Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11, you can check out their Training Schedule here. ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.
Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.
(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster
Whitepapers
There’s a recent (Winter 2009) presentation published by the Standford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from Phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.
(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits
Insider Threat
I either gotta love this… or get paranoid about this: Within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch on the machines. This was fortunately found by another employee within days of the firing.
(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?
Another recent example of an Insider Threat is of a former employee that still has access to the system, as this article reports, “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.”
Psychology/Social Engineering
There’s good insight as to the psychology involved when it comes to Information Security in this article from (CSO Online) Are You Addicted to Information Insecurity?
And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how Social Engineering can be used. Also in connection to social engineering, the FBI also warns of Money Mule Scams.
A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.
Readers of this blog might also want to check out What the Web knows about you. Its a 6 page article on what attackers may be able to find out about you online. If you’re in the US and is considering searching your SS number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.
Browser Security
CSO Online also did a an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in their release of version 3.06 of their browser.
Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.
New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend this kind of attack.
Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.
(Computerworld Blog) Security businesses move ahead in this economy
(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs
(Computerworld) Microsoft denies Windows 7 security feature contains bug
(Computerworld) Banks, customers feel the fallout of the Heartland breach
(Computerworld) Study: Data breaches continue to get more costly for businesses
(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns
InfoSec Philippines 