Posts

Showing posts from April, 2015

Weekly Infosec News Brief 20-26 April

US Army and Japanese Nuclear Plant Operator Still Running Lots of Windows XP Machines

As the first anniversary of the end of support for Windows XP passed, news stories show that some large organizations still have significant numbers of Windows XP machines in operation on mission-essential systems. The US Army has been paying Microsoft $200 per computer over the past year for extended support, and is seeking bids from other companies to provide such support for another year. Does your organization still have Windows XP running? Have you assessed the risk you face as a result? What about Windows 2003 Server, which ends support this July?
http://gcn.com/articles/2015/04/13/army-xp-support.aspx
http://www.theregister.co.uk/2015/04/23/fukushima_nuke_plant_owner_told_to_upgrade_from_windows_xp/

Large Collection of WordPress Plugins Updated to Fix Major Vulnerabilities

WordPress is the most popular web content management platform in use today, and it has been the source of a l

Weekly Infosec News Brief 13-19 April

Microsoft "Patch Tuesday" Includes Eleven Patches, Four of Them Critical

Last Tuesday, Microsoft released their monthly batch of updates. This time there were four critical updates out of eleven total, though many of the updates address multiple vulnerabilities. The most critical of these is MS15-033, which addresses an Office vulnerability that could enable a malicious document to run code on the vulnerable system. It is believed that this flaw is being actively exploited already. The other patch that should be expedited is MS-034, which involves a vulnerability in the IIS web service on Windows 2008R2 and 2012. This flaw is also being actively exploited by attackers to crash web servers on the Internet. If your organization is running a Windows-based web server, consider testing and implementing this patch as quickly as possible.
https://technet.microsoft.com/library/security/ms15-apr?f=255&MSPPError=-2147217396
http://www.symantec.com/connect/blogs/microsoft-patc

Weekly InfoSec News Brief April 6-12

Critical Apple Mac OSX Update Released for Yosemite Only

Apple released an update last Wednesday for OSX (version 10.10.3) that fixes a number of serious security vulnerabilities. The most serious is CVE-2015-1130, which could allow any user to obtain root privileges to the system. The vulnerability has been present in versions of OSX since at least 2011, but Apple has not issued a patch for older versions prior to Yosemite. If you haven't upgraded your Macs to the latest OS version, you should strongly consider doing so now.
http://www.eweek.com/security/apple-patches-critical-backdoor-flaw-in-os-x-10.10.3.html
https://support.apple.com/en-us/HT204659

Major Malicious Advertising Campaign Hits Google Ad Network

A Google advertising partner, Engage Lab, was exploited last Tuesday, causing all of their advertisements to redirect users to a site running the "Nuclear" exploit kit. This exploit kit attempts to infect visitors' computers via Flash, Java, or Silverli

Weekly Infosec News Brief - 30 Apr-5 Mar, 2015

Citigroup Cyber Intelligence Report Highlights Risk of Attacks on Law Firms

Citigroup's cyber intelligence organization issued a report warning banks of the danger of cyber attacks on law firms. Law firms often hold large volumes of confidential data pertaining to their clients, and they have increasingly come under attack by cyber espionage actors. Two of the key concerns mentioned in the report were the relatively low standard of security at law firms generally, and the reluctance of law firms to disclose attacks; this makes it difficult to know the true scope of the problem.
http://www.nytimes.com/2015/03/27/business/dealbook/citigroup-report-chides-law-firms-for-silence-on-hackings.html?_r=0
https://digitalguardian.com/blog/law-firms-cyber-criminals-next-top-target

PCI Standards Group Releases New Guidelines on Penetration Testing

Penetration testing was introduced as a requirement for PCI compliance some time ago (depending on the organization size), but the standa

LogRhythm wins "Best of 2014" from SANS

SANS surveyed the SANS community for nominations for the yearly SANS “Best of the Year” awards for products and services successfully used to provide increases in both the effectiveness and efficiency of cybersecurity programs. In 2014 the products were voted on by more than 650 security operations professionals and security managers from within the SANS community, all of whom are actual users of these products. The SANS Best of Awards are not driven by vendors, but by the people actually using these products. The Awards are an extension of the SANS WhatWorks Program which creates awareness of security programs and solutions that are actually being used to stop bad guys and improve security. SANS Best of 2014 product category winners will be recognized at the SANS 2015 Orlando training event during the evening Vendor Welcome Reception. Check it out...