Categories ArchivesConsumer Security

Exploiting Human Trust and Complacency standard

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning which was much closer to informational supply chains, or better yet, the flow of trusted information. This lead to a great hour of discussion about an attack vector that I call, Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...

Continue Reading

Chip and PIN on the Way standard

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...

Continue Reading

The End of Subscriber Privacy standard

I’m not sure if anyone actually believes in internet privacy anymore, but what little we may have had may now be completely eroded thanks to a new bill in the US House of Representatives, Protecting Children From Internet Pornographers Act of 2011 (H.R.1981). If the bill in its current state becomes law, internet service providers must maintain the following subscriber data for a period of 18 months: Names Address(es) Temporarily-assigned IP addresses While this measure does not aim to maintain detailed activity logs of subscribers, it is designed to be a point of reference for companies to trace actions to individuals. For example, if a temporary IP address of a home internet subscriber is found to be used in an ...

Continue Reading

Security Tips for Non-Techies standard

One of the most challenging things that I regularly do is explain my job and career choice to non-techie users. Ask my Mom what I do, and you might get one of the blankest stares you have ever seen thrown right back in your face. In fact, I think this general lack of security knowledge among users contributes tremendously to the success of attacks against consumers. How else do we have millions of drones waiting for commands on unsuspecting users machines? I’ve heard the following from family members before: But I bought an anti-virus program three years ago! Why do I have to pay for it every year? But I had to disable the security settings so I could play ...

Continue Reading

iCloud Security Questions standard

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to. Preposition ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...

Continue Reading

Does Security Impede Innovation? standard

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

Continue Reading

I don’t need to know, I can look it up! standard

The pace at which our society produces information is staggering. Even worse, the amount of value of that information is typically only apparent after slicing it up in a particular way. Those of us that are naturally curious and problem solvers have gotten quite good at knowing where to find certain information as opposed to memorizing it. There are certain things you sometimes just need to memorize. For example, driving laws. It’s much better to remember that you must always stop at a red light then having to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us that have figured out this critical skill often become technical support for ...

Continue Reading

What about Mobile Payments? standard

Thanks to a reader who gave me an idea for a blog post! You can suggest your own topics here. Mobile payments means a lot of things to a lot of people. Is it paying for things with that fancy iPhone app? Is it a Wi-Fi or cellular linked payment terminal? Is it paying for things with your cell phone using either an SMS-based payment or a Near-Field Communication (NFC) transaction? For the purposes of this post, I want to focus solely on SMS-Based or NFC transactions that would originate from the buyer’s cell phone. AT&T, T-Mobile, and Verizon announced last week the formation of ISIS, a mobile payment network that looks to capitalize on the per-transaction revenue that can ...

Continue Reading

Do you know your IT? standard

This post is mostly going to apply to smaller companies as I would HOPE (tongue in cheek a bit here) that larger merchants wouldn’t have this problem. Small- and Medium-sized businesses (SMBs) have more advanced software tools available to them today than ever before. Cloud-based solutions allow for multi-million dollar software packages to be available to SMBs at affordable monthly subscription prices. This level of business analytics, automation, and intelligence can make a big difference in how a business competes.  What once would take dedicated headcount can now be automated and scaled. But with great power, comes great responsibility. SMBs that entrust their business or data to these third parties must invest time and effort to understand not only what ...

Continue Reading

Hey Friends, I’m Over Here! standard

I recently gave a presentation to a graduate advertising class about social media with ideas on how it might be used as a part of an overall marketing and advertising strategy1. One of the things I covered was the concept of geo-tagging and how it relates to social media. There are tremendous privacy concerns related to geo-tagging, but also interesting market opportunities as well. We ignored the unintended geo-tagging that occurs when people use location services in their mobile phones, or use cameras that are location aware and focused on check-in applications.  Some examples of these applications are the popular FourSquare and Gowalla2. Well, it seems Facebook has now joined the fun, and added Places. Included in the launch was ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!