by Dave Michmerhuizen & Luis Chapetti – Security Researchers
Spammers and Phishers are constantly looking for ways to convince people to type in their passwords and press “Log In”. One of the newest strategies we’ve seen them use is specially crafted login pages that appear similar to those of websites that use the increasingly popular OpenID standard. An alarming number of spammers are tailoring their phishing messages to use this new template. OpenID is a way for websites to avoid having to create their own user accounts. Instead, they use authentication services offered by better known OpenID ‘providers’. You’ve very likely seen websites offering to allow you to log in using your Facebook or Google or Yahoo account.
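The look-alike pages described above share one tell: they imitate a provider's branding but collect the password themselves, so the form posts somewhere other than the provider's own login host. The following is an added example (not code from the original post or from its authors) of a heuristic that flags such forms. The provider-to-host mapping, the sample HTML and the page URLs are constructed assumptions for illustration.

```python
"""Heuristic check for look-alike federated/OpenID login pages.

Added example, not code from the original post. Given the HTML of a page
that presents itself as a Google/Yahoo/Facebook sign-in, it flags any form
that collects a password but posts it to a host outside the provider's
own domain. The provider hosts below are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed mapping of the brand a page claims to be -> legitimate login hosts.
PROVIDER_HOSTS = {
    "google": {"accounts.google.com"},
    "yahoo": {"login.yahoo.com"},
    "facebook": {"www.facebook.com", "facebook.com"},
}


class _FormScanner(HTMLParser):
    """Collects the action and password-field presence of every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_login_forms(page_url, html, claimed_provider):
    """Return resolved action URLs of password forms that do not post to a
    known host for `claimed_provider`. An empty list means nothing flagged."""
    scanner = _FormScanner()
    scanner.feed(html)
    allowed = PROVIDER_HOSTS[claimed_provider.lower()]
    flagged = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        # A relative or empty action posts back to the page's own host,
        # which is exactly what a credential-harvesting page does.
        target = urljoin(page_url, form["action"] or page_url)
        host = (urlparse(target).hostname or "").lower()
        if host not in allowed:
            flagged.append(target)
    return flagged


# Constructed sample: a page on an unrelated host that imitates a Google
# sign-in and posts the credentials to a script on that same host.
PHISH_HTML = """
<html><body>
<img src="google-logo.png"><h2>Sign in with your Google Account</h2>
<form method="post" action="/collect.php">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample of a form that posts to the provider's own host.
LEGIT_HTML = """
<form method="post" action="https://accounts.google.com/signin/v2/challenge">
  <input type="email" name="identifier">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    print(suspicious_login_forms("http://example-host.test/login.html", PHISH_HTML, "google"))
    print(suspicious_login_forms("https://accounts.google.com/signin", LEGIT_HTML, "google"))
```

The check is deliberately narrow: it does not try to decide whether a page "looks like" a provider, only whether a page claiming to be one sends the password somewhere else. A real OpenID relying party never receives the user's provider password at all, so any password form on a page that is not hosted by the provider is worth flagging.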
Daily Archive: May 4, 2012
Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Adobe released a critical patch for Flash Player addressing an object confusion vulnerability (CVE-2012-0779). If exploited, it could cause the application to crash and potentially allow an attacker to take control of the system. The security bulletin is posted here and the update can be downloaded here.
“You may recall the uproar a few weeks ago when the FBI seized a server used by activists to keep their information anonymized.
“The Health IT Policy Committee, a federal advisory panel, is making some recommendations for modifications in the privacy and security provisions in the proposed rules for Stage 2 of the HITECH Act electronic health record incentive program. For example, it wants more details included about the security of patient portals. The committee, in its formal comments on the rules, also plans to strongly endorse retaining in the final meaningful use rule a proposal to require participating hospitals and physicians to conduct a risk assessment that specifically addresses “the encryption/security of data at rest.” At its May 2 meeting, the committee went over a draft of a detailed matrix showing the major elements of the rules and comments on each….”
“The information security profession is a 'war for talent' today, says recruiter Kathy Lavinder.
“States worry as much about responding to the hazards presented by cybersecurity attacks as they do hurricanes. That's a key finding of a just-released report by the Federal Emergency Management Agency. Ten percent of the 56 states and territories surveyed by FEMA in its State Preparedness Report (SPR) last year cited cyberattacks as the threat or hazard that would most stress their existing response capabilities, the same percentage as hurricanes….”
“In January, ICS-CERT identified and responded to a cyber intrusion into a building Energy Management System (EMS) used to control heating and cooling for a state government facility. The incident and facility were identified by ICS-CERT after correlating a variety of information posted in open sources
“Consider this: If the number one job of a security professional is to place a developer’s code under a microscope and highlight each and every flaw, you can appreciate why there may be some tension. The majority of solutions used by security professionals to test developer code only offer assessments of what they did wrong
“There is a very active discussion going on in security circles about understanding adversaries and how that impacts security strategy. I have taken a contrarian position in this argument and have stated that, in the scheme of things, I do not believe that you need to waste time understanding your enemy.