11 Mar

Companies are not paying enough attention to security. Even if all the usual security mechanisms are in place, there is still no way to avoid all the danger. As this Register article states: “25 [programming] flaws are the cause of almost every major cyber attack in recent history.” One approach is to hold the developers responsible. Another is for companies to take the initiative to employ additional security (i.e. threatForensics).

Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications….

The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users….

“As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,” the introduction to Tuesday’s list states.

via Experts reboot list of 25 most dangerous coding errors • The Register.

Category : Security | Security Breaches
9 Mar

Hackers are exploiting the vulnerabilities of PDFs. And these PDFs are not caught by virus scanners. A company may be infected with multiple viruses every week and have no means of protection. More effort needs to be made by companies to protect themselves against these kinds of attacks.

“In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter.”

“PDF exploits are usually the first ones attempted by attackers,” said Mary Landesman, a ScanSafe senior security researcher, referring to the multi-exploit hammering that hackers typically give visitors to malicious Web sites. “Attackers are choosing PDFs for a reason. It’s not random. They’re establishing a preference for Reader exploits.”

via Rogue PDFs account for 80% of all exploits, says researcher.

Category : Android Forensics
8 Mar

Interesting behind-the-scenes look at Western Digital — a leader in the data storage and hard drive industry.

When you buy a car, you look under the hood. Given the critical importance of hard disk storage in all of our lives, we thought you might want a peek under that hood, too. Now that Western Digital is in the business of breaking new capacity records (the latest Caviar Green was the first drive to hit 2TB, for example), we jumped at the chance to take a first-ever, unrestricted tour of its California R&D facilities. This is the place where magnetic technology of the 1950s meets the nano- and quantum-level technologies of the current decade.

via Great Mysteries To Be Revealed… – Picture Story – Tom’s Hardware.

Category : News
5 Mar

Yet more evidence that the forensics community needs to be focusing on mobile devices. Join viaForensics’ Open Source Android Forensics project.

Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones.

The researchers… are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless — all without the user’s knowledge.

“Smartphones are essentially becoming regular computers,” says Vinod Ganapathy, assistant professor of computer science in Rutgers’ School of Arts and Sciences. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by [malware].”

via Researchers: Rootkits Work Nicely On Smartphones, Thank You – wireless security/Security – DarkReading.

Category : Android Forensics
3 Mar

Application security may still have a ways to go, but Open Source is showing promise…

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

“The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,” Oberg says. And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

via State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – DarkReading.

Category : Security | Security Breaches
1 Mar

A recent article on Law.com (part one of a seven-part series) discusses the importance of legal holds for the preservation of electronically stored information (ESI) and other documents.

Why are courts placing so much emphasis on this ministerial step in preservation of issuing a written litigation hold? It appears that patience is running thin for lost ESI in federal court. More importantly, ignorance of litigation hold requirements is no excuse. Also, the days of he-said-she-said litigation hold arguments are numbered. Courts want to see a transparent and credible process by simply looking at a few documents such as the written hold notice, distribution list, follow-up interview reports or logs, as examples.

As articulated by Judge Scheindlin in Pension Committee v. Banc of America, courts definitely do not want to wade through stacks of motions papers and days of hearings to determine if preservation efforts were sufficient to prevent the destruction of ESI and other documents. As a result, it is imperative for an organization to have in place a litigation hold policy and adequate procedures necessary to avoid going down the litigation “detour” of discovery sanctions motions.

via Law.com – Step 1 for Legal Holds: Trigger Events.

Category : Computer Forensics | Electronic Discovery | Security
26 Feb

Mobile phones these days are essentially computers and are increasingly a magnet for criminal activity. Corporations and individuals need to take seriously the threat against these devices. And e-forensic investigators need to learn new techniques and devise tools to combat this threat. (Hint: Take a look at viaForensics’ work on iPhone and Android forensics.)

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer’s account…

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information…

These risks will continue to grow in the coming years as more mobile devices are used to execute financial transactions…

via Identity Theft Coming to a Mobile Device Near You.

Category : Android Forensics | iPhone Forensics