Archive for August, 2010

Remember that the internet is a public resource. Avoid putting anything
online that you don’t want the public to see or that you may want to

Why is it important to remember that the internet is public?

Because the internet is so accessible and contains a wealth of information,
it has become a popular resource for communicating, for researching topics,
and for finding information about people. It may seem less intimidating than
actually interacting with other people because there is a sense of
anonymity. However, you are not really anonymous when you are online, and it
is just as easy for people to find information about you as it is for you to
find information about them. Unfortunately, many people have become so
familiar and comfortable with the internet that they may adopt practices
that make them vulnerable. For example, although people are typically wary
of sharing personal information with strangers they meet on the street, they
may not hesitate to post that same information online. Once it is online, it
can be accessed by a world of strangers, and you have no idea what they
might do with that information.

What guidelines can you follow when publishing information on the internet?

* View the internet as a novel, not a diary – Make sure you are
comfortable with anyone seeing the information you put online. Expect
that people you have never met will find your page; even if you are
keeping an online journal or blog, write it with the expectation that it
is available for public consumption. Some sites may use passwords or
other security restrictions to protect the information, but these
methods are not usually used for most websites. If you want the
information to be private or restricted to a small, select group of
people, the internet is probably not the best forum.
* Be careful what you advertise – In the past, it was difficult to find
information about people other than their phone numbers or address. Now,
an increasing amount of personal information is available online,
especially because people are creating personal web pages with
information about themselves. When deciding how much information to
reveal, realize that you are broadcasting it to the world. Supplying
your email address may increase the amount of spam you receive (see
Reducing Spam for more information). Providing details about your
hobbies, your job, your family and friends, and your past may give
attackers enough information to perform a successful social engineering
attack (see Avoiding Social Engineering and Phishing Attacks for more
* Realize that you can’t take it back – Once you publish something online,
it is available to other people and to search engines. You can change or
remove information after something has been published, but it is
possible that someone has already seen the original version. Even if you
try to remove the page(s) from the internet, someone may have saved a
copy of the page or used excerpts in another source. Some search engines
“cache” copies of web pages; these cached copies may be available after
a web page has been deleted or altered. Some web browsers may also
maintain a cache of the web pages a user has visited, so the original
version may be stored in a temporary file on the user’s computer. Think
about these implications before publishing information—once something is
out there, you can’t guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what
to post online. Before you publish something on the internet, determine what
value it provides and consider the implications of having the information
available to the public. Identity theft is an increasing problem, and the
more information an attacker can gather about you, the easier it is to
pretend to be you. Behave online the way you would behave in your daily
life, especially when it involves taking precautions to protect yourself.

Authors: Mindi McDowell, Matt Lytle, Jason Rafail


Apple has released iOS 4.0.2 for the iPhone and iPod touch and iOS
3.2.2 for the iPad to address vulnerabilities in the FreeType and
IOSurface packages. Exploitation of these vulnerabilities may allow an
attacker to execute arbitrary code or gain system privileges.

iPhone and iPod touch users are encouraged to review Apple article
HT4291 and upgrade to iOS 4.0.2. iPad users are encouraged to review
Apple article HT4292 and upgrade to iOS 3.2.2. Additional information
regarding the vulnerability affecting the FreeType package can be
found in US-CERT Vulnerability Note VU#275247.




Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.

Why aren’t passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can increase
the effectiveness of your passwords by using tactics such as avoiding
passwords that are based on personal information or words found in the
dictionary; using a combination of numbers, special characters, and
lowercase and capital letters; and not sharing your passwords with anyone
else (see Choosing and Protecting Passwords for more information). However,
despite your best attempts, an attacker may be able to obtain your password.
If there are no additional security measures in place, the attacker may be
able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and more common:
* two-factor authentication – With two-factor authentication, you use your
password in conjunction with an additional piece of information. An
attacker who has managed to obtain your password can’t do anything
without the second component. The theory is similar to requiring two
forms of identification or two keys to open a safe deposit box. However,
in this case, the second component is commonly a “one use” password that
is voided as soon as you use it. Even if an attacker is able to
intercept the exchange, he or she will still not be able to gain access
because that specific combination will not be valid again.
* personal web certificates – Unlike the certificates used to identify web
sites (see Understanding Web Site Certificates for more information),
personal web certificates are used to identify individual users. A web
site that uses personal web certificates relies on these certificates
and the authentication process of the corresponding public/private keys
to verify that you are who you claim to be (see Understanding Digital
Signatures and Understanding Encryption for more information). Because
information identifying you is embedded within the certificate, an
additional password is unnecessary. However, you should have a password
to protect your private key so that attackers can’t gain access to your
key and represent themselves as you. This process is similar to
two-factor authentication, but it differs because the password
protecting your private key is used to decrypt the information on your
computer and is never sent over the network.

What if you lose your password or certificate?

You may find yourself in a situation where you’ve forgotten your password or you’ve reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on “secret questions.”

When you open a new account (email, credit card, etc.), some organizations
will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother’s maiden name, social security number, date of birth, or pet’s name.
Because so much personal information is now available online or through
other public sources, attackers may be able to discover the answers to these
questions without much effort.

Realize that the secret question is really just an additional password—when
setting it up, you don’t have to supply the actual information as your
answer. In fact, when you are asked in advance to provide an answer to this
type of question that will be used to confirm your identity, dishonesty may
be the best policy. Choose your answer as you would choose any other good
password, store it in a secure location, and don’t share it with other
people (see Choosing and Protecting Passwords for more information).

While the additional security practices do offer you more protection than a
password alone, there is no guarantee that they are completely effective.
Attackers may still be able to access your information, but increasing the
level of security does make it more difficult. Be aware of these practices
when choosing a bank, credit card company, or other organization that will
have access to your personal information. Don’t be afraid to ask what kind
of security practices the organization uses.

Authors: Mindi McDowell, Chad Dougherty, Jason Rafail

Cisco has released a security advisory to address a vulnerability in
the Cisco Internet Streamer application that is part of the Cisco
Content Delivery System. Exploitation of this vulnerability may allow
a remote, unauthenticated attacker to obtain sensitive information,
including password files and system logs. This information could be
used to leverage subsequent attacks.


There is a vulnerability affecting Microsoft Windows. This
vulnerability is due to the failure of Microsoft Windows to properly
obtain icons for .LNK files. Microsoft uses .LNK files, commonly
referred to as “shortcuts,” as references to files or applications.

By convincing a user to display a specially crafted .LNK file, an
attacker may be able to execute arbitrary code that would give the
attacker the privileges of the user. Viewing the location of an .LNK
file with Windows Explorer is sufficient to trigger the vulnerability.
By default, Microsoft Windows has AutoRun/AutoPlay features enabled.
These features can cause Windows to automatically open Windows
Explorer when a removable drive is connected, thus opening the
location of the .LNK and triggering the vulnerability. Other
applications that display file icons can be used as an attack vector
for this vulnerability as well. Depending on the operating system and
AutoRun/AutoPlay configuration, exploitation can occur without any
interaction from the user. This vulnerability can also be exploited
remotely through a malicious website, or through a malicious file or
WebDAV share.

Microsoft has released Microsoft Security Advisory 2286198 in response
to this issue. Users are encouraged to review the advisory and
consider implementing the workarounds listed to reduce the threat of
known attack vectors. Please note that implementing these workarounds
may affect functionality. The workarounds include
* disabling the display of icons for shortcuts
* disabling the WebClient service
* blocking the download of .LNK and .PIF files from the internet

Microsoft has released a tool, Microsoft Fix it 50486, to assist users
in disabling .LNK and .PIF file functionality. Users and
administrators are encouraged to review Microsoft Knowledgebase
article 2286198 and use the tool or the interactive method provided in
the article to disable .LNK and .PIF functionality until a security
update is provided by the vendor.

Update: Microsoft has issued a Security Bulletin Advance Notification
indicating that it will be releasing an out-of-band security bulletin
to address this vulnerability. Release of the security bulletin is
scheduled for August 2, 2010.

In addition to implementing the workarounds listed in Microsoft
Security Advisory 2286198, US-CERT encourages users and administrators
to consider implementing the following best practice security measures
to help further reduce the risks of this and other vulnerabilities:
* Disable AutoRun as described in Microsoft Support article 967715.
* Implement the principle of least privilege as defined in the
Microsoft TechNet Library.
* Maintain up-to-date antivirus software.
