Category Archives: Security

aka infosec

Patch Tuesday for August 2016

It’s update time again. This month Microsoft is making available nine updates, affecting Windows, Internet Explorer, Edge, and Office. Five of the updates are flagged as Critical. A total of 38 vulnerabilities are addressed with these updates.

The associated bulletin from Microsoft has additional details.

There’s also one new security advisory: Update for Kernel Mode Blacklist.

Potentially massive breach of Oracle POS software

The details are still not clear, but there is strong evidence of a breach of Oracle’s MICROS Point Of Sale (POS) software.

This software is used by many popular companies, and could affect as many as 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels. The primary danger to customers of these companies is theft of credit card information.

Affected companies include Starbucks, Sonic, IHOP, Hard Rock Cafe, and Burger King.

Update 2016Aug21: Brian Krebs’ ongoing analysis reveals that the breach may be much larger than originally thought, possibly even affecting Oracle’s corporate network. Oracle remains largely silent on the issue, which is prompting a lot of backlash from MICROS users.

Some wireless keyboards are vulnerable to keystroke sniffing

Security researchers at Bastille tested a variety of wireless keyboards and found several that are vulnerable to keystroke interception and injection techniques.

The researchers developed a specific attack called Keysniffer, and used it to both read user keystrokes and inject their own keystrokes remotely, from as far away as 250 feet. The attack is possible because the affected keyboards don’t encrypt communications with the host computer.

Bastille obviously didn’t test every wireless keyboard out there, but they did provide a list of those they found to be vulnerable.

Java 8 Update 101

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

SANS ‘Ouch!’ newsletter for August 2016

This month’s ‘Ouch!’ (PDF) is about Ransomware, that nasty type of malware that encrypts your data files and (if you’re lucky) allows for their decryption, once you pay a ransom.

It’s definitely a worthwhile read, especially if you’re not familiar with the term. Ransomware is real, and affecting increasing numbers of users.

Also see Ransomware update, recently posted on this site.

Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on Github.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

Frequent password changes don’t necessarily improve security

Lorrie Cranor, chief technologist at the US Federal Trade Commission, recently made news by warning that frequent password changes may actually reduce security.

This does not mean that you should stop changing your passwords. Cranor is actually referring to the enforced password change policy in place at many organizations. When users are forced to change their passwords at regular intervals (e.g. every 60 days), they tend to use patterns, like incrementing a number at the end of a password.

Related research shows that once common patterns are allowed for, password cracking success rates increase markedly. You can be sure that the people writing password cracking software know about this as well.

When you change your passwords (whether enforced or not), don’t use a simple variation of the previous password. Instead, think of an entirely new one, or use one of the many excellent password database programs and services to generate one.
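One way a password-change form could enforce that advice, as an added example written for this post (not code from the FTC research or any product): it flags a new password that is the old one up to case, an added or removed suffix, an incremented trailing number, common leetspeak swaps, or a couple of edited characters. Function names, the leet map and the edit threshold are my own assumptions.

```python
import re

# Crude leetspeak map so "P@ssw0rd" and "Password" compare as the same stem.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "l",
                      "5": "s", "$": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing run of digits/punctuation (where the
    monthly increment usually lives), then undo common leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row DP; fine for password-length input."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable rewrite of `old` and should be rejected."""
    o, n = old.lower(), new.lower()
    if o == n or o in n or n in o:            # same, or a suffix/prefix bolted on
        return True
    old_stem, new_stem = normalize(old), normalize(new)
    if old_stem and old_stem == new_stem:     # only the trailing number/symbol changed
        return True
    return edit_distance(o, n) <= max_edits   # a character or two swapped
```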

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.