Have you unknowingly purchased a fake antivirus from a cyberswindler? Getting rid of it is not an easy feat! Here is an article (in French) that was published in Protégez-Vous magazine’s October issue to help you resolve this problem.
The PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 change highlights, as a preview of the new version of the standards coming in November 2013.
The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.
The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning.
A quick word about our Network and Systems Monitoring service: NSM’s PCI option will take into account all changes in the new version of the standard and therefore will continue to ensure that your compliance requirements are met. If you have any questions, please contact Virtual Guardian at 450-933-7774 or by email at firstname.lastname@example.org.
It’s a well documented fact that humans are often the weak link in the quest for the perfect information security posture. Rémy Baccino, IT security analyst for Virtual Guardian, has studied this phenomenon and published his observations in the following article titled “La psyché humaine comme première faille de sécurité” (French article). You may reach the author by phone at 450-933-7774 or by email at email@example.com.
The original article was written in French only. For information about this article in English, please feel free to contact its author, Mr. Marc Seguin, who is Virtual Guardian’s resident specialist in IT forensic investigations. Mr. Seguin holds the GIAC Certified Forensics Analyst and CCNA certifications. He can be reached at firstname.lastname@example.org.
Since 2003, application security researchers and experts from all over the world at the Open Web Application Security Project (OWASP) have carefully monitored the state of web application security and produced an awareness document that is acknowledged and relied on by organizations worldwide.
OWASP has released its 2013 top 10 list of risks associated with the use of web applications in an enterprise, and they are as follows:
2) Broken Authentication and Session Management
3) Cross-Site Scripting (XSS)
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross-Site Request Forgery (CSRF)
9) Using Known Vulnerable Components
10) Unvalidated Redirects and Forwards
For additional explanations about the risks, example attack scenarios, mitigation and prevention techniques, tips for developers, and to compare the new list with the previous one released in 2010, download the full report.
Only 36% of small firms apply security patches. No wonder cybercrooks are stealing their cash
Small businesses are under constant attack from malware, scams and online fraud. They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.
This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.
The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves. Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always give some off-the-wall results. This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.
For the full article, click here.
Laval (Quebec), January 23rd, 2013. Virtual Guardian Inc, a company specializing in IT security, is proud to announce that it is celebrating its 10th anniversary this January. Here are some company highlights:
• January 2003: Patrick Boucher founds Virtual Guardian Inc.
• December 2008: The company reaches $1M in sales for the first time in its history.
• April 2009: Virtual Guardian is the first IT security company in Canada to receive the prestigious ISO 27001 certification.
• April 2010: The company is expanding. Its head office moves from a 600 square foot office to a 3000 square foot business condo on de l’Avenir boulevard in Laval, near the new Montmorency metro station.
• May 2010: Virtual Guardian’s 24/7 Security Monitoring service is launched.
• January 2013: Virtual Guardian celebrates its 10th anniversary.
To read the official press release, click here (french version only).
The article below explains why and how smaller companies are not immune to hackers and data loss. If you operate a small or medium business and have concerns about information security, contact Virtual Guardian today. We have custom-made packages with prices tailored to fit tighter budgets.
It’s become fashionable to assume that all cybercriminality these days is about money. In other words, attacks that aren’t likely to be worth anything aren’t likely.
It’s also fashionable to assume that the attackers are increasingly and exclusively after rich and fruitful targets, such as multinationals and governments. In other words, if you’re a little guy, you’re off the radar and can stay safe online simply by keeping your head down. Sure, cracking into systems just for the fun of it – the lulz – was briefly popular a couple of years ago, thanks to the appositely-named Lulzsec crew, but a bunch of arrests seemed to put paid to all of that. But those arrests didn’t stamp out cracking for the sake of it. There’s still plenty of gratuitous, “because it’s there” digital break-and-enter going on.
Even if you run a tiny website and don’t have much to hide, you (and your customers) are nevertheless at risk from criminals, like the appositely named @JokerCracker, who openly gives his reason for hacking as, “It’s just a personal challenge.” JokerCracker has announced a number of hack-and-reveals over the past few days. That’s where he digs around on your website for holes, probably using automated tools to find what software you’re running, and what vulnerabilities he can most easily exploit.
Once he knows a likely way of tricking your webserver into dumping one or more of its databases, instead of simply answering one of your pre-arranged queries, he’ll extract what he can, and upload anything that looks like Personally Identifiable Information (PII) to a public drop site, where data-theft voyeurs can grab it at will. The final step is a tweet to let the world know. A sad example over the weekend was his hack of a boutique Australian babycare site. He only made off with about 900 records, perhaps because that’s the whole database collected by the site owner. (Only email, screen name and passwords were leaked. Your full name, your child’s name and birthday, requested on signup, didn’t appear in the dump. That’s a small mercy, I suppose.)
The passwords, as you may have guessed already, weren’t hashed or obscured at all. They were all stored in plain text.
- If you are a user of a website that gets hacked this way, and you shared your password with any other sites, change those passwords immediately, and stop re-using passwords.
- If you’re the owner of a website that gets hacked this way, consider publishing a warning on your main page and alerting your users.
- If you’re the operator of any sort of web site or similar online property, don’t keep plaintext passwords.
- If you think a site is storing plaintext passwords, consider withdrawing from it until it stops doing so.
Note that the last point implies that you can easily tell whether a site is doing the right thing with your passwords.
Fortunately, many sites publish, or will tell you if you ask, how they deal with password storage and reset. But others won’t, and often that’s because they know they have bad news, or don’t even realise the importance of the question. In that case, you may be able to find out simply by trying a password reset. If you get back a password reset link, they probably haven’t been storing your password in plaintext. But if you get your old password back in an email, then clearly the site must have been storing it.
Babycare Advice, for what it’s worth, doubles up on its insecure behaviour because it doesn’t use HTTPS during its login phase; worse still, it doesn’t even use HTTP “challenge-response” password verification, which at least prevents your password going out unencrypted. Your password is there, in the clear, waiting to be sniffed.
Web site users, be vigilant. If you think a site is not treating your PII with the respect it deserves, even for so-called casual or throwaway logins, then consider working, shopping or playing somewhere else. Web site operators, don’t be happy with the security standards of ten, five or even two years ago. Show that you care about PII and help to build and maintain the trust of your customers.
Source: Paul Ducklin, January 21st 2013, Naked Security
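As an added illustration of the two behaviours the article above contrasts (this is example code written for this page, not code from the article, from Naked Security or from any site it names): a hypothetical plaintext user store next to a hardened one that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest from Python’s standard library, and that answers a reset request with a single-use, expiring token instead of mailing the old password back. The class names, the constructed sample account and the 15-minute token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


class PlaintextStore:
    """The weak pattern from the article: the site keeps the password itself,
    so a dumped user table leaks every credential, and a 'reset' can simply
    mail the old password back (the tell-tale sign the article describes)."""

    def __init__(self):
        self.users = {}  # email -> password (hypothetical table layout)

    def register(self, email, password):
        self.users[email] = password

    def verify(self, email, password):
        return self.users.get(email) == password

    def recover(self, email):
        # Returns the stored password: only possible because it was never hashed.
        return self.users.get(email)


class HashedStore:
    """Hardened form: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    A dump yields no passwords, and the site *cannot* email one back, so a
    reset must go through a random, single-use, expiring token."""

    ITERATIONS = 600_000          # assumed work factor for PBKDF2-SHA256
    TOKEN_TTL = 15 * 60           # assumed token lifetime, in seconds

    def __init__(self):
        self.users = {}           # email -> (salt, digest)
        self.reset_tokens = {}    # token -> (email, expiry timestamp)

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, cls.ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, self._derive(password, salt))

    def verify(self, email, password):
        record = self.users.get(email)
        if record is None:
            # Do the same work for unknown accounts so timing does not reveal
            # whether the email exists.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def request_reset(self, email, now=None):
        """Issue a one-time token to send as a reset link; returns None for an
        unknown account (the caller should respond identically either way)."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, now + self.TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (valid once, and only before expiry) and replace
        the stored salt and digest."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(token, None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.register(email, new_password)
        return True


def dump_leaks_password(store, email, password):
    """What someone who dumps the user table learns: True if the stored record
    literally contains the password, as in the plaintext store."""
    record = store.users[email]
    if isinstance(record, str):
        return record == password
    salt, digest = record
    return password.encode("utf-8") in salt + digest


if __name__ == "__main__":
    # Constructed sample account, not real data.
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("parent@example.invalid", "correct horse")
    print("plaintext store leaks password:", dump_leaks_password(weak, "parent@example.invalid", "correct horse"))
    print("hashed store leaks password:   ", dump_leaks_password(strong, "parent@example.invalid", "correct horse"))
    print("hashed store can recover it:   ", hasattr(strong, "recover"))
```

The PBKDF2 work factor makes each verification deliberately slow (a few hundred milliseconds), which is the point: it bounds how fast a leaked digest can be guessed at. The reset token is popped on first use, so a link that has been used, or one that has expired, fails the same way as a forged one.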
An article about the ins and outs of being an IT security specialist was published in La Presse today. The interview was conducted by Émilie Laperrière, who interviewed company President Patrick Boucher. To read the article (French only), please click here.
Did you know that the SANS Institute publishes a free, monthly security awareness newsletter? This newsletter, called “OUCH!”, gives readers a bunch of useful tips and tricks to help them reach a better IT security posture. The topic of this month’s issue is a well known classic: how to secure your computer. You’ll find the newsletter (PDF format), called “Seven steps to a secure computer”, in the DOCUMENTS page of this website. Enjoy!