Adobe ships 0-day patch for Flash – get it while it’s hot!

Senator Dianne Feinstein may represent Silicon Valley in Washington, DC, but on the contentious issue of law enforcement access to data she seems to be out of step with some of the big technology companies.

This week, Feinstein, the vice chairwoman of the Senate Intelligence Committee, and committee chairman Richard Burr of North Carolina, released a first draft of legislation aimed at compelling companies to turn over data to the government in an “intelligible format” whenever they are ordered to do so by a court.

Called the Compliance With Court Orders Act of 2016, the bill is already drawing criticism from the tech lobby, and at least one Senator who has promised to block the bill from going forward.

The Internet Association, which represents companies including Google, Dropbox, Facebook, Twitter and other internet giants, blasted the proposal by saying it “creates a mandate that companies engineer vulnerabilities into their products and services.”

Feinstein and Burr’s draft bill says companies handling communications should protect consumers’ private data through “appropriate data security,” while respecting the “rule of law” and “comply[ing] with all legal requirements and court orders.”

That’s a contradiction, according to some Silicon Valley companies: securing data means using strong encryption, and unscrambling encrypted data under a court’s order would only weaken that security by creating a “backdoor.”

Complying with court orders to turn over data in intelligible format, even when that data has been encrypted, was exactly the problem when Apple refused to obey a judge’s order to provide technical assistance to help the FBI unlock an iPhone at the center of a terrorism investigation.

The weeks-long standoff ended only when the US government dropped its case, after the FBI said it had been able to get into the iPhone without Apple’s help.

FBI Director James Comey has said, in a Congressional hearing on encryption and in recent speeches, that the smart people who brought us great products like the iPhone should be able to come up with a solution to the problem of keeping data secure yet still accessible to law enforcement.

In the recent iPhone case, however, the technical solution ordered by the court would have forced Apple to create a special version of the phone’s software with the protections against unlimited passcode guesses removed, so that law enforcement could brute-force the passcode.

Apple said in court filings that creating such software would be a burden to Apple, taking dozens of Apple engineers weeks to do, at considerable cost.

Feinstein and Burr’s proposed legislation includes a provision that the companies affected by court orders to provide technical assistance would be compensated for “such costs as are reasonably necessary.”

This provision is one reason the legislation is causing concern in the tech community.

While consumers want to buy technology with the best security possible, if passed in its current form, this bill could put the US government in the business of paying tech companies to break the security of their own products.


Data breach insurance is nothing new: it has been on the market for over 10 years. But did you know about it? Unfortunately, not many people do. Cyber Liability Insurance Cover (CLIC) protects your business and your clients when you suffer a data breach. Breaches are sadly the new normal; it is no longer a question of if you will have a data breach, but when. It is far better to be prepared and handle it well than to be trying to fix the problem while you are buried and stressed.

In the United States, 46 out of 50 states have mandatory data breach notification requirements. Handling a data breach can get costly in the blink of an eye. Just as a business carries insurance policies for theft and fire, it will soon be the norm for it to carry data breach insurance.

What exactly does cyber liability insurance cover?

  • Network Security Liability: Costs related to data breaches and damages on third-party systems.
  • Extortion Liability: Threats of cyber extortion and the fees related to handling the situation.
  • Multimedia Liability: Damages sustained from website and intellectual property rights infringement.
  • Data Breach and Privacy Crisis Management: Covers all expenses related to the data breach incident including data subject notification, the investigation and remediation, plus the overall management of the breach. Also included are the regulatory fines, legal costs including court attendance and litigation.

Let’s talk about that last bullet point for a moment. Cyber breaches were relatively unheard of until the 2000s. Before then, these types of policies covered the losses incurred when a computer system went down. Those were the good ol’ days. Then Fortune 500 companies needed an insurance policy for when their information was hacked. Fast forward to today, when small businesses need the same type of insurance, because hackers typically have no boundaries on whom they attack. Did you know that the attackers who breached Target got in through a small heating and refrigeration contractor that Target used? Yes: find the weakest link and attack through it.

In 2013 only 16% of small- to mid-sized companies had cyber liability insurance in place. Today that has roughly doubled, to 33%. Unless you want your company to be on the hook for potentially millions of dollars, make sure you have a data breach insurance policy in place.

 


Ransomware is big business these days. It isn’t just Russian hackers anymore: hackers around the world have realised they can make a quick buck by unleashing ransomware on people and businesses alike. It is time to protect your business from becoming a victim.

Just this week, Dave Winston, crew chief of NASCAR’s #95 team, announced that the team had been hit by a ransomware attack just days before a big race. The attack encrypted team-critical files and information valued at millions of dollars. They could either pay the ransom or go into the race at a huge disadvantage. They paid.


One of the hardest parts of fighting ransomware is that most people don’t understand the different depths and nuances of this cyber crime. There are three main categories of ransomware. The first is commodity ransomware that encrypts the files on an individual computer. The second reaches cloud storage: when an infected computer runs a sync client for a service like Dropbox or Google Drive, the encrypted files are synced up and overwrite the cloud copies too. The third is targeted ransomware, which focuses on high-profile victims that will pay higher ransoms because they are perceived to have more to lose.

The way ransomware works is that the attacker encrypts the victim’s files and demands payment, usually in an online currency such as Bitcoin. Payment has a short deadline, typically 24 to 72 hours, and once it passes the price of the decryption key goes up. Tracing the ransomware back to the attacker’s command and control server is extremely difficult, because the communication is routed through the Tor network. Bitcoin payments are pseudonymous: the transactions themselves are public on the blockchain, but tying a wallet address to a person is hard. The private decryption key that unlocks the files stays on the command and control server until the payment has been made, which is why the files cannot be recovered locally.
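The one thing every variant described above has in common is that it replaces file contents with ciphertext, and that is something a defender can look for. The script below is an added example written for this post, not code from the original article or from any ransomware family: it flags files whose bytes are near-uniform random (high Shannon entropy), while exempting formats that are legitimately high-entropy such as zip-based documents and JPEGs by their magic bytes, and it also flags the renamed extensions some families leave behind. The sample files, the extension list and the 7.5 bits-per-byte threshold are all constructed for illustration.

```python
"""Flag files that look like the output of file-encrypting ransomware.

Added example (not from the original post). Encrypted data is close to
uniform random, so its byte entropy approaches 8 bits per byte, while
documents sit far lower. Compressed formats are also high-entropy, so
they are exempted by magic bytes rather than flagged.
"""
import math
import os
import random
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip/docx",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",  # pdf streams are usually deflated
}
# Extensions some ransomware families append to encrypted files (illustrative, not exhaustive).
RANSOM_EXTS = {".locked", ".encrypted", ".crypt", ".ecc", ".micro"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compressed_format(data: bytes):
    """Name of a known compressed format if the file starts with its magic, else None."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess(path: str, data: bytes, threshold: float = 7.5) -> dict:
    """Verdict for one file, with the reasons it is (or is not) suspicious."""
    ent = shannon_entropy(data)
    fmt = compressed_format(data)
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in RANSOM_EXTS:
        reasons.append(f"ransomware-style extension {ext}")
    # Small files give noisy entropy estimates, so require a minimum size.
    if ent >= threshold and fmt is None and len(data) >= 256:
        reasons.append(f"high entropy {ent:.2f} bits/byte with no known compressed header")
    return {"path": path, "entropy": round(ent, 2), "format": fmt,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(files: dict) -> list:
    """Scan a {path: bytes} mapping and return only the suspicious verdicts."""
    return [v for v in (assess(p, d) for p, d in files.items()) if v["suspicious"]]


def sample_files() -> dict:
    """Constructed corpus: a real-looking docx, a text file, and two encrypted files."""
    rng = random.Random(1234)  # fixed seed so the results are repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    return {
        "Q1-report.docx": b"PK\x03\x04" + noise,          # a docx really is a zip: exempt
        "notes.txt": b"Meeting notes: budget, hiring, roadmap.\n" * 64,
        "notes.txt.locked": noise,                         # ciphertext with a renamed extension
        "invoice.pdf": noise[:2048],                       # ciphertext written over the original
    }


if __name__ == "__main__":
    for verdict in scan(sample_files()):
        print(verdict["path"], verdict["reasons"])
```

Run against a real directory, the same `assess` call applied to each file as it is modified gives an early warning: a burst of high-entropy rewrites of documents that were not compressed before is the signature to alert on, and the magic-byte exemption keeps ordinary Office files and photos out of the alert.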


Visibility is everything for a security professional: you have to know what you are protecting before you can protect it. Going on a hunch and implementing security piece by piece as issues arise is a sure way to end up in a bad situation, because you could be working on something you feel is high priority without knowing there are more pressing issues to handle. The following steps should be taken as soon as possible so that the security team covers the most ground.

Network Topology

Whether this is gathered manually, with a script, or with a scanning tool, it is vital to get an overall map of your network: what you have, where it is, and some of the controls around each point. The method you use depends on the type and size of your organization and how your servers are configured. Gathering the information manually takes a long time, and getting the right people together to roll out a scanning tool may take even longer, but the scanner’s results are easily reproduced when it comes time to update the topology.

Asset Management

This can be difficult for larger companies to keep track of once they have already started handing out computers. Keeping track of laptops, desktops, printers, tablets and company cellphones is a must. You want a named owner associated with each computer name or device. That way, if a disgruntled employee walks off the job with their laptop, you can take effective measures to ensure they cannot harm the company. An effective asset management program also helps detect unauthorized machines on the network: if every legitimate machine is tied to your inventory, intruding computers stick out like a sore thumb. Bear in mind that a computer name is trivially changed by whoever controls the machine, so tie the inventory to something harder to forge, such as the hardware serial number, the MAC address or an 802.1X certificate, and not just the name.
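The following script is an added example, written for this post rather than taken from it, of the “sticks out like a sore thumb” check in practice: it reconciles an asset register against what the DHCP server has actually handed leases to. The register (hostname, MAC, owner, type) and the lease lines are constructed; the lease format assumed is dnsmasq’s `dhcp.leases` (expiry, MAC, IP, hostname, client-id). Matching is done on MAC rather than hostname, so that an unknown device announcing a legitimate-looking name is still reported as unknown, and a known device announcing the wrong name is reported separately.

```python
"""Reconcile an asset register against the devices the DHCP server has seen.

Added example (not from the original post). The register and the lease
lines are constructed; the lease layout is dnsmasq's dhcp.leases file:
<expiry> <mac> <ip> <hostname> <client-id>. Devices are matched on MAC,
because the hostname is whatever the device chooses to claim.
"""
import csv
import io

# Constructed asset register: what the company believes it owns.
ASSET_REGISTER_CSV = """hostname,mac,owner,type
LT-0142,aa:bb:cc:00:01:42,jsmith,laptop
LT-0143,aa:bb:cc:00:01:43,mjones,laptop
PRN-FL2,aa:bb:cc:00:02:01,facilities,printer
DT-0301,aa:bb:cc:00:03:01,finance,desktop
"""

# Constructed dnsmasq lease lines. The last one is an unregistered device
# that has copied a real computer name, which is why names alone are not enough.
DHCP_LEASES = """1460000000 aa:bb:cc:00:01:42 10.0.1.42 LT-0142 01:aa:bb:cc:00:01:42
1460000000 aa:bb:cc:00:01:43 10.0.1.43 mjones-macbook 01:aa:bb:cc:00:01:43
1460000000 aa:bb:cc:00:02:01 10.0.2.1 PRN-FL2 *
1460000000 de:ad:be:ef:12:34 10.0.1.99 LT-0142 01:de:ad:be:ef:12:34
"""


def load_register(text: str) -> dict:
    """Return {mac: row} keyed on the normalised (lower-case) MAC address."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def parse_leases(text: str) -> list:
    """Parse dnsmasq lease lines into dicts; skip lines that are too short."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({"mac": parts[1].lower(), "ip": parts[2], "hostname": parts[3]})
    return leases


def reconcile(register: dict, leases: list) -> dict:
    """Three finding lists: devices not in the register, known hardware announcing
    a different name, and register entries that never showed up on the network."""
    findings = {"unknown": [], "name_mismatch": [], "not_seen": []}
    seen = set()
    for lease in leases:
        seen.add(lease["mac"])
        asset = register.get(lease["mac"])
        if asset is None:
            # Hardware the register has never heard of: the thing that should stick out.
            findings["unknown"].append(lease)
        elif asset["hostname"].lower() != lease["hostname"].lower():
            # Known hardware with an unexpected name: reimaged, renamed, or impersonated.
            findings["name_mismatch"].append(
                {**lease, "expected": asset["hostname"], "owner": asset["owner"]})
    for mac, asset in register.items():
        if mac not in seen:
            # Stale inventory, or a device that is off the network (lost? walked out?).
            findings["not_seen"].append(asset)
    return findings


def run() -> dict:
    """Reconcile the constructed register against the constructed leases."""
    return reconcile(load_register(ASSET_REGISTER_CSV), parse_leases(DHCP_LEASES))


if __name__ == "__main__":
    for kind, items in run().items():
        print(kind)
        for item in items:
            print("   ", item)
```

To use it on a real network, replace the two constants with the contents of the register export and the DHCP server’s lease file, and run it on a schedule; the “unknown” list is the one worth paging on, while “not_seen” is the list to walk through when updating the inventory once or twice a month.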

Cameras, Cameras, Cameras

Having a well laid out camera retention program puts eyes in the sky to help document the physical security of important assets like data centers, network closets and the CEO’s office. An effective way to spread the coverage of your camera system is to place one at every entrance and exit point. That way, if an incident does occur, you can go to the footage around the time it happened and track down everyone coming in and out of the building. By also placing a camera anywhere sensitive information such as SSNs or credit card numbers is physically handled, you deter and can later prove tampering. It is far too easy for an angry employee to snap a photo of someone’s account without any detection otherwise.

Overall, no control, big or small, is wasted when it comes to gaining awareness. You don’t realize how important something as simple as a timestamp is until you are doing a fraud investigation on someone at your company. All of the above information should be updated once or twice a month and be readily available at a moment’s notice.

 


The National Crime Agency (NCA) has failed in its second attempt to get hacktivist Lauri Love to hand over encryption keys for six devices seized during a raid on his Suffolk home in 2013. The court ruling is part of a civil action being pursued by Love to get those devices back.

Love is accused of stealing massive quantities of sensitive US Government information. Currently facing extradition to the US, he faces up to 99 years in prison if found guilty, according to his lawyers.

In February 2014, the NCA correctly used the Regulation of Investigatory Powers Act (RIPA) – legislation with provisions specifically designed to deal with access requests such as these – to try to get Love to share the keys.

Love refused, the agency backed off and the order simply expired.

When Love later brought a civil action against the NCA to try to get his devices back, the agency used that action to try again to force him to decrypt the devices. According to the Telegraph:

The NCA argued the access was necessary to prove whether or not the information on the devices belonged to Love.

Citing the Police (Property) Act of 1897, the NCA claimed it had the right to access the data since the confiscated equipment was in its possession. In reality, it was trying to use legislation that clearly pre-dates the digital age to sidestep RIPA.

District Judge Nina Tempia was having none of it. Delivering her judgement at Westminster Magistrates’ Court, she said:

The case management powers of the court are not to be used to circumvent specific legislation that has been passed in order to deal with the disclosure sought.

Similar attempts to use outdated legislation to gain access to data on digital devices have been more successful in the US recently.

Earlier this month, US authorities obtained a search warrant compelling an alleged Armenian gang member’s girlfriend to press her finger to his seized iPhone to unlock it via Touch ID, Apple’s fingerprint system.

Legal experts had argued that since fingerprints don’t reveal anything we know, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.

In another instance, again in the US, a suspect who refused to decrypt hard drives was jailed indefinitely. In that case the government is citing the All Writs Act – a statute that has been around since 1789 – to compel decryption.

Strong encryption is prohibitively expensive and time consuming for police forces to break, so getting hold of whatever unlocks an encrypted device – whether it’s a password, an encryption key or a fingerprint – is, for right or wrong, the only practical way for them to get access to it.

Faced with this new and impenetrable barrier, authorities will no doubt continue to search through the tools they have, including laws that pre-date the digital age, for a way to access encrypted data.

A balance needs to be struck between giving everyone access to encryption that’s free from backdoors, and giving law enforcement the powers they need to protect us.


Wireless networks have made browsing the internet much simpler and more efficient than it used to be. Broadband connections were a major upgrade over the slow dial-up connections that made using the internet more of a punishment than a way to get the job done, but a single wired connection still serves only the one device that the cable is plugged into.

One might point out that that one device could be turned into a hotspot so that other devices share a single wired connection, but a hotspot is itself a wireless network. In any case, everyone knows that Wi-Fi networks allow multiple connections and let people browse the internet and get a lot done. However, it is important that your Wi-Fi network is not open to everyone. Before going into why, we first look at how to tell if your Wi-Fi is open.

How to tell if your Wi-Fi is open

There are different methods for different operating systems.

Windows 8:

  • Click the Wi-Fi icon on the right corner of the taskbar
  • Click ‘View Connection Settings’ from the resulting sidebar
  • Click on your network in the PC menu
  • If it says WPA or WPA2 then your network is not open. If it says WEP, it is nominally secured but WEP encryption is broken and can be cracked in minutes, so treat it as effectively open and switch the router to WPA2. If it says unsecured or no authentication, your Wi-Fi is open

Windows 7:

  • Click on Start -> Control Panel -> Network and Internet -> Network and Sharing Center
  • Click on Manage Wireless Connections
  • Check the security status next to your connection

Mac OS X 10.5/10.6

  • Click on the Wi-Fi (AirPort) icon in the menu bar at the top right of your screen
  • If a lock is present next to your network then it is secured, otherwise not
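The same answer the Windows steps above give through the GUI is available from the command line, which is handier when you want to check many machines. The script below is an added example written for this post, not something from the original article: it parses the output of `netsh wlan show interfaces` (the sample outputs are constructed) and classifies the current connection. The one subtlety it handles is that netsh reports a WEP network as Authentication “Open” with Cipher “WEP”, so both fields have to be read; looking at Authentication alone would make WEP and a genuinely open network indistinguishable.

```python
"""Classify the Wi-Fi network a Windows machine is connected to.

Added example (not from the original post). Parses `netsh wlan show
interfaces` output. The sample outputs are constructed; the field names
and values (SSID, Authentication, Cipher; Open/WEP/TKIP/CCMP) are what
netsh prints.
"""
import re
import subprocess

# Only the three lines we care about. "^\s*SSID" does not match the "BSSID" line.
FIELD_RE = re.compile(r"^\s*(SSID|Authentication|Cipher)\s*:\s*(.+?)\s*$", re.M)

SAMPLE_WPA2 = """
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet
    BSSID                  : 00:11:22:33:44:55
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""

SAMPLE_WEP = """
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : OldRouter
    Authentication         : Open
    Cipher                 : WEP
"""

SAMPLE_OPEN = """
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : CoffeeShop
    Authentication         : Open
    Cipher                 : None
"""


def parse_interfaces(text: str) -> dict:
    """Return {field: value} for SSID, Authentication and Cipher."""
    return dict(FIELD_RE.findall(text))


def classify(auth: str, cipher: str) -> str:
    """'open', 'weak' (WEP, or original WPA/TKIP) or 'ok' (WPA2 or better)."""
    a, c = auth.strip().upper(), cipher.strip().upper()
    if c == "WEP":
        return "weak"            # netsh shows WEP as Open + WEP; crackable in minutes
    if a == "OPEN":
        return "open"            # no encryption at all
    if a.startswith("WPA-") or c == "TKIP":
        return "weak"            # first-generation WPA / TKIP, deprecated
    return "ok"                  # WPA2/WPA3 with CCMP or GCMP


def check(netsh_output: str):
    """(SSID, verdict) for the connected network, or None if not connected."""
    fields = parse_interfaces(netsh_output)
    if "SSID" not in fields:
        return None
    return fields["SSID"], classify(fields.get("Authentication", ""), fields.get("Cipher", ""))


def live_check():
    """Run netsh on this machine (Windows only); None if netsh is unavailable."""
    try:
        out = subprocess.run(["netsh", "wlan", "show", "interfaces"],
                             capture_output=True, text=True, check=False).stdout
    except OSError:
        return None
    return check(out)


if __name__ == "__main__":
    for sample in (SAMPLE_WPA2, SAMPLE_WEP, SAMPLE_OPEN):
        print(check(sample))
    print("this machine:", live_check())
```

On a non-Windows machine `live_check()` simply returns None; the constructed samples still exercise the three verdicts.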

Why is it dangerous to have open Wi-Fi

Now that you know how to check if your network is secure, here are a few reasons for you to be cautious and change things if your network is open:

  1. You can be victimized by malicious practices

If your wireless network is open or unsecured, it can be used by anyone in range, which means you cannot choose who connects to your Wi-Fi. People engaged in malicious activity are often on the lookout for such networks so they can stay anonymous while carrying out their task. The network identified as theirs is actually yours, and before you know it the police are knocking on your door.

  2. It is an open invitation to identity thieves

People use their Wi-Fi networks to send sensitive personal information over the internet, for example when making online payments, and most computers and other devices store a lot of sensitive information as well. An eavesdropper who joins your network can see everything you send that is not itself encrypted, and can probe the machines on your network for open file shares and other weak spots. Anything they capture can be used for fraud or simply sold on.

  3. Your monthly internet bill could shoot up

While it is possible that malicious users connect to your network, more often it is your neighbours who use it for free and exhaust your data allowance for the month, leaving you with a huge bill and scratching your head. Not as harmful as the other problems, but something to avoid nevertheless.

Conclusion

Securing your wireless network is simple and takes a minute: enable WPA2 on the router and set a strong passphrase. It could save you a lot of trouble, so do it now if your network is open to the world.

 


Are you still running Windows XP

It’s been two years since Microsoft ended support for Windows XP, the popular operating system that’s been around since 2001 and which many people just don’t seem willing to let go.

Microsoft did about all it could to drag XP users into the present, with pop-up warnings urging them to upgrade and a free migration tool to help people transfer their files and settings to Windows 7 or Windows 8.

It’s not merely that Microsoft wants to get everybody onto the latest version of Windows, although it has certainly gone to great lengths recently to get people to upgrade to Windows 10, whether they want to or not.

But as we at Naked Security repeatedly warned XP users, the end of support means “zero-days forever,” because those vulnerabilities will never be patched – and XP computers are sitting ducks for cybercriminals to attack.

And yet there are still millions of XP computers connecting to the internet, where all manner of malware is waiting to pounce.

Windows XP was still running on 10.9% of all desktops as of March 2016, according to stats compiled by Net Applications.

To put that in perspective, according to Net Applications’ figures, Windows XP is still the third-most popular desktop OS, trailing only Windows 7 (51.9%) and Windows 10 (14.2%).

And there are more PCs running XP than Windows 8.1 (9.6%), and all versions of Mac OS X combined (7.8%).

Desktop OS market share, March 2016 (source: Netmarketshare.com).

By the way, there are some Mac OS X users who are using out-of-support versions, too, meaning they are also vulnerable to never-going-to-be-fixed security holes.

Net Applications’ stats show that just under 1% of all desktops are running OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion), which are no longer receiving security updates from Apple.

Things look slightly better when you look at OS market share measured by a different company, StatCounter, but there’s still an alarming number of PCs running XP.

According to StatCounter, Windows XP represented 7.4% of all desktops in April 2016, down from 10.9% in April 2015.

That’s an improvement.

But when you consider that Microsoft puts the number of Windows devices at more than 1 billion, we are still talking about tens of millions of computers today running a very old, very outdated, and very insecure operating system.

By Sophos


The US state of New Jersey may keep the inattentive amongst us from walking into brick walls or plunging into manholes, daggnabit, even if it has to throw us in jail or fine us to get the point across.

The Associated Press reports that it’s going to do this – in theory, at least – by banning walking while texting.

A new measure recently introduced by New Jersey Assemblywoman Pamela Lampitt would ban distracted walking, forbidding pedestrians on public roads from using electronic communication devices unless those devices are hands-free.

The potential penalties for violating the ban: fines of up to $50, 15 days imprisonment, or both – the same penalties handed out to jaywalkers.

As one of the majority of people (53%, according to the Pew Research Center) who’s walked into something (I admit: it was a pole) while texting, my mind turns all cartoony at the notion of distracted walking.

Imagine putting a phone into the paws of Wile E. Coyote: he’d be texting the Road Runner about dinner plans all the way down to the inevitable “Splat!” at the bottom of the mesa.

Reality is a lot nastier than that, of course.

And the reality is that pedestrians engrossed in their mobile phones are involved in a growing number of injuries in the US, as studies have shown and as Assemblywoman Lampitt brought up in her discussion with the AP about her bill.

An annual study from the Governors Highway Safety Association found that an estimated 2,368 pedestrians were killed in the first half of 2015: an increase of 10% over the same time period the previous year.

A report from the National Safety Council found that distracted walking incidents involving mobile phones accounted for an estimated 11,101 injuries from 2000 through 2011.

Most people were talking on the phone when they were injured. Twelve percent were texting. Nearly 80% of these pedestrians hurt themselves by falling, and 9% by walking into something.

It’s not like other places haven’t tried to outlaw distracted walking. But so far, bills introduced in states including Arkansas, Illinois, Nevada and New York have all failed.

The AP quotes Douglas Shinkle, transportation program director for the National Conference of State Legislatures:

Thus far, no states have enacted a law specifically targeting distracted bicyclists or pedestrians. [But] a few states continue to introduce legislation every year.

As the AP reports, one bill pending in Hawaii would fine someone $250 for crossing the street while using an electronic device.

Short of outlawing the palm-warmers of the phone-addicted, some places have tried to get creative: Antwerp in Belgium, Utah Valley University, and the Chinese city of Chongqing have all painted lanes on sidewalks for the texting walkers among us.

Other places, such as London (unfortunately, not my home town of Boston), have tried padded lamp posts to soften the seemingly inevitable collisions between distracted pedestrians and inanimate objects.

Idiotic people like me need to be protected, Lampitt said. And London’s approach – that of upholstering the landscape so as to sequester us in padded safety akin to a bouncy castle – isn’t really good enough, given the danger we pose to motorists as well as to ourselves.

Distracted pedestrians, like distracted drivers, present a potential danger to themselves and drivers on the road.

An individual crossing the road distracted by their smartphone presents just as much danger to motorists as someone jaywalking and should be held, at minimum, to the same penalty.

A hearing on the measure hadn’t yet been scheduled as of Monday.

But while we wait to see if the bill passes, I’d just like to say thank you, Assemblywoman, from the 53% of us who’d still likely be better off encased in pillows.

By Sophos

 


Monthly Security brief

IRS and Tax Prep Software Applications Breached!

Tax season is stressful enough without the added concern that your personal information could be stolen. Just this past Tuesday, the IRS became aware of an automated cyber-attack directed at their e-filing system. Fortunately, they were able to stop the attack before any personal taxpayer information was compromised.

Recently, two tax preparation software publishers discovered that hackers had targeted the personal information of their users. TaxSlayer had to notify 8,800 customers last week that an unnamed third party may have gotten hold of the personal information on their tax returns. As a result, the company is attempting to make things right by offering these customers free credit monitoring and $1 million in identity theft insurance for a full year.

Another tax software company, TaxAct, announced they suspended less than one quarter of 1% of their customer accounts after they found suspicious activity. Again, an unnamed and unauthorized third party seems to be to blame. Although they were able to halt this early on, they are also offering a year of free credit monitoring and $1 million in insurance reimbursement to their customers.

Medical Data Breaches Expected To Be Even Higher In 2016

When we think of medical data breaches, we think of the personal health information (PHI) of patients being stolen, as in last year’s Anthem Insurance hack. But, as in any organization, the personal information of employees can also be targeted. Already this year, NCH Healthcare systems, which has two hospitals in the Naples, Florida area, informed employees that their personal information, stored in off-site servers, had been accessed by unauthorized personnel. It’s too soon to know if any of this information has been misused, but as a precaution NCH is giving affected employees free credit monitoring.

It’s always good practice to check how vulnerable your network is. Check your network now with the SentreeGuard Shield test.

Time Warner Cable Targeted By Phishing Attack

Email hacking is nothing new, but when a giant like Time Warner Cable (TWC) is hacked, it results in as many as 320,000 customers having their personal information stolen. Although TWC has not named the party responsible for the phishing attack leading up to the breach, it has contacted customers who may have been affected to recommend they change their email passwords.

First Lawsuit Filed Following Chip Scanner Deadline

With the United States joining in the migration to EMV chip payment cards, consumers are hopeful that their payment card transactions will be more secure than ever. But, with only about 40% of cards used by U.S consumers having the chips and approximately only 25% of merchants being EMV compliant, the shift will take some time.

Recently, some customers of the fast food chain Wendy’s began to find unusual activity after using their payment cards there. A patron in Orlando, Florida was the first to file a class action lawsuit against the chain.

SentreeGuard protects your critical data from being breached.  For more information on how to guard against having your personal information stolen, read our eBook; Identity Thieves, Hackers and Crooks, Oh My!

 

Contact Sentree Systems, Corp. for complete Small Business IT Security

For the second time in two months, Adobe has pushed out a Flash update that’s more than just a nice-to-have.

This one, like last month’s, fixes not only a bunch of holes that crooks would almost certainly try to use if they knew about them, but also a vulnerability that’s already being exploited in the wild for criminal purposes.

That sort of active exploit is known as an 0-day, or zero-day.

The name comes from the early days of computer game piracy: a zero-day crack came out on the very same day as the official release, so that people who wanted to steal the game had zero days to wait compared to those who were prepared to pay for it.

Pirates competed to see who could produce the quickest crack, often for nothing more than bragging rights.

In modern-day cybercrime, the name is applied to an exploit that comes out before an official patch is ready, so that even well-informed system administrators have had zero days during which they could have been patched.

These days, 0-days that work reliably are usually kept as quiet as possible by the crooks.

Bragging simply draws attention to the bug and therefore reduces the amount of money the criminals can squeeze out of unprotected victims before the patch arrives.

That makes updates that fix 0-days more urgent than usual: you’re not patching to get ahead of where the crooks might soon be, but to get ahead of where they already are.

The updated Flash versions are:

  • Flash 21.0.0.213 for Windows and OS X.
  • Extended Support Release 18.0.0.343 for Windows and OS X.
  • Flash 11.2.202.616 for Linux.

To avoid massive spikes in network demand when updates appear, many products introduce random waiting times for automatic updates.

This helps spread the load and reduces the time wasted on failed updates and network congestion. (The update may reach you slightly later, but it reaches everybody sooner.)

However, you can trigger a manual update check via the Flash control panel or preferences pane if you like.

Even if you are up-to-date, it’s nice to make sure.
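If you are checking a fleet rather than one machine, it helps to have the comparison in a script. The following is an added example for this post, not code from Naked Security or Adobe: given a version string as reported by the Flash control panel, it picks the branch by major version (so an Extended Support Release 18 install is judged against the ESR fix, 18.0.0.343, not against 21) and compares numerically, because a string comparison would rank 11.2.202.616 above 21.0.0.213. The version strings fed to it below are made up for the test.

```python
"""Check a reported Flash Player version against the fixed releases.

Added example (not from Naked Security or Adobe). Fixed versions are
the three listed in the article; the branch is selected by the first
component and the comparison is done on integer tuples.
"""
FIXED = {
    21: (21, 0, 0, 213),    # current release for Windows and OS X
    18: (18, 0, 0, 343),    # Extended Support Release
    11: (11, 2, 202, 616),  # Linux
}


def parse_version(s: str) -> tuple:
    """'21.0.0.213' -> (21, 0, 0, 213); ValueError for anything else."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_string: str) -> bool:
    """True if the version is at or above the fixed release on its own branch.

    Raises ValueError for a branch the fix list does not cover, rather than
    silently treating it as either safe or vulnerable.
    """
    v = parse_version(version_string)
    fixed = FIXED.get(v[0])
    if fixed is None:
        raise ValueError(f"no fixed version known for branch {v[0]}")
    return v >= fixed


if __name__ == "__main__":
    for reported in ("21.0.0.213", "21.0.0.182", "18.0.0.343", "11.2.202.577"):
        print(reported, "patched" if is_patched(reported) else "UPDATE NEEDED")
```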

 


Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282