2010.02.09

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is to help our clients to that end by protecting an important asset: their information.  So what are we reading today?

Well, it’s Tuesday.  You have successfully made it through another Monday; now what?  If you’re in Minnesota (as we are), then you probably have some shoveling and/or snowblowing to do.  We built a small luge course yesterday (after we got our work done!).  Information security people have a lighter side too!

Today is Safer Internet Day!  Even though this is primarily an EU initiative, take a minute to visit SaferInternet.org.  Maintaining information security awareness goes a long way in protecting yourself, your family and your community or business.

Quote of the day:

It is one of the severest tests of friendship to tell your friend his faults. – Henry Ward Beecher

[FRSecure] At FRSecure we consider our clients to be close friends.  Even in a business friendship, Mr. Beecher’s quote can ring true.

Breaches:
SSNs Printed On Nearly 50K Envelopes
[FRSecure] Another mailing error?!  Sheesh.  It seems like we have found more breaches resulting from mailing errors this year than in years past.  We understand that this is the time of year for sending tax and other sensitive information, but why do we continue to read about these breaches over and over?

Do you suppose that too many organizations consider information security to be an IT issue and miss significant risks in other areas of the business?  We have stated this before, and we will state it again: information security is a business issue, not an IT issue.  If your organization intends to mail sensitive information, then the processes supporting the mailings must be taken into account in your risk assessments.  These mailings should have been QAed better.

Comerica Phish Foiled 2-Factor Protection
[FRSecure] There is still a general sense (among businesses and too many information security professionals) that two-factor authentication will protect against phishing attacks.  This is obviously a false assumption, and this post does a good job of driving that fact home.  If a user is going to give away their credentials, there are few (if any) technological solutions to prevent unauthorized access to sensitive information.

The question of Comerica’s liability will be left to the courts, but it seems as though EMI has a point (case).

We have received the same types of emails from other banks (not to be named because some of them are now our customers) and have in turn alerted them to the risks.  We have never received a response to our warnings.

ACC says sorry for botched mailout
[FRSecure] This is a case of another mailing error, but this time it occurred in New Zealand.  The Accident Compensation Corporation (ACC) allegedly sent 2,000 mailings to the wrong companies.  The mailings contained sensitive private information about workplace injuries.

This was done by an external agency whose procedures would be reviewed – ACC general manager Dr Keith McLea

Oh how true, but ACC’s third-party information security management procedures should be reviewed as well!  We mentioned in our Daily Reading post yesterday how important third-party information security management is to an effective information security program.  How do you manage information security with respect to third parties?

Other Security News:
Adobe apologizes for festering Flash crash bug
[FRSecure] Emmy Huang, product manager for Flash at Adobe, writes some interesting news on her blog that might be at odds with Adobe CTO Kevin Lynch’s insistence that "we don’t ship Flash with any known crash bugs."  The bug in question was reported in September 2008 and still has not been fixed.  All of this comes one week after:

Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash."

Adobe is (and should be) on the hot seat for not properly securing their software.  Have you had any problems with Flash or Reader?  If not, then you probably haven’t used them.

McAfee Threats Report: Fourth Quarter 2009 (.pdf)
[FRSecure] We always find the stats in these reports to be pretty interesting.  For instance, there were an average of 135,500,000,000 spam messages per day in 2009.  Not surprising, but interesting when you put a number on it.  Also interesting is the fact that China has now taken over the number one spot from the U.S. in terms of zombie production.  We can’t say we’re upset about losing this top spot, but it reminds us of the ever-increasing threats coming from overseas.

Search through Palin’s email
[FRSecure] We’re not sure how much value you can get from this, but it’s interesting.  We can search through some of (then) Alaska Governor Sarah Palin’s emails.  Read the background on the landing page for information about how these emails were obtained.

Mario Pirate Fined $1.3 Million
[FRSecure] Ouch.  We recommend that you wait for the official release of software titles, and then, if you’re interested in owning a copy for yourself, buy it!

Cops using YouTube to find criminals
[FRSecure] There sure are a lot of stupid criminals out there!  It’s not the stupid ones that we worry about.

China’s largest hacker training site shuttered
[FRSecure] It’s fine with us if the Black Hawk Safety Net was shut down by Chinese authorities, but we don’t think that this is going to have any real impact on information security.  We are more curious about China’s motivation for shutting the site down, and what could happen to the three individuals who were charged by Chinese officials.

Facebook ‘Cash Scam’ Continues to Grow Even Bigger
[FRSecure] We can warn people again and again, until we are blue in the face, but we can only do so much.  This is a good read about how scammers will collect and aggregate information from various sources to come up with pretty accurate profiles of unsuspecting people.

Screenshot of a PDF file used in a targeted espionage attack
[FRSecure] Want to know what one of the .pdf files used in a targeted espionage attack looks like?  Check it out.

Humor
Today, we thought we would add some Obama humor.  Maybe we’ll add some George Bush humor tomorrow (there’s plenty to choose from).
