
Archive for March, 2008

Macs: Not Necessarily Secure

The CanSec Conference has a reputation as one of the best information security conferences anywhere, and apparently the recent one that was held in British Columbia was no exception. One of the most interesting events at this conference was a hacking event in which white hat attacker contestants launched attacks against a variety of machines running different operating systems—Windows, Linux, Unix, and others. Interestingly, a Macintosh running Leopard OS X 10.5.2 was the first to be broken into. I know a lot of Mac fanatics who probably will not believe the news about what happened—many of them believe that Macs are very secure out-of-the-box and that vulnerabilities that are discovered in these boxes are almost always minor ones. In the past, some of my job responsibilities included issuing security alerts; more than a few times Mac users who received them bristled at the notion that any serious security vulnerability could be present in this operating system. Read more…

Categories: Uncategorized Tags:

Indiana Legislation: Part 2

In a blog posting several weeks ago, I lamented Indiana’s not having been able to pass new and better legislation concerning protection of personal information. You may recall that current Indiana law in effect requires notifying potential data security breach victims only if a portable electronic device containing their personal data is not password-protected or if the password has been disclosed. Both the Indiana House and Senate have now passed an amendment to the existing law requiring that potential data security breach victims be notified unless the data on a portable electronic device is encrypted and the encryption key has not been disclosed. This change will become effective on July 1 this year. Read more…


Vulnerability Researchers: Friends or Foes?

I’ve been in the field of information security for quite a while now, and I’ve seen quite a few trends over the years. One very noticeable trend has been the increased importance of vulnerability information. In the mid-1980s there was relatively little emphasis on vulnerabilities other than password-related vulnerabilities. Why? For one thing, obtaining remote access was much more difficult then. PCs were just starting to become popular, and a large proportion of them were not even connected to local, let alone global, networks. Unix and Windows operating systems, in which huge numbers of vulnerabilities have been found over the years, were not all that widely used at that time, and mainframes, on which comprehensive, effective security tools such as RACF and ACF2 were widely deployed to greatly reduce the likelihood of security breaches, more or less reigned. Additionally, the “hacker” community then was much better behaved; there was a widely shared ethic that you broke into systems only to “use spare cycles,” i.e., to gain computer access that no one else was using, and that systems accessed in this manner should not be harmed or changed in any way. Read more…


More Data Security Breaches

The fact that additional data security breaches have recently occurred should come as no surprise. What is so interesting about one of the most recent ones, however, is the way 4.2 million pieces of credit and debit card information at Hannaford Supermarkets appear to have fallen into the wrong hands. This supermarket chain stores this type of information in branch servers that collect and store information sent from its many points of sale before forwarding it to central servers. Perpetrators appear to have broken into one or more of these branch servers to gain unauthorized access to this information. Ironically, it appears Hannaford Supermarkets was compliant with PCI-DSS data security regulations. To its credit, this corporation promptly notified the credit and debit card holders. This incident shows that although the PCI-DSS regulations are basically sound from a security standpoint, they are by no means perfect; being PCI-DSS compliant is no guarantee that data security breaches will not occur. Hopefully, the PCI-DSS consortium will consider changing these regulations in a manner that will help prevent incidents such as the one that Hannaford Supermarkets experienced. Read more…


Data Security Breach Insurance?

One does not have to be very observant to notice just how many data security breaches have been occurring over the last few years. It is almost as if data security breaches are becoming an epidemic. Financial losses have also mounted accordingly, and there appears to be no end in sight.

In information security governance there are four possible responses to security-related risks: to eliminate them (often by getting rid of a type of vulnerability-ridden technology altogether), to mitigate/reduce them, to accept them, or to insure against them. Historically, organizations have tended to mitigate risk or accept it more than anything else. The last of these options, insurance, has not been popular for a number of reasons, including the fact that it tends to be expensive, and also that when security-related incidents occur, insurers have too often not reimbursed insurees adequately (at least according to the latter’s perception). Read more…


The MTV Data Security Breach

MTV recently experienced a data security breach in which files containing the data of approximately 5,000 employees were accessed without authorization. Names, dates of birth, Social Security numbers, and salary information were all potentially compromised. Although a data security breach involving this small a number of users is normally hardly worth noticing compared to some of the massive data security breaches that have occurred in the past, something about MTV’s stands out. The cause was unauthorized access to an employee’s computer while it was connected to the Internet, not a lost or stolen laptop or breached server. Read more…


Concerning Faulty Information and Advice Given to Information Security Professionals

Occasionally I hear something that strikes me as unusually incorrect. Most of this information is about world news, the stock market, and politics, but some of it is within the mainstream of information security.

Consider an example from a conference at which I recently participated in a panel on emerging security threats and risk. After a few panel members made their opening spiels, another panel member made one that contained a claim that government compliance burdens were currently the biggest information security risk of all. He asserted that the federal government is so badly overregulating organizations that the cost of security compliance exceeds the expected loss from security-related incidents. Read more…


Wikileaks: Pandora’s Box Opened?

Most of us do not know very much about a Web site named “Wikileaks.org,” but recent events virtually guarantee that many if not most of us will at least learn considerably more about sites of this nature—whistleblower sites. Recently a disgruntled ex-employee of Swiss bank Julius Baer posted sensitive customer account information on Wikileaks. Last month the bank pressed for and was successful in getting the US District Court in San Francisco to issue an injunction that forced the site’s operators to take it offline. Activist organizations such as the Electronic Frontier Foundation (EFF), one of a number of organizations that filed briefs on the case, and the American Civil Liberties Union as well as The Associated Press and the ACLU were unhappy with this ruling and pressed for its reversal. The ruling, they said, violated the First Amendment right to free speech and it also could have simply required that the account information be removed rather than requiring that the site be shut down altogether. Read more…


Identity Theft Study Fingers Certain Banks

I read with interest a news item based on a study performed by the University of California at Berkeley’s Center for Law and Technology. This study’s findings show which US financial institutions, retail merchants, and utilities have the most complaints concerning identity theft incidents. Bank of America was first, AT&T was second, Sprint/Nextel was third, JPMorgan Chase came in fourth, and Capital One was fifth. Read more…


The Governance Bandwagon – Part 2

As I said in my previous blog entry, information security governance has provided a revolutionary new approach to information security and, in particular, information security management. The governance approach has been one of the main causes for the field of information security moving from what Donn Parker once called a “folk art” to a profession that is becoming increasingly influential and respected. At the same time, however, information security governance is by no means a panacea. There are a number of inherent limitations to this approach that need to be understood if it is to be used wisely and productively in different situations and settings. Read more…
