
Posts

Showing posts from January, 2015

Java Updates Fix Security Holes

This quarter's Java patch fixes 19 security vulnerabilities in both Java 7 and Java 8. Also of note, Oracle will use the auto-updater feature in Java 7 to automatically migrate users to Java 8. Those of you who have or run applications reliant on a particular version of Java 7 should make sure to stop the update until you have updated your software to run with the current version of Java. This will be a definite headache, especially if your company uses software from a vendor whose product runs on Java 7. Basically, you are at the mercy of the vendor and your users.

In any right, patch that cup of joe!

Source: http://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/
Oracle Release Notes: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Keurig K-Cup 2.0 Spoofing Hack

This hack allows the user to brew any coffee pod, not just the ones with the Keurig branding on them. Evidently, if someone tries to brew coffee other than a K-Cup coffee pod, they will get the error message, "Oops, this pack was not designed for this brewer ...", well that's just not cool. So, there is a camera in the 2.0 model that scans for a specific label before running water through the pod. If you want to use a different brand, it is actually pretty simple to get around the camera thing.

Steps to completing the hack:

Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an "…

How a $10 USB Charger Can Record Your Keystrokes Over the Air | Threatpost | The first stop for security news


This little device seems pretty cool. After watching the short video, it wouldn't take much to build one of these devices. The author has made all of the information available to the public, including source code, hardware needed, and a lot of cool pictures documenting the whole process.

New Data Breach Legislation

Today President Obama proposed the formation of a national data breach notification standard. The standard will cover the private sector, making it easier for law enforcement to track cyber criminals selling stolen financial information overseas, as well as the public school system, as more and more educational material is being hosted on the Internet. The President wants to be sure that the information presented to students is being used to educate them, not to market to them. There should be a better, faster way to notify individuals of their data being leaked across the Web. Organizations falling victim to a data breach will have a 30-day window to notify all affected.

"Consumers have the right to know!" - Barack Obama

Update: 01.15.2015 - On the same day, Central Command's Twitter and YouTube accounts were hacked by individuals claiming to be with the ISIS group. Photos were posted appearing to contain information relating to place of residence for retired militar…

No More Microsoft Advanced Notification Services

Starting in 2015, Microsoft will stop providing Advance Notification Service (ANS) alerts for Patch Tuesday to non-premium users, because they feel that fewer and fewer organizations are reliant on the service. Full blog release here. People are turning to Microsoft Updater, Microsoft Auto Server Updater, and other avenues for their patch information. Microsoft says that for any premium members or organizations that are still a part of their security program, Microsoft will continue to deliver ANS content.

"We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page."

It should also be noted that this decision will apply to all emergency patch releases as well, those that do not happen on the planned Tuesday schedule. Meaning the general public will no…