Computer News & Safety tips  – Harry Waldron MVP Rotating Header Image

December, 2015:

Adobe Flash – Critical security update release DEC 2015

Security updates have just become available for Adobe Flash Player and users should promptly apply these changes.

https://helpx.adobe.com/security/products/flash-player/apsb16-01.html

Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks.

Release date: December 28, 2015
Last updated: December 29, 2015
Vulnerability identifier: APSB16-01

CVE number: CVE-2015-8459, CVE-2015-8460, CVE-2015-8634, CVE-2015-8635, CVE-2015-8636, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8644, CVE-2015-8645, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650, CVE-2015-8651

Leadership – Evaluate how goals were achieved during past year

As John Maxwell reflects, the end of the year is an excellent time to evaluate how well goals were accomplished during the past year. After reflecting on the good, bad, and ugly experiences of the year, leaders can apply a “lessons learned” approach to improvements for the year 2016 ahead.

http://www.johnmaxwell.com/blog/its-still-the-most-wonderful-time-of-the-year

Most people allow their lives to simply happen to them. They float along. They wait. They react. And by the time a large portion of their life is behind them, they realize they should have been more proactive and strategic. My yearly process is just one method that I use to be strategic and intentional.

I’ve found that this is a perfect time of year for reflecting and setting goals. And it’s not too late for you to do as I’m doing. Start by sitting down with your calendar for 2015, along with any to-do lists or journals from the past 12 months. On a legal pad (if you’re old-school like me) or your computer (if you’re like everybody else), make note of each event, appointment, and activity.

Then evaluate every item on your list. What did you enjoy? What were some of your proudest moments? What did you spend too much time on? What didn’t get enough of your time? In what areas were you especially effective? Where did you fail? What can you learn from your mistakes? The key to this exercise is to use what you discover about your past year to inform and guide you in the coming year.

This type of reflective thinking can help you discover what worked and what didn’t, and what needs to change for you to become more effective. I hope you’ll join me in this exercise – whether you do it this week or sometime soon. By spending time evaluating your 2015, you’ll be better prepared to make 2016 your best year ever.

HDTV – High Dynamic Range is next major standard

In tracking new HDTV technological developments, the advent of High Dynamic Range is likely to become one of the next major standards

http://www.pcmag.com/article2/0,2817,2496390,00.asp

The next big thing in display technology is HDR (High Dynamic Range). If you thought 3D TVs were a flop, this might be worse. Not because the technology is bad or sketchy, but because this is more confusing than anything we’ve seen.  HDR TV and its cousin, HDR movies, creates a genuine wide dynamic range or huge contrast ratio that show details in areas that would normally be obliterated by the inability for a moving image to capture these details. It requires expensive gear to capture and also to project (movies) or display (TV).

You’ll soon be enjoying some fantastic HDR films in the theaters, but if anyone cares enough to buy a high-end HDR TV set remains to be seen. The way I see it the HDR technologies—which should also incorporate wide color gamut (WCG), which adds more actual colors into the TV palette—will eventually be thrown in for free in five years or so.

Juniper Networks – ISC issues rare YELLOW ALERT for critical updates

Last week the SANS Internet Storm Center raised the alert level  to YELLOW for backdoor vulnerabilities in Juniper ScreenOS products.  An out-of-band security release was issued to help resolve these critical security vulnerabilities.

https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+and+CVE20157756/20521/

https://www.sans.org/webcasts/101482

Juniper released an out of band update for ScreenOS late last week. The update fixes two distinct backdoor that were introduced into the ScreenOS code to provide remote access to the device, and to be able to decrypt VPN connections. As of Sunday evening, the hidden password has been released making exploitation of the flaw trivial. Also some details are now known about how the VPN encryption was weakened. In this brief webcast, we will provide a summary of what is known so far about this flaw, how to protect yourself and what this implies for devices from other manufacturers.

Ransomware – 2015 was banner year for developments

In 2015 ransomware attacks became more innovative with their code and capabilities to extort money from victims.  This trend is likely to continue in 2016 according to forecasts by security firms

http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424

It’s been a banner year for ransomware operators…and a nerve-wracking one for anybody responsible for securing endpoints.  Although some of the malware may issue empty threats, some of it has proven just as nasty as it claims. Researchers found that 30 percent of organizations admitted they’d pay ransom requests, and even multiple police departments have succumbed to them, when nobody was able to recover their encrypted files or their back-ups.

Then of course, there’s CryptoWall, the big daddy. 2015 kicked off with a new variant of CryptoWall 2.0 that was full of new tricks. It used TOR on command-and-control traffic and could execute 64-bit code from its 32-bit dropper. When CryptoWall 3.0 arrived on the scene, it was more streamlined and then spread mostly through exploit kits. CryptoWall 3.0 made $325 million in extortion payments in just the first 10 months, according to reports.  Then this fall, Cryptowall 4.0 appeared, using a very different style of ransom note. It was less of a classic “give me all your money” stick-up, and more like a combination of a welcome and threat from a particularly vicious homeowner’s association — urging community members to buy a $700 “software package” to decrypt their files…then urging more strongly.

Data Breach – Hello Kitty Vendor patches server vulnerability

While it is likely that no major impacts were experienced, the toy maker for the “Hello Kitty” brand reported an exposure that made access to over 3 million accounts potentially available.  This is documented below:

http://www.eweek.com/blogs/security-watch/hello-kitty-vendor-sanrio-admits-to-and-patches-flaw.html

Japanese toy vendor Sanrio, owner of the popular Hello Kitty brand, is admitting to a security vulnerability on its SanrioTown.com community Website. The vulnerability has already been patched, and there is no public evidence that private user information has been publicly posted.

“On Dec. 19, it was revealed through outside sources that personal information such as names, date of birth, gender and other information belonging to SanrioTown.com members was accessible if you knew the address of the vulnerable servers,” Sanrio stated in a release on Dec. 22. “The vulnerable data did not include credit card information or other payment information and passwords were securely encrypted.”  The outside sources include a report that alleged that 3.3 million Hello Kitty fans were exposed by a database leak. 

Facebook Scam – CEO is not giving away 10 percent of shares to users

A new scam circulating on Facebook claims that CEO Mark Zuckerberg will be giving away part of their fortune to the actual users in the Facebook community. Users should avoid participating in this hoax as it may lead to malware, identity theft, or other impacts. 

http://www.techinsider.io/facebook-payout-post-is-a-hoax-2015-12

Sorry, Mark Zuckerberg isn’t giving his money to you anytime soon, regardless of what you see posted on your friends’ Facebook feeds.  A new “copy and paste this now!” hoax claiming Zuck will be giving away 10% of his Facebook shares to “people like you and me!” is making its way around the social network — but don’t be fooled into sharing it.

This one comes after Zuckerberg’s announcement that he and his wife, Priscilla Chan, will be giving away nearly all of their Facebook shares — 99% — to the Chan Zuckerberg Initiative LLC.  It went hand in hand with the announcement of the birth of their daughter, Max, in late November. “Nowhere did the Facebook CEO say that a portion of that 99% would go to Facebook users for copying and pasting statuses.”

It’s worth mentioning that these types of hoaxes are nothing new. We saw a similar pranks go viral this year. Like this one promoting a “secret sister gift exchange.” Or this one promising to protect the copyright of the content in your Facebook profile. Before copy and pasting a status, it’s worth doing a quick internet search to make sure you’re not being duped.

Data Breach – Hyatt Hotels reports Credit Card malware attacks during late 2015

Hyatt recently reported their credit card payment processing system was infected with credit-card-stealing malware.  While they quickly halted the malware attacks shortly after discovery, customers are now being warned to carefully check credit card statements and quickly report all unauthorized transactions 

http://www.reuters.com/article/us-hyatt-hotels-hacking-idUKKBN0U704320151225

http://www.hyatt.com/protectingourcustomers

Hyatt Hotels Corp said on Wednesday that its payment processing system was infected with credit-card-stealing malware in an attack discovered three weeks ago, the latest in a series of breaches at hospitality firms.  Company spokeswoman Stephanie Sheppard said in an email late on Wednesday that the attack was discovered on Nov. 30.

She did not say if the attackers succeeded in stealing payment card numbers, how long its network was infected or how many of the chain’s 627 hotels were affected.  Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc last month disclosed attacks on payment processing systems.. Donald Trump’s luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

FireEye Inc said that Hyatt had hired it to help the company investigate the attack. FireEye’s Mandiant unit is one of the biggest providers of response services to companies that are victims of cyber attacks.  Representatives at a Hyatt call center set up to handle inquiries about the breach said the malware was programmed to collect payment cardholder names, card numbers, expiration dates and internal verification codes. “We have taken steps to strengthen the security of our systems,” Sheppard said in the email. “Customers can feel confident using payment cards at Hyatt hotels worldwide.”

Leadership – Affirm and Value Team Members

John Maxwell shares excellent leadership and team building advice as follows:

http://www.johnmaxwell.com/blog/how-to-intentionally-add-value-to-others-this-christmas

I shared some specific ways to make sure you’re adding value to others every day. And I think they’ll be helpful to you as you go through your daily life. If you do so between now and Christmas, you can establish a habit that continues into the new year.  You can add value every day if you will:

1. Value People — A life of significance cannot be achieved if you think of other people as obstacles that must be overcome. This means valuing everyone – not just those close to us. We need to intentionally value others and express that value to them.

2. Think of Ways to Add Value to People — People who live intentionally think on the front end about ways to add value.

3. Look for Ways to Add Value to People — In addition to thinking ahead about ways to add value, people who live with intentionality are also on constant lookout for spontaneous ways to help others. They have an outward focus as they go through their lives, ready to do something that makes someone’s day.

4. Do Things That Add Value to People — As my mentor John Wooden often said, “Don’t tell me what you’re going to do—show me.” It’s great to think ahead and look around for ways to add value to others, but nothing beats actually doing something for another person.

5. Encourage Others to Add Value to People — Significance begins with you, but it’s meant to be shared. As you develop the daily habit of adding value to others, begin encouraging people close to you to do the same. You can begin a significance movement right in your own home or office or community.

FFA – New Drone Security Laws instituted

As the technology has evolved faster than controls were set in place, the Federal Aviation Administration is quickly attempting to catch up to better control security risks associated with this new technology which is already in use by the public 

http://bits.blogs.nytimes.com/2015/12/15/daily-report-rules-for-registering-your-drone/

The Federal Aviation Administration on Monday laid out new registration requirements for owners of recreational drones, just in time for Christmas. The rules apply to Americans with a drone weighing between half a pound and 55 pounds — which means nearly all recreational drones.  If you are an owner of one of these high-flying machines — or might be in the coming weeks — here is what you need to know:

1. Anyone who owned a drone before Dec. 21 will be required to register the machine by Feb. 19, 2016. People who get a drone after Dec. 21 will be required to register before their first flight.

2. The F.A.A. said it would introduce the website for registration, faa.gov/uas/registration, on Dec. 21; registering will be free for the first 30 days. After that period, the fee for each individual drone user will be $5 for a three-year certificate of registration. There will be an option for owners to register by mail or in person, and the rules apply only to people over the age of 13, though children are permitted to fly under a parent’s registration.

3. The users are then required to put their registration numbers on any drone they own and have their registration card on them when they take a drone out for a flight.