Microsoft Patch Advisory

December 14, 2010

eEye, a respected provider of security-related software, made some recommendations today regarding the updates released by Microsoft.

eEye says, “Administrators are advised to patch MS10-090 and MS10-091 immediately to prevent exploitation by attackers.

Next, administrators should patch MS10-092, MS10-093, MS10-094, MS10-095, MS10-096, MS10-097, MS10-098, MS10-099, MS10-100, MS10-101, MS10-102, MS10-103, MS10-104, and MS10-105 as soon as possible.

Lastly, administrators should patch MS10-106 at their earliest convenience.”

TrustCC recommends that patches be applied as soon as possible to all systems, not just those systems with sensitive information.  Any system on a network can be the weak link that leads to complete compromise.

Test updates, if possible, before applying them.  Seek vendor confirmation that software will be supported with the latest updates applied, and roll updates out slowly so you can minimize any unforeseen negative impact.

Implications:

Of the 17 patches released today, 10 address remote exploits.  Failure to apply these patches as instructed above could have serious consequences.

– TrustCC

Merry Christmas – Microsoft has a gift for you!

December 14, 2010

Microsoft is releasing another 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate.

A serious remotely exploitable bug in Internet Explorer has cropped up, and exploit code for it is publicly available.  The flaw affects IE 8, IE 7 and IE 6 running on most currently supported versions of Windows, including Windows 7, Windows Vista and Windows XP SP3.  The vulnerability could be exploited by remote attackers to take complete control of a vulnerable system.

Implications:

Patch management and security event monitoring are continuous and critically important jobs.  Organizations should continually monitor the CERT and SANS sites for the disclosure of new security vulnerabilities and updates.  Best practice dictates that you log each new vulnerability/update and your determination of its applicability to your environment.  If you determine that an update applies, follow your methodology for applying updates and verifying that they installed successfully.

While some organizations might be tempted to say “We don’t have the resources to follow your recommendations!”, we encourage resistance to raising a white flag and instead recommend reallocation of your scarce resources to make patch management and security event monitoring an absolute priority.

Why?  Our stance is now more stringent than ever before.  In our view the game has changed.  We are no longer battling the pimple-faced script kiddie who might try to hack our systems.  We are battling the Russian Business Network, organized crime, foreign governments, criminal hackers and hacking enthusiasts.  We simply can no longer afford to be patient with your patch management.

TrustCC’s security vulnerability and penetration testing services will evaluate whether your current security patch management practices are effective.

Following are the CERT and SANS websites.

CERT:  http://www.us-cert.gov/current/

SANS Storm Center:  http://isc.sans.edu/index.html

– TAG

Gawker Password Hack Fallout

December 14, 2010

This weekend, Gawker Media’s servers were hacked, leaving many user accounts and their corresponding passwords vulnerable.  Nearly 1.25 million accounts, including more than 500,000 user e-mails and more than 185,000 decrypted passwords, were posted to the web at a torrent site.  And right now, some hackers appear to be using those usernames and passwords to access systems and make false posts.

The implications are far reaching for most users whose credentials were compromised.  You see, most users re-use their passwords on multiple websites.  Do you?

A quick browse through the compromised passwords yields “123456” and “password” as the most common passwords used by those registered at Gawker Media.

Implications:

Effective security starts with user education and awareness.  Users must understand that their password is the only control preventing an attacker from gaining access to their entire online world.  Once a password is compromised, an attacker can hijack email, hijack the ability to order goods and services, access credit history, and read your Facebook (Twitter, LinkedIn, and any other site).  Educate your users about using strong and varied passwords.
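As an added illustration (not part of the original post, and using no real Gawker records): a small Python analysis over a constructed breach-style dump that reports the most common passwords, the share of accounts using them, and a blocklist check that rejects trivial variants such as “Password1” or “p@ssw0rd”. The sample records, the seed list and the function names are all made up for this example.

```python
from collections import Counter
# Constructed breach-style sample (email:password) made up for this example.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:Password1
dave@example.com:p@ssw0rd
erin@example.com:123456
heidi@example.com:123456
ivan@example.com:password
judy@example.com:Tr0ub4dor&3-correct-horse
"""
# Seed list of well-known weak passwords (the two named in the post included).
SEED_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "abc123"}
# Undo common "leet" substitutions so p@ssw0rd is compared as password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a"})

def parse_dump(text):
    """Yield (email, password) from 'email:password' lines, skipping bad lines."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and password:
            yield email.strip(), password

def top_passwords(text, n):
    """Most common passwords in the dump, e.g. [('123456', 3), ('password', 2)]."""
    return Counter(pw for _, pw in parse_dump(text)).most_common(n)

def reuse_share(text, n):
    """Fraction of accounts whose password is one of the n most common."""
    total = sum(1 for _ in parse_dump(text))
    hits = sum(count for _, count in top_passwords(text, n))
    return hits / total if total else 0.0

def normalize(password):
    """Matching form only: drop trailing digits/punctuation, lower-case, undo leet."""
    if not any(c.isalpha() for c in password):
        return password  # purely numeric/symbolic: compare verbatim
    stripped = password.rstrip("0123456789!@#$%^&*.-_") or password
    return stripped.lower().translate(LEET)

def build_blocklist(text, n):
    """Seed list plus the n most common dump passwords, all normalized."""
    found = {pw for pw, _ in top_passwords(text, n)}
    return {normalize(pw) for pw in SEED_BLOCKLIST | found}

def is_blocked(candidate, blocklist):
    """True if a proposed password is a trivial variant of a blocked one."""
    return normalize(candidate) in blocklist
```

The normalization is deliberately lossy and is used only for the blocklist comparison; a real deployment would feed a much larger breach-derived list into build_blocklist and call is_blocked at password-change time.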

Wikileaks “Friends” Take Down MAJOR Financial Websites

December 9, 2010

As the Wikileaks drama plays out on the news networks, the security world is cringing at the implications.

First, there is nothing new about botnets.  But it is “new” for people around the world to voluntarily add their systems to the botnet army.  What makes these people think the botnet operator will return control of their systems when the Wiki response is complete?  These systems could remain under the command and control of the botnet until they are rebuilt from scratch.  And what havoc will be had in the meantime?  Will the Anonymous Group commit other illegal acts with these systems?

Second, I am unaware of a previous instance where attackers publicly solicited botnet participation using social networks.  This sets an interesting precedent.  What would happen if attackers could organize more and more participants in a voluntary botnet?

Last, Distributed Denial-of-Service (DDoS) is also not new, but slinging DDoS as retribution for corporate policy changes is new.  Can other corporations that implement unpopular policies expect the same?  Apple doesn’t allow Adobe Flash on iPhones and iPads… watch out Apple!

Let’s keep watching this as it plays out.

– TrustCC

Don’t Let Negligence Ruin Your Reputation

December 9, 2010

Recently, a KOMO 4 News Problem Solvers story reported that personal information including Social Security numbers, dates of birth, and mother’s maiden names was found in plain sight behind a state-owned building in Tacoma, WA. Several organizations were involved in this case, but to our surprise, one was a credit union.

For most financial institutions, customer/member information security is a top priority.  Most have a “Clean Desk Policy” and proper disposal procedures for sensitive information.

Remember, all paper documents awaiting disposal should be kept in a locked shred bin. Recycle boxes are no longer a best practice, as they leave information vulnerable to malicious use.  Clean Desk Policies should also be implemented as part of an overall information security program. The policy should be accompanied by periodic, preferably quarterly, walk-throughs to enforce compliance.  Walk-throughs should be documented and include the site or area visited, date/time of visit, personnel who conducted the walk-through, and findings.  Personnel who conduct the walk-throughs should be looking for sensitive customer/member information left on desks, shelves, or countertops, and for other sensitive information such as usernames and passwords that have been written down and “hidden” under keyboards, stuck on monitors, or left in other obvious places.

We hope this guidance helps.  If you need assistance or have questions about any of our services, please don’t hesitate to contact us.

-TrustCC

Ho Ho Ho! Merry Mobile Christmas!

November 22, 2010

The shopping frenzy is here! Stores are buzzing with shoppers, online shopping will escalate by leaps and bounds, and with the introduction of smart phones, people can shop from the palm of their hand. While this provides convenience for the consumer, it also introduces an increased risk of fraud. Smart financial institutions will educate their customers and members on mobile security so that the holidays are safe and cybercrime free.

Here are a few mobile safety tips for your customers and members:

  • Password-protect your mobile device and keep it in a safe place.
  • Never send account information (account numbers, passwords, etc.) through a text message or email.
  • Do not hack or modify your device. This will leave it susceptible to viruses and Trojans.
  • If you change your mobile number or lose your phone, contact your financial institution immediately to change your mobile banking preferences.
  • Be proactive. Monitor your account activity and financial statements. If possible, sign up for electronic alerts that can be sent to your email or cell phone. If you suspect fraudulent activity, contact your financial institution immediately.
  • Consider installing anti-virus and/or mobile security software on your phone.
  • Verify the legitimacy of any banking application with your financial institution before downloading. If possible, go the safe route and download the application through your financial institution’s web site. If a banking application appears to be malicious, report it to your financial institution as soon as possible.

If you have any questions or concerns about mobile security or any other security question, please don’t hesitate to contact us.

TrustCC would like to wish everyone a safe and secure holiday season!

Trojan Targets US Banks

November 8, 2010

In the news today, experts announced that a rare Trojan by the name of Qakbot is making its way into financial institutions specifically in the U.S. Unlike typical types of malware, it has the ability to spread like a worm, but infect users like a Trojan. This particular Trojan targets corporate accounts, is able to filter data, and prefers shared networks so that it can contaminate every computer on the corporate network.

Freaked out yet?

While this particular Trojan made the news today, new malware is launched every day. Don’t wait for alarming headlines to take action.

During many of our IT audits and security assessments, we find that while banks and credit unions make IT security a top priority, preventable vulnerabilities such as missing security patches and a lack of security awareness training remain a common trend. Not only does this put confidential information at risk, it can potentially lead to financial loss and a tarnished reputation for the institution.

Don’t let a simple oversight put your organization at risk. Take action today and contact us to schedule an IT audit or security assessment. Our business is your success.

– TrustCC

ATM Fraud: Shift in Technology Makes US Cardholders a Target

November 1, 2010

According to recent media coverage and expert prediction, ATM skimming is anticipated to escalate in 2011.  As Europe and other countries convert from magnetic-stripe technology to EMV chip standard or smart card technology, criminals are focusing on the US as a prime target.

The EMV chip stores information on an embedded microchip rather than on a magnetic-stripe, making it extremely difficult for criminals to obtain stored data. This new technology has stopped criminals in their tracks – forcing them to focus elsewhere.  As Europe and other countries convert to this technology, criminals are setting their sights on countries such as the US where magnetic-stripe technology continues to be the norm. This shift in technology and increasing threat makes it critical for financial institutions and their customers/members to protect their PIN information.

Knowledge plays a vital role in preventing financial fraud. Make sure employees and customers/members are up-to-date on effective security practices through consistent security awareness training and educational campaigns.

In addition to education, make sure physical systems and software security are current and up to par. Start by performing regularly scheduled TR-39 reviews.

The TR-39 review is designed to make sure keys, key components, and key loading or storage devices are properly managed. Improper key management creates a security exposure that could result in significant losses to consumers and financial institutions. In addition, it puts the security of all users of the ATM network at risk, creating potentially serious liability for your organization.

The proper certification to perform TR-39 reviews is the CTGA certification.  TrustCC is one of only a handful of firms with this certification and with experience evaluating compliance with ATM network security requirements.  And unlike any of our competitors, we are the only firm that will conduct a vulnerability scan of our clients’ ATMs to detect missing security updates on the ATM.

If you have questions or need assistance with your TR-39 review or security awareness training, please don’t hesitate to reach us through our contact form at the bottom of our homepage at www.trustcc.com.

– TrustCC

Don’t Get Tricked This Holiday Season

October 28, 2010

Halloween parties, Thanksgiving festivities, and holiday gatherings are just around the corner! Soon online invites, picture sharing, and shopping will spike as will the effort of cyber criminals to get your confidential information. Keep your organization and employees safe this holiday season by practicing and preaching the following steps to keep sensitive information safe and secure:

  • Never click links in emails unless the origin of the email is verifiable and trusted.
  • Never provide information when solicited (especially usernames, passwords, account information, etc.). Financial institutions and legitimate online stores and services don’t ask you for this type of information via email.
  • Inspect links to ensure they originate from reliable sources. Often, malicious links will take you to a fraudulent site that looks legitimate.  Instead of clicking the link, go to the company’s website directly or call the company to verify the email is authentic.
  • If you are ordering products online, make sure the website is secure. If the web server is secure, the web address will begin with https:// instead of http://.

If you have questions about email phishing or security awareness training, fill out our contact form on our homepage at http://www.trustcc.com.

-TrustCC

Record Number of Patches to be Released – Is Your Organization Prepared?

October 12, 2010

Today, Microsoft is releasing a record number of patches: 16 bulletins addressing 49 vulnerabilities. Four of the 16 bulletins will be rated “critical,” Microsoft’s highest severity rating.

This week’s release will include fixes for security flaws in the Windows operating system, the Internet Explorer browser, Microsoft Office and the .NET Framework. The flaws in this month’s release affect all versions of Windows, including Windows 7 and Windows Server 2008.

Is your organization ready?

One of the most common security liabilities we encounter while conducting IT audits for our clients is missing security patches. A single missing patch can easily lead to the complete compromise of systems by viruses, worms, and manual attacks – putting confidential customer/member and organization information at risk.

A proactive patch management process is critical to keeping your organization’s most valuable information safe and secure. Customers and members depend on you to stay on top of the security game. It is vital that your patch management process includes timely updates and successful installation of patches to operating systems and to software provided by vendors.

In light of Microsoft’s record breaking patch release, we would like to emphasize that all organizations should review their patch management processes to make sure all systems and software are updated with current patches and security updates.

If you need assistance identifying vulnerabilities in your patch management process or want to confirm its effectiveness please don’t hesitate to contact us. We are here to help. Our business is devoted to your security.

To address questions specifically about the bulletins being released on Tuesday, Microsoft is hosting a webcast on Wednesday. Microsoft’s security experts will be available to discuss concerns and answer questions.

-TrustCC