If I wanted to steal Identities, I would set up this kind of system: “Tell me your Social Security Account Number so I can see if your data has been breached. Also tell me your Credit/Debit card number, your driver's license number, etc. etc. etc.”
Got Pwned? PwnedList.com Knows
October 28, 2011 by admin
Paul Roberts writes:
With more and more
victims of identity theft minted every day, figuring out
if you’re one of the unlucky masses with a leaked email password is
yeoman’s work. Now one security researcher is trying to make it
easy with PwnedList.com,
a Web site that collects leaked and stolen data, then tells Internet
users whether their information is in it.
PwnedList
is the brainchild of Alen Puzic, a security researcher who works for
HP’s TippingPoint DVLabs on the Advanced
Security Intelligence team. The biggest challenge, he says, is
staying on top of the tsunami of leaked records – which are pouring
in at a rate of 40,000 to 50,000 a week. Puzic chatted with Threatpost editor Paul Roberts via Skype this week.
Read more on ThreatPost.
A manager's job is to plan, direct,
organize and CONTROL the organization. It constantly
disappoints me to see how frequently managers fail in the control
part...
October 28, 2011
NIST Publishes Guide for Monitoring Security in Information Systems
Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137)
- "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate). Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information."
(Related) “We don't want to change!”
Nor do we want to go back and implement all the security controls we
should have designed into our systems in the first place...
Would a federal data breach law really be too costly for the private sector?
October 28, 2011 by admin
Are you curious about the cost of a
data breach notification law? Here’s the analysis
of S. 1151, the Personal
Data Privacy and Security Act of 2011, proposed by Senator Leahy.
It appears that the biggest added cost to the
private sector would be on improving security and not from
breach notification since 46 states already require them to notify
consumers of breaches.
The cost per
entity of the data privacy and security requirements would depend on
the rules to be established by the FTC, the size of the entity, and
its current ability to secure, record, and monitor access to data, as
well as on the amount of sensitive, personally identifiable
information maintained by the entity. The majority of states already
have laws requiring business entities to utilize data security
programs, and it is the current practice of many businesses to use
security measures to protect sensitive data. However, some of the
new standards for data security in the bill could impose additional
costs on a large number of private-sector entities.
For example, under
the bill, businesses covered under subtitle A would be required to
enhance their security standards to include the ability to trace
access and transmission of all records containing sensitive
personally identifiable information. [In other words, turn on their
logs! Bob] The current industry standard on data
security has not reached that level. According to industry experts,
information on a particular individual can be collected from several
places and, for large companies, can be accessed by thousands of
people from several different locations. The ability to trace each
transaction involving data containing personally identifiable
information would require a significant enhancement of data
management hardware [Only the storage of the log files. Bob] and software for the majority of businesses.
Further, the bill’s definition of sensitive personally identifiable
information is broader than the current industry standard.
This definition
would significantly increase the number of entities that would be
required to implement new or enhanced data security standards. The
aggregate cost of implementing such changes could be substantial.
Okay, but if they invest in what would
be mandated security and save on breach-related costs, that doesn’t
sound like a bad deal to me. Aren’t we constantly reminded how
high breach clean-up costs are? And the trade-off here also seems to
involve prohibiting a private cause of action for violation of
contractual agreements – and isn’t that something that Facebook,
Zynga, and others are fighting for?
I’m not saying that I particularly
like or want this bill to be enacted. I’m just saying that from a
cost standpoint, it doesn’t appear to be excessive when one
considers what would be gained or off-set.
What do you think?
Ontology recapitulates phylogeny, as I
always say. Each evolutionary step in computing requires management
to re-learn the lessons of the previous generation...
October 27, 2011
Research Study - All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces
All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces - Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011.
- "Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased. Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim’s account, with all the stored data included. In this paper, we provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus). Our research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS. As a follow up to those discoveries, we additionally describe the countermeasures against these attacks, as well as introduce a novel ”black box” analysis methodology for public Cloud interfaces."
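The signature wrapping attack the abstract names, as an added example that is not the paper's code and does not model Amazon's or Eucalyptus's real interfaces: a toy SOAP-style message in which an HMAC under an assumed shared key stands in for XML-DSig, the control interface is assumed to act on an `<Action>` element inside the SOAP Body, and the Signature in the Header references the Body by Id. The vulnerable verifier resolves that Id anywhere in the document and then processes whatever Body the application finds; the hardened verifier insists the verified element and the processed element are the same one.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed toy model of XML signature wrapping against a SOAP control
# interface. Assumptions (not from the paper or any real cloud API): the
# "signature" is an HMAC over the serialized signed element under a shared
# secret instead of XML-DSig, and the interface executes the <Action> found
# in the SOAP Body. The structural flaw is the real one: the verifier resolves
# the Reference by Id anywhere in the document while the application acts on
# the Body element, so an attacker can point the two at different elements.

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"s": SOAP}
ET.register_namespace("s", SOAP)
KEY = b"tenant-shared-secret"  # assumed shared secret for the toy signature


def signature_of(elem):
    """Toy stand-in for Reference digest + SignatureValue: an HMAC over the
    serialized subtree of the signed element, and only that subtree."""
    return hmac.new(KEY, ET.tostring(elem, encoding="utf-8"), hashlib.sha256).hexdigest()


def legit_request(action="DescribeInstances"):
    """Client side: build a request whose Body carries an Id that the
    Signature in the Header references, then sign the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "body"})
    ET.SubElement(body, "Action").text = action
    sig = ET.SubElement(header, "Signature", {"URI": "#body"})
    sig.text = signature_of(body)
    return ET.tostring(env, encoding="unicode")


def wrap(signed_xml, evil_action="TerminateInstances"):
    """Attacker side: leave the signed Body byte-for-byte intact but relocate it
    into a wrapper under the Header, then add an unsigned Body with a new action."""
    env = ET.fromstring(signed_xml)
    header = env.find("s:Header", NS)
    original_body = env.find("s:Body", NS)
    env.remove(original_body)
    wrapper = ET.SubElement(header, "Wrapper")
    wrapper.append(original_body)                       # still verifies: unchanged bytes
    new_body = ET.SubElement(env, f"{{{SOAP}}}Body")    # no Id: the verifier never looks here
    ET.SubElement(new_body, "Action").text = evil_action
    return ET.tostring(env, encoding="unicode")


def verify_naive(xml_text):
    """Vulnerable verifier: find the referenced element by Id anywhere in the
    document, check its signature, then process whatever the SOAP Body holds."""
    env = ET.fromstring(xml_text)
    sig = env.find("s:Header/Signature", NS)
    ref_id = sig.get("URI")[1:]
    signed = next(e for e in env.iter() if e.get("Id") == ref_id)
    if not hmac.compare_digest(signature_of(signed), sig.text):
        raise ValueError("bad signature")
    return env.find("s:Body", NS).find("Action").text


def verify_strict(xml_text):
    """Hardened verifier: exactly one Body directly under Envelope, the Reference
    must point at that Body, and the signature is checked over that same element."""
    env = ET.fromstring(xml_text)
    sig = env.find("s:Header/Signature", NS)
    ref_id = sig.get("URI")[1:]
    bodies = [c for c in env if c.tag == f"{{{SOAP}}}Body"]
    if len(bodies) != 1:
        raise ValueError("expected exactly one Body under Envelope")
    body = bodies[0]
    if body.get("Id") != ref_id:
        raise ValueError("signature does not reference the Body that will be processed")
    if not hmac.compare_digest(signature_of(body), sig.text):
        raise ValueError("bad signature")
    return body.find("Action").text


def rejected(verifier, xml_text):
    """True if the verifier refuses the message."""
    try:
        verifier(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    good = legit_request()
    bad = wrap(good)
    print("naive,  legit  :", verify_naive(good))
    print("naive,  wrapped:", verify_naive(bad))   # attacker's action accepted
    print("strict, legit  :", verify_strict(good))
    print("strict, wrapped rejected:", rejected(verify_strict, bad))
```

The relocation works because the signature covers only the referenced subtree, exactly as an XML-DSig Reference digest covers only the canonicalized element it points at; nothing about the element's position in the document is signed. The fix is the one the countermeasures in the paper turn on: bind the element that was validated to the element that is executed, rather than validating by Id and executing by path.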
“Obviously we have been so successful
at keeping terrorists (and leprechauns) away from airports that they
must be looking for alternate means of transportation. Therefore...”
"TSA's VIPR
program may be expanding. According to the Washington Times, 'TSA
has always
intended to expand beyond the confines of airport terminals. Its
agents have been conducting more and more surprise groping sessions
for women, children and the elderly in locations that have nothing to
do with aviation.' In Tennessee earlier this month, bus passengers
in Nashville and Knoxville were searched in addition to the
truck searches discussed here previously. Earlier this year in
Savannah, Georgia, TSA forced
a group of train travelers, including young children, to be patted
down. (They were getting off the train, not on.) Ferry
passengers have also been targeted. According to TSA
Administrator John Pistole's testimony before the Senate last June,
'TSA conducted more than 8,000 VIPR operations in the [previous] 12
months, including more than 3,700 operations in mass-transit and
passenger-railroad venues.' He wants a 50% budget increase for VIPR
for 2012. Imagine what TSA would do with the extra funding."
You don't have to do business with
black-listed nations to have your products show up in those
countries. That's what eBay and Amazon are for...
A few weeks ago, in reaction to claims
that Blue
Coat systems were being used to track internet use in Syria, a
company
spokesman denied the charges here, saying "To our knowledge,
we do not have any customers in Syria," and that the company
followed the web of regulations that would prohibit sale to certain
countries, Syria among them. In response to the logs on which the
claims were based, he said "it appears that these logs came from
an appliance in a country where there are no trade restrictions."
A report at the Wall Street Journal says that the company has now
acknowledged
that Blue Coat devices are being used in Syria after all; the
paper reports that at least 13 of the censorware boxes are in use
there, and cites an unnamed source who says "as many as 25
appliances have made their way into Syria since the mid-2000s, with
most sold through Dubai-based middlemen."