The Nibble security blog had a very good post on Subverting a Cloud-based Infrastructure with XSS and BEEF. They essentially constructed an XSS attack to issue network infrastructure management commands without user knowledge.
A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach.
The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for…
We are big on Quick Wins at Securosis. Mostly because we know how hard it is to justify new technology (or processes or people), and that if you can’t show value quickly on a new project, every subsequent request gets harder and harder to get through. Until you have a breach, that is. Then your successor gets carte blanche for a honeymoon period to do the stuff you were trying to do the whole time.
It’s funny how you suddenly remember random conversations from months ago at the strangest times. I recall having breakfast with some of my pals at TripWire at RSA 2012 (yes, 13 months ago), and them peppering me about the vulnerability management market. Obviously they were shopping for deals, but most of the big players then seemed economically out of reach for TripWire. And there was nothing economically feasible I could recommend for them in good conscience.
As we discussed in Industrial Phishing Tactics, phishing is a precursor to many attacks in the wild. Phishing attacks are designed to get victims to click something, then to share the victim’s account credentials and download malware; and of course they leave a trail like everything else. Following that trail can help you prioritize remediation activities, identify adversaries, and ultimately take action to protect both your environment and your customers. But first you must be able to analyze…
In the immortal words of Jay-Z, you’ve got 99 problems but BYOD ain’t one of them. Colin Steele does a good job of putting the BYOD (and broader mobility) situation in proper context in You can’t solve BYOD because it’s not a problem.
I was perplexed by the wording of many initial reports on the recent attacks ‘against’ Apple, Facebook, Twitter, and Microsoft. Sure, maybe they were targeted, but it seems just as likely that the attackers just picked popular developer sites and harvested some big fish.
Shiny technology objects make us happy. Admit it – you want to believe the buzzword du jour will make things better. Or less crappy. But if the capabilities and value of new technology are contingent on humans, eventually you run into the most debilitating of constraints: expertise limitations. It seems like everyone wants to talk about Big Data Analytics, but the inconvenient truth is that without the math folks Big Data doesn’t do much.
Threat Intelligence comes in many shapes and sizes, all of which are helpful for Early Warning of imminent attack. After introducing the initial Early Warning concepts, we recently delved into how network telemetry and other information about your pipes can help to identify compromised devices in Network-based Threat Intelligence. We continue discussing all sorts of threat intel by focusing on phishing in our new series, Email-based Threat Intelligence. We stay true to our naming conventions.
Thales released a 2012 survey on encryption spending trends today. In a nutshell, spending was up a modest amount for the first time in several years. From the Deep Dive post: