More Security Theater – “CyberCops and Robbers” March 15, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, Uncategorized.

Today in my Google alerts, I had a story from FoxNews (…ahemm) titled “CyberCops and Robbers; Digital Posses to Bust Bank Robbers”. After reading the article, I had to write a post and discuss (rant?) the fluff that is being proposed. The article talks about a new initiative by the FBI and select banks, where banks that comply with certain rules and agree to be involved in the program get to post a “badge” on their door like the one in this post.

There are so many flaws and issues with this approach, I don’t know where to start.  This is Security Theater at its finest.  For those who are unfamiliar with the term, Bruce Schneier, in his book Beyond Fear, coined the phrase security theater.  Security theater describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security. (more…)

“Black and Tans”?! Really?…A Little Market Research Can Prevent Embarrassment March 13, 2012

Posted by Chris Mark in Industry News, Uncategorized.

This is a bit off topic but relevant, nonetheless. I was talking to some acquaintances about the upcoming US elections and somehow the topic turned to Mexico, Guatemala, and finally to Che Guevara. My friends said: “Che who?” I almost fell over but, due to my extensive Marine Corps sensitivity training, instead I replied with a loud and derisive: “What the Hell!? Are you kidding me?! You don’t know who Che Guevara is?!” I didn’t really say that, but I should have 😉 How can any American not know about Che Guevara? Again, I digress…You can read about him here.

Today, I am reading the news and there is a story about how Nike, in honor of St. Patrick’s Day, named a new shoe the “Black and Tan”. The blog readers from the UK and Ireland are probably picking themselves off the floor right about now. My mental response to the news was: “WTH!? You named a shoe the Black and Tans?!” (more…)

The Carpenter, Not the Hammer, Builds the House March 8, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, weapons and tactics.

I was in a discussion yesterday with a friend of mine who happens to be the Editor in Chief of The Counter Terrorist Magazine. Chris and I served together long ago and I always enjoy talking to him, as he is one of the most insightful people I know. He mentioned what he felt was the over-reliance on technology in CT operations and how it was causing people to lose sight of the fact that it is the people that matter and not the tools.

I find this particularly relevant in all areas of security but especially in information security.  In a past life I operated as a Marine Scout/Sniper.  When my civilian friends learn of this, it is not uncommon for me to hear the question: “What is the best rifle to use?”  (more…)

“Goodnight Sweetheart, It’s Time To Go…” Away from Gmail…over Privacy March 1, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

Starting today, Google will consolidate over 60 (that’s right…60) privacy policies into one, big, fluffy, wonderful new privacy policy. Unfortunately, some of the changes are less than appealing and are simply too much for me to live with. You can read more about the changes on CNN.com. According to Google: “We just want to use the information you already trust us with to make your experience better. If you don’t think information sharing will improve your experience, you don’t need to sign in to use services like Search, Maps and YouTube. If you are signed in, you can use our many privacy tools to do things like edit or turn off your search history, control the way Google tailors ads to your interests and browse the Web ‘incognito’ using Chrome.” My beef comes from the fact that they will be compiling a personal ‘dossier’ on every user. They crawl through Gmail to look for advertising opportunities, etc. After watching J. Edgar on Vudu a few days ago, I don’t want to end up with a personal file. (That was a joke, by the way.) In the event you decide to stay with Google, here is a guide published by the Electronic Frontier Foundation (EFF) that explains how to use the services while protecting your privacy to some degree. For more privacy-related information, please visit: www.DrHeatherMark.com.

“Don’t Eat Your Hash without Salt”- Zappos Data Theft February 29, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

On January 12, 2017 it was announced on MSNBC.com that an Amazon-owned shoe company, Zappos, experienced a data breach of more than 24 million accounts. According to the report, the breach captured the names, email addresses, telephone numbers, last four digits of the credit card, and the “cryptographically scrambled passwords”. The report on MSNBC then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.

The description of ‘cryptographically scrambled’ passwords refers to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm such as MD5, SHA-1 or SHA-256 is deterministic: the same input will always produce the same output. It is called ‘one way’ because, given only the output, deriving the input approaches mathematical impossibility (because nothing is truly impossible). Why would you want a ‘one way hash’ to secure passwords? (more…)
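The post’s title makes the point its excerpt stops short of: a one-way hash is deterministic, so without a per-user salt every user who picked the same password ends up with the same stored value, and one recovered password unlocks all of them. The example below is added here to illustrate that; it is not code from Chris Mark or from Zappos. It uses only Python’s standard library (`hashlib`, `hmac`, `os`); the user table is constructed sample data; and it goes one step beyond the post by using PBKDF2 (a salted, iterated SHA-256) for the “with salt” side, since that is how a salted password hash is stored in practice.

```python
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom chose the same password.
USERS = {
    "alice": "Password1!",
    "bob": "Password1!",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: deterministic, so equal passwords
    produce equal hashes, which is exactly the weakness salting removes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def duplicate_groups(users: dict) -> dict:
    """Group usernames by their unsalted hash. Any group larger than one
    reveals, from the hashes alone, that those users share a password."""
    groups: dict = {}
    for name, pw in users.items():
        groups.setdefault(unsalted_hash(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with an explicit salt. The salt is not secret; it
    is stored beside the hash so the same computation can be repeated at
    login. Stored form: salt_hex$iterations$hash_hex."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def new_record(password: str) -> str:
    """Create a stored record with a fresh random 16-byte salt per user."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes match."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Without salt: alice and bob are visibly linked by an identical hash.
    for h, names in duplicate_groups(USERS).items():
        print(f"unsalted {h[:16]}... shared by {names}")

    # With salt: the same password yields unrelated records, and each
    # record still verifies only its own password.
    records = {name: new_record(pw) for name, pw in USERS.items()}
    print("salted alice == bob:", records["alice"] == records["bob"])
    print("alice verifies:", verify(USERS["alice"], records["alice"]))
    print("alice with bob's password verifies:", verify("Password1!", records["alice"]))
    print("wrong password verifies:", verify("nope", records["alice"]))
```

Note that `verify` succeeds for bob’s password against alice’s record because they genuinely chose the same password; what the salt prevents is learning that fact from the stored hashes, and it forces anyone working from a stolen table to attack each record separately instead of once for everyone.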