Security

The Biggest Security Vulnerability: The Wetware – Input Output

If you try to keep up on the latest in security developments, then you know those three dreaded words: Zero-day threat. It has become a commonly-used phrase, one that makes for great headlines.

A zero-day exploit is one where there is no time – zero days – between the time the vulnerability is discovered by hackers and when the first attack takes place. There is usually no defense against these security vulnerabilities since no one has invented a patch or other fix – or even knew, until today, that one was necessary.

So you’d think that with all the screaming headlines on tech news sites about new zero-day exploits found in the wild, along with reports about how Microsoft (or whichever company) is scrambling to find a fix, that these security breaches would be a major source of computer security problems IT has to deal with on a daily basis.

And you’d be wrong, says Microsoft.

Twice a year, the company releases…..

via The Biggest Security Vulnerability: The Wetware – Input Output.

Should Organizations Retire FTP for Security?

Web hosting firm DreamHost made headlines this past weekend when it opted to reset the file transfer protocol (FTP) and shell access passwords of its customers after uncovering a possible data breach. But it wasn’t just the prospect of the company adding its name to the list of organizations affected by data breaches that had some talking.

Instead, the move led to Adam Bosnian, executive vice president at password and identity management vendor Cyber-Ark Software, to question whether or not it’s officially time to put FTP on the shelf for good. more….

via Should Organizations Retire FTP for Security? | SecurityWeek.Com.

Newfangled graphics engine for browsers fosters data theft

The shady truth behind CSS shaders

Software developers at Google, Apple, Adobe, and elsewhere are grappling with the security risks posed by an emerging graphics technology, which in its current form could expose millions of web users’ sensitive data to attackers.

The technology, known as CSS shaders, is designed to render a variety of distortion effects, such as wobbles, curling, and folding. It works by providing programming interfaces web developers can call to invoke powerful functions from an end user’s graphics card. But it could also be exploited by malicious website operators to steal web-browsing history, Facebook identities, and other private information from unsuspecting users, Adam Barth, a security researcher on Google’s Chrome browser, warned recently….. read more >>

via www.theregister.co.uk

Top Five Security Settings for Apple iPhones and iPads

Apple mobile devices are among the most popular gadgets today. In fact, Apple reports that 250 million iOS devices have been sold and 18 million apps downloaded.
I often find that, while the popularity of these devices increases, many don’t understand the basic security features that Apple makes available to them.
Some of you may not even realize that these features exist and how easy they are to use. Let’s walk through the top five security settings for these devices:

Infosec Island: Top Five Security Settings for Apple iPhones and iPads.

The Evercookie: Like trying to kill Steven Seagal • The Register

Part 2

In part one of this series, I explored the privacy threats presented by targeted advertising, and asked why we should care. Browser referral, social media buttons and cookies were examined as examples of basic methods used to track our movements across the internet. I also explored why advertisers track us, and examined browser plugins that allow us to prevent it. Those plugins come in a few flavours, depending on the threat they are countering and whether or not they trust advertisers to play ball and honour our polite requests not to be tracked.

Not all advertisers play by the rules. Some legitimate websites belong to organisations that gather your personal information not for their corporate advertising use, but to sell it at a profit. These companies rarely play nice, and they certainly don’t limit themselves to the basic tracking methods discussed in part one.

via The Evercookie: Like trying to kill Steven Seagal • The Register.

Typo-squatting domains can harvest corporate emails

Typo-squatting domains might easily be used to intercept misdirected corporate emails, according to new research. Domain typo-squatting has long been used as a means to expose butter-fingered users who accidentally misspell a legitimate domain to malware. So-called doppelganger domains take advantage of an omission instead of a misspelling, for example missing the dot between host/subdomain and domain. Security researchers at Godai Group profiled companies in the Fortune 500 for susceptibility to attacks based on this ruse, and found that 151 (30 per cent) were vulnerable.

via Typo-squatting domains can harvest corporate emails • The Register.
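A defensive check for the dot-omission trick described above, added here as an example (it is not code from The Register article or from Godai Group): given an organisation's legitimate mail domains, it builds the list of doppelganger domains that shadow them and flags outbound recipients whose domain matches one, which is where a mail gateway or DLP rule would quarantine the message. The domains and recipient addresses are constructed sample data.

```python
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional, Set, Tuple


def doppelgangers(domain: str) -> Set[str]:
    """Variants of `domain` with one internal dot dropped (not the TLD dot).

    us.example.com -> {usexample.com}; mail.corp.example.com ->
    {mailcorp.example.com, mail.corpexample.com}. A bare domain with no
    subdomain has no doppelganger of this kind, so it yields an empty set.
    """
    labels = domain.lower().strip(".").split(".")
    found: Set[str] = set()
    for i in range(len(labels) - 2):      # never merge the label into the TLD
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        found.add(".".join(merged))
    return found


def build_watchlist(org_domains: Iterable[str]) -> Dict[str, str]:
    """Map each doppelganger back to the legitimate domain it shadows."""
    watch: Dict[str, str] = {}
    for legit in org_domains:
        for fake in doppelgangers(legit):
            watch[fake] = legit.lower()
    return watch


def check_recipient(address: str, watchlist: Dict[str, str]) -> Optional[str]:
    """Return the legitimate domain being shadowed, or None if the address is clean."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    rdomain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return watchlist.get(rdomain)


def scan_outbound(recipients: Iterable[str], watchlist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (recipient, shadowed-domain) pairs for every suspicious recipient."""
    hits = []
    for rcpt in recipients:
        shadowed = check_recipient(rcpt, watchlist)
        if shadowed:
            hits.append((rcpt, shadowed))
    return hits


if __name__ == "__main__":
    # Constructed sample: two internal mail domains and a day's outbound recipients.
    WATCH = build_watchlist(["us.example.com", "mail.corp.example.com"])
    OUTBOUND = ["alice@us.example.com", "Bob <bob@USexample.com>", "carol@partner.test"]
    print(scan_outbound(OUTBOUND, WATCH))   # flags only bob@USexample.com
```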

How we found the file that was used to Hack RSA – F-Secure Weblog

Posted by Mikko @ 09:29 GMT

RSA was hacked in March.

This was one of the biggest hacks in history.

The current theory is that a nation-state wanted to break into Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

via How we found the file that was used to Hack RSA – F-Secure Weblog : News from the Lab.

10 Risky default settings in social media that you need to check

As online industry grows, and we sign up for one social network after the other, we can’t forget that we’re trusting our sensitive information to corporations. Most TOS include a clause that allows companies to change their TOS whenever they need to. So, in an effort to not be paranoid, but cautious, here’s a list of 8 things to check up on in social media. Who knows? Maybe you’ll be surprised by what you’ve agreed to…..

via 10 risky default settings in social media that you need to check – TNW Social Media.

Putting all of Your Eggs in One Basket – or How NOT to do Layoffs

The recent story about Jason Cornish, a disgruntled employee of pharmaceutical company Shionogi, is getting a lot of attention this week. In a nutshell, he resigned after a dispute with management, and was kept on as a consultant for a few months after.

The story then goes that he logged into the network remotely (i.e. VPN’d in) using his legitimate credentials, then logged into a “secret vSphere console”. I’d call “foul” on that one; there would be no reason to have a “secret” console. My guess is he used the actual corporate vCenter console or used a direct client against ESX, which you can download from any ESX server, so he had rights there as well. He then proceeded to delete a large part of the company infrastructure (88 servers in the story I read). The company was offline for “a number of days”, and Jason is now facing charges.

This diary isn’t about the particulars of this case; it’s much more of a common occurrence than you might think. We’ll talk a bit about what to do, a bit about what NOT to do, and most important, we’d love to hear your insights and experiences in this area.

First of all, my perspective …

Separation of duties is super-critical. Unless you are a very small shop, your network people shouldn’t have your Windows domain admin account, and vice versa. In a small company this can be a real challenge: if you’ve only got one or two people in IT, we generally see a single password that all the admins have. Separation of duties is simple to do in VMware vSphere. For instance, you can limit the ability to create or delete servers to the few people who should have that right. If you have web administrators or database administrators who need access to the power button, you can give them that and ONLY that.

via ISC Diary | Putting all of Your Eggs in One Basket – or How NOT to do Layoffs.

Dealing with Fake Tech Support & Phone Scams

On this blog, we’ve discussed the ways that scammers can attack your PC, through malicious software, rogue security alerts, phishing attacks and more. But the bad guys have now devised a new vector: the phone. I first learned about this when I heard my parents had received a call that they had been identified as having rogue software on their PC. The caller, who said he was from Microsoft, needed to remote access their PC to resolve the issue. Turns out scammers like these were simply taking the time to prey on potential victims by calling them and masquerading as a representative from a trusted institution to trick them into giving up valuable and personal information. Sometimes, as in my parents’ case and others, they even advise installing a remote access code so scammers will have full access to the PC…….

via Windows Security Blog.
