Timing is an influential risk-factor for cyber attacks – Help Net Security

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults.

According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risk times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

via Timing is an influential risk-factor for cyber attacks.

Good but generic advice in the article. If you work for a multinational you’ll need to keep in mind dates and events beyond the US – the football (soccer) World Cup, for example. User education is important but the returns diminish over time, especially if you cause fatigue in your users. Pen testing is good, as is a commitment of time and money to security infrastructure life cycle management.

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet

Adobe today released security updates for Flash Player, AIR, Shockwave Player, Acrobat and Reader. The updates for Flash Player and Shockwave Player on Windows and Mac address a vulnerability which Adobe classifies as Priority 1, which indicates that it is being exploited in the wild at a high risk of exploit.

The updated versions of Flash Player on Windows and Mac are 11.8.800.168 and 11.7.700.242. Earlier 11.7 and 11.8 versions are vulnerable. Updates are also available for Flash Player on Linux and Android, as well as Adobe AIR and the Adobe AIR SDK. These are not as severe and updating is not as high a priority.

The updates for Reader and Acrobat are classified as less urgent. They are important vulnerabilities, but not being exploited.

via Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet.

Microsoft releases 13 bulletins, axes .NET patch

September’s Patch Tuesday is live! The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component.

Of the 13 bulletins remaining they are split 7/6 between the MS Office family and Windows OS patches, if we are counting the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwithstanding.

via Microsoft releases 13 bulletins, axes .NET patch.

Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying? | Naked Security

If you’ve used Windows 8, or even just seen the ads for it, you’ll know it has a feature called Picture Passwords.

You choose a picture, any picture, and then “annotate” it with three finger movements: you can tap a point, draw a stroke, or sweep a circle.

The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

If you have a touch screen tablet, Picture Passwords are surprisingly handy. (Pun intended.)

But how safe are they?

via Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying? | Naked Security.

ISC Diary | SSL is broken. So what?

It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of this news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well-funded adversaries like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter?

First of all, I don’t think there is “proof” at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking “real live” SSL a lot easier than it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn’t the problem. The end point or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn’t matter.

via ISC Diary | SSL is broken. So what?.

Understanding and defending against Denial of Service attacks

Denial of Service (DoS) attacks continue to be on the rise, which is no surprise given our ever-growing dependency on Web-based services, coupled with the fact that these attacks are relatively cheap and easy to carry out. In this article, we’ll discuss what DoS attacks are, some various types of DoS attacks, tips to keep them at bay, and references to security tools to help you mitigate vulnerabilities.

via Understanding and defending against Denial of Service attacks.

This article talks about a lot of easy-to-implement solutions, what I like to call “low hanging fruit”. These are things like patch management, log management, SYN protections and anti-spoofing on firewalls, and so on. Use it as inspiration for making a checklist.

What the article misses is having a plan in place to handle a DoS/DDoS attack. Do you have the emergency response number from your Internet and/or telco providers? Does the business have a plan B in place in case the network is down? Many business processes can still be done via fax or phone.

Filling a BlackHole – Securelist

Today, exploiting vulnerabilities in legitimate programs is one of the most popular methods of infecting computers. According to our data, user machines are most often attacked using exploits for Oracle Java vulnerabilities. Today’s security solutions, however, are capable of effectively withstanding drive-by attacks conducted with the help of exploit packs. In this article, we discuss how a computer can be infected using the BlackHole exploit kit and the relevant protection mechanisms that can be employed.

via Filling a BlackHole – Securelist.