Useful ICT security Resources


Update on 27 August 2012

How to Spot Fake Antivirus Software

A couple of months ago, a neighbor was chatting with me about a new miracle antivirus application that he got from a friend. He told me that it works great and frequently captures a lot of viruses on his computer. His only complaint was that he had to pay every time the software purged his computer of the malware.

I almost didn’t have the heart to tell him that the magical virus eliminator he was referring to is, in fact, what is known in the security industry as fake AV or rogue AV.

There are many versions of fake AV currently circulating on the Internet today. While there are different variations, styles and names, they all share a common feature set, including:

  • A professional-looking graphical user interface (GUI) that resembles a legitimate antivirus application. Once fake AV is running on a user’s computer, it launches the GUI and displays a fake scanning activity for the computer.
  • After the fake scan is complete, the software typically reports that the system is infected with malicious software.
  • The fake AV then asks for payment in order to “clean” the system. Once an unsuspecting user enters their credit card information, they immediately become a candidate for identity theft.

FortiGuard Labs recently encountered a new variant of a fake AV, which Fortinet detects as W32/FakeAV.RA!tr.

Once the malware is installed, an infected user receives a warning message that reads the software has discovered a spyware infection (Figure 1). When a user clicks on this warning message, a new application window that resembles a legitimate antivirus application appears, starts “scanning” the system and begins displaying detected infections (Figure 2).


Figure 1

Figure 2

Once the detection phase is complete, a new window appears that displays the number of infections the software has discovered (Figure 3). The window also includes an option for the user to remove the detected threats or “Continue unprotected.” Common sense dictates a user selects “Remove all threats now”.

Figure 3

After clicking on “Remove all threats now,” a credit card transaction window appears where the user can enter their credit card information (Figure 4).

 

Figure 4

In a variation of the above fake AV example, a user selects the “Recommended” option (Figure 5), which immediately takes the user to the checkout window shown in Figure 4.

Figure 5

This version of fake AV displays a warning message whenever a user tries launching a program (Figure 6) and is particularly nasty, as it doesn’t allow a user to launch any applications on their computer. What’s worse, in addition to taking your cash, fake AV can log keystrokes, steal documents, infect other files and networks, and install additional malware.

Figure 6

 

How you get it

There are actually a number of ways fake AV can appear on a user’s system. It could come in through an infected email attachment, it could be a link within an email or Web 2.0 application such as a social media site that leads a user to a malicious Website that automatically downloads the fake AV, or the software could be downloaded onto a system by malware (such as a botnet) that already resides on the user’s system.

How You Know You Got It

The first thing users should do occurs BEFORE infection. If they have not already, all computer users should familiarize themselves with the antivirus solution currently running on their system. Know the vendor name. And, while making a note of the antivirus software maker on the system, make sure the software is updated with the latest versions and patches. If the user doesn’t have an antivirus client on their machine, they can download one from an AV vendor’s website. Fortinet makes a free one that can be downloaded from here: http://download.cnet.com/FortiClient-Lite/3000-2239_4-75532356.html?tag=mncol;1

Now that the user knows which antivirus software is on their system, it should be pretty easy to spot if the computer has come under attack from fake AV, as most of the time the fake AV makers fail to put a legitimate AV company’s logo in their pop-up windows. If the software does put a logo in the pop-up window and it’s not from the AV company you already have installed, then it’s most likely fake AV. If there’s still a question whether or not fake AV is on the system, the tip-off should come when the credit card window opens. No reputable AV software maker will make an end user pay to scan their system if they already have the latest updates installed on their machine.

How You Get Rid of It

If fake AV is on the system, the user should scan the system using their legitimate antivirus software. If the fake AV is preventing the legitimate AV software from loading, the user should restart the system in “safe mode” and then scan it using a valid AV. In addition, it is advised to do an “offline scan.” This means the computer is scanned and cleaned outside of the full operating system to complete remediation. This requires a restart into the Windows Preinstallation Environment (WinPE) to run a scanning utility such as the Windows Defender Offline scan tool.

The Windows Defender Offline scan tool is a free tool available for download as a bootable Windows Imaging Format (WIM) file, which can be put onto media (USB or DVD) and inserted into the infected computer.

What to do if You’ve Given them your Credit Card Number

If you think you’ve been a victim of fake AV fraud, know that you’re not alone. If fake AV were easy to spot, we wouldn’t feel compelled to write a paper on the topic. It should be noted that rogue AV is a billion-dollar-a-year business. Some criminal gangs have been caught, but others are still operating with impunity. The first thing you should do if you think you’ve been a victim of fake AV is call your credit card company as soon as possible and scrutinize all charges from the day you entered your credit card number into the application. Second, you’ll want to ask for a new credit card. Just because they haven’t charged anything on your card doesn’t mean you’re safe: cybercriminals may be bundling your number with others they’ve collected and selling them to a third-party criminal organization.

Additional remediation:

  • Always update your antivirus software from valid sources
  • Do not run applications that come from emails or were downloaded from the Internet if you are not sure they are clean
  • Do not give away your financial information by entering it into suspicious websites
  • Always scan your system using your legitimate antivirus software

 

APPENDIX

W32/FakeAV.KL!tr

Another variant of FakeAV detected as W32/FakeAV.KL!tr is briefly discussed below:

Figure A1 shows the main screen of W32/FakeAV.KL!tr, a professional-looking antivirus application complete with menu and scanning window. Even on a clean computer, it will report that you are infected with at least 14 threats.

Figure A1

If you try to remove the infection by clicking the “Remove” button, you will be asked to activate the FakeAV software as shown in Figure A2.

Figure A2

Selecting “Yes” redirects you to the payment window shown in Figure A3, where you will be required to enter your account information.

Figure A3

If you refuse to activate your account, you will instead receive a warning message as shown in Figure A4.

Figure A4

If you ignore or forget about this FakeAV, you will be reminded by constant pop-up windows as shown in Figure A5.

Figure A5

As we can see, W32/FakeAV.KL!tr may have a different display from W32/FakeAV.RA!tr, but it is clearly doing the same thing. It will tell you that you are infected and ask for your credit card information to remove the infection.

If you need more convincing, let’s take a look at a more familiar-looking FakeAV.

 

W32/FakeAV.RB!tr

This FakeAV looks like it came from Microsoft Windows itself, with the familiar menu on the left and a familiar display on the right side of the main window shown in Figure B1. It doesn’t show any scanning activity, but it reports that there are alerts for your computer.

Figure B1

If you click the “Clean Now” button, the software will tell you that it is only a trial version and you need to activate the FakeAV as shown in Figure B2.

Figure B2

If you want to activate it, it will show you a different window asking for your bank account (see Figure B3). It is interesting to note that Microsoft’s security and AV software can be installed for FREE.

Figure B3

If you ignore this, warning messages will pop up like those shown in Figures B4 and B5.

Figure B4

Figure B5

Source: http://blog.fortinet.com

 

Update on 13 February 2012

Securing Your Mobile Device Apps

OVERVIEW

Mobile devices have become one of the primary tools we use in both our personal and professional lives. One of the things that makes mobile devices so powerful is that there are thousands of apps we can select from and use. However, with the tremendous power and flexibility of apps come a number of risks you must be aware of. In this newsletter we cover the dangers of mobile device apps and how you can install, use, and maintain them securely.

OBTAINING APPS

The first step in using apps is making sure you always download them from a secure, trusted source. Cyber criminals will create malicious apps that look real but may be infected with viruses or worms. If you inadvertently install one of these apps, cyber criminals can take control of your mobile device. By downloading apps only from well-known, trusted sources you reduce the chance of installing an infected app. However, even in well-known online app markets, some malicious apps can still be found. This is especially true for Android devices, where the app markets are not tightly controlled. To reduce your risk, avoid apps that are brand new, that few people have downloaded, or that have very few comments. The longer an app has been available or the more positive comments it has, the more likely that app can be trusted. Finally, install only the apps you need and use. Each additional app brings the potential for new vulnerabilities, so if you stop using an app, remove it from your mobile device. In addition, you may be tempted to jailbreak or root your own mobile device, the process of hacking into it and installing unapproved apps or changing existing functionality. We highly recommend against this, as jailbreaking not only bypasses or eliminates many of the security controls built into your mobile device but often voids any warranties or support contracts.

CONFIGURING & USING APPS

Once you have installed an app from a trusted source, the next step is making sure it is safely configured and protects your privacy as well. Installing and/or configuring certain applications requires that you grant certain privileges and permissions. Depending on the device, these applications will prompt you before authorizing. Always think before authorizing any access: does the app really need those permissions? For example, some apps use geo-location services. If you allow an app to know your location, you may be allowing the creator of that app to track your movements. In addition, any public postings you make may include your location, allowing anyone to know where you are or prove where you have been. If you do not like the permissions an app is requesting, simply find another app that better fits your requirements. Be careful when using apps that request or store sensitive information. Even if the app is legitimate, there is no guarantee that the developer used good coding practices to protect your information while it is stored on the device or transmitted over the Internet. Applications that consolidate sensitive information can be very convenient, but they are also targets for cyber criminals. Read the detailed description of the app and reviews from other users to see if there have been any security issues.

UPDATING APPS

Apps, just like your computer and mobile device operating system, must be updated in order to remain current. Bad guys are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. We recommend that you monitor your app stores and update your apps at least once a month. In addition, some apps can be set to update automatically, but please note that this may also automatically grant additional permissions if requested by that app.

IN-APP PURCHASES

Many applications today allow you to purchase additional features, new content, or the removal of advertising. A common mistake some people make is to store their app store credentials locally on their device, allowing them to easily make future purchases within an application. We highly recommend you do not allow your mobile device to save your app store credentials, log-in information, or payment information. Although convenient, this information may be available to, or misused by, anyone who has access to your mobile device, including the bad guys if your device has been remotely hacked. An alternative is to use gift cards or one-time use virtual credit card numbers instead.

CONCLUSION

We strongly encourage you to follow all the best practices discussed here. Mobile devices and apps are still a relatively new and fast-growing field. In addition, one of the challenges we all face is that there are few options available for security software to help protect you and your apps. You are the best defense for your mobile devices.

The key to maintaining secure mobile device apps is installing apps only from trusted, secure sources and making sure they are kept updated.

Source: OUCH! The Monthly Security Awareness Newsletter for Computer Users

The SANS Institute 2012

http://www.securingthehuman.org

 

Update on 05 December 2011

Recent SQL Injection Hacks – Things You Should Know

 

SQL Injection, the remote root exploit for Web applications, has been the initial attack vector behind several high-profile compromises over the last six months: MySQL.com, Sun.com, HBGary Federal, Comodo’s RA (GlobalTrust.it/InstantSSL.it), eHarmony, Nasdaq, Savannah GNU, PlentyOfFish, the Royal Navy website, BoingBoing, and no doubt countless others we’ll never hear about. Let’s also not forget that if a website is serving up drive-by-download malware, as many thousands already have, chances are it’s because a SQL Injection exploit inserted a malicious iFrame. Clearly OWASP made a good call placing “Injection” at the top of the Top Ten.

Here are some quick tips to avoid becoming tomorrow’s headline and an end-of-year statistic:

  1. If parameterized SQL statements, not stored procedures, are used everywhere in the code, the odds of SQL Injection vulnerabilities will drop dramatically. Purge all forms of concatenated database query strings and add a healthy dose of input validation. There is no substitute.
  2. Suppression of verbose error messages is still a good idea, but DO NOT do so just to get the vulnerability to “go away” in the application vulnerability scanner report. Fix your code. Don’t be fooled by vendors’ claims of Blind SQL Injection detection in scanning products. The lack of verbose error messaging remains a serious hindrance to automated detection, with painful side effects. Direct source code access has the advantage here in comprehensiveness; use it to your advantage.
  3. Hack yourself first. That means ALL your websites, not just the “main” ones. Learn what the bad guys know or eventually will. Attackers are quite capable and smart enough to compromise secondary websites, use them as launching pads, and then pivot around the network.
  4. Detect any malware on your website(s) before Google does. Failure to do so will get you blacklisted from search results. Give Dasient a look.
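To make tip 1 concrete, here is an added example (not part of Grossman’s post) that puts the concatenated query he tells you to purge beside its parameterized replacement, plus the allow-list input validation he asks for on top. It runs against an in-memory SQLite table; the table, rows, and the tautology input used to show the difference are all constructed for this illustration.

```python
"""Added example: concatenated query vs. parameterized query, with input
validation, against an in-memory SQLite table of constructed sample rows."""
import sqlite3

# Constructed sample data: a small users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """VULNERABLE: the user-supplied value is spliced into the SQL text, so
    the database cannot tell data from query syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """SAFE: the value is bound as a parameter and is only ever treated as data,
    whatever quote characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    """The input validation layer: an allow-list for the shape a username may
    take (constructed policy: 1-32 alphanumeric characters)."""
    return 1 <= len(name) <= 32 and name.isalnum()


def lookup_validated(conn, name):
    """Validation plus parameterization: reject malformed input before it
    reaches the database at all."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: the concatenated version returns every row,
    # the parameterized version returns nothing because no user has that name.
    tautology = "x' OR '1'='1"
    print("concatenated:", lookup_concatenated(db, tautology))
    print("parameterized:", lookup_parameterized(db, tautology))
```

The point of keeping `lookup_validated` separate from `lookup_parameterized` is that parameterization alone is what closes the injection; validation is defence in depth that also rejects inputs a scanner would never think to try.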

Yes, there are many other things you can do to prevent SQL Injection, like detecting attacks with WAFs/IDS or database hardening procedures. But let’s get some of the basics down first, shall we?

BY JEREMIAH GROSSMAN

Source: WhiteHat Security

Update on 8 July 2011

For more information, click the link below:

http://gmailblog.blogspot.com/2011/06/protect-yourself-from-scams-by-knowing.html

 

SKMM Defacement Advisory (http://www.skmm.gov.my/cybersecurity)

 

Update on 18 October 2011

10 security problems you might not realize you have

October 15, 2011, 9:31 AM PDT  

Takeaway: It’s easy to get distracted by high profile security threats and let more subtle — but equally destructive — risks fall through the cracks.

IT administrators are often so busy just trying to keep up with the obvious security threats that many more problems fly under the radar. Here are 10 security risks you may have in your organization that you are not aware of.

1: Your employees

Your own employees are your biggest source of security risks. Sometimes, it is deliberate; sometimes, it is not. Employees have the most access and the most time. We expend a lot of effort worrying about external threats, but in all honesty, all it takes is an employee bringing in a virus from a home PC on a USB drive to nullify all your forward-facing firewalls and measures. Disgruntled employees sometimes express their anger by hurting your computer systems. And of course, it is possible for a well-meaning employee to make a major mistake. Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to closing the holes here.

 

2: Common coding mistakes

Certain mistakes in programming still get made despite years of warnings and education. Most common are SQL injection and cross-site scripting vulnerabilities. I still see these issues from time to time even in major software packages that you would think are trustworthy (WordPress is a good example). It’s hard to change software once you’ve installed it, so you need to keep these packages up to date even though it is quite a hassle.

 

3: Unauthorized machines

I’ve seen this one too many times. Someone decides to bring in an old PC and put it on the network to do something your existing infrastructure doesn’t allow them to do. They think that they are being helpful, working around the limitations of the IT department. After all, if IT won’t build a Web site for their group, it’s just “doing them a favor” to set up an old PC in the corner with a Web server on it, right? Wrong. The best way I’ve found to keep these rogue machines in line is with rigorous IP address audits and policies and scanning the network to create a list of machines. If machines can’t get IP addresses, they can’t do much harm.

 

4: Ancient “rock solid” servers

We all have them — that server buried deep in the data room that “just won’t quit.” Usually, it’s running some software package that is impossible to migrate to another machine. Sadly, these machines are often major security risks because they typically are no longer getting patches or we fail to patch them out of fear of breaking them. In addition, those older versions of operating systems often come with inherent security holes that no patching can fix. You need to replace these servers one way or the other. The best first step is to virtualize them. From there, it is a lot easier to try to update them.

 

5: Legacy applications

It’s not just the old servers that are big security risks; it is also the applications running on them, as well as other legacy applications you may have running. These applications would be a lot less problematic if they were current with their patches, but usually they aren’t. All too often, we miss a major version update because the upgrade is so difficult, and then we’re so far behind the ball that it’s impossible to catch up. Or perhaps the applications are completely discontinued. It’s painful to say it, but the best thing you can do is find a migration path to a recent version or another package entirely.

 

6: Local admins

We all know the dangers of allowing users to run with escalated privileges. Still, we occasionally end up with users being granted local admin rights inappropriately. In my experience, this often happens while troubleshooting a problem: We make the user a local admin to see if it fixes a problem and we forget to undo it. Regardless of how it occurs, it is a ticking time bomb for security. Use your central administration tools to make sure that the local admin list gets reset on a regular basis to the proper users and groups.

 

7: Incorrect share/file permissions

File permissions are tricky things, and most users are not even aware of how to set them. So what happens? Users create sensitive files in their usual networked location and those files get the default permissions, which are “collaboration friendly” to say the least. The next thing you know, everyone can read the documents, which are supposed to be confidential. Your best weapon is to pre-establish a share and file structure with the correct permissions. For example, give everyone a home directory for personal documents and create shares or directories around roles, projects, and teams with the appropriate permissions. The hard part is then educating them to use the correct locations — but that is much easier than trying to teach them permissions.

 

8: Hidden servers within applications

I have seen more and more applications lately that use a local Web server as an administration console. Sometimes, these applications are installed by users without permission. But occasionally, the IT department just does not realize what comes with an application. While these servers can be locked down so that they are not a risk (and with luck, they get installed like that), you need to verify that the applications are secured properly before allowing them to be installed on users’ machines.

 

9: VPN clients

Some users figure out how to set up VPN access on their personal machines. For a power user, it isn’t too hard to do. But you have no control over that machine, and once it is on the VPN, problems with the unauthorized machine can easily spill over onto the VPN. One thing you can do is audit the VPN systems to see who is connecting from what PCs and compare it to your list of authorized systems. Also, you can put additional firewalls around VPN clients to quarantine them. Finally, there are various systems to ensure that the clients connecting are on a preapproved list.
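The audit suggested above, reconciling who connects from which machine against the list of authorized systems, as an added example that is not part of the TechRepublic article. The log format, the field names, the hostnames, and the inventory are all constructed for this illustration; a real VPN concentrator’s export would need its own parser.

```python
"""Added example: reconcile VPN connection log lines against an inventory of
authorized machines and flag connections from unapproved hosts."""
import re
from collections import defaultdict

# Constructed inventory of machines IT has approved for VPN use.
AUTHORIZED_HOSTS = {"LAPTOP-0042", "LAPTOP-0077", "WKS-FIN-03"}

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2011-10-15 08:02:11 event=connect user=jsmith host=LAPTOP-0042 src=203.0.113.7
2011-10-15 08:15:43 event=connect user=mlee host=MIKES-HOME-PC src=198.51.100.23
2011-10-15 09:01:05 event=connect user=akhan host=WKS-FIN-03 src=203.0.113.9
2011-10-15 09:31:22 event=disconnect user=jsmith host=LAPTOP-0042 src=203.0.113.7
2011-10-15 10:12:58 event=connect user=mlee host=LAPTOP-0077 src=198.51.100.23
2011-10-15 11:47:30 event=connect user=tbrown host=GAMING-RIG src=192.0.2.55
"""

# Matches one line of the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def unauthorized_connections(records, authorized=AUTHORIZED_HOSTS):
    """Return connect events whose hostname is not in the approved inventory."""
    return [r for r in records
            if r["event"] == "connect" and r["host"] not in authorized]


def hosts_per_user(records):
    """Map each user to the set of hostnames they connected from; a user who
    alternates between an approved laptop and a personal PC shows up here."""
    seen = defaultdict(set)
    for r in records:
        if r["event"] == "connect":
            seen[r["user"]].add(r["host"])
    return dict(seen)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in unauthorized_connections(recs):
        print(f"{r['ts']} {r['user']} connected from unapproved host "
              f"{r['host']} ({r['src']})")
    for user, hosts in hosts_per_user(recs).items():
        if len(hosts) > 1:
            print(f"{user} used multiple machines: {sorted(hosts)}")
```

Matching on hostname is only as good as the inventory; a more robust version would key on a certificate or device identifier the client cannot change, which is what the “preapproved list” systems mentioned above do.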

 

10: Disabled security software


Security software often puts up roadblocks to getting work done, so the “logical response” from many users is to find a way to work around it. For example, I’ve seen people set up anonymizers at home to sidestep IT policies. Power users (especially developers and system administrators) often know how to circumvent security tools. They may also be local administrators because of a technical need, which makes disabling software and changing settings even easier.

Combating this is tough because these users often assume that they are “too smart” to be a security risk. What they fail to realize is that the modern crop of security threats does not require the user to make a mistake, like going to an obviously suspect Web site or downloading pirated software. Every Acrobat file, for example, is a potential plague rat at this point. Start looking for unusual trends, like large amounts of consistent traffic to an IP address, and use centralized tools to ensure that settings are at the right levels and are reset periodically. Also, take away any unnecessary local administration rights and firewall entire groups onto their own network segment to limit damage if those groups have a legitimate need for lower security.

Source: TechRepublic’s free newsletters.

 

 

Attachments:

  • OUCH-201102_en.pdf (2.26 MB)
  • OUCH-201104_en.pdf (302.34 KB)
  • OUCH-201209_en.pdf (519.15 KB)
  • 7-Common-Mistakes.pdf (139.51 KB)
  • Security Magazine (SIM)-27-Jan-2012.pdf (666.96 KB)