Mac iOS Security Guide

The new Mac iOS Security Guide was released in April of 2015. As the introduction of the guide states: “Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture.”

Many of the security features are built in by default.

“iOS and iOS devices provide advanced security features, and yet they’re also easy to use. Many of these features are enabled by default, so IT departments don’t need to perform extensive configurations. And key security features like device encryption are not configurable, so users can’t disable them by mistake. Other features, such as Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device.”

Topics covered in the guide are: system security, encryption and data protection, app security, network security, Apple Pay, internet services, device controls and privacy controls.

Download or view the guide (.pdf)

Oracle Releases Patch for VENOM Vulnerability

Oracle has released a fix for a critical overflow vulnerability known as VENOM. The problem lies in QEMU’s virtual Floppy Disk Controller, which is part of some virtualization platforms and is used in certain Oracle products. Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Alert as soon as possible.

Read the Oracle Security Alert

FBI: Data Breaches Up 400%; Workforce Needs To Be “Doubled or Tripled”

As a follow-up to last week’s post about the lack of cybersecurity personnel, this article talks about the increase in attacks and breaches and how it relates to the need for a more robust cybersecurity workforce.

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days.”

Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats.

Read the story at

Cybersecurity Talent Woes

It is no secret that there is a shortage of talented cybersecurity professionals in the US. As posted in the news, this issue is worse than a skills shortage; it’s a critical gap. As an article at states: “We don’t have the workforce needed to address the challenges before us.”

The article goes on to further sum up the concern: “There are simply an inefficient number of qualified, skilled professionals available to do what’s needed to protect organizations and consumers.”

The problem becomes clear when organizations attempt to hire cybersecurity professionals. Many applicants don’t have the necessary skills for the open positions, which means it can take months to hire someone, while a short-staffed security team is trying to safeguard data and critical infrastructure.

SANS Institute is doing its part to help professionals launch cybersecurity careers and also assist companies and organizations to obtain the talent. This resource is available for employers:

This week, on May 14, SANS is also hosting SANS CyberTalent Fair, a two-day, online meeting place for top cybersecurity employers and jobseekers in the US. According to the event website, “More than 209,000 cybersecurity jobs in the US are unfilled.”

MIT is hiring cybersecurity professionals to work in Information Systems & Technology. See the MIT Careers website. Contract positions for IT Risk & Security Engineers are also available. For a job description, please contact Harry Hoffman.

Microsoft Security Updates for May 2015

Microsoft released 13 updates on May 12th, Security Bulletins MS15-043 through MS15-055, to address vulnerabilities in Microsoft Windows. Three are rated critical. Some of these vulnerabilities could allow elevation of privilege, denial of service, remote code execution, information disclosure, or security feature bypass.

All Windows operating systems are affected, as well as Microsoft Silverlight, Microsoft Office, Internet Explorer, and Microsoft SharePoint Server. It has been noted that the number of patches in this release brings the total number for the year to 53, the highest total through May of the past five years.

Patches are available via Windows Update.

Adobe Security Updates for Reader and Acrobat

This week Adobe released security updates for Adobe Reader and Acrobat for Windows and Macintosh. The updates patch 34 vulnerabilities in Acrobat X, Acrobat XI, Reader X and Reader XI that could potentially allow an attacker to take over the affected system.

Adobe recommends users update their product installations to the latest versions. Read the details in the Adobe Security Bulletin.

Vulnerabilities in Lenovo System Update

(Thanks to Rich Pieri for sharing this news.)

Months after Lenovo was found to have installed dangerous software onto its computers, major vulnerabilities were found in Lenovo’s update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.

What are the vulnerabilities?

1. Lenovo’s System Update software runs a service as SYSTEM and allows unprivileged processes to send it arbitrary commands to execute.

2. Lenovo’s System Update software does not correctly validate CAs of signed updates, allowing for the installation of “updates” signed with fake certificates.

3. Lenovo’s System Update software downloads updates to a world-writable directory, creating a race condition between signature verification and running the saved executable.
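
The third issue is a check-then-use race, and the usual fix is to verify the bytes once and run only a private copy of exactly those bytes. The sketch below is an added example, not Lenovo's code: it assumes POSIX permission bits, uses a SHA-256 digest comparison as a stand-in for signature verification, and all function and file names are hypothetical.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def stage_verified(path, expected_sha256):
    """Read once, verify those bytes, write them to a private directory."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return None
    private_dir = tempfile.mkdtemp(prefix="updater-")  # mode 0700
    staged = os.path.join(private_dir, os.path.basename(path))
    fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o500)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return staged


def demo():
    """Constructed scenario: the download changes after it was checked."""
    good = b"constructed update payload"
    expected = hashlib.sha256(good).hexdigest()
    shared = tempfile.mkdtemp(prefix="downloads-")
    os.chmod(shared, 0o777)  # stands in for the world-writable directory
    download = os.path.join(shared, "update.bin")
    with open(download, "wb") as f:
        f.write(good)
    checked = sha256_file(download) == expected      # racy: check by path
    staged = stage_verified(download, expected)      # private verified copy
    with open(download, "wb") as f:                  # file replaced after check
        f.write(b"constructed replacement")
    return {
        "shared_world_writable": is_world_writable(shared),
        "check_passed": checked,
        "download_still_matches": sha256_file(download) == expected,
        "staged_still_matches": sha256_file(staged) == expected,
        "staged_dir_world_writable": is_world_writable(os.path.dirname(staged)),
    }
```

The check by path passed, yet the file at that path no longer matches by the time it would be run; the staged copy does, because no other user can write to its directory.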

The company issued a patch last month that fixes the bugs, but owners will need to download the update themselves.

Learn more in the news.

