PATCH Critical MS14-066 ASAP People!
A proof of concept exploit for the critical MS14-066 vulnerability is reported to be close to completion. MS14-066 is a vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows that may allow remote code execution if an attacker sends specially crafted packets to a Windows server. Schannel is the component that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, so any Windows service that terminates TLS (IIS, for example) depends on it.
Microsoft issued the critical patch while stating that it “had not received any information to indicate that this vulnerability had been publicly used to attack customers”.
That window can be short. Exploit developers are actively working on it, and once a patch is released the fix can be reverse engineered by comparing the patched and unpatched binaries. From there it can be coded into a worm or mass botnet exploit that self-replicates and causes immense damage.
Several security researchers have stated that MS14-066 is actually worse than the Heartbleed bug from April 2014.
“If you have a windows server serving ANYTHING to the internet, patch now and save yourself a headache later. This one is going to be big!”
You can read the actual Microsoft Bulletin (MS14-066) here – Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
Cyber Monday Security & Safety Tips
The weekend after Thanksgiving marks the massive start of the holiday shopping season. However, it has also become the time when hackers come out to play, creating mischief and mayhem for unsuspecting computer users and online shoppers.
The term “Cyber Monday” refers to the Monday immediately following Black Friday, the ceremonial kick-off of the holiday online shopping season in the United States between Thanksgiving Day and Christmas. Whereas Black Friday is associated with traditional brick-and-mortar stores, “Cyber Monday” symbolizes a busy day for online retailers.
The premise was that consumers would return to their offices after the Black Friday weekend, making purchases online that they were not able to make in stores. Although that idea has not survived the test of time, Cyber Monday has evolved into a significant marketing event, sponsored by the National Retail Federation’s Shop.org division, in which online retailers offer low prices and promotions.
This year “Cyber Monday” will fall on December 1, 2014 and here are 6 safety tips to help you stay safe:
- Don’t Click on Pop-up Ads – malicious pop-up ads still pose one of the largest threats to web shoppers. Be mindful of what pop-ups say; they can be evidence of a security threat.
- Keep Software Up-To-Date – Make sure your system is ready to go online by having the latest anti-virus and anti-malware updates installed on your PC. In addition, make sure your firewall is on. Try to shop at home on your personal computer. Computers shared with others, or public systems, may carry malicious software that monitors your input.
- Use a Secure Connection – Make sure all online financial transactions take place over a secure, private Wi-Fi connection, as opposed to the more vulnerable free Wi-Fi in a coffee shop or library.
- Avoid Email Advertisements – Your inbox is likely swarming with holiday promotions from all of your favorite (and likely least favorite) brands. To avoid being hacked, the CIS recommends you always enter the shop’s URL in your browser rather than following the links contained in an email.
- Shop at Companies You Know – Know the website you are purchasing from. Many users will search for a product and end up on shady-looking sites. Try to stick with the notable names. A good way to check up on a merchant is to get information through the Better Business Bureau or through comparison-shopping sites such as buysafeshopping.com.
- Use Credit, Not Debit – Credit cards carry security protections that debit cards may not, and check your statements frequently either way.
Happy and safe shopping everyone!
Over 800,000 U.S. Postal Employee Service Records Hacked
Hackers working for the Chinese government are suspected of breaking into the US Postal Service’s network and stealing the personal information of over 800,000 workers. The breach exposed employees’ names, birth dates, Social Security numbers, addresses, dates of employment and emergency contact information.
The breach may have also exposed the names, addresses, phone numbers and email addresses of customers who contacted the Postal Service Customer Care Center by phone or email between January 1, 2014 and August 16, 2014.
The Washington Post reports that Chinese government hackers are believed to have been responsible for the attack. “For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes,” Center for Strategic and International Studies senior fellow James A. Lewis told the Post.
“The privacy and security of data entrusted to us is of the utmost importance,” U.S. Postal Service manager of media relations David Partenheimer said in a statement [PDF]. “We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline. We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption.”
The breach serves as a reminder that data is the new currency — and that’s true for both customer and employee data.
WireLurker Malware Infects Mac OS X and iOS Devices
An interesting article from eSecurityPlanet.com about malware that targets OS X and iOS.
Researchers at Palo Alto Networks recently uncovered a new family of malware called WireLurker, which targets both Mac OS X computers and Apple iOS mobile devices.
After first infecting a Mac OS X computer, the malware is then able to infect an iOS device by “lurking on the wire” while the device is being synced via USB — hence the name WireLurker.
The malware has been found in 467 OS X applications on China’s third-party Maiyadi App Store. Over the past six months, those 467 malicious apps were downloaded more than 356,104 times, so the malware may have already impacted hundreds of thousands of users.
Vulnerability Leaves iPhones and iPads open to Fake App Attack
Security researchers have discovered a vulnerability in iOS that allows attackers to install fake apps on iPhones and iPads that take the place of legitimate ones.
Security firm FireEye, which calls the problem “Masque Attack,” said it allows attackers to gain access to vast amounts of personal information.
In a video demonstration of the attack, an iPhone was sent a URL to install a new version of the “Flappy Bird” game. When the link was clicked, the iPhone asked the user to confirm installation of the game, but upon that confirmation what was actually downloaded and installed was a compromised version of the Gmail app. The swap works because iOS will install an app signed with an enterprise or ad hoc provisioning profile over an existing App Store app that has the same bundle identifier, without checking that both came from the same developer.
Read more at InfoWorld.com.
Super Cookies, able to Stomp on your Privacy in a Single Bound
So you are wondering why the ads on your mobile device have started showing items you might want for Christmas, even though you haven’t been searching for them. Maybe your wife or someone else in your family has been looking at those items on another mobile device on the same plan. How? It comes down to the dirty little secrets of tracking cookies, or in this case perma-cookies, or as I like to call them, super-cookies, hidden in the HTTP headers, which makes them even more devious.
Most of us know about cookies being used to track which websites you visit or searches you perform, in order to serve web-based ads at the top or side of your browser. This has been going on for a long time and has become the norm for most search engines and others that make their living off advertising. These perma/super cookies take that to the next level on Verizon Wireless mobile devices, basically creating a cookie that is shared across all devices assigned to the same account, so the searches of your kids, wife or anyone on your plan suddenly become available to direct ads to everyone.
So how does this happen? It’s due to a cookie-like tracker that Verizon’s network inserts into the HTTP request header (X-UIDH) of your traffic after it leaves your device. This only works for non-SSL (unencrypted) sites that you visit, and it allows third-party advertisers to put together a pretty good portfolio of all the sites your family visits. Now I’m not the type of person to spend hours or days going through the end-user agreements to see if this is mentioned or if they are just doing it without any informed consent. There is a much more detailed write-up on this issue on the Electronic Frontier Foundation (EFF) site (https://www.eff.org/deeplinks/2014/11/verizon-x-uidh), if you want to find out more.
Browsers have listened to users and offer settings that can block normal cookies, but since this tracking relies on a value inserted into the HTTP header by the network, those settings have little to no effect. And since it is done in the header, it can also track the web activity of apps installed on the device. Verizon also chose to disregard the “Do Not Track” setting that is available in most browsers. Additionally, this is not limited to Verizon customers’ own devices: since the tracking happens at the network level, anyone whose traffic passes through Verizon’s towers is subject to it.
So what can you do? First, as I said, this only works on HTTP traffic, so stick to sites that are SSL enabled; but who knows when that might change, and it still leaves you exposed on sites that don’t support SSL. Encrypted proxies, VPNs and Tor are options that provide much better protection, because the carrier then sees only an encrypted tunnel it cannot rewrite. In the case of a browser proxy, this won’t protect applications installed on your device; a device-wide VPN covers app traffic as well. Lastly, in the world of highly competitive wireless providers, if this works for Verizon, you can imagine it won’t be long until other providers start doing something similar.
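To make the mechanism concrete, here is an added example (my own code, not from the EFF write-up or from Verizon) that models the injection point in the carrier network and what a third-party ad server then sees. The X-UIDH header name is the real one; the account token value, the sample request, the host name and the TLS bytes are constructed for the example, and the middlebox logic is a simplification of what a carrier proxy does.

```python
"""Toy model of carrier-side header injection (the X-UIDH perma-cookie).

Added example: simulates the middlebox in the carrier network and the
ad server that reads the injected header. Nothing here touches a real
network; the token, the request and the TLS bytes are constructed.
"""
import re

# Header names known to be injected by the carrier. Only X-UIDH is
# documented on this page; add others here as they turn up.
TRACKING_HEADERS = {"x-uidh"}

# Opaque per-account identifier. Made-up value; the real one is assigned
# by the carrier and is the same for every device on the plan.
ACCOUNT_TOKEN = "OTgxNTk2MzMyMDAyMTI2Nzk4"

REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_plaintext_http(data: bytes) -> bool:
    """The middlebox can only rewrite what it can parse: a cleartext request line."""
    return REQUEST_LINE.match(data) is not None


def carrier_middlebox(data: bytes, token: str = ACCOUNT_TOKEN) -> bytes:
    """Model of the injection point, after the packet has left the handset.

    Plaintext HTTP gets an X-UIDH header appended no matter what Cookie or
    DNT headers the client sent; anything else (a TLS record, VPN traffic)
    is forwarded byte for byte because there is nothing to parse.
    """
    if not looks_like_plaintext_http(data):
        return data
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:  # incomplete header block; leave it alone
        return data
    return head + b"\r\nX-UIDH: " + token.encode() + b"\r\n\r\n" + body


def parse_headers(data: bytes) -> dict:
    """Server-side view of a request: lower-cased header name -> value."""
    head, _, _ = data.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def tracking_ids(data: bytes) -> dict:
    """What an ad server (or anyone on the path) can harvest from the request."""
    return {k: v for k, v in parse_headers(data).items() if k in TRACKING_HEADERS}


# Constructed client request: cookies blocked, Do Not Track set, sent by an
# app rather than a browser. None of that matters to the middlebox.
PLAIN_REQUEST = (
    b"GET /ads/pixel.gif HTTP/1.1\r\n"
    b"Host: ads.example\r\n"
    b"DNT: 1\r\n"
    b"User-Agent: ShoppingApp/2.1 (iPhone)\r\n"
    b"\r\n"
)

# Constructed start of a TLS ClientHello record (content type 0x16, record
# version, length, handshake type 0x01 ...). The middlebox cannot read or
# alter it, so an HTTPS site never sees the identifier.
TLS_CLIENT_HELLO = bytes.fromhex("16030100a5010000a10303") + b"\x00" * 20


def demo():
    """Returns (ids seen on plaintext, TLS untouched?, DNT value still present)."""
    plain_on_wire = carrier_middlebox(PLAIN_REQUEST)
    tls_on_wire = carrier_middlebox(TLS_CLIENT_HELLO)
    return (
        tracking_ids(plain_on_wire),              # {'x-uidh': ACCOUNT_TOKEN}
        tls_on_wire == TLS_CLIENT_HELLO,          # True: forwarded unchanged
        parse_headers(plain_on_wire).get("dnt"),  # '1': honoured by nobody
    )


if __name__ == "__main__":
    print(demo())
```

Run `tracking_ids` over a request captured at a plaintext HTTP server you control while on the carrier’s network and it tells you whether your traffic is being tagged; over HTTPS, Tor or a VPN the carrier only ever sees the second case, which is why the advice above is to keep the carrier out of the parsing business rather than to fiddle with browser cookie settings.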
