RSA Security Blog: A Blog for Security Professionals
The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge of and interest in a different area of the industry: research, developer solutions, engineering and government policy.

Articles
When Gods Jabber
2009-09-23 As befits its name, Zeus, King of the Gods, is the most powerful Trojan kit on earth. Some Trojans you cannot buy. Take Sinowal, for instance: it is a commercial-grade infrastructure featuring a state-of-the-art Trojan, operated by an organized crime group that invests back in the business. You won't find Sinowal as a kit for sale.
Speaking of Security Podcast #162
2009-09-22 RSA and First Data team up to reduce merchant risk and the cost associated with handling credit card data and PCI compliance. Hear all about this strategic partnership on this week's Speaking of Security podcast.
First Data's new PCI tokenization service
2009-09-22 Today, First Data announced its new First Data Secure Transactions service. The service encrypts cardholder data at the point of capture (e.g., the POS terminal) and keeps it encrypted until it reaches First Data, where it is decrypted so the transaction can continue. Here is where things get really interesting: rather than returning the actual card number to the merchant, First Data returns a "token", a sixteen-digit value that stands in for the cardholder data but has no value to an attacker, because it is not a real credit card number. First Data keeps the original cardholder data in its own secure, PCI-compliant environment.
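To make the token step concrete, here is an added Python sketch of the vault side (example code written for this page, not First Data's implementation and not from the original post). It assumes a 16-digit numeric token, that a given PAN maps to a single token while it is in the vault, and that tokens are deliberately chosen to fail the Luhn checksum that real card numbers satisfy; the point-of-capture encryption is left out so the example stays focused on what the merchant ends up holding.

```python
import secrets


def luhn_checksum_ok(digits: str) -> bool:
    """True when a digit string passes the Luhn check that genuine PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Structural sanity check: 13 to 19 digits with a valid Luhn checksum."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_checksum_ok(value)


class TokenVault:
    """Stand-in for the processor-side vault. Only this object ever holds a PAN.

    Design choices made for this example (assumptions, not First Data's documented
    behaviour): tokens are 16 random digits; a PAN maps to the same token for as
    long as it is in the vault, so the merchant can bill again with the token
    alone; and every token is chosen to FAIL the Luhn check, so a leaked token can
    never be mistaken for, or used as, a real card number.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self) -> str:
        while True:
            candidate = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if luhn_checksum_ok(candidate):       # could pass as a PAN: reject
                continue
            if candidate in self._token_to_pan:   # already issued: reject
                continue
            return candidate

    def tokenize(self, pan: str) -> str:
        """Accept a PAN from the decrypted capture stream and return its token."""
        if not looks_like_pan(pan):
            raise ValueError("not a well-formed PAN")
        token = self._pan_to_token.get(pan)
        if token is None:
            token = self._new_token()
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. to settle or refund a sale."""
        return self._token_to_pan[token]


def merchant_record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The record the merchant keeps after a sale; note it never holds the PAN.

    In the real flow the PAN travels to the processor encrypted and only the
    token comes back; the direct call here stands in for that round trip.
    """
    token = vault.tokenize(pan)
    return {"token": token, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    # "4111111111111111" is a well-known Luhn-valid test number, not a live card.
    record = merchant_record_sale(vault, "4111111111111111", 1999)
    print("merchant keeps:", record)
    print("vault can still resolve it:", vault.detokenize(record["token"]))
```

Because every issued token fails the Luhn check while every accepted PAN passes it, a token can never equal a real card number, and a merchant database that stores only tokens yields nothing an attacker could charge; the detokenize path exists only inside the vault, which is the property that lets the merchant's systems stay out of the sensitive part of the PCI picture.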
Attack the Dark Cloud (not the symptom)
2009-09-21 I spent most of last Friday in a meeting on how to enable real security communities that produce a Nash Effect for their members (think Network Effect if you prefer Metcalfe): how do we get people to come together and get more social, financial and moral rewards from doing so than they can from other parts of their lives? (Have a look at Incentives for more on the three basic kinds of rewards.)
Security is a Team Sport
2009-09-17 On Sept. 14 I had the privilege of speaking on a panel at the InformationWeek 500 Conference moderated by IW Editor-in-Chief Alexander Wolfe. The panel comprised Eva Chen, CEO and co-founder of Trend Micro; Renee Guttman, Vice President of Information Security and Privacy Officer for Time Warner; and Jerry Johnson, CIO of Pacific Northwest National Laboratory. The title and theme of the panel was "Strategic Security: Maximizing the Business Value of Your Security Investment."
"Chat-in-the-Middle" Phishing Attack Attempts to Steal Consumers' Data via
2009-09-16 A new and unusual type of phishing attack targeting online banking customers was recently discovered by the RSA FraudAction Research Lab. RSA has coined it a "Chat-in-the-Middle" phishing attack: it begins through routine means and then adds a more advanced layer of online fraud. The attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site, but the addition of a bogus live-chat support window lets the fraudsters obtain even more credentials through a chat session they initiate themselves.
Speaking of Security Podcast #161
2009-09-09 This week's Speaking of Security podcast features an exclusive interview with Mischel Kwon, RSA's new VP of Public Sector Security Solutions for the Professional Services team. Prior to joining RSA, Ms. Kwon served as Director of US-CERT (the United States Computer Emergency Readiness Team) at the Department of Homeland Security.
Getting started with security compliance for virtualization
2009-09-02 VMworld 2009 has been buzzing with an infectious energy since it opened this week, and the strong effect virtualization is having on the entire IT industry is plain to see. The emergence of virtualization as a mainstream paradigm across datacenters has spawned a rich ecosystem of vendors and technologies for securing and managing virtualized environments.
Speaking of Security Podcast #160
2009-09-01 The latest edition of the Speaking of Security podcast features a lively discussion of the latest IT security buzz with Sam Curry, VP of Product Management for RSA.
The Devil is in the Details
2009-08-28 I recently read an article by Jordan Robertson of the AP about a report issued this week by IBM's X-Force, which included what they found to be a reduction in phishing emails worldwide, and did a double-take. I had to read it again, and then one more time, to make sure my eyes weren't tricking me.
Zeus Trojan Leverages IM Software to Forward Stolen Online Account Data
2009-08-27 During its investigation of several Zeus Trojan attacks over the past three months, the RSA FraudAction Research Lab discovered and tracked a new online attack method, employed by criminals, that lets them make use of compromised credentials very quickly.
Part-Time Compliance
2009-08-26 I recently found myself once again discussing the concept of real-time compliance reporting with a customer. Nothing was terribly unusual about this, except that in this case I took a pragmatic position and the customer voiced a decidedly idealist perspective. The genesis of the conversation was an exercise to define what compliance meant to the customer and how they would ideally like to assess adherence to regulatory requirements.
Speaking of Security Podcast #159
2009-08-25 This edition of Speaking of Security discusses the collaboration between RSA and IDC on research and a whitepaper on insider risk management.
Insider risk: quantifying and overcoming the unknown
2009-08-25 A recent IDC survey, conducted for RSA, provides interesting insight into organizations' views and experiences of insider risk. The facts relating to financial impact and the number of security incidents don't always tally with the issues keeping IT managers awake at night. Do these findings support our fear of the unknown, I wonder? Is the answer to confront the issues with better intelligence?
A System...of Sticks and Stones
2009-08-21 "I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones." (Albert Einstein) It's been a while since I've blogged on something of a bigger scope, so I turned to physics for some fun and inspiration.
Man-in-the-Middle (MITM) - No New Thing Under the Sun*
2009-08-21 Saul Hansell of the New York Times published a blog post yesterday called "How Hackers Snatch Real-Time Security ID Numbers." Now most people** are probably expecting me to launch into a robust defense of all things unassailable and security goodness here, but I am not going to do that. Why? Because Saul is right, and it should come as no surprise that any single security measure can be broken. If you want to know why, and also why RSA SecurID is an essential part of a layered, information-centric security system, please read on.
Internet Gangsta or Fall Guy for the Dark Cloud?
2009-08-19 I think most of us have heard the proverb "It takes a village to raise a child" (popularized by U.S. Secretary of State Hillary Clinton). It also takes a community to raise a criminal: to foster him or her, and to create the economies that allow criminals to "cash out" effectively.
Payday Loan Scam Just One of Many Ways Fraudsters Can Exploit Personal Info
2009-08-18 The Better Business Bureau recently issued an alert warning consumers about a scam in which fraudsters call people who have taken out payday loans (also known as paycheck advances or payday advances) and coerce them into paying off the loans or risk being arrested. The scary thing about the scam is the type of information the fraudsters have been able to collect on the individuals.
Dark Cloud
2009-08-18 Everyone seems to be in the Clouds these days. Cloud Computing is certainly something we hear about more and more. The IT industry races full steam ahead into the great shapeless nebula that promises unfathomable rewards such as vast economies of scale and unimaginable resource effectiveness.
Speaking of Security Podcast #158
2009-08-17 As the current economic downturn continues, global companies are evaluating outsourced solutions for many functions. This week's Speaking of Security podcast features a discussion on security in an outsourced world. Our guest is Christopher Leach, SVP and CSO of Affiliated Computer Services.
How accidentally leaving your bag on the bus can cost £100m
2009-08-11 RSA's research shows that accidental insider risk incidents are much more common than deliberate insider threats, but many organizations underestimate their scale and potential impact.
Speaking of Security Podcast #157
2009-08-10 The Speaking of Security podcast this week features a discussion with Burt Kaliski of EMC's Innovation Network. He talks about how EMC is encouraging the sharing of ideas among its employees around the theme of innovation at a multi-venue event this fall.
Kwon departs government but can still contribute a lot to improving our nat
2009-08-10 It's true: Mischel Kwon has resigned from her post as Director of US-CERT at the Department of Homeland Security. A significant loss for the Department will be a major gain for RSA, The Security Division of EMC, as Mischel is a talented, hard-working senior security professional with experience in both the public and private sectors. We are delighted to have her join our company as a member of the RSA/EMC team.
Although motivated by personal gain, insider theft also causes harm
2009-08-05 When insiders steal confidential information from their employers, they are usually thinking about personal profit. The person who sold confidential information about British MPs' expenses to the Daily Telegraph certainly seems to have been motivated primarily by financial gain rather than the public interest, given the sums of money that have been mentioned.
Keep the Bar High to Avoid Clickjacking (and Anything-jacking/Anything-ishi
2009-08-04 Well, the arms race continues in the world of online fraud, and some of the latest hype is around clickjacking. Just last week a partner called me about this attack vector; it had been held up to them, matter-of-factly, as the be-all, end-all, latest and greatest attack on the Internet. I call it hype because it is simply the next step in a chain of incremental refinements in online attack techniques: this truly is an arms race.
Dan Kaminsky's New PKI Hack Discovery - The EMC/RSA viewpoint
2009-07-30 At the Black Hat conference on July 29, Dan Kaminsky of IOActive talked about new collision attacks against the global X.509 CA infrastructure. Here is a brief vendor view of the issue, with some background on the work the affected vendors have put in over the last few weeks, from the time Dan identified it, and on the steps EMC/RSA is taking to remediate the impact across its products and protect its customers.
Defining Software Assurance
2009-07-29 The term "software assurance" is often used interchangeably with "software security" to refer to the practices of avoiding and detecting unintentional vulnerabilities during the software development process.
New data breach research looks at 'misuse and abuse' of corporate resources
2009-07-28 I recently came across the very useful 2009 Data Breach Investigations Report from Verizon Business. It makes some particularly interesting points about insider risk.
Securing the Software Supply Chain – Industry Releases Framework for
2009-07-27 I wrote in two blog posts last October that the U.S. government and other nations around the world are focusing more attention on product security and technology supply chain issues. In my post of October 14, 2008 I stated: "Government buyers nearly everywhere are insisting on more secure products and some level of assurance that the software or hardware that you are selling them is secure."
Speaking of Security Podcast #156
2009-07-27 This week's Speaking of Security podcast features an extended interview with Uri Rivner, Head of New Technologies for RSA's Identity Protection and Verification Solutions group. He touches on many different topics, including some of the major trends the RSA Anti-Fraud Center has identified in the past year.