Friday, June 27, 2008

ATM Thieves Caught By IT Security and Stakeout

Here's a fascinating story in Wired about how authorities grabbed a ring of ATM thieves by combining network security monitoring with an old-fashioned stakeout.

Normal Sites Like Google Host Malware

It used to be that if you avoided dicey sites, like porn, you could stay away from malware. But that's not the case anymore, as even reputable sites like Google and The New York Times get snagged by links to spyware-laden sites.

And, as online advertising grows, which it inevitably will, the problem will only get worse. The problem is called cross-linking, as major web sites have links to less reputable sites, without even knowing it.

Wednesday, June 25, 2008

Online ID Card Promoted by New Industry Group

The digital equivalent of a driver's license for identifying users online is being promoted by a new industry group whose members include Microsoft, Oracle, Google and PayPal, according to The New York Times and Computer World.

The new group, called the Information Card Foundation (ICF), will work to create standards for an online digital ID. Such an ID would allow users to log on to web sites with a single digital ID, without user IDs and passwords.

Tuesday, June 24, 2008

Mac Trojan on the Loose

Two Mac security firms have identified a Trojan targeted against Mac OS X, according to SC Magazine. The Trojan allows a malicious user to execute programs as root. The attacker can get complete control of the system remotely, transmit system passwords and fly under the radar by opening firewall ports and disabling logging.

The advisories were from security firms Intego and SecureMac.

Sunday, June 22, 2008

Crime Servers Discovered by Finjan

This isn't unusual these days. Finjan's Malicious Code Research Center recently found 500 megabytes of stolen data on servers in Argentina and Malaysia. Apparently, the data were for sale to the highest bidder, according to this report in SC Magazine last week.

This also isn't the first time Finjan, a web security outfit, has found a crimeware supermarket. They have a lot of interesting reports and tools on their web site.

Tips for Protecting Your Identity Online

Here are some tips from a recent Computer World article about protecting your identity online. They're pretty much common sense, but they still bear repeating.

The first, and most obvious, is to not post any personal information -- address, birthday, or phone number, for example. This is a lot different than posting about something like your musical tastes, which isn't likely to be used for either identity theft or physical assault.

Be careful about who you expose yourself to. Use privacy features, and opt out of searches, on social networking sites like Facebook.

Thirdly, be careful when dating online. Rather than just assume anybody posting is who they say they are, use a reliable and reputable service that screens its applicants.

Love can be online. It just has to be careful. It's not like a bar, where you can see and talk to a potential mate in person. Even then, prudent adults would be careful. Treat the online world the same way.

Thursday, June 12, 2008

Network World Review of Little Black Book, 2E

There was a really nice review today in Network World in Mich Kabay's Security Strategies Alert column about the recently released second edition of my book, The Little Black Book of Computer Security.

Monday, June 09, 2008

Five Mistakes of Privacy Awareness Programs

Privacy has now become a buzzword linked with information security. In fact, the two seem to go hand-in-hand at some companies. And, regulatory requirements now mandate training for employees on privacy as part of the secure handling of customer data.

But the quality of training varies, according to Jay Cline in this editorial in Computer World. Cline is president of Minnesota Privacy Consultants.

He says most companies skimp on training by taking these five shortcuts:

1) Conducting separate training for privacy, security, records management and code of ethics.
2) Equating "campaign" with "program."
3) Equating "awareness" with "training."
4) Using one or two communications channels.
5) No measurement.

Adobe Growing Attack Target?

Here's a thought-provoking item from eWeek about how Adobe software could be a growing attack vector. Why Adobe, and why now?

The article gives two reasons. First, Adobe PDFs and other products are becoming vital parts of many companies' businesses. How many times have you gotten PDFs for everything from sales brochures to white papers? I'd bet more and more.

Second, Adobe is integrating Flash into its documents, increasing the attack space tremendously. Flash has already been victimized, and the two together now increase the combined threat.

Sunday, June 08, 2008

Five Laptop Security Tips

Here are five tips from Computer World for safeguarding your laptop:

1) Dock it or lock it up
2) Tag your laptop for quick recovery
3) Use tracking software
4) Deploy a strong BIOS password
5) Back up and encrypt data

I recently had another post about the 10 security risks of laptops.

How To Choose An Application-Level Firewall

Here's how in my article on TechTarget's SearchSecurity web site last week. I explained how the issue is tied up with complying with Section 6.6 of PCI.

Section 6.6, which comes into force as a requirement on June 30, says that companies processing credit cards must either conduct a code review or install a web application firewall.

Now, as we all know, application security isn't an either-or proposition. And, unfortunately, some companies think the easy way out is to just buy an application firewall.

Read the article for more details.

Tuesday, June 03, 2008

My Article On Compliance For The Little Guy

I had an article come out yesterday on SearchCIO-Midmarket about compliance for middle market companies. I gave some tips and best practices, as well as a list of tools for keeping tabs on compliance for smaller companies.

One product for tracking SOX compliance had the unusual name of Knock Your SOX Off.