Five Sneaky Credit Card Scams

#1 Phone Fraud

The phone rings, a scammer poses as your bank's fraud department. They may have your entire card number stolen from another source.

They ask about a charge made and you deny the charge, but in order for the charge to be removed, they need your 3-4 digits CVV number off the front or back of the card.

A variation may be they only have the last 4 digits found on a receipt or statement you threw away. They can also use the same ruse to get the full 16 digits from you.

#2 Clever Clerk

You hand your card to a sales clerk, waiter or waitress and they have a card reading wedge device that looks like this.

The device may be wrapped around a band on their ankle. They bend over and make it look like they are fixing a sock, once they swipe the card through, they can make charges on your card.

#3 The Loop

You’re at an ATM that isn’t cooperating. Some nice guy injects himself into the scene to help you. During the process he watches you enter your pin.

After another attempt the ATM eats your card. After you leave all upset, he pulls the card from the ATMs card slot using a loop of VHS tape he jammed inside the machine.

#4 Risky Retailer

When searching for something on the web you come across a website with a great deal.

In the process of ordering they inform you a discount is available along with a free trial of another product. Thinking you just made out on the deal you take the bait.

Next thing you know your card is charged every month and the company makes it very difficult to cancel the charges.

#5 Cell Snap

While buying something at a store you swipe your card through the point of sale terminal.

If you are using a debit card you also need to punch your PIN into the keypad. The guy one or two people behind you filmed the entire transaction including your PIN on his mobile phone.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Five Sneaky Credit Card Scams

#1 Phone Fraud

The phone rings, a scammer poses as your bank's fraud department. They may have your entire card number stolen from another source.

They ask about a charge made and you deny the charge, but in order for the charge to be removed, they need your 3-4 digits CVV number off the front or back of the card.

A variation may be they only have the last 4 digits found on a receipt or statement you threw away. They can also use the same ruse to get the full 16 digits from you.

#2 Clever Clerk

You hand your card to a sales clerk, waiter or waitress and they have a card reading wedge device that looks like this.

The device may be wrapped around a band on their ankle. They bend over and make it look like they are fixing a sock, once they swipe the card through, they can make charges on your card.

#3 The Loop

You’re at an ATM that isn’t cooperating. Some nice guy injects himself into the scene to help you. During the process he watches you enter your pin.

After another attempt the ATM eats your card. After you leave all upset, he pulls the card from the ATMs card slot using a loop of VHS tape he jammed inside the machine.

#4 Risky Retailer

When searching for something on the web you come across a website with a great deal.

In the process of ordering they inform you a discount is available along with a free trial of another product. Thinking you just made out on the deal you take the bait.

Next thing you know your card is charged every month and the company makes it very difficult to cancel the charges.

#5 Cell Snap

While buying something at a store you swipe your card through the point of sale terminal.

If you are using a debit card you also need to punch your PIN into the keypad. The guy one or two people behind you filmed the entire transaction including your PIN on his mobile phone.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Microsoft to fix PowerPoint, Forefront vulnerabilities

Microsoft will issue three bulletins next week, repairing 11 vulnerabilities in Office and the Forefront Unified Access Gateway.

In the software giant's Advance Notification released Thursday, Microsoft said one bulletin addressing Office vulnerabilities is rated "critical." The critical bulletin affects Microsoft Office 2007 and 2010.

A bulletin addressing a flaw that could enable an elevation of privileges in the Forefront UAG 2010 is rated "Important." A third update, rated "important" will repair errors in Microsoft PowerPoint that could be exploited remotely by an attacker.

The updates will be issued Tuesday as part of Microsoft's regularly scheduled monthly patching process.

Engineers are still working on a fix for a zero-day vulnerability in Internet Explorer being actively targeted in drive-by attacks. Microsoft issued an advisory on Tuesday warning of a memory allocation error, present in Internet Explorer 6, 7, and 8 could enable an attacker to execute code and gain access to a victim's machine.

View the original article here

Microsoft to fix PowerPoint, Forefront vulnerabilities

Microsoft will issue three bulletins next week, repairing 11 vulnerabilities in Office and the Forefront Unified Access Gateway.

In the software giant's Advance Notification released Thursday, Microsoft said one bulletin addressing Office vulnerabilities is rated "critical." The critical bulletin affects Microsoft Office 2007 and 2010.

A bulletin addressing a flaw that could enable an elevation of privileges in the Forefront UAG 2010 is rated "Important." A third update, rated "important" will repair errors in Microsoft PowerPoint that could be exploited remotely by an attacker.

The updates will be issued Tuesday as part of Microsoft's regularly scheduled monthly patching process.

Engineers are still working on a fix for a zero-day vulnerability in Internet Explorer being actively targeted in drive-by attacks. Microsoft issued an advisory on Tuesday warning of a memory allocation error, present in Internet Explorer 6, 7, and 8 could enable an attacker to execute code and gain access to a victim's machine.

View the original article here

Domino Security Vulnerabilities and How to Maximize Risk

How secure is your Domino environment? Although there are few resources available for Domino security, it is important to protect your systems from threats and minimize risks by identifying weaknesses. In this expert e-guide from SearchDomino.com, learn how to monitor areas that put Domino at risk including, operating system patches and passwords. Find out about Web-centric vulnerabilities and why it is essential to perform manual analysis to ensure optimal security.

View the original article here

Domino Security Vulnerabilities and How to Maximize Risk

How secure is your Domino environment? Although there are few resources available for Domino security, it is important to protect your systems from threats and minimize risks by identifying weaknesses. In this expert e-guide from SearchDomino.com, learn how to monitor areas that put Domino at risk including, operating system patches and passwords. Find out about Web-centric vulnerabilities and why it is essential to perform manual analysis to ensure optimal security.

View the original article here

Bankrate Releases 2010 Gift Card Study

Tags » Gift Cards  » Comments (0)

Bankrate has announced key findings from a new study on gift cards. "Bankrate surveyed 54 gift card issuers to determine fees that come from major gift card providers as well as where consumers can get the most value for their money." The full 2010 Gift Card Study is available here.

View the original article here

Bankrate Releases 2010 Gift Card Study

Tags » Gift Cards  » Comments (0)

Bankrate has announced key findings from a new study on gift cards. "Bankrate surveyed 54 gift card issuers to determine fees that come from major gift card providers as well as where consumers can get the most value for their money." The full 2010 Gift Card Study is available here.

View the original article here

More PCI encryption, tokenization options emerge for compliance

The use of tokens to mask sensitive data is taking hold in the payment industry, with merchants now having the option to use third-party service providers or install their own tokenization server to protect credit card data.

The market for a combined tokenization and encryption package has been simmering, buoyed by merchants trying to find ways to simplify the payment process and meet PCI encryption requirements. The latest guidance from the PCI Security Standards Council suggests that the market for tokenization and point-to-point encryption for PCI compliance is still in its infancy.

"I think it will be a little time before we know whether the current batch of solutions can address all the potential problems," said Ramon Krikken, an analyst at Stamford, Conn.-based Gartner Inc. "The Wal-Marts and Targets of the world, or even large ecommerce retailers, are the ones that may be hesitant to jump in right now."

Krikken said vendors are slowly working toward creating standards so merchants don't get locked into a single vendor. System integration issues also need to be ironed out, Krikken said. Not all software packages can integrate with various databases used for data warehousing, analytical systems and point-of-sale applications. The PCI council is also working on tokenization guidance documents and validation standards so qualified security assessors can evaluate tokenization and encryption systems for compliance with PCI DSS.

Gary Palgon, leader of the PCI SSC Tokenization Working Group and vice president of product management at Atlanta-based tokenization vendor nuBridges Inc., said the push for standards is beginning with PCI DSS, but other requirements for a tokenization standard are needed to address other types of data. For example, many merchants use a 16-digit token when masking credit card data to ensure analytical systems function properly, but a company using tokens for personally identifiable information, such as salary data, may not need that 1:1 relationship, Palgon said.

"We've reached out to our competitors and said we need to be a little more aggressive on standards from a tokenization standpoint," he said. "There will be areas in which we will compete and there will be areas which are commoditized."

RSA is the latest vendor to offer a software package that combines encryption and tokenization capabilities. The security division of EMC Corp. released the Data Protection Manager tool this week. The tool can eliminate credit card data in payment and analytical systems by replacing them with a token. It can also be used in the medical field or other industries that deal with sensitive data.

RSA isn't the only encryption vendor offering off-the-shelf tokenization/encryption software. Protegrity Corp. and Voltage Security Inc. offer format-preserving encryption, something RSA does not. Format-preserving encryption can keep the same format of the unencrypted data, such as a credit card number string. RSA said its server enables companies to keep part of the format (several digits of a customer's credit card number). nuBridges partnered with PGP Corp., now part of Symantec, to offer encryption integration.

"You shrink the scope to applications that really need card numbers plus your tokenization server," Krikken said. "The gain with solutions like this is that you'll have the entire infrastructure under your control."

RSA Data Protection Manager is a server-side management tool and token database. It includes an interface for setup and management of the technology. The console is used to manage keys and tokens, enabling IT to set key rotation policies -- monthly or annually -- for different parts of the infrastructure. "In addition, the same server is used to manage the application environment as well as the back-end disk and storage encryption, so customers avoid the overhead of key management silos," RSA said in a statement.

RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.

RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may be popular with small and midsized merchants attempting to reduce the scope of PCI DSS by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif-based point-of-sale systems vendor, VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software.

View the original article here

More PCI encryption, tokenization options emerge for compliance

The use of tokens to mask sensitive data is taking hold in the payment industry, with merchants now having the option to use third-party service providers or install their own tokenization server to protect credit card data.

The market for a combined tokenization and encryption package has been simmering, buoyed by merchants trying to find ways to simplify the payment process and meet PCI encryption requirements. The latest guidance from the PCI Security Standards Council suggests that the market for tokenization and point-to-point encryption for PCI compliance is still in its infancy.

"I think it will be a little time before we know whether the current batch of solutions can address all the potential problems," said Ramon Krikken, an analyst at Stamford, Conn.-based Gartner Inc. "The Wal-Marts and Targets of the world, or even large ecommerce retailers, are the ones that may be hesitant to jump in right now."

Krikken said vendors are slowly working toward creating standards so merchants don't get locked into a single vendor. System integration issues also need to be ironed out, Krikken said. Not all software packages can integrate with various databases used for data warehousing, analytical systems and point-of-sale applications. The PCI council is also working on tokenization guidance documents and validation standards so qualified security assessors can evaluate tokenization and encryption systems for compliance with PCI DSS.

Gary Palgon, leader of the PCI SSC Tokenization Working Group and vice president of product management at Atlanta-based tokenization vendor nuBridges Inc., said the push for standards is beginning with PCI DSS, but other requirements for a tokenization standard are needed to address other types of data. For example, many merchants use a 16-digit token when masking credit card data to ensure analytical systems function properly, but a company using tokens for personally identifiable information, such as salary data, may not need that 1:1 relationship, Palgon said.

"We've reached out to our competitors and said we need to be a little more aggressive on standards from a tokenization standpoint," he said. "There will be areas in which we will compete and there will be areas which are commoditized."

RSA is the latest vendor to offer a software package that combines encryption and tokenization capabilities. The security division of EMC Corp. released the Data Protection Manager tool this week. The tool can eliminate credit card data in payment and analytical systems by replacing them with a token. It can also be used in the medical field or other industries that deal with sensitive data.

RSA isn't the only encryption vendor offering off-the-shelf tokenization/encryption software. Protegrity Corp. and Voltage Security Inc. offer format-preserving encryption, something RSA does not. Format-preserving encryption can keep the same format of the unencrypted data, such as a credit card number string. RSA said its server enables companies to keep part of the format (several digits of a customer's credit card number). nuBridges partnered with PGP Corp., now part of Symantec, to offer encryption integration.

"You shrink the scope to applications that really need card numbers plus your tokenization server," Krikken said. "The gain with solutions like this is that you'll have the entire infrastructure under your control."

RSA Data Protection Manager is a server-side management tool and token database. It includes an interface for setup and management of the technology. The console is used to manage keys and tokens, enabling IT to set key rotation policies -- monthly or annually -- for different parts of the infrastructure. "In addition, the same server is used to manage the application environment as well as the back-end disk and storage encryption, so customers avoid the overhead of key management silos," RSA said in a statement.

RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.

RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may be popular with small and midsized merchants attempting to reduce the scope of PCI DSS by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif-based point-of-sale systems vendor, VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software.

View the original article here

E-Guide: Technical Guide on Web Application Firewalls

Web application firewalls are becoming critical data protection and compliance tools that any security decision maker must understand. SearchSecurity.com presents a comprehensive guide to Web Application Firewalls in which experts examine evaluation criteria, deployment considerations and management issues.

In this guide you will learn about:

Choosing the right Web application firewallHow to choose between source code reviews or Web application firewallsHow Web application security mandates burden smaller companiesBuilding application firewall rule basesHow application security expertise is a plus when offering WAF servicesAnd more!

Sponsored by:

WatchGuardIBMImperva, Inc.GeoTrust

View the original article here

E-Guide: Technical Guide on Web Application Firewalls

Web application firewalls are becoming critical data protection and compliance tools that any security decision maker must understand. SearchSecurity.com presents a comprehensive guide to Web Application Firewalls in which experts examine evaluation criteria, deployment considerations and management issues.

In this guide you will learn about:

Choosing the right Web application firewallHow to choose between source code reviews or Web application firewallsHow Web application security mandates burden smaller companiesBuilding application firewall rule basesHow application security expertise is a plus when offering WAF servicesAnd more!

Sponsored by:

WatchGuardIBMImperva, Inc.GeoTrust

View the original article here

Tape Drive Comparison

With the Spectra Logic launch of the LTO-5, the fifth generation of the successful LTO program, examining the range of the latest tape technologies helps customers select the right tape for their backup environment. Read this informative white paper comparing backup technologies to help make your backup decision.

View the original article here

Tape Drive Comparison

With the Spectra Logic launch of the LTO-5, the fifth generation of the successful LTO program, examining the range of the latest tape technologies helps customers select the right tape for their backup environment. Read this informative white paper comparing backup technologies to help make your backup decision.

View the original article here

Windows 7 and Desktop Lockdown with Privilege Management

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to also re-assess their approach to PC lockdown.  With the advanced privilege management capabilities offered by Viewfinity, enterprises have an alternative to the “all or nothing” approach to least privileges – because an “all or nothing” methodology prohibits organizations from meeting compliance, security and desktop operations goals.  This white paper discusses how Viewfinity Privilege Management allows IT professionals to reach these objectives, without sacrificing user productivity or increasing support call volume. We offer granular, multi-level user permission control, including support for endpoints that are not part of the Active Directory domain or do not regularly connect to the corporate network.

View the original article here

Windows 7 and Desktop Lockdown with Privilege Management

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to also re-assess their approach to PC lockdown.  With the advanced privilege management capabilities offered by Viewfinity, enterprises have an alternative to the “all or nothing” approach to least privileges – because an “all or nothing” methodology prohibits organizations from meeting compliance, security and desktop operations goals.  This white paper discusses how Viewfinity Privilege Management allows IT professionals to reach these objectives, without sacrificing user productivity or increasing support call volume. We offer granular, multi-level user permission control, including support for endpoints that are not part of the Active Directory domain or do not regularly connect to the corporate network.

View the original article here

The Benefits of WAN Optimization – Part 2

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

The Benefits of WAN Optimization – Part 2

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

Coastal Pacific Xpress Makes the Logical Choice: Organization Replaces Three Security Products With the Astaro Security Gateway

Coastal Pacific Xpress, a leader in logistical transportation and warehousing solutions, was managing renewals, license management and updates/upgrades for each product individually.  This task became increasingly difficult and CPX looked for a new solution to protect these numerous products.

Check out this case study to learn how CPX used Astaro Security Gateway to better manage and protect all 500-plus devices in Coastal Pacific Xpress's network.

View the original article here

Coastal Pacific Xpress Makes the Logical Choice: Organization Replaces Three Security Products With the Astaro Security Gateway

Coastal Pacific Xpress, a leader in logistical transportation and warehousing solutions, was managing renewals, license management and updates/upgrades for each product individually.  This task became increasingly difficult and CPX looked for a new solution to protect these numerous products.

Check out this case study to learn how CPX used Astaro Security Gateway to better manage and protect all 500-plus devices in Coastal Pacific Xpress's network.

View the original article here

Astaro Boosts Green County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.

View the original article here

Astaro Boosts Green County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.

View the original article here

Radiology Inc. Nukes Cosco Pix: Radiological Services Company Expands with the Help of Astaro

Radiology Inc. had outgrown their Cisco Pix firewalls. The devices did not provide the radiological services company with the throughput required to conduct daily operations.

They expanded their network through VPN connections and point to point fiber circuits. Unfortunately, they also found that their current system was limiting their ability to expand as it wasn't flexible enough to handle the required number of secure VPN connections.

Read this case study to learn how Radiology Inc. utilized Astaro Security Gateway to increase both its network capacity and efficiency.

View the original article here

Radiology Inc. Nukes Cosco Pix: Radiological Services Company Expands with the Help of Astaro

Radiology Inc. had outgrown their Cisco Pix firewalls. The devices did not provide the radiological services company with the throughput required to conduct daily operations.

They expanded their network through VPN connections and point to point fiber circuits. Unfortunately, they also found that their current system was limiting their ability to expand as it wasn't flexible enough to handle the required number of secure VPN connections.

Read this case study to learn how Radiology Inc. utilized Astaro Security Gateway to increase both its network capacity and efficiency.

View the original article here

Best Practices for Virtual Infrastructure Management

There are two sides to virtualization. The positives are well known: better hardware utilization, faster application deployment and increased workload mobility, all in the service of business agility. However, with all of these positives it is easy to forget the challenges. Read this white paper to learn how to address these IT management problems.

View the original article here

Best Practices for Virtual Infrastructure Management

There are two sides to virtualization. The positives are well known: better hardware utilization, faster application deployment and increased workload mobility, all in the service of business agility. However, with all of these positives it is easy to forget the challenges. Read this white paper to learn how to address these IT management problems.

View the original article here

Headline News - November 2, 2010

Tags » Facebook, Mobile POS, Mobile Technology, Payments News - Headline News, PlaySpan, Prepaid Cards, Vindicia  » Comments (0)

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

View the original article here

Headline News - November 2, 2010

Tags » Facebook, Mobile POS, Mobile Technology, Payments News - Headline News, PlaySpan, Prepaid Cards, Vindicia  » Comments (0)

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

View the original article here

MasterCard Announces 3Q2010 Financial Results

Tags » MasterCard  » Comments (0)

MasterCard this morning has announced financial results for the third quarter 2010. The company reported gross dollar volume increased 8.5% on a local currency basis to $685 billion, cross border volumes increased 15.4% and processed transactions increased 0.6% compared to the same period in 2009, to 5.8 billion.

"Consumers and businesses around the world continue to recognize the benefits of electronic payments and MasterCard remains at the heart of this evolution," said Ajay Banga, MasterCard president and chief executive officer. "Our year-to-date net income is up over 22%, aided by strong volume growth from markets outside of the U.S."

Press release, supplemental operating results, and an accompanying investor presentation are available on the MasterCard website.

View the original article here

MasterCard Announces 3Q2010 Financial Results

Tags » MasterCard  » Comments (0)

MasterCard this morning has announced financial results for the third quarter 2010. The company reported gross dollar volume increased 8.5% on a local currency basis to $685 billion, cross border volumes increased 15.4% and processed transactions increased 0.6% compared to the same period in 2009, to 5.8 billion.

"Consumers and businesses around the world continue to recognize the benefits of electronic payments and MasterCard remains at the heart of this evolution," said Ajay Banga, MasterCard president and chief executive officer. "Our year-to-date net income is up over 22%, aided by strong volume growth from markets outside of the U.S."

Press release, supplemental operating results, and an accompanying investor presentation are available on the MasterCard website.

View the original article here

Aconite Announces Packaged Solution To Speed EMV Adoption

Tags » Aconite  » Comments (0)

Aconite has announced the Aconite Smart EMV Manager, an integrated package that delivers "a sophisticated, fully-featured EMV solution in a single product. With straightforward pricing, simple interfaces and a plug-in deployment model, Aconite Smart EMV Manager offers all the benefits of Aconite's world-leading EMV components in a single, easy to implement package."

View the original article here

Aconite Announces Packaged Solution To Speed EMV Adoption

Tags » Aconite  » Comments (0)

Aconite has announced the Aconite Smart EMV Manager, an integrated package that delivers "a sophisticated, fully-featured EMV solution in a single product. With straightforward pricing, simple interfaces and a plug-in deployment model, Aconite Smart EMV Manager offers all the benefits of Aconite's world-leading EMV components in a single, easy to implement package."

View the original article here

Zero Trust Security – The Technical Discussion

With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint at heart as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven, you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions are questionable at best.  Unfortunately, the PCI DSS is mandating that log data be reviewed at least daily. 

In order to get that done, merchants either cannot afford or do not have the time to invest to meet this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Zero Trust Security – The Technical Discussion

With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint at heart as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven, you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions are questionable at best.  Unfortunately, the PCI DSS is mandating that log data be reviewed at least daily. 

In order to get that done, merchants either cannot afford or do not have the time to invest to meet this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Will A Security Conference Help Your Company?

For people who work in the world of computers, we all get our experiences in different ways. Some of us are born to type on the keys as part of our passion and we gain most of our knowledge just from experimenting at a young age.

While others of us are late bloomers and we start to learn how a computer truly works from classes in high school and most likely college.

But no matter how good you may think that you know computers, you have to understand that the world of computer security is a different beast all together.

If you were a hacker as a kid then you can take comfort that you have at least a passing knowledge of computer security.

But if you were a person who just used to mess around on the computer and did not try to break the system, then you have a whole world that needs to be opened up to you. A lot of these people work in the IT field now.

They help make sure that the computers in the offices around the world are running like they are supposed to. They are also, for the most part, in charge of the security as well.

As I said earlier, knowing how to secure a system takes more than just knowing about computers in general. That’s why it helps if you send your IT guy to some of the computer security conferences that happen every year.

Why send them to a conference?

There is a very easy answer to this question; it is because their knowledge will increase greatly. People who go to some of the computer security conferences learn a great deal from not just the other guys on the same side that they are on but from the bad guys as well.

The security conferences are a place where both white and black hat hackers come out to show what they have discovered over the past year. The one thing that a hacker cares about more than money in this world is respect from his peers.

Bringing a new and interesting attack to the attention of his peers is the one thing that will get him noticed. Most security conferences are known as a place where it is all about the education of the individuals and not about the politics of who is a good guy and who is a bad guy.

Getting to see these kinds of attacks in person and being able to ask questions will allow your IT guy to go back home or work and set up the network to the specifications needed to defend itself from these types of attack.

There is no better way to head off an impending attack than already knowing how it works and setting your system up to counteract it. And that is the great thing about most of these conferences as well.

They will show you how to defend yourself from some of the attacks that they show. The person will walk with you step by step through the attack and afterwards they will talk to the group on how the attack can be stopped.

Does your IT guy have the knowledge to implement what he has learned at the conference?

While your IT guy might be good, he may not be able to fully comprehend some of the attacks that he witnessed at the security conference. There is a lot of high level programming that goes into one of these attacks and some of them might deal with parts of the computer that the IT guy does not know about.

If that is the case then at least he still knows what he is missing and he can help you bring in someone that will know about the attacks that the system needs to be defended from.

If he didn't go to the conference in the first place he wouldn't be able to get you this far. You can bring in a freelance consultant and your IT guy will be able to go over his work to a small degree and make sure that he checks for everything that he is supposed to.

This is all because of the knowledge that he gained from the conference.

If you want to make sure that you have all your bases covered when it comes to the security of your network, then you must make sure that the people who are in charge of guarding it are properly trained.

You do this by getting them all of the material that they need. If that material requires that you send them to a security conference then that is what you have to do. If you do not get this done, then you will be easy pickings for the bad guys out there.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Will A Security Conference Help Your Company?

For people who work in the world of computers, we all get our experiences in different ways. Some of us are born to type on the keys as part of our passion and we gain most of our knowledge just from experimenting at a young age.

While others of us are late bloomers and we start to learn how a computer truly works from classes in high school and most likely college.

But no matter how good you may think that you know computers, you have to understand that the world of computer security is a different beast all together.

If you were a hacker as a kid then you can take comfort that you have at least a passing knowledge of computer security.

But if you were a person who just used to mess around on the computer and did not try to break the system, then you have a whole world that needs to be opened up to you. A lot of these people work in the IT field now.

They help make sure that the computers in the offices around the world are running like they are supposed to. They are also, for the most part, in charge of the security as well.

As I said earlier, knowing how to secure a system takes more than just knowing about computers in general. That’s why it helps if you send your IT guy to some of the computer security conferences that happen every year.

Why send them to a conference?

There is a very easy answer to this question; it is because their knowledge will increase greatly. People who go to some of the computer security conferences learn a great deal from not just the other guys on the same side that they are on but from the bad guys as well.

The security conferences are a place where both white and black hat hackers come out to show what they have discovered over the past year. The one thing that a hacker cares about more than money in this world is respect from his peers.

Bringing a new and interesting attack to the attention of his peers is the one thing that will get him noticed. Most security conferences are known as a place where it is all about the education of the individuals and not about the politics of who is a good guy and who is a bad guy.

Getting to see these kinds of attacks in person and being able to ask questions will allow your IT guy to go back home or work and set up the network to the specifications needed to defend itself from these types of attack.

There is no better way to head off an impending attack than already knowing how it works and setting your system up to counteract it. And that is the great thing about most of these conferences as well.

They will show you how to defend yourself from some of the attacks that they show. The person will walk with you step by step through the attack and afterwards they will talk to the group on how the attack can be stopped.

Does your IT guy have the knowledge to implement what he has learned at the conference?

While your IT guy might be good, he may not be able to fully comprehend some of the attacks that he witnessed at the security conference. There is a lot of high level programming that goes into one of these attacks and some of them might deal with parts of the computer that the IT guy does not know about.

If that is the case then at least he still knows what he is missing and he can help you bring in someone that will know about the attacks that the system needs to be defended from.

If he didn't go to the conference in the first place he wouldn't be able to get you this far. You can bring in a freelance consultant and your IT guy will be able to go over his work to a small degree and make sure that he checks for everything that he is supposed to.

This is all because of the knowledge that he gained from the conference.

If you want to make sure that you have all your bases covered when it comes to the security of your network, then you must make sure that the people who are in charge of guarding it are properly trained.

You do this by getting them all of the material that they need. If that material requires that you send them to a security conference then that is what you have to do. If you do not get this done, then you will be easy pickings for the bad guys out there.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Reconnaissance Gone Retail and Security - A Challenging Duality

Reconnaissance has “gone retail.” Capabilities that used to be the costly province of nation states have been democratized.

Communications technologies have become so pervasive that a newborn's first pictures are likely to be transmitted wirelessly within moments of birth, arriving at beaming grandparents half a world away within seconds, if not in real-time.

Smart phones, digital cameras, and netbooks, are only the most recent signposts on a road of information fluidity.

Life can certainly be more pleasant and entertaining when distant events are no longer distant; when a child's birth or first steps can be shared with friends and family half a world away in mere seconds.

At a recent security conference in Tel Aviv, Yuval Diskin, the Director of Shin Beth, an Israeli intelligence agency, recently observed:[1]

“Intelligence once enjoyed only by countries and world powers can now be obtained through Internet systems like Google Earth, Internet cameras that are deployed all over the world and linked to the Web, or applications for IPhone [sic] devices that allow for quality intelligence to be received in real-time.”

Director Diskin has a point, albeit this djinni escaped its bottle long before the most recent cavalcade of portable electronic devices and network connectivity.

I noted that connectivity, accessibility and computing power created a collation hazard in 1995.[2]

In 2002, I noted a corollary of this: that the costs of data collection and correlation had decreased dramatically,[3] from the scale of a nation state to the retail level, exposing people to hazards previously feasible, but uneconomically unviable (e.g., the 1989 murder of actress Rebecca Shaeffer by an obsessed stalker who located her residence from then easily available public motor vehicle records).

Intent is difficult, if not impossible to determine. Nature is always impartial. Physics rules with draconian impartiality.

This underlies a duality that many find troubling: Connectivity brings us closer together, both friend and foe. Our great-grandparents waited anxiously for letters to arrive bearing the first pictures of a new grandchild; often weeks after the birth.

Today, the time span of anxiety is reduced to mere minutes, practically the interval between labor contractions.

This is the dilemma to which Director Diskin refers: the same technology that brings families closer together for the birth of a child, can just as easily be used to celebrate terrorism and other far less peaceful pursuits.

Recently, I had to visit someone in a nearby major hospital center. Just a few years ago, the possession of a notebook computer would have been cause for a cautionary warning that electronic devices are not allowed within the building.

Now, much, if not all of the facility is equipped with Wi-Fi, and there is an unencrypted Wi-Fi available for patients and visitors. I am almost certain that this is not merely altruism.

I expect that the connectivity provided to patients and visitors is, in effect, spare bandwidth from a properly encrypted co-network, one that directly supports patient care.[4,5]

Yet another example of the economics of the cloud; otherwise unused capacity is used for a purpose, rather than simply being discarded.

As a result, families can share precious moments with others at the press of a button. No longer is the hospital an isolating experience.

Indeed, as a visitor, I was able to use my waiting time somewhat productively, securely connected back to my office through my wireless card and virtual private network.

Regrettably, there are no good answers to the concerns raised by Director Diskin. There is no a priori way to differentiate between pictures of new homes or cars, and a pre-attack reconnaissance of the same by a terrorist group.

In the recent Mumbai attack, terrorists are reported to have used communications devices to coordinate or receive instructions; but these same communications channels were also separately being used by civilians to communicate their location for rescue, yet another example of how communications are neutral.

Notes

[1]Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times

[2] Robert Gezelter (1995) “Security on the Internet”, Chapter 23 in Computer Security Handbook, Third Edition, pp 23-6, et seq.

[3] Ibid (2002) “Protecting Web Sites”, Chapter 22 in Computer Security Handbook, Fourth Edition, pp 22-20, et seq.

[4] Ibid (2003, June) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society.

[5] Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007 References

Seymour Bosworth and Michel Kabay (2002) Computer Security Handbook, Fourth Edition WileyRobert Gezelter (1995) “Security on the Internet” (Chapter 23) in Computer Security Handbook, Third Edition Wiley(2003) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society. Slides retrieved from http://www.rlgsc.com/ieee/charleston/2003-6/internetdial.html on November 2, 2010Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007. Retrieved from http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html on November 2, 2010Ibid (2009, December 9) “Networks Placed At Risk: By Their Providers” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html on November 2, 2010Ibid (2010, March 31) “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html on November 2, 2010Ibid (2010, May 25) “New IRS Reporting Requirements Have Implications for Business Large and Small” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/new-irs-reporting-requirements.html on November 2, 2010Ibid (2010, August 31) “GPS Recorders and Law Enforcement Accountability” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html on November 2, 2010Ibid (2010, October 25) “Google Street View and Unencrypted Wi-Fi: Not a Hazard” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/google-street-view-and-unencrypted-wifi.html on November 2, 2010Arthur Hutt, Seymour Bosworth, and Douglas Hoyt (1995) Computer Security Handbook, Third Edition WileyReuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times. Retrieved from http://www.nytimes.com/reuters/2010/11/01/technology/tech-us-israel-security.html on November 2, 2010

Reproduced from Reconnaissance Gone Retail and Security: A Challenging Duality, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Reconnaissance Gone Retail and Security - A Challenging Duality

Reconnaissance has “gone retail.” Capabilities that used to be the costly province of nation states have been democratized.

Communications technologies have become so pervasive that a newborn's first pictures are likely to be transmitted wirelessly within moments of birth, arriving at beaming grandparents half a world away within seconds, if not in real-time.

Smart phones, digital cameras, and netbooks, are only the most recent signposts on a road of information fluidity.

Life can certainly be more pleasant and entertaining when distant events are no longer distant; when a child's birth or first steps can be shared with friends and family half a world away in mere seconds.

At a recent security conference in Tel Aviv, Yuval Diskin, the Director of Shin Beth, an Israeli intelligence agency, recently observed:[1]

“Intelligence once enjoyed only by countries and world powers can now be obtained through Internet systems like Google Earth, Internet cameras that are deployed all over the world and linked to the Web, or applications for IPhone [sic] devices that allow for quality intelligence to be received in real-time.”

Director Diskin has a point, albeit this djinni escaped its bottle long before the most recent cavalcade of portable electronic devices and network connectivity.

I noted that connectivity, accessibility and computing power created a collation hazard in 1995.[2]

In 2002, I noted a corollary of this: that the costs of data collection and correlation had decreased dramatically,[3] from the scale of a nation state to the retail level, exposing people to hazards previously feasible, but uneconomically unviable (e.g., the 1989 murder of actress Rebecca Shaeffer by an obsessed stalker who located her residence from then easily available public motor vehicle records).

Intent is difficult, if not impossible to determine. Nature is always impartial. Physics rules with draconian impartiality.

This underlies a duality that many find troubling: Connectivity brings us closer together, both friend and foe. Our great-grandparents waited anxiously for letters to arrive bearing the first pictures of a new grandchild; often weeks after the birth.

Today, the time span of anxiety is reduced to mere minutes, practically the interval between labor contractions.

This is the dilemma to which Director Diskin refers: the same technology that brings families closer together for the birth of a child, can just as easily be used to celebrate terrorism and other far less peaceful pursuits.

Recently, I had to visit someone in a nearby major hospital center. Just a few years ago, the possession of a notebook computer would have been cause for a cautionary warning that electronic devices are not allowed within the building.

Now, much, if not all of the facility is equipped with Wi-Fi, and there is an unencrypted Wi-Fi available for patients and visitors. I am almost certain that this is not merely altruism.

I expect that the connectivity provided to patients and visitors is, in effect, spare bandwidth from a properly encrypted co-network, one that directly supports patient care.[4,5]

Yet another example of the economics of the cloud; otherwise unused capacity is used for a purpose, rather than simply being discarded.

As a result, families can share precious moments with others at the press of a button. No longer is the hospital an isolating experience.

Indeed, as a visitor, I was able to use my waiting time somewhat productively, securely connected back to my office through my wireless card and virtual private network.

Regrettably, there are no good answers to the concerns raised by Director Diskin. There is no a priori way to differentiate between pictures of new homes or cars, and a pre-attack reconnaissance of the same by a terrorist group.

In the recent Mumbai attack, terrorists are reported to have used communications devices to coordinate or receive instructions; but these same communications channels were also separately being used by civilians to communicate their location for rescue, yet another example of how communications are neutral.

Notes

[1]Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times

[2] Robert Gezelter (1995) “Security on the Internet”, Chapter 23 in Computer Security Handbook, Third Edition, pp 23-6, et seq.

[3] Ibid (2002) “Protecting Web Sites”, Chapter 22 in Computer Security Handbook, Fourth Edition, pp 22-20, et seq.

[4] Ibid (2003, June) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society.

[5] Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007 References

Seymour Bosworth and Michel Kabay (2002) Computer Security Handbook, Fourth Edition WileyRobert Gezelter (1995) “Security on the Internet” (Chapter 23) in Computer Security Handbook, Third Edition Wiley(2003) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society. Slides retrieved from http://www.rlgsc.com/ieee/charleston/2003-6/internetdial.html on November 2, 2010Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007. Retrieved from http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html on November 2, 2010Ibid (2009, December 9) “Networks Placed At Risk: By Their Providers” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html on November 2, 2010Ibid (2010, March 31) “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html on November 2, 2010Ibid (2010, May 25) “New IRS Reporting Requirements Have Implications for Business Large and Small” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/new-irs-reporting-requirements.html on November 2, 2010Ibid (2010, August 31) “GPS Recorders and Law Enforcement Accountability” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html on November 2, 2010Ibid (2010, October 25) “Google Street View and Unencrypted Wi-Fi: Not a Hazard” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/google-street-view-and-unencrypted-wifi.html on November 2, 2010Arthur Hutt, Seymour Bosworth, and Douglas Hoyt (1995) Computer Security Handbook, Third Edition WileyReuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times. Retrieved from http://www.nytimes.com/reuters/2010/11/01/technology/tech-us-israel-security.html on November 2, 2010

Reproduced from Reconnaissance Gone Retail and Security: A Challenging Duality, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Top 5 Ridiculous Hacking Scenes in Movies

Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes.

The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies.

Mission: Impossible

Ving Rhames plays expert computer hacker Luther Stickell in the Mission: Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA’s system by executing Luther’s directions (given to him via earpiece).

It’s also just a little too simple when Luther hacks into the CIA Headquarters’ computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type “ACTIVATE ALARM” and you can manipulate the CIA’s emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building.

WarGames

What we can learn from this movie is that all backdoor passwords can be easily guessed if there’s an immediate family member who’s tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password “Joshua” (the name of Falken’s dead son), which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history - you never know whether you’re playing a game or destroying a country.

Jurassic Park

Lex is just proof that any middle school girl should know Unix. And that it’s not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can “hack” the security system and lock the doors.

This is irrelevant, since velociraptors can break glass, but let’s just go with it.
Lex takes one look at a graphical interface and announces, “Hey, it’s a Unix system! I know this!” She runs a program called “3D File System Navigator” and saves the day, at least for the next few seconds.

Independence Day

Obviously, there’s more dubious material in this movie than the hacking scene. But it’s still pretty laughable. Even if you accept the premise that aliens have power source technology that’s been impossible for humans to replicate, the hacker is way beyond executing a plausible command.

David Levinson (Jeff Goldblum) uses his trusty Mac to write a virus that infects and destroys the entire alien defense system. Unless the aliens used Unix, the remotest possibility that a human-written virus could affect their superior system is completely without substance. It appears that we’ve seriously underestimated the power of an Apple a day.

Swordfish

The hacker in this movie is played by Hugh Jackman and is an insult to any self-respecting programmer who doesn’t wear a dirty T-shirt every day. Both hacking scenes make the process seem far too easy and use bogus terms like “worms” and “hydras” that are essentially nonsensical.

Successful hacks are done by “visualizing code” and continuing to type despite warnings of “Access Denied.” The hacker does his thing while drinking wine, dancing obnoxiously in his chair, and having a gun pressed against his head. It doesn’t get much more ridiculous than that.

This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.

Cross-posted from ShortInfosec

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Top 5 Ridiculous Hacking Scenes in Movies

Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes.

The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies.

Mission: Impossible

Ving Rhames plays expert computer hacker Luther Stickell in the Mission: Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA’s system by executing Luther’s directions (given to him via earpiece).

It’s also just a little too simple when Luther hacks into the CIA Headquarters’ computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type “ACTIVATE ALARM” and you can manipulate the CIA’s emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building.

WarGames

What we can learn from this movie is that all backdoor passwords can be easily guessed if there’s an immediate family member who’s tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password “Joshua” (the name of Falken’s dead son), which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history - you never know whether you’re playing a game or destroying a country.

Jurassic Park

Lex is just proof that any middle school girl should know Unix. And that it’s not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can “hack” the security system and lock the doors.

This is irrelevant, since velociraptors can break glass, but let’s just go with it.
Lex takes one look at a graphical interface and announces, “Hey, it’s a Unix system! I know this!” She runs a program called “3D File System Navigator” and saves the day, at least for the next few seconds.

Independence Day

Obviously, there’s more dubious material in this movie than the hacking scene. But it’s still pretty laughable. Even if you accept the premise that aliens have power source technology that’s been impossible for humans to replicate, the hacker is way beyond executing a plausible command.

David Levinson (Jeff Goldblum) uses his trusty Mac to write a virus that infects and destroys the entire alien defense system. Unless the aliens used Unix, the remotest possibility that a human-written virus could affect their superior system is completely without substance. It appears that we’ve seriously underestimated the power of an Apple a day.

Swordfish

The hacker in this movie is played by Hugh Jackman and is an insult to any self-respecting programmer who doesn’t wear a dirty T-shirt every day. Both hacking scenes make the process seem far too easy and use bogus terms like “worms” and “hydras” that are essentially nonsensical.

Successful hacks are done by “visualizing code” and continuing to type despite warnings of “Access Denied.” The hacker does his thing while drinking wine, dancing obnoxiously in his chair, and having a gun pressed against his head. It doesn’t get much more ridiculous than that.

This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.

Cross-posted from ShortInfosec

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

SAP Disaster Recovery Solution with VMware Site Recovery Manager and EMC CLARiiON

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

SAP Disaster Recovery Solution with VMware Site Recovery Manager and EMC CLARiiON

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

Microsoft Exchange Server 2010: Best Practices

Are you ready to make the move to Exchange 2010, but concerned it’s going to be a long, complex and expensive job? One thing your company can’t afford is a costly, never-ending migration that burns countless man hours while increasing downtime and frustration.

This new Quest Software white paper gives you a better look at the power of Exchange 2010 – and takes you through some of the best practices for planning and performing the migration. Read the white paper today.

View the original article here

Microsoft Exchange Server 2010: Best Practices

Are you ready to make the move to Exchange 2010, but concerned it’s going to be a long, complex and expensive job? One thing your company can’t afford is a costly, never-ending migration that burns countless man hours while increasing downtime and frustration.

This new Quest Software white paper gives you a better look at the power of Exchange 2010 – and takes you through some of the best practices for planning and performing the migration. Read the white paper today.

View the original article here

Seven Keys to Making or Breaking Your Exchange Infrastructure

Exchange Server 2007 changed the way your communications infrastructure operated forever, delivering a potent and powerful e-mail engine. And with Exchange Server 2010, Microsoft’s upped the ante, delivering a more powerful feature set and functionality. But does all of this mean bigger management headaches?

In this Quest white paper, discover seven key aspects of the Exchange infrastructure, and learn to:

Gain control of your critical e-mail servicesGet peak performance from Exchange 2007See if your company is ready to move from Exchange 2007 to Exchange 2010

Harness the power of Exchange for your communications environment. Read the white paper today.

View the original article here

Seven Keys to Making or Breaking Your Exchange Infrastructure

Exchange Server 2007 changed the way your communications infrastructure operated forever, delivering a potent and powerful e-mail engine. And with Exchange Server 2010, Microsoft’s upped the ante, delivering a more powerful feature set and functionality. But does all of this mean bigger management headaches?

In this Quest white paper, discover seven key aspects of the Exchange infrastructure, and learn to:

Gain control of your critical e-mail servicesGet peak performance from Exchange 2007See if your company is ready to move from Exchange 2007 to Exchange 2010

Harness the power of Exchange for your communications environment. Read the white paper today.

View the original article here

DDoS Attacks Aim to Censor Human Rights Groups

A rash of distributed denial of service attacks (DDoS) were levied against the websites of at least six human rights organizations in an apparent attempt at cyber censorship and retribution for the airing of controversial video footage that allegedly shows human rights abuses on the part of the Indonesian government against several Papuan civilians.

The websites for the Free West Papua Campaign, Survival International, Friends of People Close To Nature, West Papua Media Alerts, the Asian Human Rights Commission, and West Papua Unite all suffered downtime of varying durations after airing the video footage (some sites remained disabled as this article was written, so their Twitter accounts have been linked instead).

From London's Channel 4 News:

Dave Clemente, an international security expert from Chatham House, said this appears to be a "very basic attack" and is a "poor attempt at cyber censorship", which could have been launched by any hacker around the world.  

"This attack is not even in same universe as the Stuxnet, which targeted the Iranian nuclear units. It's targeted at a handful of relatively small websites, the sort of thing governments, corporations and small businesses are used to dealing with."

While initial reports indicate a lack of sophistication employed in the DDoS attacks, the subsequent results are nonetheless noteworthy, as they demonstrate that cyber aggression as a means of gaining tactical advantages in political conflicts is more than just fodder for discussions on the viability of cyberwar.

This is yet another example of one group's technological savvy being instrumental in disrupting another group's ability to functionally disseminate information, as were the cases in Estonia in 2007 and Georgia 2008.

DoS attacks are nothing new, and are perpetrated by simply flooding a target server with simultaneous communications.

The attacks are generally performed using as many as thousands of "zombie" PC's or servers that have been compromised unbeknownst to the rightful owner, through the dissemination of botnet malware.

Techniques also include the use of multiple IP addresses in an attack from a limited number of sources which can give the appearance of wide distribution, and still others claim to be able to perform a non-distributed DoS attack from a single low-spec source.

In an email correspondence with Tim Murphy, webmaster at the Free West Papua Campaign, one of the organizations targeted by the recent DDoS attacks, Tim emphasized the effectiveness that such a campaign can have against small, non-profit organizations given their lack of financial resources:

I have just talked with the people who fixed Survival International's problem with the same DDoS attack, BUT they want lots and lots of money to fix it, and FWPC is a poor organization. In addition to dealing with the DDoS we also need to mirror this video so that the attackers get the idea that "the Internet sees any censorship as damage and reroutes around it."

Niels Groeneveld, who deserves full credit for bringing this story to our attention at Infosec Island, is recognized as an information systems security professional by the US Committee on National Security Systems (CNSS) and the US National Security Agency (NSA).

Niels has been instrumental in organizing an international response to the DDoS attacks, and indicates the momentum is building. We are looking forward to the pending investigation, and hope to share the results of their findings as soon as they are available.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

DDoS Attacks Aim to Censor Human Rights Groups

A rash of distributed denial of service attacks (DDoS) were levied against the websites of at least six human rights organizations in an apparent attempt at cyber censorship and retribution for the airing of controversial video footage that allegedly shows human rights abuses on the part of the Indonesian government against several Papuan civilians.

The websites for the Free West Papua Campaign, Survival International, Friends of People Close To Nature, West Papua Media Alerts, the Asian Human Rights Commission, and West Papua Unite all suffered downtime of varying durations after airing the video footage (some sites remained disabled as this article was written, so their Twitter accounts have been linked instead).

From London's Channel 4 News:

Dave Clemente, an international security expert from Chatham House, said this appears to be a "very basic attack" and is a "poor attempt at cyber censorship", which could have been launched by any hacker around the world.  

"This attack is not even in same universe as the Stuxnet, which targeted the Iranian nuclear units. It's targeted at a handful of relatively small websites, the sort of thing governments, corporations and small businesses are used to dealing with."

While initial reports indicate a lack of sophistication employed in the DDoS attacks, the subsequent results are nonetheless noteworthy, as they demonstrate that cyber aggression as a means of gaining tactical advantages in political conflicts is more than just fodder for discussions on the viability of cyberwar.

This is yet another example of one group's technological savvy being instrumental in disrupting another group's ability to functionally disseminate information, as were the cases in Estonia in 2007 and Georgia 2008.

DoS attacks are nothing new, and are perpetrated by simply flooding a target server with simultaneous communications.

The attacks are generally performed using as many as thousands of "zombie" PC's or servers that have been compromised unbeknownst to the rightful owner, through the dissemination of botnet malware.

Techniques also include the use of multiple IP addresses in an attack from a limited number of sources which can give the appearance of wide distribution, and still others claim to be able to perform a non-distributed DoS attack from a single low-spec source.

In an email correspondence with Tim Murphy, webmaster at the Free West Papua Campaign, one of the organizations targeted by the recent DDoS attacks, Tim emphasized the effectiveness that such a campaign can have against small, non-profit organizations given their lack of financial resources:

I have just talked with the people who fixed Survival International's problem with the same DDoS attack, BUT they want lots and lots of money to fix it, and FWPC is a poor organization. In addition to dealing with the DDoS we also need to mirror this video so that the attackers get the idea that "the Internet sees any censorship as damage and reroutes around it."

Niels Groeneveld, who deserves full credit for bringing this story to our attention at Infosec Island, is recognized as an information systems security professional by the US Committee on National Security Systems (CNSS) and the US National Security Agency (NSA).

Niels has been instrumental in organizing an international response to the DDoS attacks, and indicates the momentum is building. We are looking forward to the pending investigation, and hope to share the results of their findings as soon as they are available.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Five Ways to Create High Quality Security Policies

Security policies are the foundation of an enterprise information security program.

Without a solid foundation in place you simply cannot build a sturdy long-lasting structure; be it a building or a security program.

Below are five things that can help you ensure your foundation is strong.

1. Use a framework

By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it's your job to customize the policies so they fit your environment.

2. Make sure your policies are readable to non-technical folks

A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented.

If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.

3. Get executive buy-in

Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign off on security policies.

By getting the organization's senior leadership on-board we ensure that security will have the funding, personnel and support it needs to succeed.

The senior leaders do not need to be an active part of the policy creation, but they should approve of the completed policies so they can understand and support them.

4. Communicate your policies

Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them.

Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and on-going reminders at staff meetings can be effective and cost effective as well.

5. Maintain your policies

Organizations are dynamic. What worked for you in 2008 probably doesn't work in 2010. And what works for us here in 2010 will most likely not work in 2012.

As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate.

Ideally, policies should be reviewed quarterly. But it should be no less than annually.

High quality policies aren't the whole story. We also need structure through quality standards, and detailed procedures, but without the foundation your program doesn't have a chance for success.

Give your security policies the time and resources they need.

Cross-posted from Enterprise InfoSec Blog from Robb Reck 

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Five Ways to Create High Quality Security Policies

Security policies are the foundation of an enterprise information security program.

Without a solid foundation in place you simply cannot build a sturdy long-lasting structure; be it a building or a security program.

Below are five things that can help you ensure your foundation is strong.

1. Use a framework

By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it's your job to customize the policies so they fit your environment.

2. Make sure your policies are readable to non-technical folks

A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented.

If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.

3. Get executive buy-in

Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign off on security policies.

By getting the organization's senior leadership on-board we ensure that security will have the funding, personnel and support it needs to succeed.

The senior leaders do not need to be an active part of the policy creation, but they should approve of the completed policies so they can understand and support them.

4. Communicate your policies

Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them.

Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and on-going reminders at staff meetings can be effective and cost effective as well.

5. Maintain your policies

Organizations are dynamic. What worked for you in 2008 probably doesn't work in 2010. And what works for us here in 2010 will most likely not work in 2012.

As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate.

Ideally, policies should be reviewed quarterly. But it should be no less than annually.

High quality policies aren't the whole story. We also need structure through quality standards, and detailed procedures, but without the foundation your program doesn't have a chance for success.

Give your security policies the time and resources they need.

Cross-posted from Enterprise InfoSec Blog from Robb Reck 

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here