Wednesday Nov 18, 2015

PeopleTools CPU analysis and supported versions of PeopleTools (update for October 2015 CPU)

Questions often arise about which PeopleTools versions Critical Patch Updates have been published for, or whether a particular PeopleTools version is still supported.

The attached page shows the patch number for PeopleTools versions associated with a particular CPU publication. This information will help you decide which CPU to apply and when to consider upgrading to a more current release.

The link in "CPU Date" goes to the landing page for CPU advisories; the link in each individual date, e.g. Apr-10, goes to the advisory for that date.

The page also shows the CVEs addressed in the CPU, a synopsis of each issue and the Common Vulnerability Scoring System (CVSS) value.

To find more details on any CVE, simply replace the CVE number in the sample URL below.

Common Vulnerability Scoring System Version 2 Calculator

This page shows the components of the CVSS score

Example CVSS response policy

All the details in this page are available on My Oracle Support and public sites.

The RED column indicates the last patch for a PeopleTools version and effectively the last support date for that version.

Applications Unlimited support does NOT apply to PeopleTools versions.

Monday Nov 02, 2015

Cryptowall, USB's, emailed malware and "honor among thieves"

I'm sure many of you have heard recently of the rising prevalence of ransomware, particularly Cryptolock/Cryptowall and the growing prominence of walk-in Bitcoin exchanges and Buttonwood meetups.

CryptoWall is a case in point: it spreads mainly by infected email and by "found" or shared USB memory sticks.

What is CryptoWall?

The CryptoWall ransomware virus infiltrates users' operating systems via infected email messages and fake downloads (for example, rogue video players or fake Flash updates). After successful infiltration, this malicious program encrypts files stored on users' computers (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) and demands payment of a $500 ransom (in Bitcoins) to decrypt them. Cyber criminals responsible for releasing this rogue program ensure that it executes on all Windows versions (Windows XP, Windows Vista, Windows 7, and Windows 8). CryptoWall ransomware creates HELP_DECRYPT.PNG, HELP_DECRYPT.HTML and HELP_DECRYPT.TXT files within each folder containing the encrypted files.

"Note that at time of writing, there were no known tools capable of decrypting files encrypted by CryptoWall without paying the ransom." 12 September 2015 
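The HELP_DECRYPT.* ransom notes described above are the most visible host-side indicator, and finding every folder that holds one tells you which shares to isolate and which backup set to restore. The following PowerShell function is an added example, not code from the original post; the share paths in the usage line are placeholders.

```powershell
# Added example (not from the original post): walk one or more directory trees,
# collect the HELP_DECRYPT.* notes CryptoWall drops beside encrypted files, and
# report one row per affected folder. Paths are assumed/placeholder values.
function Find-CryptoWallNotes {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # e.g. 'D:\Shares\Finance' (assumed)
        [string[]]$NoteNames = @('HELP_DECRYPT.PNG', 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.TXT')
    )
    $hits = foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $NoteNames -contains $_.Name }
    }
    # Group by folder; the earliest note timestamp in a folder is a rough
    # marker of when encryption reached that location, which helps pick the
    # last clean backup.
    $hits | Group-Object DirectoryName | ForEach-Object {
        [pscustomobject]@{
            Folder    = $_.Name
            Notes     = ($_.Group.Name | Sort-Object -Unique) -join ','
            FirstSeen = ($_.Group.CreationTimeUtc | Sort-Object | Select-Object -First 1)
        }
    } | Sort-Object FirstSeen
}

# Usage (paths are placeholders): run from a clean admin workstation against
# the file shares, then disconnect the affected users before restoring.
Find-CryptoWallNotes -Path '\\fileserver\users', 'D:\Shares' | Format-Table -AutoSize
```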

There is generally no good business reason why typical corporate workstation/laptop users should:
- have local administrator access
- have enabled USB ports
- need to open office productivity tools documents containing macros

These features should be disabled.
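A quick way to verify the three points above on a Windows workstation is to read back the settings that enforce them. The following audit function is an added example, not from the original post; it assumes Office 2013 (registry version 15.0), that macros are controlled through the Office policy keys, that USB storage is blocked by disabling the USBSTOR driver (Start=4), and that Get-LocalGroupMember is available (Windows 10 / Server 2016 or later).

```powershell
# Added example (not from the original post): report whether a workstation has
# unexpected local administrators, USB mass storage disabled, and Office macros
# blocked by policy. Office version and the USBSTOR approach are assumptions.
function Test-WorkstationHardening {
    param([string]$OfficeVersion = '15.0')   # 15.0 = Office 2013 (assumed)

    # 1. Local administrators: anything beyond the built-in Administrator and
    #    the Domain Admins group should have a documented business reason.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    $extraAdmins = @($admins | Where-Object { $_ -notmatch '\\(Administrator|Domain Admins)$' })

    # 2. USB mass storage: Start=4 on the USBSTOR service keeps the driver from
    #    loading, so removable drives are not mounted even on a live port.
    $usbStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start

    # 3. Office macros: VBAWarnings=4 is "disable all without notification",
    #    checked per application that can carry macros.
    $macroState = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = (Get-ItemProperty $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ App = $app; MacrosBlocked = ($v -eq 4) }
    }

    [pscustomobject]@{
        UnexpectedLocalAdmins = $extraAdmins
        UsbStorageDisabled    = ($usbStart -eq 4)
        MacroPolicy           = $macroState
    }
}

Test-WorkstationHardening | Format-List
```

The function only reads settings; apply the corresponding Group Policy objects to change them rather than editing the registry on each machine.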

My "honor among thieves" statement relates to the tendency, as observed, that payment of the "ransom" in Bitcoins has been the only current successful way of retrieving the encrypted data/disks. The alternative is frequent backups.

Friday Oct 16, 2015

New PeopleTalk on Security

So it looks like I've gone mainstream!

I had the opportunity to have a talk with Marc Weintraub which has been posted on the PeopleSoft YouTube channel, here:

In this episode of PeopleSoft Talk, Marc talks with Greg Kelly about PeopleSoft security.

Don't forget to review the links in the associated My Oracle Support document:
My Oracle Support - Useful PeopleSoft Security Links: DocID 2060772.1


See other videos on the PeopleSoft channel


Friday Dec 19, 2014

Consumer Security for the season and Today's World

Just to go beyond my usual security sessions, I was asked recently to talk to a local business and consumer group about personal cyber security. Here is the document I used for the session; you might find some useful tips in it.

Protecting your online shopping experience

- check retailer returns policy

- use a credit card rather than debit card, or check the protection on the debit card

- use a temporary/disposable credit card e.g. ShopSafe from Bank of America

- use a low limit credit card - with protection, e.g. AMEX green card

- check your account for random small amount charges and charitable contributions

- set spending and "card not present" alerts

Protecting email

- don't use same passwords for business and personal accounts

- use a robust email service provider

- set junk/spam threshold in your email client

- only use web mail for low risk accounts (see Note below)

- don't click on links in the email, DON’T click on links in email – no matter who you think sent it

Protecting your computer

- if you depend on a computer/laptop/tablet for business, ONLY use it for business

- don't share your computer with anyone, including your children

- if you provide your children with a computer/laptop, refresh them from "recovery disks" on a periodic basis

- teach children value of backing up important data

- if possible have your children only use their laptops/devices in family rooms where the activity can be passively observed

- use commercial, paid subscription, antivirus/anti malware on all devices (see Note below)

- carry and use a security cable when traveling or away from your office

Protecting your smart phone/tablet

- don't share your device

- make sure you have a secure lock phrase/PIN and set the idle timeout

- don't recharge it using the USB port on someone else's laptop/computer

- ensure the public Wi-Fi which you use is a trusted Wi-Fi (also - see Note below)

- store your data in the cloud, preferably not (or not only) on the phone/tablet

- don't have the device "remember" your password, especially for sensitive accounts

- exercise caution when downloading software e.g. games/apps, especially "free" software (see Note below)

Protect your social network

- don't mix business and personal information in your social media account

- use separate passwords for business and personal social media accounts

- ensure you protect personal information from the casual user

- check what information is being shared about you or photos tagged by your "friends"

- don't share phone numbers or personal/business contact details, e.g. use the "ask me for my ..." feature

General protection and the “Internet of Things”

- be aware of cyber stalking

- be aware of surreptitious monitoring, e.g. “Google Glass” and smart phone cameras

- consider “nanny” software, especially for children’s devices

- be aware of “click bait” – e.g. apparently valid “news” stories which are really sponsored messages

- be aware of ATM “skimming”, including self serve gas pumps

- be aware of remotely enabled camera and microphone (laptop, smart phone, tablet)

Note: Remember, if you’re not paying for the product, you ARE the product

Sunday Jul 04, 2010

Security Testing and Defect Discovery


Sunday Jun 21, 2009

RSA Sign and Verify using PeopleSoft [pluggable] Encryption Technology (PET)
