Showing posts with label Tip. Show all posts

Friday, September 1, 2023

Twenty SQL Power Tips

Here are some SQL power tips to help you write efficient and effective SQL queries:

1. Use Indexes: Index the columns you frequently filter, join or sort on; a lookup that can use an index avoids scanning the whole table. Every index also has to be maintained on each INSERT/UPDATE/DELETE and takes space, so index deliberately rather than indexing everything, and verify with the execution plan that the index is actually used.

2. Avoid Using SELECT *: Instead of selecting all columns, specify only the columns you need. This reduces unnecessary data transfer and can speed up your queries.

3. Limit the Use of DISTINCT: `DISTINCT` forces a sort or hash over the whole result set. A query that needs it is often one whose join multiplies rows; fix the join, use `EXISTS`, or group instead, and reserve `DISTINCT` for cases where duplicates are genuinely part of the data.

4. Use Joins Wisely: Be mindful of how you join tables. Use inner joins when you only need matching records, and use outer joins when you need non-matching records as well.

5. Use the WHERE Clause Efficiently: Filter as early as possible so the engine processes fewer rows, and keep predicates sargable, i.e. in a form an index can serve: `WHERE created_at >= '2023-01-01' AND created_at < '2024-01-01'` can use an index on `created_at`, whereas `WHERE YEAR(created_at) = 2023` wraps the column in a function and generally cannot.

6. Be Careful with Subqueries: Modern optimizers handle many uncorrelated subqueries well, but a correlated subquery that is re-evaluated for every outer row can be very slow. When the plan shows that, rewrite it as a join or a common table expression (CTE) and compare the plans rather than assuming either form is faster.

7. Aggregate Functions: Use aggregate functions like `SUM`, `COUNT`, and `AVG` to perform calculations in the database rather than fetching large datasets and performing calculations in your application code.

8. Normalize Your Data: Normalize your database to eliminate redundancy and improve data integrity. However, strike a balance between normalization and performance, as denormalization can sometimes be necessary.

9. Optimize ORDER BY: Sorting a large result set is expensive. An index whose order matches the `ORDER BY` lets the engine return rows already in order without a sort step, and combining `ORDER BY` with `LIMIT` lets it stop after the first N rows. Sort in application code only for small result sets you fetch in full anyway; shipping a large set to the application just to sort it moves the cost rather than removing it.

10. Batch Operations: When inserting or updating many rows, use set-based statements rather than one statement per row: a single multi-row `INSERT INTO ... VALUES (...), (...), ...`, one `UPDATE ... SET ... WHERE` or `DELETE ... WHERE` whose predicate covers all affected rows, or the driver's batch API. Wrap the batch in one transaction; committing after every row is usually the dominant cost.

11. Use Stored Procedures: If your database supports them, stored procedures cut network round trips for multi-statement operations. They can also narrow the attack surface: grant the application account EXECUTE on the procedures and no direct table privileges, so a compromised application can only do what the procedures allow. That benefit disappears if a procedure builds dynamic SQL by concatenating its inputs; keep procedures parameterized too.

12. Monitor Query Performance: Regularly monitor the performance of your queries using tools like EXPLAIN (or the equivalent in your database system) to analyze query execution plans and identify bottlenecks.

13. Use Connection Pooling: If you're developing a web application, use connection pooling to efficiently manage database connections and minimize connection overhead.

14. Avoid NULLs: Use NULL sparingly. NULL uses three-valued logic, which complicates queries (`NULL = NULL` is not true, and `NOT IN` against a list containing a NULL matches nothing) and affects how indexes and aggregates treat the column. Declare columns `NOT NULL` with a sensible default where a value is always known. Be careful with sentinel values such as `''`, `0` or `1900-01-01`: they look like real data and can leak into calculations and reports, so use them only where the application consistently treats them as "absent".

15. Regularly Maintain Your Database: Perform routine maintenance tasks like reindexing, vacuuming, and updating statistics to keep your database running smoothly.

16. Use Proper Data Types: Choose appropriate data types for your columns to minimize storage requirements and improve query performance.

17. Consider Caching: Implement caching mechanisms at the application level to reduce the load on your database, especially for frequently accessed data.

18. Optimize Disk I/O: Ensure that your database server's disk configuration is optimized for performance. This may include using SSDs, RAID setups, and optimizing file placement.

19. Security and Prepared Statements: Always use prepared statements or parameterized queries, so that user input is bound as a value and can never alter the structure of the statement; never build SQL by concatenating input, even "escaped" input. Beyond injection, follow database security basics: give each application its own least-privilege account, encrypt connections (TLS), keep credentials out of source code, and log and review privileged access.

20. Documentation: Document your database schema, query optimizations, and data flow. This can help you and your team understand and maintain the system effectively.

Remember that the best optimization strategies can vary depending on your specific database system (e.g., MySQL, PostgreSQL, SQL Server) and the nature of your application. Regularly profiling and testing your queries is crucial to achieving optimal performance.
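
The following script, added here as an example and not part of the original post, shows tips 1, 10, 12 and 19 on a small SQLite database: an EXPLAIN QUERY PLAN before and after an index is added, a batched insert inside one transaction, and a lookup written both by splicing the caller's string into the SQL (vulnerable) and as a parameterized query. The table, column and index names and the 1000 constructed user rows are this example's own and do not come from the page. The helpers return their results so the behaviour can be checked rather than only printed.

```python
"""Tips 1, 10, 12 and 19 on an in-memory SQLite database (added example).

Index vs. full scan as reported by EXPLAIN QUERY PLAN, a batched insert in one
transaction, and string-built SQL next to the parameterized query that fixes it.
"""
import sqlite3


def make_db(n_users=1000):
    """Create an in-memory database with a constructed users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " email TEXT NOT NULL,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    rows = [(f"user{i}", f"user{i}@example.com", 1 if i == 0 else 0)
            for i in range(n_users)]
    # Tip 10: one batched insert inside a single transaction, not n auto-committed INSERTs.
    with conn:
        conn.executemany(
            "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)", rows)
    return conn


def query_plan(conn, sql, params=()):
    """Tip 12: return the EXPLAIN QUERY PLAN 'detail' column, joined into one string."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(row[3] for row in rows)


def uses_index(conn, sql, params=()):
    """True if the plan reports an index search rather than a full table SCAN."""
    return "INDEX" in query_plan(conn, sql, params).upper()


def add_username_index(conn):
    """Tip 1: index the column the lookup filters on (index name is this example's own)."""
    conn.execute("CREATE INDEX IF NOT EXISTS idx_users_username ON users(username)")


LOOKUP_SQL = "SELECT id, username FROM users WHERE username = ?"


def find_user_unsafe(conn, username):
    """Vulnerable: the caller's string becomes part of the SQL text (the anti-pattern of tip 19)."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the driver binds the value, so it can never change the statement's structure."""
    return conn.execute(LOOKUP_SQL, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("before index:", query_plan(db, LOOKUP_SQL, ("user5",)))
    add_username_index(db)
    print("after index: ", query_plan(db, LOOKUP_SQL, ("user5",)))
    payload = "x' OR '1'='1"  # tautology: makes the WHERE clause true for every row
    print("string-built query returned", len(find_user_unsafe(db, payload)), "rows")
    print("parameterized query returned", len(find_user_safe(db, payload)), "rows")
```

Run as a script, the plan changes from a full table scan to an index search once the index exists, and the tautology payload `x' OR '1'='1` returns every user from the string-built query and nothing from the parameterized one. Parameterization is the fix; escaping quotes by hand is not, because a different quote character, a different encoding, or a numeric column that needs no quotes at all will get past the escaping sooner or later.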

Wednesday, August 30, 2023

Bi-directional Communication Between Databases

Enabling bi-directional communication between a database (DB) and an external application involves setting up mechanisms to allow data to flow between the two entities in both directions: from the database to the application and vice versa. This can be achieved through various methods, depending on your specific use case, database system, and technology stack. Here are a few common approaches:

1. APIs (Application Programming Interfaces):

   - Database drivers and APIs: Every database exposes its client protocol through driver APIs such as JDBC/ODBC for relational databases or a native client library, and some databases or front-ends add an HTTP/REST layer. Rather than handing the external application raw driver access, you would normally expose API endpoints for the specific operations it needs (querying, inserting, updating, deleting) and enforce authentication, authorization and input validation at that layer.

2. Change Data Capture (CDC):

   - CDC Tools: Change Data Capture tools read the database's transaction log (or, more crudely, rely on triggers or timestamp polling) to capture every insert, update and delete, in real time or in batches, and propagate those changes to external consumers. On its own this is one direction, database to application; the application writes back through the normal driver or API path, and the pair gives you bidirectional flow. A CDC stream carries every column of every changed row, so filter or mask sensitive columns before the stream leaves the database's trust boundary.

3. Message Queues and Pub/Sub Systems:

   - Message Queues: With a message queue system such as RabbitMQ, Apache Kafka or AWS SQS, a trigger, an outbox table or a CDC connector publishes a message for each change or event in the database. The external application consumes these messages and reacts accordingly, which may include writing back to the database; keep that write path separate so an update does not republish itself in a loop.

   - Publish-Subscribe (Pub/Sub) Systems: Similar to message queues, Pub/Sub systems like Redis Pub/Sub or Google Cloud Pub/Sub allow you to publish events when data changes in the database. Subscribers can then receive these events and perform appropriate actions.

4. Stored Procedures and Triggers:

   - Stored Procedures: Some databases support stored procedures, which are pre-defined sets of SQL statements that can be executed by an external application. You can create stored procedures to handle data manipulation and interaction.

   - Triggers: Triggers are database-defined actions that are automatically executed when certain events occur, such as data insertion, deletion, or update. You can use triggers to initiate actions in response to changes in the database.

5. Websockets:

   - Websockets: WebSockets provide a persistent, bidirectional channel between a client (typically a browser) and an application server. The server, not the database, terminates the socket: it relays changes it learns about from the database (via triggers, CDC or a notification facility such as PostgreSQL's LISTEN/NOTIFY) to the client, and applies the client's writes through its normal database layer. The database itself should never be exposed to clients over such a channel.

6. API Integration Platforms:

   - Integration Platforms: There are platforms like Zapier, Integromat, and Microsoft Power Automate that enable you to create automated workflows between different applications, including databases and other systems. These platforms often support bidirectional data flow.


When implementing bidirectional communication between a database and an external application, consider factors such as security, data consistency, error handling, and performance. Choose the approach that best fits your use case and technology stack, and ensure that the communication is efficient and reliable. Additionally, consider implementing proper authentication and authorization mechanisms to ensure that only authorized parties can access and modify the data in the database.
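
As an added example (not code from the original post), the following SQLite script combines items 2 and 4 above: triggers append every insert, update and delete on an `accounts` table to a `change_log` table (the trigger-based form of change data capture, often called an outbox), the application polls that log for the database-to-application direction, and it writes back through an ordinary parameterized statement for the application-to-database direction. All table, column and function names are this example's own assumptions.

```python
"""Trigger-fed change log polled by an application, plus a parameterized write-back (added example).

SQLite is used so the script runs stand-alone; the schema and names are this example's own.
"""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
-- Append-only log the consumer reads; it never touches accounts directly.
CREATE TABLE change_log (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    op       TEXT    NOT NULL,
    row_id   INTEGER NOT NULL,
    owner    TEXT,
    balance  INTEGER,
    consumed INTEGER NOT NULL DEFAULT 0
);
CREATE TRIGGER accounts_ai AFTER INSERT ON accounts BEGIN
    INSERT INTO change_log (op, row_id, owner, balance)
    VALUES ('INSERT', NEW.id, NEW.owner, NEW.balance);
END;
CREATE TRIGGER accounts_au AFTER UPDATE ON accounts BEGIN
    INSERT INTO change_log (op, row_id, owner, balance)
    VALUES ('UPDATE', NEW.id, NEW.owner, NEW.balance);
END;
CREATE TRIGGER accounts_ad AFTER DELETE ON accounts BEGIN
    INSERT INTO change_log (op, row_id, owner, balance)
    VALUES ('DELETE', OLD.id, OLD.owner, OLD.balance);
END;
"""


def make_db():
    """Fresh in-memory database with the tables and triggers above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def deposit(conn, account_id, amount):
    """Application -> database: one parameterized, set-based write. True if a row changed."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, account_id))
    return cur.rowcount == 1


def drain_changes(conn, handler):
    """Database -> application: deliver unconsumed changes in commit order.

    Rows are marked consumed in the same transaction in which they are handed to
    the handler, so a crash or handler exception rolls the marking back and the
    change is delivered again on the next poll (at-least-once delivery).
    """
    with conn:
        rows = conn.execute(
            "SELECT seq, op, row_id, owner, balance FROM change_log "
            "WHERE consumed = 0 ORDER BY seq").fetchall()
        for seq, op, row_id, owner, balance in rows:
            handler({"seq": seq, "op": op, "id": row_id,
                     "owner": owner, "balance": balance})
            conn.execute("UPDATE change_log SET consumed = 1 WHERE seq = ?", (seq,))
    return len(rows)


if __name__ == "__main__":
    db = make_db()
    with db:  # constructed sample row
        db.execute("INSERT INTO accounts (owner, balance) VALUES (?, ?)", ("alice", 100))
    deposit(db, 1, 50)
    seen = []
    print("delivered", drain_changes(db, seen.append), "changes")
    for event in seen:
        print(event)
    print("second poll delivers", drain_changes(db, seen.append), "changes")
```

Because delivery is at-least-once, handlers must be idempotent (re-applying an event must be harmless). In a real deployment the polling account should hold SELECT and UPDATE on `change_log` only, and the write-back path should use a separate, equally restricted account, so that a compromised consumer can neither read nor rewrite the base tables.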

Tuesday, December 27, 2016

Fake Phone Apps Designed To Take Your Money

There has apparently been a very large increase in the number of smartphone apps designed to do one thing: steal your banking information and then rob you blind.

According to an alert published last week by the Federal Trade Commission these apps are designed to look like stores you already trust.

Source: https://www.consumer.ftc.gov/blog/theres-app-it-might-be-fake

Read the information on the link above - knowledge is power.


Tuesday, July 12, 2016

Ransomware

Ransomware and Recent Variants

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware: its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate ransomware infections.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

Ransomware authors rely on fear and panic: intimidating messages push victims to click a link or pay the ransom, and in the process a victim's system may be infected with additional malware. Typical messages include:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.
In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.
Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

Revisions

  • March 31, 2016: Initial publication
  • May 6, 2016: Clarified guidance on offline backups
  • July 11, 2016: Added link to governmental interagency guidance on ransomware

Thursday, June 2, 2016

Lenovo Accelerator Application Insecure Update Mechanism

Don't believe the rumor: this does not apply to ThinkPad or ThinkStation laptops.

A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Lenovo Security Advisory: LEN-6718

Potential Impact: Remote code execution by an attacker with local network access

Severity: High

Scope of Impact: Lenovo products described below

Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the “Apps and Features” application in Windows 10, selecting Lenovo Accelerator Application and clicking on “Uninstall”.

Product Impact:
The Lenovo Accelerator Application was installed on some consumer notebook and desktop systems preloaded with the Windows 10 operating system.

Wednesday, April 20, 2016

MySQL Users - Update Your Servers Now

Source: Oracle

Oracle more or less buried the fact that several serious security vulnerabilities were found in its MySQL product by listing the affected versions at the very bottom of its Critical Patch Update advisory for April 2016.

From Oracle:

Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 136 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that on March 23, 2016, Oracle released Security Alert for Java SE for CVE-2016-0636. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced for CVE-2016-0636.
Please also note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 and 2.0 of Common Vulnerability Scoring Standard (CVSS). Future Critical Patch Updates and Security Alerts will be scored using CVSS version 3.0 only.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Monday, April 18, 2016

Urgent - Uninstall Quick Time

REF: US-CERT

Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]
The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

Thursday, March 10, 2016

Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability

Source: Cisco

A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre

Affected Products

  • Vulnerable Products

    The following Cisco products are vulnerable:
    • Cisco Cable Modem with Digital Voice Model DPC2203
    • Cisco Cable Modem with Digital Voice Model EPC2203

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.

    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Tuesday, March 8, 2016

DoD Issues Cybersecurity Discipline Guidance

Source: Army Times http://www.armytimes.com/
The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks.
The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon’s other large-scale cyber assessment tool, the department’s strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.
The new plan centers on four lines of effort, which actually correspond with the cybersecurity scorecard. They include:

  • Strong authentication to degrade the adversaries' ability to maneuver on DoD information networks;
  • Device hardening to reduce internal and external attack vectors into DoD information networks;
  • Reduce attack surface to reduce external attack vectors into DoD information networks; and
  • Alignment to cybersecurity/computer network defense service providers to improve detection of and response to adversary activity
"The requirements within each line of effort represent a prioritization of all existing DoD cybersecurity requirements. Each line of effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by our adversaries to gain access to DoD information networks,” the document states. “Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions … this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls."
Each of the four lines of effort includes a thorough explanation of the goal, followed by multiple tasks and questions designed to assess compliance, vulnerability and progress. An appendix further details prioritized tasks from the discipline implementation plan and from previously issued DoD cybersecurity campaign guidance, and weights DoD’s cybersecurity objectives.
"Work on these tasks can proceed in parallel; these lists guide the application of limited resources to the most critical tasks for securing and defending segments of the network across the Department,” the document notes. “Of primary importance is implementing a healthy cybersecurity culture across all ranks, one that ingrains a self-correcting discipline similar to the nuclear enterprise or other critical, highly reliable organizations. If we fail to change the culture, we will fail to secure the enterprise regardless of any defenses installed otherwise."
Despite the use of the term ‘discipline’ in its title, though, one thing the new plan seems to lack, at least in the unclassified version, is consequences for failing to meet goals or maintain security. It’s not immediately clear what might happen to people who fall short of requirements or fall victim to cyberattacks.

Wednesday, March 2, 2016

IRS and US-CERT Caution Users: Prepare for Heightened Phishing Risk This Tax Season

Overview

Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

Remain alert

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes

Understand how the IRS communicates electronically with taxpayers

  • The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
  • This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
  • The official website of the IRS is www.irs.gov.

Take action to avoid becoming a victim

If you believe you might have revealed sensitive information about your organization or access credentials, report it to the appropriate contacts within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised, contact your financial institution immediately and close those accounts.
If you believe you might have revealed sensitive account information, immediately change the passwords you might have revealed. If you used the same password for multiple accounts, make sure to change the password for each account and do not use that password in the future.

Report suspicious phishing communications

  • Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to phishing@irs.gov, then delete the original email.
  • Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to phishing@irs.gov with subject line, “Suspicious website”.
  • Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in SMS and entered confidential information, visit the IRS’ identity protection page).
If you are a victim of any of the above scams involving IRS impersonation, please report to phishing@irs.gov, file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the police.

Additional Resources

For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:
To report a cybersecurity incident, vulnerability, or phishing attempt, visit US-CERT.gov/report.

Author

US-CERT and IRS

Tuesday, March 1, 2016

OpenSSL Security Advisory

National Cyber Awareness System:
03/01/2016 11:04 AM EST

Original release date: March 01, 2016
OpenSSL has released updates to address vulnerabilities in prior versions. Exploitation of some of these vulnerabilities may allow a remote attacker to obtain sensitive information. Updates available include:
  • OpenSSL 1.0.2g for 1.0.2 users
  • OpenSSL 1.0.1s for 1.0.1 users
Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.
OpenSSL Security Advisory [1st March 2016]
=========================================

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers.  We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176


Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================

Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.  Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).

Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed.  Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.

OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

SSLv2 is now by default disabled at build-time.  Builds that are not configured
with "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:

   SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
   SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.

In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL.  Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s


More At: https://www.openssl.org/news/secadv/20160301.txt

Friday, February 5, 2016

Severity: High - OpenSSL Security Advisory

28th Jan 2016

NOTE: SUPPORT FOR VERSION 1.0.1 WILL BE ENDING ON 31ST DECEMBER 2016. NO SECURITY FIXES WILL BE PROVIDED AFTER THAT DATE. UNTIL THAT TIME SECURITY FIXES ONLY ARE BEING APPLIED.

DH small subgroups (CVE-2016-0701)


Severity: High

Historically OpenSSL usually only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite.


OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:
• SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not set.
• SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is an undocumented feature and parameter files don't contain the key.
• Static DH ciphersuites are used. The key is part of the certificate and so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE ciphers suites if:
• SSL_OP_SINGLE_DH_USE is set
• SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the callback does not provide the key, only the parameters. The callback is almost always used like this.

Non-safe primes are generated by OpenSSL when using:
• genpkey with the dh_rfc5114 option. This will write an X9.42 style file including the prime-order subgroup size "q". This is supported since the 1.0.2 version. Older versions can't read files generated in this way.
• dhparam with the -dsaparam option. This has always been documented as requiring the single use.

The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters). This detects the only known attack, and is the only possible defense for static DH ciphersuites. This could have some performance impact.

Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f


OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters. It is possible to generate parameters using non "safe" primes, but this option has always been documented as requiring single use and is not the default or believed to be common. However, as a precaution, the SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.


This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe). The fix was developed by Matt Caswell of the OpenSSL development team (incorporating some work originally written by Stephen Henson of the OpenSSL core team).
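
The small-subgroup attack the advisory describes, worked through on toy-sized parameters as an added example (this is not OpenSSL's code). `p` is built so that `p-1` has many small prime factors, i.e. a non-"safe" prime of the X9.42 kind; the simulated server reuses its private exponent `x` the way a pre-1.0.2f server without SSL_OP_SINGLE_DH_USE (or one using a static DH cipher suite) would; and the attacker completes one handshake per small prime `r` with a value of order `r`, so the shared secret can take only `r` values, checks each against the server's keyed "Finished" MAC to learn `x mod r`, and combines the residues with the Chinese remainder theorem. The handshake, key derivation and MAC are stand-ins for TLS, the sizes are toy, and `check_subgroup=True` plays the role of the 1.0.2f check against `q`; all of these are this example's assumptions.

```python
import hashlib
import hmac
import random
from functools import reduce

# Small odd primes that will divide p-1. Their product R (about 2^64) bounds the
# attacker's work: one handshake and at most r guesses per prime r.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
R = reduce(lambda a, b: a * b, SMALL_PRIMES)
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic; ample for these toy sizes)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def element_of_order(p, r):
    """Some element of exact order r, for a prime r dividing p-1."""
    e = (p - 1) // r
    for h in range(2, 1000):
        y = pow(h, e, p)
        if y != 1:
            return y
    raise ValueError("no element of order %d found" % r)


def make_unsafe_params(q_bits=32, seed=1):
    """X9.42-style (p, q, g): p = 2*q*R + 1 is prime but not a 'safe' prime, and g
    generates the order-q subgroup. Toy sizes; real q is 160-256 bits."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        p = 2 * q * R + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, element_of_order(p, q)


def server_finished(z, server_pub, p):
    """Stand-in for key derivation plus the server's Finished MAC: something the
    attacker can recompute for each candidate shared secret z and compare."""
    size = (p.bit_length() + 7) // 8
    key = hashlib.sha256(z.to_bytes(size, "big")).digest()
    return hmac.new(key, b"server finished" + server_pub.to_bytes(size, "big"), hashlib.sha256).digest()


class DHServer:
    """Simulated server. reuse_exponent=True models a pre-1.0.2f server without
    SSL_OP_SINGLE_DH_USE (or a static DH suite); check_subgroup=True models the
    1.0.2f fix, which validates the peer value against q whenever q is known."""

    def __init__(self, p, q, g, reuse_exponent=True, check_subgroup=False, seed=7):
        self.p, self.q, self.g = p, q, g
        self.reuse, self.check = reuse_exponent, check_subgroup
        self.rng = random.Random(seed)
        self.x = None

    def handshake(self, client_pub):
        if not 2 <= client_pub <= self.p - 2:
            raise ValueError("peer public value out of range")
        if self.check and pow(client_pub, self.q, self.p) != 1:
            raise ValueError("peer public value not in the order-q subgroup")
        if self.x is None or not self.reuse:
            self.x = self.rng.randrange(2, self.q)  # fresh per handshake unless reused
        server_pub = pow(self.g, self.x, self.p)
        z = pow(client_pub, self.x, self.p)
        return server_pub, server_finished(z, server_pub, self.p)


def server_accepts(server, client_pub):
    try:
        server.handshake(client_pub)
        return True
    except ValueError:
        return False


def recover_exponent(server, p):
    """Attacker: a value y of order r confines y^x to r possibilities; the one whose
    MAC matches reveals x mod r. CRT over all r gives x itself because x < q < R.
    Returns None unless the result is confirmed against the server's g^x."""
    residues = []
    for r in SMALL_PRIMES:
        y = element_of_order(p, r)
        server_pub, tag = server.handshake(y)
        for j in range(r):
            if hmac.compare_digest(server_finished(pow(y, j, p), server_pub, p), tag):
                residues.append((j, r))
                break
    x, m = 0, 1
    for a, n in residues:  # incremental Chinese remainder theorem
        x += m * ((a - x) * pow(m, -1, n) % n)
        m *= n
    return x if pow(server.g, x, p) == server_pub else None


if __name__ == "__main__":
    p, q, g = make_unsafe_params()
    victim = DHServer(p, q, g)
    print("recovered x =", recover_exponent(victim, p), " actual x =", victim.x)
    fixed = DHServer(p, q, g, check_subgroup=True)
    print("fixed server rejects small-order value:", not server_accepts(fixed, element_of_order(p, 3)))
```

Two things to notice: against a server that draws a fresh `x` per handshake the residues belong to different exponents and the final confirmation fails, which is exactly why SSL_OP_SINGLE_DH_USE defeats the attack; and the subgroup check `y^q == 1 (mod p)` costs one extra modular exponentiation per handshake, the "performance impact" the advisory mentions, but is the only defence when the exponent cannot change (static DH).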


SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Severity: Low
A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and Sebastian Schinzel. The fix was developed by Nimrod Aviram with further development by Viktor Dukhovni of the OpenSSL development team.

An update on DHE man-in-the-middle protection (Logjam)

A previously published vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits in releases 1.0.2b and 1.0.1n.

This limit has been increased to 1024 bits in this release, to offer stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

The fix was developed by Kurt Roeckx of the OpenSSL development team.

Note
As per our previous announcements and our Release Strategy (https://www.openssl.org/policies/releasestrat.html), support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.

References

URL for this Security Advisory: https://www.openssl.org/news/secadv/20160128.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html

Monday, November 30, 2015

IRS Releases First in a Series of Tax Security Tips

The Internal Revenue Service (IRS) has released the first in a series of tips intended to increase public awareness of how to protect personal and financial data online and at home. A new tip will be available each Monday through the start of the tax season in January, and will continue through the April tax deadline.


The first tip focuses on seven simple steps to secure your computer when conducting business online. US-CERT encourages users and administrators to review IRS Security Awareness Tax Tip Number 1 for additional information.

Saturday, December 15, 2012

Remove Hidden Data from MS Office Files

When you distribute an Office document electronically, the document might contain information that you do not want to share publicly, such as information you've designated as "hidden" or information that allows you to collaborate on writing and editing the document with others.

The Remove Hidden Data add-in is a tool that you can use to remove personal or hidden data that might not be immediately apparent when you view the document in your Microsoft Office application.

You can run the Remove Hidden Data add-in on individual files from within your Office XP or Office 2003 application. Or, you can run Remove Hidden Data on multiple files at once from the command line. In either case, to run the tool you must have the application installed in which the document was created.

To download the Microsoft tool to remove hidden data click here: Microsoft Tool

Saturday, June 4, 2011

Web Color Pallet

Today I would like to share with my fellow web programming enthusiasts a page I put together that I use a lot, but published so everyone can tap into it and use it as a resource when needed.

This single page lists all the HEX color values, but also their Java names. It has a complete list along with examples of how they will appear.

It is complete and comprehensive. There is even a portion that shows how the changing values work to create the differences in the shades.

Please feel free to not only use the resource, but take a moment and share it with others. Feel free to suggest any improvements.

Web Color Pallet

Friday, June 3, 2011

Group Claims It Was 'Paid to Hack PBS,' Then Leaks a Million Sony User IDs - FoxNews.com

This is a fantastic story; but I bet most would miss why this group (whoever it was) was able to post individuals’ passwords for all the world to see.

Apparently the bigger the company, the more relaxed it is about cyber security and following the most basic of rules.

Had these companies followed “Security 101” procedures they would have known to (at the very least) store passwords hashed, or otherwise encrypted, rather than in plaintext, so that even if their database of user names and passwords is stolen the passwords can’t be used; or, at the very least, can’t be posted online somewhere for the whole world to see.

I know in my little corner of the world where I help write software applications for these big companies I have to undergo security questionnaires (sometimes over 100 pages of questions) and audits where they actually try to hack my code. The sad thing is that they are companies the size of the ones in the Fox News story (link below).

If you are about to purchase software for business or pleasure ask “Do you encrypt stored passwords?”

If you are a developer, don’t think for a second that the guys doing the networking and managing the firewall and intrusion detection are doing their jobs. Follow the basics, and step one is to store passwords only in hashed (or encrypted) form.
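
The storage rule above, as an added example (this is not code from the post or from any of the companies it mentions): a salted, deliberately slow password hash using PBKDF2-HMAC-SHA256 from the Python standard library, next to a dictionary attack that shows why a bare fast hash of the kind the post calls "a HASH" is not enough once the table leaks. The scheme, the record format, the iteration count, the usernames, passwords and wordlist are all this example's choices and constructed data.

```python
import base64
import hashlib
import hmac
import os

# Assumed scheme (this example's choice): PBKDF2-HMAC-SHA256 with a 16-byte random
# per-user salt; the iteration count travels with the hash so it can be raised later
# without breaking existing records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(dk).decode("ascii"))


def verify_password(stored, password):
    """Constant-time check of a password against a stored record; False for malformed records."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:  # wrong field count, bad integer, bad base64 (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was made with fewer rounds than current policy; check after a successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def crack_unsalted(leaked, wordlist):
    """Why 'just hash it' is not enough: unsalted fast hashes fall to a single lookup
    table built from a wordlist, and every user with a common password falls at once."""
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Constructed data: a "leaked" table of unsalted SHA-1 hashes and a tiny wordlist.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("verify ok:", verify_password(record, "hunter2"), " wrong:", verify_password(record, "hunter3"))
    print("cracked from unsalted SHA-1 leak:", crack_unsalted(LEAKED_SHA1, WORDLIST))
```

With a per-user salt the attacker's table has to be rebuilt for every user, and with a slow hash each entry of that table costs hundreds of thousands of HMAC calls instead of one; that is the difference between a leak that exposes every reused password in minutes and one that exposes little.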

Group Claims It Was 'Paid to Hack PBS,' Then Leaks a Million Sony User IDs - FoxNews.com

Saturday, May 21, 2011

New Malware Simulates Hard Drive Failure


This is not new, regardless of what the article says.

Please, folks: any time you open a webpage and it starts acting like it is checking your ‘system’, stop… believe me, it can’t be reading your hard drive – it’s a trick to get you to give them permission to install something (like an ActiveX control) onto your computer so they can look at your system.

If ever you click on a web link and the next web page that opens says something like….

Windows Security Center Alert!

Stop… don’t fall for it… close your browser.

It isn’t really running a security scan… it is just some images that make you think they are reading your computer’s hard drives and such.

Any company that needs to resort to something like tricking you so you’ll buy something from them does not deserve your money.

People fall for this all the time.

Ask anyone who repairs buggy systems – if your computer is running slow and not responding, don’t install multiple virus protection programs; that is just going to make it run even buggier and slower (but that is a subject for another day).

New Malware Simulates Hard Drive Failure