Tuesday, March 20, 2012

Internal issues still cause more data loss than outside attacks, says report

Internal issues still cause more data loss than outside attacks, says report

There isn't much surprise that most threats still come from the inside, whether malicious or negligent. In reality, many of the causes of the malicious/negligent/system glitches overlap and depends on how you look at them.

Looking at the report, it seems phishing seems to be under malicious, but can this also be classified as negligence? I don't know how many computers I have to get my techs to clean because someone opened a malicious pdf or file from their personal email. I guess I can see it being malicious, as ultimately, the phishing email was crafted by someone with malicious intent, whether it be to get someones bank account/PII or breach into a company.

Same goes for "theft of data bearing devices". Portable Hard Drives, Laptops, Thumb Drives, Backup Tapes, or other items. How many of these are due to someone intent on stealing from a specific company and how many of them are due to someone not following policy and leaving a laptop and portable hard drive on the passenger seat while they run inside 7/11 for a pack of smokes and to pay for gas? Most of the data on the latter probably never sees the light of day and is wiped before being sold somewhere.

Successful SQL injection or web site attack? Is this malicious or "system glitch" because the server admins didn't patch on schedule or follow procedure? Many of these could be one or the other and are probably determined by the investigation and, in some cases, whatever makes the company look better.

In general, if we could stop users from doing stupid things, and getting them to follow correct procedure, we could probably stop a lot of the current and continuing threats. Of course, the bad guys would just find another way in. :-)

Monday, March 19, 2012

My rant on overhyped RFID Credit Card Hacking

My Uncle sent me a link to this video that has been going around lately, and I thought I would post my little rant about this kind of hyped up information. I'm not saying that it doesn't happen, just that it isn't as prevalent as they want you to believe. It is happening, and technology is always evolving...on both sides of the fence. Remember the person in the video and the interviews all over the internet, is trying to sell you his wallets and Credit Card sleeves. And the news sites are trying to sell you their version of the news. It's always good to have more information. As they say....The More You Know...

It's always good to protect your cards, whether they have RFID or not. To be honest, I'm more worried about the waiter/waitress copying my card when they take it out of site at a restaurant than I am about someone grabbing my card through the air. :-) More on my opinion after the video... (Have I used ... enough yet? ;-)

I've been watching this technology for a while now, and while it may seem easy to grab your card info, it is not as easy to use it as they are making it look. Plus, the security behind the cards is always evolving. The first generation of cards sent your whole name and everything along with the date, more recent cards send just enough for the current payment to process. The second piece of security, is every "transaction" that is sent via RFID has it's own unique CVV code that is only good for that transaction. (CVV is the 3 digit code on the back of your card that you need for some transactions). Because this code is unique to the transaction, any thieves have a limited amount of time to make a purchase, depending on how often you use your card; and can only use it for one transaction. And if they don't use it before you make a purchase, the code of your next transaction will be out of order and the alert your Credit Card company that something is amiss. The list of codes are unique to the card, similar to the SecureID tokens many banks use to protect internal transactions and the Government uses for security access.

This my understanding from what I have read over the last couple of months on the subject from trusted sources in the Information Security Industry, but I have not been able to test it myself. Even so, my wife bought me one of those secure wallets that is supposed to block RFID signals, and I have been able to confirm this, as my bus pass will not scan through it, And I carry all of my IDs with RFID chips in them in special containers. I don't currently have any of the RFID Credit Cars, though not because I have said no to them. As in many things, vigilance is the key and always a good idea. If you suspect fraud, report it. Remember, even though you are not liable for fraudulent transactions, these companies have to pay for them somehow, and it comes from higher fees from both the credit cards companies and the stores we buy from that have had a chargeback because someone else bought something from them using stolen credentials.

One of my favorite places for information: