Monday, December 31, 2007

Bots never sleep, even on the night before Christmas.

After a long hiatus, I’m back. Christmas was great, and New Years is upon us. The forces of evil have been busy, and, of course, they never take a vacation or a holiday. So, let’s see what’s been going on…

From PC World: Hackers Launch Major Attack on US Military Labs. Seems like Oak Ridge and Los Alamos are constant targets, and it shouldn’t surprise anyone that someone succeeded in getting through.


http://www.pcworld.com/article/id,140390-c,hackers/article.html



From SearchSecurity.com, the use of botnets to produce spam. 61% of all email is spam? 90% of all mail emanating from some countries is spam? That’s crazy! A brief primer on becoming part of the solution rather than part of the problem.


http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1277099,00.html?track=sy260&asrc=RSS_RSS-10_260


BankInfoSecurity.com has the 10 most important security stories in finance in 2007. The folks at TJX are there, of course, with their data breach now estimated to be 100 million credit card numbers and related info. New guidelines and regulations made the list as well.

http://www.bankinfosecurity.com/articles.php?art_id=660&pg=4


What a surprise! CIO Magazine writes that insider threats still remain a security problem. Do ya’ think? 35% of employees report circumventing company security policies just to get their job done… that’s a problem on a couple of levels.

http://www.cio.com/article/164552/Survey_Says_Insider_Threat_Remains_a_Serious_Security_Problem


A couple of very solid articles from SCMagazine will end this final post of 2007. The first is eight “New Years Resolutions” that one should make to ensure information security in the coming year.


http://www.scmagazineus.com/Eight-New-Years-security-resolutions-for-2008/article/100045/


A guide from Microsoft designed to help Office administrators secure Word, Excel and PowerPoint.


http://www.scmagazineus.com/Hot-or-not-Office-productivity-applications/article/99593/

Wednesday, November 14, 2007

Sorry for the long absence...

Been very busy with paying customers, which is nice. But, as you know, time marches on. Hey, yesterday I got one of those scam checks in the mail. It looked like a check from Black and Decker. They did a nice job on the check but they should have taken a second and run spell check on the accompanying letter. I can see how others, especially senior citizens, could be tricked.

Anyway, will wonders never cease? cio.com reports a researcher estimates that there are 500,000 database servers on the net that do not have a firewall in front of them. And wait, that's not all: many of them are unpatched as well as unprotected. Morons.

http://www.cio.com/article/154701/Researcher_Half_a_Million_Database_Servers_Have_No_Firewall


SC Magazine has an interesting article on the hype surrounding PCI compliance. Many companies use PCI compliance as the lowest common denominator, while others use it as the rallying point to make their company secure as well as compliant.


http://www.scmagazineus.com/Avoid-the-PCI-hype-but-use-the-standard-as-a-rallying-point/article/58010/


Finally tonight, again from cio.com, comes an analysis of laptop value. The average value of a laptop with important information is over $500,000. Even laptops that contain just personal data have a value over $300,000. Yet most companies have no policy protecting data in transit on a laptop. Scary!

http://www.cio.com/article/153900/Lax_Laptop_Security_Can_Be_Dangerous...and_Expensive

Saturday, October 13, 2007

How ya' doin' tonight?

According to IDGNET.com via Computerworld, Commerce Bank, NA suffered a web site related breach and recovered quickly. Hackers used a technique called SQL injection to reach the back-end database.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041879&source=rss_topic82


From The National Law Journal via law.com, new e-discovery rules at the state level are coming. Several states have them on the books and others are debating. This should provide some guidelines, along a wide spectrum ranging from reasonable to completely insane, for retention of electronic documents.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041879&source=rss_topic82


Now undoubtedly there is more to this than is discussed here in Computerworld, but no matter what else is there and unknown, this is troubling. A student found confidential information on a college's publicly accessible server, brought it to the school paper and to the attention of the college. The paper wrote an article about the issue – without revealing any of the information – and the school went after the paper, the student and the adult adviser. What a confusing time for whistleblowers.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042098&pageNumber=1


Dark Reading editor, Tim Wilson, brings up a number of very good points in his article Hackers Prey on User Weaknesses. He contends the innate human desire to communicate and be accepted in a social context is being exploited in many hacking efforts and this cannot be mitigated through technical means alone. There has been at least one previous post on this blog about the need to watch employees and staff for suspicious behavior. Consider yourself warned.

http://www.darkreading.com/document.asp?doc_id=136090&f_src=drweekly


Morningstar News has a very interesting quote: “’The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities — to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor,’ said Ray Wagner, managing vice president for Gartner.” Gartner goes on to say there is no correlation between those enterprises that spend the most money and those that are most secure.

http://news.morningstar.com/news/ViewNews.asp?article=/BW/20071008005946_univ.xml


As if you did not know that you should have a good Intrusion Prevention System (IPS), word from Secureworks.com should confirm the obvious. It seems this managed security services provider is tracking a significant increase in attacks on utilities. Most of these attacks are being mitigated by well-monitored IPSs.

http://www.secureworks.com/media/press_releases/20071005-utilitiesincrease


I have a bunch of other articles, but I’m going to close up now and get these in… coming soon… the danger of internal attacks!

Sunday, September 30, 2007

Finishing up the Month

You know how much I love the fallout from the data breach at TJX. Here is more info on the sheer arrogance of the company. The new report out of Canada states: "... Canada's Privacy Commissioner, Jennifer Stoddart, blasted the parent of the TJ Maxx, Marshalls and A.J. Wright chain of stores, for failing to protect its customers. "The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk," Stoddart said in releasing the report." Why aren't heads rolling here? From Baseline Magazine:

http://www.baselinemag.com/article2/0,1397,2188613,00.asp?kc=BARSS03129TX1K0000628


Good news for consumers from CNN, Equifax Fraud Solutions Help Businesses Win the Fight Against Fraud.

http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLW08726092007-1.htm


IT News, Australia, has an interesting article based on a presentation by McAfee's president. The one item that sticks out is the acknowledgment that cybercrime is now a $105B business, bigger than the world-wide illegal drug trade.

http://www.itnews.com.au/News/61497,cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx



Well, it had to happen at some point. I've seen this a couple of places but this is from vnunet.com.... hacking tools are now for sale on eBay... how convenient!

http://www.vnunet.com/computing/news/2199102/hackers-training-sold-ebay


IT Security explains what it sees as The Top 10 Types of Cybercriminals. I'm not sure #5, Online Loan Sharks, is really accurate, but overall, it's a keeper.

http://www.itsecurity.com/features/top-10-cybercriminals-091007/


A little more specific topic, but if you are in a manufacturing or other environment that employs SCADA (Supervisory Control and Data Acquisition), this is yet another wake-up call. SCADA, for those who do not use it, is used to control machine tools, robots, etc. SC Magazine relates a simulated event where a hacked SCADA device self-destructs. Cool!

http://www.scmagazineus.com/Video-shows-simulated-hacker-attack-on-electrical-grid/article/35872/


SC Mag also highlights the unique position of colleges and universities relative to the cascade of multiple regulations and compliance.

http://www.scmagazineus.com/Back-to-school-Compliance-in-higher-education/article/35684/


And, last but not least, ComputerWorld talks about creating a data-centric, as opposed to a device-centric, environment as the only real way to defend important information.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038960&pageNumber=1


Onward to October!

Tuesday, September 18, 2007

posts from vacationland!

Excellent. Sunny Florida... taking some time to recharge... the villains never take vacation, though, so I continue my reading and posting, making what little contribution I can, regardless of how inviting the resort pool and the tray of gin and tonics may look.

In working with a prospect who is active in the database protection space I came across these two articles. Both emphasize the importance of protecting the corporate database itself, and perhaps paying at least as much attention to it as to reducing spam. This makes sense. An increasing number of exploits are coming from within companies, which circumvent perimeter defenses. And the corporate database most often represents the crown jewels of a company. Protecting the jewels from inside exploits is certainly worth additional discussion.

From eWeek:
Data Governance Rises to Top of Compliance Efforts
http://www.eweek.com/article2/0,1759,2055066,00.asp?kc=EWRSS05099TX1K0001011


From SC Magazine:
CISO, Talk to Your DBA: Barriers to Database Security
http://www.scmagazineus.com/CISO-talk-to-your-DBA-Barriers-to-database-security/article/35563/




From SearchSecurity.com, an article by Ed Skoudis on the potential threats to VoIP infrastructures. When Ed writes something, most people take note. As someone working at a company that does a lot of VoIP implementations, I suggest that, if you are considering such technology, you consider the content of Plentiful VoIP Exploits Demand Careful Consideration:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320


Also from SearchSecurity.com, a similar thesis by John Burke is a little more detailed in the threat area, and perhaps a bit more unnerving:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320


Enough for now... the beach beckons...

Friday, September 7, 2007

three strikes, and if you think toys with lead paint are all you have to worry about, think again

Wow... from Dark Reading, the sad, sad story of Pfizer's recent security debacle, Pfizer: Strike Three. Three major security breaches in three months, the latest the result of internal employee theft. My favorite quote: "A Pfizer spokesman called the breaches "three separate and distinct incidences" that bear no relationship to each other." Really. Are you out of your mind? Of course they are related -- they are related to a failure of leadership at the highest level in the area of FIXING their problems. Lay off the Viagra over there, and start thinking with your big head.

http://www.darkreading.com/document.asp?doc_id=133028&f_src=drweekly


On a positive note, from CIO.com, the German government is taking steps to prevent further hacking of its systems by China. Germany is working in conjunction with industry to protect government and infrastructure systems from attack. Excellent.

http://www.cio.com/article/135352/Germany_Aims_to_Protect_IT_Systems_With_Security_Plan


On the other hand, from FT.com: Chinese military hacked into Pentagon. OK, China is one of the world's largest and fastest growing economies. That counts for something. The fact that they own a sizable amount of the US debt is another. But holy crap, don't we draw the line somewhere here?

http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html


From Dark Reading, a short entry that makes a couple of very good points. Firewalled: What Have You Got to Hide? 61% of companies surveyed have a data classification policy, most say it is rarely enforced and many say it is out of date. So, if you don't know what data is critical to your business, you try to protect everything. Very often that drives the price of a storage security / business continuance solution WAY up, which means you elect to protect nothing. This deserves greater consideration.

http://www.darkreading.com/blog.asp?blog_sectionid=327&doc_id=132867


Hope you've decided what's critical to a great weekend. I'll be putting up tomato sauce... about as low tech as you can get!

Friday, August 31, 2007

name and location change

The blog's name and location were just a little too close to an established publication, so it was best to change to something else.

The title is the punch line from a joke that I first heard years ago. The version I heard went something like, there were two guys camping in the woods. Just after they had crawled into their sleeping bags and nodded off they were awakened by the sound of their campsite being torn apart, punctuated by the frightening roars of an irate and hungry wild animal. Through the tent they could see, cast by the light of the full moon, the shadow of a bear standing upright on its hind legs lumbering towards the tent.

As the bear's claws began ripping through the canvas the first guy throws off his sleeping bag and yells, "It's a bear, run for your life!" The second guy rolls out of his sleeping bag and calmly begins to put on his sneakers. The first guy says, "What are you doing? Are you crazy? Bears can run at 30 mph! Your sneakers won't help you run faster than the bear!" To which the second guy replies, "I don't have to run faster than the bear, I only have to run faster than you."

This is very much like the situation we have right now in the security realm. There are bears out there. Lots of bears. They run fast. They are hungry. And, very frankly, nothing you read here or anywhere will help you run faster than these bears. If they want to catch you, they eventually will.

It may sound heartless or defeatist or cynical, but the truth is we don't have to outrun these bears, either. We only have to outrun some of the other campers out here. We only have to make getting into our network or our applications or our website or our fileservers a little more difficult than the camper with the IP address adjacent to ours. We only have to make our authentication or our authorization or our access control just a little bit better than the guy who hasn't gotten out of his sleeping bag yet.

And, oh, yes... there is no shortage of campers who feel the same way about us.



Found this very sound advice in Consumer Reports about avoiding identity theft. The downloadable checklist is a nice touch, too.

http://www.consumerreports.org/cro/money/credit-loan/identity-theft/identity-theft-what-you-can-do-305/overview/index.htm


Wow. Talk about uncomfortable. German Chancellor Angela Merkel is visiting China. While there word comes out that the Chinese have been hacking Deutschland's government computers. Chinese Premier Wen Jiabao said this was a grave concern, and that there was no connection between this incident and the new car from Chery QQ that looks remarkably like a BMW 745i.

From Spiegelonline:

http://www.spiegel.de/international/world/0,1518,502169,00.html

and Computerworld:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032898&source=rss_news6