jump to navigation

“You Are the Weakest Link! Or Are You”- Guest Post by Dr. Heather Mark June 7, 2017

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , ,
add a comment

The incomparableYATWL Dr. Heather Mark (my wife…and compliance expert) has a new blog post…

“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability are our people.  Firewalls don’t just randomly open ports.  Email clients don’t just decide to send proprietary and sensitive information to third parties.  These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information.  Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted.  Of course, we can implement technology to mitigate the risk presented by human nature.  But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make that point that we can’t be complacent.  And to a very large extent, it’s correct.  But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like.  My favorite, though, is Dateline when the story is presented by Keith Morrison.  He has a way of telling a story.  Don’t believe me?  I give you proof.”…Click here for more from Dr. Heather Mark’s Blog!

SwimOutlet.com Breached in 2016 – 51 days later..and after the holidays…we were notified. January 19, 2017

Posted by Chris Mark in Data Breach, Uncategorized.
Tags: , , , , , , , , , , ,
2 comments

swimoutletnoticeThis is a post to notify those who may be affected.  Yesterday I received the following letter in the mail.  It was sent in a nondescript envelope and nearly discarded as ‘junk mail’.  Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com.  It should be noted that the same infrastructure is used by YogaOutlet.com.  In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.

Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number ,expiration date, and CVV.  For those in the credit card industry the inclusion of CVV is very troubling.  Under the card brand operating regulations and PCI DSS standard, it is prohibited for a merchant to retain CVV subsequent to authorization of the charge.  This particular type of data (actually the CVV2 or equivalent data) is what is needed to authenticate a transaction.  In short, the likelihood of fraud increases exponentially when a criminal captures CVV2 type data.  It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.

In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification on their website.  Their blog is filled with helpful tips on swimming better and eating better but there is no mention of the fact that their user’s credit and/or debit card data was stolen.  A review of their Facebook page has the same conspicuous absence of any notification or information.  Their Twitter feed is also absent of any information.

If one looks at the timeline of events, there are some disturbing (to me, at least) items.  On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.”  On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’ yet the notice states that data may have been compromised as late as November 22nd, 2016.  I have been involved in numerous data breach investigations and incidents.  “unusual activity” notifications by credit card processors are ‘notifications of fraud’.  This is a major red flag that the merchant HAS been breached.   The notice then provides a qualified statement in saying that the beach: “…may have compromised some customers’ debit and credit card data…”  Again, if notified by the credit card processor then the data ‘may not’ have been compromised it almost certainly was compromised.

What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached.  They had confirmation as early as October 31st, 2016 of ‘unusual activity’ yet chose to wait until AFTER the holiday season to notify affected consumers.  Criminals are not stupid.  They steal credit card data before the holidays to be used over the holidays when the fraud systems are often ‘detuned’ by retailers and the volume of transactions creates noise in which fraud is often harder to identify.  By waiting until January 12th (we received the letter on January 17th, 2017) it created a situation in which we were blissfully unaware that our data had been breached.  If we had been notified before the holiday season, we could have cancelled the card immediately and been saved the inconvenience and possible cost associated with this situation.

In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.”  This would have been sage advice BEFORE the holiday season.  It begs the question why a major online retailer would wait until after CyberMonday and after the holiday season to notify of a breach?

Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’  information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”.  In light of the method and delay of notification I am going to personally take my business elsewhere.

The Danger of Biometrics for Personal Use – Limited Legal Protection October 17, 2016

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
1 comment so far

iStock_000006910296XSmall 2I have never been a proponent of using Biometrics and have frequently made jokes about  not wanting “the man” to have my finger prints.  Well, it looks like my position may have been well founded.

Recently, it was reported in Forbes.com that on May 29th, 2016 the US Government had filed a motion for the court to require residence in a Lancaster, California home to provide their fingerprints to open an iPhone.  More disturbingly, the motion called for: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” In short, they didn’t just want the finger prints they wanted to force the residents to actually ‘use their finger’ to open the phone.  The warrant was not available to the public, nor were other documents related to the case.  Like many people, I asked “how can the courts do this?”  It would seem to me like an invasion of privacy (among other things).  Marina Medvin of Medvin law said: ““They want the ability to get a warrant on the assumption that they will learn more after they have a warrant. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.”  Unfortunately, it was indeed permitted.

Is it legal?  According to the article in Forbes:

“In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.”

It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).

As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.”

We do know that the warrant was served.  It does appear that you cannot be forced to give up a passcode as it could amount to Self Incrimination under the 5th Amendment however you do not have the same protections for biometrics. This is another instance where the law has not kept pace with technology.  For this reason, and others I will not use biometrics for personal security.

“The United States is Under Attack” – CyberWar Article May 23, 2016

Posted by Chris Mark in cyberespionage, cybersecurity, Uncategorized.
Tags: , , , , , ,
add a comment

CT2013The title was a comment made in 2011 by the US House of Representatives.

In cleaning out my house for an impending move I found a copy of The Counter Terorist Magazine for which I had written an article in 2013 titled “CyberWar”.While the article is 3 years old, it still provides some valuable information and valuable lessons on the current state of Cyber War.   The US Congress has has several sessions and working groups to discuss “The Chinese Problem” related to cyber espionage and Cyber War.  You can learn more by reading my article!

1,000,000 InfoSec Job Openings in 2016! May 10, 2016

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , , ,
add a comment

ATT_Sec_Conf_2015-076A recent article in Forbes Magazine outlines the current and projected information security job market.  According to the article the current job market is valued at $75 billion and is expected to grow to $170 Billion by 220.  More profoundly, CISCO estimates that there are currently 1 million InfoSec job openings in the US with, according to Peninsula Press, 209,000 currently unfilled! According to Virginia Lehmkuhl-Dakhwe, director of the Jay Pinson STEM Education Center at San Jose State University “The number of jobs in information security is going to grow tenfold in the next 10 years,”

I have been fortunate to have had a great career in information security over the past 15 years.  While my experience is unique, I have had opportunity to travel the World and work with some of the largest, and most complex companies around.  I have spoken at scores of events and have published dozens of articles and white papers.

Last year I wrote a blog post about how to get into the InfoSec career field.  Two things that many people may want to know off the bat.  1) a College Degree is NOT required (although often very helpful) and 2) The pay is VERY good. (basic supply and demand).  In my experience most people could probably get into the field with anywhere from 9-18 months of self-study.  You can get in quicker if you attend course.  For more information, please read my blog post: Getting Info Information Assurance Careers.

%d bloggers like this: