Blog

Ransomware! – It’s here to stay…

“My firm WILL be affected by ransomware.” If you intone that rather gloomy mantra to yourself every morning before you go to work, you might end up being prepared to deal with the situation when it happens. Ransomware is a type of malware that most often encrypts the contents of a hard drive and then rather helpfully offers you an email address or phone number to contact for removal instructions. And did I mention they’re going to ask for payment for the key to your now locked-up hard drive? They’ll ask for payment. And when the email with the funny [...]

By | 2015-10-02T08:39:49-05:00 August 28th, 2015|Compliance, Computer & Network Security, Data Breach|Comments Off on Ransomware! – It’s here to stay…

How Does Ashley Madison Threaten Your Organization?

Extortion is not usually a topic that employers have on their radar regarding their employees. Most employers know they need to protect themselves against viruses and "hackers", but they often don't think about the social engineering tactics that attackers may use to target employees. However, when users put their private information on "secure" websites, they may assume this information is safe. But, as the old adage goes, "assume anything you put online can be made public", and it is likely that all of the users of the Ashley Madison website failed to consider the implications. For more details about the Ashley [...]

By | 2015-08-27T12:05:05-05:00 August 26th, 2015|Data Breach, Information Security, Phishing, Social Engineering|Comments Off on How Does Ashley Madison Threaten Your Organization?

Android Security Flaw: Stagefright – What You Need to Know

Update: As of Thursday, August 6th, 2015, Google and some phone carriers are pushing out a security fix to address this vulnerability. Source: http://www.zdnet.com/article/after-stagefright-samsung-and-lg-join-google-with-monthly-android-patches/ What is StageFright? Stagefright is a remotely exploitable software bug in Android that can allow an attacker to perform arbitrary operations on the affected device through remote code execution and privilege escalation. This flaw currently affects versions 2.2 and newer of the Android operating system. Source: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/ How Can This Affect Me? An attacker can send specially crafted MMS (multimedia) text messages to the victim device, which require no end-user action upon receipt for the attack to succeed. The [...]

By | 2015-08-06T14:42:18-05:00 July 28th, 2015|Android, Compliance, Computer & Network Security, Privacy|Comments Off on Android Security Flaw: Stagefright – What You Need to Know

Spam Email – Stop it before your users click on it

It doesn’t matter if you’ve trained them or yelled at them or had to fix their infected computers in front of them (or all of the above)... they’re still going to open that suspicious email, aren’t they? Because who can resist the attachment that promises funny cat pictures, and who doesn’t have a slight panic attack when faced with a fraud alert from their bank? Protecting your corporate network from malicious email is a never-ending battle, and there’s no simple, one-size-fixes-all method to do so, either. There are three modes of defense, though, that are remarkably effective but we’ve recently [...]

By | 2015-07-09T12:28:05-05:00 May 19th, 2015|Information Security|Comments Off on Spam Email – Stop it before your users click on it

Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and Javascript. Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java ‘applets.’ Applets aren’t that common any more, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically been released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they [...]

By | 2015-07-09T12:28:50-05:00 May 11th, 2015|Computer & Network Security, Information Security|Comments Off on Java vs. Javascript

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself if you really SHOULD buy that Internet-connected appliance... Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet connectivity. But for those of us who work in the computer and network security fields, this question is neither academic nor trivial. It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would [...]

By | 2015-07-09T12:30:28-05:00 May 2nd, 2015|Computer & Network Security|Comments Off on Do you really need a smart toaster?

Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

It's official: all major SSL stacks are now vulnerable. There are already a number of detailed blogs written about this new vulnerability, so I am not going to rewrite all of the details. I am going to sum it up and bottom line it for you. Here is a good detailed account of the issue if you are interested. SCHANNEL is to Windows what OpenSSL is to Linux. It is used in almost all instances where Windows is listening for SSL traffic. Many people are claiming this is something that needs to be pushed out ASAP, but as [...]

By | 2014-11-21T18:20:21-05:00 November 12th, 2014|Microsoft, Microsoft Security Bulletin, Patches|Comments Off on Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

The Hitlist: International Travel

International travel is common in today's business world. Many times businesses assume that their standard policies can apply to any international destination. We recently had a client contact us about traveling to their international office in a country that is typically known for lacking respect for others' privacy. They asked us, considering this client would be discussing corporate trade secrets and other sensitive info, what precautions they should take. We gave them a list of recommendations and explained that many of these would not make travel simple from a technological standpoint, but would provide them the most security benefit. These [...]

By | 2015-01-28T09:21:23-05:00 October 17th, 2014|Compliance, Research, The Hitlist|0 Comments

What every organization should know about HIPAA

What Is The HIPAA Privacy Rule? According to HHS.gov, "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." In other words, the privacy rule sets forth standards to protect health-related information specifically controlled by organizations that handle electronic forms of medical records. What is the HIPAA Security Rule? Also according to HHS.gov, "The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or [...]

By | 2014-09-30T08:25:37-05:00 September 30th, 2014|Compliance, Data Breach, HIPPA, Information Security, Research|0 Comments

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links. This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization. Windows Server environments are not immune either. We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gathered from multiple sources, official security organizations had made their opinions public, and that we weren't just posting information to try and gather web hits. According to Errata Security What is ShellShock? Shellshock is a vulnerability [...]

By | 2014-09-30T08:23:03-05:00 September 29th, 2014|Compliance, Information Security, Research|0 Comments