Better Security Through Diversity of Thinking

By David Mortman
Inspired by professional pastry chef Shuna Fish Lydon:

“You do not know what a good, bad or indifferent baker/pastry chef you are until you work alongside someone who is better/worse than you. This is not at all to say that if you are an outstanding home baker, you are deluding yourself. But as far as professional cooking & baking go, it is my experience that unless you push yourself really hard to stay away from your sweet spot comfort zone of I-Know-All-I-Need-To-Know-And-I-Feel-Very-Comfy-In-This-Job/Kitchen-Thank-You-Very-Much, and move kitchens or chefs or hire people who are much closer to your level than you feel comfortable having them, you will become stagnant in your baking skill and knowledge.”

The Security Nightmare of a Flash Monoculture

From ZDNet (Larry Dignan)
Adobe’s announcements that a full version of Flash is coming to every smartphone not named Apple iPhone leave me conflicted. Full-blown Flash can be a boon to the mobile Web, but has the potential to become one huge security headache. Read the full story [zdnet.com]

Report: Phishing and Scareware on The Rise

According to a report by the Anti-Phishing Working Group (APWG), the number of phishing incidents and rogue anti-malware programs (also known as scareware) is rising at an “unprecedented rate”.
The APWG says that around four fifths of the phishing attack websites claim to offer payment and financial services, and that in the first half of 2009 a total of more than 485,000 strains of scareware were found. Approximately 22,000 a month were reported in January, rising to over 152,000 in June – indicating a very strong upward trend. Read the full story [h-online.com] See the full APWG report [PDF from antiphishing.org]


The Register’s Dan Goodin has news about a belated but significant move by Google to protect its GMail and other services from CSRF (cross site request forgery) attacks.
In recent days, Google’s login pages began setting a cookie with a unique token on each user’s browser. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in. Read the full article [theregister.co.uk]
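The mechanism described above is the classic double-submit cookie pattern: a cross-site page can make the victim’s browser send the cookie, but it cannot read the cookie’s value to copy it into a forged form, so a request whose form token does not match the cookie token is rejected. The following is an added example of that server-side check, not Google’s code and not from the article; the cookie and field names, the form HTML and the request strings are constructed for illustration.

```python
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs

# Hypothetical names; the article does not say what Google calls its cookie or field.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Mint a fresh unguessable token; the server sets it as a cookie and embeds it in the form."""
    return secrets.token_urlsafe(32)


def render_login_form(token: str) -> str:
    """Embed the same token in the login form as a hidden field (constructed HTML)."""
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="user"><input name="pass" type="password">'
        "</form>"
    )


def _cookie_token(cookie_header: str) -> str:
    """Pull the CSRF token out of a raw Cookie header; malformed headers yield no token."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return ""
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else ""


def csrf_check(cookie_header: str, form_body: str) -> bool:
    """Accept the login POST only if cookie token and form token are both present and equal."""
    cookie_token = _cookie_token(cookie_header)
    form_token = parse_qs(form_body).get(FIELD_NAME, [""])[0]
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so a mismatch does not leak where the tokens diverge.
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    token = issue_token()
    # Legitimate flow: the browser got the cookie and submitted the form the server rendered.
    print(csrf_check(f"{COOKIE_NAME}={token}", f"{FIELD_NAME}={token}&user=a&pass=b"))
    # Forged flow: a third-party page triggers the POST; the cookie rides along but the
    # attacker-controlled form cannot contain the token it was never able to read.
    print(csrf_check(f"{COOKIE_NAME}={token}", "user=a&pass=b"))
```

The check deliberately treats a missing cookie, a missing field, or a malformed Cookie header as a failure rather than an exception, since any of those conditions on a login POST is exactly the case the control exists to refuse.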

From eSecurityPlanet (Larry Barrett)

Securing data networks is important enough for the majority of companies to hire outside security firms to audit their systems but only about one in three bother to have their network audited every year, according to a new survey conducted by VanDyke Software and independent researcher Amplitude Research.

At a time when enterprise companies, government agencies and Average Joes are doing everything they can to protect sensitive data, the survey reveals both an admirable willingness on the part of most IT departments to pony up for external expertise and an astonishing lack of follow through to keep data secure for the long haul. Read the full story [esecurityplanet.com]

Trend Micro researcher Rik Ferguson has discovered a new twist on the old social engineering attacks on Skype — the use of usernames and monikers that appear very, very convincing.
In the latest attacks, which lure computer users to fake anti-virus sites (rogueware), the attackers are using the username “Online Notification” in the Skype chat window.

The Department of Homeland Security is planning a major hiring spree, looking to fill as many as 1,000 cybersecurity positions over the course of the next three years. The department announced the new initiative Thursday, marking DHS’s first real push to hire a large number of information security experts.
