com/3q4qzzr
US CERT: http://preview.tinyurl.com/df9f2d
Facebook: http://www.facebook.com/safety
Twitter: http://preview.tinyurl.com/3mb92rp


Register to Attend DotNetNuke World 2011–In ORLANDO, FL!!

 

Every year since the first North American DotNetNuke conference (then named OpenForce), it was nothing short of the who’s who of the DotNetNuke community and ecosystem.  The buzz resulting from people before, during, and after the event was simply gravitating, and was sure to make anyone who didn’t attend jealous of those that did.  If you pay any attention to the blogs, forums, and twitter during this time, this proves true every year.

 

For more on this story, you’ll find the original blog post by Will Strohl here:

DNN Blog – DotNetNuke World

 


Considering Using A Mover? Read This First

 

A Short Story of Why We Will NEVER Use Allied Ever Again


Cyber Security Tip ST06-001 – Understanding Hidden Threats: Rootkits and Botnets

National Cyber Alert System

Cyber Security Tip ST06-001

Understanding Hidden Threats: Rootkits and Botnets

Attackers are continually finding new ways to access computer systems. The
use of hidden methods such as rootkits and botnets has increased, and you
may be a victim without even realizing it.

What are rootkits and botnets?

A rootkit is a piece of software that can be installed and hidden on your
computer without your knowledge. It may be included in a larger software
package or installed by an attacker who has been able to take advantage of a
vulnerability on your computer or has convinced you to download it (see
Avoiding Social Engineering and Phishing Attacks for more information).
Rootkits are not necessarily malicious, but they may hide malicious
activities. Attackers may be able to access information, monitor your
actions, modify programs, or perform other functions on your computer
without being detected.

Botnet is a term derived from the idea of bot networks. In its most basic
form, a bot is simply an automated computer program, or robot. In the
context of botnets, bots refer to computers that are able to be controlled
by one, or many, outside sources. An attacker usually gains control by
infecting the computers with a virus or other malicious code that gives the
attacker access. Your computer may be part of a botnet even though it
appears to be operating normally. Botnets are often used to conduct a range
of activities, from distributing spam and viruses to conducting
denial-of-service attacks (see Understanding Denial-of-Service Attacks for
more information).

Why are they considered threats?

The main problem with both rootkits and botnets is that they are hidden.
Although botnets are not hidden the same way rootkits are, they may be
undetected unless you are specifically looking for certain activity. If a
rootkit has been installed, you may not be aware that your computer has been
compromised, and traditional anti-virus software may not be able to detect
the malicious programs. Attackers are also creating more sophisticated
programs that update themselves so that they are even harder to detect.

Attackers can use rootkits and botnets to access and modify personal
information, attack other computers, and commit other crimes, all while
remaining undetected. By using multiple computers, attackers increase the
range and impact of their crimes. Because each computer in a botnet can be
programmed to execute the same command, an attacker can have each of them
scanning multiple computers for vulnerabilities, monitoring online activity,
or collecting the information entered in online forms.
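
One way to look for the "certain activity" mentioned above, as an added example that is not part of the original US-CERT tip: the script reads outbound firewall log lines and flags a computer that contacts an unusually large number of different destinations on one port in a short time, the pattern produced by a bot sending spam or scanning other computers. The log format, the addresses and the thresholds are assumptions made for this illustration.

```python
"""Flag internal hosts whose outbound traffic fans out the way a bot's does.

Added illustration: the log format, field names and thresholds are
assumptions for this example, not the output of a specific firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW OUT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Return (timestamp, src, dst, dport), or None for an unreadable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m["src"], m["dst"], int(m["dport"])


def fan_out_alerts(lines, window=timedelta(seconds=60), min_destinations=10):
    """Return sorted (src, dport, peak) tuples for every source that reached
    at least min_destinations distinct destinations on one port within window."""
    recent = defaultdict(deque)  # (src, dport) -> recent (timestamp, dst) pairs
    peak = {}
    events = sorted(e for e in map(parse, lines) if e)
    for ts, src, dst, dport in events:
        q = recent[(src, dport)]
        q.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_destinations:
            peak[(src, dport)] = max(peak.get((src, dport), 0), distinct)
    return sorted((src, dport, n) for (src, dport), n in peak.items())


def build_sample_log():
    """Constructed sample log: one ordinary desktop and one host that opens
    mail connections to 40 different servers in 40 seconds."""
    base = datetime(2011, 12, 1, 10, 0, 0)
    lines = []
    for i in range(12):  # ordinary browsing: three web servers over ten minutes
        ts = base + timedelta(seconds=50 * i)
        lines.append(
            f"{ts.isoformat()} ALLOW OUT src=192.168.1.10 "
            f"dst=198.51.100.{i % 3 + 1} dport=443"
        )
    for i in range(40):  # spam-like fan-out on the mail port
        ts = base + timedelta(seconds=i)
        lines.append(
            f"{ts.isoformat()} ALLOW OUT src=192.168.1.23 "
            f"dst=203.0.113.{i + 1} dport=25"
        )
    lines.append("truncated or garbled line that the parser skips")
    return lines


if __name__ == "__main__":
    for src, dport, n in fan_out_alerts(build_sample_log()):
        print(f"{src} reached {n} distinct hosts on port {dport} within the window")
```

A computer flagged this way may still appear to be operating normally to its user, which is why the check is made on network logs rather than on the computer itself.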

What can you do to protect yourself?

If you practice good security habits, you may reduce the risk that your
computer will be compromised:

* Use and maintain anti-virus software – Anti-virus software recognizes
  and protects your computer against most known viruses, so you may be
  able to detect and remove the virus before it can do any damage (see
  Understanding Anti-Virus Software for more information). Because
  attackers are continually writing new viruses, it is important to keep
  your definitions up to date. Some anti-virus vendors also offer
  anti-rootkit software.
* Install a firewall – Firewalls may be able to prevent some types of
  infection by blocking malicious traffic before it can enter your
  computer and limiting the traffic you send (see Understanding Firewalls
  for more information). Some operating systems actually include a
  firewall, but you need to make sure it is enabled.
* Use good passwords – Select passwords that will be difficult for
  attackers to guess, and use different passwords for different programs
  and devices (see Choosing and Protecting Passwords for more
  information). Do not choose options that allow your computer to remember
  your passwords.
* Keep software up to date – Install software patches so that attackers
  can’t take advantage of known problems or vulnerabilities (see
  Understanding Patches for more information). Many operating systems
  offer automatic updates. If this option is available, you should enable
  it.
* Follow good security practices – Take appropriate precautions when using
  email and web browsers to reduce the risk that your actions will trigger
  an infection (see other US-CERT security tips for more information).

Unfortunately, if there is a rootkit on your computer or an attacker is
using your computer in a botnet, you may not know it. Even if you do
discover that you are a victim, it is difficult for the average user to
effectively recover. The attacker may have modified files on your computer,
so simply removing the malicious files may not solve the problem, and you
may not be able to safely trust a prior version of a file. If you believe
that you are a victim, consider contacting a trained system administrator.

As an alternative, some vendors are developing products and tools that may
remove a rootkit from your computer. If the software cannot locate and
remove the infection, you may need to reinstall your operating system,
usually with a system restore disk that is often supplied with a new
computer. Note that reinstalling or restoring the operating system typically
erases all of your files and any additional software that you have installed
on your computer. Also, the infection may be located at such a deep level
that it cannot be removed by simply reinstalling or restoring the operating
system.

_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

Terms of use

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-001.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

 


OUCH! | August 2011 – Updating Your Software

OUCH! | August 2011

IN THIS ISSUE…

• Overview
• Operating Systems
• Applications
• Browser Plug-ins

Updating Your Software

GUEST EDITOR

Mike Poor is the guest editor for this issue of OUCH! He is
a senior security analyst for the consulting firm InGuardians
Inc. (www.inguardians.com). Mike is also a senior instructor
for the SANS Institute and the track lead for one of SANS’
top courses, SEC503: Intrusion Detection In-Depth.

OVERVIEW

This month we will look at why updating your operating
system, applications, and browser plug-ins is essential to
maintaining your privacy and security. We will also provide
tools and techniques to help you keep your software
updated and secure. Vulnerabilities are bugs or
weaknesses in your software that cyber attackers can
exploit, and unfortunately, new vulnerabilities are being
discovered constantly. Software vendors, such as Microsoft
and Apple, issue updates (or patches) regularly to correct
these vulnerabilities. As a result, updating your software is
a key step to protecting yourself.

OPERATING SYSTEMS

Computers and mobile devices have operating systems,
which is the software that allows you to interact with your
system. Examples of operating systems for computers
include Microsoft Windows and Mac OS X. Operating
systems for mobile devices include Apple’s iOS and
Android OS. Microsoft Windows, long the favorite target for
attackers, includes a utility for checking and updating your
system automatically. Microsoft Update covers not only
Windows but also many Microsoft applications you have
installed, such as Office. Mac OS X has a similar auto-updating
feature for OS X and Apple applications.

Keep in mind that even if you have auto-updating enabled,
your computer must be able to download and install the
updates, and some updates require rebooting your system
before they take effect. For auto-updating to be most
effective, we recommend you set your system to check for
updates every day. Pick a time of day when your system
will be powered on, awake, and connected to the Internet.
When prompted, restart your computer without delay. You
can also use the auto-updating tool in Windows and OS X
to check for and install updates manually if you so choose.

iOS, for mobile devices like the iPhone and iPad, does not
include an auto-updating tool. Users must check for and
apply updates manually using iTunes. Android 2.x has an
auto-updater that covers both the OS and installed apps. It
requires your permission when they are ready to install.

SOFTWARE APPLICATIONS

Applications are additional programs you download and
install on your computer or mobile device. The key to
keeping your computer and mobile device apps updated
and secure is to know which ones you have installed,
whether or not they have a built-in auto-update utility, and if
that utility is enabled. In addition, the more apps you have
installed, the greater the risk you run of having a vulnerable
system – a compelling reason to install only the apps that
you need and use and to uninstall those unneeded and
unused. Several of the most common applications, such as
MS Office, Adobe Acrobat Reader, and Java, include an
auto-updater, but most do not. When in doubt, check the
software maker’s website to determine what you need to do
to keep an app updated.

We know and understand that keeping track of all your
computer applications and their update status can be
challenging. Good thing there are tools to help. One we
recommend is Secunia’s Personal Software Inspector
(PSI). PSI scans your computer for known applications and
attempts to determine which are out of date and provides
links so you can update them. Unfortunately, there is no
comparable tool for OS X we can recommend at this time.

Auto-updating is not built into iOS apps. It is up to the user
to download app updates through iTunes manually. Android
2.x has an auto-updater that covers both installed apps and
the OS. It will require your permission when updates are
ready to be installed.

BROWSER PLUG-INS

Finally, there are plug-ins (commonly called Add-ons).
These are small software applications that enhance the
functionality of your browser, such as Adobe Flash Player,
Apple QuickTime, and Microsoft Silverlight. As plug-ins
have proliferated, they have become a popular target for
cyber attackers because they are difficult to keep updated.
Again, the key to protecting yourself is to know which plug-ins
you have installed and whether or not they are current. Most
browsers give you the ability to see which plug-ins you have
installed and their current version. Some popular plug-ins
update themselves automatically.

It can be time-consuming to determine if your plug-ins are up
to date. Qualys’s Browser Check is a simple, easy-to-use,
web-based tool that enables you to determine quickly which
plug-ins you have installed, which are out-of-date, and how to
update them. In addition, most common browsers contain a
built-in tool for checking and updating plug-ins.

–>  Mozilla provides a web-based tool for Firefox that
detects third-party plug-ins and provides links to updates.
http://preview.tinyurl.com/ylhbg7v

–>  Chrome disables out-of-date plug-ins automatically.
Clicking on “Update plug-in” takes you to that plug-in’s
website where you can download its latest version.
http://preview.tinyurl.com/444vc59

–>  Safari has automatic updating for plug-ins
(extensions), but by default it is not enabled. To activate it,
open the Preferences window in Safari and select
Extensions. Then select the Updates link at the bottom of the
extensions list, and put a check in the Install Updates
Automatically box. http://preview.tinyurl.com/3bou9z6

RESOURCES

Some of the links in this newsletter have been shortened
for greater readability using the TinyURL service. To
mitigate security issues, OUCH! uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

Windows Updating: http://preview.tinyurl.com/26glz4q
OS X Updating: http://preview.tinyurl.com/4qmuqs
iOS Updating: http://preview.tinyurl.com/55freg
Android Updating: http://preview.tinyurl.com/3ycw2zr
Secunia’s Personal Software Inspector (PSI):
http://preview.tinyurl.com/5wu6xo
Qualys’s Browser Check:
http://preview.tinyurl.com/3m9gjr5

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the
Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter
as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011 http://www.securingthehuman.org


OUCH! | July 2011–Understanding Encryption

OUCH! | July 2011

IN THIS ISSUE…

• What is Encryption?
• Encrypting Stored Information
• Encrypting Information In Transit
• Best Practices and Caveats

Understanding Encryption

GUEST EDITOR

Fred Kerby is the guest editor for this issue of OUCH! He
recently retired from the Naval Surface Warfare Center
Dahlgren Division where he served as the information
assurance manager for the past 16 years. Fred is a senior
instructor with the SANS Institute.

 

WHAT IS ENCRYPTION?

Encryption is a mechanism that protects your valuable
information, such as your documents, pictures, or online
transactions, from unwanted people accessing or changing
it. Encryption works by using a mathematical formula called
a cipher and a key to convert readable data (plain text) into
a form that others cannot understand (cipher text). The
cipher is the general recipe for encryption, and your key
makes your encrypted data unique. Only people with your
unique key and the same cipher can unscramble it. Keys
are usually a long sequence of numbers protected by
common authentication mechanisms, such as passwords,
tokens, or biometrics (like your fingerprint).

ENCRYPTING STORED INFORMATION

Sensitive information, including medical, financial, or
business records, may reside on your mobile devices, such
as your laptop, USB stick, smartphone, or tablet. These
devices are easily lost or stolen, and if not encrypted, their
contents can be read by anyone who has access to them.
One of the best ways to protect data on a mobile device is
to encrypt it.

In general, there are three ways to encrypt data stored on
your mobile devices. You can encrypt specific files, encrypt
entire folders, or encrypt the entire hard drive. Most
operating systems support one, if not all three, options.
Encrypting your entire disk, commonly called full disk
encryption (FDE), is often considered the most secure. FDE
encrypts all data on your hard drive, including any
temporary files. It also simplifies the process as you do not
have to decide what to encrypt and not to encrypt. If you
cannot encrypt your entire hard drive, encrypt any files or
folders that contain sensitive information.

Mobile devices, such as USB thumb drives, may come with
encryption capabilities built into them, or you can encrypt
them by installing additional software on your computer.
Smartphones and tablets may have encryption capabilities
built into them as well. Otherwise, you will have to install
encryption apps; consult your phone vendor’s app store or
marketplace for information on what’s available.

ENCRYPTING INFORMATION IN TRANSIT

Information is also vulnerable when it’s in transit. If the data
is not encrypted, it can be monitored and captured online.
This is why you want to ensure that any sensitive online
communications, such as online banking, sending e-mails,
or perhaps even accessing your Facebook account, are
encrypted. The most common type of online encryption is
HTTPS, or connecting to secured websites. This means the
traffic between your browser and the website is encrypted.
Look for https:// in the URL or the lock icon in your browser.
Many sites support this by default (such as Google Apps),
and websites like Facebook and Twitter give you the option
in your account settings to force HTTPS. In addition, when
you connect to a public Wi-Fi network, use an encrypted
network whenever possible. WPA2 is currently one of the
strongest encryption mechanisms and the type you should
choose. Finally, whenever sending or receiving e-mail,
make sure your email client is set up to use encrypted
channels. One of the most commonly used is SSL (Secure
Socket Layer); many e-mail clients use SSL by default.

BEST PRACTICES AND CAVEATS

Regardless of which type of encryption you are using or
how you use it, almost all forms of encryption share some
common issues you need to be aware of.

• Your encryption is only as strong as your keys. If
your key is compromised, so is your data. If you are using
passwords to protect your keys, make sure you use strong
passwords and protect them well. (See the May 2011
edition of OUCH! on passwords).

• Don’t lose or lose access to your keys. If you lose
your encryption keys or can’t access them because you’ve
forgotten the password that protects them, you most likely
cannot recover your data.

• Your encryption is only as strong as the security of
your computer.
If your computer is infected, the bad guys
can compromise your encryption.

• Maintain the overall security of your computer.
Encryption does nothing to protect against viruses, worms,
Trojans, unpatched vulnerabilities, or social engineering
attacks.

• Always be sure to back up any confidential data
securely.
This ensures that if you lose your device or your
encryption keys protecting your data, you can still recover
your data.

• Use encryption based on publicly known algorithms,
such as AES (Advanced Encryption Standard) or Blowfish,
rather than proprietary algorithms.
Also, always be sure you
are using the latest version of your encryption programs.

• Consult an IT professional if you need help.
Incorrectly installing, configuring, or using encryption can
render your information permanently inaccessible.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

Full Disk Encryption Tools:

TrueCrypt: http://www.truecrypt.org/

PGP: http://www.pgp.com

Windows 7 Bitlocker: http://preview.tinyurl.com/3xaubbr

File and Folder Encryption:

TrueCrypt: http://www.truecrypt.org/

Windows: http://preview.tinyurl.com/yb29rzn

Mac: http://preview.tinyurl.com/6c2q3cy

USB Encryption

TrueCrypt: http://www.truecrypt.org/

SanDisk: http://preview.tinyurl.com/3nl4g2p

IronKey: https://www.ironkey.com/products

Encryption Standards

AES: http://preview.tinyurl.com/ku33x

WiFi: WPA and WPA2 http://preview.tinyurl.com/am5oa

How HTTPS works: http://preview.tinyurl.com/ya9se7f

How VPN works: http://preview.tinyurl.com/rfc9f

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program
and is distributed under the Creative Commons BY-NC-ND
3.0 license.

Permission is granted to distribute this newsletter as long
as you reference the source, the distribution is not modified
and it is not used for commercial purposes. For translating or
more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman,
Lance Spitzner, Carmen Ruyle Hardy

© The SANS Institute 2011 http://www.securingthehuman.org

 


Cyber Security Tip ST04-024 – Understanding ISPs

             Cyber Security Tip ST04-024

              Understanding ISPs

   ISPs offer services like email and internet access. In addition to
   availability, you may want to consider other factors so that you find an ISP
   that supports all of your needs.

What is an ISP?

   An ISP, or internet service provider, is a company that provides its
   customers access to the internet and other web services. In addition to
   maintaining a direct line to the internet, the company usually maintains web
   servers. By supplying necessary software, a password-protected user account,
   and a way to connect to the internet (e.g., modem), ISPs offer their
   customers the capability to browse the web and exchange email with other
   people. Some ISPs also offer additional services. With the development of
   smart phones, many cell phone providers are also ISPs.

   ISPs can vary in size—some are operated by one individual, while others are
   large corporations. They may also vary in scope—some only support users in a
   particular city, while others have regional or national capabilities.

What services do ISPs provide?

   Almost all ISPs offer email and web browsing capabilities. They also offer
   varying degrees of user support, usually in the form of an email address or
   customer support hotline. Most ISPs also offer web hosting capabilities,
   allowing users to create and maintain personal web pages; and some may even
   offer the service of developing the pages for you. Some ISPs bundle internet
   service with other services, such as television and telephone service. Many
   ISPs offer a wireless modem as part of their service so that customers can
   use devices equipped with Wi-Fi.

   As part of normal operation, most ISPs perform backups of email and web
   files. If the ability to recover email and web files is important to you,
   check with your ISP to see if they back up the data; it might not be
   advertised as a service. Additionally, most ISPs implement firewalls to
   block some portion of incoming traffic, although you should consider this a
   supplement to your own security precautions, not a replacement (see
   Understanding Firewalls for more information).

How do you choose an ISP?

   Traditional, broadband ISPs typically offer internet access through cable,
   DSL, or fiber-optic options. The availability of these options may depend
   on where you live. In addition to the type of access, there are other
   factors that you may want to consider:
     * security – Do you feel that the ISP is concerned about security? Does it
       use encryption and SSL (see Protecting Your Privacy for more
       information) to protect any information you submit (e.g., user name,
       password)? If the ISP provides a wireless modem, what wireless security
       standards does it support, and are those standards compatible with your
       existing devices?
     * privacy – Does the ISP have a published privacy policy? Are you
       comfortable with who has access to your information and how it is being
       handled and used?
     * services – Does your ISP offer the services you want? Do they meet your
       requirements? Is there adequate support for the services? If the ISP
       provides a wireless modem, are its wireless standards compatible with
       your existing devices?
     * cost – Are the ISP’s costs affordable? Are they reasonable for the
       number of services you receive, as well as the level of those services?
       Are you sacrificing quality and security to get the lowest price?
     * reliability – Are the services your ISP provides reliable, or are they
       frequently unavailable due to maintenance, security problems, a high
       volume of users, or other reasons? If the ISP knows that services will
       be unavailable for a particular reason, does it adequately communicate
       that information?
     * user support – Are there published methods for contacting customer
       support? Do you receive prompt and friendly service? Do their hours of
       availability accommodate your needs? Do the consultants have the
       appropriate level of knowledge?
     * speed – How fast is your ISP’s connection? Is it sufficient for
       accessing your email or navigating the internet?
     * recommendations – Have you heard or seen positive reviews about the ISP?
       Were they from trusted sources? Does the ISP serve your geographic area?
       If you’ve uncovered negative points, are they factors you are concerned
       about?
     _________________________________________________________________

     Author: Mindi McDowell
     _________________________________________________________________

     Produced 2004 by US-CERT, a government organization.

     Note: This tip was previously published and is being
     re-distributed to increase awareness.

     Terms of use

     http://www.us-cert.gov/legal.html

     This document can also be found at

     http://www.us-cert.gov/cas/tips/ST04-024.html

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit http://www.us-cert.gov/cas/signup.html.

 
