Archive for March, 2009

Why you don’t need to worry about Conficker on April 1

The world is not going to end tomorrow. Nor is the Internet going to come to a screeching halt. Nor is everyone going to wake up with their hand in a bowl of warm water.
Everyone is worried about Conficker and the new variant “C” going into effect on April 1. [...]

Spybot Search & Destroy Scam

I recently wanted to download Spybot Search and Destroy, a free software package that tests your system for spyware and other malware. I went to Google and typed, “Spybot Search and Destroy” and the following Google results page came up.

In the sponsored links at the top, you see a site called The [...]

Financial Data Breach Study by Kevin Prince of Perimeter eSecurity

A new financial institution data breach study has recently been published by Kevin Prince of Perimeter eSecurity. It analyzes breaches between 2000 and 2008. While several aspects of the study deserve individual discussion and attention, it is interesting that Kevin Prince did a podcast interview with BankInfoSecurity. In the podcast Kevin answers [...]

PDF Reader Flaw beyond JavaScript & Adobe

Adobe promised to have a patch to fix the Reader flaw that could cause the compromise of end user systems by March 11 (which they did), but as we have seen in times past, too many end user systems do not get patches for non-Microsoft third-party apps. This is serious because it has [...]

Data Breach Notification Expanded

California State Senator Joe Simitian has introduced legislation that would force companies that experience data security breaches to provide specific information in their disclosure letters. Currently, there is little or no specifics required which often confuses and muddies the waters for consumers. Customers want to know if their information was stolen specifically. [...]

Data Breaches by Threat Categories

A recent study breaks down the threat categories of 500+ caseloads of investigated breaches.

Error – Poor decisions, misconfigurations, omissions, non-compliance, process breakdowns, etc. Nearly 80% of breaches within this category are due to omission.
Hacking – Deliberate action against information systems.
Malcode – Malicious software or code found to contribute to breach in question. [...]

827% Increase in Malware Sites with Password-Stealing Crimeware

According to the Anti-Phishing Working Group, the number of websites that contain malware/crimeware that can infect PCs with password-stealing software reached an all-time high of 31,173 in December, which was an 827% increase from 12 months prior. December alone was nearly 3 times higher than any previous month on record.

Websense discovers Multi-iFrame Exploit Attack

A post regarding a new iFrame exploit attack discovered by Websense ThreatSeeker is quite interesting. The attack method itself isn’t new; what is new is the use of multiple iFrames as a way to attempt to exploit any one of several vulnerable applications on the user’s desktop.

Regulations & IT Governance Frameworks 101

With so many regulations and IT governance frameworks out there, it can be confusing to keep them all straight. I recently saw a whitepaper put out by Qualys that had (I thought) a really good, brief description of the major ones. Here it is:
Regulations
SOX – The Sarbanes-Oxley Act of 2002 requires strict internal [...]

Fidelis

Fidelis is a very advanced extrusion management platform. It encompasses several devices that can be either inline or out of band at several places in your network. It is primarily designed for large enterprise and Fortune 2000 companies. Their pricing model is per device rather than per seat. They probably have [...]