security

Examples of Phishing emails that could contain Ransomware

The FS-ISAC, or the Financial Services Information Sharing and Analysis Center, is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned non-profit entity.

Here are some examples of phishing emails that member banks have received over the past few days. I’m sending them to you to familiarize you with the types of emails that you might receive. If you DO receive any emails that appear suspicious, PLEASE notify the helpdesk, or Bill or me. Thank you.

YOU HAVE A PACKAGE WITH DHL  – DHL / Adobe Themed Phishing Email

An FS-ISAC member reported receiving a phishing e-mail purporting to be from DHL with the subject “YOU HAVE A PACKAGE WITH DHL”, containing a .pdf file attachment with an embedded URL that leads to an Adobe Online-themed credential harvesting site.

Important Account Notification – Capital One-Themed Phishing E-mail

An FS-ISAC member reported receiving a phishing e-mail purporting to be from Capital One with subject “Important Account Notification”, containing an embedded URL.

Closing Settlement Disclosure – Google Docs-Themed Phishing Email

An FS-ISAC member reported receiving a phishing e-mail with the subject “Helmsmortgage spreedsheet”, containing a .pdf file attachment with an embedded URL that leads to a Google Docs-themed credential harvesting site.

Electronic Shipping Documents Now Ready – NanoCore-RAT Phishing Email

An FS-ISAC member reported receiving a phishing e-mail with the subject “Electronic Shipping Documents Now Ready”, containing a malicious .ace file attachment that leads to Nanocore – Remote Access Trojan.

Inv <#####>  – Ursnif Phishing Emails

An FS-ISAC member reported receiving phishing e-mails with subject lines in the following format: “Inv <#####>”, containing a malicious .docx file attachment that leads to Ursnif malware.

Your Email Will Be Blocked. – Webmail-themed Phishing E-mail

An FS-ISAC member reported receiving phishing e-mails with the subject line “Your Email Will Be Blocked.”, containing an embedded URL that leads to a Webmail-themed credential harvesting site.

the exorcists list – Phishing E-mail

An FS-ISAC member reported receiving a phishing e-mail with the subject “the exorcists list” containing a suspicious .doc file attachment and URLs.

Re:invoice – Phishing E-mail

An FS-ISAC member reported receiving a phishing e-mail with the subject “Re:invoice”, containing a malicious .ace file attachment that leads to a Trojan.

Total messages: 23 – Phishing E-mail

An FS-ISAC member reported observing a phishing email with the subject “Total messages: 23” containing a malicious URL.

MyFax message from “<COMPANY NAME>” – 4 page(s), Caller-ID: 1-516-799-6300” – Adwind RAT Phishing E-mail

FS-ISAC members reported receiving phishing e-mails with the subject “MyFax message from “<COMPANY NAME>” – 4 page(s), Caller-ID: 1-516-799-6300” containing a malicious .zip file attachment that leads to the Adwind Remote Access Trojan.

Complaint Letter  – AutoIT Wrapped-Trojan Phishing Email

An FS-ISAC member received a phishing e-mail with the subject “Complaint Letter”, containing a malicious .zip file attachment that leads to AutoIT Wrapped – Trojan.

101 Free Network Monitoring Tools

http://www.gfi.com/blog/101-free-admin-tools/

How to add Trusted Sites

Go to Computer Configuration > Administrative Tools > Windows Components > Internet Explorer > Internet Control Panel > Security Page, then double-click Site to Zone Assignment List in the right pane, as shown below.

[Screenshot: iegp1]

After you double-click Site to Zone Assignment List you will see a window where you can enable the setting and configure it. Click Enabled, then click Show. On the Show Contents screen, click Add.

[Screenshot: iegp2]

Clicking Add lets you enter URLs and specify which zone they should be placed in, like so:

[Screenshot: iegp3]

The value 2 is the zone number; in this case it is the Trusted Sites zone. Microsoft defines the zones as follows:

  1. Intranet zone – sites on your local network.
  2. Trusted Sites zone – sites that have been added to your trusted sites.
  3. Internet zone – sites that are on the Internet.
  4. Restricted Sites zone – sites that have been specifically added to your restricted sites.

After clicking OK you can wait for the default Group Policy refresh, which is 15 minutes, or run gpupdate.exe from any workstation to see if it worked. You can also restart the workstations to force the update.

 

How to block outgoing SMTP with IPCOP

Edit the /etc/rc.d/rc.firewall.local file and add the new SMTP blocking rules. Open the file with vi or nano, look for the line "## add your 'start' rules here", and put the new rules under it.

 

# allow SMTP from the permitted mail server only
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 10.1.0.6 --dport 25 -j ACCEPT
# log outbound SMTP from anything that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 10.1.0.6 --dport 25 -j LOG --log-prefix "SMTP"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 10.1.0.6 --dport 25 -j REJECT
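The LOG rule above is only useful if somebody reads what it writes. The following is an added example, not part of the IPCop how-to: it parses the kernel log lines that the "-j LOG --log-prefix" rule produces and reports which internal hosts tried to reach TCP/25 even though they are not the permitted mail server (10.1.0.6, taken from the rule above). The log lines are constructed samples in the netfilter LOG format. Note one gotcha the sample reproduces: a prefix given as "SMTP" with no trailing space is glued to the IN= field ("SMTPIN=eth0"), so the parser tolerates both forms.

```python
"""Summarize outbound-SMTP attempts recorded by an iptables LOG rule.

Added example (not the page's own code). Reads syslog lines written by
"-j LOG --log-prefix SMTP" and counts TCP/25 attempts per internal source,
excluding the one host that is allowed to send mail directly.
"""
import re
from collections import Counter

# The mail server the rc.firewall.local rules allow (from the page's example).
ALLOWED_MAIL_SERVER = "10.1.0.6"

# Constructed sample syslog lines. The first four come from the LOG rule; the
# last one is unrelated kernel noise that the parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:15:02 ipcop kernel: SMTPIN=eth0 OUT=eth1 SRC=10.1.0.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  3 10:15:03 ipcop kernel: SMTPIN=eth0 OUT=eth1 SRC=10.1.0.23 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Mar  3 10:15:09 ipcop kernel: SMTP IN=eth0 OUT=eth1 SRC=10.1.0.77 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  3 10:16:00 ipcop kernel: SMTPIN=eth0 OUT=eth1 SRC=10.1.0.6 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40002 DPT=25 SYN
Mar  3 10:16:30 ipcop kernel: martian source 10.1.0.99 from 192.0.2.1, on dev eth0
"""

# "SMTP ?IN=" accepts both "SMTP IN=" and the fused "SMTPIN=" form.
LOG_RE = re.compile(
    r"kernel: SMTP ?IN=(?P<iface>\S*) .*?SRC=(?P<src>[\d.]+) .*?DST=(?P<dst>[\d.]+) .*?DPT=(?P<dport>\d+)"
)


def parse_smtp_log(text):
    """Return one dict per SMTP-prefixed LOG line: iface, src, dst, dport."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"iface": m.group("iface"), "src": m.group("src"),
                           "dst": m.group("dst"), "dport": int(m.group("dport"))})
    return events


def suspicious_senders(events, allowed=ALLOWED_MAIL_SERVER):
    """Count TCP/25 attempts per source, excluding the permitted mail server.

    A workstation opening connections to many distinct destinations on port 25
    is the classic footprint of a spam-sending bot, which is exactly what the
    REJECT rule above exists to contain."""
    counts = Counter()
    destinations = {}
    for ev in events:
        if ev["dport"] != 25 or ev["src"] == allowed:
            continue
        counts[ev["src"]] += 1
        destinations.setdefault(ev["src"], set()).add(ev["dst"])
    return {src: {"attempts": n, "distinct_dst": len(destinations[src])}
            for src, n in counts.items()}


if __name__ == "__main__":
    for src, info in sorted(suspicious_senders(parse_smtp_log(SAMPLE_LOG)).items()):
        print(f"{src}: {info['attempts']} attempt(s) to {info['distinct_dst']} destination(s)")
```

On a real IPCop box the input would be /var/log/messages (or whatever syslog writes kernel messages to); feeding it through parse_smtp_log and suspicious_senders gives a quick list of machines to look at.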

How To Enable Remote Desktop Via Domain Group Policy Windows Server 2012 / 2008 R2 / 2008

Open the Group Policy Management and create a new GPO, and edit.

1 – Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > “Windows Firewall: Allow Inbound Remote Desktop Exception”

2 – Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy “Allow users to connect remotely using Remote Desktop Services”. Note: on older versions this was under Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”.

Change Windows password in Remote Desktop

CTRL-ALT-END is the key combo to send a CTRL-ALT-DEL to the remote RDP desktop. Useful for changing passwords on workstations and servers remotely.

Enable SSH and TELNET login on Cisco ASA 7.x inside Interface

Configuration with ASDM 6.x

Complete these steps:

  1. Choose Configuration > Device Management > Users/AAA > User Accounts in order to add a user with ASDM.
  2. Choose Configuration > Device Management > Users/AAA > AAA Access > Authentication in order to set up AAA authentication for SSH with ASDM.
  3. Choose Configuration > Device Setup > Device Name/Password in order to change the Telnet password with ASDM.
  4. Choose Configuration > Device Management > Certificate Management > Identity Certificates, click Add and use the default options presented in order to generate the same RSA keys with ASDM.
  5. Under Add a new Identity certificate, click New in order to add a default key pair if one does not exist. Then, click Generate Now.
  6. Choose Configuration > Device Management > Management Access > Command Line (CLI) > Secure Shell (SSH) in order to use ASDM to specify hosts allowed to connect with SSH and to specify the version and timeout options.
  7. Click Save at the top of the window in order to save the configuration.
  8. When prompted to save the configuration on flash, choose Apply in order to save the configuration.

Google IS scanning your Gmail and admits it!

http://www.digitalspy.com/tech/news/a564741/google-clarifies-email-scanning-policy.html

Google has updated its terms of service to offer more transparency regarding its email-scanning practices. The web giant confirmed that Gmail messages are automatically scanned when content passes between its servers. Google has staunchly defended this policy, insisting that email scanning is necessary to provide tailored content and protect users against malware.

What you need to know about Windows XP expiring

What is end of support?

After 12 years, support for Windows XP will end on April 8, 2014. There will be no more security updates or technical support for the Windows XP operating system. Customers moving to a modern operating system will benefit from dramatically enhanced security, broad device choice for a mobile workforce, higher user productivity, and a lower total cost of ownership through improved management capabilities.

Get more here….

http://wp.me/P2YEZ7-cd

Add routes to OpenVPN on IPCOP

To add additional networks behind your IPCop firewall for OpenVPN clients you must PUSH routes to the client. To do this, in /var/ipcop/ovpn/server.conf add the following line:

push "route 10.1.0.0 255.255.0.0"

 

How to save IPTABLES rules

The following lines allow SMTP and HTTP traffic through an IPTABLES firewall. But this information is not automatically saved and reloaded if the service restarts.

iptables -I INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables-save

Whenever you make a change to your firewall, on a Fedora/CentOS type system, you will want to save the changes.

The output can be redirected to a file:

# iptables-save > /root/firewall-rules

The following command restores all rules from /root/firewall-rules, assuming that file exists:

# iptables-restore < /root/firewall-rules

By default, iptables-restore deletes all existing rules before restoring the saved rules. If the saved rules are to be appended to existing rules, use the -n or --noflush option.

Save Your Firewall and Load on Restart

You will need to edit /etc/sysconfig/iptables-config as root so that iptables saves and reloads your firewall correctly. Be sure the following settings are changed to "yes".

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"
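Once the rules are being saved automatically, the file /etc/sysconfig/iptables (or any iptables-save dump) is the thing to audit before a reboot. The following is an added example, not from the original page: it parses the iptables-save format and checks that the INPUT chain still carries the SMTP and HTTP accept rules from above, that its default policy is not ACCEPT, and that no TCP port is accepted without a state match. The ruleset is a constructed sample; the one unstateful rule for tcp/23 is there to show what a finding looks like.

```python
"""Audit a saved iptables ruleset (iptables-save / /etc/sysconfig/iptables format).

Added example, not the page's own code. Works on the text iptables-save emits,
which is the same format the IPTABLES_SAVE_ON_* settings write to
/etc/sysconfig/iptables.
"""
import re

# Constructed sample in iptables-save format.
SAVED_RULES = """\
# Generated by iptables-save v1.4.7 on Tue Mar  5 09:12:44 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1024:98765]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
# Completed on Tue Mar  5 09:12:44 2013
"""

# Chain policy line, e.g. ":INPUT DROP [0:0]"
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*filter" starts a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":              # ends the current table
            table = None
        else:
            m = POLICY_RE.match(line)
            if m:
                tables[table]["policies"][m.group(1)] = m.group(2)
            elif line.startswith("-A "):
                tables[table]["rules"].append(line)
    return tables


def accepted_tcp_ports(ruleset, chain="INPUT"):
    """Map of TCP destination port -> True if the ACCEPT rule has a state match."""
    ports = {}
    for rule in ruleset.get("filter", {}).get("rules", []):
        if not rule.startswith(f"-A {chain} ") or "-j ACCEPT" not in rule or "-p tcp" not in rule:
            continue
        m = re.search(r"--dport (\d+)", rule)
        if m:
            ports[int(m.group(1))] = "--state" in rule
    return ports


def audit(text, required_ports=(25, 80)):
    """Return a list of findings; an empty list means the saved ruleset passes."""
    ruleset = parse_iptables_save(text)
    findings = []
    policies = ruleset.get("filter", {}).get("policies", {})
    if policies.get("INPUT") == "ACCEPT":
        findings.append("INPUT default policy is ACCEPT")
    ports = accepted_tcp_ports(ruleset)
    for p in required_ports:
        if p not in ports:
            findings.append(f"expected ACCEPT for tcp/{p} is missing")
    for p, stateful in ports.items():
        if not stateful:
            findings.append(f"tcp/{p} accepted without a state match")
    return findings


if __name__ == "__main__":
    for finding in audit(SAVED_RULES) or ["ruleset passes"]:
        print(finding)
```

To audit the live file, read /etc/sysconfig/iptables (or the output of iptables-save) and pass its contents to audit().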

Snapchat’s Hack: What Users Should Do Now

Snapchat’s Hack: What Users Should Do Now, http://fxn.ws/1kchy8I

Love Snapchat? Here’s a reason to stop

Love Snapchat? Here’s a reason to stop, http://fxn.ws/1g6ILEy

Four tips for creating stronger passwords

Four tips for creating stronger passwords

It’s complicated. But that’s a good thing.

http://usat.ly/1d0Z2IA

2 million Facebook, Google accounts compromised: How to protect yourself

2 million Facebook, Google accounts compromised: How to protect yourself, http://fxn.ws/1hzSCWv

How to port forward with a Cisco ASA via ASDM

Create NAT Rule

  • Click Configuration (top)
  • Click Firewall (bottom-left)
  • Click NAT Rules (middle-left)
  • Select Add->Static NAT Rule
  • Original
    • Interface: inside
    • Source: 10.80.5.47
  • Translated
    • Interface: Outside
    • Select Use Interface IP Address
  • Port Address Translation (PAT)
    • Check Enable Port Address Translation (PAT)
    • Protocol: TCP
    • Original Port: 3389
    • Translated Port: 3389
  • Click OK

asa_port1

Create Access Rule

  • Click Access Rules
  • Select Add->Add Access Rule
    • Interface: outside
    • Action: Permit
    • Source: any
    • Destination: 10.80.5.47 or the object you created
    • Service: tcp/3389
    • Enable Logging: unchecked

asa_port2

The five scariest hacks we saw last week

The five scariest hacks we saw last week
http://www.cnn.com/2013/08/05/tech/mobile/five-hacks/index.html

Hackers hit the US Department of Energy

http://news.cnet.com/8301-1009_3-57567581-83/hackers-hit-u.s-department-of-energy/


Hackers break into homes electronically

So you think your DVR is safe. Hackers can listen to your baby monitor and turn your lights on! Hackers break into homes — electronically
http://www.cnn.com/2013/08/02/tech/innovation/hackable-homes/index.html

FBI pressures Internet providers to install surveillance software

http://news.cnet.com/8301-13578_3-57596791-38/fbi-pressures-internet-providers-to-install-surveillance-software/

Samsung said to be near deals to supply devices to FBI, Navy

After winning Pentagon security approval, Samsung is close to a deal with the FBI and Navy.
http://news.cnet.com/8301-1035_3-57594476-94/samsung-said-to-be-near-deals-to-supply-devices-to-fbi-navy/

How to remove password from SSL key

Always backup the original key first (just in case)!

 # cp www.key www.key.orig

Then decrypt the key with openssl. You’ll need the passphrase for the decryption process:

 # openssl rsa -in www.key -out new.key

Now copy new.key over www.key and you’re done. The next time you restart the web server it should not prompt you for the passphrase.
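Once the passphrase is gone, anyone who can read the file owns the key, so the file mode is the only protection left. The following is an added example, not part of the original post: it tells you whether a PEM private key is still passphrase-protected (the traditional "Proc-Type: 4,ENCRYPTED" header that openssl rsa strips, or a PKCS#8 "ENCRYPTED PRIVATE KEY" block) and whether the file is readable by anyone other than its owner. The key bodies are constructed, non-functional samples used only to exercise the header parsing.

```python
"""Check a PEM private key file: still encrypted? locked down to 0600?

Added example, not the page's own code. Stdlib only.
"""
import os
import stat
import tempfile

# Constructed samples; the base64 body is filler, not a real key.
ENCRYPTED_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
"""

PLAIN_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
"""


def pem_key_status(text):
    """Return (kind, encrypted) for the first private-key block in PEM text.

    kind is "traditional" (e.g. RSA PRIVATE KEY), "pkcs8", or None when no
    private key block is present."""
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            return ("pkcs8", True)
        if line == "-----BEGIN PRIVATE KEY-----":
            return ("pkcs8", False)
        if line.startswith("-----BEGIN ") and line.endswith(" PRIVATE KEY-----"):
            # Traditional format signals encryption with a Proc-Type header
            # right after the BEGIN line; "openssl rsa -in ... -out ..." removes it.
            return ("traditional", "Proc-Type: 4,ENCRYPTED" in text)
    return (None, False)


def check_key_file(path):
    """Return a list of findings for a key file on disk; empty means OK."""
    findings = []
    with open(path) as fh:
        kind, encrypted = pem_key_status(fh.read())
    if kind is None:
        return ["no PEM private key block found"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} is readable by group/other; expected 0600")
    if not encrypted:
        findings.append(f"{kind} key has no passphrase; it relies on file permissions alone")
    return findings


def write_and_check(text, mode):
    """Write key text to a temporary file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        os.chmod(path, mode)
        return check_key_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("encrypted, 0600:", write_and_check(ENCRYPTED_SAMPLE, 0o600))
    print("plain, 0644:   ", write_and_check(PLAIN_SAMPLE, 0o644))
```

Run check_key_file("www.key") after the copy step above; the expected result on a correctly handled key is a single finding about the missing passphrase and nothing about permissions.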

Wi-Fi insecurities

http://usat.ly/12usoMG

Public Wi-Fi can alarm your browser, don’t let it alarm you

Wi-Fi networks with Web logins can be a hassle, but they add security.

How to remain anonymous on the Internet

http://usat.ly/15TzBUn

How to fly under the radar online

Here are some privacy-friendly sites to help you keep a hold on your personal information.

Government orders Facebook to turn over nearly 20,000 accounts

http://usat.ly/11Oc1dg

Surveillance revelations from Facebook, Microsoft: Facebook says government orders for user data in the latter half of 2012 involved 19,000 accounts.

Apple adding a ‘kill switch’ to iPhones

Apple adding ‘kill switch’ to iPhones http://www.cnn.com/2013/06/11/tech/mobile/iphone-ios7-kill-switch/index.html

What is the NSA’s PRISM program? (FAQ)

With all of the news of the NSA data security program, this puts the pieces of the puzzle together. http://news.cnet.com/8301-1009_3-57588253-83/what-is-the-nsas-prism-program-faq/

Microsoft and Symantec collaborate to stop botnet

http://news.cnet.com/8301-1009_3-57568067-83/microsoft-symantec-shutter-another-botnet/

How to renew a self signed certificate in Exchange Server 2007

Exchange 2007 self-signs a certificate when the server role is first added, covering all the Exchange services that run alongside IIS (SMTP, OWA, etc.). The certificate expires one year from the date the server was first installed, or from the date the certificate was assigned manually.

First, check the status of the certificate by opening the Exchange Management Shell and running ‘Get-ExchangeCertificate | FL’. This displays all information about the currently assigned certificates and the status of each one.

It is common for more than one certificate to be listed. If so, find the certificate that shows an expired date in the ‘NotAfter’ field, as this defines when each certificate becomes invalid. An expired certificate may cause problems such as lost connectivity to web services, SMTP transport failures, and Outlook prompting certificate security warnings.

Use the following steps to generate a new certificate and enable it to run IIS services:

1. Type ‘Get-ExchangeCertificate | FL’. This lists only the details of certificates that are assigned to Exchange services. Note down the Thumbprint of the expired certificate.

2. Then type ‘Get-ExchangeCertificate -Thumbprint "9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63" | New-ExchangeCertificate’. This generates a new certificate, and you will then be prompted to confirm whether you want to overwrite the expired certificate and use the new one for the SMTP service.

3. If you run the cmdlet from step 1 again you will notice the new certificate is not used to secure IIS services. Make a note of the new thumbprint and run the following command, typing the new thumbprint between the quotation marks: ‘Enable-ExchangeCertificate -Thumbprint "7A843B04EA2865CA9E6C34B42329AEE4456F9013" -Services IIS’

4. Be sure to verify all the services are working correctly after renewing and enabling the certificate. Test Outlook clients by closing and reopening Outlook to ensure there are no security certificate warnings.

5. Finally, remove the old certificate by typing the following cmdlet into the management shell: Remove-ExchangeCertificate -Thumbprint "9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63".
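Reading the Format-List output by eye is where this procedure usually goes wrong, especially step 3 (the new certificate is bound to SMTP only, leaving IIS on the expired one). The following is an added example, not part of the original post and not an Exchange cmdlet: a parser for the ‘Get-ExchangeCertificate | FL’ text that reports each certificate's expiry state and which services are left bound only to expired certificates. The two records are constructed samples that reuse the page's thumbprints; the date format assumes en-US Format-List output, and the "current time" is passed in explicitly so results are reproducible.

```python
"""Find expired Exchange certificates in 'Get-ExchangeCertificate | FL' output.

Added example, not the page's own code. Parses Format-List text (key : value
lines, records separated by blank lines) and reports expiry state per
certificate plus any services that only expired certificates still cover.
"""
from datetime import datetime

# Constructed sample of Format-List output (abridged), reusing the thumbprints
# from the steps above: the original, now expired, and the freshly generated one
# that step 2 bound to SMTP only.
FL_SAMPLE = """\
CertificateDomains : {EXCH01, exch01.corp.example}
HasPrivateKey      : True
IsSelfSigned       : True
NotAfter           : 3/15/2013 10:12:45 AM
NotBefore          : 3/15/2012 10:12:45 AM
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=EXCH01
Thumbprint         : 9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63

CertificateDomains : {EXCH01, exch01.corp.example}
HasPrivateKey      : True
IsSelfSigned       : True
NotAfter           : 3/20/2014 09:00:00 AM
NotBefore          : 3/20/2013 09:00:00 AM
Services           : SMTP
Status             : Valid
Subject            : CN=EXCH01
Thumbprint         : 7A843B04EA2865CA9E6C34B42329AEE4456F9013
"""

# en-US Format-List date format; adjust for other locales.
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Fixed "now" for the demo so the report is deterministic.
DEMO_NOW = datetime(2013, 3, 20, 12, 0, 0)


def parse_format_list(text):
    """Split Format-List output into a list of {key: value} records."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # first colon separates key from value
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def certificate_report(text, now, warn_days=30):
    """One dict per certificate: thumbprint, services, days_left, state."""
    report = []
    for rec in parse_format_list(text):
        if "Thumbprint" not in rec or "NotAfter" not in rec:
            continue
        not_after = datetime.strptime(rec["NotAfter"], DATE_FMT)
        days_left = (not_after - now).days
        if not_after < now:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        services = {s.strip() for s in rec.get("Services", "").split(",") if s.strip()}
        report.append({"thumbprint": rec["Thumbprint"], "services": services,
                       "days_left": days_left, "state": state})
    return report


def uncovered_services(text, now):
    """Services bound only to expired certificates (the situation in step 3)."""
    covered, all_services = set(), set()
    for cert in certificate_report(text, now):
        all_services |= cert["services"]
        if cert["state"] != "expired":
            covered |= cert["services"]
    return all_services - covered


if __name__ == "__main__":
    for cert in certificate_report(FL_SAMPLE, DEMO_NOW):
        print(cert["thumbprint"], cert["state"], sorted(cert["services"]))
    print("services left on expired certs:", sorted(uncovered_services(FL_SAMPLE, DEMO_NOW)))
```

In practice, save the shell output to a file (Get-ExchangeCertificate | FL > certs.txt), read it in, and call certificate_report and uncovered_services with datetime.now(); an empty set from uncovered_services is what you want to see before running step 5.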

Facebook virus running rampant

http://usat.ly/15yDctc

Hijacking of Facebook accounts spikes

The Koobface worm on the move again, luring Facebook users to click on tainted links

Stuck at “Preparing to configure Windows”

How do I reset Windows Update components?

http://support.microsoft.com/default.aspx/kb/971058

 

Once the Windows Update components are reset, try installing the updates again. To do so,

1. Open Windows Update by clicking the Start button, clicking All Programs, and then clicking Windows Update.

2. Click on the Change settings option in the navigation bar on the left. You will now be at a screen where you will be able to set up how Windows Vista will download and install updates on your computer.

3. Select the option Check for updates but let me choose whether to download and install them. When you are done configuring the options as you wish, press the OK button to save these settings. You will now be back at the main Windows Update screen.

4. In the left pane, click Check for updates, and then wait while Windows looks for the latest updates for your computer.

5. You may then download the updates one or two at a time.

6. Click on install updates to install the currently selected updates.

7. Repeat the steps 5 and 6 till you get all the updates you want on your PC.

Security lessons from the 2013 Verizon Data Breach Report

Verizon’s latest report on data breach statistics offers security pros a guide to the most persistent threats and where attention should be focused to defend against them.

Verizon has released the 2013 edition of their Data Breach Investigations Report (DBIR), an analysis of the data obtained from breach investigations that they and other organizations have performed during the previous year. The data for this report includes incidents from Verizon’s own investigations and 18 other organizations around the world, for a total of 621 confirmed data breaches and over 47,000 security incidents.

The report contains a wealth of information that paints a clear picture of the motives and techniques used by attackers to compromise their target organizations. It’s an interesting read and there are many lessons that can be found within.

 

http://www.techrepublic.com/blog/security/security-lessons-from-the-2013-verizon-data-breach-report/9513?tag=content;blog-list-river

Android Threats Growing

The Android threat landscape is growing in both size and complexity with cybercriminals adopting new distribution methods and building Android-focused malware services, according to a report from Finnish security vendor F-Secure.

http://www.computerworld.com/s/article/9239188/Android_threats_growing_in_number_and_complexity_report_says

Senator demands DOJ, FBI seek warrants to read e-mail

Last month, Sen. Mark Udall and a handful of other privacy-focused politicians persuaded the IRS to promise to cease warrantless searches of Americans’ private correspondence.

http://news.cnet.com/8301-13578_3-57583743-38/senator-demands-doj-fbi-seek-warrants-to-read-e-mail/


Google Aims To Patent Policy Violation Checker, Potentially Revolutionizing Email Snooping

BEWARE!!! Google Aims To Patent Policy Violation Checker, Potentially Revolutionizing Email Snooping http://huff.to/13ZlQVa

Symantec – File System Auto-Protect is malfunctioning

File System Auto-Protect is malfunctioning

http://www.symantec.com/docs/TECH102962

symantec

Try these Steps as well.

1) Go to services.msc

2) Stop all the symantec services

3) Open task manager

4) Kill rtvscan.exe and smc.exe

5) Again, restart the service

6) If that does not fix it, repairing the installation from Add/Remove Programs should fix the issue.

Cyber attack on daily deal site

http://usat.ly/1214yE2

Cyber attack on popular daily deals site: the attack impacts 50 million customers of the daily deal site.

Hackers send bogus tweets from ’60 Minutes’ account

The Twitter accounts for CBS News programs “60 Minutes” and “48 Hours” were used by hackers earlier today to send out messages accusing the U.S. of aiding terrorists, the network confirmed.

http://news.cnet.com/8301-1009_3-57580604-83/hackers-send-bogus-tweets-from-60-minutes-account/

Security certificate problem trips up Bing Web site

A security certificate problem triggered warnings not to use Bing over a secure Web connection Friday, and Microsoft said an issue with network service provider Akamai is to blame.

Browsers displayed prominent error messages and warnings at about 9 a.m.

http://news.cnet.com/8301-1009_3-57580459-83/security-certificate-problem-trips-up-bing-web-site/

Vudu resets user passwords after hard drives lost in office burglary

Video service Vudu began warning users today that it has instituted a systemwide password reset following an office break-in last month.

A burglary March 24 resulted in the loss of hard drives that contained users’ sensitive personal information, including names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers, Vudu Chief Technology Officer Prasanna Ganesan informed customers in an e-mail. He said no complete credit card numbers were stolen because the company does not store that information.

http://news.cnet.com/8301-1009_3-57578766-83/vudu-resets-user-passwords-after-hard-drives-lost-in-office-burglary/