
“Viva La Revolucion!”- Social Media; The New Yellow Journalism? May 3, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management.

In the late 19th Century, a phenomenon known as ‘yellow journalism’ took hold as newspapers battled for market share. More specifically, it was the battle between Joseph Pulitzer and William Randolph Hearst which fostered the coining of the phrase. At a high level, Yellow Journalism is defined as: “…a type of journalism that presents little or no legitimate well-researched news and instead uses eye-catching headlines to sell more newspapers.[1] Techniques may include exaggerations of news events, scandal-mongering, or sensationalism.” In fact, Yellow Journalism was blamed for the start of the Spanish-American War. In response, responsible journalists founded organizations such as the Society of Professional Journalists (founded 1909) and developed codes of ethics and responsible reporting. Today, responsible, professional journalists adhere to a code of ethics or canons which dictate that they will report the truth accurately. As stated by the SPJ: “Seek Truth and Report It”. While some bend the rules, most reporters are accurate and professional.

With the rise of “bloggers” (this author included) and other social media ‘experts’, could it be that we are seeing the rise of a new wave of ‘Yellow Journalism’? (more…)

Porn, Steganography & Al Qaeda = Bad News May 2, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, terrorism.

“Believe half of what you see and nothing that you hear”…Benjamin Franklin

Recently it was disclosed that German cryptographers had managed to decipher plans taken from an Al Qaeda operator who had a memory card confiscated. According to the story: “On May 16 last year, a 22-year-old Austrian named Maqsood Lodin was being questioned by police in Berlin. He had recently returned from Pakistan via Budapest, Hungary, and then traveled overland to Germany. His interrogators were surprised to find that hidden in his underpants were a digital storage device and memory cards. Buried inside them was a pornographic video called “Kick Ass” — and a file marked “Sexy Tanja.”” As stated on Gary Kessler’s website: (more…)

Random Thoughts On Piracy Summit (I have to talk about guns a little ;) May 1, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management.

In reflecting upon the Piracy Europe event in Hamburg that I attended last week, I was struck by a few things that were said and proposed. The speakers were generally very good, although the material is getting a bit old at this point. With piracy at near 2007 levels, security vendors are scrambling to convince shipping companies that they are still needed. Selling on Fear, Uncertainty, and Doubt (FUD) seems to be the new way of business development.

With regard to the security vendors, there appeared to be two distinct perspectives on how to stop pirates. Neither seemed appropriate. One company had a rep get up and show a picture of himself with a Barrett .50 cal SASR (special application scoped rifle) (shown in the pic above with the very skilled, handsome and smart USMC Sniper…yeah, it’s me). The intimation was that if you have larger guns, you have more ‘firepower’ and thus better security. This is a very simplistic way of thinking about security and demonstrates one of the challenges of maritime security. Security is not about technology…it is about people, strategies, and tactics. Tools (such as weapons) are useful, but only if employed correctly. You can read the whitepaper “Weapons and Tactics in the Prevention of Piracy” here. This “goons with guns” approach was not well received and, quite frankly, I felt it perpetuated what the attendees think of American security…knuckle-dragging goons with guns. Blackwater is alive and well in the minds of most of those who attended the event. (more…)

Chris Mark Speaking in London- “Hactivists, CyberSpies, & Thieves: Risk & Data Centric Security” April 18, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.

On June 19th, Chris Mark (that is me ;) will be hosting a workshop at the CISO Intelligence Forum: Energy in London, England. My particular workshop will be titled: “How to select a security vendor”. Not really…that was a bad joke 😉 (security geeks get it). The 1/2 day workshop will be titled: “Hactivists, CyberSpies, and Data Thieves: A Discussion of Risk & Data Centric Approaches to Security”. You can download the brochure here. While my own workshop is sure to be the most well attended (another bad joke), I do have to give some props to the other speakers. This event has some top shelf talent speaking, including speakers from the PCI SSC, Lanco, SOCA, and Northrop Grumman, among others. If you are looking for solid information on data security in the energy segment, this is the place to be.

“Blaming the Victim and the PCI DSS is…Passe”- PCI DSS; GlobalPayments & Data Theft April 1, 2012

Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.

In an effort to beat the “PCI Evangelists”, “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening. By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and, no doubt, many will have already condemned the company for “PCI DSS non-compliance” or being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security. Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.

Before they are condemned I want to go on record and say it is NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland WorldPay and many more before them, GlobalPayments has been held out as the paragon of PCI DSS compliance for years. Now that they have been breached they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider” will have either been revoked by the card brands or be under “review”. In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated” and so on. Neither of these positions is accurate.

Here it goes…(drum roll please)…

The PCI DSS is a solid set of information security controls and represents minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities. (more…)