Posted by Jonathan Thomas on Thu, Jan 28, 2010
First, thank you all so much for reading and commenting on our blog.
With the launch of our new web site we have moved our blog. This site will remain up temporarily, but will eventually be removed. You can access all the new blog posts here, as well as a number of other free resources at our new knowledge center here.
We hope you've enjoyed this blog over the last year and will continue to follow the latest information security news with us. If you subscribe through RSS, we would appreciate it if you would resubscribe at the new site. If you're an email subscriber, we will be adding the ability to receive our blog posts by email very soon.
Thank you again, and we hope to see you over at our new blog!
Posted by Kevin Prince on Wed, Jan 20, 2010
The A5/1 encryption algorithm used by GSM, which protects calls on roughly 80 percent of the world's mobile phones, has reportedly been broken. Karsten Nohl demonstrated the attack recently at a conference in Germany (the Chaos Communication Congress in Berlin). The mobile phone industry is nowhere near being able to roll out a replacement algorithm across its networks and handsets, so the practical effect is that GSM voice traffic should be treated as interceptable.
Posted by Kevin Prince on Mon, Jan 18, 2010
New legislation has been proposed in New Jersey regarding unsolicited text messages. It would impose fines of between $10,000 and $30,000 on solicitors who send unsolicited text messages to consumers. I think this will be great. My son gets messages like this on his phone, and I am left paying for text-message overages at the end of the month.
Posted by Kevin Prince on Wed, Jan 13, 2010
Google made a significant announcement on its blog recently: it may pull out of China altogether. The post states that Google is no longer willing to filter search results and that it is prepared to close its operations in China. The straw that broke the camel's back appears to have been a series of successful attacks against Google originating from China. These attacks were directed at human rights activists who promote human rights in China and apparently aimed to compromise their Gmail accounts. In the course of the investigation, Google also discovered that many activists' Gmail accounts had already been compromised through malware, phishing, or other techniques unrelated to this attack.
I must commend Google on the way they have handled this information security breach. They have been forthright about it. Google understands that breaches happen. They also understand that breaches are significant and must be addressed promptly, and they commit the resources to investigate them fully, which often uncovers additional issues.
Posted by Kevin Prince on Tue, Jan 12, 2010
After a year or so of ACH (Automated Clearing House) fraud, the ABA (American Bankers Association) has issued guidance telling businesses to use a dedicated PC for their online banking transactions. Malware (software that infects a system and lets an attacker control it remotely) is now so prevalent that it is routinely used to hijack online banking sessions and transfer money out of business accounts. The dedicated machine should not be used for general web browsing or for email, which are the routes by which malware most often arrives, so that the credentials and sessions it handles are not exposed to a compromised everyday workstation.
Posted by Kevin Prince on Fri, Jan 08, 2010
Several top security companies, including Perimeter E-Security, have listed Adobe Acrobat Reader and Flash as top targets for hackers in 2010. Criminals write exploits for unpatched versions of these applications that install malicious code on the user's computer. That code can capture sensitive data, send it back to the criminal over an encrypted channel, give the criminal remote control of the computer, relay attacks against other systems, and perform a host of other activities.
McAfee predicts that this will be the top threat for 2010. In 2009 a host of these vulnerabilities surfaced and were exploited quite frequently. Hackers have been moving "up the stack", which is another way of saying they are moving away from network and service vulnerabilities and going after vulnerabilities in the applications themselves.
In the last year or so, Adobe has shipped versions of its software that can "self patch", but the update usually requires user interaction. Unsophisticated users will often dismiss or disable these prompts, and the patching never happens. Another problem is that these updaters do not provide central management or reporting, so an IT administrator has no way to know which systems are up to date and which are not without checking each and every system. That is difficult and time-consuming, because it seems a week doesn't go by without a new patch being released for some Adobe product.
Posted by Kevin Prince on Thu, Jan 07, 2010
For those of you who still don't have a formal process for patching third-party applications such as Adobe software, you may want to get that figured out quickly. Last month Adobe released fixes for seven security vulnerabilities, all in Flash, six of them rated critical.
In my upcoming "Top 10 Threats for 2010" I list malware as the top threat, and these client-side vulnerabilities are a perfect example of why.
Posted by Kevin Prince on Tue, Jan 05, 2010
As we discuss how attacks are becoming more virulent, here is a good example. A newly detected mass SQL injection attack has now infected close to 300,000 web sites with an invisible iframe. An iframe loads content from another site into the page; in this case it pulls from a series of attacker-controlled sites, so the injected HTML is small and the payload can be changed at any time without touching the victim sites again. The code it loads checks the visitor's browser for vulnerable versions of many client-side applications, including Adobe Flash and Internet Explorer (IE), and exploits any it finds. Once installed, the malware acts as a Trojan horse that captures and steals online banking credentials. Note that the injected content lives in the site's database, not just in a rendered page, so a site that cleans its pages without fixing the injection flaw will simply be reinfected.
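The practical question for a site owner reading this is whether their own pages or database content already carry such an iframe. The following Python scanner is an added example written for this page, not code from the original post or from any product it mentions. It flags iframes that are sized to one pixel or less, hidden by CSS, or positioned off-screen, and notes when they load from a host other than the site's own, which is the pattern described above. The sample page and the host names in it are constructed for the example.

```python
"""Find hidden iframes of the kind planted by mass SQL-injection campaigns.

Added example for this page; the sample page and host names below are
constructed and not taken from any real infection.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS that makes an element invisible to the visitor: display:none,
# visibility:hidden, or large negative offsets that push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attribute names are lowercased


def find_hidden_iframes(html, site_host):
    """Return [(src, reasons), ...] for iframes that are tiny or hidden.

    reasons is a list of strings: "tiny", "hidden-style", and
    "external:<host>" when src points away from site_host.
    Visible, same-host iframes are not reported.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        src_host = urlsplit(src).hostname
        if src_host and src_host.lower() != site_host.lower():
            reasons.append("external:" + src_host)
        # Only the concealment counts as a hit; an external host alone is normal.
        if "tiny" in reasons or "hidden-style" in reasons:
            findings.append((src, reasons))
    return findings


def scan_content_rows(rows, site_host):
    """Scan (row_id, html_fragment) pairs pulled from CMS tables.

    The injected UPDATE writes the iframe into stored text fields, so the
    database content should be scanned, not only rendered pages.
    Returns {row_id: findings} for rows that contain a hidden iframe.
    """
    hits = {}
    for row_id, fragment in rows:
        found = find_hidden_iframes(fragment, site_host)
        if found:
            hits[row_id] = found
    return hits


# Constructed sample page: one legitimate iframe and two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Menu</h1>
<iframe src="https://www.example-restaurant.test/reservations" width="600" height="400"></iframe>
<p>Welcome to our restaurant.</p>
<iframe src="http://evil-redirector.test/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://another-bad.test/x.php" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE, "www.example-restaurant.test"):
        print(src, reasons)
```

Run the scanner over exported page content and over the raw rows of every text column the site's application writes to the database. A hit is a strong indicator but not proof; some analytics and ad code also uses small or hidden iframes, so compare the flagged hosts against what the site is supposed to load. Cleaning the rows without fixing the injectable query only buys time until the next pass of the campaign.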
Posted by Kevin Prince on Tue, Dec 29, 2009
The US House of Representatives has passed the Data Accountability and Trust Act (HR 2221), which would create a national standard for the rules to follow after a data breach has occurred. The bill now goes before the Senate.
There is still some controversy about this bill. On the one hand, it would replace the patchwork of state data breach disclosure laws with a single standard and make compliance much simpler. It would also cover the few states that still don't have a data breach disclosure law. On the other hand, it makes the FTC responsible for enforcement, and some sectors are exempt from FTC enforcement (government, financial institutions, insurance companies, non-profits, and institutions of higher education), so it is unclear how those organizations would fall under the new legislation.
Posted by Kevin Prince on Wed, Dec 23, 2009
Retailers and other organizations are getting tired of taking all the financial and reputational hits for data breaches. Seven restaurants in Louisiana and Mississippi are suing a vendor of point-of-sale systems that allegedly stored credit card data in a manner that did not comply with the PCI DSS (Payment Card Industry Data Security Standard), which among other things prohibits retaining full magnetic-stripe data after a transaction is authorized. As a result, the restaurants say, a data breach occurred. This is similar to the outrage many banks felt over the Heartland breach. We will see this type of lawsuit more often until software and device vendors take PCI DSS and similar requirements seriously.