What is the most secure way to authenticate electronic data? Until recently,
many technical people would have answered ‘cryptographic keys’ without
blinking. But recent headline events - and a ‘biggie’ last year - have
raised serious doubts about the ability of cryptographic keys to protect
vital government and corporate data.
Here are two examples from February that should make CIOs, CTOs and CSOs
tremble in their boardrooms: McAfee revoking keys for signing apps on the
Apple store; and stolen keys from Bit9 being used to sign malware.
In the McAfee case, a McAfee administrator revoked (by mistake) the digital
key for certifying desktop apps that run on Apple's OS X, thereby creating
serious problems for customers who wanted to install or upgrade Mac antivirus.
The original Arstechnica article (McAfee revoking keys) noted that the
administrator intended ... (more)
The Metasploit Framework is a penetration testing toolkit, exploit
development platform, and research tool. The framework includes hundreds of
working remote exploits for a variety of platforms. Payloads, encoders, and
nop slide generators can be mixed and matched with exploit modules to solve
almost any exploit-related task. A very nice feature in Metasploit is the
ability to pivot through a Meterpreter session to the network on the other
side. This tutorial walks you through how this is done once you have a
Meterpreter session on a foreign box. We begin right after a client side
exploit has been achieved from an attacker machine running Ubuntu Linux to
the victim machine running Windows XP.
The Metasploit Project is an open-source, computer security project which
provides information about security vulnerabilities that assist in performing
a penet... (more)
Conspiracy theorists and other concerned citizens will insist the government
is watching every keystroke, keeping a record of every website, transaction,
text and email. Shades of 1984’s Big Brother, right? These last few weeks,
the news has been brimming with revelations of data surveillance and
monitoring by the government (not to mention data harvesting corporations
like Google, Yahoo, Facebook etc…). Everyone, including the security buffs
at CloudAccess, is sensitive as to what is being looked at, stored, and
analyzed for hazily defined purposes. Privacy is no longer as private as you
think; and hasn’t been for many years.
Politics, ethics and debates over 4th amendment interpretation aside (as they
serve no useful purpose in this analysis), a question was asked on one of the
security forums: in light of these alleged breaches of trust, whether
cloud security... (more)
Today even the smallest of businesses can generate a huge volume of emails,
payment information and other data that must be protected. Medical practices,
credit unions and independent retailers all face HIPAA, PCI and other
standards. With so many regulations and limited budgets, how can small
businesses keep up? Here are the top security mistakes that leave SMBs
vulnerable to breaches and compliance audits.
Ignoring Blind Spots
In small businesses, technical expertise is generally not deep - rather, the
folks in charge of protecting data are often performing other job functions
in the company. If your staff lacks expertise in a given area, it is
important to invest in a regular health check with subject matter experts to
ensure each solution you have in place continues to remain optimally
configured, and operating at peak performance.
Thinking Your Size Makes You ... (more)
As regulatory oversight across the financial landscape continues to drive
greater transparency and stricter penalties, outsourcing to the private cloud
has become an integral resource for hedge fund and private equity managers.
Cloud infrastructure services are now synonymous with increased efficiency,
decreased costs and added security. However, security in particular remains a
key concern for many financial services firms. The costs a cloud services
provider can incur in dealing with a security breach, both financially and to
its reputation, can be devastating.
Infrastructure providers, particularly those catering to financial services
firms such as hedge funds, must have strict policies in place and employ best
practices to ensure that their clients receive the same level of security as
they would achieve with an on-site network. While most participants in the
Computer security has become much harder to manage in recent years, and this
is due to the fact that attackers continuously come up with new and more
effective ways to attack our systems. As attackers become increasingly
sophisticated we as security professionals must ensure that they do not have
free rein over the systems that we are hired to protect. An attack vector
that many people forget to consider is the boot process, which is almost
completely controlled by the BIOS.
The BIOS is a privileged piece of software that is generally ignored by
day-to-day users and thus they are usually unable to comprehend the
importance of it in our computers. The Basic Input/Output System was first
invented by Gary Kildall for use in his operating system CP/M and this became
what we now know as the conventional BIOS system. The BIOS appeared in
IBM-compatible PCs around 1975 an... (more)
Across all industries, small businesses are increasingly facing new threats
related to cyber security. Some have taken minimal steps to address
these threats, but most have not. New security threats and incidents are
reported every day in news reports, and many more remain unreported. This
underscores the need for cyber security education of small business owners
and managers. These threats have potentially serious consequences and could
lead to unrecoverable damage to small businesses.
What are some consequences of the lack of basic cyber security controls?
Lost or stolen customer data
Loss of intellectual property
Decreased productivity
Legal liability
Regulatory sanctions and fines
Computer systems downtime
Loss of reputation and customer confidence
Loss of revenue
Banking
Could this happen to you?
It is very important to understand that neither size nor i... (more)
Last week, we saw that Defensive Security is not enough to solve the $1
trillion Intellectual Property and IT theft and cybercrime problem.
This week, more about Preventive Security.
Preventive Security is a set of technologies and processes used to prevent
security incidents from even being attempted. These include awareness and
training programs, establishment of proper policies and procedures and the
use of technology solutions in support of existing laws.
In fact, this is not very different from "regular" crime and how we deal with
it. We arm ourselves with the means to catch the bad guys, we severely punish
crimes and we let people know that crime is bad, that jail is also bad and
that if they try and commit the crime they will be caught. This prevents most
people from getting into trouble.
So how severe are punishments for IT crimes?
In a case tried in March o... (more)
In a recent blog post, Art Coviello, the executive chairman at RSA, posed an
important question: how do we move from traditional security to
intelligence-driven security? In his answer he described how the rapidly
growing, interdependent exchanges between parties (B2C, B2B, B2P, etc.) have
outgrown the traditional means of securing the enterprise:
“IT organizations have continued to construct security infrastructures
around a disintegrating perimeter of increasingly ineffective controls.”
He described a new model of cyber-security that includes five concepts:
A thorough understanding of risk
The use of agile controls based on pattern recognition and predictive analytics
The use of big data analytics to give context to vast streams of data to produce timely, actionable information
Personnel with the right skill set to operate the systems
Information sharing
I hav... (more)
Vancouver-based ENC Security Systems, which is supposed to make "un-hackable"
Encrypt Stick flash drive software, has released an Encrypt Stick 5.0 Private
Browser, a digital privacy browser that it claims is the safest way to browse.
Its timing couldn't be better, considering the Federal Trade Commission is now
backing the development of a Do-Not-Track system for the web, which has got the
online ad people worried about their $23 billion sector and claiming it will
mean the end of free content; and Firefox is revisiting a Do-Not-Track mechanism
after Mozilla, pressured by an ad exec, killed such a tool a few months ago
for fear Madison Avenue would come up with something sneakier, the Wall
Street Journal says.
Anyway, the Encrypt Stick Private Browser runs from the user's flash drive
and applies polymorphic encryption, which creates unique encryption
algorithms ... (more)
For Windows environments, it is critical that organizations can delegate
administration and establish granular privileges quickly and efficiently to
restrict administrators so they only access the servers and resources
required to perform their job and only during the approved times to perform
specific tasks. This white paper examines the security, compliance and
efficiency issues surrounding least privilege management for Windows servers,
and explains where native Windows tools fall short. It then describes how
Centrify's DirectAuthorize component for Windows eliminates the problem of
too many users having broad and unmanaged administrative powers by delivering
secure delegation of privileged access and granularly enforcing who can
perform what administrative functions.