This is Don Franke's Typepad Profile.
Join Typepad and start following Don Franke's activity
Join Now!
Already a member? Sign In
Don Franke
Recent Activity
Great post! Bletchley Park cracked Enigma-encoded and other intercepted messages, and combined this information with signals intelligence to anticipate enemy ship routes, troop movements and planned attacks. The technology used today may be different, but there are many similarities. Bletchley Park was unlike anything else at the time, and I encourage anyone with an interest in security to read about their history. Hopefully, there are concentrated efforts like this currently underway. As Sarah points out, the people who worked there and their accomplishments exemplify the true spirit of information security.
Late last year, a nefarious banking app was discovered on the Android phone marketplace. This, I'm afraid, is just the beginning. Doing some Android phone development recently, I have gotten some hands-on experience with how an application is deployed to the Android Marketplace. One big difference between the Google and Apple mobile software stores is that Apple vets and approves each app before it is made available for public download. With Android, anyone who pays the $25 registration can upload an application to the marketplace. To upload an application, it first must be signed with your own digital signature. This... Continue reading
Posted Jan 23, 2010 at ISC2 Blog
I have been thinking about whether there are are any risks unique to remote facilities when it comes to a company's IT security design. This could be locations in different cities, near-shoring, off-shoring, etc. From the article Bad Communication Can Create Risk, the author lists four risks mitigated by effective communication: Increased employee resignations Decreased employee productivity Overt employee subversion Inability to achieve company goals From an IT security perspective, I will add: Back doors Data leakage Malicious behavior (unintentional or otherwise) The knowledge of being observed is itself a deterrent to bad behavior. There is the Observer (or Hawthorne)... Continue reading
Posted Dec 8, 2009 at ISC2 Blog
There was a story I read recently on the Times Online: French troops were killed after Italy hushed up ‘bribes’ to Taleban. What could this tragic event possibly have to do with IT security? Let me explain. First, there were allegations that the Italian government had been paying bribes to the Taliban in exchange for save haven. But Italy vehemently denied it. Then, last year, ten French troops were killed in what they had previously assessed to be a peaceful area of Afghanistan. Before France went into this deadly area, they (of course) did a risk assessment. What factored considerably... Continue reading
Posted Nov 8, 2009 at ISC2 Blog
An interesting computer security project has been underway at Wake Forest University. They have been developing threat detection software that mimics the behavior of ants. About a decade ago I read the book Turtles, Termites, and Traffic Jams: Explorations in Massively Parallel Microworlds (Complex Adaptive Systems) which, among other things, went into detail about the pherenome trail left by ants. The ants would go out on discovery missions, looking for food, leaving in their wake a scent trail. If a place of interest was discovered, the scout would return back on the same trail, making it stronger, and other ants... Continue reading
Posted Sep 26, 2009 at ISC2 Blog
Good point. Knowing just the last 4 could be good enough to launch a successful phishing attacks. Also, per the book Zero Day Threat: "A prospective borrower filling out an online loan application can submit less than nine correct digits of [a] Social Security number and just three matching letters of the first name of someone of good credit standing...The three letters of the first name don't even have to be in the same order or sequence." So for some systems just having partial information is just as good. Scary.
Toggle Commented Jul 9, 2009 on Guessing SSNs at ISC2 Blog
That would be great if update downloads were free--this should be required of all ISPs. It would take some logistical work by the OS vendors and internet providers, but would definitely address the problem. And true, many major updates are also available via CD--I just updated my Ubuntu from 8 to 9 by getting a CD off eBay. It's the customer not getting all the smaller updates and security patches that can be the problem. Thanks for the input!
Toggle Commented Jun 21, 2009 on Bandwidth Caps Means Bad Security at ISC2 Blog
Speaking from my own experience, I recently switched to a 5GB/month plan. It was a new experience to have to keep track of what and how much I was downloading. It was toward the end of the billing cycle when I got a Mac Software Update notice telling me I had over 400MB of updates ready for download. So I had to make a choice: update my OS or wait until next month and do it then. I also had the choice not to update at all. For customers on the 400MB/month plan, will they always choose to update their OS above all else? I posit that PCs of customers with bandwidth caps may be more likely to be compromised, because they are less likely to be updating their PC due to cost. I also suggest that the current update process has an unlimited bandwidth mindset. I agree a physical delivery method isn't the best either, but I do think we need at least a second (less costly) option for consumer to choose from. Thanks for a perspective from outside America!
Toggle Commented Jun 16, 2009 on Bandwidth Caps Means Bad Security at ISC2 Blog