CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

3.3 million reasons to re-evaluate security strategies…

Although last week’s theft of identity data on 3.3 million people with student loans may not have been the work of hackers, it still underscores the need for organizations to safeguard their private information from every type of crime. In other words, even with the most sophisticated anti-fraud tools in place, a company’s network can still be seriously compromised by a single swipe of a briefcase.

In the article, “Data Theft Hits 3.3 Million Borrowers,” a spokesperson for the victimized Educational Credit Management Corporation (ECMC), a nonprofit company that helps with student loan financing, said the stolen information was on a portable media device. Despite being a simple old-fashioned theft, the company and federal officials believe the incident was the largest-ever breach of such information, which could potentially affect as many as 5% of all federal student-loan borrowers.

New exploit technique could mean more Microsoft headaches

Last week, a new exploit technique was disclosed that bypasses a critical Windows security feature, DEP (Data Execution Prevention), as well as the ASLR (address space layout randomization) security enhancement.

In the article, “New exploit technique nullifies major Windows defense,” some researchers worry that proof-of-concept code published by Google security software engineer Berend-Jan Wever could actually lead to more successful attacks against Microsoft’s newer operating systems.

While Wever claims the proof-of-concept doesn’t do any harm because it’s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, MicroTrend’s Ria Rivera wrote in the company’s malware blog that the exposure could be used to further enhance exploits, and expects to see it used within exploits soon.

“After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”

With so many data compromises arising from the latest disclosed vulnerability, it seems clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place, whether these applications were added by a user or by malicious code exploiting a security hole.