Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Fresh, from Bucharest...

January 12, 2017 by Marc Handelman in Believe It Or Not, All is Information, Data Security, Database Security, DBMS Security, Information Security

Via CIO Romania correspondent Lucian Constantin, comes bad news indeed, for MongoDB users, that is:

'Five groups of attackers are competing to delete as many publicly accessible MongoDB databases as possible' - via CIO reporter Lucian Constantin

My suggestion is to, um - perhaps...not expose your database layer to external contact... Perhaps a DENY ALL rule for your MongoDB deployment in your firewall would be helpful as well... just saying. Oh, and very good advice from Lucian at the end of his reportage: use the MongoDB security checklist. It is - I can assure you - prietenul tău (your friend)! I also strongly suggest taking the time to read the Security Hardening documentation from MongoDB; you can also download an EPUB version of the MongoDB manual. You'll be glad you did. That is all.

Tip of the Tam o'Shanter


Google's Keys to Security, Pragmatism At Its Finest →

December 26, 2016 by Marc Handelman in All is Information, Cryptography, Data Security, Information Security, Web Security

Read it (PDF) and be pleased that all-well-might-indeed-be-right-with-the-Universe, at least in user-land universal 2nd factor crypto, that is...

h/t


Microsoft Begins Selling Windows 10 Telemetry →

December 12, 2016 by Marc Handelman in All is Information, Corporate Evil, Cruft, Data Security, Feet of Clay, Information Security, Marketing Gone Wild, Right to Privacy, Demise of Privacy

News of Microsoft Corporation (NasdaqGS: MSFT) selling Windows 10 customer telemetry has come to light via Martin Kauffman on GHacks. Martin superlatively details the phenomenal audacity of Microsoft in the matter of selling usage information; while not surprising, it is just another indicator of the onerous feet-of-clay syndrome now evident in Redmond. Oh, and by the way, the data is being shared with a security firm. Simply astounding. As always, you be the judge.


ISOC 2016 Global Internet Report →

November 25, 2016 by Marc Handelman in Accountability, All is Information, Information Security, Database Security, Data Security, Web Security, WebTrust, Online Trust, ISOC

Behold, the Internet Society's 2016 Global Internet Report: 'The Economics of Building Trust Online: Preventing Data Breaches'. Fascinating reading.


IoT Security in the Cloud, Best Practices →

November 09, 2016 by Marc Handelman in All is Information, Cloud Security, Data Security, Information Security, Network Security, IoT, IoT Security

Verizon's Cookie

March 08, 2016 by Marc Handelman in All is Information, Data Security, Information Security, Web Security

Super Cookie, that is...


Bad DB →

January 20, 2016 by Marc Handelman in All is Information, Database Security, Data Security, Information Security

DarkMatters takes us down the slippery slope of poorly configured databases and database management systems. Threats abound, yet little is done to remediate them (until after data loss). Today's Must Read.

'As of this writing, there are more than 27,000 instances of MongoDB and approximately 29,000 instances of Redis on the internet that do not have authorization enabled. Misconfigured databases are just as dangerous as vulnerabilities—they provide the bad guys an easy-access, exploitable front door to user data.' via DarkMatters
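
The misconfiguration behind those counts, and the one the MongoDB post earlier on this page tells you to avoid, is a database daemon bound to every interface with no authentication required. The script below is an added example (not from DarkMatters, MongoDB or Redis) that reads a mongod.conf or redis.conf and reports those conditions; the sample files are constructed, with the exposed setting beside the corrected one. The parsers cover only the simple key/value subsets shown, and the defaults assumed when a directive is absent are labelled in the comments.

```python
"""Report database configs that are reachable from the network without
authentication. Added example, not project code; sample configs below are
constructed, with the exposed setting beside the corrected one."""

# Constructed sample: mongod.conf as found on many exposed hosts.
MONGOD_EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: the same file after following the security checklist
# (listen on loopback only, require authentication).
MONGOD_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: redis.conf with the bind line commented out.
REDIS_EXPOSED = """\
# bind 127.0.0.1
protected-mode no
port 6379
"""

# Constructed sample: corrected redis.conf (password is a placeholder).
REDIS_HARDENED = """\
bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER-strong-secret
port 6379
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section: / key: value' YAML subset
    used in mongod.conf. Returns a flat dict such as {'net.bindIp': '0.0.0.0'}."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level 'net:' style section
            section = line.rstrip(":").strip()
            continue
        key, _, value = line.strip().partition(":")
        result[f"{section}.{key.strip()}"] = value.strip()
    return result


def parse_redis_conf(text):
    """redis.conf is one 'directive value' per line; '#' starts a comment."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, _, value = line.partition(" ")
            result[directive.lower()] = value.strip()
    return result


def bound_to_loopback_only(bind_value):
    """True if every listed address is a loopback address."""
    addrs = bind_value.replace(",", " ").split()
    return bool(addrs) and all(a in LOOPBACK for a in addrs)


def assess_mongod(text):
    """Return a list of findings (empty means both checks pass)."""
    conf = parse_mongod_conf(text)
    findings = []
    # Assumed default: mongod 3.6+ binds to localhost when bindIp is absent.
    bind = conf.get("net.bindIp", "127.0.0.1")
    if not bound_to_loopback_only(bind):
        findings.append(f"mongod listens on non-loopback address(es): {bind}")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("mongod runs with security.authorization disabled")
    return findings


def assess_redis(text):
    """Return a list of findings for a redis.conf."""
    conf = parse_redis_conf(text)
    findings = []
    # Without a 'bind' directive Redis listens on all interfaces.
    bind = conf.get("bind", "0.0.0.0")
    if not bound_to_loopback_only(bind):
        findings.append(f"redis listens on non-loopback address(es): {bind}")
    if conf.get("protected-mode", "yes") != "yes":
        findings.append("redis protected-mode is off")
    if not conf.get("requirepass"):
        findings.append("redis accepts connections without a password")
    return findings


if __name__ == "__main__":
    for name, text, check in [("mongod exposed", MONGOD_EXPOSED, assess_mongod),
                              ("mongod hardened", MONGOD_HARDENED, assess_mongod),
                              ("redis exposed", REDIS_EXPOSED, assess_redis),
                              ("redis hardened", REDIS_HARDENED, assess_redis)]:
        print(name, "->", check(text) or ["ok"])
```

Run as-is it reports two findings for the exposed mongod.conf, three for the exposed redis.conf and none for either hardened file; point the assess functions at your own config text to use it as a pre-deployment check. A host firewall rule dropping inbound 27017/6379 belongs alongside this, since a config check cannot see what the network layer allows.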


TedX HK, Trampes' Data

December 17, 2015 by Marc Handelman in All is Information, Data Security, Data Leakage, Education, Information Security

Iron Tiger →

September 23, 2015 by Marc Handelman in All is Information, Alternate Attack Analysis, Business of Security, Database Security, Data Security, Information Security

You should know Graham Cluley, specifically because of his outstanding information security reporting; as evidenced, if you will, by his latest screed on the so-called Iron Tiger targeted attacks. Noted as today's Must Read.


BSidesCincy 2015, The Value of a Simple DLP Program →

August 06, 2015 by Marc Handelman in All is Information, Data Loss Prevention, Data Security, Data Classification, Data Driven Security, Database Security, Information Security
Timothy D. Cook, Apple Inc.'s highly respected Chief Executive Officer

Cook's Battles →

July 15, 2015 by Marc Handelman in All is Information, Common Sense, Data Security, Demise of Privacy, Information Security

In which we shall discover why Apple Inc.'s (NasdaqGS: AAPL) Chief Executive Officer, Tim Cook, is on a crusade, in this case targeting the utilization of big data by Google Inc. (NasdaqGS: GOOG) and Facebook Inc. (NasdaqGS: FB), and the rationale behind this pro-consumer crusade.


Neil's Spiel →

May 29, 2015 by Marc Handelman in All is Information, Data Security, Infosec Policy, Information Security, Government, Social Engineering

Devil in the Haystack →

May 20, 2015 by Marc Handelman in All is Information, Application Security, Data Security, Information Security

Data Melt →

May 15, 2015 by Marc Handelman in All is Information, Data Driven Security, Data Security, Physical Security

Evidence, says Zack Whittaker for Zero Day, of data disappearing from solid-state storage when the storage medium is left unpowered for several days. Apparently, additional degradation takes place as temperatures rise...

The money quote:

"A recent presentation by hard drive maker Seagate's Alvin Cox warned that the period of time data is retained on some solid-state drives is halved for every 9°F (or 5°C) rise in temperature where it's stored. That means if a solid-state drive is stored in a warm room, say 77°F (25°C), its data can last for about two years. But, if that goes up by a mere few degrees to 86°F (30°C), that data's retention period will be cut in half." via Zack Whittaker at Zero Day


Harbortouch'ed →

May 07, 2015 by Marc Handelman in All is Information, Bank Security, Cruft, Data Security, Information Security, POS Security

Via the inimitable Brian Krebs, writing at Krebs On Security, comes the latest sorry tale of attacked, and successfully breached, Point of Sale (POS) terminals manufactured by POS system purveyor Harbortouch.


IC3 Issues LEO Warning, Targeted 'Cyber' Attacks Against Public Officials

April 24, 2015 by Marc Handelman in All is Information, Behavioral Security, Common Sense, Communications, Crime, Cybersecurity, Data Security, Information Security

The Internet Crime Complaint Center (IC3) has published a warning focusing on Law Enforcement Officers (and other LEO personnel, including family members). The warning explicitly states that Law Enforcement Officers, personnel and public officials are at an increased risk of cyber-related attacks committed by so-called hacktivists, primarily focused at this time on the act of doxing (see the etymology of doxing here). The full text of IC3 Alert Number I-042115-PSA appears below:

Hacktivists Threaten to Target Law Enforcement Personnel and Public Officials

Summary

Law enforcement personnel and public officials may be at an increased risk of cyber attacks. These attacks can be precipitated by someone scanning networks or opening infected emails containing malicious attachments or links. Hacking collectives are effective at leveraging open source, publicly available information identifying officers, their employers, and their families. With this in mind, officers and public officials should be aware of their online presence and exposure. For example, posting images wearing uniforms displaying name tags or listing their police department on social media sites can increase an officer's risk of being targeted or attacked.

Many legitimate online posts are linked directly to personal social media accounts. Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, their employer or how it could be used against them in court or during online attacks.

Threat

The act of compiling and posting an individual's personal information without permission is known as doxing. The personal information gathered from social media and other Web sites could include home addresses, phone numbers, email addresses, passwords and any other information used to target an individual during a cyber attack. The information is then posted on information sharing Web sites with details suggesting why the individual should be targeted.

Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.

Another dangerous attack often used by criminals is known as “swatting.” This involves calling law enforcement authorities to report a hostage situation or other critical incident at the victim's residence, when there is no emergency situation.

Defense

Defending Against Hacktivism

While eliminating your exposure in the current digital age is nearly impossible, law enforcement and public officials can take steps to minimize their risk in the event they are targeted.

  • Turn on all privacy settings on social media sites and refrain from posting pictures showing your affiliation to law enforcement.

  • Be aware of your security settings on your home computers and wireless networks.

  • Limit your personal postings on media sites and carefully consider comments.

  • Restrict your driver license and vehicle registration information with the Department of Motor Vehicles.

  • Request real estate and personal property records be restricted from online searches with your specific county.

  • Routinely update hardware and software applications, including antivirus.

  • Pay close attention to all work and personal emails, especially those containing attachments or links to other Web sites. These suspicious or phishing emails may contain infected attachments or links.

  • Routinely conduct online searches of your name to identify what public information is already available.

  • Enable additional email security measures to include two factor authentication on your personal email accounts. This is a security feature offered by many email providers. The feature will cause a text message to be sent to your mobile device prior to accessing your email account.

  • Closely monitor your credit and banking activity for fraudulent activity.

  • Passwords should be changed regularly. It is recommended to use a password phrase of 15 characters or more. Example of a password phrase: Thisisthemonthofseptember,2014.

  • Be aware of pretext or suspicious phone calls or emails from people phishing for information or pretending to know you. Social engineering is a skill often used to trick you into divulging confidential information and continues to be an extremely effective method for criminals.

  • Advise family members to turn on security settings on ALL social media accounts. Family member associations are public information and family members can become online targets of opportunity.


Crumbs, Data Breadcrumbs →

April 23, 2015 by Marc Handelman in All is Information, Data Classification, Database Security, Data Security, Information Security, Data Driven Security

Litchfield's Oracle Data Redaction Is Broken →

April 10, 2015 by Marc Handelman in Oracle DBMS Security, DBMS Security, Information Security, Database Security, Data Security, All is Information

Download David's slides (PDF) here


NIST Announces New Internal Report Targeting Smart Metering →

March 13, 2015 by Marc Handelman in All is Information, Communications, Compute Infrastructure, Data Security, Electrical Engineering, Hardware Security, ICS/SCADA, Infrastructure, Information Security

The National Institute of Standards and Technology (NIST) has announced a new internal report detailing a framework targeting Smart Meter upgradeability (NIST Internal Report NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework). Authored by Michaela Iorga (a member of the Computer Security Division in the Information Technology Laboratory (ITL) at NIST) and Scott Shorter (of Electrosoft Services, Inc. in Reston, Virginia), the document is also available at the International DOI System under NIST.IR.7823.

I reckon the document's abstract sums it up quite nicely:

"As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance." - via NIST IR 7823

Meanwhile, you can also track, examine and attempt to contain your surprise at the latest recognized industrial control systems & supervisory control and data acquisition systems vulnerabilities from our colleagues at US-CERT, here.


Uber's Private DB Key On Public GitHub Page →

March 04, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Information Security, Governance, GRC, Encryption, Database Security, Data Security, Data Loss Prevention

Meanwhile, in Blatant Stupidity news, Ars Technica's Dan Goodin writes of the latest Uber misstep. This time, Uber stored an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a public GitHub page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY, within Uber's apparently crack IT department... Oops.
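
One check that catches this class of mistake before the push is to scan the files about to be committed for PEM private-key armour and refuse the commit on a hit. The script below is an added example, not Uber's or GitHub's tooling; the sample repository contents are constructed, every key body is a placeholder, and the set of header labels it recognises (RFC 7468 PEM labels, the OpenSSH format and PuTTY .ppk files) is an assumption about what a tree might contain.

```python
"""Pre-commit style scan for PEM private-key armour in files headed for a
repository. Added example, not Uber's or GitHub's tooling; the sample tree
below is constructed and every key body is a placeholder."""
import os
import re
import sys

# Header labels that mark private key material (assumed list: RFC 7468 PEM
# labels, the OpenSSH format and PuTTY .ppk files).
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"|^(?P<putty>PuTTY-User-Key-File-\d)",
    re.MULTILINE,
)

# Constructed sample repository: path -> file contents.
SAMPLE_REPO = {
    "config/settings.py": "DB_HOST = 'db.internal.example'\nDB_PORT = 5432\n",
    "deploy/db_backup.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "cat > /tmp/key <<'EOF'\n"
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "PLACEHOLDER\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
        "EOF\n"
    ),
    # A public key is safe to publish and must not be flagged.
    "docs/README.md": (
        "Host public key:\n"
        "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
    ),
}


def find_private_keys(text):
    """Return [(line_number, label), ...] for every private key header."""
    hits = []
    for m in PRIVATE_KEY_HEADER.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("label") or m.group("putty")))
    return hits


def scan_contents(files):
    """files: {path: text}. Returns {path: hits} for paths with findings."""
    report = {}
    for path, text in sorted(files.items()):
        hits = find_private_keys(text)
        if hits:
            report[path] = hits
    return report


def scan_tree(root):
    """Read every file under root (skipping .git) and scan it."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root)] = fh.read().decode("utf-8", "replace")
    return scan_contents(files)


if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_contents(SAMPLE_REPO)
    for path, hits in report.items():
        for line_no, label in hits:
            print(f"{path}:{line_no}: {label}")
    sys.exit(1 if report else 0)
```

Run with a directory argument to scan a working tree; the non-zero exit on any hit lets a pre-commit hook block the commit. With no argument it scans the constructed sample and reports the two private keys while leaving the public key in the README alone, which is the distinction the post suggests was lost.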
