A New Year Signals the End of Patch Tuesday As We Know It

The big news in today’s January Patch Tuesday is that this release marks the end of the 12-year Patch Tuesday update cycle as we know it. Last month, Microsoft announced impending changes to their security update process, which is set to begin in February. Before jumping into more detail on what the coming year will look like for your patch team however,


Eight Ways to Stay Secure While Traveling

If you travel, you’re a target for thieves—and your digital assets are highly prized. Thieves covet usernames and passwords that give them access to a treasure trove of information and the chance to go for a ride on your dime.

What’s a road warrior to do? Common sense dictates never entering your username or password into a hotel or business center computer—or any public computer for that matter.


People Weak Link in Security Chain, Says New Report

If you pay any attention to infosec headlines, you’ve likely seen it’s once again that time of year when Verizon releases its Data Breach Investigations Report (DBIR). The 9th annual report was released yesterday and while much of it isn’t surprising, it is entirely disheartening.

A quick review of the findings shows cybercrime continues to target what hackers obviously deem the weakest link in the chain,


Patch! Patch! Patch! What Security Pros Know that Your Barber Doesn’t

[Originally published in the Spiceworks IT Community.]

A Google security research paper was recently published on the best safety practices that hundreds of security experts recommend. This paper outlines the results of two surveys — one with 231 security experts, and another with 294 web-users who aren’t security experts — in which both groups were asked what they do to stay safe online.


Five years after Stuxnet, your USB drive is still being patched

Yesterday was Patch Tuesday, and – as Optimal Security’s Russ Ernst described – Microsoft released fixes for a smorgasbord of vulnerabilities.

Obviously, it’s important that you roll out the patches as soon as possible, and ensure that your computers and networks are protected against threats which malicious hackers could use to target your systems,


Windows 10 – Cause for Confusion

As of August 1, ComputerWorld reported Windows 10 global usage had climbed to 2.5%. Not too shabby for the OS that was launched just three days earlier on July 29. Those numbers easily beat early adoption rates for Windows 8.1, but I wonder how those users are faring? A quick read of headlines shows a lot of headaches ranging from overall privacy concerns to unwanted update files being delivered to networked machines still running Windows 7 or 8.1.


To Patch or Not To Patch, Which is Riskier?

Patching systems in an enterprise is a complex and risky activity. It’s extremely time-consuming if you do it right. It’s even more time-consuming if you don’t do it right. And in either case, there is fallout to deal with after patching. The patches don’t get applied to some systems; some systems stop working after being patched.


Hacking (Protecting) Your POS System

In the House of Cards series of posts, I walked you through gaining access to a company’s network through an online portal in order to exfiltrate credit card data. It was a lengthy process, but the target company had enough data to make the time investment worthwhile.

Most credit card data thefts come from POS systems of small- to mid-sized companies.


Malicious ads run next to popular YouTube videos, laced with the Sweet Orange exploit kit

If you want to watch a video, you go to YouTube. It’s as simple as that.

Although other sites exist which host videos, Google-owned YouTube is the Goliath in the market – and gets the overwhelming bulk of the net’s video-watching traffic.

And, of course, that enormous success and high traffic brings with it unwanted attention –


Security Resiliency

Computer security is in the headlines yet again. Last week it was the bash “Shellshock” vulnerability, before that it was the Home Depot credit card breach, and now the news is all about the security breach at JP Morgan. [ed.: And since Dan wrote this post, we’re knee deep in news about the Dairy Queen data breach and the Kmart data breach.] It seems as if IT staffs are briefing senior management on how they are handling the vulnerability of the week. 


July Java Jamboree

The latest Critical Patch Update (CPU) from Oracle has been released today. Based on the pre-release information, the July 2014 CPU contains 113 new security vulnerability fixes, covering everything from its flagship database and Fusion Middleware to Hyperion and Solaris. [See update below.]

Of particular interest to endpoint administrators will be the 20 vulnerabilities in Java SE.


Java on XP?

Is it still supported, and what should you do about it?

Well done to Oracle, which has successfully managed to confuse everyone about what the situation is regarding whether Java (a development platform with a long history of security holes) will continue to be properly supported on Windows XP (an operating system with a long history of security holes,


Much Ado About Java

So, have you seen the latest about Java? Seems most organizations are still running (really) old versions. And even the current version has what is technically known as a shit-ton of zero-day vulnerabilities. And so Oracle is changing their vulnerability numbering system to accommodate all of them, in addition to taking other steps surrounding Java security.


Before, During and After Patch Tuesday: A Survival Guide

It’s been said that there are only two types of companies left in the world: those who know they’ve been hacked and those who don’t. We have to hope that there’s still a third group: those who have not been hacked. You can be sure those who belong to the third group are those who are rigorously implementing security features and,
