David Forrestall

About David Forrestall

So far David Forrestall has created 84 blog entries.

How Does Ashley Madison Threaten Your Organization?

Extortion is not usually a topic that employers have on their radar regarding their employees. Most employers know they need to protect themselves against viruses and "hackers", but they often don't think about the social engineering tactics that attackers may use to target employees. When users put their private information on "secure" websites, they may assume this information is safe. But, as the old adage goes, "assume anything you put online can be made public", and it is likely that all of the users of the Ashley Madison website failed to consider the implications. For more details about the Ashley [...]

By | 2015-08-27T12:05:05-05:00 August 26th, 2015 | Data Breach, Information Security, Phishing, Social Engineering

Android Security Flaw: Stagefright – What You Need to Know

Update: As of Thursday, August 6th, 2015, Google and some phone carriers are pushing out a security fix to address this vulnerability. Source: http://www.zdnet.com/article/after-stagefright-samsung-and-lg-join-google-with-monthly-android-patches/

What is Stagefright? Stagefright is a remotely exploitable software bug in Android that can allow an attacker to perform arbitrary operations on the affected device through remote code execution and privilege escalation. This flaw currently affects versions 2.2 and newer of the Android operating system. Source: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

How Can This Affect Me? An attacker can send specially crafted MMS (multimedia) text messages to the victim device, and no end-user action upon receipt is required for the vulnerability to succeed. The [...]

By | 2015-08-06T14:42:18-05:00 July 28th, 2015 | Android, Compliance, Computer & Network Security, Privacy

Spam Email – Stop it before your users click on it

It doesn’t matter if you’ve trained them, or yelled at them, or had to fix their infected computers in front of them (or all of the above)... they’re still going to open that suspicious email, aren’t they? Because who can resist the attachment that promises funny cat pictures, and who doesn’t have a slight panic attack when faced with a fraud alert from their bank? Protecting your corporate network from malicious email is a never-ending battle, and there’s no simple, one-size-fixes-all method to do so, either. There are three modes of defense, though, that are remarkably effective, but we’ve recently [...]

By | 2015-07-09T12:28:05-05:00 May 19th, 2015 | Information Security

Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and Javascript. Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common any more, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically been released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they [...]

By | 2015-07-09T12:28:50-05:00 May 11th, 2015 | Computer & Network Security, Information Security

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself if you really SHOULD buy that Internet-connected appliance... Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet connectivity. But for those of us who work in the computer and network security fields, this question is neither academic nor trivial. It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would [...]

By | 2015-07-09T12:30:28-05:00 May 2nd, 2015 | Computer & Network Security

Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

It's official: all major SSL stacks are now vulnerable. There are already a number of detailed blogs written about this new vulnerability, so I am not going to rewrite all of the details. I am going to sum it up and bottom line it for you. Here is a good detailed account of the issue if you are interested. SCHANNEL is to Windows what OpenSSL is to Linux. It is used in almost all instances where Windows is listening for SSL traffic. Many people are claiming this is something that needs to be pushed out asap, but as [...]

By | 2014-11-21T18:20:21-05:00 November 12th, 2014 | Microsoft, Microsoft Security Bulletin, Patches

The Hitlist: International Travel

International travel is common in today's business world. Many times businesses assume that their standard policies can apply to any international destination. We recently had a client contact us about traveling to their international office in a country that is typically known for lacking respect for others' privacy. Considering that this client would be discussing corporate trade secrets and other sensitive info, they asked us what precautions they should take. We gave them a list of recommendations and explained that many of these would not make travel simple from a technological standpoint, but would provide them the most security benefit. These [...]

By | 2015-01-28T09:21:23-05:00 October 17th, 2014 | Compliance, Research, The Hitlist

What every organization should know about HIPAA

What Is The HIPAA Privacy Rule? According to HHS.gov, "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." In other words, the Privacy Rule sets forth standards to protect health-related information specifically controlled by organizations that handle electronic forms of medical records.

What Is The HIPAA Security Rule? Also according to HHS.gov, "The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or [...]

By | 2014-09-30T08:25:37-05:00 September 30th, 2014 | Compliance, Data Breach, HIPPA, Information Security, Research

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links. This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization. Windows Server environments are not immune either. We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren't just posting information to try and gather web hits. According to Errata Security:

What is Shellshock? Shellshock is a vulnerability [...]

By | 2014-09-30T08:23:03-05:00 September 29th, 2014 | Compliance, Information Security, Research

HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html HONI reported that an unencrypted laptop was stolen in 2010 and that it contained 441 patient records. HHS began an investigation and discovered that HONI had not performed a risk analysis to safeguard its PHI, nor did it have any policies or procedures in place regarding mobile device security, both of which are required by HIPAA. The HITECH breach notification rule requires covered entities [...]

By | 2014-09-17T08:59:20-05:00 September 16th, 2014 | Compliance, Data Breach, HIPPA, Information Security