November 2014 News and Updates
What’s New
- 2014 Holiday Schedule – Below is our 2014 holiday schedule. As we move into the 2014 holiday season, we want to wish everyone a Happy Thanksgiving, a Merry Christmas and a Happy New Year.
- Thanksgiving – Closed Thursday, 27 November and Friday, 28 November 2014.
- Christmas – Closed Wednesday, 24 December and Thursday, 25 December 2014.
- New Year – Closed Wednesday, 31 December [2014] and 1 January 2015.
- What do the Target Breach and Home Depot breach have in common? In December of 2013, we learned that Target had suffered a massive security breach where the identities of more than 40 million people were exposed. In September of 2014, we learned that Home Depot suffered a massive security breach where the identities of more than 50 million people were exposed. It’s widely reported that both of the breaches were the result of the BlackPOS malware. One thing that seems to have been missed in all of the excitement (and bad press for both Target and Home Depot) though is that the attacks were leveraged against Target and Home Depot by attacking smaller networks first. At Target, it was an HVAC vendor who was initially breached and the attacker leveraged that vendor to access and breach the Target network. In the case of Home Depot, it looks like the attackers were able to steal the credentials from a third party vendor to gain access to the Home Depot network and, from there, exploit a vulnerability in Microsoft Windows to gain access to the Point of Sale (POS) system. In the case of the HVAC vendor, I suspect that that vendor was a top-notch HVAC company that did great work. They likely used computers because they had to (perhaps QuickBooks for bookkeeping, Outlook for email, maybe some sort of internal system for scheduling, etc.) but they didn’t really focus on technology or spend a lot of time thinking about it. As a result, they were an easy target and, when the attacker found what they had access to, they were a launchpad for a much bigger attack. In the case of the Home Depot vendor, we have two problems to consider. First, how many people do you know that leave their passwords on sticky notes on their monitor or who use the same password for everything? What about shops where everyone logs on with the same username and password and that password is used for everything else (like your vendor login for Home Depot)?
Second, how many times have you dismissed that update notification to finish playing a game, finish a spreadsheet or proposal, etc.? In the case of Home Depot, lax security for credentials (apparently, on the part of the third party vendor) and not installing updates on time led to a massive breach. These were easy mistakes to make but also easy mistakes to avoid. Be vigilant about the security of your computer at home and at your office. Use good passwords and don’t share them with anyone. If you suspect that someone knows your password, change it. Install updates promptly after they’re released.
- Are you backing up (repost, again)? I mentioned this last month (and the month prior) but, especially with the continued growth of ransomware like Cryptolocker, Synolocker, etc., it’s worth mentioning again. If you’re not storing anything important (pictures that you want to keep, documents, business data, etc.), backups aren’t something that you need to worry about. If you are though (keeping digital pictures, documents, business data, etc.), you *need* to be backing it up and a backup IS NOT a $4 thumb drive that you got on sale at Staples. Those are transient storage, not a backup. If you’re going to use local storage for a backup, get an actual disk (or a pair of disks and alternate). We recommend (and use) CrashPlan Pro for our backups. It’s easy to use, they offer a 30-day free trial, they have an app for your smartphone (Did my backup run? Let me check, yup, there’s that file that I created earlier today) and they support roll-your-own encryption so you’ve got less to worry about regarding privacy. All of that plus their tech support rocks. Simple. Cheap. Easy. Done.
Updates
Executive Summary – There are critical updates available from Microsoft and Adobe this month for vulnerabilities that can allow an attacker full remote access to vulnerable systems but probably the biggest news this month (so far) is the Schannel vulnerability in all versions of Microsoft Windows. No exploits are being used in the wild yet but Darknet expects that we should see (at least) one within a week or so once attackers are able to reverse engineer the patch. The other big news (that seems to have slipped under the radar) is the Java update from Java 7 to Java 8. We were at Java 7 update 67 from August through mid October and then, all of a sudden, Java 8 was ‘the new thing’. What’s more, we’re already at Java 8 update 25. We first mentioned Java 8 back in the April newsletter and it seems that it has been quietly tested and updated since then.
Microsoft – According to the Advanced Notification of November 2014, there are a total of 16 bulletins with 4 listed as critical, 8 listed as important, 2 listed as moderate and 2 (MS14-68 and MS14-75) still lacking any details. In addition to this being a significantly larger number of bulletins than we’ve seen recently, Microsoft is patching a critical vulnerability in Schannel that affects all versions of Windows and allows remote code execution. Details of the Schannel vulnerability are available here. Affected products include Microsoft Windows (all versions), Internet Explorer, Microsoft Office, .NET Framework and SharePoint Server.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Additional details are available from Microsoft here.
Adobe – The latest security update from Adobe was released on 11 November and addresses Adobe Flash Player. The vulnerability addressed affects Flash Player for Windows, Macintosh and Linux and could allow an attacker to take control of affected systems.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here.
Java – The most up-to-date release version of Java, as of the time of this newsletter, is Java 8 update 25.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.