People Weak Link in Security Chain, Says New Report

If you pay any attention to infosec headlines, you’ve likely seen it’s once again that time of year when Verizon releases its Data Breach Investigations Report (DBIR). The 9th annual report was released yesterday and while much of it isn’t surprising, it is entirely disheartening.

A quick review of the findings shows that cybercrime continues to target what hackers obviously deem the weakest link in the chain,

Infosec Haiku

Anata no joho sekyuritei konshu no haiku

Patch that flaw today
Phish fly with new hacking hook
Zero-day at play

### Notes ###
* Happy Autumnal Equinox everyone!
* This week’s haiku courtesy of Mr. Sean M. Price.

Sloppy password-less security left 1.25 million Japanese pension records exposed

Despite having rules and compliance regulations in place, Japan’s pension system has been hit by hackers who made off with over 1.2 million records containing personally identifiable information.

According to reports, staff weren’t obeying the rules – making it far too easy for criminals to access sensitive database records.

Infosec Haiku

Anata no joho sekyuritei konshu no haiku

Middle Management:
Easy Prey for Phishing Scams
Think Before You Click!

### Notes ###
* Thanks to Ms. Etsuko vdH for the translation.
* Thanks to everyone who’ve contributed their haikus …

Infosec Haiku

Anata no joho sekyuritei konshu no haiku

‘Tis the Season to
Watch Out for Phishing Email.
Do Not Click That Link!

### Notes ###
* Thanks to Ms. Etsuko vdH for the translation.
* Thanks to everyone who’ve contributed their haikus …

Hackers target military, embassy and defense workers in Operation Pawn Storm

A group of organised criminal hackers, possibly backed by an unknown country, are targeting government, media and military organisations in the United States, Pakistan, and across Europe, according to new research [PDF] released by researchers at Trend Micro.

In an operation dubbed “Pawn Storm”, the hackers have targeted computers belonging to –

What Does the Target Breach Tell Us About DSS and POS?

In the final analysis, it is going to be Target’s customers that pay the price for this winter’s breach. OK, CIO Beth Jacob has fallen on her sword and departed; but that could hardly be avoided, and “this is a good time for a change” is hardly contrition. Apart from that, the innocent will pay while the guilty will escape.

PSA for Evernote Users: Change Your Passwords

Another day, another breach of a popular cloud-based service. This time it was Evernote, a wildly popular personal note-taking app for mobile devices such as iOS devices (iPhones, iPads and iPod Touches) and similar Android devices. The breach was apparently discovered on Thursday 02/28 and made public on Saturday (03/02) morning.

APT1: Another Teachable Moment for Us All

March 4, 2013 UPDATE: 

When I wrote this post, I was just using the email purporting to be from FedEx as an example of how one might discern a phishing attempt from a “real” one. Had I spent just a few extra moments in my RSS feed, I would have learned that this particular phishing email has been with us for a few weeks.

The New York Times Breach: Why AV Failed, What They Should Have Done and What We Accomplish by Letting Them Stay Inside

In yet another example in the saga of personalized malware from foreign nations, specifically China, The New York Times reported Wednesday that the Chinese had carried out an extensive malware campaign against the newspaper giant for the past four months. With this news, we see once again that stand-alone, signature-based defenses are completely ineffective,

Tis the Season! Holiday Online Shopping Tips

Cyber Monday is expected to set all-time-high sales records this year, much to the delight of online retailers – and cyber criminals – everywhere. (Arguably, the shopping starts earlier now, with Thanksgiving Day deals.) While the readers of Optimal Security may be very well aware of steps to minimize risk, a few reminders never hurt.

For Want of a Nail …

… the kingdom was lost.

This real-life cautionary tale, told to me by my colleague’s brother (let’s call him Mr. X), concerns a risk-reward decision gone awry. X’s company is a good-sized global company in international construction services, with over $1B in revenue and around 5000 employees; they have about 7000 servers and endpoints under management.

Smashing Smishing!

A former colleague pointed me to this video by Mike Saylor, the VP of Technology at the Texas Credit Union League. ‘Smishing’ is a portmanteau of SMS (Short Message Service – so, cell phone text messaging) and phishing (attempting to acquire by subterfuge sensitive personal information such as userIDs, passwords, credit or debit card information,

London Olympics Ushers In IT Security Threats

The London Olympic Games will shine a bright light on the United Kingdom this summer—in more ways than one. Along with the flood of people entering the city will come a flood of security threats for which CIOs and IT admins need to prepare.

London organizers have warned against increased cyber attacks and indeed,
