Should You Bring Mom and Dad to Your Office? – WSJ.com

This is mind blowing:

A 2012 survey of more than 500 college graduates by Adecco, a human-resources organization, found that 8% of them had a parent accompany them to a job interview, and 3% had the parent sit in on the interview.

via Should You Bring Mom and Dad to Your Office? – WSJ.com.

That’s 15 applicants bringing Mom & Dad along for the interview. I was a hiring manager in some of my past professional lives. I never encountered a parent hovering over an interview. I don’t think I would care if the parent tagged along, but I would not let the parent into the actual interview. If pushed I would either say no or rank the applicant lower regardless.

… parental involvement in the U.S. doesn’t begin to match countries in Asia and South America, according to a 2013 study from the global accountancy firm PricewaterhouseCoopers LLP.

The study, which surveyed 44,000 people from more than 20 countries, found that just 6% of recent college graduates surveyed in the U.S. wanted their parents to receive a copy of their offer letters. That’s well below the global average of 13% and much less than some other countries, where it was as high as 30%. The study also found that just 2% of young employees in the U.S. want their parents to receive a copy of their performance review, compared with the global average of 8%.

Having recently gone through a job hunt, I shared details with my folks and other trusted advisers but never the actual correspondence. Again, as a hiring manager, I don’t think I would agree to sending a copy to anyone other than the applicant.

This could be a generational thing, but as a parent I would never consider intruding into my kids’ lives to this degree.

What do you think? If you’re a manager, would you hire an applicant who brings parents along? If you’re a parent, would you want to tag along on your child’s job interview?

New gTLD security implications

The new gTLDs that are being implemented have a few security concerns already. One of the major concerns is Name Collision, which results from a single domain name being used in different places.

An example of this would be a company that uses .corp in an internal domain name. Under the new gTLD processes, the .corp gTLD could be bought by a different company for their use on the internet. If that happens, when a user tries to go to internal locations on a company network using .corp, there is a chance that they could actually get data back from the now legitimate .corp servers on the Internet.

Using an internal domain name like this is a very common practice among businesses, so any issues that may come up dealing with .corp could be widespread. In the case of these new gTLDs, the owners of those servers could also manipulate their records, redirecting wayward queries. This opens the door to possible malware or phishing attacks on unsuspecting systems.

via New gTLD security implications.
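To make the collision concrete, here is a small model of the resolution path the article describes, followed by the check a practitioner actually wants: an audit of DNS query logs for names under private TLDs that would leak once the TLD is delegated. This is an added example, not code from the linked article; the zone data, the log lines and the watch list beyond .corp are constructed.

```python
"""Name collision on a private TLD (the post's .corp case): a small model of the
resolution path, plus an audit of DNS query logs for names that would leak.
Added example for this post, not from the linked article; the zone data, the log
lines and the TLD watch list are constructed."""
import re
from collections import Counter

# Private namespace served only by the company's own DNS (constructed).
INTERNAL_ZONE = {
    "fileserver.corp.": "10.0.0.5",
    "intranet.corp.": "10.0.0.8",
}

# TLDs commonly used as private namespaces. .corp is from the post; the others
# are assumptions, there to show the audit generalises beyond one name.
WATCH_TLDS = {"corp", "home", "mail", "lan", "internal"}


def resolve(qname, on_corp_network, public_tlds):
    """Model a stub resolver's answer for qname.

    on_corp_network: the client uses the company resolver, which serves INTERNAL_ZONE.
    public_tlds: {tld: {fqdn: ip}} for gTLDs delegated in the public DNS tree;
                 a "*.tld." key models a registrant who wildcards the whole zone.
    Returns (who_answered, answer).
    """
    fqdn = qname.rstrip(".").lower() + "."
    if on_corp_network and fqdn in INTERNAL_ZONE:
        return "internal", INTERNAL_ZONE[fqdn]
    # Off-network (laptop on hotel wifi, split-tunnel VPN) the same name goes
    # to a public resolver and falls through to the public tree.
    tld = fqdn.rstrip(".").rsplit(".", 1)[-1]
    zone = public_tlds.get(tld)
    if zone is None:
        return "public", "NXDOMAIN"          # TLD not delegated: fails safely
    answer = zone.get(fqdn) or zone.get("*." + tld + ".") or "NXDOMAIN"
    return "public", answer


# BIND-style query log lines (constructed); both the older layout and the newer
# "client ... (qname):" layout are accepted.
LOG_RE = re.compile(
    r"client (?P<client>[\d.:a-f]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

SAMPLE_LOG = """\
13-Sep-2013 09:12:01.004 client 10.0.0.7#49213: query: fileserver.corp IN A + (10.0.0.2)
13-Sep-2013 09:12:01.310 client 10.0.0.7#49214: query: www.example.com IN A + (10.0.0.2)
13-Sep-2013 09:12:02.118 client 10.0.0.9#53011 (intranet.corp): query: intranet.corp IN A + (10.0.0.2)
13-Sep-2013 09:12:02.500 client 10.0.0.9#53012: query: router.home IN A + (10.0.0.2)
13-Sep-2013 09:12:03.021 client 10.0.0.9#53013: query: fileserver.corp IN AAAA + (10.0.0.2)
""".splitlines()


def leaking_queries(log_lines, watch=WATCH_TLDS):
    """Count queries per (tld, qname) whose TLD is on the watch list."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        tld = qname.rsplit(".", 1)[-1]
        if tld in watch:
            hits[(tld, qname)] += 1
    return hits


if __name__ == "__main__":
    attacker = {"corp": {"*.corp.": "203.0.113.10"}}   # constructed registrant zone
    print(resolve("fileserver.corp", True, {}))          # ('internal', '10.0.0.5')
    print(resolve("fileserver.corp", False, {}))         # ('public', 'NXDOMAIN')
    print(resolve("fileserver.corp", False, attacker))   # ('public', '203.0.113.10')
    for (tld, name), n in sorted(leaking_queries(SAMPLE_LOG).items()):
        print(f".{tld}\t{name}\t{n}")
```

The third `resolve` call is the whole problem in one line: the same name that fails safely today returns whatever the registrant wants once .corp is delegated and wildcarded. Run `leaking_queries` over your resolver logs (or the logs of whatever forwarder your roaming clients hit) to size the exposure; the durable fix is to move the private namespace under a domain you actually register, such as corp.example.com.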

Timing is an influential risk-factor for cyber attacks – Help Net Security

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults.

According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risks times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

via Timing is an influential risk-factor for cyber attacks.

Good but generic advice in the article. If you work for a multinational you’ll need to keep in mind dates and events beyond the US – the football (soccer) World Cup, for example. User education is important but the returns diminish over time, especially if you cause fatigue in your users. Pen testing is good, as is a commitment of time and money to security infrastructure life-cycle management.

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet

Adobe today released security updates for Flash Player, AIR, Shockwave Player, Acrobat and Reader. The updates for Flash Player and Shockwave Player on Windows and Mac address a vulnerability which Adobe classifies as Priority 1, which indicates that it is being exploited in the wild at a high risk of exploit.

The updated versions of Flash Player on Windows and Mac are 11.8.800.168 and 11.7.700.242. Earlier 11.7 and 11.8 versions are vulnerable. Updates are also available for Flash Player on Linux and Android, as well as Adobe AIR and the Adobe AIR SDK. These are not as severe and updating is not as high a priority.

The updates for Reader and Acrobat are classified as less urgent. They are important vulnerabilities, but not being exploited.

via Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet.
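The fixed builds named above are only useful if you can compare them against what is actually installed, and four-part Adobe versions do not compare correctly as strings ("11.8.800.94" sorts after "11.8.800.168"). Here is an added example, not Adobe's or ZDNet's tooling, that triages a constructed inventory against the post's fixed versions, branch by branch.

```python
"""Triage an inventory of Flash Player versions against the fixed builds named in
the post (11.8.800.168 and 11.7.700.242 for Windows and Mac). Added example for
this post, not Adobe's or ZDNet's tooling; the inventory rows are constructed."""
import csv
import io

# First fixed build per branch, from the post. Anything lower on the same branch
# is vulnerable; other branches (e.g. the Linux 11.2 line) are not covered here.
FIXED_BY_BRANCH = {
    (11, 8): (11, 8, 800, 168),
    (11, 7): (11, 7, 700, 242),
}


def parse_version(text):
    """'11.8.800.94' -> (11, 8, 800, 94); tuples compare numerically, strings do not."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text, platform):
    """Return 'vulnerable', 'patched', 'out-of-scope' or 'unknown' for one install."""
    if platform.lower() not in ("windows", "mac"):
        return "out-of-scope"             # the Priority 1 fix is Windows/Mac only
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"                  # branch not named in the post
    return "vulnerable" if version < fixed else "patched"


# Constructed inventory export: host, platform, installed Flash version.
INVENTORY_CSV = """\
host,platform,flash_version
ws-101,windows,11.8.800.94
ws-102,mac,11.8.800.168
ws-103,windows,11.7.700.232
ws-104,mac,11.7.700.242
ws-105,windows,11.8.800.170
srv-201,linux,11.2.202.310
"""


def triage_inventory(csv_text):
    """Map host -> status for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["flash_version"], row["platform"]) for row in rows}


def hosts_to_patch(csv_text):
    """Hosts that need the Priority 1 update first, sorted by name."""
    return sorted(h for h, s in triage_inventory(csv_text).items() if s == "vulnerable")


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY_CSV).items():
        print(f"{host:8s} {status}")
    print("patch first:", hosts_to_patch(INVENTORY_CSV))   # ['ws-101', 'ws-103']
```

Feed it the CSV your endpoint management tool exports; the `unknown` bucket is deliberately separate from `patched` so that builds the post does not cover get looked at rather than silently passed.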

Microsoft releases 13 bulletins, axes .NET patch

September’s Patch Tuesday is live! The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component.

The 13 remaining bulletins are split 7/6 between the MS Office family and Windows OS patches, if we count the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwithstanding.

via Microsoft releases 13 bulletins, axes .NET patch.

Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying? | Naked Security

If you’ve used Windows 8, or even just seen the ads for it, you’ll know it has a feature called Picture Passwords.

You choose a picture, any picture, and then “annotate” it with three finger movements: you can tap a point, draw a stroke, or sweep a circle.

The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

If you have a touch screen tablet, Picture Passwords are surprisingly handy. (Pun intended.)

But how safe are they?

via Windows Picture Passwords – are they really as “easily crackable” as everyone’s saying? | Naked Security.

ISC Diary | SSL is broken. So what?

It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of this news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well-funded adversaries like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter?

First of all, I don’t think there is “proof” at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking “real life” SSL a lot easier than it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn’t the problem. The end point or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn’t matter.

via ISC Diary | SSL is broken. So what?.
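The "sub-optimal configurations" the diary mentions are the part you can actually fix, and they tie directly to the surveillance worry: with static RSA key exchange, anyone who records traffic today and obtains the server key later can decrypt it all. Below is an added example, not ISC's code, that audits an Apache-style TLS configuration for obsolete protocol versions and for cipher suites that are weak or lack forward secrecy, judging suites from their OpenSSL names alone. The two config fragments are constructed, and the protocol set that `SSLProtocol all` expands to is an assumption.

```python
"""Spot the 'sub-optimal configurations' the diary mentions in an Apache-style TLS
config: obsolete protocol versions, and OpenSSL cipher suites that are weak or
lack forward secrecy. Added example, not ISC's code; the two config fragments
are constructed, and suites are judged from their OpenSSL names alone."""

# Protocol versions an Apache 'SSLProtocol all' may enable (assumption: every
# version the build supports; real builds vary, so this errs on the side of flagging).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3")


def suite_findings(suite):
    """Weaknesses implied by one OpenSSL cipher-suite name."""
    s = suite.upper()
    findings = []
    if s.startswith("EXP"):
        findings.append("export-grade key size")
    if s.startswith(("ADH", "AECDH")):
        findings.append("anonymous key exchange, no server authentication")
    if "NULL" in s:
        findings.append("NULL cipher or MAC")
    if "RC4" in s:
        findings.append("RC4")
    if "DES" in s:
        findings.append("DES/3DES")
    if s.endswith("MD5"):
        findings.append("MD5 MAC")
    # Only ephemeral (EC)DH gives forward secrecy; static RSA key exchange lets
    # anyone who later obtains the server key decrypt recorded sessions.
    if not s.startswith(("ECDHE", "DHE", "EDH", "ADH", "AECDH")):
        findings.append("no forward secrecy")
    return findings


def enabled_protocols(value):
    """Apply Apache SSLProtocol semantics: 'all', '+X', '-X', or a bare 'X'."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_config(conf_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        if directive == "SSLProtocol":
            for proto in OBSOLETE_PROTOCOLS:
                if proto in enabled_protocols(value):
                    findings.append(f"{proto} enabled")
        elif directive == "SSLCipherSuite":
            for suite in value.strip().split(":"):
                findings.extend(f"{suite}: {f}" for f in suite_findings(suite))
        elif directive == "SSLHonorCipherOrder" and value.strip().lower() != "on":
            findings.append("SSLHonorCipherOrder off: the client chooses the suite")
    return findings


# Constructed 'before' fragment: typical of a config nobody has touched in years.
WEAK_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:DES-CBC3-SHA:EXP-RC4-MD5:ADH-AES128-SHA
SSLHonorCipherOrder off
"""

# Constructed 'after' fragment: TLS only, forward-secret AEAD suites, server picks order.
HARDENED_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for f in audit_config(conf) or ["no findings"]:
            print("  " + f)
```

Name-based checks are a first pass, not a substitute for probing the live listener: what a server really negotiates depends on the OpenSSL build behind it, so confirm the result with a handshake against the actual host. The point the diary makes still stands after the audit is clean: a hardened cipher list does nothing if the endpoint or the CA infrastructure is the thing that got compromised.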