Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Comodo Takes Security Seriously... Wait, What?

October 04, 2019 by Marc Handelman in Security Incompetence, Security Heal Thyself, Security Failure, Information Insecurity

via Zach Whittaker, writing at TechCrunch, comes this interesting piece, describing a 'cybersecurity' company's (in this case Comodo) abject failure to protect its own web presence from a recently reported, and already vendor-fixed, flaw. A nearly perfect example of why security companies are generally distrusted (at least around here...).

Oh, and the ostensible cause? The widely reported vBulletin flaw (now fixed). However, the true cause was (and I assert still must be) gross incompetence displayed by Comodo, and this is certainly not the first time this company has appeared to be swimming in the murky sea of questionable practices and behaviors indicative of criminality.


Latest Data Loss Outrage

May 01, 2019 by Marc Handelman in Database Security, Information Security, Security Failure

Chris Morris, writing at Fortune, harshes my mid-week mellow with a report on the latest data loss outrage. Bad news for oldsters, given that (reportedly) the database contains data on people 40 years old and older. h/t

"Among the data included on the 24 GB database is people’s full names, full street addresses, marital status, date of birth, income bracket, home ownership status and more. (Information such as income, dwelling type and gender is coded.)..." "Ran Locar and Noam Rotem of VPNMentor discovered the database and say they believe it is the first time a breach of this size has included such detailed information." Chris Morris, writing for Fortune, files a well-crafted report detailing this data loss.


via the exacting observational skills of Daniel Stori at Turnoff.us!

Daniel Stori's 'Meltdown and Spectre Impacts' →

January 23, 2018 by Marc Handelman in Security Humor, Security Flaws, Security Failure, Sarcasm, Satire

via the exacting observational skills of Daniel Stori at Turnoff.us!

Daniel Stori's 'Intel Bug' →

January 21, 2018 by Marc Handelman in Satire, Sarcasm, Security Failure, Security Heal Thyself, Security Humor

Securosis Firestarter: Mike Rothman and Rich Mogull's Breacheriffic EquiFail →

December 18, 2017 by Marc Handelman in Security Flaws, Security Failure, Security Operations

Certainly the most erudite discussion I've found in the secops space; in which, Messrs. Rothman and Mogull discuss recent operational failures from a security operations perspective. Enjoy!


Node Package Manager, Tribulátio, In Paradiso

August 23, 2017 by Marc Handelman in Attacks, Attack Analysis, Security Development, Security Failure, Security Flaws, Information Security, Infosec Competence

Well, it looks like there is a bit of bother at npm, what with the security failures of recent import. Read Adam Shostack's well-crafted piece detailing what's broken and what to do about it (the fix being fairly obvious once you read his thoughtful post). Enjoy.

"In June, security researcher ChALkeR explained how he "obtained direct publish access to 14% of npm packages (including popular ones). The estimated number of packages potentially reachable through dependency chains is 54%." Then, there was a typo-squatting attack that went undetected for two weeks. And just a few days ago, Ivan Akulov reported on malicious packages in npm." - via Adam Shostack, writing at IANS


Webroot, The Latest SNAFU →

April 25, 2017 by Marc Handelman in All is Information, Security Failure, Information Security, Governance, Security Governance, Security Heal Thyself, Security Testing, Vulnerabilities, Vulnerability Research

Iain Thomson, writing at El Reg, reports on Webroot's latest SNAFU. I'll leave it to his illustrative prose to tell the tale.


Self-Healing Endpoint

March 21, 2017 by Marc Handelman in All is Information, Blatant Stupidity, Information Security, Right to Privacy, Security Failure, Security Governance, Security Heal Thyself, Security Opinion, Demise of Privacy

Apparently, this product is now embedded in a wide range of devices (from Apple Inc. to Dell Computers and more). I do architect and advise end-point security efforts in my work (agnostic as I am, I do not recommend individual products), but certainly not a product embedded in BIOS or EFI. Could it be rightly called 'The Self-Healing Endpoint of Privacy'? Has a meme been created? You be the judge. Me? I'm going back to paper and pencil, air-gapped (of course; dammit, air-gaps are no guarantee of secure platforms either...). What to do. Tip o' the Hat.


US National Counterintelligence and Security Center, 'Not Our Job'

September 21, 2015 by Marc Handelman in All is Information, Information Security, Security Failure, Placement of Blame

Writing at The Guardian, Sam Thielman reports on statements made in response to questions asked. Read it and weep.


House of Drafts →

June 04, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Information Security, Security Failure

via AlienVault's Russ Spitler comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time, evidenced and bolstered by empirical research, the AlienVault researchers discovered that "there is a good chunk of the EC2 users who left their front door open".

I am fascinated by AlienVault's findings; consider for a moment that the issues are customer-based, within their respective virtual environs, and the scenario boggles the mind.

Then, there are the recently published Amazon Web Services SOC 1, 2 and 3 Reports (acronym definition: SOC, Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact; the SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germane to the AlienVault research, as it encompasses the standard information security tenets of Integrity, Availability, Security and Confidentiality, of which many customers of the AWS EC2 product are apparently blissfully unaware (at least those that are running the offending listeners).


Over One Billion Served →

February 17, 2015 by Marc Handelman in All is Information, Cybernetic Crime, Data Security, Database Security, Financial Security, Information Security, Must Read, Network Security, Security Failure, Security Governance, Bank Security, Social Engineering, Behavioral Security, APT, Persistent Threats, Moles

Surprised by the largest heist in history? Concerned about the Carbanak APT? Clearly, proof positive that advanced persistent threats are deeply evil, and highly efficient when coupled with other complementary and stealth-like methodologies (aka Hiding in Plain Sight). Read on...


Highly Sensitive →

January 30, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Data Security, Enterprise Management, Information Security, Security Failure

GitRob, or How You Too Can Scan GitHub for Sensitive Files.



Defectum Securitas →

January 06, 2015 by Marc Handelman in All is Information, Common Sense, Data Security, Database Security, Financial Security, Information Security, Security Failure, Network Security

via VentureBeat's Evan Schuman comes the sorry tale of enterprise security failures and, importantly, the continued failures of both security implementation and deployment in last year's high-profile retail security snafus [e.g. Target's gargantuan credit and debit card breach]. Astonishing...


Trust, Lack Thereof... →

December 29, 2014 by Marc Handelman in All is Information, Blatant Stupidity, Crime, Malware, Network Security, Racketeering, Sarcasm, Security Governance, Web Security, Security Failure

Information is Beautiful has created a diagrammatic tour de force, charting the litany of questionable security competence within the compromised companies for like-minded information security architects, engineers and researchers.

Read it and weep my friends...
