Foreign Security Team to Face Trial in Somalia February 6, 2012
Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management. Tags: Chris Mark, maritime piracy, Maritime Security, Ransom, security
SomaliaReport published a story today reporting that six men arrested in May 2010 for bringing $3.6 million into Somalia as a ransom payment for a hijacked vessel will appear in Banadir Court on Thursday to face charges. The six, one American, three Britons, and two Kenyans, have been held at the airport since their arrest, which the story puts at nine months ago. According to the story, the money was to be used to secure the release of two vessels, the MV Suez and the MV Yuan Xiang.
Randy Abbott’s Apology & Paralysis February 3, 2012
Posted by Chris Mark in Uncategorized. Tags: 1st Recon, Apology, disability, Fake, Paralyzed, randy abbott, Recon, sniper, Stolen Valor, Surfer
On August 23, 2014 this blog received a comment on the post titled “Randy Abbott – Paralyzed Surfer who was robbed..” from Mr. Randy Abbott. In the apology he says simply:
“Mr. Mark, I personally want to apologize to you for being dishonest and lying about what I did in the military. I apologize for dishonoring you and all other Recon Scout/Snipers with my actions and dishonesty. I do not know how to reach out to all of them, I’m asking if you could please pass on my message of apology for my dishonesty and lying.”
This apology is consistent with other apologies Mr. Abbott has provided to ThisAintHell and the WoundedTimes Blog. After Mr. Abbott’s exposure, numerous people contacted me, and others, with stories related to his “charity” The View from 42 and other items. Investigation into The View from 42 demonstrated that it was not an existing not-for-profit charity.
While Mr. Abbott has acknowledged he lied about his military service, and while it has been discovered that The View from 42 is not a nonprofit charity recognized by either the IRS or the state of California, I do not dispute that Mr. Abbott is disabled. I have received numerous communications from people very close to Mr. Abbott questioning his disability; those have remained unpublished. The reasons are simple: 1) I am not a doctor and cannot speak to any form of paralysis, and 2) as the father of a special needs child, I would not presume to question someone else’s disability.
My objective with the post was simply to question Mr. Abbott’s claims of being a Marine Corps Scout/Sniper, Reconnaissance Marine and Combat Veteran. This, I felt, was a matter of public interest, as Mr. Abbott had made statements and allowed numerous articles, news reports and other media to present him as a Scout/Sniper, among other things. As can be seen from the post on ThisAintHell where he was exposed for lying about his service, from the statement above, and from his apologies posted here and here, Mr. Abbott admitted he lied. Given Mr. Abbott’s admitted lies about his military service, it certainly seems understandable to me if people were to question any other claim made by Mr. Abbott.
Chris Mark Speaking at Combating Piracy Week in Hamburg February 2, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management. Tags: Chris Mark, combating piracy week, cyberpiracy, hanson wade, InfoSec, Maritime Security, Piracy & Maritime Security, risk management, security
I will be speaking at Combating Piracy Week in Hamburg, Germany on the topic of CyberSecurity & CyberEspionage. The talk will focus on who is trying to steal your data and why. It will also cover the technologies and tactics used to steal corporate data and what that data is used for. You can get a preview of the topic by reading the Maritime Executive article in which I was interviewed.
If you have not attended one of the Hanson Wade piracy events, it is worth attending. Hanson Wade’s personnel do a great job of coordinating networking, and the speakers are all very professional and very adept. I have had the opportunity to speak at nearly 100 events in the past 12 years or so, and I would put the Hanson Wade events in the top 5 in terms of value for the money. I highly recommend this event for security companies that want to meet decision makers and speak with the people who influence the industry from a security perspective.
A Rant about Risk- Rock Climbing with a 2 year old January 31, 2012
Posted by Chris Mark in Risk & Risk Management. Tags: Chris Mark, InfoSec, mark consulting group, Piracy & Maritime Security, privacy, risk management
Today on NBC Sports there was an article about a woman rock climbing with her 2-year-old strapped to her back. The toddler is not wearing a helmet. When asked, she explained: “I can appreciate if you didn’t realize how safe the environment I was in, it could be worrying, but I was top-roping which means if you fall you don’t fall any further than where you came off.” She further opined: “It is the safest form of climbing you can do…Health and safety legislation and the sue and blame culture mean so many people are nervous, so afraid of getting into trouble, and taking small risks. Life is all about risks, whether that’s something as simple as getting in your car every day or climbing up a rock face.” This reminded me of a debate I had several years ago.
I was talking with a company about protecting personally identifiable information (PII) as required by law. The company’s response was: “It is too expensive to comply. I will take the risk.” The problem is that the data they are required to protect is not their information. While the data itself (the bits and bytes) may belong to the company, the information those bits and bytes represent is the property of the person to whom it refers. In short, it is not the company’s risk to assume, because it is not their property. If I want to publish my own personal data on the Internet, I can do so and assume the risk; it is my data. A third party cannot assume risk on my behalf without my permission. This is why companies are required to protect PII, NPI, PHI, and other forms of personal data.
In much the same way, this woman can free climb naked (alone) if she chooses. It is her risk to assume. That her style of climbing is the safest does not mean it is without risk. It is less risky than free climbing, but any form of rock climbing is an inherently risky activity. The 2-year-old does not have the ability to say whether she wants to climb or not. Where I take issue with the woman is her attitude of “life is all about risks…” Granted, but some people’s lives are about taking more risks than others. As adults we can make the decision to BASE jump, free climb, skydive, or race motorcycles. When we include others in our risky behavior without their consent, it becomes problematic.
“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, InfoSec, mark consulting group, privacy, risk management, security
In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security. More often than not these statements are little more than “geek speak” written to give consumers and others peace of mind, yet they don’t really provide any information on the security posture of the company. In the vast majority of cases the statements are ‘marketing fluff’ and provide little value. Here are some of the more common and interesting statements I have come across:
-”We use industry leading encryption, including SSL, to protect your data as it is transmitted to us.” Encrypting credit card data in transit is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice! That a company feels compelled to state it uses SSL to protect transmitted data leads to more questions. The statement says nothing about how your data is used (a privacy discussion), nor about whether the stored data is adequately protected by encryption or other controls. SSL protects data only while it is on the wire between you and the company; it is a very small piece of the puzzle.
-”We use multi-tiered firewall controls to protect sensitive data.” Again, multi-tiered network architectures are required by the Payment Card Industry Data Security Standard (PCI DSS), and given that we are now in the year 2012, operating without a multi-tiered network would be irresponsible at best. This statement only says that the company has implemented firewalls between various segments of its network, and suggests that it is not operating a ‘flat’ network in which every system can touch every other system (very 2003). It says nothing about whether the devices are configured correctly (rule sets, default-deny, change control), nor does it differentiate between application layer and network layer firewalls. (More geek speak to confuse and confound.)
-”All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building used to house computer servers, typically for a number of different clients. Data centers are designed with safety, physical security, and redundancy in mind. The fact that data is housed in a 4th generation data center provides no information on the technical security controls implemented to protect customer data. It simply means that someone who wanted to physically steal the computer would be challenged.
-”We use robust encryption and change the encryption key at least annually.” The use of encryption technology is a good step, but encryption is only as good as the algorithms used and the key management employed. This statement simply says that, once again, the company is following industry accepted controls. While changing encryption keys periodically is good practice, the statement says nothing about how the keys are generated, stored, and protected in the intervening periods, who can access them, whether data encrypted under the old key is re-encrypted, what data is encrypted, or what access controls are in place.
When evaluating a company with which to do business, take the time to really ask the difficult questions about security. Simply reading website information will not give you assurance that the company is protecting your data. In some cases the information provided is not merely irrelevant but may give the buyer a false sense of security. By using ‘geek speak’ it is easy to convince a non-techie that the company is doing the right things. If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or another trusted party to support you in your evaluation.
