[SecurityRatty] tag: holiday

SOA Security in Real Life

Sun, 30 Nov 2008 14:29:17 +0000

I started off my last article on SOA Security this way:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move.
Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).

The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.

Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.

For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.

Tips for staying safe online this Holiday season

Fri, 28 Nov 2008 13:37:01 +0000

Great article by Mr Walling.
Take the time read the tips and maybe you wont become a statistic this season

clipped from www.marketwatch.com

Walling Data’s Top Ten Safety Tips for Online Shopping

“The Internet is safe if you follow basic, fundamental rules of
using a computer safely,” says Luke Walling, Founder and President of Walling
Data, one of the largest distributors of online security products in
the country. “Many people think of their computer much like
they would an appliance, such as a microwave or stereo that behaves in a
predictable pre-programmed way. But, in reality computers
are dynamic devices that evolve dramatically with the installation of
each new program. It’s important to remember that viruses
and spyware are programs as well.”

Mumbai terrorism, worm warning, holiday woe

Thu, 27 Nov 2008 21:00:00 +0000

A wave of coordinated terrorist attacks across Mumbai late Wednesday dominated the news this week, with bloggers and people using Twitter helping to get information to families and friends of those affected. Multinational technology companies are not expected to change their business strategies as a consequence of the stunning attacks, which targeted westerners.

FBI Stoking Fear

Thu, 27 Nov 2008 09:27:35 +0000

Another unsubstantiated terrorist plot:

An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system.
[...]

The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly involved the use of suicide bombers or explosives placed on subway/passenger rail systems," according to the document.

"We have no specific details to confirm that this plot has developed beyond aspirational planning, but we are issuing this warning out of concern that such an attack could possibly be conducted during the forthcoming holiday season," according to the warning dated Tuesday.

[...]

Rep. Peter King, the top Republican on the House Homeland Security Committee, said authorities "have very real specifics as to who it is and where the conversation took place and who conducted it."

"It certainly involves suicide bombing attacks on the mass transit system in and around New York and it's plausible, but there's no evidence yet that it's in the process of being carried out," King said.

Knocke, the DHS spokesman, said the warning was issued "out of an abundance of caution going into this holiday season."

Got that: "plausible but unsubstantiated," "may have discussed attacking the subway system," "specific details to confirm that this plot has developed beyond aspirational planning," "attack could possibly be conducted," "it's plausible, but there's no evidence yet that it's in the process of being carried out."

I have no specific details, but I want to warn everybody today that fiery rain might fall from the sky. Terrorists may have discussed this sort of tactic, and while there is no evidence yet that it's in the process of being carried out, I want to be extra-cautious this holiday season. Ho ho ho.

Safe Computing During The Holiday Season

Tue, 25 Nov 2008 11:32:07 +0000

The holiday season is a time of increased online activity. During the hustle and bustle that surrounds this time of year, whats more convenient than saving a little time (and money) by shopping and b...

Holiday Travel: Ways to Keep Your Laptop, Privacy Safe

Mon, 24 Nov 2008 02:00:00 +0000

If you're planning on traveling with your laptop this holiday season, you might want to travel prepared. The statistics are overwhelmingly bad: According to Gartner, one laptop is stolen every 53 seconds.

Dont get a lump of coal this season!

Tue, 18 Nov 2008 14:46:21 +0000

Make sure your online protection products are working and updated, or you may get a lump of coal this Holiday season.

clipped from www.marketwatch.com

Webroot Threat Advisory: Online Threats to Increase This Holiday Season

To protect themselves during any online
shopping experience, consumers need to be aware of the security
risks and necessary precautions they should take to avoid being a victim
of cyber crime. Since the October to December timeframe will be a key
money-making season for today’s financially
motivated cyber criminals Webroot is recommending that consumers follow
these five steps:

Most Spam Came from a Single Web Hosting Firm

Mon, 17 Nov 2008 02:11:07 +0000

Really:

Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.

Certainly this won't last:

Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.
"We're seeing a slow recovery," Bhandari. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."

But with all the talk of massive botnets sending spam, it's interesting that most of it still comes from hosting services. You'd think this would make the job of detecting spam a lot easier.

Security at the Point of Sale

Sun, 02 Nov 2008 21:00:00 +0000

When thieves stole the PIN pads at a cash register in one of his company's stores, Daniel Marcotte was amazed. Not that they'd done it--such thefts can happen once a week during the holiday season. But watching it on videotape later, "I couldn't tell they had it with them when they left" the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited.

U.S. Consulate in Northern Mexico attacked with guns and grenade

Sun, 19 Oct 2008 14:53:00 +0000

The motive for last week's attack on the U.S. consulate in Mexico is being investigated but there is still no clear cut reason for the unprovoked attack.

The attack had more in common with what we have come to expect in Iraq than from just below the Southern States of the U.S. News of the attack is making me think more about the article I read in one of the Gulf papers here in the Middle East a couple of days ago.

The article read; "Mexican workers leave the U.S. disllusioned with the American Dream". The story, like so many others these days, focused on the worsening U.S. economy. That made me think; could a returning mexican worker have launched the attack on the embassy due to his frustration at not being able to do as well as he had expected North of the border?

I hope for Mexcio's sake this is not the case. Mexico's dangerous crime rate is already a concern for many people deciding where to go to spend their holiday dollars.

In this current economic climate, visitors need to be encouraged and given a reason to spend their hard earned money in your country, not made to feel like targets.