IT News, Solutions and Support

Proactive Computing | Optimizing IT for usability, performance and reliability since 1997

Category: Security Alert!

Microsoft releases 14 patches for Windows

bug-162019

Microsoft released patches for 14 vulnerabilities in its Windows operating system, Office and Internet Explorer software on Tuesday, including four it deemed critical, it’s highest severity rating.

All four of the critical bugs could allow attackers to remotely execute programs on a targeted system, something that in the past has allowed hackers to steal personal information such as passwords or take over machines for the purpose of sending spam.

The patches were released as part of the company’s monthly “patch Tuesdaysecurity update for its major software products. The company had originally planned to deliver 16 updates Tuesday, but two are marked as yet to appear. They include one that was expected to carry a critical rating.

At 14, the number of patches is a monthly record for 2013 and 2014.

They include a problem with Windows Object Linking and Embedding that could allow remote code execution if the user visits a website containing malicious code. If the user is logged in as the administrator, the attacker could gain the ability to install programs and change and delete data. A related patch for Internet Explorer fixes the vulnerability with malicious websites and 16 other problems with the software, said Microsoft.

A security update for the Microsoft Secure Channel software in Windows fixes a problem that leaves Windows Server vulnerable to attack from specially crafted packets. The fourth critical patch fixes a hole in Windows that allows attackers to invoke Microsoft XML Core Services from a malicious website and then remotely execute code on a target system.

A further seven patches are marked as important—the second highest rank.

One vulnerability in Microsoft Office allows for remote execution of code, four additional problems allow attackers to assign themselves higher privileges and two allow bypass of certain security features in Windows.

via Microsoft releases 14 patches for Windows security problems | PCWorld.

Article: 5 steps to keep your accounts safe from hackers and scammers

Throughout the flood of hacks and data breaches at retailers, restaurants, health care providers and online companies this year — Home Depot, Target, Subway, Adobe and eBay were just a handful — the one safe haven was the banks. Unlike other companies, banks had a long history of keeping bad guys away from our money and personal data.

Unfortunately, that’s no longer something we can take for granted, as JPMorgan Chase customers discovered recently when the financial giant admitted that hackers had stolen information, including checking and savings account details, from 80 million customers. Even worse, the hack went on for two months before the company noticed anything was amiss. That’s not very comforting.

There’s no way you can prevent a data breach from occurring at a company that has your business. You can, however, make sure your accounts are secure from other forms of attack.

Here are my Top 5 methods to maintain safe and secure online accounts.

1. Lock down your password

Maintaining good password security is one of the easiest ways to protect your accounts.

A strong password — eight or more characters with upper-case characters, lower-case characters, numbers and symbols in a random order — is very hard for hackers to break. Click here to learn how to create a password like this that’s still easy to remember.

Of course, you need to create a unique password for every account. That way, if hackers get one of your passwords in a data breach, they can’t immediately get into your other accounts.

While you’re making your passwords strong, don’t forget to beef up your security questions, too. A strong password is worthless if a hacker can answer your security question after a quick trip to Facebook.

2. Secure your connection

When logging into a sensitive account, the best place to do it is at home. I’m assuming here that you’ve followed my other security tips about securing your network and making sure your computer doesn’t have a data-stealing virus.

Of course, in an emergency, you might need to connect to a sensitive account when you’re on the go. For banking, it’s best to use your bank’s app and a cellular connection.

If you have to use Wi-Fi, add extra security with a Virtual Private Network. This creates a secure, encrypted link with a third-party server, and you access your sites through that link. It’s an extra level of protection that hackers shouldn’t be able to crack. On a laptop, CyberGhost is a good option. On a tablet or smartphone, check out Hotspot Shield VPN or avast! SecureLine VPN.

Know that VPNs slow down your Internet speed. Turn them off for streaming videos and general browsing.

3. Set up account alerts

Many banks will automatically send you text alerts when purchases or withdrawals on your card exceed an amount that you specify. Click here to learn more about setting up text alerts. Check your credit cards and other accounts for similar options.

Many online accounts also offer something called two-step verification, or two-factor authentication. This is great. In order to log in from an unfamiliar device or location, you need a password and a code from a separate email account or smartphone text.

Click here for instructions on setting up two-step verification for Microsoft, Facebook, Google and other online accounts. It takes just a few minutes and can save you a bunch of time and hassles.

While we’re on the subject of two-factor authentication, some banks now feature an embedded chip that generates a new pass code for every use. Ask your financial institution if it offers cards with Chip Authentication Program (CAP) or Dynamic Passcode Authentication (DPA) technology. They don’t advertise this. You have to know to ask.

4. Avoid phishing scams

Even if hackers don’t get your credit card information or account number, they usually get the next best thing: Your name and email address.

That’s exactly what they need to launch a phishing attack. A popular type of phishing attack is a fake email claiming to be from a real company that asks you to click on a link or download an attachment.

Thanks to data breaches, hackers know exactly what companies you use. You might get an email claiming to be from JPMorgan Chase telling you that your account has a problem and you need to click a link or download a file for more details. Click here to learn the warning signs of a phishing email so you aren’t fooled.

Of course, the link will take you to a malicious site disguised as a Chase page, or the email attachment will contain a data-stealing virus. Either way, hackers can get your username and password, or other sensitive information.

Remember, no legitimate company will ask you to click a link or download an email attachment to update your account details.

5. Be vigilant

The best way to make sure your online banking account, or any other account, stays safe is to pay attention. Catching small problems early can prevent hackers from making bigger ones later. Here’s why:

In the cybercriminal world there’s a term, “fullz.” A fullz is all the information a thief needs to assume the identity of someone else and apply for credit under their name.

When hackers get your fullz, they often group it with fullz from other people and sell the whole package online. Click here to learn more about fullz and how they’re bought and sold.

After buying a fullz, a criminal will test the waters. He’ll place a few small-scale purchases using your account details. If you don’t take any action, he’ll continue making small purchases until he’s earned the amount he paid for your “fullz,” and then some.

Finally, the criminal will max out your card or drain your account without a second thought. How do you stop this? Watch your accounts. If you notice a strange transaction, call your bank or credit card company immediately. Better to err on the side of caution.

Copyright 2014, WestStar Multimedia Entertainment. All rights reserved.

On the Kim Komando Show, the nation’s largest weekend radio talk show, Kim takes calls and dispenses advice on today’s digital lifestyle, from smartphones and tablets to online privacy and data hacks. For her daily tips, free newsletters and more, visit her website at Komando.com. Kim also posts breaking tech news 24/7 at News.Komando.com

http://www.foxnews.com/tech/2014/11/01/5-steps-to-keep-your-accounts-safe-from-hackers-and-scammers/

5 Million Gmail Passwords Leaked, Check Yours Now

5 Million Gmail Passwords Leaked, Check Yours Now.

5 Million Gmail Passwords Leaked, Check Yours Now

According to the Daily Dot, nearly 5 million usernames and passwords to Gmail accounts have been leaked on a Russian Bitcoin forum. Here’s what you should know.

The list has since been taken down, and there’s no evidence that Gmail itself was hacked—just that these passwords have been leaked. Most sources are saying that lots of the information is quite old, so chances are they were leaked long ago—though others are claiming 60% of the passwords are still valid (not to mention really, really horrible).

5 Million Gmail Passwords Leaked, Check Yours Now

To check if your password was one of the leaked, plug your Gmail address into this tool (which also checks against recent Yandex and Mail.ru leaks). If you’re paranoid, you may also want to change your password at this time. As always, make sure you use a strong password and enable two-factor authentication on  your account. Hit the link to read more.

Update: Looks like the IsLeaked tool is having some trouble due to unusually high traffic—if you get an error message, try reloading the page or checking back later.

5 Million Gmail Passwords Leaked to Russian Bitcoin Forum | The Daily Dot

Healthcare.gov hacked – Botnet malware discovered | PCWorld

Botnet malware discovered on Healthcare.gov server | PCWorld.

Thanks to a poor initial launch followed a few months later by the Heartbleed scare, Healthcare.gov has had its share of security problems. Now, we can add one more security snafu to the list. In early July, a hacker was able to infiltrate a server connected to Healthcare.gov, deposit malware on it, and remain undetected for about a month and a half.

The good news is no personal information was compromised and it appears the malware was never actually used, according to CNN. The compromised server was a test machine that site developers use to try out code before pushing it live on the servers hosting the actual site. The server did not contain any personally sensitive information such as names or Social Security numbers.

The problem was the test server was never supposed to be connected to the Internet and its security was not as robust as other servers on the network.

But Healthcare.gov’s inattentiveness was the anonymous hacker’s gain.

Searching government networks for vulnerable servers, the hacker was able to break-in because the server’s default password had not been changed, according to The Wall Street Journal. Even the U.S. government, it seems, can do with a refresher course every now and then on security .

From the sounds of it, this latest Healthcare.gov intrusion was little more than a close call. The malware itself was designed to add the test server to a botnet, which could then be used to attack other websites with distributed denial-of-service attacks (DDoS). Botnets are also routinely used to distribute spam email.

The hack on Healthcare.gov certainly could’ve been worse—if, for example, hackers were able to use the test server to get into other servers that did contain sensitive information.

Luckily that didn’t happen. What’s most concerning, however, is that it took site operators until August 25 to discover the intrusion. CNN reports that since the malware was not actually operational it was more difficult to discover. Nevertheless, Healthcare.gov clearly needs to audit its systems to make sure something like this doesn’t happen again, especially with the next open enrollment period slated to begin in a few months time on November 15.

healthcare.gov hacked

1000 businesses hit with Target cyberattack

Over 1,000 US businesses hit with the same cyberattack as Target

With cyber attacks happening almost daily these days, when was the last time you changed your password?

So far, only seven of the more than 1000 companies have come forward and acknowledged they were hacked, according to the Secret Service, supposing they are still unaware that they were attacked. So how safe is your data online?

Target’s massive data breach grabbed headlines right in the middle of holiday shopping that year, and the fallout continues. According to a Department of Homeland Security advisory this afternoon, the attacks that hit the red-hued retailer, along with Supervalu and UPS, are much more widespread than first reported. The so-called “Backoff” malware in various versions has actually hit more than 1,000 businesses in the States, allowing hackers to snag info from millions of credit card payments. Remote network access for contractors provides the avenue for entry, and the announcement suggests that companies have vendors take a close look at their systems for possible criminal activity. It’s also calling for businesses to put cash registers on a separate network and employ two-factor authentication to help combat would-be intruders.

[Photo credit: Joe Raedle/Getty Images]

via Over 1,000 US businesses hit with the same cyberattack as Target.

1000 businesses hit with Target cyberattack

Related: Most U.S. Businesses Don’t Know They Were Caught Up In Massive Cyberattack

Daily Report: Keeping Data Secure Is One Tough Job – NYTimes.com

Daily Report: Keeping Data Secure Is One Tough Job – NYTimes.com.

“We’re like sheep waiting to be slaughtered. We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”

~ David Jordan, the chief information security officer for Arlington County in Virginia.

Daily Report: Keeping Data Secure Is One Tough Job - NYTimes.com

Hackers Find Way to Outwit Tough Security at Banking Sites – NYTimes.com

Hackers Find Way to Outwit Tough Security at Banking Sites – NYTimes.com.

Hackers Find Way to Outwit Tough Security at Banking Sites - NYTimes.com

Even two-factor authentication can be twarted. This article has some interesting insight on the way the attacks are engineered…

Russian Hackers Probably Have Your Passwords. Now What? | TechCrunch

Time to change those passwords again…how often do you change yours?  Who doesn’t still have a few from the Stone Age? Just do it!

Russian Hackers Probably Have Your Passwords. Now What? | TechCrunch

.

Malware is now officially in the arsenal of 30 police departments worldwide | VentureBeat | Security | by Richard Byrne Reilly

Yet another reason to keep your system safe from malware: yes, the cops may be snooping around your browser history.

Malware is now officially in the arsenal of 30 police departments worldwide | VentureBeat | Security | by Richard Byrne Reilly.