20 Questions For Preparing An IT Risk Assessment

Many small businesses are being dragged into the arena of IT risk assessment by larger client companies, suppliers, or regulators.  Common scenarios include credit card (PCI) or HIPAA compliance.  Since the Target breach, smaller vendors and supplier companies who have a network connection into the IT operations of a larger company are being required to undergo the same sort of vulnerability and risk assessment procedures ...


HTTPoxy Poses New Threats For Web Site Owners

A recent article in Naked Security caught my eye the other day about a new web site vulnerability called HTTPoxy.  This stands for HTTP requests and poisoned proxy settings.  Most web sites use a technology called Common Gateway Interface (CGI) to run applications such as site search, collect information submitted on web forms, display comments, run a forum, or display database queries such as pricing in a usable form on a web page.


New Tactics for Crypto Ransomware Attacks

Cyber-criminals are encrypting your computer files and holding them for ransom.  This is one of the most difficult attacks to defend, and once encrypted, impossible to overcome without paying for the decryption key.  There are several new tactics appearing on the crypto-ransomware scene that we thought were worth a mention.


Sunday Funnies: Social Engineering in Action

Here’s another look at social engineering.  Another safe-for-everyone joke from Aaron at Miller Brothers.

A man went to his lawyer and told him, “My neighbor owes me $500 and he won’t pay up. What should I do?”

“Do you have any proof he owes you the money?” asked the lawyer.

“Nope,” replied the man.

“OK, then write him a letter asking him for the $5,000 he owed you,” said the lawyer.

“But it’s only $500,” replied the man.

“Precisely. That’s what he will reply ...


Happy SysAdmin Day 2016

Today is the 17th anniversary of the first SysAdmin Day.  If you know a SysAdmin, who would be the person you call when your computer is on the fritz, today is the day to buy them a Hallmark card, New Egg gift card, Star Wars poster or paraphernalia, or a Raspberry Pi.  I am sure the electronic or the edible variety would both be enthusiastically received.

So give your computer ...


Don’t Take The Bait!

Having just discussed phishing on Monday, it makes sense to cover the social engineering practice called “baiting” today.  Typically, this involves an attacker leaving removable media such as a USB flash drive or SD media card lying around in a public location.  The exploit depends entirely on the principle of “finders-keepers.”  People pick these drives up, and plug them into the first computer ...


US-CERT Warns Against Phishing and Social Engineering Exploits

We continue to hear from security researchers and professionals that an astonishing 95% of all exploits begin with someone opening an attachment or clicking a link on a phishing email.  I have a client where two different employees opened the attachment on an email from “FedEx” and became infected with crypto-malware.  These incidents happened nearly a week apart, and you think that the ...


Using Your Phone For Video Surveillance

I discovered a while ago that my LG smart phone can be used fairly easily to make a surreptitious video of a meeting simply by turning on the video camera and slipping the phone into a shirt pocket.  The camera lens clears the edge of the pocket nicely, and there is no indication, at least on my phone, that the camera is rolling.  This is a great way to keep a record ...


Cybersecurity – Where Are We?

Sometimes in the maelstrom of cybersecurity battles, it is helpful to step back and see where we came from, where we are, and where we are going.  This year, in addition to studying for and passing the CISSP exam, I have been to a bunch of security conferences.  I’ve been to MISC.conf, Secure360, B-Sides, and the Tech Security Conference.  Here are some highlights and ...
