Michigan Hosting Providers Offer Cost-Effective IT Security for SMBs

October 17, 2012

October is National Cyber Security Awareness Month, powered by the National Cyber Security Alliance (NCSA), and the theme of Week 3 is Online Safety for Business/Industry. According to StaySafeOnline.org, smaller businesses have become bigger targets for cybercriminals because they are known to have fewer resources and weaker security defenses than larger organizations. Every small and medium-sized business in Michigan should be aware of the risks and understand the IT security services that local Michigan hosting providers offer to help them. NCSA published a 2012 National Small Business Study in partnership with Symantec to study a sample of U.S. small and mid-sized businesses (SMBs) nationwide and analyze their online and security behavior. Although 46 percent of respondents reported that a safe and trusted Internet was very critical to their business’s success, a nearly identical 47 percent think there would be no impact on their business if they were to suffer a data breach, stating that a breach would be viewed as an isolated incident. However, Symantec’s 2011 SMB Disaster Preparedness Survey reports that the average cost of downtime for an SMB is $12,500 per day. Read more in 2011 SMBs & Disaster Recovery in the Cloud. When asked if SMBs had a…

Capital One Latest Bank Hit

October 15, 2012

On Tuesday, October 9th, Capital One Financial Corp. became the latest target in the string of attacks on US banks. Its services were disabled temporarily, although in a statement Pam Girardo (a spokeswoman for McLean, Virginia-based Capital One) said that “At this point, we have no reason to believe that customers and account information is at risk”. The targets of this group of DDoS attacks on financial institutions include Wells Fargo, PNC, J.P. Morgan, Chase, and Bank of America, among others. These attacks have been happening for about a month now, and a group called Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility. The group posted on pastebin.com, saying the attacks were in response to a video, “Innocence of Muslims”, that has caused an upset within the Muslim world. The attackers used an encrypted data stream that allowed them to get around the security controls put in place by the bank, including the firewall, and by using botnets (to get the sheer volume of traffic they needed, they took over commercial servers) they were able to disable Capital One’s services. While DDoS attacks are fairly commonplace, encrypting the data in…

Michigan Cyber Initiative Reports ‘People’ As Weakest Link in IT Security

October 12, 2012

Not sure where I was last year, but I somehow missed the entire Michigan Cyber Initiative launched by the State of Michigan. If you did too, you can review their efforts at www.Michigan.gov/cybersecurity. After scanning the Cybersecurity Measures for Businesses section, one thing that caught my eye was the Personnel Security Controls: ‘People, People, People’ is listed as both an asset and a threat. I’m guessing the repetition of the word makes it extra important, so let’s review what this could mean. Their three-bullet-point list starts with: “People are the key ingredient to a successful organization; but people can be the weakest link for security of the environment.” It’s true. Untrained or careless staff can unknowingly be the root cause of many a data breach. A data breach is an event in which confidential data is leaked, stolen or lost. Among the tiers of security any organization should implement, administrative security is equally important as, if not more important than, the physical security and technical security of your data environment. For a Michigan hosting provider, administrative security should include audits, policies, staff training and industry-specific compliance training. If you’re a Michigan business seeking an IT vendor, it’s important to…

October Microsoft Security Updates

October 10, 2012

Microsoft just released its Security Update for October, and there’s lots to talk about. There is one ‘critical’ update and six labelled ‘important’. The Vulnerability Impact ranges from Remote Code Execution to Denial of Service to Elevation of Privilege. Here’s the lowdown on these vulnerabilities, and what you need to do about them: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution: This is the critical patch, and it actually resolves two different vulnerabilities at once within Microsoft Office. The worse of the two could allow remote code execution, triggered by a user opening (or even previewing) a specially crafted RTF file. Successful exploitation gives the attacker the same rights as the current user. This is rated critical for all supported editions of Word 2007 and 2010. It’s considered ‘important’ for Word 2003 and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, Microsoft Word Automation Services on Microsoft SharePoint Server 2010, and Microsoft Office Web Apps. This patch fixes the issue by changing the way Office handles memory when parsing specially crafted files. This may require a restart. Vulnerability in Microsoft Works Could Allow Remote Code Execution: Related to the vulnerabilities above, if opening a specially…

Building Securable Infrastructures

October 8, 2012

Note that the title of this blog post is not “Building Secure Infrastructures”; it is “Building Securable Infrastructures”, and there is a difference. I was fortunate enough to be on an industry panel this week at Secure World, and as I was thinking about the content of this panel I started to think about a talk delivered this year at Defcon: Creating an A1 Security Kernel in the 1980s (Using “Stone Knives and Bear Skins”) by Tom Perrine. The premise of the talk was an operating system that was always in a “known secure” state: even if a malicious person was able to steal the OS code, the operating system still could not be exploited. Much of our time in engineering a security solution is spent trying to stop an intruder from gaining insight about our networks. What if we started using that time to: pick products that don’t have security holes baked in (read Java and Adobe); properly configure those devices so that they are not prone to exploit in the first place; give your application developers training on how to write secure code, the time to write secure code, and finally time in the development life…

Adobe APT Certificate Attack

October 1, 2012

Adobe announced on September 27th that two malicious utilities had been signed with a valid Adobe digital certificate. Brad Arkin, Adobe’s senior director of security for products and services, said the cause was a compromised build server. This particular server had access to the Adobe code signing infrastructure. The attackers got in and dug around until they found the server, using what Arkin calls APT-type (Advanced Persistent Threat) methods. Arkin says of the attack, “our investigations to date [have] shown no evidence that any other sensitive information- including Adobe source code or customer, financial, or employee data- was compromised”, implying that the attackers were more interested in obtaining the authority that comes with Adobe’s reputation. This affects Adobe software signed with the certificate after July 10th that is running on Windows. Three Adobe AIR applications were affected as well, running on either Windows or Mac. It was also noted that the build server only had access to the source code of one Adobe product; Arkin says the product was not Flash, Reader, or Shockwave. The certificate is slated to be revoked October 4th. Currently, Adobe is still investigating where the weak spot was within the infrastructure that allowed…

Sophos Antivirus Glitch Detected

September 21, 2012

On Wednesday, the Sophos antivirus software started detecting its own program updates as malware and quarantined the executable files. As a result, the updating function was disabled and unable to update, according to ZDNet.com. Below is a screenshot of the false-positive ‘malware’ from Sophos.com, detected as Shh/Updater-B: Sophos.com reports that by enabling Live Protection, you should no longer see the detections, since the files are now marked ‘clean’ in the Live Protection cloud. If you don’t have Live Protection enabled, you will stop seeing detections once javab-jd.ide has been downloaded by your endpoint computers. Sophos is directing users to a knowledgebase article that provides more information about the false positives and how to update endpoints with the latest IDE files: Advisory: Shh/Updater-B False Positives. The steps, with more detail in the article, are: (1) confirm SUM is updated and has downloaded javab-jd.ide to distributions; (2) configure cleanup options; (3) check endpoints. What could have caused this bug? One theory attributes the issue to a lack of developer testing during the development cycle and a failure to check code for bugs or security vulnerabilities. According to a survey conducted by Forrester Consulting and software vendor Coverity, more than 70 percent of respondents…

September Microsoft Security Updates

September 18, 2012

Last Tuesday, Microsoft released its security bulletin for the month of September. It’s a fairly short list with only two patches, one for Visual Studio Team Foundation Server and another for System Center Configuration Manager. Here’s a summary of the vulnerabilities: Visual Studio Team Foundation Server: This security update resolves a privately reported vulnerability in Visual Studio Team Foundation Server. The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. System Center Configuration Manager: This security update resolves a privately reported vulnerability in Microsoft System Center Configuration Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would…

Social Engineering: Security is a Mindset

September 7, 2012

Social engineering is an amorphous subject. In essence, the idea is to coerce someone into giving you information and/or access that, by all accounts, you shouldn’t have. The ways that social engineers can maliciously obtain anything from credit card information to usernames and passwords are almost infinite. And why not use this method? If I had the choice between breaking a door down or having someone inside open it for me, I can assure you it wouldn’t take me long to decide which one to pick. Social engineering in many cases can be easier than trying to break into a system, and can leave the hacker with fewer fingerprints on the proverbial door-knob. Most people are at this point likely familiar with Mat Honan’s story from Wired Magazine. In just half an hour he had all his passwords changed; his phone, tablet, and MacBook wiped; and his Google account deleted. Goodbye baby pictures of his daughter and extensive contact list (among many other things). All this because the hacker liked Honan’s Twitter handle and wanted to get into the account. The social engineer was able to do this by calling up the support lines of both…

The Latest IT Security Stats: Are You At Risk?

September 5, 2012

Symantec’s now well-known 2011 Internet Security Threat Report is packed full of the who, why, where and how of online attacks in the past year. Published in April 2012, the document highlights the latest trends in Internet security. One increasing risk, as many know, is mobile, due in part to smartphone user growth: Gartner predicts sales to hit 645 million by the end of 2012. This means an increase in mobile malware that can collect, send or track data (a 93.3% increase in mobile vulnerabilities since 2010). Mobile devices are also at risk of loss or theft; if personal or confidential company/client data is stored locally on your device, this can result in a data breach. Ways companies can safeguard a BYOD (Bring Your Own Device) environment include creating a mobile security strategy, developing standardized user policies, and engaging in employee training. [If you’re interested in learning more about crafting a secure and compliant BYOD environment, don’t miss our Fall into IT presentation, BYOD: From Concept to Reality, presented by Kirk Larson, VP and CIO of Children’s Hospital Central California. More details here. Recommended Reading: Keep ePHI on Secure Networks, Not Mobile Devices, Recommends OCR]. The report…
