Roer.com

Information security made available to all!

Interim Market Report - July 2010

Wed, 08/11/2010 - 12:32

Barclay Simpson Market Report 2010

Midway through 2010 the recovery in the corporate governance recruitment market that was evident at the start of the year is now firmly established. As recruitment consultants we have been genuinely surprised at the strength of the recovery. The recovery is focused on the financial sector and is a result of both renewed growth in the sector and greater regulatory oversight. Investment in corporate governance has clearly become a priority.

Following on from our annual report in January, Barclay Simpson has not only produced Market Reports for the Internal Audit, Compliance, Risk Management, Information Security and the Legal recruitment markets, we have also produced a Corporate Governance Market Report providing an overview of the entire market.

The reports can be read or downloaded free of charge at http://www.barclaysimpson.com/interim-market-report/

Categories: My Blogs!

News: Cloud based hack army!

Fri, 07/23/2010 - 16:08

Imperva uncovered a new, automated, cloud-based phishing kit. Our Application Defense Center found this kit on a hacker forum.

Unlike previous phishing kits that have been available for years, this new approach lives in the cloud and relies on hackers exploiting other hackers. And with the new cloud-based approach the infrastructure for this phishing kit never goes away. Why? In traditional schemes when you take down a server you take down not only the web page but also the back end data collection capability. In this cloud version, data collection is hosted separately from the phishing web sites, which means hackers only need to repost the web front end in a new location to be back in business. (It's like whack-a-mole.)

Also, and perhaps what's more interesting, this attack highlights that there’s no honor among thieves.  Two master hackers wrote and then posted a phishing kit into hacker forums.  The irony is that anyone using this kit becomes an unknowing member of the master hacker’s army.  When hackers use this kit and deploy a successful phishing campaign, all the stolen credentials and information goes straight back to the master hacker without the proxy hacker’s knowledge.  It’s very clever.  The master hacker never needs to conduct a campaign to see financial gain.


News: Dell Infected!?

Fri, 07/23/2010 - 15:56

Dell said human error was to blame for mistakes which led it to ship a number of replacement server motherboards to customers pre-loaded with spyware.

The company declined to say whether it was running anti-virus software at its factory but said it had taken 16 steps to improve processes.

The infection hit replacement PowerEdge 310, 410, 510 and T410 boards. The direct seller said less than one per cent of boards were affected and complete new server systems were quite safe.

Dell is still not admitting how the W32.Spybot worm got into its systems and onto its hardware.

A Dell spokesman said the problem was worldwide but all infected motherboards had now been removed from the supply chain and it was already shipping clean boards.


News: Facebook privacy update

Thu, 07/01/2010 - 13:08

Facebook has revamped the way its users share information with third-party applications and Web sites in an effort to make the process easier, the company said Wednesday.

With the changes, a new permissions box will pop up whenever a Facebook user installs a new application or first logs into an external Web site through their Facebook account, wrote Bret Taylor, the social-networking site's CTO, in a blog post.

About 550,000 applications work within Facebook and about 1 million Web sites are integrated with the site, Facebook said.

"In order for these applications and Web sites to provide social and customized experiences, they need to know a little bit about you," Taylor wrote. "We understand, however, that it's important you also have control over what you're sharing."

With the new authorization process, applications will have access to the public parts of Facebook users' profiles by default. To access the private parts of profiles, the applications will have to ask for permission, Taylor said.


News: XP 0-day attack (again!!)

Thu, 07/01/2010 - 13:04

Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug.

Microsoft reported Wednesday that it has now logged more than 10,000 attacks. "At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged," Microsoft said in a blog posting.

"Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up."

The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.

PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks, Microsoft said.

Security vendor Symantec said these attacks peaked late last week. "Symantec has seen increased activity around this vulnerability. The increased activity started around June 21 and peaked around June 26 and 27," a company spokesman said on Wednesday. Attacks have leveled out since then, he added.

 


News: Google (encrypted) & Schools

Tue, 06/29/2010 - 16:10

Google's encrypted search engine, launched in May, has moved to a new Web address that isn't as convenient as its original one but that gives organizations the option to block the site for their users without locking them out of other Google services.

Originally offered at google.com, the encrypted search engine has been relocated to encrypted.google.com, a move prompted primarily by the requirement of schools and universities to block encrypted search engines for their students.

Educational institutions often ban encrypted search engines because students can use them to bypass the Web content filters of their schools and universities.

However, blocking google.com also interferes with other encrypted Google products, like the hosted Apps communication and collaboration suite, which many educational institutions offer for their staff and students.


News: Rise of Kraken

Tue, 06/29/2010 - 16:05

The Kraken botnet, believed by many to be the single biggest zombie network until it was dismantled last year, is staging a comeback that has claimed almost 320,000 PCs, a security researcher said.

Since April, this son-of-Kraken botnet has infected an estimated 318,058 machines - about half as big as the original Kraken was at its height in the middle of 2008, according to Paul Royal, a research scientist at the Georgia Tech Information Security Center.

Like its predecessor, the new botnet is a prodigious generator of spam, with a single machine with average bandwidth able to send more than 600,000 junk mails per day.

Curiously, the malware spawning the new zombie network is being spread by a separate botnet that uses the Butterfly framework, a for-hire software kit for infecting Windows PCs. The collaboration between operators of the two networks is generating some head-scratching among researchers.


News: IE6 better than Chrome!

Tue, 06/29/2010 - 15:59

Microsoft's creaking Internet Explorer 6 is more secure and popular than either Google's Chrome or Opera, US banking giant Chase has determined.

The bank has therefore decided its online banking services will continue to support the aging IE 6 but drop support for Chrome and Opera.

IE 6 is nine years old and even Microsoft is now desperately speaking out against the browser, to get individuals and businesses to move on to IE 8.

Microsoft's Australian business unit recently equated using IE 6 to being as risky as drinking - or maybe, eating - a carton of nine-year-old milk, as it lacks up-to-date cross-site scripting and anti-malware protection among other defenses.

Chase has said it will support later versions of Microsoft's browser, such as IE 8, which do offer greater protection. Also making the cut are Mozilla's Firefox 2.0 and higher and version 3.0 and higher of Apple's Safari on the Mac - but not the PC.


Review: BlackBerry ER application

Mon, 06/28/2010 - 19:59

The Software

Blackberry ER an application by PocketMac was primarily designed to locate a stolen BlackBerry handset. The application is designed to send a text message to the registered phone number in case the SIM is changed. It goes a step further by including the GPS location in the text.

The owner may use this information and with the help of local authorities, recover his stolen Blackberry.

The Test

1) Installed the ER application via link provided.

2) Setup the software password, registered another mobile number to send alert in case the SIM is changed.

3) Removed the “registered” SIM from the device to check for the security features of the software.

4) Inserted five different SIM cards (Vodafone UK, Vodafone IN, Nomi Mobile, Lyca Mobile, TalkTalk), the phone was working OK. (Test was done in worst possible condition i.e. with NONE of the SIM having credit/internet access.)

5) Using the “Unregistered” SIM cards I was able to easily DELETE the ER application and reboot the phone without any issues.

6) Even after inserting my “Registered” SIM card I was unable to check for such a mis-use/deletion of the application.


Conclusion & Recommendations:


1) The application failed to detect the deletion by an unregistered SIM which was quite surprising. Even after deletion it provided no information to the registered SIM owner about such a misuse even if the owner re-uses the device by inserting his registered SIM card.

2) The application is not fail-safe and can be easily tricked by a determined person. It can be seen that if one uses a SIM card with no credit/net access, he/she can easily use the phone before flashing the entire device to remove any chances of detection at all.

3) Running the application without being visible would be a great add-on. An average user can easily check the applications folder and see which applications are installed on the device. Even if the application does send the location in a text message, it is a possibility that the thief would find out about ER and dump the Blackberry somewhere else.

4) A notification to the owner after a device is misused using any SIM card, in any condition, would be a great feature. It would also be nice to include a log of all the SIM changes that have taken place in the device and their IMSI numbers. It might be useful in case someone tries to use the device for a moment while the owner is away.
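As an added illustration of recommendations 1, 2 and 4 (not code from PocketMac or the ER application; a platform-independent Python model with constructed IMSIs and phone numbers and no real BlackBerry API), the following records every SIM change with its IMSI, holds the alert when the inserted SIM cannot send, replays all held alerts once the registered SIM returns, and detects a gap in its own log:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SimEvent:
    seq: int                  # monotonic counter; a gap means a record was removed
    imsi: str
    registered: bool
    location: Optional[str]   # last GPS fix, as ER includes in its SMS; None if unknown
    reported: bool = False    # set once the alert has actually reached the owner


@dataclass
class SimMonitor:
    """Tracks SIM changes so misuse is logged and eventually reported to the owner."""
    registered_imsi: str
    owner_number: str
    log: List[SimEvent] = field(default_factory=list)
    pending: List[SimEvent] = field(default_factory=list)  # alerts not yet delivered

    def sim_inserted(self, imsi: str, can_send: bool,
                     location: Optional[str] = None) -> List[str]:
        """Record a SIM insertion; return the alert texts delivered right now."""
        ev = SimEvent(len(self.log) + 1, imsi, imsi == self.registered_imsi, location)
        self.log.append(ev)
        if not ev.registered:
            self.pending.append(ev)   # never drop it just because this SIM has no credit
        delivered = []
        if can_send or ev.registered:
            # This SIM can text owner_number, or the owner holds the handset again:
            # everything queued is sent/shown now.
            for old in self.pending:
                old.reported = True
                delivered.append(self._alert(old))
            self.pending.clear()
        return delivered

    def _alert(self, ev: SimEvent) -> str:
        where = ev.location or "unknown"
        return f"to {self.owner_number}: SIM change #{ev.seq}, IMSI {ev.imsi}, location {where}"

    def unreported_misuse(self) -> List[SimEvent]:
        """Unregistered-SIM events the owner has not been told about yet."""
        return [e for e in self.log if not e.registered and not e.reported]

    def log_intact(self) -> bool:
        """True when sequence numbers are contiguous, i.e. nothing was deleted."""
        return [e.seq for e in self.log] == list(range(1, len(self.log) + 1))


def review_scenario() -> dict:
    """Replays the review's steps 3-6 with constructed IMSIs (not real subscribers)."""
    m = SimMonitor(registered_imsi="234150000000001", owner_number="+44 7700 900123")
    thief_sims = ["234150000000002", "234150000000003", "234150000000004",
                  "234100000000005", "234200000000006"]   # constructed, none with credit
    sent_while_stolen = [m.sim_inserted(s, can_send=False) for s in thief_sims]
    unreported_before = len(m.unreported_misuse())
    shown_to_owner = m.sim_inserted("234150000000001", can_send=True, location="51.5,-0.12")
    return {
        "sent_while_stolen": sum(len(x) for x in sent_while_stolen),  # 0: no SMS possible
        "unreported_before": unreported_before,                        # 5 events logged
        "shown_to_owner": shown_to_owner,                              # replayed on return
        "unreported_after": len(m.unreported_misuse()),
        "log_intact": m.log_intact(),
    }
```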

 


News: Comodo says VeriSign is Unsafe!!

Mon, 06/28/2010 - 10:43

VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.

According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages such as those here and here needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations' security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.



News: Security, Do I Care??!!

Mon, 06/28/2010 - 10:37

I once read a book that said, among other things, “You can never truly give money away.” The point it was making was that the act of giving has a certain responsibility – if you hand a large wad of cash to a charity, for example, you will want to know that the money is being spent wisely.

A good theory perhaps, but it doesn’t fit very well with the golden rule of IT security – that the things we dislike, or don’t know how to deal with, can quickly be categorised as somebody else’s problem. In business as in daily life, people will – in principle – pay to have certain problems dealt with by others, with a flick of the hand and a cry of “make it go away”.

Just how much does this principle apply in security today? Well, like all good researchers, we thought we would ask the Reg audience in the form of a mini-poll.

The first question we asked in our most recent poll was: "Exactly who is involved in security decisions?" We asked questions around general security and information security, and the results came out much the same. As you can see from Figure 1, it certainly isn’t the case that the business leaves IT to just get on with it.



News: Frustrated White-Hats!!

Thu, 06/24/2010 - 15:54

Security research teams monitoring the relative strength and activity of some of the world's largest botnets are confined by legal restraints, making them virtually powerless to stop them, according to a researcher at Kaspersky Lab Japan.

The botnet ecosystem is flourishing as a result of ineffective measures being undertaken by security researchers to get them shut down, Vitaly Kamluk, chief security expert at Kaspersky, told hundreds of incident response team members, Wednesday, at the Forum of Incident Response and Security Teams (FIRST) Conference 2010. Kamluk painted a bleak picture of the rising sophistication of botnets and the underground business environment that fuels them.

"We have to do more and more on the technical side," Kamluk said. "We have to introduce more technical solutions to break the loop and destroy the infrastructures that make the malware usable."

Kamluk explained how cybercriminals have undertaken measures to oversee deal making between the botnet owners and the users who are renting them out. A guarantor or mediator, who typically is the owner of an established Web forum for cybercriminal activity, oversees deals and gets a cut of the action. The goal is to build a level of trust between the two and rule out cheaters who don't pay for the botnet services, he said.

"Guarantors kind of have respect and a profile," Kamluk said. "They're more trusted than a newly registered person on the forum and they provide the reliability of the deal."



News: Encrypting Employees?!

Thu, 06/24/2010 - 15:30

According to Goode Intelligence's Mobile Security Survey (Part Three), 40 percent of organisations are planning to deploy mobile phone data encryption. Of these organisations, one hundred percent plan to include encryption on employees’ mobile phones from September 2010 onwards.

This survey, carried out in partnership with Acumin Consulting, is the most comprehensive vendor-independent survey on mobile phone security to date and provides a snapshot of the state of mobile security within organisations across the globe.

“The threat of data loss from a mobile phone is still relatively low but with the rising adoption of data-centric applications on smartphones, including enterprise applications and financial services, we feel that the threat will rise from the second-half of 2010 onwards” said Alan Goode, Managing Director, Goode Intelligence.

“Research for the new GI Analyst Report on Smartphone Security has discovered that enterprises still do not feel that the threat to company data stored on mobile phones is high enough to warrant protection in the same manner that a laptop or a USB memory stick is. Only 33 percent of organisations polled are protecting their mobile phones with encryption products and services. However, you can now store gigabytes of information on mobile phones that is as business critical as the information that employees are storing on their laptops or USB memory sticks.”

The survey reveals that while nearly 43 percent of organisations currently feel that the threat from mobile phone data loss is low, this number changes significantly for the perceived threat by 2011 with only 29 percent continuing to believe that the risk is low while 29 percent forecast that the risk will be medium and 28 percent feel that the risk will be high or very high.

 


Copiers are a risk to privacy

Tue, 05/25/2010 - 18:00

I say nothing. Just watch for yourself!


When communication fails

Tue, 05/25/2010 - 09:51

 

Commenting on my own post at http://bebetter.no/node/288 - «When Communication creates barriers» - a post about some of the challenges communication (or lack thereof) may create, I wanted to comment on the security implications when communication fails.

In this particular scenario, communication between two parties creates havoc, resulting in lost trust and confidence, and the possibility of insults and personal attacks. Besides the (for some) obvious personal effects, this kind of communication creates many security challenges too. Below I list some of these:

 

Lost control over the organisation
If such quarrels occur between shareholders/key partners, one party may «win» and take over control. This is seen in any hostile takeover, and the risk for the business is the changes imposed by the «winning» team - be it continuing the current direction, changing direction, or shutting it all down.

Losing a vital partner
Quarrels may also result in one or more partners leaving the company. If such partners have vital competences or skills, it may be hard for the company to survive. At a minimum, the company may experience loss of income or failed deliveries; the worst-case scenario is the death of the company.

Creating a warzone
If no one cools off the debate and makes an effort to calm things down, a warzone may occur. In this scenario, both parties dig their trenches and start shooting at each other. Obviously, this creates great challenges for the organization, which is forced to choose sides and to keep its focus on internal fighting instead of building success. Warzones usually create only losers, and many key people may decide to leave.

Reduced/wrecked trust in the market
Another risk of communication challenges is lost trust in the market. This may be caused by the company's own communication being faulty, erroneous or simply not hitting the target. Reduced or lost trust inevitably leads us to the next point:

Lost clients / cases
If your customers get the impression that you and your organization are not able to communicate your value proposition to them, most likely they will turn your offer down. If the internal communication is wrong, they may receive different, opposing answers to their questions and lose trust in you. And if your public communication is wrong, they may (if you are lucky) start to ask questions, but in most cases you will just not hear from them again.

Possible attacks (physical, logical, verbal), private or public
Most quarrels involve emotions. Strong emotions. And strong emotions can make you do things you normally would not do, like scream, yell or use words you regret. Some people may not have your level of self-control, and may decide to hurt you or your organization. This can be done in many ways - physical attacks on you or the office building, sabotage, computer hacking, or black PR.

 

These examples are only a few of the risks an organization faces from bad communication. To mitigate these risks, I suggest organizations train their (key) personnel in communication (including listening skills), crisis management, group and individual psychology, as well as in understanding anger and anger management.

In addition, it is important to create a setting where differences are allowed and accepted, and where everyone stands behind the organization's decisions.

Humility, and an understanding that there are different routes to the same target, are equally vital.

What are your thoughts on these kinds of communication challenges? What are your suggestions to mitigate them? How can we learn to learn from such mistakes?

 
