CERT-MU Quarterly | February 2013
CERT-MU eSecurity Newsletter | Volume 3 | Issue 1 | February 2013
Addressing the Need of Information Security for Intelligent Mauritius
Dear Readers,
Greetings from CERT-MU,
The year 2012 has seen significant developments in cyberspace and the IT security industry. A number of cyber attacks have made the headlines, ranging from phishing scams, malicious software, mobile threats and government-sponsored attacks to incidents involving social networking sites. This eSecurity Newsletter presents the top security breaches of 2012 and predictions for 2013. It is expected that 2013 will witness more targeted malware attacks, a rise in hacktivism and government-sponsored attacks, and an increase in malware targeting Mac devices. Organisations will also face the security issues of cloud computing, Bring Your Own Device (BYOD), mobile computing and mobile devices.
Other issues highlighted in this eSecurity Newsletter are the security concerns of tablets, whose adoption is increasing rapidly. This e-newsletter also presents the CERT-MU events of 2012.
We trust that you will find the articles interesting and enjoy reading!
The e-Security Newsletter Team
CERT-MU is offering a free remote scanning service for organizations who wish to scan their servers and network infrastructure remotely. A full-fledged vulnerability report, including an in-depth analysis of each vulnerability and a complete solution guide, is produced at the end of the scanning. The vulnerability scanning report gives the organization an insight into what is visible to a ‘remote attacker’ and what steps need to be taken to secure the organization’s infrastructure against external attacks.
Inside This Issue
The Growing Dark Side of Cyber Space
Is this the Year of Enterprise Tablets?
Tablets: Addressing the Security Issues
News Focus:
Windows 8: The Security Issues
Quick Response codes - a trick to drive traffic to unreliable sites
CERT-MU Events: The Journey of 2012
2012 Information Security Guidelines
The Growing Dark Side of Cyber Space
Cyberspace has always been characterized by change. With the rise of social networking, the shift to cloud computing and the rapid emergence of mobile forms of connectivity, there has been a major shift in the constitution of cyberspace. Although each of these developments is unique, together they have the combined effect of taking users out of an older communications paradigm and into new ones, governed by different rules, norms and principles. These developments bring innovation to cyberspace. But there is also a dark side of cyberspace, where hidden contests and malicious threats are growing from the inside out. These developments are providing new vectors of attack. In 2012, attackers extended their reach to more platforms, from social networks and cloud services to Android mobile devices. They responded to new security research findings more rapidly and leveraged zero-day exploits more effectively.
2012 has been the year of hacktivism, Bring Your Own Device (BYOD) and cloud computing. Many organisations had already started to deal with the implications of cloud computing in 2011, and this year was a continuation of those efforts. Hacktivism conquered the public stream of consciousness while the adoption of BYOD within enterprises increased. Hacktivism and the increased sophistication of threats have forced the IT security industry to devise more layered defences. IT security departments have never been under more pressure, as breaches and incidents became more visible and frequent. Cybercriminals focus on where the weak spots are, use a technique until it becomes less effective, and then move on to the next frontier. Security is at the heart of the BYOD and cloud revolution. Protecting data in a world where systems change rapidly and information flows freely requires a coordinated ecosystem of security technologies at the endpoint, at the gateway, on mobile devices and in the cloud.
Information security continues to grow more complex, and 2013 will be no exception. Yet knowing how threats worked during the year will enable the IT security industry to be better prepared for 2013. Security firms have started providing predictions which can be used to perform the necessary security evaluation and develop specific action plans to tighten defences and prepare for the coming threats. The top security breaches of 2012 are discussed below, and a prediction for 2013 is also given.
Top Security Breaches of 2012
Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it was not until April 2012 that it became really widespread. According to news sources, Flashback infected over 700,000 Macs, and it is known as the biggest Mac OS X infection to date. Two main factors contributed to this attack: a Java vulnerability and the general sense of apathy among the Mac faithful when it comes to security issues. Flashback continues to be relevant because it demolished the myth of invulnerability surrounding the Mac.
Flame and Gauss: nation-state cyber-espionage campaigns
In April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks was named “Wiper” and resembled Duqu and Stuxnet. During the investigation, security experts stumbled upon a huge cyber-espionage campaign known as Flame. Flame is one of the most sophisticated pieces of malware ever created. When fully deployed onto a system, it has more than 20 MB of modules which perform a wide array of functions such as audio interception, Bluetooth device scanning, document theft and the taking of screenshots from the infected machine. The most impressive part is that it made use of a fake Microsoft certificate to perform a man-in-the-middle attack against Windows Update, which allowed it to infect fully patched Windows 7 PCs. This attack was suspected to be a nation-state attack. According to the analysis made by security experts, the close similarity between Flame and Stuxnet indicates that their developers worked together. The appearance of Flame has shown that highly complex malware can exist undetected for several years. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns. Gauss is remarkable for a variety of things, some of which remain unexplained. The use of a custom font named “Palida Narrow” and its encrypted payload, which targets a computer disconnected from the Internet, are among the many unknowns. It is also the first government-sponsored banking Trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon. With Flame and Gauss, a new dimension was injected into the Middle East battleground: cyber-war and cyber-warfare. It appears there is a strong cyber component to the existing geopolitical tensions.
The explosion of Android threats
During 2011, a number of malicious threats targeted the Android platform. In June 2012, more than 7000 malicious Android programs were detected. More than 35,000 malicious Android programs were discovered, about six times more than in 2011. The huge growth of Android threats is due to two reasons: economic and platform-related. The Android platform has become one of the most popular and widespread operating systems for mobile phones. The open nature of the operating system, the ease with which apps can be created and the wide variety of application markets have combined to shine a negative spotlight on the security of the Android platform.
LinkedIn, Last.fm, DropBox, Gamigo, Android Forums and world’s top 100 universities password leaks
On 5 June 2012, LinkedIn, one of the world’s biggest social networks for business users, was hacked and the password hashes of more than 6.4 million people were leaked on the Internet. Through the use of fast Graphics Processing Unit (GPU) cards, security researchers recovered 85% of the original passwords. First of all, LinkedIn stored the passwords as SHA1 hashes. Although better than the very popular MD5, modern GPU cards can crack SHA1 hashes at incredible speeds. Similar attacks targeted popular web services such as DropBox, Last.fm and Gamigo, whereby user accounts were leaked. More than 8 million passwords were leaked to the public during the Last.fm and Gamigo attacks. Android Forums (AndroidForum.com) was also hacked and more than 1 million user account details were stolen by hackers. At the end of August 2012, a group of hackers known as ‘Team GhostShell’ published the details of around 1 million accounts stolen from over 100 websites across the world as part of an operation called ‘Project HellFire’.
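The LinkedIn leak turned on the difference between a bare, unsalted SHA1 hash and a proper password-hashing scheme. The following Python example is added here and is not code from the newsletter or from LinkedIn: it places an unsalted SHA-1 store, in which every user with the same password gets the same digest and each digest can be guessed at GPU speed, beside a store that uses a random per-user salt, PBKDF2-HMAC-SHA256 with a high iteration count and a constant-time comparison. The account names, passwords and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for the hardened scheme. This is a constructed illustrative
# value (assumption); deployments should tune it to their own hardware.
PBKDF2_ITERATIONS = 200_000


def weak_store(password: str) -> str:
    """LinkedIn-style (2012) storage: bare SHA-1, no salt, no work factor.

    Equal passwords give equal digests, so one recovered digest unlocks
    every account that used that password, and SHA-1 is cheap enough for a
    GPU to test billions of candidates per second.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: random 16-byte per-user salt + PBKDF2-HMAC-SHA256.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<hash>"
    so the work factor can be raised later without a schema change.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS, salt.hex(), digest.hex()
    )


def strong_verify(password: str, record: str) -> bool:
    """Recompute using the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(records: List[str]) -> int:
    """Number of stored values that occur more than once.

    Over an unsalted table this immediately reveals which users share a
    password; over a salted table it should always be 0.
    """
    seen: Dict[str, int] = {}
    for record in records:
        seen[record] = seen.get(record, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    users = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
    weak = [weak_store(p) for p in users.values()]
    strong = [strong_store(p) for p in users.values()]
    print("duplicate digests, unsalted SHA-1:", duplicate_hash_count(weak))
    print("duplicate records, salted PBKDF2 :", duplicate_hash_count(strong))
```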
Global Payments breach and Operation High Roller – biggest cyber bank robbery in history
The world has also witnessed multiple attacks and security breaches involving financial institutions. One of the most talked-about security breaches was that of Global Payments, which exposed about 1.5 million card accounts. Global Payments processes transactions for Discover, American Express, Visa and MasterCard. There was also Operation High Roller, which was referred to as the biggest cyber bank robbery in history. This attack consisted of a massive cyber bank raid whereby sixty million euros were stolen from bank accounts after fraudsters attacked dozens of financial institutions around the world. According to a joint report by the security firm McAfee and Guardian Analytics, more than 60 firms suffered from what it called an “insider level of understanding”. The attacks began in Europe but later spread to Latin America and the United States.
The DNSChanger shutdown
Between 2007 and 2011, the DNSChanger virus infected four million computers in 100 countries. Often without the victims’ knowledge, their computers were turned into zombies that received instructions from rogue servers to visit websites and click on ads in a scheme to generate fraudulent advertising revenue. The FBI succeeded in taking control of the DNS servers. However, rather than eliminating the DNS servers to which millions of computers were still connecting, federal agents replaced them with legitimate ones. The replacements sustained connectivity for infected machines and provided time for an industry consortium called the DNSChanger Working Group to identify the IP addresses of infected computers and attempt to notify their users.
Shamoon attacks
In the middle of August 2012, another malware was discovered and used in specific targeted attacks against companies in the energy industry. The malware was used particularly in an attack against Saudi Aramco, one of the world’s largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware. The malware was known as “Shamoon” or “W32.Disttrack” by various security firms. Shamoon is destructive malware that corrupts files on a compromised computer and overwrites the Master Boot Record (MBR) in an effort to render the computer unusable. The Shamoon malware consisted of components that remind security analysts of the Flame malware. It was a two-stage attack in which the attackers take control of an internal machine connected to the Web and use it as a proxy to the external command-and-control server, which then infects other internal machines. Once the machines are infected, Shamoon is released, wiping the malware and the stolen data.
The DSL modem hacks
In October 2012, the details of an attack which had been taking place in Brazil since 2011 were published by a security firm. The attack used a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. This operation affected six hardware manufacturers, resulting in millions of Brazilian Internet users falling victim to a sustained and silent mass attack on DSL modems. In March 2012, Brazil’s CERT team confirmed that more than 4.5 million modems had been compromised in the attack and were being abused by cybercriminals for all sorts of fraudulent activity.
The Adobe certificate theft and the omnipresent Advanced Persistent Threat (APT)
In September 2012, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code signing certificate. Adobe’s certificates were securely stored in a Hardware Security Module (HSM), a special cryptographic device which makes attacks much more complicated. Nevertheless, the attackers were able to compromise a server and use it to perform code signing requests. This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT. The fact that a high-profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available to these high-level attackers.
Security Predictions - 2013
As 2012 has come to an end, security firms have started to make predictions about what Web users, organisations and security professionals can expect to see in 2013. The predictions for 2013 according to several security firms are as follows:
The onward march of ‘hacktivism’
The dimension of hacktivism has changed considerably. The motives behind these attacks are not solely to steal money by directly accessing bank accounts or by stealing confidential data. Sometimes, the aim of an attack is to make a political or social point. The year 2012 witnessed several such attacks. Examples include the DDoS attacks launched by Anonymous on government websites in Poland, following the government’s announcement that it would support ACTA (the Anti-Counterfeiting Trade Agreement); the hacking of the official F1 website in protest against the treatment of anti-government protesters in Bahrain; the hacking of various oil companies in protest against drilling in the Arctic; the attack on Saudi Aramco; and the hacking of the French Euro-millions website in a protest against gambling. Society’s increasing reliance on the Internet makes organizations of all kinds potentially vulnerable to attacks of this sort; therefore ‘hacktivism’ looks set to continue into 2013 and beyond.
Government-sponsored attacks will increase as new players enter
In 2013, more governments are expected to enter the cyber-warfare arena and develop cyber weapons designed to steal information or sabotage systems. It is also possible that we may see ‘copy-cat’ attacks by non-nation-states, with an increased risk of ‘collateral damage’ beyond the intended victim of the attack. The targets for such cyber-attacks could include energy supply and transportation control facilities, financial and telecommunications systems and other ‘critical infrastructure’ facilities. In the wake of several public cyber warfare events, a number of contributing factors will drive more countries towards these strategies and tactics, as countries and individual cybercriminals alike have access to the blueprints for previous state-sponsored attacks like Stuxnet, Flame and Shamoon.
The use of legal surveillance tools
In recent years, cybercrime has become more and more sophisticated. This has created new challenges not only for anti-malware researchers but also for law enforcement agencies around the world. Their efforts to keep pace with the advanced technologies used by cybercriminals are driving them in directions that have obvious implications for law enforcement itself, including the use of technology to monitor the activities of those suspected of criminal activity. The use of legal surveillance tools has wider implications for privacy and civil liberties. Law enforcement agencies and governments will try to stay one step ahead of the criminals, and it is likely that the use of such tools, and the debate surrounding their use, will continue.
Cyber extortion
This year there was a growing number of ransomware Trojans designed to extort money from their victims, either by encrypting data on the disk or by blocking access to the system. In the past, this type of cybercrime was confined largely to Russia and other former Soviet countries. But now it has become a worldwide phenomenon. In Russia, for example, Trojans that block access to the system often claim to have identified unlicensed software on the victim’s computer and ask for a payment. In Europe, where software piracy is less common, this approach is not as successful. Instead, they masquerade as pop-up messages from law enforcement agencies claiming to have found child pornography or other illegal content on the computer. This is accompanied by a demand to pay a fine. Such attacks are easy to develop and, as with phishing attacks, there seems to be no shortage of potential victims. As a result, we are likely to see their continued growth in the future.
Mac OS malware
Despite the myth that Macs are immune to malware, the year 2012 proved it wrong. Of course, when compared to the torrent of malware targeting Windows, the volume of Mac-based malware is small. However, the Flashback Trojan infected over 600,000 Mac computers around the world, forming a botnet. In 2013, the threat to Macs is expected to grow.
Mobile malware
Mobile malware has exploded in the last 18 months. The lion’s share of it targets Android-based devices: more than 90 per cent is aimed at this operating system. The Android operating system is widely targeted because it is easy to develop for and those using the system are able to download programs from wherever they choose. For this reason, there is unlikely to be any slow-down in the development of malicious apps for Android. To date, most malware has been designed to get access to the device. In the future, we are likely to see the use of vulnerabilities that target the operating system and, based on this, the development of drive-by downloads. According to security experts, there is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. More mobile botnets are also expected.
Cybercriminals will use bypass methods to avoid traditional sandbox detection
More organisations are using virtual machine defences to test for malware and threats. As a result, more attackers are taking new steps to avoid detection by recognizing virtual machine environments. Such methods will attempt to identify a security sandbox, just as past attacks targeted specific anti-virus engines and turned them off.
Cybercriminals will follow the crowds to legitimate content management systems and web platforms
Vulnerabilities in WordPress have frequently been exploited in mass compromises. As other Content Management Systems (CMS) and service platforms increase in popularity, the bad guys will routinely test the integrity of these systems. Attacks will continue to exploit legitimate web platforms, requiring CMS administrators to pay greater attention to updates, patches and other security measures. Cybercriminals compromise these platforms to host their malware, infect users and invade organizations to steal data.
Vulnerabilities and exploits
One of the key methods used by cybercriminals to install malware on victims’ computers is to exploit un-patched vulnerabilities in applications. This relies on the existence of vulnerabilities and the failure of individuals or businesses to patch their applications. Java vulnerabilities currently account for more than 50 per cent of attacks, while Adobe Reader accounts for a further 25 per cent. This is not surprising, since cybercriminals typically focus their attention on applications that are widely used and are likely to be unpatched for the longest time – giving them a sufficient window of opportunity to achieve their goals. Java is not only installed on many computers (1.1 billion, according to Oracle), but updates are installed on demand, not automatically. For this reason, cybercriminals will continue to exploit Java in the year ahead. It is likely that Adobe Reader will also continue to be used by cybercriminals, but probably less so because the latest versions provide an automatic update mechanism.
Cloudy with a chance of malware
The use of cloud services will increase in the coming years. There are two factors that are driving the development of these services – cost and flexibility. The economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. In terms of flexibility, data can be accessed any time, any place, anywhere and from any device, including laptops, tablets and smartphones. But as the use of the cloud grows, security threats targeting it will also increase. Firstly, the data centers of cloud providers form an attractive target for cybercriminals. ‘The cloud’ may sound comfortable as a concept, but when looked at from the perspective of a cybercriminal, it offers a potential single point of failure: it holds large quantities of personal data in one place that can be stolen if the provider falls victim to a successful attack. Secondly, cybercriminals are likely to make more use of cloud services to host and spread their malware, typically through stolen accounts. Thirdly, data stored in the cloud is accessed from a device in the ‘non-cloud’ world. Therefore, if a cybercriminal is able to compromise the device, they can gain access to the data – wherever it is stored. The wide use of mobile devices, while offering huge benefits to a business, also increases the risk – cloud data can be accessed from devices that may not be as secure as traditional endpoint devices. When the same device is used for both personal and business tasks, that risk increases still further.
Is this the Year of Enterprise Tablets?
A tablet PC is a portable computer that the user controls with a touch screen interface. It was designed to be operated by a single user for personal computing, rather than shared among a group. In addition to touch screens, users can make use of virtual keyboards or a digital pen to interact with them. Microsoft introduced the concept of a tablet PC in 2001. Today, a tablet PC refers to any portable device with a touch screen interface. Most of today’s tablet PCs offer WiFi and 3G/4G for connecting to the Internet. The introduction of Quadcore to tablets, 4G, Cloud Computing and the continuous adoption of HTML5 will make the tablet even more integrated into the work environment. Several software applications such as web browsers, office utilities and games can be used with a tablet PC. Several brands of tablet PCs are available today. The most popular are the Apple iPad, Samsung Galaxy Tab, BlackBerry PlayBook, HP TouchPad and Dell Streak, amongst others. There are many benefits of using tablet PCs. But there are also potential security risks when using tablets within the enterprise.
Tablets: Addressing the Security Issues
Portable devices such as tablets give users convenient access to business and personal data. As their use increases, so do the associated risks. The features that make these devices portable and enable them to connect on the fly to various networks and hosts also make them vulnerable to loss of physical control and to network security breaches. Using tablets can increase the risk of data loss when the physical device is lost, of data exposure when sensitive data is disclosed to the public or a third party without consent, and of network-based attacks to and from any system the device is connected to over the Internet.
The trend of Bring Your Own Device (BYOD) has accelerated the use of tablet PCs in the corporate working environment. As a result, most employees use their own tablets for accessing their company’s accounts. More importantly, most companies do not actively monitor the kind of official data the employee accesses via these devices. The fact that the employee is allowed to gain access to all the information he needs is what poses the actual security threat. Though there are many companies which do not encourage the use of personal tablets for office use, there are many that do not actually object to employees accessing their official accounts through these devices.
The usage of tablet PCs also raises questions about data security. The data encryption techniques used on tablet PCs have not yet been proven. Some security experts have shown that the encryption techniques can be easily bypassed and the data stolen by a hacker. Tablets are still relatively immature as a technology. They do not have many patches and updates, and the update cycle is not as frequent as for Windows. In addition, the user has a high level of privilege on the device. Little research has been done on tablet PC security. New tablet PCs are often released on completely different operating systems. With increased accessibility and new ways of interacting with the user, tablet PCs offer hackers numerous ways to gain access to data.
The third-party applications that users download to their tablet PCs can be useful, but they may also pose problems. It is possible for these applications to carry malware that is hidden from the user and bypasses security tests. The malware can allow a hacker to gain control of the device and perform illegal actions or steal user data easily. Many applications require personal data and, through them, attackers can spam the user or steal the user’s identity.
By 2015 mobile app development projects will outnumber native PC projects by a ratio of 4-to-1. Enterprise tablet adoption will grow by almost 50% per year.
Tablets have a lot of capabilities, but they are not appropriate for everything and cannot replace notebooks. Many traditional computer programs will not work on tablets, and documents sent from a computer to a mobile device may end up losing some key characteristics. Certain organisations may think that it will be easy to obtain the right apps for their needs. But most companies do not have the means to produce and constantly update mobile applications. Even though the iPad and Android app stores have more offerings than the stores of less popular tablets, they still have limitations. That is why users of tablets should take the necessary measures at their end to secure their tablets. Some useful tips to improve the security of tablets are given below:
Be careful when giving out personal information
Make sure that you provide personal information only to highly trusted parties. Providing information to untrusted applications or websites can increase the chances of identity theft. You can also start to receive spam messages.
Verify the information requested by applications
Several applications ask for administrative permissions on the device and for control of hardware devices. Before allowing this access, verify that the application’s function actually requires access to the hardware. For example, if a weather reporting application asks for permission to access the device's camera or microphone, be suspicious. It is likely that the application contains malware.
Use banking applications that are officially released
Verify that the applications you use for financial or banking purposes are officially released by the bank or the financial group. Using unauthorized third-party applications can be dangerous because they increase the chances of identity theft.
Regularly update your tablet PC
Updating your device with the latest software from the manufacturer is one of the most important ways to protect it. These updates will usually contain fixes to some of the security problems that may have been present earlier.
Turn off wireless features such as GPS and Wi-Fi when not using them
When you are not using GPS or WiFi, it is advisable to turn these features off to make sure that malicious entities and rogue applications are not able to take advantage of them.
Use Bluetooth with caution
When you are not using Bluetooth, turn it off. If you are using Bluetooth then make sure that it is in “non-discoverable” or “hidden” mode by changing the settings of your device.
Download trustworthy content only
Download content from trusted websites and official application stores. For the Apple iPad, the App Store is the official application store. For Android-based tablets, it is Google Market.
Cyber Security Events 2013
4th Annual Cybersecurity Symposium
February 22, 2013
Washington
The Second International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec2013)
The Asia Pacific University of Technology and Innovation (APU)
March 4-6, 2012
Kuala Lumpur, Malaysia
3rd Annual Cyber Security Summit
April 11-12, 2013
Prague, Czech Republic
Security Professionals Conference
April 15-17, 2013
St-Louis, Missouri
2013 IEEE Symposium on Computational Intelligence in Cyber Security
April 15-19, 2013
Singapore
Security Tip: Avoid Default Installations
Devices or applications often come with default configurations, and this poses high security risks. Attackers can easily exploit the default passwords. Necessary measures should be taken to change the default passwords to better protect the devices or applications.
Windows 8: The Security Issues
Windows 8 is the new version of Microsoft Windows that follows Windows 7. The new Windows 8 is all about apps and a completely reworked interface similar to the recently released version of Windows Phone 7. It features a new Metro-style interface that is designed for touchscreen input. It also adds support for the ARM processor architecture in addition to the previously supported x86 microprocessors from Intel and AMD. Its server counterpart is codenamed Windows Server 8. Windows 8 offers more features than other existing Windows platforms and has also been hyped as Microsoft’s most secure operating system, featuring strong security enhancements. However, there are security issues associated with it which organisations must be aware of. According to security experts, there are five potential loopholes in the Windows 8 platform, and they are discussed below:
Threats on Windows 7 will work across Windows 8
Windows 8 maintains backward compatibility with Windows 7. Hence a vast majority of legitimate and malicious programs will also run unaltered on Windows 8 devices. To target the largest number of users, hackers typically work on malware which runs not only on Windows 8 but also on previous versions of the operating system, from Windows XP to Windows 7. Since the number of PCs currently running Windows 8 is still small, there is not much malware designed for the operating system yet. However, cybercriminals will start testing Windows 8 as users slowly migrate to the operating system.
New cyber-attacks already surfacing
Since the release of Windows 8 platform, fake antivirus and phish-
ing attacks aimed at the operating system have already been dis-
covered. Security firms discovered a fake antivirus named
TROJ_FAKEAV.EHM, which displays fake scanning results to
intimidate users to purchase its fake antivirus program packaged
as a security tool made for Windows 8. Recently, a phishing attack
was also intercepted which pretended to originate from “Microsoft
Windows 8 team”, offering free software through a web link.
When users click on the link, they are taken to a Web page on a
Slovakian Web server asking them to enter their username, pass-
word, e-mail address, and server domain name.
Social engineering not addressed
According to security experts, no steps have been taken to miti-
gate social engineering in prior versions of Windows and they
have not been addressed in Windows 8. Social engineering is one
of the biggest security threats today as the user is often an “easy
and successful target”, unable to distinguish between scams and
legitimate items. Phishing attacks that leverage social engineering
have already surfaced since the launch of Windows 8 and little
new have been done in Windows 8 to prevent such type of attacks.
This remains one of the biggest security holes.
Security additions still perimeter-based
Many of the added features in Windows 8 such as the Early
Launch Anti-Malware (ELAM) and scanning of files with Defend-
er are still based on signature-based technologies in an age where
such technologies will not be useful in protecting against these
cyber-attacks. As such, other security technologies which go be-
yond perimeter defense must be used along with Windows 8. For
example, having a security tool which can catch an attack in real-
time, based on behavior, will complement the security offerings in
Windows 8.
Vulnerabilities exist on Windows 8
In the preview release of Windows 8, vulnerabilities were discov-
ered. Even though some of these were also present in older ver-
sions operating system and applications, there will be vulnerabili-
ties in the new operating systems and attackers will try to exploit
them. Moreover, a French penetration-testing company already
found a way to bypass security mechanisms of Windows 8.
ELAM is also based on loading a trusted module during the boot
process until the full antivirus engine is loaded. However, there
were cases where valid certificates of Microsoft and Adobe had
been used by malware, which were able to evade antivirus scan-
ners.
Windows 8: The Security IssuesWindows 8: The Security IssuesWindows 8: The Security Issues
News Focus...
QR Codes --- a trick to drive traffic to unreliable sites
Quick Response codes (QR codes) are two-dimensional matrix barcodes that can be scanned by smartphones and that link users directly to a website without having to type in its address. By using QR codes as a jump-off point to unreliable sites, cybercriminals can disguise the ultimate destination of links. It has been observed that spam messages are not only pointing to URLs that use embedded QR codes, but spammers are also printing out labels and leaving them in well-trafficked locations. According to security firm Symantec, cybercriminals are taking advantage since there has been a burst in the number of QR codes over the last few years. Since QR codes resemble pictures, it is very difficult to distinguish between genuine and malicious ones. This makes it easy to trick users into scanning codes that may lead to an infected or phishing site. Users can protect their smartphones by installing a QR reader that can check a website’s reliability before visiting it.
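The kind of check a QR reader can apply to a decoded payload before it opens the link, as an added example that is not CERT-MU's code or any product's: it flags payloads that are not web links at all, plain-http links, shortened links that hide their destination, user@host tricks, raw IP hosts and punycode hostnames. The shortener list and the sample payloads are constructed for illustration; decoding the image itself is left to a QR library.

```python
"""Vet a decoded QR payload before the phone opens it (added example, not CERT-MU's code)."""
from typing import List
from urllib.parse import urlsplit
import ipaddress

# Constructed list of URL-shortener hosts that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


def vet_qr_payload(payload: str) -> List[str]:
    """Return warnings for the decoded QR text; an empty list means no concern."""
    warnings: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # A QR code can carry any text; only http(s) is a web link at all.
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme or 'none'}): do not auto-open"]
    if scheme == "http":
        warnings.append("plain http: page content and typed credentials travel unencrypted")

    host = (parts.hostname or "").lower()
    if not host:
        return ["malformed URL: no host"]
    # user@host makes the link look like it belongs to the name before the @.
    if parts.username is not None:
        warnings.append(f"credentials before host: real host is {host}")
    # Raw IP addresses are rarely used by legitimate public sites.
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address as host")
    except ValueError:
        pass
    # Punycode labels can imitate a brand name with look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) hostname")
    if host in SHORTENERS:
        warnings.append(f"shortener {host}: destination hidden until followed")
    return warnings


# Constructed sample payloads, as a reader might decode them from printed labels.
SAMPLES = [
    "https://www.cert-mu.org.mu/",
    "http://bit.ly/abc123",
    "https://bank.example@other.example/login",
    "MECARD:N:Example;;",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload, "->", vet_qr_payload(payload) or ["no warnings"])
```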
CERT-MU Events : The 2012 Journey
CERT-MU has been organizing a series of events in the form of workshops, trainings and other international events throughout the year. The purpose of these events is to promote an information security culture and to educate the general public about information security issues. The main events that were organized during the year are:
Computer Security Day 2012
Computer Security Day is an international and globally recognized annual event set up to inform computer users of the significance of computer security. Computer Security Day was organized by the Computer Emergency Response Team of Mauritius (CERT-MU) on the 30th November as a way of reminding computer users that computer security and safety is a crucial responsibility. The goal of this event was to sensitise people to protect their computers and information. The event provided an insight into privacy and security issues surrounding electronically stored sensitive information and offered ways to keep your computer and data safe. On this occasion, CERT-MU organized various activities such as a full-day conference, with the participation of high-profile international and local resource persons and interactive panel discussions on specific tracks, targeted at Business Executives, Senior Management and Information Security Professionals. An exhibition of computer security based products was conducted. Two guidelines on Public Internet Access Points (PIAPs) for users and technical persons were also launched. As a continuation of the Computer Security Day, training programmes on Developing Security Policies and Securing Networks were conducted by the International Multilateral Partnership Against Cyber-threats (IMPACT).
Training on IPv6
The World IPv6 Launch represents the next step in the evolution of the Internet and marks a milestone in its history. As the successor to the Internet Protocol IPv4, IPv6 is seen as crucial to the continued growth of the Internet as a platform for innovation and economic development. In line with its vision for “spearheading Internet Technology in the African Region”, the African Network Information Centre (AfriNIC) has been encouraging the African Internet community and its stakeholders to adopt the new protocol, IPv6. According to AfriNIC’s estimation, Africa will run out of IPv4 address space around 2013/2014, and it is important for Africa to build a stable Internet infrastructure for the future. To achieve this purpose, CERT-MU, in collaboration with AfriNIC, organised a four-day training from 29th October to 1st November 2012, targeting IT Professionals, Network Administrators and IT Security Professionals from both public and private sectors. The objective of this training was to provide hands-on exposure to IPv6 implementation with a focus on security aspects.
Did you know?
In a recent Intel survey, 77% of respondents ranked losing their laptop
while traveling as more stressful than losing their wedding ring, and
62% were actively worried about losing a laptop or having it stolen.
This indicates how our devices have become an integral part of our lives and therefore we must take precautionary measures to protect our information from device loss and theft while traveling.
Workshop on Mobile Hacking and Applications Security
Mobile devices have become an essential tool in most organisations. Mobile phone deployments have increased significantly and they have been adopted by multitudes of end users for convenient email access and for accessing organisational resources and production applications. As mobile devices are widely adopted in organisations, they are also becoming an attractive and vulnerable target for cyber criminals. To address this issue, a workshop on Mobile Hacking and Applications Security was organised by CERT-MU on 31st May 2012 at Cyber-City, Ebene. Several presentations were conducted, focused on Mobile Risks and Countermeasures, Design Considerations for Enterprise Mobile Security and Android Applications Security.
On this occasion, a brochure on “Tips to Secure Your Mobile Phone” was launched by the Minister of Information and Communications Technology. A Certificate Award Ceremony was also held to award successful participants who completed the ISO 27001 Implementers Course and the Lead Auditor Course, which were organized by the National Computer Board in December 2011.
Safer Internet Day 2012
Safer Internet Day is an international event organised by Insafe in February each year to promote safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world. The theme for this year’s Safer Internet Day was “Connecting Generations and Educating each other – Discover the Internet Together, safely!”, where the focus was on sensitizing Internet users of all generations, irrespective of their age, culture and communities. On this occasion, the National Computer Board organized a workshop targeting State and Private Secondary School students, rectors and ICT teachers. Some 2600 students have already been sensitized. In addition, ICT teachers of primary schools across the island have also been trained on the issues of child online safety.
As a continuation of the Safer Internet Day campaign, the National Computer Board, in collaboration with the Ministry of Education and Human Resources, has been conducting awareness sessions on Internet Safety and Security in schools and colleges in the four zones of the country. Other activities that were organized include an online Internet Security quiz competition for State and Private Secondary School students.
Security Tip:
Even if you believe that all of your child’s online friends are genuine, the information your child posts might still be visible to others in the wider network. A chain of online friends is only as strong as its weakest link. Therefore:
Limit the information posted
Inform your child about the risks
Never give out address or school details
Know what to do if concerned
2012 Security Guidelines
CERT-MU publishes Information Security Guidelines on a regular basis to help and guide users in adopting best practices and implementing them whenever possible. For the year 2012, CERT-MU has published 10 security guidelines. The highlights of the guidelines are as follows:
Guideline on Strong Passwords and Passphrases
Passwords are an important aspect of computer security. They are the frontline of protection for user accounts. The purpose of this guideline is to help users to construct, protect and maintain passwords and passphrases.
Technical Guideline for Securing Public Internet Access Points (Computer Clubs, Cyber Caravans, Post Offices)
This guideline helps technical persons working in computer clubs, cyber-caravans and Public Internet Access Points (PIAPs) to set up their infrastructures securely so as to enable users to access the Internet safely.
Security Guideline for Users on Public Internet Access Points (Computer Clubs, Cyber Caravans, Post Offices)
This guideline covers the security risks associated with accessing the Internet in public places such as post offices, computer clubs and cyber caravans. It also focuses on the precautionary measures required to use the Internet in those places.
Guideline on Spam Control
The purpose of the Guideline on Spam Control is to help users in managing their email accounts and systems with a view to counteracting spam emails. The target audience for this guideline includes IT managers or officers, security managers and home users.
Guideline on Auditing and Log Management
This guideline is aimed at assisting organisations in understanding the need for sound computer auditing and log management and the best practices that need to be followed to meet existing challenges. The target audience for this document includes computer security staff and program managers; system, network, and application administrators; computer security incident response teams; and others who are responsible for performing duties related to computer security audit and log management.
Guideline on E-mail Best Practices
The guideline on Email Best Practices is aimed at providing users with a secure online experience when dealing with e-mails. The target audience for this document includes any person who makes use of e-mail.
Guideline on Windows 7 Parental Controls
This guideline is aimed at assisting parents in protecting children’s online interactions and activities. The target audience for this guideline is parents, teachers, rectors and the public in general, who can help children to stay safe and more secure on the Internet.
Guideline on Incident Handling and Reporting
The purpose of this guideline is to provide the basis for the creation of incident response policies, plans, procedures, and teams to handle incidents within an organisation. The guideline also includes an incident handler’s checklist template that can be used to ensure that each incident response step is followed during an incident. The guide focuses on computer security related incidents, and the target audience is IT professionals and managers responsible for incident handling and management.
Guideline on Wireless Security
The guideline on Wireless Security is focused on helping organisations to secure their wireless networks against attacks. It is also aimed at guiding individual users who make use of wireless networks to surf the Internet at home and in public places.
Guideline on Debit or Credit Cards Usage
This guideline provides an overview of the bank cards available for use and their security aspects in terms of access. The target audience of this guideline includes all users of debit and credit bank cards.
The guidelines can be downloaded from the CERT-MU website.
Security Tip:
Do not accept offers of “Free PC Scans” that pop up when you use the Internet
When you surf the Internet, you are likely to see pop-up windows that tell users that their systems have been infected with spyware and offer “free spyware scans”. Beware of these types of pop-ups, because such scans do not just give misleading results; they can also install unwanted software on your PC. Often the pop-ups only have a “scan” button and no “cancel” or “quit” option. To be safe, it is better to close such pop-ups or to use pop-up blocker software.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court,
La Poudriere Street, Port Louis
Tel: 210 5520
Fax: 208 0119
Website: www.cert-mu.org.mu
Incident Reporting
Hotline: 800 2378
Email: [email protected]
Vulnerability Reporting
Email: [email protected]
For Queries
Email: [email protected]
Subscription to Mailing Lists
Email: [email protected]