Friday, November 21, 2008

Protecting Your Privacy While Job Hunting

Job hunting online can be a huge boon to identity thieves. And this is especially important now, in a down economy, when more people are out of work and looking.

Some tips, including leaving your address off resumes posted online and being cautious with public job boards, are in this tip from The Wall Street Journal.

Do You Trust That IT Security Consultant?

Have you ever had second thoughts about that IT security consultant you just hired? Are you concerned about not only their expertise but their integrity?

Here's a neat little 10-question quiz from the IT Security web site that might put your mind at ease -- at least a little bit.

Making Headway in Cracking Cybercrime

Have you noticed less spam in your e-mail inbox these days? Well, it isn't gone completely, but not only spam but other cyberthreats are getting nicked due to some recent law enforcement efforts.

The FBI and Secret Service have been quietly making some high-profile arrests of web crime perpetrators. The reasons, according to this article in USA Today, include not only better cyberlaws with more teeth, but improved international cooperation from places like Eastern Europe, which are notoriously difficult for foreigners to police.

One law helping cybercrime fighters is The Identity Theft Enforcement and Restitution Act of 2008, according to a post by Douglas Schweitzer on Computer World's The Security Sector blog.

Wednesday, November 19, 2008

DNS Security Still an Issue

Just when you thought the recent DNS cache poisoning exploit had blown over, this little tidbit from TechRepublic says otherwise.

They did a really nice job in this succinct review of DNS security issues and how they relate to its basic structure. The overview of DNS at the beginning and the explanation of the difference between internal and external resolution were also helpful.

Monday, November 17, 2008

Cleaning Up Your Online Reputation

Many people have posted things online, or made inappropriate comments quoted on someone else's blog, and later regretted it. The conventional wisdom is that once something goes online, it's forever online.

But help is available, according to this article in Computer World, which portrays three scenarios of attempts at taking down unwanted or unflattering online material.

It isn't easy, but the approach used by online reputation management experts (a growing field these days) like ReputationDefender and ReputationHawk is decidedly low-tech: they track down the human being who owns the online material and call them.

So, why hire a service when you can just get on the phone yourself to a blog author or ISP? The services can do the detective work to track down a site owner and then handle all the leg work from there. They're the professionals. They do this all the time, while you might only have to do it once.

Sunday, November 16, 2008

Some Ask The Experts and a Tip

Here's my latest batch of stuff from TechTarget, including some Ask The Expert answers on identity and access management and a tip on security and cloud computing:

What are the options for a mechanical (not electrical) door security system on a server room door?
This question posed on 28 October 2008

What's the difference between access control mechanisms and identity management techniques?
This question posed on 23 October 2008

What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?
This question posed on 13 October 2008

What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?
This question posed on 08 October 2008

Cyberthieves Targeting Corporations

This is a non-technical piece from USA Today this week about how hackers are moving from stealing personal data directly from individuals to stealing data from corporations.

What's interesting here is that the cyberthieves are breaking into what had been sacrosanct: internal networks. They're getting past corporate firewalls and their DMZs through employees' web surfing and use of Web 2.0 tools.

That doesn't mean corporations, many of which are resistant to technological change, should shy away from Web 2.0 -- new employees entering the workforce are demanding it -- but they should keep security in mind when granting web access to employees.

Your First Information Security Job

I often get asked, as do other IT security professionals, about how to get started in the field.

While some of the advice in this blog post from Kees Leune is applicable to any career changer, there's some interesting advice specific to prospective new job seekers in IT security.

Eight Social Engineering Tactics

CSO had an article recently with some common social engineering tactics. Some of these are old, some of these are new, but the article still points out the importance of these low-tech attacks.

Read on for more details:
  1. Ten degrees of separation
  2. Learning your corporate language
  3. Borrowing your 'hold' music
  4. Phone-number spoofing
  5. Using the news against you
  6. Abusing faith in social networking sites
  7. Typo Squatting
  8. Using FUD to affect the stock market

Thursday, November 06, 2008

Credit Card Security at Point of Sale

This is an interesting article in CSO about Point of Sale (POS) security for credit cards. Credit card security is regulated by the well-known industry standard, PCI. But PCI covers retailers, merchants, banks and others who either issue or use credit cards in their business.

Partly due to the tightening of security under PCI, hackers are aiming their sights at payment application systems, like those where people swipe their cards when making purchases. Often the security of these applications, which sit on POS systems that are themselves stripped-down mini-computers, isn't as carefully attended to as that of full-blown systems and their applications.

As a result, the PCI council has another standard for these applications, the Payment Application Data Security Standard (PA-DSS).

This article also mentions a type of insider attack, called "under-ringing," where store clerks collude with card thieves. This type of human attack isn't covered by PA-DSS, but the article still makes for good security reading.

Has WPA Finally Been Cracked?

Two security researchers working together have partially cracked Wi-Fi Protected Access (WPA), a wireless encryption technology that had been considered secure. Details are to be unveiled at the PacSec conference in Tokyo next week.

The breach is significant, since WPA has been touted as a secure replacement for WEP, which itself had been breached by German researchers back in April 2007.

The researchers, Erik Tews and Martin Beck, were able to break the Temporal Key Integrity Protocol (TKIP) in less than 15 minutes by fooling a WPA router into sending them enough packets to crack the encryption key. TKIP is used by WPA for part of the encryption process.

They didn't use a dictionary attack, where heavy computing power is used to guess at keys, a type of attack to which TKIP is susceptible.

The researchers still haven't been able to decrypt data that goes from the PC to the router, so they haven't completely broken into the castle yet.

Wireless users could upgrade their access points and routers to WPA2, the next generation of WPA, which can't be hacked yet by the TKIP compromise. But that may not be easy for the many enterprises that have adopted WPA to replace leaky WEP encryption.
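Since the Beck/Tews work targets the TKIP cipher itself, the defensive question is whether an access point still negotiates TKIP at all, and a WPA2 setting alone does not answer it: hostapd falls back to the WPA cipher list (TKIP by default) when no RSN cipher is given. The audit below is an added example, not code from the original post, and assumes a hostapd-style key=value configuration; the two sample configurations are constructed for illustration.

```python
# Added example (not from the original post): audit a hostapd-style access
# point configuration for the TKIP cipher that the Beck/Tews attack targets.
# Both sample configurations are constructed; passphrases are placeholders.
from typing import Dict, List

WEAK_AP_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

HARDENED_AP_CONF = """
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

WPA1_TKIP = "WPA (v1) pairwise cipher list allows TKIP; disable WPA v1 or use CCMP"
WPA2_TKIP = "RSN/WPA2 pairwise cipher list allows TKIP; set rsn_pairwise=CCMP"

def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def tkip_findings(conf: Dict[str, str]) -> List[str]:
    """Return the reasons the AP still negotiates TKIP (empty list = clean)."""
    findings: List[str] = []
    wpa = int(conf.get("wpa", "0"))               # bit 1 = WPA v1, bit 2 = WPA2/RSN
    wpa_ciphers = conf.get("wpa_pairwise", "").split() or ["TKIP"]   # hostapd default
    rsn_ciphers = conf.get("rsn_pairwise", "").split() or wpa_ciphers  # falls back to WPA list
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append(WPA1_TKIP)
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append(WPA2_TKIP)
    return findings

def is_tkip_free(text: str) -> bool:
    """True only when neither WPA v1 nor WPA2 can negotiate TKIP."""
    return not tkip_findings(parse_hostapd_conf(text))
```

Note the third case the test exercises: wpa=2 with only wpa_pairwise=TKIP set is "WPA2" on paper but still TKIP on the air.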

Tuesday, November 04, 2008

Common Sense IT Security and Lipstick on a Pig

Here are two articles, one from SC Magazine and the other from Tech Republic's IT Security blog, that have some common sense approaches to network security.

The blog post quotes an official in the UK who suggests keeping the country's government databases distributed as a way to protect sensitive data. The official was responding to suggestions that the databases be centralized to avoid bureaucratic and other delays in using multiple databases.

The post's author, Tom Olzak, argues the issue is basic security, not whether the databases are distributed or not. If such simple security controls as least privilege and segregation of duties aren't enforced, nothing else matters. The database or databases won't be secure, in any case.

Calum Macleod, Cyber-Ark's Western Europe director, quoted in SC Magazine, said security at most companies today is like Barack Obama's comment about "lipstick on a pig." He recommended a balanced approach to technical controls as a way to meet both compliance and security requirements.

His approach was based on business and user needs: not so tight that it restricts the business, but not too weak either.

Sunday, November 02, 2008

Growing Problem of Health Data Breaches

This is a comprehensive article in SC Magazine about the growing problem of data breaches in the health care industry. Granted, the article has a heavy HIPAA spin, but it has lots of other details related to the handling of data breaches in general.

The point is that health care is next on the breach bullseye. Health care is way behind the curve in terms of IT technology for the handling, storage and -- yes -- securing of data.

We're not talking just about the privacy around whether it's anybody's business that you had a kidney stone or a baby, but that health care data has other juicy bits -- like Social Security Numbers -- that identity thieves love.

And HIPAA, unlike its compliance cousin, PCI, is not as prescriptive or tough.