What the Web knows about you
by admin on Feb.18, 2009, under Security
Online privacy and the implications of data aggregation are a bit of a passion of mine; that’s part of what inspired me to write the Thunderbird plugin.
Here’s an interesting story about what one journalist found out about himself.
People wonder why identity theft happens, but so much of our personal data is available online these days that it’s possible to build a fairly complete profile of anyone you want. That’s just one of the reasons everyone needs to be careful about what they post on social networking sites.
-Daniel
Viruses: Hackers Using Fake Parking Tickets to Infect Computers
by admin on Feb.09, 2009, under Security
Here’s an interesting twist on an old scam. In a town in the US someone has been issuing fake parking tickets. The fake tickets instruct the victim to go to a website to pay their fine; the website in turn says that they have to download a ‘toolbar’ to see the details and pay the fine.
Needless to say, the toolbar is really a Trojan-infested piece of malware, which will continue to spawn popups including the notorious Antivirus 2009.
Viruses: Hackers Using Fake Parking Tickets to Infect Computers.
Yet another example of how the bad guys are changing their tactics to stay ahead of the curve.
What You Really Need To Know About Data Loss Prevention - insider threats/Management
by admin on Feb.07, 2009, under Security
Data Loss Prevention is one of the hot topics in Information Security at the moment, largely brought about by the numerous accidental losses of sensitive information that have been in the press over the last few years.
Here is a decent article that covers what it is and how it works:
What You Really Need To Know About Data Loss Prevention - insider threats/Management - DarkReading.
Who’s walking out with your secrets
by admin on Feb.01, 2009, under Security
While this is not my usual topic, there’s something very wrong with this story. It pays to remember how closely information security is tied to physical security:
Former Energy Worker Admits Trying To Sell Nuclear Secrets - Insider threats/Attacks - DarkReading.
The short of it is that a janitor managed to walk out of a US DoD site with a number of components developed as part of a nuclear research project. After successfully getting them off site, he tried selling them to the French Government. Fortunately it was the French, not some semi-hostile government, and so they reported him to the FBI, who arrested him.
What can we learn from this story? Firstly, treat your cleaners as if they are privy to your most sensitive secrets, because in all likelihood they are. Things get left on desks, in photocopiers and in ‘secure’ document disposal bins all the time, and cleaners often have unsupervised access to all parts of your offices.
Secondly, a number of vital security controls must have been either missing or have failed for him to be able to take them. Inventory control should have noticed that sensitive items were missing, and so sparked a full-scale investigation. It also shows the weakness of manual security searches: why was he taking equipment on and off site anyway?
Payment Processor Breach May Be Largest Ever
by admin on Jan.25, 2009, under Security
Somewhere in the region of 100 million credit card numbers have been acquired from payment processor Heartland by cyber-criminals in what is likely to be the largest breach of its kind to date.
Payment Processor Breach May Be Largest Ever - Security Fix.
What makes this worse is that Heartland was PCI DSS compliant, having passed the audit in April 2008. Undoubtedly this will bring about even further debate about the validity of the PCI standard.
-Daniel