From Federal News Radio:
Cars, toasters, medical devices add to DHS' cyber headaches
My personal opinion: Just because you can network something doesn't mean you should.
The purpose of this blog is to help small and medium businesses (SMBs) deal effectively with their unique cyber security needs. With over 15 years' experience in IT and cyber security, I will show SMBs how they can leverage their limited resources to develop effective cyber defenses against the most common threats using information security best practices and no/low-cost tools.
LinkedIn: http://www.linkedin.com/in/ecissorsky/
Twitter: @ecissorsky
Friday, October 31, 2014
Changing the Way We Fight Malware
From PCMagazine:
Changing the Way We Fight Malware
"Microsoft is sitting on an absolute gold mine of information. The Malicious Software Removal Tool (MSRT) running on billions of computers worldwide and every Windows Update process sends a ton of non-personal telemetry back to Microsoft Central. This data could help antivirus companies and academic researchers develop better ways to fight malware. In a keynote speech for the 9th IEEE International Conference on Malicious and Unwanted Software (Malware 2014 for short), Microsoft's Dennis Batchelder explained just what the software giant plans to do with all that data and it's not what you might expect."
The Bill for Cybersecurity: $57,600 a Year
From Bloomberg:
The Bill for Cybersecurity: $57,600 a Year
This is a very realistic breakdown of costs associated with protecting your SMB. There are ways you can reduce this expenditure. One thing I would highly recommend that is touched upon in this article is cyber insurance. This is because it is no longer a question of "if" you get hacked but "when" you do. For more info please contact me via email or through the comments section of this blog.
Welcome To My Cyber Security Nightmare
From DarkReading:
Welcome To My Cyber Security Nightmare
Some FUD but a very realistic look at the threats facing both consumers & organizations of all sizes.
The security threat of unsanctioned file sharing
From Help Net Security:
The security threat of unsanctioned file sharing
More than 1,000 IT security professionals from the United States, United Kingdom, and Germany were surveyed. Key findings from the report include:
- Almost half (49 percent) of respondents believe their company lacks clear visibility into employees’ use of file sharing/file sync and share applications.
- Half of respondents (51 percent) aren’t convinced their organisations have the ability to manage and control user access to sensitive documents and how they are shared.
- The majority of organisations have policies governing the use of file sharing, but policies are not being communicated to employees effectively.
- Only 54 percent of respondents say their IT department is involved in the adoption of new technologies for end users, including cloud-based services.
- Accidentally forwarded files or documents to individuals not authorised to see them.
- Used their personal file-sharing/file sync-and-share apps in the workplace.
- Shared files through unencrypted email.
- Failed to delete confidential documents or files as required by policies.
This is a very serious issue for SMBs. Whether it is open file shares on your network, employees using Dropbox/Google Drive, copying business data to their laptops or using USB thumb drives, it is very easy for this data to be mishandled. If you would like to learn more, please contact me via email or leave comments on this blog.
Thursday, October 30, 2014
Google Details New Security Features in Android 5.0 Lollipop
From SecurityWeek:
Google Details New Security Features in Android 5.0 Lollipop
I really like this feature. The ability to separate personal from company data is a big leap for enterprise customers adopting BYOD policies.
"Another feature that's designed with enterprise customers in mind is support for multiple user accounts. Users who rely on their personal devices for work will be able to separate work-related tasks from personal activities by creating a corporate profile.
"The technology provides an elegant way of segmenting and managing corporate data without significantly impacting usability, and maintaining user privacy. For businesses, the separation of consumer and corporate profiles means much more control over corporate assets, stopping third-party apps from accessing corporate data, while letting the consumer profile act in the free environment that makes Android, well… Android," Aaron Cockerill, VP of enterprise at mobile security firm Lookout, said in a blog post."
Ferry Company Reports Card Breach
Part three of today's data breach trifecta / hat trick. From DataBreachToday:
Ferry Company Reports Card Breach
CurrentC Developer Confirms Breach
Part two of today's data breach trifecta, or hat trick if you're a hockey fan. From DataBreachToday:
CurrentC Developer Confirms Breach
Phishing Attack Leads To Bank Breach
One of a trifecta of breaches announced today. From DataBreachToday:
Phishing Attack Leads To Bank Breach
Epidemic of medical data breaches leaking our most sensitive information
Medical/health information is much more valuable to cybercriminals than SSNs or credit card numbers. From Sophos Naked Security:
Epidemic of medical data breaches leaking our most sensitive information
Popular Science Website Infected, Serving Malware
Just goes to show you that any site, small or large, is vulnerable. From ThreatPost:
Popular Science Website Infected, Serving Malware
Assume ‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15
A follow up to my last post. This is a bit alarmist but evidently this is a serious vulnerability in the product. From ThreatPost:
Assume ‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15
Gotta love the irony here:
"The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward."
TeamDigi7al US navy hacker sentenced to 2 years in jail
Cybercrime doesn't pay. And for Pete's sake, if you are dumb enough to do this stuff, at least be smart enough not to mess with the DoD, law enforcement, the military... From Sophos Naked Security:
TeamDigi7al US navy hacker sentenced to 2 years in jail
The "Dirty Dozen" SPAMPIONSHIP - who's got the biggest zombie problem?
What country sends the most spam? Find out here from Sophos Naked Security:
The "Dirty Dozen" SPAMPIONSHIP - who's got the biggest zombie problem?
Wednesday, October 29, 2014
How Cost-Effective Is the Cybersecurity Framework?
If you want to get the business on board you MUST tell them the financial benefits. Most businesses will not invest in something unless there is a cost-benefit analysis (CBA) or return on investment (ROI) associated with the expenditure.
From InfoRiskToday:
How Cost-Effective Is the Cybersecurity Framework?
Cybersecurity: Why It’s Not Just About Technology
Great article, make your employees security conscious & save a ton of money. From Governing.com:
Cybersecurity: Why It’s Not Just About Technology
Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data
From Wired:
Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data
"Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network that uses that new, furtive form of “command and control”—the communications channel that connects hackers to their malicious software—allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect."
FBI says Nigerian fraudsters scamming victims of everything from laptops and routers to pharmaceuticals, safety and medical equipment
From Network World:
FBI says Nigerian fraudsters scamming victims of everything from laptops and routers to pharmaceuticals, safety and medical equipment
"The FBI said more than 85 companies and universities nationwide whose identities were used to perpetrate the scheme. Approximately 400 actual or attempted incidents have targeted some 250 vendors, and nearly $5 million has been lost so far."
NIST SP 800-150 DRAFT Guide to Cyber Threat Information Sharing
Now we're talking! Nothing is needed more than inter- and intra-industry cyber threat information sharing. From the National Institute of Standards and Technology (NIST):
NIST SP 800-150 DRAFT Guide to Cyber Threat Information Sharing
NIST SP 800-150 DRAFT Guide to Cyber Threat Information Sharing - direct link to PDF
Retailers Facing Intensified Cyberthreat This Holiday Season
As well they should. No system is bulletproof, and these days it seems like it's more "when" than "if" with regard to having a data breach. That does not, however, mean a business, let alone a retail one that processes credit/debit cards, should rest on its laurels during the holiday season. Think like a criminal, folks: if it's your busiest time of the year, you implement a change freeze and your POS terminals are still running XP, you're just asking for someone to compromise you.
From Dark Reading:
Retailers Facing Intensified Cyberthreat This Holiday Season
North Korea Doubles Cyber War Personnel: Report
A follow-up to my last post. Let me see if I understand this correctly: the DPRK has millions of people starving because it cannot feed them and has imprisoned over 100,000 of its citizens in prison camps modeled after Nazi concentration camps, but it can develop a crack squad of high-tech hackers. That makes perfect sense, doesn't it?
From Security Week:
North Korea Doubles Cyber War Personnel: Report
South Korea Spy Agency Says North Hacking Smartphones
Mobile devices, the next weapons in cyberwarfare. From SecurityWeek:
South Korea Spy Agency Says North Hacking Smartphones
Israeli Hacking School Trains Cyber Warriors
From SecurityWeek:
Israeli Hacking School Trains Cyber Warriors
" Three hooded hackers hunch over their computer screens in the control room at Israel's new state-of-the-art "Cyber Gym", where IT and infrastructure company employees train to defend against cyber attacks."
Placemeter monitors streets from apartment windows: time to don a mask?
This is pretty creepy. From Sophos Naked Security:
Placemeter monitors streets from apartment windows: time to don a mask?
"Florent Peyre, the co-founder of Placemeter, told the Guardian that the company's counting and measuring tool is one aspect of endowing computers with the ability to recognise objects in live video feed:
For example, this type of shape or group of pixels is most likely to be a pedestrian or a car or a bus. It's almost like giving the gift of sight to a computer, he said, which should scare the bejesus out of the privacy-minded."
Arrests made after 'specialist malware' used in £1.6 million ATM heist
From Sophos Naked Security:
Arrests made after 'specialist malware' used in £1.6 million ATM heist
"London police made three arrests last week in connection with the theft of up to £1.6 million ($2.58 million) from over 50 ATMs in cities across the UK."
Tuesday, October 28, 2014
A Data Science Approach to Detecting Insider Security Threats
This is a very interesting concept for detecting a potential insider threat. From Pivotal:
A Data Science Approach to Detecting Insider Security Threats
Note: Toward the end it gets into a slight sales pitch for Pivotal. I do not work for the company nor have I ever used any of its products. This article is presented for educational purposes only and is not an endorsement of any kind.
Identity Theft Protection: Key Steps
From DataBreachToday:
Identity Theft Protection: Key Steps
"As part of their breach response strategies, organizations need to establish clear guidelines in advance so they know when it's appropriate to offer victims free credit monitoring or ID theft protection services, security experts advise.
In addition, they should educate breach victims about the steps they should take to protect their identities as well as how to use the services offered to them."
FTC Says AT&T Has Misled Millions of Consumers with ‘Unlimited’ Data Promises
From the Federal Trade Commission (FTC):
FTC Says AT&T Has Misled Millions of Consumers with ‘Unlimited’ Data Promises
"The Federal Trade Commission filed a federal court complaint against AT&T Mobility, LLC, charging that the company has misled millions of its smartphone customers by charging them for “unlimited” data plans while reducing their data speeds, in some cases by nearly 90 percent."
Insurers fight to bar cyber coverage under commercial general liability policies
From BusinessInsurance.com:
Insurers fight to bar cyber coverage under commercial general liability policies
This is why you need a separate and distinct cyber insurance policy. See my other posts on this topic for more info.
Shellshock Exploits Targeting SMTP Servers at Webhosts
From ThreatPost:
Shellshock Exploits Targeting SMTP Servers at Webhosts
Come on, people, get this thing patched. In most cases it takes one simple command and requires no downtime. On RHEL/CentOS:
yum update bash
Simple, isn't it? One thing to watch: the first Shellshock fix (CVE-2014-6271) turned out to be incomplete and was followed by CVE-2014-7169, so make sure you are on the latest bash package for your distribution rather than stopping at the first update.
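For anyone who wants to verify rather than assume, here is an added example (my own code, not from the ThreatPost article) that runs the standard CVE-2014-6271 probe against the local bash and picks the right patch command from /etc/os-release. The probe is the well-known crafted environment variable; the distribution-to-command table is my own assumption and only covers the yum and apt families.

```python
import shutil
import subprocess
from typing import Optional

# Classic Shellshock (CVE-2014-6271) probe: an environment variable whose value
# is a function definition followed by a trailing command. An unpatched bash
# executes the trailing command while importing the function, before it ever
# runs the command passed with -c.
PROBE_VAR = "x"
PROBE_VALUE = "() { :;}; echo vulnerable"

# Assumed mapping (not from the article) of /etc/os-release IDs to the command
# that pulls in the fixed bash package.
PATCH_COMMANDS = {
    "rhel": "yum update bash",
    "debian": "apt-get update && apt-get install --only-upgrade bash",
}


def interpret_probe_output(stdout: str) -> bool:
    """True if the probe's trailing command ran, i.e. bash is vulnerable."""
    return any(line.strip() == "vulnerable" for line in stdout.splitlines())


def bash_is_vulnerable(bash_path: Optional[str] = None) -> Optional[bool]:
    """Run the probe against the local bash.

    Returns True (vulnerable), False (patched) or None when bash is not
    available. A patched bash prints only 'test' and logs a warning on stderr
    about ignoring the function definition attempt.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", PROBE_VAR: PROBE_VALUE}
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, check=False)
    except OSError:
        return None
    return interpret_probe_output(proc.stdout)


def parse_os_release(text: str) -> dict:
    """Minimal /etc/os-release parser: KEY=value lines, optional double quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"')
    return fields


def patch_command(os_release_text: str) -> Optional[str]:
    """Choose the patch command from ID, falling back to each entry in ID_LIKE."""
    fields = parse_os_release(os_release_text)
    candidates = [fields.get("ID", "")] + fields.get("ID_LIKE", "").split()
    for name in candidates:
        if name in PATCH_COMMANDS:
            return PATCH_COMMANDS[name]
    return None


if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "patched", None: "no bash found"}
    print("bash:", verdict[bash_is_vulnerable()])
    try:
        with open("/etc/os-release") as fh:
            print("patch with:", patch_command(fh.read()))
    except OSError:
        print("no /etc/os-release; pick the command for your distribution by hand")
```

This probe only covers the original bug; a bash that passes it can still be short of the CVE-2014-7169 follow-up fix, so treat a clean result as "not the worst case" and still confirm the package version against your vendor's advisory.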
Zero-day in Samsung ‘Find My Mobile’ service allows attacker to remotely lock phone
From ComputerWorld:
Zero-day in Samsung ‘Find My Mobile’ service allows attacker to remotely lock phone
"According to the National Institute of Standards and Technology (NIST):
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic."
Monday, October 27, 2014
Adobe Updates Digital Editions Following Privacy Controversy
From SecurityWeek:
Adobe Updates Digital Editions Following Privacy Controversy
"Earlier this month, reports surfaced about Adobe collecting information from Digital Editions 4.0 users, including the books they read and the ones stored in their library. Researchers also noticed that all the data was sent back to Adobe's servers without being encrypted."
FTC Scam Alert: Headline news: Scammers issue bogus newspaper subscription renewal notices
From the Federal Trade Commission (FTC):
Headline news: Scammers issue bogus newspaper subscription renewal notices
"Nothing like a hot cup of coffee and the morning paper to start the day, right? Well, for many subscribers and newspaper publishers across the country, bogus renewal notices are leaving a bitter taste."
FTC publications — free and at your fingertips
From the Federal Trade Commission (FTC):
FTC publications — free and at your fingertips
"When you want free consumer information — for yourself or a group — the FTC is ready to take your order. Looking for identity theft brochures to share with your book club? We’ve got them. Online safety handouts to use in the classroom? Right here. Bookmarks about charity fraud to distribute at a community fair? Absolutely. Our new and better bulkorder site is your gateway to almost 200 free publications for consumers and businesses."
NSA-Approved Samsung Knox Stores PIN in Cleartext
Two words you NEVER want to hear in the same sentence: "password" and "cleartext". From ThreatPost:
NSA-Approved Samsung Knox Stores PIN in Cleartext
"A security researcher has tossed a giant bucket of ice water on Samsung’s thumbs up from the NSA approving use of certain Galaxy devices within in the agency."
‘Replay’ Attacks Spoof Chip Card Charges
From Brian Krebs (@briankrebs):
‘Replay’ Attacks Spoof Chip Card Charges
"Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.
The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards."
US Senate calls Whisper in for serious questioning on user tracking
From Sophos Naked Security:
US Senate calls Whisper in for serious questioning on user tracking
"Earlier this month, The Guardian published three articles alleging that Whisper's supposedly anonymous messaging service tracks even those who opt out of geolocation, that it shares what's supposed to be anonymous content with the Department of Defense, and that its user data is collated and stored indefinitely in a searchable database."
Friday, October 24, 2014
3 Enterprise Security Tenets To Take Personally
From InformationWeek:
3 Enterprise Security Tenets To Take Personally
"I recently bought a new house, and following recommended security practices, I had the door locks replaced, the security code on the garage-door opener changed, and the house alarm system upgraded. The process reminded me of what a locksmith told me years ago: You can't keep a thief from breaking in, but you can make it hard enough that he'll go where it is less risky.
Fast-forward to the Internet/cloud era, and that sage advice still holds true -- maybe even more so. The most recent breaches hitting HealthCare.gov, Home Depot, and the unfortunate theft of private photos from iCloud make it clear that even the US government, giant corporations, and advanced tech companies like Apple struggle to cope with the speed at which cyber-thieves are evolving their techniques. It's not a question of if someone can get into your accounts, but whether your security plan is a deterrent -- or makes you a target."
Couldn't have said it better myself. No matter if it's personal or your SMB's data you need to take basic measures to ensure it is secured.
NAT-PMP Protocol Vulnerability Puts 1.2 Million SOHO Routers At Risk
From ThreatPost:
NAT-PMP Protocol Vulnerability Puts 1.2 Million SOHO Routers At Risk
"Vulnerabilities in embedded devices, in particular small office and home office routers, have been relentless. Another serious issue was discovered this week that affects more than 1.2 million such devices due to improper NAT-PMP protocol implementations, most of which run counter to the specification under which it was designed."
Disaster as CryptoWall encrypts US firm's entire server installation
From Network World:
Disaster as CryptoWall encrypts US firm's entire server installation
"An admin had clicked on a phishing link which was bad enough. Unfortunately, the infected workstation had mapped drives and permissions to all seven servers and so CryptoWall had quickly jumped on to them to hand the anonymous professional a work day to forget."
FTC Scam Alert: At FTC’s Request, Court Shuts Down New York-Based Tech Support Scam Business
From the Federal Trade Commission (FTC):
At FTC’s Request, Court Shuts Down New York-Based Tech Support Scam Business
The 'Backoff' malware used in retail data breaches is spreading
From PCWorld:
The 'Backoff' malware used in retail data breaches is spreading
STOP! USING! WINDOWS XP! UPGRADE! TO! WINDOWS 7!
Do we really need strong passwords?
From Sophos Naked Security:
Do we really need strong passwords?
The answer is yes and no. This is not a black-and-white issue. What users need are complex passwords that are easy to remember. This can be done in any number of ways. A good way is to use mnemonics.
What I mean by this is to use things that are easily remembered and combine them in an easy-to-remember way. For example, let's say this is for your Amazon account. Your name is John Q. Public, you live at 123 Main St, Anytown, NJ 08001, and your phone number is 856-555-1212. Your wife is named Jane, you have two children, Joe and Bertha, a dog named Spot and a cat named Tom. You can take parts of all this information and come up with a complex password that is easy to remember.
Let's begin with Amazon, since this is the account the password is for. Start with "Am", the first two letters of Amazon. Just for kicks we'll throw in a "." (period) to separate this from the rest of the password. So now we have "Am.". Then we add some letters from your name plus another "." separator and come up with "Am.jQp.". Next, reverse your street number and add it with another "." separator, giving "Am.jQp.321.".
At this point you have an 11-character, somewhat complex password. We're going to keep adding information to make it even more complex yet still easy to remember. Next, add the last four digits of your phone number and the first letters of your wife's, children's, dog's and cat's names, with a "." to separate them. Now we have "Am.jQp.321.1212.JjBsT.". Finally, throw an "!" (exclamation point) on each end for kicks and you get "!Am.jQp.321.1212.JjBsT.!".
Using simple mnemonics you now have a highly complex 24-character password. Since it is composed of things that have meaning to you, with a little work it will be easy to remember. Another advantage is that with slight tweaks it can be modified for your other accounts so you are not reusing the same password. For example:
Facebook - "!Face.jQp.321.1212.JjBsT.!"
Ebay - "!EB.jQp.321.1212.JjBsT.!"
PayPal - "!pP.jQp.321.1212.JjBsT.!"
Twitter - "!TwIt.jQp.321.1212.JjBsT.!"
Instagram - "!IGram.jQp.321.1212.JjBsT.!"
Hope this is of help to my readers.
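The scheme above, written out as an added Python example (not from the original post): it builds the password from the post's components, derives the per-site variants, and runs a typical complexity policy over them. The profile values are the post's own fictional example; the policy thresholds are assumptions.

```python
import string

# Personal details from the post's worked example (fictional data from the post).
PROFILE = {
    "initials": "jQp",        # John Q. Public, cased the way the post writes it
    "street_number": "123",
    "phone_last4": "1212",
    "family": ["Jane", "Joe", "Bertha", "Spot", "Tom"],
}

# Per-account prefixes exactly as the post chooses them.
ACCOUNT_PREFIXES = {
    "Amazon": "Am", "Facebook": "Face", "Ebay": "EB",
    "PayPal": "pP", "Twitter": "TwIt", "Instagram": "IGram",
}


def family_initials(names):
    """First letter of each name, alternating upper/lower case as in the
    post's "JjBsT" (Jane, Joe, Bertha, Spot, Tom)."""
    return "".join(n[0].upper() if i % 2 == 0 else n[0].lower()
                   for i, n in enumerate(names))


def build_password(account, profile=PROFILE, prefixes=ACCOUNT_PREFIXES):
    """Assemble the post's password: account prefix, initials, reversed street
    number, last four phone digits, family initials, '.'-separated, wrapped in '!'."""
    core = ".".join([
        prefixes[account],
        profile["initials"],
        profile["street_number"][::-1],   # reversed street number
        profile["phone_last4"],
        family_initials(profile["family"]),
    ]) + "."
    return "!" + core + "!"


def check_policy(pw, min_len=12):
    """Assumed policy: minimum length plus all four character classes."""
    classes = (
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and all(classes)


def site_variants(profile=PROFILE, prefixes=ACCOUNT_PREFIXES):
    """One password per account; the post relies on these all being distinct."""
    return {site: build_password(site, profile, prefixes) for site in prefixes}


if __name__ == "__main__":
    for site, pw in site_variants().items():
        print(f"{site:10} {pw:30} policy_ok={check_policy(pw)} len={len(pw)}")
```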
How to kill a troll
Cyberbullying must be stopped. The stats in this article are eye opening. I'm not so sure ignoring a cyberbully will stop it but at least the stats bear out that it is a start. From Sophos Naked Security:
How to kill a troll
Pew surveyed 2849 internet users. Here are some of the results:
- One out of every four women between 18 years old and 24 years old reports having been stalked or sexually harassed online.
- Two out of five people reported having been victims of some form of online harassment.
- One out of four had seen someone being physically threatened.
- 27% of internet users have been called offensive names
- 22% have had someone try to purposefully embarrass them
- 8% have been physically threatened
- 8% have been stalked
- 7% have been harassed for a sustained period
- 6% have been sexually harassed
Twitter invites us to say goodbye to passwords, use Digits instead
This isn't a bad idea. From Sophos Naked Security:
Twitter invites us to say goodbye to passwords, use Digits instead
Report: Russia, China near cybersecurity deal
What kind of deal? One where they agree not to attack each other but everyone else is fair game? What about one where Russia gets the monopoly on cybercrime and China gets the monopoly on cyberespionage? This can't be good for the US and other Western countries.
From The Hill:
Report: Russia, China near cybersecurity deal
Thursday, October 23, 2014
Cybersecurity help coming for franchises
Better late than never. From The Hill:
Cybersecurity help coming for franchises
“Many small- and medium-sized businesses are franchises that rely on computerized networks and digital records — making them extremely vulnerable to cyber attacks,” said Michael Kaiser, executive director of NCSA.
Windows 10 to get two-factor authentication built-in
Speaking of Two Factor Authentication, from Network World:
Windows 10 to get two-factor authentication built-in
'Bout time!
Researchers Discover Dozens of Gaming Client and Server Vulnerabilities
Yet another reason employees shouldn't be putting gaming (or any other) software on company owned systems. From Threat Post:
Researchers Discover Dozens of Gaming Client and Server Vulnerabilities
NIST Publishes Draft Hypervisor Security Guide
If you have, or work in, an environment that leverages virtualization you're going to want to read this. From ThreatPost:
NIST Publishes Draft Hypervisor Security Guide
Direct Link to NIST Publication:
IT threat evolution Q2 2014
From Kaspersky Labs:
IT threat evolution Q2 2014
Q2 in figures
- According to KSN data, Kaspersky Lab products detected and neutralized a total of 995,534,410 threats in the second quarter of 2014.
- Kaspersky Lab solutions repelled 354,453,992 attacks launched from online resources located all over the world.
- Kaspersky Lab's web antivirus detected 57,133,492 unique malicious objects: scripts, web pages, exploits, executable files, etc.
- 145,386,473 unique URLs were recognized as malicious by web antivirus.
- 39% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Germany.
- Kaspersky Lab's antivirus solutions detected 528,799,591 virus attacks on users' computers. A total of 114,984,065 unique malicious and potentially unwanted objects were identified in these incidents.
- In Q2 2014, 927,568 computers running Kaspersky Lab products were attacked by banking malware.
- A total of 3,455,530 notifications about attempts to infect those computers with financial malware were received.
Google goes beyond two-step verification with new USB Security Key
Granted, Two Factor Authentication is a bit of a pain for most users. However, it is a much more secure method of authentication. I've worked extensively with RSA's SecurID products for many years and would recommend that any SMB that needs to store any type of confidential data consider implementing some type of Two Factor Authentication system for the systems containing that data.
From Sophos Naked Security:
Google goes beyond two-step verification with new USB Security Key
Wednesday, October 22, 2014
FTC Scam Alert: Operators of bogus business opportunity ordered to pay back $25 million
Why You Shouldn't Count On General Liability To Cover Cyber Risk
From DarkReading.com:
Why You Shouldn't Count On General Liability To Cover Cyber Risk
"As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works."
SourceBooks Confirms Card Breach
From DataBreachToday:
SourceBooks Confirms Card Breach
"During that time, unauthorized parties were able to gain access to customer credit card information, including card number, expiration date, cardholder name and card verification value. In addition, the cyber-attackers also were able to view billing information, such as name, phone number and address. In some cases, account passwords were obtained as well, SourceBooks says."
Unsecured Folder Leads to Big Breach
LOCK! DOWN! SHARES! REVIEW! PERMISSIONS! REGULARLY!
From DataBreachToday:
Unsecured Folder Leads to Big Breach
"Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services nationwide, says it became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the internet," according to a statement posted on the company's website."
Is your phone line a '6-figure liability waiting to happen'?
Phreaking is alive and well it seems. Another from Sophos Naked Security:
Is your phone line a '6-figure liability waiting to happen'?
"Telecommunications fraud experts told the New York Times that this is how the premium-service scheme works:
- Criminals sign up to lease premium-rate phone numbers from one of dozens of web-based services that charge dialers over $1 a minute (£.62) and give the lessee a cut - as high as 24 cents (£.15) for every minute spent on the phone.
- Next, the crooks break into a business's phone system and make calls through it to their premium number. They typically do it over a weekend, when nobody's around to notice. High-speed computers enable hundreds of simultaneous calls, forwarding as many as 220 minutes' worth of phone calls a minute to the pay line.
- The intruder gets their share of the charges, typically sent via a Western Union, MoneyGram or wire transfer."
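The pattern the article describes, off-hours bursts of calls from a compromised PBX to premium-rate numbers, is what an owner can look for in the phone system's call-detail records. The Python below is an added detection example, not part of the article: the CDR format, the premium prefixes and the business-hours window are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed watch-list of dialled-number prefixes (US-style 1-900/1-976
# premium numbers plus the international dialling prefix); a real deployment
# would use the carrier's current premium-rate list instead.
PREMIUM_PREFIXES = ("1900", "1976", "011")

# Constructed PBX call-detail records, one per line:
# timestamp,extension,dialled_number,duration_seconds
# (2014-10-18 is a Saturday; 2014-10-17 a Friday)
SAMPLE_CDR = """\
2014-10-18T02:14:05,201,19005551234,55
2014-10-18T02:14:07,201,19005551234,58
2014-10-18T02:14:09,201,19005551234,61
2014-10-18T02:14:12,201,19005551234,57
2014-10-18T02:15:01,201,19005551234,59
2014-10-17T10:30:00,114,8565551212,120
2014-10-17T11:02:44,117,19005551234,30
"""


def parse_cdr(text):
    """Parse the CSV-style CDR lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "secs": int(secs)})
    return records


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def is_off_hours(ts):
    """Weekend, or outside the assumed 08:00-18:00 weekday business hours."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def find_premium_bursts(records, per_minute_threshold=3):
    """Bucket off-hours premium-rate calls by (minute, extension) and raise
    one alert per bucket that reaches the threshold; billed minutes show
    the money at stake per bucket."""
    buckets = defaultdict(list)
    for r in records:
        if is_premium(r["number"]) and is_off_hours(r["ts"]):
            buckets[(r["ts"].strftime("%Y-%m-%dT%H:%M"), r["ext"])].append(r)
    alerts = []
    for (minute, ext), calls in sorted(buckets.items()):
        if len(calls) >= per_minute_threshold:
            alerts.append({"minute": minute, "extension": ext,
                           "calls": len(calls),
                           "billed_minutes": sum(c["secs"] for c in calls) / 60})
    return alerts


if __name__ == "__main__":
    for alert in find_premium_bursts(parse_cdr(SAMPLE_CDR)):
        print(alert)
```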
UK considering imprisoning 'cowardly, venomous trolls' for up to 2 years
Serious steps need to be taken to stop cyberbullying. From Sophos Naked Security:
UK considering imprisoning 'cowardly, venomous trolls' for up to 2 years
"A few days after trolls threatened to rape British fitness instructor Chloe Madeley, Justice Secretary Chris Grayling told the Mail on Sunday that sentences for web trolls would be quadrupled to two years in proposed changes to current law."
Tuesday, October 21, 2014
Staples Launches Breach Investigation
First reported by Brian Krebs, picked up by DataBreachToday.com:
Staples Launches Breach Investigation
"The retailer confirmed the investigation after security blogger Brian Krebs reported that sources at more than six East Coast banks had seen a spike in card-related fraud that seemed to correspond with cards that were used by shoppers at 11 Staples locations across New Jersey, New York City and Pennsylvania."
Selling stolen card info online? That's the least of it
Great piece by Cadie Thompson from CNBC:
Selling stolen card info online? That's the least of it
"Turns out that's the least of it. The easy availability of stolen data created a thriving underground marketplace for purloined information, and some cybercriminals are even going up the value chain and selling things like their own hacking services."
Facebook prowls the internet looking for your password
Good headline but not what you think. From Sophos Naked Security:
Facebook prowls the internet looking for your password
Just a hint here: Google your password(s) and see what is returned. If they show up listed alongside a hash, it's time to change them.
Monday, October 20, 2014
Nearly Half Of Consumers Will Punish Breached Retailers During Holidays
From DarkReading.com:
Nearly Half Of Consumers Will Punish Breached Retailers During Holidays
"The results show that 45% of consumers reported that they "probably" or "definitely" would avoid a store over the holidays if they found out it had a data breach. Further, the news of retail breaches has made consumers somewhat allergic to plastic -- approximately 48% say the bad press has made them more likely to use cash in favor of cards."
Whisper CTO trashes reports that it tracks even those users who turn off geolocation
From Sophos Naked Security:
Whisper CTO trashes reports that it tracks even those users who turn off geolocation
"Furnished with an extremely simple password, we were given access to the company's vast library of texts and photographs and, in most cases, the location of their authors. The company's developers have created a back-end analytics tool to conduct more refined searches of the database, the most powerful of which pinpoints location."
Dropbox used for convincing phishing attack
From ComputerWorld:
Dropbox used for convincing phishing attack
"Dropbox's file storage service was used for a tricky phishing attack, although the service was quick to shut it down, according to Symantec."
Defending Against Government Intrusions
Thought this was an interesting piece from govinfosecurity.com:
Defending Against Government Intrusions
"Based on the ensuing discussion, here are some of the top takeaways for anyone charged with defending networks in the post-Snowden era:"
New attack hides stealthy Android malware in images
From PC World:
New attack hides stealthy Android malware in images
"Because of fragmentation in the Android ecosystem, especially when it comes to firmware updates, many devices will likely remain vulnerable to this attack for a long time, giving Android malware authors ample time to take advantage of it."
Average person has 19 passwords - but 1 in 3 don’t make them strong enough
From Sophos Naked Security:
Average person has 19 passwords - but 1 in 3 don’t make them strong enough
Top 10 Password Managers as reviewed by InformationWeek / Darkreading.com:
Top 10 Password Managers
US-CERT Bulletin (SB14-293) - Vulnerability Summary for the Week of October 13, 2014
Round of vulnerabilities found last week from US-CERT:
US-CERT Bulletin (SB14-293) - Vulnerability Summary for the Week of October 13, 2014
Friday, October 17, 2014
OnGuardOnline.gov: Working Together to Prevent Bullying
Technically this has nothing to do with cybersecurity. Unfortunately cyberbullying is an emerging threat to our kids. Please read this and see what you can do to help:
OnGuardOnline.gov: Working Together to Prevent Bullying
FTC Consumer Info: How to guard against Ebola-related charity scams
Consumer Info from the Federal Trade Commission (FTC):
How to guard against Ebola-related charity scams
POODLE Info - How to disable SSL v3 in your server & browser
I came across these two links while researching how to disable SSL v3 on web browsers:
Disable SSLv3 in major browsers
SSL v3 goes to the dogs - POODLE kills off protocol
Any/all products/services are provided for informational purposes only. The author does not endorse any single product.
Use these products/services at your own risk.
POODLE Info - How to turn on TLS in IE, Firefox, Safari & Chrome
Many websites are disabling SSL v3.0 on their servers to protect users against the POODLE vulnerability. I found this great tutorial from the US State Dept. on how to enable TLS on the four major browsers. While you're enabling TLS you will want to disable SSL v3.0. If I come across any how-tos on that I will update this post.
Any/all products/services are provided for informational purposes only. The author does not endorse any single product.
Use these products/services at your own risk.
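The two POODLE posts above cover the browser side; the check that completes the picture for a server you administer is confirming that SSL v3.0 really is off after the change. The Python below is an added example (not from this blog or the linked articles): it sends a bare SSL 3.0 ClientHello and classifies the first record that comes back. The cipher suites offered and the 5-second timeout are assumptions.

```python
import os
import socket
import struct

# Cipher suites offered in the probe: CBC suites of the kind POODLE targets
# plus RC4 for breadth (constructed choice for this example).
DEFAULT_SUITES = (0x002f, 0x0035, 0x000a, 0x0005)


def build_sslv3_client_hello(cipher_suites=DEFAULT_SUITES):
    """Minimal SSL 3.0 ClientHello record. A server with SSLv3 enabled answers
    with a ServerHello; one with SSLv3 disabled sends an alert or closes."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x00"                                  # client_version = SSL 3.0
        + os.urandom(32)                             # client random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first bytes the server returns to the SSLv3 probe."""
    if not data:
        return "rejected"          # server closed the connection without a record
    if data[0] == 0x15:
        return "rejected"          # alert record (handshake_failure, protocol_version)
    if (data[0] == 0x16 and len(data) > 5
            and data[1:3] == b"\x03\x00" and data[5] == 0x02):
        return "enabled"           # ServerHello at version 3.0: SSLv3 still on
    return "unknown"               # not SSL/TLS at all (e.g. plain HTTP on the port)


def check_server(host, port=443, timeout=5.0):
    """Send the probe to one server and report whether it still accepts SSLv3."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:            # timeout or reset: no SSLv3 answer came back
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "SSLv3:", check_server(target))
```

Run it against each of your own servers after the config change; "enabled" means the SSLv3 protocol is still negotiable and the change has not taken effect.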