Category Archives: News

Google Drive slashes storage prices, costs way less than Dropbox

One more benefit of doing business in the cloud: inexpensive upgrades.

When Google introduced Drive two years ago, it offered 5GB for free, 25GB for $2.49 per month, 100GB for $4.99 per month, and 1TB for $49.99 per month. Google boosted the free tier to 15GB last year, and now users can rent much more than a terabyte. 10TB costs $99.99 per month, 20TB costs $199.99 per month, and 30TB costs $299.99 per month.

via Google Drive slashes storage prices, costs way less than Dropbox | Ars Technica.

Reminder: You’re more likely to catch a hack from a legit site

iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post on Wednesday (linked in the original with the warning “do not click if you’re wary of security breaches”), site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. Though, iPhoneDevSDK is now working with Facebook’s security team in order to share information about what happened.

Also, this is a great reminder to log and monitor, or to run a SIEM. An admin’s account was compromised, and then their website was hacked.

File-integrity monitoring such as Tripwire would have caught the changes to the site, and login auditing would have caught the attacker’s use of the admin account.
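The two controls named above, as an added example that is not the site’s code or Tripwire’s: a Tripwire-style baseline of file hashes that is re-taken and diffed to surface changed or added files, and a small login audit that flags an account logging in successfully from a source address it has never used, especially when that success follows a run of failures. The web root and the login records are constructed inline so the script runs offline; the log format (timestamp, user, source IP, result) and the “known IPs per account” table are assumptions, not a real product’s format.

```python
"""File-integrity baseline plus login-audit detection (added example, not
the site's or Tripwire's code). All inputs below are constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each path under root (relative) to its hash; this is the baseline
    a Tripwire-style tool stores and later compares against."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_baseline(old, new):
    """Report files added, removed, or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed login records: "timestamp user source_ip result" (assumed format).
SAMPLE_LOGINS = """\
2013-02-15T08:01:10 admin 203.0.113.10 success
2013-02-16T09:12:44 admin 203.0.113.10 success
2013-02-18T03:17:02 admin 198.51.100.77 failure
2013-02-18T03:17:09 admin 198.51.100.77 failure
2013-02-18T03:17:15 admin 198.51.100.77 success
2013-02-18T03:25:40 editor 203.0.113.22 success
"""


def parse_logins(text):
    """Parse the assumed four-field format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def audit_logins(events, known_ips):
    """Flag a success from a source IP the account has not used before, and
    a success that follows failures from that same IP (password guessing).
    known_ips is an assumed per-account allow-list built from past activity."""
    findings = []
    failures = defaultdict(int)
    seen = {user: set(ips) for user, ips in known_ips.items()}
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        reasons = []
        if e["ip"] not in seen.setdefault(e["user"], set()):
            reasons.append("new source IP")
        if failures[key]:
            reasons.append(f"after {failures[key]} failures")
        if reasons:
            findings.append((e["ts"], e["user"], e["ip"], "; ".join(reasons)))
        seen[e["user"]].add(e["ip"])
        failures[key] = 0
    return findings


def demo():
    """Simulate a site change between two baseline runs, then audit the
    constructed login records. Returns both results for inspection."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>hello</html>\n")
        with open(os.path.join(root, "app.js"), "w") as f:
            f.write("console.log('ok');\n")
        before = build_baseline(root)
        # A change to an existing page plus a new file, as an attacker would leave.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<script src='injected.js'></script>\n")
        with open(os.path.join(root, "injected.js"), "w") as f:
            f.write("/* constructed: stands in for injected content */\n")
        after = build_baseline(root)
    known = {"admin": {"203.0.113.10"}, "editor": {"203.0.113.22"}}
    return {"integrity": diff_baseline(before, after),
            "logins": audit_logins(parse_logins(SAMPLE_LOGINS), known)}


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

The integrity diff only tells you that something changed; the login audit tells you who did it and from where, which is why the two are stronger together than either alone.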

via Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped | Ars Technica.

Chinese hackers attacked New York Times computers for four months

This is why you employ defense-in-depth and full network monitoring, even if you don’t care what websites your employees visit at work.

But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.

The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times’ mailserver to search all the e-mails and documents sent to Barboza and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.

via Chinese hackers attacked New York Times computers for four months | Ars Technica.

Extremely critical Ruby on Rails bug threatens more than 200,000 sites

Bad news for Ruby on Rails sites: it will probably be years before all of them are upgraded and patched.

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including GitHub, Hulu, and Basecamp, underscoring the seriousness of the threat.

via Extremely critical Ruby on Rails bug threatens more than 200,000 sites | Ars Technica.

Nine out of 10 hospitals lost personal data in last two years

These are pretty dismal statistics…

Ponemon Institute and security firm ID Experts … surveyed 80 health care organizations and found that 94 percent had experienced a data-loss incident in the past two years. Another 45 percent sustained more than five breaches during that period.

via Nine out of 10 hospitals lost personal data in last two years – SC Magazine.

All the requirements in the world won’t make a difference if the organizations do not allocate the resources to ensure compliance, and if the employees continue to fail to comply.

Surveillance and Security Lessons From the Petraeus Scandal

It’s interesting to see how extensive our police-state surveillance is:

While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.

The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.

via Surveillance and Security Lessons From the Petraeus Scandal.

Security Monitoring On A Budget: Security Knowhow Needed

Every company can afford – and must afford – some security monitoring.

Even three years ago, small businesses shied away from security monitoring as too complex and too difficult to deploy, with a 2009 article calling such systems “not for the faint of heart.”

Now, log-management services in the cloud, easier-to-use managed security services, and simpler security information and event management (SIEM) solutions have made security monitoring possible for all but the smallest firms. For such businesses, gathering intelligence on security events can be an offshoot of network monitoring or the other way around, but each can give companies better visibility into what is going on with their information systems, says Nicole Pauls, director of product management for SolarWinds, an information-technology provider.

via Security Monitoring On A Budget: Security Knowhow Needed – Dark Reading.