Following a publicized breach at the US Postal Service, that organization is discontinuing virtual private network (VPN) connections into its network, according to reports. The Postal Service took the unusual step after acknowledging, earlier this week, that a breach of their network security exposed data on 800,000 employees and 2.9 million customers. According to a statement from a USPS spokesman to the online publication Dark Reading, the virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more “robust security features can be installed.” “As a result, telecommuting has been suspended until further notice,” he said. Remote access tools including VPNs and remote desktop applications like Citrix are a frequent source of compromises of corporate networks. Most recently, compromised employee systems are believed to be the source of an attack on JP Morgan’s network. VPN software that was vulnerable to the […]
Tag: software
Microsoft Fixes 18 Year-Old Windows Hole Used In Attacks
At this late date, you’d like to think that all the really nasty vulnerabilities in legacy Windows systems have been identified. Wishful thinking. On Tuesday, Microsoft issued a patch for a critical, remotely exploitable vulnerability affecting Windows systems going back to Windows 95, one of 14 software fixes the company released. The vulnerability in Microsoft’s OLE (Object Linking and Embedding) code is associated with CVE-2014-6332 and is already being used in targeted attacks online. It is among the most serious discovered in recent years, exposing Windows systems to remote attacks that can bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Enhanced Protected Mode sandbox in the Internet Explorer browser. The vulnerability was discovered six months ago and patched, officially, on Tuesday with MS14-064, which fixes a related OLE vulnerability, CVE-2014-6352). Microsoft has also released a stop-gap tool that customers can use in lieu of the full patch. Microsoft has also issued an […]
Discrete Malware Lures Execs At High-End Hotels
Kaspersky Lab has a fascinating write-up of malware it is calling “DarkHotel.” The information-stealing software is believed to target traveling executives. Curiously, Kaspersky says the malware may be almost a decade old and is found only on the wireless networks and business centers of select, high-end hotels. Reports about targeted attacks on traveling executives are nothing new. However, the Kaspersky report (PDF version here) may be the most detailed yet on a specific malicious software family that is devoted to hacking senior corporate executives. According to Kaspersky, the DarkHotel malicious software maintained a presence on hotel networks for years, with evidence of its operation going back as far as 2007. The malware used that persistent access to target select hotel guests, leveraging check-in/check-out and identity information on guests to limit attacks to high value targets. Targeted guests were presented with iFrame based attacks that were launched from the hotel’s website, […]
Bad News About File Sharing Apps
Sensitive enterprise data may be leaving the safety of our corporate networks at a much faster clip than we believed – with web based file sharing services a major contributor to data flight. That’s the conclusion of a survey by the firm Elastica, which analyzed 100 million files shared on leading public cloud applications. According to the research, employees each stored an average of 2,037 files in the cloud. More concerning: fully 20 percent of the files that were “broadly shared” via file sharing services contained regulated data of one sort or another. The company put together a nice little infographic that highlights some of the larger findings. You can view it here. Read more via The Bad News About File Sharing Apps | Digital Guardian.
Cyber insurance: Only fools rush in | ITworld
Cyber incidents these days tend to follow a familiar pattern: law enforcement is contacted and will begin criminal investigations. Cyber forensic investigators are hired to piece together what happened and security consultants will analyze and remove the malware from any affected systems. Finally: customers who were affected are notified and – typically -offered free credit monitoring services. All of these services come at a cost, of course, as does the business disruption that results. Current cyber insurance policies are structured to recover some or most of those costs. Now companies – from the Fortune 10 on down – are looking to hedge their online risks with various kinds of business insurance. That demand, in turn, is fueling a rapid expansion of the cyber insurance industry that was little more than a niche offering five years ago. But insurance industry experts and corporate security professionals offer words of advice for companies that think they […]
