CSU Fullerton Information Security Office

Microsoft has posted an advance notification regarding tomorrow’s “Patch Tuesday” monthly patch release.  A total of 10 bulletins will be released that address a total of  33 vulnerabilities. Of the 10 bulletins being released, 8 are rated as important and the remaining 2 are categorized as critical.

According to this post, mobile malware is getting to be such an issue that the author of the post claims his company now sees 1,000 malicious samples per day aimed at the Android platform. It is worth pointing out that this does *not* equate to 1,000 new samples every day:

Invariably, my friends – and perhaps you? – are astonished by this amount, and impressed that we handle so many new cases every day. Of course, many of those samples are not entirely ‘new’, just new instances or variants of known viruses. Indeed, those 150,000 are classified into only a bit less than 300 distinct families. Still, we need to make sure they are detected.

IP cameras are becoming popular for home monitoring as their prices have dropped considerably over the years. According to this post, and based on research from security vendor Core Security, popular IP cameras from 2 vendors both contain security vulnerabilities including backdoor passwords.

This week the verified Twitter account of the Associated Press (AP) was hacked and posts were made claiming two explosions took place in the White House and also claiming that President Barack Obama was injured. Interestingly, the Dow Industrial Average Immediately dropped about 140 which quickly recovered. More coverage here.

This article is reporting on some recently released research that shows it is possible to take control of aircraft flight systems using and Android smartphone and specialized attack code. From the article:

Teso’s attack code, dubbed SIMON, along with an Android app called PlaneSploit, can take full control of flight systems and the pilot’s displays. The hacked aircraft could even be controlled using a smartphone’s accelerometer to vary its course and speed by moving the handset about.

Fortunately the attack code has not been released and the researcher is working with the FAA and the European Aviation Safety Administration to correct the flaws in these systems.

According to this post, one year from today on April 8th, 2014, Microsoft will officially terminate extended support for Windows XP. At that point, new security patches and updates for Windows XP will no longer be provided by Microsoft. With XP still maintaining a nearly 39% hold on the desktop market, that might not be a good thing.

Happy Friday

According to this article, the encryption used in iMessages sent between iPhones is so strong that U.S. law enforcement (LE) is unable to snoop these messages. LE is still able to subpoena Apple in order to obtain these messages.

Microsoft has issued an advance notification for next Tuesday’s monthly patch release. This month nine bulletins will be issued with two of them being critical. This months bulletins will correct issues with the Windows OS itself, Internet Explorer, SharePoint, Windows Defender, and InfoPath 2010.

Anyone who even moderately follows security issues knows that Java has had its share of vulnerabilities over the years, and still continues to do so.  According to this article, and based on research by security vendor Websense, “approximately 94 percent of endpoints which run Oracle’s Java are vulnerable to at least one exploit, and we are ignoring updates at our own peril”. A key point from the article:

The researchers found that the latest version of Java, version 1.7.17, is only in use by a dismal five percent of users, and many versions are months or years out of date — just begging to be exploited.

This article covers what to do if your iPhone is ever lost or stolen. Some of the recommendation in the article need to be dealt with before you actually lose your device, such as installing a device-finder app.

This article discusses steps that can be taken to ensure that apps your friends run on Facebook are not accessing *your* private information. From the article:

If you aren’t comfortable with the information a Facebook app wants to access, don’t install the app.

But it seems that some Facebook users aren’t aware that – unless you have locked down your privacy settings correctly – the apps, games and websites that your *friends* use can also access your personal details, photos and updates.

Happy Friday.

According to this article, and based on recently released research, 78% of IT professionals admitted to plugging in USB drives that were found abandoned. This is extremely dangerous as the drives could be loaded with malware that could further compromise enterprise systems.

According to this article, ATM fraud is on the rise in California. From teh article:

FICO, a software company that provides credit scores and fraud detection services, released data on Tuesday showing a national uptick in card and PIN skimming, in which thieves steal information using electronic devices, at ATMs during 2012. California, in addition to Florida and the Northeast, was among the hardest hit, the analysis said, especially in Los Angeles, Riverside, San Diego and San Bernardino counties.

This article on using social networking safely and securely is worth reading if you use FaceBook, Twitter, or any other social networking applications. From the article:

Privacy issues are a common concern, whether the data being protected is personal, sensitive information about others, or business-related. Dangers related to privacy include cyber attacks such as identity theft, impacts of displayed information on future opportunities, and employer or business harm.

According to this article and based on a report by security vendor McAfee, cyber criminals are starting to attack “critical sectors of the economy”. From the article:

In the security giant’s fourth quarter threats report, researchers highlighted some of the new schemes being used in this regard and other high-profile attacks, including advanced persistent threats (APTs) such as Operation High Roller and Project Blitzkrieg.

Both of these methods attack financial services infrastructures, with the former aimed at manufacturing and import/export firms in the United States and Latin America, while Blitzkrieg hits both consumers and their banks through illicit electronic fund transfers.