Posts

Weekly Infosec News Brief: 24-30 Nov

Dell Laptops Shipped with Unsecure Certificate Authority Installed

Dell laptops shipped since this August included, pre-installed, a root certificate authority from Dell called "eDellRoot" that also included the authority's own private key. Even deleting the root certificate does not solve the problem, as the "Dell Foundation Services" Windows service will re-install the certificate if it is deleted. The Dell System Detect service has also been found to install its own root certificate, including the private key. Because these certificates include their own private keys and are installed as root certificate authorities in the OS, an attacker could create their own certificates signed by these and the relevant computers would see them as legitimate signed certificates for websites, drivers, and other software. Lenovo was found last year to similarly install their own root certificates for pre-installed software. Because of the difficulty of avoiding these typ...

Weekly Infosec News Brief: 16-24 November

Growing Concern About Java Deserialization Bug as a Working Exploit is Demonstrated

A long-standing concern about how Java handles serialized objects is drawing increased attention because of a practical exploit demonstrated by Foxglove Security last week. The exploit potentially affects a large number of Java web applications (Java Server Pages), and has been proven to affect common middleware layers including JBoss, WebSphere, and WebLogic. The flaw's exploitability is highly dependent on how applications are developed; if your enterprise has any externally-exposed Java-based web applications, you should ensure your developers are checking for this flaw.

http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability

Dell Laptops Shipped with Unsecure Certificate Autho...

Weekly Infosec News Brief: 9-15 Nov

Microsoft Issues Twelve Updates, Including Four to Fix Critical IE and Windows Vulnerabilities

Last week, on “Patch Tuesday,” Microsoft issued a new batch of updates for its products. Four of these are classified as “critical,” including one for Internet Explorer, one for their new Edge browser (part of Windows 10), and one for the Windows kernel. The Internet Explorer vulnerability, MS15-112, is the most likely to be exploited in the wild, and should be a priority for organizations to patch as quickly as possible. The Windows patch, MS15-115, was modified and re-released on Wednesday after some users experienced problems following its installation. If you have not installed security update 3097877 yet, ensure you have the version from November 11th before installing.

https://support.microsoft.com/en-us/kb/3097877
http://www.computerworld.com/article/3004464/application-security/four-critical-patches-for-november-patch-tuesday-update-core-windows-and-office-components.html
http:/...

Weekly Infosec News Brief: Nov 2-8

Microsoft to Start Blocking SHA-1 Certificates Earlier than Planned

Following the announcement last month that the SHA-1 hashing algorithm is even easier to defeat than previously believed, tech companies are moving up their timetables to stop using certificates based on the outdated algorithm. Microsoft is now following Google (with Chrome) and Mozilla (with Firefox) in announcing that their products will stop accepting SHA-1 certificates in June of 2016, rather than at the end of 2016 as originally planned. Websites and applications still using SHA-1 certificates will soon be causing users to receive security warnings from most popular browsers. You can check your site’s certificate (or other sites’ certificates) at Qualys’ SSL Labs.

http://www.computerworld.com/article/3001681/security/microsoft-follows-mozilla-in-considering-early-ban-on-sha-1-certificates.html

Flaw in TrueCrypt Software Allows for Potential Full System Compromise

TrueCrypt is a popular tool available ...

Weekly Infosec News Brief: Oct 26 - Nov 1

Google Gives Symantec an Ultimatum on Certificate Security Procedures

Last Thursday, Google laid out several conditions to Symantec for the transparency and security of their certificate authority. The ultimatum comes after Google's discovery in September that Symantec had issued several invalid test certificates for Google domains. Google stated that if their conditions were not met, Google may begin showing warnings in the Chrome browser, and/or in search results, for sites using Symantec-issued certificates. Symantec purchased Verisign, until this year the largest issuer of security certificates, in 2010, and continues to be one of the most widely-used and trusted issuers of such certificates for validating websites and software, as well as enabling encryption. These types of certificates are the foundation of many security functions, so if they are not being issued in a trustworthy fashion it negatively affects the reliability of many controls.

http://www.computerworld.co...

Travel Security (Cybersecurity Month Tip #11)

Keeping your computer and information secure is challenging all the time, but is especially challenging when you are on the go. Both your device(s) and data can be at risk, and some of the protections you may be used to having on your corporate and/or home networks are not present. Extra vigilance is warranted in such situations. Whether you're traveling out-of-town or just working at a table in the Starbucks down the street, here are a few things to keep in mind to keep secure while traveling: Avoid Wi-Fi hotspots in cafes, hotels, restaurants, etc., especially “open” hotspots (which most publicly-accessible ones are). iPhones have a built-in capability to connect to a VPN, so this is a way of more safely using open Wi-Fi. A wired connection in your hotel is better than Wi-Fi — less subject to monitoring. When you work over non-secure networks (and any network you don’t control should be treated as such), a good practice is to work over a VPN connection or other remote...

Social Media Security (Cybersecurity Month Tip #10)

Social media is a vastly popular use of the Internet today, and a source for a huge interchange of data. This ability to upload and download many forms of data can make social media a conduit for illegitimate information flow in and out of an organization. Social media can also allow malicious individuals to seek out and connect with people by name or by interest. Foreign intelligence services and cyber criminals have been known to create fake profiles, sometimes based on those of real people, in order to connect with and gather information on persons in an area or field of interest. Key tips for security on social media include: Use two-factor authentication; most social networks have this option. Be careful who you accept "friend" requests or connections from. Check who they are already connected with, especially, to see if their connections make sense in light of what you know of this person. Avoid connecting with people you don’t know well. Use care in sharing pe...