A couple of days ago, I saw an article posted on Facebook about smartphone security. It discussed how someone could gain information about you, your family, where you live, your habits, and a variety of other information, all from what you post through your smartphone. Several people posted online how shocked they were that they didn’t realize applications on your smartphone could make that type of information publicly available.
Having worked in the IT security world, I found the article to be common knowledge. Of course you need to adjust your privacy settings every couple of months. I quickly realized, though, that not everyone is surrounded by security engineers (who could probably hack into my phone within minutes).
The technology in smartphones is mind-boggling. Its capabilities make my life easier, but at the same time, are extremely unnerving. Private information is now publicly accessible and the majority of people don’t even know about it. When you... read more >
An Ongoing Threat
W00t! It's trilogy time! Some stories warrant a trilogy, like Christopher Nolan's Dark Knight Trilogy or Star Wars Episodes IV to VI. Others, not so much... yeah, I'm looking at you Karate Kid II and III.
I think the Heartbleed bug in OpenSSL warrants the additional coverage. Only time will tell, I suppose.
For those of you just joining us, part one is the blog "'Heartbleed Bug' in OpenSSL Puts Data at Risk", where I covered what the vulnerability is and how to remediate it with the information that was available shortly after the release.
To recap: we are dealing with a single vulnerability in the OpenSSL library that was exploitable for over two years. The flaw is a missing bounds check in the heartbeat extension, which a client normally uses to tell a server that it is still active. The result is a leak of server memory, up to and including the private key for the SSL certificate. Bad News Bears,... read more >
#FollowFriday Top News of the Week: The Never-Ending Stories – NSA, Target, XP and Heartbleed; What Next?
Certain stories have the ability to captivate the world for great lengths of time. Stuxnet had all eyes on it back in 2010. Flame in 2012. Even Windows XP had an incredible run in the limelight, and that had nothing (yet) to do with a breach. Just in the last few months, we’ve had the NSA, Target, Heartbleed, and now all eyes could be focused on the latest from the Michael’s data breach. It’s a never-ending carousel, but before we dive into the Michael’s data breach, let’s be fair to Heartbleed and not look beyond this week’s updates.
A Brief Impact Analysis
If you missed out on all the fun last week, there’s an issue with OpenSSL called "Heartbleed" which allows an attacker to interrogate vulnerable servers and force them to divulge sensitive information resident in server memory. Additionally, sensitive information extracted by leveraging this vulnerability can also allow an attacker to perform what is known as a man-in-the-middle attack and expose encrypted data in transit. Luckily, the announcement of the vulnerability came with a patch included.
So this is as simple as installing a new patch right?
Well, yes and no. Even with a patch available, solid patch management programs are not as commonplace as we might like.
One of the key findings in our recent NTT Group 2014 Global Threat Intelligence Report (GTIR) was that over half the vulnerabilities detected... read more >
Going Beyond Compliance
File integrity monitoring (FIM) is the process of validating files, folders and registry settings against a known baseline to understand when and what changes occur. Many people view this as simply a requirement for compliance; however, FIM is a greatly underutilized tool in information security. It can provide insight into changes which may be key to detecting and stopping incorrect or unauthorized changes and threats.
FIM systems start with a known-good baseline.
The most common implementation of a FIM system is a client-server configuration. Administrators have both agent-based and agentless endpoint solutions available to them. These make comparisons against baseline information to notify the server of changes on the monitored systems. Any deviation from the baseline (addition, deletion or change) is logged for further review. Combining FIM with an appropriate change control process helps administrators easily identify unauthorized actions.
On Monday, the Heartbleed firestorm commenced with an article written by Ars Technica’s Dan Goodin. Titled, “Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping,” Goodin opens his article by painting the grim picture of how pervasive the Heartbleed bug is and how embedded it is in the foundation of the Internet as we know it. As it turns out, Heartbleed affects approximately two-thirds of Web servers and exposes end-users to eavesdropping by any threat actor who could be interested in passwords, banking information or pretty much any other associated sensitive data.
Goodin writes in his story, “The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks.”... read more >
Is "Thingamageddon" an Imminent Threat?
In a recent article on www.darkreading.com, Matthew J Schwartz writes about the "Thingularity" that some security experts fear is about to be upon us.
The "Thingularity" or, perhaps more appropriately "Thingamageddon", refers to the push to create an "Internet of Things" (IoT seems to be the TLA for those so inclined) where all sorts of appliances and devices that were never previously connected to the Internet suddenly are.
But as the article discusses, the danger lies in the IoT becoming an Internet of "Thingbots". There have already been demonstrations and evidence of connected devices like media centers, refrigerators and TVs becoming bots used to send spam and participate in attacks.
Technology has a history of demonstrating that we CAN do something, often (always?) before we perhaps SHOULD do something. Call me... read more >