East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Blog Feature

End User Devices and Services | Cyber Security

Stagefright Vulnerability Affects 95% of Phones

By: Andy Sherman
July 28th, 2015

Vulnerability On Monday, Zimperium Inc, a maker of mobile security solutions, announced that their security researcher Joshua J Drake (@jduck), had discovered a serious vulnerability in the Stagefright library in Android that allows for arbitrary remote code execution, which could be triggered just by sending a MMS message. (Related coverage here, and here.) Stagefright is Android’s library for handling certain types of media files.

Read More

Share

Blog Feature

Cyber Security

Are Data Breaches Preventable?

By: Andy Sherman
February 27th, 2015

When it comes to data breaches, 2014 was a difficult year for the U.S. retail industry. The FBI warned of this a year ago in the wake of the Target and Neiman Marcus data breaches. The increasing concern in both the industry and government was justified, as we saw many high profile attacks. Beginning with Target, there were data breaches at at least 9 prominent national brands, over half of them linked to malware installed on Point of Sale (POS) terminals.

Read More

Share

Planning for Windows 10 Starts Now

Planning for Windows 10 Starts Now

Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.

Blog Feature

Cyber Security

New Ponemon Study: Insiders Have Too Much Access to Sensitive Data

By: Andy Sherman
December 9th, 2014

A new Ponemon Institute survey, sponsored by Varonis Systems (press release here) examined corporate internal data protection practices as seen by 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health & pharmaceutical, retail, industrial, and technology and software.

Read More

Share

Blog Feature

Cyber Security

Let's Encrypt, A New Free Certificate Authority (Coming Soon)

By: Andy Sherman
November 18th, 2014

Bruce Schneier has an interesting post about a new free and open Certificate Authority, called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and even more important automatically. Part of the Let's Encrypt model is automating the steps that can prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.

Read More

Share

Blog Feature

Cyber Security

Update: Living without Flash and Browser Java

By: Andy Sherman
November 18th, 2014

Living without browser Java has been easy. The only thing I've used that wanted to use the browser plugin for Java was the download manager on a web site that also had direct SSL links. No biggie.

Read More

Share

Blog Feature

Cyber Security

Trying Life Without Flash and Browser Java

By: Andy Sherman
November 4th, 2014

Paul Ducklin has an interesting piece on HTML 5. Although browsers have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);

Read More

Share

Blog Feature

Data Center & Cloud | Cyber Security

Dropbox: The Hack That Probably Wasn't

By: Andy Sherman
October 14th, 2014

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked:

Read More

Share

Blog Feature

Cyber Security

Shellshock (Bash Vulnerability) FAQ

By: Andy Sherman
October 1st, 2014

What is the vulnerability? There was a vulnerability announcement on September 24, 2014 of a bug (CVE-2014-6271) in the Bourne-again shell, bash, that is the default command line interpreter in most Linux and many Unix distributions, including variants that form the basis of many embedded devices and appliances. The bug allows for remote code injection that can cause arbitrary commands to be run on the attacked system. There are several avenues for making this happen, but the single most potent one is by attacking web servers that can run CGI commands.

Read More

Share

Blog Feature

Cyber Security

Backoff POS Malware Affects Over 1000 Businesses

By: Andy Sherman
August 27th, 2014

Malware attacks against Point of Sale (POS) terminals came into the collective consciousness with a big splash with the Target breach late last year, and the recent disclosure of data breaches at 51 UPS franchise stores and a major data breach at major chains owned (or recently owned) by SuperValue including SuperValue, Cub Foods, Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets. Last week the U.S. Secret Service warned that over 1000 US business were affected by Backoff, an up-and-coming piece of POS malware. Backoff's method of operation is not new, but is very well executed. Like other POS malware, it installs a memory scraper onto the terminal to capture credit card track data as well as a keystroke logger, establishes communications with a command and control server, and exfiltrates both payment card and keystroke data. The crime syndicates using Backoff have become highly skilled at compromising systems through remote access software in order to establish a "jump server" from which to find and infect POS terminals.

Read More

Share

Blog Feature

End User Devices and Services | Cyber Security

Your Smartphone Is Your Token: A Cautionary Tale

By: Andy Sherman
August 22nd, 2014

I'm a big fan of using mobile phones, especially smart phones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that your token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore. In addition to applications that might send me a token by SMS, I have three token apps on my smartphone: Symantec VIP which I use for Ebay, PayPal, Symantec MSS, remote login to one of my clients, and some others. Google Authenticator for various Google accounts and for WordPress. Duo Security which I use for my own SSH logins. This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket.

Read More

Share