<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="/templates/default/atom.css" type="text/css" ?>

<feed 
   xmlns="http://www.w3.org/2005/Atom"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/">
    <link href="http://www.lawrencepingree.com/feeds/atom.xml" rel="self" title="Pingree on Security" type="application/atom+xml" />
    <link href="http://www.lawrencepingree.com/"                        rel="alternate"    title="Pingree on Security" type="text/html" />
    <link href="http://www.lawrencepingree.com/rss.php?version=2.0"     rel="alternate"    title="Pingree on Security" type="application/rss+xml" />
    <title type="html">Pingree on Security</title>
    <subtitle type="html">A security focused blog</subtitle>
    <icon>http://www.lawrencepingree.com/templates/default/img/s9y_banner_small.png</icon>
    <id>http://www.lawrencepingree.com/</id>
    <updated>2008-06-09T21:51:47Z</updated>
    <generator uri="http://www.s9y.org/" version="1.2">Serendipity 1.2 - http://www.s9y.org/</generator>
    <dc:language>en</dc:language>

    <entry>
        <link href="http://www.lawrencepingree.com/archives/97-Is-the-RIAA-out-of-control-with-enforcement.html" rel="alternate" title="Is the RIAA out of control with enforcement?" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-06-08T14:24:01Z</published>
        <updated>2008-06-09T21:51:47Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=97</wfw:comment>
    
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=97</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/97-guid.html</id>
        <title type="html">Is the RIAA out of control with enforcement?</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <p>An <a href="http://www.securityfocus.com/news/11521?ref=rss" target="_blank">interesting article</a> on how research and enforcement activities of companies trying to ensure their data is not shared illegally can sometimes go awry.</p><p>[...]</p><p><span class="body"><p><br />
While denial-of-service attacks are common occurrences on the Internet,<br />
Revision3's investigation found that it was targeted not by<br />
hard-to-prosecute political hacktivists or criminal groups, but by a<br />
company known for its aggressive tactics against file sharers,<br />
anti-piracy firm <a target="_blank" href="http://www.mediadefender.com/index.html">MediaDefender</a>.</p><br />
<p><br />
The company, a subsidiary of music firm ArtistDirect that counts a<br />
number of record labels and movie studios as its clients, apparently<br />
discovered that digital pirates had listed illegally-copied content on<br />
Revision3's BitTorrent directory, Louderback learned during a<br />
conference call with the firm this week. Rather than contacting<br />
Revision3 to divulge the security weakness, however, MediaDefender<br />
placed fake listings, or torrents, on the online video firm's servers<br />
in an attempt to identify people who were downloading illegal content.</p><br />
<p><br />
When Revision3 beefed up security last week to prevent others from<br />
listing content on its tracker server, MediaDefender's computers<br />
responded by repeatedly trying to access the files, overwhelming<br />
Revision3's network, Louderback told <cite>SecurityFocus</cite> in an interview.</p><p>[...]</p></span></p><br />
  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/96-Are-you-being-watched-at-work.html" rel="alternate" title="Are you being watched at work?" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-27T17:45:56Z</published>
        <updated>2008-05-27T17:45:56Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=96</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=96</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/96-guid.html</id>
        <title type="html">Are you being watched at work?</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <p>Excellent <a href="http://www.pcmag.com/article2/0,1759,2308369,00.asp?kc=PCRSS05079TX1K0000992">PC Mag article</a> on employee monitoring. Personally, I've worked to monitor employees' email, web and instant messaging as part of my forensic and investigations work at several of my jobs, so this is a very real concern. See an excerpt below:</p><p>[...]</p><p>It's possible that someone has been reading your e-mails, listening to your phone calls, and tracking your Internet use. No, it's not a foreign spy. It's not even your ex—it's your employer. And she doesn't even need to tell you she's doing it. </p><p>Employers can legally monitor their workers however they want. They can log and review all computer activity as long as they own the machines. The most popular method of keeping tabs on employees is to track Internet use: A whopping 66 percent of companies monitor employee Internet activity, according to a survey released in February by the American Management Association and the ePolicy Institute. What are they looking for? Frequent visits to sexually explicit sites, game sites, and social-networking sites like <a title="Facebook Inc." href="http://www.lawrencepingree.com/topic/0,2944,t=Facebook%20Inc,00.asp">Facebook</a> on company time. Almost a third of those who said they monitor their employees have fired someone for inappropriate Web surfing. </p><p>[...]</p><p />  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/95-Automated-Forex-Trading.html" rel="alternate" title="Automated Forex Trading" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-25T18:16:53Z</published>
        <updated>2008-05-26T16:25:35Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=95</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=95</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/95-guid.html</id>
        <title type="html">Automated Forex Trading</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <br />
<p>Off topic: if any of you are interested in automated investments with as little as $1000 and profit potential of 7% per month, you should check out <a target="_blank" href="http://trademaster.zulutrade.com">http://trademaster.zulutrade.com</a>. It offers automated signal services that are free to the trader. All you do is fund your account, pick a trade signal provider from their performance page, and sit back and watch the trades execute. (Of course, past performance is not indicative of future performance, based on market conditions.) If you want to learn more about Forex and trading, I suggest clicking on the &quot;School&quot; section at <a href="http://www.babypips.com" target="_blank">http://www.babypips.com</a>.</p> <br />
 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html" rel="alternate" title="Paypal XSS, ethics and the law" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-16T22:05:28Z</published>
        <updated>2008-05-17T17:54:12Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>
    
        <slash:comments>9</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=94</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/94-guid.html</id>
        <title type="html">Paypal XSS, ethics and the law</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <br />
Today a man by the name of Harry Sintonen announced that the PayPal payment processing site was exploitable by an XSS attack. In the back of my mind I was thinking how fitting his last name was: &quot;Sin&quot;tonen. Apparently he demonstrated this to a journalist and, during the &quot;online interview&quot;, executed an XSS attack that exploited the vulnerability on the PayPal website and used an alert pop-up to show the issue. The article is <a target="_blank" href="http://www.theregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/">here</a>.<br /><br /><p>Now, I understand that it's important for these types of companies (such as PayPal) to be looking for this type of bug, and I'm certain that PayPal has an army of security personnel who are slated to ensure this sort of thing does not happen. What I'd like to take issue with is that the public has no business executing attacks against websites on the internet, and the fact that they are doing so is not only unethical but criminal. It's great that people know how to execute attacks; XSS and SQL injections are not that tough, especially given that Paros Proxy, WebScarab, Tamper Data for Firefox, etc. allow you to easily push these to websites from your desktop. But just because you CAN do something doesn't mean that you should, and I feel publicizing this sort of thing is just downright irresponsible, and if it's not illegal in Finland, it darned well should be!</p>  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/93-Interesting-Security-Poll-of-users-on-the-street.html" rel="alternate" title="Interesting Security Poll of users on the street" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-15T16:54:15Z</published>
        <updated>2008-05-15T16:54:15Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=93</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=93</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/93-guid.html</id>
        <title type="html">Interesting Security Poll of users on the street</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <p>One thing that all of us forget is some of the basics in security. The following article covers a survey RSA performed in 2007, which asked security-related questions about user activities. I found the numbers somewhat amusing, and they validated my own thinking in terms of where efforts needed to be focused. I thought it was interesting that government employees seem to be more on top of security (at least physical) than the corporate world.<br /><br />Read the article <a href="http://www.windowsecurity.com/articles/Protecting-Users-Against-Themselves.html" target="_blank">here</a>.</p><p></p>  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/92-Intrusion-Tolerance-replacing-intrusion-detection.html" rel="alternate" title="Intrusion Tolerance replacing intrusion detection?" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-13T19:13:14Z</published>
        <updated>2008-05-13T19:29:02Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=92</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=92</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/92-guid.html</id>
        <title type="html">Intrusion Tolerance replacing intrusion detection?</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <br />
<p>Is &quot;Intrusion Tolerance&quot; replacing &quot;Intrusion Detection and Prevention&quot;? I doubt it.<br /><br />I was reading an <a href="http://www.darkreading.com/document.asp?doc_id=153621&amp;WT.svl=news2_1" target="_blank">article on DarkReading</a> today about a new project started by &quot;Arun Sood&quot; that he's dubbed &quot;Intrusion Tolerance&quot;. The approach is simple: his idea is to take a &quot;clean&quot; copy of a web, DNS or other server and rotate it into first position on the DMZ at a regular interval of roughly 1 minute. He commented that this would lower the window of opportunity for a system to become breached and limit the data loss exposure.<br /><br />In my humble opinion, Intrusion Detection and Prevention is not going away any time soon, and here's why:</p><p>1. Web servers don't normally store sensitive data these days (application databases do).<br />2. This does nothing to prevent a zero-day application exploit via the exposed web server.<br />3. Infecting a system takes only moments, and therefore any exposure for even more than 1 second can lead to a breach. Case in point: place an unpatched Windows XP system on the internet for about 10 minutes and whammo, you'll have several worms infecting your machine in that timeframe.<br /><br />Summary:</p><p>Although this technology helps us security folks in our endeavor, it's by no means a panacea. Honestly, this is only one small component that can be added to your overall security strategy and call it a day. Don't drop your firewall, Intrusion Detection and Prevention and other compliance technologies on account of someone saying they will &quot;limit&quot; your data loss. I'll be keeping an eye on this technology, as it has some promise if combined with the right complementary technologies. 
We'll see.</p><p>Read the article <a target="_blank" href="http://www.darkreading.com/document.asp?doc_id=153621&amp;WT.svl=news2_1">here</a>.</p>Read about SCIT - Self Cleansing Intrusion Tolerance <a target="_blank" href="http://cs.gmu.edu/~asood/scit/">here</a>.<br /><p /> <br />
 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/89-Identity-theft-and-Renault-website.html" rel="alternate" title="Identity theft and Renault website" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-08T18:30:28Z</published>
        <updated>2008-05-08T18:30:28Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=89</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=89</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/89-guid.html</id>
        <title type="html">Identity theft and Renault website</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                I hate to say it, but it bothers me when people send the wrong message to the public regarding identity theft. Simply having someone's name, address and phone number is not enough to perform identity theft. I believe the media has a tendency to embellish the idea of stealing someone's information and then having free rein to charge it up on the person's credit, as <a href="http://www.theregister.co.uk/2008/05/08/renault_compo_data_leak/" target="_blank">this article</a> suggests. The article says the data can be used to perform phishing, which is accurate, and it can help someone perform such a technique, but the data in question that has been so-called &quot;leaked&quot; is public data, with the possible exception of the email address. Just trying to keep us all honest.   
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/88-Social-Security-and-Personal-information-on-Riverside-Court.html" rel="alternate" title="Social Security and Personal information on Riverside Court" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-02T20:29:12Z</published>
        <updated>2008-05-02T20:33:49Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=88</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=88</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/88-guid.html</id>
        <title type="html">Social Security and Personal information on Riverside Court</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <br />
I was just reading an <a target="_blank" href="http://www.networkworld.com/news/2008/050208-privacy-advocates-court-posting-personal.html?fsrc=rss-security">article</a> on the Riverside court. Essentially, anything disclosed in a court case is considered a matter of public record in California courts. So it's important that people know that what they disclose to courts gets input into imaging software or databases and sometimes (<a target="_blank" href="http://www.networkworld.com/news/2008/050208-privacy-advocates-court-posting-personal.html?fsrc=rss-security">like this case</a>) can be viewed online. My suggestion to the public is to ensure that your documents obfuscate certain personal information that can be used incorrectly when obtained. I would also encourage local officials to pass legislation to bar courts from posting documents containing PII onto the internet. It's bad enough that we have a PII problem on systems within corporations, but having the court disclose it is a breach that should be treated the same way as a corporate breach. Of course, this makes too much sense for regulators.<br />
  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/86-Trust.html" rel="alternate" title="Trust" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-25T05:36:20Z</published>
        <updated>2008-04-25T05:41:07Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=86</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=86</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/86-guid.html</id>
        <title type="html">Trust</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <br />
  Main Entry:<div class="entry misc"><dl><dd class="hwrd"><span class="variant"><sup>1</sup>trust</span> </dd><dt class="pron">Pronunciation:</dt><dd class="pron"><br />
      <span class="pronchars">\<span class="unicode">ˈ</span>trəst\</span><br />
    </dd><dt class="func">Function:</dt><dd class="func"><em>noun</em> </dd><dt class="ety">Etymology:</dt><dd class="ety">Middle English, probably of Scandinavian origin; akin to Old Norse <em>traust</em> trust; akin to Old English <em>trēowe</em> faithful — more at <a class="lookup" href="http://www.merriam-webster.com/dictionary/true">true</a></dd><dt class="date">Date:</dt><dd class="date">13th century</dd></dl><br />
  <div class="defs"><span class="sense_break"><span class="sense_label start">1 a</span><span class="sense_content"><strong>:</strong> assured reliance on the character, ability, strength, or truth of someone or something</span> <span class="sense_label">b</span><span class="sense_content"><strong>:</strong> one in which confidence is placed</span><span class="sense_break"><span class="sense_label start"><br />2 </span></span></span><span class="sense_break"><span class="sense_break"><span class="sense_label start">a</span><span class="sense_content"><strong>:</strong> dependence on something future or contingent <strong>:</strong> <a class="lookup" href="http://www.merriam-webster.com/dictionary/hope">hope</a></span> <span class="sense_label">b</span><span class="sense_content"><strong>:</strong> reliance on future payment for property (as merchandise) delivered <strong>:</strong> <a class="lookup" href="http://www.merriam-webster.com/dictionary/credit">credit</a>  <span class="vi">&lt;bought furniture on <em>trust</em>&gt;</span></span><span class="sense_break"><span class="sense_label start"><br />3 a</span><span class="sense_content"><strong>:</strong> a property interest held by one person for the benefit of another</span> <span class="sense_label"></span></span></span></span><span class="sense_break"><span class="sense_break"><span class="sense_break"><span class="sense_label">b</span><span class="sense_content"><strong>:</strong> a combination of firms or corporations formed by a legal agreement</span><span class="sense_content">; <em>especially</em></span> <span class="sense_content"><strong>:</strong> one that reduces or threatens to reduce competition</span><span class="sense_break"><span class="sense_label start"><br />4</span><em>archaic</em> <span class="sense_content"><strong>:</strong> <a class="lookup" href="http://www.merriam-webster.com/dictionary/trustworthiness">trustworthiness</a></span><span class="sense_break"><span class="sense_label"><br 
/>5 a </span><span><span class="sense_label subsense">(1)</span></span><span class="sense_content"><strong>:</strong> a charge or duty imposed in faith or confidence or as a condition of some relationship</span> <span><span class="sense_label subsense">(2)</span></span><span class="sense_content"><strong>:</strong> something committed or entrusted to one to be used or cared for in the interest of another</span> <span class="sense_label">b</span><span class="sense_content"><strong>:</strong> responsible charge or office</span> <span class="sense_label">c</span><span class="sense_content"><strong>:</strong> <a class="lookup" href="http://www.merriam-webster.com/dictionary/care">care</a>,   <a class="lookup" href="http://www.merriam-webster.com/dictionary/custody">custody</a>  <span class="vi">&lt;the child committed to her <em>trust</em>&gt;</span></span></span></span></span></span></span></div><br />
  <div class="run_on"> — <span class="variant">in trust</span>   <div class="defs variant"><span class="sense_content"><strong>:</strong> in the care or possession of a trustee<br /><br />SOURCE: </span><a href="http://www.merriam-webster.com/info/copyright.htm">Merriam-Webster, Incorporated</a></div><div class="defs variant"><span class="sense_content"></span></div></div><br />
</div><br />
  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/85-Using-credit-statistics-to-determine-who-is-most-trustworthy.html" rel="alternate" title="Using credit statistics to determine who is most trustworthy" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-08T04:46:25Z</published>
        <updated>2008-04-17T18:29:54Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=85</wfw:comment>
    
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=85</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/85-guid.html</id>
        <title type="html">Using credit statistics to determine who is most trustworthy</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                I was cruising different ways to invest and I came across some <a href="http://www.ericscc.com/index.php?page=borrower_segments" target="_New">statistics</a> for a service that I use to lend people money. The statistics show the different types of job categories, the amount lent to each category and the percentage of each that is late. The thing that I found interesting is that clergy and lawyers were the least likely to be late on loans. The stats are taken from <a href="http://www.prosper.com/referrals/borrower.aspx?referrer=geekguy&amp;utm_source=referrer-geekguy&amp;utm_medium=referral-button&amp;utm_content=borrower_dark-120x60&amp;utm_campaign=referrals-borrower" target="_New">prosper.com</a>, a P2P lending service. It then occurred to me... is it possible to tell how trustworthy a person is by the way that they pay their bills? I mean, isn't a loan a promise to repay a debt? So if we were to expand this somewhat to trust, is it such a stretch? I'm sure some would disagree, but it's interesting nonetheless. Check the <a href="http://www.ericscc.com/index.php?page=borrower_segments" target="_New">following stats</a> and draw your own conclusions.   
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/84-Consumers-on-the-hook-for-security-in-UK-banking.html" rel="alternate" title="Consumers on the hook for security in UK banking" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-07T13:11:02Z</published>
        <updated>2008-04-07T13:11:02Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=84</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=84</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/84-guid.html</id>
        <title type="html">Consumers on the hook for security in UK banking</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Well, I knew it was coming, but now it has come and we're entering a new phase of accountability at the consumer endpoint. Now consumers in the UK are being held accountable for having properly updated AV, firewalls and anti-spyware... What a concept! I'm assuming this will soon be coming to the USA. I'm fairly certain that any lawsuit involving an end consumer would be defensible in this way in the USA already, but I'm not a lawyer. I'm also not sure if any bank wants this type of PR yet, but we'll see. Check the article <a href="http://www.theregister.co.uk/2008/04/04/banking_code_2008/" target="_New">here</a>.  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/83-Assembly-Bill-1298-Extends-Californias-SB1386.html" rel="alternate" title="Assembly Bill 1298 Extends California's SB1386" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-07T12:45:05Z</published>
        <updated>2008-04-07T12:45:05Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=83</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=83</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/83-guid.html</id>
        <title type="html">Assembly Bill 1298 Extends California's SB1386</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                I'm not sure if everyone is aware of this, but in January, SB1386 was extended so that a breach of medical information or medical insurance information requires notification. A copy of the law is located <a href="http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1251-1300/ab_1298_bill_20071014_chaptered.pdf" target="_New">here</a>. Coupled with other notification laws, doing business in California means that businesses must be more responsible than ever, with requirements that should have existed for years, in my opinion.<br />
<br />
  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/82-Interesting-HIPAA-Study-on-Dentists.html" rel="alternate" title="Interesting HIPAA Study on Dentists" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-07T12:20:46Z</published>
        <updated>2008-04-12T16:40:40Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=82</wfw:comment>
    
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=82</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/82-guid.html</id>
        <title type="html">Interesting HIPAA Study on Dentists</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                An interesting survey of 18 dentists was conducted to assess their compliance with HIPAA. The Health Insurance Portability and Accountability Act of 1996 defines some of the protections necessary for patient confidentiality and privacy. The dentists were given 10 compliance questions by Darrell Pruitt D.D.S. <br />
<br />
Quote:<br />
"The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample."<br />
<br />
Read the article <a href="http://dentistcom.wordpress.com/2008/04/06/the-hipaa-rule-and-dentistry-a-survey-of-dentists-%E2%80%93-a-pilot-study/" target="_New">here</a>  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/81-Stateful-Documents-Imagine-a-world-of-automatically-updated-documents.html" rel="alternate" title="Stateful Documents - Imagine a world of &quot;automatically updated&quot; documents" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-26T18:03:44Z</published>
        <updated>2008-03-26T18:03:44Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=81</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=81</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/81-guid.html</id>
        <title type="html">Stateful Documents - Imagine a world of &quot;automatically updated&quot; documents</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                We're on the cusp of a new generation of document distribution systems utilizing central storage, and there are some interesting security questions that will need to be answered in order for the transition to occur. Essentially, document management systems are nearly integrated with the client endpoint. Several technologies are converging that will change the face of how data is managed today: "data leak/loss prevention (DLP)" and "digital rights management (DRM)". These two technologies will eventually be coupled together to form an elastic band around documents travelling throughout corporate or personal networks. Data will eventually be controlled centrally no matter where it resides, so that management of said data will be easier and more structured. <br />
<br />
The latest idea I had was for a "stateful data object architecture" (SDOA). Once the DLP and DRM convergence occurs, the next challenge is to ensure that only "one" copy of the data exists in any given environment. This would reduce overall storage requirements and ensure that an organization's data is not duplicated, outdated, or in essence causing inefficiencies throughout the organic nature of human social groups. My best guess at this time is that one of the "content management systems" (CMS) vendors will introduce an architecture that will enable distribution of "copies" of documents or artifacts, and when that artifact is changed in the central repository, the endpoints will automatically have state awareness of the document version change and will then prompt the user to accept the "updated" document onto their system.<br />
<br />
This presents some interesting security questions on how to authenticate and encrypt the documents in transit so that one can "trust" the centralized document repository and properly ensure that the document was not modified in storage or "spoofed" by a third party. To that end, I leave it to you the reader to decide where it will go from here, but for me, I'm intrigued by where we are going and what lies ahead in the "stateful data object architecture (SDOA)". <br />
<br />
<br />
Again, I invented it and released it to you, no l0zers can claim it now. <img src="http://www.lawrencepingree.com/templates/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" />  Enjoy!  
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://www.lawrencepingree.com/archives/80-Google-Hottrends-to-trade-stocks.html" rel="alternate" title="Google Hottrends to trade stocks" />
        <author>
            <name>Lawrence Pingree</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-25T23:39:38Z</published>
        <updated>2008-03-25T23:45:29Z</updated>
        <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=80</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://www.lawrencepingree.com/rss.php?version=atom1.0&amp;type=comments&amp;cid=80</wfw:commentRss>
    
            <category scheme="http://www.lawrencepingree.com/categories/2-Security" label="Security" term="Security" />
    
        <id>http://www.lawrencepingree.com/archives/80-guid.html</id>
        <title type="html">Google Hottrends to trade stocks</title>
        <content type="xhtml" xml:base="http://www.lawrencepingree.com/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                I just came up with a cool idea. It could be possible to utilize Google <a href="http://www.google.com/trends/hottrends" target="_New">hottrends</a> to trade stocks. You would take the data into a database, create dynamic signatures around the data and its contents within the news, and then automatically trade stocks based on the data, merging it with the price data that's fed in from the market. You could technically auto trade based on Google hottrends data to make money based on human news interest p-waves. Wow. Sorry for going off the topic of security, but I wanted to say something about my idea.  Remember, I invented it, so no l0zers trying to take props for it.  
            </div>
        </content>
        
    </entry>

</feed>