Chris in October 2012 Issue of PenTest Magazine October 30, 2012
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, credit card, mark consulting group, mastercard, PCI, PCI DSS, penetration testing, pentest, security, visa
Check out the October 2012 issue of PenTest Magazine for a wealth of valuable information on the PCI DSS and how penetration testing can be used to support compliance and validation. I have an article in the magazine titled “Introduction to PCI DSS for the PenTester”. You need to register as a user or subscribe to access the articles.
“Boo!” – October 2012 issue of TransactionWorld October 30, 2012
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, Dr. Heather Mark, economics, PCI DSS, risk management, security, transactionworld
I (Chris) am finally back in the US after traveling for the past two months. If you haven’t had a chance yet, please check out October’s issue of TransactionWorld and read articles by Chris Mark (Security Economics) and Heather Mark (Portable Security). If you don’t subscribe to TW, you should check it out. Everything you could want to know about payments (well, not everything, but quite a bit).
Beating an Old Drum October 27, 2012
Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy. Tags: cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy, security
It’s the end of what has already been a tough year for data security. And the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact, that more than 75% of the state’s residents have been affected. The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment cards. Most of those were encrypted, though.
This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was deployed only on payment cards (and not even on all of those). Consumers have built-in protections on payment cards: as long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the social security numbers, were not encrypted, though. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) untangling the identity theft knot that comes with stolen SSNs.
Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.” WHAT? If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become a priority.
Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It’s long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.
“Cyber Espionage is Alive and Well”; Motorola Employee Sentenced in theft of IP August 30, 2012
Posted by Chris Mark in cyberespionage, cybersecurity. Tags: china, cyber espionage, cybercrime, cybersecurity, Hanjuan Jin, information security, mark consulting group, motorola, security
According to a story in CIO, a former Motorola employee was sentenced to four years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my article “The Rise of CyberEspionage”, published in The Counter Terrorist Magazine.
Below is an excerpt of the CIO article.
“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.
The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.
Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.
Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”
Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed in US businesses. While not exclusive to China, they certainly represent the greatest threat today.
“Here I (we) go Again…”; GlobalCerts.net hacked August 27, 2012
Posted by Chris Mark in cybersecurity. Tags: anonymous, cyber war news, data breach, globalcert.net, hack, mark consulting group, PCI DSS, security
On this lovely Monday morning of the opening week of College Football (WAR EAGLE!), I open with some classic Whitesnake and their awesome song from 1987, “Here I Go Again”. It seemed appropriate, since here ‘we’ go again with another hack and data compromise. According to Cyber War News, GlobalCert.net was hacked and their data posted to Pastebin. According to the report, GlobalCert.net’s web database was hacked and over 1,000 clients’ data posted online by Anonymous. GlobalCert.net’s website says the following about the company:
“GlobalCerts provides a comprehensive solution that meets a full range of secure messaging needs—including an automatic, transparent, inter-organizational secure messaging product, the SecureMail Gateway. GlobalCerts also offers a trusted, scalable, user friendly solution to overcome the hurdle obstructing many organizations from deploying a standards-based, secure messaging solution. SecureTier is a hands-off global, certificate management solution for key creation, discovery, and revocation. No other key distribution and discovery system is as effortless and efficient as GlobalCerts’ solution.”
Seems that GlobalCert.net should practice what they preach. 😉