Archive for January, 2009

Jan 15 2009

ATM Skimmers are getting sneakier

Most of the ATM skimmers I’ve read about are reasonably easy to detect if you’re paying attention. Things like a cover that goes over the existing face of the ATM and contains a card reader and some memory.  But this one’s a new twist on the theme; the reader itself is just a small frame of plastic that wirelessly transmits the scanned card information to a ‘speaker’ a couple of feet away that also contains a video camera to capture your PIN while it’s at it.  This setup has been blamed for tens of thousands of dollars lost and I have to wonder how many others like it there are around the area.  If nothing else, watch the short video for the suggestions at the end for protecting yourself when using an ATM.  Found on Threat Level.


4 responses so far

Jan 15 2009

Does Jobs stepping down affect security?

Published by under Apple/Mac

Nope.  ‘Nuff said.


One response so far

Jan 15 2009

DLP, the movie!

Published by under Security Advisories

Okay, it’s not really a movie, but it is a video on data leak prevention aka DLP.  I was recently invited down to the Demos on Demand studios just south of San Francisco to discuss this topic and several others with my friends Richard “ThreatChaos” Stiennon, Mike “Episteme” Murray and Amrit “TechBuddha” Williams.  Mike, Amrit and I were in the studio while Richard was in his home studio somewhere far east of California.  Rich “Securosis” Mogull opens the discussion with some thoughts of his own, but his portion had been recorded much earlier and the rest of us got to argue against him without any chance of rebuttal.

I like the idea of DLP, but I see it as another one of those really complicated technologies that has a very high likelihood of becoming shelfware in many enterprises.  It requires a deep understanding of the data that’s being used in the business and constant care or it’s worse than useless.  Without that understanding of what’s valuable to your organization and what’s not, it can easily provide you with a false sense of security, which is worse in many ways than knowing you’re unsecure.

That being said, I really like the ideals behind DLP and in a company where it’s put in place for a specific purpose, it can be a great thing.  In the security world I inhabit, i.e. PCI, DLP is something many companies could put to good use in finding and classifying cardholder information.  Credit card numbers are easily understood and detected by DLP software and many companies will be very surprised at some of the places they’d find CCNs if they’d just look.  But credit cards are a very small subset of the information out there and not something every business has to deal with.

If you’re planning on putting in a data leak prevention solution or already in the process, just remember ‘the devil’s in the details’.  You have to work with the business units and understand what’s valuable to your business and why.  Very few businesses want to alert on every piece of information that’s flowing out of their business.  Usually there are one or two types of information that are important and that’s what you need to concentrate on. 

Click here for Data Leak Prevention video from Demos on Demand for Security

We recorded several of these discussions at the same time, so there should be a few more coming out soon.


4 responses so far

Jan 14 2009

BaySec tomorrow night

Published by under Social Networking

If you’re a security professional in the San Francisco area, join us tomorrow night at Gordon Biersch Brewery & Restaurant for a couple beers and the company of like-minded individuals.  Officially the whole thing kicks off at 7:00, but there’s usually a few people who get there earlier to have a bite to eat in preparation for the socializing and drinking.  Personally I love the garlic fries, but not everyone around me appreciates that sentiment.

In this economy, even more than most of the time, keeping your social networks alive and active is vital to finding and keeping a job.  Sure, LinkedIn, Facebook and Twitter are great, but it’s hard to beat face to face time for really cementing some of the relationships you’ve formed online.  Robert Scoble wrote a list of things to do if you’re laid off and ‘attending industry events’ was one of the more important points.  And bring business cards, either personal or business; sure most people will lose your card, but if the right person keeps yours, it’s more than worth the $20 you spent on 500 cards.

Hope to see a lot of friends and fellow security professionals there tomorrow and catch up on some of the latest industry gossip.  Or at least some of the things people aren’t willing to post on Twitter.


Comments Off on BaySec tomorrow night

Jan 13 2009

Network Security Podcast, Episode 134

Published by under Podcast

Rich and Martin have a bunch of news to talk about tonight, along with a little bit of rambling at the end.  We’re both getting used to the new year and getting our feet back underneath us after taking some time off for the holidays.  Why is it that if you take the time off the work still keeps piling up while you’re gone?  We’re working on some improvements for the show that aren’t quite ready, but Rich teases a little at the end of the show.

Network Security Podcast, Episode 134, January 13, 2009

Time:  32:27

Show Notes:


Comments Off on Network Security Podcast, Episode 134

Jan 13 2009

RSA Conference 2009 Press (incl. bloggers) registration now open

Published by under Blogging

It’s still months away, but if you’re a security blogger, now is the time to sign up for a press pass for the 2009 RSA Conference.  If you’re a security blogger who’s having a hard time justifying training in the economic downturn, apply for the press pass and see what happens.  I’m pretty certain that the passes are going to be a little harder to get than they have been in previous years, but if you get one, it goes a long way towards convincing your bosses to let you attend.  Plus you get access to the press room, where they usually serve breakfast and lunch. 

This will be my fourth RSA conference with a press pass.  I’m assuming I’m getting one at least, especially since I’m helping organize the Security Bloggers Meetup at RSA this year.  If you’re applying for an RSA press pass, make sure you’ve put your name in to attend the Meetup as well.  And while you’re at it, nominate your favorite security blogs for a Social Security Award too.

As my friend Michael Farnum points out, the price for getting a press pass is a deluge of press releases.  You’ll get tons of vendors who want you to come by their booths and talk to them, sometimes just to give you marketing material, sometimes to have one of their senior guys talk to you, and usually somewhere in between.  I tend to turn down most of these offers unless they’re concerning something that I’m genuinely interested in.  Which still usually leaves me with more people to talk to than I have time for.

I’m looking forward to seeing a lot of bloggers at the event this year.  The ‘real’ press is still a little unsure of how to treat bloggers at events like this, but in general they’ve been open and friendly.  And there’s a lot to be learned from the guys who actually write for a living rather than because it’s fun.


Comments Off on RSA Conference 2009 Press (incl. bloggers) registration now open

Jan 09 2009

PCI related blogging

Published by under PCI

I recently asked on Twitter for names of blogs/bloggers who covered the Payment Card Industry and found a few new blogs thanks to the replies.  I started a list that came to a little under a dozen sites who cover PCI fairly regularly.  Well, my little list is blown away by a list of banking and payments blogs over at Payments  A lot of the sites they list don’t cover PCI, but the majority of them at least hit on it from time to time.

Here’s a link to their list and mine:

And to finish it off, here’s a good article about how to choose a PCI DSS QSA auditor.  James DeLuccia is basically telling potential clients to slow down and set some ground rules with the auditor and the company before you sign any paperwork.  Be certain you understand exactly what you’re getting and what you’re not getting with a particular auditor or company.  This article does assume you’re working in a company that’s big enough to have a separate Internal Audit department, but most of the lessons can scale down to a company with a security staff of one.


10 responses so far

Jan 08 2009

Get your free Windows 7 Beta

Published by under Microsoft

This is a real offer: Microsoft is letting MSDN, TechBeta and TechNet customers download beta versions of Windows 7.  They say it’s less resource intensive than Vista, so maybe I’ll try it on my wife’s computer when we replace it.  Though I’m not sure she’d let me survive the experience if it made a new computer that’s less stable than the one she has now.  My other option is to create a virtual machine on my main system.  If my experience with Vista is any way to measure it though, Windows 7 will be painfully slow and unusable.  This makes me glad I subscribed to TechNet.


Comments Off on Get your free Windows 7 Beta

Jan 06 2009

Network Security Podcast, Episode 133

Published by under Apple/Mac,Podcast

Rich is in San Francisco at Mac World and Martin is in his office at home this week for the first podcast of 2009.  We’re keeping it short, since both of us are still in the Christmas spirit of not getting a lot done.  Really, it’s more like Rich is on a cell phone in the center of Mac World and Martin has a lot of catching up to do after taking some time off to travel with his family.

Network Security Podcast, Episode 133, January 6, 2009
Time 18:44

Show Notes: 


3 responses so far

Jan 05 2009

Four information points on Twitter phishing

I don’t have a lot of time this morning, but here are four bits of information on Twitter and the phishing attack against it that started this weekend.  Haven’t there been a number of us that have been saying for a while “Don’t put your username and password into 3rd party applications on the web!”?

I asked once before “Is Twitter a security risk?”.  This isn’t a problem with Twitter, this is a problem with people who are willing to give up their usernames and passwords for … what?  A little sense of an ego boost as they find they’re relevant somehow?  A pretty graphic that shows how they’re connected to other Twits? People don’t seem to realize this is another extension of their digital identity, just like a Facebook account or email address.


3 responses so far
