APWG and Cyveillance publish phishing reports, data protection for mobile users on an SD card, Steve Albini on music and copyrights, and a web hacking methodology are this week's Top 5 #infosec reads.
Another fine study by Greg Aaron and Rod Rasmussen. Quick and sobering statistics: phishing domains are at an all-time high. The top 10 most-phished brands are attacked relentlessly, but phishers are attacking more brands than ever. Phishing attack uptime increased. Phishing in the new TLDs began slowly but is increasing.
Cyveillance produces a weekly Top 20 of the most targeted brands, so this is a useful report to visit regularly. This week, AOL, Apple, PayPal, Google and Dropbox filled the top five. The report is an indicator of weekly activity, not a long-term trend. How about business segments? Payment systems rank number one.
Vault is Google's attempt to provide a secure OS with data privacy and protection features on an SD card. Google chose the SD form factor so that the OS could be used in mobile devices, especially phones, without depending on the handset. Vault complements the security features embedded in mobile phones for mobile operator use by providing a similarly secure environment for the data users want to safeguard. Google is releasing an open source development kit and an enterprise product first, with a consumer product to come.
Why is an article about copyrights a top infosec read? Because the music industry has enormous influence on policy and legislation, and many bills (SOPA, CISPA, etc.) that security communities worldwide criticize as ill conceived, impossible to implement, or riddled with unintended consequences have their origins in the music industry. Why this article in particular? Because Steve Albini is informed, factual, and admirably frank. I like frank.
Joe Giron hosts a white paper at gironsec.com that describes a methodology for tactical web application penetration testing. The methodology lays out the sequence of pen testing actions that will rigorously examine all elements of a web application and its hosting environment. Giron does a nice job of explaining not only the automated aspects of the pen test, but the manual (question-asking) aspects as well. Where applicable, Joe helpfully includes links to a selection of pen testing utilities that can be used to complete each phase. Use ethically please.