Posts tagged security

Can you protect yourself on Social Media?

Facebook, Inc.
Image via Wikipedia

One of the greatest challenges to privacy and security in the next several years is social networks and social media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is the complete opposite of what network security requires. This really encourages people to do things that are not security-conscious. Social media encourages:

  • Lack of privacy
  • Over-sharing of information
  • Giving away answers to security questions
  • Social engineering

As we have seen recently, a lot of spam, spyware and malware is attacking social networks. Just in the past week I have probably gotten 100 requests to be my friend on Facebook from people I do not know and, funnily enough, all the messages have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and the availability of data for social engineering. Relationship building is easier through social media, which can easily lead to phishing attacks.

With these sites, people install applications without knowing what goes on in the background, and it's easy to download malicious code to your computer. There are no external third-party audits of these applications before they make it into your Facebook application list. Your computer can easily be infected by a virus or spyware.

What can the social media user do to protect their information?
No personal information – This is anti-social-network, but there are things you can limit about what you post. Don't post your birthday! Or your address, or your mother's middle name, or any really personal data.

Limit who can view and contact you – Don't let your profile be truly public; restrict it to people you know and to requested users. Remember you can't retract information you put out there.

Don't trust strangers – Your mother was right, don't open the door to strangers. Limit who you accept chat or friend requests from, as well as who you even communicate with.

Trust no one – People lie; it's sad but true. So profiles lie: they might say they went to your college or high school. They might claim to be interested in your groups, so don't take anyone at their word.

Restrict your privacy – There are some configuration settings in all the social media applications that let you turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example: in Facebook you can create groups that you place friends in; you don't want business contacts seeing what your friends are posting.

Password management – An oldie but a goodie: always use a strong password and don't share it. And change it periodically.

Layers of protection – You should be running a personal firewall and antivirus software on the machine you use to view social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well, and run patch management software on your machine; this is especially important for you Windows users.

Child protection software – You should have some kind of child protection software running on machines that children under 13 are using. This will help with all that shady software that is out there.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test 

When will Vendors provide Risk Assessments of their products?

Adobe Systems Incorporated
Image via Wikipedia

If you drove a car and every week you had to get something fixed, it would prove pretty annoying, disgusting, outrageous, and you probably would never buy that model again and probably wouldn't buy from that manufacturer either. So why do we accept buggy software that is vulnerable to things like cross-site scripting attacks, buffer overflows, malware and such? But we do that every day. Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe's and weak websites such as Facebook.
As stated by CIO.com, "SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible for nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies." The biggest companies are culprits.

So what are we to do about buggy software? We may scream "I'm mad as hell and I am not going to take it anymore!" It might feel good for a second or two, but it is not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, here are some theoretical things the end user can do to change the deadly cycle of poor software:

  1. Sue! I don't know if that's possible, but if you bought a car with bad acceleration problems (ahem, Toyota) you might just sue the manufacturer if you got into an accident. Can we do that if some hacker breaks in through buggy software?
  2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the iPad. But can we all move away from Microsoft tomorrow? Probably not.
  3. Make the vendors conduct risk assessments of their products prior to release. A third-party risk assessment is probably a good idea. Something with more teeth than a SAS70-type review.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

Ponemon Institute Cyber megatrends – Some Additions Needed

Ponemon Institute recently released their Cyber megatrends, as listed below. While I agree with these, I think there are a couple that could easily be added to the list. First, I would either add Web 3.0 or modify Web 2.0 into Web 3.0. Let's look at what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee, but in many cases are not subjected to the same Network Security Assessment requirements.

It's a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecast anyway.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

HIPAA Vendor Compromised Healthcare Records

This is a story that is several months old, but as I came across it, I thought it would make a good point. A vendor handling healthcare records lost people's Social Security numbers in March of 2009. In this case, health insurer Aetna, Inc. is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, held Social Security numbers of current and past employees and of individuals who received job offers from the insurer, the AP reported.

The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn't know how many were copied, but the site has been disabled and is undergoing a "thorough forensic review", or, as you might say, a network security audit by an outside company.

So here we have a health insurer compromising personal data. People already receive so much spam email that any real email is suspect. If your provider Aetna seems to be sending legitimate emails to you, that can get confusing.

As noted in the article “This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee’s laptop computer containing certain personal member information was stolen from a car in a public parking lot.”

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, it's very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

iPhone Apps Every Road Warrior Entrepreneur Needs

The BlackBerry has been the mainstay of the business world for years. But as we know, the iPhone is eating away at its market share. There are over 75,000 apps for the iPhone now, and the number is growing steadily. For those who have BlackBerry Thumb, you can probably look forward to iPhone Index Finger at some point in the future as you switch away from the BlackBerry.

Why should you switch from the BlackBerry? Well, there may not be a good reason. The BlackBerry has a number of apps and it is secure: it has encryption and has been beaten up on the security front with things like network security assessment and application security testing. It's ingrained in businesses, and BlackBerry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let's assume there are at least some people using the iPhone; what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well, the way I picked them is through word of mouth, apps that are of benefit to me, and ones that fit alongside network security assessment tools. I travel, work in my car, have meetings at all times of day, and I am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world, or at least with the readers of this blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well, that's not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking, managed security services, application security risk assessment and deal making, where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting in the most random city.

AroundMe

In the same vein as Urban Spoon is AroundMe. Say you are on your way to an important lunch you have set up at a restaurant you found on Urban Spoon, but you are almost out of gas. Use AroundMe to find the closest gas station. Or if you need cash to pay for that gas because your Amex card has been cancelled, find the closest bank.

GoogleMaps

Well, this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS, this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates with Outlook or Google Calendar and provides memory assistance. It's great when you have no pen, or are driving a car, or need a memory reminder.

FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport, or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.

TweetDeck

Social media, the latest buzzword, actually has some teeth. Small companies and the Entrepreneur have to be connected to the world whether you like it or not. Twitter is a way of life these days, even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.

These apps don't seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today. These help you achieve your million tasks on a timely basis.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Stolen laptop with employee information- yet again

The Associated Press reported that a Williams Cos. Inc. laptop containing personal and compensation information was stolen from a worker's vehicle. The laptop held the records of over 4,400 current and former employees: information like names, birth dates, Social Security numbers and compensation data. How many times have we seen this story?

They said the laptop was password protected. Well then, let's not worry, eh? A password, run for Ze Hillz! They did not say whether other security measures were in place, such as PGP Whole Disk Encryption, application security risk assessment and network security audit tools, or whether any kind of remote wiping utility was in place, or even if a hard disk password was used. The people whose data was stolen can only hope this might be the case.

So now we have the hokey pokey dance of checking credit, getting a free one-year membership to credit monitoring, burning down the barn now that the horse has been stolen, all that good stuff.

Here is a list of some recent thefts:

Records    Date        Organization(s)
1,084      2009-08-06  Colorado Department of Corrections
131,000    2009-08-04  United States Army National Guard
1,000      2009-08-04  New Hampshire Department of Corrections
4,400      2009-07-31  Williams Companies, Inc.
766        2009-07-28  University of Colorado CO Springs
573,928    2009-07-25  Network Solutions
900        2009-07-24  Hampton Redevelopment and Housing Authority
1,000      2009-07-23  American International Group (AIG), American Life Insurance Co Japan
180,000    2009-07-22  HSBC Holdings plc, HSBC Life
1,917      2009-07-22  HSBC Holdings plc, HSBC Actuaries

The main problem with these events is that the user is uneducated when it comes to security and doesn't bother to go for a security penetration test or information security risk assessment. No matter what kind of technology you put in place, the user can find a way around it to compromise your security. First educate them, then worry about technology to protect them from their own stupidity.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

o:888-KRAA-911,  c: 917-568-7917, f: 866-633-6601

Address: 20801 Biscayne Blvd, Suite 403, Aventura, FL 33180

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

US to set out cyber security plan -Baha to the rescue

Why did it take us over two decades to really approach the cybersecurity topic? When I started in information security in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part, being on the early team at PriceWaterhouse, where we had the first ever corporate "Hacking Lab" in NJ to test our clients' security weaknesses. Those were good times. Now we are just in regular times.

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well, that was obvious. When you have hackers running around American corporations and in and out of government agencies, I would agree that is "untenable".

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You have to address this both strategically and tactically: tactically in the short term and strategically in the long term.

We know government can't get out of its own way, so let the private sector have more say in how this is done. A simple way to start:
1) Have a timeline, say two years, to have every government and quasi-government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have patch management for all systems.
4) Encrypt any data leaving a secure internal system.
5) Figure out what Data Loss Prevention means!
6) FUND cybersecurity like it's part of the Defense Budget.

Baha – new Cybersecurity Czar

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

Laptop Encryption – Serious lack of security

I believe that more personal information has been stolen than there are actual people in the US. How much was stolen from the government would make a nice study. And has anyone in the government actually been fired?

So the employee lost the laptop. Do you blame the employee, or the agency for not educating the employee and providing whole-disk encryption? The agency believes that an unencrypted hard drive that has a "password" is secure? Well, maybe someone should explain computer hacking, Windows security, encryption and the concept of intrusion prevention to DHS.

Well, you will probably see that laptop on eBay or in a pawn shop. Some halfway intelligent person who buys it might be able to get to the data. Then what?

Five Steps to Laptop Security 101:

1) Encrypt using whole-disk encryption, or at a minimum encrypt your data folders. Try PGP encryption (www.auroraent.com).

2) Patch management: use automated patch management.

3) Firewall: use a managed firewall in a corporate environment or a personal firewall; there are lots of free and cheap ones out there.

4) Hard disk password: you can protect your drive from even booting with a hard disk password. Yes, this can be broken and the manufacturer can reset it, but it's a pain and the casual person will not know what to do.

5) Don't let the government have a laptop.
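As an added example (not code from the original post) of how a defender can verify step 1 on a Linux laptop: the script below walks the JSON tree printed by "lsblk -J -o NAME,TYPE,MOUNTPOINT" and reports whether the device holding / sits under a dm-crypt mapping. It assumes util-linux's lsblk, which supports -J and reports dm-crypt mappings with TYPE "crypt"; the two sample trees are constructed, not captured from a real machine.

```python
"""Check whether a Linux laptop's root filesystem lives on an encrypted
(dm-crypt/LUKS) block device, using the JSON tree from
`lsblk -J -o NAME,TYPE,MOUNTPOINT`.

Added example, not from the original post. Assumptions: util-linux lsblk
with -J (JSON) support, and TYPE reported as "crypt" for dm-crypt mappings.
"""
import json
import subprocess


def _find_path_to_mount(nodes, target, trail=()):
    """Depth-first walk of the lsblk tree; return the chain of (name, type)
    from the top-level disk down to the device mounted at `target`, or None."""
    for node in nodes:
        here = trail + ((node.get("name"), node.get("type")),)
        if node.get("mountpoint") == target:
            return here
        found = _find_path_to_mount(node.get("children", []), target, here)
        if found:
            return found
    return None


def root_is_encrypted(lsblk_json, mountpoint="/"):
    """True if the device holding `mountpoint` is, or sits under, a dm-crypt
    ("crypt") mapping. A plain partition straight under a disk means the data
    is readable by anyone who pulls the drive, login password or not."""
    tree = json.loads(lsblk_json)["blockdevices"]
    chain = _find_path_to_mount(tree, mountpoint)
    if chain is None:
        raise ValueError(f"no block device mounted at {mountpoint}")
    return any(dev_type == "crypt" for _name, dev_type in chain)


def check_live_system():
    """Run lsblk on this machine (Linux only) and report the posture of /."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return root_is_encrypted(out)


# Constructed sample outputs (not captured from a real machine).
UNENCRYPTED = """{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]}"""

ENCRYPTED = """{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]}]}"""

if __name__ == "__main__":
    for label, sample in (("unencrypted", UNENCRYPTED), ("encrypted", ENCRYPTED)):
        print(label, "->", "OK" if root_is_encrypted(sample) else "DATA AT RISK")
```

Note that /boot is normally left unencrypted even on a properly encrypted laptop, so the check is deliberately aimed at the mount point holding the user's data.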

regards

gary

http://www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

* Managed Firewall

* Managed Antivirus

* Managed IDS

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Unencrypted laptop with 1 million SSNs stolen from state

SC Magazine Dan Kaplan April 24, 2009

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.

The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday.

The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency.

“We feel this was not a situation where someone was targeting the agency or that information,” DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. “We feel it was random.”

Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said.

News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.