Categories ArchivesConsumer Security

Collateral Damage is One Click Away standard

Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation. The irony is that many of these controls are not only designed to protect our information assets, but also ...

Continue Reading

Man Up MDs! standard

Doctors have been the butt of jokes for years. But this post is no joke. Over the last five years I’ve been exposed to the back-of-house operations in healthcare in ways that helps put the front-of-house issues I observed into perspective. But one thing has always driven me batty, and I’ve never been able to figure out why. I’ve met some extremely talented doctors in my time that absolutely shocked me with their sheer intellect and problem solving abilities. But when it comes to protecting the information of the patients they serve, they just cannot be bothered. Even when they attempt to be bothered, many of them miss the point. MDs must understand that malpractice lawsuits aren’t the only thing ...

Continue Reading

Exploiting Human Trust and Complacency standard

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning which was much closer to informational supply chains, or better yet, the flow of trusted information. This lead to a great hour of discussion about an attack vector that I call, Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...

Continue Reading

Chip and PIN on the Way standard

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...

Continue Reading

The End of Subscriber Privacy standard

I’m not sure if anyone actually believes in internet privacy anymore, but what little we may have had may now be completely eroded thanks to a new bill in the US House of Representatives, Protecting Children From Internet Pornographers Act of 2011 (H.R.1981). If the bill in its current state becomes law, internet service providers must maintain the following subscriber data for a period of 18 months: Names Address(es) Temporarily-assigned IP addresses While this measure does not aim to maintain detailed activity logs of subscribers, it is designed to be a point of reference for companies to trace actions to individuals. For example, if a temporary IP address of a home internet subscriber is found to be used in an ...

Continue Reading

Security Tips for Non-Techies standard

One of the most challenging things that I regularly do is explain my job and career choice to non-techie users. Ask my Mom what I do, and you might get one of the blankest stares you have ever seen thrown right back in your face. In fact, I think this general lack of security knowledge among users contributes tremendously to the success of attacks against consumers. How else do we have millions of drones waiting for commands on unsuspecting users machines? I’ve heard the following from family members before: But I bought an anti-virus program three years ago! Why do I have to pay for it every year? But I had to disable the security settings so I could play ...

Continue Reading

iCloud Security Questions standard

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to. Preposition ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...

Continue Reading

Does Security Impede Innovation? standard

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

Continue Reading

I don’t need to know, I can look it up! standard

The pace at which our society produces information is staggering. Even worse, the amount of value of that information is typically only apparent after slicing it up in a particular way. Those of us that are naturally curious and problem solvers have gotten quite good at knowing where to find certain information as opposed to memorizing it. There are certain things you sometimes just need to memorize. For example, driving laws. It’s much better to remember that you must always stop at a red light then having to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us that have figured out this critical skill often become technical support for ...

Continue Reading

What about Mobile Payments? standard

Thanks to a reader who gave me an idea for a blog post! You can suggest your own topics here. Mobile payments means a lot of things to a lot of people. Is it paying for things with that fancy iPhone app? Is it a Wi-Fi or cellular linked payment terminal? Is it paying for things with your cell phone using either an SMS-based payment or a Near-Field Communication (NFC) transaction? For the purposes of this post, I want to focus solely on SMS-Based or NFC transactions that would originate from the buyer’s cell phone. AT&T, T-Mobile, and Verizon announced last week the formation of ISIS, a mobile payment network that looks to capitalize on the per-transaction revenue that can ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!