A new version of MS14-045 has been pushed to Windows Update and the Download Center. Microsoft strongly recommends that users uninstall the old version first. Microsoft today re-released the updates for security bulletin MS14-045. This update had been released on the August Patch Tuesday, August 12, but withdrawn later in the week after user reports of blue screen crashes and disabled systems.
At the same time Microsoft withdrew MS14-045, it withdrew three non-security updates, KB2970228, KB2975719 and KB2975331. None of those have been reissued and we have no further information on them. A blog entry from Tracey Pretorius, Director of Microsoft Trustworthy Computing, implies that the problem was released to a change in the release schedules for non-security updates.
The John Maxwell Leadership blog shares ideas related to preperation of questions when interviewing business professionals
: Larry King, who has made his living speaking to people as a television talk show host, believes that asking questions is the secret of good conversation. He says, I’m curious about everything, and if I’m at a cocktail party, I often ask my favorite question: “Why
?” If a man tells me he and his family are moving to another city
” A woman is changing jobs
: “Why?” Someone roots for the Mets
The meetings I look forward to most are the learning lunches I schedule every month with people who can teach me. When we meet, I come armed with questions
. Many are specific to the individuals I’m meeting with. But there are some questions I try to ask everyone. You may want to use them too:
1. What is the greatest lesson you have learned? By asking this question I seek their wisdom.
2. What are you learning now? This question allows me to benefit from their passion.
3. How has failure shaped your life? This question gives insight into their attitude.
4. Who do you know whom I should know? This allows me to engage with their network.
5. What have you read that I should read? This question directs my personal growth.
6. What have you done that I should do? This helps me seek new experiences.
7. How can I add value to you? This shows my gratitude and desire to add value to them.
Strong password controls are recommended at Word Press sites to ensure safety as major brute force attacks are more actively circulating
Brute force attacks against WordPress have always been very common. In fact, Brute Force attacks against any CMS these days is a common occurrence, what is always interesting however are the tools employed to make it happen. You create a website, because it’s super easy these days, publish the content and within a few weeks people try to repeatedly log in. These login attempts come from botnets
, they are automated and their goal is simple “break into as many websites as they can by guessing their passwords
.” Once they find one that matches, they take over of the site and use it to distribute malware, spam and similar activities.
Here is a small example, from our own honeypots, where we see hundreds of login attempts per day
, trying various combinations. The passwords may seem silly, but after going through the most common 200/300 dictionary passwords
, they can get into many web sites.
user: admin, pass: admin
user: admin, pass: 123456
user: admin, pass: 123123
user: admin, pass 112233
user: admin, pass: pass123
Originally, these brute force attacks always happened via /wp-login.php attempts, lately however they are evolving and now leveraging the XMLRPC wp.getUsersBlogs
method to guess as many passwords as they can. Using XMLRPC is faster and harder to be detected, explaining this change in tactics. This is not to be confused with our post back in March where we reported XMLRPC being used to DDOS websites
, oh no, in this instance they are leveraging it to break into websites.
Trend Labs shares techniques for spotting targeted attacks, which are highly specific and designed to blend into corporate email or other resource functions in a highly legitimate manner.
: Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we’ve stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against it; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT personnel equipped enough to recognize anomalies within the network and to act accordingly.
1. Check for Injected DNS Records
2. Audit Accounts for Failed/Irregular Logins
3. Review Security Warning messages and logs
4. Check for Strange Large Files
5. Audit Network Log for Abnormal Connections
6. Abnormal Protocols
7. Increased Email Activity and Spikes
As McAfee security shares, “Trust Is the Most Valuable Asset” in protecting information resources
Traditionally, providing security has been primarily a task of the state, but who should be responsible for safeguarding cyberspace? Who will build trust in it
? Most of digital infrastructure is owned and operated by the private sector. Moreover, the majority of actors operating in the field of cybersecurity are private. The state has unique capabilities to provide security and maintain trust among people, for example, by mobilizing its unique resources and by passing and enforcing laws.
Trust is an important ingredient of security
. Doubt leads to insecurity, whereas trust builds security. When there is no certainty, people seek additional security measures. In cyberspace, these measures usually refer to technical solutions to particular problems. In other words, security is produced through technology. However, addressing the question of trust this way is only part of the solution. Regulation—standards, laws, treaties, and good practices—that establishes rules of the game for cyberspace is also important. Yet the biggest challenge remains in people’s unawareness and lack of familiarity with digital technology.
It is the shared responsibility of all online actors to reinforce trust in the digital world. Thus it lies on everyone’s shoulders to strengthen cybersecurity. The state does its part by establishing national and international regulation and administrative structures needed for cooperation. It strengthens public-private partnerships and allocates powers both upward and downward to different actors. It strives to normalize people’s relationship to cyberspace and educates them to become smart e-citizens, shares information, provides services online, and counteracts threats in the digital world. It also uses market mechanisms, for example, purchasing power and the creation of incentives for companies, other organizations, and individuals to invest in cybersecurity