A vulnerability in Internet Explorer has been known and unpatched for two weeks.
According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing.
I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play.
Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon.
Over at Network World, Antone Gonsalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals:
Dramatic changes are needed on multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say.
Hurt back yesterday
Too much pain to write much now
Haiku easier
And don’t forget to sign up for our Black Hat cloud security training in December!

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there.
A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading.
Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell.
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.
Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is:
Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spagnuolo (@MikiSpag).