
The Carpenter, Not the Hammer, Builds the House March 8, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, weapons and tactics.

I was in a discussion yesterday with a friend of mine who happens to be the Editor in Chief of The Counter Terrorist Magazine. Chris and I served together long ago, and I always enjoy talking to him, as he is one of the most insightful people I know. He mentioned what he felt was the over-reliance on technology in CT operations and how it was causing people to lose sight of the fact that it is the people that matter and not the tools.

I find this particularly relevant in all areas of security, but especially in information security. In a past life I operated as a Marine Scout/Sniper. When my civilian friends learn of this, it is not uncommon for me to hear the question: “What is the best rifle to use?” (more…)

Turncoat Rolls on Anonymous March 7, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

This is a post I struggled to write. I struggle because I do not personally agree with LulzSec’s or Anonymous’ objectives and tactics, but this post is not about their tactics or views. Rather, it is a discussion of ethics and honor between people and of the lessons to be learned about human behavior. The links have some very interesting stories of how “Sabu” turned on his own group.

As a young Marine I remember an old, salty GySgt telling us: “Courage is not a lack of fear. That’s what we call crazy. Courage is being afraid and still being able to act in the face of your fear.” (more…)

“A Failed State of Security”; Deterrence Theory & CyberCrime (Research Brief) March 5, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.

Expanding on the concept of Rational Deterrence and its effect on crime, we have published a research brief on Deterrence Theory and Its Effect on CyberCrime. The brief outlines the failing strategy of compelling companies to prevent breaches without deterring those who commit the crimes. You can download the brief (all 25 pages) here. Below is a short excerpt:

“At RSA’s annual security convention, on February 28th, 2012, the head of the Federal Bureau of Investigation, Mr. Robert Mueller, stated ominously: “There are only two types of companies. Those that have been hacked and those that will be.”[1] At the same event, the CEO of RSA told the audience: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[2] The comments, while accurate, are late in coming. RSA, one of the world’s largest security vendors, was breached in 2011. The breach was more than a simple theft of customer data. It was a theft of intellectual property that compromised the infrastructure of RSA’s two-factor authentication system, SecurID. This potentially exposed thousands (if not more) of companies to a bypass of their own access control mechanism.

RSA’s CEO then continued: (more…)

(URGENT) NASA’s JPL “pwnd” (owned) by Chinese Hackers March 1, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

According to a report on Foxnews, Chinese hackers took control of NASA’s Jet Propulsion Laboratory in November 2011. According to a report issued by the Inspector General, the hackers had sufficient control that it “…could have allowed them to delete sensitive files, add user accounts to mission-critical systems, upload hacking tools, and more.” He further stated: “The attackers had full functional control over these networks.” The information appears in the report released on February 26th, 2012, titled (download here): “NASA Cybersecurity: An Examination of The Agency’s Information Security.”

The report further stated: “In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems,” … “These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit.”

This is yet another example of the sophistication of hackers. It is no longer feasible to rely upon network or even application layer controls. It is imperative that companies protect the proverbial crown jewels with encryption. On that note (I have no relation to the company at all), one of my favorite encryption vendors is a company called Vormetric. Check out their website here or visit their blog here.

“Goodnight Sweetheart, It’s Time To Go…” Away from Gmail…over Privacy March 1, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

Starting today, Google will consolidate over 60 (that’s right…60) privacy policies into one big, fluffy, wonderful new privacy policy. Unfortunately, some of the changes are less than appealing and are simply too much for me to live with. You can read more about the changes on CNN.com. According to Google: “We just want to use the information you already trust us with to make your experience better. If you don’t think information sharing will improve your experience, you don’t need to sign in to use services like Search, Maps and YouTube. If you are signed in, you can use our many privacy tools to do things like edit or turn off your search history, control the way Google tailors ads to your interests and browse the Web ‘incognito’ using Chrome.” My beef comes from the fact that they will be compiling a personal ‘dossier’ on every user. They crawl through Gmail to look for advertising opportunities, etc. After watching J. Edgar on Vudu a few days ago, I don’t want to end up with a personal file. (That was a joke, by the way.) In the event you decide to stay with Google, here is a guide published by the Electronic Frontier Foundation (EFF) that explains how to use the services while protecting your privacy to some degree. For more privacy related information, please visit: www.DrHeatherMark.com.