Tag: vulnerabilities

Infographic: After A Year of Breaches, Are Retailers More Secure?

After a year in which some of the U.S.’s top retailers found themselves on the wrong side of sophisticated, cyber criminal hacking groups, you may be tempted to search for a silver lining. Maybe the up side of all the attacks on retail networks and point of sale systems is an improved security posture overall? After all: if your neighbors to the left and right have their house broken into, you may well beef up your locks and alarms, even if your house hasn’t been targeted. Or, at least, that’s how the thinking goes. But Boston-based BitSight took a look at how the retail sector is faring security-wise as 2014 draws to a close. BitSight is an interesting company. They market a kind of reputation monitoring service: assessing security posture for companies by observing how they look from the outside. Think of it as a kind of Experian or TransUnion for security. […]

Continue Reading

Biggest Threat to Critical Infrastructure? Lack of Imagination

The threats to critical infrastructure in the U.S. and elsewhere are so plentiful that even trying to enumerate them is futile (and not a bit depressing). But – if we were to rank them in order of importance – what would be at the top of that list? Clearly, as this blog has noted, software security is a major concern. Recently, the Industrial Control System CERT (ICS-CERT) warned about a sophisticated malware campaign targeting users of HMI (human-machine-interface) technology from leading vendors.  In at least some cases, the systems targeted were exposed directly to the Internet, making compromise simple. In other cases, industrial control system software is deployed with default administrator credentials, or easy to guess passwords. In other words: while some attackers are persistent and clever, many critical infrastructure owners make their job pretty easy. So, perhaps, its not software insecurity that belongs at the top of the list, […]

Continue Reading

US Postal Service Suspends Telecommuting Following Massive Data Breach

Following a publicized breach at the US Postal Service, that organization is discontinuing virtual private network (VPN) connections into its network, according to reports. The Postal Service took the unusual step after acknowledging, earlier this week, that a breach of their network security exposed data on 800,000 employees and 2.9 million customers. According to a statement from a USPS spokesman to the online publication Dark Reading, the virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more “robust security features can be installed.” “As a result, telecommuting has been suspended until further notice,” he said. Remote access tools including VPNs and remote desktop applications like Citrix are a frequent source of compromises of corporate networks. Most recently, compromised employee systems are believed to be the source of an attack on JP Morgan’s network. VPN software that was vulnerable to the […]

Continue Reading

Microsoft Fixes 18 Year-Old Windows Hole Used In Attacks

At this late date, you’d like to think that all the really nasty vulnerabilities in legacy Windows systems have been identified. Wishful thinking. On Tuesday, Microsoft issued a patch for a critical, remotely exploitable vulnerability affecting Windows systems going back to Windows 95, one of 14 software fixes the company released. The vulnerability in Microsoft’s OLE (Object Linking and Embedding) code is associated with CVE-2014-6332 and is already being used in targeted attacks online. It is among the most serious discovered in recent years, exposing Windows systems to remote attacks that can bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Enhanced Protected Mode sandbox in the Internet Explorer browser. The vulnerability was discovered six months ago and patched, officially, on Tuesday with MS14-064, which fixes a related OLE vulnerability, CVE-2014-6352). Microsoft has also released a stop-gap tool that customers can use in lieu of the full patch. Microsoft has also issued an […]

Continue Reading

Supply Chain Risk Escapes Notice At Many Firms

Online attacks that come by way of suppliers and other third party business partners are one of the biggest threats that modern organizations face. But too few firms are giving supply chain security the attention it deserves, a panel of legal and information security experts told attendees at a cyber security forum in Boston on Wednesday. Companies need to protect their exposure through third parties better, according to the panel: beefing up auditing of internal- and partner assets and including contractual protections that will indemnify them in the event that a breach at a supplier or business partner exposes data that materially affects their firm. The panel, “Fortifying the Supply Chain,” was part of a day long event at The Federal Reserve in Boston and sponsored by the Advanced Cyber Security Center, a technology industry consortium. It brought together top legal and information security experts, including FireEye researcher Alex Lanstein and Jim Halpert, the […]

Continue Reading
1 97 98 99 100 101 148