Microsoft is playing Scrooge this year for any IT admins who were hoping to relax and ride out the rest of the year. There are 14 security bulletins planned for next week’s Patch Tuesday—one that happens to fall unusually late in the month thanks to December starting on a Thursday, and leaves IT admins with little time to patch before the holidays.
The good news, if you can call it good news, is that only three of the 14 security bulletins are rated as Critical. The bad news is that all of the remaining 11 are still rated as Important, and some of the vulnerabilities addressed in the Important security bulletins could be very attractive to would-be attackers.
The 14 security bulletins are comprised of seven impacting Windows, five related to Microsoft Office, one dealing with Windows Media Player, and the consistent monthly update for Internet Explorer. As per usual, the flaws identified tend to impact legacy software like Windows XP and Internet Explorer 6 more than current products.
There are reports that the zero day flaw is being actively exploited in the wild with targeted attacks against Adobe Reader 9.x for Windows. However, the flaw itself impacts a broader range of Adobe products, including Adobe Reader X (10.1.1) and earlier versions for Windows and Mac OS X, Adobe Reader 9.4.6 and earlier for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Mac OS X.
According to Adobe, a successful exploit of the vulnerability could cause the target system to crash, or potentially allow the attacker to take control of the compromised PC.
I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.
According to data from Monetate, an ecommerce technology company, holiday shopping between Black Friday and Cyber Monday was actually down from PC Web browsers this year compared to 2010. However, holiday shopping from mobile phones more than doubled from 3.1 percent to 7.36 percent, and holiday shopping conducted from tablets skyrocketed from 1.06 percent to 4.68 percent.
Clearly, mobile devices are becoming a part of the mainstream holidays shopping arsenal. It is interesting that the Monetate data indicates click-through and conversion rates are lower on mobile phones, but tablet usage is very similar to traditional PCs.
A couple weeks ago there were reports that a water utility in Illinois had been hacked—and a water pump subsequently damaged—by attackers based in Russia. A DHS investigation determined that no such hack ever occurred, but security experts warn that more still needs to be done to protect the critical infrastructure.
As it turns out, the incident with the Curran Gardner Public Water District outside of Springfield, Illinois was not a hack at all. An exclusive report from Wired.com’s Threat Level explains that Jim Mimlitz--the founder and owner of Navionics Research, the company that set up the utility’s control system--is responsible for the “suspicious” activity.
Threat Level reports that Mimlitz was on vacation in Russia with his family when the water utility called for support, and asked him to remotely log in to check out some data-history charts stored in the SCADA (Supervisory Control and Data Acquisition) system.
Can a hacker burn down your business by remotely setting one of your printers on fire? Researchers at Columbia University have recently proposed such a scenario, although HP quickly denied that it's possible. Howver, even if your printers can’t be used as remote firestarters, there are many risks involved in networking a printer.
Businesses often overlook keeping the printing environment secure. Data security gets a lot of attention, and file servers provide encrypted, access controlled storage. Workstations are encrypted as well, with password and even biometric access required. Databases and even files often require a password just so you can see what’s inside. Then you print that sensitive data, sending it off to a printer that may not be nearly as secure as the rest of your system.
You can avoid most networked printer problems by following the first three basic steps listed below. If you deal with highly sensitive data, then you need to go beyond those by protecting your printout at every step along its journey. HP has detailed information on how to use its products to protect your data, and other printer providers offer similar solutions as well. Regardless of the vendors you use, consider all seven of these steps to keep your businesses data secure through the printing process.
If you shop at any of the Lucky Supermarts in California, you may want to check your bank card accounts. On November 23, 2011, Lucky notified customers that the company had found compromised credit/debit card readers in twenty of their stores.
In the notice, Lucky announced that it had discovered the compromised readers only in self-checkout lanes during the course of regular store maintenance, and that the tampered card readers were removed immediately. Lucky also says that they have also taken steps to improve the security of the card readers in all 234 of their stores.
It is an accepted axiom of computer and network security that the human being is the weakest link. Researchers at the University of Maryland are applying traditional criminology concepts to demonstrate that human beings may be the weakest link for the attackers as well. The insights learned may help improve computer defenses and thwart potential attacks.
The work at the University of Maryland is a unique cross-practice collaboration between Michel Cukier—associate professor of reliability engineering, and David Maimon—assistant professor of criminology. The two are working together to study cybercrime through the lens of old school criminology concepts to develop recommendations IT managers can use to prevent attacks and protect their networks.
"We believe that criminological insights in the study of cybercrime are important, since they may support the development of concrete security policies that consider not only the technical element of cybercrime but also the human component," Maimon said.