A cautionary tale about the dangers of keeping everything in the Cloud


“Once the hacker gained access to Honan’s iCloud account, he or she was able to reset his password, before sending the confirmation email to the trash. Since Honan’s Gmail is linked to his .mac email address, the hacker was also able to reset his Gmail password by sending a recovery email to his .mac address.

Minutes later, the hacker used iCloud to wipe Honan’s iPhone, iPad and Macbook Air remotely. Since the hacker had access to his email, it was effortless to access Honan’s other online accounts, such as Twitter.”

Every new technology has people, the pioneers, who buy into the vendors’ hype … and pay a price for that.

We should learn from them.


Requirements for conducting VA and PT tests

On one of the lists I subscribe to, I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

  1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors, who are trained not only in assessing the system but in assessing the business impact of the risks associated with a vulnerability;
  2. offers no guarantees about what collateral damage the outsider had to do to gain root;
  3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures;
  4. indicates that your management doesn’t understand, or make use of, a proper development-test-deployment life-cycle.

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.