Apple has left an autofill bug in Safari unpatched that could potentially expose personal information you would never intend for anyone else to see.
Apple's AutoFill feature allows you to quickly fill out forms with information you have previously entered, including credit card information and social security numbers.
A security expert has figured out a way of getting that information by tricking you into hitting two keys: the "U" key and the "Tab" key. In theory, an attacker could place a hidden form behind a game on a web page that uses these keys, tricking you into filling out the form and stealing your information.
Jeremiah Grossman discovered the bug and you can see a video of the flaw being demonstrated on his site under his entry: The Safari AutoFill Hack Lives!
Updated on Monday, September 27, 2010 at 7:18PM by Keith Erwood
Many people (most security experts aside) who work with industrial SCADA (Supervisory Control and Data Acquisition) and PLC (Programmable Logic Controller) systems have long considered these systems safe. In fact, if you check the reference sources at the bottom, you will notice a recurring theme: "If you asked me if this was possible last week, I would have said no."
I have personally had people tell me they are safe from these kinds of threats because they have multiple layers of firewalls and other "robust" cyber security in place. These people are wrong, and I hope this incident serves as a wake-up call to others who work with these systems every day. Bottom line - All systems are vulnerable.
A worm known as Stuxnet has infected systems from several countries including those of the United States, Indonesia, India, and Iran.
I will never forget - the things I heard and saw...Not just that day, or the days after, but for the months that followed. My heart goes out to those who lost loved ones, to the workers who spent months recovering what they could, and to the soldiers still fighting overseas, I thank you. I will never, ever, ever forget.
How up to date is your business when it comes to assessing your risk exposures, contingency planning, and overall risk management? Now, what would you say if I told you the SEC is requiring ALL publicly traded companies to have a written plan detailing the risks, and how they will respond to climate change?
Even though this occurred back in January of this year, I am finding very few people who have been aware of this new reporting and disclosure requirement.
The other day in my newsletter I mentioned that the SEC had issued interpretive guidance on disclosure related to business or legal developments regarding climate change. The response has been interesting, ranging from laughter and dismissal to shock. Some people are wondering just how they are supposed to measure the risk, and others say they have zero risks and exposures to it altogether.
Now, I am not currently buying into the man-made climate change side of the equation as I mentioned in the newsletter, and personally believe that these events are cyclical and natural. I also recognize that the issue is basically a political hot potato at the moment, and think most people here in the United States feel the same way I do. Though I admit I could be wrong.
The real story, as I stated in my newsletter, is that history shows us that the climate will change, and the impacts of those changes can be dramatic and have a negative impact on the business community. These impacts can occur whether the climate grows colder or hotter. So, even if it is not man-made, does it matter? The impacts will remain the same.
I am not going to add my assessments here as I did in the newsletter, but I did want to mention it here on Disaster Preparedness Blog for those that may not be aware of this, and provide you the links to the information from the SEC.
Specifically, the SEC's interpretative guidance highlights the following areas as examples of where climate change may trigger disclosure requirements:
Impact of Legislation and Regulation: When assessing potential disclosure obligations, a company should consider whether the impact of certain existing laws and regulations regarding climate change is material. In certain circumstances, a company should also evaluate the potential impact of pending legislation and regulation related to this topic.
Impact of International Accords: A company should consider, and disclose when material, the risks or effects on its business of international accords and treaties relating to climate change.
Indirect Consequences of Regulation or Business Trends: Legal, technological, political and scientific developments regarding climate change may create new opportunities or risks for companies. For instance, a company may face decreased demand for goods that produce significant greenhouse gas emissions or increased demand for goods that result in lower emissions than competing products. As such, a company should consider, for disclosure purposes, the actual or potential indirect consequences it may face due to climate change related regulatory or business trends.
Physical Impacts of Climate Change: Companies should also evaluate for disclosure purposes the actual and potential material impacts of environmental matters on their business.
No matter how you look at this issue, here is one other angle to consider. When looking at future risks, be certain to look at how possible future political and regulatory decisions might impact your business.
Recently I mentioned workplace violence and the need to address that issue within the business. Another type of workplace violence on the rise over the last few years is that of the Active Shooter, who is typically, but not always, a disgruntled employee, customer, student or even an acquaintance of a current or former employee.
First, what exactly is an Active Shooter? The Department of Homeland Security defines an Active Shooter as: an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearms and there is no pattern or method to their selection of victims.
Before continuing on we need to clear up some misconceptions about active shooter scenarios and situations. First, it is not a new phenomenon. Active shooter incidents have been occurring for many years, and in the United States as far back as August 1, 1968 at the University of Texas in which 14 people were killed. I am excluding other events, and acts of violence to focus solely on active shooter type events.
Second, if we include Europe, the events go back to June 20, 1913 to an event known as the Bremen school shooting, in Bremen, Germany and in Canada as far back as October 10, 1902 in an incident known as the Altona schoolhouse shooting. So, contrary to popular notion these events are not exclusive to the United States.
Third, not all of these events occur at schools, but schools in particular have had quite a history of active shooter incidents and have security vulnerabilities that are likely to make them targets of future incidents.
What is the intention of the active shooter? The active shooter is often acting out of frustration and rage. They usually see their act as attempting to correct some event they perceive as a wrong that has been committed against them. The active shooter has a desire to kill and usually is not concerned with their own life, safety, or threat of capture. Active shooters will also usually have intended victims and will search them out. Active shooters will accept targets of opportunity while searching for or even after finding their intended victims.
Another thing to know about active shooters is that the active shooter will often move throughout a building or area until they are stopped by law enforcement, commit suicide, or are stopped by other intervention.
The active shooter situation is highly unpredictable, and events involving active shooters unfold very quickly, often ending within 10 to 15 minutes. This is typically before law enforcement arrives on scene. It is for these reasons that every business and school should be prepared to confront this issue and make it part of their planning process.
It is something most planners and law enforcement officials dread. The active shooter scenario is by many accounts difficult to plan for and often impossible to predict, especially the who and when. But it is possible to prepare and train for it and even mitigate some of the potential of it occurring if done properly. Another step in preventing this scenario is dealing with workplace violence and threats of violence appropriately from the onset, as discussed in a previous article.
What are some other things you can do to deter this event from taking place at your school or business?
Have an active and highly visible security force and ensure they are trained and equipped to deal with such an event.
Having both concealed and visible security cameras can also act as a deterrent.
Have an electronic security system with electronic ID access for employees.
Have all visitors, contractors, and guests to your facility sign in.
Train employees to recognize trouble or potential issues early.
Make counseling services available to those who need it.
Have a notification and alerting system, along with procedures for its use during an active shooter situation.
Post evacuation routes in hallways and near exits which are also removable so emergency response personnel can utilize them.
Include your local law enforcement and other emergency response personnel in your active shooter training exercises.
Create a respectful workplace.
What should you do if an active shooter situation does occur where you work or go to school? There are a number of ways to handle the situation; the first and often the best choice is to evacuate.
Have an escape route plan in mind and use it.
Evacuate whether or not others with you agree to follow.
Leave all your belongings behind.
If possible, help others escape.
Try to prevent others from entering an area where the active shooter may be.
Keep your hands visible.
Follow all instructions from police officers.
Do not attempt to move injured or wounded people.
When safe to do so, call 911.
If you can’t evacuate, the next best option is to hide in a place where the active shooter is not likely to find you. The place you choose to hide should be out of view of the active shooter, provide protection if shots are fired in your direction and should not trap you or restrict your options for movement. When hiding be sure to do the following.
Lock the door.
Blockade the door with heavy furniture.
Silence your cell phone and/or pager.
Turn off any other source of noise such as a radio or television.
Hide behind large items.
Remain quiet and calm.
Call 911 if you can to alert police to the active shooter's location.
If you cannot speak, just leave the line open for the dispatcher to listen in.
Lastly, if evacuation and hiding are not options, as a last resort and only as a last resort, you can attempt to take action against the active shooter. You can do this by taking the following actions.
Acting as aggressively as possible against the active shooter.
Yelling at the active shooter.
Throwing items and improvised weapons at the active shooter.
Attempting to overtake and subdue the active shooter, but you must commit to your actions if you take these steps.
Once the police arrive on scene at an active shooter incident, they will likely take action using Immediate Action Rapid Deployment (IARD), so it is possible that only one officer or a small team of police officers may enter the area or building the active shooter is in. In the past it was common for the police to wait for a SWAT team, but these incidents take place so fast that additional action was needed, and IARD was developed in response to active shooter situations.
Be aware that police officers arriving on scene will be heavily armed, possibly with rifles and shotguns and may be wearing heavy outer bulletproof vests, helmets, and other tactical equipment. Be prepared for the police to take the following actions.
The police will likely use pepper spray and/or tear gas.
Responding officers will be shouting commands, and may push or force people to the ground for their safety.
Here are some things you should do when law enforcement arrives on the scene.
Listen for and follow the police officers' instructions.
Put down anything in your hands, including bags, jackets, cell phones and keys.
Immediately raise your hands and spread your fingers.
Keep your hands visible at all times.
Avoid making any quick movements.
Avoid grabbing or attempting to hold onto the officers for their safety and yours.
Do not make sudden movements towards the officers.
Avoid screaming, pointing and yelling.
Do not stop to ask officers for help or directions; just proceed in the direction from which the officers came.
Be aware that the initial police officers in the building will not stop to aid injured victims.
If you are able to successfully call 911 and speak with a dispatcher be prepared to answer the following questions.
Location of the active shooter.
Number of shooters, if more than one is involved.
A physical description of the shooter(s).
Type and number of weapons the shooter(s) may have.
The number of potential victims that are at the location.
This is a fairly long list of things you should be aware of during any active shooting incident, and yet it is only just touching on the issue. One of the most important things is that you prepare, train, and if you can, involve local law enforcement and emergency personnel in your planning.
My name is Keith Erwood, and disasters are my life. Well, not just disasters really, but helping people like you, owners, executives and managers of businesses, prepare for disasters and emergencies.