“Experts Around Every Corner; Part Deux” – Safes, Security, Expertise and Ignorance July 16, 2012
Posted by Chris Mark in Uncategorized. Tags: cybersecurity, expertise, information security, mark consulting group, risk management, safes, security, will rogers
“There is nothing so stupid as an educated man. If you get him off the thing he was educated in.” – Will Rogers
This weekend I was reading a major news source and was struck by an article on safes. As I have a gun safe and other safes, I thought it would be interesting to read. I have written posts before on expertise (Experts in every room). Various ‘experts’ are interviewed in the article. One in particular stood out. He said: “People need to wake up. They think they are protecting themselves, but they may actually be putting themselves at more risk.” As this was a very pointed statement (People need to wake up!)…I immediately thought that my own strategy for securing my valuables was misdirected. I continued reading to see who this expert was…He then said: “Sure you want to have some cash at home, but more than a little feels unsafe” (I have added the bold)…the expert was a man named Michael Cresh…what is his job? You are probably thinking police officer, security expert, safe expert, or something similar. You would be mistaken. He is a Certified Financial Planner. If I were asking for financial planning, this is the person I would turn to. If I am considering the purchase of a safe, I can safely say (pun intended) I could not care less what a CFP has to say unless he has some other level of expertise. His statement belies his ‘expertise’ and demonstrates that he has little understanding of physical security, or of risk analysis as it pertains to physical security (…feels unsafe).
When considering a security professional who proclaims expertise, take a very close look. Whether in maritime security, information security, personal security, or any other area of security, there are more than a few self-proclaimed experts walking the halls.
Last year I wrote a paper for companies to use when evaluating expertise in the maritime security industry. While focused on maritime security, it is relevant to all areas of expertise. You can read the article here.
“123456, password, welcome” – Yahoo Password Posted Online July 12, 2012
Posted by Chris Mark in News, PCI DSS, Risk & Risk Management. Tags: data breach, encryption, hash, InfoSec, markconsultinggroup.com, password, risk, security, yahoo
A story today on MSNBC says that Yahoo Voices was compromised and 450,000 usernames/passwords were posted online. Not surprisingly, the passwords were not hashed or otherwise protected using encryption. While the posting of passwords is nothing new, what is interesting is what the researchers found when looking at user-generated passwords. The most common passwords were ‘123456’ followed by ‘password’ and ‘welcome’. Fully 1/3 of the passwords used lower-case letters only. Here is where I get on my soapbox. According to the story:
“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”
First, strong passwords would not have helped because YAHOO WAS STORING THEM IN CLEARTEXT!…and they were stolen! Second, the company should enforce strong passwords. While all users should use strong passwords, when dealing with 450K users it is prudent to understand that some users either will not understand what a strong password is or will simply ignore the directions. Yahoo should have forced strong passwords…
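To make both points concrete, here is an added example (my own illustration, not code from Yahoo or from the MSNBC story) of what the server side should have looked like: the policy quoted above is enforced at signup, the three passwords named in the story are rejected outright, and only a salted PBKDF2 hash is ever stored. The iteration count and the constructed blocklist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed blocklist: the three most common passwords named in the story.
COMMON_PASSWORDS = {"123456", "password", "welcome"}

def policy_violations(password: str) -> list:
    """Return why a password fails the quoted policy (empty list == accepted)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(password) <= 8:                       # "more than eight characters"
        reasons.append("too short")
    if not any(c.isupper() for c in password):   # upper-case letters
        reasons.append("no upper-case letter")
    if not any(c.isdigit() for c in password):   # numbers
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):  # punctuation
        reasons.append("no punctuation")
    return reasons

# Storage: never the cleartext. PBKDF2-HMAC-SHA256 with a random per-user
# salt; the iteration count is an assumption for this illustration.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def register(password: str) -> str:
    """Enforce the policy at signup; the caller stores only the returned hash."""
    violations = policy_violations(password)
    if violations:
        raise ValueError("password rejected: " + ", ".join(violations))
    return hash_password(password)
```

Even if the hashed table leaked, a stolen record yields neither the password nor a value usable for login, which is the difference the plaintext storage threw away.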
“Facta Non Verba”- Controversial Study Details Islamic Extremist Objectives July 11, 2012
Posted by Chris Mark in Uncategorized. Tags: al qaeda, Al shababb, ASU, CSC, Islamic Extremism, James Arlandsen, Qur'an, risk, security, terrorism
The Arizona State University Center for Strategic Communication (CSC) released a controversial report this week that analyzes extremist writings and provides an opinion on the goals of extremists. As one of my favorite pastimes is beating up on “research”, I will do the same here.
The study analyzed over 2,000 extremist writings from Al Qaeda, Al Shabaab and others. According to the report, CSC says: “We conclude that verses extremists cite from the Qur’an do not suggest an aggressive offensive foe seeking domination and conquest of unbelievers, as is commonly assumed. Instead they deal with themes of victimization, dishonor, and retribution. This shows close integration with the rhetorical vision of Islamist extremists” (emphasis added). The first issue is that the study simply looks at “verses cited” from the Qur’an without delving into the more esoteric aspects of communication. It should be noted that writings by Al Qaeda are propaganda. Propaganda is defined as: “…a form of communication that is aimed at influencing the attitude of a community toward some cause or position. Propaganda is usually repeated and dispersed over a wide variety of media in order to create the chosen result in audience attitudes.” Reading propaganda alone without analyzing the context or actions is dangerous. History is filled with relevant examples that don’t need repeating in this post. While the “verses cited” may not suggest an aggressive offensive foe, the actions certainly do. Between 2004 and 2000 Al Qaeda claimed 313 attacks killing over 3,000 people. I may be a bit sensitive, but an average of 6.5 attacks per month killing an average of 62.5 people per month for 4 years certainly seems to suggest an aggressive offensive foe.
“NSA Says – Largest Transfer of Wealth…EVER”; CyberAttacks rose 44% in 2011 July 10, 2012
Posted by Chris Mark in cybersecurity, Industry News. Tags: cybersecurity, data breach, data security, deterrence theory, Keith Alexander, mark consulting group, NSA, PCI DSS, risk, security
Parroting what many in the payments industry have known for years, the NSA released a statement about the dire state of cybersecurity. According to the head of the National Security Agency, cyberattacks increased 44% in 2011 and now account for the largest “transfer of wealth in history”. According to FoxNews:
“NSA chief Keith Alexander was speaking Monday at an American Enterprise Institute event in Washington, D.C. He said that for every company that knows it has been hacked, another 100 do not know their systems have been breached. (emphasis added) The warning came on the same day that thousands of computer users were at risk of losing Internet access, due to malware that spread more than a year ago. Citing public and unclassified statistics, Alexander said Monday there are now 75 million unique pieces of malware on the loose.”
Those of us who have been in the industry for years have said that we are ‘losing the war’. I have personally been chastised for making such doom-and-gloom statements. The facts are the facts, however. Hiding our heads in the sand will not change the fact that “The criminals are absolutely ripping us to shreds,” and that “We’re losing the battle…That’s the reality of it.” (Chris Mark quoted in the Salt Lake Tribune…pic at top). In yet another push at self-promotion…you can read one reason we are losing the battle in the IDGA research brief: “A Failed State of Security”.
“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012
Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management. Tags: compliance, cybersecurity, data breach, Global Payments, mark consulting group, PCI DSS, PII, risk management, security
Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS. Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.
According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.
“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”
Based upon this statement, it seems fair to assume that Personally Identifiable Information (PII) such as Social Security numbers and bank account information may have been exposed as well.
This situation exposes the danger of using a narrowly focused, static standard as the baseline of security management rather than adopting a risk-based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen first-hand the resources consumed by the standard. Companies often appear so laser-focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedence to the PCI DSS over any other standard that does not have equivalent penalties associated with non-compliance.
As a reminder, the PCI DSS is ONLY focused on the protection of Cardholder Data. Surely some are going to say that the PCI DSS should be applied across all systems, etc., etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.
I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk-based security management.