Category Archives: News

Why wait for a security breach to improve security?

Neiman Marcus is the victim of a security breach. Neiman Marcus provided a statement to journalist Brian Krebs:

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

I want to focus on one of Neiman Marcus’ statements:

We have … taken significant steps to further enhance information security.

Why do companies wait for a disaster to occur before making improvements that could have prevented the incident – saving the organization and its customers untold hours of lost productivity? Had Neiman Marcus taken these steps earlier,  the breach might not have occurred.  Or so we think.

Why do organizations wait until a security incident occurs before taking more aggressive steps to protect information?

  1. They don’t think it will happen to them. Often, an organization eyes a peer that suffered a breach and thinks, their security and operations are sloppy and they had it coming. But alas, those in an organization who think their security and operations are not sloppy are probably not familiar with their security and operations. In most organizations, security and systems are just barely good enough to get by. That’s human nature.
  2. Security costs too much. To them I say, “If you think prevention is expensive, have you priced incident response lately?”
  3. We’ll fix things later. Sure – only if someone is holding it over your head (like a payment processor pushing a merchant or service provider towards PCI compliance). That particular form of “later” never comes. Kicking the can down the road doesn’t solve the problem.

It is human nature to believe that another’s misfortunes can’t happen to us. Until it does.

Advertisements

Why there will always be security breaches

At the time of this writing, the Target breach is in the news, and the magnitude of the Target breach has jumped from 40 million to as high as 110 million.

More recently, we’re now hearing about a breach of Neiman Marcus.

Of course, another retailer will be the next victim.  It is not so important to know who that will be, but why.

Retailers are like herds of gazelles on the African plain, and cybercriminals are the lions who devour them.

As lions stalk their prey, sometimes they choose their victim early and target them. At other times, lions run into the herd and find a target of opportunity: one that is a little slower than the rest, or one that makes a mistake and becomes more vulnerable. The slow, sick ones are easy targets, but the healthy, fatter ones are more rewarding targets.

As long as their are lions and gazelles, there will always be victims.

As long as there are retailers that store, process, or transmit valuable data, there will always be cybercriminals that attempt to steal that data.

TSA learns redaction lesson the hard way…

Bookmark This (opens in new window)

…and we will all pay for it. Today it has been made public that the TSA’s detailed airport security procedures manual has been posted to the Internet. The TSA was putting out some services to bid, and posted what they believed to be a redacted version of the document. Well it turns out that the redaction technique they chose was ineffective.

Now that everyone can see TSA’s airport screening procedures in detail, they will have to resort to more pat-downs, wand scans, and body scans. Procedures for identifying CIA, air marshalls, and law enforcement personnel may need to change as well.

Some of the details revealed in the procedures include:

  • The size of wires that can pass through magnetometers without setting alarms
  • Procedures used for screening liquids
  • Items that do not require extra screening such as wheelchairs and casts
  • Procedures for verifying the identity of CIA, NSA, air marshalls, and other law enforcement personnel

See my earlier posting on redaction here.

Proper redaction of sensitive data in electronic documents is more than just covering up sensitive words and images. Instead, sensitive information is actually removed and replaced with solid black, so that the redacted text or images are not merely “underneath” it. I suspect that the NSA merely “covered” sensitive items without actually removing them from documents.

[picapp align=”right” wrap=”false” link=”term=tsa&iid=3702199″ src=”c/9/9/e/New_Airport_Security_d307.jpg?adImageId=8254188&imageId=3702199″ width=”234″ height=”236″ /]News stories here:

CNN

Yahoo News

Washington Post

New York Times

FBI Mystery Man ID Thief Sentenced

Bookmark This (opens in new window)

Mystery manFBI mystery man Scott Andrew Shain was sentenced to 30 months in prison.

Articles:

Seattle Times

King 5 News

Earlier articles:

FBI Mystery Man Identified

Fake Fingerprints, Multiple Aliases, who is this guy?

U.S. Passport Cards Available

U.S. Passport Card

U.S. Passport Card

Bookmark This (opens in new window)

Actually they have been available for some time. While they are not valid for air travel, they are valid for auto and ship transportation out of and into the U.S.

As a citizen of Washington State, I go to Canada now and then, as well as Mexico, and in the past year have done so by car and by ship. So I’m thinking that this could be useful for me, to be able to carry a “passport” in my wallet.

I’m ordering one and will write about the experience.

Update 5/17/09 – Seattle Times article

Information is available here:

http://travel.state.gov/passport/ppt_card/ppt_card_3926.html

Wikipedia article on U.S. Passport Cards

Washington Times article, opponents fear counterfeiting

Published authors: stop the illegal file sharing hemorrhaging

Bookmark This (opens in new window)

Recently I was made aware of a file sharing site that reportedly had digital copies of published books, as well as music and other copyright content.  I had a look for myself, and found this to be true.

The site, 4shared.com, has thousands – maybe tens of thousands – of copyrighted books, music, and other content, freely online and available for anyone who wants to browse the site and download content.

Readers: it is illegal to post copyright content in any form online, unless you are the legal owner of the content or have written permission from the owner.  It is against the law.  Do not be deceived by the lure of free content.

Professionals: if you are found to be in possession of illegally copied protected content, you may be in jeopardy of losing your professional licenses or certifications.  You can also be sued by the copyright owner.

4shared.com will remove content on request.  It is necessary to state, in detail, who the owner of each item is, and why it should be removed.  Digital copies of many of my books were on the site, and I filed removal requests for each.  Yes, it was time consuming.  To request illegal content be removed, send an e-mail (with the full URL of the offending item(s)) to abuse@4shared.com, or visit http://www.4shared.com/contact.jsp , click on the “Copyrighted Materials” link, and complete the short form there.

The extent of illegal content on 4shared.com is appalling – it is a cesspool of of illegal content.  A quick search showed that almost one-thousand “For Dummies” titles were on the site.

Browsers are compromising our privacy

Bookmark This (opens in new window)

…and it’s not just Google.  IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first.  What’s going on: text you type in the search or URL field are sent to Google, even if you don’t press Send. In other words, if you type in the word “breasts”, and then later decide that you should not be searching on that at work (or wherever you are), it’ll be sent to Google anyway.  It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)