I’ve Got A Secret…

OK, so it’s not me, it is now well known that there is a(nother) flaw in DNS. The flaw was due to be ‘revealed’ next month at a security conference, but someone else reverse-engineered the threat based on the small amount of information that was leaked out and let the cat out of the bag. (There was another one as well this week, relating to WiFi devices… so, in case you were wondering, these things are a regular occurrence.)

So, the question is: should such information be made public, and if so, when? In this case, at least it was a friendly hacker who pieced together the information and then went public with it. Of course there might be some cyber-criminals who have also done this - perhaps we won’t know (until it’s too late).

The reason that the vulnerability wasn’t publicly released was to give the various vendors time to patch their software and for users to deploy the patches. More often than not the vulnerability is public (or is being sold in the underground economy) before a fix is available, and this tends to act as a catalyst for a fix to be made rapidly available. Of course, having a fix available and having users deploy it are very different things.

Companies need to consider whether to have someone watch for these vulnerabilities and patches. This usually falls to someone in an IT department - and while it was popular a few years ago, it seems to have waned. As with most threats, this is something which SMBs/SMEs also need to be aware of, and it can appear to be a huge effort. In fact, US-CERT (www.us-cert.gov) has a great site and even has an RSS feed on the latest activity. It does take time (and effort) to separate the wood from the trees as far as your organization is concerned, but the effort is worth it.
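One way to cut that effort down is to filter an advisory feed against a list of the products you actually run. The following is an added example (not from the original post and not US-CERT’s own tooling): it parses a constructed RSS 2.0 fragment, keeps only the items that name something in a hypothetical inventory, and notes whether the entry mentions a fix, since, as the post says, knowing is useful even before a patch exists.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in RSS 2.0 shape. The product names, titles and
# links are placeholders invented for this example, not real advisories.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example advisory feed</title>
<item><title>ExampleDNS resolver cache poisoning</title>
<link>https://example.invalid/adv/1</link>
<description>Affects ExampleDNS 9.x. Patch available from vendor.</description></item>
<item><title>WidgetOS wireless driver buffer overflow</title>
<link>https://example.invalid/adv/2</link>
<description>Affects WidgetOS wireless drivers. No fix yet.</description></item>
<item><title>FooMail server denial of service</title>
<link>https://example.invalid/adv/3</link>
<description>Affects FooMail 2.x. Update available.</description></item>
</channel></rss>"""

# Hypothetical inventory: the product names this organisation actually runs.
INVENTORY = ["ExampleDNS", "WidgetOS"]

# Simple keyword heuristic for "a fix is mentioned"; a real workflow would
# still have a person read the advisory before acting on this flag.
FIX_WORDS = re.compile(r"\b(patch|fix|update)\b", re.IGNORECASE)
NO_FIX_WORDS = re.compile(r"\bno (patch|fix|update)\b", re.IGNORECASE)

def parse_items(feed_xml):
    """Return a list of {title, link, description} dicts from an RSS string."""
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
        }
        for item in root.iter("item")
    ]

def relevant_advisories(feed_xml, inventory):
    """Keep only items whose title or description names an inventory product."""
    patterns = {name: re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
                for name in inventory}
    hits = []
    for entry in parse_items(feed_xml):
        text = entry["title"] + " " + entry["description"]
        matched = [name for name, pat in patterns.items() if pat.search(text)]
        if not matched:
            continue  # not our product: the "trees" we want to ignore
        entry["matched"] = matched
        entry["fix_mentioned"] = bool(FIX_WORDS.search(text)) and not NO_FIX_WORDS.search(text)
        hits.append(entry)
    return hits
```

Run `relevant_advisories(SAMPLE_FEED, INVENTORY)` against a real feed fetched over HTTPS and you get only the entries worth a human’s attention, with the "no fix yet" ones still surfaced rather than dropped.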

On balance it is better to know about potential problems before they occur (even if there isn’t an immediate fix available): forewarned is forearmed.

Just One Cotton Picking Moment

Cotton Traders revealed that their website had been hacked and details of 38,000 transactions had been stolen. They have now worked with experts to fix the problem. OK, so this is ‘yet another’ case of data loss - however, I find it interesting that the target organization is relatively small and yet it was obviously still worth the criminals attacking it. Is this because smaller organizations do not necessarily have the security expertise to secure their environments, or because their website was unpatched and therefore open to a well-known attack? We don’t know; all we know is that they were attacked and they have now fixed the problem.

Smaller companies seem to think that they will not be a target for an attack… “It won’t happen to me, I’m too small to be on the radar” - this case just goes to prove that is not so. Hopefully other smaller companies will now sit up, take notice of the potential threats and their consequences, and look at how they can prevent it from happening to them.