aka infosec
According to a recent study by Dashlane, makers of a web-oriented password manager, Apple.com does the best job of protecting your passwords online.
The study ranked one hundred of the most popular web sites on their ability to encourage or require the use of strong passwords, to assist users in selecting strong passwords, and on their policies in relation to storing and displaying or emailing passwords. Microsoft and NewEgg scored highly, and Major League Baseball scored worst.
It looks like the warnings about passwords are being heard by users everywhere. For years, industry experts have been telling people not to use simple passwords, and not to use the same passwords everywhere. Now, research shows that the previous most-used password, “password” is no longer #1.
Unfortunately, the new #1 password is “123456”. Which was previously #2. It’s difficult to categorize this as progress, since both of those passwords are equally terrible. Don’t use them. Please.
A new variant of the nasty malware known as Cryptolocker is appearing on the Internet. Cryptolocker – once it infects your computer – encrypts all your files and then demands money to decrypt them. If you fail to pay within a specified time period, your files become permanently inaccessible.
The new version of Cryptolocker can apparently spread itself via portable media such as thumb drives. It is also often disguised as a software activation program for Photoshop and Microsoft Office on file sharing sites. The original Cryptolocker typically arrived in the form of a fake PDF file.
Disguising Cryptolocker as a software activation program is a particularly devious way to spread the malware. Every day, thousands of people who can’t afford the massively overpriced Office and Photoshop look for alternative ways to use that software, and now those people are going to be risking more than the ire of Microsoft and Adobe.
Included in a massive set of updates released yesterday by Oracle was a new version of Java. Version 7 Update 51 fixes a whopping thirty-four security vulnerabilities in previous versions.
If you use a web browser in which Java is enabled, you should install the new version as soon as possible.
Yesterday, Adobe announced new 12-series versions of the Flash player for various environments and browsers:
You can get the new version from the main Flash download site.
Flash 12 includes some new features and enhancements, as well as fixes for several security vulnerabilities.
It’s a light month for Microsoft patches, with only four bulletins, none of which are flagged as Critical. The updates fix vulnerabilities in Office, Windows, and Server software.
Patches for the Windows XP NDProxy vulnerability and Office on Vista are among those made available today.
A post on the ISC Diary blog over at SANS has a useful overview of the vulnerabilities associated with this month’s patches.
As usual, the MSRC blog has its own spin on this month’s patches.
This month’s Ouch! newsletter (PDF) from SANS covers the basics of securing your home wireless network. There’s not much here for experienced professionals, but if you’re not sure whether your home wireless network is secure, this is a good place to start.
(Correction: the original title of this post indicated that online shoppers were affected. In fact, according to Target, only customers who used credit cards for in-store purchases are at risk.)
… then you should consider cancelling the credit card you used. Data for as many as 40,000 credit cards, stolen from Target servers in early December, is already appearing on black market sites. Target says card numbers, names and expiry dates were taken, not the associated security codes, so the numbers can’t be used just anywhere. But they will be used, since not all retailers use the security code.
Update 2013Dec29: Brian Krebs of krebsonsecurity.com did some digging and has almost certainly identified one specific individual who is selling card data stolen from Target. His name is Andrey Hodirevski, and he’s been in this shady business for a while in the Ukraine. It’s not clear whether he stole the card data from Target, but he’s selling it so he probably knows who did. It will be interesting to see how this plays out…
Update 2014Jan01: Now Target is saying that PIN codes were stolen along with the rest of the card data. They insist that since the PINs are encrypted, they are of no use, but Target should not have been storing PINs in any form.
Update 2014Jan11: Target now says that additional personal information on 70 million customers was also stolen by the same attackers. This information includes names, mailing addresses, phone numbers and/or e-mail addresses.
Update 2014Mar29: Trustwave, the company that provides PCI compliance services to Target, is being sued by two banks that suffered losses in relation to the Target breach.
Additional information from Ars Technica:
A serious vulnerability affecting Windows XP and Windows Server 2003 was recently discovered. Microsoft issued advisory 2914486 to warn users about the vulnerability and recommend workarounds, but so far has not released a patch.
This vulnerability is being actively exploited, through the use of a specially-crafted PDF file. Opening such a file on a computer running Windows XP can result in an attacker gaining access to the computer.
The single workaround suggested in advisory 2914486 has some undesirable side-effects, including disabling VPN. But it may be better than the alternative, especially for users who frequently receive and open PDF files on Windows XP computers.
The usual advice applies: exercise extreme caution when browsing the web, clicking links in email, opening email attachments and opening files from unknown sources. When in doubt, don’t do it.
A post on the SANS ISC Diary blog has more, including a warning that these types of vulnerabilities may become much more common after Microsoft stops supporting Windows XP in April 2014. SANS has even coined a term for this event: Winmageddon.
Tuesday saw another stealth release of Firefox: version 26. As usual, the new version was not announced by Mozilla; I learned about it from a post on the CERT Current Activity blog. The official release notes for version 26 describe some of the changes in this version: nothing worthy of note. Version 26 does include fixes for some security issues, so you should upgrade as soon as possible.
Update 2013Dec16: One notable change in Firefox 26 is that Java is now blocked on all sites by default. This behaviour can be changed, but we recommend using the default setting.
boot13