Cryptome: PayPal a 'liar, cheat and a thug' - The Register - Security

10 March, 2010 04:10 PM
Account still restricted

"PayPal is a fucking liar, a cheat and a thug," says Cryptome operator John Young. The eBay-owned payment service closed the Cryptome account last week, with over $5,000 of donations intended for Young in limbo.…

UK plastic fraud losses fall for first time in 3 years - The Register - Security

10 March, 2010 01:21 PM
Online banking losses up though

A rise in online banking fraud losses took some of the shine off the overall fall in debit and credit fraud in the UK last year.…

Twitter adds filter to cut phishing lines - The Register - Security

10 March, 2010 12:46 PM
Every twt.tl bit helps

Twitter has tightened up security procedures in order to curtail phishing attacks against users of the micro-blogging service, which have become rampant over recent weeks.…

Max Clifford takes £1m to drop hack probe - The Register - Security

10 March, 2010 09:29 AM
Kiss and don't tell

Celebrity publicist Max Clifford has agreed to accept a £1m plus payoff in exchange for dropping phone hacking allegations against the News of the World.…

Suburban woman accused of using net to recruit terrorists - The Register - Security

10 March, 2010 07:02 AM
Feds cuff JihadJane

A suburban Pennsylvania woman who went by the online alias JihadJane used the internet to recruit Islamic terrorists and to plot the assassination of a Swedish cartoonist who depicted the Prophet Mohammed, according to a federal indictment unsealed Tuesday.…

Fraud-prevention service ponies up $12m for 'false' ads - The Register - Security

09 March, 2010 11:17 PM
Agrees to safeguard customer data

An Arizona company that sells services designed to prevent identity theft has agreed to pay $12m to settle charges it oversold their effectiveness and didn't adequately protect sensitive customer data.…

It's official: Adobe Reader is world's most-exploited app - The Register - Security

09 March, 2010 08:33 PM
The new Microsoft

Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns, according to figures compiled by F-Secure.…

New Internet Explorer code-execution attacks go wild - The Register - Security

09 March, 2010 07:08 PM
IE 6 and 7 users targeted

Online thugs are exploiting a security bug in earlier versions of Internet Explorer that allows them to remotely execute malicious code, Microsoft warned on Tuesday.…


FA launches security probe after England team bugged - The Register - Security

09 March, 2010 04:20 PM
Lancaster Gate-gate

Reported attempts to sell recordings of conversations between England squad players and coaches have sparked a security breach investigation at the FA.…

Smartphone app botnet experiment blows up a storm - The Register - Security

09 March, 2010 03:37 PM
WeatherFist shows phone vulnerability, devs claim

Security researchers fooled nearly 8,000 iPhone and Android users into joining a mobile smartphone "botnet" under the guise of installing an apparently innocuous weather app.…

Why is “Commander” still allowed to do business? - Beast Or Buddha

09 March, 2010 11:56 AM

This is a dodgy operation that went bankrupt and did not pay their bills but somehow still exists under the same name?

http://www.commander.com/

Stay away from them. Weird they exist.

Vodafone ships Mariposa-infected HTC Magic - The Register - Security

09 March, 2010 10:56 AM
Android phone comes riddled with bots

Updated: Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on HTC Magic Android smartphones it supplied.…

Security Consortium Watch….. - Beast Or Buddha

09 March, 2010 05:42 AM

I’m not going to go back over all the old posts to try to remember who all these mobs were, but is there a consortium still doing anything? eg; ICASI and SAFECode. etc etc…..

Some previous posts mentioning them: http://beastorbuddha.com/?s=consortium

Not much more to add that I haven’t already said in the link above and links within the posts.

Is there a Cloud one also? Sure there is. :)

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Thailand approves extradition of credit card hack suspect - The Register - Security

08 March, 2010 11:34 PM
Losses top $153m

A criminal court in Thailand has approved the extradition to the US of a Malaysian man suspected of participating in credit card thefts of more than $152m, according to a local news report.…

'Crazy' man cuffed for plotting cyber extortion scheme - The Register - Security

08 March, 2010 06:10 PM
Threatened to drag firm 'through the muddiest of waters'

A California man was charged with extortion after he allegedly threatened to send millions of emails and social networking messages that maligned a large life insurance company unless he was paid almost $200,000.…

Ubisoft undone by anti-DRM DDoS storm - The Register - Security

08 March, 2010 03:06 PM
Protests over anti-piracy controls hobble games firm

Ubisoft has confirmed its rights management servers were hit by a fierce DDoS attack over the weekend that left some customers unable to play its games for much of Sunday.…

Paypal freezes Cryptome - The Register - Security

08 March, 2010 02:34 PM
And sits on its cash

eBay Inc has suspended Cryptome's PayPal account, confiscating donations made to the site in the past two weeks. New York architect John Young has refunded around $5,300 to donors.…


Botnet takedowns 'don't hurt crooks enough' - The Register - Security

08 March, 2010 02:25 PM
Punching fog

The takedowns of the Mariposa and Waledac botnets last week were victories for the good guys, but security experts warn that although cybercrooks suffered a bloody nose they collectively retain the upper hand in their ongoing conflict with law enforcement and its security industry allies.…

Energizer Duo software suffers backdoor Trojan bother - The Register - Security

08 March, 2010 11:33 AM
Shh, I'm hunting wabbits

A Trojan backdoor found its way into Energizer Duo USB battery charger software downloads.…

“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? - Beast Or Buddha

08 March, 2010 03:10 AM

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out the “Emerging Threats” presentation (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.


Patchy Windows patching leaves users insecure - The Register - Security

07 March, 2010 08:02 AM
Third-party patch treadmill running too fast, warns security firm

Windows users need to patch their systems an average of every five days to stay ahead of security vulnerabilities, according to a study this week.…

Opera says bug probably can't commandeer machines - The Register - Security

05 March, 2010 09:14 PM
Get your DEP here just in case

A security vulnerability identified in Opera can be exploited to crash users' browsers, but probably can't lead to the remote execution of malware, a company spokesman said.…


Think software patching is a hassle? You're not alone - The Register - Security

05 March, 2010 06:48 PM
Help on the way

Underscoring a barrier to remaining secure online, the average Windows PC user has to install a software update every five days from 22 different providers, according to vulnerability tracking service Secunia.…


Scareware sellers fool Google with file switch - The Register - Security

05 March, 2010 04:25 PM
Replacing pdfs with dodgy Flash files

Cybercrooks have developed a new technique for manipulating search engine results in order to promote the crud they sell, such as scareware packages.…

Argos buries unencrypted credit card data in email receipts - The Register - Security

05 March, 2010 11:49 AM
Laminated catalogue of errors

Catalogue firm Argos has been criticised for an email security breach that exposed customers’ credit card details and CVV security codes.…
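The practical lesson behind that story is that a receipt needs at most the last four digits of a card number and must never carry the security code. As an added example (not Argos's code and not anything from the article), the Python below scrubs primary account numbers and CVV values from outgoing email text before it is sent, using a Luhn check so that order references and phone numbers are left alone. The receipt text is constructed for the demo and the card number is the standard Visa test PAN, not a real card.

```python
"""Added example: scrub card numbers (PANs) and security codes from outgoing text
such as order-confirmation emails. Not code from Argos or the article; the sample
receipt is constructed and the card number is a payment-network test PAN.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code labels (CVV/CVC/CCV/CID/CSC) followed by 3-4 digits. The code
# must never be stored or sent after authorisation, so it is removed outright.
_CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CCV|CID|CSC)\b\s*[:#]?\s*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes; most order refs and phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a receipt legitimately needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_card_data(text: str) -> Tuple[str, List[str]]:
    """Return (scrubbed text, list of findings) for a block of outgoing text."""
    findings: List[str] = []

    def _sub_pan(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):  # e.g. a 16-digit order reference: leave as-is
            return raw
        findings.append(f"PAN ending {digits[-4:]}")
        return mask_pan(digits)

    def _sub_cvv(match: "re.Match[str]") -> str:
        findings.append("CVV removed")
        return "[security code removed]"

    text = _PAN_RE.sub(_sub_pan, text)
    text = _CVV_RE.sub(_sub_cvv, text)
    return text, findings


# Constructed receipt: a test PAN, a security code, a Luhn-invalid order ref, a phone number.
SAMPLE_RECEIPT = """Thank you for your order.
Card: 4012 8888 8888 1881  Expiry 12/14  CVV: 123
Order ref 1000000000000001
Delivery to 10 Example Road, tel 020 7946 0000
"""

if __name__ == "__main__":
    scrubbed, found = redact_card_data(SAMPLE_RECEIPT)
    print(scrubbed)
    print("findings:", found)
```

Run this as a gate on the outbound mail path, and treat any non-empty findings list as a bug to fix upstream: the PAN should have been masked and the CVV discarded before the receipt template was ever rendered.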

Patch Tuesday will leave F1 hole unpatched - The Register - Security

05 March, 2010 10:40 AM
Light spring sprinkle follows deluge

Microsoft is planning just two bulletins next week, covering vulnerabilities rated only as "important", as part of this month's Patch Tuesday.…

Israeli raid scrubbed after errant Facebook post - The Register - Security

05 March, 2010 06:02 AM
Loose tweets sink fleets

Israeli military officials said they called off a planned raid on a West Bank village after a combat soldier posted its details on Facebook, according to news reports.…


Risky Business #142 -- Special guest H D Moore talks fun with NTP - Risky Business

05 March, 2010 05:46 AM
Tagline: "Mostly pointless" research yields interesting results...

Risky Business is hosted by the team at Virtual.Offis in Sydney but sponsored, this week, by Tenable Network Security.

This week's feature guest is H D Moore, who'll be joining us to talk about some fun stuff he's been doing with NTP. Believe it or not you can use NTP to do massive recon on the Intertubez. H D has built a database of millions of hosts by querying NTP boxens. It's cool.

Tenable Network Security CEO Ron Gula joins us in this week's sponsor interview, and Adam "Beardy McUNIXguy" Boileau drops in to discuss the week's news.

'Severe' OpenSSL vuln busts public key crypto - The Register - Security

04 March, 2010 09:00 PM
Private keys pilfered through power supply

Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key.…
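The attack behind that headline works by inducing computation errors while the private key is in use. As an added illustration (not code from the article or from the researchers it reports on), the Python below shows the textbook RSA-CRT fault attack (Boneh-DeMillo-Lipton, plus Lenstra's two-signature variant): with a toy hard-coded key, a single corrupted bit in one half of a CRT signature lets a gcd recover a prime factor of the modulus, and a verify-before-release check stops the faulty signature ever leaving the signer. The key, message and software-injected fault are assumptions for the demo, and the research the article covers may target a different exponentiation path.

```python
"""Added example: why a single faulty RSA-CRT signature leaks the private key.

Not code from the article or the researchers it reports on. The key is a small
hard-coded demo key (two Mersenne primes) and the "glitch" is injected in
software; the gcd attack shown is the classic Boneh-DeMillo-Lipton / Lenstra
CRT fault attack, which may differ from the exact technique in the research.
"""
from math import gcd
from typing import Optional

# Demo key (assumption: toy sizes, never use in practice).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent (Python >= 3.8)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # CRT recombination constant


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA signature computed with the Chinese Remainder Theorem (Garner recombination).

    fault_in_p=True simulates a glitch corrupting the mod-p half of the work,
    the kind of error a power-supply fault could induce during signing.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1                     # one wrong bit in the mod-p half is enough
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e == m (mod N)."""
    return pow(s, E, N) == m % N


def recover_factor_from_faulty_signature(m: int, s_faulty: int) -> int:
    """Boneh-DeMillo-Lipton: the mod-q half was correct, so s'^e == m (mod q)
    still holds but fails mod p; gcd(s'^e - m, N) therefore exposes q."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def recover_factor_from_two_signatures(s_good: int, s_faulty: int) -> int:
    """Lenstra's variant: a correct and a faulty signature of the same input
    agree mod q and differ mod p, so gcd(s - s', N) exposes q. No message needed."""
    return gcd((s_good - s_faulty) % N, N)


def sign_crt_checked(m: int, fault_in_p: bool = False) -> Optional[int]:
    """The standard countermeasure: verify before releasing the signature.

    A faulty signature is never handed to the caller, so the gcd attack gets
    nothing to work with. Returns None when the self-check fails.
    """
    s = sign_crt(m, fault_in_p)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = int.from_bytes(b"constructed test message", "big")   # constructed input
    bad = sign_crt(msg, fault_in_p=True)
    print("faulty signature verifies:", verify(msg, bad))
    factor = recover_factor_from_faulty_signature(msg, bad)
    print("recovered q from one faulty signature:", factor == Q)
    print("recovered q from good+faulty pair:",
          recover_factor_from_two_signatures(sign_crt(msg), bad) == Q)
    print("checked signer released the faulty signature:",
          sign_crt_checked(msg, fault_in_p=True) is not None)
```

The self-check costs one public-exponent exponentiation per signature, which is cheap next to the private operation; skipping it is what turns a transient hardware error into a key compromise.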


eBay scammer gets four years - The Register - Security

04 March, 2010 02:52 PM
Porridge for under-par golf kit

The leader of a UK-based gang who made millions selling counterfeit luxury golf kit and other knock-off goods through auction site eBay has been jailed for four years.…

RB2: SPONSOR PODCAST: Big security vendors jump into PCLM? - Risky Business

04 March, 2010 03:35 AM
Tagline: All your patchings are belong to big vendors...

This is a sponsored podcast. Symantec sponsors the RB2 podcast so once a month we get one of their staff on the line to talk about industry trends, malware... whatever, really!

And today we're speaking with Vincent Weafer, Symantec's director of security response. Regular listeners of Risky.Biz podcasts would have heard me tonking on a LOT about patch management lately, and in particular the moves by large security vendors like McAfee, Trend and Symantec into that space.


Recruiters….please don’t purport to represent Securus Global - Beast Or Buddha

03 March, 2010 12:20 AM

Dear Recruiters,

Unless we officially approach you to work with us, i.e. approve you to go out and look for candidates, please don’t go out and approach people who you think we might like to fulfil roles that we advertise. This doesn’t look good upon you. We don’t support random headhunting of people.

Securus Global Team


What’s your “checklist of choice” for an Enterprise State of Security review? - Beast Or Buddha

02 March, 2010 08:56 AM

Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously, given the plethora of standards, regulatory “guidelines” etc, there are no right answers. (Including size and scope of such an exercise…assume it is possible of course!). Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.


RB2: When is a hack a hack? - Risky Business

26 February, 2010 04:37 AM
Tagline: An interview with IT lawyer Erhan Karabardak...

In this podcast we chat to a solicitor who specialises in IT. His name is Erhan Karabardak and he's with the firm Cooper Mills in Melbourne.

Erhan mostly specialises in technology-related stuff, and I wanted to get his thoughts on this so-called hacking scandal engulfing the corridors of power in New South Wales.


Are You Rugged? - GEEKONOMICS

08 February, 2010 05:08 PM
Infrastructure needs software that is not only agile, but also rugged. Rugged software is capable of withstanding hostile actions and harsh environments while delivering value. Rugged Software Development provides a philosophical foundation for regularly and consistently creating resilient, survivable software. Rugged guides software developers to create better software without the draconian notion of security police breathing down their necks. Rugged is a value system, not a compliance system. Rugged values results over style. We don't care if you are Agile, if you use waterfall, if you employ Open SAMM, Microsoft SDL, or if you leverage BSI-MM. We don't care if...

Agile Development and Security - GEEKONOMICS

02 February, 2010 03:40 PM
Adrian Lane over at Securosis posted a great article on the interaction between Agile software development and secure software development. Also, the comments/discussion are particularly good (Andre Gironda adds his remarks). FireStarter: Agile Development and Security

The Difference a Label Makes - GEEKONOMICS

01 February, 2010 11:20 PM
Labels matter, especially when it comes to intangibles in the marketplace. Intangibles cannot be readily observed. Fuel efficiency, energy efficiency, auto-safety, and software security are all examples of intangibles. Without a label identifying the "amount" of an intangible supplied by a given manufacturer, it is troublesome for buyers to receive trustworthy, objective information from a seller because sellers are biased in the transaction. As a result, an intangible will remain undersupplied. The effect of labeling is as profound as its absence. The video below illustrates the impact of the NHTSA 5-star labeling system on the auto market. A 2009...

David Rice on Silver Bullet Security Podcast with Gary McGraw - GEEKONOMICS

27 January, 2010 05:43 PM
Show 046 - An Interview with David Rice On the bonus-length 46th episode of The Silver Bullet Security Podcast, Gary talks with David Rice, Executive Director of the Monterey Group and author of Geekonomics: The Real Cost of Insecure Software. Gary and David discuss David’s involvement with Infowar at the Naval Postgraduate School and how it impacted his thinking about software, the recent Chinese cyberattack on Google, what incentives exist to create and apply software security best practices, how users may be mistaking marketing for security, and the SANS WhatWorks in Application Security Summit. They close out by discussing unusual...

Special Webcast: The Impact of BSI-MM in Software Development Programs - GEEKONOMICS

21 January, 2010 09:01 PM
I will be interviewing Gary McGraw, CTO of Cigital, on Friday, January 22 at 1pm EDT on the impact the Building Security In Maturity Model (BSI-MM) has had on software development programs since its release in Q1 of 2009. The webcast will be delivered through the SANS Institute and is located here: The Impact of BSI-MM in Software Development Programs Gary McGraw also will be giving the opening keynote at the SANS Application Security Summit in San Francisco, February 4th. Please start planning today to attend.

Google, China, and Insecure Software - GEEKONOMICS

20 January, 2010 04:09 AM
Operating, but not with confidence The news that Google and 30 other U.S. companies were victims of “highly sophisticated and targeted attacks” is not new or surprising. Cyberattacks have been increasing in scope and sophistication for more than 15 years. What is interesting is the direct challenge by the U.S. Secretary of State, Hillary Clinton, and what this event reveals. On January 12th, Mrs. Clinton stated the following: "We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation. The ability to operate with confidence in...