2010
02.08

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to get ourselves in the right frame of mind as information security consultants, and to be the best consultants we can be in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is to help our clients to that end by protecting an important asset: their information. So what are we reading today?

Happy Monday!  We hope you enjoyed the Super Bowl, if you watched it.  Lighter reading today.

Quote of the day:

"You become a champion by fighting one more round. When things are tough, you fight one more round." - James Corbett

[FRSecure] James J. Corbett was a heavyweight boxing champion and is known as the "Father of Modern Boxing".  Want to be a champion?  According to "Gentleman Jim" and most others, you need to keep fighting.

Breaches:
Indian IT Mammoth "TCS" Website Hacked. Most Probable To Be ‘French Hackers’ Behind This
[FRSecure] This doesn’t look good for Tata Consultancy Services.  As the article says, the tcs.com website is back to normal now.  There is no mention of the incident on Tata’s own site.  A DNS hijack is suspected; if so, visitors were redirected by tampering with the domain’s DNS records (at the registrar or the authoritative name servers) rather than by compromising the web server itself, which is why the site could be "back to normal" without the server ever having been touched.  The attack appears to have been the work of a single person.  How well do you secure and manage your DNS?  Who holds the registrar credentials, is the domain locked against transfer, and would you notice a change to your NS or A records before your customers did?

UTEP: Students Social Security Numbers May Have Been Visible In Mail
[FRSecure] If you follow breaches, you know that these mailing/folding/sorting errors are fairly common.

UTEP said they notified 15,000 students but they don’t know exactly how many students were affected.

"Some of the forms were folded in such a way that the document shifted on the envelope and allowed for the Social Security number to be visible through the mailing window on the envelope," said Jose Hernandez with UTEP Business Affairs.

Hernandez said this is the first time UTEP has encountered a problem like this and said students should monitor their credit report.

This may be the first time UTEP has encountered a problem like this, but it is hardly the first time something like this has happened elsewhere.  If you mail sensitive information, build a quality check into the process: inspect a sample of sealed envelopes from every run before it goes out, and ask whether the full Social Security number needs to be printed on the form at all.

AvMed: Data of 208,000 at risk after Gainesville theft
[FRSecure] OK, this may seem obvious, but sensitive information (including names, addresses, phone numbers, Social Security numbers and protected health information) should not be stored on laptops, and certainly not on unencrypted laptops.  The article does not say the drives were encrypted, so we will assume they were not.  These laptops were stolen from the AvMed Health Plans corporate offices, and the theft affects as many as 208,000 customers.  Tsk tsk.

Security in General
FICO security lapse scary, but not part of larger problem
[FRSecure] This is an interesting Q&A.  Apparently FICO sold a customer’s personal information to an imposter.  The company is not offering any credit monitoring or other assistance.  Basically, they tell you that your information was accessed by an imposter, and that’s that.  An interesting quote from FICO spokesman Craig Watts:

"We tend to over-alert our members about possible threats rather than under-alert, since we believe it’s much better to be safe – if possibly a little rattled – than sorry in the face of possible identity theft"

While this may seem like a noble policy on the part of FICO, we don’t suggest this approach.  If there is no real reason to concern someone, then don’t.  Remember the boy who cried wolf?  Pretty soon, nobody listens anymore.  You also risk customers jumping to conclusions and misunderstanding what actually happened.  If you are an organization that believes in taking the FICO approach, be sure to include enough information for people to understand their actual risk: what data was exposed, to whom, and what they should do about it.

We are assuming that the information in this Q&A is accurate.  We would be interested in knowing how this breach took place in the first place (what the vulnerability was, and whether it was a failure in how FICO verifies the identity of the person requesting a report), and what FICO plans to change in order to prevent a breach like this from happening in the future.

ShmooCon: P2P Snoopers Know What’s In Your Wallet
[FRSecure] P2P can be your friend or your worst enemy.  We suggest that if you don’t need it (and you probably don’t), then don’t use it!  According to the information in this article, an insecure P2P setup could even get you killed!  Most P2P leaks come from a file-sharing client configured to share far more of the disk than the user intended, so tax returns, bank statements and work documents end up searchable by anyone on the network.  There are numerous reports of breaches occurring through P2P networking, although not many of them seem to make it into the public domain.

Pesce described the findings as a lesson in stupidity and compared the act of stealing identities through P2P to "clubbing baby seals."

Blunt, and to the point.  Read on and consider what you should be doing to prevent P2P breaches.  If you aren’t sure, contact FRSecure.

Oracle Breaks Regular Patch Cycle Because of Zero-Day Bug
[FRSecure] Full disclosure forces Oracle to break with tradition.

The company was forced to take this step after exploit code has been publicly released by a security research company without any notification in advance.

The debate for and against full disclosure rages on.  Brian Krebs wrote a nice article that addresses the frustration some security researchers have when dealing with software vendors.  See "Firm to Release Database & Web Server 0days".  Are you for or against full disclosure?

Mass injection web hacks yield to targeted attacks
[FRSecure] Quality vs. quantity.  It appears as though the bad guys are seeking quality: rather than injecting the same malicious code into thousands of sites indiscriminately, they are spending their effort on fewer, higher-value targets.

Copiers Present Risk for Identity Theft
[FRSecure] Anything that has the ability to store data must be properly sanitized before retirement or reuse.  Copiers with hard drives or flash storage are no exception: a digital copier keeps images of the pages it scans and copies on its internal storage, and those images stay there until something overwrites them.  Think twice before you go to a commercial copy retailer to run off a couple of copies of your tax return.  How many people know how to properly sanitize a hard drive or other data storage device, and how many of them verify afterwards that the data is actually gone?
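Sanitizing storage is only half the job; the other half is checking that the data is really gone.  The script below is an added example written for this page, not code from FRSecure or from the article.  It uses a 1 MiB image file as a stand-in for a copier's hard drive, plants a constructed marker string (a made-up Social Security number) in it, overwrites the file in place with a random pass followed by a zero pass, and then verifies that a plain search no longer finds the marker and that every byte reads back as zero.  The file name and marker are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). A 1 MiB image file stands in
# for a copier's hard drive: make_image plants a constructed marker string
# in it, wipe_image overwrites it in place (random pass, then zero pass),
# marker_present checks whether a plain search still finds the marker, and
# verify_wiped confirms the marker is gone and the image is all zeros.
set -eu

MARKER='SSN:123-45-6789 TAXRETURN'   # constructed sample data, not a real SSN

make_image() {   # $1 = path of the image file to create
  dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
  # plant the marker a few KiB in, roughly where a document would sit
  printf '%s' "$MARKER" | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

wipe_image() {   # $1 = path; overwrite every byte of the file, twice
  size=$(wc -c < "$1" | tr -d ' ')
  # conv=notrunc writes over the existing blocks instead of truncating and
  # reallocating, so the old contents are actually overwritten
  head -c "$size" /dev/urandom | dd of="$1" conv=notrunc 2>/dev/null
  head -c "$size" /dev/zero    | dd of="$1" conv=notrunc 2>/dev/null
  sync
}

marker_present() {   # $1 = path, $2 = marker; exit 0 if a search still finds it
  # strip NUL bytes so the search works on the raw image like a text stream
  tr -d '\000' < "$1" | grep -q -- "$2"
}

verify_wiped() {   # $1 = path, $2 = marker; exit 0 only if sanitized
  if marker_present "$1" "$2"; then
    return 1          # recoverable data still on the image
  fi
  # after the zero pass, no non-zero byte should remain anywhere
  nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# Demonstration run: operates only on a temporary file, nothing else is touched
img=$(mktemp)
make_image "$img"
marker_present "$img" "$MARKER" && echo "before wipe: marker recoverable"
wipe_image "$img"
verify_wiped "$img" "$MARKER" && echo "after wipe: image sanitized"
rm -f "$img"
```

The verification step is the point: a wipe you cannot check is a wipe you cannot trust.  On a real drive the same idea applies, but overwriting through the filesystem is not enough.  Use the drive's own secure-erase command or the vendor's sanitization tool, or physically destroy the media, and be aware that overwriting is unreliable on flash storage because wear leveling can leave old copies of data in blocks you never wrote to.  NIST SP 800-88 covers the options and when each is appropriate.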

Cellular networks breach not easily executed ‘live’
[FRSecure] No comment.

Third parties introduce many deficiencies exploited by attackers
[FRSecure] FRSecure has seen a significant amount of work in this area recently.  Either a company that engages us has recently been audited by one of their B2B customers, or a company is seeking help on how to formalize its approach to third-party information security management.  Poor third-party information security management can be devastating: a vendor’s default password or remote-access tool is, from the attacker’s point of view, your default password and your remote-access tool.

In a striking trend, the SpiderLabs team also found that third-party vendors or their software was responsible for more than 81 percent of investigations of a security incident or compromise. It was these third parties that introduced many deficiencies exploited by the attacker, such as default vendor-supplied passwords and insecure remote access applications.

We don’t think that this is a "striking trend".  This information should not be a surprise to information security pros.

Vodafone Suspends Employee Following Homophobic Remarks
[FRSecure] At the end of the day, Vodafone’s Twitter following grew dramatically.  Hmmm, makes us think…  Naw.

Humor
Some more tasteless humor.  In order to be included in this section of our daily reading, the joke, picture, or video has to make us giggle (a manly giggle, not a girlish one).  We giggled at this one.  This video clip just ain’t cool, but it was funny enough to get us giggling.


Brutal Buttered Shower Floor Faceplant
