
Showing posts from June, 2011

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing their policies for completeness. The SANS top 20 controls are a must for any organization:
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Boundary Defense
Maintenance, Monitoring, and Analysis of Security Audit Logs
Application Software Security
Controlled Use of Administrative Privileges
Controlled Access Based on the Need to Know
Continuous Vulnerability Assessment and Remediation
Account Monitoring and Control
Malware Defenses
Limitation and Control

Me Personally? I love DAOS...

I think DAOS is great, and why? Because of the screenshot below. A database a quarter of that size would make most admins cry, but with DAOS, it hums along beautifully. Makes me wonder if this type of scenario is what IBM had in mind when they designed DAOS. Oh, and the size is not an error. Logically, it actually is 140GB in size, with about 53,000 attachments.

Indian users of Groupon subsidiary face password breach

An Australian security consultant, Daniel Grzelak, discovered an SQL file with over 300,000 usernames and plain text passwords from Sosasta.com by conducting a Google search. The entire user database of Groupon's Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". On a side note, this is the same Daniel Grzelak who created, as a side project, shouldichangemypassword.com, a website that allows you to search a database of known-compromised e-mail address and password pairs to see if your password has been compromised.

Bioware Account Breach

I got an email the other day, one I wasn't expecting to receive, because I wasn't even aware that the organization had a data breach. (But then, how could I? They've been coming fast and furious for a while now.) The email looked like this: "We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an

Is speed a good thing in disclosing security breaches?

How quickly do you feel a company should notify you that your personal data has been exposed as the result of a security breach? There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada. Each company took a different amount of time to notify customers, but that is because they are allowed to. There are no laws that specify how quickly they must advise you that your private information may have become public. Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony Playstation Network breach to advise customers. Epsilon, who lost millions of customer account data belonging to more than 50 major companies, contacted people only a day after the breach was discovered. Honda Canada, who suffered a breach in March, didn't notify people until May. Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public.

Basic Information Security Practices missing at most Small Businesses

As I read this article earlier today, I have to say that I am not really all that surprised. Most small businesses are more concerned with their day-to-day operations and where the next client is coming from than they are about spending the time to create policies and processes to manage security. Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing of confidential data, 31.1% never trained staff on the company's information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing of confidential data. With any small business there is only so much time and so much to get done. Most processes exist, but are usually non-documented, and quite often verbal. "Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don't tend to have formal policies and procedures in place until they start to grow more." Without a tra

Canadian Privacy Commissioner criticizes Staples

The Canadian Privacy Commissioner, Jennifer Stoddart, has found that Staples Canada Inc. failed to fully wipe customer data from returned devices such as laptops, hard drives or USB keys prior to reselling them. The Staples audit included tests on data storage devices (i.e. computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale. Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, health card and passport numbers, academic transcripts, banking information and tax records. This brings a few questions to mind. Who are these individuals who would return a device to a store and blindly trust that the store will do what is in their best interest, rather than in the store's best interest? The privacy commissioner stated that: "...although Staples generally has good

IamLUG - North American Lotus User Group

Once again, I believe for the third year, St. Louis is opening its doors to Loti from across North America. Founded on the 'free' conference ideal, IamLUG has offered more than 25 sessions each year with the optional 'TackItOn' full day of training on specific subjects. This year's session list looks great, and the speakers rock. It's happening on August 1st and 2nd, with the 'TackItOn' day being Aug 3rd. You can find more detail here.

Taking Security Too Far: Breaking the Business Process

Read the following statement: "apparently the advent of 3D projectors is severely cutting the amount of light that reaches the screen because projectionists are not changing out the 3D lenses for 2D screenings as they should." Would you believe that a poorly planned security process is at fault for spoiling our enjoyment of 3D movies? With more and more thought being given to security, and protecting the intellectual property of the organization, it is possible for those controls to go too far. Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al. have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. While it is a great idea to make sure that the business is protected, making security too much of a ch

Wikimania - Please don't post (I want to win...)

Yeah, the title is a bit tongue in cheek, but seriously... I entered an article in the Wikimania contest last year, and I even won a book, and a number of other small items. I've entered again this year, on the very day the contest opened. I suspect that I was even pointed out for it. Sharing with the community is a great way to develop friendships and share information. (And win prizes. After all, who doesn't want to be recognized for their work.)

Security Review - 6/7/2011

Similar to a number of other breaches (Sony, Epsilon, Lockheed-Martin), hackers seem to mostly be targeting the 'larger' targets, that will bring a lot of public exposure. The Conservative Party of Canada site was the target of such an attack this week, as were many branches of the Sony empire. The Kingston Police department just got their website back online on Tuesday following a breach. It's no surprise then that Vermont Democrat Senator Patrick Leahy has introduced a bill that would set a national standard for notifying consumers of breaches, and would make it a crime to conceal a data breach. Is there any doubt why Canadian companies are wary of the cloud? As a result, Canadian firms tend to experience fewer security lapses. On average, 43% of global companies reported a breach within the last year versus 38% in this country.

Hackers target Conservative Party website

Despite news on the Conservative Party of Canada website, Prime Minister Stephen Harper was not airlifted to a hospital in Toronto following a choking incident at breakfast with his children. In fact, it was an attack by hackers targeting the Conservative Party website. The CBC has more details.

Hackers make off with Government of Canada data

Back in April 2010, two groups (The Citizen Lab and The SecDev Group) discovered that government computers in 103 countries were compromised by hackers from China. They wrote about it in a published report called Shadows in the Cloud. Fast forward to the fall of 2010 when Communications Security Establishment Canada (Canada's electronic eavesdropping agency) started looking for signs that Canada's governmental networks had been compromised. Fast forward to January 2011, when a hack was discovered in three Canadian government departments including the Department of Finance and an agency of the Department of National Defence. A memo written at the end of January 2011 states: "Indications are that data has been exfiltrated and that privileged accounts have been compromised." Moving on to February 2011, when Prime Minister Stephen Harper says that the government has a strategy to protect computer systems, but admits that cybersecurity is "a growing issue of i

Tomorrow is IPv6 day!

Tomorrow is the Internet Society's World IPv6 day. On June 8th, many major world organizations (including Google, Akamai and Yahoo!) will be turning on IPv6 services for a 24 hour test. More information can be found here.