Is Microsoft throwing stones in the developer glass house?

Wednesday, April 6th, 2011

Am I the only person who finished reading the Security Development Lifecycle Progress Report and immediately conjured up an image of Microsoft developers throwing stones in a big glass house?

The Microsoft SDL is, obviously, a good thing if it helps to reduce vulnerabilities in code. But I got the feeling that Microsoft was saying that Windows and Internet Explorer are such popular targets for attack because developers are not applying all the SDL techniques and technologies available to them.

(more…)

How insecure is IPv6?

Friday, March 25th, 2011

The internet has been running out of space for the best part of ten years now, address space that is. In a nutshell, the 4,294,967,296 addresses provided by IPv4 are pretty much exhausted and so we must start embracing IPv6 which can provide a few more.

How many, exactly?

How does 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses sound to you?

Now I’m not going to get stuck into the whole ‘how to migrate to IPv6 thing’ here, nor even the debate about how long we really have left to make that migration (although Steve Cassidy will be examining this in issue 200 of PC Pro). Nope, I’m more interested in what the potential impact upon internet security will be when it’s a done deal and everything is connected to the internet.

(more…)

Cloud security: is Android the weakest link?

Monday, March 7th, 2011

Much has been written about the security of data in the cloud, and even more about the insecurity of the same. Until now, things have been somewhat quieter when it comes to how we access cloud-based data on the move. That, I suspect, is about to change.

Plenty of effort has been poured into securing online data stores, and plenty is made by the providers of those cloud services in making sure potential customers know about it. Which is why the bad guys are understandably looking for the soft targets, and at the moment that would appear to be Android apps.

I’ve said it before, and I will say it again: the smaller your business, the bigger the benefits of cloud computing. That rings especially true at the ‘free’ end of the cloud scale where the attraction of services such as those provided by Google can offer real bottom-line savings for hard pressed small business concerns. Security within the free or low-cost cloud isn’t somehow automatically weaker than that found at the expensive end of the cloud provision market either.

You can be sure that Google has invested heavily in securing the data at rest within those cloud bases, incorporating all the multi-layered protocols and synchronous replication processes you might expect. But perhaps it needs to invest more at the other end, the smartphone to be precise. What you need to ask yourself is whether Android could be the weak link in the cloud security chain?

(more…)

Sex and online shopping: do women need more protection?

Friday, March 4th, 2011

F-Secure is coming over all chivalrous: the security firm has decided to take us little ladies by the hand, and help the weaker sex manoeuvre the confusing and complicated world of online security.

This support comes in the form of a press release that landed in my inbox, and despite it lacking anything pink or pretty, I actually bothered to read it.  According to a survey by F-Secure and a “research” firm called OnePoll1:

(more…)

Does hacker insurance make your business a bigger liability?

Monday, February 28th, 2011

It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?

The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.

(more…)

Can you trust Google sponsored results?

Friday, February 18th, 2011

It’s a simple question, do you trust Google? My confusing answer is yes and no. Yes, I trust Google to find more relevant information in less time than other search engines. No, I don’t trust Google to filter out all the cons and scams.

Indeed, the level of trust that I associate with Google search declines dramatically when it comes to those results that appear at the top and side of the page, you know, the ones with the very light text saying ‘Ads’ next to them. I cannot recall ever clicking on a ’sponsored search result’ for a couple of very good reasons:

1. The whole point of using Google is to uncover information that has been deemed relevant courtesy of the hugely complex algorithm at the heart of the search engine’s success, and not which has been dropped onto the page simply because someone paid for it to be there.

2. The bad guys have, for as long as I can remember, been using such sponsored results to lure people to their sites and whatever nefarious activity lies within.

(more…)

The plummeting price of stolen personal data

Thursday, February 17th, 2011

How much is your data worth? You may think that the customer database your business has built is priceless, and individuals probably regard their online data as being rather valuable as well. After all, that’s why we put so much effort into securing it. Unfortunately, the basic economic laws of supply and demand exist within the criminal marketplace just as they do elsewhere.

Which means that our perception of value is hugely over-inflated when compared to the reality of the online underground economy. That reality is that as malware production and exploitation has rocketed, and stolen data has flooded the marketplace, so the price has plummeted to pretty unbelievable lows.

(more…)

How to physically secure your business hardware

Friday, January 21st, 2011

There seems to be something of a misconception, at the smaller end of the business scale at least, that data security is somehow a terribly complex thing that is also expensive to achieve properly. This myth is no doubt massaged just a little bit by small business consultants with one eye on the invoice.

The truth of the matter is somewhat different, of course, and basic data security is neither difficult nor expensive to achieve. All it takes is a little bit of technical know-how and an awful lot of common sense.

(more…)

Thousands fall victim to Facebook profile scam

Monday, November 29th, 2010

I have to admit that I really don’t care who has looked at my Facebook profile. If I didn’t want people to see it I would nuke my Facebook account. If anyone who does take a look is so impressed by my boyish good looks and the eloquent charm of my update postings, then they can request to become my friend and I can merrily ignore them.

There are, in all honesty, many other things which take priority when it comes to worrying Mr Winder: when will the central-heating boiler start working again, how much snow is going to fall today and what will my nose look like by the end of the week after surgeons have finished operating on my face, for example. Yet, for tens of thousands of Facebook users the question has obviously been weighing heavy on their minds. At least that is the only explanation I can think of to explain why a rogue Facebook app is running riot right now.

“OMG, OMG, OMG! Now you can see who viewed your Facebook profile” the scam message doing the rounds suggests, and a click on the link allows you to download an app to reveal all.

(more…)

Prince William’s wedding is more dangerous than porn

Wednesday, November 17th, 2010

It is bad enough, for someone with no great interest in the monarchy, that the engagement of Prince William and Kate Middleton has now dominated TV, print and online news outlets for the past 24 hours solid. I know I risk being verbally scolded by the twin-pronged pro-Royalty army that is the combined forces of the blue-rinsed brigade and readers of Heat magazine, but I think I can safely say that the forthcoming Royal wedding is now officially bad news. I can also say that you would be safer searching for porn than searching for news about the Royal nuptials.

Security researchers at the Websense labs have uncovered the first wave of poisoned search engine results to wash onto Google and Yahoo alike, using everything from promises of ‘Prince William Wedding Photos’ through to the much more generic, and likely all the more successful as a result, ‘Prince William Wedding’ as lures to sites which will hit the unsuspecting and unprotected visitor with the latest drive-by download attacks.

(more…)