Sunday, December 4, 2011

How can a person remove personal information from the Internet?

A Concerned Reader Wants to Know...

First, the bad news. As soon as any kind of information, including personal information, is online, anyone can copy and store or post it elsewhere. What's worse, there are tools that are constantly searching the Internet for specific types of data.

Once they find it, they can grab it, copy it, post it and store it - for any number of purposes.

4 steps you can take if something gets online that you don't want:
  1. Delete what you can yourself as soon as possible.
  2. Contact the website(s) where it is located and ask them to remove it.
  3. Enlist the help of a lawyer or online data removal service (e.g. Reputation Defender, Reputation Changer) to remove what you can't, or what the website won't.
  4. Remain diligent and check often (for instance, by setting a Google Alert) to ensure you catch any reposting of the information.

Saturday, December 3, 2011

Norway hit by major data-theft attack

Industrial secrets from companies were stolen and "sent out digitally from the country."

Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said.
Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.

The methods varied, but in some cases individually crafted e-mails carried malware that, once opened, would sweep the recipient's entire hard drive for data and steal passwords and confidential documents.

The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.
Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan horse (malware that poses as legitimate software) being installed on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments.

Refer here to read further details.

Thursday, December 1, 2011

DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack

Apparent cyberattack destroys pump at Illinois water utility

A pump at a public water utility in Springfield, Illinois was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.

ICS-CERT has released the following statement saying that DHS and the FBI have disputed that the Springfield, Illinois incident was a cyberattack.

ICS-CERT is assisting the FBI to gather more information about the separate Houston incident.

>UPDATE - Recent Incidents Impacting Two Water Utilities
ICSJWG Communications [ICSJWG.Communications@HQ.DHS.GOV]


Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT
E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

Tuesday, November 29, 2011

BEWARE: Facebook Scam threatening to delete your account!

A fraudulent "account violation" request

A Facebook scam, dubbed the cleverest yet, gets users to provide their passwords and financial details by accusing them of violating the site's policy and threatens to delete their account.

Experts said the recent assault designed to steal users' Facebook details is among the most sophisticated yet because it mimics the security procedures that sites use to defend against internet trolls and other bad behaviour online.

The scam comes in an email accusing the user of insulting or annoying another Facebook user and saying their account will be deleted in 24 hours.

The email demands Facebook login details and, for "authentication" purposes, part of the person's credit card details. It links to a fake "account disabled" page that asks for personal details, including credit card information.

The access to login details helps the scam travel farther and faster by sending it to new users from trusted friends.

Expert Advice:

The emails are entirely bogus. They are not coming from Facebook. Social media venues would not request financial information, nor would they request login details. With the credit card information, fraudsters can conduct identity theft and other malicious financial activity.

Website Hoax-Slayer discovered the scam and warned against emails with the phrase: "Last warning: Your account is considered to violated the policies that are considered annoying or insulting to Facebook users."
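As an added check that is not part of the original post, and not code from Facebook or Hoax-Slayer, the following Python script inspects a message for the tells described above: a link whose host is not really facebook.com, a demand for login plus card details, a 24-hour deletion deadline, and the sentence Hoax-Slayer quoted. Both sample messages are constructed for the example; the lure domain facebook.com.account-verify.example is invented, the trusted-host list is an assumption, and all function and class names are mine.

```python
"""Flag a fake 'your account will be deleted' mail like the one described above.

Added example for this post, not code from Facebook or Hoax-Slayer. The two
messages below are constructed for the demo; the lure domain and wording are
illustrative rather than artifacts of a real campaign.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Facebook notification would link to (assumption for the demo).
TRUSTED_HOSTS = ("facebook.com", "facebookmail.com")

# Constructed lure. The body echoes the sentence Hoax-Slayer quoted, the link
# host merely *starts* with facebook.com, and it asks for login plus card data.
PHISHING_EMAIL = b"""From: "Facebook Security" <security@facebook.com>
To: victim@example.com
Subject: Last warning: account violation
Content-Type: text/html; charset=utf-8

<html><body>
<p>Last warning: Your account is considered to violated the policies
that are considered annoying or insulting to Facebook users.</p>
<p>Your account will be deleted in 24 hours unless you
<a href="http://facebook.com.account-verify.example/disabled">confirm your identity</a>
and enter your login details and the first digits of your credit card for authentication.</p>
</body></html>
"""

# Constructed benign notification for contrast.
BENIGN_EMAIL = b"""From: Facebook <notification@facebookmail.com>
To: victim@example.com
Subject: You have a new friend request
Content-Type: text/html; charset=utf-8

<html><body><p>Someone sent you a friend request.
<a href="https://www.facebook.com/friends/requests">See the request</a></p></body></html>
"""


class LinkAndTextCollector(HTMLParser):
    """Collects every <a href> and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def host_is_trusted(url):
    """Exact match or a real subdomain; 'facebook.com.evil.example' is neither."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def phishing_indicators(raw_message):
    """Return the list of indicators found; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""

    collector = LinkAndTextCollector()
    collector.feed(html)
    # Collapse whitespace so phrases split across lines still match.
    text = " ".join(" ".join(collector.text_parts).split())

    findings = []
    for href in collector.hrefs:
        if not host_is_trusted(href):
            findings.append("link to untrusted host: " + (urlparse(href).hostname or href))
    if "considered to violated the policies" in text:
        findings.append("wording matches the Hoax-Slayer warning")
    if re.search(r"\b(login|password)\b", text, re.I) and re.search(r"\bcard\b", text, re.I):
        findings.append("requests login credentials and payment card data")
    if re.search(r"\b24 hours?\b", text, re.I) and re.search(r"\bdeleted?\b", text, re.I):
        findings.append("24-hour deletion deadline")
    return findings
```

The host check is the part worth copying: a lure host is compared as a whole or as a true subdomain (leading dot), so a domain that merely begins with facebook.com is rejected. The keyword rules are deliberately simple and only catch this campaign's wording; treat them as a starting point for your own mail filter, not a complete classifier.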

Sunday, November 27, 2011

Department of Homeland Security (DHS) Cyber Security Audit FAIL

The DHS US-CERT office is currently plagued by at least 600 vulnerabilities

A new report warns that the Department of Homeland Security (DHS) is falling short on some cybersecurity protocols.

The news of cybersecurity shortcomings at the agency is more than slightly concerning, as DHS has been tapped to lead information security efforts nationally for both the public and private sectors.

The report, titled DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, indicates that the DHS has failed a security audit conducted by the agency's own Inspector General:

The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:
  • Determined what and how cybersecurity data is collected and maintained by US-CERT

  • Evaluated the adequacy of physical security controls implemented to protect NCSD’s cybersecurity program systems

  • Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data.

  • Determined whether the system documentation for DHS’ cybersecurity program systems has been completed in compliance with DHS and FISMA requirements
"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.
The report indicates that DHS US-CERT is grappling with more than six hundred network vulnerabilities, with more than two hundred of them identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.

Friday, November 25, 2011

The FUD: Cyber Attacks on Illinois Water Systems?

US Water System Hacked: A Community-Wide Issue

On November 17th Joe Weiss, a well-known member of the Industrial Control System (ICS) community, posted on his blog about a recent US water system hack.

Joe points out that the disclosure concerning the Nov 8th supervisory control and data acquisition (SCADA) hack was made by Illinois Statewide Terrorism and Intelligence Center on Nov 10th.

Joe's post stated that the SCADA software vendor was compromised and that customer usernames and passwords were stolen as well as possible physical damage to the utility. He further states that the IP address of the attacker traced back to Russia, which does not provide any attribution but is nevertheless interesting.

The compromise of a US water facility should be concerning for a number of reasons. Firstly, the idea of anyone or any group (nation state or not) breaking into SCADA and control systems in the US highlights a weakness in our nation's infrastructure.

What is hard to discern though is how many attacks are prevented on a daily basis by the men and women taking up the very difficult challenge of cyber defense. Regardless though, this is a fight that must continue to get support and attention in the cyber community.

Secondly, a water facility has a direct impact on the health of the citizens it serves. A compromise of such a facility, depending on its scale, could reasonably lead to loss of life. This is to say that the concern for security in the ICS and SCADA community is not, and cannot be, simply financial.

The reported attack against this water SCADA system, although there is no way to determine this at present, could be an attack of that kind, aimed at physical effect rather than at data. That matters when thinking about what future attacks may hold, what the motives behind them are, and what attacks may currently be going unnoticed.

Please refer here to read more interesting analysis.

Wednesday, November 23, 2011

Will hackers continue to dominate in 2012? Join the discussion by participating in live webinars

Hackers and Threats Summit l Free Online Event

Calling 2011 the year of hackers would not be an overstatement. With high-profile system intrusions constantly making headlines worldwide, hackers, good and bad, exposed security system vulnerabilities across every industry, proving the necessity to better protect and monitor networks and data.

Will hackers continue to dominate in 2012? Will organizations be better prepared by then? Join the discussion by participating in live webinars with industry experts to prepare for a smarter 2012.

Sign up to attend the live interactive webcasts on December 7, 2011, or view them afterward on demand here: http://www.brighttalk.com/r/FLP.

PRESENTATIONS INCLUDE:

‘Advanced Persistent Threats - The Hacker's Latest Weapon or Just Marketing Spin?’

Ron Condon, Editor, SearchSecurity.co.UK (Moderator); Warwick Ashford, Editor, ComputerWeekly.com; David Perry, Trend Micro

‘Exploring the Digital Underworld: Botnets, Zero Day Threats and Phishing’
Daniel Ayoub, SonicWALL

‘Global Info Sec Landscape: Recapping 2011 and Looking Ahead to 2012’
Jay Bavisi, President, EC-Council

‘Surviving the Mobile Device Invasion – When Mobile Tries to Connect to IT’
Cameron Camp, ESET

You can view the full lineup and sign up to attend any or all presentations at
http://www.brighttalk.com/r/FLP.

This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Sunday, November 20, 2011

Hackers attack Norway's oil, gas and defence businesses

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks.

Industrial secrets and information about contract negotiations had been stolen, said Norway's National Security Authority (NSM).

It said 10 firms, and perhaps many more, had been targeted in the biggest wave of attacks to hit the country.

Norway is the latest in a growing list of nations that have lost secrets and intellectual property to cyber thieves.

The attackers won access to corporate networks using customised emails with viruses attached which did not trigger anti-malware detection systems.

Targeted attacks

The NSM said the email messages had been sent to specific named individuals in the target firms and had been carefully crafted to look like they had come from legitimate sources.


Many of the virus-laden emails were sent while the companies were in the middle of negotiations over big contracts.

It said user names, passwords, industrial drawings, contracts and documents had been stolen and taken out of the country.

The NSM believes the attacks are the work of one group, based on its analysis of the methods used to target individuals, code inside the viruses and how the data was extracted.

The agency said it was publishing information about the attacks to serve as a warning and to encourage other targeted firms to come forward.

"This is the first time Norway has revealed extensive and wide computer espionage attacks," the NSM said in a statement.

Singled out

It said it found out about the attacks when "vigilant users" told internal IT security staff, who then informed the agency.


However, the NSM said, it was likely that many of the companies that had been hit did not know that hackers had penetrated their systems and stolen documents.

Security firms report that many other nations and industrial sectors have been targeted by data thieves in recent months.

The chemical industry, hi-tech firms and utilities appear to have been singled out.

Sourced: BBC News

Thursday, November 17, 2011

How Thieves Steal Your Credit Card Data

Some tips to avoid identity theft and the theft of your credit card data.

Background

These days, thieves only need a minute, sometimes a second, to pilfer your credit card data.

This year criminals hacked, phished or skimmed their way into the systems of Sony, marketing firm Epsilon, Citibank and even security vendor RSA, among others. In some cases they obtained only names and email addresses. In the worst cases, they got credit card numbers.

Identity theft and cyber fraud cost Australia a whopping $8.5 billion every year. One in five Australians will be hit and it's getting worse every day.

The most common schemes are simpler than you think. Let's take a look at the most common ways thieves pilfer your credit card information.

Suspect 1: The Waitress At Your Local Cafe

Mode Of Operation:

When it's time to pay the waitress whisks away your credit card and swipes it through the restaurant's register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that.

While you're scraping the last of the chocolate cake from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week.

Known Whereabouts:

The data-stealing waitress has been known to moonlight as a bartender, sales assistant or at any place where she can take your credit card out of sight.

Suspect 2: The Toy Store Trio

Mode Of Operation:

Sally, Simon and Greg walk into a toy store. Sally and Simon roam the aisles, while Greg waits in line to check out. When Greg is at the register, Simon comes running up to the shop assistant, screaming that his wife has fainted.

As Sally and Simon distract the shop assistant, Greg switches the credit card reader at the register with a modified one of his own.

For the next week, the shop assistant unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal.

Known Whereabouts:

The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.

Suspect 3: The Petrol Prowler

Mode Of Operation:

The Petrol Prowler parks her car in front of a petrol station off the highway. It's late. There's no one around except a sleepy shop assistant at the register inside. The Petrol Prowler attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by.

The Petrol Prowler pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days.

Known Whereabouts:

The Petrol Prowler installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.

Suspect 4: Harry the Hacker and Phishing Phil

Mode Of Operation:

Harry the Hacker installs malware - software that damages or infiltrates a computer or network - on a legitimate website with weak security. The malware downloads onto your computer the moment you visit the site (a drive-by download) and gives Harry access to your information. In another scenario, Harry puts malware on public computers and harvests whatever you type into them.

Phishing Phil uses malware to go after your laptop. He sends emails with attachments that promise dancing kittens or some other bait. When the user opens the attachment, malware instantly downloads onto the computer and leaves confidential information vulnerable.

Phil also sends emails that appear to come from a familiar sender, with a link to a contaminated website that installs malware onto your computer. Some of this malware, a keylogger (a form of spyware), lets Phil capture every keystroke, including the passwords to your financial accounts.

What Happens To Your Information?

Mode Of Operation:

So what happens to these pieces of data when they're in no-good hands? They get sold.

The waitress, trio or Petrol Prowler may be able to sell each swipe for $20 to $40 a pop. Harry the Hacker and Phishing Phil could get $5 to $10 a card and often sell the information online, on underground carding forums that act as an eBay for stolen card data.

The person who buys the information verifies it and then sells it to someone who creates counterfeit credit cards with your account information encoded on them. The card maker then sells those to other criminals, who buy goods such as stereos or baby formula and sell them on to regular consumers.

Identity Theft: How To Avoid It

  1. Set up mobile alerts for your phone if your financial institution provides the feature. That way, you can be aware of unusual activity as quickly as possible.

  2. Regularly monitor your accounts online, so you can identify fraudulent transactions faster.

  3. Avoid public computers. Don't log onto your email if your bank corresponds with you there. One idea is to set up an email account just for your finances and then only check it from safe locations.

  4. Avoid doing business with unfamiliar online vendors. Stick to established merchants and websites.

  5. If your information has been compromised, notify your financial institutions immediately and also inform the police what has happened.

Monday, November 14, 2011

Now you can DDOS SSL?

SSL DDoS tool released into the wild, with download

THC-SSL-DOS is a tool, released by The Hacker's Choice (THC), to verify the performance of SSL. Establishing a secure SSL connection requires, by THC's estimate, about 15 times more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetry by overloading the server with handshakes until it is knocked off the Internet. The problem affects every SSL implementation in use today.

Vendors have been aware of this problem since 2003 and the topic has been widely discussed. The tool additionally abuses the SSL secure renegotiation feature: by renegotiating repeatedly over a single established connection, the client forces the server to redo the expensive part of the handshake without ever opening another TCP connection.

Comparing a flood DDoS with an SSL-exhaustion attack: a traditional flood DDoS attack cannot be mounted from a single DSL connection.

This is because:
  • The bandwidth of a server is far superior to the bandwidth of a DSL connection
  • A DSL connection is not an equal opponent to challenge the bandwidth of a server
  • This is turned upside down for THC-SSL-DOS
  • The processing capacity for SSL handshakes is far superior at the client side
  • A laptop on a DSL connection can challenge a server on a 30Gbit link
Traditional DDoS attacks based on flooding are sub-optimal. Servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when it is not under attack. The SSL handshake is done only at the beginning of a secure session, and only if security is required, so servers are not prepared to handle a large number of SSL handshakes. The worst attack scenario is an SSL-exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for whitehats
  1. The average server can do about 300 handshakes per second. Driving that would require 10-25% of your laptop's CPU.
  2. Use multiple hosts (SSL-DDoS) if an SSL accelerator is used.
  3. Be smart in target acquisition: the HTTPS port (443) is not always the best choice. Other SSL-enabled ports are less likely to sit behind an SSL accelerator (POP3S, SMTPS, ... or the secure database port).
Countermeasures: no real solution exists. The following steps can mitigate (but not solve) the problem:
  1. Disable SSL renegotiation (client-initiated renegotiation in particular).
  2. Invest in an SSL accelerator.
Either of these countermeasures can be circumvented by modifying THC-SSL-DOS: without renegotiation the attacker simply opens a fresh connection for every handshake, and an accelerator only raises the number of handshakes needed to saturate the server. A better solution is desirable. Somebody should fix this.
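As an added example (not code from THC, THC-SSL-DOS or any server vendor), here is how countermeasure 1 looks when applied to a Python TLS server context, together with a per-client handshake budget that addresses the gap the previous paragraph describes. It assumes CPython's ssl module on OpenSSL 1.1.0h or newer, where ssl.OP_NO_RENEGOTIATION exists; the class and function names are mine, and the client addresses in the usage note are made up.

```python
"""Refuse client-initiated TLS renegotiation, and cap handshakes per client.

Added example for this post; it is not code from THC, THC-SSL-DOS or any server
vendor. It assumes CPython's ssl module on OpenSSL 1.1.0h or later, where
OP_NO_RENEGOTIATION (OpenSSL's SSL_OP_NO_RENEGOTIATION) exists; on older builds
the flag is absent and renegotiation_disabled() reports False so the gap is
visible instead of silently ignored.
"""
import ssl
from collections import deque

# None on OpenSSL builds older than 1.1.0h; the post's countermeasure 1 then
# has to be applied in the web server's own configuration instead.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def renegotiation_flag_available():
    """Whether this Python/OpenSSL build can express the flag at all."""
    return OP_NO_RENEGOTIATION is not None


def hardened_server_context():
    """Countermeasure 1 from the post, applied to a Python TLS server context.

    Pins the floor at TLS 1.2 and sets OP_NO_RENEGOTIATION, so a client that
    asks to renegotiate after the first handshake is refused with a
    no_renegotiation alert instead of getting a second expensive key exchange.
    TLS 1.3 (RFC 8446) dropped renegotiation altogether, so a 1.3 session has
    nothing for the tool's renegotiation loop to drive.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if OP_NO_RENEGOTIATION is not None:
        ctx.options |= OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """True only if the build exposes the flag and this context sets it."""
    return OP_NO_RENEGOTIATION is not None and bool(ctx.options & OP_NO_RENEGOTIATION)


def minimum_tls_is_1_2_or_higher(ctx):
    """Check the protocol floor actually took effect on the context."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


class HandshakeBudget:
    """Per-client cap on new full handshakes inside a sliding window.

    Not one of the post's two countermeasures: it is added here because, with
    renegotiation off, an attacker can still open fresh connections and pay
    the cheap client side of a full handshake each time. The caller supplies
    the clock so the logic is deterministic and testable.
    """

    def __init__(self, max_per_window, window_seconds):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._timestamps = {}  # client_ip -> deque of handshake times

    def allow(self, client_ip, now):
        """Record a handshake attempt; False means drop it before the key exchange."""
        q = self._timestamps.setdefault(client_ip, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # forget attempts that have aged out of the window
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True
```

Call budget.allow(peer_ip, time.monotonic()) right after accept() and close the socket when it returns False, before the connection is handed to wrap_socket; that way a rejected client never reaches the key exchange. With the post's figure of roughly 300 handshakes per second for an average server, a cap of a few handshakes per client per second leaves legitimate browsers (which reuse sessions) untouched while bounding what a single DSL line can cost you. Note that neither control helps against the thousands-of-clients scenario the post ends on; that remains a capacity problem.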
Download SSL DDOS Tool:

Windows binary: thc-ssl-dos-1.4-win-bin.zip

Unix Source : thc-ssl-dos-1.4.tar.gz
Source: http://www.thc.org/thc-ssl-dos/

Wednesday, November 9, 2011

Guidance to Safeguard Digital Assets in Fiscally Challenged Times

12 Core Information Security Services

To help states keep their IT security robust in these tough economic times, the National Association of State Chief Information Officers has published a taxonomy of a dozen critical IT security services.

The 12 core services identified in the report, The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs, could prove useful for other government and non-government organizations working to secure their information assets under financially challenging conditions.

1. Information Security Program Management: Plans, provides oversight and coordinates all information security activities.
  • Align security program activities and staff with a generally accepted best practice framework.
  • Oversee the creation and maintenance of information security policies, standards, procedures and guidelines.
  • Create and maintain strategic and tactical plans.
  • Coordinate the movement of plans, policies, standards and other authoritative documents through a governance process.
  • Track information security risk key performance indicators.
  • Disseminate security metrics and risk information to executives and other managers for decision making.
  • Coordinate security efforts.
2. Secure System Engineering: Designs appropriate security controls in new systems or systems that are undergoing substantial redesign, including in-house and outsourced solutions.
  • Integrate information security design requirements in the system development life cycle.
  • Participate as a security consultant on significant technology projects.
  • Assist with the creation of system security plans, outlining key controls to address risks.
  • Assist with the creation of residual risk documentation for management acceptance.
  • Integrate security requirements into contracts for outsourced services.
  • Assist with the creation of information security policies, standards, procedures and guidelines.
  • Assist with the creation of secure configuration standards for hardware, software and network devices.
3. Information Security Awareness and Training: Provides employees at all levels with relevant security information and training to lessen the number of security incidents.
  • Coordinate general security awareness training for all employees and contractors.
  • Coordinate security training for groups with specialized needs, such as application developers.
  • Provide persistent and regular messaging relating to cybersecurity threats and vulnerabilities.
4. Business Continuity: Ensures that critical business functions will be available in a time of crisis.
  • Coordinate business impact analysis.
  • Develop appropriate recovery strategies for services.
  • Develop disaster recovery plans for identified key technologies.
  • Coordinate testing to ensure that services can be recovered in the event of an actual disaster.
5. Information Security Compliance: Validates that information security controls are functioning as intended.
  • Coordination of continuing assessments of key security controls in in-house and outsourced systems.
  • Completion of independent pre-production assessments of security controls in new systems or systems that are undergoing substantial redesign.
  • Coordination of all IT audit and assessment work done by third-party auditors.
  • Monitoring of third parties' compliance to state security requirements.
6. Information Security Monitoring: Gain situational awareness through continuous monitoring of networks and other IT assets for signs of attack, anomalies and inappropriate activities.
  • Create and implement an event logging strategy.
  • Place sensors, agents and security monitoring software at strategic locations throughout the network.
  • Monitor situational awareness information from security monitoring and event correlation tools to determine events that require investigation and response.
  • Disseminate potential security events to the information security incident response team.
7. Information Security Incident Response and Forensics: Determines the cause, scope and impact of incidents to stop unwanted activity, limit damage and prevent recurrence.
  • Manage security incident case assignments and the security investigation process.
  • Mobilize emergency and third-party investigation and response processes, when necessary.
  • Consult with system owners to help quarantine incidents and limit damage.
  • Consult with human resources on violations of appropriate use policy.
  • Communicate with law enforcement, when necessary.
8. Vulnerability and Threat Management: Continuously identify and remediate vulnerabilities before they can be exploited.
  • Strategic placement of scanning tools to continuously assess all information technology assets.
  • Implement appropriate scan schedules, based on asset criticality.
  • Communicate vulnerability information to system owners or other individuals responsible for remediation.
  • Disseminate timely threat advisories to system owners or other individuals responsible for remediation.
  • Consult with system owners on mitigation strategies.
9. Boundary Defense: Separates and controls access to different networks with different threat levels and sets of users to reduce the number of successful attacks.
  • Assist with the development of a network security architecture that includes distinct zones to separate internal, external and demilitarized-zone traffic and segments internal networks to limit damage, should a security incident occur.
  • Participate in the change management process to ensure that firewall, router and other perimeter security tools enforce network security architecture decisions.
  • Periodically re-certify perimeter security access control rules to identify those that are no longer needed or provide overly broad clearance.
10. Endpoint Defense: Protects information on computers that routinely interact with untrusted devices on the internet or may be prone to loss or theft.
  • Manage processes and tools to detect malicious software.
  • Manage processes and tools that permit only trusted software to run on a device, commonly referred to as whitelisting.
  • Manage processes and tools to prevent certain software from running on a device, commonly referred to as blacklisting.
  • Manage processes and tools to identify unauthorized changes to secure configurations.
  • Manage processes and tools to encrypt sensitive data.
11. Identity and Access Management: Manages the identities of users and devices and controls access to resources and data based on a need to know.
  • Maintenance of identities, including provisioning and de-provisioning.
  • Enforce password policies or more advanced multifactor mechanisms to authenticate users and devices.
  • Manage access control rules, limiting security access to the minimum necessary to complete defined responsibilities.
  • Periodically recertify access control rules to identify those that are no longer needed or provide overly broad clearance.
  • Restrict and audit the use of privileged accounts that can bypass security.
  • Define and install systems to administer access based on roles.
  • Generate, exchange, store and safeguard encryption keys and system security certificates.
12. Physical Security: Protects information systems and data from physical threats.
  • Maintain facility entry controls and badging systems.
  • Manage equipment and media destruction processes.
  • Maintain building emergency procedures.
  • Perform screening/background checks on job applicants.
  • Implement controls to mitigate facility vulnerabilities.

Monday, November 7, 2011

Free Webinar and Virtual Summit on various Information Security Issues

Mobiles, PCI, that big old cloud – what’s your poison?

I know there are so many resources out there in our profession, making it hard to know where to go for the really worthwhile insights on key issues like personal devices in the workplace, PCI, cloud security etc.

As such I have spoken to a few folk to give you a list of the 3 upcoming online events in these areas that have had the most sign-ups from people like you and have pasted details below. Take a look and see what you think….

1. Webcast: PCI DSS Demystified for SMEs

Streamed live to your desk on 17th November 2011 | 3pm GMT or 10am EST

Why is everything in Info Security always aimed at the big guys? No longer, thanks to this SC magazine webcast which was inspired by the spate of smaller companies being caught out recently by PCI loopholes and incurring massive reputational and financial damage as a result.

Ensure you don’t join the list by tuning in to the Barclaycard and Dell speakers at http://www.scwebcasts.tv/?btcommid=36601 .

2. Virtual Summit: Tackling the Big 3 - Cloud Security, Personal Devices and the Human Factor

Join CISOs from Skype, Vodafone, Canon, Travelex, HSBC and more in SC’s first truly Virtual World, which has set the information security world alight. Network with hundreds of other IS professionals (or avatars!), access whitepapers and tune into the sessions to give you everything you need to know to stay safe in 2012.

View the demo and create your own avatar now by visiting http://www.scvirtualsummit.com (it’s great fun!).

Or if you are a vendor interested in enquiring about speaking opportunities you can drop nicola.fulker@haymarket.com a line.

3. Webcast: Mobile Device Management - Locking down the mobile front

Streamed live to your desk on 23rd November at 3pm GMT or 10am EST

It is the big issue that many people are still wrestling with – what should we do as iPads, smartphones and their friends continue to proliferate in the workplace? Tune in to this SC webcast to hear realistic and practical advice on keeping the mobile front secure without hamstringing your productivity.

Take a look and secure your place at http://www.scwebcasts.tv/?btcommid=35629

……………………………………………..

I hope these are of relevance to you and your team! SC’s stuff tends to be very good because they take time to research the content and ensure that vendor involvement is always to the benefit of their audience (not just the vendor in question’s back pocket!).

Sunday, November 6, 2011

Facebook Rumours

New Life for Same Old Tune

A long-running rumor has resurfaced. For years, the social media scammers have been chattering about Facebook's plans to begin charging its users. They want to trick you into taking actions that will actually give them access to your personal Facebook data! Rest assured, this is one rumor that simply will not come true. Mr. Zuckerberg has said so himself many times.

Facebook has built its entire model on advertising revenue, and for that model to remain successful, it needs to maintain its enormous user base.

For more on Facebook scams and other flim-flams, read this CNN Tech article.

Friday, November 4, 2011

5 Essential Characteristics of Cloud Computing

The NIST Definition of Cloud Computing

To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they're getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.

"When agencies or companies use this definition, they have a tool to determine the extent to which the information technology implementations they are considering meet the cloud characteristics and models," says Peter Mell, a NIST computer scientist who coauthored the report, also known as Special Publication 800-145.

"This is important because by adopting an authentic cloud, they are more likely to reap the promised benefits of cloud: cost savings, energy savings, rapid deployment and customer empowerment," Mell says. "And, matching an implementation to the cloud definition can assist in evaluating the security properties of the cloud."

The special publication includes the five essential characteristics of cloud computing:

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops and workstations).

Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter). Examples of resources include storage, processing, memory and network bandwidth.

Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for the provider and consumer.

SP 800-145 also defines four deployment models - private, community, public and hybrid - that together categorize ways to deliver cloud services.

NIST says the definitions are intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.

Wednesday, November 2, 2011

WebCast: Hacking Web Servers and Countermeasures

Learn how to secure a web server!

In this on-demand IT security webcast, EC-Council Master Certified Instructor Eric Reed will address the subject of Hacking Webservers. The webcast will cover topics such as webserver architecture, webserver attack methodologies, footprinting tools, and many more critical concepts. The webcast also includes demonstrations on performing a directory traversal attack, fingerprinting a webserver with HTTPRecon, and web-based password cracking with Brutus.

This webcast is available on-demand at http://www.careeracademy.com/ceh-m12-infosec.aspx

Please feel free to forward this to others in your organization who may be interested in this type of training.

Details:

This free module is a part of CareerAcademy.com’s EC-Council Endorsed CEH Certification course, which gives each student in-depth knowledge and practical experience with current essential security systems.

When a student completes the course, they will have a hands-on understanding of and experience in Ethical Hacking and be fully prepared to pass the EC-Council Certified Ethical Hacker Exam 312-50.

You can attend this complimentary webcast right now at:

http://www.careeracademy.com/ceh-m12-infosec.aspx