Tuesday, June 29, 2010

New CyberSecurity Study says "Most senior execs unaware of impact from cyberattacks." ISSA-LA Committed to Doing Something About It.

According to an article in USA Today, a new Ponemon Institute poll of 591 technology managers shows that 83% indicated their organization has been a recent target of advanced threats while 81% felt that senior execs lacked awareness of the seriousness of advanced threats. Our experience confirms the validity of these statistics. The cybercrime problem is only going to get worse as more and more small and medium-sized businesses fall victim to online bank fraud.

The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management.

It's to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program. Our objective is nothing less than to raise information security awareness throughout the Los Angeles community. This is the most important thing we can do to help our community protect itself from the scourge of cybercrime. Having successfully concluded our 2nd Annual Information Security Summit, we know the time is right to bring the community together around this problem, and we are dedicated to doing so.

Security Updates for Adobe Acrobat, Reader

KrebsOnSecurity.com reports "Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems. ... The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want."

Users discouraged by the ongoing discovery of critical vulnerabilities in Acrobat Reader may want to consider switching to other free PDF readers that may be less of a target for malicious hackers. Examples of other free PDF readers include Foxit Reader, Nitro PDF Reader, and Sumatra.

Monday, June 28, 2010

White House Unveils National Strategy for Online Identity

darkReading reports that "the White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure. ...Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week."

Wednesday, June 23, 2010

Computing Now's Gary McGraw interviews Richard Clarke

From Computing Now's Website: Gary McGraw talks with Richard A. Clarke. Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. Gary and Richard discuss what needs to change in order for the United States to focus more attention on defense against cyber war (as opposed to offense). They also discuss the importance of software security in preventing cyber crime and cyber war, network scanning as a part of Dick’s "Defensive Triad," and balancing cybersecurity against individual liberty.


Watch Gary McGraw's interview with Richard Clarke.

Thanks to John Cosgrove for this story.

Security Updates for Firefox, Opera Browsers

KrebsOnSecurity reports "Mozilla has shipped a new version of Firefox that corrects a number of vulnerabilities in the browser. ... Firefox version 3.6.4 addresses seven security holes ranging from lesser bugs to critical flaws. Mozilla says this latest version of Firefox also does a better job of handling plugin crashes, so that if a plugin causes problems when the user browses a site, Firefox will simply let the plugin crash instead of tying up the entire browser process. Firefox should auto-update (usually on your next restart of the browser), but you can force an update check by clicking “Help,” and then “Check for Updates” (when I did this, I noticed that in its place was the “Apply Downloaded Update Now,” option, indicating that Firefox had already fetched this upgrade.)"

According to Krebs, "Mozilla also shipped, 3.5.10, an update that fixes at least nine security vulnerabilities in its 3.5.x line of Firefox. The software maker will only continue to support this version of Firefox for another couple of months, so if you’re on the 3.5.x line, you might consider upgrading soon."

Krebs reports that a new version of Opera is also available that fixes at least five security flaws in the software. Opera’s update brings the browser to version 10.54. Opera is urging users to upgrade to the latest version, available here.

Tuesday, June 22, 2010

Security Risk: Time to Move Off Windows XP SP2

Microsoft will stop supporting users of Windows XP SP2 as of July 13, 2010. This means that the company will no longer provide security patches for SP2. All Windows users should immediately upgrade to SP3 or Windows 7. According to a Computerworld article, Windows XP SP2 is still in use in more than 75% of organizations, with 36% of the PCs in every organization running SP2.

Wednesday, June 16, 2010

California Court Knowingly Exposes Confidential Data for 10 Days

The ABA Journal reports that a court in California's Sacramento County made 443 confidential documents available on a public kiosk. The problem wasn't fixed until June 4 even though a probate lawyer had brought the problem to the attention of the court on May 24. According to Presiding Judge Steve White, court technology employees didn’t act immediately because of another apparently more pressing computer problem.

Read the story here.

Monday, June 14, 2010

Free WiFi at Starbucks — Reminder of Cybersecurity Risk

The New York Times reports that Starbucks will begin offering free WiFi on July 1. This makes it a good time to remind everyone about the need to be cautious when using public Wi-Fi. While the most common risk is eavesdropping, one cannot overlook the risk of computer compromise. Here are five basic rules anytime you're on a WiFi network whose security cannot be verified:
  1. No online banking or other eCommerce
  2. No email containing sensitive information except via an approved encrypted link from PC to Mail Server
  3. Keep anti-virus or host intrusion prevention software (better) up-to-date
  4. Make sure software patches are up-to-date
  5. Use VPN for access to office

Sunday, June 13, 2010

"CyberWar: Sabotaging the System" on CBS 60 Minutes

From 60 Minutes: Could foreign hackers get into the computer systems that run crucial elements of the world's infrastructure, such as the power grids, water works or even a nation's military arsenal, to create havoc? They already have. Steve Kroft reports.

Thursday, June 10, 2010

e-Banking Bandits Target Title and Escrow Companies

KrebsOnSecurity.com reports that in March, computer criminals broke into the network of Redondo Beach, California-based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. The escrow firm has been the victim of on-line bank theft. Cybercriminals hijacked the firm's online bank account and stole $465,000.

In discussions we've had with law enforcement and bank security personnel, we find that this is a cybercrime trend. Cybercriminals seem to have discovered that title and escrow companies are regular users of the ACH system while their security controls are too often easily bypassed by the advanced hacker tools now in use.

We continue to recommend extreme caution in online banking, including:
  1. When possible, have separate computer(s) used exclusively for online banking
  2. Utilize 'out-of-band' confirmation for all online bank transactions
  3. Keep systems patched and all anti-malware software up-to-date
  4. Diligently check bank accounts daily
  5. Limit use of social networking sites
  6. Be on guard for phishing and other social networking attacks

Adobe Flash Update Plugs 32 Security Holes

KrebsOnSecurity reports Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

According to Krebs, "The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link."

Krebs continues, "If you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use."

Tuesday, June 8, 2010

Microsoft, Apple Ship Big Security Updates

KrebsOnSecurity.com reports Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. This is the largest patch push so far this year from Microsoft.

Users are reminded to turn "on" Microsoft's "AutoUpdate" to download and install patches when they become available.

Krebs reports in the same post that Apple’s Safari 5.0 update fixes at least four-dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v 10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.

Saturday, June 5, 2010

Adobe Warns of Critical Zero-Day Flaw in Flash, Acrobat & Reader

KrebsOnSecurity.com reports Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software. ... “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.” ... Krebs writes "Adobe said the vulnerability exists in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems."

Like all Zero-Day exploits, these have a higher than acceptable likelihood of getting past anti-malware products. That's why we recommend that management seriously consider using advanced intrusion prevention solutions capable of blocking zero-day attacks.