ISC Diary | SSL is broken. So what?

It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of this news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well-funded adversaries like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter?

First of all, I don’t think there is “proof” at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking “real-life” SSL a lot easier than it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn’t the problem. The endpoint or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn’t matter.

via ISC Diary | SSL is broken. So what?.
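The “sub-optimal configurations” and “compromised infrastructure” points above are where most real-world SSL/TLS breaks happen, so here is an added example (mine, not from the ISC Diary post) that puts a permissive Python TLS client configuration next to a hardened one and audits both with the standard `ssl` module. The finding strings, the cipher markers and the “ECDHE/DHE/TLS_ means forward secrecy” rule are my own simplifications, not an official checklist; the exact default cipher list depends on your OpenSSL build.

```python
"""Permissive vs. hardened TLS client configuration, with a small audit.

Added example; the audit rules below are simplifications of my own.
"""
import ssl

# Cipher-name fragments that should never appear in a modern configuration.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "PSK", "ADH", "AECDH")


def permissive_context():
    """The kind of configuration that makes 'real-life' TLS weaker than its
    algorithms: no certificate validation, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate: trivial MITM
    return ctx


def hardened_context():
    """System CA store, certificate + hostname validation, TLS 1.2+ only,
    forward-secret AEAD ciphers only, no TLS compression."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3 / TLS 1.0 / 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # ECDHE key exchange, AEAD only
    ctx.options |= ssl.OP_NO_COMPRESSION             # CRIME-style attacks
    return ctx


def audit_context(ctx):
    """Return a list of human-readable findings; an empty list means the
    context passes every check in this (deliberately small) rule set."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher enabled: " + name)
        elif not name.startswith(("ECDHE", "DHE", "TLS_")):   # TLS_* are the 1.3 suites
            findings.append("no forward secrecy: " + name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()),
                       ("hardened", hardened_context())):
        print(label, "->", audit_context(ctx) or ["no findings"])
```

Note that a clean audit of the client side says nothing about the other failure mode the post mentions: if the server’s private key or the CA that issued its certificate is compromised, every one of these settings is still satisfied and the traffic is still readable to whoever holds that key.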

Understanding and defending against Denial of Service attacks

Denial of Service (DoS) attacks continue to be on the rise, which is no surprise given our ever-growing dependency on Web-based services, coupled with the fact that these attacks are relatively cheap and easy to carry out. In this article, we’ll discuss what DoS attacks are, some various types of DoS attacks, tips to keep them at bay, and references to security tools to help you mitigate vulnerabilities.

via Understanding and defending against Denial of Service attacks.

This article talks about a lot of easy-to-implement solutions, what I like to call “low-hanging fruit”. These are things like patch management, log management, SYN protections and anti-spoofing on firewalls, and so on. Use it as inspiration for making a checklist.

What the article misses is having a plan in place for handling a DoS/DDoS attack. Do you have the emergency response numbers for your Internet and/or telco providers? Does the business have a plan B in case the network is down? Many business processes can still be carried out via fax or phone.
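Two of the low-hanging fruit above, log management and anti-spoofing, only pay off if somebody actually looks at the firewall logs. As an added example (mine, not from the linked article), here is a small Python triage script that reads iptables `LOG` lines and reports, first, sources sending bursts of bare SYNs and, second, packets arriving on the outside interface with a source address that could not legitimately come from the Internet. The log lines are constructed to look like `iptables -j LOG --log-prefix "FW-IN: "` syslog output; the interface name, the “own” prefix and the thresholds are assumptions to adapt to your network.

```python
"""Triage iptables LOG output for SYN-flood sources and spoofed source addresses.

Added example. The sample log below is constructed, not captured traffic;
EXTERNAL_IF, OWN_PREFIX and the thresholds are assumptions.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

EXTERNAL_IF = "eth0"                          # assumed Internet-facing interface
OWN_PREFIX = ip_network("198.51.100.0/24")    # assumed: our own public range
BOGONS = [ip_network(n) for n in (            # must never arrive from the Internet
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one SYN-burst source, one normal handshake, two spoofed
# packets on eth0, one internal packet on eth1 and one unrelated syslog line.
SAMPLE_LOG = """\
Oct 12 10:01:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Oct 12 10:01:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Oct 12 10:01:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
Oct 12 10:01:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Oct 12 10:01:04 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Oct 12 10:01:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=80 SYN URGP=0
Oct 12 10:01:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=443 SYN URGP=0
Oct 12 10:01:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=443 ACK URGP=0
Oct 12 10:01:04 fw kernel: FW-IN: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.10 PROTO=TCP SPT=1024 DPT=80 SYN URGP=0
Oct 12 10:01:04 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.10 DST=198.51.100.10 PROTO=TCP SPT=1025 DPT=80 SYN URGP=0
Oct 12 10:01:05 fw kernel: FW-IN: IN=eth1 OUT= SRC=10.1.2.4 DST=198.51.100.10 PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
Oct 12 10:01:06 fw sshd[1234]: Accepted publickey for ops from 10.1.2.4 port 50000 ssh2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Parse one iptables LOG line into its KEY=VALUE fields plus 'ts' (datetime)
    and 'syn_only' (True for a bare SYN). Returns None for non-firewall lines."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # syslog timestamp
    rec["syn_only"] = {t for t in line.split() if t in TCP_FLAGS} == {"SYN"}
    return rec


def parse_records(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def spoofed_sources(records, external_if=EXTERNAL_IF):
    """Source addresses seen on the external interface that claim a bogon or one
    of our own addresses: the traffic an anti-spoofing rule should have dropped."""
    bad = set()
    for r in records:
        if r.get("IN") != external_if:
            continue
        src = ip_address(r["SRC"])
        if src in OWN_PREFIX or any(src in net for net in BOGONS):
            bad.add(r["SRC"])
    return bad


def syn_flood_sources(records, window_seconds=10, threshold=5):
    """Map SRC -> peak number of bare SYNs seen within any window_seconds span,
    for sources whose peak reaches threshold (sliding window per source)."""
    by_src = {}
    for r in records:
        if r.get("PROTO") == "TCP" and r["syn_only"]:
            by_src.setdefault(r["SRC"], []).append(r["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("spoofed sources on %s: %s" % (EXTERNAL_IF, sorted(spoofed_sources(recs))))
    for src, peak in syn_flood_sources(recs).items():
        print("possible SYN flood from %s: %d bare SYNs in one window" % (src, peak))
```

On the sample data this flags 203.0.113.5 for the SYN burst and reports 10.1.2.3 (RFC 1918) and 198.51.100.10 (our own address) as spoofed on eth0, while the 10.1.2.4 packet on eth1 is left alone because it arrived on the inside. The same two functions run unchanged over real `journalctl -k` or `/var/log/kern.log` output once the prefix and interface names match yours.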

Filling a BlackHole – Securelist

Today, exploiting vulnerabilities in legitimate programs is one of the most popular methods of infecting computers. According to our data, user machines are most often attacked using exploits for Oracle Java vulnerabilities. Today’s security solutions, however, are capable of effectively withstanding drive-by attacks conducted with the help of exploit packs. In this article, we discuss how a computer can be infected using the BlackHole exploit kit and the relevant protection mechanisms that can be employed.

via Filling a BlackHole – Securelist.

Know Thyself Through Data-Driven Security Q&A — Dark Reading

It’s almost an inevitability at IT security conferences that some speaker will break out the Sun Tzu quote about knowing your enemy and yourself to avoid disaster in battle. But in this day of threat intelligence feeds and cyberawareness, all too often the emphasis is put on intelligence-gathering about the adversary. Meanwhile, the more obvious and often more available data about oneself remains unharvested.

At the recent UNITED Security Summit, two banking executives from a top 25 U.S. financial institution (who shared best practices on the condition of not naming their employer) challenged that lack of self-awareness, advising fellow practitioners to take a deeper dive into readily available data about their systems, users, and patterns in their environments to improve their risk management strategies with meaningful action. That process starts and ends with what Kelly White, vice president and information security manager, called a security Q&A for an organization.

via Know Thyself Through Data-Driven Security Q&A — Dark Reading.

Is mobile privacy a bigger concern than a phone’s brand?

A new Harris Interactive study provides a valuable barometer on current consumer perceptions and mobile privacy trends by examining issues, such as data collection, geo-location tracking, mobile advertising and privacy management responsibility.

Among the top findings: many smartphone users are more concerned about mobile privacy than a phone’s brand, screen size, camera resolution or weight; more than three-quarters of smartphone users won’t download an app they don’t trust; and although the majority of those surveyed don’t like the concept of tracking, nearly half (46%) of smartphone users are still unaware it even happens.

via Is mobile privacy a bigger concern than a phone’s brand?.