Archive for the 'Security' Category

LinkedIn, Facebook, MySpace, Twitter, etc., and your Privacy!

This online community phenomenon is catching on quickly.  People are constantly putting their lives online, and identity thieves and other criminally minded people can perform their reconnaissance from the comfort of their homes before launching the actual attack.

Before the advent of social networking websites, search engines were a wealth of information, especially Google: anything about you that its spiders can crawl ends up in Google's databases and becomes, in effect, Google "property".  Google has never disclosed the retention period for this information.

So to track someone down via Google, one first had to understand the advanced Google search syntax, and after that you were at its mercy.  With the introduction of SOCIAL NETWORKING sites, the whole idea of understanding search syntax and using it INTELLIGENTLY has become a thing of the past.  Even the dumbest can figure out a lot about you via these SOCIAL NETWORKING sites.

Facebook’s terms and conditions state that the information you submit to their website becomes their property.  So the internet-savvy user, who feels like a computer expert by spilling his guts to the internet, is actually making it very easy for the various Law Enforcement Agencies (LEA) to eavesdrop as they please; they need no special warrant of any kind to get at information you have so willingly posted on the internet.

Google Docs, although free, also lets you place your documents online for access from anywhere on the internet; the same story as above applies here.

The next big thing on the internet is CLOUD COMPUTING, which is not much safer either.

So, always think twice before uploading any private or personal information to the internet.  BIG BROTHER IS WATCHING!

How safe is Virtualization?

Virtualization is the new technology all IT departments are heading towards in order to capitalize on unused CPU cycles.  Agreed, it is a good way of getting the most bang for your buck!

Initially, virtualization technology was used on the server side only.  Now it is infiltrating desktops as well.  With applications such as VirtualBox from Sun Microsystems, a virtual machine can be installed on a corporate laptop.  Once such an application has been installed, the corporation has effectively lost control of the endpoint: whatever runs inside the guest sits outside the corporate build, its management agents and its patching.  To avert misuse of such technologies on the client side, application whitelisting coupled with network-based protection has to be put in place.  Then comes the realm of DLP and NAC; how successful such technologies will be in averting corporate espionage remains to be seen.

PCI DSS

Just attended a PCI-DSS workshop organized by VISA.  Wow, it sure was worth it.  I have read the PCI-DSS docs a number of times, but the whole classroom experience was very valuable.

Some important items worth noting:

  • The idea behind the PCI program is to “render the credit card data unreadable”; the ways you can accomplish this are encryption, hashing and truncation.
  • PCI DSS - Is the standard itself
  • AIS - Is the enforcement program
  • Data that can never be stored after authorization, unless you are a credit card issuer:
    • Mag-stripe data
    • CVV2
    • PIN/PIN Block
  • As per the requirements, you must notify your acquirer of a possible breach within 24 hours
  • PCI DSS has about 230 requirements
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (Code reviews, app testing)
    5. Policies
    6. Physical Controls
  • VISA is moving PABP from “best practices” into a formal security standard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS)
  • The PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including the PCI DSS
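To make the “render the data unreadable” item concrete, here is an added example in Python (my own illustration, not material from the VISA workshop or the PCI SSC) showing two of the three options, truncation and hashing, applied to a PAN, together with a pitfall practitioners run into: a truncated copy and an unkeyed hash of the same card stored side by side let anyone recover the masked digits by brute force, because the Luhn check leaves only about a hundred thousand candidates for the six hidden digits.  The card number is the public Visa test number and the HMAC key is a placeholder; both are assumptions for the demo.

```python
"""Rendering a PAN unreadable: truncation and keyed hashing, plus the
truncation + unkeyed-hash correlation pitfall.  Added example, stdlib only."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample: the public Visa test number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"
# Placeholder key; in production it lives in an HSM or key vault, never next to the hashes.
PLACEHOLDER_KEY = b"example-hmac-key-not-for-production"


def digits_only(pan: str) -> str:
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every real PAN satisfies; also prunes brute-force candidates."""
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay in the clear."""
    d = digits_only(pan)
    if not luhn_valid(d):
        raise ValueError("not a plausible PAN")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def unkeyed_hash(pan: str) -> str:
    """The naive approach: plain SHA-256 of the PAN, no key, no salt."""
    return hashlib.sha256(digits_only(pan).encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN; without `key` an attacker cannot recompute it."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(truncated: str, target_hash: str) -> Optional[str]:
    """Given the truncated PAN and an unkeyed hash of the same card, enumerate
    the masked digits.  For a 16-digit PAN that is 10**6 candidates, and the
    Luhn check discards nine in ten before a hash is even computed."""
    head, tail = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for combo in itertools.product("0123456789", repeat=masked):
        candidate = head + "".join(combo) + tail
        if luhn_valid(candidate) and unkeyed_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    shown = truncate_pan(SAMPLE_PAN)
    print("truncated:", shown)
    print("recovered from unkeyed hash:",
          recover_from_truncation(shown, unkeyed_hash(SAMPLE_PAN)))
    print("keyed hash:", keyed_hash(SAMPLE_PAN, PLACEHOLDER_KEY))
```

The same search run against `keyed_hash` output goes nowhere without the key, which is why the key must be stored and managed separately from the hashed values.  Encryption, the third option, needs a proper library (AES with a managed key) and is not shown here.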

RSA2008

Attended the RSA2008 Conference.  Wow, what an experience!

Where else would you get all the security buffs and related technologies under one roof?

As per an RSA newsletter, about 17,000 security professionals attended the event.  If you would like to get up to speed on the latest trends in the security industry, the RSA Conference is the place to be.  As you attend sessions and talk to people, good ideas keep sprouting in your head, and you find out the pros and cons of doing things a certain way.

I had never attended this conference before; the themes this year were:

  • Identity & Access Management
  • Encryption technologies
  • Data Leakage Protection
  • Security Event Management & Logging

Overall, I would attend this conference again if I had the chance next year.

Always delete data on old disk drives

These days no one is immune to “data binging”.  The reason I say that is because everyone has an MP3 player, a digital camera, or both, not forgetting resumes, personal finance spreadsheets, etc.  We are constantly moving from one system to another in our quest for “bigger and better”, and in doing so leave some data behind, which, if it ends up in the wrong hands, will cost you your credit rating or your identity.

If you are going to sell your laptop or desktop, please make sure to erase all data on the drive.  Deleting helps, but the data is still recoverable: a delete only removes the directory entry that points to the data, while the bytes themselves stay on the disk until something overwrites them.  Prying eyes can recover that data.

I have come across an excellent utility, DBAN (Darik's Boot and Nuke), which overwrites every sector of a drive and is very helpful in erasing all the data on it.

Warning: be absolutely sure that you do not need the data, as it will not be recoverable after the above-mentioned utility has been run.
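To show why “delete” is not “erase”, here is an added example in Python, a constructed simulation of my own rather than DBAN's code or a real filesystem: a toy disk image with a directory and a free list.  An ordinary delete frees the block addresses and leaves the bytes in place, so a raw scan of the image still finds the record; overwriting the blocks before dropping the entry, or wiping every block of the device as DBAN does, is what actually removes it.  The block size, block count and sample record are assumptions for the demo.

```python
"""Why `delete` is not `erase`: a toy disk image where deletion frees the
addresses but leaves the bytes, and the overwrite that actually removes them.
Added example; a simulation, not DBAN's code."""
import os
from typing import Dict, List

BLOCK_SIZE = 64          # bytes per block in the toy image (assumed)
BLOCK_COUNT = 32         # blocks in the toy image (assumed)


class ToyDisk:
    """Flat byte image plus a directory (name -> block numbers) and a free list."""

    def __init__(self) -> None:
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.free: List[int] = list(range(BLOCK_COUNT))
        self.directory: Dict[str, List[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        blocks: List[int] = []
        for off in range(0, len(data), BLOCK_SIZE):
            if not self.free:
                raise OSError("disk full")
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: the directory entry goes, the bytes stay."""
        self.free.extend(self.directory.pop(name))

    def _overwrite(self, blocks, passes: int) -> None:
        """Random passes followed by a final zero pass, as wiping tools do."""
        for b in blocks:
            start = b * BLOCK_SIZE
            for _ in range(passes):
                self.image[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.image[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's blocks, then drop the directory entry."""
        self._overwrite(self.directory[name], passes)
        self.delete(name)

    def wipe(self, passes: int = 3) -> bool:
        """Whole-drive wipe of every block, allocated or free, then verify."""
        self._overwrite(range(BLOCK_COUNT), passes)
        self.directory.clear()
        self.free = list(range(BLOCK_COUNT))
        return not any(self.image)      # True only if every byte now reads zero


def recoverable(disk: ToyDisk, needle: bytes) -> bool:
    """What a carving tool does: scan the raw image and ignore the directory."""
    return needle in disk.image


if __name__ == "__main__":
    secret = b"SSN=123-45-6789 acct=9876543210"   # constructed sample record
    d = ToyDisk()
    d.write("taxes.txt", secret)
    d.delete("taxes.txt")
    print("after delete, still on disk:", recoverable(d, b"SSN=123-45-6789"))
    d2 = ToyDisk()
    d2.write("taxes.txt", secret)
    d2.secure_delete("taxes.txt")
    print("after secure delete, still on disk:", recoverable(d2, b"SSN=123-45-6789"))
    d3 = ToyDisk()
    d3.write("resume.doc", b"RESUME " * 20)
    d3.delete("resume.doc")
    print("whole-drive wipe verified:", d3.wipe(), "recoverable:", recoverable(d3, b"RESUME"))
```

Note that the per-file overwrite is the weak form: a real filesystem may have journaled or relocated the file's blocks, and flash drives remap writes under wear-levelling, so the bytes you overwrite are not necessarily the bytes the data sat in.  That is why a whole-device wipe such as DBAN, or the drive's own secure-erase command on SSDs, is the right tool before a machine leaves your hands.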

GE Money loses customer private data tapes

GE Money, which manages credit card operations for JCPenney and other retailers, claims it lost a backup tape containing the private data of 650,000 customers.  The tape was being held at the large backup tape storage company Iron Mountain, which was not available to comment on the issue.  It would be interesting to find out how the tape went missing at Iron Mountain, which would in turn reveal the actual process that resulted in this loss.

I feel sorry for the 650,000 customers whose data is out there in the wild, being exploited as we read this, which will end up costing them their personal lives, their peace of mind, and financial losses.

When will large corporations wake up and smell the F*&^ing coffee and get their acts together?

MediaDefender’s emails exposed by hackers

Hackers have posted on the internet emails exchanged between MediaDefender Inc employees.  The emails reveal how the company conducts business: trapping unsuspecting video posters and then handing that information to media companies so that action can be taken against them.  Some emails also contained the passwords used to log onto the company's website to administer it.

My rant: what will it take for organizations to understand the importance of encryption?  First, all information generated within the organization must be classified, and then, based on that classification, appropriate steps taken to protect it, one of them being email encryption.

TD Ameritrade hacked!

TD Ameritrade follows in www.monster.com’s footsteps.  About 6.3 million customer records were stolen, although TD Ameritrade states that the records did not contain social security numbers or account numbers.  No other details about the incident were disclosed.

As a result, customers have started receiving phishing emails, which could lead to identity theft.

In my opinion TD Ameritrade should send its customers an Internet Security 101 course to protect them from identity theft and head off the impending lawsuits.

Google Maps Street View violates Canadian Privacy Laws

Google Maps’ new “Street View” feature could violate Canadian privacy laws, which require that “businesses first obtain consent from individuals before disclosing” their personal information.  The street-level views include pictures of individuals that make them identifiable, and these pictures were taken without the individuals’ consent.  The feature is available for 9 major US cities, and plans are in the works to include major Canadian cities.

Good thing that Canadian Privacy Commissioner Jennifer Stoddart raised the alarm before this feature was enabled for Canadian cities.  If everyone were so responsible this world would be a different place.  Way to go, Stoddart!

Parts of PATRIOT ACT scrutinized

Finally, the PATRIOT Act is being scrutinized for being too one-sided and not caring about individuals’ privacy.  The question being asked is whether ISPs should relinquish their customer records on a request from the FBI without proper paperwork.  The FBI has issued NSLs (National Security Letters) to obtain private and personal information from ISPs, phone companies and other public organizations.  The use of NSLs should be discontinued and a proper search warrant issued via proper channels.