On October 3, Adobe was hacked and 3 million user accounts were compromised. The attack exposed customer names, encrypted credit and debit card numbers, expiration dates, and other information. Adobe is resetting the passwords on all customer accounts. Here’s the text of the notification I received early this morning:
We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.
To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.
We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.
Adobe Customer Care
Reportedly, Adobe will also be notifying customers whose credit or debit card information was exposed. (I do not have a credit card on file with Adobe, so I just got the password reset notice.) Adobe has also promised to offer affected customers the option of enrolling in a one-year complimentary credit monitoring membership where available.
It’s that time of the month again (no pun intended). It’s Patch Tuesday. It also happens to be the 10th anniversary of the celebrated (not) monthly visitor (sorry, they just keep coming). Microsoft released eight new security bulletins—four rated as Critical and four Important. The most urgent one, however, is MS13-080—the cumulative security update for Internet Explorer. It addresses a total of 10 separate vulnerabilities affecting all supported versions of the Web browser:
This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Other Critical patches:
MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
MS13-083: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)
Better get patching!
October 1 marked the start – and the 10th anniversary of – National Cyber Security Awareness Month (NCSAM). Sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM is an initiative aimed at making sure everyone has the resources they need to stay safer and more secure online.
We all can do our part by educating family, friends and coworkers on how to use the internet safely. The average person really has little clue about the dangers lurking in cyber space and even if they have an inkling, they are far too trusting of what their clueless friends routinely send them. In their defense, cyber security is not easy and the last ten years have shown us a wide range of security threats that test the mettle of even the most savvy cyber security professional.
Sophos has posted 10 topical tales, “in vaguely chronological order, that have burst into our collective security concerns at various times in the last decade.” It’s an interesting list and will give you some food for thought as well as real examples you can use to educate your people.
In another post, Sophos recommends that you do these 3 essential security tasks for your family today.
What are you waiting for? Git ‘er done!
Microsoft has released its Law Enforcement Requests Report for the first six months of 2013. It is the second such report they have issued. The report “…details the number of requests for data we received from law enforcement agencies around the world, and how Microsoft responds to those requests. It covers requests for data relating to all of Microsoft’s online and cloud services, including Skype.” The report is not permitted to give detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives), so these are not included in the report. However, they do summarize the aggregate volume of National Security Letters received.
Most of the data is in line with the report for the year 2012, so it makes one wonder about all of the recent hype: Just how much data is really being disclosed? It’s nice to have some real facts from at least one source to help evaluate the current state of things. Here are some of the more pertinent facts:
Microsoft (including Skype) received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts in the first six months of this year. This compares to 75,378 requests and 137,424 potential accounts in the whole of 2012.
Approximately 77 percent of requests resulted in the disclosure of “non-content data”. No data at all was disclosed in nearly 21 percent of requests.
Only a small number of requests result in the disclosure of customer content data, just 2.19 percent of total requests. 92 percent of the requests that resulted in the disclosure of customer content were from United States law enforcement agencies. This is again, broadly in line with what we saw in 2012.
What is interesting is the majority of the requests come from only five countries:
While we see requests from a large number of countries, when you look at the overall number, the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France. For Skype the requests were similarly concentrated, with four countries, the US, UK, France and Germany, accounting for over 70 percent of requests.
One thing really stands out for me and that is the position that Microsoft is taking on the sharing of information regarding FISA requests and national security. This is encouraging.
We believe this data is valuable and useful to the community that is looking to better understand these issues. However we recognize that this report—focused on law enforcement and excluding national security—only paints part of the picture. We believe the U.S. Constitution guarantees our freedom to share more information with you and are therefore are currently petitioning the federal government for permission to publish more detailed data relating to any legal demands we may have received from the U.S. pursuant to the Foreign Intelligence Surveillance Act (FISA).
Every year, Secunia publishes its Secunia Vulnerability Review. The 2013 version results do not bode well for our state of security. Here are some of their findings from 2012:
In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them.
There’s an average of 4 vulnerabilities per vulnerable product.
Vulnerabilities were discovered in 2,503 products from 421 vendors.
The number shows a 15% increase in the five year trend, and a 5% increase from 2011 to 2012.
One fifth of the criticalities discovered in all products were rated as either ‘Highly critical’ (18.3%) or ‘Extremely critical’ (0.5%).
With an 80% share, the primary attack vector for all products was Remote Network.
Two things concern me: 1. That the trend is increasing; and, 2. That remote attacks are the primary vector. This tells me that we have to get better at hardening our perimeters and educating our users to keep the doors to our network closed.
And, of course, software companies need to work harder at closing security holes.
Time to lighten up a bit. Even though this is a cutely disguised ad for Sophos products, it’s funny. Who doesn’t have someone who comes in for a daily “I forgot my password?” I’ve gotten to the point where I see the faces and know what they need.
According to this nakedsecurity blog post, “A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.” Vulnerability researchers EnableSecurity carried out the study and was reported by WordPress security firm WP WhiteSecurity. The investigators qualified their statistics a bit with this statement: “The tools used for this research are still being developed therefore some statistics might not be accurate.” Nevertheless, it warrants your attention if you are running WordPress.
Here are ten steps that Sophos recommends to bolster your WordPress security:
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website
No matter how much we would like to think it’s possible, perfect security is unattainable. Install a moat and 40-foot high walls around your village and the enemy will use trebuchets to throw fireballs at you. Build a stronger lock and someone will come along with stronger bolt cutters. Install the latest firewall and IDS and hackers will use social engineering to attack you from inside the perimeter. No matter what security measures you employ, someone will come up with a way to defeat them. There is no such thing as perfect security.
There is, however, such a thing as effective security for a given situation, what I call Minimum Effective Security (MES). I define MES as follows:
Minimum Effective Security is that set of surveillance, barriers and countermeasures adequate to protect against known threats that could reasonably be expected to be leveled against the protected assets.
If you think about it, the key word here is “adequate.” But adequate against what? You have to identify the threats that you could reasonably expect given the value of the assets. So, you first have to establish the impact a successful attack would have: Minor inconvenience, or major loss?
You probably wouldn’t be too concerned about putting up video surveillance cameras to monitor your backyard tool shed nor would a perimeter wall be necessary. Depending on the value of the contents, you might want to install an inexpensive audible alarm and/or motion sensor lights. More than likely, however you’ll simply have good hinges and a strong hasp with a sturdy lock. Adequate.
On the other hand, you would equip your home with a robust, monitored security and fire detection system and you would probably have at least a camera at the main entrance.
How about your home network? You certainly don’t need an expensive commercial grade firewall and IDS; a good consumer grade NAT router with built-in firewall features would probably be adequate. Of course, keeping your system and applications up to date with security patches would have to be part of that mix to qualify as adequate security. Of course, you’ll want a good backup strategy.
If your home network is also part of your business, you’ll need a bit more than the above to qualify as adequate security. You would probably want to encrypt critical data and you’ll certainly want multiple backups with at least one stored offsite.
You get the idea. You have to take a good look at the types of threats you can reasonably expect given your circumstances and then work out what would be adequate. Naturally, there is nothing wrong with going beyond adequate; it won’t hurt a bit to put stronger measures in place if that makes you feel more comfortable.
Just make sure you always achieve and maintain Minimum Effective Security.
According to USA Today, The NSA and its British counterpart, the Government Communications Headquarters (GCHQ) have cracked encryption codes and have inserted secret “back doors” into security software through covert partnerships with technology companies and ISPs.
Perhaps I’ve gotten numb over all of this because I am not surprised.
Our friends at LastPass, however, want to make it very clear that they will have nothing to do with these shenanigans. In fact, they will shut down their service before cooperating with the government goons. Here’s an excerpt from a September 10 blog post:
With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.
In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.
This is right in line with the way I feel about covert government operations and is one of the big reasons I will continue to stick with LastPass. They conclude with this:
We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.
Microsoft’s Patch Tuesday will be a big one, with 14 patches, eight of which address remote code execution holes.
The biggest patch is Bulletin 3, rated critical, addressing remote code execution vulnerabilities in all versions of Internet Explorer from IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT. This patch requires a reboot.
In addition to remote code execution (RCE) vulnerabilities, the patches also address privilege elevation and denial of service flaws.