Keep Calm, Keep Encrypting — With A Few Caveats — Dark Reading

Encryption remains a key security tool despite newly leaked documents revealing the National Security Agency’s efforts to bend crypto and software to its will in order to ease its intelligence-gathering capabilities, experts say. But these latest NSA revelations serve as a chilling wake-up call for enterprises to rethink how they lock down their data.

“The bottom line is what Bruce Schneier said: for all of these [NSA] revelations, users are better off using encryption than not using encryption,” says Robin Wilton, technical outreach director of the Internet Society. “But if you’re a bank [or other financial institution] and you rely on the integrity of your transactions, what are you supposed to be doing now? Are you compromised?”

via Keep Calm, Keep Encrypting — With A Few Caveats — Dark Reading.

ISC Diary | In Defense of Biometrics

There are several good thoughts in this post:

One easy improvement: Make it “real two factor” by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better than a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.

Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user’s fingerprints. It shouldn’t be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.

via ISC Diary | In Defense of Biometrics.

I hope that Apple offers more details about how the fingerprint reader works. The technology exists to deal with the latent fingerprint issue. Many corporations will want true two-factor before relying on the iPhone’s biometrics in the enterprise.

If this is strong & robust authentication I hope Apple makes it available to other manufacturers as an open standard.

Should You Bring Mom and Dad to Your Office? – WSJ.com

This is mind blowing:

A 2012 survey of more than 500 college graduates by Adecco, a human-resources organization, found that 8% of them had a parent accompany them to a job interview, and 3% had the parent sit in on the interview.

via Should You Bring Mom and Dad to Your Office? – WSJ.com.

That’s 15 applicants bringing Mom & Dad along for the interview. I was a hiring manager in some of my past professional lives. I never encountered a parent hovering over an interview. I don’t think I would care if the parent tagged along, but I would not let the parent into the actual interview. If pushed I would either say no or rank the applicant lower regardless.

… parental involvement in the U.S. doesn’t begin to match countries in Asia and South America, according to a 2013 study from the global accountancy firm PricewaterhouseCoopers LLP.

The study, which surveyed 44,000 people from more than 20 countries, found that just 6% of recent college graduates surveyed in the U.S. wanted their parents to receive a copy of their offer letters. That’s well below the global average of 13% and much less than some other countries, where it was as high as 30%. The study also found that just 2% of young employees in the U.S. want their parents to receive a copy of their performance review, compared with the global average of 8%.

Having recently gone through a job hunt I shared details with my folks and other trusted advisers but never the actual correspondence. Again as a hiring manager I don’t think I would agree to sending a copy to anyone other than the applicant.

This could be a generational thing, but as a parent I would never consider intruding into my kids’ lives to this degree.

What do you think? If you’re a manager, would you hire an applicant who brings parents along? If you’re a parent, would you want to tag along on your child’s job interview?

New gTLD security implications

The new gTLDs that are being implemented have a few security concerns already. One of the major concerns is Name Collision, which results from a single domain name being used in different places.

An example of this would be a company that uses .corp in an internal domain name. Under the new gTLD processes, the .corp gTLD could be bought by a different company for their use on the internet. If that happens, when a user tries to go to internal locations on a company network using .corp, there is a chance that they could actually get data back from the now legitimate .corp servers on the Internet.

Using an internal domain name like this is a very common practice among businesses, so any issues that may come up dealing with .corp could be widespread. In the case of these new gTLDs, the owners of those servers could also manipulate their records, redirecting wayward queries. This opens the door to possible malware or phishing attacks on unsuspecting systems.

via New gTLD security implications.
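As an added illustration (my own code, not from the quoted article), here is a small audit of the kind of exposure the article describes: it reads the search suffixes from a resolver configuration plus a few internal hostnames, and sorts each name by whether its top label is a domain the organisation owns, a reserved special-use name, an already delegated TLD (a live collision), or a not-yet-delegated label that a future gTLD round could hand to someone else. The resolv.conf, hostnames, owned domain and TLD list are all constructed samples; in practice the TLD list would come from the IANA root zone database.

```python
"""Audit internal DNS suffixes for gTLD name-collision exposure.

Constructed sample data throughout; the real delegated TLD list is
published by IANA at https://data.iana.org/TLD/tlds-alpha-by-domain.txt
"""

# Constructed resolv.conf: one nameserver line plus a search list.
RESOLV_CONF = """
nameserver 10.0.0.53
search corp hq.corp lab.local intranet.example.com
"""
# Constructed hostnames pulled from internal application configs.
INTERNAL_HOSTS = ["fileserver.corp.", "mail.hq.corp", "git.dev",
                  "wiki.intranet.example.com"]
# Constructed subset of delegated TLDs (deliberately without .corp).
DELEGATED_TLDS = {"com", "net", "org", "dev", "home"}
# Special-use names that are never delegated (RFC 6761 / RFC 6762).
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}
# Domains the organisation actually registered (constructed).
OWNED_DOMAINS = {"example.com"}


def search_suffixes(resolv_conf):
    """Return suffixes from the 'search' and 'domain' lines of a resolv.conf."""
    suffixes = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            suffixes.extend(parts[1:])
    return suffixes


def classify(names, delegated, owned, reserved=RESERVED_TLDS):
    """Bucket each name by what its rightmost label means on the public Internet."""
    report = {"owned": [], "reserved": [], "collision": [], "at_risk": []}
    for raw in names:
        name = raw.rstrip(".").lower()          # drop root dot, normalise case
        tld = name.rsplit(".", 1)[-1]           # rightmost label
        if any(name == d or name.endswith("." + d) for d in owned):
            report["owned"].append(name)        # safe: under a registered domain
        elif tld in reserved:
            report["reserved"].append(name)     # safe: can never be delegated
        elif tld in delegated:
            report["collision"].append(name)    # live collision: leaked queries get public answers
        else:
            report["at_risk"].append(name)      # undelegated today, but a future gTLD could claim it
    return report


def audit():
    """Combine resolver search list and known hosts into one report."""
    names = search_suffixes(RESOLV_CONF) + INTERNAL_HOSTS
    return classify(names, DELEGATED_TLDS, OWNED_DOMAINS)


if __name__ == "__main__":
    for bucket, names in audit().items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

The durable fix for anything in the collision or at-risk buckets is to move internal names under a registered domain (for example a subdomain of something in the owned set) rather than a made-up suffix.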

Timing is an influential risk-factor for cyber attacks – Help Net Security

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults.

According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risk times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

via Timing is an influential risk-factor for cyber attacks.

Good but generic advice in the article. If you work for a multinational you’ll need to keep in mind dates and events beyond the US – the football (soccer) World Cup, for example. User education is important, but the returns diminish over time, especially if you cause fatigue in your users. Pen testing is good, as is a commitment of time and money to security infrastructure life-cycle management.

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet

Adobe today released security updates for Flash Player, AIR, Shockwave Player, Acrobat and Reader. The updates for Flash Player and Shockwave Player on Windows and Mac address a vulnerability which Adobe classifies as Priority 1, which indicates that it is being exploited in the wild at a high risk of exploit.

The updated versions of Flash Player on Windows and Mac are 11.8.800.168 and 11.7.700.242. Earlier 11.7 and 11.8 versions are vulnerable. Updates are also available for Flash Player on Linux and Android, as well as Adobe AIR and the Adobe AIR SDK. These are not as severe and updating is not as high a priority.

The updates for Reader and Acrobat are classified as less urgent. They are important vulnerabilities, but not being exploited.

via Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader | ZDNet.

Microsoft releases 13 bulletins, axes .NET patch

September’s Patch Tuesday is live! The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component.

Of the 13 bulletins remaining, they are split 7/6 between the MS Office family and Windows OS patches, if we are counting the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwithstanding.

via Microsoft releases 13 bulletins, axes .NET patch.