Encryption Is Not a Silver Bullet

Secure data being beamed across the Internet? Encrypt it. Protect data at rest from being accessed? Encrypt it. It seems like encryption is the answer to all of your security concerns. That’s true to an extent, but even encryption has its limitations.

Encryption is a perfectly viable solution for securing data, but it’s not invulnerable--especially for data at rest, like files stored on backup media. Today’s unbreakable algorithm is tomorrow’s cracked encryption.

The idea of encryption dates back centuries. At its core, it’s nothing more than replacing information with other data that makes it appear to be gibberish unless you have the key that helps you reverse the process (decrypt) so you can recover the original information.


Facebook 'Find Friends Nearby' Brings Privacy Concerns

Charles Ripley, BrandPost

It seems Facebook is preparing to roll out a new feature called “Find Friends Nearby”. The feature--which is designed to simplify the process of finding new friends and adding them to your social network--blurs the line a bit between the online social network and real life, and will probably draw the ire of privacy advocates.

First, a little about the feature itself--or at least what we think is known about the as yet unofficial feature. The name implies a feature that will alert you when one of the contacts from your Facebook social network happens to be nearby so you have an opportunity to meet up in real life. However, that isn’t really the way the feature works.

“Find Friends Nearby” isn’t about finding existing friends in your proximity, but rather for finding other “Find Friends Nearby” users in your proximity that might want to be friends. It’s a way to expand your social network by adding random strangers who are also interested in expanding their social network.


Attackers Exploit Unpatched Windows XML Flaw

Charles Ripley, BrandPost

Hopefully you’ve applied all of the updates and fixes from Microsoft’s Patch Tuesday by now. But, have you also implemented the workarounds Microsoft published? If not, your system could end up compromised.

While organizations and individuals were busy with the Patch Tuesday security bulletins, Microsoft also released an out-of-band security advisory for a flaw in Microsoft XML Core Services that can allow an attacker to gain control of a vulnerable system from across the Internet. The vulnerability affects all supported versions of Windows, and all supported versions of Office 2003 and Office 2007.

In the security advisory, Microsoft spells out some mitigating factors that may reduce the risk this vulnerability poses for a PC. The flaw can be exploited just by loading a malicious Web page, but there’s no way an attacker can force a user to do so. The attacker has to craft the malicious site, and then convince victims to visit the website somehow in order to compromise their systems.


Patch Now--Internet Explorer Flaw Under Attack

Charles Ripley, BrandPost

Have you applied Microsoft’s fixes and updates from the June Patch Tuesday yet? If not, you’re asking for trouble because a vulnerability that was already addressed by Microsoft is being actively exploited in the wild.

Microsoft security bulletin MS12-037 was this month’s cumulative update for Internet Explorer. It is rated as Critical, and addresses 14 separate vulnerabilities that affect every supported version of Internet Explorer in some way.

One vulnerability in particular is more urgent than the rest, though. There are multiple attacks circulating online that target CVE-2012-1875.


Why Convenience Is the Enemy of Security

Convenience or security: pick one. It’s actually not that cut and dried, but it is a sliding scale that requires finding the right balance between the two. Tools that make your life more convenient also tend to make it less secure. Technologies that make you more secure are also generally inconvenient.

Think about your house. It would be convenient if the door didn’t even exist and you could just walk in. But, you also want some privacy and you want to prevent roaming animals and random strangers from entering, so you have a door. Of course, other people can also open the door, so you have to go a step further and put a lock on the door. Now your home is more secure, but you have to unlock and open the door in order to enter.

That seems like an acceptable balance. It has been embraced as a societal norm, and nobody really stops to think or complain about the “inconvenience” of closing and locking the door. We haven’t yet achieved that sense of convenience / security equilibrium in the digital world.


How Do You Guard Against Unknown Threats?

Stuxnet was sort of like a shot heard ‘round the world when it comes to malware. It was the first attack which—for all intents and purposes—was developed with a specific strategic target and national defense objectives in mind. State-sponsored cyber warfare has been suspected for some time, but Stuxnet was the first real indication that it is actually going on.

Then came Duqu, followed by Flame. All three of these malware threats are related in some way, and appear to have similar origins. But, the one thing that seems to stand out for all three is that these threats have been out there circulating on the Internet for years undetected.

The initial assumption by many was that Stuxnet evolved into Duqu, which eventually became Flame. One theory was that once Stuxnet was discovered and reverse-engineered it gave other developers the tools they needed to build on the foundation to create new threats. But, researchers now believe that Flame and Stuxnet were originally developed in parallel, with Stuxnet actually employing a module from the Flame code. That was back in 2009.


Use Social Apps, But Be Careful

Charles Ripley, BrandPost

Social networks have changed the way people use the Internet, and opened up a whole new realm of opportunities to connect with family, friends, and others with similar interests. However, when you combine social networking with check-ins or location-aware features it can be risky.

Skout, an app devoted to finding people nearby to flirt with, has shut down access to minors following three separate reports of sexual assault. In all three cases—which occurred in three different states—male predators posed as teenagers to seek out victims through the social app.

Problems like this are not entirely uncommon, and certainly are not unique to Skout. Apps like Highlight and LocalMind also integrate social networks and location-aware functionality to connect you with people and events near you that might be of interest. Apps like these also have the potential to expose you to unnecessary risk.
