January, 2015:

This study shares an awareness to be careful in this highly public environment to safeguard privacy:

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Knows-You-Better-Than-Your-Friends-And-Family.html/

Researchers at the University of Cambridge and Stanford University recently conducted a study to determine how well Facebook knows you. They released the results this week, and what they found is eye-opening. It turns out that the computer model the researchers built to analyze Facebook users could predict their personality better than their own friends and family members.

The researchers gathered their information by asking over 86,000 Facebook users to conduct a personality survey. Then they analyzed those users’ Facebook Likes to determine what interests aligned with what personality types. The more Facebook Likes a user had, the easier it was for the computer model to guess their personality. For instance, the computer could make better guesses about a user than their human friend after 70 likes, and could even outperform a family member after 150.

Facecrooks Security documents a new Facebook feature surfacing this week

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Launches-New-Place-Tips-Feature-But-You-Can-Opt-Out.html/

 

In a somewhat surprising release, Facebook launched a new feature called Place Tips for New York City users this week. If your location services are turned on, the Facebook mobile app will bring tips, photos and posts that pertain to your location to your News Feed.

“News Feed today is a pretty good tool at connecting you to friends and news,” wrote product manager Mike LeBeau in a blog post. “but if we’re Facebook and our job is to connect the world, what else do we want to connect you to?”

Early reports indicate that the feature is a fairly unobtrusive notification at the top of users’ News Feeds that offers them the option to click into it to find out more about a well-known nearby location. Even though the feature can’t post to your page and won’t show your friends where you are, the fact that Facebook can analyze data to figure out your exact location will likely put off some users. Thankfully, you can easily opt out of the feature. Simply go to “Settings,” then “Location,” and then “Place Tip Settings.” You can then turn the feature on and off. You can also turn off your location services for your entire phone under “Settings,” too.

Another excellent leadership article

http://www.johnmaxwell.com/blog/what-should-be-the-legacy-of-a-successful-leader

QUOTE: Legacies that matter are connected with people. A hundred years from now all that will matter is the people that you connected with in such a way that you added value and meaning to their lives. Political commentator Walter Lippmann said, “The final test of a leader is that he leaves behind in others the conviction and will to carry on.” Ultimately, if your people can’t do it without you, you haven’t been successful in raising up other leaders.

I believe the greatest legacy a leader can leave is having developed other leaders. Develop them as widely and as deeply as you can. I’ve spent more than thirty years teaching leadership to leaders from every walk of life and nearly a hundred countries. My organizations have trained millions of leaders in nearly every country. In the last few years, I’ve begun to personally invest in coaches and speakers who are actively teaching to others the values and principles I embrace. And I’m investing deeply in a handful of leaders in my inner circle.

RansomeWeb is a new malicious treat that encrypts and holds vulnerable websites hostage via sophisticated targeted attacks.

https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html

QUOTE: More and more people become victims of ransomware, a malware that encrypts your data and demands money to decrypt them. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.

In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. Web application in question was pretty simple and small, but very important for business of the company that could not afford to suspend it, neither to announce its compromise.

Key research on how this new attack works:

1. The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users.

2. Only the most critical fields of the database tables were encrypted (probably not to impact web application performance a lot). All previously existing database records were encrypted accordingly.

3. Encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).

4. During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database.

5. At the day X, hackers removed the key from the remote server. Database became unusable, website went out of service, and hackers demanded a ransom for the encryption key

PC Magazine offers excellent advice and safely tips for the coming year: 

http://securitywatch.pcmag.com/security/330797-new-year-s-resolutions-for-better-security-in-2015

Before looking at my 2015 resolutions, I took a look at the list from 2014 to figure out how well I stuck to my goals. For my password I security, I resolved to use strong and complex passwords for everything, to adopt two-factor authentication where available, and to turn on protective features for mobile devices and networking gear. For networking security, I promised to download and install updates when they are ready and to run security software and tools. For my data security, I decided to encrypt my data while in transit as well as on my hard drive, and to back up data files regularly. And finally, I pledged to be careful about what kind of information I post online on social media platforms and what I save on cloud services.

I know where I have to improve, but I also have some promises for 2015. First of all, I will delete software and apps I am not using. There is no need to keep software on my machine which are outdated or vulnerable. This ties into my second goal—to audit myself so that I know what I have. Experts regularly advise businesses to make sure they know what machines are on the network, what kind of software is on each one, and to understand who has access to them. Why shouldn’t I do the same for my personal devices?

Features, performance, design and other factors were evaluted recently in this PC Magazine article:

http://www.pcmag.com/article2/0,2817,2365692,00.asp

In the biggest shakeup in the browser industry since Microsoft was forced to uncouple Internet Explorer from Windows, Google’s Chrome burst on the scene in 2008, forcing new standards in browser speed, streamlined design, and rapidly iterating software, forcing all the other players to overhaul their own sluggish software as they played catch up to the nimble newcomer. Chrome spent several years as PCMag Editor’s Choice, but it’s been surpassed in speed and features, and it has sunk to a three-way tie for second place as former favorite Firefox has reasserted its lead. With a beautifully redesigned interface, excellent performance, thrifty memory use, helpful browsing tools, and leading customizability, the independent open-source browser has reclaimed PCMag.com’s Editors’ Choice for browsers.

While Firefox is our favorite browser of the moment, there are still other excellent choices that, depending on your priorities, will server your Web browsing needs admirably, including Internet Explorer, Opera, and Maxthon. All of the browsers now provide more-than-adequate support for the new HTML5 standard for website coding—even Internet Explorer has been acknowledged by Google as now being among the ranks of “modern” Web browsers. The search kingpin did this when it withdrew its Chrome Frame product, which inserted Chrome’s page renderer inside IE.

During January, the Internet Storm Center declared a yellow alert to highlight the importance of updating Adobe Flash Player. Users should use a PATCH NOW approach to ensure they are up-to-date

http://helpx.adobe.com/security.html

https://isc.sans.edu/forums/diary/Infocon+change+to+yellow+for+Adobe+Flash+issues/19227/

We have decided to change the Infocon to yellow in order to bring attention to the multiple recent Adobe Flash Player vulnerabilities that are being actively exploited. There have been patched vulnerabilities that have an update and applying them is highly recommended. 1 of the vulnerabilities has not yet been patched, and is expected to be released as an OOB (Out of Band) next week by Adobe 3.

Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.

Independent software testing firm AV-Comparative shares their study as follows:

http://securitywatch.pcmag.com/security-software/331532-av-comparatives-names-product-of-the-year-for-2014

An antivirus testing researchers’ work is never done. As soon as the research team finishes and report on one series of tests, it’s time to start another. Once a year, though, the team at AV-Comparatives takes a moment to sit back, review the previous year’s results, and name a Product of the Year. They also flag other products for overall outstanding achievement, specifically for excellent results in specific test areas. 2014’s product of the year is Bitdefender Internet Security 2015.

That’s not to say Bitdefender totally outperformed all of the other products tested by AV-Comparatives. In fact, there was a tie for the top spot, as Kaspersky Internet Security (2015) scored just as well as Bitdefender. In a case like that, the honor goes to whichever product had not won before, or, as in this case, the product that hadn’t won as recently. With Kaspersky, AVG, Avira, Emsisoft, F-secure, and Fortinet also made the cut-off for top rated products.

Multiple zero day and other attacks led to expedient patching by Adobe to improve Flash security.  All home and corporate users should update and ensure they are on latest builds.  Abobe Flash often detects security updates and prompts users to install them.  Additional details regarding these releases are noted below

http://helpx.adobe.com/security.html

Bulletins and Advisories from this month
APSB15-03 Security updates available for Adobe Flash Player 1/27/2015 1/27/2015
APSA15-01 Security Advisory for Adobe Flash Player 1/22/2015 1/24/2015
APSB15-02 Security updates available for Adobe Flash Player 1/22/2015 1/22/2015
APSB15-01 Security updates available for Adobe Flash Player

Marriott quickly strengthened controls after discovery of a security design weaknesses in an Android based application.

http://www.tripwire.com/state-of-security/security-data-protection/marriott-web-services-flaw/

The issue, patched last week, made it simple for attackers to access the reservation and personal details of Marriott customers via its web services, exposing check-in dates, victims’ last names, and victims’ contact information including physical address, email address and partial payment card data.

It turned out that Marriott’s Android app didn’t need to use any authentication to query Marriott’s web services for reservation information. All it required was a Membership ID. Which meant that if Westergren, or someone malicious, wanted to access the details of many Marriott Rewards members all he would have to do is change the Membership ID data being used to query the web server.