If you go solely by top-level stats on encryption use, you’ll come away feeling pretty secure–86% of the the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption Survey employ encryption of some type. But that finding doesn’t begin to tell the real story. Only 14% of respondents say encryption is pervasive in their organizations. Database table-level encryption is in use by just 26%, while just 38% encrypt data on mobile devices. And 31%–more than any other response–characterize the extent of their use as just enough to meet regulatory requirements.
The reasons for this dismal state of affairs range from cost and integration challenges to entrenched organizational resistance exacerbated by a lack of leadership. The compliance focus is particularly galling. Encrypting a subset of data amounts to a “get-out-of-jail-free card” because it may relieve companies from having to notify customers of a breach. But knowingly doing the bare minimum to check a compliance box isn’t security; it’s a cop-out.
From an interesting post.
Cross site scripting is getting to be a common security vulnerability for online services. And Twitter that allows 140 characters per tweet wasn’t an exception.
The worms exploit a common vulnerability in Web applications called cross-site scripting, which allows someone to inject code into Web pages others are viewing.
In this instance, Twitter users who clicked on the name or image of anyone sending the worm messages would get infected and then send the message on to all that person’s followers. Anyone viewing an infected user’s profile would also get infected and pass the worm on.
While the attacks were mostly a nuisance, they could have been dangerous if spyware or other malware had been downloaded onto Twitter users’ computers, Cluley said.