What you need to know about new zero day that hits most supported Windows versions

Tony Bradley, PCWorld

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.

Microsoft issued a security advisory this week with details of a zero-day vulnerability that affects every supported version of the Windows operating system with the exception of Windows Server 2003. The flaw is very similar to the OLE vulnerability patched earlier this month, which was linked to the Sandworm cyber espionage campaign.

Like the vulnerability in MS14-060, this new flaw is exploited through the use of a malicious Microsoft Office file that contains an OLE object. If successfully exploited, the flaw could allow an attacker to execute malicious code remotely on the vulnerable system, with the rights and privileges of the currently logged-in user.

McAfee is credited with helping to identify the new vulnerability while investigating Sandworm. A McAfee blog post explains, “During our investigation, we found that the Microsoft’s official patch is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.”


How a USB key drive could remove the hassles from two-factor authentication


We've had enough malware campaigns and data breaches to confirm the need for better data protection online. The Universal 2nd Factor (U2F) standard is a step in the right direction, and the first compatible devices are coming out now.

U2F is an open authentication standard. It was initially developed by Google, but it's now managed by the FIDO (Fast Identity Online) Alliance. The FIDO Alliance also includes household names like Microsoft, Mastercard, Visa, PayPal, Discover, Samsung, and BlackBerry among its members.

Two-factor (or multi-factor) authentication has long been promoted as a more effective security mechanism, but it's a hassle, requiring you to juggle passwords with a second factor such as a texted code or an authentication app. U2F proposes to streamline the process using a U2F-enabled USB or NFC key fob, card, or mobile device alongside traditional authentication methods. All you have to do is use a Web browser with built-in support and native drivers.


POODLE’s bark is bigger than its bite


Google researchers revealed a major flaw in the SSL encryption protocol—SSLv3 to be precise—which has been affectionately named “POODLE.” The vulnerability is more serious than the silly name might suggest, and the news has garnered a lot of attention because of the potentially broad implications. But security experts assure us the sky is not falling.

What Is POODLE?

POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” SSLv3 is rarely used today, but most Web browsers will negotiate a compatible encryption protocol when connecting to a site or server, and are capable of downgrading to SSLv3 if necessary. The POODLE attack relies in part on forcing the target browser to fall back to the legacy protocol, which has inherent weaknesses that can be exploited to allow the attacker to access the encrypted information.


3 simple ways two-factor authentication can protect you when no one else will


It seems like consumer data is compromised in some massive data breach every other week. You should expect the companies you do business with to do everything possible to prevent data breaches and protect your data, but it’s unreasonable to believe it will never happen. It’s up to you to take additional steps to protect your own data, and minimize the potential fallout from a breach as much as you can. One of the best ways to do that is with two-factor authentication.

Dairy Queen and Kmart are just two of the more recent examples of major retail chains that have had their point-of-sale systems compromised, resulting in attackers capturing sensitive customer data. Target, Home Depot, and UPS have also been victims of recent data breaches. Personal information and credit card data from tens of millions of consumers is now in the hands of criminals, and at risk of being used for fraudulent activity or identity theft.

Two-factor authentication infographic (Image: Wave Systems Corp.)

Spot phishing scams and don’t take the bait


Can you recognize a phishing scam email when you see one? Do you know what signs to look for to identify a phishing attack, and avoid becoming a victim? In honor of National Cybersecurity Awareness Month, PhishMe has developed an infographic with helpful tips to keep you safe and secure.

PhishMe points out the usual, common-sense things you should do to avoid getting compromised—by either phishing scams or malware exploits. Don’t open unknown file attachments or click on links in suspicious emails, and don’t enter your credentials on login pages linked from email messages.

Hopefully that goes without saying at this point for emails you receive from unknown sources. It doesn’t take a rocket scientist to realize that you aren’t expecting a package from UPS, or you haven’t actually conducted business that would involve a suspicious email with a cryptic “invoice” attached. Don’t let curiosity get the best of you. You can be fairly sure it’s not legitimate—and even if it is, you know it’s not for you. Just delete the message.


Report: Huge spike in mobile malware targets Android, especially mobile payments


Two very predictable traits drive cybercriminals: First, they tend to focus on targets with the highest odds of success. Second, they prefer attacks that generate profit. A new joint report from Kaspersky Lab and INTERPOL underscores how these two factors contribute to concerning trends in mobile threats. 

The Mobile Cyber Threats report analyzes mobile malware data collected from Kaspersky’s cloud-based Kaspersky Security Network (KSN) during the period of August 1, 2013 through July 31, 2014, for over 5 million Android smartphones and tablets protected by Kaspersky security products.

It shouldn’t come as any surprise that Android is by far the biggest target for mobile malware. Recent data from IDC indicates that Android comprises about 85 percent of the overall mobile platform market, with iOS a distant second, and the remaining crumbs being shared among Windows Phone, BlackBerry, and other platforms. From a pure numbers perspective, malware designed for Android has the greatest odds of success. Android is also a more open platform, which exposes it to greater potential for exploitation.


Survey: BYOD security remains spotty, with users unaware or unmotivated about risks


Many organizations have embraced the concept of BYOD (bring your own device), allowing employees to use their own personal smartphones and tablets at work. A new survey from BitDefender, however, suggests that BYOD policies and controls have a long way to go in order to be more secure.

The BitDefender study, conducted by Millward Brown, surveyed 1,045 Internet users in the United States, aged 18 and over, during August of 2014. The results of the survey should be a wake-up call for companies to examine their BYOD policies, and ensure that adequate security controls are in place to safeguard corporate data and resources.

Based on the survey responses, it seems that BYOD has moved from trendy buzzword to accepted norm. The concept of connecting personal mobile devices to a company network or data is widely accepted, and half of the employees who are allowed to use their own smartphone, tablet, or laptop take advantage of that policy.
