The Biggest Security Vulnerability: The Wetware – Input Output
If you try to keep up on the latest in security developments, then you know those three dreaded words: Zero-day threat. It has become a commonly-used phrase, one that makes for great headlines.
A zero-day exploit is one where there is no time – zero days – between the time the vulnerability is discovered by hackers and when the first attack takes place. There is usually no defense against these security vulnerabilities since no one has invented a patch or other fix – or even knew, until today, that one was necessary.
So you’d think that with all the screaming headlines on tech news sites about new zero-day exploits found in the wild, along with reports about how Microsoft (or whichever company) is scrambling to find a fix, that these security breaches would be a major source of computer security problems IT has to deal with on a daily basis.
And you’d be wrong, says Microsoft.
Twice a year, the company releases…
via The Biggest Security Vulnerability: The Wetware – Input Output.
Should Organizations Retire FTP for Security?
Web hosting firm DreamHost made headlines this past weekend when it opted to reset the file transfer protocol (FTP) and shell access passwords of its customers after uncovering a possible data breach. But it wasn’t just the prospect of the company adding its name to the list of organizations affected by data breaches that had some talking.
Instead, the move led Adam Bosnian, executive vice president at password and identity management vendor Cyber-Ark Software, to question whether or not it’s officially time to put FTP on the shelf for good. more…
via Should Organizations Retire FTP for Security? | SecurityWeek.Com.
Newfangled graphics engine for browsers fosters data theft
The shady truth behind CSS shaders
Software developers at Google, Apple, Adobe, and elsewhere are grappling with the security risks posed by an emerging graphics technology, which in its current form could expose millions of web users’ sensitive data to attackers.
The technology, known as CSS shaders, is designed to render a variety of distortion effects, such as wobbles, curling, and folding. It works by providing programming interfaces web developers can call to invoke powerful functions from an end user’s graphics card. But it could also be exploited by malicious website operators to steal web-browsing history, Facebook identities, and other private information from unsuspecting users, Adam Barth, a security researcher on Google’s Chrome browser, warned recently… read more >>
www.theregister.co.uk
How To Hide Almost Anything On Facebook
Are you tired of seeing what all of your friends are reading on Yahoo News, the Washington Post, Wall Street Journal Social Edition, or the U.K. Guardian? Do you not care to see what people are listening to on Spotify, Mog, or Rdio?
Facebook’s expansion beyond the like button has expanded the amount of content coming into our news feeds, yet we’ve got more choices than ever for getting unwanted items off of our screens: hide, delete, unsubscribe, unfriend, report or block.
I’ve long advocated hiding over all the others, and more recently became a fan of unsubscribing with the advent of the subscribe button. Consider these two options before doing anything more drastic like unfriending or blocking. more…
Top Five Security Settings for Apple iPhones and iPads
Apple mobile devices are among the most popular gadgets today. In fact, Apple reports that 250 million iOS devices have been sold and 18 million apps downloaded.
I often find that, while the popularity of these devices increases, many don’t understand the basic security features that Apple makes available to them.
Some of you may not even realize that these features exist and how easy they are to use. Let’s walk through the top five security settings for these devices:
Infosec Island: Top Five Security Settings for Apple iPhones and iPads.
The Evercookie: Like trying to kill Steven Seagal • The Register
Part 2

In part one of this series, I explored the privacy threats presented by targeted advertising, and asked why we should care. Browser referral, social media buttons and cookies were examined as examples of basic methods used to track our movements across the internet.

I also explored why advertisers track us, and examined browser plugins that allow us to prevent it. Those plugins come in a few flavours, depending on the threat they are countering and whether or not they trust advertisers to play ball and honour our polite requests not to be tracked.

Not all advertisers play by the rules. Some legitimate websites belong to organisations that gather your personal information not for their corporate advertising use, but to sell it at a profit. These companies rarely play nice, and they certainly don’t limit themselves to the basic tracking methods discussed in part one.
via The Evercookie: Like trying to kill Steven Seagal • The Register.
Skype’s future under Microsoft: integration everywhere?
Microsoft has big plans for Skype; we just don’t know exactly what they are. But with Microsoft gaining both US and European regulatory approval for its $8.5 billion acquisition, the merger is likely to be completed in the near future, letting Microsoft integrate Skype into various product lines.
The most obvious places for integration are Lync, Microsoft’s unified communications platform, and Windows Phone. But over time, Skype could be baked into more products like Outlook, Windows Live Essentials, and Xbox Live, or even become a pre-installed component of Windows on the desktop, analysts are speculating. While users of the current Skype service probably won’t see any major changes immediately, future versions integrated with Microsoft products could get the Metro interface that dominates Windows Phones and the upcoming Windows 8 desktop software.
via Skype’s future under Microsoft: integration everywhere?.
Here come hypervisors you can trust
Virtualisation has always bothered me. This is perhaps an odd statement to make; after all, I am personally responsible for virtualising thousands of servers.
But the truth of it lies in the special status the IT community has ascribed to hypervisors.
When we nerds talk about virtualisation, especially with relation to servers, we don’t talk about loading an operating system onto a server, we load a hypervisor. It’s a dangerous distinction and one that often leads systems administrators up a dark path of forgetting that a hypervisor is just as much of a security risk as any other operating system.
Indeed, hypervisors should be considered a bigger security risk than the traditional bare-metal operating system for the simple reason that we have become reliant upon them to host dozens, or even hundreds, of virtual machines per physical server.
Yet by and large, we tend to neglect the hypervisor, trusting it to just work. …
Typo-squatting domains can harvest corporate emails
Typo-squatting domains might easily be used to intercept misdirected corporate emails, according to new research.

Domain typo-squatting has long been used as a means to expose butter-fingered users who accidentally misspell a legitimate domain to malware. So-called doppelganger domains take advantage of an omission instead of a misspelling, for example missing the dot between host/subdomain and domain.

Security researchers at Godai Group profiled companies in the Fortune 500 for susceptibility to attacks based on this ruse, and found that 151 (30 per cent) were vulnerable.
via Typo-squatting domains can harvest corporate emails • The Register.
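The dot-omission doppelganger described above, turned into a defensive check: given an organisation’s own subdomains, derive the doppelganger names to register or watch, and flag outbound recipients whose domain matches one. This is an added example, not code from the article or from Godai Group; the subdomain list and addresses are constructed.

```python
# Added example (not from the article or Godai Group's research): flags
# recipient domains that are "doppelgangers" of an organisation's own
# subdomains, i.e. host.example.com with the dot between host and domain dropped.
# LEGIT_SUBDOMAINS and the sample addresses are constructed for illustration.

LEGIT_SUBDOMAINS = ["us.example.com", "mail.example.com", "eu.corp.example.net"]


def doppelganger_of(fqdn):
    """Return the dot-omission doppelganger of a subdomain, or None when the
    name has no subdomain label to merge (a bare 'example.com')."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    # Merge the first label into the second: us.example.com -> usexample.com
    return labels[0] + labels[1] + "." + ".".join(labels[2:])


def build_watchlist(subdomains):
    """Map each doppelganger domain back to the legitimate name it mimics.
    The keys are the names a defender would register or monitor."""
    watch = {}
    for name in subdomains:
        d = doppelganger_of(name)
        if d:
            watch[d] = name.lower()
    return watch


def check_recipient(address, watchlist):
    """Return the legitimate domain a recipient's domain impersonates,
    or None if the address is well-formed and not on the watchlist."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    return watchlist.get(domain)


if __name__ == "__main__":
    wl = build_watchlist(LEGIT_SUBDOMAINS)
    # Constructed outbound recipients: one legitimate, two doppelgangers.
    for addr in ["alice@us.example.com", "bob@usexample.com",
                 "carol@eucorp.example.net"]:
        hit = check_recipient(addr, wl)
        print(addr, "->", "doppelganger of " + hit if hit else "ok")
```

A mail gateway can run `check_recipient` on outbound mail and hold or warn on hits; the watchlist keys are also the domains worth registering yourself.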
IPv6: The End of Security As We Know It
Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems. These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust. This is another topic I will be addressing in the coming weeks and months; so many security topics, so little time.

IPv6 substantially changes how IP interacts with the link layer, in particular Ethernet. ARP will go away and be replaced by NDP, which is ICMPv6-based, and we also need to look to protocols such as SEND to secure NDP, or we will fall prey to the same class of attacks we faced in IPv4 over hub shared networks…
via Infosec Island IPv6: The End of Security As We Know It.