Think Information. Think Security.
 
An analysis of exploit code found shortly after the first Java flaw was discovered Sunday revealed the second vulnerability. The code has been tied to attackers in China. “The beauty of this bug class is that it provides 100 percent reliability and is multiplatform,” Esteban Guillardoy, a developer at Immunity, said Tuesday in announcing the discovery of the second bug. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.”

Users of Java, which is installed on billions of devices worldwide, are notorious for not staying up to date with patches. Rapid7 estimates that 65% of installations today are unpatched. This time around, however, people running the latest version of Java were the ones most exposed. The bugs are in Java 7 and affect Windows, Mac OS X and Linux systems running a web browser with the Java plugin enabled. The flaws were introduced with the release of the platform on July 28, 2011, Guillardoy said in his analysis.


 
The rise of bring your own device (BYOD) programs is the single most radical shift in the economics of client computing for business since PCs invaded the workplace, according to Gartner. Every business needs a clearly articulated position on BYOD, even if it chooses not to allow for it.

"With the wide range of capabilities brought by mobile devices, and the myriad ways in which business processes are being reinvented as a result, we are entering a time of tremendous change," said David Willis, vice president and distinguished analyst at Gartner. "The market for mobile devices is booming and the basic device used in business compared to those used by consumers is converging. Simultaneously, advances in network performance allow the personal device to be married to powerful software that resides in the cloud."


 
Cloud security skeptics were given yet another reason to doubt the fortitude of online storage when the strange tale of Mat Honan emerged earlier this month. Through the clever use of social engineering, a hacker was able to wreak havoc on the Wired journalist's digital life.

Apparently, the hacker talked Amazon tech support into providing the last four digits of Honan's credit card number. This information was then used to fool Apple into thinking the hacker was Honan and issuing a temporary password for Honan's email account. The hacker used this information to ultimately delete Honan's Gmail account, permanently reset his AppleID and Twitter passwords, and remotely wipe his iPhone, iPad and MacBook. Apple and Amazon closed the specific security holes that enabled this attack after news of Honan's problem hit the headlines. But the question remains: How secure is information in the cloud, really?


 
Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some of the pinched data includes credit histories from banks among other files, many of which were lifted from content management systems. Some of the breached databases each contained more than 30,000 records.

An analysis of the hacks by security biz Imperva reveals that most of the breaches were pulled off using SQL injection attacks - tricking the database behind a web application into running attacker-supplied SQL, and so handing over a good deal more information than it should. "Looking at the data dumps reveals the use of the tool SQLmap, one of two main SQL injection tools typically deployed by hackers," the company's researchers explained in a blog post.
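The injection technique Imperva describes, as an added example that is not part of the original article and not code from any of the breached sites: a constructed SQLite-backed article search whose query is built by string concatenation, beside the same search with a bound parameter, each run against a normal term and two attacker inputs. The schema, the rows, the hash values and the payloads are all made up for illustration; the UNION payload is the kind of cross-table extraction that a tool such as SQLmap automates.

```python
import sqlite3

# Constructed sample schema and data; nothing here comes from a real site.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", 1), (2, "Internal memo", 0)])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
                      (2, "bob", "e10adc3949ba59abbe56e057f20f883e")])
    conn.commit()
    return conn

def search_vulnerable(conn, term):
    """Typical CMS search: the user-supplied term is spliced into the SQL text.
    Only public articles are meant to be visible."""
    sql = ("SELECT title FROM articles WHERE public = 1 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Same query with a bound parameter: the term reaches the engine as a
    value and can never change the statement's structure."""
    sql = "SELECT title FROM articles WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

# Payload 1 (tautology): closes the LIKE literal, ORs in an always-true
# condition, and uses '--' to comment out the rest of the statement.
TAUTOLOGY_PAYLOAD = "%' OR 1=1 -- "

# Payload 2 (UNION): appends a second SELECT that reads a different table.
# The column count must match the first SELECT (one column here).
UNION_PAYLOAD = "x%' UNION SELECT username || ':' || password_hash FROM users -- "

def demo():
    """Run both search functions against each input; returns a dict of results."""
    conn = build_db()
    return {
        "normal_vuln": search_vulnerable(conn, "come"),
        "normal_safe": search_safe(conn, "come"),
        "tautology_vuln": sorted(search_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "tautology_safe": search_safe(conn, TAUTOLOGY_PAYLOAD),
        "union_vuln": sorted(search_vulnerable(conn, UNION_PAYLOAD)),
        "union_safe": search_safe(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```

Against the concatenated query the tautology payload returns the non-public article as well, and the UNION payload returns rows from the users table through an endpoint that was only ever meant to list article titles; the parameterized version returns nothing for either payload because the whole string is matched as a literal pattern. Parameterization, not input filtering, is the fix; escaping quotes by hand is what the vulnerable sites were presumably relying on.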


 
A vulnerability in the latest version of Oracle's Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, was low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability was exploited more widely by other attackers.


 
Social networks are both a boon and bane for online criminals: People using the networks tend to trust messages sent by "friends" and other users to whom they are connected, making social engineering that much more effective. On the other hand, the networks are gated communities, where security policies and technologies can radically change the attack landscape.

MyPageKeeper, a project designed and created by computer scientists at the University of California, Riverside, does just that. Created as a Facebook application, the program searches the news feeds of its subscribers every two hours looking for suspected social malware and scams, collectively referred to as "socware" by the researchers. When it finds a suspect post, it leaves a comment indicating that the item is likely a scam or malware.


 
In the high-priced market of exploit sales, developers resist government regulations -- but are more than happy when one wants to open its coffers to them.
The debate around the sale of vulnerabilities and exploits is again playing out within the security community, and this time it comes with a new twist.

It's really an old debate, one which heated up in 2009 when a group of well-known researchers announced their "No More Free Bugs" intention to the crowd at the annual CanSecWest hacker show in Vancouver. At the time, Dino Dai Zovi, Alex Sotirov and Charlie Miller, annoyed that vulnerability hunters weren't being properly compensated for their discoveries, reacted, in true capitalistic spirit, by telling the world that they just want to get paid. 


 
Researchers at security firm Mandiant have identified a backdoor trojan, called Hikit, which has targeted a small number of defense contractors in the United States.

Ryan Kazanciyan, a principal consultant at the Washington, D.C.-based company, told SCMagazine.com on Monday that the malware, first discovered last year, falls into the category of an advanced persistent threat.
As opposed to financial fraud, the goal of the attackers behind Hikit is to conduct industrial espionage and steal sensitive data, he said.

The trojan itself is not used to initiate a breach; it is deployed after an existing server vulnerability has been exploited, so that attackers can maintain access to victims' data. Hikit can run commands on a targeted server, transfer files to retrieve data, and redirect traffic within other systems on the victims' internal network.


 
Information-security managers always have to deal with trade-offs in securing their company's data, systems, and networks. Dedicating too much time and budget to the wrong areas could leave their business vulnerable.

Attackers have trade-offs, as well: A common one pits the stealthiness of an attack against how well it can withstand the countermeasures used by defenders.

At the recent USENIX Security Conference, for example, a group of researchers from the Georgia Institute of Technology and security firm Damballa showed that domain-generation algorithms (DGA) -- a technique used by attackers to foil takedown attempts -- create an easily detectable fingerprint in the domain-name system (DNS) traffic that emanates from an infected system.
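The kind of DNS fingerprint the paragraph refers to, as an added example that is not part of the original article and not the Georgia Tech/Damballa researchers' own method (the page does not describe their algorithm): a DGA-infected host queries many pseudo-random names that do not exist, so its resolver log shows a burst of NXDOMAIN answers for high-entropy labels. The script below runs a simplified per-host heuristic over a constructed resolver log in an assumed three-field format (client IP, queried name, response code); the hosts, names and thresholds are invented for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log in an assumed "<client_ip> <name> <rcode>"
# format. Hosts and names are invented; 10.0.0.9 plays the infected machine.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 kq3xv7pzlwd.com NXDOMAIN
10.0.0.9 a8fj2mzq9wx.net NXDOMAIN
10.0.0.9 zp0t4yvb6hc.info NXDOMAIN
10.0.0.9 mlw9qk2xe7r.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 b7xq1vz3mkp.org NXDOMAIN
10.0.0.9 rt5yx8wqn2l.com NXDOMAIN
10.0.0.12 typo-exmaple.com NXDOMAIN
10.0.0.12 www.example.com NOERROR
"""

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name):
    """'www.example.com' -> 'example': the label a DGA actually generates."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text):
    """Yield (client_ip, name, rcode); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ip, name, rcode = fields
        yield ip, name.lower(), rcode.upper()

def score_hosts(text, min_nx=5, min_entropy=3.0):
    """Per client: total queries, NXDOMAIN count, mean entropy of the failed
    labels, and a 'suspect' flag when both thresholds are met."""
    nx_labels = defaultdict(list)
    totals = defaultdict(int)
    for ip, name, rcode in parse_log(text):
        totals[ip] += 1
        if rcode == "NXDOMAIN":
            nx_labels[ip].append(second_level_label(name))
    report = {}
    for ip, total in totals.items():
        labels = nx_labels.get(ip, [])
        mean_h = (sum(shannon_entropy(l) for l in labels) / len(labels)
                  if labels else 0.0)
        report[ip] = {
            "queries": total,
            "nxdomain": len(labels),
            "mean_entropy": round(mean_h, 3),
            "suspect": len(labels) >= min_nx and mean_h >= min_entropy,
        }
    return report

def flagged_hosts(text, **thresholds):
    """Sorted list of client IPs whose failed-lookup pattern looks DGA-like."""
    return sorted(ip for ip, r in score_hosts(text, **thresholds).items()
                  if r["suspect"])

if __name__ == "__main__":
    for ip, r in score_hosts(SAMPLE_LOG).items():
        print(ip, r)
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

The single typo from 10.0.0.12 is not flagged because one failure is not a burst; the pseudo-random labels from 10.0.0.9 are. The entropy test is the weak half of the heuristic: a DGA that glues dictionary words together keeps entropy low, and on such traffic the NXDOMAIN count over a time window is what remains reliable, which is why the trade-off the paragraph describes cuts against the attacker whichever generator they choose.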


 
Although phishing is a con trick as old as the web, attackers are maintaining astonishing success by pulling the strings of victims' emotions.

Fraudsters who can persuade victims to respond to a legitimate-looking email or click on a seemingly benign link have already won, without having to launch a sophisticated technical attack at all. This week, security firm RSA released phishing attack numbers for the first half of the year that show a 19 percent increase in global incidents over the second half of 2011. Through the end of June, the monthly average was 32,581 attacks, amounting to more than $687 million in worldwide losses.