QOTD - Paller on Security Guys
If your security guys aren’t fixing this, you need to get new security guys. -- Alan Paller, Director of Research for SANS
Src: Cyber threats adopting new tactics | FederalTimes.com
QOTD - Davidoff on SSL
TLS/SSL is like a nice sturdy two-by-four. Can you use it to build a secure infrastructure? Yes. Is it a secure infrastructure all by itself? No. -- Sherri Davidoff, co-author of the new SANS class 'Sec558: Network Forensics' and author of Philosecurity
Src: How SSL-encrypted Web connections are intercepted
QOTD - Northcutt on 2-factor Authentication
Asking the name of your pet really does not meet the spirit of two factor authentication. -- Stephen Northcutt, President, SANS Institute
Src: SANS NewsBites Vol 11 Num 76
QOTD - PCI is what you make out of it
PCI is what you make out of it. If you treat it strategically and get C-level executive involvement, it can turn into a very mature security program that happens to encompass PCI requirements. -- Brian Contos, Chief Security Strategist for Imperva
Src: PCI More Of a 'Check-Box' Than Security For Most Retailers - DarkReading
QOTD - Australians & Security
Australian PC and Internet users are completely unconcerned with security in general, claiming uninstalled software updates to be more useless than a chocolate beer keg on Ayers Rock. -- Commander Neil Gaughan, Australian Federal Police
Src: Aussies Embroiled in Botnet Protection Debate | Internet Evolution
QOTD - Liston on HHS Harm Threshold Loophole
Tom Liston, senior security consultant & malware analyst for Inguardians, comments on a recently announced loophole that allows HIPAA-covered entities to dispense with breach notification if the harm threshold is not met. The harm threshold is met if the breach poses "significant risk of financial, reputational or other harm to [an] individual."
Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison...
Src: SANS NewsBites Vol 11 Num 74
QOTD - Liston on Malware Persistence
Tom Liston, senior security consultant & malware analyst for Inguardians, comments about a study from TrendMicro which found that 50% of infected machines remain infected 10 months later (the malware does not bring attention to itself):
Well, duh! I don't find this surprising in the least. Anymore, malware has a business model... and nothing interferes with that model more than having your malware *removed*.
Src: SANS NewsBites Vol 11 Num 74
QOTD on Cybercrime Threat Landscape
The motivation for purveyors of malware used to be mostly about spite and the possibility of recognition. Now, it's about money. Botnets, zombie computers, phishing scams, spam, ID theft and corporate network intrusion all come together to form an often lucrative business model for criminally minded hackers. -- Jeff Debrosse, North American Research Director at ESET
Src: Technology News: Malware: Navigating the New Cybercrime Threatscape, Part 2
QOTD - Lieberman on the Internet
The Internet now is a global asset – a new strategic high ground - that simply must be secured just as any military commander would seize and control the high ground of a battlefield. But unlike a battlefield, securing cyberspace is much more complicated to do since the Internet is an open, public entity. Security cannot be achieved by the government alone. Public-private partnership is essential. Together, business, government, law enforcement, and our foreign allies must partner to mitigate these attacks and bring these criminals to justice. -- US Senator Joe Lieberman, Homeland Security and Governmental Affairs Committee Chairman
[Note: emphasis is mine]
Src: Latest Trend Targets Medium to Small Companies, HSGAC Legislation Will Address Cyber Security | Senate.gov
QOTD on Anonymity
Anonymity is not sufficient for privacy when dealing with social networks. -- Dr. Arvind Narayanan and his research advisor Dr. Vitaly Shmatikov
Src: Pulling back the curtain on "anonymous" Twitterers - Ars Technica
Infected USB shuts down London council
How much damage can ONE infected USB flash-drive do? A great deal, if it's infected with Conficker-D and your IT systems are not appropriately maintained and patched (the council was still running Windows 2000 and had requested an update to Windows XP). In addition to being out of commission for a week, "further shutdowns followed when the network was reinfected twice in the next week, and all terminals had to be rebuilt or replaced."
Src: Computer virus cripples council’s work for weeks | News
Src: Conficker borks London council | TheRegister
Src: Ealing Council facing £501,000 fine after its network was hit by a virus that crippled it for weeks | SC Magazine
Playing 'Whac-A-Mole' with personal data
According to this article, the current legal approach to protecting Personally Identifiable Information (PII) can be compared to playing "Whac-A-Mole" with personal data. Dr. Paul Ohm, law professor at the University of Colorado Law School, writes:
Data can either be useful or perfectly anonymous but never both.
Src: "Anonymized" data really isn't—and here's why not - Ars Technica
...
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.
...
The trouble is that PII is an ever-expanding category. Ten years ago, almost nobody would have categorized movie ratings and search queries as PII, and as a result, no law or regulation did either.
ENISA Warns of Alarming Increase in ATM Crime
As the annual cost of ATM-related fraud in Europe approaches half a billion Euros, the European Network and Information Security Agency (ENISA) has issued Golden Rules to protect consumers against ATM fraud/crime:
Choosing an ATM Machine
1) Don't use ATMs with extra signage or warnings
2) Try to use ATMs inside banks
3) Don't use freestanding ATMs
Physical surroundings
4) Use an ATM which is in clear view and well lit
5) Be cautious of strangers and check they are at a reasonable distance away
Making Operations
6) Pay careful attention to the front of the machine for tampering
7) Pay attention to the card reader for signs of additional devices
8) Look carefully for differences or unusual characteristics of the ATM's PIN pad
9) Look out for extra cameras
10) Protect your PIN by standing close to the ATM and shielding the key pad
11) Report confiscated cards immediately
12) Beware of ATMs that don't dispense cash and non-bank ATMs that don't charge fees
Statement Reviews
13) Frequently review your account statements
14) Report any suspicious activity immediately
Src: ENISA Warns of Alarming Increase in ATM Crime
QOTD on Locational Privacy
The idea of constantly monitoring the citizenry’s movements used to conjure up images of totalitarian states. Now, technology does the surveillance — generally in the name of being helpful. It’s time for a serious conversation about how much of our privacy of movement we want to give up. -- Adam Cohen, member of the Times editorial board
Src: A Casualty of the Technology Revolution - ‘Locational Privacy’ - NYTimes.com
QOTD on Cyberwarfare
Cyberwarfare is a global chess game in which citizens, governments and corporations are the pawns. In the past an enemy came over the ocean to attack; now they come over the Internet. In modern warfare the cyber component is just as important as boots on the ground. -- John Bumgarner, Research Director for Security Technology, U.S. Cyber Consequences Unit
Src: Report: Russian mob aided cyberattacks on Georgia | CNET News