Viewing posts from January, 2009
maintaining-control-over-your-teleworkers
Posted by: admin 15 years, 3 months ago
Turns out even if you don't have a teleworking offering for your workers, they probably do it anyway by loading their laptop up with private, unencrypted information and taking it home. At least that seems to be the case in the Federal government according to a recent study by the Telework Exchange:
The report found that 63 percent of respondents who worked from home unauthorized -- more half of the non-teleworkers surveyed -- used their home computers in doing that work. "People were saving documents on their home computers that were unprotected," said Josh Wolfe of Utimaco, a data security company that underwrote the study.I wonder how people get to telework if they are not authorized? I assume telework means that they are connecting via a VPN, right? Are over half of Federal employees technically able to remotely connect to their internal network, but on the honor system to not do it? Registering for the doc gets some answers. Teleworkering means that you are working away from the office. That could mean on your blackerry. However, the point of the study stands: unsanctioned teleworking occurs:
- 54% of non teleworkers carry files home
- 41% of non teleworkers log onto their agency’s network from home
When teleworkers and nonteleworkers where asked if they had antivirus protection on their laptop or desktop computers, 94 percent of teleworkers responded yes, while only 75 percent of non-teleworkers said yes.I think implementing two-factor authentication for remote access in federal government agencies would be a huge win - it would immediately eliminate the 41% of unauthorized users accessing the network.
maybe-they-will-pay-it-with-a-credit-card
Posted by: admin 15 years, 3 months ago
A credit union has sent TJX a expenses related to the breach at TJX. Interestingly, $500k is for "brand damage":
"The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint," he said. According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage.And it looks like more states are pursuing regulations requiring retailers to take responsibility for data breaches.
HarborOne's action comes amid growing pressure from credit unions and other financial institutions around the country to get retailers to take financial responsibility for data compromises. Credit union associations in various states are vigorously lobbying lawmakers to approve bills that would require retailers to implement stronger data-security measures and to reimburse costs associated with reissuing payment cards after a breach.Will the PCI data security requirements be too little too late?
One such bill is the Plastic Card Security Act that was signed into law in Minnesota last month after being actively pushed by the Minnesota Credit Union Network. And the California Credit Union League is now pushing a bill similar to the one in Minnesota. Other states, including Texas and Connecticut, have considered similar proposals recently.
micro-targeted-attacks-on-the-rise
Posted by: admin 15 years, 3 months ago
According to MessageLabs via ZDNet:
During March, MessageLabs intercepted 716 e-mail messages that were part of 249 targeted attacks aimed at 216 of its customers, the Gloucester, England-based provider of hosted e-mail filtering services said in a research report. Of the attacks, almost 200 consisted of a single malicious e-mail designed to infiltrate an organization, MessageLabs said.Emphasis added.
more-proof-that-mutual-authentication-is-needed
Posted by: admin 15 years, 3 months ago
The number of phishing sites soared in October. Phishers are using bot-nets to create fake domains faster than anti-phishing toolbar vendors can blacklist them. It explains why phishers haven't tried to DDOS the blacklists and it shows that getting users to the correct site via strong mutual authentication is the way to go.
mitm-attacks-tokens-vs-phishing-and-mutual
Posted by: admin 15 years, 3 months ago
Kurt at anti-virus rants has a pair of posts, one on what is man-in-the-middle attack and a follow up on why tokens won't stop phishing, which lead me to an earlier post on why safe site indicators fail.
Recent Posts
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
- WiKID Android tokens had their data deleted over the weekend by Google Chrome bug
Archive
2024
- January (1)
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)