« Previous

Customer Service in Service Delivery

Published at: 10:03 pm - Saturday March 23 2013

Customer Service is a big thing to me, whether giving or receiving. No matter what area of service delivery you may be involved in when it comes to delivering Information, Communication and Technology services, customer service (and security of course) should form part of the process throughout.

This should apply to those in back-end support roles, management and so on just as fundamentally as it should within front line roles such as a Help Desk or 2nd line resolution role. Even though some may argue ‘back-end’ roles aren’t customer facing, the changes these individuals and teams implement are customer facing, these are the changes and results of decisions which will affect the customer base in accessing and using the technology in carrying out their own roles of which should be designed and would have most certainly been procured to help rather than hinder.

How can you expect, as a service or solutions provider to deliver a solution or a service as a team if you don’t have the fundamental understanding that it is for the good of the customer and to meet their needs and of course the needs of the business?

For some time I have thought that the only other industry, if industry is the ‘right’ word to call its customers or clients ‘users’ is the drugs industry.

(more…)

Posted in: Education & Training, Human Factor, Industry by Adam 1 Comment , , , , , , , , , ,

A ‘must read’ – The Mandiant APT report

Published at: 04:02 am - Tuesday February 19 2013

If you haven’t already read it, your homework for this week is the Mandiant APT1 Report.  Don’t read someone else’s interpretation until you’ve read the report yourself, in full.  Don’t read the analysis of others and consider it good.  Read the entire report yourself, read and watch the appendices and draw your own conclusions, then read what other people have to say.  READ IT!

 

 

 

Posted in: Papers/Reports, Research and Studies, Security by Adam No Comments

RFC – Digital Forensics within IaaS Environments

Published at: 06:12 pm - Wednesday December 26 2012

Request for comments – I would be interested in knowing your thoughts and opinions on the topic of “Digital Forensics within Infrastructure-as-a-Service (IaaS) Environments.

For my sins I have chosen this as the subject for my dissertation and although I could happily write thousands upon thousands of words (Plenty of practice writing forensic reports…) of my own opinion and citing quotes from the many articles, journals and papers I am reading I would like to offer some enrichment to the reader (My poor lecturer) and provide some knowledgeable and experienced primary and secondary sources from those who have gone beyond the text book.

So, I would be very grateful if you do have any thoughts (ideally experience) on this subject to get in touch. I will of course cite all contributions to the individual(s) and/or organisations (Opportunity for free publicity) however, likewise should you or your organisations wish to remain anonymous, this too can be arranged.

I’d be happy to arrange a face to face interview or (What is likely to be easier for everyone) for you to contact me via email at info@forhacsec.com and we can hopefully engage in conversation on the subject.

Current trains of thought on the subject include -

(more…)

Posted in: Digital Forensics, Education & Training, Industry, Law Enforcement, Legal/Court, Research and Studies by Adam 4 Comments , , ,

Female hackers need apply

Published at: 06:12 pm - Wednesday December 26 2012

Even when I was starting to study my degree just some 4 years ago in Digital Forensics and IT Security there appeared to be very little interest in the subject of IT as a whole, let alone Digital Forensics and Ethical Hacking from women.

Some three women appeared in the lecture hall on the first day of the course in the September  all of which had left by that Christmas as did around 25% of the male students.

This was due to various reasons including, ability, expectations of the course, motivation as well as a couple realising that they weren’t going to be learning how to ‘Hack’ bank accounts and chip and pin machines in the first week! If ever!

As an industry we need to be welcoming talent and expertise from all areas. Getting down to the basic differences of male and female gender diversity can offer so much more to subject and an industry. Not forgetting of course the experience, background, abilities and cultural enrichment both genders can offer.

So for me and as an industry it’s nice to see the University of Abertay welcoming and encouraging Female students in to the subjects of IT Security.

 

 

Posted in: Digital Forensics, Education & Training, Ethical Hacking/Pen-Testing, Hacking, Security by Adam No Comments , , , ,

BCC’d or not BCC’d – Wordfence

Published at: 11:12 pm - Thursday December 13 2012

I received the below email with nice friendly information and updates regarding the popular WordPress plugin Wordfence, a very popular and familiar to some, Security oriented plug-in for WordPress. However, this email had a nasty bite to it. In the form of having been sent to a mailing list of 5000+ recipients without using the ‘BCC’ field. There really isn’t enough spam in the world already!

From: <NAME REMOVED> <?????@wordfence.com>
Date: 13 December 2012 11:24
Subject: Wordfence mailing list

Hi All,

Just a quick note that I’ve created a Wordfence mailing list which I’ll use to let our members know about WordPress security alerts, product updates, announcements re the coming licensing change and our affiliate program which should be ready soon.

http://www.wordfence.com/subscribe-to-the-wordfence-email-list/

I’m using Aweber to manage the list, so if you see that domain name on the confirm page, don’t think you’ve been taken somewhere you shouldn’t be.

I already sent an email inviting my personal contacts a few days ago and I’ve done my best to filter out those folks and existing members, but I do apologize if you have already received this or shouldn’t have received this. I’ve created the list so I can avoid sending out these “All Contacts” emails in future – so this will be the last one from my personal inbox.

I hope Wordfence is keeping your sites secure and you’re having a great week.

Kind regards,

<NAME REMOVED>
Wordfence creator and Feedjit Inc. CEO.

This was very promptly followed 9 minutes later by -

(more…)

Posted in: Human Factor, Privacy by admin No Comments , ,

Oracle releases out of the blue out of cycle fixes for Java

Published at: 07:08 pm - Thursday August 30 2012

Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.

Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.

The good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk, the bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch not just those who were running Java 7.

Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE 2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure if they patched four or five flaws.

The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That’s as bad as it gets folks.

The fourth affects both Java 6 and Java 7, but in and of itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.

(more…)

Posted in: Linux, Microsoft/Windows, Security, Vulnerabilities by Adam No Comments , , , , , , , , , , , , , , , , , , ,

Double Trouble: Critical Java zero-day exploits TWO bugs

Published at: 06:08 am - Thursday August 30 2012

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.

Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in circulation first uses a vulnerability to gain access the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager, and ultimately to break out of the Java sandbox.

“The beauty of this bug class is that it provides 100 per cent reliability and is multi-platform,” Esteban Guillardoy, a researcher at Argentina-based security outfit Immunity explains in a technically detailed blog post here. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.”

Unpatched vulnerabilities to the so-called Gondvv exploit were introduced in Java 7.0, released in July 2011. All versions of Java 7 are vulnerable but older Java 6 versions appear to be immune. This factor means that Mac OS X users who follow best practice and apply the latest version of software applications are more at risk of attack.

(more…)

Posted in: Security, Vulnerabilities by Adam No Comments , , , , , , , , , , , , , , ,

Oracle knew about critical Java flaws since April 2012

Published at: 02:08 pm - Wednesday August 29 2012

The critical Java vulnerabilities that have security experts cautioning users to disable Java in their browsers are not new discoveries, a security firm claims. On the contrary, Oracle has known about them for months, and it has probably had a patch ready since before an exploit was discovered in the wild.

Security Explorations, a startup based in Poland, says it disclosed details of a total of 31 Java security issues to Oracle in April of this year, including the ones currently under attack. Of that list, only two issues were fixed in the last Java Critical Patch Update (CPU), which was issued on June 12.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” Security Explorations CEO and founder Adam Gowdiak stated, “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java CPUs.”

Ordinarily, Oracle only issues CPUs three times a year, which means the next one isn’t due to arrive until October 16.

(more…)

Posted in: Security, Vulnerabilities by Adam No Comments , , , , , , , , , , , , , , , , ,
« Previous