CERT-MU Quarterly | February 2013

CERT-MU eSecurity Newsletter | Volume 3 | Issue 1 | February 2013

Addressing the Need of Information Security for Intelligent Mauritius

Dear Readers,

Greetings from CERT-MU,

The year 2012 has seen significant developments in cyberspace and in the IT security industry. A number of cyber attacks have made the headlines, ranging from phishing scams, malicious software, mobile threats and government-sponsored attacks to incidents involving social networking sites. This eSecurity Newsletter presents the top security breaches of 2012 and predictions for 2013. It is expected that 2013 will witness more targeted malware attacks, a rise in hacktivism, more government-sponsored attacks and an increase in malware targeting Mac devices. Organisations will also face the security issues of cloud computing, Bring Your Own Device (BYOD), mobile computing and mobile devices.

Other issues highlighted in this eSecurity Newsletter are the security concerns of tablets, whose adoption is increasing rapidly. This e-newsletter also presents the CERT-MU events of 2012.

We trust that you will find the articles interesting and enjoy reading!

The e-Security Newsletter Team

CERT-MU is offering a free remote scanning service for organizations that wish to have their servers and network infrastructure scanned remotely. A full-fledged vulnerability report, including an in-depth analysis of each vulnerability and a complete solution guide, is produced at the end of the scan. The vulnerability scanning report gives the organization an insight into what is visible to a remote attacker and what steps need to be taken to secure the organization's infrastructure against external attacks.

Inside This Issue

The Growing Dark Side of Cyber Space
Is this the Year of Enterprise Tablets?
Tablets: Addressing the Security Issues
News Focus:
Windows 8: The Security Issues
Quick Response codes - a trick to drive traffic to unreliable sites
CERT-MU Events: The Journey of 2012
2012 Information Security Guidelines

The Growing Dark Side of Cyber Space

Cyberspace has always been characterized by change. With the rise of social networking, the shift to cloud computing and the rapid emergence of mobile forms of connectivity, there has been a major shift in the constitution of cyberspace. Although each of these developments is unique, together they have the combined effect of taking users out of an older communications paradigm and into new ones, governed by different rules, norms and principles. These developments bring innovation to cyberspace. But there is also a dark side of cyberspace, where hidden contests and malicious threats are growing from the inside out. These developments are providing new vectors of attack. In 2012, attackers extended their reach to more platforms, from social networks and cloud services to Android mobile devices. They responded to new security research findings more rapidly and leveraged zero-day exploits more effectively.

2012 was the year of hacktivism, Bring Your Own Device (BYOD) and cloud computing. Many organisations had already started to deal with the implications of cloud computing in 2011, and 2012 was a continuation of these efforts. Hacktivism conquered the public stream of consciousness while the adoption of BYOD within enterprises increased. Hacktivism and the increased sophistication of threats have forced the IT security industry to devise more layered defenses. IT security departments have never been under more pressure, as breaches and incidents became more visible and frequent. Cybercriminals focus on the weak spots, use a technique until it becomes less effective, and then move on to the next frontier. Security is at the heart of the BYOD and cloud revolution. Protecting data in a world where systems change rapidly and information flows freely requires a coordinated ecosystem of security technologies at the endpoint, at the gateway, on mobile devices and in the cloud.

Information security continues to grow more complex, and 2013 will be no exception. Yet knowing how threats worked during the year will enable the IT security industry to be better prepared for 2013. Security firms have started publishing predictions, which can be used to perform the necessary security evaluations and develop specific action plans to tighten defenses and prepare for the coming threats. The top security breaches of 2012 are discussed below, followed by predictions for 2013.

Top Security Breaches of 2012

Flashback hits Mac OS X

Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it was not until April 2012 that it became really widespread. According to news sources, Flashback infected over 700,000 Macs, making it the biggest known Mac OS X infection to date. Two main factors contributed to this attack: a Java vulnerability, and the general sense of apathy among the Mac faithful when it comes to security issues. Flashback remains relevant because it demolished the myth of invulnerability surrounding the Mac.

Flame and Gauss: nation-state cyber-espionage campaigns

In April 2012, a series of cyber attacks destroyed computer systems at several oil facilities in the Middle East. The malware responsible for the attacks was named "Wiper" and resembled Duqu and Stuxnet. During the investigation, security experts stumbled upon a huge cyber-espionage campaign known as Flame. Flame is one of the most sophisticated pieces of malware ever created. When fully deployed onto a system, it has more than 20 MB of modules which perform a wide array of functions, such as audio interception, Bluetooth device scanning, document theft and taking screenshots from the infected machine. The most impressive part is that it made use of a fraudulent certificate chaining to a Microsoft root (obtained through an MD5 collision against certificates issued by Microsoft's Terminal Server Licensing Service) to perform a man-in-the-middle attack against Windows Update, which allowed it to infect fully patched Windows 7 PCs. This attack was suspected to be a nation-state operation. According to analysis by security experts, the close similarities between the two indicate that the Flame developers worked together with the Stuxnet developers. The appearance of Flame showed that highly complex malware can exist undetected for several years. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns. Gauss is remarkable for a variety of things, some of which remain unexplained. The use of a custom font named "Palida Narrow", and an encrypted payload whose decryption key depends on the configuration of the specific target machine (possibly one disconnected from the Internet), are among the many unknowns. It is also the first government-sponsored banking Trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon. With Flame and Gauss, a new dimension was injected into the Middle East battleground: cyber war and cyber warfare. It appears there is a strong cyber component to the existing geopolitical tensions.

The explosion of Android threats

During 2011, a number of malicious threats targeted the Android platform. In June 2012 alone, more than 7,000 malicious Android programs were detected, and more than 35,000 were discovered over the year, about six times the 2011 figure. The huge growth in Android malware is due to two reasons, one economic and one platform related. Android has become one of the most popular and widespread operating systems for mobile phones. The open nature of the operating system, the ease with which apps can be created and the wide variety of application markets have combined to shine a negative spotlight on the security of the Android platform.

LinkedIn, Last.fm, Dropbox, Gamigo, Android Forums and world's top 100 universities password leaks

On 5 June 2012, LinkedIn, one of the world's biggest social networks for business users, was hacked and the password hashes of more than 6.4 million people were leaked on the Internet. Through the use of fast Graphics Processing Unit (GPU) cards, security researchers recovered 85% of the original passwords. LinkedIn stored the passwords as unsalted SHA-1 hashes. Although better than the very popular MD5, SHA-1 is a fast general-purpose hash, and modern GPU cards can test hundreds of millions to billions of candidates per second against it; without a salt, every leaked hash can be attacked with the same candidate list in one pass, and identical passwords produce identical hashes. The appropriate defence is a salted, deliberately slow password hash such as bcrypt, scrypt or PBKDF2. Similar attacks were targeted at popular web services such as Dropbox, Last.fm and Gamigo, whereby user accounts were leaked. More than 8 million passwords were leaked to the public during the Last.fm and Gamigo attacks. Android Forums (AndroidForum.com) was also hacked and more than 1 million user account details were stolen. At the end of August 2012, a group of hackers known as 'Team GhostShell' published the details of around 1 million accounts stolen from over 100 websites across the world as part of an operation called 'Project HellFire'.
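The point about unsalted, fast hashes deserves a worked illustration. The Python script below is an added example written for this page, not code from CERT-MU, LinkedIn or any of the breached services: it builds a small constructed table of unsalted SHA-1 hashes, shows that a dictionary attack recovers them in a single pass over the wordlist, and contrasts that with the salted PBKDF2 scheme the passage recommends (the hardened half goes beyond what the newsletter itself shows). The user names, passwords and wordlist are made up, and the iteration count is a placeholder for illustration, not a recommendation.

```python
"""Added example: why unsalted SHA-1 password hashes fall quickly, and what a
salted, deliberately slow hash changes.  Not code from the newsletter; the
user records and wordlist below are constructed for illustration only."""
import hashlib
import hmac
import os

# Constructed sample of what a leaked table looks like when passwords are
# stored as plain SHA-1 with no salt.  Two users share the same password.
USERS = {
    "alice": "Summer2012",
    "bob": "linkedin",
    "carol": "Summer2012",
    "dave": "xk9#Qw!2vT8p",   # not in any wordlist, survives the attack
}

# Constructed wordlist standing in for the dictionaries and mangling rules
# a GPU cracker would use.
WORDLIST = ["password", "123456", "linkedin", "Summer2012", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt, so equal passwords hash equally."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Dictionary attack on an unsalted table.

    Each candidate is hashed once and looked up against every leaked hash, so
    the cost is len(wordlist) hashes regardless of how many users leaked.
    A GPU does this at hundreds of millions of SHA-1 operations per second.
    """
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """The hardened scheme: random per-user salt plus a slow key derivation.

    PBKDF2-HMAC-SHA256 is in the standard library; bcrypt, scrypt or Argon2
    are equally good choices.  The iteration count (a placeholder here) is
    what makes every single guess expensive for the attacker.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Run the weak and hardened schemes over the constructed users."""
    leaked = {u: sha1_unsalted(p) for u, p in USERS.items()}
    recovered = crack_unsalted(leaked, WORDLIST)
    hardened = {u: pbkdf2_store(p) for u, p in USERS.items()}
    # With per-user salts, alice and carol no longer share a record, so one
    # cracked hash reveals nothing about the other and precomputed tables fail.
    return recovered, hardened


if __name__ == "__main__":
    recovered, hardened = demo()
    print("recovered from unsalted SHA-1:", recovered)
    print("alice == carol, unsalted:",
          sha1_unsalted(USERS["alice"]) == sha1_unsalted(USERS["carol"]))
    print("alice == carol, salted:  ", hardened["alice"] == hardened["carol"])
```

The attack function never touches the salted records: to attack them, the cracker would have to run the full PBKDF2 loop for every candidate and every user separately, which is exactly the cost multiplication that a leaked LinkedIn-style table lacked.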

Global Payments breach and Operation High Roller, the biggest cyber bank robbery in history

The world also witnessed multiple attacks and security breaches involving financial institutions. One of the most talked-about security breaches was that of Global Payments, which exposed about 1.5 million card accounts. Global Payments processes transactions for Discover, American Express, Visa and MasterCard. There was also Operation High Roller, referred to as the biggest cyber bank robbery in history. This attack was a massive automated bank raid in which fraudsters targeted some sixty million euros in accounts at dozens of financial institutions around the world. According to a joint report by the security firm McAfee and Guardian Analytics, more than 60 firms were hit by attackers who showed what the report called an "insider level of understanding" of banking transaction systems. The attacks began in Europe but later spread to Latin America and the United States.

The DNSChanger shutdown

Between 2007 and 2011, the DNSChanger malware infected four million computers in 100 countries. Often without the victims' knowledge, their computers had their DNS settings changed to point at rogue servers controlled by the criminals, which redirected them to websites and advertisements in a scheme to generate fraudulent advertising revenue. The FBI succeeded in taking control of the rogue DNS servers. However, rather than simply switching off the servers to which millions of computers were still connecting, federal agents replaced them with legitimate ones. The replacements sustained connectivity for infected machines and provided time for an industry consortium called the DNSChanger Working Group to identify the IP addresses of infected computers and attempt to notify their users. The replacement servers were finally switched off on 9 July 2012, after which any machine still configured with the rogue addresses lost name resolution.

Shamoon attacks

In the middle of August 2012, another piece of malware was discovered, used in specific targeted attacks against companies in the energy industry. The malware was used in particular in an attack against Saudi Aramco, one of the world's largest oil conglomerates. According to reports, more than 30,000 computers were wiped by the malware. The malware was named "Shamoon" or "W32.Disttrack" by various security firms. Shamoon is a destructive malware that corrupts files on a compromised computer and overwrites the Master Boot Record (MBR) in an effort to render the computer unusable. Some of Shamoon's components reminded security analysts of the Flame malware. It was a two-stage attack in which the attackers took control of an internal machine connected to the Internet and used it as a proxy to the external command-and-control server, then infected other internal machines from it. Once the machines were infected, the wiper component was triggered, overwriting files and the MBR so that the stolen data, the malware's own traces and the machine itself were destroyed together.

The DSL modem hacks

In October 2012, the details of an attack that had been taking place in Brazil since 2011 were published by a security firm. The attack used a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers: the vulnerability allowed the modems' DNS settings to be changed remotely, so that victims' traffic was resolved by servers under the attackers' control. This operation affected six hardware manufacturers, resulting in millions of Brazilian Internet users falling victim to a sustained and silent mass attack on DSL modems. In March 2012, Brazil's CERT team confirmed that more than 4.5 million modems had been compromised in the attack and were being abused by cybercriminals for all sorts of fraudulent activity.

The Adobe certificate theft and the omnipresent Advanced Persistent Threat (APT)

In September 2012, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code-signing certificate. Adobe's private keys were stored in a Hardware Security Module (HSM), a special cryptographic device which makes attacks on the key itself much more complicated. Nevertheless, the attackers were able to compromise a build server that was authorised to submit code-signing requests, so the key never had to leave the HSM for the attackers to obtain validly signed malware; Adobe subsequently revoked the certificate. This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT. The fact that a high-profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available to these high-level attackers.

Security Predictions - 2013

As 2012 has come to an end, security firms have started to make predictions about what Web users, organisations and security professionals can expect to see in 2013. The predictions for 2013 according to several security firms are as follows:

The onward march of 'hacktivism'

The dimension of hacktivism has changed considerably. The motives behind these attacks are not solely to steal money by directly accessing bank accounts or by stealing confidential data. Sometimes the aim of an attack is to make a political or social point. The year 2012 witnessed several such attacks. Examples include the DDoS attacks launched by Anonymous on government websites in Poland, following the government's announcement that it would support ACTA (the Anti-Counterfeiting Trade Agreement); the hacking of the official F1 website in protest against the treatment of anti-government protesters in Bahrain; the hacking of various oil companies in protest against drilling in the Arctic; the attack on Saudi Aramco; and the hacking of the French Euro-millions website in protest against gambling. Society's increasing reliance on the Internet makes organizations of all kinds potentially vulnerable to attacks of this sort; therefore 'hacktivism' looks set to continue into 2013 and beyond.

Government-sponsored attacks will increase as new players enter

In 2013, more governments are expected to enter the cyber-warfare arena and develop cyber weapons designed to steal information or sabotage systems. It is also possible that we may see 'copy-cat' attacks by non-state actors, with an increased risk of 'collateral damage' beyond the intended victim of the attack. The targets for such cyber attacks could include energy supply and transportation control facilities, financial and telecommunications systems and other 'critical infrastructure' facilities. In the wake of several public cyber-warfare events, a number of contributing factors will drive more countries towards these strategies and tactics, as countries and individual cybercriminals alike have access to the blueprints of previous state-sponsored attacks like Stuxnet, Flame and Shamoon.

The use of legal surveillance tools

In recent years, cybercrime has become more and more sophisticated. This has created new challenges not only for anti-malware researchers, but also for law enforcement agencies around the world. Their efforts to keep pace with the advanced technologies used by cybercriminals are driving them in directions that have obvious implications for privacy and civil liberties, including the use of technology to monitor the activities of those suspected of criminal activities. Law enforcement agencies and governments will try to stay one step ahead of the criminals, and it is likely that the use of such tools, and the debate surrounding their use, will continue.

Cyber extortion

In 2012 there was a growing number of ransomware Trojans designed to extort money from their victims, either by encrypting data on the disk or by blocking access to the system. In the past, this type of cybercrime was confined largely to Russia and other former Soviet countries, but it has now become a worldwide phenomenon. In Russia, for example, Trojans that block access to the system often claim to have identified unlicensed software on the victim's computer and ask for a payment. In Europe, where software piracy is less common, this approach is not as successful. Instead, they masquerade as pop-up messages from law enforcement agencies claiming to have found child pornography or other illegal content on the computer, accompanied by a demand to pay a fine. Such attacks are easy to develop and, as with phishing attacks, there seems to be no shortage of potential victims. As a result, we are likely to see their continued growth in the future.

Mac OS malware

Despite the myth that Macs are immune to malware, 2012 proved it wrong. Of course, compared to the torrent of malware targeting Windows, the volume of Mac-based malware is small. However, the Flashback Trojan infected over 600,000 Mac computers around the world, forming a botnet. In 2013, the threat to the Mac is expected to grow.

Mobile malware

Mobile malware has exploded in the last 18 months. The lion's share of it targets Android-based devices: more than 90 per cent is aimed at this operating system. Android is widely targeted because it is easy to develop for and because users can install programs from wherever they choose, not only from an official store. For this reason, there is unlikely to be any slow-down in the development of malicious apps for Android. To date, most mobile malware has relied on the user installing it to gain access to the device. In the future, it is likely that we will see exploits of vulnerabilities in the operating system itself and, based on these, drive-by downloads. According to security experts, there is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. More mobile botnets are also expected.

Cybercriminals will use bypass methods to avoid traditional sandbox detection

More organisations are using virtual machine defenses to test for malware and threats. As a result, more attackers are taking new steps to avoid detection by recognizing virtual machine environments and behaving benignly inside them. Such methods will attempt to identify a security sandbox, just as past attacks targeted specific anti-virus engines and turned them off.

Cybercriminals will follow the crowds to legitimate content management systems and web platforms

Vulnerabilities in WordPress have frequently been exploited in mass compromises. As other Content Management Systems (CMS) and service platforms increase in popularity, the bad guys will routinely test the integrity of these systems. Attacks will continue to exploit legitimate web platforms, requiring CMS administrators to pay greater attention to updates, patches (for plugins and themes as well as the core) and other security measures. Cybercriminals compromise these platforms to host their malware, infect users and invade organizations to steal data.

Vulnerabilities and exploits

One of the key methods used by cybercriminals to install malware on victims' computers is to exploit unpatched vulnerabilities in applications. This relies on the existence of vulnerabilities and on the failure of individuals or businesses to patch their applications. Java vulnerabilities currently account for more than 50 per cent of attacks, while Adobe Reader accounts for a further 25 per cent. This is not surprising, since cybercriminals typically focus their attention on applications that are widely used and are likely to remain unpatched for the longest time, giving them a sufficient window of opportunity to achieve their goals. Java is not only installed on many computers (1.1 billion, according to Oracle), but its updates are installed on demand, not automatically. For this reason, cybercriminals will continue to exploit Java in the year ahead. It is likely that Adobe Reader will also continue to be used by cybercriminals, but probably less so because the latest versions provide an automatic update mechanism.

Cloudy with a chance of malware

The use of cloud services will increase in the coming years. Two factors are driving the development of these services: cost and flexibility. The economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. In terms of flexibility, data can be accessed any time, any place, anywhere and from any device, including laptops, tablets and smartphones. But as the use of the cloud grows, security threats targeting it will also increase. Firstly, the data centers of cloud providers form an attractive target for cybercriminals. 'The cloud' may sound comfortable as a concept, but looked at from the perspective of a cybercriminal, it offers a potential single point of failure: large quantities of personal data are held in one place and can be stolen if the provider falls victim to a successful attack. Secondly, cybercriminals are likely to make more use of cloud services to host and spread their malware, typically through stolen accounts. Thirdly, data stored in the cloud is accessed from a device in the 'non-cloud' world. Therefore, if a cybercriminal is able to compromise the device, they can gain access to the data, wherever it is stored. The wide use of mobile devices, while offering huge benefits to a business, also increases the risk: cloud data can be accessed from devices that may not be as secure as traditional endpoint devices. When the same device is used for both personal and business tasks, that risk increases still further.

Is this the Year of Enterprise Tablets?

A tablet PC is a portable computer that the user controls through a touch-screen interface. It was designed to be operated by a single user for personal computing, rather than shared among a group. In addition to touch screens, users can make use of virtual keyboards or a digital pen to interact with them. Microsoft introduced the concept of a tablet PC in 2001. Today, a tablet PC refers to any portable device with a touch-screen interface. Most of today's tablet PCs offer WiFi and 3G/4G for connecting to the Internet. The introduction of quad-core processors to tablets, 4G, cloud computing and the continuing adoption of HTML5 will make the tablet even more integrated into the work environment. Several kinds of software, such as web browsers, office utilities and games, can be used on a tablet PC. Several brands of tablet PC are available today; the most popular are the Apple iPad, Samsung Galaxy Tab, BlackBerry PlayBook, HP TouchPad and Dell Streak, amongst others. There are many benefits to using tablet PCs, but there are also potential security risks when using tablets within the enterprise.

By 2015, mobile app development projects will outnumber native PC projects by a ratio of 4-to-1. Enterprise tablet adoption will grow by almost 50% per year.

Tablets: Addressing the Security Issues

Portable devices such as tablets give users convenient access to business and personal data. As their use increases, so do the associated risks. The features that make these devices portable and enable them to connect on the fly to various networks and hosts also make them vulnerable to loss of physical control and to network security breaches. Using tablets can increase the risk of data loss when the physical device is lost, of data exposure when sensitive data is disclosed to the public or a third party without consent, and of network-based attacks to and from any system the device is connected to over the Internet.

The trend of Bring Your Own Device (BYOD) has accelerated the use of tablet PCs in the corporate working environment. As a result, many employees use their own tablets for accessing their company accounts. More importantly, most companies do not actively monitor what official data the employee accesses via these devices. The fact that the employee is allowed to gain access to all the information he needs is what poses the actual security threat. Though there are many companies which do not encourage the use of personal tablets for office use, there are many that do not actually object to employees accessing their official accounts through these devices.

The use of tablet PCs also raises questions about data security. The data encryption techniques used on tablet PCs have not yet been proven in practice. Some security experts have shown that the encryption can be bypassed and the data stolen, for instance where the key protecting the data is unlocked by a short numeric PIN that can be brute-forced, or where the device has been jailbroken or rooted. Tablets are still relatively immature as a technology. They do not receive many patches and updates, and the update cycle is not as frequent as for Windows. In addition, the user has a high level of privilege on the device. Little research has yet been done on tablet PC security, and new tablet PCs are often released on completely different operating systems. With increased accessibility and new ways of interacting with the user, tablet PCs give hackers numerous ways to gain access to data.

The third-party applications that users download to their tablet PCs can be useful, but they may also pose problems. It is possible for these applications to carry malware that is hidden from the user and bypasses the store's security tests. The malware can allow a hacker to gain control of the device and perform illegal actions or steal user data easily. Many applications require personal data and, through them, attackers can spam the user or steal the user's identity.

Tablets have a lot of capabilities, but they are not appropriate for everything and cannot replace notebooks. Many traditional computer programs will not work on tablets, and documents sent from a computer to a mobile device may end up losing some key characteristics. Certain organisations may think that it will be easy to obtain the right apps for their needs, but most companies do not have the means to produce and constantly update mobile applications. Even though the iPad and Android app stores have many more offerings than the stores of less popular tablets, they still have limitations. That is why users of tablets should take the necessary measures at their end to secure their tablets. Some useful tips to improve the security of tablets are given below:

Be careful when giving out personal information

Make sure that you provide personal information only to highly trusted parties. Providing information to untrusted applications or websites can increase the chances of identity theft. You may also start to receive spam messages.

Verify the information requested by applications

Several applications ask for administrative permissions on the device and for control of hardware devices. Before allowing this access, verify that the application’s function actually requires access to the hardware. For example, if a weather reporting application asks for permission to access the device’s camera or microphone, be suspicious. It is likely that the application contains malware.
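As an added illustration of this check (example code, not from CERT-MU or any app store), the following Python audits the permissions declared in an Android manifest against what a given category of app can justify; the manifest, the per-category table and the high-risk list are constructed assumptions.

```python
"""Audit the permissions an Android app requests against its stated
function. Added example (not CERT-MU code); the manifest, the category
table and the high-risk list below are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical weather app that also asks for
# the camera, microphone and device-admin rights it has no reason to need.
WEATHER_APP_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/>
</manifest>"""

# Permissions a category of app can plausibly justify (assumed table).
EXPECTED_BY_CATEGORY = {
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

# Permissions that hand over hardware or device control and deserve a
# second look whatever the app claims to be (assumed list).
HIGH_RISK = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_DEVICE_ADMIN",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def audit(manifest_xml, category):
    """Split requested permissions into expected, unexpected and high-risk.

    'suspicious' is True when the app asks for hardware or device control
    that its category does not explain, the weather-app case in the text.
    """
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = requested - expected
    return {
        "expected": sorted(requested & expected),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK),
        "suspicious": bool(unexpected & HIGH_RISK),
    }


if __name__ == "__main__":
    for key, value in audit(WEATHER_APP_MANIFEST, "weather").items():
        print(f"{key}: {value}")
```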

Use banking applications that are officially released

Verify that the applications you use for financial or banking purposes are officially released by the bank or the financial group. Using unauthorized third-party applications can be dangerous because they increase the chances of identity theft.

Regularly update your tablet PC

Updating your device with the latest software from the manufacturer is one of the most important ways to protect it. These updates will usually contain fixes for some of the security problems that may have been present earlier.

Turn off wireless features such as GPS and Wi-Fi when not using them

When you are not using GPS or Wi-Fi, it is advisable to turn these features off to make sure that malicious entities and rogue applications are not able to take advantage of them.

Use Bluetooth with caution

When you are not using Bluetooth, turn it off. If you are using Bluetooth, make sure that it is in “non-discoverable” or “hidden” mode by changing the settings of your device.

Download trustworthy content only

Download content from trusted websites and official application stores. For the Apple iPad, the AppStore is the official application store. For Android based tablets, it is Google Market.

Cyber Security Events 2013

4th Annual Cybersecurity Symposium
February 22, 2013
Washington

The Second International Conference on Cyber Security, Cyber Peacefare and Digital Forensic (CyberSec2013)
The Asia Pacific University of Technology and Innovation (APU)
March 4-6, 2012
Kuala Lumpur, Malaysia

3rd Annual Cyber Security Summit
April 11-12, 2013
Prague, Czech Republic

Security Professionals Conference
April 15-17, 2013
St-Louis, Missouri

2013 IEEE Symposium on Computational Intelligence in Cyber Security
April 15-19, 2013
Singapore

Security Tip: Avoid Default Installations

Devices or applications often come with default configurations and this poses high security risks. Attackers can easily exploit the default passwords. Necessary measures should be taken to change the default passwords to better protect the devices or applications.

News Focus: Windows 8: The Security Issues

Windows 8 is the new version of Microsoft Windows that follows Windows 7. The new Windows 8 is all about apps and a completely reworked interface similar to the recently released version of Windows Phone 7. It features a new Metro-style interface that is designed for touchscreen input. It also adds support for the ARM processor architecture in addition to the previously supported x86 microprocessors from Intel and AMD. Its server counterpart is codenamed Windows Server 8. Windows 8 offers more features than other existing Windows platforms and has also been hyped as Microsoft’s most secure operating system, featuring strong security enhancements. However, there are security issues associated with it which organisations must be aware of. According to security experts, there are five potential loopholes on the Windows 8 platform, and they are discussed below:

Threats on Windows 7 will work across Windows 8

Windows 8 maintains backward compatibility with Windows 7. Hence a vast majority of legitimate and malicious programs will also run unaltered on Windows 8 devices. To reach the largest number of users, hackers typically work on malware which runs not only on Windows 8 but also on previous versions of the operating system, from Windows XP to Windows 7. Since the number of PCs currently running Windows 8 is still small, there is not much malware designed for the operating system yet. However, cybercriminals will start testing Windows 8 as users slowly migrate to the operating system.

New cyber-attacks already surfacing

Since the release of the Windows 8 platform, fake antivirus and phishing attacks aimed at the operating system have already been discovered. Security firms discovered a fake antivirus named TROJ_FAKEAV.EHM, which displays fake scanning results to intimidate users into purchasing its fake antivirus program, packaged as a security tool made for Windows 8. Recently, a phishing attack was also intercepted which pretended to originate from the “Microsoft Windows 8 team”, offering free software through a web link. When users click on the link, they are taken to a web page on a Slovakian web server asking them to enter their username, password, e-mail address and server domain name.

Social engineering not addressed

According to security experts, no steps were taken to mitigate social engineering in prior versions of Windows, and it has not been addressed in Windows 8 either. Social engineering is one of the biggest security threats today, as the user is often an “easy and successful target”, unable to distinguish between scams and legitimate items. Phishing attacks that leverage social engineering have already surfaced since the launch of Windows 8, and little new has been done in Windows 8 to prevent this type of attack. This remains one of the biggest security holes.

Security additions still perimeter-based

Many of the added features in Windows 8, such as Early Launch Anti-Malware (ELAM) and the scanning of files with Defender, are still based on signature-based technologies, in an age where such technologies will not be useful in protecting against these cyber-attacks. As such, other security technologies which go beyond perimeter defense must be used along with Windows 8. For example, having a security tool which can catch an attack in real time, based on behavior, will complement the security offerings in Windows 8.

Vulnerabilities exist on Windows 8

In the preview release of Windows 8, vulnerabilities were discovered. Even though some of these were also present in older versions of the operating system and applications, there will be vulnerabilities in the new operating system and attackers will try to exploit them. Moreover, a French penetration-testing company has already found a way to bypass security mechanisms of Windows 8. ELAM is also based on loading a trusted module during the boot process until the full antivirus engine is loaded. However, there have been cases where valid certificates of Microsoft and Adobe were used by malware, which was able to evade antivirus scanners.

QR Codes - a trick to drive traffic to unreliable sites

Quick Response codes (QR codes) are two-dimensional matrix barcodes that can be scanned by smartphones and link users directly to a website without having to type in its address. By using QR codes as a jump-off point to unreliable sites, cybercriminals can disguise the ultimate destination of links. It has been observed that spammers are not only embedding QR codes that point to URLs in spam messages, but also printing out labels and leaving them in well-trafficked locations. According to security firm Symantec, cybercriminals are taking advantage of the burst in the number of QR codes over the last few years. Since QR codes resemble pictures, it is very difficult to distinguish between the genuine and malicious ones. This makes it easy to trick users into scanning codes that may lead to an infected or phishing site. Users can protect their smartphones by installing a QR reader that can check a website’s reliability before visiting it.
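An added example, not from the newsletter or any particular QR reader, of the kind of pre-visit check such a reader can run on the URL decoded from a code before opening it; the heuristics, the shortener list, the allowlist and the sample URLs are assumptions constructed for illustration.

```python
"""Pre-visit check of a URL decoded from a QR code. Added example; the
heuristics, shortener list and sample payloads are constructed assumptions,
not the newsletter's or any reader's code."""
import ipaddress
from urllib.parse import urlsplit

# URL shorteners hide the final destination, the same trick the QR code
# itself plays (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


def check_qr_url(payload, trusted_domains=frozenset()):
    """Classify a decoded QR payload as 'trusted', 'ok' or 'suspicious'.

    Returns (verdict, reasons). trusted_domains is an allowlist of
    registrable domains the user has decided to trust outright.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, market: and similar schemes trigger actions, not pages
        return "suspicious", [f"non-web scheme '{scheme or 'none'}'"]
    if not host:
        return "suspicious", ["no host in URL"]
    if host in trusted_domains or any(
        host.endswith("." + d) for d in trusted_domains
    ):
        return "trusted", []

    reasons = []
    if scheme == "http":
        reasons.append("plain HTTP, no transport protection")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if host in SHORTENERS:
        reasons.append(f"URL shortener {host} hides the final destination")
    if "xn--" in host:
        reasons.append("punycode (IDN) host, possible look-alike domain")
    if "@" in parts.netloc:
        reasons.append("userinfo before the host, classic URL obfuscation")
    if host.count(".") >= 4:
        reasons.append("deeply nested subdomains, brand name may be buried")
    try:
        port = parts.port
    except ValueError:
        port = -1  # unparsable port string
    if port not in (None, 80, 443):
        reasons.append(f"non-standard or malformed port {port}")

    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a reader might decode them from codes.
    for sample in ("https://www.example.com/promo", "http://192.0.2.10/login",
                   "https://bit.ly/3xyz", "tel:+2301234567"):
        print(sample, "->", check_qr_url(sample, {"example.com"}))
```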

CERT-MU Events: The 2012 Journey

CERT-MU has been organizing a series of events in the form of workshops, trainings and other international events throughout the year. The purpose of these events is to promote an information security culture and to educate the general public about information security issues. The main events that were organized during the year are:

Computer Security Day 2012

Computer Security Day is an international and globally recognized annual event set up to inform computer users of the significance of computer security. Computer Security Day was organized by the Computer Emergency Response Team of Mauritius (CERT-MU) on the 30th November as a way of reminding computer users that computer security and safety is a crucial responsibility. The goal of this event was to sensitise people to protect their computers and information. The event provided an insight into privacy and security issues surrounding electronically stored sensitive information and offered ways to keep your computer and data safe. On this occasion, CERT-MU organized various activities such as a full-day conference with the participation of high-profile international and local resource persons, with interactive panel discussions on specific tracks targeted at Business Executives, Senior Management and Information Security Professionals. An exhibition of computer security based products was also conducted. Two guidelines on Public Internet Access Points (PIAPs) for users and technical persons were also launched. As a continuation of the Computer Security Day, training programmes on Developing Security Policies and Securing Networks were conducted by the International Multilateral Partnership Against Cyber-threats (IMPACT).

Training on IPv6

The World IPv6 Launch represents the next step in the evolution of the Internet and marks a milestone in its history. As the successor to the Internet Protocol IPv4, IPv6 is seen as crucial to the continued growth of the Internet as a platform for innovation and economic development. In line with its vision of “spearheading Internet Technology in the African Region”, the African Network Information Centre (AfriNIC) has been encouraging the African Internet Community and its stakeholders to adopt the new protocol, IPv6. According to AfriNIC’s estimation, Africa will run out of IPv4 addresses around 2013/2014, and it is important for Africa to build a stable Internet infrastructure for the future. To achieve this purpose, CERT-MU, in collaboration with AfriNIC, organised a four-day training from 29th October to 1st November 2012, targeting IT Professionals, Network Administrators and IT Security Professionals from both public and private sectors. The objective of this training was to provide hands-on exposure to IPv6 implementation with a focus on security aspects.

Did you know?

In a recent Intel survey, 77% of respondents ranked losing their laptop while traveling as more stressful than losing their wedding ring, and 62% were actively worried about losing a laptop or having it stolen. This indicates how our devices have become an integral part of our lives, and therefore we must take precautionary measures to protect our information from device loss and theft while traveling.

Workshop on Mobile Hacking and Applications Security

Mobile devices have become an essential tool in most organisations. Mobile phone deployments have increased significantly, and they have been adopted by multitudes of end users for convenient email access and for accessing organisational resources and production applications. As mobile devices are widely adopted in organisations, they are also becoming an attractive and vulnerable target for cybercriminals. To address this issue, a workshop on Mobile Hacking and Applications Security was organised by CERT-MU on 31st May 2012 at Cyber-City, Ebene. Several presentations were conducted, focused on Mobile Risks and Countermeasures, Design Considerations for Enterprise Mobile Security and Android Applications Security.

On this occasion, a brochure on “Tips to Secure Your Mobile Phone” was launched by the Minister of Information and Communications Technology. A Certificate Award Ceremony was also held to award successful participants who completed the ISO 27001 Implementers Course and the Lead Auditor Course, which were organized by the National Computer Board in December 2011.

Safer Internet Day 2012

Safer Internet Day is an international event organised by Insafe in February each year to promote safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world. The theme for this year’s Safer Internet Day was “Connecting Generations and Educating each other – Discover the Internet Together, safely!”, where the focus was on sensitizing Internet users of all generations irrespective of their age, culture and communities. On this occasion, the National Computer Board organized a workshop targeted at State and Private Secondary School students, rectors and ICT teachers. Some 2600 students have already been sensitized. In addition, ICT teachers of primary schools across the island have also been trained on the issues of child online safety.

As a continuation of the Safer Internet Day campaign, the National Computer Board, in collaboration with the Ministry of Education and Human Resources, has been conducting awareness sessions on Internet Safety and Security in schools and colleges in the four zones of the country. Other activities that were organized include an online Internet Security quiz competition for State and Private Secondary School students.

Security Tip:

Even if you believe that all of your child’s online friends are genuine, the information your child posts might still be visible to others in the wider network. A chain of online friends is only as strong as its weakest link. Therefore:

Limit the information posted
Inform your child about the risks
Never give out address or school details
Know what to do if concerned

2012 Security Guidelines

CERT-MU publishes Information Security Guidelines on a regular basis to help and guide users in adopting best practices and implementing them whenever possible. For the year 2012, CERT-MU has published 10 security guidelines. The highlights of the guidelines are as follows:

Guideline on Strong Passwords and Passphrase

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. The purpose of this guideline is to help users to construct, protect and maintain passwords and passphrases.

Technical Guideline for Securing Public Internet Access Points (Computer Clubs, Cyber Caravans, Post Offices)

This guideline helps to guide technical persons working in computer clubs, cyber-caravans and Public Internet Access Points (PIAPs) to set up their infrastructures securely so as to enable users to access the Internet safely.

Security Guideline for Users on Public Internet Access Points (Computer Clubs, Cyber Caravans, Post Offices)

This guideline covers the security risks associated with accessing the Internet in public places such as post offices, computer clubs and cyber caravans. It also focuses on the precautionary measures required to use the Internet in those places.

Guideline on Spam Control

The purpose of the Guideline on Spam Control is to help users in managing their email accounts and systems with a view to counteracting spam emails. The target audience for this guideline includes IT managers or officers, security managers and home users.

Guideline on Auditing and Log Management

This guideline is aimed at assisting organisations in understanding the need for sound computer auditing and log management and the best practices that need to be followed to meet existing challenges. The target audience for this document includes computer security staff and program managers; system, network, and application administrators; computer security incident response teams; and others who are responsible for performing duties related to computer security audit and log management.

Guideline on E-mail Best Practices

The guideline on E-mail Best Practices is aimed at providing users with a secure online experience when dealing with e-mails. The target audience for this document includes any person who makes use of e-mail.

Guideline on Windows 7 Parental Controls

This guideline is aimed at assisting parents in protecting children’s online interactions and activities. The target audience for this guideline is parents, teachers, rectors and the public in general, who can help children to stay safe and more secure on the Internet.

Guideline on Incident Handling and Reporting

The purpose of this guideline is to provide the basis for the creation of incident response policies, plans, procedures, and teams to handle incidents within an organisation. The guideline also contains an incident handler’s checklist template that can be used to ensure that each incident response step is followed during an incident. The guide focuses on computer security related incidents, and the target audience is IT professionals and managers responsible for incident handling and management.

Guideline on Wireless Security

The guideline on Wireless Security is focused on helping organisations to secure their wireless networks against attacks. It is also aimed at guiding individual users who make use of wireless networks to surf the Internet at home and in public places.

Guideline on Debit or Credit Cards Usage

This guideline provides an overview of the bank cards available for use and their security aspects in terms of access. The target audience of this guideline includes all users of debit and credit bank cards.

The guidelines can be downloaded from the CERT-MU website.

Security Tip: Do not accept offers of “Free PC Scans” that pop up when you use the Internet

When you surf the Internet, you are likely to see pop-up windows that tell users that their systems have been infected with spyware and offer “free spyware scans”. Beware of this type of pop-up because such scans do not just give misleading results, but can also install unwanted software on your PC. Often these pop-ups only have a “scan” button and no “cancel” or “quit” option. To be safe, it is better to close such pop-ups or use pop-up blocker software.

Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court, La Poudriere Street, Port Louis
Tel: 210 5520
Fax: 208 0119
Website: www.cert-mu.org.mu

Incident Reporting
Hotline: 800 2378
Email: [email protected]

Vulnerability Reporting
Email: [email protected]

For Queries
Email: [email protected]

Subscription to Mailing Lists
Email: [email protected]