Last week I flew around the world—literally. Starting in San Francisco, I flew to Singapore, then on to Brussels, and finally back to San Francisco. The fact that I did not achieve the same frequent flyer status with United Airlines in 2010 that I did the previous five years made the trip much more uncomfortable. I was upgraded on only one relatively short flight segment. Still, I got enough sleep to stay sufficiently awake to keep up with the unfolding drama involving Google and the government of China.
You may remember that the government of China pressed Google to hand over information about dissidents in that country. Google refused. Then the Aurora incidents, almost without a doubt originating in China, involved massive break-ins into Google’s (as well as others’) computing systems. In the case of Google, speculation says that China was seeking information about dissidents in that country. After considerable deliberation (and also indignation—after all, China ostensibly rifled through Google systems at will), Google decided to move its China operations to Hong Kong, something that I believe was a move that the Chinese government had not at all anticipated.
Round four of this drama is currently underway. The Chinese government blasted Google in a communist party newspaper. Some of Google’s partners and advertising customers in China have suddenly turned against Google. For instance, China’s second-largest mobile phone company recently announced that it will no longer use Google’s search function on two of its new phones. All this threatens to drastically slash Google’s China-based revenues. Consequently, Google’s stock price has dropped six percent since January, presumably in part due to Google’s struggles in China. Read more…
I interact with information security managers all the time. I have built a healthy respect for almost all of them in the course of my interactions with them. Information security managers generally have a sound strategy that includes all the “classic” components such as information valuation and labeling, controls evaluation, vulnerability management, and more. At the same time, however, I have developed a deep concern over a too commonly observed weakness in information security practices—a lack of speed and agility. Advanced persistent threats (APTs) are a constant threat to our data and information processing resources. The threat climate is constantly changing, but I fear that many information security practices (including the one I used to manage!) are not quickly and flexibly adapting their security defenses accordingly.
Information security policy is an area in which I am confident that better speed and agility are generally needed. In many information security practices the information security policy becomes a legacy document in a matter of months. In everyone’s defense, the information security manager typically has so many fires to fight that revisiting issues such as whether an information security policy in which so much effort has been invested might need to be updated is the last thing on this person’s mind. But this document needs to be viewed as a living and breathing document that sets the tone for an organization’s security posture and that addresses the organization’s threat profile. If either changes, the policy should change accordingly, and it should change sooner rather than later. Read more…
Before I go any further, I want to assure everyone that I have a lot of respect for every information security professional organization out there and I really have no gripes with any of them. But sometimes I wonder whether the relationship between vendors and these organizations has sometimes crossed the proverbial line of propriety. My musings are the result of attending meetings for which some vendor has picked up the cost of the meal or something else. I have no problem with the vendor doing this—after all, money does not grow on trees, especially for non-profit, volunteer organizations. And I also have no problem with the vendor being recognized and thanked for having picked up the cost. My problem instead comes from someone from the vendor’s organization getting up in front of attendees and hawking the vendor’s wares. In this case, the vendor has crossed the line of propriety. I consider this practice to be unethical as well as insulting to those of us who attend professional meetings. Read more…
Web application security is often viewed incorrectly as a set of server and host-based security issues, rather than as code-level and configuration-based security vulnerabilities. Although servers and hosts may still be the cause of compromises, it is critical that security professionals recognize the major impact of poorly written web applications, as well as how applications and servers are configured separately and in combination. The Internet is increasingly responsible for handling and storing sensitive information and files that require security and protection. Keeping attackers at bay and ensuring the privacy of private and proprietary documents is paramount. Below are the top ten security vulnerabilities and how security programmers mitigate them to prevent exploitation.
Security web programmers are often given neither the clout nor the attention they deserve. Security programmers apply a much higher degree of attention, detail, and time to programming. Secure software may require more time and money than insecure software. The cost of securing a web application must be weighed against the cost of an insecure web application bringing the business down or releasing sensitive information to potentially nefarious attackers.
Don’t be misled by security misnomers or be mistaken about your security requirements. Security factors can be well-defined and explained at any level of your corporate structure. Emagined Security employs security programmers who are trained and experienced to develop secure software, including web and database applications. Our proven security programming techniques and multi-layered security development protocols ensure your web applications are protected and your sensitive information secured. Read more…
It is likely that you already know about NSS Labs. If you don’t, you can find out about them by visiting www.nsslabs.com. This organization was created nearly five years ago to perform independent evaluation and certification of information security products. Products that meet NSS Labs’ standard criteria are approved, and ones that meet even higher criteria are awarded NSS Labs Gold status. NSS Labs is not the only entity that does testing of this nature. What is different about this organization is that the testing is truly independent; it does not cost anything to participate in the testing. The vast majority of NSS Labs’ revenue is instead from vendor certification, although because group testing started just last year, their revenue related to testing (e.g., having vendors pay for the rights to distribute the NSS group test Executive Summaries) is likely to grow substantially. NSS Labs also makes revenue from evaluation reports that it produces after testing for a particular type of product is complete. NSS Labs then sells these reports.
I admit that I am biased in that I know and very much like the NSS Labs CEO and President, Rick Moy. I got to know him when I consulted for High Tower Software (before I was hired as the CTO there). Rick was the product manager, and I thought he did a very fine job in this role. He not only wrote a product requirements document that clearly stated the functionality that the High Tower SIEM tool needed, but along with Antonio Bianco also had a major hand in designing the user interface. Over the years, this product’s user interface was one of the best in any security product, and Rick had a lot to do with this accomplishment. Read more…
Just a few days ago I read an extremely interesting article titled “Update: Security industry faces attacks it cannot stop.” Written by Robert McMillan, it appeared in the March 10 issue of Computerworld. It in effect said that although we have all kinds of security technology available to us, attackers need to exploit only one vulnerability (often one of which we are not aware) to breach security. Success for the black hat community is thus inevitable if attackers try one exploitation vector, then another, then another, and so on—one will eventually work. Try as we may, we are losing the war against computer criminals very badly right now. Read more…
Liability Issues when Banking Transaction Fraud Occurs
Just yesterday I had a very interesting telephone conversation with someone concerning liability issues when banking transaction-related fraud occurs. If a bank customer’s savings account is drained by a fraudster, who is liable, the customer or the bank?
This issue is by no means new. You might recall the incident that occurred in 2005 in which an owner of a small business, Joe Lopez, found that funds had been transferred from his company’s Bank of America account without his authorization. He reported what had occurred to the bank, which launched an investigation that showed that a keystroke logging program had been installed on Lopez’s PC. The perpetrators gained remote access to this PC, copied the stolen information, and used it to make money transfers to a bank in Latvia that ultimately ended up in their hands. Informing Lopez that the fraud was due to Lopez’s failure to secure his computing system rather than the bank’s failure to provide suitable security, the bank initially refused to replenish the stolen funds. Lopez disagreed. The press picked up the story, making it look as if Lopez had been victimized by a gigantic, customer-indifferent bank. Fearing public relations damage, the Bank of America reversed its position and compensated Lopez for the money he had lost. Read more…
Nearly two weeks ago Admiral Mike McConnell, the former U.S. Director of National Intelligence (DNI), testified about the preparedness of the U.S. in the event of a cyber war at a meeting of the U.S. Senate Commerce, Transportation and Technology Committee. He said that if the U.S. were to be attacked in a cyber war, the U.S. would lose. Admiral McConnell’s testimony created shock waves among members of this committee, who reportedly did not have a clue that the U.S. was so dismally prepared for cyberwarfare. Jim Lewis, who heads the government’s Commission on Cybersecurity, followed Admiral McConnell by saying that most of the U.S.’s critical computing infrastructure is within the commercial sector, but this sector is not doing enough to safeguard computing assets. According to Lewis, no improvements in cybersecurity practices within private industry are likely to occur unless regulations require these improvements. Read more…