Friday, November 18, 2011 | FOX 8
Eston and his colleague, Matt Neely, counsel executives around the world on how to keep criminals from violating their corporate websites. The two consultants also specialize in smartphone security. “The bad guys are going to move on to somebody else if you just have a little bit of resistance,” Neely told Call For Action.

Thursday, November 10, 2011 | PenTest Magazine
This whitepaper presents background information about the Payment Card Industry’s (PCI) Payment Application Data Security Standard (PA-DSS), and discusses PA-DSS Validation by the Payment Application Qualified Security Assessor (PA-QSA). Strong PCI experience, forensics expertise, and technical writing skills are needed to perform PA-DSS Validation services for payment application software vendors.

Wednesday, November 09, 2011 | Dynamic CIO
You probably are familiar with the classic security assessments: internal and external penetration testing, security risk assessments, and PCI gap assessments. You may not be as familiar with, or even aware of, other assessments that may be just as valuable for strengthening your security program. Some of these less familiar assessments are new, the result of emerging technology and regulations, but others have been around for several years and just haven't gotten the attention they deserve.

Monday, November 07, 2011 | PenTest Magazine
Establishing strong policies and procedures for access to an iPad is absolutely critical to protecting sensitive information. Password enforcement is the front line of defense against unauthorized access, and can be configured and enforced over the air by using Microsoft Exchange. Additionally, there are secure methods to configure the device for an environment where specific settings, policies, and restrictions must be in place. These methods provide flexible options for establishing a standard level of protection for authorized users.

Wednesday, October 26, 2011 | CSO.com
In a February 2010 talk called "Social Zombies II: Your Friends Need More Brains," security practitioners Tom Eston, Kevin Johnson and Robin Wood explained how these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted fellow players, as is the case with a lot of online gaming.

Thursday, October 13, 2011 | ITWorld.com
If it were just that easy: The devil sitting on one shoulder and an angel perched on the other, each offering up his/her advice on security trends. Well, after you read this blog post, you will have all the information you require on the topic, and will not need any ethereal guidance. I’ve assembled two lists: one of security trends you’d do well to avoid, the other of security trends you’d be wise to embrace.

Thursday, October 13, 2011 | InfoSec Island
Avoid Becoming a Security Statistic – Prioritize PCI Goals and Know Your Threats
Over the last few months the Prioritized Approach for PCI DSS Version 2.0 and the Verizon 2011 Data Breach Investigations Report were released for our reading pleasure. I took a look at the correlation between actual breach statistics within Verizon’s report and the prioritized guidance for complying with PCI DSS requirements and found that it’s spot on.

Wednesday, October 12, 2011 | Pen Test Magazine
Security Company Reveals Security Issues with Apple’s OS X Lion Operating System
SecureState, an information security company, announces a new security issue with Apple’s OS X Lion operating system and its captive portal functionality. Members of the SecureState Profiling Team were instrumental in researching and revealing the attack

Friday, October 07, 2011 | ComputerWorld UK
Protecting your smartphone from malware: Which is the safest phone platform?

Friday, October 07, 2011 | CIO.com
As Spencer McIntyre of SecureState explains, there are unique differences and threats specific to each smartphone.

Friday, October 07, 2011 | PC World
These days, it is almost impossible to meet someone who doesn't own a cell phone. More specifically, whether it be the trendy iPhone, the corporate-favored BlackBerry, or modern Windows Mobile, almost everyone has joined the smartphone frenzy -- and with good reason. A smartphone offers more advanced computing ability and connectivity than a contemporary phone.

Friday, October 07, 2011 | DarkReading.com
DerbyCon's successful first year reminds us of what the security community is all about: sharing and learning from others, promoting new ideas, and advancing the art of security.

Thursday, October 06, 2011 | CSO Magazine
Which smartphone is the most secure? Not all mobile phone operating systems are created equal. As Spencer McIntyre of SecureState explains, there are unique differences and threats specific to each smartphone and, in the end, security is largely up to the user.

Tuesday, October 04, 2011 | InfoSec Island
Which is Easier to Find, The Holy Grail or a PA-DSS Implementation Guide?
I recently attended the PCI Community Meeting in Arizona. As both a QSA and PA-QSA, one of the things I find very interesting when talking to other certified QSAs and PA-QSAs is that issues are very consistent across the board.

Friday, September 30, 2011 | InfoSec Island
If it were just that easy: The devil sitting on one shoulder and an angel perched on the other, each offering up his/her advice on security trends. Well, after you read this blog post, you will have all the information you require on the topic, and will not need any ethereal guidance.

Thursday, September 29, 2011 | InfoSec Island
DerbyCon is almost here. With an all-star lineup, I anticipate that DerbyCon will truly live up to the hype. I want to take a moment to discuss a few talks that I am especially excited about.

Thursday, September 29, 2011 | InfoSec Island
The Browser Exploit Against SSL/TLS Tool, or BEAST, is a tool written by Thai Duong and Juliano Rizzo that exploits a 10-year-old flaw in SSL/TLS 1.0 and its use of cipher block chaining (CBC). Until now, exploiting the vulnerability was only thought of as theoretical.

Tuesday, September 13, 2011 | Green Sheet
We are all students in the payments industry. And Visa Inc. recently upped the ISO and merchant level salesperson (MLS) education ante by pushing the U.S. market to adopt Europay/MasterCard/Visa (EMV) contact and contactless chip technology. Visa stated this will "help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale." An EMV card uses a computer chip rather than a mag stripe for transaction authentication. ISOs now must quickly discern what EMV means, how it works, and when and where the technology should be installed.

Thursday, September 08, 2011 | PC Magazine
The Sept. 11 attacks brought new attention to cybersecurity. The experts weigh in on what we got right, what we got wrong, and what we missed entirely in the wake of 9/11.

Thursday, September 01, 2011 | InfoSec Island
Data Loss (or Leakage) Protection (DLP) has been a hot topic for a while now, and while as a concept DLP has a lot of merit, most organizations are not ready to implement it.

Sunday, August 28, 2011 | Varanoid.com
The LifeSize Room appliance contains an authentication bypass and an arbitrary code injection vulnerability because it fails to sanitize input from unauthenticated clients. According to LifeSize’s website, “LifeSize Room combines an immersive, high definition video experience with a rich set of features to deliver a powerful, flexible, and easy-to-use video communication solution.”

Sunday, August 28, 2011 | Security Focus
Discovered: 07-13-11
By: Spencer McIntyre (zeroSteiner), SecureState R&D Team, www.securestate.com
Background: Multiple vulnerabilities within the LifeSize Room appliance.
Vulnerability Summaries: Login page can be bypassed, granting administrative access to the web interface. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy.

Tuesday, August 23, 2011 | The Ruby Group
"We hired The Ruby Group as a trusted advisor about a year ago. Looking back on our time working together I have seen a significant amount of growth in how our sales team manages their time. One of the biggest challenges that we were facing was that our selling cycle was becoming too long. This meant we were wasting a lot of our salespeople’s time as well as our consultants’ time by bringing them into unqualified situations."

Tuesday, August 16, 2011 | CSO Magazine
What are the common indications that an organization's vulnerability management program is not functioning properly? Gary McCully of SecureState presents methods and suggestions for rooting them out and addressing the problems.

Monday, August 08, 2011 | TMCnet.com
In a press release, Rapid7 said that its senior security consultant and researcher, Joshua “Jabra” Abraham, has teamed up with Tom Eston of SecureState and Kevin Johnson of Secure Ideas. In a joint session at Black Hat USA 2011 and DEF CON 19, these industry veterans are going to jointly present their groundbreaking research on testing Web services. According to Rapid7, the trio is going to disclose a new Web services testing methodology and portfolio of open source testing tools. This development answers a longstanding industry need for clarification on Web services testing and stronger testing solutions, and will provide immediate relief for penetration testers, the sources at the company revealed.

Monday, June 06, 2011 | Networkworld.com
Most malware still targets the Microsoft platform, but Mac OS X has some security deficiencies, according to one expert. Although Mac users are more likely to experience virus-free computing than Windows PC owners, there is nothing inherently more secure about Apple's operating system, and in certain respects Mac OS X is more vulnerable than Windows, a security expert tells Network World. Chris Clymer, a consultant at SecureState, says the Mac's low market share still keeps it cleaner than Windows. But the recent "Mac Defender" attack illustrates the vulnerabilities in the platform, which is designed first and foremost for usability, rather than security.

Monday, May 02, 2011 | www.healthcareinfosecurity.com
Because so many healthcare information breaches stem from lost or stolen drives, including some that were kept in data centers, organizations are looking for ways to improve physical security. SecureState's Andrew Weidenhamer offers insights on physical security measures that can help prevent breaches.

Wednesday, January 12, 2011 | Columbus Dispatch
"People automatically trust that, if it's on Facebook, then it's probably secure and vetted by Facebook in some way," said Tom Eston, a senior consultant for SecureState, a security-management consulting firm. But even Facebook admits that keeping its customers safe is difficult.

Tuesday, January 11, 2011 | Accounting Today
"We have seen the legal profession secure their portals, but many accounting firms are lacking in technical security and protecting client data, storage, communications, and file sharing."

Friday, January 07, 2011 | ITWORLD
If you are in charge of IT and/or Security and you do not have that compliance and/or auditor twinkle in your eye, you might twinge each time someone says PCI, HIPAA, ISO, GLBA, SOX, or any other regulation or evil acronym that might be thrown your way.

Monday, January 03, 2011 | NationalCyberSecurity.com
Facebook is the latest hot spot for swindlers in search of new victims. And the world’s most popular social-networking website can be a gold mine for such crooks, experts say.