Category Archives: Enterprise Security

Think Blackberry is Safe? Think again!

Chris Eng at Veracode put together a pretty sweet little presentation based on a tool Tyler Shields created to infiltrate Blackberry smartphones called BBSpy. Blackberrys seem to be viewed as a more secure mobile platform for a smartphone or PDA than any other, to the point of speculation about the existence and future of President Obama’s Blackberry. When I first got a Blackberry smartphone, not only did my ability to separate my personal and professional life change, but I remember as a security professional liking some of the features provided. Remote wiping, encryption, and a password attempt bomb made me feel that should I lose my Blackberry, I would be able to prevent any sensitive data on it from falling ...

Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links. Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay. These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links. Companies extended their WAN in the form of a frame relay in 64-Kbit increments (yes, I know there were 56-Kbit links too; I managed one back in the day). These links were rarely (if ever) encrypted partly due to ...

Healthcare Security, the New Front

HIPAA tried to address it, HITRUST and HITECH are the newest entrants into the mix, but health care is just the latest example of an industry’s information technology significantly outpacing its ability to secure it. If you’ve heard me speak on where I think the next big area that hackers will go after is, you’ve heard some stories about what I would do if I were the bad guy. Last week I had a routine doctor checkup, and I watched my doctor type in a four-digit password to access all of my records (and presumably any record in the practice). Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and ...

New Ponemon Study (and other fun metrics)

The Ponemon Institute released its latest analysis on the cost of data breaches, and this year they posit that the cost of breaches is still on the rise. While new legislation and increased savvy and persistence from attackers continue to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported. If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data. I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record. Non-security managers (and unfortunately some new security managers) ...

Don’t run IT as a business, run it as a business?

That’s what I felt like was the theme of Bob Lewis’s article entitled “Run IT as a business—why that’s a train wreck waiting to happen.” I understand that having people on different sides of an issue can lead to a more productive result, so this perspective is entertaining if nothing else. At a minimum, reading the article will expose a key problem IT organizations face, but the solution is no different from what vendors propose every single day. Have you noticed the push to “solutions” and “solution-based selling” over the last few years in the IT space? CIOs don’t give a rip about some fancy whiz-bang technology. What they do care about is whether you can solve a (business) problem for them. ...

The Power of Service

There is a book called The Ultimate Question by Fred Reichheld that discusses how all customer satisfaction can be boiled down to one question: How likely is it that you would recommend this company to a friend or colleague? Using the data received from a survey of your customers, a metric called the Net Promoter Score (NPS) is created, measuring your customer satisfaction. This book was a hit last year, and I even saw the NPS formula used in a kickoff presentation last week. I spent the day yesterday on the road, and had an interesting conversation when I returned my rental car. Interesting only because I have never been asked the following question before, the topic was fresh on ...

The Yes/No PCI Assessment

Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year. I read it right after he posted it, and knew that I wanted to add to his thoughts. It’s taken me about this long to get my thoughts together. I’ve been busy! I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs. Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or they priced the assessments so low to get the business that they can’t afford to understand ...

Kicking Off 2010!

Greetings everyone! 2010 is going to be a pretty interesting year if we can keep this economic momentum going. Here are a few things to start your year off! Check out my new article “Will End to End Encryption Save Us All?” where I attempt to define various forms of End to End Encryption (E2EE) and figure out how they could be used to secure PCI DSS related data. EMC/RSA buys Archer. This one is a game changer, folks. The January issue of Herding Cats is also available! “Corned-Beef PCI DSS” expands and refines a blog post I did here about using hashing as a data protection method, specifically as it relates to PCI DSS (PCI DSS is the focus ...

The Best of 2009

2009 was an interesting year for all of us in information security. We lived through one of the largest breaches in our short history on this spinning blue ball, eclipsed only by the inauguration of a unique president-elect. Anton Chuvakin & I published a book. I moved my blog here amidst a divestiture of my business at VeriSign. Apple released a new version of their operating system and a new iPhone. MasterCard went all crazy on us. I wanted to take the opportunity to thank all of you for an amazing 2009, and I’m looking forward to fantastic things in 2010! Here are the five most popular posts in 2009: Upgrading to Snow Leopard. Ironically enough, the most popular post ...

Wireless On a Plane?

Go-go-gadget WI-FI ON A PLANE! I imagine that the next two weeks will see a significant amount of Wi-Fi trials or sales as parents and children alike take to the skies to visit loved ones over the holidays. While I am sure it has happened already, you don’t find too many documented cases of wireless attacks happening on airplanes. There are a couple of ways that attacks can happen. The first attack does not even require an internet connection, just a lazy passenger who does not follow their airline’s electronic device policy. I’ve seen tons of weary road warriors working on their laptops without removing their 3G data card or with that little Wi-Fi light blinking furiously. While going after ...
