An article from Dark Reading touched on some very valid points with regard to security at financial institutions. According to the article: Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare. Even though this is very bad from a security standpoint, it seems like a natural human response. However, if someone is able to walk into a bank merely posing as an auditor, without having their credentials checked or challenged, it’s possible for them[…]

This week, reports have surfaced that spammer activity is increasing on Microsoft and Google sites that employ CAPTCHA. CAPTCHA is a method for distinguishing between human users and programs used to enter information automatically. Those who would like to create large numbers of e-mail accounts, or efficiently add spam content to blog comments or message boards, are constantly scheming up new methods for circumventing CAPTCHAs. Meanwhile, web site administrators continue to invent creative techniques for detecting computers masquerading as humans. As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can[…]

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to policies and regulations dealing with human rights. It was intended as a kind of unofficial, voluntary code-of-conduct initiative. According to this letter (PDF) from Yahoo to Senators Durbin and Coburn: Principles on Freedom of Expression and Privacy […] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency. Along with[…]

Smart security people learn from their adversaries’ tactics rather than shunning them. Despite modern technology, broad operations, and publicity, the Mafia (particularly the Italian mob) continues to survive. While the crimes they commit are deplorable, the organization’s security relies on tried and true methods. Here are some you can teach your employees and enforce without having a baseball bat. “Don’t Trust Nobody” – A good place to start; employees should never give any company information to anyone except the people they’re told to. Social engineering, spoofed emails, and enticing links all apply. Your firewalls should allow what you tell them to allow and nothing else. Start by having them lock down everything and work from there. Give your users the[…]

We’ve all heard the stories involving EIBKAC, such as using the CD-ROM drive as a coffee mug holder, and erasing the C:\Windows folder to free up space on your hard drive. InfoWorld has an informative article which turns these stories on their head and provides stories about stupid IT administrator actions. The thing that struck me is that out of the six items they highlighted, four were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern. Preconfiguring PCs with stone-age malware: sending computers out from the factory with a virus circa 1994 which the built-in antivirus couldn’t repair. Oh, you wanted to recover those backups? An entire[…]

Information security implicitly goes against our evolutionary defenses. Humans, for much of their history, have been concentrated in small groups and forced to defend against external threats: disease, predators, other groups of people. Internal threats were focused at the top. Leaders changed, but the pecking order of 20-50 hunter-gatherers remained relatively constant. A 13-year-old couldn’t, say, learn to wield a knife and kill the top guy simply by watching. Even if this were possible, it would be suicide for the individual and harm the group’s chances of survival. Internal trust was built upon the fact that in order to survive, you had to trust one another…and carefully weigh your options. All of this leads us to today, where[…]