This week we had several more reminders that our data is only as secure as we make it, because we sure can’t rely on others to secure our data for us. Plus, we talked about encryption as the only way to make sure your data isn’t being seen by snoops.
In security news, a new zero-day threat caused Microsoft to issue a security alert and a short-term fix for a vulnerability in Word that was being exploited in targeted attacks.
On the privacy front, meanwhile, Google and Microsoft were fighting back and forth about who has the most secure free webmail.
Word zero-day attacks
Attackers are actively exploiting a previously unknown vulnerability in Microsoft Word that could allow them to take over a victim’s PC.
Microsoft issued a temporary fix but not a complete security patch. Because there isn’t a permanent security patch for the bug yet, this threat is called a zero-day (i.e., defenders have had zero days in which a patch was available to apply).
Paul Ducklin, Sophos senior security analyst, writes at Naked Security that the new threat has the telltale signs of other advanced persistent threat (APT) attacks exploiting Microsoft Office document formats.
This sounds surprisingly like two existing, well-known Word exploits that have been widely used over the past few years.
Chester Wisniewski, Sophos senior security adviser, explained that these may be related attacks from the same criminal gang.
“All of them were discovered in almost an identical manner — used in a single attack against a single organization in the wild when they were zero-days,” Chet tells CSO Online.
This latest attack exploits a flaw in Word that is triggered when you open an RTF file in Word, or when Outlook (which uses Word to render messages) previews a Word document.
Duck offers four security tips in his article, including avoiding RTF files, turning off HTML rendering in Outlook, and making sure you update when Microsoft issues a permanent patch.
Get Duck’s security tips here at Naked Security.
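The two workarounds above (block RTF in Word, stop Outlook rendering rich content) are per-user Office settings, so an administrator will want a quick way to check whether they are actually in place on a machine. The read-only audit script below is an added example and is not code from Naked Security, Sophos, or Microsoft; it assumes the standard Office File Block values (`Security\FileBlock\RtfFiles`, `Security\FileBlock\OpenInProtectedView`) and the Outlook `Options\Mail\ReadAsPlain` value under `HKCU:\Software\Microsoft\Office\<version>`, and the version numbers 12.0, 14.0 and 15.0 for Office 2007, 2010 and 2013. It changes nothing; it only reports.

```powershell
# Added example (not from the article): audit whether RTF is blocked in Word and whether
# Outlook reads mail as plain text, for each per-user Office version that is present.
# Assumed registry locations (standard Office policy values, not taken from the article):
#   HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock\RtfFiles          (2 = open and save blocked)
#   HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock\OpenInProtectedView (0 = blocked files are not opened)
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail\ReadAsPlain           (1 = all mail shown as plain text)

$officeVersions = @{ '12.0' = 'Office 2007'; '14.0' = 'Office 2010'; '15.0' = 'Office 2013' }

function Get-OfficeDwordValue {
    # Returns the DWORD at $Path\$Name, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WordRtfMitigationStatus {
    # One status record per installed Office version for the current user.
    foreach ($ver in $officeVersions.Keys | Sort-Object) {
        $officeKey = "HKCU:\Software\Microsoft\Office\$ver"
        if (-not (Test-Path -Path "$officeKey\Word")) { continue }   # version not present for this user

        $fileBlock = "$officeKey\Word\Security\FileBlock"
        $rtfBlock  = Get-OfficeDwordValue -Path $fileBlock -Name 'RtfFiles'
        $protView  = Get-OfficeDwordValue -Path $fileBlock -Name 'OpenInProtectedView'
        $plainText = Get-OfficeDwordValue -Path "$officeKey\Outlook\Options\Mail" -Name 'ReadAsPlain'

        # RTF is only fully blocked when opening is blocked AND blocked files are not
        # quietly opened in Protected View instead.
        $rtfBlocked = ($rtfBlock -eq 2) -and ($protView -eq 0)

        [PSCustomObject]@{
            OfficeVersion        = $officeVersions[$ver]
            RtfFilesValue        = $rtfBlock
            OpenInProtectedView  = $protView
            RtfOpeningBlocked    = $rtfBlocked
            OutlookReadAsPlain   = ($plainText -eq 1)
        }
    }
}

# Print the audit as a table; nothing is modified.
Get-WordRtfMitigationStatus | Format-Table -AutoSize
```

Run it in the context of the user whose Office profile you are checking (the values live under HKCU, not HKLM). A row showing `RtfOpeningBlocked` as False means that user's Word will still open RTF files and the temporary fix has not taken effect for them.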
Gmail gets always-on HTTPS, but Microsoft and Google will still read your emails
Google announced recently that it is adding SSL encryption (HTTPS) to its Gmail service by default, without the option to turn it off. This is good news for data privacy, but it’s not a silver bullet for secure email.
As many people know, Google’s Gmail is only free because Google scans your emails to serve you keyword-related ads.
Microsoft has launched ads for its own free webmail service Outlook.com, previously called Hotmail, that criticize Google for its data mining.
But Microsoft is no privacy saint. The company was criticized recently for reading the Hotmail emails of an employee who they thought was leaking trade secrets.
Microsoft pointed out that its terms of service made the search of the employee’s private emails completely legal. But after it was criticized, Microsoft said it would impose some restraint on its searches.
Sophos Security Chet Chat #140: 26 March 2014
In this episode of our Chet Chat podcast, listen to our experts Chester Wisniewski and Paul Ducklin discuss the Word zero-day bug, Google Gmail and HTTPS, and Microsoft’s email spying; plus Mac security and the WhatsApp acquisition by Facebook and what it means for privacy.
NSA blowback hurting U.S. businesses?
As we find out more and more about how the National Security Agency (NSA) has been subverting data privacy for years with its covert surveillance programs, companies are growing worried about what it means for them.
Chester Wisniewski, Sophos senior security adviser, says companies around the world might not want to do business with U.S. companies unless the NSA can be reined in.
“The biggest concern that the people I talk to have is around the economic impact of foreign companies being willing to trust their American counterparts to buy services,” Chet says in an interview with Bloomberg TV.
SafeGuard Encryption for complete data protection
As we have seen again and again, encryption is essential in today’s environment. In a short video, we showed you how you can get the best encryption for security and performance, while also protecting data everywhere it resides.
Learn more about how the new SafeGuard Enterprise solves the major challenge of managing encryption across multiple platforms, devices, and cloud environments.
60 Second Security: Word zero-day, Snapchat blasted, MS-DOS released
Keep up with Sophos news
You can get all the latest Sophos related news right here. Sign up for our Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.