QOTD - Paller on Security Guys

If your security guys aren’t fixing this, you need to get new security guys. -- Alan Paller, Director of Research for SANS
Src: Cyber threats adopting new tactics | FederalTimes.com

QOTD - Davidoff on SSL

TLS/SSL is like a nice sturdy two-by-four. Can you use it to build a secure infrastructure? Yes. Is it a secure infrastructure all by itself? No. -- Sherri Davidoff, co-author of the new SANS class 'Sec558: Network Forensics' and author of Philosecurity
Src: How SSL-encrypted Web connections are intercepted

QOTD - Northcutt on 2-factor Authentication

Asking the name of your pet really does not meet the spirit of two factor authentication. -- Stephen Northcutt, President, SANS Institute
Src: SANS NewsBites Vol 11 Num 76

QOTD - PCI is what you make out of it

PCI is what you make out of it. If you treat it strategically and get C-level executive involvement, it can turn into a very mature security program that happens to encompass PCI requirements. -- Brian Contos, Chief Security Strategist for Imperva
Src: PCI More Of a 'Check-Box' Than Security For Most Retailers - DarkReading

QOTD - Australians & Security

Australian PC and Internet users are completely unconcerned with security in general, claiming uninstalled software updates to be more useless than a chocolate beer keg on Ayers Rock. -- Commander Neil Gaughan, Australian Federal Police
Src: Aussies Embroiled in Botnet Protection Debate | Internet Evolution

QOTD - Liston on HHS Harm Threshold Loophole

Tom Liston, senior security consultant & malware analyst for Inguardians, comments on a recently announced loophole that allows HIPAA-covered entities to dispense with breach notification if the harm threshold is not met. The harm threshold is met if the breach poses "significant risk of financial, reputational or other harm to [an] individual."
Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison...
Src: SANS NewsBites Vol 11 Num 74

QOTD - Liston on Malware Persistence

Tom Liston, senior security consultant & malware analyst for Inguardians, comments about a study from TrendMicro which found that 50% of infected machines remain infected 10 months later (the malware does not bring attention to itself):
Well, duh! I don't find this surprising in the least. Anymore, malware has a business model... and nothing interferes with that model more than having your malware *removed*.
Src: SANS NewsBites Vol 11 Num 74

QOTD on Cybercrime Threat Landscape

The motivation for purveyors of malware used to be mostly about spite and the possibility of recognition. Now, it's about money. Botnets, zombie computers, phishing scams, spam, ID theft and corporate network intrusion all come together to form an often lucrative business model for criminally minded hackers. -- Jeff Debrosse, North American Research Director at ESET
Src: Technology News: Malware: Navigating the New Cybercrime Threatscape, Part 2

QOTD - Lieberman on the Internet

The Internet now is a global asset – a new strategic high ground – that simply must be secured just as any military commander would seize and control the high ground of a battlefield. But unlike a battlefield, securing cyberspace is much more complicated to do since the Internet is an open, public entity. Security cannot be achieved by the government alone. Public-private partnership is essential. Together, business, government, law enforcement, and our foreign allies must partner to mitigate these attacks and bring these criminals to justice. -- US Senator Joe Lieberman, Homeland Security and Governmental Affairs Committee Chairman
[Note: emphasis is mine]

Src: Latest Trend Targets Medium to Small Companies, HSGAC Legislation Will Address Cyber Security | Senate.gov

QOTD on Anonymity

Anonymity is not sufficient for privacy when dealing with social networks. -- Dr. Arvind Narayanan and his research advisor Dr. Vitaly Shmatikov
Src: Pulling back the curtain on "anonymous" Twitterers - Ars Technica

Infected USB shuts down London council

How much damage can ONE infected USB flash-drive do? Quite a lot, if it's infected with Conficker-D and your IT systems are not appropriately maintained and patched (the council was still running Windows 2000 and had requested an upgrade to Windows XP). In addition to being out of commission for a week, "further shutdowns followed when the network was reinfected twice in the next week, and all terminals had to be rebuilt or replaced."

Src: Computer virus cripples council’s work for weeks | News
Src: Conficker borks London council | TheRegister
Src: Ealing Council facing £501,000 fine after its network was hit by a virus that crippled it for weeks | SC Magazine

Playing 'Whac-A-Mole' with personal data

According to this article, the current legal approach to protecting Personally Identifiable Information (PII) can be compared to playing "Whac-A-Mole" with personal data. Dr. Paul Ohm, law professor at the University of Colorado Law School, writes:
Data can either be useful or perfectly anonymous but never both.
...
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.
...
The trouble is that PII is an ever-expanding category. Ten years ago, almost nobody would have categorized movie ratings and search queries as PII, and as a result, no law or regulation did either.
Src: "Anonymized" data really isn't—and here's why not - Ars Technica

ENISA Warns of Alarming Increase in ATM Crime

As the annual cost of ATM-related fraud in Europe approaches half a billion Euros, the European Network and Information Security Agency (ENISA) has issued Golden Rules to protect consumers against ATM fraud/crime:

Choosing an ATM Machine
1) Don't use ATMs with extra signage or warnings
2) Try to use ATMs inside banks
3) Don't use freestanding ATMs
Physical surroundings
4) Use an ATM which is in clear view and well lit
5) Be cautious of strangers and check they are at a reasonable distance away
Making Operations
6) Pay careful attention to the front of the machine for tampering
7) Pay attention to the card reader for signs of additional devices
8) Look carefully for differences or unusual characteristics of the ATM's PIN pad
9) Look out for extra cameras
10) Protect your PIN by standing close to the ATM and shielding the key pad
11) Report confiscated cards immediately
12) Beware of ATMs that don't dispense cash and non-bank ATMs that don't charge fees
Statement Reviews
13) Frequently review your account statements
14) Report any suspicious activity immediately
Src: ENISA Warns of Alarming Increase in ATM Crime

QOTD on Locational Privacy

The idea of constantly monitoring the citizenry’s movements used to conjure up images of totalitarian states. Now, technology does the surveillance — generally in the name of being helpful. It’s time for a serious conversation about how much of our privacy of movement we want to give up. -- Adam Cohen, member of the Times editorial board
Src: A Casualty of the Technology Revolution - ‘Locational Privacy’ - NYTimes.com

QOTD on Cyberwarfare

Cyberwarfare is a global chess game in which citizens, governments and corporations are the pawns. In the past an enemy came over the ocean to attack; now they come over the Internet. In modern warfare the cyber component is just as important as boots on the ground. -- John Bumgarner, Research Director for Security Technology, U.S. Cyber Consequences Unit
Src: Report: Russian mob aided cyberattacks on Georgia | CNET News