Jingyi Zhou

My news for this week is about a new certificate authority called Let’s Encrypt supported by Mozilla. Let’s encrypt will provide free SSL/TLS certificates to website owners to encourage wide adoption of TLS. It will also automate certificate issuance, configuration and renewal processes to make the adoption process much easier. Additionally, the…[Read more]

My news for this week is about the “permacookies” Verizon and AT&T are using. The two companies use the permacookies to track users’ web browsing history and sell the information to advertisers. The permacookies is unlike regular cookies which you can delete easily. There is no way to remove the permacookis from users’ phones. The author recomme…[Read more]

My news for this week is about a malware called WireLurker targeting Apple users in China. Malicious codes are added to the legitimate IOS APPs in China’s third-party MAC OS app stores. Users’ MACs are infected if they download these APPs. What makes it worse is that if the infected Mac is connected to IPhone or IPad via USB, the IPhone or IPa…[Read more]

My news for this week is about a cyber-espionage group stealing email log-in credentials from employees of military organizations which use Office 365’s Outlook Web App. The attackers use phishing emails to trick employees to go to a third-party site. The third-party site has non-malicious JavaScript code. The code will make it appear like the e…[Read more]

My news for this week is about the 24% rise in government requests to Facebook for user data. During the first half of 2014, governments from all over the world have sent Facebook nearly 35,000 requests. Most of these requests are related to crimes like robberies and kidnappings. Facebook will provide name, email addresses, and time and date of…[Read more]

My news for this week is about a tool called Nogotofail released by Google this Tuesday. Nogotofail can be used to examine whether the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) opened by apps or devices are vulnerable to man-in-the-middle (MitM) attacks. Although SSL/TLS connections are always encrypted, it is vulnerable to…[Read more]

Key point: To achieve the security of Unix system, it is important to limit unauthorized users’ accesses via access control list and superusers’ privileges by controlling root accesses.
Question: The book says “different Unix variants or POSIX-like operating systems might implement different ACLs”. Does it mean ACL should be customized every t…[Read more]

Key point: A threat assessment plan should be focused on environmental, technical and human-related areas. A company should plan ahead and make restoration solutions.
Question: How can a company know its threat assessment plan is effective and efficient? Are there any ways to test it?

Key point: The September 11 terrorism attack results in various new laws, presidential directives and organizational actions. All of these are intended to secure the country and prepare for hazards in the future.
Question: According to the book, FBI encourages InfraGard members to exchange information. How is the information secured when being exchanged?

Key point: The September 11 terrorism attack results in various new laws, presidential directives and organizational actions. All of these are intended to secure the country and prepare for hazards in the future.
Question: According to the book, FBI encourages InfraGard members to exchange information. How is the information secured when being exchanged?

My news for this week is about President Putin’s reaction to cyber-attacks. Because of the Ukraine crisis, the cyer-attackes in Russia is rising significantly. To deal with it, President Putin is going to tighten the internet regulation. Also, he might disconnect Russia from the global web if an emergency happens. President Putin is worried a…[Read more]

Key point:
Organizations should make security policies and procedures in alignment with regulations and laws to protect its IT operations and assets. The size of the organization and the sensitivity of the information an organization owns are two important factors to be considered.
Question:
Why are the information system auditors responsible…[Read more]

My news for this week is about the mobile applications. First, let me introduce the BYOD policy. BYOD is short for bring your own device. The policy permits employees to use their own mobile devices, like tablets and smartphones, to access company network and information. According to a research released by Gartner, mobile applications become…[Read more]

Key point:
A certified security management system not only secures an organization’s computer and network resources, but also builds a healthy image for the organization.
Question:
Why forensic technicians turn off Windows XP and Windows 2003 Server in different ways?

My news for this week is about the evolution of credit cards. Major credit card companies request merchants to replace magnetic strips with microchips on the credit cards by October 2015. It is intended to deal with fraud and counterfeiting. Thirteen months later, when you make a payment with your credit card, you don’t swipe it any more. You w…[Read more]

Key Point:
Since risks are impossible to get rid of, a company should face it and generate contingency planning to withstand risks to some extent.

My news for this week is about a cyber-attack called Peter Pan pantomime in Bournemouth happened in East Europe. It is actually an email with a malicious attachment. The email looks like an email invoice asking for money for the tickets to a Peter Pan magical pantomime. However, if the user opens the attachment, a virus will be installed to the…[Read more]

KEY POINTS：
1. Vacca: Computers are powerful but insecure. If an organization wants to be secure, it has to define and mitigate the risks through various tools.
2. ISACA: IT auditors should comply with the guidelines and standards to help companies mitigate risks and achieve objectives.

One question I would ask: What kind of prevention c…[Read more]