11 Tips for protecting your data when you travel

When we relayed the FBI/IC3 warning to travelers about a threat involving hotel Internet service overseas, it produced a lot of requests for advice on how to respond to the threat. In response we’ve developed a list of data security tips for travelers. These tips will help you keep your data safe while traveling and should defeat the threat.

  1. Make sure your operating system and antivirus software are updated before you go on the road.
  2. Back up your data before you head out (and store the backup in a safe place).
  3. Consider leaving some data behind, or move sensitive data from your laptop hard drive to an encrypted USB stick.
  4. Make sure you have password protection and inactivity timeout engaged on all devices including laptops, tablets, and smartphones.
  5. If possible, only use reputable hotel Internet service providers (ask the hotel who their provider is before you book).
  6. If the hotel Internet asks you to update software in order to connect, immediately disconnect and tell the front desk.
  7. If you use hotel Internet to connect to your company network use a VPN.
  8. Do not use WiFi connections that are not encrypted with WPA and avoid WEP encrypted connections which are easily hacked.
  9. Consider getting a 3G or 4G hotspot and using that instead of hotel Internet.
  10. Avoid online banking and shopping while on any hotel or public Internet connection.
  11. Disable pop-ups in your web browser.

Tips for Securing Your Wi-Fi Network

Whether you’re a home user, small business or enterprise it’s important to make sure you secure your wireless network. And sadly, many people still don’t. There are plenty of resources available to help you do this and best practices you can adapt to your organization’s size. Here are some tips we recommend you consider.

1. Use strong encryption
Enable Wi-Fi Protected Access (WPA), and ideally WPA2. This provides much stronger encryption for securing your communications than WEP, which hackers can easily crack.

2. Create a strong password
Even WPA2 can be cracked by the bad guys if you don’t use a secure password. You can see in our video how a simple password can be cracked in a short space of time. You won’t have to type your password very often, but it could prevent criminals from watching what you do online. Remember too that cybercriminals can use cloud services to aid password cracking, so even a seemingly secure but shorter password may not be safe.

3. Consider your authentication strategy
If you are using WPA2-PSK, your employees, friends or family will all be using the same password, and may unintentionally share it with others. Remember that any of them can see your network traffic. If an employee leaves the company, they may retain your network key—allowing them to later decrypt your traffic or access the network. For larger organizations, consider using a certificate-based authentication mechanism or RADIUS so that each user has their own managed credentials. That way you avoid users accidentally sharing access to your network. There are many strong authentication deployment modes available for you to use in a good enterprise wireless solution.

4. Change the name of your network
It’s a little-known fact that the network SSID (such as “Home” or “Free Public Wi-Fi”) is actually part of the security for encrypted networks. Using a default name can make it easy for attackers to guess your password quickly. Try to use a unique name, but also make sure not to give too much information away, as it may tempt attackers to target you.
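Why the SSID matters for tips 2 and 4 above, as an added example that is not part of the original article: WPA/WPA2-PSK derives the 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so a default network name lets the expensive part of the derivation be reused against every network with that name. The SSIDs and passphrase below are constructed for the demonstration.

```python
import hashlib

# Per IEEE 802.11i, a WPA/WPA2-PSK network turns the passphrase into the
# 256-bit pairwise master key with PBKDF2-HMAC-SHA1, using the SSID as the
# salt and 4096 iterations. The SSID is therefore part of the key material.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # bytes


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the pre-shared key (PMK) for a passphrase on a given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH)


def same_key_material(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if the same passphrase yields the same PMK on two SSIDs.

    It only does when the SSIDs are identical, which is why a unique SSID
    defeats tables precomputed for default names such as "linksys".
    """
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


# Constructed examples: a default SSID versus a unique one.
DEFAULT_SSID = "linksys"
UNIQUE_SSID = "k7-office-2013"
PASSPHRASE = "correct horse battery staple"

if __name__ == "__main__":
    print("default SSID PMK:", wpa_psk(PASSPHRASE, DEFAULT_SSID).hex())
    print("unique SSID PMK: ", wpa_psk(PASSPHRASE, UNIQUE_SSID).hex())
    print("PMK reusable across SSIDs?",
          same_key_material(PASSPHRASE, DEFAULT_SSID, UNIQUE_SSID))
```

The derivation is the same one `wpa_passphrase` from hostapd/wpa_supplicant performs, and the test vector from IEEE 802.11i Annex H (passphrase "password", SSID "IEEE") can be used to check it.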

5. Consider SSID hiding carefully
SSID hiding is a feature which hides your network name from the list that people in the area can see on their computers or mobile devices. This means a user has to manually configure the network name and password. SSID hiding reduces temptation from casual attackers, so it’s a useful feature. However, be aware that within a few seconds any attacker with basic knowledge will reveal this wireless network name. It is a very light defense that you shouldn’t rely on. Make sure you combine it with strong encryption and a good password.

6. Beware of device authorization lists
MAC address filtering prevents devices that aren’t on an authorized list of allowed hardware devices from using your network. This feature is often presumed by administrators to be a strong defense. Unfortunately, these MAC addresses are easily forged by attackers. Having to manually authorize these addresses within your organization can also be a significant administrative burden. It’s a good practice to follow the principle of “defense-in-depth.” However, we recommend not using MAC address filtering. Instead, focus your efforts on strong passwords and encryption.

7. Manage the names of networks you’ve previously used
By default, most devices will remember networks you have previously connected to. For example, if you used a hotel’s wireless connection, your device will likely remember its name and search for that network wherever you travel. Attackers’ wireless scanning tools will identify your laptop or mobile device and see that it has previously connected to a network with this name, even if it’s not presently in range. This may not seem like a significant issue, but wireless network names may give away key information such as the business you work for, hotels or sites you have visited, or—in extreme cases—your address (we’ve seen networks named after street addresses). Remember to remove such profiles after use if they give away sensitive information.

8. Protect yourself on open networks
If you connect to an open hotspot such as those commonly provided by hotels, you need to take additional steps to be sure your traffic isn’t visible to hackers. Make use of a strong VPN to encrypt all of your traffic over the wireless network. You should also check the hotspot is legitimate when providing credit card details or login information, as sometimes cybercriminals set up fake hotspots.

9. Practice defense-in-depth
Network security is only one layer of a good security strategy. You should follow best practices for endpoint protection, patching and web security. With the right security practices you can keep yourself secure even if your wireless network is compromised, reducing the odds of a hacker getting away with your data.

10. Manage visitors and restrict traffic
If you are a business that needs to provide guest or consultant access, consider offering a separate network with restrictions on what guests can access. A hotspot registration portal can be an easy way to restrict access without a lot of administrative effort. Wireless solutions should enable you to easily deploy such networks, allowing visitors access only to the Internet and keeping them away from corporate services.

11. Manage your wireless access points
Make sure that your wireless access points (particularly those of branch offices and other locations) use the correct security configuration. Many enterprises may have secure wireless at headquarters, but then have weak access point configuration at branch offices. These can act as a back door to the enterprise, undermining your security efforts. Policy management and remote logging are therefore a priority to make sure security is consistent across your environment.

How to blunt spear phishing attacks

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren’t supposed to.

For example, Chinese hackers successfully broke into computers at The New York Times through spear phishing. So, what are the steps that IT execs can take to protect enterprise networks from spear phishing?

Most spear phishing attacks take one of two tacks: they appeal either to human greed or to fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true, or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or some other scenario in which you are required to enter personal information… or else.

While regular phishing typically involves unsophisticated mass mailings, spear phishes can appear to come from your own IT department, from your own payroll department, from a friend or colleague.

Here are some tips on how to teach employees to avoid getting spear phished.

  1. Read the URL backwards, from right to left. The URL might start out with “www.bankofamerica” but when it ends with 120 characters of gibberish, you should get suspicious. You can also place your cursor over a link in an email and you will see the actual URL it will take you to. DO NOT CLICK ON IT; just hover over it to see if it matches www.bankofamerica.com.
  2. Don’t fall for what’s being called the “double-barreled phish,” in which you respond to the email with a question, such as “Is this really my buddy Jim.” Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, “Yes, it’s me, Jim.” Of course, it isn’t Jim.
  3. Never open a PDF from someone you don’t know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.
  4. Never give out your password or other personal/sensitive information in response to an unsolicited query.
  5. IT managers should consider training classes targeted specifically at spear phishing.
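Tip 1 above, checking a hovered link by reading its host name from right to left, can be automated for mail-gateway or awareness tooling. The following is an added example, not code from the original article; the expected domain and the sample links are constructed, using reserved .example names for the look-alike hosts.

```python
from urllib.parse import urlsplit

# The domain the email claims to link to; a constructed example for this check.
EXPECTED_DOMAIN = "bankofamerica.com"


def link_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit drops any 'user:pass@' prefix, so 'www.bankofamerica.com@phish.example'
    resolves to phish.example, and it lower-cases the host name.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host name in link")
    return parts.hostname.rstrip(".")


def labels_right_to_left(host: str) -> list:
    """The tip's reading order: top-level domain first, then each label leftwards."""
    return host.split(".")[::-1]


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is domain or a subdomain of it. A plain substring match
    would wrongly accept 'www.bankofamerica.com.evil.example' and 'secure-bankofamerica.com'."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """Classify a hovered link as OK or SUSPICIOUS relative to the expected domain."""
    try:
        host = link_host(url)
    except ValueError as exc:
        return f"SUSPICIOUS ({exc})"
    if belongs_to(host, expected_domain):
        return f"OK ({host})"
    return f"SUSPICIOUS ({host} is not under {expected_domain})"


# Constructed sample links of the kinds the tip describes.
SAMPLE_LINKS = [
    "https://www.bankofamerica.com/login",
    "https://WWW.BankOfAmerica.COM/",
    "http://www.bankofamerica.com.account-verify.example/login?id=0123456789abcdef",
    "http://www.bankofamerica.com@phish.example/",
    "https://secure-bankofamerica.com/",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):70} <- {link}")
```

Internationalized host names arrive from `urlsplit` as typed, so a production check should normalize them to punycode (IDNA) before comparing.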

PhishMe is one of several companies that offer a SaaS-based program whereby IT groups can send fake spear phishing emails to employees and then measure the failure rate.

PhishMe customers are often stunned to find failure rates – in other words, the percentage of end users who click on a spear phish and enter a password – in the 80% range.

The way PhishMe works, when an end user falls for a phish, a giant flash card appears on their screen announcing that they’ve been phished and detailing what they did wrong. The company offers pre-built phishing templates, and customers can also customize their spear phishing emails.

Customers receive reports on the success of the spear phishing training program down to the individual end user. The company says some customers might take punitive action against an employee who repeatedly clicks on fake phishes, while other companies are using gamification to reward good behavior and to keep people on their toes.

PhishMe has also noticed that when companies stop the training programs, employees revert to their old behavior, so it makes sense for companies to make anti-spear phishing programs a way of life.


Internet Providers Launching Copyright Alert System Today to Warn Customers About Downloading Content

Five of the United States’ largest Internet service providers are launching today what they call a new system that will “educate” customers about downloading copyrighted content by issuing warnings instead of lawsuits. The program, called the Copyright Alert System, is a creation of the Internet providers and the trade associations representing the film and music industries, and is designed to reduce the amount of content obtained via file-sharing services such as BitTorrent.

Comcast, Verizon, AT&T, Cablevision, and Time Warner are all participating in the program, meaning that the so-called “six strikes” system will apply to most U.S. households with a broadband Internet connection. The trade groups involved include the Recording Industry Association of America and the Motion Picture Association of America, along with their member corporations.

Under the system’s rules, customers found to have downloaded copyrighted content without paying will be issued a series of warnings, along with an increasing chance that their Internet service will be throttled. Customers who receive those warnings may also find themselves suddenly redirected to a website scolding them for their downloads.

Users who receive these warnings may also find themselves blocked from certain “frequently visited” websites, according to documents about the plan obtained last year by Torrent Freak, a website that reports on news about file-sharing. The Copyright Alert System was originally supposed to launch last November, but was delayed until today.

The documents also state that content owners and ISPs could pursue legal action after the fifth warning, though for the most part, the Copyright Alert System is designed to be an extrajudicial program set up by Internet and entertainment companies.

Warnings, the system’s website advises, are issued when content owners find which Internet Protocol addresses are sharing copyrighted materials, then turn those addresses over to the service providers, who in turn identify the associated customer. The warnings can be challenged via the American Arbitration Association, which charges a filing fee.

Security Updates and Important Information

Mandiant Releases Report On Chinese “APT1” Group

Incident response specialist company Mandiant released on Tuesday a groundbreaking report, citing highly detailed evidence to support a claim that the Chinese government, through Unit 61398 of the People’s Liberation Army, has been engaging in systematic attacks on American interests, as well as those of other English-speaking nations around the globe, over the course of the past 6 years. The report, which included domain names, IP addresses, SSL certificates, and MD5 sums of malicious binaries, has already caused a major political stir, with the Obama administration set to impose trade penalties for cybertheft and the Chinese government denying any involvement.

Reference: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Schneider Electric IGSS Buffer Overflow

Independent researcher Aaron Portnoy recently discovered a set of vulnerabilities in the widely used Schneider Electric IGSS protocol, which could be remotely exploited for full administrative privileges on target systems. The vendor has since issued a patch, and users of these systems are strongly encouraged to both apply the patch and to ensure that all electrical infrastructure is appropriately firewalled from the Internet.

PDF 0-day Being Exploited In The Wild

Adobe confirmed last week that a pair of new exploits targeting Acrobat Reader were being exploited in the wild; as of the time of writing, no patches had yet been released. The exploits were particularly nefarious, in that they used a brand-new ROP-based technique to escape Reader’s sandboxing technology, which was designed by Adobe to mitigate the impact of vulnerabilities such as these. Users are urged to be extremely cautious when opening PDF documents from any source.

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Detailed analysis for MS12-081:
http://blog.ptsecurity.com/2013/02/surprise-for-network-resources-from.html

TeamViewer authentication protocol:
http://blog.accuvantlabs.com/blog/bthomas/teamviewer-authentication-protocol

iOS 6.1 hack allows lock screen bypass:
http://thehackernews.com/2013/02/ios-61-hack-allows-iphone-lock-screen.html

FROST: Forensic Recovery of Scrambled Telephones:
https://www1.informatik.uni-erlangen.de/frost

Cyber attacks against Uighur Mac OS X users intensify:
https://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify

Practical identification of SQL injection vulnerabilities:
https://www.us-cert.gov/reading_room/Practical-SQLi-Identification.pdf

Targeted ‘phone ring flooding’ as a service going mainstream:
http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/

DDoS attack on bank hid $900,000 cyberheist:
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

iOS 6.1 hack lets users see your phone app, place calls

Some sleight of hand will allow iOS 6.1 hackers to access your phone application, listen to your voice mails, and place calls.

A YouTube video showing users how to “bypass iPhone 5 passcode” on Apple’s latest iOS releases, including iOS 6.1, has been published. The person who uploaded the video shows how anyone can access the phone application on a passcode-protected iPhone.

In order to achieve the hack, users must come close to turning off the iPhone, place an emergency call, and keep their finger on the power button. We were able to re-create the hack with ease, and the YouTube user who uploaded the video provided step-by-step directions.

“For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but…please…do not use this trick to do evil,” “videosdebarraquito” posted on the YouTube page.

Apple said it is at work on a fix to the issue, but that it will require a software update.

Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots confirm how varied mobile threats have become. The fact that these malware can avoid detection and lead to further infections makes this discovery more troubling.

Access Through Fake Apps

Malware like ANDROIDOS_KSAPP.A came from a third-party app store and was repackaged as gaming apps. Once installed, these malicious apps download and analyze a script from remote sites. This script contains commands that a remote attacker can execute on the affected device. The malicious apps can also make devices vulnerable to further infection via notifications and pop-up windows that prompt you to install other possibly malicious files.

More Sophisticated Malware

What makes this particular malware notable is its ability to analyze the downloaded script and equip itself with new ones. It can update its script to avoid antimalware detection. This behavior makes it more complicated than the typical Android malware with backdoor capabilities.

These refined routines continue a mobile trend we saw last year: beyond social engineering baits, cybercriminals have since added newer attack methods. The discovery of the reported malware indicates that cybercriminals are continuously creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install them. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sift legitimate from suspicious apps.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options due to Apple’s reluctance to allow third-party developers to offer solutions. We believe this will change this year. The threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will be available for them as well.
