This is riskpundit's TypePad Profile.
riskpundit
I help enterprises reduce information security risks.
Recent Activity
As anyone who has recently come to www.riskpundit.com realizes, I have not been blogging here in a while. For the last two years, I have done all of my blogging at www.cymbel.com/blog. I will continue to blog there mostly about information security technical controls from a risk mitigation perspective. I will be blogging about Information Security Risk Management issues at http://riskpundit.blogspot.com/. Continue reading
Posted Aug 5, 2012 at RiskPundit
Your post focuses mostly on Identity and Access Control Services. My experience is mostly on the Defensive Services side of security. I see the main blocking factors to putting into practice what we already know related to who knows it and when. The time it takes for new best practices to permeate through infosec teams and their management is much longer than it takes for new motives and methods to spread among bad actors. This is because: 1. It's much easier to prove a positive (efficacy of a new offensive method) than a negative (efficacy of a new defensive measure or process). 2. It's much more expensive for organizations to effectively implement new defensive measures than it is for small teams of bad actors to implement new offensive measures. These asymmetries are fundamental to the defensive nature of the aforementioned eponymous Defensive Services.
There is no doubt that Heartland is under-performing as a company. And as a security professional, I would love to believe the cause is the breach. But the breach may just be a correlated event. I would like to see a deeper analysis.
Commented Jan 24, 2011 on Has the Bleeding Stopped at Heartland? at 1 Raindrop
IRC-Junkie is reporting that researchers at TU Wien (Vienna University of Technology, Austria) have developed a software program that performs a "man-in-the-middle" attack between IRC users causing them to click on malicious links at a 76% click rate. As opposed to impersonating a user and attempting to perform one side of the conversation, this program sits between two users and simply makes changes to the words and inserts malicious links. The so called "HoneyBot" is capable of influencing the ongoing conversation by “dropping, inserting, or modifying messages” and the researchers assert that “if links (or questions) are inserted into such... Continue reading
Posted Jun 13, 2010 at RiskPundit
Slate recently published an article entitled, "The End of Malware?" The sub-title is, "How Android, Chrome, and the iPad are shielding us from dastardly programs." The premise trotted out the usual: Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application's access to operating system resources. While this may be a good thing, it is hardly the "end of malware." Not even close. What the author is missing is the intent and motivation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal... Continue reading
Posted Jun 6, 2010 at RiskPundit
ReadWriteEnterprise is reporting that: Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share. Read... Continue reading
Posted Jun 6, 2010 at RiskPundit
Aza Raskin, the Creative Lead for Firefox, (via Ajaxian) describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious Javascript in action. Does your Secure Web Gateway vendor block this attack? Continue reading
Posted May 25, 2010 at RiskPundit
We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report: Silicon Valley Eyecare Optometry and Contact Lenses State: California Approx. # of Individuals Affected: 40,000 Date of Breach: 4/02/10 Type of Breach: Theft Location of Breached Information: Network Server An FAQ on the firm’s web site says, in part: What happened? On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an outside window to the administrative area of our office at 770 Scott... Continue reading
Posted May 22, 2010 at RiskPundit
DarkReading is reporting: In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach. The article does not state whether this is included in the $139 million they said they set aside in a recent SEC filing. Given that the filing was recent, I would think, yes. As I posted earlier this month, $139 million is a far cry from the initial expected costs of $12 million. Continue reading
Posted May 22, 2010 at RiskPundit
The Phoenix New Times (via Wired) is reporting that LifeLock's CEO Todd Davis's identity was stolen 13 times. That's 12 more than had been previously reported. The question is, whose fault is it? Clearly from a security perspective, it's not a good idea to display your Social Security Number on billboards and TV advertisements. However, from a marketing perspective it was brilliant. The actual dollar amounts lost due to these identity theft incidents were low. If those costs were simply written off as marketing expenses, it was a good deal for Todd Davis. On the other hand, the legal expenses... Continue reading
Posted May 22, 2010 at RiskPundit
Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million. This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa. The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in... Continue reading
Posted May 12, 2010 at RiskPundit
Sunbelt has a detailed blog post of a ridiculously simple and obvious social engineering attack on Facebook users. The good news is that only 0.05% of Facebook users fell for it. The bad news is that the actual number of Facebook users is 191,372. Given the ease of creating these attacks and the rewards to the attackers, they are not going to stop anytime soon. Continue reading
Posted May 12, 2010 at RiskPundit
Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows - System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability which enables them to bypass these anti-virus programs. The Register has a good summary. My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses. Second, how and how quickly will Microsoft and the... Continue reading
Posted May 10, 2010 at RiskPundit
From PEHub: Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.” While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to... Continue reading
Posted May 10, 2010 at RiskPundit
Adobe Flash Player 10.1 will make "its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machines," according to an article in Dark Reading. The side effect is that e-commerce sites which have been using Flash's Local Storage to store machine ID's without the user's consent or knowledge will no longer be a viable machine authentication method. This is actually good news because e-commerce sites will be forced to use technology designed specifically for authentication rather than relying on this Adobe externality. Continue reading
Posted May 9, 2010 at RiskPundit
Peter Kuper posted an interesting article on fudsec.com claiming that there is an "Innovator's Crisis" in IT Security. I disagree. There are several new, innovative solutions coming from start-ups that do mitigate the new risks created by the explosion in "web 2.0" applications. Large enterprises are facing huge challenges though. First, capital investments made in security during the last several years must be written down because the technology is obsolete. For example, stateful inspection firewalls have become essentially useless. Second, the new solutions require these enterprises to reorganize their security staff. For example, most large enterprises have separate groups to manage... Continue reading
Posted May 1, 2010 at RiskPundit
Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so, says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology "next-generation firewalls." It is really just border control – we don't declare countries "deperimeterized" because airplanes were invented, we extend border control into the airport terminals. Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are... Continue reading
Posted Apr 30, 2010 at RiskPundit
Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate. As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users. I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider... Continue reading
Posted Apr 28, 2010 at RiskPundit
If the IRS is coming after you for not paying taxes on unreported income, it may be that someone used your Social Security Number on his W-4. According to the Treasury Department's Inspector General for Tax Administration, it happened as many as 1.2 million times in 2007. Thanks for the pointer from the Office of Inadequate Security (databreaches.net). What is worse, the full article on WebCPA says that the IRS lacks the procedures to identify this type of identity theft: TIGTA assessed whether the IRS has procedures to effectively handle collection issues related to ITINs [Individual Taxpayer Identification Number]. It... Continue reading
Posted Apr 26, 2010 at RiskPundit
Health Data Management Magazine's May issue notes that the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breaches of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010. The criterion for posting is that at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today there were seven more breaches posted. Unfortunately the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the... Continue reading
Posted Apr 26, 2010 at RiskPundit
The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API where all events you have participated in or are planning to participate in cannot be kept private. My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw. If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers' willingness to give up privacy... Continue reading
Posted Apr 26, 2010 at RiskPundit
Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service. I wrote about Aurora here and here. However, the question remains - why Gmail and not Yahoo or Microsoft's free email service? Perhaps it's because only Gmail offers SSL encryption which prevents sniffing on the wire to read emails. Because the other free email services don't offer SSL, you can simply sniff the wire to read the emails on those services. End users who have some level of security consciousness gravitate... Continue reading
Posted Apr 25, 2010 at RiskPundit
Dark Reading published a story based on VeriSign's iDefense's research of an underground black market for stolen social networking credentials. One criminal was selling 1,000 Facebook accounts with 10 or less friends for $25, while the price for 1,000 Facebook accounts with 10 or more friends is $45. While this should not be surprising, it is worth noting again the level of cybercrime organization. Continue reading
Posted Apr 25, 2010 at RiskPundit
Last week, the Apache infrastructure team disclosed a breach to their issue tracking software where an XSS exploit led to root access which led to compromised passwords. What makes it interesting is the level of detail they provided about the breach, which security policies worked, which did not work, and what they are changing to reduce the risk of another such breach. No attempt at security by obscurity here. McAfee Labs did a nice blog post on it. Do you think the use of Apache is going to go up or down? IMHO, the breach will have no effect or... Continue reading
Posted Apr 17, 2010 at RiskPundit
Microsoft researcher Cormac Herley recently published a paper casting doubt on the economic value of following conventional password policy recommendations. Whether you agree with Herley or not, his economic analysis is well worth reading. Security Watch has a nice summary. Continue reading
Posted Apr 15, 2010 at RiskPundit