Talbot Boggs( Brandonsun - July 16, 2014 )
Identity theft is a very real and present danger. In the past 12 months some seven million Canadians became victims of identity theft with an average direct cost per victim of US$372.00, according to internet/computer security company Norton. Identity theft is the result of an unconsented or unknown use of an individual’s personal information. It often occurs in conjunction with crimes such as fraud, forgery, or theft. Likely targets for an identity thief can include a Social Insurance Number (SIN), driver’s licence number, credit cards, debit cards, cheques, phone cards, passwords, and pin numbers. In general, identity thieves look for the opportunity to make a transaction and obtain cash, merchandise, or services before their identity can be found or the true information owner can be notified. Although it may sound simple, the main way of combatting identity theft is to use caution when making any purchase or when otherwise safeguarding your personal information.
Lamont Wood( Computerworld - July 16, 2014 )
Getting employees to take security seriously when security is not their job is an old challenge that now has a new answer: Gamification. That’s right; game-like elements are used to enhance security awareness and modify users’ behaviors. The results are tightly connected to the real world. “Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email,” reports Patrick Heim, chief trust officer at Salesforce.com, describing the results after 18 months of an ongoing security awareness gamification effort, based on positive recognition rather than negative reinforcement, at that firm of 13,000. Building awareness of physical security was also part of the effort. A campaign to test “tailgating” (an unauthorized person following an authorized person through a secured door) drew 300 volunteers, who were rewarded if they got through a door and took something.
Andrea Peterson( Washington Post - July 16, 2014 )
Tech giant Google announced a new team of security researchers aimed at making the web a safer place by discovering “zero day” vulnerabilities Tuesday. But if you’re not a security researcher, you might be asking what exactly zero day vulnerabilities are. Don’t worry, we’re here to help.
What is a zero day vulnerability? Essentially, it’s an unknown bug in a computer application. Software companies are pretty much constantly working to find and fix problems in their programs, but coding can be a messy business and mistakes often slip through. When a company finds a problem, they release a patch for it
Steve Ragan( Network World - July 15, 2014 )
E-ZPass Group, a toll collection program consisting of 25 agencies in 15 states, has issued a warning to customers concerning a Phishing scam that is posing as a collection notice. In a notice to customers, E-ZPass stated that the messages being reported are not authorized communications, even if a person’s account is behind on payments. If that happens to be the case, payment notices are invoiced and sent to the customer directly via the United States Postal Service. “We advise you not to open or respond to such a message should you receive one,” the E-ZPass warning stated. The emails are coming from compromised WordPress installations, and have been sent in batches since July 8. The messages use the E-ZPass brand’s colors (a bold purple that is present on all toll signs in the states where the service is used), and contain a subject related to driving on toll roads. More than likely, the E-ZPass warning notes, the message is an attempt to steal sensitive information, including usernames, passwords, and financial data. However, Gary Warner, Chief Technologist and Co-Founder of Malcovery, tested the Phishing emails and discovered that the links were pointing to malware that will connect the infected host to the ASProx botnet. Based on information he has received, the infected systems are primarily being used for advertising click-fraud.
Alastair Stevenson( V3 - July 15, 2014 )
Oracle has issued an astounding 113 fixes relating to products in nearly its entire services portfolio in its latest quarterly Critical Patch Update. Oracle announced the details of its July Critical Patch Update, which was released on Tuesday, via a threat advisory on its website. The advisory details fixes for key Oracle products and services, including Fusion Middleware, Database, Server, Hyperion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain, PeopleSoft, Siebel CRM, Communications, Retail, MySQL, Virtualization, Sun Systems and Java SE (JSE). Oracle urged customers to update their systems as soon as possible: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” it said. Rapid7 senior manager of Security Engineering Ross Barrett highlighted the JSE and Oracle Database updates as being the most pressing. Barrett said the Oracle Database fix is dangerous as, if left unpatched, the vulnerability could be exploited by hackers to steal control of a victim’s system. “The advance notice indicates that a high risk remotely exploitable issue affecting Oracle Database will be fixed and that this issue is something that would allow an attacker almost complete control of the target, and probably the underlying operating system through the database,” he said.
Leigh Thomas and Jim Finkle( Reuters - July 14, 2014 )
Insurers are eagerly eyeing exponential growth in the tiny cyber coverage market but their lack of experience and skills handling hackers and data breaches may keep their ambitions in check. High profile cases of hackers seizing sensitive customer data from companies, such as U.S. retailer Target Corp or e-commerce company eBay Inc, have executives checking their insurance policies. Increasingly, corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have. The insurance broking arm of Marsh & McLennan Companies estimates the U.S. cyber insurance market was worth $1 billion last year in gross written premiums and could reach as much as $2 billion this year. The European market is currently a fraction of that, at around $150 million, but is growing by 50 to 100 percent annually, according to Marsh. Those numbers represent a sliver of the overall insurance market, which is growing at a far more sluggish rate. Premiums are set to grow only 2.8 percent this year in inflation-adjusted terms, according to Munich Re, the world’s biggest reinsurer.
Jeremy Kirk( ComputerWorld - July 14, 2014 )
Popular password manager LastPass said it fixed two vulnerabilities that were found last year. The disclosure comes just ahead of a security conference where a research paper describing the problems is due to be presented. Zhiwei Li, a research scientist at Shape Security, reported the flaws to LastPass in August 2013, which were “addressed immediately,” LastPass wrote on its blog. Both flaws involved “bookmarklets,” which assist in filling out stored password information when LastPass’s plugin can’t be used, such as when using a mobile browser. One flaw could be exploited if a bookmarklet was used on a website rigged to attack it, LastPass wrote. The other vulnerability could allow an attacker to create a bogus one-time password (OTP) if a LastPass user was tricked into visiting a malicious website. The OTP attack would require a hacker to know a person’s username in order to exploit it and also serve a custom attack, LastPass wrote.