Archive for January, 2009

what we’re reading, week of 1/26

Posted: January 29, 2009 in Highlights

Zero Day…
GPU-Accelerated Wi-Fi password cracking goes mainstream
With GPU-Accelerated password recovery attacks, WiFi networks are even more vulnerable. Can all this be avoided with user education and strong VPN policies?

From StillSecure, After all these Years…
Yearning for the good old days of NAC
Alan states worm outbreaks are not a valid reason for NAC anymore. He believes it has a more relevant mission. And once again, the definition of NAC has changed. Lawrence Oran from Gartner’s thinks the new definition should include “Evaluating the endpoint as it connects to the network. Those already connected, and implementing network access policies based on the state of the endpoint, the threat environment and user identity”.

Washington Post: Security Fix…
Obama Administration Outlines Cyber Security Strategy
Brian Krebs outlines Obama’s administration new cyber security goals. Krebs finds these new goals encouraging and looks forward to the change. Do you think the goals are attainable?

From Endpoint-Security Info…
Monster.com data breach disclosed
Another data breach… this time it’s Monster.com. Monster.com released a statement last Friday that it’s aware of the hack and has launched an investigation. Monster advises users to change their passwords.

Data Privacy Day

Posted: January 28, 2009 in Posts

According to Intel, today is Data Privacy Day. From their website:

Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.

One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.

Shouldn’t every day be data privacy day, however? Martin McKeay supports the day of observation, because it calls people (especially younger ones) to question their own willingness to keep personal data public:

[…] most people are willing to give up even the illusion of privacy if you offer them a candy bar or a shiny new widget for their desktop.  I’ve come to realize that privacy is about the government and corporations keeping their nose out of our business, but we also have a responsibility to monitor what we’re making available for public consumption about ourselves.  This is the part of the equation most people forget to think about.

What do you think? Is this observance really necessary? Will the younger Internet users it targets benefit from the education? Is our willingly reduced privacy online actually indicative of a lack of knowledge surrounding privacy, or does it represent an unavoidable and sweeping change in our culture’s thinking about personal data?

what we’re reading, week of 1/19

Posted: January 22, 2009 in Highlights

From around the Blogosphere…
Heartland Payment Systems issued a statement Wednesday that intruders hacked into its computers that was used to process 100 million payment card transactions per month for 175,000 merchants. Security experts are saying this hack may be bigger than the 2007 TJX hack. As expected, bloggers are weighing in. We highlighted the best commentary here.

Tim Wilson from Dark Reading gives a thorough overview of the Heartland situation, while Adam O’Donnell and Tim Naraine from ZD Net make the recommendation to check past credit card statements just to be safe. Too lazy to read about it? Check out the podcast by Martin McKeay of Network Security Blog. Time well spent for this podcast. Ironically, Endpoint-Security reported BEFORE Heartland that data breaches were up near 50% in 2008 (mostly due to insider threats). Doesn’t bode well for 2009.

From Security Warrior…
Tales From the “Compliance First!” World
Dr. Anton Chuvakin touches upon the PCI DSS compliance issue several times on his blog. On a recent post he stresses the importance security has in addition to compliance. Anton’s advice to readers: ‘if compliance is your first priority, make security your second, and vice versa’

From Andy IT Guy…
Requirements are required
From a previous post Andy discusses some of the reasons security investments fail, and in that post he mentions the mistake of purchasing the wrong technology. Andy recommends defining your requirements prior to making a purchasing decision—knowing this prevents failures and VPNs are one area that usually is left out of planning cycles – creating ‘work arounds’ with sub-par technology is a mistake

Secure Entry Client Version 9.1

Posted: January 21, 2009 in 64-Bit, Posts, Windows 7

This week, NCP announces the North American availability of the latest version of our IPsec VPN Secure Entry Client for Windows (XP and Vista/32/64-bit, Windows 2000). Version 9.1 includes several new ease-of-use features, including improved IPsec gateway compatibility, WISPr and support, and a smart interface for budgeting wireless minutes.

You can download Secure Entry Client Version 9.1 here. As we prepare for beta testing of the next Secure Entry Client version – which will be Windows 7 compatible – we welcome any and all user feedback on the newest release!

what we’re reading, week of 1/12

Posted: January 15, 2009 in Highlights

From Zero Day…
RIM warns of BlackBerry PDF processing vulnerabilities
Ryan Naraine reports that hackers can use “booby-trapped PDF attachments” sent to BlackBerry devices to launch malicious code execution attacks. Raw details are included in the article. It is urged for BlackBerry users to update their devices accordingly.

From around the Blogosphere…
The SANS Institute released a list of the 25 Most Dangerous Programming Errors. The list has stirred up a lot of buzz around the topic. Here are three different perspectives that we thought were significant.

Byron Acohido from Zero Day Threat says, “For now, let’s savor the moment. Hopefully, the collaborative consensus among a diverse collection of 37 organizations — including Microsoft, Oracle, EMC, Apple, the NSA, DHS and an amalgam of tech security firms — that produced the Top 25 flaws will emerge as a model. It is an example of the type of for-the-greater-good, public-private collaboration needed to stem cybercrime.”

Adam O’Donnell from ZD Net does not think the list will make the flaws go away, but believes it’s a powerful tool. It provides organizations that are looking to purchase software a metric it can use “to beat up on potential investors”.

Lori MacVittie from DevCentral also believes the list is a powerful tool, but urges people to continue their current security habits and stay current on new security trends.