Surprise! Microsoft issues Flash patches for Internet Explorer, Edge

Microsoft sent an email to its largest customers on Monday, alerting them that Adobe Flash Player patches for Internet Explorer and Edge will be coming today. Apparently Microsoft’s announcement last week that it would delay February patches until March 14 didn’t tell the whole story.

Yesterday’s email says in part:

Microsoft is planning to release security updates for Adobe Flash Player. These updates will be offered to the following operating systems: Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016…

Source: Infoworld.com | Security

Would killing Bitcoin end ransomware?

Ransomware is running rampant. The SonicWall GRID Threat Network detected an increase from 3.8 million ransomware attacks in 2015 to 638 million in 2016. According to a Radware report, 49 percent of businesses were hit by a ransomware attack in 2016. Quite often the attacker asks for some amount of cybercurrency – usually Bitcoin – in exchange for providing a decryption key.

Source: Infoworld.com | Security

True privacy online is not viable

Privacy-concerned consumers desperately want a magic bullet, some simple thing they can use that will protect their identities and their web activity. And although there are a plethora of offerings today that make such a claim — VPNs, privacy-focused browsers such as Tor, privacy search engines such as DuckDuckGo, quite a few services that claim to anonymize anyone’s activity — the practical realities of human behavior make such privacy claims bogus.

Let me stress that almost all of these services do indeed help a person remain anonymous from the casual, untrained observer (the typical roommate, spouse, co-worker, boss, etc.). But any consumer who thinks that these tools will thwart a law enforcement agent, motivated cyberthief or identity thief, or anyone who is willing to spend the time to track you down is in for unhappiness.

Source: Computerworld.com | Security

5 open source security tools too good to ignore

Open source is a wonderful thing. A significant chunk of today’s enterprise IT and personal technology depends on open source software. But even while open source software is widely used in networking, operating systems, and virtualization, enterprise security platforms still tend to be proprietary and vendor-locked. Fortunately, that’s changing. 

If you haven’t been looking to open source to help address your security needs, it’s a shame—you’re missing out on a growing number of freely available tools for protecting your networks, hosts, and data. The best part is, many of these tools come from active projects backed by well-known sources you can trust, such as leading security companies and major cloud operators. And many have been tested in the biggest and most challenging environments you can imagine. 

Source: Infoworld.com | Security

Build your security defense on data, not guesswork

One of the biggest problems with security defenses is the lack of concrete data to measure the effectiveness of mitigations against threats. In almost any other industry, the dearth of data would be embarrassing.

As I’ve noted before, every organization needs to develop a data-driven security defense. Such a defense uses a company’s own threat intelligence to align mitigations with the most relevant threats a company faces. The idea is to prioritize your own local threat experiences over outside data sets, focusing on root-cause analysis and using that data to drive all deployed mitigations.

Source: Infoworld.com | Security

Hackers behind bank attack campaign use Russian decoy

The hackers behind a sophisticated attack campaign that has recently targeted financial organizations around the world have intentionally inserted Russian words and commands into their malware in an attempt to throw investigators off.

Researchers from cybersecurity firm BAE Systems have recently obtained and analyzed additional malware samples related to an attack campaign that has targeted 104 organizations — most of them banks — from 31 different countries.

They found multiple commands and strings in the malware that appear to have been translated into Russian using online tools, the results making little sense to a native Russian speaker.

Source: Computerworld.com | Security

Uber to investigate female engineer’s ‘abhorrent’ sexual harassment claims

If you are a woman then working at Uber sounds like hell, based upon allegations made by Susan Fowler. She worked as a site reliability engineer at Uber from Nov. 2015 to Dec. 2016; now that she works at Stripe, she has come forward with a sickening tale of sexual harassment, discrimination and an HR department that just let it happen.

Uber CEO Travis Kalanick ordered an “urgent investigation” into Fowler’s harassment and discrimination complaints, promising to fire the people who believe the disgusting behavior is permissible at Uber.

Source: Computerworld.com | Security

Nowhere to hide: 9 new hacks coming to get you

Securitywise, the internet of things is going as badly as most computer security experts predicted. In fact, most vendors don’t fully appreciate the potential threats IoT devices pose. Anything connected to the internet and running code can be taken over for malicious purposes. Given the accelerating proliferation of internet-connected devices, we could be hurtling toward catastrophe. Personal security cameras, for example, are being used to conduct the largest denial-of-service attacks the world has ever seen, not to mention allowing strangers to spy on the very people the cameras are supposed to protect.

Source: Infoworld.com | Security

February Updates from Adobe, Microsoft

A handful of readers have inquired as to the whereabouts of Microsoft’s usual monthly patches for Windows and related software. Microsoft opted to delay releasing any updates until next month, even though there is a zero-day vulnerability in Windows going around. However, Adobe did push out updates this week as per usual to fix critical issues in its Flash Player software.

In a brief statement this week, Microsoft said it “discovered a last minute issue that could impact some customers” that was not resolved in time for Patch Tuesday, which normally falls on the second Tuesday of each month. In an update to that advisory posted on Wednesday, Microsoft said it would deliver February’s batch of patches as part of the next regularly-scheduled Patch Tuesday, which falls on March 14, 2017.

On Feb. 2, the CERT Coordination Center at Carnegie Mellon University warned that an unpatched bug in a core file-sharing component of Windows (SMB) could let attackers crash Windows 8.1 and Windows 10 systems, as well as server equivalents of those platforms. CERT warned that exploit code for the flaw was already available online.

The updates from Adobe fix at least 13 vulnerabilities in versions of Flash Player for Windows, Mac, ChromeOS and Linux systems. Adobe said it is not aware of any exploits in the wild for any of the 13 flaws fixed in this update.

The latest update brings Flash to v. 24.0.0.221. The update is rated “critical” for all OSes except Linux; critical flaws can be exploited to compromise a vulnerable system through no action on the part of the user, aside from perhaps browsing to a malicious or hacked Web site.

Flash has long been a risky program to leave plugged into the browser. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep and update Flash, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then.


Source: KrebsOnSecurity
