Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week.

The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted.

Visa, MasterCard to unveil new security rules: The updated PCI standard will cover Web apps, third-party controls, Jaikumar Vijayan, ComputerWorld, 7 July 2006
Monthly Archives: July 2006
A Stitch in Time Saves Nine
“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined,” Litan said in an accompanying statement. “Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach,” she added.

So if you split the difference and spend $10/customer on security as prevention, that stitch in time really does save nine stitches fixing it later. Prevention is good risk management.
-jsq
PS: Seen on Steve Hagen’s Network Security Journal.
Two-Factor Phishing
If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Citibank Phish Spoofs 2-Factor Authentication, Brian Krebs, 10 July 2006
This could be because the people behind such phishing scams are often pretty tech-savvy people themselves. Funny how that happens when there’s money in it.
-jsq
Is a Four-Fold Increase a Risk?
More than land-use changes or forest management practices, the changing climate was the most important factor driving a four-fold increase in the average number of large wildfires in the Western United States since 1970, the researchers concluded.

The average spring and summer temperatures were more than 1.5 degrees higher in Western states between 1987 and 2003 than during the previous 17 years. In fact, the seasonal temperatures were the warmest since record-keeping started in 1895, the researchers said.
While the researchers stopped short of linking increased wildfire intensity to global warming caused by rising levels of greenhouse gases, they were confident that they had documented a broad climate trend and not a fluke of natural weather variability.
Wildfire Increase Linked to Climate: Higher temperatures over 34 years — rather than land-use changes — have led to more blazes, researchers say. They’re sure it’s not a fluke. By Robert Lee Hotz, Times Staff Writer, L.A. Times, July 7, 2006
Stemming the International Tide of Bad Spam Laws
Sure, spam is bad, and I’d like to get rid of it, too, but not at the cost of having ISPs and governments required to discard my mail based on content. That last is basically what a new ITU report, Stemming the International Tide of Spam, seems to recommend.
The root problem with all such recommendations is their insistence on defining spam as commercial. I get spam from religious organizations, spam in languages I don’t even read, and, worst of all, spam from politicians. Spam is unsolicited bulk electronic mail. Confusing content with spam is, and has always been, a big mistake. If you let content leak into your definition of spam, quickly you’re into censorship and First Amendment territory.
The arm of commerce has borne away the gates of the strong city.
Nations do not now stand in the same relation to each other that they did ages ago. No nation can now shut itself up from the surrounding world, and trot round in the same old path of its fathers without interference. The time was when such could be done. Long established customs of hurtful character could formerly fence themselves in, and do their evil work with social impunity. Knowledge was then confined and enjoyed by the privileged few, and the multitude walked on in mental darkness. But a change has now come over the affairs of mankind. Walled cities and empires have become unfashionable. The arm of commerce has borne away the gates of the strong city. Intelligence is penetrating the darkest corners of the globe. It makes its pathway over and under the sea, as well as on the earth. Wind, steam, and lightning are its chartered agents. Oceans no longer divide, but link nations together. From Boston to London is now a holiday excursion. Space is comparatively annihilated. Thoughts expressed on one side of the Atlantic are distinctly heard on the other. The far off and almost fabulous Pacific rolls in grandeur at our feet.

Today telephone, television, and the Internet are the chartered agents of intelligence, not to mention agents and drivers of the commerce whose arm has borne away the gates of the strong city. Fortifying perimeters works even less these days, for nations or for companies. Cooperation is essential for survival, not to mention risk management.

What to the Slave is the Fourth of July? Frederick Douglass, Rochester Ladies’ Anti-Slavery Society, Rochester Hall, Rochester, N.Y., 4 July 1852.
-jsq
Pipes or Bridges
I don’t usually post about specific politicians, but I did find Senator Ted Stevens’ explanation of the Internet rather remarkable:
It’s a series of tubes.
And if you don’t understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it’s going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.
Now we have a separate Department of Defense internet now, did you know that?
Do you know why?
Because they have to have theirs delivered immediately. They can’t afford getting delayed by other people.
Your Own Personal Internet, by Ryan Singel and Kevin Poulsen, 26B Stroke 6, Thursday, 29 June 2006
This is the same senator who got Congress to approve a $223 million bridge to nowhere, that both the Sierra Club and the Heritage Foundation opposed; the latter referred to it as a National Embarrassment.
I guess he’s changed his expertise from bridge architecture to Internet pipe design. Anyway, this is why he says he voted against net neutrality.
Maybe it would be good risk management to elect some Congress members who have a clue about the Internet.
-jsq