The InfoSec Blog
System Integrity: Context Is Everything
Currently browsing category: Failures

Another Java bug: Disable the java setting in your browser

11 January, 2013 | Filed under: Cloud, Failures, Human Factors, Rants and Raves, Risk

http://www.kb.cert.org/vuls/id/625617 Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable …

A cautionary tale about the dangers of keeping everything in the

8 August, 2012 | Filed under: Crime, Failures, Security

http://www.brisbanetimes.com.au/digital-life/consumer-security/apple-cloud-burst-how-hacker-wiped-mats-life-20120806-23orv.html “Once the hacker gained access to Honan’s iCloud account, he or she was able to reset his password, before sending the confirmation email to the trash. Since Honan’s Gmail is linked to his .mac email address, the hacker was also able to reset his Gmail password by sending a …

Tight budgets no excuse for SMBs’ poor security readiness

2 July, 2012 | Filed under: 11th Domain, Failures, Human Factors, Rants and Raves, Risk

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/ From the “left hand doesn’t know what the right hand is doing” department: Ngair Teow Hin, CEO of SecureAge, noted that smaller companies tend to be “hard-pressed” to invest or focus on IT-related resources such as security tools due to the lack of capital. This financial situation is further …

Escalation

2 June, 2012 | Filed under: Failures, Human Factors

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/ At one level there’s the old argument about disclosure of security holes, but this is also an example of ‘driving’ security improvement. …

Why Info Sec Positions Go Unfilled

25 May, 2012 | Filed under: Failures, Human Factors, Risk, Security, Social

http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/ There are many holes in this, but I think they miss some important points. First is setting IT HR to look for Infosec. That is because many people think InfoSec is an IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was …

How to get a job in security

17 May, 2012 | Filed under: Failures, How-to, Human Factors, Security

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/ I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a …

Managing Software

1 April, 2012 | Filed under: Failures, Policy, Rants and Raves, Risk, Security

Last month, this question came up in a discussion forum I’m involved with: Another challenge to which I want to get an answer is, do developers always need Admin rights to perform their testing? Is there not a way to give them privilege access and yet have them get …

Social Engineering and sufficiency of awareness training

23 March, 2012 | Filed under: 11th Domain, Failures, Human Factors, Policy, Risk, Social, Standards

Someone asked: If you have a good information security awareness amongst the employees then it should not be a problem what kind of attempts are made by the social engineers to glean information from your employees. Yes but as RSA demonstrated, it is a moving target. You need to have …

Please Realize That Piracy is a Service Problem.

10 February, 2012 | Filed under: Crime, Failures, Politics & Economics, Rants and Raves, Social

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/ The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to video tapes and DVDs, how they objected even though those turned out to be immensely profitable. We all know that and we all know that despite …

The Death of Antivirus Software

24 January, 2012 | Filed under: Failures, Human Factors, Rants and Raves, Security

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html The real issue here isn’t Ubuntu, or any other form of Linux. It’s that AV software doesn’t work. PERIOD. There are over 50,000 new pieces of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can’t cope. …

“My dog knows you don’t look like me”

19 January, 2012 | Filed under: Failures, Human Factors, Privacy, Security

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157 So do my cats. But so what? Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apple and every Tablet and smartphone? Perhaps eyeball recognition like in “Minority Report”. And I’m sure there are _other_ ways to hack that than …

Doubts about “Defense in Depth”

30 November, 2011 | Filed under: Crime, Failures, Risk, Security, Standards

So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack). I have doubts about “defence in depth” analogies with the military that many people in InfoSec use. Read what they are really talking …

Using ALE … inappropriately

7 August, 2011 | Filed under: Failures, Rants and Raves, Risk

Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this: summing many hundreds of fluctuating variables to one figure. Perhaps the saddest expression …

He’s not Ian Paisley

8 July, 2011 | Filed under: 11th Domain, Failures, Human Factors, Social

I was at a presentation yesterday. One of the vendor’s speakers, I’m sorry to say, was a CISSP. OK, he wasn’t Ian Paisley or any other radical religious zealot. BUT he was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us …

Compliance? What Compliance?

1 July, 2011 | Filed under: Failures, Rants and Raves, Risk

Sometimes I wonder why we bother … The Securities and Exchange Commission doesn’t just enforce the rules that govern Wall Street. When asked, it often grants individual companies exemptions from the rules. …

Sony backs U.S. ineffective cybersecurity legislation

1 July, 2011 | Filed under: Crime, Failures, Law, Politics & Economics, Risk, Security

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html “If nothing else, perhaps the frequency, audacity and harmfulness of these attacks will help encourage Congress to enact new legislation to make the Internet a safer place for everyone,” the Sony executive said. “By working together to enact meaningful cybersecurity legislation we can limit the threat posed to U.S. …

A large scale failure of information security

28 June, 2011 | Filed under: Crime, Failures, Risk

http://www.informationweek.com/news/security/attacks/231000472 Does LulzSec’s nonstop hacking campaign, and apparent success at taking down everyone from Sony to the U.S. Senate, point to fundamental flaws in website security? “One of the assertions made by the recent run of high profile attacks was that all networks are vulnerable, and the groups behind these …

Requirements for conducting VA & PT – Take 2

18 April, 2011 | Filed under: Failures, Rants and Raves, Risk, Security

Some people are under the mistaken impression that a Pen Test simulates a hacker’s actions. We get ridiculous statements in RFPs such as: The tests shall be conducted in a broader way like a hacker will do. LOL! If a real hacker is doing it then it’s not a test …

Requirements for conducting VA and PT tests

15 April, 2011 | Filed under: Failures, Human Factors, Rants and Raves, Risk, Security

On one of the lists I subscribe to I saw someone make this alarming comment: There may be better and cheaper ways, but I suspect that an outsider walking in and gaining root on your core database is much more convincing than an auditor pointing out the same vulns. That …

IT AUDIT VS Risk Assessment – 2

31 January, 2011 | Filed under: Failures, Human Factors, Politics & Economics, Risk, Security, Social

We were discussing which should be done first and someone said: The first has to be risk assessment as it is the foundation of information security. You first need to know where the risk is before putting up any controls to mitigate that risk. Putting up ad hoc controls will not make …

© 2013 The InfoSec Blog