Enabling Secure Business Operations

TJMaxx To Be Remembered For Data Debacle In ’07

December 31st, 2007

The bigger the retailer name, brand, or product, the more likely you are to be remembered for some type of data theft or fraud. TJMaxx has been selected as the #4 Business Debacle of 2007 by the Consumerist.

The issue highlighted how retailers have been quick to adopt the convenience of wireless information systems without taking the security measures to make sure they weren’t also conveniencing potential thieves. Who would have thought you could conduct the world’s greatest bank robbery without a note, gun, or even leaving the parking lot?

We’ve written about how long it took TJMaxx and the banks to notify their customers of the credit card thefts.

Here’s the thing: something like this happens, then the retailer or bank gives those affected new cards and some chump change, then promises better security measures. People (those who even care) feel a little better, then make their way to the store the next time there is a sale.

I wonder how, and if, the cycle will be broken in 2008… not likely, it seems.

E&Y 2007 InfoSec Survey Released

December 27th, 2007

The Ernst & Young Global Information Security Survey 2007 has been released.

This report is designed to help organizations to obtain a deeper understanding of current information security trends, as well as to focus their efforts on areas where we expect improvement may be most necessary.

Not many surprises in here. Still, it’s worth a read, or at least a skimming.

6 Federal Security Programs That Are Making A Difference

December 13th, 2007

One of the items on the SANS list, the Department of Defense’s Common Access Card (CAC), has led to a 46% reduction in successful intrusions into defense systems.

The success of the CAC program has led to a broader effort to implement similar two-factor authentication systems government-wide under Homeland Security Presidential Directive-12 (HSPD-12), the SANS report said.

Something to keep an eye on for 2008, along with the changing credit card rules.

SSL Certificates

December 10th, 2007

Recently I had a customer ask me, “When would you recommend an EV certificate over a standard SSL certificate?”

My response was simple: only when the business determines that having the green address bar outweighs the additional cost. The green address bar is poised to replace the gold padlock in the bottom right corner as the standard indicator of a secure web site. The picture below is Microsoft’s demonstration of the EV SSL user interface:

There is no difference between a $15 GoDaddy Standard SSL certificate and a $1500 Verisign Secure Site Pro with EV certificate, at least in terms of cryptographic strength and browser acceptance. Should there be? Yes, the EV certificate involves a stronger check of both the issuer and the subject, and it gives you the green bar. Is it worth 100x the cost?
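To make the point concrete: the only thing in an EV certificate that tells a browser “this was validated to EV standards” is a policy OID in the certificatePolicies extension; the key size and signature algorithm are chosen independently of the validation level. The script below is an added example (it is not code from Microsoft, GoDaddy or Verisign, and uses only the Python standard library) that encodes and decodes that extension in DER and reports the validation level it claims. It assumes the CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), which were standardised after this post was written; in 2007 each CA published its own EV OID, and the code reports any OID it does not know as “CA-specific”. The private-enterprise OID 1.3.6.1.4.1.99999.1 in the sample is a constructed placeholder.

```python
"""Decode an X.509 certificatePolicies extension (DER) and report the claimed
validation level. Added example, not vendor code; standard library only."""
from typing import Iterator, List, Tuple

# CA/Browser Forum policy OIDs (standardised after 2007). Anything else is
# treated as a CA-specific policy rather than rejected.
CABF_POLICY_LEVELS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}
LEVEL_RANK = {"EV": 3, "OV": 2, "DV": 1}

def _tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER tag-length-value triple (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _children(seq_body: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value

def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OID content bytes (base-128 subidentifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(content: bytes) -> str:
    """DER OID content bytes -> dotted string."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]                       # first two arcs are packed into one subidentifier
    arcs = list(divmod(first, 40)) if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def build_certificate_policies(oids: List[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    policies = b"".join(_tlv(0x30, _tlv(0x06, encode_oid(o))) for o in oids)
    return _tlv(0x30, policies)

def parse_certificate_policies(der: bytes) -> List[str]:
    """Return the policyIdentifier OIDs; policy qualifiers (CPS URIs etc.) are ignored."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids = []
    for ptag, info in _children(body):
        if ptag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_bytes, _ = _read_tlv(info, 0)   # policyIdentifier is the first field
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids

def validation_level(oids: List[str]) -> str:
    """Highest CA/B Forum level among the OIDs, or 'CA-specific' if none is known."""
    known = [CABF_POLICY_LEVELS[o] for o in oids if o in CABF_POLICY_LEVELS]
    return max(known, key=LEVEL_RANK.__getitem__) if known else "CA-specific"

# Constructed samples: an EV extension that also carries a placeholder private
# enterprise OID (1.3.6.1.4.1.99999.1 is made up), and a plain DV extension.
EV_SAMPLE = build_certificate_policies(["2.23.140.1.1", "1.3.6.1.4.1.99999.1"])
DV_SAMPLE = build_certificate_policies(["2.23.140.1.2.1"])

if __name__ == "__main__":
    for name, ext in (("EV", EV_SAMPLE), ("DV", DV_SAMPLE)):
        oids = parse_certificate_policies(ext)
        print(name, ext.hex(), oids, "->", validation_level(oids))
```

Note that nothing here touches the public key or the signature: swapping the EV OID for the DV OID changes what the browser displays, not what the TLS handshake can do, which is the point of the price comparison above.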

Trustworthy Alternatives to PDF

December 4th, 2007

The CERIAS Weblog has a post entitled Looking for Trustworthy Alternatives to PDF.

I commented on the article but wanted to share my comments here as well.

Then, it became clear that PDFs adopted mixed loyalties and were disloyal to the computer owner by locking features down and phoning home.

Locking features down and phoning home are not functions of the PDF standard, but rather of Adobe Reader. There are other reader programs out there which do not lock features, phone home, support JavaScript, or download ads. There is a decent list of PDF alternatives here.

Last year Adobe forced Microsoft to pull PDF creation support from Office 2007 under the threat of a lawsuit while asking them to “charge more” for Office.

This is somewhat true, as Microsoft does not include PDF creation in the base installation, but it is still available as an add-on from Microsoft for free.

Whereas it might be possible to use a PDF viewer with limited functionality and not supporting attack vectors, the format has become tainted

Again, these are all optional portions of the PDF standard. There is a separate stripped-down PDF standard called PDF/A which removes all the “active” portions of PDF, and the result is a better archival format. More info at http://www.pdfa.org or http://en.wikipedia.org/wiki/PDF/A

I think that the community should be pushing for PDF/A to become the document standard of choice (as it is compatible with the widely used PDF) and to create or buy reader applications which only support the PDF/A standard.

So, Adobe, why don’t we have a PDF/A reader?

Facebook ruining Christmas

November 30th, 2007

Facebook has had to change its tune regarding the “Beacon” application.

Unless instructed otherwise, the participating sites alerted Facebook, which then notified a user’s friends within the social network about items that had been bought or products that had been reviewed.

So, if you bought someone a gift on Overstock or Blockbuster, that information was posted to your Facebook news feed, giving away the secret. Oops.

This kind of tracking technology becomes interesting when you take into account things like the Feds subpoenaing Amazon.com for purchase histories. While Amazon and other online bookstores, libraries, etc. may work hard to protect your privacy and First Amendment rights, a few website cookies and a financial incentive can quickly cause your privacy to disappear.

FBI Acting Against Botnets, Classified As Emerging Threat

November 29th, 2007

Um, botnets have been an existing problem for some time now. According to the FBI press release, here’s what you can do to protect yourself.

Make sure your anti-virus software is up to date, install a firewall, use complicated passwords and be careful opening e-mail attachments and advertisers’ links on Web sites, the bureau advised.

Sentences like that are exactly the reason the public is confused. Use complicated passwords for what? Protections need to be built into the system.

Pharma Facing Government Pressure To Boost Profits, Security May Suffer

November 27th, 2007

Some in the pharma industry have begun to outsource the testing phase of drug research to third-party companies.

With an approaching U.S. presidential election in which health care will be a major issue, the drug makers are clearly in the political cross-hairs.

What this may mean for security, in the short term, is budget cuts. Cutting security shows up in the bottom line immediately, but eventually ends up costing more in the long term.

Where are the bots?

November 25th, 2007

Just rereading this article over at SecurityFocus and wondering…

An American computer security consultant on Friday admitted to using massive botnets to illegally install software on at least 250,000 machines and steal the online banking identities of Windows users by eavesdropping on them while they made financial transactions.

Out of those 250K machines, how many are not home user machines? I’m guessing a larger number than anyone expects. Having personally worked my in-laws through a few malware infestations, I can tell you that the stuff is insidious. Virus scanners can’t detect it, or are disabled by it. Of the 4 spyware scanners I tried, only a combination of several of them was able to find and remove it.

Are you running an outbound firewall? Is every computer in your enterprise? Are you being alerted when random connections to IRC channels are made, or when HTTPS websites are being contacted while your web browser is closed? If not, yours may be one of those 250,000 machines.
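The two checks the last paragraph asks about (outbound IRC connections, and HTTPS connections that a browser did not make) are simple to express as rules over a host firewall’s connection log. The script below is an added example, not code from any firewall product or from SecurityFocus; the key=value log format, the process names and every log line are constructed for illustration, and the addresses come from the TEST-NET documentation ranges. It approximates “while your web browser is closed” by attributing each connection to the process that opened it, which is what a host firewall can see, and flags port 443 traffic from any process not on a browser allow-list (assumed here to be firefox.exe and iexplore.exe).

```python
"""Host-firewall alerting: outbound IRC from any process, and HTTPS from a
process that is not a web browser. Added example; log format and sample
lines are constructed, not taken from a real product."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed (constructed) log format:
#   "<timestamp> proc=<image name> dst=<ip>:<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)"
    r"\s+proto=(?P<proto>\w+)\s*$"
)
IRC_PORTS = set(range(6660, 6670)) | {6697}   # plain IRC and IRC over TLS
BROWSERS = {"firefox.exe", "iexplore.exe"}    # assumed site allow-list; extend per site

@dataclass
class Alert:
    ts: str
    proc: str
    dst: str
    reason: str

def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious connection; None for benign or unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None                           # count these separately if you track log coverage
    port = int(m["port"])
    proc = m["proc"].lower()
    dst = f"{m['ip']}:{port}"
    if port in IRC_PORTS:
        return Alert(m["ts"], proc, dst, "outbound IRC connection")
    if port == 443 and proc not in BROWSERS:
        return Alert(m["ts"], proc, dst, "HTTPS from non-browser process")
    return None

def find_alerts(lines: Iterable[str]) -> List[Alert]:
    """Run every line through inspect_line and keep the hits, in log order."""
    return [a for a in map(inspect_line, lines) if a is not None]

# Constructed sample log; process names are made up, addresses are TEST-NET.
SAMPLE_LOG = [
    "2007-11-25T09:14:02 proc=firefox.exe dst=203.0.113.10:443 proto=tcp",
    "2007-11-25T09:14:07 proc=helper.exe dst=198.51.100.23:6667 proto=tcp",
    "2007-11-25T09:14:09 proc=updater.exe dst=198.51.100.44:443 proto=tcp",
    "2007-11-25T09:14:11 proc=outlook.exe dst=203.0.113.30:25 proto=tcp",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"{alert.ts} {alert.proc} -> {alert.dst}: {alert.reason}")
```

On the sample log this raises two alerts (the IRC connection from helper.exe and the HTTPS connection from updater.exe) and stays quiet for the browser and the mail client. Process-name allow-listing is only as good as the names, so in practice pair it with a check on the image path or signature; the rule structure stays the same.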

Secure Data Exchange With International Partners

November 21st, 2007

The pharmaceutical industry is set to grow by 37.5% next year in India. So, what can companies do to conduct business securely with international clients and partners?

  • The technology to transmit data, emails, and other information using strong encryption protocols and methods already exists. Invest in security professionals who understand the technology to get you started. Don’t be fooled into thinking you’ll have to reinvent the wheel.
  • Setting up a connection with a foreign country is not unlike doing business with another city in your own country. If they’ll be handling your information, make sure that you know how that data is being protected. Have a professional do a security assessment of any international facilities that work with your data.
  • The most difficult part, and the potential weak link, is the people. In general, it’s hard to get people to take security seriously, especially if their own laws are not as stringent. After you leave, you’ll need to make sure that the technology enforces that employees select strong passwords, use their hardware tokens, and do whatever else is required to follow your internal policies.

I’d like to add: don’t fall into the trap of believing that your own country (whichever one it may be) has superior technology or security practices. Keep in mind that you’ll have a whole host of health care and other government regulations to worry about as well.