Privacy Concerns With Facebook’s iPhone App

I just wanted to give everyone a quick example of why you should always exercise caution when modifying an application’s privacy settings.

Facebook is rolling out a feature in the US that allows people to automatically identify and share things they’re listening to or watching. It’s important to keep in mind that leveraging this feature requires that you grant Facebook access to your iPhone’s microphone. This means that Facebook will turn on your microphone every time you write a status update. It is worth considering the sacrifice in privacy compared to the convenience that you gain by leveraging this feature. Is it really worth allowing an organization to hear your conversations just so you can gain the ability to easily share what TV show you’re watching?

Facebook has stated that they do not record or archive these transmissions. However, using this feature requires that you trust that a 3rd-party (Facebook) will handle your data appropriately. Do you really need to provide them with this data? Does it really save you that much time to have your background noise automatically analyzed? These are questions you should ask yourself prior to providing Facebook with this level of access.

Management Participation in the Infosec Program: A Must!

As a risk management guy, I’m often asked why I think information security programs fail or are less effective than they should be. There are certainly a number of answers to that question, but I think one of the main causes is lack of management participation in the program.

First, it should be recognized that these programs are driven from the top down. Upper management must demonstrate real interest in the infosec program to make it work. Right or wrong, people take all their main cues from upper management, and an apathetic CIO or CEO is a death knell for an infosec program.

Once you have achieved high-level buy-in, it is very important to ensure that mid and operational level management are also properly involved in the program. Managers on these levels need to demonstrate their interest in the infosec program just as upper management does. However, beyond that, these individuals should also be involved in the program in a much more direct way.

It isn’t enough that information security policies and procedures have been established and communicated to all appropriate personnel. There also need to be regular, documented processes in place for management oversight of the information security program. Managers sometimes tend to become complacent about the information security program; they don’t really demonstrate interest in it and don’t seem to check up much. And if managers become complacent about infosec, it is a safe bet that the personnel in their purview will as well.

Old School Google Hacking Still Works…

Did some old school Google hacking last night.

“Filetype:xls & terms” still finds too much bad stuff.

Check for it lately for your organization?

Try other file types too. (doc/ppt/pdf/rtf, etc.)

Information leakage happens today, as it always has. Keeping an eye on it should be a part of your security program.

Podcast Episode 9 Available

Check out Episode 9 of the State of Security Podcast, just released!

This episode runs around an hour and features a very personal interview with me in the hot seat and the mic under control of @AdamJLuck. We cover topics like security history, my career, what I think is on the horizon, what my greatest successes and failures have been. He even digs into what I do every day to keep going. Let me know what you think, and as always, thanks for listening!

Last Week in InfoSec

In case you weren’t able to catch up on the news last week, I’ve published some of the top Information Security stories that were identified by TigerTrax.

Have a great week!

—Adam

Next CMHSecLunch is Monday, November 9th

Just a heads up that the next CMHSecLunch is scheduled for Monday, November 9th at Tuttle Mall food court.

As always, the games begin at 11:30am and continue to around 1pm. Admission is FREE and everyone is welcome. Bring a friend!

Come by, hang out, have some food and great conversation. Talk about the threats and issues your team is facing and hear what others in the community have to say on the topic. It’s like hallway conversations at security conferences, without the travel, con-flu and noise.

Check it out and see you there! 

HoneyPoint Security Server Allows Easy, Scalable Deception & Detection

Want to easily build out a scalable, customizable, easily managed, distributed honey pot sensor array? You can do it in less than a couple of hours with our HoneyPoint Security Server platform.

This enterprise ready, mature & dependable solution has been in use around the world since 2006. For more than a decade, customers have been leveraging it to deceive, detect and respond to attackers in and around their networks. With “fake” implementations at the system, application, user and document levels, it is one of the most capable tool sets on the market. Running across multiple operating systems (Linux/Windows/OS X), and scattered throughout network and cloud environments, it provides incredible visibility not available anywhere else.

The centralized Console is designed for safe, effective, efficient and easy management of the data provided by the sensors. The Console also features simple integration with ticketing systems, SIEM and other data analytics/management tools.

If you’d like to take it for a spin in our cloud environment, or check out our localized, basic Personal Edition, give us a call, or drop us a line via info (at) microsolved (dot) com. Thanks for reading! 

Clients Finding New Ways to Leverage MSI Testing Labs

Just a reminder that MSI testing labs are seeing a LOT more usage lately. If you haven’t heard about some of the work we do in the labs, check it out here.

One of the ways that new clients are leveraging the labs is to have us mock up changes to their environments or new applications in HoneyPoint and publish them out to the web. We then monitor those fake implementations and measure the ways that attackers, malware and Internet background radiation interact with them.

The clients use these insights to identify areas to focus on in their security testing, risk management and monitoring. A few clients have even done A/B testing using this approach, looking for the differences in risk and threat exposures via different options for deployment or development.

Let us know if you would like to discuss such an approach. The labs are a quickly growing and very powerful part of the many services and capabilities that we offer our clients around the world! 

MachineTruth As a Validation of Segmentation/Enclaving

If you haven’t heard about our MachineTruth™ offering yet, check it out here. It is a fantastic way for organizations to perform offline asset discovery, network mapping and architecture reviews. We also are using it heavily in our work with ICS/SCADA organizations to segment/enclave their networks.

Recently, one of our clients approached us with some ideas about using MachineTruth to PROVE that they had segmented their network. They wanted to reduce the impacts of several pieces of compliance regulation (CIP/PCI/etc.) and be able to prove that they had successfully implemented segmentation to their auditors.

The project is moving forward and we have discussed this use case with several other organizations to date. If you would like to talk with us about it, and learn more about MachineTruth and our new bleeding edge capabilities, give us a call at 614-351-1237 or drop us a line via info <at> microsolved <dot> com.  

CMHSecLunch is Monday Oct 12

Remember: #CMHSecLunch is tomorrow. 11:30, Polaris.

Come out and hang with some of your friends. This free form event is open to the public and often includes hacking stuff, lock picking, deep technical discussions, projects, etc.

Check it out at the link below & bring a friend!  

http://cmhseclunch.eventbrite.com