Patch! Patch! Patch! What Security Pros Know that Your Barber Doesn’t

[Originally published in the Spiceworks IT Community.]

A Google security research paper was recently published on the best safety practices that hundreds of security experts recommend. This paper outlines the results of two surveys — one with 231 security experts, and another with 294 web-users who aren’t security experts — in which both groups were asked what they do to stay safe online.

> Read More

Five years after Stuxnet, your USB drive is still being patched

Yesterday was Patch Tuesday, and – as Optimal Security’s Russ Ernst described – Microsoft released fixes for a smorgasbord of vulnerabilities.

Obviously, it’s important that you roll out the patches as soon as possible, and ensure that your computers and networks are protected against threats which malicious hackers could use to target your systems,

> Read More

Windows 10 – Cause for Confusion

As of August 1, ComputerWorld reported Windows 10 global usage had climbed to 2.5%. Not too shabby for the OS that was launched just three days earlier on July 29. Those numbers easily beat early adoption rates for Windows 8.1 but, I wonder how those users are faring? A quick read of headlines shows a lot of headaches ranging from overall privacy concerns to unwanted update files being delivered to networked machines still running Windows 7 or 8.1.

> Read More

To Patch or Not To Patch, Which is Riskier?

Patching systems in an enterprise is a complex and risky activity. It’s extremely time-consuming if you do it right. It’s even more time consuming if you don’t do it right. And in either case, there is fallout to deal with after patching. The patches don’t get applied to some systems, some systems stop working after being patched.

> Read More

Hacking (Protecting) Your POS System

In the House of Cards series of posts, I walked you through gaining access to a company’s network through an online portal in order to exfiltrate credit card data. It was a lengthy process, but the target company had enough data to make the time investment worthwhile.

Most credit card data thefts come from POS systems of small- to mid-sized companies.

> Read More

Malicious ads run next to popular YouTube videos, laced with the Sweet Orange exploit kit

If you want to watch a video, you go to YouTube.  It’s as simple as that.

Although other sites exist which host videos, Google-owned YouTube is the Goliath in the market – and gets the overwhelming bulk of the net’s video-watching traffic.

And, of course, that enormous success and high traffic brings with it unwanted attention –

> Read More

Security Resiliency

Computer security is in the headlines yet again. Last week it was the bash “Shellshock” vulnerability, before that it was the Home Depot credit card breach, and now the news is all about the security breach at JP Morgan. [ed.: And since Dan wrote this post, we’re knee deep in news about the Dairy Queen data breach and the Kmart data breach.] It seems as if IT staffs are briefing senior management on how they are handling the vulnerability of the week. 

> Read More

July Java Jamboree

The latest Critical Patch Update (CPU) from Oracle has been released today. Based on the pre-release information, the July 2014 CPU contains 113 new security vulnerability fixes, covering everything from its flagship database and Fusion Middleware to Hyperion and Solaris. [See update below.]

Of particular interest to endpoint administrators will be the 20 vulnerabilities in Java SE.

> Read More

Java on XP?

Is it still supported, and what should you do about it?

Well done to Oracle, which has successfully managed to confuse everyone about what the situation is regarding whether Java (a development platform with a long history of security holes) will continue to be properly supported on Windows XP (an operating system with a long history of security holes,

> Read More

Much Ado About Java

So, have you seen the latest about Java? Seems most organizations are still running (really) old versions. And even the current version has what is technically known as a shit-ton of zero-day vulnerabilities. And so Oracle is changing their vulnerability numbering system to accommodate all of them, in addition to taking other steps surrounding Java security.

> Read More

Before, During and After Patch Tuesday: A Survival Guide

It’s been said that there are only two types of companies left in the world: those who know they’ve been hacked and those who don’t. We have to hope that there’s still a third group: those who have not been hacked. You can be sure those who belong to the third group are those who are rigorously implementing security features and,

> Read More

Keys to the Kingdom

For hackers, social media is the top malware delivery vehicle of choice right now. And why not? Social networking sites are where the people are – and their information is readily available. Sadly, many unsuspecting people fail to realize that by creating a Facebook page, they are literally handing bad guys all the necessary needed to hack their bank account.

> Read More

Novel New USB Attack

News about a new attack via USB flash drive, known as Stuxnet.B, is surfacing. The Belarusian antivirus company VirusBlokAda recently discovered it and published a report on it. There are several points about this attack which make it both novel and unique, even though infection / propagation via USB flash drives is very common.

> Read More

May 2010 Patch Tuesday Security Briefing

Microsoft has released two security bulletins this month, MS10-030 and MS10-031 to address two vulnerabilities in Microsoft Windows and Microsoft Office, both rated Critical. As both bulletins are rated as critical, they will both demand a high priority in their deployment across the enterprise.

For more information on Microsoft and other vendor patches,

> Read More