Friday 30 September 2011

I say

Dark Market: Cybercrime, Cybercops and You, by Misha Glenny
I'm confused. Do we really need a book to tell us that the crackers have grown up and moved into crime, rather than publicity? Surely this is obvious. Police forces are not joined up: part of their strength and their greatest weakness is the federated nature of police forces and the bickering between them. Police can't (won't) investigate all these crimes: of course not. They prioritise resources like the rest of us; a stolen credit card just does not register. So, I for one won't be reading this book.
Betfair is in for a rough ride over data theft Betfair hides credit card data hack from customers  
A crying shame. We all know how truly hard it is to get the "business" to deal with IT risk. High impact, low probability equals medium risk, which is ignored. The article mentions file integrity: a product like Tripwire (or an open source equivalent) is peanuts. Of course the back-end support needed by the security operations centre is where the big money lies, which is why there are n number of outsourcers, system integrators and managed services companies who will do this for you. The point about the broken crypto made me laugh. If they are so certain it's broken, I wonder what the implementation was? Again, proper monitoring and robust procedures are needed. I suspect that the Betfair world isn't populated by HSMs. Betfair now has a choice: deal with this, engage a CISO, invest in a robust set of controls, or dodge the issue until next time. I'd expect that they are PCI DSS compliant already ... surely? If they are, then this is another blow to the PCI DSS silver bullet. If not, then there's a lesson, I think. Congrats to Mr Osborne for spotting the line in the report and getting to the truth. I bet it wasn't easy. chin chin infosecchap
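To show what the "peanuts" file-integrity control above actually does, here is an added example (not code from the post, nor from Tripwire) of the baseline-and-verify loop that any file integrity monitor performs: hash every file under a tree, keep the digests, and later report what was added, removed or modified. The directory, file names and "tampering" are constructed inside the script so it runs offline; a real deployment would keep the baseline off-host (or signed) so an intruder cannot simply rewrite it.

```python
"""Minimal file-integrity baseline/verify in the spirit of Tripwire.
Added illustration, not from the original post. Standard library only;
the monitored tree and the tampering are constructed in demo()."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to digest, size and mode."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a baseline; return added/removed/modified paths.
    The baseline itself must be stored where the monitored host cannot alter it,
    otherwise an intruder rewrites the baseline along with the files."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline) if current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("card_store=encrypted\n")
        (root / "bin").mkdir()
        (root / "bin" / "checkout").write_bytes(b"\x7fELF-placeholder")  # constructed, not a real binary
        baseline = build_baseline(root)
        # Simulated drift: a config edit, a dropped file, and a deleted binary.
        (root / "etc" / "app.conf").write_text("card_store=plaintext\n")
        (root / "etc" / "cron.d.bak").write_text("")
        (root / "bin" / "checkout").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running it reports one added, one removed and one modified path; the expensive part the post alludes to is not this script but deciding, for every such report on every host, whether the change was a patch, an admin, or an intruder.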
Former #scmagazineuk Information Security Person of the Year becomes KPMG partner 
congratz!

Wednesday 28 September 2011

I say

HP Expands Enterprise Security Solutions
ArcSight is certainly the best regarded SIEM tool, but it comes at a cost and it comes with a requirement for a dedicated (and expensive) team. But, fair play to HP for recognising this, setting up the marketing and going for the solution. Seems that their legacy of purchasing Vistorm worked! chin chin @InfosecChap
Take charge of your online reputation
I'm not wholly convinced that Identity Theft per se is a criminal activity. I can see that it could lead to fraud (which is specifically a criminal offence in the UK at least) but simply impersonating someone with no material gain and no material loss can't be a criminal act. Perhaps the best advice is to not be public, then no one can hold it against you.

Twitter

twitter management http://everythingtwitter.com/tag/unfollow/

Tuesday 27 September 2011

I say

A Short Guide to Company Email Management
One of the biggest issues with email, sure, is its persistence. Delete. Delete. Delete. And make sure that you have a policy that supports this. The last thing you want is an investigation to be run on your corporate email servers looking for miscreants. Purging your mail is the best way to avoid libel, employment laws and simply getting caught. As Andersons! But for the individual, the major problem is searching the damnable stuff. Copy and paste into Microsoft Access or write your own macro to turn it into text (which I've had to do). I must publish that one day! Suggest we keep our own copies on our own personal storage devices, but we can put email in the corporate cloud and let the security team purge it just before the compliance wonks find out. chin chin @InfosecChap
Mac malware disguised as Adobe Flash update ...
Proving that malware propagation depends as much on people as technology. It's not their fault. Let's face it, the whole point about the Mac is that it can be used by anyone. The same holds true for other systems not supported by the vendor: for example, if you want to play Lego games, you need the Unity player. Which doesn't work for the iPad (or Linux). The solution ... the dodgy site offering you a solution, for which you need to resolve your malware infestation. The answer? Gawd knows. Digitally sign stuff? Perhaps. Educate users? Perhaps? Revert to pen and paper? Certainly! But, so far it's not widespread. The final solution? Gulp ... anti-malware. What, even on the Mac? chin chin @InfosecChap

Monday 26 September 2011

I say

She’ll be right mate
It's all about risk perception. "It can't - won't - happen to me". The fact is, it's probably true. High impact, low probability equals, not medium risk, but low risk. It's not the end of the story. In the example of the restaurant owner, didn't they buy insurance? In the UK, a visit to the doctor and medication is free: there's a whole psychology of the ill in there too. If the effect is two steps away from the cause, it's quite understandable that the two are not correlated in vernacular risk assessments. chin chin @infosecchap
Is SIEM security technology dead and buried?
 >> SIEM: Dead or alive?
Some companies view cloud computing as a threat to their IT security  
Hmm. I wonder what a cloud actually is ... a datacentre, but we won't tell you where the data is. Cloud services can be used to nick data in ways hitherto undreamt of. Organisations need good protection against this and they need to take the threats seriously. Main problem, though, is where on earth is your data and how do you know it's safe? chin chin @InfosecChap

9 hot IT skills for 2012  
Phew, my skills are still in demand ... ish. The problem, of course, is that as the technology matures it becomes commoditised, which makes it cheaper and liable to outsourcing. We move away from the pure techie and into business, and therein lies the problem: how to turn a commodity into business value. I suspect that the skill set is changing, moving into specific monitoring and becoming more corporate. chin chin @infosecchap
The Threat Landscape in Africa & the Internet Governance Forum  
I wonder if the spread of malware is related to OS penetration? I'd be intrigued to know who is using what. And what is licenced! The 419 scam, while not technical, surely should be registered here? Where are the botnets, and what about the same information for China? chin chin @infosecchap

Friday 23 September 2011

I say

GCHQ appoints cyber skills consortium
http://www.publicservice.co.uk/news_story.asp?id=17523
"Good news that Royal Holloway is giving some intellectual credibility to the whole thing. I was rather concerned that it might end up as a CISSP show boat. Shame that GCHQ can't offer decent salaries, but you know the people who want to work at Google might just not get the DV .. chin chin infosecchap"
Data centre security: how safe is your data?
Relentless Intrusion Detection? That's a new term to me. But it sounds (a) effective; and (b) expensive. I've never yet found a cheap solution to IDS, log reviewing or protective monitoring (as required in the UK by GPG 13). I'd be really interested in how the service model works, especially what the incident response is. For generic hosting it's going to be hard to do anything other than alert-on-a-port-scan, and you get that all the time. chin chin InfosecChap
Boot up: iPads in journalism, teach kids to code, celeb phone hacking and more
HTML5 standard may neglect important security issues
Eh? Well, that's par for the course. I don't think that the RFCs really take a holistic view of security. But then why would they? It's only one aspect and, to be fair, it's probably not the most important one. What is important? Getting your standard approved! Call me an old cynic, but most people don't "get" security, so it's not surprising when it fails to materialise. They have other things to worry about and, let's face it, IA is an ever evolving beast and quite simply hard to get right. chin chin @InfosecChap
SIEM: Dead or alive?
Good lord, another one dies? SIEM is an expensive solution, expensive in terms of people and potentially expensive in terms of technology. Though one can do SIEM with Notepad and Excel (though the proper IA wonks amongst us would only use vi), a nice aggregation tool really helps. The issue is the investigation, the remediation, the incident handling. On an estate of anything above a couple of hosts, it's a nightmare to do properly. Of course most solution providers will say that they have a jolly old SOC, but one has to peer behind the curtain to see exactly what's going on there. This is exactly why GPG13 is so hard to get right, that and the fact that the IA community keep changing their minds. It does have its place, so rumours of its death are, I think, exaggerated. For now, until the next killer solution comes along. chin chin infosecchap
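To make the "SIEM with Notepad and Excel" remark concrete, here is an added example (not from the post, and not any vendor's code) of the aggregation step that is the easy part: parse a handful of constructed sshd-style log lines, group failures per source address, and raise an alert when a source produces several failures inside a short window, noting whether a successful login followed. The log lines, the threshold of three failures and the one-minute window are all constructed assumptions; everything the script flags still lands on the desk of whoever has to investigate it, which is the hard part the post is about.

```python
"""Poor man's SIEM: aggregate constructed auth-log lines and flag failed-login bursts.
Added illustration, not from the original post. The sample lines below are
constructed, not captured from any real host; threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines using documentation address ranges (RFC 5737).
SAMPLE_LOG = """\
2011-09-23T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5100 ssh2
2011-09-23T10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.7 port 5101 ssh2
2011-09-23T10:00:05 host2 sshd[201]: Failed password for root from 203.0.113.7 port 5102 ssh2
2011-09-23T10:00:09 host1 sshd[103]: Failed password for root from 203.0.113.7 port 5103 ssh2
2011-09-23T10:00:10 host1 sshd[104]: Accepted password for root from 203.0.113.7 port 5104 ssh2
2011-09-23T10:02:00 host1 sshd[105]: Failed password for alice from 198.51.100.9 port 6000 ssh2
2011-09-23T10:30:00 host1 sshd[106]: Failed password for alice from 198.51.100.9 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are skipped.
    A real SIEM should count skipped lines, since a silent parser is a blind one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bursts(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=1)) -> list:
    """Alert on any source with >= threshold failures inside a sliding window,
    and record whether that source later logged in successfully (the case
    that needs a human to look at it first)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        burst_end = None
        for i in range(len(fails)):
            j = i
            while j >= 0 and fails[i] - fails[j] <= window:
                j -= 1
            if i - j >= threshold:        # i - j failures fall inside the window ending at fails[i]
                burst_end = fails[i]
                break
        if burst_end is None:
            continue
        success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        alerts.append({
            "src": src,
            "failures": len(fails),
            "hosts": sorted({e["host"] for e in evs}),
            "success_after_burst": success_after,
        })
    return alerts


def run() -> list:
    """Parse the constructed sample and return the alerts it produces."""
    return detect_bursts(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, the source at 203.0.113.7 produces one alert (four failures across two hosts, followed by a successful root login), while the two widely spaced failures from 198.51.100.9 do not. Correlating across hosts is where a spreadsheet stops scaling and where the aggregation tools, and the people behind them, earn their cost.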
Defence Firm Probably Hit By Spear-Phishing Attack 
Well, what do you know? A defence company attacked! Look Over There, you know China is on the no-fly zone for UK HMG employees. It's there for a reason. We see this again and again. State sponsored hackety-cracketty. You really would think that a defence company would have its defences in place. There are standards for this, penetration testing, auditing, yadda yadda. Makes you wonder what is happening that no one has found out yet. chin chin @infosecchap
Graduates sign in at PwC
Ah, bless 'em. Little itty bitty young consultants. Now they are in for a shock. It's not all shaking tins on the high street. No, it's all about what you can get on expenses. In a couple of years they'll be on the CLAS scheme and probably be my boss ... chin chin @infosecchap
(ISC)2 launches awareness foundation and member chapters  
Ah, bless 'em. I do like my CISSP, but I often wonder why I need to keep "in good standing". If they really want to "move the profession forward" then they should stop acting like a trade and be professional; unfortunately there are other organisations willing to be the professional arbiters: BCS (CITP); IISP; IEEE to name but a few. So, where's the beer then? chin chin @InfosecChap
Government invests €8.6m in an eLearning Solution
Good lord, 8.6 million for online training. Has the emperor no clothes? Call me old fashioned, but Aristotle managed perfectly well in his academy without a browser. 8m will buy a whole lot of books. "Even learning outside school time", as if. Give 'em Hacking Exposed and let 'em get on with it. I can't understand where the 8m is going. chin chin @InfosecChap

Not another password

For the love of God. The Birmingham Post have a "you must register to post a comment". Fair enough, I want to comment, you want to spam me. But that's what mailinator is for (I mean, you don't really expect me to give you my work email address, do you?).

But, get this, they have a different password policy to most of the other sites. This means I now need a whole new password.
They want an upper case letter and a number. Mind you, they don't want mixed case, so all upper case is just fine.

Why why why? They also want a post code. Now this is just silly. You want my address? Hmm, have you never heard of security? Now I've got to write another password down!!!!!

And the ultimate irony? Once signed up, you get to link to Twitter. Why bother, just use Twitter for the love of God!

Thursday 22 September 2011

i say

I say

Fall Brings More Hiring
http://blogs.cio.com/careers/16519/fall-brings-more-hiring  
 "I wonder what Delaware North had before this CIO chappie? Anyway, good to see that someone in this hospitality group takes information security seriously."
Mitsubishi Heavy falls victim to cyber attack
http://www.securityinfowatch.com/node/1322699
Virus cost us £7.2 million, says SABMiller
http://www.cfoworld.co.uk/news/technology/3305445/virus-cost-us-72-million-says-sabmiller/
"A brave admission. I wonder how exactly Conficker is to disrupt the production of beer?

That's a pretty sophisticated attack, unless it's just that the systems are so finely balanced that any slight error causes the chemicals to pour down.

Still, sage advice to know your business.

chin chin
infosecchap"


i had to say

Mitsubishi Heavy falls victim to cyber attack
http://www.securityinfowatch.com/node/1322699
The CIO of Ernst & Young speaks out
http://voicendata.ciol.com/content/speak/111092201.asp
How to hack a PCI DSS network, by Marc Bown
http://www.informationweek.in/Security/11-09-22/Compromising_a_PCI_compliant_network.aspx

Friday 16 September 2011