These Technology IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.
These articles were emailed to us, shared on Twitter @pivotpointsec and Google Plus, or read in our RSS subscriptions this week.
Popular Web Host Hacked
Dreamhost is one of the most popular web hosting companies on the market. They host websites and SaaS for a variety of industries. If your SaaS service is hosted on a server where you do not have physical control over the box, what controls are you putting in place to mitigate the information security risk? Is your customers’ information vulnerable?
In the case of Dreamhost, they handled the situation by emailing all customers about the incident. The email states what happened and what was impacted, and describes the steps for changing the appropriate passwords.
Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all Dreamhost customers and their users.
What would you have done differently? Have you discussed security controls with your hosting provider? Is your hosting provider the only third-party that your company works with or is there a third-party to the third-party? John recently presented on the subject of evolving security threats and interesting ways that organizations are leveraging new approaches to evolve with the threats.
Symantec advises customers to stop using pcAnywhere
Symantec may have been thinking of simplicity when bundling pcAnywhere into their offerings. However, by including pcAnywhere in their Altiris endpoint management product, they left countless companies open to attack.
Marc Silverman, Sr. Security Consultant at Pivot Point Security, described the situation as “purchasing a door with a door inside that they can use their own key to get in.”
When Symantec was made aware of the source code theft, they instructed all users to shut down and disable the application completely. They announced the security patches to resolve the three vulnerabilities in pcAnywhere 12.5 for Windows.
For businesses needing help mitigating the risk, a technical whitepaper, Symantec pcAnywhere Security Recommendation, was published that describes the vulnerabilities and gives best-practice security recommendations.
Securely Storing Corporate Passwords
There is a discussion on LinkedIn on the topic of securing passwords. Timing is everything – as it has been proven countless times. Just last week John published an article on how Windex now plays a role in his Mobile Device Security Policy. He has also been working on an article about the use of personal passwords in a corporate environment and the security implications of the combination.
Some questions to think about:
- How do you store your corporate passwords? Are you using a free application, a paid application or an Excel spreadsheet?
- If you’re using a spreadsheet, are you password protecting it? Is it stored in the cloud?
- Are you using your browser’s built-in password storage feature?
- Why did you choose your method of password storage?
Please be on the lookout for John’s upcoming article titled Personal Passwords Endanger Corporate Security.
Privacy, Breaches & Hacks in Technology
In Network World’s article, 15 worst Internet privacy scandals of all time, they discuss incidents that have been entered into what they call the Online Privacy Hall of Shame.
In the article, they mention some of the most popular incidents (e.g., Sony’s PlayStation Network), but also others like the privacy complaints against Google’s Street View. Since releasing Street View in 2007, Google has been faced with fines and audits. Social media giant, Facebook, is usually at the top of privacy discussions as their privacy policy is often questioned.
Among the list is Apple, due to the criticism over iPhone tracking. Apple never made it public that they were collecting and storing iPhone users’ location information. After the public was made aware of the situation, Apple released a patch to remove the “glitch”.
The list goes on, with mention of Disney, GM, News Corp and many others.
Don’t miss out on the Ethical Hacker Roundup
The series is published on Fridays and we are open to your link suggestions. If you would like to submit an article, reach out to us through email.
Be sure to catch the weekly roundups by subscribing to the Pivot Point Security blog via RSS or email.
About the Author:
Marketing at Pivot Point Security