
New security blog on the block: SecTech

Mourad Ben Lakhoua is a new blogger in the security bloggers area. His blog SecTech focuses on IT security and is fairly technical. However, his writing style is clear and easy to follow, for non-technical people too.

I particularly like the fact that Mourad seems to have great sources of vulnerabilities.

Welcome to blogging, Mourad!

Happy holidays to all my readers!

My dear reader,

this post is simply a wish for you to have the best possible holidays! I am very humbled by all the greetings I receive from you, and the questions about the low number of posts on my blog at the moment.

Rest assured, I have only taken a little longer vacation than normal, and I will be back strong again when we enter 2009! You will be reading more about Facebook and the social media security challenges, you will be seeing more on privacy, technology and rants on airport security. I will keep it up, I promise!

In the meanwhile, I wish you the happiest holidays with this link! Do what it says, and come back next year!

And again, thank you so much for reading, disagreeing and sharing your views! It makes it all worthwhile!

Kai

My new training blog

One of my passions is training - as in teaching others new skills, helping others find their potential and being a motivator. I love this so much that I decided to make a new blog - focusing only on trainings, preparations and presentations.

My new blog is called BeBetter, and the URL is: http://www.bebetter.no

Although most trainings and tips focus on motivation, presentation skills and personal development, I also include tips and thoughts on security trainings from time to time. If you are at all interested in training and motivating others, please pay my new blog a visit!

Thanks!

TJX - over reaction?

Benjamin Wright posted a comment about the TJX case being an overreaction. He has also posted on this on his own blog.

First things first: let me welcome you to the blogosphere! Taking your expertise as a lawyer, I probably should just shut up and not start to argue, but then again, what is the point of a discussion if we cannot share our opinions?

To your comment, I do not agree that there has been an overreaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.

However, if you consider the theft of privacy, the costs related to renewing CCs and the potential threat to the CC holder, I think the reactions so far have been anything but an overreaction. I also think it is necessary to consider the time frame of the attack - this went on for quite a while, and I think it is important to consider that this was an important "wake-up" call to many shops.

You say that the credit card issuers overreacted. I disagree. Their alternatives were:
  • say nothing (and wait for the press to find out...ticking, expensive bomb)
  • say "your credit card info is just lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customers to yell, call the press and cancel their cards manually; adding potentially expensive lawsuits to the cost)
  • do as they did - cancel all cards, issue new ones. High initial cost, but low cost & risk in the long run. Just imagine the cost of losing the trust of the credit card user...

Russia and Georgia - the Oil game continues?

Russia is moving in to Georgia. Is the Big Bear securing its oil reserves? Are they trying to close the West's access to the Caspian Sea? Where will Putin head after Georgia? Is Putin the new Stalin?

These and many other questions have surfaced around the world for a while now. To many of us, Georgia is far away, thus the news is easily downgraded on our scale of importance. And this might very well be Putin's exact calculation - that Russia can go out and grab Georgia with little or no reaction from the international community.

I hope that reactions will come. That the international community will raise its voice and tell Russia and Putin that theft is not acceptable. That Georgia will receive support and help on their path to independence and democracy.

In our globalized market, we are all interdependent. That should also mean that we are equally responsible for each other, that we should care and that we need to voice our concerns.

Larko opened my eyes - by pointing my radar to the incident. Thus, I changed the filter mode in my brain, and interesting bits of information started to appear. Some of them are listed below.

I encourage you to spend a few seconds (as a minimum) to consider the questions I pose above. By spending that little investment of your time, you may find that you need to do something more. If you do, please go ahead! Thanks!

Please feel free to air your voice - and submit other interesting stories on this potentially global security threat! (Yes, I may exaggerate in the short term - but what is the long-term damage that may occur?)

PayPal taking the side of Fraudsters?

It seems PayPal makes its own rules on whether or not to accept that a customer has experienced unauthorized payments from his or her account. Not a good policy, IMO.

Take this story from Chris Pirillo.
A summary: someone was able to retrieve his iTunes password thanks to lax password retrieval security over at Apple. (Apple have now resolved the issue, according to the story). Using Chris' account, the fraudster was able to deduct US$450 from Chris' PayPal account - cash spent on iTunes Gift Cards.

With this background, and the backing by Apple, you would think Chris would get his funds back, right?

Wrong!

As it turns out, PayPal deems the deduction was

"not an instance of unauthorized account activity"

and decides that they will NOT return the funds stolen.

What should PayPal do? Should they turn around?
Perhaps it is time to use the Marketing Power, and stop using PayPal until they reach a better vetted stand?

And - is this the first time PayPal does this, or is Chris' case the last in a long row?

Can we trust a banking service that does not care for its customers?

Do you think PayPal is taking the side of the fraudsters in this case?

New kid on the block!

This post welcomes Chris Hayes to the blogosphere! Chris is a security professional, and he seems obsessed by risk!

The few posts so far are well worth a read, and I am looking forward to Chris' ramblings in the future! In his words, his blog is about:

"A blog about assessing, articulating and quantifying information security risk. "

He says he is influenced by Alex & gang, and he is fond of asking his peers "What is Risk?"

Welcome, Chris!

Updates done - new look, feels great!

I have finished the update process of the CMS, currently running Drupal 5.7.

I also changed the template, I must say I like this one. It kinda grows on ya, don't ya think?

Comments and rants welcome!

ID theft – Facebook and MSN exploited

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

The spam message

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs was that when on MSN, MSN would disconnect her, stating that she was being logged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.
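The forced MSN disconnect above is a classic account-takeover signal: a second login from an unknown device displacing the legitimate session. As an added example (not code from the original post), this is the check a service or an account-activity review could run to turn that signal into an alert; the log layout, device ids and 10-minute window are constructed assumptions.

```python
# Added example, not from the original post: flag the "logged on from a
# different computer" signal as an account-takeover indicator. The log
# layout, device ids and 10-minute window are constructed assumptions.
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, event, device id.
SAMPLE_LOG = """\
2008-03-10T08:00:00 alice login dev-home
2008-03-10T08:05:00 alice login dev-unknown
2008-03-10T08:05:01 alice disconnect dev-home
2008-03-10T09:00:00 alice login dev-home
2008-03-10T09:02:00 alice login dev-unknown
2008-03-10T09:02:01 alice disconnect dev-home
2008-03-10T10:00:00 bob login dev-laptop
2008-03-10T18:00:00 bob login dev-desktop
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, event, device = line.split()
        events.append((datetime.fromisoformat(ts), account, event, device))
    return events

def find_session_conflicts(events, window=timedelta(minutes=10)):
    """Return (account, old_device, new_device, time) for every login from
    a new device that displaces a login from another device within
    `window`: the pattern behind the forced disconnect the post describes."""
    last_login = {}  # account -> (time, device)
    conflicts = []
    for ts, account, event, device in sorted(events):
        if event != "login":
            continue
        prev = last_login.get(account)
        if prev and prev[1] != device and ts - prev[0] <= window:
            conflicts.append((account, prev[1], device, ts))
        last_login[account] = (ts, device)
    return conflicts

def repeated_conflict_accounts(conflicts, min_count=2):
    """One conflict may be a user with two machines; a repeated pattern
    on one account is the point at which a credential reset is warranted."""
    counts = {}
    for account, *_ in conflicts:
        counts[account] = counts.get(account, 0) + 1
    return sorted(a for a, n in counts.items() if n >= min_count)

if __name__ == "__main__":
    found = find_session_conflicts(parse_log(SAMPLE_LOG))
    for account, old, new, ts in found:
        print(f"{ts.isoformat()} {account}: {old} displaced by {new}")
    print("accounts needing a credential reset:", repeated_conflict_accounts(found))
```

Bob's two logins hours apart are left alone; only alice's back-to-back displacements from an unknown device are reported, which is the same pattern that should have prompted the password change from a clean machine rather than being written off as a system error.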

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using her friend's computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pros have problems with the very same challenge! And as threats evolve, and get better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get back to what you were doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?


Security Profile: Richard Bejtlich

It is impossible to be interested in Information security without noticing Richard Bejtlich. He is a successful blogger, author of two books, and co-author of a third. Many have also had the chance to have Richard as a trainer and teacher. And even more have him as an inspiration.

Richard is the Director of Incident Response for General Electric. Before he joined GE, he ran the TaoSecurity LLC – an Information Security consultancy based in the US. His CV includes many other interesting and impressive employers too.


Richard has a background as military intelligence officer, but that is not where he got his interest in information security. It was merely a natural extension. You see, Richard got a Timex Sinclair (ZX80) when he was 8 years old. This sounds like some other people I know. And Richard used BASIC to create Boba Fett. Graphically, of course. And some of us understand that achievement just too well!

So what happened if you were lucky enough to have Boba Fett show up on your screen? Boba would ask you a question (written). “Do you want to see me wave?” You could say yes or no. To Boba it made no difference – he would wave anyway. The reason?

R: “I didn't spend all day rendering that character to not have him wave!”

The ZX was replaced by a Commodore 64, and Richard discovered what a wonderful tool they were to create and edit papers. After his Harvard graduation and his US Air Force intelligence service, he set out to defend enterprises and teach his peers to do the same.

Richard Bejtlich is a very analytic guy. He does not mind telling you what he believes is the truth. When I ask him about the impact IS has on business, Richard says:

R: "I don't think information security has any real impact on business. On the contrary, business has much more of an impact on information security. No IS department exists to serve its own ends. If it does, it won't last long.

Businesses exist to make money; other organizations exist to meet whatever their goal is. No one exists to "be secure" (which isn't possible, anyway). As a result the history of IS is littered with decisions by business leaders that weakened security in favor of revenue or simply convenience. Nothing changes until a severe, visible, financial- or life-damaging incident occurs."

This is almost like hearing myself speaking, Richard. Perhaps I have spent too much time on your blog…

One of the things that amazes me with Richard Bejtlich is his attention to details. You see it in his blog, you see it in his comments. You see it in his books.

R: “In my first book I defined risk as the probability of suffering harm or loss. I defined security as the process of maintaining an acceptable level of perceived risk.

Digital security applies that concept to information resources, where threats exploit vulnerabilities in assets to violate confidentiality, integrity, or availability via disclosure, alteration, or denial.“

What should a security professional do to improve security?

R: “The role of the security professional is

1) to make it more difficult for information users and resources to expose themselves to attackers (paraphrasing Nitesh Dhanjani),

2) to increase the amount of time it takes for the threat to accomplish his objective, and

3) to detect and respond as efficiently and effectively as possible when intrusions happen.”

Richard, I have asked all the Security Profiles to comment on the largest challenges in 2007. What are your thoughts on the threats?

R: “The biggest challenge facing all organizations is visibility. A few months ago I wrote a blog post pleading for the creation of Enterprise Visibility Architects.

It's fashionable to talk about "building security in." I say we should "build visibility in" because "security" will never be achieved. It would be an incredible first step to simply know when we are being compromised, because it's going to happen no matter what preventative measures we take."

Thank you kindly, Richard!

To catch up on Richard, visit his blog!

He is the author of the following books:

The Tao of Network security

Extrusion Detection

And co-author of Real Digital forensics
