Last year, I wrote about a ransomware infection that encrypted the hard drive of one of my company's employees. In that situation, a live, in-person scammer called the employee, claiming to be from "technical support," and tricked the employee into visiting a website that infected his computer. As with a similar situation I wrote about in 2012, the infection came from an advertisement on the front page of a major news service's website. The website runs rotating ads, one of which was compromised and hit the victim with a drive-by malware infection (without any intervention by or even the knowledge of the victim). I thought that because the infection was on the victim's personal computer, not on my company's network, we were pretty safe. I thought that if it had been on my network, the attempt probably would have failed, or would at least have been detected right away.
By J.F. Rice | 19 May, 2015 23:08
Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life -- and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn't let it happen -- and then it happens.
By Evan Schuman | 19 May, 2015 19:09
The feedback from our last article, in which we laid out what we call the Irari Rules for classifying a cyberattack as "sophisticated," was overwhelmingly positive. Nonetheless, a few people we respect disagreed with us. Ironically, examining why they disagreed demonstrates why the Irari Rules are relevant.
By Ira Winkler and Araceli Treu Gomes | 14 May, 2015 02:45
One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the consumerization of IT. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.
By Mathias Thurman | 12 May, 2015 07:08
Microsoft is set to upend a 12-year practice of providing security patches on the same day each month to everyone. Or not.
By Gregg Keizer | 08 May, 2015 07:00
It's always a good idea to point the car in the right direction before pressing the gas pedal, right? Why is it, then, that so many people lose sight of that simple concept?
By Kenneth van Wyk | 29 April, 2015 05:40
Organizations hit by a cyberattack have reason to call the attack "sophisticated." But calling an attack sophisticated doesn't make it sophisticated. We have put our heads together and come up with some rules for determining whether an attack is sophisticated, and we have put our names together (Ira and Ari) to give these rules a name: the Irari rules. If any of the following conditions occur, the attack is not sophisticated:
By Ira Winkler and Araceli Treu Gomes | 23 April, 2015 01:24
Sony is reliving the nightmare that its hacked databases gave rise to late last year, now that Wikileaks has thoughtfully published all of the leaked documents in a searchable database. Really, they are the most courteous hoodlums ever.
By Evan Schuman | 21 April, 2015 19:11
Last week, I was horrified to discover a problem with my vulnerability scanner. The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities. And this has been going on for a long time.
By J.F. Rice | 13 April, 2015 23:47
I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.
By Mathias Thurman | 09 April, 2015 23:51
It's a time-honored tradition: U.S. businesses find ways to skirt inconvenient or expensive laws by moving operations to other countries. Thus we have had U.S. corporations operating overseas to exploit child labor, run sweatshops or avoid taxes and rigorous health and safety inspections. Now the U.S. government says something similar is happening in regards to email.
By Evan Schuman | 18 March, 2015 01:56
Though she may have broken no laws, Hillary Clinton acted irresponsibly in using a personal email account to conduct official U.S. government business in her capacity as secretary of State.
By Kenneth van Wyk | 13 March, 2015 08:01
Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.
By Mathias Thurman | 11 March, 2015 03:46
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil or, as it eventually claimed, merely incompetent, it's hard to trust the company going forward. If nothing else, its initial denials that anything was wrong leave a lasting impression. Of course, Superfish, along with the software it bundled from Komodia, also deserves plenty of blame for breaking the security of HTTPS and SSL/TLS.
By Michael Horowitz | 10 March, 2015 00:07
Several electronic and mobile payment options have become available, but most of us in the U.S. are still using plain-vanilla credit and debit cards with magnetic stripes. They use technology that dates to the first Nixon administration. That's not a problem in itself; I have no problem with time-tested security measures that work effectively. But just look around: Data breaches are everywhere, and those magnetic-stripe cards are often implicated.
By Kenneth van Wyk | 27 February, 2015 03:07
As the White House and Congress consider new cybersecurity legislation, some middle-market companies may still be questioning whether the cybersecurity crisis is a real threat for their businesses.
By Matthew F. Prewitt | 17 February, 2015 21:08
Sometimes I wonder whether any company will ever fall victim to an unsophisticated cyberattack. Because after every attack that comes to light, we hear that same excuse: It was a sophisticated attack.
By Ira Winkler | 11 February, 2015 03:26
The downside of email, chat, text and messaging apps is that they make you feel like you're communicating privately, with only the intended recipients. And that your messages are private. Until they're not.
By Mike Elgan | 07 February, 2015 23:07
By Evan Schuman | 06 February, 2015 06:08
The following report is based on a global survey of 706 IT and security professionals conducted in the United States, Canada, Germany, the United Kingdom, Australia and New Zealand. The goal of the survey was to capture data on current attitudes and trends regarding mobile devices and IT security. This is the third survey on this topic, and this report evaluates differences in responses to similar questions asked over the past two years.
The way corporations operate around mobile devices is currently shifting—employees are starting to use their own devices for business purposes, rather than company-owned devices. With no direct control of the endpoints, IT departments have generally had to prohibit this or risk insecure access inside the firewall. But as more mobile devices appear on the corporate network, mobile device management has become a key IT initiative.