by Michael A. Davis on April 12, 2010
I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors, or an outsourced supply chain, you should definitely give the article a read.
To summarize the article:
- Get your legal contracts in order. So many firms don’t put what they need from their partners into a contract. How do you expect to get what you need then?
- Establish communication channels that work for everyone. If you don’t get the right people on the “phone”, nothing will get done, including your security processes.
- Find the person with authority at your partner and ensure they are involved, otherwise your efforts will be useless.
I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!
by Michael A. Davis on April 6, 2010
I was chatting about shortened URLs, did some research and found out something I didn’t know was happening.
Here’s a test for you. Let’s say you are linked to eBay from a suspicious source. The page looks identical to ebay.com – all the graphics are the same, and even the URL in your address bar reads www.ebаy.com. You’re pretty up to speed on phishing attempts, so what about this page should make you suspicious?
The answer? The “a” in ebay here may not be the Latin “a” you are used to seeing but a Cyrillic “a” that looks identical. Because it is a different character, ebay.com with a Cyrillic “a” is a completely different domain – one that could host an old phishing scam.
ICANN, the body responsible for regulating the domain name system for web addresses, has moved ahead with its plan to internationalize domain names. While many countries are happy to see their native languages in their address bars, this creates an opportunity for age-old phishing scams to resurface.
This is the problem we face now that domain names are becoming internationalized. Regional top-level domains are including Russian, Chinese, and Arabic characters. As I’ve shown you, this creates an opportunity for phishing attacks that steal the usernames and passwords of ebay or paypal users.
In the past, phishing sites used common misspellings of legitimate sites to fool users. Now they can use the Cyrillic “a,” “B,” “m,” “e,” or the Arabic “l” to confuse even the most phishing-savvy users with identical spoofs. Of course, the scam also works in reverse – substituting Latin letters into Cyrillic addresses. New opportunities present themselves with the proliferation of international web addresses.
So far, at least, this trick has not been used in high frequency. But experts expect cybercriminals to catch on. This will lead to reputation problems for companies like paypal, ebay, yahoo, and other major websites whose domain names contain letters that have look-alikes in other scripts.
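One defensive check that catches the Cyrillic-“a” eBay case above is to look for labels that mix Unicode scripts and to surface the punycode (xn--) form that resolvers and logs actually see. This is an added example, not code from the original post; the hostnames it analyzes are constructed for illustration, and the script detection is a coarse guess from Unicode character names (standard library only).

```python
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script guess: ASCII letters are Latin, digits/hyphen are
    'COMMON', anything else takes the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> set[str]:
    """Set of scripts used by the letters of one DNS label, ignoring
    digits and hyphens, which are legitimate in any script."""
    return {script_of(c) for c in label} - {"COMMON"}


def analyze_hostname(hostname: str) -> dict:
    """Return per-label script sets, the labels that mix scripts, and the
    IDNA form (xn--...) that the resolver looks up. A label mixing two
    scripts, such as Latin 'eb' + Cyrillic 'а' + Latin 'y', is flagged."""
    labels = hostname.lower().rstrip(".").split(".")
    per_label = {lab: label_scripts(lab) for lab in labels}
    mixed = [lab for lab, scripts in per_label.items() if len(scripts) > 1]
    return {
        "labels": per_label,
        "mixed_script_labels": mixed,
        # The idna codec applies nameprep and punycode-encodes each
        # non-ASCII label, so the look-alike becomes visibly different.
        "idna": hostname.encode("idna").decode("ascii"),
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed sample: the genuine name and a spoof using U+0430.
    for host in ("ebay.com", "eb\u0430y.com"):
        report = analyze_hostname(host)
        print(host, "->", report["idna"], "| suspicious:", report["suspicious"])
```

A mixed-script check does not catch a label written entirely in one look-alike script, so it belongs alongside browser punycode display and brand-name confusable matching rather than replacing them.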
by Michael A. Davis on April 1, 2010
My friend, Lance Spitzner, founder of the Honeynet Project, has launched a new blog on securing the human. Lance focuses on providing quality, cutting-edge security awareness programs to private companies.
Lance does fantastic work. Go read his blog!