snydeq writes: "The IT security world is full of charlatans, and all of us have been 'advised' by at least one of them. From big-ticket items that solve tiny problems you don't have, to surprises about the feature set after you've already signed the dotted line, here are 14 underhanded techniques that security consultants use to drain IT security budgets and avoid accountability."
snydeq writes: "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday.... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"
snydeq writes: "InfoWorld reports on a growing trend facing business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
snydeq writes: "Steganography expert Peter Wayner discusses six techniques that help obscure the data and traces you leave online. 'The truth is, worrying about the trail of digital footprints and digital dustballs filled with our digital DNA is not just for raving paranoids. Sure, some leaks like the subtle variations in power consumed by our computers are only exploitable by teams of geniuses with big budgets, but many of the simpler ones are already being abused by identity thieves, blackmail artists, spammers, or worse.' What tools and techniques do you use to ensure greater privacy and better security of personal data on the Web?"
snydeq writes: "The 'write once, run anywhere' software platform has become a favorite of cyber attackers. Is it time for users to kill their Java? Security firms think so. None too gentle with Oracle's Java following the revelation this week that attackers are using two Java vulnerabilities to compromise selected targets, security pros are advising users to uninstall the Java plug-in in your browser and don't use services that require the software."
snydeq writes: "Over the years, hacking has evolved from a one-person crime of opportunity to an open market of sophisticated malware backed by crime syndicates and money launderers. When describing a typical hacking scenario, these days you must begin well before the hack or even the hacker, with the organization behind the attack. Today, hacking is all crime, all the time, complete with bidding markets for malware, crime syndicates, botnets for hire, and cyber warfare gone amok. Here are the nine biggest threats facing today's IT security pros."
snydeq writes: "When it comes to IT security, FUD is more than just the tool of overhyping vendors hoping to sell their next big thing. It is the reality that seasoned IT security pros live in, thanks in large part to the shortcomings of traditional approaches to securing IT systems and data. The truth is most common IT security products and techniques don't work as advertised, leaving us far more exposed to malicious code than we know. That's because traditional IT security takes a whack-a-mole approach to threats, leaving us to catch up with the next wave of innovative malware. From the truth about antivirus scanners to the failings of PKI, here are nine popular IT security practices that don't work and 10 nontraditional IT security tricks that do."
snydeq writes: "Offer a new means for IT defense, and expect to meet resistance. Yet, sometimes going against the wave of traditional thinking on IT security is the surest path to success. From honeypots, to renaming admins, to installing to custom directories, these 10 security ideas have been shunned as too offbeat to work but function quite effectively in helping secure IT assets. 'The companies employing these methods don't care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.'"
snydeq writes: "New York-based law firm Gioconda Law Group has filed a lawsuit against self-proclaimed cyber security developer Arthur Kenzie for allegedly using typosquatting tactics to set up a bogus Web domain for intercepting email messages intended for the firm. Kenzie has similarly set up so-called doppelganger domains to harvest emails intended for companies such as McDonalds, MasterCard, NewsCorp, and McAfee, the law firm alleges. According to Gioconda, which specializes in IP protection law, Kenzie registered the domain name GiocondoLaw.com, which is strikingly similar to the firm's actual domain, GiocondaLaw.com. Kenzie has allegedly used the doppelganger domain to create fake email accounts with which to intentionally intercept private emails addressed to the firm's lawyers and staff."
snydeq writes: "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"
snydeq writes: "Flame has proven a complex piece of malware, but if it were to disappear today, the Internet would be just as insecure, thanks to a laundry list of IT insecurities that haven't been solved. 'The state of IT security is really bad already. Flame may add more fuel to the fire, but the inferno is already raging.... The real problems are related to infrastructure and not to a particular worm or endpoint exploit. It's not as though defending ourselves against everything Flame can accomplish will address any part of the larger problem.'"
snydeq writes: "So many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is, Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
snydeq writes: "With the rising popularity of Internet-enabled TVs, the usual array of attacks and exploits will soon be coming to a screen near you. 'Will Internet TVs be hacked as successfully as previous generations of digital devices? Of course they will. Nothing in a computer built into a TV makes it less attackable than a PC.... Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively. Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.'"
snydeq writes: "When employees use personal devices for business purposes, too much security can create more risk than it prevents, writes Advice Line's Bob Lewis. 'Risk comes in two forms. Some risks are possibilities of increased costs; the remainder are risks of decreased revenue. The former gets the most attention because those are the ones that happen in big bites — and are the most visible,' Lewis writes. 'But risks that lead to less revenue are arguably more important. They come in such forms as customer dissatisfaction, reduced innovation, poor collaboration among employees and with business partners and customers, and employee apathy. Information security has, for the most part, focused its attention on the pitfalls of increased cost, which has led to its being one of the biggest sources of revenue risk. It doesn't have to be that way, but it will be unless and until business leaders insist on alternatives to the traditional lock-'em-down-and-tie-'em-up so-called best practices.'"
snydeq writes: "InfoWorld's Serdar Yegulalp provides an in-depth review of 7 password managers for Windows, OS X, iOS, and Android. 'Password vaults, aka password safes or password managers, give you a central place to store all your passwords, encrypted and protected by a passphrase or token that you provide. This way, you have to memorize a single password — the one for your password vault. All the other passwords you use can be as long and complex as possible, even randomly generated, and you don't have to worry about remembering them.' Under review are password managers 1Password, KeePass, Keeper, LastPass, Password Safe, RoboForm, and SplashID."