East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Andy Sherman

Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.

Blog Feature

Cyber Security

How Can You Prevent Wire Transfer Fraud?

By: Andy Sherman
August 19th, 2015

In its most recent quarterly filing with the Securities and Exchange Commission (SEC), Ubiquity, Inc, a Silicon Valley networking equipment company, revealed that they had been the victim of a $46.7 million cyberheist. The swindle is an increasingly common one, known variously as CEO fraud, business email compromise (BEC) or man in the email (MITE) attacks, and it targets companies that make a lot of wire transfers, especially to overseas business partners.

Read More

Share

Blog Feature

Cyber Security

Extortion R Us - Ashley Madison, OPM and the Changing Face of Data Breaches

By: Andy Sherman
August 10th, 2015

On July 19th security blogger Brian Krebs broke a story on a security breach at adultery hookup site AshleyMadison.com. Actually AM is just the largest of three “adult” web properties owned by Avid Life Media (ALM), all having to do with hooking people up for sexual encounters. Credit was claimed by the “Impact Team” who have threatened to publish data on millions of users unless the Ashley Madison site is shut down. To date neither has happened, except for the identification of two hapless users, one in the US and one near Toronto (where ALM is based). While ALM’s websites remain online, their planned London IPO is said to be in trouble.

Read More

Share

Planning for Windows 10 Starts Now

Planning for Windows 10 Starts Now

Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.

Blog Feature

End User Devices and Services | Cyber Security

Stagefright Vulnerability Affects 95% of Phones

By: Andy Sherman
July 28th, 2015

Vulnerability On Monday, Zimperium Inc, a maker of mobile security solutions, announced that their security researcher Joshua J Drake (@jduck), had discovered a serious vulnerability in the Stagefright library in Android that allows for arbitrary remote code execution, which could be triggered just by sending a MMS message. (Related coverage here, and here.) Stagefright is Android’s library for handling certain types of media files.

Read More

Share

Blog Feature

Cyber Security

Are Data Breaches Preventable?

By: Andy Sherman
February 27th, 2015

When it comes to data breaches, 2014 was a difficult year for the U.S. retail industry. The FBI warned of this a year ago in the wake of the Target and Neiman Marcus data breaches. The increasing concern in both the industry and government was justified, as we saw many high profile attacks. Beginning with Target, there were data breaches at at least 9 prominent national brands, over half of them linked to malware installed on Point of Sale (POS) terminals.

Read More

Share

Blog Feature

Cyber Security

New Ponemon Study: Insiders Have Too Much Access to Sensitive Data

By: Andy Sherman
December 9th, 2014

A new Ponemon Institute survey, sponsored by Varonis Systems (press release here) examined corporate internal data protection practices as seen by 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health & pharmaceutical, retail, industrial, and technology and software.

Read More

Share

Blog Feature

Cyber Security

Let's Encrypt, A New Free Certificate Authority (Coming Soon)

By: Andy Sherman
November 18th, 2014

Bruce Schneier has an interesting post about a new free and open Certificate Authority, called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and even more important automatically. Part of the Let's Encrypt model is automating the steps that can prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.

Read More

Share

Blog Feature

Cyber Security

Update: Living without Flash and Browser Java

By: Andy Sherman
November 18th, 2014

Living without browser Java has been easy. The only thing I've used that wanted to use the browser plugin for Java was the download manager on a web site that also had direct SSL links. No biggie.

Read More

Share

Blog Feature

Cyber Security

Trying Life Without Flash and Browser Java

By: Andy Sherman
November 4th, 2014

Paul Ducklin has an interesting piece on HTML 5. Although browsers have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);

Read More

Share

Blog Feature

Data Center & Cloud

SSL, Again

By: Andy Sherman
November 4th, 2014

Let's start with a story. We recently were estimating the effort to fix up a client's audit findings, when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably reported before the vulnerability I will describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and had to be disabled if a system needed to be FIPS 140-2 compliant. While not every system needs that, it's indicative that SSLv3 is disallowed from the standard. (By the way the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.) Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable. A recent announcement of a new vulnerability in SSLv3 (CVE-2014-3566) when using ciphers operating in cipher block chaining (CBC) mode. Because of how SSLv3 handles the block structure and padding out plain text to the block size, it is possible to construct attacks that manipulate padding to disclose plain text.

Read More

Share

Blog Feature

Data Center & Cloud | Cyber Security

Dropbox: The Hack That Probably Wasn't

By: Andy Sherman
October 14th, 2014

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked:

Read More

Share