Saturday 15 October 2011

I say

How an email hacker ruined my life and then tried to sell it back to me
As previously noted, you get what you pay for.  There is a reason that one has to keep passwords secure.

The real irony in these anonymous web mail systems is what happens if you want to reset your account and you don't have your own password.  One can enrol in gmail, yahoo mail, tiscali or whatever with no outlay and no identity checks.  If one then, say, forgets the password and wants to close the account, one ends up in the bizarre world where the mail company wants you to prove who you are.

There has to be a better way.

The problem that we have is the number of passwords we need to recall so there are bound to be overlaps.

One option is to register your own domain and then to pay £30 per month for a small company to manage your mail for you.  Then if something goes wrong, you know you can speak to a real person.

InfosecChap

‘Sexting’: Perceptions, Realities & Indecent Images of Children
It is indeed a scary world.  There is a toxic combination of Parent + Photographer + PC that should send a chill up all our spines.

But the combination of Adolescent+Hormones+Camera equals Register.

Scary world.
 
Hacking Activity Detected By Sony
Protective Monitoring and SIEM are supposed to be the new silver bullet.  It's getting the government all fired up.

Looks like Sony's attempt is working.  Just in time!

InfosecChap

Where Can I Learn More About Computer And Internet Security? #2 Naked Security
Agreed.  The Sophos blog is one of the best out there.  They are obviously spending money to generate good content and they seem to allow their employees the freedom to pursue their own interests.

How many people do they have working for Sophos and how many on the blog?  An interesting metric would be the percentage of researchers vs bloggers vs staff.  Even the big consultancies don't seem to have this level of commitment.  I can only assume that Sophos employ people who are bloggers and who can make a name for themselves.

I do wonder what the editorial control from Sophos is, though.  I know many companies that would love a high quality blog but they just won't let their staff run loose.

HP also have a good blog, though the recent Mary Ann Davidson spat on the Oracle blog shows how sometimes things do get interesting.

Naked Security?  Try Naked Mentalism too!
chin chin
@infosecChap
Technical Whitepaper - "Tracking Performance of Software Security Assurance - 5 Essential KPIs"
Agree entirely about using KPIs, though I wonder how one relates software defects to security vulnerabilities?  Is it possible to have zero defects but to have plenty of vulnerabilities?  Or to have no vulnerabilities but still to have defects?  Or are the defects only security defects, in which case fair point.

I'd be interested to know how this works in reality:  I suspect that most software producers just want to get their product into production, rather than undertake vast historical analytics.  When I read the title I expected a view on SIEM; I'd be interested to know what operational security KPIs you are currently using, other than patching perhaps.  I guess that having all in one place would enable an holistic approach to be implemented.

InfosecChap

Friday 14 October 2011

I say

The True Price of Being Hacked [??]
PCI DSS only exists to protect the card issuer and the bank.  It transfers risk to the merchant.  What would be really interesting is how much the PCI DSS fines are.  I suspect that they are not very much and I suspect that they are rarely enforced.

It's all about reputation: Sony = big deal.  Bikesonline site (hacked recently, lots of losses) = not so big.

I wonder what else happened to deliver the drop in card fraud.  Chip and PIN?  That's not in my interests, as any loss incurred through chip and PIN is now my liability, whereas it used to be the bank's.

chin chin
@infosecchap
UK government says it can attract and retain the cyber defence skills it needs
The whole problem here is that HMG don't pay the same as industry.  A CLAS, CHECK or similar contractor can command around £700 per day.  That's about £140K just for following orders.  Even as a permie the salaries are in the £50 to £80K range.  A reasonable amount when you consider that this is about what a Senior Civil Servant grade gets at Grade 7 and above. 

I thought that GCHQ/CESG were getting into bed with the BCS and IISP to professionalise the industry.  They should be using that in their internal teams.

Business survey shows ballooning security budgets
Security and information assurance has to become a commodity item.  Security As A Service.  Pen testing over t'web and managed offerings are what it's all about.  There are no end of vendors who do this:  Vistorm (before it dissolved into HP) and Integralis for example.

As time moves on, the technology gets more sophisticated, costs get reduced and we outsource.  We are always playing catch up, but being smarter means spending less and being more focussed.

chin chin
infosecchap

Tuesday 4 October 2011

I say

Cyberspace is defined as "an electronic medium through which information is created, transmitted, received, stored, processed and deleted" (referenced).  So there you go.

U.S., Russia slowly improve cybersecurity cooperation
The report in this article defines cyberspace as "an electronic medium through which information is created, transmitted, received, stored, processed and deleted".  I suppose that's as good a definition as we can get, if we are not to worry about the etymology as being skilled in governing!  I think that the Chinese do more than just "harbour" hackers, don't they?

InfosecChap

Vision 2011: Symantec set for £1bn splurge on cloud and mobile buys
In the good old days they were merely AV touts.  Now, they are burning their way across the infosec landscape.  I'm sure that they have done the analysis, but securing "the cloud" (whatever that means) is more than just slapping a DLP box on the perimeter.  I'd like to see their detailed strategy.

@InfosecChap

Monday 3 October 2011

I say

Former #scmagazineuk Information Security Person of the Year becomes KPMG partner  
congratz!
What identity management strategies should enterprises deploy for cloud environments?  
I would like to see differing federated identities for differing purposes.  I despair at the number of passwords I have to remember.  I despair that I have to sign up with password/email/userID credentials on multiple sites.  There is no benefit to this for the end user, no benefit to the organisation and no benefit to the consumer.  While the Twitter OAuth, the Google ID and the others mentioned in the article are great, they do rely on having separate identities that ultimately return back.

A better approach would be (could be?) a security ring of IDs.

Inner ring: the government stuff, bank accounts.  It may be that the paranoid amongst us would prefer to have separate IDs for these to prevent a single loss ripping out our private hearts.

Next ring: the identities that could do me financial harm.  Amazon and the plethora of web sites I have a commercial relationship with or where I have submitted my credit card: I don't want to sign up to a web site in order to buy its goods.

Next ring: identities that could embarrass me.  Facebook, Twitter, LinkedIn.

Next ring: identities that I use for fora or subscriptions.

Next ring: the anonymous identities I use for making one-off comments on web sites.

All that is needed is for more sites to accept federated IDs and for the developer community (eg phpBB, open CMS etc) to accept the multiple federated ID models.

Now that's fixed we can move on to corporate user IDs.  A major problem is user attestation where user accounts are not deleted and user rights are never challenged.  This can be addressed by auditing and team leaders signing off access every six months.  No sign off: no access.  Simple.  The retail banks do this, so can you.
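One way to mechanise the six-month attestation rule above, as an added example that is not part of the original post: the account list, staff list, sign-off records and the review date are constructed, and the split into "delete" (leaver never removed) and "revoke" (rights never challenged) is my reading of the two problems the post names.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post): corporate accounts, the HR
# list of current staff, and the access sign-offs team leaders have recorded.
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]
CURRENT_STAFF = {"alice", "bob", "carol", "dave"}   # erin has left the firm
SIGN_OFFS = [
    # (account, reviewing team leader, date of sign-off)
    ("alice", "tl-ops", date(2011, 8, 1)),
    ("bob", "tl-ops", date(2011, 2, 1)),            # older than six months
    ("carol", "tl-dev", date(2011, 9, 30)),
    # dave has never been signed off; erin was signed off but has since left
    ("erin", "tl-dev", date(2011, 9, 1)),
]
REVIEW_PERIOD = timedelta(days=182)   # "every six months"
TODAY = date(2011, 10, 3)             # constructed review date


def attest(accounts, current_staff, sign_offs, today, period=REVIEW_PERIOD):
    """Apply "no sign off: no access" and return the actions to take.

    delete: the account holder is no longer on the staff list (leaver never removed)
    revoke: no sign-off within `period` (rights never challenged)
    keep:   current staff member with a recent sign-off
    """
    # Latest sign-off per account; earlier sign-offs do not count.
    latest = {}
    for account, _reviewer, when in sign_offs:
        if account not in latest or when > latest[account]:
            latest[account] = when

    result = {"delete": [], "revoke": [], "keep": []}
    for account in sorted(accounts):
        if account not in current_staff:
            result["delete"].append(account)   # leaver: delete outright
        elif account not in latest or today - latest[account] > period:
            result["revoke"].append(account)   # never or too long ago signed off
        else:
            result["keep"].append(account)
    return result


if __name__ == "__main__":
    for action, names in attest(ACCOUNTS, CURRENT_STAFF, SIGN_OFFS, TODAY).items():
        print(f"{action}: {', '.join(names) or '-'}")
```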

Sunday 2 October 2011

I say

NTRO’s ethical hackers to conquer China
I'd have thought that the government would have a "cyber" team on board?  Hiring crackers?  That's a cracking good idea, but surely not news?  What would be interesting would be to know exactly what the Chinese threat is assessed to be.

chin chin
InfosecChap