Month: August 2015
32 People Charged for One of the Largest Computer Hacking and Securities Fraud Schemes in History
This is yet another example of the power and value of information and the motivations of cyber criminals.
XSS flaw put Salesforce accounts at risk of hijacking
This type of cross-site scripting vulnerability is concerning for a solution like Salesforce, given the business and customer content stored and managed in that solution.
http://www.tripwire.com/state-of-security/security-data-protection/xss-flaw-salesforce/
Cisco Warns Customers About Attacks Installing Malicious IOS Bootstrap Images
This article and the related Cisco security concern speak to the value of proper credentials and access management for network devices.
Microsoft Patches USB-Related Flaw Used in Targeted Attacks
This is a more common threat than most would care to admit, but the threat is largely not the work of hardcore hackers and social engineers. It is better attributed to lazy employees and poor home computer hygiene. That said, I am pleased to see Microsoft addressing this problem once again and providing an event log for better tracking of attempted attacks.
https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240
Black Hat USA 2015 Highlights
This is a good recap for those of us who didn’t make the trip west.
http://www.tripwire.com/state-of-security/off-topic/black-hat-2015-highlights/
Microsoft Patches Critical Vulnerabilities in New Edge Browser
Welcome to the patching cycle club, Microsoft Edge!
https://threatpost.com/microsoft-patches-critical-vulnerabilities-in-new-edge-browser/114226
Krebs – Adobe, MS Push Patches, Oracle Drops Drama
This is Krebs’ recap for Patch Tuesday. It is worth noting the unusual ratings for MS Office-related patches. I would certainly move those up the critical list, especially considering that Office is often left off the automated patching cycle.
http://krebsonsecurity.com/2015/08/adobe-ms-push-patches-oracle-drops-drama/
Sophos Weekly Recap
Manipulating WSUS to Own Enterprises
This concerns me. Fear associated with the patching process has the potential to be one of the greatest weaknesses in the overall security of organizations. If a business is afraid to apply patches due to potential vulnerabilities in WSUS, then a significant battle is lost and all of the organization’s endpoints are at risk. From this demonstration at Black Hat, there is a solution in the form of SSL with proper certificate management, but Microsoft has placed that burden on the end-user organization. This issue should be addressed, and it should be addressed quickly.
https://threatpost.com/manipulating-wsus-to-own-enterprises/114168