Thursday, April 30, 2009

Adobe confirms new flaw, recommends turning off JavaScript

Adobe confirms new flaw, recommends turning off JavaScript - SC Magazine US

Note that this is only the Acrobat JavaScript functionality; you don't need to do it system wide. However, this also makes it pretty tough in a large (i.e. more than 20 workstations) environment unless you're going to roll out a customized version of Acrobat. I'd suggest telling your user base not to open any PDFs from the web until this is fixed.

I found this an interesting quote:
"This is not the first time that critical vulnerabilities have been found in Adobe's software," Sophos' Graham Cluley said on Wednesday on his blog. "And there is growing concern that the vendor's dominant market share of the PDF reader market is proving extremely attractive for hackers hellbent on infecting as many PCs as possible."

It is very true. Could Adobe be the next big target? The advantage to hackers is that most Adobe products are cross-platform and therefore have the potential to create a lot more havoc. If nothing else, however, it will hopefully get Adobe to shape up and be a little better at dealing with this kind of thing. For all their flaws, Microsoft's reporting of vulnerabilities and patching timelines only improved as their products became significant targets.

Here is Adobe's official response:
Adobe PSIRT

Monday, April 27, 2009

Swine Flu/Pandemic Planning - Updated

Update #4 – Not a lot new that isn’t already widely public. However, the CDC has launched a new site focusing on social media tools for health emergencies in general. It’s at the bottom of this post.

Update #4 – WHO raises alert level to 5, didn’t take long for the spammers to arrive, list of “spamvertised” domains

Update #3 – Canadian airlines stop flights to Mexico, First Death Reported in US

Update #2 - Follow the CDC on twitter - @CDCemergency

Update #1 – The WHO has raised their alert level to 4, additional links at the bottom of the post.

__________________________________________________________

While it is still too early to tell if the Swine Flu outbreak will turn into a pandemic, it is never too early to start your planning. There are a number of sites available with some preliminary information as well as ways to track the outbreak and suggestions for planning. I'll continue to update this page as I get more information.

From the CDC:

The CDC currently recommends that you cover your nose and mouth with a tissue when you cough or sneeze, wash your hands often with soap and water, avoid touching your eyes, nose or mouth, and try to avoid close contact with sick people.

The CDC also suggests that if one does contract an illness, they should stay home from work or school and limit contact with others to avoid spreading the infection.

If you develop an illness with fever and respiratory symptoms and you live in or near a region in which the virus has been identified, the CDC recommends that you immediately seek attention from your health care provider to determine whether further influenza testing is needed.

Skeleton plan from the SANS Institute:

Don’t Panic!

Initial monitoring stage (where we are right now)

  • If you’re sick, stay home
  • Family is sick, stay home
  • Close contact with someone showing symptoms, stay home
  • Wash your hands, cover your cough

Then, if multiple cases in your area,
  • Think about telling non-essential workers to stay home
  • Recommend workers take kids out of daycare

Pandemic stage
  • Everyone will be staying home, how will you handle it?
  • Do you have enough laptops?
  • Can your VPN concentrators handle the load?

Some links with valuable and/or interesting information:

2009 Swine Flu Outbreak Map - Google Maps
SANS Institute: Pandemic Watch 2009
Mashable: How to Track Swine Flu Online
TED Interview with “Virus Hunter” Nathan Wolfe
Canada Foreign Affairs Department Travel Warnings
List of domains being used by spammers
CDC Social Media Tools for Partners and Consumers

Friday, April 24, 2009

Bruce Perens - A Cyber-Attack on an American City

I have been surprised at how little this event has been reported as well. One would think that the press would run with this based on the terrorism theme. Good read, as usual.

Bruce Perens - A Cyber-Attack on an American City

Wednesday, April 15, 2009

The Human Factor in Laptop Encryption

The link below goes to the sign-up page for a white paper. However, the statistics on the landing page are scary enough:

"56% of business managers have disengaged their laptop’s encryption"
"61% of business managers share their passwords, compared to only 4% of IT managers."

The Human Factor in Laptop Encryption

Tuesday, April 14, 2009

Microsoft Security Bulletin Summary for April 2009

A pile of vulnerability fixes this month from Microsoft including a number with a very high potential for attack.

TechNet Summary
Microsoft Security Bulletin Summary for April 2009

Consumer Friendly Summary
http://www.microsoft.com/protect/computer/updates/bulletins/200904.mspx

Monday, April 13, 2009

I’ll Be Speaking at the WCIS Conference this week.

This Thursday, April 16, I’ll be speaking at the ISACA - Western Canada Information Security Conference in Winnipeg - http://www.wcisc.ca/program2009.htm

I’ll be doing the end-of-day keynote and will be teaching an excerpt from the SANS SEC401 Security Essentials course. If you’re going to the conference and are curious about SANS courses, this is a perfect opportunity to evaluate one for free (well, aside from the conference fees…).

Aside from SANS you can also hear talks from Microsoft, Compugen, RSA, Checkpoint, and many others.

NERC Advises Industry on Cyber Assets

So, the North American Electric Reliability Corporation took the bold step of recommending that energy companies take a comprehensive look at how they identify critical cyber assets - Before Grid Hack Reports, NERC Advises Industry on Cyber Assets

It seems to me that if they haven't even identified these assets then they have a long way to go before they can actually defend them. Let's hope the government gets involved and really forces the operators to start working on security.

Here is a list of articles relating to the infiltration of the power grid:
http://online.wsj.com/article/SB123914805204099085.html
http://fcw.com/Articles/2009/04/08/FERC-needs-to-step-up-oversight-to-safeguard-grid.aspx
http://www.nextgov.com/nextgov/ng_20090408_1423.php
http://www.washingtonpost.com/wp-dyn/content/article/2009/04/08/AR2009040803904_pf.html
http://www.cnn.com/2009/TECH/04/08/grid.threat/index.html
http://www.eweek.com/c/a/Security/Before-Grid-Hack-Reports-NERC-Advises-Industry-on-Cyber-Assets-479748/

And the letter from NERC - http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-040609.pdf

Wednesday, April 1, 2009

Welcome!

I'm an IT Manager with a specialty in security and a security educator on the side. I strongly believe that education is the key to making our computers and networks secure. This blog is my place to provide information, tips, and explanations for home users as well as systems admins in small companies.

There is no silver bullet in security, but if you take the time to implement basic security and educate yourself about the threats, as well as the tools available to combat them, you and your information will be much more secure.

Stay tuned...