Cyber Criminals attacking Java

There is a significant security flaw in Java and it is being exploited fast and furiously by cyber criminals. Sophos’ Naked Security blog has a fantastic post on the vulnerability and especially its effect on Oracle users. Their solution: Disable Java immediately. Check out the post here.

And why is Java so problematic you ask? Graham Cluley states the following:

“In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java – as it is so commonly installed, and has been frequently found to be lacking when it comes to security.

Cybercriminals also love Java because it is multi-platform – capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.”

For easy reference, here’s how to disable Java on the most popular web browsers.

Lean Security 101: The Comic Book!

Whether embracing the 80×5 rule or learning how to effectively solicit outside advice, there’s a way to make your security strategy work smarter, not harder. Perfect security is a pipedream. So use what you have and learn from what works.

Follow the principles and strategy detailed in our very own “Lean Security 101” comic book and you can build your own lean security model within your organization!

Follow this link to download Lean Security 101: The Comic Book.

And don’t forget … you can get a lean security review for free, just by requesting one here.


How do you respond when a moose is on the loose?

What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people just let them do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search shows cases where people following policy resulted in death, brain death and murder suspects being released.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact that it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.

In the News

Here are three security articles we found rather interesting this week.

Researcher Wows Black Hat with NFC-based Smartphone Hacking Demo (CIO)

Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).

“I can read all the files,” said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.

The truth behind those Nigerian 419 scammers

419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?

Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:

The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective (The Huffington Post)

Adam Levin of wrote an interesting story documenting Wisconsin’s complete inability to secure public information.

Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.

This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.