Archive for February 24th, 2016

Malware – MouseJack wireless mouse and keyboard vulnerabilities

This new proof-of-concept attack requires the attacker to be physically near vulnerable workstations and the workstation to not be password protected while the user is physically away. While there are impracticalities for most attacks, this may provide conduits to inject malware into a system to weaken other security controls.

Countless wireless mice and keyboards can be hacked from 100 yards away leaving their host machines and the networks they are attached to open to malware, Bastille has discovered.  The problem, which is being called MouseJack, affects Amazon, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft products, the company says, and likely more vendors’ gear that they haven’t tested. Logitech alone shipped its billionth mouse in 2008, so the problem is widespread.

The weakness lies in the protocols used between the devices and the USB wireless receivers attached to host computers, says Mark Newlin, the Bastille researcher who discovered the problem. They are unencrypted, leaving the devices susceptible to keystroke injection attacks.

That can be done from a remote computer equipped with an off-the-shelf USB wireless dongle sending keystrokes, he says. He says it took between days and weeks to reverse-engineer the protocols himself so he could send the keystrokes.

The remote machine can be 100 yards away as long as it has direct line-of-sight with the target. That distance could be increased considerably by adding an auxiliary antenna, he says. Users of the machines would have to be away from them and logged in for the attack to work. If they were there they’d see the attack strokes being entered.

Dell notes that if customers use a password on their login screens and don’t walk away from their computers while logged in, the attack won’t work unless the attacker can break the password.

Security Standards – PCI DSS 3.2 update for mid-2016

PCI DSS 3.2 will be an incremental rather than a major standards update when it is released in mid-2016.

The PCI Security Standards Council announced it will publish a new version of the PCI Data Security Standard sometime in either March or April, and PCI DSS 3.2 will be the only release for the year.  The aim, according to the council, is to release early and include long sunrise dates in order to allow organizations more time to deal with changes related to the EMV (Europay, MasterCard and Visa) chip rollout.

“First, we must address the revised migration dates away from SSL and early TLS [Transport Layer Security],” Leach said. “Second, the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.”

Organizations should be aware that PCI DSS 3.2 will become effective immediately when it is released, and version 3.1 will be retired a short three months later. This means any PCI DSS 3.1 assessments in progress would need to be completed by either June or July, depending on when version 3.2 is published.

Leadership – 2016 Secrets for Success RELATIONSHIPS

John Maxwell is sharing a new weekly series during 2016 called the “Secrets for Success”. The third week focuses on building relationships with team members and other key stakeholders.

Welcome to week three of my Secrets of Success blog series. If this is your first time reading, I won’t keep you in suspense: the secret of success is determined by your daily agenda. That means the key to your long-term success is found in your daily short-term decisions. When you choose to make wise decisions in key areas each day, you experience significant growth over time. That growth is what fuels your success.

Because it matters so much, I want to share four simple actions you can do each day, with everyone from your spouse to your kids to your co-workers. Hey – you can even do these four things with perfect strangers! If you want to transform all of your significant relationships for the better, you need to:

1. Listen – spend time trying to understand the perspective of others. Don’t rush to talk or solve problems; give them your full attention, your open mind, and your reservation of judgment.

2. Encourage – ask questions that draw out the opinions of others. What do they care about? What do they see? Why do they think or feel the way they do? Good questions help you uncover great insights.

3. Reason – carefully think through your response. You want to consider how the other person will react to your ideas. Don’t just rush to get an answer out; take time to reason through your ideas.

4. Respond – share your ideas with the other person, making sure to include your reasoning and how you took the other person’s ideas into account. Follow up with any action you propose.