Posts

Showing posts from August, 2015

Weekly Infosec News Brief August 24-30

Survey Shows Many Federal Government Workers Ignore Mobile Security Rules A survey by mobile security software vendor Lookout indicates that a large proportion of government employees ignore their agencies' rules concerning mobile devices, web services, and security. Twenty-four percent of respondents indicated they forwarded work documents to their personal email accounts, 17% used cloud-based file sharing services for work documents, and nearly half used their personal mobile devices for work documents, despite policies prohibiting these behaviors (and annual training to reinforce these policies). While it is important to have policies governing these types of employee behaviors, without technical controls to prevent or monitor them you are likely to experience high levels of non-compliance. https://www.lookout.com/resources/reports/federal-byod http://www.eweek.com/small-business/mobile-device-security-ignored-by-federal-workers.html Google to Configure Chrome Browser

Security Basics -- Privileged Account Management

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. Account management is a basic security function, but not all accounts are created equal. Generally, any network or system has a few key accounts that have privileges or capabilities beyond those of "regular" user accounts. Administrative functions must be performed, and it is unavoidable that accounts and credentials for this purpose must exist. However, if these privileges are abused, the potential for destruction or loss is enormous. Administrative privileges can be abused by an insider who has rightful access to the account(s) in question, or the credentials may be compromised and used by a malicious outside attacker. Stealing or otherwise obtaining administrative credentials is one of the top objectives of any hacker upon gaining initial access to a system, because these will allow them to deepen and bro

Weekly Infosec News Brief August 17-23

New Security Information Sharing Organization for the Legal Industry Begins Operation The legal industry, facing increasing cyber threats and receiving increased client security demands, has followed the lead of many other industries in establishing a threat information sharing center. The Legal Services Information Sharing and Analysis Organization (LS-ISAO) began operating last week, with services provided by the long-standing Financial Services Information Sharing and Analysis Center (FS-ISAC). http://www.darkreading.com/perimeter/law-firms-form-their-own-threat-intel-sharing-group/d/d-id/1321846 https://www.fsisac.com/ls-isao Microsoft Issues Emergency Patch for Internet Explorer; Vulnerability Already Being Exploited Last Tuesday Microsoft issued a critical out-of-cycle patch for Internet Explorer to address a memory flaw (CVE-2015-2502) that could allow an attacker to execute code remotely against a victim system. The problem affects IE versions 7 through 11 on all Wi

Weekly InfoSec News Brief August 10-16

Microsoft Issues Fourteen Patches, Three for Critical Vulnerabilities Last week was the first "Patch Tuesday" since the full release of Windows 10, and sure enough the new OS gets six patches of its own (which are bundled into a single installer, so it's essentially impossible to pick and choose which of them you want to install). The critical vulnerabilities patched include one (MS15-079) in Internet Explorer that could result in remote code execution from a malicious webpage, one in Office (MS15-081) that could allow code execution from a malicious document, and yet another vulnerability in a Windows graphics component (MS15-080) that could be exploited by a malicious font file (potentially embedded in a web page). MS15-081 https://technet.microsoft.com/en-us/library/security/ms15-aug.aspx http://www.computerworld.com/article/2970493/microsoft-windows/its-alive-patch-tuesday-survives-for-windows-10.html Adobe Issues Flash Updates, Patches 34 Vulnerabilit

Security Basics: Full-Disk Encryption

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. U.S. Healthworks, a California-based healthcare provider, reported a breach recently where a company laptop was stolen from an employee's car. The laptop drive was not encrypted, and it is believed that the personal information of a significant number of customers/patients was stored on this machine. This is an old, old story, heard many times over. The need to encrypt laptop hard drives first became widely publicized due to an incident in June of 2006. An employee from the Department of Veterans Affairs had a department laptop containing personal information on large numbers of veterans (as many as 26 million) at his home, and the laptop was stolen in a burglary. The most widely-recommended measure for reducing risk of data loss due to a lost or stolen computer is full-disk encryption. Once the drive is e

Weekly InfoSec News Brief 3-9 August

Serious Firefox Vulnerability Potentially Exposes Local Files to Unauthorized Access Last Thursday, Mozilla released a security update for Firefox (v 39.0.3) to patch a serious vulnerability that was being actively exploited by hackers apparently out of Russia or Ukraine. The flaw is in the built-in PDF reader, allowing arbitrary JavaScript execution with access to the local file system. The flaw affects Firefox on all operating systems. This allowed the attackers to search for and upload files, and they used this capability to steal common files that would contain login information on Windows and Linux systems. If your organization runs Firefox at all, it is important to update to the latest version as soon as possible. https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/ http://arstechnica.com/security/2015/08/0-day-attack-on-firefox-users-stole-password-and-key-data-patch-now/ Yahoo's Ad Network Hijacked to Deliver Malware Malwarebytes di

WSUS Vulnerable to Man-in-the-Middle Attack

Many small businesses and organizations use Microsoft's WSUS (Windows Server Update Services) to deliver updates to PCs throughout the organization. This service was introduced in 2005 as an improvement upon the older SUS (Software Update Service) product, which debuted in 2002. Corporate IT can run its own server to distribute Microsoft updates inside the network, and can use Group Policy to point all the organizational PCs to download updates from there instead of directly from Microsoft. This allows IT to determine which updates are installed and when, allowing for testing and validation prior to patch deployment. While WSUS does not make for a complete organizational patch management solution, it meets many organizations' biggest needs at an attractive price (free). Like anything else in a corporate network, however, WSUS can become a liability if not configured securely. In fact, given that it is trusted to distribute software for installation throughout the network, an i

Security Basics: Multi-Factor Authentication

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. Weak passwords, stolen passwords, cracked passwords, guessed passwords -- passwords figure in some way in a large share of breaches. So what is the best way to make sure that your passwords don't lead to a breach? The answer is: stop relying on passwords. Passwords are a technology that has changed very little in the past several decades, and they are simply not a sufficiently secure mechanism for establishing identity for accessing an information system (authentication). This may be illustrated in many ways: Verizon's 2015 Data Breach Investigations Report says that 95% of web application compromises involve the use of stolen credentials. Lack of authentication security beyond username and password was cited as a key factor in the OPM breach of 2015. The effort to make passwords more secure has resulted

Weekly Infosec News Brief 27 Jul-2 Aug

Critical Vulnerability in BIND DNS Service Creates Potential Threat of Major Internet Outages A bug in the BIND DNS service was announced this week. The vulnerability (CVE-2015-5477) allows an attacker to use a vulnerable DNS server to launch crippling denial of service attacks against other systems. Patches are now available for most UNIX and Linux distributions. If your organization is running a UNIX or Linux DNS server, you should check to see if it is vulnerable. http://www.scmagazine.com/critical-bind-vulnerability-could-snuff-out-large-parts-of-internet/article/429843/ http://www.zdnet.com/article/remote-denial-of-service-vulnerability-exposes-bind-servers/ New Phishing Campaign Targets US and UK Businesses A new phishing attack targeting US and UK businesses poses as an email delivering a voice mail message. The malicious attachment is in the form of a .LNK file, which is an unusual format for malicious phishing messages. http://www.scmagazine.com/phishing-campaign-