
Turncoat Rolls on Anonymous March 7, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

This is a post I struggled to write. I struggle because I do not personally agree with LulzSec’s or Anonymous’ objectives and tactics, but this post is not about their tactics or views. Rather, it is a discussion of ethics and honor between people, and of lessons to be learned about human behavior. The links have some very interesting stories of how “Sabu” turned on his own group.

As a young Marine I remember an old salty GySgt. telling us: “Courage is not a lack of fear. That’s what we call crazy. Courage is when you are afraid and are still able to act in the face of your fear.” (more…)

(URGENT) NASA’s JPL “pwnd” (owned) by Chinese Hackers March 1, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

According to a report on Fox News, Chinese hackers took control of NASA’s Jet Propulsion Laboratory in November 2011. According to a report issued by the Inspector General, the hackers had sufficient control that it “…could have allowed them to delete sensitive files, add user accounts to mission-critical systems, upload hacking tools, and more.” He further stated that “The attackers had full functional control over these networks.” The information was released in the report published on February 26th, 2012 titled (download here): “NASA Cybersecurity: An Examination of The Agency’s Information Security.”

The report further stated: “In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems,” … “These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit.”

This is yet another example of the sophistication of hackers. It is no longer feasible to rely upon network or even application-layer controls. It is imperative that companies protect the proverbial crown jewels with encryption. On that note (I have no relation to the company at all), one of my favorite encryption vendors is a company called Vormetric. Check out their website here or visit their blog here.

“Don’t Eat Your Hash without Salt”- Zappos Data Theft February 29, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

On January 12, 2017 it was announced on MSNBC.com that Zappos, an Amazon-owned shoe company, experienced a data breach affecting more than 24 million accounts. According to the report, the breach captured names, email addresses, telephone numbers, the last four digits of credit card numbers, and the “cryptographically scrambled passwords”. The MSNBC report then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.

The description of ‘cryptographically scrambled’ passwords refers to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm like MD5, SHA-1 or SHA-256 always produces the same output for the same input; it is called ‘one way’ because, given only the output, deriving the input approaches mathematical impossibility (because nothing is truly impossible). Why would you want a ‘one way hash’ to secure passwords? (more…)
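The post’s title is the point: a one-way hash alone is not enough, because the same password always yields the same hash, so a table precomputed from a list of common passwords maps straight back to every account that chose one of them. The following example is added here and is not code from the original post; it contrasts plain SHA-256 with PBKDF2-HMAC-SHA256 using a per-user random salt, over a small constructed credential table (user names, passwords and the word list are all made up for illustration). It shows why, after a breach, unsalted hashes reveal password reuse and fall to a lookup table while salted hashes do neither, and how verification still works when the salt is stored beside the hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a leaked credential table as a defender might recover it.
# Two users chose the same weak password.  Nothing here comes from the Zappos data.
USERS = {
    "alice": "password123",
    "bob":   "correct horse battery staple",
    "carol": "password123",
}

# Small "common passwords" list standing in for a precomputed lookup table.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: deterministic, so equal passwords
    produce equal hashes across every user and every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt.  The salt is stored
    alongside the hash (it is not a secret); its job is to make identical
    passwords hash differently and to defeat precomputed tables.  The
    iteration count slows each guess down for an attacker who has the table."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def users_sharing_a_hash(table: dict) -> int:
    """Number of users whose stored hash is identical to another user's.
    With unsalted hashes this exposes password reuse directly; with salted
    hashes it should always be zero."""
    counts: dict = {}
    for h in table.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def lookup_table_exposure(table: dict, wordlist) -> dict:
    """Risk check a defender can run on a leaked table: hash each common
    password once and see which users it matches.  Against unsalted hashes one
    computation per word covers the whole table; against salted hashes the
    same lookup matches nothing."""
    precomputed = {unsalted_hash(w): w for w in wordlist}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p, iterations=10_000) for u, p in USERS.items()}

    print("unsalted: users sharing a hash ->", users_sharing_a_hash(unsalted))
    print("unsalted: lookup-table exposure ->", lookup_table_exposure(unsalted, COMMON_PASSWORDS))
    print("salted:   users sharing a hash ->", users_sharing_a_hash(salted))
    print("salted:   lookup-table exposure ->", lookup_table_exposure(salted, COMMON_PASSWORDS))
    print("salted:   alice verifies       ->", verify_salted("password123", salted["alice"]))
```

Run as a script, the unsalted table shows two users sharing a hash and both recovered by the lookup table, while the salted table shows zero shared hashes and no lookup matches, yet the legitimate password still verifies. The lower iteration count in the demo keeps it fast; a production setting would use the higher default or a purpose-built password hash such as bcrypt, scrypt or Argon2.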

Security 101: “You don’t have to outrun a bear…just your friends” February 22, 2012

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management, weapons and tactics.

Yesterday MSNBC ran a story discussing the “arms race” between Somali pirates and shipping companies. The article discussed the pirates’ increasing violence. While this should come as no surprise to anyone, it was a single statement that caught my attention: “Greater use of private armed security guards on ships and a much tougher approach by international navies is beginning to work, some… say.” (more…)

“Trust but Verify”- Insider Threats & Intellectual Property Theft February 20, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

According to the US Government, intellectual property theft costs the US approximately $250 billion per year. Unfortunately, a large and growing percentage of this theft is due to insiders. The human element of data security is a topic I have written on numerous times. This article follows one I wrote in August 2011 titled Security 101: The Human Element.

I have worked with a number of large (and small) organizations that were very focused on risk management and information security. It is always disheartening to find that these companies focus solely upon external threats and ignore one of the largest threats to their intellectual property: their own employees. Humans are social creatures. We make friends and we want to be trusted. We also believe in our fellow person. Nobody likes to feel they are not trusted and, consequently, few like to make others feel they are not trusted. Unfortunately, where data security and the protection of intellectual property are concerned, companies are well advised to adhere to the old adage: “Trust but Verify”.

With increased responsibility often comes increased authority and increased access to sensitive systems and information. Companies often make the mistake of believing that with increased responsibility comes a decreased need to monitor activity. (more…)