Category: security


[Image: An early CAPTCHA]

So I ran across a blog post by Jeff Atwood that talks about CAPTCHA, which is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.  These are those nice little images in which we have to decide what letters they contain.  I added a picture for reference.  Wikipedia has a great reference to this technology.  This blog talks about how new technology has been coming out and making these easier for computers to break.  One of the biggest websites with such a problem is Ticketmaster.  People have found a way to get around the CAPTCHAs.  One recent instance where this has been shown to be a problem is the Hannah Montana concert “Best of Both Worlds”. Tickets were swept off Ticketmaster and started to be sold on eBay for an average of $237.

This leads into talking about the necessity of Information Security employees being tech savvy and tech forward.  Hackers and people in general are always looking for new and better ways to get around security features.  The security measures of five years ago are not as effective today as they were then.  Security hacks and vulnerabilities are being found every day and circulated on-line.  (So make sure to update your software regularly.)  Being aware of these vulnerabilities is the first step.  As a security professional, you must then gauge the riskiness of the vulnerability and the cost of the fix.  (Will it be painless, or will the fix have to be tweaked to keep it from interfering with the current network?  Will any equipment have to be replaced?  Etc.)   Then weigh the benefits against those costs.

Ticketmaster should definitely re-evaluate their ticket security.  The Hannah Montana incident received a huge amount of  bad publicity.  The lack of good security may lead Ticketmaster to make more than they usually would due to overbuying by scalpers.  However, you have to weigh the increased revenues against the effects of the bad publicity when the lack of good security reaches mainstream media. Over 195 news articles show up on the subject at Google news.

As we become more of an online society, living and interacting through the internet on sites like Facebook and Myspace, we add more information to our profiles and our devices.  This leads to more information being available that hackers can exploit to gain email addresses, personal information, etc. Unless this is correctly secured and users are knowledgeable about the ploys being used to lure people into vulnerable situations on the internet, hackers have more venues to gain information from internet users.  For example, cell phones are becoming more versatile and useful.  However, to be useful, we must start to upload information such as our contacts onto our phones.  Security professionals have already shown that many of the prominent platforms can be easily hacked.  We have already seen the iPhone security holes being taken advantage of.

I came across a great article entitled Looming Online Security Threats in 2008 that goes into some of the threats we may see in the coming year.  These included exploiting internet users’ trust through Myspace and Facebook, augmented PC attacks that steal personal information, an increase in cellular attacks, attacks on corporate databases for proprietary design and engineering information that can be sold, and professionally written email virus scams.  I highly recommend reading this article for a more in-depth look.  I wanted to share the following security tips from the article with you, though.

— Don’t give away any valuable or sensitive personal information on your MySpace or Facebook profile, or within messages to other members of the network. And don’t click on any links in social network messages from people you don’t know.

— No reputable company will ask for your password, account number, or other log-in information via e-mail or instant message.

— Use one of the many antivirus, antispyware, and firewall programs on the market. Often, vendors offer all three functions in a single package. And many Internet service providers offer them free with your monthly subscription.

— Upgrade your browser to the most current version. From Microsoft, that’s Internet Explorer 7. Mozilla’s Firefox is on version 2, as is Apple’s Safari browser.

— Pay attention to the messages from Windows that pop up on your screen, especially in the new Vista operating system. They often contain helpful security information that many users overlook.

— Turn on Windows’ automatic-update function to get Microsoft’s regular security patches.

Education on the scams that are out there can be very helpful in reducing the effects of these “trusting techniques”.  IT professionals use the acronym PEBKAC (Problem exists between keyboard and chair) to explain a situation where security or a computer didn’t work because of the person operating the computer.  Education can greatly reduce this type of error.  A person can’t be prepared for something they don’t know anything about.

Paypal and Google Checkout have started to gain market share in online shopping payments.  Big vendors such as Dell are starting to allow payment through Paypal.  While eBay is a large portion of Paypal’s transactions, this past third quarter has seen non-eBay transactions increase to almost 45%.

One of the new features Paypal has introduced is the ability to receive a “dummy” Mastercard number from Paypal to use for online payments.  This helps reduce customers’ risk of identity theft.  More than 15 million Americans had their financial information stolen online between 2005 and 2006.  This number can induce a lot of fear.  Since the new feature that allows people to use Paypal almost anywhere was just released on November 20th, it will be interesting to see how this fear will grow Paypal’s market share in the next quarter.

I stumbled upon a great article today about the risks associated with temporary employees. This is especially important information during the Christmas season due to the large increase in temporary employees.  The article outlines three main issues faced with the addition of temporary employees.

  1. Information Leakage
  2. Lack of Basic Data Security Management
  3. Exposure to External Threats

The article outlines the results from a survey given to temporary employees about their behavior and policies at these jobs.  There are some pretty interesting statistics in the article.  Here are just a few of them.

  • 87.7% of respondents were able to access documents from the company network drive or electronic folders that permanent staff use on a day to day basis
  • 52% used someone else’s e-mail account or a general company e-mail address
  • 78.9% of temporary workers said they did not have to sign a PC or Internet use policy
  • 97% said they either didn’t understand or had never heard of the Computer Misuse Act
  • 25.5% accessed download sites during work hours
  • 67% of temporary workers used social networking sites like Facebook during working hours

The complete set of statistics and article can be found at the following link. 
Businesses are ill-prepared for the security risk introduced by temporary workers

As hackers find new and different ways to use the information found on the internet at sites such as Facebook and Myspace, we will start seeing a whole different arena of ways to gain information that we must know about and be cautious of.

Salesforce.com just ran into some trouble in October. On Oct. 19, Security Fix reported that payroll giant Automatic Data Processing (ADP) and several banks — including SunTrust — were among a number of institutions that were victimized by a series of highly-targeted phishing scams.  This was done through a spoofed email that asked employees to download a file, which was most likely malware intended to gain passwords and usernames.  More Info

This is just one of the risks of which temporary employees and full-time employees must be aware. Management must be aware of these threats and take steps to mitigate these risks.

Hey Everyone,

 I am trying to accumulate a library of online Information Security resources.  The beginning of this library can be found here.  Please help me to fill out this resource with any favorite resources that you use for information security. I would really appreciate it.

– Jessica

I started this blog as a part of an independent study for my MBA and, as you can see if you look at my archive, it’s been about 2 months since I’ve entered a blog entry.  Since this is my assignment for the semester, it can be said that I’m a little bit behind on the work for this class.  As the semester is coming to an end in less than 2 months and I realize that my time is slowly whittling away, I look into what I should be doing to jump start myself into finishing my work, as well as looking into the past and analyzing why I am behind.  (I have to analyze everything I do… That’s what MBAs live and breathe.)   So, let’s start off with the past…

THE PROBLEM
I have taken this independent study and have not completed the work over the summer as planned.

ANALYSIS OF THE PROBLEM
Why?

  • Stress of Moving to and from California for an Internship
  • Buying the wrong book on Half.com (delaying reading for 3 weeks)
  • On the backburner – Lack of presence in forefront of mind
  • No short term goals or milestones set for independent study
  • August – start of new semester & classes
  • Busy – work, classes, a few hours of sleep, interviews, need for down time (Value of Time & Effort)
  • September to November – interviews every week, behind on normal classes

Now you are probably wondering how this has anything to do with Information Security.  Well, don’t worry.  I’m going to go into that now.

In business, many things are happening at once.  Everyone has to multi-task and prioritize their lives in order to survive work as well as life.  Within business, security is many times put on the backburner.  Unless top executives make Info Security a priority, businesses know they should be doing something but don’t take the time to do anything about it.  People look for ways to save time and money, and security can sometimes cost employees and the business a lot of time AND money.  This link shows just one of the many ways that employees will find to shortcut a system to save time while increasing security risk.

As I mentioned before, having top executives’ support can make or break some initiatives.  It is also important to set timelines, goals and milestones for progress.  I personally did not do this and, as you can see from the small number of blog posts, I am not accomplishing my work in this portion of my class.  By setting milestones in both Info Security and work goals, you can help to keep security work at the forefront of employees’ minds.

Let’s move on to “Value of Time & Effort”.  In everyone’s life, they have to constantly make choices.  “Do I want to work out or do I want to watch TV?” / “Do I want to buy a new laptop or do I want to take a vacation to Hawaii?”, etc.   This happens in Info Security a great deal, just like in life.  Information Security, especially on the Internet, is an important aspect that needs to be addressed.  However, events in which data or information are compromised are few and far between.  These events cost a great deal of money when they do happen, however.  Many managers don’t want to spend the large amounts of capital needed to guard against an event in the future that may or may not even happen.  These managers sometimes don’t comprehend how much these types of breaches can cost.

So I guess to sum up my key points, I believe that in life and info security, we need…

  1. senior executive prioritization
  2. key security milestones and goals
  3. complete understanding of potential risks

During the week of August 27th, Monster.com had a major security breach.  More than 1.3 million records of resume contact information were found to have been pilfered off both the Monster.com site as well as the USAJobs.gov site.  While this information doesn’t include any highly sensitive information such as financial and social security numbers, it is still information that can be used in phishing and spam email.  During the investigation, Monster found that this wasn’t the first time that information had been taken this way from their site.

In response to this breach, Monster.com sent letters out to the victims informing them of the theft of their information.  One of my friends was one such user.  The letter is filled with corporate speak detailing their regret, as well as the address of a part of the Monster site that gives details about phishing and ways to avoid being a victim.

Another action Monster took in response to this event was a promise to their users to step up site monitoring and to spend $80 to $100 million in site upgrades.  According to a Reuters news article, the site had lost the support of between 200 and 300 job seekers. Monster has set up a security center for people to learn more about email phishing and what happened with the security breach.

Besides the impact this had on increased site security spending, the overall consumer effect does not seem to be that steep.  Losing 200 to 300 people out of 1.3 million is much less than 1%. As for internet feedback, most blog output on the matter seems to just be rehashing or adding facts about the incident, as well as talking generally about the need in big business for more internet security spending.  The consensus seems to be “it’s happening again,…. drat”, and then they go back to their normally scheduled program.  Security breaches are becoming so common that the public is becoming less fazed by the breaches and just deals with them. Is this an indication of a more tolerant public concerning internet information security?  Or is the lack of a large response due to the fact that only basic contact information was stolen?

Interesting in-depth blog about the breach

I came across a great post on what you should think about when setting up your information security plan in the A Day in the Life of an Information Security Investigator blog.  I especially agree with his first suggestion about having a security buddy look at your plan.  It’s always said that two heads are better than one.  This is definitely the case with security.  You should never become too arrogant to think that you’ve thought of everything.  Another person can give you a new perspective.

I just read that the two things you have to be careful of when thinking about security are hackers and lawyers.  Hackers start the problems, but lawyers make you pay for them.  The more input you have, hopefully the better secured you are against each, and maybe the better you are able to get the most out of the money the organization has available.
