Tag Archives: Education

Seeing the Light of Security…

A recent article in DFI News discusses some interesting research by physicists at Heriot-Watt Univ. and Univ. of Strathclyde. They are working with tiny particles of light to create a new way of verifying electronic messages and transactions as authentic, helping address the huge cost of e-crime and avoiding potentially catastrophic fraud, online hacking and theft of digital data.

The article discusses how the research shows that photons can be used to verify the security and authenticity of any transaction or communication with a “digital signature.” The article specifically states the following:

Quantum-based secure signatures mean that an “eavesdropper” — a malevolent third party listening in — cannot fake a signed message which is being sent to multiple recipients.

  • The sender writes the signature with encoded light particles and sends it to the receiver
  • The receiver cannot yet read the signature. However, it can be sure it received an authentic signature
  • To confirm a message is authentic and to also read it, the receiver has to receive both the message (the “signature”) plus additional information required to decipher it
  • The multiple receivers confirm that they have received identical signatures – only then does the sender provide the additional information required to read the signature
  • This process takes place without the user (e.g. a shopper) being required to do anything differently to current security methods

When physicists begin looking at how they can impact and improve e-commerce, you know there is a large amount of money at stake. It will be interesting to see how this can be implemented in the real world and also how it will be circumvented…

 


Are You Satisfied With Nothing…

Are you a small business? Are you satisfied with your customer and business data security? According to a recent survey of small businesses by Symantec and National Cyber Security Alliance, 86% state that they are. In an article in SC Magazine published 10/22, some of the interesting details of the survey are discussed.

According to the article, those 86% are satisfied with the level of security protecting the customer and business data of their businesses. In addition, 77% of the small businesses surveyed believe that their business is safe from any breach. According to the article about the survey, the following is what is most concerning:

However, 87 percent of respondents have not written a formal security policy for employees, 83 percent lack any security blueprint at all and 59 percent have no plan in place to respond to a security incident.

These statistics are very concerning. If you take this survey of 1,015 small businesses (250 employees or fewer) as a reasonable sample of all small businesses, the result is frightening. Even if you take it with a grain of salt, it is scary that most have no planning in place. One can only guess why a business would not put a plan in place, even a basic one. Is it the cost of security or the “this business is too small to be hit” mindset? Whatever the rationale used to make the decision, it was a decision to accept the risk of compromise and breach. But as more and more businesses begin to use cloud services and other mechanisms on the Internet, they are turning from an obscure local “mom and pop” business into one with a larger footprint that can span the globe.

Preparation is always a wise decision. Whether you document that you are buying a top-of-the-line next-gen firewall and intrusion protection system or just changing the Linksys encryption from WEP to WPA2 and changing the default admin password, the documented plan is a step in the right direction. Remember, it is important to measure twice and cut once.

In closing, the following quote is something for everyone to consider:

“Invincibility lies in the defence; the possibility of victory in the attack.” — Sun Tzu


Phishing for HTML 5…

The blog Feross.org posted a good article on using HTML5 for phishing on Oct 8th. Now, to most security professionals, this type of attack will be easily bypassed, but it is meant for the same group of people who help feed the African Prince that is trying to pay you by transferring his money through your bank account. In addition, it also targets those people who do not validate the websites they go to or who allow scripting on all sites.

This article could be used to help educate users, although in a highly technical way, in how to look for this type of attack and prevent it from succeeding. It is important to remember that all the technical defenses applied to a network or system can be circumvented by uneducated or unaware users who do not practice proper security principles.


Java for OS X 2012-006

On October 16, 2012 Apple released yet another Java update for OS X. This update is a security update to correct multiple vulnerabilities in Java. This update applies to Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion v10.8 or later. Specifically, the update addresses the following according to the Apple site:

Description: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

As usual, Java is a security concern. If you haven’t already done so, disable/uninstall Java unless you absolutely need it. In addition, make sure you update your Java if needed.

SOAP BOX: For Oracle, if Java is going to continue to be used…FIX IT…


Academics and Security Are Not Always Hand-in-Hand…

Two separate articles in SC Magazine point to a slew of issues with universities maintaining privacy and security.

In the first article, the University of Chicago sent out postcards to their 9,100 employees reminding them of their benefits open season. They added the extra bonus of including the employees' Social Security numbers on the cards as well. The school stated:

A school official said there is no reason to believe outsiders had misused any of the information. The university also recommended that employees securely get rid of the postcards.

The problem is that it only takes one “outsider” to misuse the information once to potentially ruin someone's life.

In the second article, the anonymous hacktivist group GhostShell recently posted data from multiple universities. The leader of the group tweeted about the hack along with a link to the Pastebin data.

In the Pastebin message, GhostShell said that the recent attacks were launched to bring attention to various grievances the group holds toward the educational systems in the United States, Europe and Asia. The hackers cited growing tuition fees, frequently changing laws and heavily regulated teaching.

Furthermore, the group also noted that many of the systems targeted had already been infected with malware. Since these universities are meant to educate the next generation in various fields, computer science and technology among them, it would make sense for these universities to apply the concepts and principles of security within the systems they use.

Governments and other organizations make mistakes, so it is understandable that similar things would occur in academia, but regardless of where it happens, the old saying “measure twice, cut once” needs to be driven home in everything we do. Whether it is a mail merge or a network, good security practices need to be a part of the thought process and the routine.
