Patch Tuesday Blog – Cyber Security Updates

Posted on: 20 May 2015

As many of you may be aware, the second Tuesday of the month is Microsoft’s ‘Security Patch Tuesday’ *

This also seemed like a good opportunity to share security updates, briefings and articles at the same time as ‘Patch Tuesday’, as part of my new monthly ‘Cyber Security’ blog. Just like Microsoft, though, if there are urgent messages these will be sent out as required rather than held back for the monthly blog.

I’ll use the blog to provide a mix of advice and guidance on how to use the online world safely and securely, for both work and personal use, covering IT security and data / information security.

I hope you will find them interesting and informative and I would welcome any feedback you may have.

* A monthly window in which Microsoft releases security patches and updates for its products, although critical patches are sometimes released outside it. If you have a personal machine running Microsoft products, look out for the update icon on the second Tuesday of the month and install the updates. If you are unsure of the status of security patching on your Windows machine, check Windows Update.
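For readers who want a quicker answer than clicking through Windows Update, the following PowerShell script is an added example (not part of the original post) that lists the most recently installed updates and then asks the Windows Update Agent which applicable updates are still missing. It uses only built-in cmdlets and the standard Microsoft.Update.Session COM object; the machine needs network access to its configured update source (Microsoft Update or a corporate WSUS server) for the search to succeed.

```powershell
# Added example: report installed and pending Windows updates on this machine.
# Run in Windows PowerShell on the machine you want to check.

# Last five updates applied, newest first. Get-HotFix reads the same records
# that "View update history" shows in Settings / Control Panel.
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# Ask the Windows Update Agent what is applicable but not yet installed.
# This is the same engine Windows Update itself uses, so the answer matches
# what the update icon would tell you.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$pending = foreach ($update in $result.Updates) {
    [pscustomobject]@{
        Title    = $update.Title
        Severity = $update.MsrcSeverity              # Critical / Important / ...; empty for non-security updates
        KB       = (@($update.KBArticleIDs) -join ',')
    }
}

if (@($pending).Count -eq 0) {
    "No applicable updates are pending; this machine is current."
} else {
    "Pending updates:"
    $pending | Sort-Object -Property Severity | Format-Table -AutoSize
}
```

An empty pending list is only meaningful if the search actually reached the update source; a machine that cannot contact Microsoft Update or WSUS will report nothing pending while still being out of date, so treat a network or COM error from the `Search` call as "status unknown", not as "patched".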

This month:-

Cyber hacking – A brief history.

Extract from an interview with Chris Ensor, deputy director for the National Technical Authority for Information Assurance at GCHQ, Britain’s communications intelligence agency

One of the first well-documented computer intrusions dates from 1986, and there have been a great many since. Clifford Stoll, an astronomer working as a systems administrator at the Lawrence Berkeley National Laboratory in California, could not explain a 75-cent discrepancy between two sets of computer accounting records. In unravelling the mystery he eventually discovered that West German hackers, paid by the KGB, were breaking into the lab’s computers and using them as a stepping stone to steal information from the military networks reachable through them.

“That was nearly 30 years ago, and very little has changed,” said Chris Ensor. He explained that while computing has vastly improved, the underlying principles of cyber-hacking are the same as they were back then.

In the first stage of a cyber-attack, the hacker hunts for a weakness in your IT. “They’re looking for holes,” be that in your software, hardware or connection.

“Once they find a potential way in, they’re thinking about delivery,” he continued. “I can connect to your computer and start using your computer without you knowing – by sending an email, PDF, Word document or spreadsheet, and inside that document there’s a way of exploiting a particular vulnerability in your system.” Indeed, “you may be pulling your hair out if you haven’t got USB access at work, but the reason you haven’t is because that’s a way of getting into your system.”

In the exploitation phase, hackers seek to take over your ability to control and access information, so they lay the groundwork by deploying software that collects your passwords as you type them. Once it gets to that stage it is very difficult to spot, because the malware can use your own credentials to turn anti-spyware or anti-virus software off, preventing detection. As the private sector has found out to its cost, the aim is often to steal intellectual property.

Given these risks, it’s crucial that organisations and individuals install updates and “patches” designed to plug vulnerabilities. There is a booming black market in selling data about software’s weaknesses, Ensor noted: a hacker can earn up to $250,000 for information about a single hole in a piece of Apple software, for example. The key vulnerabilities used to be in operating systems, but in these days of auto-updating software, cyber-hackers are more likely to seek entry through applications instead.

Simple tips can often help, Ensor noted. For example, don’t use administrator accounts for day-to-day use, and instead set up a user account with limited powers – then, “if you’re compromised as a user, [a hacker is] limited on what [they] can do.”
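To put that tip into practice on a Windows machine, the script below is an added example (not part of the original post) that checks whether your current session is running with administrator rights, shows who holds full control of the machine, and creates a standard account for daily use. The account name `daily` and its description are assumptions for illustration; the `*-LocalUser` / `*-LocalGroupMember` cmdlets come with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 onward), and creating the account must be done from an elevated prompt.

```powershell
# Added example: check for administrator rights and set up a standard account.

# Is this PowerShell session running with an elevated (administrator) token?
# With UAC on, a member of Administrators still gets $false here unless the
# window was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged on as $($identity.Name); running elevated: $isAdmin"

# Who has full control of this machine? Anyone listed here can disable
# anti-virus, install drivers and read every user's files, so the list
# should be short and should not include the account you use every day.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Create a standard account for daily use (run once, elevated).
# New-LocalUser puts the new account in no group at all; adding it to 'Users'
# gives it a normal interactive logon without administrator rights.
$name = 'daily'   # assumed account name for the example
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $name"
    New-LocalUser -Name $name -Password $password -Description 'Standard account for day-to-day use' |
        Add-LocalGroupMember -Group 'Users'
}
```

After creating the account, log on as `daily` for everyday work and keep the administrator account for installing software and applying updates only; when an installer asks for elevation, UAC will prompt for the administrator credentials rather than silently granting them, which is exactly the limit on a compromised user session that Ensor describes.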

The day on which a software vulnerability is first found by a hacker, when it remains unknown to the rest of the world, is called a “zero day”, Ensor explained. “If you read about Stuxnet, for example – the thing that allegedly went out to stop Iranian [nuclear] enrichment – there were about four zero days, which is gold dust.” This time is so valuable because “nobody knows about them, there are no patches for them, so you can do a huge amount of things in a zero day.” It’s crucial, therefore, to keep software constantly updated.

It’s vital to prevent information being stolen, Ensor argued, because these days “information is all-powerful”. Indeed, critical infrastructure is so IT-dependent and so interconnected – taking down the telecoms network could take down the electricity network, and vice versa – that our vulnerabilities are as broad as they are deep. The principles of cyber-hacking may not have changed much since the late 1980s, but the work of preventing it is becoming ever more important.

Graeme Wolfe

Information Security Officer

12/05/2015