
PDF Wars: The Rise of the Evil Document

VeriSign’s Managed Security Services group provides all kinds of services to help organizations with the heavy lifting of certain security tasks: the ones that are easy when you have one system, but not when you have a thousand. In a recent internal email thread, one of our engineers told us they are seeing a dramatic increase in the number of PDFs with malicious JavaScript embedded in them. These exploits use the OpenAction function (the PDF equivalent of the HTML document.onload() handler) as a vehicle to obtain full machine compromise with a rootkit. I’m not sure why we feel the need to embed scripting into a PDF (isn’t that what the web and offline browsing are for?), but it appears that ...


65% of Oracle DBAs’ Pants Are Down

According to this article from Information Week, “only 35% of Oracle users continuously monitor for suspicious activity.” Ouchtown, population YOU, bro. Well, 65% of you. Let’s assume that this study is accurate (based on the Oracle installations I have seen, I would guess it is pretty close, if not optimistic). This means there are databases out there, probably holding sensitive data, that are compromised without the DBAs or security teams even knowing it. Many DBAs simply give up on patching these installations thanks to a rather messy process, so the problem could be even worse. The study specifically states that continuous monitoring (without defining what that means) is performed by 35% of ...


Why SSL is not the Catch-All

Billy Rios, application security extraordinaire, posted commentary on Sandro Gauci’s paper entitled “Surf Jacking – HTTPS will not save you.” It builds on an attack called “Side Jacking” that was introduced at the 2007 BlackHat conference. Essentially, this type of attack lets someone hijack a web session, which gives them access to your account on a particular website. Branden… In English please… Ok, so let’s say you make use of some stretch time that the office gives you (assuming they know about it), and head down to the coffee shop of your choice for a nice fresh cuppa. You bring your laptop with built-in WiFi, fully intending to work on that presentation for Johnson. That ...


How fast will your data walk out the door?

Cyber-Ark has released a new study (article on Ars Technica) suggesting that 88% of IT workers would steal data if fired. Eighty-eight out of every 100 IT employees would steal data if they were shown the door. That’s more than the 4 out of 5 dentists who recommend chewing Trident after meals! I’m not sure who they were polling, but it sure makes IT folks look like a bunch of criminals. At a minimum, it does reinforce one point that often shows up in my presentations. At the end of the article, we learn that every third administrator would write down an administrative password. Administrators are often the worst offenders when it comes to breaking security policies and procedures. This is ...


The Internet is falling down (falling down, falling down)!

Last month, we saw Kaminsky release details of a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw, and security pundits beat their chests, telling the masses that they had been reporting this for years. Well, it’s a new month, and we have a new flaw. Slashdot has posted a story about a BGP flaw that has been around for years and could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here. I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP ...


August’s Herding Cats is now live!

Entitled The Carl Method to Security, it compares CIOs to our lovable friend Carl Spackler when it comes to reacting to a breach. If you read this and don’t believe me, just trawl the news for recent CIOs responding to breaches. I don’t need to make this stuff up; people do it quite nicely on their own. Just like that time I was in the Las Vegas airport and a TSA agent came over the PA and said, “To the person who left your dentures and hearing aid at the security checkpoint, if you can hear me, please return to claim your items.” See? Don’t need to make it up. Anyway, go check it out!


Oracle Zero Day

ZDNet is reporting that Oracle released an emergency patch today, the first it has released since moving to a quarterly update cycle. I can just hear the Oracle DBAs of the world screaming and bitching about this. I know the Oracle code base is mammoth, but wouldn’t it be nice for them to do a full security code review (which VeriSign’s Enterprise Security Services group offers) to shore up some of these things? I don’t think anyone at Oracle is delusional enough to believe they are extinction-proof, but something like this may go a long way toward ensuring that the tusky software giant remains in play well into the future.


Confused about DLP?

Don’t worry, you are not alone. A partnership of several companies released DLP In Depth today, a website set up to unravel the mystery of Digital Loss Prevention (DLP). DLP technologies have been around for some time, but last year we saw a flurry of activity in that market as RSA picked up Tablus and Symantec picked up Vontu. At VeriSign, we regularly recommend using DLP products as part of your security strategy. Knowing where your data lives is the first step toward being able to secure it. So if you are looking for more info on DLP, go check out www.dlpindepth.org!


Herding Cats, July 2008 is out!

Before you click on the link to read the article, I should warn you: things got a little silly with this one. I even had to edit out a cleverly placed word, as my editor threw up a little when he hit publish on it. SILLY. Anyway… I hope you enjoy the July edition of Herding Cats, entitled The Forward Looking Future! Oh, and it looks like Twitter lost me. I’m there, but you can’t see my updates. *shrug*


Mind the Storefront!

Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!). Storefront security continues to be an issue for retailers even outside of PCI. Take physical security, for example. A major retailer’s data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even mantraps. Now visit that same retailer’s storefront. You might find accessible Ethernet jacks, or worse, a system room door that is unlocked or left wide open. Walk in there with an official-looking ID and ...

