Thursday, November 29, 2007

IT Security Outlook for Small Companies in 2008

I had an article come out today in TechTarget's SearchSMB newsletter about the three main security issues facing smaller companies in 2008.

The three security pain points for '08 will be compliance, web application security and endpoint security.

These will be -- and have been -- key issues for all enterprises, regardless of size, but will continue to impact SMBs particularly hard next year.

Thursday, November 22, 2007

UK Data Breach May Be Biggest Ever

Here's a little Thanksgiving treat from the people who brought the Pilgrims to America. This could be the biggest data breach ever. In absolute numbers -- a mere 25 million -- it would be just another day in data loss for us here in the US.

But in relative size and scope, for a country the size of the UK, it's massive. It could possibly affect 40 percent of the population, according to The New York Times. The potential for identity theft and online bank fraud is staggering.

The data was on two disks lost by a delivery service used by Her Majesty's Customs and Revenue service.

This is a round-up of more stories from The Register, which called it a "datapocalypse." I love that dry British sense of humor.

Wednesday, November 14, 2007

Government Smart Card Initiative Behind Schedule

An initiative to unify physical access to government facilities is -- not surprisingly -- behind schedule. And it's not, as you might expect, just because of the usual bureaucracy and red tape in government.

This is an interesting account of how different government agencies are handling their HSPD-12 initiative, whose deadline passed Oct. 27. They mention how the Department of Defense, which recently installed another system, will basically have to tear it out and replace it to be HSPD-12 compliant.

But, again, it's not just about bureaucratic snafus. This is also a fascinating story about a gradual approach to merging physical and logical security and the use of smart cards to simplify access to facilities. It's something worth following for all you identity junkies. There's something in there for everyone: smart cards with a touch of biometrics and more.

I first wrote about this in one of my Ask The Expert columns for TechTarget a year ago. I'm their resident identity and access management ATE.

Friday, November 09, 2007

Video Of MySpace Hack

This is a well-done video from the Exploit Prevention Labs Blog by Roger Thompson about the recent hack of Alicia Keys' MySpace page:

Again, frankly, this isn't new, and it isn't rocket science. In fact, it's a textbook web hack. It's malicious code loaded onto a web site via a social networking site, in hopes that someone will click on just the right link to download the malware, in this case, a bad ActiveX codec.

And, again, this isn't some shady porn or obscure gambling site. It's a heavily trafficked site of a major entertainer.

Here are details from Computer World, Information Week and Network World.

With that in mind, you might be thinking, especially if you're in a corporate IT department, that it would be wise to block access to social networking sites, like MySpace, from your company. Not so fast, says Paul Johns, Chief Marketing Officer for Complinet, writing in SC Magazine. Johns makes some good arguments both for and against the practice.

On the other side of the fence, Tony Bradley gave some tips on his About.com site, Internet/Network Security, about protecting yourself when using social networking sites.

Thursday, November 08, 2007

My Latest Ask The Expert Answers For TechTarget

This is the latest batch of my Ask The Experts questions posted to TechTarget's SearchSecurity web site:

Using fingerprint door locks in a network environment
This question posed on 30 September 2007

Best practices for deploying enterprise single sign-on (SSO)
This question posed on 23 September 2007

Where did the biometric device come from?
This question posed on 18 September 2007

What are the dangers of Web-based remote access systems?
This question posed on 11 September 2007

Traditional single sign-on (SSO) products versus federated identities
This question posed on 02 September 2007

I'm the resident ATE on Identity and Access Management.

Hackers Target Top Executives

This shouldn't come as any big surprise, but hackers are doing their homework to conduct targeted attacks against wealthy individuals like CEOs.

For publicly held companies, information about top executives is easy to find in financial documents they are required by law to submit to the SEC.

Executives themselves are more mobile and likely to get into technology on their own, using devices freely and getting themselves into all kinds of trouble. This is not to mention all kinds of other juicy data they may unwittingly post proudly on social networking sites like LinkedIn.

Proudly? Yes, they're just trying to market both themselves and their companies. No harm done, but some education is needed to protect the higher ups.

Here are some tips:
  • Make sure all desktops, laptops and mobile devices in the hands of executives are already hardened, patched and have unnecessary services turned off.
  • Educate them to be careful with posting company information on web applications like Google Calendar, where data can be publicly accessible.
  • Teach them to only use VPNs while on the road (Good Luck!) and to watch for common social engineering attacks.

Another Web Security Roundup

Here's another round-up of recent web exploits of note. This one is clever. Users are prompted to enter a CAPTCHA to disrobe a model. The CAPTCHAs are from legitimate Yahoo sites and may be used to gain access to accounts.

The Storm worm was recently used to send out audio spam on MP3 files and a cross-site scripting attack against VoIP was revealed.

Another Firefox URL-handling bug was discovered by a security researcher and JavaScript mashups are now a cause for concern.

And, finally, Jeremiah Grossman told his blog readers to crawl web sites to check for vulnerabilities.

My Article on Data Destruction in SearchSMB

I had an article on data destruction come out today on SearchSMB.

It was about cheap and easy ways to destroy data before disposing of equipment.

Wednesday, November 07, 2007

Web Application Hacker's Handbook

This new book about web hacking is quite an encyclopedic reference. There are a few decent web security books out there, including one in the Hacking Exposed series, but I don't think I've seen anything quite like this.

The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto and published last week by Wiley is a compendium of the whole universe of web hacking.

It lists not only attacks and types of attacks but how to enumerate web sites and their servers, attack methodologies, hacking tools and attacking their hosting servers, as well.

Monday, November 05, 2007

Looking For An IT Security Job?

Well, the PCI Council is looking for a technical security director.

Here's an exciting opportunity to join the swashbuckling world of credit card security.

For the right person, this could be an action packed job full of adventure.

All kidding aside, the position requires a good blend of business and technical skills, the sort of thing most companies are looking for in their IT professionals.

Go for it.

Friday, November 02, 2007

Mac Not So Tough Any More

Mac security really took a nose dive this week with both concerns about security in the latest release, Leopard, and a Trojan written specifically for Macs. And Mac users thought they were secure. So much for that.

Several commentators questioned the access controls in Leopard in this round-up from Computer World. Then eWeek poked holes through its firewall.

But the big news was the Trojan that redirected users to porn sites. Now, this isn't brain surgery. Windows users have seen this nonsense before, but a Mac-specific Trojan, that's something else.

Details were on the SunbeltBLOG, Macworld, Computer World and eWeek.

Thursday, November 01, 2007

TJX Debate And Fingerpointing Continue

This was an outstanding article on SearchSecurity today about the TJX breach, and who was to blame.

Bill Brenner did an excellent job in this balanced piece, getting comments from all sides: retailers, banks and IT security consultants.

There was plenty of blame to go around for such things as storing customer data, but the upshot was that TJX just didn't have even the minimal levels of security. That's the real story in a nutshell.