Basefarm SIRT Newsletter #2

Basefarm SIRT weekly newsletter #2
Year – Week: 2013 – 06

Basefarm SIRT is the Security Incident Response Team of the Basefarm Group. We post a weekly newsletter to the Basefarm Blog with the latest security information we find interesting.

Preface
As you may remember from last week, The New York Times had been compromised for four months before the intrusion was noticed; during that time their anti-virus software identified only 1 of the 45 pieces of custom malware installed on their systems. The New York Times believes the attackers gained entry through a spear-phishing attack, meaning employees were sent targeted emails containing malware attachments or links to sites hosting malware. Since then, the Wall Street Journal, the Washington Post, the US Federal Reserve and Twitter (where the attackers appear to have accessed information on about 250 000 accounts) have also come forward to say they were compromised.

So what does this show?
Amongst other things, that no matter what security systems are in place, no company can say with a straight face that it will never be compromised. There will always be some way in, so the goal is to keep the number of such ways as small as possible, and to notice quickly when one is used. That is why we do as much proactive security work as we can.

The reality, unfortunately, is that the easiest way in is usually through you: a person who clicks a link in a phishing mail or receives a malware payload through an outdated browser plugin. Cisco's 2013 Annual Security Report shows that most web malware today is encountered on ordinary news and business sites rather than on shady ones, and that it typically gets there through the third-party ad networks those sites embed, which the attackers compromise.

Sources:
http://www.networkworld.com/news/2013/020113-lesson-learned-in-cyberattack-on-266335.html
http://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-of-media-hacked-by-the-chinese.html
http://blog.twitter.com/2013/02/keeping-our-users-secure.html
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html


Important Software Security updates

Java 7 (Update 13) / Java 6 (Update 39)
http://www.java.com/en/download/index.jsp

Firefox (18.0.2)
http://www.getfirefox.com/

Adobe Flash (11.5.502.149 (Win and Mac), 11.3.379.14 (Windows 8) and 11.2.202.262 (Linux))
http://get.adobe.com/flashplayer/

For those using Firefox, you can go to the following page to see if your plugins are up-to-date:
https://www.mozilla.org/en-US/plugincheck/
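For those who would rather check a whole fleet than one browser, the following script compares collected plugin and browser versions against the minimum versions listed above. It is an added example for this newsletter, not a Basefarm or Mozilla tool; the inventory at the bottom is constructed sample data, and the Flash minimum used is the Windows/Mac build (the Windows 8 and Linux lines would need their own entries). The one thing worth learning from it is Java's versioning: `java -version` prints `1.7.0_13`, while Oracle's pages say `7u13` or `Java 7 Update 13`, and all three are the same release.

```python
"""Check collected plugin/browser versions against this newsletter's minimums.

Added example for the Basefarm SIRT newsletter; not a Basefarm or Mozilla tool.
"""
import re

# Minimum patched versions as listed in this newsletter. For Flash the Win/Mac
# build is used; the Windows 8 (IE10) and Linux lines use different numbers and
# would need their own entries.
MINIMUM_VERSIONS = {
    "java6": (6, 0, 39),        # Java 6 Update 39, i.e. 1.6.0_39
    "java7": (7, 0, 13),        # Java 7 Update 13, i.e. 1.7.0_13
    "firefox": (18, 0, 2),
    "flash": (11, 5, 502, 149),
}


def parse_java_version(text):
    """Normalise Java version strings to (major, minor, update).

    'java -version' prints the legacy form '1.7.0_13' (optionally with a build
    suffix such as '-b20'); Oracle's download pages use '7u13' or
    'Java 7 Update 13'. All three mean the same release.
    """
    text = text.strip()
    m = re.match(r"1\.(\d+)\.(\d+)_(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = re.match(r"(\d+)u(\d+)$", text)
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    m = re.match(r"java\s+(\d+)\s+update\s+(\d+)$", text, re.IGNORECASE)
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    raise ValueError("unrecognised Java version string: %r" % text)


def parse_dotted_version(text):
    """Parse '18.0.2' or Flash's comma form '11,5,502,149' into an int tuple."""
    parts = re.split(r"[.,]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_outdated(product, version_string):
    """True if the installed version is below this newsletter's minimum.

    product is 'java', 'firefox' or 'flash'. Tuple comparison handles the
    different field counts; a shorter tuple that matches on every field it has
    ('18.0' against 18.0.2) compares as older, which is the safe direction.
    """
    if product == "java":
        installed = parse_java_version(version_string)
        key = "java%d" % installed[0]
        if key not in MINIMUM_VERSIONS:
            # A major release older than anything listed (Java 5 and earlier)
            # is out of support and always outdated; a newer major is not
            # covered by this list and is not flagged.
            listed = [v[0] for k, v in MINIMUM_VERSIONS.items() if k.startswith("java")]
            return installed[0] < min(listed)
        return installed < MINIMUM_VERSIONS[key]
    if product in ("firefox", "flash"):
        return parse_dotted_version(version_string) < MINIMUM_VERSIONS[product]
    raise ValueError("unknown product: %r" % product)


def outdated_entries(inventory):
    """Return the (product, version) pairs from inventory that need updating."""
    return [(p, v) for p, v in inventory if is_outdated(p, v)]


# Constructed sample inventory, as one might collect from workstations; not real data.
SAMPLE_INVENTORY = [
    ("java", "1.7.0_11"),          # one update behind 7u13
    ("java", "1.6.0_39"),          # current for the Java 6 line
    ("java", "1.5.0_22"),          # unsupported major release
    ("firefox", "18.0.1"),
    ("firefox", "18.0.2"),
    ("flash", "11,5,502,149"),     # comma form seen in plugin descriptions
    ("flash", "11.5.502.146"),
]

if __name__ == "__main__":
    for product, version in outdated_entries(SAMPLE_INVENTORY):
        print("UPDATE NEEDED: %s %s" % (product, version))
```

Run it as-is to see the four outdated entries from the sample; in practice you would feed it the output of whatever inventory tool you already have and adjust MINIMUM_VERSIONS each week.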

Security tips
With the latest plugin vulnerabilities (Java and Flash) causing havoc on the web, we suggest that those who are able to should enable click-to-play in their browsers. With click-to-play, plugins such as Java (which should be fully disabled in your main browser anyway) or Adobe Flash are not loaded automatically: the plugin content stays inert until you click on the object, so a drive-by exploit embedded in a page or an ad cannot run without your interaction. In Firefox this is the about:config preference plugins.click_to_play (set it to true); in Chrome it is under Settings > Content settings > Plug-ins.

You can find information on click-to-play for your browser at these locations:
http://www.ghacks.net/2012/07/21/configuring-chromes-click-to-play-feature/
https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/

Security news
Microsoft and Symantec hijack the “Bamital” botnet
http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/

Canada Joins the DNSSEC Party
http://www.darkreading.com/blog/240147786/canada-joins-the-dnssec-party.html

China is the world’s most malware-ridden nation
http://www.net-security.org/malware_news.php?id=2404

Where do you get malware from?
http://www.securitybistro.com/blog/?p=5384
http://www.net-security.org/secworld.php?id=14355