We reported a while back that a security vulnerability had been discovered in some Hewlett-Packard LaserJet printers that could expose them to unauthorized access, although HP said there had been no real-world cases of such access. The problem was that the software that accepts updates over the Internet doesn't verify the authenticity of those updates, so an attacker could push a malicious firmware image and the printer would apply it. HP was even sued over this issue.
Now the company has released a new firmware version that it says will “mitigate” the issue, although it doesn't claim to be a full-blown fix. HP still recommends that you take steps such as placing the printers behind firewalls and disabling remote firmware uploads to prevent an attack that exploits this weakness.
Read more:
http://news.cnet.com/8301-1009_3-57347817-83/hp-fi...3-0-20
US-CERT has released a report on a vulnerability in Wi-Fi Protected Setup (WPS), a feature that makes it easier to set up wireless networks and devices but which, it turns out, can also expose them to the risk of an attacker gaining full access to the network by brute-forcing the WPS PIN. The PIN is only eight digits, the last of which is a checksum, and the access point reveals whether each half is correct separately, so the attacker needs at most about 11,000 guesses rather than 100 million.
WPS is a feature on many of today's wireless devices, so researchers say millions of devices could be affected and it could take a long time to fix them all. Meanwhile, the solution is simple: disable WPS (and confirm afterwards that the router really stopped answering WPS requests; some firmware of the period kept the PIN registrar active regardless of the setting).
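To make the brute-force figure concrete, here is an added example (written for this page, not code from the US-CERT report or the SANS diary) that computes the WPS PIN checksum and recovers a PIN from a simulated registrar that, like a vulnerable access point, reports a wrong first half before the second half is ever sent. The registrar class and the target PINs are constructed for the example; nothing is sent over the air.

```python
"""Why an eight-digit WPS PIN falls to brute force (added example).

Facts the example relies on: a WPS PIN is eight decimal digits; the eighth is a
checksum of the first seven; and the enrollee proves the PIN in two halves
(digits 1-4 in message M4, digits 5-8 in message M6). An access point that
answers a wrong first half with a NACK before the second half is sent leaks
which half failed, so the search shrinks from 10^8 to 10^4 + 10^3 = 11,000.
SimulatedRegistrar is a constructed stand-in for such an access point."""

SPLIT_SEARCH_SPACE = 10**4 + 10**3   # worst case against a vulnerable AP
NAIVE_SEARCH_SPACE = 10**8           # what an 8-digit PIN looks like on paper


def wps_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit prefix (the algorithm hostapd uses): digits
    are weighted 3,1,3,1,... from the right and the check digit brings the
    weighted sum to a multiple of 10."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when `pin` is eight digits whose last digit is the right checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


class SimulatedRegistrar:
    """Constructed stand-in for a vulnerable access point. It checks the first
    half (M4) and the second half (M6) separately and, like a vulnerable AP,
    reports a first-half failure immediately."""

    def __init__(self, pin: str) -> None:
        if not wps_pin_valid(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0   # one M4 or M6 exchange each

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def check_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[4:]


def brute_force_pin(reg: SimulatedRegistrar) -> str:
    """Recover the PIN from a registrar that leaks per-half results: at most
    10,000 guesses for the first half, then at most 1,000 for the second,
    because its last digit is fixed by the checksum."""
    for i in range(10_000):
        first = f"{i:04d}"
        if reg.check_first_half(first):
            break
    else:
        raise RuntimeError("first half not found")
    for j in range(1_000):
        prefix = first + f"{j:03d}"                   # seven known digits
        second = prefix[4:] + str(wps_checksum(int(prefix)))
        if reg.check_second_half(second):
            return first + second
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    target = SimulatedRegistrar("12345670")           # constructed target PIN
    recovered = brute_force_pin(target)
    print(recovered, "recovered after", target.attempts, "exchanges;",
          "worst case", SPLIT_SEARCH_SPACE, "vs", NAIVE_SEARCH_SPACE, "naive")
```

Disabling WPS removes the PIN registrar entirely. A lockout after a few failed attempts, which later firmware added, slows the attack down but does not change the 11,000-guess search space, which is why the recommendation is to turn the feature off rather than rely on throttling.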
Read more here:
http://isc.sans.edu/diary.html?storyid=12292&rss
It’s the nightmare scenario that every business fears: having your systems hacked and data stolen. It’s bad enough if it’s the company’s own sensitive information, such as trade secrets. But it can be even worse when it’s your customers’ data – especially credit card information – that’s exposed. Thousands of angry victims of identity theft who no longer trust doing business with you can ruin a reputation fast.
That's what happened to Subway sandwich shops all over the U.S., where customers' credit card data had been siphoned off from the restaurants' point-of-sale systems over a period of years, going back at least to 2008. An estimated $3 million in fraudulent charges was the result. Experts say this is the “crime of the future,” so any business that accepts credit card payments needs to be aware of the risk and how to protect against it.
http://arstechnica.com/business/news/2011/12/how-h...ty.ars
Developers, developers, developers – they're the ones who create the software that makes our computers do such amazing things, but they're also the ones who (almost always unknowingly) build in the vulnerabilities that attackers use to compromise our systems, bring down our networks and steal our data. Traditionally, developers haven't been security specialists; they're focused on making things work, not on the possibility that their code will be misused. Despite efforts such as the “Secure by Design” objective of Microsoft's Trustworthy Computing initiative, exploitable vulnerabilities still sneak into almost every program. This article looks at the Top 25 Flaws Developers Blindly Build Into Applications.
http://mobile.eweek.com/c/a/Security/Software-Secu...07092/
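The flaw at the top of that list in 2011, CWE-89 SQL injection, is the kind of thing a developer builds in without noticing. As an added illustration (written for this page, not code from the eWeek article), here is the vulnerable login query beside its parameterized form, run against a constructed in-memory SQLite table so the bypass can be seen rather than described.

```python
"""CWE-89 SQL injection: vulnerable query beside the parameterized fix
(added example; the users table and credentials are constructed in memory).
Passwords are stored in plaintext only to keep the example short; real code
stores a salted hash."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The flaw: user-controlled text is pasted into the SQL, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = (f"SELECT 1 FROM users WHERE name = '{user}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The fix: placeholders. The driver binds the values as data, so they can
    never change the shape of the statement."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # "alice' --" closes the literal and comments out the password check.
    print("vulnerable, no password:", login_vulnerable(db, "alice' --", "x"))
    print("safe, same input:      ", login_safe(db, "alice' --", "x"))
    # The classic tautology turns the WHERE clause true for every row.
    print("vulnerable, tautology: ", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("safe, same input:      ", login_safe(db, "nobody", "' OR '1'='1"))
```

Escaping the quotes by hand is the tempting half-fix; it is fragile across encodings and database dialects, whereas binding parameters removes the problem class outright, which is why the Top 25 guidance for CWE-89 leads with prepared statements.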
Sometimes it seems as though cybersecurity is a little bit like the weather: everybody talks about it but nobody does anything about it. We might not be able to do much about the weather (although with some of today’s technology, that’s probably not as true as it once was) but we can do something to make our infrastructures more secure, and we even know what those somethings are. But doing something requires getting serious about the subject. This series of “litmus test” questions measures whether we’re really serious about cybersecurity; read them and see what you think.
http://gcn.com/articles/2012/01/16/daconta-cyberse...px?m=1
Kerberos authentication, Microsoft style, was introduced in Windows 2000 and has been an important part of Active Directory ever since. Kerberos is used to authenticate the identity of users and machines, and is based on the concept of “tickets” that are issued and then used to authenticate with various servers. This Kerberos Survival Guide on the TechNet Wiki contains everything from Kerberos 101 to deployment, configuration and troubleshooting resources, as well as specialized subjects such as Kerberos for Microsoft BI. Check it out if you want to know all things Kerberos:
http://social.technet.microsoft.com/wiki/contents/...mation
Your organization may have already looked into cloud computing and ascertained that there are cost benefits, but if you’re in a regulated industry such as the health care field, you have to worry about security. HIPAA requirements mandate that you protect health information, so any cloud solution that you consider must be able to meet those security requirements. Office 365 specifically addresses compliance with business associate HIPAA requirements, so if you’re interested in finding out more, this post contains the link to a white paper that discusses the specific data protection policies, procedures and tools that are integrated into Office 365:
http://blogs.technet.com/b/microsoft_in_education/...y.aspx
Sure, you probably already know about the Microsoft Malicious Software Removal Tool (MSRT) and security utilities such as Windows Defender and Microsoft Security Essentials. But Microsoft offers a plethora of other free tools that you might not be aware of, such as the Microsoft Security Compliance Manager 2 (SCM 2) and more. This post summarizes the functions of a number of these tools and provides links to the web sites where you can find out more and download each one.
http://blogs.technet.com/b/nzps/archive/2011/12/19...t.aspx
If you have computers on your network that have both wireless and wired Ethernet connections enabled, you might think you need to disable the wi-fi adapter for security purposes – but is this really an issue? Michael Platts addresses that question – along with other considerations regarding disabling wireless networking in such a scenario – in this interesting TechNet blog post:
http://blogs.technet.com/b/networking/archive/2011...k.aspx
Adobe's Flash products are notorious for the frequency with which exploits are discovered, and another vulnerability has been found in the Windows and Mac versions of Flash Player that lets an attacker crash programs or, worse, take control of the system. This is similar to the recent vulnerability in Acrobat and Reader. The problem was discovered by Russian security researchers, and the exploit is able to bypass DEP and ASLR. Find out more:
http://reviews.cnet.com/8301-13727_7-57340665-263/...3-0-20