Weekly Infosec News Brief August 17-23

New Security Information Sharing Organization for the Legal Industry Begins Operation

The legal industry, facing increasing cyber threats and receiving increased client security demands, has followed the lead of many other industries in establishing a threat information sharing center. The Legal Services Information Sharing and Analysis Organization (LS-ISAO) began operating last week, with services provided by the long-standing Financial Services Information Sharing and Analysis Center (FS-ISAC).
http://www.darkreading.com/perimeter/law-firms-form-their-own-threat-intel-sharing-group/d/d-id/1321846
https://www.fsisac.com/ls-isao


Microsoft Issues Emergency Patch for Internet Explorer; Vulnerability Already Being Exploited

Last Tuesday Microsoft issued a critical out-of-cycle patch for Internet Explorer to address a memory flaw (CVE-2015-2502) that could allow an attacker to execute code remotely against a victim system. The problem affects IE versions 7 through 11 on all Windows client operating systems; on Server 2008 and 2012 it is classified as a "moderate" threat. The flaw is already being exploited "in the wild" by cyber criminals, and organizations are advised to test and install the update as quickly as possible.
https://technet.microsoft.com/library/security/MS15-093
http://www.eweek.com/security/microsoft-patches-critical-ie-flaw-affecting-windows.html


iPhone Vulnerability Potentially Exposes Corporate Information and Credentials on Devices

A vulnerability was disclosed last week in the iOS system that runs Apple's iPhone and iPad. The vulnerability is especially notable in that it particularly affects the type of Mobile Device Management software that has been the gold standard of methods to protect such devices when used for corporate information, such as in "bring your own device" (BYOD) situations. The flaw is fixed in the latest iOS software release (8.4.1), and organizations with iPhone users are advised to ensure their users install this update as soon as possible.
http://www.scmagazine.com/sandbox-violation-in-apples-ios-affects-mdm-users-could-enable-breaches/article/433917/


FAA Air Traffic Control System Outage Caused by Software Upgrade

The Federal Aviation Administration (FAA) is in the process of implementing the next generation of air traffic tracking and control software, a massive undertaking that will involve many phases of software upgrades. As part of this process, an update was installed last week that caused an extended outage of the system, grounding flights for several hours and stranding thousands of passengers. Analysts argue that the system is irreducibly complex, and that completely reliable testing of the upgrade is essentially impossible. Does your organization have a procedure for testing upgrades and updates, or are you just hoping everything works out?
http://thehill.com/policy/cybersecurity/251310-software-limits-exposed-in-air-traffic-outage

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more