Apple iOS devices at risk from malicious third-party apps

US-CERT warned that:

This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link. 

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

The official US-CERT article follows:

______________________________

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
  2. Don’t click “Install” from a third-party pop-up when viewing a web page.
  3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.

 

Microsoft Security Intelligence Report

The Microsoft Security Intelligence Report is the most comprehensive threat intelligence report in the industry. It provides data and insights on malware, exploits and vulnerabilities based on data from more than a billion systems worldwide and some of the busiest online services. It also includes actionable guidance to help IT Professionals manage risk. The latest report, Volume 17, focuses on the first half of 2014, with trend data for the last several quarters.

Whether you are a PC user or not, the insights here are well worth reading.

You can download the report HERE

 

Bug allowing execution of malicious code resides in TLS stack

This affects not just Windows but other operating systems. Tuesday’s disclosure means that every major TLS stack (Apple SecureTransport, GnuTLS, OpenSSL, NSS, and now Microsoft SChannel) has had a severe vulnerability this year. In some cases the flaws merely allowed attackers to bypass encryption protections; others, most notably the Heartbleed bug in OpenSSL and the one patched Tuesday in Windows, allowed adversaries to steal highly sensitive data and to execute malicious code on vulnerable systems, respectively.

Here is the Microsoft update

Published: November 11, 2014

Version: 1.0

Executive Summary


This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

 

Mac OS X and iOS malware

WireLurker: A New Era in OS X and iOS Malware

posted by: Claud Xiao on November 5, 2014 2:30 PM

filed in: Malware, Mobility, Reports, Threat Prevention, Unit 42
tagged: Apple, globalprotect, iOS, Mac OS X, Maiyadi App Store, WireLurker

Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:

  • Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
  • It is only the second known malware family that attacks iOS devices through OS X via USB
  • It is the first malware to automate generation of malicious iOS applications, through binary file replacement
  • It is the first known malware that can infect installed iOS applications similar to a traditional virus
  • It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

How It Works

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

We further describe WireLurker’s potential impact, as well as methods to prevent, detect, contain and remediate the threat. We also detail Palo Alto Networks Enterprise Security Platform protections in place to counter associated risk.

WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers command and control server. This malware is under active development and its creator’s ultimate goal is not yet clear.

We recommend users take the following actions to mitigate the threat from WireLurker and similar threats:

  • Enterprises should assure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
  • Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
  • In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
  • Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
  • Keep the iOS version on your device up-to-date
  • Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
  • Do not pair your iOS device with untrusted or unknown computers or devices
  • Avoid powering your iOS device through chargers from untrusted or unknown sources
  • Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
  • Do not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device

Download “WireLurker: A New Era in OS X and iOS Malware” here.

This article was copied from the nice folks at Palo Alto Networks.

 

PowerShell for Security Professionals

I found a neat project that is all PowerShell scripts that a security professional can use as part of their toolbox.

The repository contents (each folder or file, followed by its latest commit message):

  • Account-Monitoring-Control: Updates
  • Authorized-Devices: Updates
  • Baselines: Patch to fix Start-SecDailyFunction.ps1
  • Forensics: Updates to Forensics Module
  • Log-Management: Updates
  • Network-Baseline: Added Reference to Get-SecOpenPorts
  • PoshSec-Configuration: Updating Module Versions to 1.0
  • PoshSec.PowerShell.Commands 3.5: Updates
  • PoshSec.PowerShell.Commands: PoshSec Commands for .NET 3.5
  • Software-Management: Updates
  • Utility-Functions: Added Values by Type
  • README.md: Update README.md
  • license.txt: Update license.txt
  • poshsec.psd1: PSD1 File Update
  • poshsec.psm1: Module Cleanup

To find out more go here

 

 

PowerShell Scripts for Admins and Auditors

Here are a few PowerShell scripts that I use to look at logs and user accounts.

 

To find the latest logon time (this uses the Quest AD cmdlets; Measure-Latest is not a built-in cmdlet, so it must be defined in your session):

Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName username).LastLogon } | Measure-Latest

The following example demonstrates how to find inactive user accounts:

Search-ADAccount -AccountInactive | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

The following example demonstrates how to find user accounts that have been inactive for 90 days:

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

Retrieving Local Security Log Information

On a local computer, the PowerShell Get-EventLog cmdlet lists the available event logs, and the list can be filtered down to the Security log:

Get-EventLog -List

Get-EventLog -List | where {$_.LogDisplayName -eq "Security"}

Find all users who have “Password Never Expires” set:

Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A

To determine who has never logged on (enabled accounts with no lastLogonTimestamp):

Get-ADUser -Filter {-not (lastlogontimestamp -like "*") -and (enabled -eq $true)}

Find the location of a locked-out user (jferron is the sample account). BadPwdCount and LastBadPasswordAttempt are not replicated between domain controllers, so each DC has to be queried individually:

$DomainControllers = Get-ADDomainController -Filter *
Foreach ($DC in $DomainControllers)
{
    # ask this DC for its own, non-replicated view of the account
    Get-ADUser -Identity jferron -Server $DC.Hostname `
        -Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut
}
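As an added example that is not part of the original post, the per-DC lockout query above combined with a read of the Security log (the Get-EventLog topic above) to find the computer the bad passwords came from. It assumes the ActiveDirectory module, PowerShell 3.0 or later (Get-WinEvent with a hashtable filter), and rights to read the Security log on the PDC emulator; Get-LockoutSource is a name chosen here.

```powershell
# Added example (not the original post's code): locate the source of an account lockout.
# Assumes the ActiveDirectory module and read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'jferron'
        [int] $MaxEvents = 10                              # how many 4740 events to read
    )

    # 1. Per-DC view: BadPwdCount / LastBadPasswordAttempt are not replicated,
    #    so each domain controller is asked directly (same loop as the post's script).
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
            -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } },
                          LockedOut, BadPwdCount, LastBadPasswordAttempt, AccountLockoutTime
    }

    # 2. Every lockout is forwarded to the PDC emulator, so its Security log holds
    #    event 4740 ("A user account was locked out") for the account.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; Data = $SamAccountName } |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName }   # double-check TargetUserName

    # In event 4740 the second EventData field (TargetDomainName) carries the
    # "Caller Computer Name": the machine the failed logons originated from.
    $sources = foreach ($e in $events) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LockedAccount  = $e.Properties[0].Value
            CallerComputer = $e.Properties[1].Value
            ReportingDC    = $pdc
        }
    }

    [pscustomobject]@{
        PerDomainController = $perDc
        LockoutEvents       = $sources
    }
}

# Usage:
# $r = Get-LockoutSource -SamAccountName jferron
# $r.PerDomainController | Format-Table -AutoSize
# $r.LockoutEvents       | Format-Table -AutoSize
```

The DC with the highest BadPwdCount is usually the one closest to the offending machine, while the CallerComputer field of the 4740 event names that machine directly, so the two views confirm each other.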

Updated free E-Books from Microsoft

Here is a list of updated books by subject area you can download.

  • Azure
  • Lync
  • Office
  • SharePoint
  • SQL Server
  • System Center
  • Visual Studio
  • Web Development
  • Windows
  • Windows Phone
  • Windows Server
  • Career

 

Rogue DHCP Server detection free tool

Having a DHCP server on your network that is not managed by the IT department is a security issue.

Microsoft has released a free tool that shows you all of your authorized DHCP servers and then shows you which ones are not approved. It is a graphical tool that tests by subnet.

The rogue detection tool is a GUI tool that checks whether there are any rogue DHCP servers in the local subnet.

[Screenshot: See what you have]

[Screenshot: Choose your network]

The tool has the following features:

1. The tool can be run one time or can be scheduled to run at specified interval.

2. Can be run on a specified interface by selecting one of the discovered interfaces.

3. Retrieves all the authorized DHCP servers in the forest and displays them.

4. Ability to validate (but not authorize in AD) a DHCP server that is not rogue, and to persist this information.

5. The tool can be minimized, which makes it invisible; a tray icon remains and displays the status.

You can download this tool here
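An added example, not the tool's own code, of the same check done from PowerShell: the DHCP servers a host was actually served by are compared against the servers authorized in Active Directory. It assumes the DhcpServer RSAT module (Get-DhcpServerInDC) and rights to read AD; Find-UnauthorizedDhcpServer is a name chosen here.

```powershell
# Added example (not the tool's code): flag DHCP servers that are not authorized in AD.
# Assumes the DhcpServer RSAT module (Get-DhcpServerInDC) and rights to read AD.
function Find-UnauthorizedDhcpServer {
    param(
        # Optional list of server IPs observed some other way (e.g. from a capture).
        # By default the servers this host's DHCP-enabled adapters leased from are used.
        [string[]] $ObservedServer
    )

    # Authorized servers as registered in AD: the list the Microsoft tool displays.
    $authorized = @{}
    foreach ($s in Get-DhcpServerInDC) {
        $authorized[[string]$s.IPAddress] = $s.DnsName
    }

    if (-not $ObservedServer) {
        # Win32_NetworkAdapterConfiguration.DHCPServer is the server each adapter leased from.
        $ObservedServer = Get-CimInstance Win32_NetworkAdapterConfiguration |
            Where-Object { $_.DHCPEnabled -and $_.DHCPServer } |
            Select-Object -ExpandProperty DHCPServer -Unique
    }

    foreach ($srv in $ObservedServer) {
        [pscustomobject]@{
            DhcpServer = $srv
            Authorized = $authorized.ContainsKey($srv)
            DnsName    = $authorized[$srv]     # empty when the server is not in AD
        }
    }
}

# Usage: list only the servers that need attention
# Find-UnauthorizedDhcpServer | Where-Object { -not $_.Authorized }
```

Unlike the Microsoft tool, which sends DHCP requests on the chosen interface and lists every server that answers, this only sees the server each adapter last leased from, so run it from several hosts on a subnet (or feed it addresses from a capture) to widen coverage.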

 

PowerShell training for free

On the Microsoft Virtual Academy site, which is free, there is a bunch of training on PowerShell. Since I have been talking about this for a while, here is a blog post about it.

Getting Started with PowerShell 3.0 Jump Start

This Jump Start is designed to teach busy IT professionals, admins, and help desk staff how to use PowerShell to improve management capabilities, automate redundant tasks, and manage the environment at scale. Learn how PowerShell works and how to make PowerShell work for you from the experts Jeffrey Snover, the inventor of PowerShell, and Jason Helmick, Senior Technologist at Concentrated Technology.

Instructors | Jeffrey Snover –  Distinguished Engineer and Lead Architect; Consultant; Jason Helmick –  Senior Technologist

Associated Course(s) | 20412: Configuring Advanced Windows Server 2012 Services; 20411: Administering Windows Server 2012; 20410: Installing and Configuring Windows Server 2012 

Link is Here

 

Advanced Tools & Scripting with PowerShell 3.0 Jump Start

IT pros, take this advanced PowerShell course to find out how to turn your real time management and automation scripts into useful reusable tools and cmdlets. You’ll learn the best patterns and practices for building and maintaining tools and you’ll pick up some special tips and tricks along the way from the architect and inventor of PowerShell, Distinguished Engineer Jeffrey Snover, and IT pro, Jason Helmick.

Instructors | Jeffrey Snover –  Distinguished Engineer and Lead Architect; Consultant; Jason Helmick –  Senior Technologist

Associated Course(s) | 20412: Configuring Advanced Windows Server 2012 Services; 20411: Administering Windows Server 2012; 20410: Installing and Configuring Windows Server 2012 

Link is Here

Free basic security training

On the Microsoft MVA there is a great basic course on security that prepares you for MTA Exam 98-367. Build an understanding of security layers, operating system security, network security, and security software. The course leverages Microsoft Official Academic Course (MOAC) material for this exam.

Topics include:

  • Authentication, Authorization, and Accounting
  • Understanding Security Policies
  • Understanding Network Security
  • Protecting the Server and Client

 

The link to the training is here