STE WILLIAMS

More Than One In Three Small Businesses Spend More Time Tidying Their Desks Than Backing Up Their Data

AMSTERDAM and SAN FRANCISCO, Nov. 13, 2013 /PRNewswire/ — Most small businesses are still failing to appreciate the true value of their data after a new study released today by Internet and mobile security company AVG Technologies N.V. (NYSE: AVG) revealed that 37% of small business owners and managers spend more time tidying their desks or ordering new business cards (21 percent) than they do on data backup.

The research[i], which surveyed more than 500 small business owners and managers in North America, showed that while many (75 percent) do rely on automated backup systems, a significant number, around 1-in-4 (24 percent), do not insist that employees back up at least once a week. This is in spite of the fact that 30 percent believe more than half of their data is sensitive.

Given the amount of sensitive data small businesses claim to have, the loss of employee mobile devices should cause concern. In fact, approximately half of small businesses (47 percent) say they have experienced losing a mobile device.

Interestingly, the survey showed small business owners do not think the mobile devices in their workforce have a lot of sensitive data on them. There was much more concern about trusting the security of their data to the cloud. When asked about cloud-based backup, 64% of SMB owners said security was their top concern.

“Our research shows that while the great majority of small businesses in North America are relatively savvy about the importance of backup, there is still plenty of market education to do, especially when it comes to mobile and cloud platforms,” said Mike Foreman, AVG’s General Manager, SMB. “In today’s mobile and data-driven world it’s particularly shocking to hear how business owners still spend more time on physical-world activities like tidying their desks and ordering new business cards than digital ones, which suggests that, despite evidence cybercriminals see value in small business data, business owners themselves are still failing to appreciate the true value of the data held within their systems.”


About AVG Technologies (NYSE: AVG)

AVG’s mission is to simplify, optimize and secure the Internet experience, providing peace of mind to a connected world. AVG’s powerful yet easy-to-use software and online services put users in control of their Internet experience.

By choosing AVG’s software and services, users become part of a trusted global community that benefits from inherent network effects, mutual protection and support. AVG has grown its user base to 172 million active users as of September 30, 2013 and offers a protection, performance and privacy products and services suite to consumers and small businesses including Internet security, performance optimization, mobile security, online backup, identity protection and family safety software. www.avg.com

Keep in touch with AVG

— For breaking news, follow AVG on Twitter at www.twitter.com/officialAVGnews

— For small business security trends analysis, follow the AVG small business blog at blogs.avg.com/business

— Join our Facebook community at www.facebook.com/AVG

— Join our LinkedIn community www.linkedin.com/groups?gid=2719797

NOTES TO EDITORS

In summary, the main findings in the study were:

— A significant proportion of SMBs routinely spend more time tidying their desk (37%) or ordering new business cards (22% UK, 21% US) than backing up data. It was not even the most routine computer-related task. 43% of UK, 53% of US small businesses said they spend more time changing passwords than backing up.

— The majority of small businesses (59% UK, 54% US) still do not insist employees back up every day. In a high number of cases (68% UK, 75% US) backup is automated by IT systems. Importantly, however, 26% (UK) and 24% (US) of businesses still leave longer than a week between backups or at least do not insist that employees back up more regularly.

— When it comes to mobile device data, around a third of SMBs (32% UK, 34% US) have 0-10% of their workforce out of office at least once a week. At the other end of the scale, the rise of mobile device business use is highlighted by those small businesses (11% UK and 17% US) who say 80-100% of their workforce is out more than one day a week.

— Security (50% of SMB owners in the UK and 64% in the US) remains the biggest concern when it comes to cloud backup. Other top concerns of both UK and US SMB owners include cost, data recovery and lack of control.

— Almost 1-in-5 (19%) UK businesses (1-in-3 or 30% in the US) say that more than half of their data is business sensitive. About 1-in-3 small businesses in the UK (33%) and 1-in-5 (17%) in the US think the overall amount of sensitive data held on their systems is more in the region of 10-25%. The proportion who believe employees’ mobile devices hold 80-100% sensitive data was relatively low at 8%, while US owners put it at around 13%.

— Mobile device data loss has not yet happened to most small businesses – but it’s close (51% UK, 53% US).

— Most SMBs (62% UK, 66% US) are confident that they can prevent data loss when an employee leaves.

— Data loss impacts productivity first (37% UK, 50% US), then revenue (32% UK, 37% US) then customer confidence (31% UK, 39% US).

— When a device is lost or stolen the priority for 39% of UK businesses and 41% US is to ensure data cannot be viewed by unauthorised third parties.

[i] Research carried out by Atomik Research during October 2013. For access to the Executive Summary please go to AVG Media Center.

Article source: http://www.darkreading.com/management/more-than-one-in-three-small-businesses/240163881

Cloud Security Alliance Announces Software Defined Perimeter (SDP) Initiative

LAS VEGAS, Nov. 13, 2013 /PRNewswire-USNewswire/ — The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, today announced the launch of the Software Defined Perimeter (SDP) Initiative, a project to develop an architecture for creating highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.

Technology consumerization has resulted in the proliferation of new computer systems in use by enterprises, such as mobile devices in Bring Your Own Device (BYOD) configurations, and non-traditional computers comprising the Internet of Things (IoT). Cloud computing infrastructure is supplanting internal IT backend systems as these employee-owned devices are becoming the primary computer of choice at the endpoint. Innovation must provide more granular and elegant solutions to mitigate security risks and enforce organizational policies across any combination of corporate-owned, public and consumer information technology.

The Software Defined Perimeter (SDP) is a collaboration between some of the world’s largest users of cloud computing within CSA’s Enterprise User Council.

SDP is a framework of security controls that mitigates network-based attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorized. SDP is being designed to be highly complementary to Software Defined Networks (SDN), the popular network layer construct which decouples routing and architectural decisions from the underlying equipment to create virtual networks. SDP traverses several OSI layers to tie applications and users with trusted networks, using vetted security models.

“It is critical to the future of cloud technology that it is demonstrably more secure than legacy IT systems,” said Bob Flores, former CTO of the CIA and Chief Executive Officer of Applicology Incorporated. “SDP is an important component to allow both cloud providers and customers to secure applications all the way from the back end to the consumer device, and we look forward to working with some of the world’s largest enterprises on its development.”

“CSA is making this royalty-free research publicly available in order to catalyze the development of more secure clouds and BYOD deployments,” said Jim Reavis, Executive Director of Cloud Security Alliance. “Some of the largest brands and companies have agreed to participate in this initiative, and will be disclosed in the course of this initiative.”

The Software Defined Perimeter (SDP) research working groups are now open for participation, collaboration and peer review. More information can be obtained from the SDP site at www.cloudsecurityalliance.org/SDP. CSA is announcing the following initial roadmap for delivery of SDP:

— Software Defined Perimeter Whitepaper. The SDP whitepaper and an overview of the SDP framework will be presented at the CSA Congress, December 4-5, 2013 in Orlando, Florida.

— Software Defined Perimeter “Deep Dive”. Detailed information about SDP and a prototype demonstration will be delivered at the CSA Congress Architecture Workshop, December 6, 2013 in Orlando, Florida.

— Software Defined Perimeter “Enterprise Implementation”. An implementation case study of SDP will be presented at the CSA Summit at the RSA Conference, February 24, 2014 in San Francisco.

— Software Defined Perimeter “Hacker Contest”. An educational contest will be held to test SDP in a secured cloud configuration. Live reports will be displayed at the CSA booth at the RSA Conference, February 25, 2014 in San Francisco.

— Software Defined Perimeter “Developer’s Workshop”. Case studies of SDP will be reviewed and a workshop to help organizations seeking to implement SDP will be held at the SecureCloud Conference, April 1-2, 2014 in Amsterdam.

A more complete one-year roadmap of SDP activities will be published at the CSA Congress. For conference and registration information for the upcoming CSA Congress please visit http://www.cloudsecuritycongress.com/us/index.

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Article source: http://www.darkreading.com/perimeter/cloud-security-alliance-announces-softwa/240163882

Trend Micro Reports Third Quarter 2013 Results

TOKYO, Nov. 13, 2013 /PRNewswire/ — Trend Micro Incorporated (TSE: 4704; TYO 4704), a global leader in security software and solutions, announced earnings results for the third quarter 2013, ending September 30, 2013.

For the third quarter, Trend Micro posted consolidated net sales of 27,069 million Yen (or US $273 million, 98.96 JPY = 1USD). The company posted operating income of 14,161 million Yen (or US $143 million) and net income of 5,363 million Yen (or US $54 million) for the quarter.

As of now, the company will not revise consolidated results for the full fiscal year ending December 31, 2013 (released on May 9, 2013). Based on information currently available to the company, consolidated net sales for the year ending December 31, 2013 is expected to be 107,200 million Yen (or US $1,105 million, based on the FY2013 annual assumed exchange rate of 97 JPY = 1USD). Operating income and net income are expected to be 26,400 million Yen (or US $272 million) and 17,100 million Yen (or US $176 million), respectively.

Growth rate figures are calculated from Japanese Yen results. Some discrepancy may therefore be noted in US Dollar comparisons owing to fluctuations in currency conversion rates.

“During the third quarter, Trend Micro has significantly strengthened its collaborative relationships with key partners,” said Eva Chen, CEO, Trend Micro. “These collaborations, along with our enhanced product and service offerings, continue to expand and fortify our ability to provide simple and effective security solutions for our customers.”

Q3 2013 Business Highlights

Trend Micro opened its new Global Operations Headquarters in Irving/Las Colinas, Texas, near Dallas. The location houses business units including: threat research, finance, legal, customer support, commercial sales and marketing, and human resources.

The company’s position as the number one provider of server security[1] was advanced with the announcement of its collaboration with VMware to integrate Trend Micro(TM) Deep Security with VMware NSX(TM), the platform for network virtualization. The collaboration creates a best-of-breed security framework for joint customers that increases protection and automates security deployment in virtualized data centers.

Trend Micro announced more than 20 leading cloud service providers, including Amazon Web Services, HP Cloud Services and Dell, have been certified in its “Trend Ready” initiative. The first-of-its-kind cloud security verification program validates a cloud infrastructure to support and operate Trend Micro’s comprehensive Cloud and Data Center Security Solution. By participating in the program, cloud service providers confirm to their customers that their cloud infrastructures will work with Trend Micro security products.

Expanding its unique social network privacy technology, Trend Micro introduced a robust personal privacy management tool that dramatically simplifies privacy settings on Twitter, Google+ and Facebook – for both Mac and PC. The management tool, featured in Trend Micro(TM) Titanium(TM) 2014 family of consumer security products, identifies privacy settings that may leave personal or inappropriate information publicly available or vulnerable to identity theft.

Trend Micro announced channel program enhancements to streamline access to Trend Micro Cloud and Data Center Security. The program enhancements are designed to support channel partners’ customer outreach and sales enablement, and include improvements to Deal Registration and Specialization Programs, as well as a new On-Demand Marketing platform.

The company announced a new global internship program that will offer students a behind-the-scenes look at Trend Micro’s product development of security and privacy solutions, as well as the latest developments in cyber threats. The interns – known as “TrendTerns” – will also have the opportunity to earn academic scholarships and other performance incentives while gaining real-world experience.

Awards and Recognitions for Q3 2013

Trend Micro(TM) Enterprise Security for Endpoints scored a 5-star rating from SC Magazine.

Nikkei Communications’ “Enterprise Internet/ICT Use and Application Factual Investigation 2013” found Trend Micro to have the highest rate of utilization among ATP solution vendors.

Patents

Trend Micro was awarded the following patents in Q3 2013:

Patent 8479294: Anti-malware scan management in high-availability virtualization environments

Patent 8484734: Application programming interface for antivirus applications

Patent 8484732: Protecting computers against virtual machine exploits

Patent 8490203: Fingerprinting based entity extraction

Patent 8495144: Techniques for identifying spam e-mail

Patent 8495733: Content fingerprinting technology by using context offset sequence and suffix automata

Patent 8495060: Prioritization of reports using content data change from baseline

Patent 8499170: SQL injection prevention

Patent 8499152: Data positioning and alerting system

Patent 8499349: Detection and restoration of files by malware

Patent 8498965: Methods and apparatus for generating difference files

Patent 8505092: Dynamic provisioning of protection software in a host intrusion prevention system

Patent 8505094: Detection of malicious URLs in a Web page

Patent 8505101: Thin client for computer security applications

Patent 8510838: Malware protection using file input/output virtualization

Patent 8510835: Techniques for protecting data in cloud computing environments

Patent 8510791: Method and system for dynamic protocol decoding and analysis

Patent 8516592: Wireless hotspot with lightweight anti-malware

Patent 8516586: Classification of unknown computer network traffic

Patent 8516582: Method and system using designated template hosts for real time classification of events in a computer integrity system

Patent 8520848: Secure password management using keyboard layout

Patent 8527631: Web site reputation service using proxy auto-configuration

Notice Regarding Forward-Looking Statements

Certain statements that are made in this release are forward-looking statements. These forward-looking statements are based on management’s current assumptions and beliefs in light of the information currently available to it, but involve known and unknown risks and uncertainties. Many important factors could cause actual results to differ materially from those expressed in forward-looking statements. These factors include:

— Difficulties in addressing new virus and other computer security problems

— Timing of new product introductions and lack of market acceptance for new products

— The level of continuing demand for, and timing of sales of, existing products

— Rapid technological change within the antivirus software industry

— Changes in customer needs for antivirus software

— Existing products and new product introductions by competitors and pricing of those products

— Declining prices for products and services

— The effect of future acquisitions on our financial condition and results of operations

— The effect of adverse economic trends on principal markets

— The effect of foreign exchange fluctuations on our results of operations

— An increase in the incidence of product returns

— The potential lack of attractive investment targets and

— Difficulties in successfully executing our investment strategy

About Trend Micro

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro(TM) Smart Protection Network(TM) infrastructure, and are supported by over 1,200 threat experts around the globe. For more information, visit TrendMicro.com.

Article source: http://www.darkreading.com/endpoint/trend-micro-reports-third-quarter-2013-r/240163883

nPulse Technologies Announces Integration With McAfee Enterprise Security Manager

CHARLOTTESVILLE, Va. – November 12, 2013 – nPulse Technologies today announced that it has integrated the capabilities of nPulse’s Capture Probe eXtreme (CPX) 4.0 packet capture appliance with McAfee Enterprise Security Manager (ESM) security information and event management (SIEM) platform. Through nPulse’s Pivot2Pcap API integration with McAfee ESM, security operations personnel can quickly pivot from McAfee ESM’s security alerts to view the full, corresponding packets and session-level activity captured and indexed by CPX – helping them to dramatically shorten security incident response times.

By allowing McAfee ESM users to quickly locate and decode an entire session, nPulse’s CPX provides greater visibility into potential malicious activities and payloads, while also eliminating the time required to manually collate all of the packets within a session. With CPX, McAfee customers can expand searches to view network activities before and after a security event, further enhancing visibility that can be crucial for rapid incident response investigations.

“By capturing and indexing full packets reliably at extremely rapid speeds, nPulse’s CPX platform provides a powerful complement to McAfee Enterprise Security Manager’s comprehensive security management capabilities,” said Ed Barry, vice president of the McAfee Security Innovation Alliance. “In addition to receiving precise alerts and correlated threat information from McAfee Enterprise Security Manager, our customers can now call up the specific packets and sessions behind a possible attack to confirm what happened, to rapidly respond, and to apply this information to ongoing protection.”

“nPulse is equipping commercial and government organizations with breakthrough packet capture, indexing, and analysis essential for scaling security operations around today’s 10Gbps enterprise networks,” said Tim Sullivan, chief executive officer, nPulse Technologies. “Once a threat or active compromise is detected, network defenders need the ability to immediately study traffic linked to that incident. Now McAfee ESM customers can easily use our CPX appliance to jump from security alerts to specific packets and reconstructed session data including web pages, emails, and file attachments, sparing considerable time when seconds count in responding to incidents.”

CPX is the industry performance leader in packet capture, packet search, and traffic analysis. It provides the industry’s fastest packet indexing solution at up to 30 million packets per second, enabling users to significantly reduce incident response times even when faced with massive scale searches. Integration via nPulse’s Pivot2PCAP API provides McAfee users with deeper insight into network traffic and activities through simple drill-down access to captured, indexed and stored connection and packet information for network speeds up to 20Gbps.

About nPulse Technologies, Inc

nPulse Technologies is the performance leader in packet capture and Big Data security analytics. nPulse’s flagship Capture Probe eXtreme (CPX) appliance delivers sustained, lossless packet capture at 20Gbps, helping organizations counter rapidly evolving cyber threats that target faster, large enterprise networks. Leading financial institutions, government agencies, telecommunications carriers and other organizations rely on CPX and nPulse’s innovative Pivot2Pcap API to enhance security monitoring, shorten incident response times and increase returns on existing security investments.

Article source: http://www.darkreading.com/management/npulse-technologies-announces-integratio/240163885

How Did Snowden Do It?

The full story of just how the now-infamous systems administrator Edward Snowden was able to grab highly classified documents from the world’s most secretive spy agency and expose its controversial spying practices may never be public, but some clues have emerged that provide a clearer picture of how the most epic insider leak in history may have transpired.

Snowden, the former Booz Allen contractor working as a low-level systems admin for the NSA at its Hawaii post, reportedly coerced several of his colleagues to provide him with their credentials, according to a report by Reuters late last week. He may have convinced up to 25 staffers at the NSA regional operations center there to hand over their usernames and passwords under the pretext that he needed them for his job, according to the report.

Meanwhile, General Keith Alexander, the director of the NSA, in June told the House Permanent Select Committee on Intelligence that Snowden had “fabricated digital keys” to gain access to information to which he wasn’t authorized. U.S. government officials reportedly told NPR that Snowden’s responsibilities included moving highly sensitive documents off of NSA’s intranet site, and that the documents he leaked, including memos, PowerPoint presentations, reports, court orders and opinions, had been stored in a file-sharing sector of the intranet. That provided Snowden the cover he needed to siphon the files, according to the report.

Now security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents. And the company — which provides security for crypto keys and digital certs — is challenging the NSA and Snowden to prove its conclusion wrong. Snowden succeeded in stealing the documents, according to Venafi, because the NSA was unable to detect Snowden’s unauthorized access to, and ultimate exfiltration of, the information.

“He took his credentials with his CAC [Common Access Card] to get onto systems and as a systems admin, he had certain levels of privilege. From that basic platform, he was able to fabricate SSH [Secure Shell] keys that allowed him to jump to another system,” says Jeff Hudson, CEO of Venafi. “He got to other systems, got elevated privileges, targeted the data and used self-signed certificates in combination with SSH keys he fabricated to exfiltrate the data out of the NSA.”

Hudson says Venafi studied and analyzed all of the public revelations about the case, including Alexander’s mention of fabricated keys, connected the dots based on its own insight into attacks exploiting digital keys at global corporations, and gathered peer review from outside industry experts before publishing its conclusion today.

“We cross-referenced this with all we know about fabricating keys in organizations, and it points to one and only thing: fabricating SSH keys to jump to other systems. Then how did he exfiltrate the data? He used encryption. In his own interview, he said encryption is the best system when it’s well-managed and it’s not breakable,” Hudson says. “And because he had elevated privileges, he could actually cover his tracks.”

SSH, a cryptographic protocol for remote access and connection using an encrypted communications channel, is a key tool for systems admins.

What about the revelation that Snowden got his co-workers’ credentials? “That absolutely ties in with” our conclusion, says Kevin Bocek, vice president of product marketing and threat intelligence for Venafi. “Insiders don’t want to be discovered, and it does take some time to go ahead and research your target, find data and vulnerabilities you want to leverage.”

Bocek says when you log into someone else’s account, you can also get their SSH key and can potentially access their certificates. “Many enterprises and the NSA have systems to change passwords, but they don’t change keys,” he says.

So far, none of the Snowden leaks have offered any additional details on how he accessed the sensitive NSA documents, but using others’ credentials indeed was a big jump he needed, experts say.

“I don’t think just having access would be enough to get in everything he ended up getting into or that we know he got into. It’s hard to speculate on that,” or on what exactly Alexander meant by “fabricating” keys, says Jared Thorkelson, president of DLP Experts. “But any way you slice this, it’s a failure to follow widely accepted best practices across the board. It’s just a total breakdown.”

Sharing among privileged and admin account holders is fairly commonplace. More than half of organizations surveyed earlier this year by CyberArk said their “approved” users share their admin and privileged account passwords.

Snowden’s social engineering of his colleagues to get their credentials played off of an environment of trust. “Employees want to please their co-workers, so if he said, ‘hey, I need your help because I’ve gotta get something done’ … there’s a trust that can be taken advantage of,” says John Worrall, chief marketing officer at CyberArk.

“What’s troubling is there are a couple of basic tenets of security that you never want to screw around with, [including] you never share your credentials,” Worrall says. “The whole access control model is based on identity and then the access model is useless and it blows up.”

Worrall says between Snowden’s own credentials and those of his co-workers, he may well have had plenty of power to get the documents he pilfered. “Just that alone is a big enough problem that may have allowed him to do what he did,” he says.

Whether Snowden fabricated credentials isn’t clear, Worrall says. “It depends on what access those other users had,” he says. “You would also have the ability to manage the key vault encryption keys and things like that that would be a whole other level of access.”


Article source: http://www.darkreading.com/attacks-breaches/how-did-snowden-do-it/240163887

Patch Tuesday November 2013

As is becoming the new normal, it is the second Tuesday of the month and there is a bumper crop of security updates. Today we saw announcements from Microsoft, Adobe and Google.

We will start with Microsoft which fixed three critical vulnerabilities and five important flaws.

MS13-088 is probably the most important. It fixes 10 vulnerabilities in Internet Explorer versions 6, 7, 8, 9, 10 and 11. That’s right, all currently supported versions.

As is so often the case, the flaws fixed include remote code execution and are already in use by criminals. Waste no time applying this one.

The next one, MS13-089, addresses a flaw in the Microsoft Windows GDI that could result in remote code execution from opening a malicious document.

The vulnerability is triggered by opening a malformed .WRI (Yes, that’s Microsoft Write) file. Supporting legacy file formats often leads to security issues, as we see in another one of the important vulnerabilities this month, this time WordPerfect.

The final critical flaw was disclosed by FireEye last week, but Microsoft was already aware and had created and tested the fix. This one is known to have been used in small-scale attacks in the wild against Internet Explorer users.

The remaining five fixes are all rated important and they really are. Users of Windows Server Core take note as well, you are impacted by this month’s fixes as Duck pointed out in his pre-announcement.

Adobe released updates for Flash Player, Air and ColdFusion today.

The Flash Player update fixes two critical vulnerabilities, while the ColdFusion update fixes one.

Google released Chrome 31 today as well, addressing seven vulnerabilities. While it is nice to see Chrome continue to improve, versions don’t mean much for a browser that keeps itself patched, but it may be worth a check to be sure that mechanism is working.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/duaCkvvdLGY/


Facebook locks users in a closet for using same passwords/emails on Adobe

If you’ve used the same email account/password combo on Facebook and Adobe, Facebook has probably already pushed your account into a closet and locked the door.

It won’t let you out until you change that password, security journalist Brian Krebs reported on Monday.

As Krebs reports, Facebook’s security team is now mining the data leaked from the Adobe breach to find users who – let’s not mince words, here, since we should all know better by now – committed the egregious security sin of using the same password to login to both Facebook and Adobe.

Those password sinners are now receiving this message:

Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

The accounts aren’t shut down, per se – they’re just being kept out of the public eye, where any malicious user who’s wiggled email accounts/passwords out of Adobe’s data set could have used the same login information to hijack an identically credentialed Facebook account.

After answering a handful of security questions and changing their passwords, the users’ accounts will be let out of the closet.

They’ll then be asked to answer a few security questions and then change their password.

Facebook is telling such users that for their own sake, “no one can see you on Facebook until you finish”.

Krebs reports that Diapers.com and Soap.com sent similar notices to their customers on Sunday.

It’s for our own good, of course.

The Adobe hack, which the company revealed in October, involved a huge dump of Adobe’s customer database being published online, stuffed with an eye-popping 150,000,000 breached customer records.

To make matters worse, the data included passwords that had been encrypted rather than hashed and revealing password hints stored in clear text.

In his analysis of what’s looking to be the biggest password disaster of all time, Naked Security’s Paul Ducklin details how it’s easy to recover a startling amount of information from Adobe’s encrypted-but-not-hashed data set.

Hell, I’m a crypto-idiot, and even I could see how easy it would be to crack passwords after reading Paul’s article (granted, I had to read it three times).

If you’re like a large number of commenters on Krebs’s story, you’re probably asking how Facebook is able to find users who have used the same password on both websites without repeating Adobe’s errors and storing passwords in clear text or encrypted form.

Chris Long, a security incident response manager at Facebook, actually chimed in to give this explanation in a comment on the story:

We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.

In simple terms, Facebook doesn’t store its users’ passwords; it passes them through one-way hashing functions and stores the result. Passwords can be used to create hashes, but hashes can’t be used to recreate the passwords that made them.

When somebody logs in to Facebook the password they hand over is passed through the same one-way hashing function and if the result matches what Facebook has on record that user is allowed in.

Facebook can use the same process on passwords that researchers have recovered from the Adobe data. If they pass an Adobe user’s recovered password through their hashing function they can see if the result matches what they have on record for that user.
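The check described above, as an added sketch that is not Facebook's code or taken from the original article: recovered plaintext passwords are run through the ordinary login verification, so the site never needs to store or decrypt anything. PBKDF2-SHA256, the iteration count, the store layout and all accounts and passwords here are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest) as a site would store them at sign-up."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_login(store, email, candidate):
    """The ordinary login check: re-hash the candidate with the stored salt."""
    record = store.get(email.lower())
    if record is None:
        return False
    salt, expected = record
    _, actual = hash_password(candidate, salt)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def find_reused(store, recovered_pairs):
    """Return emails whose recovered breach password also opens the local account."""
    flagged = []
    for email, plaintext in recovered_pairs:
        if verify_login(store, email, plaintext):
            flagged.append(email.lower())
    return flagged


# Constructed sample data: the local store holds only salts and digests.
STORE = {
    "alice@example.com": hash_password("correct horse battery"),
    "bob@example.com": hash_password("sunshine1"),
    "carol@example.com": hash_password("t7#Lq9!vZp2w"),
}

# Constructed stand-in for (email, plaintext) pairs recovered from another site's breach.
RECOVERED = [
    ("bob@example.com", "sunshine1"),   # same password on both sites
    ("Carol@example.com", "letmein"),   # account exists, different password
    ("dave@example.com", "123456"),     # no local account
]

if __name__ == "__main__":
    for email in find_reused(STORE, RECOVERED):
        print("force password reset:", email)
```

Only accounts where the breach password verifies are flagged; a mismatch tells the site nothing about the user's actual password.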

Clearly, Facebook didn’t have to be Big Brotherish in its data-mining operation.

Given the easily cracked passwords and their corresponding email addresses, it seems like a no-brainer for Facebook to be able to compare the passwords post-hash.

Not only is Facebook being non-Big-Brotherish, it’s being proactive in protecting customers, for which it deserves hearty kudos. If only all companies shepherded their customers’ data in this manner.

Another good thing to come out of Facebook’s move is that, hopefully, those poor, password-sinning customers are going to take the lesson about password reuse to heart.

Make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.

If those passwords are impossible to remember, that’s good – all the better. That’s what they make password managers like LastPass or KeePass for.

Thanks to my password manager, I couldn’t tell a hacker any of my passwords even if they used the sweetest social engineering honey in the world.

Obviously, we’re always talking about not reusing passwords at Naked Security but it’s just one of our 3 essential security tasks. So while you’re fixing your passwords please do the other 2 tasks as well.

To stay on top of all things Facebook, consider joining up with Naked Security on our Facebook page.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oxC41o8Shq4/

Buggy software in need of patching? Hey, we got that right here – Adobe


Adobe has released a batch of scheduled security fixes to address critical flaws in its Flash Player and ColdFusion products.

The company said the updates will tackle a pair of security vulnerabilities in the two platforms which could be exploited remotely by attackers.


For Flash Player, the update applies to Windows, Linux and OS X systems and fixes remote code execution flaws. The company warned that, if targeted, the flaws could allow an attacker to execute attack code on a targeted system without requiring any user notification or interaction.

To install the update, Adobe recommends that users update to the latest versions of Adobe Flash Player and, if necessary, Adobe AIR. The company noted that users running Google Chrome and Internet Explorer on Windows 8 and 8.1 will automatically receive the update when they update to the latest versions of their browser.

Additionally, Adobe has released an update to its ColdFusion application server. The security patch addresses a flaw in the platform which could potentially allow an attacker to remotely gain read access to a targeted system, as well as another vulnerability which could potentially allow an attacker to perform a cross-site-scripting attack.

The company said that the update should be installed for all systems running Windows, Mac and Linux ColdFusion versions 10, 9.0.2 and 9.0.1.

ColdFusion was among the platforms affected last month when a major breach on Adobe’s systems led to the mass loss of user account credentials.

An Adobe spokesperson noted that Tuesday’s update addresses an entirely different set of security risks which have yet to be targeted by attackers in the wild. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/13/adobe_follows_microsoft_with_patches_for_coldfusion_and_flash/

IE 0-day plugged up but TIFF terror continues in November Patch Tuesday


November’s edition of Patch Tuesday brought relief from an IE zero-day exploit but a TIFF image-handling vulnerability under active attack from hackers remains unpatched.

Microsoft released a total of five bulletins, three of which are marked up as critical and five of which are designated as important. The patch batch collectively addresses 19 vulnerabilities in Windows and Office software.


MS13-088 fixes 10 vulnerabilities in all supported versions of Internet Explorer (IE 6, 7, 8, 9, 10 and 11). The second of the critical updates (MS13-089) tackles a flaw in the Microsoft Windows Graphics Device Interface (GDI) that creates a means to inject malware onto vulnerable systems after tricking a user into opening a document loaded with malicious code. Every supported version of Windows is affected.

The final critical patch guards against an attack first disclosed by security firm FireEye last week. As it turns out, Microsoft was already aware of the Internet Explorer ActiveX Control-related flaw and had created and tested the fix. This is just as well because Symantec has linked abuse of the vulnerability to the notorious Hidden Lynx hacking crew, a group of “hackers for hire” based in China suspected of running APT-style attacks against targets in the US, Taiwan and elsewhere since 2009.

The remaining five bulletins deal with lesser “important” flaws in Microsoft’s software, the most noteworthy of which grapples with a denial of service vulnerability in the software giant’s virtualisation product, Hyper-V.

Wolfgang Kandek, CTO at cloud security firm Qualys, commented: “Overall, while it is only a medium-sized Patch Tuesday, pay special attention to the two 0-days and the Internet Explorer update. Browsers continue to be the favourite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets.”

The SANS Institute’s Internet Storm Centre has once again produced a graphical overview of the release, which is much easier to comprehend than Microsoft’s summary.

The release confirms, as expected, that there’s no immediate relief for a separate zero-day vulnerability involving how Office handles .TIFF graphics files. The CVE-2013-3906 flaw is being actively exploited in attacks, typically featuring booby-trapped Word files, by increasing numbers of both profit-motivated cybercrooks and cyberspying groups. Microsoft has issued a workaround involving disabling the vulnerable graphics library that is increasingly becoming a must-have accessory for corporate networks.

The unpatched bug affects Microsoft Office 2003 and 2007. Office 2010 is also affected but only when the suite runs on older versions of Windows such as Windows XP or Windows Server 2003.

In other patching news, Adobe released updates for Flash Player, Air and ColdFusion. The Flash Player update is designed to resolve two critical vulnerabilities, while the ColdFusion update fixes one.

ColdFusion was among the platforms whose source code was leaked last month during a major breach of Adobe’s systems that led to the loss of 150 million user account credentials.

As previously reported, Adobe said that Tuesday’s update addresses a different set of security risks which have yet to be targeted by attackers in the wild. The software firm credits Hold Security for research that helps uncover bugs that needed patching.

Hold Security linked attacks against ColdFusion version 8 to the recent high profile theft of Adobe source code as well as attacks against LexisNexis and others.

“While Adobe did not find the precise attack effective against any of supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today [Tuesday],” Alex Holden of Hold Security told KrebsOnSecurity.

Finally Google released a new version of its browser (Chrome 31) that features 25 security fixes and other tweaks, including improvement to SSL ciphers that come with the addition of support for the AES-GCM ciphers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/13/november_patch_tuesday/