
2012 – Another “Massive” Credit Card Breach March 30, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

According to KrebsOnSecurity, the payment card industry has been wracked by yet another massive data breach.  The story says that Visa and MasterCard are alerting companies to a US processor that was breached.  This, according to reports, is a breach of Track 1 and Track 2 data.  For those unfamiliar with credit cards, Track 1 and Track 2 data is what is known as “magnetic stripe data”: the full contents of the card’s magnetic stripe, including the account number, expiration date and service code, plus the cardholder name on Track 1.  It is used to counterfeit cards because it contains the sensitive authentication data needed to produce a clone that works in retail (card-present) transactions, which is also why merchants and processors are prohibited from storing it after authorization.  This is the most dangerous and valuable data to criminals.

As stated on the site: “In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012.”

“We Can’t Live in Castles” – FBI Official Concedes; CyberSecurity Policy is a Failure March 28, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Laws and Legislation.

In my Google alerts today was an article from Fox News titled: “Retiring FBI Official Says Current US CyberSecurity Strategy ‘Unsustainable'”.  Shawn Henry, the FBI’s Assistant Director for CyberSecurity, refers to the increasing cyber attacks on government and corporate targets and says: “We are not winning”.  All I can say at this point is…WOW…again we are beating a dead horse!  In 2010, I said the same thing at an InfraGard event in Salt Lake City, and RSA has said the same thing.  We sound like broken records at this point.  This post will likely be a bit more pointed and blunt than most, but my frustration is mounting on the subject. For a shameless plug on my own research brief, please read: “A Failed State of Security”, now published by IDGA.

Cyber attacks against corporations, committed by individuals, are crimes.  Crimes are human acts undertaken by living, breathing, thinking human beings.  CyberSecurity, at its core, is about more than building castles to keep the princess protected.  It is also about changing human behavior to deter the criminal behavior.

“deterrence is ultimately about decisively influencing decision making.  Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[1] (more…)

Risk 102: “Security Ain’t Safety”; Putting Risk In Context March 26, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.

In reading through the volumes of blogs and LinkedIn comments on security and risk management, a common theme appeared.  When talking about risk management as it applies to security, there appears to be a temptation to use the same models and methodologies as those used in safety risk management.  Make no mistake, safety risk management is critical, and the two disciplines may overlap from time to time.  Whether analyzing auto accident risks, designing industrial equipment or undertaking any other activity, it is important to understand and analyze the risk of the activity. The difference lies in the catalyst for the events in question.  (more…)

UPDATE “Just Say No!”- to Facebook Login Request for Employment March 23, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

UPDATE: Kudos to Facebook for weighing in on this subject.  Facebook says that not only is the practice wrong, but it is a violation of Facebook’s terms of service.  Echoing what I (and others) have said, logging into someone’s FB page could expose the employer to a lawsuit.  “(W)e don’t think it’s the right thing to do,” she said. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”

I find myself posting on this subject occasionally because a neighbor, friend or other person will inform me that during an interview or application they were asked to provide their Facebook or other ‘social media’ login.  This topic seems to arise again and again, and was again highlighted on msnbc.com.  So, for those who are asking or saying: “Chris, if you have nothing to worry about, then why do you care?”  Valid question.  Let me answer.  First, if you are looking for a job, as a responsible professional person you should take care not to post inflammatory, racist, hateful or other such items on your social media.  If you are a proud member of a hate group, you may want to keep that info private.   Pictures of you doing drugs, or being arrested in New Orleans, are also probably a bad idea.  (more…)

France’s PATRIOT Act? – “Visit Website; Go to Jail” March 23, 2012

Posted by Chris Mark in Industry News, Laws and Legislation, terrorism.

In the aftermath of the murder of 7 people in France by a self-proclaimed Al Qaeda militant, France’s president Nicolas Sarkozy has proposed a sweeping law that would jail those who visit extremist websites.  “Anyone who regularly consults Internet sites which promote terror or hatred or violence will be sentenced to prison,” he told a campaign rally in Strasbourg, in eastern France. “What is possible for pedophiles should be possible for trainee terrorists and their supporters, too” 

The murders of 7 people in Toulouse were horrific.  Among those killed were a rabbi and several children at a Jewish school.  The murderer, 23-year-old Mohamad Merah, was killed by French police after a standoff.  (more…)