February 5, 2012

Why all businesses should consider SEC Cyber Security Guidance

Cyber Security Sandia Labs Research

Image compliments of Sandia Labs (Creative Commons)

Last week the SEC released a Disclosure Guidance Document on Cyber Security. The document was a direct response to the dependence on digital technologies and the increased risks associated with Cyber Security. While the SEC guidance was aimed at publicly traded companies, the information in and the existence of the document should raise eyebrows at any business.

An ounce of prevention truly is worth a pound of cure

The document contained extensive guidance for organizations covering the periods before, during and after a cyber security incident. Perhaps the most interesting suggestion in this particular document is the call to disclose risk:

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.

This is something all businesses should be asking themselves, not based on guidance from the SEC or specific directives such as HIPAA, but rather because it is the right thing to do. We as businesses are stewards of our clients' critical information. In many cases prevention is less expensive than we might think and much less expensive than the liability associated with a failure to prevent a cyber security event.

In response to the extraordinary role that Cyber Security has played in our modern connected world Managed Solutions introduced a program called Secure Enterprise in 2002 to assist businesses with protecting critical enterprises of any size. You can join the conversation about Cyber Security on our Facebook page.


Why you should avoid Public Charging Kiosks

Universal Serial Bus, or USB, was an extremely valuable development in the technology world. USB consolidated how we connect our smart phones, cameras, memory sticks and personal computers. It also created a very easy way to charge mobile devices. Like any prolific technology, this high availability is not without its pitfalls, perhaps most significantly in the world of information security.

In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While companies have made headway, including a reduction in “Autorun” infections, USB capable devices have been subjected to a number of additional threats. It is these threats that encouraged this update, to arm you with knowledge so you can better protect yourself.

Juice Jacking

While it sounds like a way criminals might steal electricity, it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging your USB capable devices such as your Android Phone or iPhone. Imagine plugging into one of these kiosks and getting your smart phone or portable device infected with malware. Once infected, your mobile device can then propagate that malware to your PC, Mac or any other computer you might connect it to in the future. Using an autorun vulnerability, that malware can then infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:

Don’t plug your phone into any public USB outlet or charging kiosk; carry your own charger and use an electrical outlet.

Your own personal charger is your protection (pictured below, left); it converts the Alternating Current (AC) to DC suitable for charging a USB device. You can also just use your own laptop and a USB cable to accomplish this.

AC to USB Chargers - Photo by Joe Hackman

Use these!

Public USB Charging = Bad

Not these!

A survey…

In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them; it’s just not worth the risk.

Additional related content:

  • #infosec hashtag search on Twitter (get the latest real time information)
  • The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
  • Security Investigator Brian Krebs piece on a charging kiosk located at the Defcon hacker conference. (partial inspiration for this post, also a great resource if you want to learn the ins and outs of information security)
  • Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)


International Patch Everything Week

Security updates are really piling up this week to keep up with a number of vulnerabilities in lots of different programs and operating systems. So much so that we’ve declared this (un-officially!):

August 7-13th, 2011 is International Patch Everything Week

 

Computer Bandage

Microsoft Advisories

It started early this week when we were informed by the US-CERT that all of these products had vulnerabilities that would be addressed in updates from Microsoft:

  • Microsoft Windows
  • Microsoft Office
  • Internet Explorer
  • .NET Framework
  • Microsoft Developer Tools

That, for the record, is pretty much everything in the Microsoft world, at least for the typical desktop user (except the developer tools of course). That was not the end of the notices for the week.

Adobe Advisories

Today we were informed of a plethora of Adobe product security updates:

  • Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh
  • Flash Media Server 4.0.2 and earlier versions for Windows and Linux
  • Flash Media Server 3.5.6 and earlier versions for Windows and Linux
  • Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems
  • Adobe Flash Player 10.3.185.25 and earlier versions for Android
  • Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android
  • Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh
  • RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows

This array of products covers pretty much any PC based client computer and Android to boot. So don’t delay when you are notified of new updates available this week, just run them all.
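One way to check an inventory against the dotted-version entries in the list above (an added example, not part of the original post or of Adobe's bulletins): versions are compared numerically and per platform, since the desktop and Android Flash Player ceilings differ. The host names, installed versions and the per-branch reading of the two Flash Media Server entries are assumptions.

```python
# Added example. Ceilings are the "and earlier" versions from the Adobe list
# above; the sample inventory and the per-branch rule are assumptions.

def parse_version(text):
    """'10.3.181.36' -> (10, 3, 181, 36). Compare integers, never strings."""
    return tuple(int(part) for part in text.strip().split("."))

def at_or_below(installed, ceiling):
    """True if installed <= ceiling, zero-padding so '2.7' equals '2.7.0'."""
    a, b = parse_version(installed), parse_version(ceiling)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

# (product, platforms, highest affected version, major versions it applies to)
# Assumption: each Flash Media Server ceiling covers only its own branch.
ADVISORY = [
    ("Shockwave Player", {"windows", "macintosh"}, "11.6.0.626", None),
    ("Flash Media Server", {"windows", "linux"}, "4.0.2", range(4, 5)),
    ("Flash Media Server", {"windows", "linux"}, "3.5.6", range(0, 4)),
    ("Adobe Flash Player", {"windows", "macintosh", "linux", "solaris"},
     "10.3.181.36", None),
    ("Adobe Flash Player", {"android"}, "10.3.185.25", None),
    ("Adobe AIR", {"windows", "macintosh", "android"}, "2.7", None),
]

def needs_update(product, platform, installed):
    """True if the installed version falls inside a listed affected range."""
    major = parse_version(installed)[0]
    for name, platforms, ceiling, majors in ADVISORY:
        if name != product or platform not in platforms:
            continue
        if majors is not None and major not in majors:
            continue
        if at_or_below(installed, ceiling):
            return True
    return False

# Constructed inventory: (host, product, platform, installed version).
INVENTORY = [
    ("desk-01", "Adobe Flash Player", "windows", "10.3.181.36"),
    ("desk-02", "Adobe Flash Player", "windows", "10.3.183.5"),
    ("phone-01", "Adobe Flash Player", "android", "10.3.183.5"),
    ("desk-03", "Shockwave Player", "windows", "11.6.0.7"),
    ("media-01", "Flash Media Server", "linux", "3.5.7"),
    ("media-02", "Flash Media Server", "linux", "4.0.1"),
    ("desk-04", "Adobe AIR", "macintosh", "2.7.0"),
]

def audit(inventory):
    """Return the hosts whose listed product still needs this week's update."""
    return [host for host, product, platform, version in inventory
            if needs_update(product, platform, version)]
```

A plain string comparison would rank 11.6.0.7 above 11.6.0.626 and miss desk-03, and the same Flash Player build number is outside the listed range on Windows but inside it on Android.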

Need help finding updates?

You can refer to the original bulletins for details on your device/pc:

For Adobe Products:

Security update available for Adobe Shockwave Player

Security update available for Adobe Flash Media Server

Security update available for Adobe Flash Player

Security update available for Adobe Photoshop CS5

Security updates available for RoboHelp

For Microsoft Products:

  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
  • Updates for consumer platforms are available from Microsoft Update

Warning: As always consult your IT department before applying software fixes. Also be aware that some software patches can cause problems.


Welcome to the post computer virus Opportunity Center

Opportunity Center

If your computer recently got infected and you paid to get it cleaned up or restored from a backup, this article was written just for you!

Fixing avoidable problems is not “fun”

Contrary to what many might believe, we don’t enjoy or look forward to fixing broken computers. What we really love to do is prevent them from needing to be repaired or otherwise enhance your business using technology like WordPress. Since we don’t live in that perfect utopia, and things do break on occasion and systems get compromised, the intention of this article is to help you avoid some of these issues in the future.

Information Security is a Challenge

There are so many threats that face you as a user (Factoid: There are 43 posts on this site that use the Security category and that is practically all we share on our Facebook page these days!). In spite of what often appears to be a swell (Tsunami?) of threats, there are certainly things that you can do to protect yourself.

Step 1 – Admit that you have a problem Opportunity.

If your computer got infected it was due to a problem. The most likely three scenarios are:

  1. Critical security updates were not installed.
  2. You believe your Antivirus software will protect you.
  3. You were careless and gave the bad guys the opportunity.

Step 2 – Don’t beat yourself up

Many users find themselves in your shoes. None of us are perfect, and since you are still reading this you can pat yourself on the back for working to improve the situation. An opportunity has presented itself: you now have added motivation to take some important precautions and raise your awareness.

Step 3 – Make sure you are installing security updates

In April of 2010 we shared with our readers why it is important to install Security updates. In that post we recommended that you should always install the following updates as soon as you can whenever prompted:

  1. Windows Critical Updates
  2. Adobe Acrobat
  3. Flash Viewer
  4. Oracle/Sun Java

It takes a while to learn what all these updates look like, but generally speaking they remain fairly consistent so once you do learn what to look out for you only need to validate it when it changes. Don’t let the fear of the updates being part of the problem stop you. It is greatly beneficial to take the time to learn to recognize the “normal” updates and apply them when prompted. It could save you from getting your computer infected.

Step 4 – Know your Antivirus Software Limits

Have you ever heard the term Zero Day? Zero day is something brand new and you often hear it combined with exploits: “Zero Day Exploits”. Since Antivirus and Anti-Malware software work off definitions (there are also heuristics, or virus-like characteristics, but they are not perfect), the software is only good if the virus or malware that you happen to get exposed to is well defined in your Antivirus/Malware Software. In other words, there are plenty of things that will infect your computer if you click them, particularly “new” viruses and malware. Remember, viruses are written to try to avoid being detected.

Your antivirus software won’t always protect you.

Learn how to protect yourself from Zero Day Exploits.

Step 5 – Understand the importance of your role in your security

It is not a secret that without users, computer viruses as we know them today would not exist. It is important to recognize that you can make a difference and to take an active role in avoiding infection by the choices you make. We covered this thoroughly in our post about the role of personal choices in information security. In that article we shared 5 areas where choices had a substantial impact on your security, including:

  1. Competency/Learning
  2. Hardware and Networking Devices
  3. Security Software
  4. Participation
  5. Gullibility and Greed

It’s no secret that virus and malware authors exploit us, our weaknesses, events, and a myriad of other things to compromise us. Make sure your personal choices aren’t giving them extra opportunities.

Step 6 – Subscribe to Our Updates

A lot of the content for this article was already on our site. Let us educate you and prevent you from harm and expense whenever possible. A simple way to stay plugged in is to sign up for updates to this site so you never miss the latest news. You can Subscribe to Managed Solutions by Email and get our Facebook exclusive updates on our Facebook page.

Opportunity Center Image credit: Jason Tester, Guerilla Futures


Large batch of Google Chrome Vulnerabilities and How to Protect Yourself

There is a rather large batch of critical Chrome vulnerabilities in this week’s US CERT advisory report SB11-024. The CERT Advisories are part of a US Government effort to keep people informed of product security issues. Most of the vulnerabilities have a rating of 9.3 to 10 out of 10, the highest possible, which means that if one is exploited on your computer it is likely that the attacker could gain access to your computer. The actual bulletins include PDF and HTML document handling, denial of service and unknown impacts that lead to “stale pointer”. This would most likely occur when accessing a website or a PDF file with a vulnerable version of the Chrome browser.

Who should care?

Do you use the Chrome Browser or Chrome OS? If you do then you should take action to confirm that you will not be vulnerable.

How to tell

With your Chrome Browser open click the small tool icon in the top right of the browser window pictured below:

How to Open About on Google Chrome

Once the above drop-down menu appears click the “About Google Chrome” menu item. This will result in a screen that will tell you if your browser is up to date and what version it is running:

About Results Google Chrome

The critical piece of information is the green check mark at the bottom of the page. If Chrome is not up to date, or in this case is a version older than 8.0.552, your browser is vulnerable and needs to be updated. In most cases Chrome will be up to date as it is configured to update automatically. This is actually one of the strengths of this browser platform.


Joe Reviews SB10-242 Cert Report (Video)

Here is a review of this week’s CERT Advisory. This includes issues with Adobe products, Chrome and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.


Dr. Dan wants to buy Real Estate (Phishing)

We’re paid to be paranoid here at Managed Solutions. When this message arrived in my inbox today it was a rarity. Rare because it is one of very few phishing Emails that have bypassed my anti-spam mechanisms. Phishing is a process by which a criminal pretends to be a legitimate entity in an effort to gain passwords, identity, bank account or other private data. Here is the text of the message:


I am interested in purchasing a private residence in your country or in any country you are well-acquainted with.

The Property must be located in a well-reserved,serene,secure and highly-hygienic environment because I am most particular about the safety and sound health of my family.
I wish to make this transaction with you in a very secret and confidential manner due to my position as a cabinet minister here in my country Ghana.

Therefore,upon response from you I will connect you with my agent here whom I trust so much to represent my interest in this purchase.franciskweme2007@[hidden].com
Thank you and accept my kindest regards,

Dr. dan


Want to complete this article?

What issues do you see with the text of this message and why would I assume that it is a Phishing Email? Complete this story via comment and we’ll feature your comment as a part of the article and link back to your website.

We have a winner: David Schur completed the article via this comment on Facebook:

David Schur – I’ll take a shot Joe.
1) does not address you by name. Nobody will buy your house, or send you millions of dollars without knowing who the heck you are
2) Total lack of pii. If this was legit, they would know your address, which is the relevant pii in this case. My bank or cc includes the last 4 digits of my account to let me know the email is real.
3) Typos…when will the phishers learn that simply hiring a native English speaker to proofread would make a difference (maybe there is a business opportunity here)
4) simple common sense…too good to be true = false…100% of the time

This won’t work for a real hack…but luckily phishers these days never invest in data that connects your email to any meaningful form of pii…luckily axiom 4 will ALWAYS be true

Joe’s comment – I really like David’s rule #4; I think phishers’ best tool is exploiting people’s greed. Also, David had no desire to have a link back to anywhere, so I asked him what charity he likes. Here is his response:

“American Red Cross…when bad stuff happens they get my money…then I can safely and with good conscience ignore the inevitable scam charity emails” – David Schur


Joe Reviews SB10-221 Cert Report (Video)

Here is a review of this week’s CERT Advisory. This update contains issues with Apple iTunes, Safari and Mozilla Firefox. Be sure to update these products if you haven’t recently. This is a weekly feature here at Managed Solutions. If you have questions about this video, post a comment here or ask on our Facebook Fan Page.


Plague of Adobe Acrobat and Reader Vulnerabilities Continues

I seem to write a post on this once a month minimum. When I opened this week’s CERT advisory there were 14 vulnerabilities rated 9.3 for Adobe Reader and Acrobat. This plague of vulnerabilities and the related exploits that have popped up remind me of Internet Explorer 5 years ago. So here at Managed Solutions we are once again advising our clients to apply any updates to Adobe products when prompted or to exercise extra caution with .pdf files. Here is the menacing list of vulnerabilities announced on 6/30/2010:


14 Adobe Acrobat Vulnerabilities



Update your iTunes or face potential exploitation

While reviewing this week’s CERT summary I noticed three vulnerabilities with a risk rating of 10, which is the highest. With the wide distribution of the iTunes software, these vulnerabilities have potentially serious ramifications. Since they involve remote code execution, it is prudent that any and all users of iTunes upgrade to version 9.2 or newer. You can check the version you are running via help/about in the program menu. Here is a partial screen-shot of this portion of the CERT advisory followed by a link to the advisories:

iTunes Vulnerable

iTunes Vulnerable - Cert Advisories

