Not good enough, Oracle – promises to secure Java are too little, too late

An interesting article from Naked Security: Oracle has promised to work harder to make Java more secure.
Given the constant flood of high-profile, heavily-exploited vulnerabilities, are Oracle’s new ideas going to be enough to save this piece of software from drowning in bad vibes?
In a lengthy blog post last week, the head of Java development, Nandini Ramani, summed up what’s been done to “address issues with the security-worthiness of Java”.

To read more click here:

Social Engineering: Tips for Protecting Yourself

In the world of information security, ‘social engineering’ is a term that describes a non-technical way of hacking that relies on the attacker collecting information in order to bypass normal security controls. It is the art of manipulating users into performing actions or divulging confidential information.

Hackers find social engineering tactics very useful because it is usually easier to exploit a user’s natural inclination to trust than it is to actually compromise a system. For example, it is much easier to fool someone into giving up their password than it is to try to crack that password.

SecurityOrb.com has provided a list of common tricks and ways to avoid them in the full article:

Read more at Examiner.com

GovSec – The SecurityOrb Show: Interview with Curtis KS Levinson about GovSec

Hear from Curtis about putting together the GovSec program, the panel presentation that he participated in at GovSec and other hot cybersecurity topics!

Check it out here.

APT Attacks Trace To India, Researcher Says

A posting from InformationWeek on APT attacks: A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany.

Those findings come from “Unveiling an Indian Cyberattack Infrastructure,” a new report from Norwegian security software vendor Norman that documents an APT campaign that began in 2010, if not earlier. According to the report, the APT campaign and related, malicious infrastructure has served “primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States.”

To read more click here:

3 Lessons From Layered Defense’s Missed Attacks

A posting from Dark Reading in its Vulnerability Management section:

Layering security measures typically protects systems better: research by three University of Michigan graduate students in 2008, for example, found that using multiple antivirus engines resulted in much better protection than using a single program.

Yet, recent analysis by NSS Labs highlights that layering security devices rarely catches all attacks, and the attacks that manage to dodge defenses do so with regularity. The analysis–a survey of the company’s past tests of next-generation firewalls, intrusion prevention systems, and endpoint protection software–found that the tested products tended to fail in similar ways. While two products always performed better together than individually, their combined performances varied tremendously.

Overall, the lesson is that companies need to carefully select technologies to derive the greatest benefits from overlapping security measures, says Stefan Frei, research director at NSS Labs and the author of the analysis.
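As an added illustration, not part of the Dark Reading article or of NSS Labs’ analysis, the Python below shows why products that “fail in similar ways” gain less from layering than a naive multiplication of block rates suggests. It runs a constructed set of 100 attack samples through three hypothetical products (the names “ngfw”, “ips” and “endpoint” and their miss sets are invented for the example) and compares each pair’s real layered block rate with what you would expect if their misses were statistically independent.

```python
from itertools import combinations

# Constructed data set: 100 attack samples numbered 0..99.
# The miss sets below are invented for illustration, not NSS Labs results.
N_ATTACKS = 100

# Attacks each (hypothetical) product fails to block. Every product misses
# 20 of 100, so each has an 80% block rate on its own.
MISSES = {
    "ngfw":     set(range(0, 20)),    # misses 0..19
    "ips":      set(range(10, 30)),   # misses 10..29: half overlap with ngfw's misses
    "endpoint": set(range(50, 70)),   # misses 50..69: no overlap with the other two
}


def block_rate(product, misses=MISSES, n=N_ATTACKS):
    """Fraction of attacks a single product blocks."""
    return 1 - len(misses[product]) / n


def combined_block_rate(products, misses=MISSES, n=N_ATTACKS):
    """Block rate of a layered stack: an attack gets through only if *every*
    product in the stack misses it, so the evasions are the intersection."""
    evasions = set.intersection(*(misses[p] for p in products))
    return 1 - len(evasions) / n


def independent_expectation(products, misses=MISSES, n=N_ATTACKS):
    """Block rate the stack would reach if the products' misses were
    statistically independent (the naive 'layers multiply' assumption)."""
    p_all_miss = 1.0
    for p in products:
        p_all_miss *= 1 - block_rate(p, misses, n)
    return 1 - p_all_miss


def miss_overlap(a, b, misses=MISSES):
    """Jaccard similarity of two products' miss sets: 0 = disjoint blind spots,
    1 = identical blind spots. High overlap means layering buys little."""
    return len(misses[a] & misses[b]) / len(misses[a] | misses[b])


def layering_report(misses=MISSES, n=N_ATTACKS):
    """For every pair of products, compare the actual layered block rate with
    the independence expectation. Returns a list of dicts for programmatic use."""
    rows = []
    for a, b in combinations(sorted(misses), 2):
        pair = (a, b)
        rows.append({
            "pair": pair,
            "overlap": miss_overlap(a, b, misses),
            "actual": combined_block_rate(pair, misses, n),
            "expected_if_independent": independent_expectation(pair, misses, n),
        })
    return rows


if __name__ == "__main__":
    for row in layering_report():
        a, b = row["pair"]
        print(f"{a:>8} + {b:<8} overlap={row['overlap']:.2f} "
              f"actual={row['actual']:.2%} "
              f"if-independent={row['expected_if_independent']:.2%}")
```

With these constructed numbers every pair is “expected” to block 96% under independence, but the pair whose miss sets overlap (ngfw + ips) only reaches 90%, while the pairs with disjoint blind spots block everything. The practical check before adding a second layer is therefore to run the same attack corpus through both products and measure the intersection of their misses, not just each product’s individual score.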

To read more click here: 

Gathering More Security Data From Your Endpoints

A posting from Dark Reading in its Endpoint Security section:

Even though many of the most troublesome and advanced threats hitting enterprise networks originate from the endpoint, most organizations today aren’t investing in the same kind of visibility and control over these devices as they spend on network-based controls. This disparity is leaving organizations with a huge blind spot where they need it most, experts say.

“We’ve seen this advancement in techniques for network-based detection, but we haven’t seen quite that much advancement on the endpoint,” says Scott Crawford, research director for Enterprise Management Associates. “And, yet, if you look at what the target is in most of these cases, the strategic target may be the users’ privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You’re going to focus on compromising endpoint functionality to gain visibility into the users’ activities and get access to their credentials.”

According to Crawford, enterprises are missing this to a large degree, with most organizations maintaining a huge dependence on legacy techniques, such as antivirus. Part of it is the scale and distribution of endpoints — it is much more difficult to deploy technology that will give centralized views of what’s happening across the endpoint infrastructure, compared to network visibility. But if organizations don’t try, they’re going to miss a lot of the threat detection picture.

To read more click here: