22 Arrested in Iranian Backed Plot Against US and Israeli Embassies March 14, 2012
Posted by Chris Mark in Industry News, Risk & Risk Management, terrorism.Tags: Azerbaijain, Chris Mark, Iran, risk management, security, Stuxnet, terrorism
add a comment
According to FoxNews and Agence France Presse, 22 people have been arrested inside Azerbaijan suspected of planning attacks against the US and Israeli embassies inside Baku. According to the reports, the attacks were planned for the benefit of Iran.
“Twenty-two citizens of Azerbaijan have been arrested by the national security ministry for cooperating with the Iranian Sepah,” the ministry said, referring to the Iranian Revolutionary Guards, according to AFP. “On orders of the Sepah, they were to commit terrorist acts against the US, Israeli and other Western states’ embassies and the embassies’ employees.” (more…)
The Carpenter, Not the Hammer, Builds the House March 8, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, weapons and tactics.Tags: Chris Mark, cybersecurity, InfoSec, mark consulting group, risk management, security
add a comment
I was in a discussion yesterday with a friend of mine who happens to be the Editor in Chief of The Counter Terrorist Magazine. Chris and I served together long ago and I always enjoy talking to him as he is one of the most insightful people I know. He mentioned what he felt was the over reliance on technology in CT operations and how it was causing people to lose sight of the fact that it is the people that matter and not the tools.
I find this particularly relevant in all areas of security but especially in information security. In a past life I operated as a Marine Scout/Sniper. When my civilian friends learn of this, it is not uncommon for me to hear the question: “What is the best rifle to use?” (more…)
“A Failed State of Security”; Deterrence Theory & CyberCrime (Research Brief) March 5, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, cybersecurity, data breach, data security, deterrence theory, markconsultinggroup.com, PCI DSS, security
add a comment
Expanding on the concept of Rational Deterrence and its effect on crime, we have published a research brief on Deterrence Theory and Its Effect on CyberCrime. The brief outlines the failing strategy of compelling companies to prevent breaches without deterring those who commit the crimes. You download the brief (all 25 pages) here. Below is a short excerpt:
“At RSA’s annual security convention, the head of the Federal Bureau of Investigation, Mr. Robert Mueller stated, on February 28th, 2012, ominously: “There are only two types of companies. Those that have been hacked and those that will be.”[1] At the same event, the CEO of RSA, told the audience: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[2] The comments, while accurate, are late in coming. RSA, one of the worlds’ largest security vendors, was breached in 2011. The breach was more than a simple theft of customer data. The breach was a theft of intellectual property that compromised the infrastructure of RSA’s 2-factor authentication system known as SecureID. This potentially exposed thousands (if not more) of companies to a bypass of their own access control mechanism.
RSA’s CEO then continued: (more…)
“Don’t Eat Your Hash without Salt”- Zappos Data Theft February 29, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, cybersecurity, data breach, hashing, InfoSec, mark consulting group, MD5, security, zappos
1 comment so far
On January 12, 2017 it was announced on MSNBC.com that an Amazon owned shoe company, Zappos, experienced a data breach of more than 24 million accounts. According to the report, the breach captured the names, email addresses, telephone numbers, last four digits of the credit card, and the “cryptographically scrambled passwords”. The report on MSNBC then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.
The description of ‘cryptographically scrambled’ passwords is referring to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm like MD5, SHA1, SHA256 is called ‘one way’ because the same input will always result in the same output. If given the output, it approaches mathematical impossibility (because nothing is truly impossible) to derive the input. Why would you want a ‘one way hash’ to secure passwords? (more…)
“New cybersecurity reality: Attackers are winning” – You don’t say? February 29, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: arthur coviello, Chris Mark, cybersecurity, mark consulting group, RSA, SecureID, security
add a comment
The title of this blog was taken from a CNN article published today which quotes RSA chief executive Arthur Coviello. The article, and Mr. Coviello, finally concede that the bad guys (cyberthieves, hackers, hactivists) are “winning”. Forgive my cynicism but this has been well known for some time and loudly proclaimed by numerous people. “In the area of cybercrime, it’s the criminals who are winning.”; “The criminals are absolutely ripping us to shreds, We’re not even slowing them down.” ;“We’re losing the battle, That’s the reality of it.” This was not a comment by RSA from 2012 rather a comment by me (Chris Mark) in October 2010 at an InfraGard meeting at which I was speaking. You can read the Salt Lake Tribune Article here.
The point is not for me to attempt to say “I told you so” rather to point out that what RSA is, in 2012, finally conceding has been well known, and acknowledged for some time by numerous others within the area of cybersecurity. It is not until RSA experienced their own breach of their vaunted SecureID system that they recognize that they are as fallible as the rest. As stated by Mr. Coviello: “Our networks will be penetrated. We should no longer be surprised by this.” RSA further states: “The reality today is that we are in a race with our adversaries, and right now, more often than not, they are winning.”
The issue at hand is one that is familiar to those who have worked in the payment card or other industries for any amount of time. It is a sense of arrogance and infallibility until it is your own network that is penetrated. At that point we often see companies conceding what it appears RSA is conceding here. (not their quote) “If we can be breached then there is no hope for anyone.” The point is security should not be reactive. Companies need to recognize the threat before it hits their own networks and should take steps to address the vulnerabilities and mitigate the risk. I am personally a fan of SecureID and two-factor authentication and have recommended RSA more times than I can count. That being said, there appears to have been a degree of complacency on their part and now their mea culpa is to concede that “we are losing the battle”.