EVENT: Security SIG Lunch on Dec. 18th

There’s still time to sign up for this week’s Security SIG Lunch. The topic is “OS Hardening Best Practices” and for this talk we’ll be hearing from several people at MIT regarding their experiences.

Where: W92-Back Bay

When: Thursday, December 18, 12:00 – 1:30

Please RSVP at security_sig_events@mit.edu by Wednesday Dec. 17 at noon, if you plan on eating lunch with us.

SANS Holiday Hack Challenge

Help save old Ebenezer Scrooge from certain doom! This year’s Holiday Hack Challenge from SANS is designed to help build your information security skills and have some holiday fun in the process. This year, match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present and Future.

Everyone is invited to participate. Compete for some really cool prizes:

http://pen-testing.sans.org/holiday-challenge/2014

Security Update Released for Adobe Flash Player

Last week, Adobe released a security update for Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the following affected systems:

  • Adobe Flash Player 15.0.0.242 and earlier versions
  • Adobe Flash Player 13.0.0.258 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.424 and earlier versions for Linux

The recommendation by Adobe is for users to update their software with version 16.0.0.235 (Windows and Macintosh) and version 11.2.202.425 (for Linux). Instructions can be found in the Adobe Security Bulletin.

Microsoft Enables Removal of SSL 3.0 Fallback in IE

Last week, in addition to patching 14 vulnerabilities in Internet Explorer (IE), Microsoft gave Windows admins the ability to disable SSL 3.0 in IE 11 for Protected Mode sites. Doing so eliminates exposure to the SSL 3.0 attack known as POODLE.

With this change to IE 11, the disabling of SSL 3.0 is turned off by default, but it will be turned on by default on February 10, 2015. This is Microsoft’s first step toward disabling SSL 3.0 by default in all of its online services.

Read the full story in the news.

See the status of disabling SSL 3.0 in the most popular browsers here.

Microsoft Security Updates for December 2014

Microsoft will be issuing seven security bulletins on Tuesday, December 9. Three are rated critical.

Systems affected are Exchange, Windows, Internet Explorer, and all versions of Office, including Office for Mac. The Internet Explorer update affects all supported versions of IE, including the latest, IE 11. Some updates will require restarting your computer after installation.

The total number of updates from Microsoft will be 84 this year, with just 29 rated critical, which is an improvement over the past two years.

The updates will be available through the normal Windows Update process.

Read the full story in the news.

Tech Support Phone Scams

When scams come to us in the form of emails that land in our inbox, they are called “phishing” emails. But scammers don’t just use email to trick us into disclosing personal information or accessing our money. They will use other technology as well, such as phones.

One version of a phone scam comes in the form of technical support. You get a call from someone claiming to be from Microsoft, for example. They tell you they want to help solve a computer problem or sell you a software license. But this is what they are really doing:

  • They trick you into installing malicious software.
  • The software you have installed allows them to take over your computer.
  • After you install the software, they charge you to remove it.
  • They trick you into visiting a fraudulent site where they ask you to enter your credit card number or other personal information.

Neither Microsoft nor any legitimate business will make these types of unsolicited phone calls. But it is easy to be fooled; the criminals use publicly available phone directories, so they might know your name when they call you.

What you can do:

Do not trust unsolicited phone calls offering tech support. Do not provide any personal information. Do not allow people making unsolicited calls to access your computer over the phone to “fix it.”

When you receive a scam phone call, you can report it to the FTC.

The numbers: A recent survey by Microsoft shows that PC owners are under constant attack for their personal information but that people are wising up and not taking the phishing bait. The report found that 42% of Americans experience attempts to gain access to their PC, while 28% report attacks via landline phones, 22% via tablets, and 18% via mobile phones.

Find out more about how to protect yourself from this kind of phone scam.

Webinar: The Internet of Things

MS-ISAC is a multi-state information sharing group that supports the government with its cyber security mission. It offers a free national webinar each month. This month’s webinar, called “The Internet of Things,” is a discussion on recent cyber-based incidents that threaten organizations through their computer systems. These threats are becoming increasingly sophisticated, better organized and more frequent. The discussion suggests a framework to protect organizations using the latest technologies and trends in the industry. Presented by Peter Romness, Business Development Manager of Cisco Systems, Inc.

The free webinar takes place on Thursday, December 11, 2014, 2:00 – 3:00 pm.

Learn more and register for this webinar.
