Higher Education Institutions are the #1 Target of Hackers Worldwide

According to a 2013 report published by FireEye, higher education institutions are the #1 target of hackers worldwide. The top-10 list is reproduced below. FireEye publishes the full report in PDF format and also maintains a real-time map showing current attacks.

Top Ten Vertical Targets: Worldwide

Based on the highest number of targeted operations discovered by FireEye threat prevention platforms in 2013, the top ten industry vertical targets are listed below. Each of these verticals possesses substantial intellectual property value, and often plays an important role in national security affairs.

  1. Education: universities are home to cutting-edge research and emerging technology patents; unfortunately, their networks are large and porous.
  2. Financial Services: most financial transactions today are conducted via the Internet, whether between people, businesses, or governments.
  3. High-Tech: some hardware and software are used by millions of people; they can offer attackers an exponential return on investment.
  4. Government: these bodies organize nations, determine policy, enforce law, and manage national security affairs.
  5. Services/Consulting: large companies often have long supply chains and large contractor bases; at the political level, this includes think tanks.
  6. Energy/Utilities: in physics, energy is required for any kind of “work,” including starting engines, turning on city lights, or launching a missile.
  7. Chemicals/Manufacturing: chemistry is the study of matter, and bridges all of the natural sciences, including their relationship to energy.
  8. Telecom (Internet, Phone & Cable): this category encompasses all long-distance communications, by electrical signals or electromagnetic waves.
  9. Healthcare/Pharmaceuticals: this category encompasses the development of medications and the provision of medical care.
  10. Aerospace/Defense/Airlines: this category includes the development of spacecraft with myriad commercial and military applications.


Guide to Secure Hard Drive Erasing Files and Sanitizing Computer Data

The Importance of Secure Drive Erasure

Computers are increasingly used to store financial data, healthcare information, and the keys to our personal identity. When files are placed in the recycle bin, and the recycle bin is emptied, those files can still be easily recovered. This is good news if you need to restore a file that was mistakenly deleted. It’s bad news if you donate or discard your computer and someone else recovers files you thought were long gone. It’s not sufficient to just format a hard drive or perform a complete system restoration. There will still be files left on the drive that could be recovered.

Hard Drive Erasing Cost

We provide drive erasing services at a cost of $70 per computer/drive, assuming the drive is installed in a desktop or laptop computer. If you have a drive that’s already been removed from a computer, the cost is $50 per drive. We offer quantity discounts for additional drives.

We set aside about an hour for the following:

  1. Reserve a time slot for the computer drop off, or provide pickup of the computer.
  2. Remove the drive from the computer.
  3. Install drive in docking station.
  4. Perform erase procedure. This can take several hours depending on the speed and storage capacity of the drive.
  5. Confirm the drive has been securely erased by attempting file recovery using advanced data recovery processes.
  6. Install the drive in the computer.
  7. Reserve a time slot for pickup of the computer, or arrange delivery of the computer.

Do It Yourself

We provide the list of tools and instructions below for those wanting to perform drive erasing on their own.

What You’ll Need

Here’s the list of what you’ll need for erasing a drive.

  1. Computer Tool Kit ($20) – You’ll need the necessary tools to remove the drive from the computer. Depending on the computer, a basic computer tool kit should be sufficient, although some require advanced tips. Additional specialty tool kits are listed at the bottom of this page.
  2. Drive Docking Station ($40) – You’ll need to connect the bare drive to a working computer. A drive docking station is an easy way to do this. The Sabrent external drive bay works well.
  3. Erasing Software (Free – $40) – There are many utilities available for securely erasing a drive, such as Eraser Secure Data Removal Tool by Heidi Software. See below for a more comprehensive list. If you’re using an Apple computer, drive sanitizing is built-in and available under the Disk Utility when erasing (click the Security Options button).
  4. Available Computer ($200) – You’ll need a computer available for the task of erasing drives. While the task could run in the background of a computer you use regularly, it’s best to have a dedicated computer to ensure nothing interferes with the process. It takes a long time to securely erase drives, so whatever computer you choose will be running, and shouldn’t be restarted, until the process is complete. If you use a laptop computer for the task, you’ll have the benefit of the internal battery to keep the process going in the event of a power outage. However, some laptop computers aren’t designed to operate continuously for extended periods of time. So, a desktop computer is probably a better choice. If you use a desktop computer for the task, you’ll want to have a backup power supply listed below.
  5. Backup Power Supply ($100 – $220) – An uninterruptible power supply (UPS) provides a constant source of power for the erasing procedure. A good unit might cost $100 to $200 for a high quality pure sinewave UPS system.
  6. Hard Drive Erasing System ($300 – $400) – As an alternative to items 2, 3, and 4 above, you might consider purchasing a hard drive erasing system. The StarTech 4-bay system is a good choice. Others are also available.

Drive Erasing Instructions

These are the steps for securely erasing a computer hard drive.

  1. Remove the drive from the computer.
  2. Install drive in docking station.
  3. Perform erase procedure. This can take several hours depending on the speed and storage capacity of the drive.
  4. Confirm the drive has been securely erased by attempting file recovery using advanced data recovery processes.
  5. Install the drive in the computer.
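Step 4 is the one people skip. An added example (not the page’s own tooling) of what that confirmation can look like in Python: it spot-checks that sampled sectors of the erased drive read back as the fill pattern, then makes a full pass looking for file signatures that an erase should have removed. The device path, the 512-byte sector size, the sample count and the signature table are all assumptions; `make_demo_image` builds a constructed disk image so the check can be tried without a real drive.

```python
import os
import secrets
import tempfile

SECTOR = 512  # assumed sector size used for sampling

# A few well-known file signatures; if any survives on the drive, the erase
# did not cover that region.  The table is illustrative, not exhaustive.
SIGNATURES = {
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/Office",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG": "PNG",
}


def verify_wiped(path, pattern=b"\x00", samples=256, sector=SECTOR):
    """Spot-check that a device or image reads back as `pattern`.

    Reads the first sector, the last sector and random sectors in between
    (up to `samples` in total) and reports any sector that differs.  A clean
    result is evidence, not proof: only the sampled sectors were read.
    """
    expected = (pattern * (sector // len(pattern) + 1))[:sector]
    fd = os.open(path, os.O_RDONLY)  # works for block devices and plain files
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # getsize() reports 0 for block devices
        if size < sector:
            raise ValueError("device smaller than one sector")
        nsectors = size // sector
        offsets = {0, (nsectors - 1) * sector}
        while len(offsets) < min(samples, nsectors):
            offsets.add(secrets.randbelow(nsectors) * sector)
        mismatched = []
        for off in sorted(offsets):
            os.lseek(fd, off, os.SEEK_SET)
            if os.read(fd, sector) != expected:
                mismatched.append(off)
    finally:
        os.close(fd)
    return {"size": size, "checked": len(offsets),
            "mismatched": mismatched, "clean": not mismatched}


def scan_for_signatures(path, sector=SECTOR):
    """Full pass over the device: return (offset, type) for every sector that
    starts with a known file signature.  Slow on a real drive, but that is
    what a post-erase recovery attempt is."""
    hits = []
    with open(path, "rb") as f:
        off = 0
        while True:
            chunk = f.read(sector)
            if not chunk:
                break
            for magic, name in SIGNATURES.items():
                if chunk.startswith(magic):
                    hits.append((off, name))
                    break
            off += len(chunk)
    return hits


def make_demo_image(size, residue=b"", at=0):
    """Constructed test image: all zeros, optionally with `residue` planted at
    offset `at` to model a region the erase missed.  Returns the path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
        if residue:
            f.seek(at)
            f.write(residue)
    return path


if __name__ == "__main__":
    img = make_demo_image(64 * SECTOR, residue=b"%PDF-1.4 leftover", at=10 * SECTOR)
    print(verify_wiped(img, samples=64))
    print(scan_for_signatures(img))
```

On a real drive you would point `verify_wiped` at the raw device (for example the docking station’s block device) with a much larger sample count, and treat any mismatch or signature hit as a failed erase that needs to be re-run.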

Additional Specialty Tools

Here are some useful tool kits for this and other projects. Some computers, like Apple laptop computers, require special drivers.

Alternatives

Here are some possible, but not ideal, alternatives for data sanitizing.

  • Get a free software program to erase unused drive space. However, there may still be existing files or settings that aren’t removed.
  • Physically destroy, smash, or drill through the drive. This method isn’t ‘green’ since the drive isn’t usable again, and parts that might be properly repurposed or recycled may get damaged.

Drive Erasing Software Utility Programs

System Crashes: New York Stock Exchange, United Airlines, and Wall Street Journal

Within the past few days, there have been multiple coordinated attacks on our national technology infrastructure. According to a report by the Washington Post, “FBI officials believe the attacks required expertise.”

A report in USA Today states: “Repeated and successful attacks on fiber-optic cables in California have security experts warning the Internet’s physical infrastructure is ‘basically unsecured’ and vulnerable to both casual and determined attackers.”

The map below, provided by 9 News, shows numerous Comcast outages across the nation.

[Map: Comcast national Internet outages, via 9 News]

Here’s a video that describes the outages:

[youtube https://www.youtube.com/watch?v=LHnG-n0-o9c?rel=0]

Today, the New York Stock Exchange was taken offline, the Wall Street Journal website was taken down, and United Airlines was shut down with flights grounded from coast to coast.

One would hope that it took a sophisticated army of cyber criminals to bring down United Airlines. Yet United Airlines claims that the nationwide outage was due to a router failure. If we are to believe them, it is even more troubling to think that a single point of failure, a single component, caused a major airline to shut down.

If our infrastructure is so shoddy and fragile that it fails without any human intervention, what would happen if people tried to take it down?

The same can be said for the New York Stock Exchange and the Wall Street Journal website. It would be more comforting to know that those outages were part of a coordinated attack.

Further Reading

Here’s What You Can Do To Help

Given the rise in high-profile attacks, it would be wise for everyone to increase their own security efforts for personal and business computing.

You may think that you’re a much less important target for hackers than an air traffic controller, bank president, or nuclear power plant worker. However, any hacked account or computer is typically only a few relationships removed from a high-level target. It’s estimated that we’re all about six degrees of separation from anyone else, which means that every target is equally important to a hacker. Additionally, hackers build aggregate networks of hijacked computers for launching attacks on critical infrastructure.

Here are some resources for proactive security measures you can take:

  • Account Security. Be sure your accounts are set up with complex passwords and two-step authentication. Read our document on Email Safety and Online Account Security.
  • Data Redundancy. Make sure your critical data is in three places: local hard drive, backup hard drive, and cloud storage. Make sure you have a regular backup plan and don’t leave your backup drives connected to any computer since new viruses attack files on all attached drives. Be sure to have more than just a backup of your current files. Keep backup of your file versions in the event that current files become corrupted and then overwrite your only backup.
  • Computer Security. Use a high quality paid subscription antivirus and security program such as Bitdefender or Kaspersky.
  • Credit Card Security. A debit card that pulls directly from your bank account, can leave you with no money in the bank if it’s stolen. That can result in bounced checks and other fees. However a credit card creates a firewall between you and thieves. If your card is stolen, you can report it and have it cancelled.
    • Consider having several credit cards so you can use one for online transactions and higher-risk purchasing while traveling, and another for regular monthly bills. A card that is only used for a few recurring monthly bills is less likely to be stolen. That way, if the more exposed travel/high-risk card is stolen, you simply need to cancel it, and you won’t need to contact a dozen merchants to provide them with a new number.
    • For an extra measure of security, consider purchasing a no-fee American Express Prepaid Reloadable card for online purchases. In this way, you won’t need to give out your primary credit card numbers. You can use these cards for one-time payments, or refill them for ongoing use.
  • Email Security. Follow best practices with regard to email security. Read our document on Email Safety and Online Account Security.
  • Financial Security. Use a service like Equifax to monitor your credit activity.
  • Identity Security. Use a service like LifeLock to secure your personal identity.
  • Password Safety. Consider using a password manager like 1Password that uses local encrypted storage of your password list. Do not store this in the cloud and do not synchronize through the Internet. Synchronize through your local network only. Maintain a copy of your passwords on your computer and also on a mobile device with biometric security (fingerprint reader). Alternatively, you can write your passwords and account information on paper and store them in a fireproof and waterproof safe. Using a multi-function home copier, you could make a backup copy and leave it in a safe place.
  • Redundancy. Maintain a second computer with a backup of your essential files and contacts. Have it configured to function for printing, network, email, and other functions in the event that your primary computer goes down. Create a non-computer-reliant system for your daily tasks. In other words, for all the tasks you rely on your smartphone or computer, figure out a pen and paper solution.
  • Social Media Security. Be vigilant when using social media. Don’t accept friend requests from people you don’t really know. It would mislead your friends into accepting a friend request from a person they think you know and approve of.

Apple ID Two-step Verification

Two-step verification is now available for Apple ID account holders. The information below is an overview from the Apple website. You need to sign in to see these instructions on the Apple site, which you probably can’t do if you’re having trouble logging in.

Two-step verification for Apple ID.

With two-step verification, your identity will be verified using one of your devices before you can make changes to your account, sign in to iCloud, or make iTunes or App Store purchases from a new device.

(1) You enter your Apple ID and password as usual.

(2) We send a verification code to one of your devices.

(3) You enter the code to verify your identity and complete sign in.

You will also get a Recovery Key for safekeeping which you can use to access your account if you ever forget your password or lose your device.

Simple and more secure.

Once enabled, the only way to make changes to your account will be to sign in with two-step verification.

  • There will be no security questions for you to remember or for other people to guess.
  • Only you will be able to reset your password.
  • If you forget your password, you can reset it with a trusted device and your Recovery Key.

For more information, read the FAQ.

Important things to remember.

Please make sure you understand the important security policies below before you turn on two-step verification.

  • With two-step verification enabled, you will always need two of the following to manage your Apple ID:
    • Your password
    • A trusted device
    • Your Recovery Key
  • If you forget your password, you will need your Recovery Key and a trusted device to reset it. Apple will not be able to reset your password on your behalf.
  • App-specific passwords will be required to use iCloud with any third party mail, contacts, or calendar apps.
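The three-step sign-in flow above, together with the “two of the following” rule in the list just before this, modeled in Python as an added illustration. This is not Apple’s implementation and nothing in it comes from the Apple site: the class and method names, the four-digit code, the 120-second code lifetime and the three-attempt limit are all assumptions chosen to show the properties the page describes (a password alone is not enough, a delivered code is single-use and short-lived, and a forgotten password can only be reset with a trusted device plus the Recovery Key).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120      # seconds a delivered code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses before a code is discarded (assumed value)


def _digest(secret: str) -> bytes:
    # Toy hashing so nothing is stored in the clear; a real system would use a
    # slow, salted password hash for the password itself.
    return hashlib.sha256(secret.encode()).digest()


class Account:
    """Models one account: a password, a set of trusted devices and, once
    two-step verification is enabled, a Recovery Key (hypothetical model)."""

    def __init__(self, password, trusted_devices):
        self.pw_hash = _digest(password)
        self.devices = set(trusted_devices)
        self.recovery_hash = None
        self.pending = None   # the code currently awaiting entry, if any

    def enable_two_step(self):
        """Generate the Recovery Key; it is shown once and only its hash is kept."""
        key = "-".join(secrets.token_hex(2).upper() for _ in range(4))
        self.recovery_hash = _digest(key)
        return key

    # Step 1: Apple ID and password as usual.
    def step1_password(self, password):
        return hmac.compare_digest(self.pw_hash, _digest(password))

    # Step 2: send a short code to one of the trusted devices.
    def step2_send_code(self, device, now=None):
        if device not in self.devices:
            return None            # untrusted device: nothing is sent
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending = {"hash": _digest(code), "expires": now + CODE_TTL, "attempts": 0}
        return code   # in reality delivered to the device; returned here for the demo

    # Step 3: the user types the code; it is single-use, expiring and rate-limited.
    def step3_verify_code(self, code, now=None):
        p = self.pending
        if p is None:
            return False
        now = time.time() if now is None else now
        if now > p["expires"] or p["attempts"] >= MAX_ATTEMPTS:
            self.pending = None
            return False
        p["attempts"] += 1
        ok = hmac.compare_digest(p["hash"], _digest(code))
        if ok:
            self.pending = None
        return ok

    def reset_password(self, device, recovery_key, new_password):
        """Forgotten password: needs the other two factors, a trusted device
        and the Recovery Key.  Nobody else can reset it."""
        if device not in self.devices or self.recovery_hash is None:
            return False
        if not hmac.compare_digest(self.recovery_hash, _digest(recovery_key)):
            return False
        self.pw_hash = _digest(new_password)
        return True


def sign_in(account, password, device, now=None):
    """Run the three steps end to end; True only if every step succeeds."""
    if not account.step1_password(password):
        return False
    code = account.step2_send_code(device, now)
    if code is None:
        return False
    return account.step3_verify_code(code, now)  # demo 'device' echoes the code back


if __name__ == "__main__":
    acct = Account("correct horse", ["iPhone"])
    key = acct.enable_two_step()
    print("recovery key (store it offline):", key)
    print("sign-in from trusted device:", sign_in(acct, "correct horse", "iPhone"))
    print("sign-in from unknown device:", sign_in(acct, "correct horse", "laptop"))
```

The detail worth noticing is that the stored Recovery Key hash is the only thing that can substitute for the password, and only when paired with a trusted device: this is exactly why the page warns that losing both the key and all trusted devices leaves no one, Apple included, able to reset the account.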

How iPhone and Android Smartphone Apps Track and Access Your Private Information

The following series of four videos from AJ+ presents an introduction to the privacy issues related to using smartphone apps.

How Apps Access Your Private Information

[youtube https://www.youtube.com/watch?v=YNNulgHYAbo?rel=0]

Google Is Tracking Your Every Move

[youtube https://www.youtube.com/watch?v=2HqOdp0u7eE?rel=0]

Free Wi-Fi Terms of Use Are Broad and Invasive

[youtube https://www.youtube.com/watch?v=7hHJevLh59Q?rel=0]

Who’s Really In Control Of Your Phone?

[youtube https://www.youtube.com/watch?v=vqfgcw-v_fA?rel=0]

Multiple Security Vulnerabilities in Apple Mac OS X and Apple Safari

From: State of Iowa – Information Security Office

Date Issued:  May 5, 2015

Maximum Risk Rating/Severity:  High

Brief Summary: All Apple computers (prior to v10.10.3) are vulnerable to the 46 security vulnerabilities described below. Update to the latest version of Yosemite immediately.

Overview:

Multiple vulnerabilities have been discovered in Apple Mac OS X and Apple Safari. Mac OS X is an operating system for Apple computers. Apple Safari is a web browser available for Mac OS X and Microsoft Windows. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage, or opens a specially crafted file, including an email attachment, using a vulnerable version of OS X.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and bypass of security systems. Failed attacks may cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 

Affected Software:

Apple Mac OS X Yosemite prior to v10.10.3

Apple Mac OS X Mavericks v10.9.5

Apple Mac OS X Mountain Lion v10.8.5

Apple Safari v8.0.5, 7.1.5, and 6.2.5

Description:

Multiple vulnerabilities have been discovered in Mac OS X that could allow remote code execution. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to privilege escalation due to an issue with checking XPC entitlements (CVE-2015-1130).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 have multiple vulnerabilities in Apache prior to versions 2.4.10 and 2.2.29 including one that may allow a remote attacker to execute arbitrary code (CVEs 2015-1066, 2013-5704, 2013-6438, 2014-0098, 2014-0117, 2014-0118, 2014-0226, and 2014-0231).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion 10.8.5, and OS X Mavericks v10.9.5 ATS (Apple Type Services) are prone to multiple input validation issues in fontd which may allow a local user to execute arbitrary code with system privileges (CVEs 2015-1131, 2015-1132, 2015-1133, 2015-1134, and 2015-1135).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a cross-domain cookie issue which may result in cookies belonging to one origin may be sent to another origin (CVE-2015-1089).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a cross-domain HTTP request issue which may result in authentication credentials being sent to a server on another origin (CVE-2015-1091).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an input validation issue which may result in the execution of arbitrary code by visiting a maliciously crafted website (CVE-2015-1088).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a use-after-free issue in CoreAnimation which may result in the execution of arbitrary code by visiting a maliciously crafted website (CVE-2015-1136).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to multiple memory corruption issues in the processing of font files, which may result in the execution of arbitrary code by processing a maliciously crafted font file (CVE-2015-1093).
  • Apple Mac OS X Yosemite prior to v10.10.2 and OS X Mavericks v10.9.5 are prone to an issue with the NVIDIA graphics driver’s handling of certain IOService userclient types, which may allow a local user to execute arbitrary code with system privileges (CVE-2015-1137).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an input validation issue in the hypervisor framework which may allow a local application to cause a denial of service (CVE-2015-1138).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a memory corruption issue in the handling of .sgi files which may result in the execution of arbitrary code by processing a maliciously crafted .sgi file (CVE-2015-1139).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a memory corruption issue which may allow a malicious HID (Human Interface Device) to cause arbitrary code execution (CVE-2015-1095).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a buffer overflow issue which may allow a local user to execute arbitrary code with system privileges (CVE-2015-1140).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a kernel memory content disclosure issue which may allow a local user to determine kernel memory layout (CVE-2015-1096).
  • Apple Mac OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5 are prone to a heap buffer overflow in the IOHIDFamily’s handling of key-mapping properties which may allow a malicious application to execute arbitrary code with system privileges (CVE-2014-4404).
  • Apple Mac OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5 are prone to a null pointer dereference issue in the IOHIDFamily’s handling of key-mapping properties which may allow a malicious application to execute arbitrary code with system privileges (CVE-2014-4405).
  • Apple Mac OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5 are prone to an out-of-bounds issue in the IOHIDFamily driver which may allow a user to execute arbitrary code with system privileges (CVE-2014-4380).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an issue in the handling of virtual memory operations within the kernel which may allow a local user to cause unexpected system shutdown (CVE-2015-1141).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a race condition in the kernel’s setreuid system call which may allow a local user to cause a system denial of service (CVE-2015-1099).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to setreuid and setregid system calls not dropping privileges permanently which may allow a local application to escalate privileges (CVE-2015-1117).
  • Apple Mac OS X Yosemite prior to v10.10.2 ICMP redirects were enabled by default, which may allow an attacker with a privileged network position to redirect user traffic to arbitrary hosts (CVE-2015-1103).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an issue processing TCP headers which may allow an attacker with a privileged network position to cause a denial of service (CVE-2015-1102).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an out of bounds memory access issue which may allow a local user to cause unexpected system termination or read kernel memory (CVE-2015-1100).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to improper treatment of some IPv6 packets which may allow a remote user to bypass network filters (CVE-2015-1104).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a memory corruption issue in the kernel which may allow a local user to execute arbitrary code with kernel privileges (CVE-2015-1101).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a state inconsistency issue in the handling of TCP out of band data which may allow a remote attacker to cause a denial of service (CVE-2015-1105).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an input validation issue in LaunchService’s handling of application localization data which may allow a local user to cause the Finder to crash (CVE-2015-1142).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a type confusion in LaunchService’s handling of localized strings which may allow a local user to execute arbitrary code with system privileges (CVE-2015-1143).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a memory corruption issue in the handling of configuration profiles which may allow the processing of a maliciously crafted configuration profile to cause unexpected application termination (CVE-2015-1118).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to weak key generation in ntpd when an authentication key is not configured which may allow a remote attacker to brute force ntpd authentication keys (CVE-2014-9298).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to multiple input validation issues in OpenLDAP which may allow a remote unauthenticated client to cause a denial of service (CVEs 2015-1545 and 2015-1546).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to multiple vulnerabilities in OpenSSL 0.9.8zc, including one that may allow an attacker to intercept connections to a server that supports export-grade ciphers (CVEs 2014-3569, 2014-3570, 2014-3571, 2014-3572, 2014-8275, and 2015-0204).
  • Apple Mac OS X Yosemite prior to v10.10.2 and OS X Mavericks v10.9.5 are prone to an Open Directory Client issue which may allow an unencrypted password to be sent over the network when using Open Directory from OS X Server (CVE-2015-1147).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to multiple vulnerabilities in PHP, including one which may lead to arbitrary code execution (CVEs 2013-6712, 2014-0207, 2014-0237, 2014-0238, 2014-2497, 2014-3478, 2014-3479, 2014-3480, 2014-3487, 2014-3538, 2014-3587, 2014-3597, 2014-3668, 2014-3669, 2014-3670, 2014-3710, 2014-3981, 2014-4049, 2014-4670, 2014-4698, and 2014-5120).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a memory corruption issue in the handling of iWork files which may allow an opened, maliciously crafted iWork file to execute arbitrary code (CVE-2015-1098).
  • Apple Mac OS X Mountain Lion v10.8.5 is prone to a heap buffer overflow which may allow viewing a maliciously crafted Collada file to lead to arbitrary code execution (CVE-2014-8830).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to an issue that may allow a user’s password to be logged to a local file (CVE-2015-1148).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an issue that may allow tampered applications to launch (CVEs 2015-1145 and 2015-1146).
  • Apple Mac OS X Yosemite prior to v10.10.2 is prone to a memory corruption issue in WebKit that may result in arbitrary code execution after visiting a maliciously crafted website (CVE-2015-1069).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an issue in Safari that may allow users to be tracked by malicious websites using client certificates (CVE-2015-1129).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an issue in Safari that may allow user’s browsing history in private browsing mode to be revealed (CVE-2015-1128).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an issue in Safari that will cause the incomplete purging of a user’s browsing history (CVE-2015-1112).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to multiple memory corruption issues in WebKit that may result in unexpected application termination or arbitrary code execution after visiting a maliciously crafted website (CVEs 2015-1119, 2015-1120, 2015-1121, 2015-1122, and 2015-1124).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to a state management issue that may result in a user’s browsing history in private mode being indexed (CVE-2015-1127).
  • Apple Mac OS X Yosemite prior to v10.10.2, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.5 are prone to an issue in WebKit’s credential handling for FTP URLs that may result in resources of another origin being accessed after visiting a maliciously crafted website (CVE-2015-1126).
  • Security Update 2015-004 (available for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5) also addresses an issue caused by the fix for CVE-2015-1067 in Security Update 2015-002. This issue prevented Remote Apple Events clients on any version from connecting to the Remote Apple Events server. In default configurations, Remote Apple Events is not enabled.


Solution/Recommendations:

We recommend the following actions be taken:

  • Upgrade to Apple Mac OS X Yosemite 10.10.3 immediately after appropriate testing.
  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

Apple References:


Ransomware Malware Virus Prevention, Protection, and Recovery

About Ransomware

Ransomware malware viruses infect a computer and make the user’s files inaccessible by encrypting them. In some cases the computer is left only partially usable. The user is given some instructions on how to get their files back. Usually this involves communicating directly with someone who will ask you for money before they will let you have access to your files again. They may also promise to fix the computer so that it will function again.

It is estimated that there are presently over 250,000 kinds of ransomware viruses. In 2013, just one of these viruses alone resulted in the extortion of an accumulated $3 million from all its victims before it was taken down by authorities. (source)

Ransomware Prevention

Some antivirus software providers, such as Kaspersky, promise that their software can protect against ransomware. This statement is on the Kaspersky website:

“To protect your computer from ransom malware, download and install Kaspersky Internet Security 2015. The application provides high-level protection against ransom malware.” (source)

Avoid Pop-Up Messages. Another important prevention measure is to be very careful with any unusual pop-up messages. Avoid clicking until you can be certain that the message is legitimate, or simply shut down the computer and restart.

Take Email Precautions. One way of getting ransomware is clicking on links in spam emails. Services like Gmail from Google examine all emails flowing through their system and monitor for malicious activity. So, for example, let’s say there is a fake message claiming to be from FedEx about a package that couldn’t be delivered. Google would likely identify that email as not having authentically been sent from Federal Express. So, it would end up in your spam folder with a notice, “We couldn’t verify that this message was really from the claimed sender” or “We’ve identified other messages like this one that are malicious.”

Use AntiVirus Software. Most antivirus software should prevent virus-like activity even from viruses that were previously unknown. Comprehensive Antivirus software can warn you of known malicious websites. In this way, they make browsing the web safer.

Use an Apple Computer. There are currently over 17 million known Windows computer viruses, while the number of known Apple viruses is very limited. Apple computers are susceptible to security problems found in Adobe Flash and Java, so it’s important to stay updated. There have been a few fake Apple programs people have been deceived into installing, such as Mac Defender. A report of Apple viruses over the past 10 years is only a few pages long. (source) So, while Apple computers are not completely immune to viruses, they may be a better choice for security-minded people.

Ransomware Protection

As described above, there are some preventive measures you can take. Ransomware protection consists of the measures you can take to limit the potential damage of a ransomware attack if prevention fails.

Backups. Some backup programs run daily to maintain a backup of all your files. This is helpful, except in cases where your files have become corrupted or maliciously encrypted. In some cases, a good backup can be overwritten by a bad one. Also, a connected backup drive is accessible to viruses that might try to erase or encrypt files. In these cases, it may be best to maintain a separate manual backup of your files on a drive that remains disconnected from your computer in a safe place.

Cloud Synchronization. If you use a service like Dropbox to maintain a synchronized cloud copy of your files, make sure you have the ability to access previous versions of your files in the event they get damaged.
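The two points above, that a good backup can be overwritten by a bad one and that previous versions must stay reachable, are easiest to meet with versioned snapshots rather than a single mirrored copy. The following is an added example, not code from the original page: each run copies the source directory into a new timestamped snapshot instead of overwriting the last one, records a SHA-256 manifest, and compares it with the previous manifest so that a run in which most files suddenly changed to high-entropy content (what mass encryption looks like) is flagged before older, good snapshots are rotated out. Directory names, the 4 KiB entropy sample, and the thresholds are assumptions chosen for illustration.

```python
"""Versioned backups with a hash manifest and a mass-change check.

Added example, not code from the original page. Snapshots are never
overwritten; a manifest per snapshot allows the change between two runs to
be measured. Thresholds and paths are illustrative assumptions.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is usually below 6, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its hash and the entropy of its first 4 KiB."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data[:4096]), 3),
            }
    return manifest


def snapshot(src: Path, backup_root: Path, stamp: str = "") -> Path:
    """Copy src into backup_root/<stamp>; never overwrite an existing snapshot."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_root / stamp
    if dest.exists():
        raise FileExistsError(f"{dest} exists; refusing to overwrite a previous backup")
    shutil.copytree(src, dest)
    (backup_root / f"{stamp}.manifest.json").write_text(json.dumps(build_manifest(dest)))
    return dest


def latest_manifests(backup_root: Path, n: int = 2) -> list:
    """Load the n most recent manifests, oldest first (names sort chronologically)."""
    files = sorted(backup_root.glob("*.manifest.json"))[-n:]
    return [json.loads(f.read_text()) for f in files]


def assess_change(prev: dict, curr: dict, change_ratio: float = 0.5,
                  entropy_floor: float = 7.0) -> dict:
    """Count files whose hash changed between two manifests and how many of
    those now look encrypted; raise the alarm when both counts are high."""
    common = prev.keys() & curr.keys()
    changed = [k for k in common if prev[k]["sha256"] != curr[k]["sha256"]]
    suspicious = [k for k in changed if curr[k]["entropy"] >= entropy_floor]
    ratio = len(changed) / max(len(common), 1)
    return {
        "changed": len(changed),
        "suspicious": len(suspicious),
        "alarm": ratio >= change_ratio and len(suspicious) * 2 >= len(changed),
    }


def run_demo() -> tuple:
    """Constructed scenario: ten text notes, one benign edit, then a simulated
    mass encryption (random bytes stand in for ciphertext). Returns the two
    assessments (benign, attack)."""
    work = Path(tempfile.mkdtemp())
    src, backups = work / "docs", work / "backups"
    src.mkdir()
    backups.mkdir()
    for i in range(10):
        (src / f"note{i}.txt").write_text(f"meeting notes {i}\n" * 40)
    snapshot(src, backups, "t1")
    (src / "note0.txt").write_text("meeting notes 0, edited\n" * 40)
    snapshot(src, backups, "t2")
    benign = assess_change(*latest_manifests(backups))
    for i in range(2, 10):
        (src / f"note{i}.txt").write_bytes(os.urandom(4096))
    snapshot(src, backups, "t3")
    attack = assess_change(*latest_manifests(backups))
    shutil.rmtree(work)
    return benign, attack


if __name__ == "__main__":
    benign, attack = run_demo()
    print("benign edit:", benign)
    print("simulated encryption:", attack)
```

Because every run creates a new snapshot, a backup taken after files were encrypted sits beside the earlier good ones instead of replacing them, and the alarm gives a reason to stop the rotation job before old snapshots are deleted. The drive holding the snapshots still needs to be disconnected between runs, as the text advises, since a connected one is reachable by the same malware.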

Ransomware Recovery

The most recent update about ransomware is an article from Sophos on 30 January 2015. (source) The article states:

“Crypto-Ransomware is a family of malware that takes files on a PC or network storage, encrypts them, and then extorts money to unlock the files. … These encryptor malwares will encrypt pictures, documents, and videos, and then leave a ransom note in each directory after encrypting at least one file in that directory. They also typically attempt to do this to mapped network drives [or attached backup drives] as well. … Ransomware-encrypted files for most variants cannot be recovered at all. The encryption keys are not stored on the system. There is one variant which can be recovered, which is discussed below. … W32/VirRnsm-A infects files and changes them to .exe files, including the virus code. It still allows the file to open initially so it has a chance to spread. After a while it locks out the files. The good news is that these files, unlike most ransomware, can be recovered and cleaned by Sophos. A full system scan will fix and recover your files.” (source)

With so many variations of ransomware, it’s unlikely that encrypted files could be recovered unless they happen to be the result of the W32/VirRnsm-A variant.

Yet, some tools from Kaspersky (listed below) suggest that decryption may be possible if you have an original file that’s not encrypted and can compare this to an encrypted file.

Further Reading

Below are ransomware information pages from various sources.

Software Tools

Here are some software tools that might help with removal and/or recovery of files.

  • Kaspersky WindowsUnlocker – The Kaspersky WindowsUnlocker utility is designed to disinfect registries of all operating systems installed on the computer (including operating systems installed on different partitions or in different folders on one partition) and disinfect user registry trees. Kaspersky WindowsUnlocker does not perform any actions with files (in order to disinfect files you can use Kaspersky Rescue Disk).
  • RakhniDecryptor – utility for removing Trojan-Ransom.Win32.Rakhni
  • RannohDecryptor – If the system is infected by a malicious program of the family Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, or Trojan-Ransom.Win32.Cryakl, all files on the computer will be encrypted. To decrypt files affected by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola or Trojan-Ransom.Win32.Cryakl, use the RannohDecryptor utility.
  • RectorDecryptor – Kaspersky Lab specialists have developed a special utility for decrypting the data encrypted by Trojan-Ransom.Win32.Rector. Cybercriminals use Trojan-Ransom.Win32.Rector for disrupting normal performance of computers and for unauthorized modification of data making it unusable. Once the data has been “taken hostage” (blocked), its owner (user) receives a ransom demand. The victim is supposed to deliver the ransom in exchange for pirate’s promise to send a utility that would restore the data or repair the PC.
  • XoristDecryptor – There is a utility to confront malware of the family Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev – XoristDecryptor. Malware of the family Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev is designed for unauthorized modification of data on a victim computer. It makes computers uncontrollable or blocks their normal performance. After taking the data as a “hostage” (blocking it), a ransom is demanded from the user. The victim is supposed to deliver the ransom to the pirate, who is promising to send in return a program which would release the data or restore normal performance of the computer.

Instructional Videos

These videos refer to variants of ransomware. They may not be specific to your own experience, but the general information presented should be helpful. These videos provide an insight into the variety of ransomware and what the recovery solutions might be.

  • https://www.youtube.com/watch?v=_dKBXeoLIFo
  • https://www.youtube.com/watch?v=w_7wUXzhRD8
  • https://www.youtube.com/watch?v=WJagR2txHJU
  • https://www.youtube.com/watch?v=LKy9X--ffw8
  • https://www.youtube.com/watch?v=Zcj9RKO3e38

On Facebook Use Caution When Approving Friend Requests

Today I received a friend request from someone on Facebook. Usually I would just click “Approve” and move on.

Yet, we only had one friend in common, and upon checking this person’s Facebook profile, I found that they had only one post on their timeline (a poor quality profile pic), yet they were adding friends on Facebook at a furious rate. I couldn’t really find anything from a Google search on this person. It was as if they didn’t exist.

Many of the people whom he friended are from my community — people I know, although we’re not Friends on Facebook.

I thought I’d spend a few minutes investigating this a bit, so I contacted some of the people (dozens added in the last hour) who had recently friended him.

Turns out none of these people really know anything about him.

Potential Harm

Here’s the danger in accepting friend requests too quickly:

  1. The person controlling the fake user account (a troll) gets access to your entire friend list.
  2. The troll or potential hacker sees your private timeline posts as if they are your friend or family member. They see things about you that you’ve set as not public and only viewable to friends or friends of friends.
  3. Because of your supposed friendship with this fictitious person, the troll then gains the trust of your friends, so when the friend request appears, your friends think they are a trusted and known individual. So, they accept the friend request, and the troll returns to step 1 above to become friends with everyone that person knows, and so on.

The goal of these people is to quickly build up a huge friends list on Facebook which can grow exponentially. These accounts are typically built up over time and then sold on the black market to spammers, advertisers, and hackers who attempt to use reverse social engineering to hack into Facebook accounts (and your other accounts) based on what they gather from your personal information online.

What You Can Do

While Facebook is usually a fun and safe online environment, it’s still important to be cautious.

  • Alert Your Friends. If you suspect some suspicious activity, let your friends know — the friends who have already friended a troll using a fake account.
  • Alert Others. Look at the list of people the fake account has friended. Some of them will be people you’re not friends with, but you have dozens of friends in common. In other words, they are likely legitimate users. You could also consider notifying them.
  • Notify Facebook. You can also contact Facebook about suspicious activity. Go to the profile of the person you suspect is fraudulently using Facebook. Click on the dots to the right of the Message button and choose Report to report the person. You can also Block them.

It’s everyone’s responsibility to help keep Facebook safe and secure through each person being careful about who they connect with.

UPDATE #1

Several hours ago, there was no Google image match on the Internet for the profile image that had been posted by the fictitious user. None. Now, a few hours later, that same image is showing up for multiple user accounts under different names on Twitter and other websites. On those sites, he’s also posted little or nothing, but building friend networks.

UPDATE #2

Facebook took down the fraudulent user’s account within a few more hours of this post. Another victory.

Bash Shellshock Bug Vulnerability Exploit Patch

Summary

Some people are calling the Bash Shellshock Bug the worst thing since the Heartbleed Virus. Others are saying that the vulnerability isn’t as bad as reported since it won’t directly affect most users. The truth is probably somewhere in between. This document offers an introduction to what the Bash exploit is and what you can do about it.

Bash Facts

Here are a few facts about Bash.

  • “Bash or the Bourne again shell, is a UNIX-like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, Bash has evolved from a simple terminal based command interpreter to many other fancy uses. In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run Bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)” (source)
  • “Bash is present on every Linux distribution, almost every UNIX system, many Android phones, thousands upon thousands of embedded OS versions on hardware devices — and on every version of Mac OS X ever shipped.” (source)
  • “This patch doesn’t even BEGIN to solve the underlying shellshock problem. This patch just continues the ‘whack-a-mole’ job of fixing parsing errors that began with the first patch. Bash’s parser is certain to have many many many other vulnerabilities; it was never designed to be security-relevant.” (source)

Quick Test for Bash Vulnerability

Using Terminal, you can enter the following commands to test for Bash vulnerability.

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you type that, and only get the message “this is a test” then your system is most likely not vulnerable (other exploits are currently being evaluated, so don’t assume you’re completely protected). However, if you also see the word “vulnerable” generated, then your system is vulnerable.

If you run the above example with the patched version of Bash, you should get an output similar to:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
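The same probe can be scripted so that every copy of bash on a machine is checked, which matters where a system bash and a separately installed one coexist and only one has been updated. The script below is an added example, not from the original article; it runs the test above against each binary path you pass in, inspects only standard output so the patched version’s stderr warning does not affect the verdict, and assumes nothing about the system beyond those paths.

```sh
#!/bin/sh
# Added example (not from the original article): run the env-variable probe
# shown above against one or more bash binaries and report a verdict for each.

# Print a one-word verdict for the bash binary given as $1:
#   vulnerable         the extra command carried in the variable was executed
#   not-vulnerable     only the intended "this is a test" line came out
#   shell-not-found    $1 is not an executable on this system
#   unexpected-output  bash ran but produced neither line
shellshock_check() {
    bin="$1"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "shell-not-found"
        return 0
    fi
    # Same probe as above: a function definition followed by a trailing
    # command inside an exported variable. A fixed bash warns on stderr and
    # ignores the definition; an unfixed one runs the trailing echo while
    # importing its environment at startup. Only stdout is inspected.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*)       echo "vulnerable" ;;
        *"this is a test"*) echo "not-vulnerable" ;;
        *)                  echo "unexpected-output" ;;
    esac
}

# Check every binary given as an argument; exit status 1 if any is vulnerable.
check_all() {
    status=0
    for b in "$@"; do
        v=$(shellshock_check "$b")
        echo "$b: $v"
        [ "$v" = "vulnerable" ] && status=1
    done
    return $status
}

# Usage: sh shellshock_check.sh /bin/bash /usr/local/bin/bash
# With no arguments, the bash found first in PATH is checked.
[ "$#" -eq 0 ] && set -- bash
check_all "$@"
```

The non-zero exit status lets the script serve as a quick compliance check in a login script or configuration-management run; as the text notes, a clean result for this one probe only covers the original bug, not the follow-up parser issues that were still being evaluated.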

Ubuntu Users

If you’re a user of the latest version of Ubuntu (14) and have been installing system updates regularly, your computer has likely already been patched.

Resources

Rather than recreating here what has already been posted elsewhere, the following resources have been gathered to provide the information you need and save you from searching the web through thousands of articles.
