IT

5 Most Common Ways to Physically Hack Data Centers

Submitted by yahoi
yahoi writes "Red team experts hired to social-engineer their way into a data center say they regularly find physical hacking far too easy. The most common ways to break into a data center: crawling through void spaces in the data center walls; lock-picking the door; "tailgating" into the building; posing as contractors or service repairmen; and jimmying open improperly installed doors or windows. One social engineering expert who once "tailgated" into an energy firm and posed as an employee says his biggest regret is having to dupe a grandmotherly employee, who baked him homemade cookies."
IT

Organizations Rarely Report Data Breaches To FBI

Submitted by yahoi
yahoi writes "Many organizations that have suffered hacks won't talk to law enforcement without a non-disclosure agreement to protect their privacy, and the FBI doesn't typically sign NDAs. But the FBI's acting deputy assistant director in its Cyber Division says not reporting attacks to law enforcement only helps the bad guys. The bureau is actively trying to make disclosure more attractive to companies — with promises of confidentiality and reciprocating with information it gleans from the investigations."
IT

Fake "Bill Gates" Message Dupes Top Tools

Submitted by yahoi
yahoi writes "A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from "Bill Gates" is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."
IT

The 9 Coolest Hacks Of '09

Submitted by yahoi
yahoi writes "There are hacks, and then there are cool hacks: 2009 saw some extreme hacks that gamed biometric face scans, weaponized iPod Touches, dug up actual missile defense data on a second-hand hard drive, replaced application updates with malware in midstream, and even found a way to silence a teenager's frenzy of text messaging. Dark Reading looks at the nine coolest hacks of the year, including a phony LinkedIn invitation from "Bill Gates" that slipped past email security and landed unscathed in corporate inboxes."
IT

First Security Certification On Tap For The Cloud

Submitted by yahoi
yahoi writes "A first-ever security certification dedicated to cloud services is in the works that could help assuage companies concerned about sending their data to off-site service — also known as "cloud" — providers. There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down. Details on the new certification are expected to be revealed early next year, but security experts say it's long overdue."
IT

70% Of Banks Say Their Employees Committed Fraud

Submitted by yahoi
yahoi writes "The financial crisis appears to be exacerbating fraud by bank employees: a new survey found that 70 percent of financial institutions say that in the last 12 months they have experienced a case of data theft by one of their workers. Meanwhile, most banks don't want to talk about the insider threat problem and remain in denial, says a former Wachovia Bank executive who handled insider fraud incidents at the bank and has co-authored a new book called Insidious — How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them that investigates several real-world insider fraud cases at banks."

Organizations Focusing On Wrong Threats

Submitted by yahoi
yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash, and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications as to patch their operating systems."
Security

New Hack Hijacks Application Updates Via WiFi

Submitted by yahoi
yahoi writes "Researchers at the Defcon17 hacker conference last weekend showed off an attack that hijacks the application update process over a WiFi connection and replaces the updates with malware. They say around 100 "everyday" applications are vulnerable to the attack, including CD burners, video players, and other popular apps (although they won't name names). They also released a hacking tool that performs the attack — it basically exploits the insecure way applications use simple HTTP transactions for update downloads. The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized machine can attack other machines in its proximity over a WiFi network.

http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml;jsessionid=B0T235HEY2WW0QSNDLPCKHSCJUNN2JVN?articleID=218900315"
Security

New Mega-Botnet Discovered

Submitted by yahoi
yahoi writes "Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the U.S. The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are in the U.S. government. Researchers from Finjan who found the botnet say it's controlled by six individuals, and includes machines in major banks.

http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=J2N12SRZKGSNIQSNDLRSKH0CJUNN2JVN?articleID=217000166"