boot13This month’s Ouch! newsletter (PDF) from SANS covers the basics of securing your home wireless network. There’s not much here for experienced professionals, but if you’re not sure whether your home wireless network is secure, this is a good place to start.
Oracle announces upcoming patches for Java
Oracle will issue another massive batch of updates for its products in its next Critical Patch Update, on January 14. From the pre-release announcement:
This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Advance notification for January Patch Tuesday
Microsoft has issued its usual notification of the upcoming Patch Tuesday. This month’s updates will become available around 10am PST on January 14. There will be four bulletins, addressing issues in Windows, Office and Server software. The NDProxy vulnerability affecting Windows XP will be patched via bulletin MS14-002. The MSRC blog has additional details.
No more updates for Security Essentials on Windows XP after April 8
Update 2014Jan16: Microsoft must have decided it could use some positive press, because they just decided to extend Security Essentials support on Windows XP until July 14, 2015.
Microsoft has confirmed that they will stop issuing updates for its anti-malware software Security Essentials on Windows XP systems after support for Windows XP expires on April 8, 2014.
While I’m sure this comes as no surprise to anyone, since Microsoft will no longer be issuing any patches for Windows XP past April 8, it’s an important consideration for anyone who plans to run Windows XP after that date. Anyone doing so should also stop using Security Essentials and install anti-malware software that will continue to receive updates.
Free alternatives to Security Essentials
If you needed another reason not to visit yahoo.com…
Advertisements containing malware started appearing on yahoo.com on December 30, 2013 – or possibly even earlier. Anyone visiting the site with a browser running an unpatched version of Java risked infecting their computer. If that includes you, a full malware scan of the computer you used should be your next task. One of the following (or both) should do the trick:
Opera 18.0.1284.68 released
In fact, two new versions of the Webkit-based Opera browser were released recently. I missed both of them because Opera moved their announcement blog to blogs.opera.com/desktop.
Version 18.0.1284.63 was released on December 6. It includes fixes for GMail compatibility issues.
Version 18.0.1284.68 was released on December 16. It fixes several crashing issues.
If you’ve ever bought from Target (NOT online)…
(Correction: the original title of this post indicated that online shoppers were affected. In fact, according to Target, only customers who used credit cards for in-store purchases are at risk.)
… then you should consider cancelling the credit card you used. Data for as many as 40,000 credit cards, stolen from Target servers in early December, is already appearing on black market sites. Target says card numbers, names and expiry dates were taken, not the associated security codes, so the numbers can’t be used just anywhere. But they will be used, since not all retailers use the security code.
Update 2013Dec29: Brian Krebs of krebsonsecurity.com did some digging and has almost certainly identified one specific individual who is selling card data stolen from Target. His name is Andrey Hodirevski, and he’s been in this shady business for a while in the Ukraine. It’s not clear whether he stole the card data from Target, but he’s selling it so he probably knows who did. It will be interesting to see how this plays out…
Update 2014Jan01: Now Target is saying that PIN codes were stolen along with the rest of the card data. They insist that since the PINs are encrypted, they are of no use, but Target should not have been storing PINs in any form.
Update 2014Jan11: Target now says that additional personal information on 70 million customers was also stolen by the same attackers. This information includes names, mailing addresses, phone numbers and/or e-mail addresses.
Update 2014Mar29: Trustwave, the company that provides PCI compliance services to Target, is being sued by two banks that suffered losses in relation to the Target breach.
Additional information from Ars Technica:
Is your Windows XP computer booting slowly?
Windows XP computers with autoupdate enabled are taking longer and longer to boot. Microsoft has discovered a flaw in Windows Update that is slowing down the update process. As the list of available patches for Windows XP has grown over the years, the delays have increased exponentially. Microsoft tried to fix this flaw with recent updates to little effect. Ars Technica has more.
More holiday scam emails
SANS reports on a holiday-themed scam email showing up in inboxes recently. This one purports to be from a major retailer such as Costco or Walmart, and tries to trick the recipient into clicking a link related to a phony undelivered package.
If you receive such an email, just delete it. If you think the message may be legitimate, don’t click the link; contact the retailer by telephone or go to their official web site and contact them using information provided there.
Two posts on the SANS ISC blog dig into the technical details of this scam.
Adobe License Key Email Scam
Adobe recently issued a warning about a new scam email making the rounds. This one appears to contain license information for Adobe products, but is not legitimate and may contain malicious attachments and/or links to malicious web sites. Recently-compromised Adobe systems may have provided recipient addresses for this email.