Adobe released a security update to address a vulnerability that may allow a remote attacker to obtain sensitive information from an affected system, said an alert from the U.S. Computer Emergency Readiness Team Tuesday. The security updates are for LiveCycle Data Services versions 4.7, 4.6.2, 4.5 and 3.0x, the alert said. Microsoft also released a critical security update to address a vulnerability in Internet Explorer, said a U.S. Computer Emergency Readiness Team alert Wednesday. Exploitation of the vulnerability could allow a remote attacker to take control of an affected system if the user viewed a specially crafted webpage, it said.
Most people haven't installed security software on personal devices, strengthened their Wi-Fi passwords or changed their passwords more frequently, despite the recent increase in reported cyberattacks, said a national survey by Wakefield Research, commissioned by Citrix. The July 6-13 survey of more than 1,000 U.S. adults was done online and by email invitation.
CTIA asked the FCC to reconsider two “discrete” aspects of updated Lifeline program rules approved in June (see 1506180029). CTIA asked the FCC to reconsider declarations that Section 222(a) of the Communications Act “imposes a duty of confidentiality upon carriers, other than with respect to Customer Proprietary Network Information” and that Section 201(b) “imposes a duty upon carriers to implement data security measures.” The petition for partial reconsideration “seeks reconsideration solely with respect to the scope of the Commission’s authority under those two subsections of the Communications Act,” CTIA said Thursday. “CTIA’s member companies protect the privacy and security of wireless consumer information because consumers deserve and expect it,” General Counsel Tom Power said in a statement. “Members also abide by a wide array of state and federal privacy regulations. But in attempting to craft new data security rules specific to the Lifeline program, the FCC relied on the wrong laws to create additional regulation not authorized by Congress. The FCC’s fractured approach to data security is why CTIA supports even-handed regulation focused on the nature of the information, not the identity of the company holding it.”
The federal government should do more to coordinate federal employees’ participation in the development of international cybersecurity standards, said the National Institute of Standards and Technology-led International Cybersecurity Standards Working Group (ICSWG) in a draft report. The working group released the report to comply with the 2014 Cybersecurity Enhancement Act, which in part required NIST to coordinate with other federal agencies on cybersecurity standards development (see 1412120066). Improving U.S. government employees’ participation in international cybersecurity standards development will advance U.S. cybersecurity interests and the resiliency of U.S. critical infrastructure, said the draft report, which was released Tuesday. The U.S. cybersecurity standards system relies on private sector-run standards development organizations, in contrast to the government-driven standards bodies of other nations, the working group said. U.S. objectives in developing international cybersecurity standards include ensuring that the federal government’s own standards and assessment tools are technically sound, along with enhancing U.S. national and economic security, ICSWG said.
BlackBerry joined the National Cyber Security Alliance as a board member, the group said in a Wednesday announcement. The alliance described itself as a nonprofit public-private partnership focused on helping “digital citizens stay safer and more secure online.” Consumers and businesses “increasingly rely on mobile technology, but they may not fully understand the security and privacy considerations that come with untethered, unlimited access to information," the alliance said. BlackBerry brings a “unique perspective” to the alliance, it said. Other tech companies that sit on the alliance board include AT&T, Comcast, Facebook, Google, Intel, Microsoft, Symantec and Verizon, it said.
Symantec fears ransomware could soon make an “evolutionary jump” to infect wearables, the Internet security company said in a Thursday blog post. Ransomware “has emerged as one of the most troublesome malware categories of our time,” it said. “The threat is known for locking computers or encrypting files to trick users into handing over their money.” Ransomware is a global threat, and “with the increasing spread of connected devices,” such as smartwatches and IoT products, “ransomware may be on the cusp of another evolutionary jump forward,” it said. Symantec research has found “it would not be difficult for current-generation ransomware to make the leap from mobile phones to wearable devices such as smartwatches,” it said. “So far, we have not seen any ransomware in the wild specifically designed to target smartwatches but this situation could easily change.”
The Mozilla Foundation released security updates to address a critical vulnerability in the built-in PDF Viewer for Firefox and Firefox ESR, the U.S. Computer Emergency Readiness Team said in an alert Thursday. U.S.-CERT said that exploiting the vulnerability may allow attackers to read and steal sensitive local files from the victim’s computer. Updated Firefox builds are available, and U.S.-CERT recommends users and administrators apply the necessary updates.
Passwords saved in Microsoft’s Group Policy Preferences may still be stored insecurely where Microsoft Security Bulletin MS14-025 was applied incompletely, the U.S. Computer Emergency Readiness Team said in an alert Friday. The update stops new passwords from being saved to preferences but doesn’t remove those already present, so if administrators haven’t cleared previously stored passwords, the system may be vulnerable to exploitation, U.S.-CERT said. Attackers “may decrypt these passwords and use them to gain escalated privileges,” the alert said. U.S.-CERT recommends administrators run the PowerShell script provided in Microsoft Knowledge Base Article 2962486 and follow its instructions to clear all “CPassword” preferences.
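As an added example (it is neither the KB 2962486 script nor part of the U.S.-CERT alert), the following PowerShell audits SYSVOL for preference files that still carry a cpassword attribute, so an administrator can see which GPOs need their CPassword items removed before treating MS14-025 as done. The “decrypt” in the alert needs no secret: the AES key Group Policy Preferences uses is published in Microsoft’s own documentation, so any domain user who can read SYSVOL can recover these passwords. The domain name, the standard SYSVOL layout and the set of preference file names are assumptions drawn from the GPP file format rather than from the alert.

```powershell
# Added example: audit SYSVOL for Group Policy Preferences items that still
# carry a cpassword attribute. MS14-025 blocks new passwords from being saved
# but leaves existing ones in place, which is what this scan reports.
# Assumptions (not from the alert): the domain name, the standard SYSVOL
# layout \\<domain>\SYSVOL\<domain>\Policies, and read access to it.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # e.g. "corp.example.com"; placeholder
)

# GPP item types whose Properties element may hold a cpassword attribute.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$policies = "\\$Domain\SYSVOL\$Domain\Policies"

# Return the first non-empty attribute from a list; item types name the
# account attribute differently (userName, accountName, runAs, ...).
function Get-FirstAttr([System.Xml.XmlElement]$el, [string[]]$names) {
    foreach ($n in $names) {
        $v = $el.GetAttribute($n)
        if ($v) { return $v }
    }
    return ''
}

$findings = Get-ChildItem -Path $policies -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        # Any element with a non-empty cpassword attribute is a stored credential.
        foreach ($props in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            $rel = $file.FullName.Substring($policies.Length).TrimStart('\')
            [pscustomobject]@{
                GpoGuid = $rel.Split('\')[0]          # {GUID} directory of the GPO
                Scope   = $rel.Split('\')[1]          # Machine or User
                Item    = $props.ParentNode.LocalName # User, NTService, Task, Drive, ...
                Account = Get-FirstAttr $props @('userName', 'accountName', 'runAs', 'username')
                Changed = $props.ParentNode.GetAttribute('changed')
                File    = $file.FullName
            }
        }
    }

if (-not $findings) {
    "No cpassword entries found under $policies"
    return
}

$findings | Format-Table GpoGuid, Scope, Item, Account, Changed -AutoSize

# Map GUIDs to GPO display names when the GroupPolicy module is available,
# so each finding can be opened in GPMC and the CPassword item removed.
if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
    $findings.GpoGuid | Sort-Object -Unique | ForEach-Object {
        try   { "$_ -> $((Get-GPO -Guid $_.Trim('{}') -Domain $Domain).DisplayName)" }
        catch { "$_ -> (GPO not resolvable)" }
    }
}
```

Run it from a domain-joined host as an ordinary domain user; if it finds anything, that same access level is all an attacker needed. Clearing the CPassword items only stops further exposure: the passwords already pushed to endpoints are unchanged, so the affected local accounts should also be rotated on the assumption that anyone who could read SYSVOL has them.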
In 2015 more organizations will deal with more security incidents that will lead to an increase in data breaches, ID Experts predicted in December. “Unfortunately, our predictions were very much on target, as 2015 is already the year of the data breach,” ID Experts President Rick Kam wrote in a post Friday: “As companies pay more attention to data breaches, there will be a positive movement toward exchanging lessons learned and best practices.” Kam predicted the rate of data incidents and breaches -- especially in healthcare -- will rise dramatically during the second half of 2015; cross-industry sharing of threats and best practices will increase; and involvement by boards of directors in data privacy and security will increase. A 2015 Mandiant report said it takes an average of 205 days to detect a malware breach, Kam said. As more organizations hire forensic specialists to look for breaches, more breaches will be found, he said. As chip-and-pin security technology is enabled on credit cards, criminals will increasingly target healthcare fraud and identity theft, he said. The public also will start to see the impact criminal exploitation has on healthcare payers like Medicare, Medicaid and private insurers, he said, and attacks will spread to more industries. Attacks on the energy sector may be next, because “state-sponsored attacks will go wherever there’s valuable data to be found,” Kam said.
WordPress released version 4.2.4 after discovery of vulnerabilities in WordPress 4.2.3 and prior versions that could allow a remote attacker to take control of an affected website, the U.S. Computer Emergency Readiness Team said in an alert Tuesday.