Microsoft Patch Advisory

December 14, 2010

eEye, a respected provider of security-related software, made some recommendations today regarding the updates released by Microsoft.

eEye says, “Administrators are advised to patch MS10-090 and MS10-091 immediately to prevent exploitation by attackers.

Next, administrators should patch MS10-092, MS10-093, MS10-094, MS10-095, MS10-096, MS10-097, MS10-098, MS10-099, MS10-100, MS10-101, MS10-102, MS10-103, MS10-104, and MS10-105 as soon as possible.

Lastly, administrators should patch MS10-106 at their earliest convenience.”

TrustCC recommends that patches be applied as soon as possible to all systems, not just those systems with sensitive information.  Any system on a network can be the weak link that leads to complete compromise.

Test updates, if possible, before applying them.  Seek vendor confirmation that software will be supported with the latest updates applied, and roll updates out slowly so you can minimize any unforeseen negative impact.


Of the 17 patches released today, 10 address remote exploits.  Failure to apply these patches as instructed above could have serious consequences.

– TrustCC


Merry Christmas – Microsoft has a gift for you!

December 14, 2010

Microsoft is releasing another 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate.

A serious remotely exploitable bug in Internet Explorer has cropped up, and there is publicly available exploit code for the new bug.  The flaw affects IE 8, IE 7 and IE 6 running on most of the currently supported versions of Windows, including Windows 7, Windows Vista and Windows XP SP3.  The vulnerability could be exploited by remote attackers and used to take complete control of a vulnerable system.


Patch management and security event monitoring are continuous and critically important jobs.  Organizations should continually monitor the CERT and SANS sites for the disclosure of new security vulnerabilities and updates.  “Best Practice” dictates that you log each new vulnerability/update along with your determination of its applicability to your environment.  If you determine that an update applies, follow your methodology for applying updates and for verifying that the installation succeeded.

While some organizations might be tempted to say “We don’t have the resources to follow your recommendations!”, we encourage resistance to raising a white flag and instead recommend reallocation of your scarce resources to make patch management and security event monitoring an absolute priority.

Why?  Our stance is now more stringent than ever before.  In our view the game has changed.  We are no longer battling the pimple-faced script kiddie who might try to hack our systems.  We are battling the Russian Business Network, organized crime, foreign governments, criminal hackers and hacking enthusiasts.  We simply can no longer afford to be patient with your patch management.

TrustCC’s security vulnerability and penetration testing services will evaluate whether your current security patch management practices are effective.

Following are the CERT and SANS websites.

CERT:  http://www.us-cert.gov/current/

SANS Internet Storm Center:  http://isc.sans.edu/index.html



Gawker Password Hack Fallout

December 14, 2010

This weekend, Gawker Media’s servers were hacked, leaving many user accounts and their corresponding passwords vulnerable.  Nearly 1.25 million accounts, including more than 500,000 user e-mails and more than 185,000 decrypted passwords, were posted to the web at a torrent site.  And right now, some hackers appear to be using those usernames and passwords to access systems and make false posts.

The implications are far reaching for most users whose credentials were compromised.  You see, most users re-use their passwords on multiple websites.  Do you?

A quick browse through the compromised passwords yields “123456” and “password” as the most common passwords used by those registered at Gawker Media.


Effective security starts with user education and awareness.  Users must understand that their password is the only control preventing an attacker from gaining access to their entire online world.  Once it is compromised, an attacker can hijack email, hijack the ability to order goods and services, access credit history, and read your Facebook (Twitter, LinkedIn, and any other site).  Educate your users about using strong and varied passwords.
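As an added example (not from the original post and not TrustCC's code), here is a small Python password-policy check that turns the advice above into something you can run: it rejects the common passwords named in the post, enforces a minimum length, estimates character variety, and flags a password that is being reused from another site by comparing SHA-256 digests rather than keeping the other passwords in clear text. The deny list beyond “123456” and “password”, the 12-character minimum, the 40-bit entropy floor, and the sample inputs are all constructed assumptions for this example.

```python
import hashlib
import math
import re

# Constructed for this example: the two most common Gawker passwords named in
# the post, plus a handful of other well-known weak choices (assumption).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein", "111111",
}

MIN_LENGTH = 12        # policy minimum chosen for this example (assumption)
MIN_ENTROPY_BITS = 40  # rough "variety" floor chosen for this example (assumption)


def password_digest(password: str) -> str:
    """SHA-256 hex digest, used only to compare a candidate against passwords
    already used elsewhere without storing those passwords in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: length times log2 of the character pool implied
    by the classes present (lowercase, uppercase, digits, anything else)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password, username="", other_site_digests=frozenset()):
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if password_digest(password) in other_site_digests:
        reasons.append("reused from another site")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return reasons


if __name__ == "__main__":
    # Constructed sample: digest of a password the user already uses elsewhere.
    elsewhere = {password_digest("correct horse battery staple")}
    for candidate, user in [("123456", "bob"), ("password", "bob"),
                            ("bob.smith2010", "bob"),
                            ("correct horse battery staple", "bob")]:
        problems = check_password(candidate, user, elsewhere)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The reuse check is the part that addresses “varied” rather than just “strong”: a password that passes every strength test still fails if its digest matches one the user already relies on at another site, which is exactly the exposure the Gawker dump created for people who re-used credentials.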



Wikileaks “Friends” Take Down MAJOR Financial Websites

December 9, 2010

As the Wikileaks drama plays out on the news networks, the security world is cringing at the implications.

First, there is nothing new about botnets.  But it is “new” for people around the world to voluntarily add their systems to the botnet army.  What makes these people think the botnet operator will return control of their systems when the Wiki response is complete?  These systems could remain under the command and control of the botnet until they are re-built from scratch.  And what havoc will be had in the meantime?  Will the Anonymous Group commit other illegal acts with these systems?

Second, I am unaware of a previous instance where attackers publicly solicited botnet participation using social networks.  This sets an interesting precedent.  What would happen if attackers could organize more and more participants in a voluntary botnet?

Last, Distributed Denial-of-Service (DDoS) is also not new, but slinging DDoS as retribution for corporate policy changes is new.  Can other corporations that implement unpopular policies expect the same?  Apple doesn’t allow Adobe Flash on iPhones and iPads… watch out Apple!

Let’s keep watching this as it plays out.

– TrustCC



Don’t Let Negligence Ruin Your Reputation

December 9, 2010

Recently, a KOMO 4 News Problem Solvers story reported that personal information, including Social Security numbers, dates of birth, and mother’s maiden names, was found in plain sight behind a state-owned building in Tacoma, WA. There were several organizations involved in this case, but to our surprise, one was a credit union.

For most financial institutions, customer/member information security is a top priority.  Most have a “Clean Desk Policy” and proper disposal procedures for sensitive information.

Remember, all paper documents needing disposal should be kept in a locked shred bin. Recycle boxes are no longer a best practice as they leave information vulnerable to malicious use.  Clean Desk Policies should also be implemented as part of an overall information security program. The policy should be accompanied by periodic, preferably quarterly, walk-throughs to enforce compliance.  Walk-throughs should be documented and include the site or area visited, date / time of visit, personnel who conducted the walk-through, and findings.  Personnel who conduct the walk-throughs should be looking for sensitive customer/member information left on desks, shelves, or countertops and other sensitive information such as usernames and passwords which have been written down and “hidden” under keyboards or stuck on monitors or other obvious places.

We hope this guidance helps.  If you need assistance or have questions about any of our services, please don’t hesitate to contact us.



Ho Ho Ho! Merry Mobile Christmas!

November 22, 2010

The shopping frenzy is here! Stores are buzzing with shoppers, online shopping will escalate by leaps and bounds, and with the introduction of smart phones, people can shop from the palm of their hand. While this provides convenience for the consumer, it also introduces an increased risk of fraud. Smart financial institutions will educate their customers and members on mobile security so that the holidays are safe and cybercrime free.

Here are a few mobile safety tips for your customers and members:

  • Password-protect your mobile device and keep it in a safe place.
  • Never send account information through a text message or email, i.e. account numbers, passwords, etc.
  • Do not hack or modify your device. This will leave it susceptible to viruses and Trojans.
  • If you change your mobile number or lose your phone, contact your financial institution immediately to change your mobile banking preferences.
  • Be proactive. Monitor your account activity and financial statements. If possible, sign up for electronic alerts that can be sent to your email or cell phone. If you suspect fraudulent activity, contact your financial institution immediately.
  • Consider installing anti-virus and/or mobile security software on your phone.
  • Verify the legitimacy of any banking application with your financial institution before downloading. If possible, go the safe route and download the application through your financial institution’s web site. If a banking application appears to be malicious, report it to your financial institution as soon as possible.

If you have any questions or concerns about mobile security or any other security question, please don’t hesitate to contact us.

TrustCC would like to wish everyone a safe and secure holiday season!


Trojan Targets US Banks

November 8, 2010

In the news today, experts announced that a rare Trojan by the name of Qakbot is making its way into financial institutions specifically in the U.S. Unlike typical types of malware, it has the ability to spread like a worm, but infect users like a Trojan. This particular Trojan targets corporate accounts, is able to filter data, and prefers shared networks so that it can contaminate every computer on the corporate network.

Freaked out yet?

While this particular Trojan made the news today, new malware is launched every day. Don’t wait for alarming headlines to take action.

During many of our IT audits and security assessments we find that, while banks and credit unions make IT security a top priority, preventable vulnerabilities such as missing security patches and a lack of security awareness training remain a common trend. Not only does this put confidential information at risk, it can potentially lead to financial loss and a tarnished reputation for the institution.

Don’t let a simple oversight put your organization at risk. Take action today and contact us to schedule an IT audit or security assessment. Our business is your success.

– TrustCC