Linda Musthaler

About Linda Musthaler

Linda Musthaler is a principal analyst with Essential Solutions Corp. She is a 30-year veteran of the IT industry. Linda has been a regular contributor to Network World magazine for nearly two decades, writing a regular opinion column as well as in-depth feature stories. She currently writes the weekly electronic newsletter Network World IT Best Practices, which has more than 30,000 subscribers worldwide.

Posts by Linda Musthaler

Department of Homeland Security Supports Anti-DDoS Efforts

Give the U.S. federal government credit for attempting to find more broad-based solutions to the global problem of DDoS attacks. We reported a few months ago that DARPA is soliciting research projects on innovative ways to create resilient defenses against DDoS attacks. Now the Department of Homeland Security (DHS) is getting in on the act as well.

Going After the People Behind DDoS Attacks

There are two aspects of fighting DDoS attacks. One is remediation—stopping the attack when it comes in. Corero and other providers have this part of the equation covered. The other aspect of stopping attacks has to do with law enforcement, which can be done only with the help and support of the victim companies.

On the Upswing: Cyber Insurance to Cover the Liability of DDoS Attacks

Cyber insurance is not a substitute for making smart investments in cyber security and following industry best practices. However, it is an important part of almost any business's risk mitigation strategy.

This new hacktivism tactic makes every organization with a web presence a potential target for a DDoS attack

Hacktivism is on the rise as a motivation behind numerous DDoS attacks. For whatever reason, groups like Anonymous, Lizard Squad, Syrian Electronic Army, Chaos Computer Club and others believe they can intimidate corporations, government agencies, and other institutions by knocking these entities' websites offline for a period of time. One of the latest victims of a hacktivist attack is the Japanese carmaker Nissan.

Someone is trying to break the Internet, and it isn't Kim Kardashian

Break the Internet? Kim Kardashian's Paper Magazine cover couldn't do it, but now someone is trying to bring it down for real using DDoS attacks on the Internet Domain Name System's root name servers. Root Server Operators (RootOps) reports that on at least two separate occasions, several of the root name servers were hit with an...

Hacker group is targeting Xbox Live and PlayStation Network with DDoS attacks, just in time for Christmas

Do you know someone who is expecting an Xbox or PlayStation game console under the Christmas tree this year? If so, you'd better tell them to make plans for doing something other than playing with their new game systems for a few days. The New York Daily News reports that the Grinch (aka a hacker group calling itself Phantom Squad) has vowed...

Here they come – DDoS attacks via the Internet of Things

Experts have long warned that the inherent lack of security in many of the devices that make up the Internet of Things (IoT) would come back to harm us in the end. Now there is firm evidence that hackers are exploiting weak and default credentials on embedded devices to create botnets that are the sources of DDoS attacks. Closed-circuit...

Vigilante DDoS attacker goes after offensive websites

It's almost easy to empathize with someone who feels justified in using DDoS tactics to temporarily take down websites that belong to the Islamic State, pedophiles, and racist and homophobic hate groups. Then we have to remind ourselves that, no matter how offensive or repugnant the content of these websites is, it's still considered to be...

Rutgers University gets an F for its failure to prevent repeated DDoS attacks

On September 28, 2015, Rutgers University experienced another DDoS attack—the fifth such attack in less than a year. Now some students and parents are asking for a refund of a portion of the tuition they have paid, attributing the demand to the university's inability to keep services available. You see, the university's Board...

Lizard Squad retaliates against the UK's National Crime Agency following arrests of "customers"

Lizard Squad just can't leave it alone. Last week we reported that the National Crime Agency (NCA) in the United Kingdom arrested a number of teenagers who used Lizard Squad's DDoS tool Lizard Stresser. (See Users of DDoS-as-a-Service are arrested in the UK.) Just days after those arrests, the NCA's website was attacked and...

DARPA announces the Extreme DDoS Defense Program to solicit innovative ways to thwart attacks

Do you think you have what it takes to come up with a really innovative way to mitigate the effects of DDoS attacks? If so, the Defense Advanced Research Projects Agency (DARPA) wants to hear from you. Recognizing that DDoS attacks can have serious consequences on businesses as well as government agencies and military branches, the agency...

Users of DDoS-as-a-Service are arrested in the UK

Back in January I told you about DDoS-as-a-Service, brought to you by the nefarious hacking group known as Lizard Squad.

Financial Institutions Are Seeing DDoS Extortion Campaigns

Several writers on this blog have been calling attention to recent DDoS extortion campaigns. (See DDoS extortion campaigns on the rise and FBI Warning! Businesses Are Threatened with DDoS Attacks Unless Extortion Money Is Paid.) Now the FBI is sending notice to banks and other financial institutions to be on the watch for shakedown attempts....

FBI Warning! Businesses Are Threatened with DDoS Attacks Unless Extortion Money Is Paid

If you're running an illegal business that the authorities would like to shut down, you are highly unlikely to call the police or FBI if a cyber attack is affecting your business. And so it is that online operators of "unregulated activities" such as illegal gambling sites are finding themselves to be the victims of extortion...

Denial of Service Attack Grounds Airplanes for Hours

If you're old enough to remember the turn of the millennium, then you'll recall the big Y2K scare. Many people believed that computers that were never designed to accommodate the change of the millennium – from the year 1999 to 2000 – would have such crazy problems that airplanes in flight might fall out of the...

The State of Internet Security is Getting Worse, According to Akamai

Akamai is out with its State of Internet Security report for the first quarter of 2015. This report is based on actual, observed traffic as opposed to being the result of user surveys, making it a good record of recent security conditions. The report opens with a very troubling statistic: the number of DDoS attacks recorded in the first quarter...

Computer Center Serving the UK's University System Has a Lot to Learn

We've posted several articles lately about DDoS attacks being aimed at educational institutions right about the time that important exams are being taken by a large percentage of students. (See Sorry, Kids, Your Final Exam Has Been DDoS'd and High school student charged with a felony after DDoSing his school district.) Now comes...

High school student charged with a felony after DDoSing his school district

Sure to be voted "least popular student" in the West Ada, Idaho, school district: the 17-year-old kid who took down the district's computer system, forcing students to retake the state-mandated achievement test multiple times. In mid-May, just as 36,000 students across the district's 52 schools were taking their Idaho Standard...

Telescope Protesters Are Not Acting With "Aloha"

Most people would consider Hawaii to be an idyllic place, but there's quite a controversy erupting over the plan to build a new telescope on Hawaii Island ("the Big Island"). Not just any telescope, mind you, but one of the world's largest, known as the Thirty Meter Telescope (TMT). Construction of the $1 billion+ scientific...

Who have you pissed off lately?

One of the prime motivations for DDoS attacks today is hacktivism. That is, some individual or group is trying to inflict revenge or punishment on the targeted company because of political or social beliefs. One of the more famous uses of DDoS as a hacktivist tool is the take-down of Sony Pictures' systems in retribution for the planned...

When you fight fire with fire, you risk getting burned

Censorship watchdog GreatFire.org lit a fire that has turned into quite a conflagration. GreatFire.org is known for punching holes in China's Great Firewall, the surveillance and censorship system that attempts to prevent Chinese businesses and citizens from reaching the outside world via the Internet. GreatFire provides open access to the...

Gaming companies collaborate to fight DDoS attacks

Online game players who got new consoles or games this past Christmas might have been disappointed when they went to play. Both Microsoft's Xbox Live and Sony's PlayStation Network were down for extended times of a day or more due to DDoS attacks. The now notorious group Lizard Squad had said it would target the gaming industry with...

Industry Observations of DDoS Trends

Observing and analyzing DDoS attacks over a period of time helps us all understand trends so that we can better prepare for the future. Verisign has recently published its DDoS Trends Report for the last half of 2014, and there are some interesting observations. For one thing, attacks are growing larger in size. In the attacks observed by...

More than half of U.S. businesses were targeted by a DDoS attack last year. Was yours among them?

How pervasive have DDoS attacks become? According to research from the global network services company BT Global Services, two out of every five organizations worldwide were targeted by DDoS attacks last year. That's the global average. In the United States, more than half (58%) of all organizations were targeted. Those aren't good...

Looking for a Cheap Service for DDoS Penetration Testing? How Does $2.99 Sound to You?

Lizard Squad, the hacking group that takes credit for attacking the Sony PlayStation Network and the Microsoft Xbox network back in December, now wants to be your commercial provider of a sort of "penetration testing" toolkit. CNN recently reported that anyone can rent the Lizard Squad tool called Lizard Stresser for as little as $2.99...

The Hacker Group Anonymous as Do-Gooder?

We are usually writing about the hacker group Anonymous in terms of the harmful attacks its members launch against business and government websites. But now the BBC is reporting that Anonymous is claiming credit for knocking a terrorist recruiting website offline. Anonymous is declaring war on jihadist websites following the recent terrorist...

The Web as Equalizer in Cyber Terrorism

When the World Wide Web rose to prominence two decades ago, it was called the great equalizer. By having a Web presence, a small company could look as impressive as a large company when it came to courting prospective customers and employees. Individuals could access information that previously had been locked away in hard copy sources only....

DDoS attacks: Normally I don't blame the victim, but in this case the blame is deserved

April 2011 – Sony PlayStation Network, Sony Online Entertainment (SOE), and the Sony Qriocity music service (now known as Music Unlimited) were all knocked offline by a large-scale DDoS attack. The group Anonymous claimed responsibility for this attack. Sony was so busy trying to get its services back online that it failed to notice that a...

Can we still trust email?

You'd better be extra vigilant as you read through your business emails these days. Cyber attackers are growing more tenacious in their use of corporate email systems to plant malware on networks. Here are a couple of proof points. Symantec recently posted an article on its Security Response blog about attackers behind malicious spam...

The Netherlands' Trusted Networks Initiative is an alternative means to stop DDoS attacks

While visiting the Hague Security Delta in The Netherlands last week, I learned about an interesting initiative that's being tested to provide trusted computing among select organizations. Known as the Trusted Networks Initiative, it is being touted as an alternative "last resort" means to fend off DDoS attacks. The idea is to close...

What Does a DDoS Attack Really Cost? It Depends...

In a recently released report companies estimated the average cost of a successful DDoS attack – one that actually disrupts a target's business – is $40,000 per hour. $40,000 per hour. It's a nice composite number that is easy to present to management when you need to justify a budget for preparing for the potential of a...

Why Vendor Risk Management is Critical to Your Business

You've heard the trite expression "A chain is only as strong as its weakest link." Well, it's true, and when it comes to enterprise security, the weakest link might be outside your own organization. Ever since it came to light that the Target data breach originated through compromised credentials belonging to a third party...

Insights from the FBI on Fighting Cyber Crime

If your company experienced an IT security breach, would you contact law enforcement? According to an unofficial poll by the FBI and Trend Micro, about 60% of people said yes. I'd venture to guess that a portion of that 60% would only report the incident because some law or industry regulation requires them to do so. The FBI Cyber Division...

One More Type of Cyber Attack to Worry About: Redialing for Dollars—Your Dollars

Attention company cyber sleuths: here's one more type of cyber attack that criminals are using to steal billions of dollars a year, mostly from small businesses. Keep your eyes open for this one and read the phone bill closely. An article in The New York Times details how hackers are using phone networks to direct businesses'...

Looking for a job? Cyber Aces is hosting another National Cybersecurity Career Fair in November

Last spring I wrote about Cyber Aces hosting its first National Cybersecurity Career Fair (NCCF). Cyber Aces is a non-profit organization dedicated to identifying and encouraging individuals with an aptitude for information security to refine their skills and talent. One of the organization's missions is to grow the cybersecurity...

Software developers get SWAMP'ed, and that's good for software security assurance

October is National Cyber Security Awareness Month. The theme of this week's awareness messaging is how to build secure software products, and we've got a great tip on how you can do that. If you look at the evolution of software, it has changed quite a bit over the last 20 to 25 years. Software is more complex than ever, and the size...

SANS Institute's Webcast on Shellshock is Worth Watching

On September 25, Alan Paller, the Director of Research for the SANS Institute, sent out a FLASH report about the vulnerabilities involving Bash. This report has some very good information for security practitioners that is worth repeating here. The vulnerability, dubbed Shellshock, affects the Bash command processor which is used in most Linux...

D'oh! Get Your Hammer and Your Payment Card Hacked at "the Homer Depot"

By now the news of the massive payment card data breach at the Home Depot is well known. The company has acknowledged the theft of an estimated 56 million debit and credit card numbers, making it the largest retail breach on record. In a September 18 press release confirming the breach, the merchant says malware discovered on its systems...

Here's a Good Resource for Learning About Encryption Schemes Before You Put Data in the Cloud

If your organization is planning to have data and applications in the cloud, then you are probably planning to use encryption to secure the data. Encryption is a technology that transforms your data into an alternate format that only authorized parties with a decryption key can read. Like most technologies, encryption can be implemented in...

Promoting Voyeurism in the Name of Marketing and Advertising

About the same time the story about the celebrity photo hacking incident broke, I read another disturbing article that does not bode well for personal privacy. San Francisco tech blogger Wendy Lee wrote about advertisers trolling through personal photos that people are posting to social media sites to learn more about their customers. How creepy...

Victim Company Refuses to Pay DDoS Extortion Fee and Is Permanently Forced Out of Business

If your company relies on your website to conduct any amount of business, it's time to take notice of what has been happening lately with regards to DDoS attacks. In the past few weeks, numerous companies have experienced DDoS attacks in which there is a demand for money in order to stop the attacks. In plain words, extortion. According to...

When Trends Collide: Data Collectors Are Gathering Information from Smartphones Used for BYOD

I had an interesting conversation the other day with Rob Shavell, the co-founder and CEO of the online privacy company Abine. We talked about two big trends in mobile computing and what happens as a consequence of their intersection. This collision of trends could have big implications for companies that permit employees to use their...

Passwords Are Like Underwear—They Aren't Meant to Be Shared

In the world of IT security, perhaps nothing is so maligned as the humble computer password. End users hate jumping through hoops to create and remember complex passwords that contain letters, numbers and special characters. IT security professionals complain that end users ignore corporate policy and create obvious passwords like, well,...

Boost Your Security Posture through Membership in an Industry Information Sharing and Analysis Center (ISAC)

It's a huge responsibility to try to ensure cyber security for an organization, regardless of its size. Few companies would say they have the full complement of resources they would like to have in order to properly protect themselves from cyber threats. On the belief that there is strength in numbers, many organizations are joining an...

Six Common Sense Steps from the FFIEC to Address DDoS Attacks

Who can forget the series of distributed denial of service (DDoS) attacks on American banks back in 2012 and 2013? Some of the attacks were highly effective in knocking online banking services offline for days at a time. Over time, financial institutions (FIs) learned to bolster their defenses until the attacks grew less and less effective at...

Why Prompt Breach Notification Is Important

In a blog post last April, I wrote about a merchant that waited up to a year to notify customers that their payment card information may have been compromised in a breach. There were extenuating circumstances; the federal authorities investigating the breach asked the merchant to stay silent about the incident during the lengthy investigation. The...

Why Do We Call It Cyber Crime If We Don't Treat It Like a Crime?

My subdivision outside of Houston, Texas has a monthly newsletter, and one of the features is the neighborhood police patrol report. It's mostly stuff like items being taken from unlocked cars or suspicious people or vehicles in the neighborhood. Every now and then someone reports identity theft or fraudulent charges on their credit card. I...

Why Would a Cute Little Slow Loris Take Down a Web Server?

You've heard of the "infinite monkey theorem," which states that if you put a hundred monkeys in a room with a bunch of keyboards they will eventually type the works of Shakespeare. Is it possible that another little primate, the incredibly cute slow loris, is capable of taking down web servers with a clever type of denial of service...

DDoS Attacks Hit the World Cup. The Current Score: Anonymous 1, FIFA 0

The world’s most watched sporting event, the World Cup, is now underway in Brazil. Despite an expected audience of billions over the next few weeks, not everyone is a fan. Protesters of every ilk are using the prominence of this event to make a point. That includes hacktivists from Anonymous and other cyber groups looking for...

For Sale: Practically All the Details of Your Personal Life

When documents released by Edward Snowden showed that the National Security Agency (NSA) is collecting various types of data on ordinary American citizens, a lot of people were quick to voice their opinion that this is just wrong. Many Americans don’t believe our federal government should be able to snoop on us to learn who we choose to call...

The 2014 Verizon Data Breach Investigations Report Includes Recommendations to Control or Prevent DoS Attacks

Have you read the 2014 Verizon Data Breach Investigations Report (DBIR) yet—all 60 pages of it? Actually, if you’re pressed for time, you don’t need to read the whole report cover to cover. This year, Verizon made it easy on security practitioners by segmenting the report into 9 major incident patterns. So, you don’t...

Here’s Why Even Official Public App Stores Can’t Be Trusted

One of the first rules of protecting end user devices has always been “Install anti-virus software and keep it up to date.” Even as people have shifted from laptops and desktops to more mobile devices like smartphones and tablets, security experts advise installing AV software from a trusted app store such as the Apple App Store,...

How to Get More Value from Your Vulnerability Assessments and Penetration Testing

A lot of companies do vulnerability assessments and penetration testing of their own systems to try to head off cyber attacks. Some companies are compelled to do annual pen testing because of regulations that govern their business. Regardless of the reasons for doing the testing, companies are spending good money on the process and should look for...

The Oxymoronic Notion of “Online Privacy”: When Information is Too Private for a Search Engine to Display

There was a ruling by the Court of Justice of the European Union this week, and it’s causing quite a bit of controversy on the U.S. side of the pond. The ruling has to do with online privacy and the obligation of Internet search engine operators to respect individuals’ privacy by not displaying specific search results if requested to...

The State of PCI Compliance in 2014: Getting Better but Still Insufficient

2014 marks the 10-year anniversary of the Payment Card Industry Data Security Standards (PCI DSS). It is also the year that version 3.0 of the set of security standards was released. All merchants who accept credit and debit cards as a form of payment should now be upgrading their systems to meet the new higher standards of PCI DSS 3.0. There...

ISACA Launches Cybersecurity Nexus, a Comprehensive Program for Information Security Professionals

A few weeks ago I wrote about an opportunity for entry-level information security (infosec) professionals to get some training and “skill up” for their careers. Now there is a new option for people coming into the infosec profession. Today ISACA is launching a comprehensive new program called Cybersecurity Nexus (CSX). You may be...

Communications Teams Get a Failing Grade Over Heartbleed

First of all, let me say thank you to the security professionals who are working their butts off to develop patches and permanent fixes for problems caused by Heartbleed. I know this is an extraordinary case of the highest priority. Thank you for using your talents and your time to plug this gaping hole and make your users safe again. That...

What’s Needed Now: Supply Chain Integrity Testing

Listen up, all you security experts who want to be entrepreneurs! John Pescatore, the SANS Institute Director of Emerging Security Trends, sees an opportunity for the Next Big Thing in tech security. In Pescatore’s view, there’s a growing need for supply chain integrity testing. In the wake of all the digital spying revelations...

Who Are Breach Disclosure Laws Meant to Protect? One Merchant Held up Notifications for More Than a Year at the Request of Federal Authorities

I live in Texas, and there’s a regional retailer that has just announced a data breach that is believed to have affected more than half a million customers. The announcement is controversial because the company, Spec’s, supposedly knew about the theft of payment card data almost a year ago and is just now telling customers. As you...

Who Is Reading Your Email, and for What Purpose?

Thanks to the NSA, so much attention has been on the fact that the federal government is collecting metadata about our phone calls that we have taken our eyes off what’s happening on the email front. There have been a few stark reminders in the news recently that email isn’t private and we shouldn’t use it to transmit sensitive...

Cybersecurity Professionals Are in Big Demand as Staffing Shortages Hit Critical Levels

In a previous blog post I talked about the upcoming National Cybersecurity Career Fair (NCCF) this June 18 and 19, 2014. NCCF is an innovative virtual meeting place for the top cybersecurity employers and entry- to mid-level cybersecurity jobseekers in the United States. It turns out that this job fair is desperately needed by employers in...

National Cybersecurity Career Fair in June Will Connect Employers to Entry Level Cybersecurity Workers

Do you know anyone who is an aspiring cyber security professional? Here is some important information to pass along to help them get their career started. This is also big news if your organization is looking to recruit entry-level people for IT security positions. Coming up this June 18 and 19, 2014, Cyber Aces is presenting the first National...

NTP Amplification DDoS Attacks Are Skyrocketing. Do You Have Your Defense System in Place?

In his recent “Attack of the Month Video Blog Series,” Stephen Gates talks about NTP reflective traffic as the latest technique being used to launch DDoS attacks against hapless victims. This is certainly something to pay attention to. Since the beginning of 2014, the number of attacks using this method has skyrocketed, largely because...

Business Lessons from the DDoS Attacks on Social Networking Site Meetup

In early March, the social networking site Meetup was hit by a series of DDoS attacks. The attacks did some damage, not the least of which was knocking the site offline for hours at a time over a period of several days. However, I have to say that it appears that the Meetup management and technical team did a few things right to get through this...

Internet Hosting Providers that Fail to Prepare for DDoS Attacks are Derelict in Their Duties to Care for Their Clients

On February 18, 2014, the online gaming website Wurm was the victim of a DDoS attack. The company posted the following note on its website at the time of its attack: "Shortly after today's update we were the target of a DDoS attack and our hosting provider had to pull us off the grid for now. We will be back as soon as possible but...

Cybersecurity in the U.S. Healthcare System is in Critical Condition and Needs Intensive Care

Last fall my husband was visiting a relative in the hospital when he noticed an Ethernet port on the side of the bed. He asked the nurse what the hospital uses the port for. She explained that they occasionally connect patient-monitoring devices to the port on the bed to facilitate transmission of alerts to the nurses’ station. For example,...

Watch for DDoS Attacks as a Diversionary Tactic for Other Types of Cyber Crime

Have you heard of a smash-and-grab robbery? In the physical world, it usually refers to a group of thugs who storm a retail store – often a jewelry store or a pawn shop – and smash the display cases with sledge hammers. They grab all the expensive merchandise they can get and run out of the store before shocked store clerks have much...

Hacking Attacks are Practically Guaranteed at the Sochi Olympics

The winter Olympics get underway in Sochi, Russia this week, and most of the attention about security has been focused on physical security and the potential for acts of terrorism. Russian President Putin has promised a “ring of steel” around the Olympic venues to provide a high level of physical safety for the athletes and tens of...

The Role of Service Providers in Strengthening the Nation’s Cybersecurity

In November 2013, the President’s Council of Advisors on Science and Technology (PCAST) submitted a public report to U.S. President Barack Obama. The report, Immediate Opportunities for Strengthening the Nation’s Cybersecurity, provides key insights from a more comprehensive but classified assessment of the Nation’s cybersecurity...

What’s in that Refrigerator—Fish or Phish?

Well, here’s a switch. Usually televisions are bringing crap into our households. Now experts have learned that some smart TVs have been sending crap (in the form of spam) out of their owners’ houses. A recent press release from Proofpoint, Inc. details how the security service provider uncovered an Internet of Things (IoT) based...

Federal Investigators Warn Retailers: If You Have a POS System in Operation, You May be at Risk

Hang on to your credit cards and start checking your free credit reports: The latest news about retail breaches is not good. Numerous sources are now reporting that the recent Target and Neiman Marcus data breaches may be the tip of the cyber heist iceberg, and there are likely more related breaches that have not yet been...

Survey Shows that Small Merchants Exhibit Lax Security Practices and Put Consumers’ Financial Data at Risk

Ever since news of the Target breach broke a few weeks ago, everyone from security experts to concerned consumers has been hyper-sensitive to what’s happening in retail security. If it’s true that 110 million consumers had their financial account data compromised in that one breach alone, it’s no wonder many of us are fearful...

LinkedIn Admits Being Inundated with Fake Accounts – Could that Portend a Wave of Social Engineering Attacks?

I’ve never been a fan of social media. There’s something very unnerving to me about putting personal or private information about yourself online for anyone to see. Don’t try to tell me that you can adjust who sees your content with security settings; I don’t believe for a minute that privacy settings actually keep your...

Six Ways that Most Companies Shortchange Their Enterprise Security

I recently had a conversation with Michael Sutton, vice president of security research for Zscaler and head of Zscaler ThreatLabZ. We talked about where many organizations are falling short today in defending against current threats and especially the more dangerous advanced persistent threats. I’ve singled out six common shortcomings that...

Considering a Master’s Degree Program? Look to the SANS Technology Institute for a Fully Accredited Program Focused Solely on Cybersecurity

If you are an IT security professional and you’ve been thinking about going back to school to earn a master’s degree, the SANS Technology Institute (STI) master’s degree program might now be a more attractive choice for you. The graduate institution is now fully accredited by The Middle States Commission of Higher Education, an...

Read more

Two DDoS Attackers are Given 5-Year Jail Terms for Blackmail, Unauthorized Impairment of Computers

Polish computer programmers Patryk Surmacki and Piotr Smirnow were recently sentenced to 5 years and 4 months in jail for perpetrating a blackmail scheme that also involved the use of a DDoS attack as intimidation. Prior to sentencing, the pair pleaded guilty to blackmail and admitted to conspiracy to access, use and impair computers without...

Read more

Take the SANS Institute’s Holiday Hacking Challenge: It’s a Hackerful Life

The long holiday season is here, and if you’re one of the lucky ones, you probably have a few days off from the grind you call work. When you’ve had enough of your kids’ overexcitement and your relatives’ overstaying their welcome, why not steal away by yourself for a few hours and work on the SANS Institute’s 10th...

Read more

Guilty Pleas for 13 People Involved in a PayPal DDoS Attack, and a (Strange) Call for Leniency from the Founder of PayPal’s Parent Company

On December 6, thirteen defendants pleaded guilty in U.S. federal court to charges related to their involvement in the cyber-attack of PayPal’s website as part of the group Anonymous. In pleading guilty, the defendants admitted to carrying out a Distributed Denial of Service (DDoS) attack against PayPal in December 2010. Ten of the...

Read more

Tech Titans Want Governments to Reform Their Data Surveillance Practices

The data titans of Silicon Valley have said, “Enough is enough!” A coalition of the world’s leading tech companies is asking for the U.S. and other national governments to put a stop to unfettered data collection and surveillance and other practices that inhibit the free movement of lawful data around the globe. The principal...

Read more

Consumer Electronics Manufacturer LG Has a Reprehensible Privacy Policy

I came across a blog post the other day that really angers me. British IT consultant Jason Huntley wrote the detailed article LG Smart TVs logging USB filenames and viewing info to LG servers in mid November. He outlines how he discovered that his LG brand smart TV was collecting private data about his viewing habits and using it to serve...

Read more

Malware as Performance Art? OpenDNS Shows the Dangerous “Dance” of Cryptolocker

By now practically every information security professional and thousands of unfortunate victims are aware of CryptoLocker, the dangerous malware that encrypts all of a victim’s files and holds them for ransom. Security experts say it’s relatively easy to remove the malware itself but the damage is done when entire file systems cannot...

Read more

Finally, a Detailed Set of Cybersecurity Guidelines for SMBs (But Enterprises Can Use Them Too)

Small and medium businesses (SMBs) often don’t pay enough attention to cybersecurity, but they are no less vulnerable than their enterprise counterparts are to data breaches and attacks. In fact, attackers might consider SMBs to be an easier path into larger enterprises that are the real target. In his blog post “Are Small Business...

Read more

Nobody Reads Terms and Conditions, Do They? Pay Attention To What You Agree To!

Recently I needed to download some software to my PC and, being the security-conscious person that I am, I made an attempt to read the software provider’s terms and conditions (T’s & C’s). I’ll admit that I got just so far in really reading the script. Then I started skimming the words, and then skipping entire...

Read more

A Lesson in Social Engineering: How a “Security-aware” Organization Was Completely Duped

There is a must-read article published by IDG News Service and posted to Network World. (See Fake social media ID duped security-aware IT guys.) This is the story of how security experts conducting penetration tests of an unnamed European organization used a very convincing but very fake social media persona to infiltrate the targeted organization....

Read more

Official Memo Says the Lack of End-To-End Testing Poses “A High Risk” for the Federal Healthcare Exchange

In an earlier post, I speculated that the systems behind the healthcare exchange marketplace known as the Federally Facilitated Marketplace (FFM) and hosted on Healthcare.gov were not tested end-to-end and could not be trusted to ensure data security and privacy. My speculation a few days ago is now totally confirmed by the people in...

Read more

What’s the Word From Healthcare.gov? “Trust Us With Your Most Sensitive Data.”

Healthcare.gov, the website for the Affordable Care Act, has been in the news a lot this month. Ever since it was launched to the public on October 1, it has been riddled with performance problems. Administration officials have stated that the issues stem from the sheer complexity of a system that is being asked to do so much. I’m not...

Read more

Gartner VP Confirms DDoS Attacks Were Used as Smoke Screens to Hide Financial Fraud

In an article posted on BankInfoSecurity.com, Gartner Research vice president Avivah Litan confirms that some of the DDoS attacks that have rippled through the banking industry over the past year have been a cover-up for fraud. While bank cyber security personnel were distracted in combating the denial of service attacks, hackers were busy...

Read more

There’s a Bidding War For People With Good Cyber Security Skills

If you are a cyber security expert – or you are on your way to becoming one – you’d better stock up on Ray-Bans. Your future is so bright, you’re going to need them. According to an article published by NBC News, there is a global shortage of skilled cyber security professionals. The...

Read more

The Global Industrial Cyber Security Professional Certification (GICSP) is Launching in November

There’s an important new cyber security certification coming to market at the end of November. I recently talked to Mike Assante of SANS Institute and Scott Cassity of Global Information Assurance Certification (GIAC) to get the details because I think there will be tremendous interest worldwide in this certification and the associated...

Read more

National Cybersecurity Awareness Month: The Government Agency Behind it Can’t Participate at This Time

Oh, the irony. I don’t know whether to laugh or cry. October is National Cybersecurity Awareness Month. This is the month that the U.S. federal government wants us all to take responsibility for cyber security. Public companies, private companies, individual consumers, government agencies, institutions of every ilk, hardware and software...

Read more

Collateral Damage From the NSA Spying Debacle: Trust in U.S. IT Companies is Shattered

There’s an old proverb that goes something like this: Crap rolls downhill. (Well, the proverb uses an even more crude slang word instead of “crap,” but I’m trying to be polite here.) I think this proverb aptly applies to the fallout from Edward Snowden revealing secret details of government mass surveillance programs...

Read more

Lessons Learned From the Banking Industry DDoS Attacks: Good Advice Worth Heeding

Now that the banking industry has gone through four rounds of very public DDoS attacks, experts are looking at what happened to extract some “lessons learned” to turn this negative into a positive. Even if your business isn’t a financial institution, there’s good advice here that’s certainly worth...

Read more

A Three-pronged Approach to Eliminating Phishing Emails, part 2

In my previous article I outlined the first element of the three-pronged approach to eliminating phishing emails. This involves email service providers screening and rejecting spoofed emails based on explicit policies specified by legitimate email domains. About 85% of all ESPs already observe these policies when they are provided, so now the...

Read more

A Three-pronged Approach to Eliminating Phishing Emails, part 1

According to the Verizon 2012 Data Breach Investigations Report, more than 95% of the breaches Verizon investigated in recent years started with a phishing email. You know how it goes. A worker receives an email that looks perfectly legitimate. Maybe it appears to come from his bank, or from a shipping company he does business with. There’s...

Read more

Here we go again. Another stolen laptop puts patient information at risk

It happened again—another doctor’s office, another stolen laptop laden with patient records. The Houston Chronicle is reporting that a laptop computer containing unencrypted information pertaining to nearly 600 patients has been stolen from the University of Texas Health Science Center at Houston. Sigh. When will they ever...

Read more

A new generation of IT security solutions for an evolving threat landscape

I recently had a chat with Manish Gupta, senior vice president of products at security vendor FireEye. Gupta described how the IT threat landscape has changed dramatically over the last three or four years, and how this has rendered legacy security solutions rather weak. This means that a new generation of IT security solutions has to be developed...

Read more

A must-read report for everyone involved in software development: “The State of Application Security"

If you have any role at all regarding security in the application development process – especially a leadership role that oversees development – you simply must read a new report by the Ponemon Institute and the application security company Security Innovation. You’ll find “The State of Application Security” here....

Read more

Thinking About How to Secure the Internet of Things (IoT)

Michael Cooney of Network World published a semi-silly article about malware affecting smart toilets that run the Android operating system. (See Just when you thought it was safe to go to the bathroom – toilet malware strikes.) The article reports that Trustwave SpiderLabs issued a security bulletin to warn users of the...

Read more

I Spy With My Little Eye…A Scam!

If someone offered you the opportunity to secretly read your friends’ instant messages without being detected, would you want to do that? You could spy on your significant other, or your friends and coworkers—and no one would be the wiser. All you have to do is go to a discreet website and provide your cell phone number so you can...

Read more

What To Do When Ransomware Holds a PC Hostage

In my previous post, I talked about ransomware locking a user out from his PC. This article is geared toward the IT professional who may be called upon to attempt to unlock the PC and clean up the mess the malware leaves behind. For the advice below, I consulted with John Harrison, Group Manager at Symantec Security Response. His team is in the...

Read more

Your Computer Has Been Locked! Pay Money Now if You Ever Want to Use Your PC Again!

Recently I got a phone call from a friend who told me her PC had popped up a big bold warning message that told her that a virus had been detected on her computer. She couldn't get the message to clear off of her PC—the computer seemed to be frozen. The message said that she could pay $39 to load software that would completely remove the...

Read more

Privacy Double Standard: You Can Track Online But Not On Foot

There’s an article in the New York Times about how retail stores are increasingly using technology to track customers’ movements and interests when they are physically in the stores. (Check out the article’s video to see some of this technology in action.) Stores use Wi-Fi signals from customers’ mobile phones to track...

Read more

Data encryption in the cloud is not enough to keep the feds from eying your data if they want to

The New York Times reported that Microsoft has collaborated with the National Security Agency (NSA) more extensively than it previously acknowledged. According to classified internal NSA newsletters that were disclosed by the former NSA contractor Edward Snowden, Microsoft has helped the NSA find ways to circumvent its encryption on its Outlook.com...

Read more

Don’t Write Your BYOD Policy from Scratch – Check Out These Samples to Jumpstart Your Own Policy

Whether or not your organization allows employees to use their personally owned devices to access corporate resources, you need to have a written policy that covers the acceptable use of mobile devices. This policy should clearly communicate to all employees what is, and is not, acceptable use of their smartphones, tablets and other mobile devices...

Read more

Are You a Tim McGee Wannabe? Check Out the New Certified Cyber Forensics Professional Certification

If you’ve ever watched the TV show NCIS and thought how cool it would be to have a job like Tim McGee, the cyber forensics scientist, then I have good news for you. The International Information Systems Security Certification Consortium, Inc., (ISC)², has recently announced the availability of a new certification, the Certified...

Read more

Step-By-Step Instructions to Implement DMARC in Your Organization, Part 2: Deploying the DMARC Record

In my previous article I covered the preliminary tasks that need to be done when you want to implement the DMARC standard to protect your email domain(s). This article gets into the meat of what to do for actual deployment. I’d like to thank Alec Peterson, CTO of Message Systems, for these step-by-step instructions. Remember that list of...

Read more

Step-By-Step Instructions to Implement DMARC in Your Organization, Part 1: Laying the Groundwork

A few weeks ago I wrote about a way to reduce the likelihood of having your company’s email domain abused by phishers. Alec Peterson of Message Systems and Sam Masiello of Groupon provided good information and advice for deploying the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard for your...

Read more

Next on the IT Security Horizon: Security Analytics

John Pescatore recently joined the SANS Institute as the Director of Emerging Security Trends. His entire 30+ year career has focused on IT security, which gives him a pretty interesting perspective on where we’ve been and where we’re headed. I talked to him recently about what’s on the horizon for IT security. Linda: ...

Read more

Many WordPress Plugin Developers Don’t Build Tight Security into Their Code, Leaving Millions of Websites Vulnerable to Hacking

A new paradigm has taken root in the world of application development. These days we have a number of application “platforms” that are supported by marketplaces where hundreds or thousands of developers post their apps or plugins for download. Some of the world’s most popular platforms are Apple’s iOS, Google’s...

Read more

IT Security Professionals Speak Frankly about “Bring Your Own” Devices, Applications, Web Services, Cloud Storage and More

Sometimes the best learning opportunities are when IT security professionals sit around and talk to each other about their challenges, what they’ve tried for their own environments, what works and what doesn’t work. People need to talk to peers outside of their own organization to get a feel for what others are doing. This is the...

Read more

Is your company vulnerable to a DNS amplification attack? Maybe, but it’s in the hands of your Internet connectivity provider

In the past few weeks, we’ve been hearing more about a type of DDoS attack called a DNS amplification attack. In sending out a general alert about this type of attack, the U.S. Computer Emergency Readiness Team (US-CERT) defined the problem as follows: The basic attack technique consists of an attacker sending a DNS...

Read more

On Your DMARC, Get Set, Go! Putting Integrity into Your Email Security Policy, Part 2

In Part 1 of this post about the DMARC (Domain-based Message Authentication, Reporting and Conformance) standards for digital messaging integrity, Alec Peterson of Message Systems and Sam Masiello of Groupon, both representing DMARC.org, gave us great information about the new technical specification designed to reduce the phishing abuse of known...

Read more

On Your DMARC, Get Set, Go! Putting Integrity into Your Email Security Policy, Part 1

What are you doing to make the integrity of your corporate email/messaging an integral part of your information security policy? If you don’t have a definitive answer for this question, then read on. I’ve got some great advice from experts on the topic that you can take action on today to protect your company’s brand. I...

Read more

What’s Needed to Leave Your Leather Wallet at Home and Pay with Your Mobile Wallet Instead—We’re Almost There

At a recent stop at Starbucks, I pulled out my iPhone and held it up for the counter clerk to scan. With a quick beep, I paid for my frothy cold drink and put my phone back in my purse. A few customers in line behind me were intrigued by this and asked me how I used my phone to pay. I showed them the Starbucks mobile app and told them it only...

Read more

Not Just for PCs Anymore, Malware is Showing up on Offshore Drilling Rigs

I live in Houston, Texas, the undisputed Energy Capital of the World. Houston has an entire area of town nicknamed the Energy Corridor where numerous oil and gas companies have their headquarters, or at the very least, a major presence. Within those gleaming towers, geologists, chemists, engineers and a host of other highly educated professionals...

Read more

There’s BadNews, and There’s Really Bad News

By now you’ve probably heard about BadNews, a malware family that is targeting Android phones. In a blog post of April 19, the security firm Lookout reported that it had discovered BadNews in 32 apps across 4 different developer accounts in Google Play. Lookout reported its findings to Google, and the apps (and developers) have subsequently...

Read more

From US-CERT: Tips To Avoid Becoming A Victim Of Spear Phishing

We’ve often reported that spear phishing is a favorite technique that attackers use to plant malware or otherwise gain unauthorized access to networks. Now the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Department of Homeland Security, reports on a spear phishing campaign in which the attackers...

Read more

FireEye Reports That It Detected 89 Million Malware Events That Slipped Right Past Firewalls, IPSs And Other Layers Of Security

FireEye Inc. has just come out with its Advanced Threat Report for the second half of 2012. The content is based on research and intelligence conducted by the FireEye Malware Intelligence Lab and data collected from several thousand security appliances installed at the company’s customer sites around the world. FireEye threat protection...

Read more

How Do You Like This? Facebook Likes Reveal Your Private Traits And Attributes

Like us on Facebook! How many times a day do you hear or see those words? More importantly, how often do you follow the plea and click the Like button for something that interests you? Did you know that each time you Like something, you are giving up just a little bit more of your privacy? In fact, depending on your Likes, someone may be...

Read more

New Training From SANS Institute: How To Discover If Malware Is Running In RAM Only On Your Systems

Brian and I recently had an opportunity to talk with Jesse Kornblum, an instructor for the SANS Institute. Jesse has developed and just started teaching an advanced course called Windows Memory Forensics In-depth. This course would be valuable for any IT security professional working in an industry or for an organization that has a constant target...

Read more

Phishing, SMiShing And Wishing It Would Stop!

Lately it seems like I’ve been getting more than the usual number of emails that give me pause. Could this one be a phish, I wonder? What about that one? Even my husband and fellow blogger Brian showed me a curious email the other day. It certainly looked legitimate, appearing to come from a bank we do business with, but we concluded that...

Read more

Hacking Twitter Isn’t Even a Challenge. Burger King and Jeep Learned This Lesson the Hard Way.

First Burger King and now Jeep. Both prominent companies have suffered embarrassment since having their Twitter accounts hijacked this week, reportedly by Anonymous. It’s unfortunate, but these two companies join a long list of other businesses, news media outlets, politicians (including Barack Obama), celebrities and even average citizens...

Read more

The Facebook Hack Attack: Finding “No Evidence” Doesn’t Mean Data Wasn’t Compromised

On February 15, Facebook Security posted a public notice that the company “discovered that our systems had been targeted in a sophisticated attack.” Facebook Security was unusually frank about the details of the attack, including the revelation of how the compromise happened. (Facebook employees’ computers were infected with...

Read more

FTC Tells the Mobile App Ecosystem: Don’t Play Fast and Loose with Consumers’ Privacy Rights

If you read either of my previous posts about (the lack of) mobile application security and privacy, you might think we are living in the Wild West as far as the onus being on the user to look out for his or her own best interests. Well, we are. It’s like there’s no sheriff protecting the community. As the owner of...

Read more

Where Are You Most Likely to Pick Up Drive-by Malware? A Porn Website, a Gambling Website, or a Business News Website? The Answer Might Surprise You.

All of you porn surfers out there can just relax. Despite what your momma told you, browsing a porn website isn’t the most sure-fire way to get malware put on your PC. According to the 2013 Cisco Annual Security Report, many people (including security professionals) have preconceived notions about where they are most likely to encounter...

Read more

That Really Cool App You Put on Your Smart Phone is Probably Collecting All Sorts of Information - and You Don’t Even Know It

A few weeks ago I warned that mobile applications may not behave the way that users expect them to. As a follow-up to that post, I talked more in-depth with Domingo Guerra, president and co-founder of Appthority. Guerra’s company has analyzed hundreds of thousands of mobile apps to discover what they do, not just on the surface but...

Read more

Who to Contract Before a Data Breach Occurs

Data breaches continue to headline the news, and it’s likely to get worse before it gets better. The invasion of consumer technologies in the workplace promises to put more data at risk than ever before. There’s a growing tendency for Boards of Directors to become involved when a breach occurs. An event puts the organization at risk;...

Read more

App Happy Downloaders May Get More than They Expect

On January 7, Apple announced that customers have downloaded over 40 billion apps, with nearly 20 billion in 2012 alone. The App Store has over 500 million active accounts and had a record-breaking December with over two billion downloads during the month. Apple’s developer community has created over 775,000 apps for iPhone, iPad and iPod...

Read more

Lawsuit Asks What Rights You Have to Your Own Social Media Profile

A lawsuit filed recently in federal court begs the question, “Who is permitted to create a social media profile on someone other than himself?” It’s a sticky question but one that hangs out there in legal limbo, for now. As this article in the Pittsburgh Post-Gazette indicates, Rick Senft, president and CEO of the Passavant...

Read more

As General David Petraeus Can Attest, There are No Secrets on the Internet

In his famous book 1984, George Orwell wrote, “If you want to keep a secret, you must also keep it from yourself.” With apologies to Orwell, I’m going to rewrite the quote: “If you want to keep a secret, you must also keep it from the Internet.” There’s an interesting story about online privacy – or really...

Read more

Don’t Let Employees Think Outside the Box. The Dropbox, That Is...

“Good things come in small packages.” This time of year we think about what those good things might be. Perhaps a nice piece of jewelry in a fancy little box. Or a gift card to a favorite store or restaurant. Maybe it’s a year-end bonus check in a company envelope. Or not. What if that tiny little Dropbox icon at the bottom of...

Read more

DDoS-as-a-Service? You Betcha! It’s Cheap, It’s Easy, and It’s Available to Anyone

Pssst! Hey, you there! Come over here and keep your voice down! You say you have a business rival you want to put offline? Yeah, no problem. It’ll only cost you 20 bucks an hour for a short term or long term DDoS attack. You want a little taste of how easy this is? Watch this live demo for a few minutes and see your competitor’s...

Read more

Beyond V*I*A*G*R*A - Evil Phishing Scams of 2012

You’ve heard the old saying: A chain is as strong as its weakest link. When it comes to IT security within your organization, the weakest link may well be your own workers. It’s human nature to be trusting of others. Scammers and attackers know this and use social engineering in the form of phishing to get people to reveal information...

Read more

Follow the Leader: Learn What Makes the Most Effective Security Organizations the Leaders in What They Do

In the early months of 2012, consulting firm PwC joined CIO magazine and CSO magazine to conduct a worldwide survey on the global state of information security. More than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 128 countries took part in the survey. The full results are documented in...

Read more

Advice for E-Retailers: Don’t Let a DDoS Attack Knock Out your Profits During the Holiday Shopping Season

The holiday shopping season is underway—let the frenzy begin! This is the time of year when retailers make as much as one-third to one-half of their annual profits. If your company conducts sales over the Internet, it’s critically important to keep the website up and operating at maximum efficiency. If consumers coming to your site...

Read more

After a Breach, Be Prepared to Communicate, Communicate, Communicate

I recently wrote about how companies communicate with their customers during and after cyber attacks. Many organizations that suffer a data breach do a poor job of communicating about the incident, leaving people unaware of the level of vulnerability of their personal information. In just the past week, we received reports of two...

Read more

Would You Tell a Customer “It’s Your Fault”… Even If It Isn’t?

We’ve all been reading about the DDoS attacks that have hit most of the major American banks in the past month or two. Just for a moment, let’s put aside the technical aspects of how these attacks happened and think more about how they have affected the banks’ customers. More specifically, I want to explore how these financial...

Read more

Can You Be Shamed Into Casting Your Vote for U.S. President? Let’s Hope this Never Happens

Election campaign season is in full swing, and both major political parties are in a frenzy to get voters to cast their ballot. Technology plays a larger role in this election than any previous year. The campaigns have used blogs, emails and social networking effectively in the past, but this year’s hot technology appears to be business...

Read more

Data Breaches Happen Daily - Get Your Detailed Planning Guide for Breach Readiness

It’s Monday morning and you’ve just settled into your office to start your day. Before you can even finish your first cup of coffee, there’s a light knock at your door. You look up and see one of the regional sales managers standing there, looking rather hesitant. You invite him in and ask what’s on his mind. He hems and...

Read more

Keep some links out of LinkedIn to hold onto your intellectual capital

A column by L.M. Sixel in the Houston Chronicle points out that LinkedIn has become a recruiter’s best friend. When a company is looking to hire a qualified professional, what better way to find him or her than by looking through the networking site that provides everyone’s unofficial resumes? Even people who may not be looking for...

Read more

Encryption innovations simplify the choice to deploy cloud applications

Security vendors are heeding the siren call to create more useful solutions to protect data going into the cloud. In particular, there is some real innovation in products designed to encrypt or tokenize data before it is sent to cloud based applications. Three of the more significant developments include: Format preservation Operation...

Read more

The PCI Security Standards Council is working on clarifying, enhancing PCI DSS 2.0

The Payment Card Industry Data Security Standard (PCI DSS) was released at the tail end of 2004. The intention of the standard is to create an additional level of protection for card issuers like MasterCard and Visa by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card...

Read more

Can you get a restraining order against Web ads that stalk you?

Have you ever had that feeling that you’re being followed? How about when you’re sitting at your own desk, surfing the Web? A few months ago, I was shopping for a necklace for my daughter. I was looking at some nice choices on Overstock.com and ran out of time for shopping. I closed my session without buying anything. The next day I...

Read more

Verizon: 58% of attack vectors are Web apps. Can you defend them?

Application security represents a major paradigm shift for the security community. In the past, security was about turning on or off a specific port. Done! Application security is much more complex today, and for good reason: hackers have put concerted, tremendous effort into attacking applications. According to a recent Verizon Data Breach...

Read more

Stupidity and carelessness have metastasized at Texas cancer center

One of the most revered institutions in the state of Texas is the University of Texas M.D. Anderson Cancer Center. It’s one of the most famous hospitals in the world. Depending on which list you check, M.D. Anderson is ranked either #1 or #2 in the country for cancer treatment. People have been known to travel from every corner of the world...

Read more

Ultimate in remote tech support: Updating software on the Mars rover

Don’t you hate it when you buy a new piece of computing gear and the first thing you have to do when you power it up is install an update to the operating system? Well, now you know how the NASA scientists at Jet Propulsion Laboratory feel. Since landing the amazing scientific rover Curiosity on Mars on August 5, the scientists haven’t...

Read more

Three signs that privacy in the U.S. is dead (or soon will be)

In the United States, we consider personal privacy to be sacrosanct. It is part of what makes us “free.” We don’t like the idea of companies or agencies of any sort knowing too much about our personal lives. We expect that what happens not only in Vegas but practically anywhere will remain private. Alas, the privacy genie is out...

Read more

Hard lessons learned about online banking security

Network World recently published an article about a small business owner who was a victim of online banking fraud and who fought mightily to get her money back—first from the money mules working for the fraudster, and then from the bank whose lax security allowed the fraud to happen. First the highlights, and then we’ll discuss some of...

Read more

Encryption solutions for the cloud Part 5: Vaultive

This is the fifth and last in a series of posts on cloud encryption solutions. One of the issues with encrypting data is that the resulting ciphertext is difficult to work with inside of applications. The encrypted data usually can’t be sorted, searched or indexed in any meaningful way. Thus, once you put ciphertext into a SaaS...

Read more

Encryption solutions for the cloud Part 4: Vormetric

This is the fourth in a series of posts on cloud encryption solutions. Vormetric offers centrally managed encryption, key management and access control for data at rest across distributed heterogeneous environments. Vormetric Encryption supports all of the major platforms – Linux, UNIX and Windows – and can be used in physical,...

Read more

Building in mobile application security isn't easy: Follow best practices to secure apps up front

Mobile apps have been around for a few years now. We’ve passed the stage when they are just for fun and games – anyone up for some Angry Birds? – and are now for serious business use. There are mobile apps for practically every business function you can think of. Lately I’ve been talking to the people at...

Read more

Encryption solutions for the cloud, Part 3: PerspecSys offers encryption, tokenization for SaaS applications

This is the third in a series of posts on cloud encryption solutions. Security vendor PerspecSys is tackling the cloud computing space from the SaaS angle. PerspecSys believes that many organizations want to enjoy the speed and ease of deployment as well as the cost advantages that SaaS solutions such as Salesforce.com provide, but issues like...

Read more
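The problem raised in the Vaultive (Part 5) and PerspecSys (Part 3) teasers above is that randomized ciphertext cannot be matched, searched or ordered by the SaaS application once it leaves your control. The following is an added example, not code from either vendor or from the original posts, showing why that is and two standard workarounds: a keyed blind index (HMAC over a normalized value) that allows equality lookups without the data key, and a token vault that keeps the real value on-premises. The stream cipher is a toy HMAC-in-counter-mode construction used only so the example runs on the Python standard library; a real deployment would use AES-GCM. All customer records are constructed sample data.

```python
"""Why encrypted SaaS data cannot be searched, and two workarounds.

Added example (not Vaultive's or PerspecSys's code). Uses only the Python
standard library; the cipher below is a toy PRF-based stream cipher, chosen
so the example runs offline. Use AES-GCM in real code.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF in counter mode: HMAC-SHA256(key, nonce || counter). Assumption
    # for illustration only; not a substitute for a vetted AEAD cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Fresh random nonce per call, so equal plaintexts give different ciphertexts.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def blind_index(index_key: bytes, value: str) -> str:
    # Deterministic keyed hash of a normalized value: equal inputs give equal
    # indexes, so the SaaS side can run equality queries on the index column
    # without ever holding the data-encryption key. Uses a separate key.
    normalized = value.strip().lower().encode()
    return hmac.new(index_key, normalized, hashlib.sha256).hexdigest()[:32]


class TokenVault:
    """Replaces a sensitive value with a random token; the mapping never
    leaves the tenant, so the SaaS application only ever sees tokens."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def build_records(enc_key: bytes, idx_key: bytes, vault: TokenVault, customers):
    """What actually gets stored in the SaaS tenant for each (name, email)."""
    rows = []
    for name, email in customers:
        rows.append({
            "name_ct": encrypt(enc_key, name.encode()),   # opaque, unsearchable
            "email_idx": blind_index(idx_key, email),     # searchable by equality
            "email_tok": vault.tokenize(email),           # resolvable only on-prem
        })
    return rows


def find_by_email(rows, idx_key: bytes, email: str):
    """Equality lookup the SaaS side could run on the stored index column."""
    target = blind_index(idx_key, email)
    return [r for r in rows if r["email_idx"] == target]


def demo() -> dict:
    # Constructed sample data, not real customers.
    customers = [("Alice Smith", "alice@example.com"),
                 ("Bob Jones", "Bob@Example.com"),
                 ("Carol White", "carol@example.com")]
    enc_key, idx_key = os.urandom(32), os.urandom(32)   # always separate keys
    vault = TokenVault()
    rows = build_records(enc_key, idx_key, vault, customers)
    # Randomized encryption: the same name encrypts differently each time, so
    # neither equality matching nor sorting on name_ct means anything.
    same_plain_differs = encrypt(enc_key, b"Alice") != encrypt(enc_key, b"Alice")
    # Blind index: case-insensitive equality search without the data key.
    hits = find_by_email(rows, idx_key, "BOB@example.com")
    # Token: only the on-premises vault can turn it back into the address.
    email = vault.detokenize(hits[0]["email_tok"])
    return {"same_plain_differs": same_plain_differs, "hits": len(hits), "email": email}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: a blind index is deterministic by design, so it leaks which records share a value (and hence frequency information), and it supports equality only; range queries and sorting still need either plaintext, a trusted proxy that decrypts on the way in and out, or an order-revealing scheme with its own leakage. Keep the index key and the data key separate, so a compromise of the searchable column does not expose the encrypted data.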

Encryption solutions for the cloud, Part 2: Gazzang is built for “big data” environments

This is the second in a series of posts on cloud encryption solutions. Gazzang is a relatively new company that is building a series of data center tools built for new cloud architectures, and specifically to take advantage of open-source infrastructure. The first product the company has brought to market is zNcrypt. It is a...

Read more

Encryption solutions for the cloud, Part 1: Encryption and the cloud data security conundrum

In my recent conversation with Dr. Eric Cole of the SANS Institute (“Old remedies don’t work on new threats; SANS panel will discuss alternative medicine”), Cole stressed the importance of data encryption, especially in the cloud. His advice: Encrypt the data and manage the keys in such a way that no one but you has access...

Read more

Symantec's Vision: on the move and heading for the clouds

My company has sent a representative to the Symantec Vision conference for the past several years, and this year I drew the lucky straw to attend. The conference themes over the years have been some variation of “manage and protect,” but this year’s emphasis was clearly on data security, especially when it comes to data in the...

Read more

Old remedies don't work on new threats; SANS panel will discuss alternative medicine

Organizations spend lots of money on a variety of security products but they are frustrated because they are still getting compromised. Why? The threats organizations face have changed in the past year or two, but the way we approach security hasn’t. “When you’re dealing with the common cold, you wait for the first symptom to...

Read more

Fido exposed through identity verification: “Please provide name, DOB birth and species”

There’s a classic cartoon depicting a dog using a computer, with a caption that says, “On the Internet, no one knows you’re a dog.” It’s funny, but true. When you have any sort of web-based business, you really don’t know who is on the other end of the transaction. Most online businesses address the identity...

Read more

Today's Facebook post may be tomorrow's evidence; Cernam captures ephemeral web info for its day in court

Content posted to social media and found in other online sources is becoming more important in litigation. People are writing things in a casual, unguarded way on the Web, and, increasingly, litigators want that information to help win their cases. The problem with Web content as evidence, however, is that it can be very fluid. Something posted to...

Read more

Global Payments breach: Understanding the role of processors in the credit card transaction chain

The Global Payments credit card data breach investigation is still in its early stages, and right now the full extent of the situation is yet to be determined. In a press conference this morning, senior executives from GPN did say that the breach is fully contained and the company has a team of security experts and law enforcement professionals on...

Read more

FCC launches anti-bot Code of Conduct

Over the past few years, botnets have become an exceptionally egregious security issue for businesses and home computer users alike. It’s terribly difficult to know when a user’s PC has been usurped for a botnet, and it can be even harder to remove the computer from the unwanted network. By some accounts, more than 10% of U.S....

Read more

Fighting back: Is it OK to 'Unfriend' a C & C server?

It seems that illegal computer hacking has become so commonplace these days that events only make the news when they are significant. Last week’s headline was the hacking of Syrian President Bashar Assad’s email account. The group Anonymous claims credit for the attack. On the Daily Show, Jon Stewart remarked, “Finally! A...

Read more

Don't depend on trust to protect data in cloud: Startup Porticor addresses key management

In one survey after another, we see that security concerns are a top inhibitor to cloud adoption. Companies want to get the flexibility and cost advantages of cloud computing, but there’s often trepidation about putting data on servers that are outside a company’s own data center. Cloud security is an issue of trust and...

Read more

A peek into the underground economy and the market for stolen credit cards

There’s a great article from Bloomberg (Stolen credit cards for $3.50 online) in which author Michael Riley explores the depths of the underground market for stolen credit card data. Reading this is enough to make you want to stuff all your money in a mattress for safe keeping. By some estimates, the underground digital economy has now...

Read more

Trusteer identifies “factory outlet sales” of stolen login credentials in the underground economy

I love factory outlet sales. Just last week I bought a brand name mattress for pennies on the dollar. Of course, I had to travel to a dingy part of town and wander through a cavernous old warehouse with mattresses stacked to the ceiling to find my great bargain. Last night I enjoyed a great night of sleep on my plush new pillow-top mattress, and...

Read more

Sharing BYOD (bring your own device) experience from the trenches

I recently wrote about the business social networking site Wisegate, which brings together high-level security and IT professionals to discuss and collaborate on their top-of-mind issues. Wisegate just released a report that summarizes what members are doing about creating and implementing mobile device management (MDM) policies for personally...

Read more

Smart phones getting out of control? SANS hosts first Mobile Device Security Summit

Mobile security and application development is new territory for a lot of companies. If your organization is struggling with how to develop and implement a set of policies for managing and securing mobile devices, especially the thorny BYOD (bring your own device) issues around employee-owned smart phones and tablets, you aren’t alone. A...

Read more

Teaching a dead dog new tricks about stronger passwords

Some time ago I enjoyed a cartoon where a family was eulogizing their recently deceased pet. The caption was something like, “Rex, you were a good dog, and though you may be gone from this life, you will live on forever as our computer password.” The cartoon amused me, but it also made me uneasy because I realized I was guilty of...

Read more

Securing communications to reduce online fraud

The last decade has seen huge growth in the number of U.S. households that use online banking and online bill paying services. Some 72.5 million households participate in online banking, with 36.4 million using the Internet to pay bills, according to the Fiserv 2010 Consumer Billing and Payment Trends Survey. Those numbers represent an 84%...

Read more

EMV – a security standard coming soon (?) to a credit card near you

In my last post , “U.S. clings to insecure magnetic stripe cards — what’s the attraction?” I talked about a security standard for credit and debit cards that is used virtually everywhere in the world except the United States. This standard, called EMV, uses a smart chip embedded in the plastic card or token to securely...

Read more

U.S. clings to insecure magnetic stripe cards — what’s the attraction?

The next time you dine out and hand your credit card to the waiter to cover the check, think of this story. In November 2011, the Manhattan District Attorney’s Office announced that law enforcement agencies had broken up a ring of 28 people, most of them waiters, who were using handheld card skimmers to steal credit card data from customers...

Read more

Feeling isolated? Wisegate social network connects senior-level security professionals

Sara Gates, founder of the social networking service Wisegate, is creating an invitation-only private community of security and IT professionals. Gates believes that senior executives, such as CIOs and CISOs, need other people at their peer level to share war stories and get firsthand feedback on what works and...

Read more

Firewall managers lack confidence in their security posture

The majority of firewall managers are concerned their change management practices put their companies at risk, according to a recent survey. How does this happen? Firewalls are generally considered the first line of defense for most networks. A firewall is the first decision point that uses a set of rules to determine whether or not outside...

Read more