PLEASE NOTE THAT ALL STERLING IT MANAGED CLIENTS WILL BE AUTOMATICALLY PATCHED.
IF YOU REQUIRE ASSISTANCE WITH THIS, PLEASE CONTACT STERLING IT.
Newsletter – Secure browsing for social networks, uninstalling old programs, and more – SSO-NL2012-001
16 January 2012
Newsletter January 2012 (File size: 1574Kb)
Overview
The purpose of the Newsletter is to provide general advice about online security issues and help you learn to better manage the security of your computer and information when online.
This month’s newsletter will cover how to enable secure web browsing on the social networks Facebook and Twitter, how to uninstall old, unused or out-of-date programs from your computer, a tool which makes it easier to keep the software on Windows-based computers up to date, and a warning regarding unsolicited technical support phone calls that often purport to be from Microsoft.
Feedback
Thank you to those subscribers who have provided feedback to our Alerts, Advisories and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
SSL Secure web browsing for Facebook and Twitter
SSL/HTTPS provides the following security features to your web session when implemented correctly.
* The ability to check the web site digital certificate to verify the identity of the web site. The purpose of this is to help provide assurance that you are connected to the correct web site and not a fake impersonation.
* The use of encryption to conceal the content of the traffic sent between your computer and the web server (including passwords and other sensitive information).
* The ability to protect the integrity of the traffic to make sure it is not modified en route.
Facebook
In this Newsletter, we provide instructions for how to enable the use of SSL/HTTPS in Facebook. There are however a number of caveats:
* Firstly, you need to be logged in before you can turn this feature on. In some circumstances (described in the December 2010 newsletter) your personal information could already be exposed. We believe it should be on by default.
* Secondly, it can be deactivated without your knowledge, if you wish to connect to a Facebook page which does not support HTTPS.
In brief, the feature allows you to opt in to using SSL “whenever possible”. To turn on this feature, follow these steps:
1. Log into Facebook.
2. Click on the ‘Down Arrow’ in the top right corner of the Facebook page, and then select ‘Account Settings’ from the top right menu, as shown in figure 1 below.
Figure 1 – Facebook ‘Account Settings’
3. Select ‘Security’ from the menu on the left and then click ‘Edit’ on the right side of ‘Secure Browsing’, as shown in figure 2 below.
Figure 2 – Facebook ‘Security settings’
4. Tick the box next to “Browse Facebook on a secure connection (https) when possible”, and then click the ‘Save Changes’ button, as shown in Figure 3 below.
Figure 3 – Facebook ‘Secure browsing’
We recommend you activate this feature, but be aware that if you use any of the hundreds of Facebook applications, you may find your HTTPS setting is turned off and not automatically reactivated when HTTPS becomes possible again. The result is that your personal identifying information could be captured in some circumstances when you think it is being protected.
Remember – if you don’t see https in the web address (only http), then the traffic is being sent without encryption and potentially can be captured by third parties.
Twitter
Similarly to Facebook, Twitter also allows the use of SSL/HTTPS, but unlike Facebook it is enabled by default. If you browse to “http://twitter.com”, the website will automatically redirect you to “https://twitter.com”, ensuring that the login process takes place using SSL/HTTPS. However, it is still possible to deactivate secure browsing from within the Twitter ‘Settings’ page, so it is a good idea to ensure that this setting is activated at all times.
To check that this feature is enabled within Twitter, follow these steps:
1. Log into Twitter
2. Click on the ‘Head and Shoulders with Down Arrow’ in the top right corner of the Twitter page, and then select ‘Settings’, as shown in Figure 4 below.
Figure 4 – Twitter ‘Settings’
3. At the bottom of the ‘Settings’ page, ensure that the box next to ‘HTTPS Only’ is ticked to ‘Always Use HTTPS’, and then click ‘Save’, as shown in Figure 5 below.
Figure 5 – Twitter ‘HTTPS Only’ Setting
Remember, just as with Facebook – if you don’t see https in the web address (only http), then the traffic is being sent without encryption and potentially can be captured by third parties.
You can read more about SSL in the SSO Factsheet – What is a web site digital certificate and why is it important to check?
Removing old, unused or out of date programs from your computer
We have often discussed the importance of updating software that is installed on your computer to the latest version to ensure that you are protected from any potential vulnerabilities which may exist in older versions. But what about those old programs you don’t use any more, and what about old versions of software that you’ve updated but the old version hasn’t been removed automatically during the update process? For example, often Java will leave previous versions on your computer even after you upgrade. These too could contain vulnerabilities that may be exploited by criminals to attack your computer, even if you are not actively using the programs themselves.
The following instructions will help you remove old, out-of-date, unwanted or unused programs from Microsoft Windows 7, Microsoft Windows Vista, Microsoft Windows XP, Apple Mac OS X, Apple Mac OS X Lion and Ubuntu.
Microsoft Windows 7
1. Click on the Windows 7 ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 6 below.
Figure 6 – Microsoft Windows 7 ‘Start Menu’
2. Below ‘Programs’, click on ‘Uninstall a program’, as shown in Figure 7 below.
Figure 7 – Microsoft Windows 7 ‘Control Panel’
3. Select a program from the list of installed programs, and then click on ‘Uninstall’, as shown in Figure 8 below.
Figure 8 – Microsoft Windows 7 ‘Programs and Features’
Microsoft Windows Vista
1. Click on the Windows Vista ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 9 below.
Figure 9 – Microsoft Windows Vista ‘Start Menu’
2. Below ‘Programs’, click on ‘Uninstall a program’, as shown in Figure 10 below.
Figure 10 – Microsoft Windows Vista ‘Control Panel’
3. Select a program from the list of installed programs, and then click on ‘Uninstall’, as shown in Figure 11 below.
Figure 11 – Microsoft Windows Vista ‘Programs and Features’
Microsoft Windows XP
1. Click on the Windows XP ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 12 below.
Figure 12 – Microsoft Windows XP ‘Start Menu’
2. Click on ‘Add or Remove Programs’ within the Control Panel, as shown in Figure 13 below.
Figure 13 – Microsoft Windows XP ‘Control Panel’
3. Select the program you would like to uninstall and click the ‘Remove’ button, as shown in Figure 14 below.
Figure 14 – Microsoft Windows XP ‘Add or Remove Programs’
Apple Mac OS X
1. Navigate to “Applications”
2. Select the program you’d like to uninstall, and either drag the application icon to the “Trash”, or right-click and select “Move to Trash”, as shown in Figure 15 below.
Figure 15 – Apple Mac OS X ‘Applications’
While these simple instructions should cover removal of most programs under Apple Mac OS X, in some rare cases, such as some software from Adobe or Microsoft, some programs include their own uninstall applications. In these cases the specific uninstall applications for the program must be used to remove the software, and depending on the program itself, these can often be found in the original DMG file or on an original installation CD or DVD.
Apple Mac OS X Lion
1. Open the “Launchpad”
2. Click on and hold the mouse button on the icon of the application you would like to uninstall.
3. When the application icon begins to move, click on the black cross icon that appears, as shown in Figure 16 below.
Figure 16 – Apple Mac OS X Lion
As with Apple Mac OS X, in rare cases some programs installed on Apple Mac OS X Lion may include their own uninstall applications.
Ubuntu
For users of Ubuntu, the “Advanced Packaging Tool” provides functionality to check for updates to installed packages, and also to clean up unused packages from the operating system.
To check for updates to already installed software, simply type ‘apt-get check’ at the console. Note that ‘apt-get check’ only verifies the package cache and dependency state; to fetch the current package lists and then apply any available updates, run ‘apt-get update’ followed by ‘apt-get upgrade’.
To perform a clean-up of unused packages from the operating system, simply type ‘apt-get autoclean’ at the console. Note that ‘apt-get autoclean’ only deletes old downloaded package files from the local cache; packages that were installed as dependencies and are no longer needed are removed with ‘apt-get autoremove’.
Figure 17 – Ubuntu ‘Terminal Window’
Additionally, certain versions of Ubuntu also include graphical tools which can perform these actions without requiring the use of the console, however the functionality of these may vary from version to version. Most other distributions of Linux also come with similar package management solutions, either text based or graphical – users of other Linux distributions should check the appropriate documentation that accompanies their distribution.
Secunia’s Personal Software Inspector 2.0
A tool which checks that you have the latest version of plug-ins and a wide range of other software for Microsoft Windows is Secunia’s Personal Software Inspector (PSI) 2.0, which is free for home users only and available from:
https://secunia.com/vulnerability_scanning/personal/
Secunia has other products for businesses. To use this tool you will need to install software on your computer, but it checks for a wide range of vulnerable software – for the operating system, applications and plug-ins. It will report changes in the vulnerability of your software over time. According to the user instructions:
It constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.
Additionally, it will report on software that is the latest version but is known to contain security bugs for which the vendor has not yet released a newer version that fixes them. The following screenshot provides a sample of the output which would appear as the “Scan Results” after performing a scan of your PC.
Figure 18 – PSI Results displaying a number of out of date programs and offering solutions to update
This tool covers a wide range of software and can be a useful aid to checking and keeping your software up to date. Remember that if you have plug-ins or application software installed that is less common, then these may not be routinely included in the Secunia PSI check.
Criminals contacting potential victims by telephone to “repair” their computers
We have received reports that Australian Internet users are continuing to be contacted by telephone as part of scams involving their computers.
The scammer calls people at home by telephone and claims to have information that their computer has a problem – that it is infected with a virus, that it is running slow, or that the computer software is corrupted. In many cases, the scammer claims to work for Microsoft or for a company that can fix the problem, and seeks to persuade the potential victim to pay for a remote repair service via credit card and to install remote access software on the victim’s computer. Sometimes the criminals involved in these scams establish web sites to give the appearance that they are a legitimate business, but the web site exists only to facilitate the scam.
If you agree to install such software (even on a trial basis), you will give the criminal remote access to and control over your computer and all data on it, and may provide them with continuing access for malicious purposes, even after the software is uninstalled. Remote access software should only be installed when you know and have good reason to trust the party concerned.
For further information about how to detect such scams refer to the information in the June 2009 Stay Smart Online Newsletter.
If you believe your computer has problems that you are unable to fix, then look up the yellow pages to find a reputable local business to investigate and fix the problem for you, or if the problem affects software or hardware that is under warranty, contact the appropriate vendor. This way, if you experience any problems, such as fraud, then knowing the physical location and identity of the business involved will give you greater rights and recourse for law enforcement action under Australian law than if you do “business” with an entity that has its presence only ‘online’.
In August 2010 Microsoft published a warning to Australians regarding scams of this nature on their website which is still very relevant:
https://www.microsoft.com/australia/presspass/post/Microsoft-issues-warning-on-phone-scam
Important information regarding DNSChanger malware – SSO-AL2012-010
21 March 2012
Software and platform affected
Windows (all versions)
Mac OS X (all versions)
What is the problem?
Malware which alters a computer’s DNS (Domain Name System) settings, known as “DNSChanger” malware, has been in circulation for some time. DNS is an Internet service which translates user-friendly domain names (e.g. ssoalertservice.net.au) into the numerical Internet Protocol (IP) addresses (e.g. 203.15.34.230) which are used by computers to communicate with each other. By infecting a victim’s computer with this type of malware, criminals are able to alter the DNS settings on the user’s computer. By controlling the DNS settings on a victim’s computer, criminals force the infected computer to communicate with “bad” or “rogue” DNS servers, rather than legitimate “good” DNS servers. The criminals can then use these “bad” or “rogue” DNS servers to redirect unsuspecting users to fraudulent websites or interfere with a user’s web browsing. For example, if a user’s computer is infected with the DNSChanger malware and the user enters “google.com” in their web browser, rather than being taken to the legitimate “google.com” website, they would be taken to a fraudulent website instead.
In November 2011, the FBI uncovered a network of rogue DNS servers and took steps to disable them. However, by disabling the rogue DNS network, victims who are infected by the DNSChanger malware could lose access to DNS services entirely. To address this issue, the FBI developed a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims for a temporary period. As of July 9th 2012 the FBI will no longer be operating this service; computers that are infected with the DNSChanger malware could lose access to DNS services, preventing access to the Internet, including access to legitimate websites.
What we recommend you do
The Australian Government has created a diagnostic website which will, in most cases, confirm whether or not a user’s computer is infected with DNSChanger malware: Australian Government DNSChanger Diagnostic
The FBI has provided a PDF document with detailed instructions (including screenshots) to manually check the DNS settings on both Windows and Mac OS X based computers: FBI DNSChanger Malware Document
As a minimum step, we recommend that you click on the Australian Government’s diagnostic website and see whether it displays a green box with the words, “You do not appear to be affected by DNSChanger”.
Then, if you want to be more certain that this diagnosis is correct, it is also recommended that you follow the detailed instructions in the FBI’s PDF document to help to determine whether your computer is infected with DNSChanger. You should also perform a thorough virus-scan of your computer using an up-to-date virus scanner to ensure that it is not infected with the DNSChanger malware.
If you do find that you have been infected with the DNSChanger malware, you should seek professional assistance to ensure that the malware is removed successfully.
Additionally, this factsheet contains instructions to help detect and remove malware:
Where you can find more information
The Australian Government has also provided some additional information regarding the DNSChanger Malware here: DNSChanger Information
The FBI has also provided further information regarding internet fraud associated with the DNSChanger Malware here: Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business
Disclaimer
This Alert has been prepared by AusCERT for the Department of Broadband, Communications and the Digital Economy.
The information is intended for use by home users and small to medium sized businesses and is general information only and not intended as advice and was accurate and up to date at the time of publishing. The material and information in this Alert is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. In any important matter, you should seek professional advice relevant to your own circumstances.
The Commonwealth, AusCERT, and all other persons associated with this Alert accept no responsibility or liability for information either included or referred to in the Alert. No responsibility or liability is accepted for any damage, loss or expense incurred as a result of the information contained in the Alert, whether by way of negligence or otherwise.
The listing of a person or organisation in any part of this site or Alert does not imply any form of endorsement by the Commonwealth of the products or services provided by that person or organisation. Similarly, links to other web sites have been inserted for your convenience and do not constitute endorsement of material at those sites, or any associated organisation, product or service.
Please note that material in this Alert, as the case may be, includes views or recommendations of third parties, which do not necessarily reflect the views of the Commonwealth, or indicate its commitment to particular course of action. Material on this site or in this Alert may also include information provided by third parties. The Commonwealth cannot verify the accuracy of information that has been provided by third parties.
Apple releases iTunes 10.5 – SSO-AD2011-030.
12 October 2011
The following software is affected
Apple iTunes prior to version 10.5
for the following operating system platforms:
Windows XP SP2
Windows Vista
Windows 7
There is a bug in Apple iTunes software which, if not fixed, could result in your computer being attacked by criminals. Your personal and/or business information may be accessed for fraudulent or illegal purposes (eg, identity theft). Apple iTunes might crash and become unusable.
The problem can be easily fixed by updating to the latest version of the Apple iTunes software by starting iTunes, and clicking “Check for Update”. Alternatively, the latest version of Apple iTunes can be downloaded from the following location:
https://www.apple.com/itunes/download
More information about these security bugs can be found here:
https://support.apple.com/kb/HT4981
This Advisory has been prepared by AusCERT for the Department of Broadband, Communications and the Digital Economy.
The information is intended for use by home users and small to medium sized businesses and is general information only and not intended as advice and was accurate and up to date at the time of publishing. The material and information in this Advisory is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. In any important matter, you should seek professional advice relevant to your own circumstances.
The Commonwealth, AusCERT, and all other persons associated with this Advisory accept no responsibility or liability for information either included or referred to in the Advisory. No responsibility or liability is accepted for any damage, loss or expense incurred as a result of the information contained in the Advisory, whether by way of negligence or otherwise.
The listing of a person or organisation in any part of this site or Advisory does not imply any form of endorsement by the Commonwealth of the products or services provided by that person or organisation. Similarly, links to other web sites have been inserted for your convenience and do not constitute endorsement of material at those sites, or any associated organisation, product or service.
Please note that material in this Advisory, as the case may be, includes views or recommendations of third parties, which do not necessarily reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. Material on this site or in this Advisory may also include information provided by third parties. The Commonwealth cannot verify the accuracy of information that has been provided by third parties.
“Erases” files, icons as lead up to pitch for US$80 to buy worthless utility
Gregg Keizer (Computerworld (US))
17 May, 2011 03:07
Scammers are trying to trick Windows users into paying to fix bogus hard drive errors that have apparently erased important files, a researcher said today.
The con is a variant of “scareware,” also called “rogueware,” software that pretends to be legitimate but actually is just a sales pitch based on spooking users into panicking. Most scareware masquerades as antivirus software.
But Symantec researcher Eoin Ward has found a new kind of scareware that impersonates a hard drive cleanup suite that repairs disk errors and speeds up data access.
Dubbed “Trojan.Fakefrag” by Symantec, the fake utility ends up on a Windows PC after its user surfs to a poisoned site — often because the scammers have manipulated search engines to get links near the top of a results list — and falls for a download pitch, typically because it’s presented as something quite different, like video of a hot news topic.
Fake system or disk cleanup programs aren’t new — Symantec has highlighted the scareware subcategory before — but this malware goes above and beyond the call of counterfeit duty.
“[Trojan.Fakefrag’s] aim is to increase the likelihood of you purchasing a copy of Windows Recovery by craftily convincing you that your hard drive is failing,” said Ward in a company blog Monday, referring to the name of the fake suite that the Trojan shills.
The malware kicks off the scam by moving all the files in some folders to a temporary location, by hiding others and by making desktop icons disappear. All of that is followed by a message that looks like a valid Windows warning of impending hard drive doom.
“An error occurred while reading system files,” the on-screen message reads. “Run a system diagnostic utility to check your hard disk drive for errors.”
If the user clicks “OK,” the fraudulent “Windows Recovery” application launches, runs a series of sham scans that sound technical and legit, then reports multiple problems, including disk read-write errors.
With the hook set, the scammers try to reel in the victim by trying to get them to pay $79.50 for Windows Recovery, which will supposedly fix the make-believe issues.
Since the user has just seen his files and icons vanish, he or she is much more likely to fall for the scheme.
“It does a really convincing job of making it appear as though something is wrong,” said Ward. “When it ‘deletes’ files from your desktop, it does so in a very prominent way.”
No surprise, but the files aren’t deleted; they can be found with a quick local search, said Ward.
Windows isn’t the only operating system targeted by scammers. Last week, for example, Intego Security reported finding the first-ever Mac OS X rogueware.
Scammers have upped their “scareware” game by convincing Windows users that their hard drive is ready to croak.
Symptoms
You install several updates. After the successful installation, you notice you cannot add or remove features/roles in Server Manager.
Error: Unexpected error refreshing Server Manager: Exception from HRESULT:0x800F0818
Alternatively you can also get:
Server Manager: Unexpected error refreshing Server Manager: No signature was present in the subject. (Exception from HRESULT: 0x800B0100)
Resolution
First, run the Microsoft Update Readiness Tool, available here: https://support.microsoft.com/kb/947821
After the scan has completed, check C:\Windows\Logs\CBS\CheckSUR.log. You should see the following errors:
Checking Package Manifests and Catalogs
(f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum Expected file name Package_for_KB978601_server~31bf3856ad364e35~amd64~~6.0.1.0.mum does not match the actual file name
(f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.mum Expected file name Package_for_KB979309_server~31bf3856ad364e35~amd64~~6.0.1.0.mum does not match the actual file name
Or
(f) CBS MUM Corrupt 0x800B0100 servicing\Packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum servicing\Packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.cat Package manifest cannot be validated by the corresponding catalog
(f) CBS MUM Corrupt 0x800B0100 servicing\Packages\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.mum servicing\Packages\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.cat Package manifest cannot be validated by the corresponding catalog
Or
(f) CBS MUM Missing 0x00000002 servicing\packages\Package_114_for_KB955839~31bf3856ad364e35~amd64~~6.0.1.0.mum
(f) CBS MUM Missing 0x00000002 servicing\packages\Package_83_for_KB955839~31bf3856ad364e35~amd64~~6.0.1.0.mum
Further down you will see:
Unavailable repair files:
servicing\packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum
servicing\packages\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.mum
servicing\packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.cat
servicing\packages\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.cat
These files need to be copied into %systemroot%\Servicing\Packages (normally C:\Windows\Servicing\Packages).
1. You first need to gain control over that folder. To do this, use the following commands.
This makes the currently logged-on user (who needs administrative privileges) the owner of that folder:
takeown /F c:\Windows\Servicing\Packages /D y /R
Then assign full control using:
cacls c:\Windows\Servicing\Packages /E /T /C /G "UserName":F
This will grant you full control over the directory.
Optionally you can download this ZIP. Inside you have 2 REG files. If you install TakeOwnership.reg you will have a handy ‘Take Ownership’ entry in the right-click menu of every folder.
2. Now you need to gather the missing or corrupted files listed in CheckSUR.log:
– Download the KB files for the missing files, for example:
servicing\packages\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum
– Unpack them using the following command:
Expand -F:* UpdateKBXXXX.msu x:\DestinationDirectory
After you expand it you will see an UpdateKBXXXX.cab file. Expand it as well:
Expand -F:* UpdateKBXXXX.CAB x:\DestinationDirectory\CAB
Inside this cab you will need to grab 2 files: update.mum and update.cat
3. Rename the gathered update.mum and update.cat files exactly as they are specified in CheckSUR.log:
Ex.: update.mum for KB978601 will be:
Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum
Do the same for all the other missing/corrupt files and place them into the directory specified in CheckSUR.log (%systemroot%\servicing\packages).
After these steps the problem should be fixed. No reboot required.
If the Server Manager is not working even after doing these steps, run the Update Readiness Tool again and double-check the steps described above.
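As an added example (not part of the original article), the following Python script turns the CheckSUR.log entries from steps 2 and 3 into a rename plan: which hotfix .msu files to fetch, and what name each extracted update.mum or update.cat must be given. The log excerpt embedded in it is constructed from the lines quoted above, not taken from a real server.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed CheckSUR.log excerpt (not a real log) showing the three error
# shapes the article lists plus the summary list. Real logs separate fields
# with tabs; the whitespace-based parsing below tolerates either.
SAMPLE_LOG = """\
Checking Package Manifests and Catalogs
(f) CBS MUM Corrupt 0x00000000 servicing\\Packages\\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum  Expected file name Package_for_KB978601_server~31bf3856ad364e35~amd64~~6.0.1.0.mum does not match the actual file name
(f) CBS MUM Corrupt 0x800B0100 servicing\\Packages\\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.mum servicing\\Packages\\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.cat Package manifest cannot be validated by the corresponding catalog
(f) CBS MUM Missing 0x00000002 servicing\\packages\\Package_114_for_KB955839~31bf3856ad364e35~amd64~~6.0.1.0.mum

Summary:
Unavailable repair files:
 servicing\\packages\\Package_for_KB979309~31bf3856ad364e35~amd64~~6.0.1.0.mum
 servicing\\packages\\Package_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.cat
"""

# Manifest/catalog name: Package_[N_]for_KBnnnnnn~<token>~<arch>~~<version>.(mum|cat)
PKG_RE = re.compile(r"(Package_(?:\d+_)?for_(KB\d+)[^\s\\/]*?\.(mum|cat))\b",
                    re.IGNORECASE)
EXPECTED_RE = re.compile(r"Expected file name\s+(\S+)\s+does not match",
                         re.IGNORECASE)


@dataclass(frozen=True)
class RepairItem:
    kb: str       # hotfix the file belongs to, e.g. "KB978601"
    target: str   # file name to create under %systemroot%\Servicing\Packages
    source: str   # file to take from the expanded update .cab
    reason: str   # "Corrupt", "Missing" or "Unavailable"


def _item(name: str, reason: str) -> RepairItem:
    m = PKG_RE.search(name)
    if m is None:
        raise ValueError(f"not a package manifest/catalog name: {name}")
    return RepairItem(kb=m.group(2).upper(), target=m.group(1),
                      source="update." + m.group(3).lower(), reason=reason)


def parse_checksur(log_text: str) -> List[RepairItem]:
    """One RepairItem per file that must be placed into Servicing\\Packages.

    Deduplicated by target file name; an explicit '(f) CBS MUM ...' line wins
    over the 'Unavailable repair files' summary because it is seen first.
    """
    items: Dict[str, RepairItem] = {}
    in_summary = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("unavailable repair files"):
            in_summary = True
        elif line.startswith("(f)") and "CBS MUM" in line:
            in_summary = False
            reason = "Missing" if "CBS MUM Missing" in line else "Corrupt"
            exp = EXPECTED_RE.search(line)
            if exp:
                names = [exp.group(1)]  # CBS states the name it wants: rename to it
            else:
                names = [m.group(1) for m in PKG_RE.finditer(line)]
            for n in names:
                items.setdefault(n, _item(n, reason))
        elif in_summary:
            m = PKG_RE.search(line)
            if m is None:
                in_summary = False  # any other text ends the summary list
            else:
                items.setdefault(m.group(1), _item(m.group(1), "Unavailable"))
    return list(items.values())


def kbs_to_download(items: List[RepairItem]) -> List[str]:
    """Hotfix packages (.msu) that have to be fetched to rebuild the files."""
    return sorted({i.kb for i in items})


if __name__ == "__main__":
    plan = parse_checksur(SAMPLE_LOG)
    print("Download:", ", ".join(kbs_to_download(plan)))
    for it in plan:
        print(f"[{it.reason:<11}] {it.kb}: copy {it.source} -> {it.target}")
```

Point it at a real C:\Windows\Logs\CBS\CheckSUR.log by reading the file into parse_checksur instead of SAMPLE_LOG; the printed plan is the list of expand-and-rename operations from steps 2 and 3.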
Tudor Dimboianu
– Support Engineer / Enterprise Platforms Support (Core)