jump to navigation

Update on Blogging and New Articles in TransactionWorld March 8, 2013

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News.
Tags: , , , , , , , ,
add a comment

March coverI want to apologize for not blogging as frequently.  My new job has me hopping at the moment and I am writing extensively for AT&T’s Networking Exchange Blog.  You can check out my blog posts at AT&T’s Networking Exchange Blog .  In addition to my own articles, there are a number of other valable posts from other contributors.  Finally, Heather Mark and I both have articles in the March edition of TransactionWorld Magazine.  You can read Heather’s article here and Chris’ article here.

Chris Mark’s Article in “The Counter Terrorist Magazine” January 28, 2013

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

CT2013I received my copy of February/March 2013 International edition of The Counter Terrorist Magazine and imagine my surprise when I am the cover article!  I have written for a number of publications but I have to say my favorite is The Counter Terrorist.  It is a great periodical for anyone interested in World affairs, Terrorism, and Counter Terrorism.  My article is titled “World Cyber War”.  In the article I talk about the differences in the perspectives of war between the East and the West, as well as provide examples of how cyber operations have already been used to further national interests.  China is highlighted for their interpretations of war and warfare in “Unlimited War”, as well as Russia, and a few others.  Overall, I think it is one of my better articles.  To read The Counter Terrorist, you must subscribe either online or in print.  Check out…The Counter Terrorist Magazine.

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built in protections on payment cards.  As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the social security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold.  After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

“Why does the FBI have your UDID (and 12.4 million more)?” FBI Laptop Hacked…1 million Apple IDS posted online September 4, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

*UPDATE* It was reported yesterday that the FBI laptop was not, in fact, the source of UUIDs that were hacked.  A company called Blue Toad revealed that it was the source of the stolen ids.  It’s not clear how the data was stolen from Blue Toad or what, if any relationship exists between the company and the laptop that was first identified as the source of the breach.***

According to NBC News, hackers associated with the anti-government group AntiSec have hacked an FBI Agent’s laptop and posted over 1 million Apple Unique Device Identification Number or UDIDs online.   The Apple UDID is used by Apple to determine what applications are running and to lock down the phones, IPads and computers from other applications.  Alone, they do not represent personally identifiable information but However, New Zealand-based security researcher Aldo Cortesi has shown that thanks to disregard of Apple’s security guidelines by iOS game and app developers, it’s possible to determine a user’s identity through an UDID alone.  According to the story:

“The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force. “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” the posting states. “During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.”

Why the FBI has such a list of over 12 million UDIDs is an interesting question. Why the list would be on a laptop is another interesting question. To check whether your iPhone, iPad or iPod Touch’s UDID might be among those affected, a Unix developer based in Florida has already posted a tool: http://kimosabe.net/test.html