Security


VPN An Oft-Forgotten Attack Vector - Dark Reading

Just because a user on the road VPNs into his corporate network doesn't necessarily mean he's secure -- or that his corporate network is protected from any badness spreading from his machine. The virtual private network can give organizations a false sense of security when they assume that the encrypted tunnel is enough to lock down the communication between a traveling user and the home network. And VPNs increasingly have become an overlooked attack platform, especially in targeted attacks, security experts say. In 55 percent of the breaches investigated by Trustwave SpiderLabs this year, the attackers got in via a VPN or remote access connection. The encrypted tunnel to the corporate network secures the traffic going back and forth from the user and the company servers and resources, but it can also carry malware from the user to the enterprise via that connection, and attackers can grab a user's VPN credentials to make themselves at home in the corporate network as well.
http://www.darkreading.com/authentication/167901072/security/client-security/232300464/vpn-an-oft-forgotten-attack-vector.html

Op-ed: Live, VPN! Why VPNs are a must-have for today's workforce

http://arstechnica.com/business/news/2011/11/op-ed-live-vpn-why-vpns-are-a-must-have-for-todays-workforce.ars
In this op-ed piece, Rainer Enders, CTO of Americas for VPN solution provider NCP engineering, argues that despite the ubiquity of corporate data on our smartphones and laptops, VPNs aren't going to disappear anytime soon. The recent Ars Technica article "Die VPN! We're all 'telecommuters' now—and IT must adjust" declares that we're all "telecommuters" now, perennially connected to our corporate data via smartphones, laptops and tablets. This is certainly true, but this reality actually flies in the face of the article's main point that VPNs should die. One of the commenters on the piece posted: "VPN isn't going anywhere." And the commenter is right—VPN is indeed here to stay, especially now that we're all telecommuters.

One Smart Phone, Two Personalities - Technology Review

http://www.technologyreview.com/communications/38865/
AT&T, the second largest wireless carrier in the U.S., and Qualcomm, which dominates the market for smart-phone processors, want to give your phone a split identity. The companies are separately adopting technology that can make a smart phone secure enough to keep IT bosses happy, but open enough to allow its owner to install apps or surf the Web. AT&T will release its version of the technology, called Toggle, for Android phones this year. Someone using a device with Toggle installed taps the home button twice to flip between personal and work modes.

Why Secure Email Still Doesn't Measure Up

http://www.readwriteweb.com/enterprise/2011/08/why-secure-email-still-doesnt.php
Well, this week marks the tenth anniversary of identity-based message encryption, with more than a billion secure messages being exchanged annually, according to Voltage, one of the leaders in this space. This is certainly a surprise. Who knew so many messages were being encrypted?

A Chip to Encrypt the Web - Technology Review

http://www.technologyreview.com/computing/38336/
A new computer chip will help tackle one of the Web's weak spots—the fact that most data is exchanged without any protection against hackers or eavesdroppers. For some communications, such as credit card payments and online banking transactions, it is standard to encrypt the information that users and websites send each other. But most online activity is completely unprotected, largely because encrypting communications requires extra work from Web servers and software, which is costly to implement. Search queries and social media updates, for example, are almost exclusively sent in forms easily read by a third party snooping on Web traffic.
HTTPS Everywhere | Electronic Frontier Foundation

https://www.eff.org/https-everywhere
HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today. HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

'Indestructible' Zombie PC Botnet Borrows Exploit From Israeli, U.S. Cyberweapon - Technology Review

http://www.technologyreview.com/blog/mimssbits/26957/
Four and a half million PCs, many of them in the U.S., are infected with what security researchers at internet security specialists Kaspersky Lab describe as an "indestructible" form of malware. They are doing everything from taking down websites with DDoS attacks to acting as a conduit for up to 30 other pieces of malware. This malware, known as TDL4, deploys a number of clever tricks to guarantee its own survival, including one borrowed straight from the world's most sophisticated cyberweapon, Stuxnet. Stuxnet was almost certainly a joint U.S. / Israeli creation aimed at damaging the Iranian nuclear weapons program, which it did, by destroying a thousand centrifuges used for uranium enrichment.

CWE - Common Weakness Enumeration

http://cwe.mitre.org/
Status Report: Version 2.1 posted September 13, 2011. There are major changes to 133 entries; 16 new entries for the CERT C++ Secure Coding Standard; changes to 97 taxonomy mappings to support the various CERT coding standards for C, C++, and Java; and modifications to over 30 entries for potential mitigations and references, in support of an updated pocket guide for mitigating the Top 25, which will be released in the future. The schema was also updated to support reference management in future CWE versions.
Techmeme

http://www.techmeme.com/
iTunes: Time to right the syncing ship — When Apple introduced iTunes in 2001, it served one purpose: as a music jukebox app. Later that year, it added its most important feature: the ability to sync tracks with the just-introduced iPod. Originally, you could just drag tracks onto …

Human Errors Fuel Hacking as Government Test Shows Nothing Prevents Idiocy - Bloomberg

http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html
The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Employees, Not Hackers, Are The Biggest Threat to Security

The Department of Homeland Security will release a new guidance document today intended to make the software that runs the Web less susceptible to malicious hacks. DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers.

The Usability of Passwords (by @baekdal) #tips

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy-to-remember and highly secure passwords. In fact, usable passwords are often far better than complex ones. Asking: Amazingly, the most common way to gain access to someone's password is simply to ask for it (often in relation with something else).

Data Loss Plummets, Verizon Report Finds -- InformationWeek

The real world of cybercrime is very different than the virtual landscape described by security vendors, insists Bryan Sartin, director of investigative response for Verizon Business. Verizon Business on Tuesday plans to issue its 2011 Data Breach Investigations Report, which covers almost 800 cases from 2010 and includes incidents investigated by the U.S. Secret Service and the Dutch National High-Tech Crime Unit. The report finds the lowest level of data loss in 25 years, even as it covers the highest number of cases ever, almost as many in 2010 as the 900 covered in the years from 2004 through 2009. This at a time when the hacking hype is intense.

HTTPS is more secure, so why isn't the Web using it?

You wouldn't write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to any service that uses a plain HTTP connection, that's essentially what you're doing. There is a better way, the secure version of HTTP—HTTPS. That extra "S" in the URL means your connection is secure and it's much harder for anyone else to see what you're doing. But if HTTPS is more secure, why doesn't the entire Web use it?

Chrome 10 brings Flash sandboxing and new settings UI

Plug-ins have historically been a major attack vector for Internet malware—particularly Adobe's Flash and Acrobat plug-ins, which are notoriously insecure. Rather than seriously addressing the issue, Adobe has capitalized on the poor security of its own software by bundling unwanted McAfee crapware in Flash and Acrobat updates. Chrome 10 introduces support for Flash sandboxing, which is now enabled by default on Windows Vista and Windows 7. The feature, which attempts to limit Flash's access to sensitive system functionality, is one of several key plug-in security features that Google has delivered since it started collaborating with Adobe almost a year ago. Chrome 10 has also gained support for selective plug-in blocking and automatically blocking out-of-date plug-ins. A new settings panel introduced in Chrome 10 offers a big usability boost.