In case you haven’t heard, many Drupal hosting providers and users dropped the ball on getting their systems patched. Tripwire reports automated scans started compromising sites just hours after the most recent patch announcement. The lesson here: Pay attention to your installed products, especially the internet exposed ones. Attackers started hitting our systems for Shellshock a few hours after I learned of it, and luckily I read the article just after it was posted. You need to do you base level security as always, but patching is a never ending cycle. You need to stay on top of it.
If you have any Fidelity accounts, be advised the company was recently hacked and you *might* be exposed. It looks like subsidiaries Ticor Title Company and Lawyers Title were targeted by spear phishing, netting the attackers the typical personal information about their customers. How many customers were impacted is unclear, but it appears to be the subsidiary customers in Oregon, Nevada, and California. What scares me is these guys could have enough information to remortgage your property or forge a fake sale. I’m not sure how involved either of these actions are, but they would surely have enough information for this. Fidelity was unable to determine if the information was ex-filtrated, but I would assume the worst.
Tripwire also posted a guest blog discussing the need for “minors” in security teams. The blog illustrates the need to cross-train team members, resulting in “majors” for the main job duties and “minors” for the backups. Great concept and I wish more departments put this into use.
Retailers seem to be picking up the cybersecurity slack. InformationWeek’s Dark Reading discusses how retailers are now sharing information using the new R-CISC. Being a member of an ISAC/CISC makes your like a bit better by giving you information relevant to your industry, instead of having to sift through it all. However, many still suffer from a “speed to market” lag with new information. Even with this new sharing, retailers are a bit peeved at the national credit unions for misrepresenting retail security risks.
Some other links I read but didn’t have time to comment on: