Credential Management Vulnerabilities Exposed By Breaches

The recent breach of OneLogin is once again shining the spotlight on the safety and sanity of entrusting sensitive data to cloud-based credential management services. OneLogin provides single sign-on for cloud-based applications.

What Is A Credential Management Service?

Credential management services that offer Single Sign-On (SSO) are convenient, but, as we are beginning to find out, they can also be a single point of entry to a treasure trove of sensitive data for cyber criminals.

How Does A Credential Management Service Work?

After a user signs into one of these identity and credential management services, the service takes care of remembering and supplying that user's usernames and passwords for all of their other applications. It aims to spare the user the pain of remembering numerous passwords, security questions and the other hoops people normally have to jump through just to access an online service.

What Is The Problem With Credential Management Services?

While many of these services promise secure access and simplified Identity and Access Management (IAM), the recent spate of breaches at LastPass and now OneLogin makes us wonder just how secure these credential management services really are. Here is why: a single compromise exposes the credentials of all users, especially if the data theft includes the ability to decrypt the encrypted data [thanks to Mark Maunder of Wordfence for that emphasis].

A breach that allows intruders to decrypt customer data could be extremely damaging for affected customers.
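The difference between a breach that dumps ciphertext and one that dumps decryptable data comes down to who holds the key. The following is an added illustration, not code from this page or from OneLogin or LastPass: a vault encrypted entirely on the client, where the server stores only a record it cannot decrypt. Everything in it is assumed: the vault is a dict of site to password, keys are derived from the master password with PBKDF2-HMAC-SHA256, and, because the Python standard library has no AES, the cipher is HMAC-SHA256 run in counter mode as a keystream plus an HMAC tag over the record (a real vault would use AES-GCM or XChaCha20-Poly1305 from a vetted library and a memory-hard KDF). The `offline_guess` function plays the attacker who has stolen the server database.

```python
"""Client-side encrypted credential vault: an added illustration, not code
from the page or from OneLogin/LastPass.

Assumptions (mine, not the page's): the vault is a dict of site -> password;
the encryption and MAC keys are derived from the master password with
PBKDF2-HMAC-SHA256; and, because the standard library has no AES, the
cipher is HMAC-SHA256 run in counter mode as a keystream, with an HMAC tag
over the record.  A real vault should use AES-GCM or XChaCha20-Poly1305 from
a vetted library, and a memory-hard KDF such as Argon2id or scrypt.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # assumed default PBKDF2 round count


def derive_keys(master_password, salt, iterations=KDF_ITERATIONS):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """PRF keystream: HMAC(enc_key, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password, vault, iterations=KDF_ITERATIONS):
    """Return the record the server stores. It contains no key, so the
    service itself (and anyone who steals its database) cannot decrypt it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(master_password, record):
    """Return the vault dict, or None if the master password is wrong or the
    record was tampered with (the tag is checked before any decryption)."""
    salt, nonce, ct, tag = (bytes.fromhex(record[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt, record["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode("utf-8"))


def offline_guess(record, wordlist):
    """What a breach attacker does with a dumped record: try master passwords
    offline, unthrottled. Returns the first password that verifies, or None."""
    for guess in wordlist:
        if decrypt_vault(guess, record) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample vault and a constructed attacker wordlist.
    vault = {"mail.example.test": "Xq7!vR2p", "bank.example.test": "9zL#wQ4m"}
    wordlist = ["password", "123456", "letmein", "qwerty"]

    strong = encrypt_vault("correct horse battery staple", vault)
    weak = encrypt_vault("letmein", vault)

    # Both records look alike to the server and to whoever steals its database...
    print("server cannot decrypt:", decrypt_vault("", strong) is None)
    # ...but only the weak master password falls to an offline dictionary attack.
    print("strong master password guessed:", offline_guess(strong, wordlist))
    print("weak master password guessed:  ", offline_guess(weak, wordlist))
```

The practitioner's takeaway is the caveat in the last two lines: even with this design, a stolen database is an offline oracle with no rate limiting, so a weak master password is recovered by dictionary attack. A service that instead holds keys it can use to decrypt customer data (or whose breach includes those keys) skips even that step, and every user's credentials are exposed at once.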

The vulnerabilities in credential management services like LastPass were so bad that Tavis Ormandy, a security researcher at Google's Project Zero, wondered if people were "really using this lastpass thing" because he took a quick look and could see "a bunch of obvious critical problems".


The DigiNotar Breach: Another Exposure of Negligence

In case you have not heard, another SSL certificate provider, the Dutch certificate authority DigiNotar, a subsidiary of Vasco Data Security, was breached recently, and the preliminary report from the company that performed the audit makes it look pretty bad.

Some of the names in the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, WindowsUpdate, WordPress, MI6, the CIA, Facebook and Twitter.


The Distribute IT Fiasco: Risk Management Done Wrong

“It is not the strongest species that survive, nor the most intelligent, but the ones most responsive to change” – Charles Darwin.

In today's business world, where organizations face ever-escalating customer demands and expectations and have little room for downtime, logic dictates that businesses are seriously revamping their business continuity and risk management plans, or developing one if they did not have any.

This is even more pertinent given what we have witnessed in recent months in the areas of data breaches, hack attempts and the underground "war" being waged in cyberspace that has put most of the world's powerful organizations on the defensive.


The RSA Breach: Time for Full Disclosure?

As more companies with national security interests come forward with admissions of breaches related to the hacking of RSA's SecurID technology, one wonders if it is time for RSA to break its stubborn refusal to tell the public what exactly was stolen and when the breach actually occurred. At this stage, it is not enough to tell the public that it had been hit by a phishing email carrying an Excel attachment that exploited a zero-day vulnerability in Adobe Flash (CVE-2011-0609).


Abusing “Free”: On Ethics And Deceptive Practices

Have you ever tried to sign up for a “free” webinar only to be bombarded with a five-page interrogation sheet that asks you for all kinds of information that you find yourself saying “I just wanted to watch a presentation”? Did you come across a report or whitepaper you wanted to look at only to end up spending two to three minutes taking an exam and then the “report” turns out to be a two-page sales sheet? How about that eBook you saw and thought would be a good read until you were made to fill out a police report on why you are trying to get educated?

This issue has bothered me for quite some time. It is the practice of vendors, publishers and everyone in between offering "free" software, whitepapers, MP3s, "special" reports and useless one-page drivel in exchange for your personal information, garbage that makes you want to do some harm to its producers.


NBA Fines And Non-Compliance Lessons for SMBs

Regulations at the local, state and federal levels are on the rise, putting a lot of pressure on the compliance efforts of small and medium-sized businesses (SMBs) and exposing the fact that these organizations can only avoid costly fines and/or lawsuits by maintaining strict compliance throughout their information management processes.

I found the recent fines levied by the NBA on two players, Kobe Bryant and Joakim Noah, to be a good lesson on the cost of non-compliance.

The NBA has consistently fined players who were in non-compliance with its rules, and these violations range from the serious to what one could argue is the absurd, like kicking a ball in frustration or throwing a basketball into the stands in celebration of a win.

Here is a sample of violations that could get an NBA entity in trouble:

  • derogatory slurs, flagrant fouls, speaking out against or complaining about poor officiating, altercations during a game, making comments about the collective bargaining negotiations, violating team rules;
  • contact between NBA personnel and underclassmen, receiving a 16th, 18th or 20th technical foul in one season [a player is automatically suspended for one game for his 16th, 18th, 20th, etc. technical foul in the regular season];
  • shoving another player in the face during a game, escalating an altercation, throwing a ball at a referee during a game, missing a shoot-around, fighting with a teammate, verbally abusing a referee;
  • leaving the court during a game, improper conduct toward a referee (whatever that means), conducting illegal draft workouts, failing to leave the court in a timely manner following an ejection;
  • removing a jersey on the court, asking publicly to be traded or released, throwing a basketball into the stands during a game.
