it-security

What do you think about entrepreneurs?

I have a strong interest in entrepreneurship. As my followers know, I am a long-time member of JCI, and I am a serial entrepreneur myself. I have developed companies in both Norway and France, and I have had my share of successes and failures.

I have decided that this blog - the Roer.com Information Security blog - will change and narrow its focus a bit, concentrating on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while still letting me grow my readership.

By making this change, I hope to fill what I think is a gap in the security blogging arena - helping start-ups and SMEs reach adequate security. As far as I can see, most security bloggers out there fall into one or more of these three groups:
  • vendor or service provider, focusing on promoting their own products/services
  • (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
  • IT-security, focusing on technology, hacking, and "geek" stuff

I think they all have an important role to play, and that they are needed. But I myself do not belong directly in any of these categories, and I am very interested in entrepreneurship. Thus, I will try to fill this gap :)

But worry not, my readers! I will continue to dish out my opinions on global security, the TSA, other bloggers and whatever else even remotely security-related that I feel an urge to comment upon!

On a side note, I have also established a new blog, focusing on another area I love - training!

Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!


The TJX case goes to court

The TJX case, one of the largest identity- and credit-card-theft cases so far, has finally gone to court.

The Feds rolled up a large, international ring of criminals who are charged with hacking their way into a wide array of personal data. According to Attorney General Michael Mukasey, this is the single largest and most complex identity theft case ever charged in the US.

Companies that got hacked include major brands like OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."

TJX Senior Vice President Sherry Lang assures us that TJX has gone to great lengths to assist the investigation:

"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."

I like Lang's request. There is no doubt in my mind that the more we integrate and consolidate technology, solutions and tools - into what we consider efficient communication - the easier it is to exploit those tools. Remember - a few years back, you had to hack into each shop separately. A little later, you could reach the HQ, as the shops started to interconnect. Today, you can reach almost anything, anywhere - using just your brains and a computer.

Compliance is one thing that may help; a better understanding of the technology and its potential is equally important. From a business point of view, I think it is very important to weigh the upside of adopting new (young) technology against the potential damage that technology may inflict.

I am looking forward to following this case!

Why do I have to log on?

I have great fun when I train people. I ramble on about all the great stuff in the book (or in my world). If you've ever been to one of my workshops, you know I do the rambling - you do the work ;)

As happens to everyone who gives lectures of any kind, you get to answer loads of questions. Today, I will share a couple. Keep in mind that I am the one answering, so you might not agree. That is fine too - leave your comments :)

1. Why do I have to log on to my computer again every time I leave for a ... (insert tea, smoke, donut, coffee or just about anything).

Short A: To make sure you remember it!

Long A: This is the IT-security department's idea of creating a secure work environment. They assume that when you leave for (insert whatever you leave for here), someone might pop by and use your computer. And they might be right.

To you, this is a hassle. You need to type in your password every time. That is hard work. (Seriously).

On the other hand, if someone really wanted to use your computer, they would most likely hide out in the neighboring cubicle, wait for you to leave for your (insert whatever), and pop into your seat the minute you leave. The automatic lock only kicks in after a period of inactivity - usually 10 minutes - so by then they are already in. Thus, it does not really make sense, IMO.

On the other hand, forcing you to type your password that often means you learn it, right? No more post-it notes.

My solution to these challenges is simple. Add biometrics or a smart card. Let the technology do the work, and take the hassle out of the way. IT is designed by geeks, for geeks. We tend to forget that today (2008) most IT users are human - not geeks.

We need to adapt IT to them - not try to make geeks out of ordinary people. That will never work.

But - until your employer implements smart cards or biometrics, you are stuck with the password.

 

2. What are these GHz, GB, RAM, HD letter things?

Short A: Nothing you need to care about.

Long A: Look them up. They give you hints about a computer's performance. The higher the numbers, the better. You need to be a geek to really care.

All new computers today will do everything most people will throw at them. Happily. Without hesitation. Only when you throw specialist applications at them (games, 3D, design tools, programming etc.) will you encounter a certain level of hesitation from your computer. But hey - did I just say specialist applications? That implies geek to me.

If you are doing specialist work with a computer, you already know the abbreviations above and will be able to make the right choice.

If you are not a specialist, you do not need to care. Period.

 

3. My boss tells me that I am not allowed to use my computer for ... (insert whatever you'd like to do - porn, reading newspaper, buying stocks, banking etc.). Can he really do that???

Short A: Sure he can. He is your boss, and he just did. Suck it up and get back to work!

Long A: As an employee, you signed a contract. The contract states (put a bit loosely) that you will give up some of your time (usually 8 hours a day), during which your employer (your boss, in other words) decides where, what and how you spend that time (also called work). In exchange for your time, you get some cash.

This means that when you signed the contract, you signed away your right to decide what to use the company computer for. Most companies today add supplements to the contract. These supplements dictate what, how, when and where you may use the stuff your employer lets you use (computer, PDA and phone). These supplements we call policies. You may also call them laws, regulations, a pain in a dark place and much more. The point is: when you signed the contract, you also agreed to follow these policies.

And as you just found out, some bosses actually know about those policies, and what they say.

Perhaps you'd better get back to work now?

 

-------------------- That's it for now, folks!

Maxtor hard disks come with a virus preinstalled

The time has come to be suspicious of any new hard disk you buy and install in your systems. According to this article, 1800 Maxtor 500 GB disks come with a bonus straight off the shelf.

If you install one of these disks, you get a virus too. Actually, as soon as you pick it up in the store, you have the virus. It is already installed on the device.

According to the article, the virus will upload any and all data on the device to two online databases. Also according to the article, most disks of this size are bought by government agencies. And thus, the Chinese must have installed the virus. (The newspaper is in Taipei).

Obviously this kind of automatic back-up solution is not in the best interest of its customers, so Seagate-Maxtor has pulled the disks from the market.

The interesting part, in my opinion, is that this kind of virus does not get caught by AV scanners. One reason is the low volume (number of infected devices). Another reason is that the device is likely to be installed, presumed clean, and just kicked into action. Not until the server-installed AV client starts its weekly scan will the virus be detected - IF and only IF the signature of the virus is in the AV client.

What can you learn from this?

  • Never trust ANY hardware you bring into your perimeter
  • ALWAYS check EVERYTHING you install in your systems and network - in a safe environment. For hard drives, that means testing, low-level formatting and signing them off in a secure, non-connected environment. You do have one of those, right?
  • As security gets tighter, threats evolve and find other ways to get to you. It is a long time since boot viruses traveled by floppy. But if slow distribution is the easiest, most cost-efficient way to hit you, that is how it will be done.
  • Targeted attacks are increasingly common. We are leaving behind the days when the goal was to hit as many as possible. The goal today is cash - not attention.

Technology gets ever more advanced. But technical understanding seems to decrease. The result is companies investing large amounts in technology without understanding the potential damage that very technology may cause when it is not doing what they expected, or when it opens them up to threats.

Hacking WEP enabled WIFI

To many of us, hacking WEP encryption is yesterday's news. However, for those not so technical out there, I would like to show you how easy and quick it is to break into a WEP-enabled wireless access point.

Do not worry if you do not understand what is going on - just take note of how quickly it is done, and how confident the hacker is. That is all you need to know and care about.

And of course - I no longer need to beat this old dog, do I? You do realize it is time to review and audit your wireless security, right?

Thought so.  

How do you define Information security?

Recently, I posted a question on LinkedIn. I asked LinkedIn professionals and everybody else how they define information security. The reason behind the question is simple - I meet a lot of people who think I am an IT-security guy. And although I do know what a firewall is, and how to operate an IPS, I am an information security specialist. To me, that means I deal with information - not only the technology we use to communicate it.

Not surprisingly, many answers were in the technology sphere:

  • I define it as the protection of the confidentiality, integrity and availability of sensitive data.
  • interpretation is the building of a Digital Infrastructure ( D.I ) to be able to authenticate and verify the real person versus an imposter.
  • the technological methods deployed by the intruders to hack this information versus technological methods used by you to protect this data

To me, technology is merely the set of tools we apply to get a part of the job done. So it is only important when the information itself resides in, or is communicated using, technology.

A few smart comments were made as well:

  • I'd rather clearly view the difference between information and disinformation.

Juri here points directly at one important feature of information security - the control of information, and the extension of using that same control to influence your environment. One example is from the spying business, where disinformation is used to create FUD. The same is applied by vendors in their sales process, making the customer uncertain about choosing the competitor's products.

Although disinformation is not widely focused upon in the industry, I find it very interesting and important. Not necessarily to use it, but to understand that others might be using it.

---

Not surprisingly, Bruce Schneier's definition surfaced, in Jennifer's wording:

Security is a defense against something intentional; Safety is a defense against something accidental.

 

My favorite is the definition made by Bruce Hallas. He will smile now!

"Security is about the management of commercial risk stemming from the interaction between people, both known and unknown, with an organization's information and information systems."

---

IMO, when security personnel cry about not being heard by their management, they are themselves responsible. The purpose of security is not security itself, but the control of risks related to the organization.

 

Help - the hosting company got hijacked!

You have a successful blog or a company website. You serve your visitors well, and provide good quality information that attracts a high number of visitors. Your website is hosted at one of the many ISPs, and you are confident that they have taken care of all the security for you. No need to worry about a crook hijacking your website, or a spammer using you as a relay.

You get a complaint from one of your visitors that strange things happen when they visit your website, but as you have never heard this before, you decide it is the visitor's fault, not the website's. A few weeks go by; you see in the stats that the number of visitors is decreasing. One day, while updating your website, you get a popup window you have never seen before, and suddenly your antivirus client starts screaming and kicking. You do have an updated anti-virus client, right?

The blogger is Kai Roer, a European Information security professional.