Yes, it is that time again. Time flies when you're having fun. The seventh Patch Tuesday of 2011 is next week on July 12. Microsoft predicts that we will see a meager four security bulletins next week, but don't let the small number fool you--there is a Critical security bulletin affecting Windows 7 and Windows Vista.
The light Patch Tuesday will certainly be welcome by IT admins--many of which are probably still trying to dig out and implement the updates from the 16 security bulletin avalanche that hit in June.
Amol Sarwate, Vulnerability Labs Manager for Qualys, explains, "The highest priority update is rated "Critical" and only affects Windows 7 and Windows Vista. The second highest priority will most likely be bulletin four--which fixes a remote code execution in Visio 2003 SP3."
The cat-and-mouse game between Apple and those who would "liberate" its iOS devices is back on after Wednesday's launch of JailbreakMe 3.0, a website that hacks iPhones, iPod Touches, and iPads to allow software unapproved and undistributed by Apple onto the devices.
The site is the first "jailbreak" that includes support for the iPad 2, and offers an "untethered" jailbreak, meaning that devices hacked via the site don't have to be connected to a computer to boot up, unlike other "tethered" jailbreak options.
Users spend more time on Facebook than on any other single online destination. With a pool of 700 million users sharing updates, photos, videos, and links, the social network is also a prime target for malware and phishing scams. BitDefender developed the SafeGo Facebook app to help protect you from attacks while using Facebook.
The whole point of Facebook is to be social. There is a level of inherent security expected, because the posts, links, etc. are coming from people you have a relationship with, and trust enough to include in your social circle...unless they're not. It didn't take cyber thugs long to figure out that the expectation of trust can be exploited to dupe victims into clicking on malicious links and opening malicious files.
The SafeGo Facebook page explains, "Using in-the-cloud scanning, Bitdefender Safego protects your social network account from all sorts of e-trouble: scams, spam, malware and private data exposure."
A Symantec spokesperson explains that the Android Class Loading Hijacking threat resembles a Windows DLL hijacking attack. "It relies on the fact that Android provides APIs that allow an app to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked."
Symantec stresses that the Android Class Loading Hijacking threat is not a vulnerability in the Android OS itself, but a flaw in the way some apps are coded that can be exploited to hijack permissions.
This month Microsoft patched thirty-four vulnerabilities, several of which are highly dangerous and have an exploitability vulnerability of 1. Apple released updates for Mac OS X patching a number of vulnerabilities which could allow an attacker to gain personal or secure information. Finally, Adobe released an unusual number of patches this month which fix a number of vulnerabilities across a multitude of Adobe products including ColdFusion and LiveCycle.
Since 1997 identity theft and fraud has affected more than 5.4 million people in the United States. And that number is on the rise with, more than 1.3 million complaints to the Consumer Sentinel Network (CSN) between January and December of 2009 alone. According to the Federal Trade Commission (PDF), of the 721,418 fraud-related complaints to the CSN in 2009, this has cost customers [of various products and services] more than 1.7 billion dollars at a median payout of $399. But what can companies do to prevent fraud and identity theft?
According to Network World a 4-digit numerical PIN can create only about 10,000 combinations. Use letters of the alphabet and that increases to 45,000; use a mix of letters and numbers and you have 1.5 million possibilities. With the advancements in computing, pounding through millions of combinations only takes a short limited amount of time. Thankfully, there may be a new method to fix all of this: cell phone biometrics.
Anonymous, LulzSec, and others have demonstrated time and time again over the past few months that hacking networks and compromising data is mere child's play. Does that mean there is nothing we can do, and that organizations should just accept inadequate security? No. At least one security expert believes that the answer to defending networks and data against the rise in attacks is simple--whitelisting.
The anatomy of recent hacks, and the reliance on precision, targeted, socially-engineered attacks makes them difficult--if not impossible--to defend against. Blocking unauthorized access to the network, and protecting data from external attacks is one thing, but if the attacker dupes an authorized, internal user into executing malware that grants access or gives the attackers the keys to breach the network and compromise data, there is little that can be done.
'Little' is not the same as 'nothing', though. There is a potential solution. In a blog post on Intelligent | Whitelisting, Richard Stiennon, author of Surviving Cyberwar and analyst at IT-Harvest, an independent IT security analyst firm, points out that a common denominator of malware attacks is that the malware executable is new, unknown software. A whitelisting solution would block such attacks from working, because the malware would not be on the whitelist.