Saturday, September 29, 2018

ST18-004: Protecting Against Malicious Code

National Cyber Awareness System:

 

ST18-004: Protecting Against Malicious Code

09/28/2018 11:17 AM EDT

 

Original release date: September 28, 2018

 

What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

  • Viruses have the ability to damage or destroy files on a computer system and are spread by sharing an already infected removable media, opening malicious email attachments, and visiting malicious web pages.
  • Worms are a type of virus that self-propagates from computer to computer. Its functionality is to use all of your computer’s resources, which can cause your computer to stop responding.
  • Trojan Horses are computer programs that are hiding a virus or a potentially damaging program. It is not uncommon that free software contains a Trojan horse making a user think they are using legitimate software, instead the program is performing malicious actions on your computer.

How can you protect yourself against malicious code?

Following these security practices can help you reduce the risks associated with malicious code:

  • Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up-to-date.
  • Use caution with links and attachments. Take appropriate precautions when using email and web browsers to reduce the risk of an infection. Be wary of unsolicited email attachments and use caution when clicking on email links, even if they seem to come from people you know. (See Using Caution with Email Attachments for more information.)
  • Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code. Most browsers have a free feature that can be enabled to block pop-up advertisements.
  • Use an account with limited permissions. When navigating the web, it is a good security practice to use an account with limited permissions. If you do become infected, restricted permissions keep the malicious code from spreading and escalating to an administrative account.
  • Disable external media AutoRun and AutoPlay features. Disabling AutoRun and AutoPlay features prevents external media infected with malicious code from automatically running on your computer.
  • Change your passwords. If you believe your computer is infected, change your passwords. This includes any passwords for websites that may have been cached in your web browser. Create and use strong passwords, making them difficult for attackers to guess. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Keep software updated. Install software patches on your computer so attackers do not take advantage of known vulnerabilities. Consider enabling automatic updates, when available. (See Understanding Patches and Software Updates for more information.)
  • Back up data. Regularly back up your documents, photos, and important email messages to the cloud or to an external hard drive. In the event of an infection, your information will not be lost.
  • Install or enable a firewall. Firewalls can prevent some types of infection by blocking malicious traffic before it enters your computer. Some operating systems include a firewall; if the operating system you are using includes one, enable it. (See Understanding Firewalls for Home and Small Office Use for more information.)
  • Use anti-spyware tools. Spyware is a common virus source, but you can minimize infections by using a program that identifies and removes spyware. Most antivirus software includes an anti-spyware option; ensure you enable it.
  • Monitor accounts. Look for any unauthorized use of, or unusual activity on, your accounts—especially banking accounts. If you identify unauthorized or unusual activity, contact your account provider immediately.
  • Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device’s network traffic and gain access to your personal information.

What do you need to know about antivirus software?

Antivirus software scans computer files and memory for patterns that indicate the possible presence of malicious code. You can perform antivirus scans automatically or manually.

  • Automatic scans – Most antivirus software can scan specific files or directories automatically. New virus information is added frequently, so it is a good idea to take advantage of this option.
  • Manual scans – If your antivirus software does not automatically scan new files, you should manually scan files and media you receive from an outside source before opening them, including email attachments, web downloads, CDs, DVDs, and USBs.

Although anti-virus software can be a powerful tool in helping protect your computer, it can sometimes induce problems by interfering with the performance of your computer. Too much antivirus software can affect your computer’s performance and the software’s effectiveness.

  • Investigate your options in advance. Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes and how frequently the virus definitions are updated. Also, check for known compatibility issues with other software you may be running on your computer.
  • Limit the number of programs you install. Packages that incorporate both antivirus and anti-spyware capabilities together are now available. If you decide to choose separate programs, you only need one antivirus program and one anti-spyware program. Installing more programs increases your risk for problems.

There are many antivirus software program vendors, and deciding which one to choose can be confusing. Antivirus software programs all typically perform the same type of functions, so your decision may be based on recommendations, features, availability, or price. Regardless of which package you choose, installing any antivirus software will increase your level of protection.

How do you recover if you become a victim of malicious code?

Using antivirus software is the best way to defend your computer against malicious code. If you think your computer is infected, run your antivirus software program. Ideally, your antivirus program will identify any malicious code on your computer and quarantine them so they no longer affect your system. You should also consider these additional steps:

  • Minimize the damage. If you are at work and have access to an information technology (IT) department, contact them immediately. The sooner they can investigate and “clean” your computer, the less likely it is to cause additional damage to your computer—and other computers on the network. If you are on a home computer or laptop, disconnect your computer from the internet; this will prevent the attacker from accessing your system.
  • Remove the malicious code. If you have antivirus software installed on your computer, update the software and perform a manual scan of your entire system. If you do not have antivirus software, you can purchase it online or in a computer store. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

Threats to your computer will continue to evolve. Although you cannot eliminate every hazard, by using caution, installing and using antivirus software, and following other simple security practices, you can significantly reduce your risk and strengthen your protection against malicious code.


Author: NCCIC


 

ST18-004: Protecting Against Malicious Code

 

 

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

09/28/2018 11:17 AM EDT

 

Original release date: September 28, 2018

 

What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

  • Viruses have the ability to damage or destroy files on a computer system and are spread by sharing an already infected removable media, opening malicious email attachments, and visiting malicious web pages.
  • Worms are a type of virus that self-propagates from computer to computer. Its functionality is to use all of your computer’s resources, which can cause your computer to stop responding.
  • Trojan Horses are computer programs that are hiding a virus or a potentially damaging program. It is not uncommon that free software contains a Trojan horse making a user think they are using legitimate software, instead the program is performing malicious actions on your computer.

How can you protect yourself against malicious code?

Following these security practices can help you reduce the risks associated with malicious code:

  • Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up-to-date.
  • Use caution with links and attachments. Take appropriate precautions when using email and web browsers to reduce the risk of an infection. Be wary of unsolicited email attachments and use caution when clicking on email links, even if they seem to come from people you know. (See Using Caution with Email Attachments for more information.)
  • Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code. Most browsers have a free feature that can be enabled to block pop-up advertisements.
  • Use an account with limited permissions. When navigating the web, it is a good security practice to use an account with limited permissions. If you do become infected, restricted permissions keep the malicious code from spreading and escalating to an administrative account.
  • Disable external media AutoRun and AutoPlay features. Disabling AutoRun and AutoPlay features prevents external media infected with malicious code from automatically running on your computer.
  • Change your passwords. If you believe your computer is infected, change your passwords. This includes any passwords for websites that may have been cached in your web browser. Create and use strong passwords, making them difficult for attackers to guess. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Keep software updated. Install software patches on your computer so attackers do not take advantage of known vulnerabilities. Consider enabling automatic updates, when available. (See Understanding Patches and Software Updates for more information.)
  • Back up data. Regularly back up your documents, photos, and important email messages to the cloud or to an external hard drive. In the event of an infection, your information will not be lost.
  • Install or enable a firewall. Firewalls can prevent some types of infection by blocking malicious traffic before it enters your computer. Some operating systems include a firewall; if the operating system you are using includes one, enable it. (See Understanding Firewalls for Home and Small Office Use for more information.)
  • Use anti-spyware tools. Spyware is a common virus source, but you can minimize infections by using a program that identifies and removes spyware. Most antivirus software includes an anti-spyware option; ensure you enable it.
  • Monitor accounts. Look for any unauthorized use of, or unusual activity on, your accounts—especially banking accounts. If you identify unauthorized or unusual activity, contact your account provider immediately.
  • Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device’s network traffic and gain access to your personal information.

What do you need to know about antivirus software?

Antivirus software scans computer files and memory for patterns that indicate the possible presence of malicious code. You can perform antivirus scans automatically or manually.

  • Automatic scans – Most antivirus software can scan specific files or directories automatically. New virus information is added frequently, so it is a good idea to take advantage of this option.
  • Manual scans – If your antivirus software does not automatically scan new files, you should manually scan files and media you receive from an outside source before opening them, including email attachments, web downloads, CDs, DVDs, and USBs.

Although anti-virus software can be a powerful tool in helping protect your computer, it can sometimes induce problems by interfering with the performance of your computer. Too much antivirus software can affect your computer’s performance and the software’s effectiveness.

  • Investigate your options in advance. Research available antivirus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes and how frequently the virus definitions are updated. Also, check for known compatibility issues with other software you may be running on your computer.
  • Limit the number of programs you install. Packages that incorporate both antivirus and anti-spyware capabilities together are now available. If you decide to choose separate programs, you only need one antivirus program and one anti-spyware program. Installing more programs increases your risk for problems.

There are many antivirus software program vendors, and deciding which one to choose can be confusing. Antivirus software programs all typically perform the same type of functions, so your decision may be based on recommendations, features, availability, or price. Regardless of which package you choose, installing any antivirus software will increase your level of protection.

How do you recover if you become a victim of malicious code?

Using antivirus software is the best way to defend your computer against malicious code. If you think your computer is infected, run your antivirus software program. Ideally, your antivirus program will identify any malicious code on your computer and quarantine them so they no longer affect your system. You should also consider these additional steps:

  • Minimize the damage. If you are at work and have access to an information technology (IT) department, contact them immediately. The sooner they can investigate and “clean” your computer, the less likely it is to cause additional damage to your computer—and other computers on the network. If you are on a home computer or laptop, disconnect your computer from the internet; this will prevent the attacker from accessing your system.
  • Remove the malicious code. If you have antivirus software installed on your computer, update the software and perform a manual scan of your entire system. If you do not have antivirus software, you can purchase it online or in a computer store. If the software cannot locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

Threats to your computer will continue to evolve. Although you cannot eliminate every hazard, by using caution, installing and using antivirus software, and following other simple security practices, you can significantly reduce your risk and strengthen your protection against malicious code.


Author: NCCIC


This product is provided subject to this Notification and this Privacy & Use policy.


This email was sent to gumball@gumballpro.com using GovDelivery Communications Cloud on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870

GovDelivery logo

 

IC3 Issues Alert on RDP Exploitation

 

 

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

09/28/2018 09:54 AM EDT

 

Original release date: September 28, 2018

The Internet Crime Complaint Center (IC3), in collaboration with DHS and the Federal Bureau of Investigation, has released an alert on cyber threat actors maliciously using legitimate remote administration tools, such as Remote Desktop Protocol (RDP). Threat actors identify and exploit vulnerable RDP sessions to facilitate credential theft and ransomware infection.

NCCIC encourages users and administrators to review the IC3 Alert and the NCCIC Tips on Securing Network Infrastructure Devices and Choosing and Protecting Passwords. If you believe you are a victim of cybercrime, file a complaint with IC3 at www.ic3.gov.

 

The best location for your router for actually good Wi-Fi

If Facebook logged you out, your account was likely attacked

Saturday, September 15, 2018

Meltdown and Spectre Vulnerabilities (Update I) | ICS-CERT

Meltdown and Spectre Vulnerabilities (Update I) | ICS-CERT

Meltdown and Spectre Vulnerabilities (Update I)

1. EXECUTIVE SUMMARY

This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update H) that was published July 10, 2018, on the NCCIC/ICS-CERT website.

NCCIC is referencing CERT/CC's vulnerability note VU#584653 CPU hardware vulnerable to side-channel attacks to enhance the awareness of critical infrastructure asset owners/operators and to identify affected product vendors that have contacted ICS-CERT for help disseminating customer notifications/recommendations to mitigate the risk associated with cache side-channel attacks known as Meltdown and Spectre. Exploitation of these vulnerabilities may allow unauthorized disclosure of information.

CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 have been assigned to these vulnerabilities.

The following product vendors have reported that they support products that use affected CPUs and have issued customer notifications with recommendations for users (NCCIC will update the list of vendors that have released customer notifications as additional information becomes available):

Please report any issues affecting control systems in critical infrastructure environments to NCCIC.

For details, please see each company's announcement:

--------- Begin Update I Part 1 of 1 --------

--------- End Update I Part 1 of 1 ----------

2. MITIGATIONS

NCCIC is currently coordinating with vendors and security researchers to identify mitigations.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Understanding Firewalls for Home and Small Office Use


Understanding Firewalls for Home and Small Office Use

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

Original release date: September 10, 2018

When your computer is accessible through an internet connection or Wi-Fi network, it is susceptible to attack. However, you can restrict outside access to your computer—and the information on it—with a firewall.

What do firewalls do?

Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet. Firewalls can be configured to block data from certain locations (i.e., computer network addresses), applications, or ports while allowing relevant and necessary data through. (See Understanding Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and Botnets for more information.)

What type of firewall is best?

Categories of firewalls include hardware and software. While both have advantages and disadvantages, the decision to use a firewall is more important than deciding which type you use.

  • Hardware – Typically called network firewalls, these physical devices are positioned between your computer and the internet (or other network connection). Many vendors and some internet service providers (ISPs) offer integrated small office / home office routers that also include firewall features. Hardware-based firewalls are particularly useful for protecting multiple computers and controlling the network activity that attempts to pass through them. The advantage of hardware-based firewalls is that they provide an additional line of defense against attacks reaching desktop computing systems. The disadvantage is that they are separate devices that require trained professionals to support their configuration and maintenance.
  • Software – Most OSs include a built-in firewall feature that you should enable for added protection, even if you have an external firewall. Firewall software is also available separately from your local computer store, software vendor, or ISP. If you download firewall software from the internet, make sure it is from a reputable source (i.e., an established software vendor or service provider) and offered via a secure site. (See Understanding Web Site Certificates for more information.) The advantage of software firewalls is their ability to control the specific network behavior of individual applications on a system. A significant disadvantage of a software firewall is that it is typically located on the same system that is being protected. Being located on the same system can hinder the firewall's ability to detect and stop malicious activity. Another possible disadvantage of software firewalls is that—if you have a firewall for each computer on a network—you will need to update and manage each computer's firewall individually.

How do you know what configuration settings to apply?

Most commercially available firewall products, both hardware and software based, come preconfigured and ready to use. Since each firewall is different, you will need to read and understand the documentation that comes with it to determine whether the default firewall settings are sufficient for your needs. This is particularly concerning because the "default" configuration is typically less restrictive, which could make your firewall more susceptible to compromise. Alerts about current malicious activity (e.g., NCCIC's Alerts) sometimes include information about restrictions you can implement through your firewall.

Though properly configured firewalls may effectively block some attacks, do not be lulled into a false sense of security. Firewalls do not guarantee that your computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (i.e., malware), and may not protect you if you accidentally install or run malware on your computer. However, using a firewall in conjunction with other protective measures (e.g., anti-virus software and safe computing practices) will strengthen your resistance to attacks. (See Good Security Habits and Understanding Anti-Virus Software for more information.)


Sunday, September 09, 2018

5 things you may have missed from the Facebook and Twitter hearings

US charges N. Korean hacker in Sony, WannaCry cyberattacks

Apple is building a site to handle data requests from law enforcement agencies worldwide

Securing Enterprise Wireless Networks

U.S. Department of Homeland Security US-CERT

What is enterprise network security?

Enterprise network security is the protection of a network that connects systems, mainframes, and devices―like smartphones and tablets―within an enterprise. Companies, universities, governments, and other entities use enterprise networks to help connect their users to information and people. As networks grow in size and complexity, security concerns also increase.

What security threats do enterprise wireless networks face?

Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization's network through a wireless access point to conduct malicious activities—including packet sniffing, creating rouge access points, password theft, and man-in-the-middle attacks. These attacks could hinder network connectivity, slow processes, or even crash the organization's system. (See Securing Wireless Networks for more information on threats to wireless networks.)

How can you minimize the risks to enterprise Wi-Fi networks?

Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected Access 2 (WPA2) incorporates Advanced Encryption Standard (AES) and is the standard employed today to secure wireless enterprises. In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available. IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:

  • Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on every network.
  • Ensure existing equipment is free from known vulnerabilities by updating all software in accordance with developer service pack issuance.
  • Use existing equipment that can be securely configured.
  • Ensure all equipment meets Federal Information Processing Standards (FIPS) 140-2 compliance for encryption.
  • Ensure compliance with the most current National Institute of Standards and Technology. (See Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.)
  • Establish multifactor authentication for access to your network. If this is not possible, consider other secure authentication means beyond a single shared password, such as Active Directory service authentication or an alternative method (e.g., tokens) to create multifactor authentication into your network.
  • Use Extensible Authentication Protocol-Transport Layer Security certificate-based methods (or better) to secure the entire authentication transaction and communication.
  • Use Counter Mode Cipher Block Chaining Message Authentication Code Protocol, a form of AES encryption used by Wireless Application Protocol 2 (WAP) enterprise networks sparingly. If possible, use more complex encryption technologies that conform to FIPS 140-2 as they are developed and approved.
  • Implement a guest Wi-Fi network that is separate from the main network. Employ routers with multiple Service Set Identifiers (SSIDs) or engage other wireless isolation features to ensure that organizational information is not accessible to guest network traffic or by engaging other wireless isolation features.

What else can you do to secure your network?

Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified threats. Some common threats mitigated by WIPS are rogue access points, misconfigured access points, client misassociation, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.

The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these practices based on  local considerations and applicable compliance requirements. For more in-depth guidance, see A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).

  • Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, regardless of the authentication or encryption techniques used by the offending device (e.g., network address translation, encrypted, soft WAPs).
  • Set the WIDS/WIPS sensors to
    • detect 802.11a/b/g/n/ac devices connected to the wired or wireless network and
    • detect and block multiple WAPs from a single sensor device over multiple wireless channels.
  • Enforce a "no Wi-Fi" policy per subnet and across multiple subnets.
  • Provide minimal secure communications between sensor and server, and identify a specific minimum allowable Kbps―the system shall provide automatic classification of clients and WAPs based upon enterprise policy and governance.
  • Provide automated (event-triggered) and scheduled reporting that is customizable.
  • Segment reporting and administration based on enterprise requirements.
  • Produce event logs and live packet captures over the air and display these directly on analyst workstations.
  • Import site drawings for site planning and location tracking requirements.
  • Manually create simple building layouts with auto-scale capability within the application.
  • Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future locations.
  • Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and administrator privileges to other administrators.
  • Meet all applicable standards and, if Federal Government, comply with the Federal Acquisition Regulation.

Author: NCCIC

 

 

Everything You Should Do Before You Lose Your Phone

https://www.wired.com/story/lost-stolen-phone-what-to-do/

Apple's Biggest iPhone Launch Ever: What to Expect

https://www.tomsguide.com/us/apple-2018-iphone-event-preview,news-28010.html

Windows malware opens RDP ports on PCs for future remote access

https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/