A recent discussion in the Zecurion Group on LinkedIn.com (you may have to be a member of LinkedIn, if not of the Zecurion Group, to read it; joining is free) highlights the upcoming EU mandate and provides an extensive, detailed look at the elements of the data breach notification rules and how to implement effective compliance.
The report shared in the Zecurion Group ends with this summary:
At any rate, ENISA already provides us with useful examples of practices in Europe, helping the stakeholders in their study of the question:
- The risks should be clearly identified.
- Breaches should be evaluated and prioritised before notifying them to data protection authorities and data subjects.
- The means of notifications should be specifically decided by the operators and used without undue delay.
- Regulatory authorities should strengthen compliance.
- Private operators and data protection authorities should usefully cooperate to enforce the security through this new procedure.
A study conducted by Qualys found that 80 percent of Web browsers have holes. Or, as InformationWeek phrases it, “Roughly 80 percent of browsers today are insecure, owing to their having a known vulnerability either in the browser itself, or due to a vulnerable plug-in, such as an outdated version of Shockwave, Flash, the Java runtime environment, or QuickTime.”
The article goes on to state that more than half of the vulnerabilities stem from plug-ins, adding, “The most common insecure browser plug-ins in use are (in order): Java, Adobe Reader, QuickTime, Flash, Shockwave, and Windows Media Player. Many of these plug-ins are widespread–97 percent of computers have the Adobe Flash plug-in installed, and 95 percent have one for Windows Media Player.”
The problem is that the browsers generally have an automatic update feature of some sort, and users are pretty good about keeping the browser up to date, but forget about the plug-ins. Even with updated plug-ins, though, there are still known vulnerabilities that remain exposed in the browsers themselves as well.
You can employ third-party tools like Invincea Browser Protection for an extra layer of defense, or just exercise extreme caution when surfing the Web. Rather than treating your Web surfing like you are strolling through your own back yard with an armed security escort, think of it like you got lost on the wrong side of town, your cell phone battery is dead, and you are trying to navigate dark alleys at night to make it safely home.
The Nigerian fraud scam predates the World Wide Web, email, and the Internet, yet it remains surprisingly effective. It amazes me, though, that there are still people who aren’t familiar with the concept, or who are still gullible/naive enough to believe that an exiled Nigerian prince needs your help and wants to share his millions with you in appreciation. Seriously?
There are other variations–like the scam that a man from Naperville, IL fell victim to. This man has been under the misguided impression for two years that he is in a relationship with a mysterious woman on the Internet. He never actually met the woman, but that hasn’t stopped him from sending over $200,000 to her over the two years. You would think it might have raised a red flag or two when he was wiring money to accounts in multiple countries–including the United States, England, Malaysia, and…NIGERIA!
There is some humorous irony in that the scammer went too far by claiming to be kidnapped and requiring ransom–leading the Naperville man to involve authorities for “her” rescue. Instead, the police had to sit the guy down and break it to him that he has been getting scammed for two years and his “girlfriend” doesn’t exist.
Apple has reportedly invited expert security researchers to analyze an early preview release of the OS and provide feedback. Dino Dai Zovi–co-author of The Mac Hacker’s Handbook, and Charlie Miller–Dai Zovi’s co-author and perennial winner of the Pwn2Own race to hack the Mac, are among those invited to scrutinize Lion.
According to a report from ComputerWorld’s Greg Keizer, the researchers must agree to an NDA which bars them from sharing anything they might find with the public. Keizer quotes Miller, stating, “They’ve never done this before. That they’re thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I’ll believe it when I see it.”
The phishing email contains the obligatory spelling and grammatical errors that should be red flags to any recipient above the third or fourth grade level. In closing, let me just remind everyone once again not to open file attachments–especially file attachments claiming to be from some financial institution you do business with directing you to fill out some attached form. PayPal, your bank, and any other reputable business will not ask you for sensitive information via email or with a file attachment.
A post from AppleInsider.com provides a detailed look at how the patent application describes the potential data security measure. Basically, the “safe deposit box” would be a folder or partition specifically designated for secure storage. Files dragged to the safe deposit box would have additional security measures in place and require user authentication to access–à la verifying one’s identity and providing the necessary key in order to access a bank safe deposit box.
But, imagine if your bank somehow duplicated your sensitive and priceless possessions from your safe deposit box, and stored the copies in another safe deposit box at another bank as an added precaution? Well, Apple plans to do that as well. Files stored in the safe deposit box will be automatically copied to secure storage in the cloud.
Conceptually, it sounds nice. But, like most approaches to data protection, the Achilles’ heel is the user. The success or value of an approach like this relies on the user’s ability to determine what data is important or sensitive, and the user’s execution to make sure the data gets stored in the right folder.
Assuming a user with the ability and willingness to follow through, the safe deposit box seems like a reasonable method of data protection.
The FAQ response to the question “What happened?” is ambiguous and elusive: “As a result of our continuous security monitoring, we identified and blocked this attack. Additionally, new security measures have been deployed to help keep this type of breach from happening in the future.”
Great, but um…..what happened?
Winamp claims that there is no evidence that any information other than email addresses was exposed, but it is directing Winamp Forums users to change their account passwords as a precaution. The FAQ also reiterates that standard security best practices suggest that users should be changing their passwords regularly anyway.
At face value, giving the government the ability to shut off such a critical lifeline to the world as the Internet seems ridiculous. However, there are actually some legitimate cases where the government might want such a capability–not to oppress the people, but to defend them.
As Americans, we don’t want the government to have any undue power or control. But, a case can be made that it is in our best interests from a national security perspective to allow the government to shut off portions of the Internet in the event of a cyber attack against the nation. Shutting down the affected portions of the Internet can contain the threat and prevent any further spread or damage while responding to the attack.
According to an article on the Senate bill from USA Today, “The Cybersecurity and Internet Freedom Act aims to protect critical infrastructures that Americans rely on–the power grid, financial systems and water supply, among other things–in the event of a potentially crippling digital assault. It does not, as its authors say, give anyone the authority to choke off the Internet with the flick of a so-called “kill switch,” as some of its critics contend.”
I get it. The country is very polarized in its political alignment, and we only trust administrations we support. Armed political militias and rhetoric about defending the Constitution all but died during the Bush administration–while the government pushed through the PATRIOT Act without debate or reasonable consideration, and illegally spied on citizens, and found clever loopholes allowing prisoners to be “legally” tortured and circumventing the Fourth, Fifth, and Sixth amendments to the Constitution.
Yet, suddenly when the Obama administration wants to solve the healthcare epidemic armed militias show up at rallies, and conservative mouthpieces like Glenn Beck and Rush Limbaugh stoke the fires of tinfoil hat conspiracy theorists suggesting the President is not an American citizen, or he’s a Muslim (as if that would somehow disqualify him for the office of President).
Conversely, I was quite sure that Bush, Cheney, and Rove had an overt disdain for the Constitution and how it got in the way of them doing what they wanted to do, and that the Bush administration did more damage to the United States and the world than any government leadership of any nation in decades. Yet, I fully support President Obama and I have faith that he is focused on the best interests of the nation.
My point is, I am sure that the reality lies somewhere in the middle, and the government has an obligation to protect and defend the nation. Cries of “kill switch” are akin to cries of “death panel” in the healthcare debate, or the “birther” movement to prove President Obama is not an American citizen. They are silly, ridiculous distractions.
I don’t know if the bill currently before the Senate is the right bill to get the job done. But, I do know it addresses a need, and that it should be considered and debated–rationally.
Laptops in particular are easily lost or stolen, and often contain gigabytes upon gigabytes of confidential company information, or private client or customer data. It is critical to protect that data–and for many organizations it is mandated by compliance requirements. Seagate’s Momentus self-encrypting drives (SEDs) can help ensure that the data is not compromised or exposed.
The Seagate press release explains, “The AES encryption chip in the Momentus SEDs automatically and transparently encrypts all drive data, not just selected files or partitions. The 2.5-inch drive also eliminates disk initialization and configuration required by encryption software, allows IT administrators to instantly erase all data cryptographically so the drive can be quickly and easily redeployed, and delivers full inline-speed encryption with no impact to system performance.”
With more vendor support and industry cooperation, as well as government certifications, it may not take long for Seagate to hit that two million mark.
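As an added illustration of the two properties the press release claims, transparent encryption of every sector and instant cryptographic erase, the constructed drive model below (my own example, not Seagate's firmware; the names Drive, NewDrive, Write, Read and CryptoErase are assumptions) keeps its data-encryption key internal and shows that regenerating that key leaves every stored byte in place yet makes all of it unreadable:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Drive is a constructed model of a self-encrypting drive (not Seagate's firmware):
// the data-encryption key (DEK) lives only inside the drive, and every sector is
// stored as AES-256-GCM ciphertext under it; callers never see the key.
type Drive struct {
	dek     []byte
	Sectors [][]byte // nonce || ciphertext || tag, one entry per written sector
}

func (d *Drive) aead() cipher.AEAD {
	block, _ := aes.NewCipher(d.dek) // 32-byte key, so the error path cannot trigger
	g, _ := cipher.NewGCM(block)
	return g
}

// NewDrive generates a random DEK, as an SED does at manufacture time.
func NewDrive() *Drive {
	d := &Drive{dek: make([]byte, 32)}
	rand.Read(d.dek)
	return d
}

// Write encrypts transparently, prefixing a fresh random nonce to the ciphertext.
func (d *Drive) Write(data []byte) {
	g := d.aead()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	d.Sectors = append(d.Sectors, g.Seal(nonce, nonce, data, nil))
}

// Read decrypts sector i; under a different DEK the GCM tag fails and nothing is returned.
func (d *Drive) Read(i int) ([]byte, error) {
	g := d.aead()
	n := g.NonceSize()
	return g.Open(nil, d.Sectors[i][:n], d.Sectors[i][n:], nil)
}

// CryptoErase replaces the DEK and nothing else: the ciphertext stays on the platter
// byte for byte, but no key that can decrypt it exists any longer, which is what
// lets the drive be redeployed instantly instead of being overwritten for hours.
func (d *Drive) CryptoErase() {
	rand.Read(d.dek)
}
```

A real SED additionally wraps the DEK under a user authentication key and uses a slow KDF for it; that layer is left out here to keep the erase property in focus.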
The McAfee report–titled Global Energy Cyber Attacks: “Night Dragon”–states, “Starting in November 2009, coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved social engineering, spear phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.”
The implications are ominous. The computer and network security industry operates on a primarily reaction-based model. Attackers create threats, and security vendors discover them and create defenses to guard against them…after the fact. If the attacks fly under the radar, though–remaining undiscovered–then there is little that most of today’s security solutions can do to detect or stop them.
Attacks such as this–like the “Operation Aurora” attacks against Google and others (also a China-based effort), or the Stuxnet worm ostensibly engineered specifically to compromise the nuclear capabilities of Iran–are much harder to defend against. McAfee explains, “Our experience has shown that many other industries are currently vulnerable and are under continuous and persistent cyber espionage attacks of this type. More and more, these attacks focus not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property.”
Technology has evolved, and cyber attacks have matured. Organizations can’t just rely on the traditional firewall and antivirus software model to protect corporate secrets and other sensitive information, or to guard against subversive coordinated attacks. IT and security admins need to be more proactive about vulnerability and risk assessment of critical assets, and more vigilant about safeguarding sensitive information and preventing it from being leaked or compromised.