“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012
Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS. Tags: Apple, Chris Mark, cybercrime, cybersecurity, encryption, FileVault, InfoSec & Privacy, mark consulting group, password, security
For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system. According to TechCrunch, a major security weakness in OSX Lion (the newest OS from Apple) that goes back to February 2012 was disclosed widely within the last few days: the FileVault encryption passwords are visible in plain text outside of the computer’s encrypted area. This effectively renders the encryption useless, since the keys (the passwords) are not secure. While it was originally believed that the vulnerability was specific to the FileVault encryption solution, it now appears that the vulnerability is larger…potentially much larger. Sophos’ Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.” Key management and password security continue to be the weakest link in most encryption implementations.
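The failure mode above in miniature, as an added example that is not Apple’s code or the actual OSX Lion log: a toy encrypted volume, a mount helper whose debug logging writes the passphrase to a plaintext log outside the encrypted area, an attacker who only needs read access to that log, and the check a defender would run. The volume format, the `mount_home` helpers, the log line format and the passphrase are all constructed for illustration.

```python
import hashlib
import re

# --- toy encrypted area (constructed; stand-in for the encrypted part of the disk) ---

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte volume key from the passphrase with PBKDF2-HMAC-SHA256.
    The iteration count is kept low only to make the example fast."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=32)

def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream for the toy cipher below (not a real disk cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

class Volume:
    """Data XORed with the keystream, plus a check value so a wrong passphrase is detected."""
    def __init__(self, passphrase: str, plaintext: bytes):
        self.salt = b"example-salt-1234"            # constructed salt
        key = derive_key(passphrase, self.salt)
        self.check = hashlib.sha256(b"check" + key).digest()[:8]
        self.ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))

    def unlock(self, passphrase: str):
        """Return the plaintext for the right passphrase, None otherwise."""
        key = derive_key(passphrase, self.salt)
        if hashlib.sha256(b"check" + key).digest()[:8] != self.check:
            return None
        return bytes(a ^ b for a, b in zip(self.ciphertext, _keystream(key, len(self.ciphertext))))

# --- the mount helper, which runs (and logs) outside the encrypted area ---

def mount_home_leaky(volume: Volume, user: str, passphrase: str, syslog: list):
    """Hypothetical helper with debug logging left on: the whole argument list,
    passphrase included, lands in a plaintext log outside the encrypted area."""
    syslog.append(f"DEBUG mount_home(user={user!r}, passphrase={passphrase!r})")
    return volume.unlock(passphrase)

def mount_home_safe(volume: Volume, user: str, passphrase: str, syslog: list):
    """Same helper with the secret redacted before the line reaches the log."""
    syslog.append(f"DEBUG mount_home(user={user!r}, passphrase=<redacted>)")
    return volume.unlock(passphrase)

# --- attacker with read access to the unencrypted part of the disk ---

def recover_from_log(volume: Volume, syslog: list):
    """Pull every passphrase-looking value out of the log and try each against the
    volume.  Returns the decrypted contents if one works, else None."""
    for line in syslog:
        for candidate in re.findall(r"passphrase='([^']*)'", line):
            data = volume.unlock(candidate)
            if data is not None:
                return data
    return None

# --- defender's check: search everything outside the encrypted area for known secrets ---

def find_leaked_secrets(lines: list, secrets: list):
    """(line number, secret) for every plaintext occurrence of a known secret."""
    return [(n, s) for n, line in enumerate(lines, 1) for s in secrets if s in line]

if __name__ == "__main__":
    secret = "correct horse battery staple"       # constructed passphrase
    vol = Volume(secret, b"Q3 acquisition plan: confidential")
    leaky_log, safe_log = [], []
    mount_home_leaky(vol, "alice", secret, leaky_log)
    mount_home_safe(vol, "alice", secret, safe_log)
    print("leaky log recovers:", recover_from_log(vol, leaky_log))   # the plaintext
    print("safe log recovers:", recover_from_log(vol, safe_log))     # None
    print("leak check:", find_leaked_secrets(leaky_log, [secret]))
```

The strength of the cipher and the key derivation never comes into play: with the passphrase sitting in a file the attacker can read, the volume unlocks first try. The defender’s check is the same one an attacker runs, which is why it should be run against logs, crash dumps and swap before the attacker does.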
UPDATE “Just Say No!”- to Facebook Login Request for Employment March 23, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy. Tags: cybersecurity, facebook, InfoSec & Privacy, mark consulting group, privacy, security
UPDATE: Kudos to Facebook for weighing in on this subject. Facebook says that not only is the practice wrong, but it is a violation of Facebook’s terms of service. Echoing what I (and others) have said, logging into someone’s FB page could expose the employer to a lawsuit. “(W)e don’t think it’s the right thing to do,” she said. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”
I find myself posting on this subject occasionally because a neighbor, friend or other person will inform me that during an interview or application they were asked to provide their Facebook or other ‘social media’ login. This topic seems to arise again and again, and it was highlighted once more on msnbc.com. So, for those who are asking or saying: “Chris, if you have nothing to worry about, then why do you care?” Valid question. Let me answer. First, if you are looking for a job, as a responsible professional person you should take care not to post inflammatory, racist, hateful or other such items on your social media. If you are a proud member of a hate group, you may want to keep that info private. Pictures of you doing drugs, or being arrested in New Orleans, are also probably a bad idea. (more…)
“Warren & Brandeis Cringe”- Identification through Typing March 21, 2012
Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation. Tags: Chris Mark, DARPA, InfoSec & Privacy, mark consulting group, privacy, security, the right to privacy, typing authentication, warren and brandeis
Several years ago a few researchers demonstrated that the way in which a person types is unique enough to identify that person with a high degree of confidence. It is not simply speed but includes cadence, the time between particular keystrokes and other aspects. This week DARPA announced that it is working to make the technique a reality. Because of the uniqueness of a person’s typing, DARPA says “mimicking keystroke dynamics is physiologically improbable,” meaning that it would be harder to masquerade as another person. I mark this up as “good in theory and terrifying in practice”. In a talk last year a DARPA representative explained the goal as follows: “[to] move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.” This is precisely where the issue comes to life. (more…)
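What “cadence and time between particular keystrokes” looks like as a check, as an added example that is neither DARPA’s system nor code from the original post: the classic keystroke-dynamics features are dwell time (how long each key is held) and flight time (the gap from one key’s release to the next key’s press), a profile is the per-feature mean and spread over several enrollment typings of a fixed phrase, and a new typing is accepted when its scaled distance from the profile is below a threshold. The phrase, the millisecond timings, the distance measure and the threshold are all constructed for illustration.

```python
from statistics import mean, pstdev

PHRASE = list("mark")     # hypothetical fixed enrollment phrase
THRESHOLD = 1.5           # mean z-distance above which a typing is rejected (constructed)

def features(events):
    """events: (key, down_ms, up_ms) tuples in typing order.
    Returns dwell times (hold time per key) followed by flight times (release of
    one key to press of the next; can be negative in real typing when keys overlap)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def make_events(keys, dwell, flight):
    """Build (key, down, up) events from a dwell/flight vector; used only to
    construct the sample typings below."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwell[i]))
        t += dwell[i] + (flight[i] if i < len(flight) else 0)
    return events

def enroll(samples):
    """Profile = per-feature mean and standard deviation over several typings."""
    vectors = [features(s) for s in samples]
    means = [mean(col) for col in zip(*vectors)]
    stds = [max(pstdev(col), 1.0) for col in zip(*vectors)]   # 1 ms floor avoids divide-by-zero
    return means, stds

def score(profile, events):
    """Scaled Manhattan distance: mean of |x - mu| / sigma over all features.
    0 is a perfect match to the enrolled rhythm."""
    means, stds = profile
    return mean(abs(x - m) / s for x, m, s in zip(features(events), means, stds))

def authenticate(profile, events, threshold=THRESHOLD):
    return score(profile, events) <= threshold

# Constructed typings of PHRASE: four dwell times, three flight times (ms).
ENROLLMENT = [
    make_events(PHRASE, [95, 110, 88, 120], [140, 95, 160]),
    make_events(PHRASE, [100, 105, 92, 115], [150, 100, 155]),
    make_events(PHRASE, [90, 115, 85, 125], [135, 90, 170]),
]
GENUINE = make_events(PHRASE, [97, 108, 90, 118], [142, 97, 158])      # same user, later
SLOWER = make_events(PHRASE, [110, 125, 100, 140], [160, 110, 180])    # same rhythm, ~15% slower
IMPOSTOR = make_events(PHRASE, [60, 70, 65, 80], [220, 180, 250])      # a different typist

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, sample in [("genuine", GENUINE), ("slower", SLOWER), ("impostor", IMPOSTOR)]:
        print(f"{name:9s} score={score(profile, sample):.2f} accept={authenticate(profile, sample)}")
```

Two things the numbers make visible: the spread matters as much as the mean (a 15 ms drift on a feature the user holds very consistently is a larger deviation than 15 ms on a variable one), and a uniformly slower typing of the same phrase is still rejected, because the profile encodes absolute timings, not just their ratios. The threshold is where the false-accept/false-reject trade-off lives, and a continuous-authentication system has to pick it per user.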
Turncoat Rolls on Anonymous March 7, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy. Tags: Chris Mark, cybersecurity, InfoSec, InfoSec & Privacy, security
This is a post I struggled to write. I struggled because I do not personally agree with LulzSec’s or Anonymous’ objectives and tactics, but this post is not about their tactics or views. Rather it is a discussion of ethics and honor between people, and of the lessons to be learned about human behavior. The links have some very interesting stories of how “Sabu” turned on his own group.
As a young Marine I remember an old salty GySgt telling us: “Courage is not a lack of fear. That’s what we call crazy. Courage is when you are afraid and are still able to act in the face of your fear.” (more…)
Nortel Network Compromised for a Decade; Chinese Suspected February 14, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management. Tags: armed security, Chris Mark, cybersecurity, data breach, InfoSec, InfoSec & Privacy, mark consulting group, markconsultinggroup.com, nortel breach
According to MSNBC, Nortel’s network was open to hackers since at least 2000. The hackers are suspected to be Chinese. The data thieves appear to have had nearly “unfettered access” to the network and were able to download “technical papers, research-and-development reports, business plans, employee emails and other documents.” How did they access the network? Simple. (more…)
