Blog Details for "Technology Security"
Technology Security is an industry blog that comments on the latest innovations and issues in the information security sector.
Articles
Data Loss to the Maxx
2007-03-29 22:10:00 So you have a situation where you KNOW someone broke in and pilfered a lot of data, but because of your data retention policies you are unable to accurately say how much is lost. From TJX's 10-K filing: "We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided, we believe that we may never be able to identify much of the information believed stolen." But, in reality, not even their data retention policies were being followed, because there was a nine-month period where the data was supposed to be deleted and was not. Of particular interest to me is an article by InformationWeek that states: "TJX's security may have been further compromised by the cyber criminals having access to the decryption tool for the encryption software that TJX uses. This could have been the result of an insider or a successful hack by the cyber thieves into a TJX database where the keys were ...
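The two failures in the post are auditable before an intrusion, not only after: records held past their retention window are exactly the data you can no longer account for, and a scheduled purge that silently stops running is the nine-month gap. The check below is an added example, not code from the blog or from TJX; the record layout, the category names, the retention windows, the 45-day gap threshold and the purge log are all constructed for the illustration.

```python
"""Retention audit: which records should already be gone, and when did purging stop?

Added illustration for the post above; not code from the blog or from TJX.
The record layout, the category names, the retention windows and the purge
log are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: days a record of each category may be kept after creation.
RETENTION_DAYS = {"card_auth": 90, "returns": 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date


def overdue(records, today):
    """Records past their retention window, or with no rule at all.
    Anything listed here is data you still hold but cannot justify under your
    own policy, so it is exactly what an intruder gets for free."""
    findings = []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        if limit is None:
            # An uncovered category is itself a finding, not something to skip.
            findings.append((r.record_id, "no retention rule for category " + r.category))
            continue
        age = (today - r.created).days
        if age > limit:
            findings.append((r.record_id, f"{age - limit} days past retention"))
    return findings


def purge_gaps(purge_runs, today, max_gap_days):
    """Intervals between consecutive purge runs, and from the last run to today,
    longer than max_gap_days. A long gap means deletions were scheduled but not
    happening, which is the situation the post describes."""
    runs = sorted(purge_runs) + [today]
    return [(a, b) for a, b in zip(runs, runs[1:]) if (b - a).days > max_gap_days]


# Constructed sample data (not real records or a real purge log).
SAMPLE_RECORDS = [
    Record("r1", "card_auth", date(2006, 3, 1)),
    Record("r2", "card_auth", date(2006, 12, 1)),
    Record("r3", "returns", date(2005, 6, 1)),
    Record("r4", "loyalty", date(2007, 1, 1)),   # category with no rule
]
SAMPLE_PURGE_LOG = [date(2006, 1, 5), date(2006, 2, 5), date(2006, 11, 5), date(2006, 12, 5)]
AUDIT_DATE = date(2007, 1, 15)


def run_audit(records=SAMPLE_RECORDS, purge_log=SAMPLE_PURGE_LOG, today=AUDIT_DATE):
    """Return both findings so a scheduler or test can act on them."""
    return {
        "overdue": overdue(records, today),
        "purge_gaps": purge_gaps(purge_log, today, max_gap_days=45),
    }


if __name__ == "__main__":
    report = run_audit()
    for rid, why in report["overdue"]:
        print(f"{rid}: {why}")
    for start, end in report["purge_gaps"]:
        print(f"no purge between {start} and {end} ({(end - start).days} days)")
```

Run on the sample data, the audit flags r1 and r3 as past retention, r4 as belonging to a category nobody wrote a rule for, and a nine-month stretch in 2006 with no purge run at all. The point of the gap check is that it is driven by the purge job's own log, so a job that was disabled or failing shows up even when nobody looked at the data itself.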
Encryption over the LAN
2007-03-29 18:53:00 I had the opportunity to sit in on a presentation given by Mark Carboni of Utimaco discussing their product LanCrypt. I have to say I was very impressed by the functionality of the product and the thought given to its design. The product is basically a way to centrally administer the encryption of shared documents. LanCrypt allows multiple levels of administration to define various sets of policies and apply them to different users so that they are only able to access the documents that they should have access to on the network. All of it is done via the groups already in your LDAP/Active Directory/NDS infrastructure. I found the product's ability to scale between very granular access and global rules to be incredibly intuitive. Additionally, key management is a snap (a basic X.509 cert that can be saved on any kind of token), and its ability to work even while the backend database is offline is a big plus. They also allow for split-authentication (or what Mark call...
A few random notes from today...
2007-03-29 05:33:00 First, for all of the true geeks out there, you can find some sexy geek machines in an article at Computerworld. For those who think that carrying printed data is a safe option, you should check out what this poor sucker is going through... Here is an article that is just crazy talk. The majority of people don't encrypt their e-mails? I just can't believe it! Man, where can I get some money to do studies like this... This is an article that points out that VoIP is insecure. I love working in an industry that creates a technology that lacks proper security and then sells the same customer security for that product. Genius! There are a couple more tasty morsels, but I want to delve into them a little deeper tomorrow. Enjoy! Michael Mongold
NAC and Cheese for breakfast...
2007-03-28 18:11:00 There is an "interesting" article concerning how NAC products are "impossible to manage" on Computerworld's website today. I happen to like the concept of NAC and have seen a number of manufacturers' products work well in a number of environments. I have also seen it fail miserably during the very, very early days of NAC, but that seems to have gone away as the products have matured. Mark Bouchard, a consultant speaking at a Computerworld breakfast covered in the article, re-labeled NAC "Network Access Confusion". HA HA! Well, I may disagree with Mr. Bouchard's analysis of NAC, but at least he has a singular wit about him. And I would agree that there are a number of individuals who are confused about Network Access Control, and apparently Computerworld found a few of them to speak at this breakfast. Of course there are the obligatory numbers that come from somewhere and show NAC vendor revenue increasing from $323 million in 2005 to $3.9 billion in 2008. That is a lot of money and one that ...
Send me my password...
2007-03-27 20:42:00 Let me know if this sounds familiar: You are visiting a website that requires you to create a profile in order to gain access to the site. So you put in your name, perhaps an address, an e-mail address, a username, and a password. Everything is great, you gain access to the website, you buy the sock monkey slippers you were dying for, whatever. Then you check your e-mail and BAM! There is an e-mail from the website you just signed up on, letting you know your username AND password that you just entered on their website. Holy credentials, Batman! This is such a poor policy, and one that makes me cringe to think who is running security at these organizations. I know that they mean well and just want to make sure you have your password so you don't forget it, but it's really not doing you a favor. A password that is sent in a non-encrypted e-mail should be only one thing: temporary. If anyone thinks that what is in their e-mail is secure, that person needs only to Google for "ema...
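The post's rule, that anything sent by e-mail must be temporary, is usually implemented by never mailing the password at all: the site mails a random, single-use token with a short lifetime, stores only a hash of it, and lets the holder set a new password once. The module below is an added example, not code from the blog or from any site it mentions; the in-memory stores, the 15-minute lifetime, the PBKDF2 work factor and the example.invalid link are assumptions made so it runs offline.

```python
"""Password reset with a time-limited, single-use token.

Added illustration for the post above; it is not code from the blog.
The in-memory stores, the 15-minute lifetime, the PBKDF2 work factor and
the link format are assumptions made so the module runs offline.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a mailed reset link lives 15 minutes
PBKDF2_ROUNDS = 200_000       # assumed work factor for stored password hashes


def reset_email_body(token: str) -> str:
    """What goes in the mail: a link carrying the token, never the password."""
    return f"To set a new password, open https://example.invalid/reset?t={token}"  # assumed URL


class ResetTokenStore:
    """Pending reset tokens, stored only as SHA-256 digests.

    A leaked copy of this table is useless on its own: the digest cannot be
    turned back into the token the link carries, and each entry expires and is
    consumed on first use, unlike a plaintext password sitting in a mailbox."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._pending[self._digest(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, username: str) -> bool:
        """Consume the token. Any attempt, successful or not, removes it,
        so a token can be tried exactly once."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(owner.encode(), username.encode())


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complete_reset(store, users, token, username, new_password) -> bool:
    """Set a new password only if the token is valid for this user."""
    if not store.redeem(token, username):
        return False
    salt = secrets.token_bytes(16)
    users[username] = (salt, _hash_password(new_password, salt))
    return True


def verify_password(users, username, password) -> bool:
    record = users.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


if __name__ == "__main__":
    users = {}
    store = ResetTokenStore()
    token = store.issue("alice")
    print(reset_email_body(token))
    assert complete_reset(store, users, token, "alice", "sock-monkey-slippers")
    assert not complete_reset(store, users, token, "alice", "again")   # single use
    assert verify_password(users, "alice", "sock-monkey-slippers")
```

The design choice worth noting is that the server never stores anything it could mail back: the password is kept only as a salted PBKDF2 hash, and the reset token only as a digest. If the mail is read by someone else later, the token has either expired or already been used, which is the "temporary" property the post asks for.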
NAC Defense
2007-03-26 18:00:00 With any new product technology that is introduced into an industry, there will be evangelists and naysayers, highs and lows. Network Access Control is no different. I think what I find most interesting is the amount of buzz that has been generated over the last couple of years for the technology. I have read some articles that equate NAC to a product in search of a problem. Apparently, they are not speaking to the customers I have come in contact with. I typically interact with customers that are pursuing data encryption, but when I segue over to Network Access Control, they inevitably become very interested in the technology. And why wouldn't they be? If a product can help ensure that devices connecting to your network are compliant with the security policies you have set in place, that seems like a good thing. Not to oversimplify things here, but companies are being hammered to show due diligence when it comes to their efforts towards technology security. This product ...
What a tangled web we weave…
2007-03-23 18:02:00 What a tangled web we weave… I imagine that most technology security readers are aware that Oracle has sued SAP for acts of industrial espionage that represent "theft on a grand scale." By using the credentials of Oracle's customers and generating SAP's own credentials on Oracle's website, SAP was allegedly involved in some blatantly subversive activity. Now I do not want to sentence SAP before they have responded; that is not proper. But I do want to point out that it is not a stretch to think that a large legitimate company would involve itself in an illegal activity to further its success. Oracle should be aware of this, considering it was sued by J.D. Edwards in 2003 to the tune of $1.7 billion for wrongful conduct and unfair business practices. The fact that SAP has within its organization the Apollo Group, a self-professed "Attack Oracle" group designed to combat Oracle, does not bode well for SAP's defense. In the past year we have seen...
This Is Harder Than I Thought...
2007-03-22 19:54:00 Within the past couple of weeks, I have come across information indicating that, for some organizations sold on the value of certain hard drive encryption technologies, those technologies are more problematic than they are worth. I am not going to mention them by name, but there are two data encryption software companies that are in the process of being booted, or are already OUT, of deals that were already signed, due to the difficulty in deploying them. Now, it is important to note that encrypting a hard drive can be an invasive process that requires a number of resources and some time in order to deploy properly. And that is if it is performed correctly. Mistakes in the testing phase, misrepresentation by the sales monkeys, and over-expectations by the customer can make an installation even more complicated. Nothing too significantly different from any enterprise software deployment, right? Well, not exactly. See, hard drive encryption is a rather stressful event for a drive to endure. It touches...
Data Incontinence Syndrome
2007-03-21 16:18:00 I have to start by saying I am not a huge fan of the term "Data Leakage Prevention". Sorry, McAfee - I know that you can get some easy name recognition with a number of TV manufacturers promoting DLP (how they are promoting data leakage I'll never know). (wait for it) Ok, I kid, I kid. Plus, we know that humans can only remember three letters at a time, and if we were to go beyond that mental boundary we would immediately spin off into the abyss, never to return again. So we have DLP, but some manufacturers out there like Information Leakage Detection and Information Leakage Protection. Noooooooo! Not another IDS/IPS mish-mash! ILD/ILP makes DLP look like a linguistic paradise. However, the real crux of the issue for me is the middle word in all of this: leakage. I am sorry, but when I see that word I have an association in my brain with Depends undergarments and incontinence issues. This is not really what I want to envision when I'm plying away at work. P...
Chikushou!!! Eight Million Pieces of Data Part II
2007-03-20 17:09:00 So the real hit here is the fact that the data was allowed to be copied onto removable media. I have discussed this problem with customers in the health care industry who are scared that this is going to happen to their patient/customer records. Organizations are unwittingly ordering desktops and laptops that have RW functionality. Yikes! You can fit A LOT of patient records within the confines of a 650 MB disc. Even a 1.44 MB disk can hold a huge amount of information in text, database, or spreadsheet format. I think back to some of the contracts that I have worked on and the data that I have had access to, AND the lack of security that could have allowed me to just walk out of an organization with some incredibly painful data. I would say that it is amazing the amount of trust that organizations put in their employees, consultants, contractors, and vendors, but the truth is that it is not trust, it is naivety. There is software that is available today that could help preven...
Chikushou!!! Eight Million Pieces of Data
2007-03-20 04:40:00 Today, Dai Nippon Printing reported that over eight million pieces of data (8,637,405 to be exact) were stolen by a former subcontractor last July. Ouch. I did get a really good chuckle, though, considering this article that was released a few weeks ago showing how "Dai Nippon Printing Develops Security Software Against Illegal Access". I don't think that's going to be enough to spin the bad out of this bungle. So allegedly this rascal copied data to optical and magnetic media, then sold parts of the data to a third party. Kind of a worst-case scenario. Now the question is, whose heads are going to roll? Once actual monetary compensation is discussed, this is going to be very unpleasant for a number of people. I imagine it would be a good time to be selling data security software in Japan. As for their current CSO, how do you say "Do you want fries with that?" in Japanese?