Security Ostriches and Disintermediation

By Mike S

You can’t hide anymore behind security obscurity. You can’t assume you aren’t a target. It’s just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work you won’t be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while. A very little while, so get to work.

via Security Ostriches and Disintermediation – Dark Reading.

Category: Security | No Comments | November 3rd, 2011

Metasploit For The Masses

By Mike S

This could be quite useful:

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7’s Metasploit Pro commercial product.

via Metasploit For The Masses – Dark Reading.

Category: Compliance | No Comments | October 22nd, 2011

Mass SQL Injection Attack Hits 1 Million Sites

By Mike S

“To have input validation turned off on their Web servers seems crazy,” he says. “There is literally a script feature on ASP.NET that checks input validation, and it’s on by default. These people have turned it off, and I cannot wrap my head around why they’re turning it off.”

Why would you disable the safety features of your development language, and put them into production like that?

via Mass SQL Injection Attack Hits 1 Million Sites – Dark Reading.

Category: Security | No Comments | October 19th, 2011

Strange But True Penetration-Testing Stories – Dark Reading

By Mike S

Ah, the fun of legitimate penetration…

‘Hacker’ gets kudos from his financial services victim, as in-house security cameras go rogue and steal users’ credentials

via Strange But True Penetration-Testing Stories – Dark Reading.

Category: Compliance, Security | No Comments | October 18th, 2011

New Microsoft Data Puts Zero-Day Threat Into Perspective

By Mike S

First, the good news from Microsoft’s newest data on real-world Windows security incidents: Zero-day attacks are relatively rare. Now the bad news: Ninety-nine percent of all malware infections are due to organizations and users not applying security updates.

So why don’t people or organizations let the thousands of existing patches secure their machines?

via New Microsoft Data Puts Zero-Day Threat Into Perspective – Dark Reading.

Category: Security | No Comments | October 13th, 2011

As SQL Injection Attacks Surge, New Report Offers Insight On How To Prevent Them

By Mike S

Brad Causey at Dark Reading presents a summary of SQL injection, and a whitepaper about how to prevent them.

SQL injection has taken its place among the top Web threats and compromised some of the Internet’s best-known companies. Here’s a look at how SQL injection attacks happen — and what you can do about it

via As SQL Injection Attacks Surge, New Report Offers Insight On How To Prevent Them – Dark Reading.

Category: Security | No Comments | July 11th, 2011

Password Manager Service LastPass Investigating Possible Database Breach

By Mike S

It’s a bummer when your password service is breached. NOTE: Not that they were breached; LastPass is being proactive.

The “last password you’ll ever need” now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company’s discovery of unusual network activity around one of its databases.

LastPass says it detected a “network traffic anomaly” in a non-critical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: more traffic was going out of the server than was going in. “Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs,” LastPass said in its company blog.

That’s some good internal forensics right there. We know they watch their logs!

via Password Manager Service LastPass Investigating Possible Database Breach – Darkreading.

Category: Security | No Comments | May 5th, 2011

Social Security Administration Exposed Data Of 36,000 Over Three Years

By Mike S

Nobody cares more about your personal information than you do. Unfortunately, there’s nothing we can do to keep it out of the hands of the government.

According to a report issued by the SSA’s Office of the Inspector General, some 36,657 people were erroneously included in the SSA’s Death Master List, which collects names of recently deceased individuals and is sold to the public.

The data was published between May 2007 and April 2010, according to the report. The SSA had already exposed an additional 26,930 individuals’ records between July 2006 and Jan. 2009.

via Social Security Administration Exposed Data Of 36,000 Over Three Years – Darkreading.

Category: Compliance | No Comments | April 19th, 2011

Cyberattacks On Critical Infrastructure Are Increasing, Study Says

By Mike S

Unfortunately, while regulatory agencies and utilities are pushing to expand “smart grid” technologies, they don’t seem to care about how vulnerable to attack they are.

“Ninety to 95 percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check,” said Jim Woolsey, former United States Director of Central Intelligence.

The new study reveals that while the threat level to critical infrastructures has accelerated, the response level has not, even after the majority of respondents frequently found malware designed to sabotage their systems (nearly 70 percent), and nearly half of respondents in the electric industry sector reported that they found Stuxnet on their systems.

via Cyberattacks On Critical Infrastructure Are Increasing, Study Says – Darkreading.

Category: Security | No Comments | April 19th, 2011

IT Temptation To Snoop Too Great

By Mike S

The users with the organization’s highest and most powerful privileges are also the most likely to use their access to snoop around the network for confidential information.

A new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have snooped, and 44 percent of those in Europe, the Middle East, and Africa have done so, too. Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.

This is specifically against the SAGE Code of Ethics:

Privacy

* I will access private information on computer systems only when it is necessary in the course of my technical duties. I will maintain and protect the confidentiality of any information to which I may have access, regardless of the method by which I came into knowledge of it.

via IT Temptation To Snoop Too Great – Darkreading.

Category: Security | No Comments | April 15th, 2011