I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors, or an outsourced supply chain, you should definitely give the article a read.

To summarize the article:

  1. Get your legal contracts in order. So many firms don’t put what they need from their partners into a contract. How do you expect to get what you need then?
  2. Establish communication channels that work for everyone. If you don’t get the right people on the “phone”, nothing will get done, including your security processes.
  3. Find the person with authority at your partner and ensure they are involved; otherwise your efforts will be useless.

I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!

I was chatting about shortened URLs, did some research and found out something I didn’t know was happening.

Here’s a test for you. Let’s say you are linked to eBay from a suspicious source. The page looks identical to ebay.com: all the graphics are the same, and even the URL in your address bar reads www.ebаy.com. You’re pretty up to speed on phishing attempts, so what about this page should make you suspicious?

The answer? The “a” in ebay here may not be the Latin “a” you are used to seeing but a Cyrillic “a” that looks identical. Since it is a different character, ebay.com with a Cyrillic “a” is a completely different website, one that could host the same old phishing scams.

ICANN, the body responsible for regulating the domain name system for web addresses, has moved ahead with its plan to internationalize domain names. While many countries are happy to see their native languages in their address bars, this creates an opportunity for age-old phishing scams to resurface.

This problem arises now that domain names are becoming internationalized. Regional top-level domains now include Russian, Chinese, and Arabic characters. As I’ve shown, this creates an opportunity for phishing attacks that steal the usernames and passwords of eBay or PayPal users.

In the past, phishing sites used common misspellings of legitimate sites to fool users. Now they can use the Cyrillic “a,” “B,” “m,” “e,” or the Arabic “l” to confuse even the most phishing-savvy users with identical-looking spoofs. Of course, the scam also works in reverse, substituting Latin letters into Cyrillic addresses. The proliferation of international web addresses presents new opportunities.

So far this trick has not been used frequently, but experts expect cybercriminals to catch on. This will lead to reputation problems for companies like PayPal, eBay, Yahoo, and other major websites whose domain names contain letters with look-alikes in other scripts.
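
The defensive counterpart to the trick described above is to look at a hostname the way a browser or mail gateway should before trusting it: decode it to its Punycode form, check whether any label mixes letters from more than one script, and map known look-alike characters back to Latin to see whether the result collides with a brand you care about. The following is an added example written for this post, not code from the original article; the `CONFUSABLES` table is a small hand-built subset (the full data is Unicode's confusables.txt), the `WATCHLIST` is constructed from the brands the post names, and the script classification by Unicode character name is a simplification of the real Unicode Script property.

```python
import unicodedata

# Coarse script classification by Unicode character-name prefix. This is a
# simplification for the example; production code would use the Unicode
# Script property (e.g. via ICU) and the UTS #39 confusables data.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW", "ARMENIAN")

# Partial, hand-built table of Cyrillic lowercase letters that render like
# Latin ones (constructed for this example; the authoritative source is
# Unicode's confusables.txt).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u043c": "m",  # CYRILLIC SMALL LETTER EM (looks like 'm' in many fonts)
}

# Constructed watchlist of registrable domains worth protecting.
WATCHLIST = ("ebay.com", "paypal.com", "yahoo.com")


def script_of(ch):
    """Return a coarse script label for one character."""
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are script-neutral in a label
    return "OTHER"


def mixed_script_labels(hostname):
    """Return the labels of `hostname` whose letters come from more than one script."""
    mixed = []
    for label in hostname.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
    return mixed


def skeleton(hostname):
    """Map known confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def lookalike_of(hostname):
    """Return the watchlisted domain this hostname imitates, or None."""
    skel = skeleton(hostname)
    if skel == hostname:
        return None  # nothing confusable was substituted
    for brand in WATCHLIST:
        if skel == brand or skel.endswith("." + brand):
            return brand
    return None


def to_punycode(hostname):
    """ASCII (xn--) form of the hostname, or None if it is not a valid IDN."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyze_hostname(hostname):
    """Normalise the hostname and collect the three homograph indicators."""
    host = unicodedata.normalize("NFC", hostname).lower().rstrip(".")
    return {
        "unicode": host,
        "punycode": to_punycode(host),
        "mixed_script_labels": mixed_script_labels(host),
        "lookalike_of": lookalike_of(host),
    }


if __name__ == "__main__":
    # The second hostname uses the Cyrillic a (U+0430) from the post.
    for h in ("www.ebay.com", "www.eb\u0430y.com",
              "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"):
        print(analyze_hostname(h))
```

The Punycode form is what a browser falls back to when it refuses to display a mixed-script label, so logging it alongside the Unicode form makes the spoof visible to analysts; the all-Cyrillic `пример.рф` case shows that a single-script IDN is reported clean rather than being treated as suspicious just for being non-ASCII.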

Lance Spitzner’s New Blog – Securing the Human

by Michael A. Davis on April 1, 2010

My friend Lance Spitzner, founder of the Honeynet Project, has launched a new blog on securing the human. Lance focuses on providing quality, cutting-edge security awareness programs to private companies.

Lance does fantastic work. Go read his blog!

Obama Twitter account hacked... it was a 1 in 80 chance

March 25, 2010

President Obama’s Twitter account was easily hacked because of problems in the way security questions are asked. A new paper released talks about how an average person has a 1 in 80 chance of guessing your secret account question.

We need your help! 2010 Strategic Security Survey

March 17, 2010

2010 marks the thirteenth year InformationWeek will track the evolution of security practices through our annual research and trending survey. Please join the 40,000+ security and IT professionals who’ve participated in this landmark study!

1 thing you have to do if you virtualize

March 11, 2010

Virtualization saves money and the environment. But it is not without a potentially major disadvantage.

4 Ways to Social Engineer Face to Face

March 10, 2010

While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!). Even though it puts the social engineer at direct risk, it offers the most reward for their efforts, since it gives them direct access to your company’s office and hardware. Here are the top 4 ways to social engineer someone face-to-face.

How to Survive a DDoS Extortion Attack

February 24, 2010

Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment. If the payment is not made by the given date, then the attack begins and the price usually increases.

Petition Congress to Step Up and Act

February 23, 2010

I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend taxpayer money, so I want to ask Congress to step up, start using our money for things that matter, and start to protect the end user’s [...]