Security News

The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.

What’s going on?

“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?…

Click to Download/Listen (07:03)

Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC’s resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.

Last week I made a flying visit to NYC to appear on a panel at Interop with John Pironti of Getronics, Khalid Kark of Forrester, Jennifer Mack of the PCI Standards Council and Jim Routh of DTCC. The subject was "Security By Compliance – A Discussion of Information Risk Management’s Greatest Challenge".

As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)…

The numbers behind Google’s processing are staggering. Indexing over one trillion URLs, the Internet search giant reported in January that it processes 20 Petabytes of data per day.

Turns out a Petabyte is 1000 Terbytes. So Google processes over 20,000 Terabytes of data per day. Supporting all of this impossibly massive data crunching is a huge network of proprietary servers and custom made storage. It’s the mythical Google grid.

Google conceals the exact nature of the grid; it’s one of their trade secrets.

So, what if I told you Google is abandoning its mythical, proprietary, custom-made processing and storage grid, and is moving to an off-the-shelf third party processing platform?

Any boffin would have choked on this scoop.

OK, relax. Google isn’t ditching its proprietary grid. But its eCrime equivalent is certainly doing exactly that.

Click to Download/Listen (06:29)

Paul Joyal welcomes back Linda Lynch, RSA® Conference Europe Manager, to talk about the session highlights for the upcoming conference from October 27-29. The early bird registration deadline is fast approaching on September 26. Learn more or register today: www.rsaconference.com/2008/europe.

Identity Assurance was a hot topic at DigitalIDWorld this year, but as with many terms (such as policy or governance), it means different things to different people.According to the Liberty Alliance Project, “Identity” is “A unique name for single person” [sic] and “Assurance level” is “A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.” The Identity Assurance Expert Group (IAEG)’s goal is to “provide public and private sector organizations with a uniform means of relying on digital credentials…

What a week it was in the financial markets! With Lehman Brothers filing for bankruptcy, and Barclays subsequently buying up some of the assets; with Merrill Lynch finding a safe harbour at Bank Of America; and then, closer to home (for me at least) the merger of two of the biggest UK retail banks, HBOS and LloydsTSB.

During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit….

I’ve recently been looking at the implications of the second phase of the EU Data Retention Directive which will shortly be coming into force: as well as requiring telcos to keep call logs of who we called and when, ISPs will also now be required to keep logs of when we logged on and from where. Let’s leave the debate on whether all this logging is an invasion of our privacy or not – and whether that compromise of our personal freedom is justified in the global war on terror – for another time. For now, let’s just have a think about all that log data sitting around, waiting to be called upon…

Last week I was at a conference where security folks get together and vent their spleens about the problems they’re facing. On day one, us vendors weren’t allowed near the place, but on day two we got to pitch our products to potential buyers, and they got to shoot arrows at us. The highlight of the day for me, though, was the roundtable discussion on log management and SIEM.

Different people in the room talked about some of their experiences with log management and SIEM – some were very positive, others not so much. Either way, though, what struck me was the disparity between what people wanted to do with their SIEM products, and what they were actually managing to do…

Compliance, Compliance, Compliance.  It’s the word that’s on everybody’s lips in the security industry these days.   Companies of all shapes & sizes are spending big bucks to ensure compliance, but what are they trying to be compliant to?  Regulatory issues, legal issues, internal policies & procedures or all of the above???    Unfortunately, trying to be compliant in any of these areas brings challenges but there are some ways to make it a little easier…

Click to Download/Listen (05:48)

RSA’s reseller community is part of RSA SecurWorld program. In order to help these channel partners become better trained in our solutions and products, RSA host several conferences throughout the year. Listen in to find out how your reseller works hard to become your trusted advisor for IT security.

As part of my various duties here at RSA, I get the privilege of speaking with customers on a regular basis about how they can implement an Information Risk Management strategy. One of the most frequently asked questions that follow this discussion is: “how does this process change when I start to virtualize my environment?” So in this guest blog post, I thought I’d answer this question and talk a little about RSA’s collaboration with VMware for securing their virtual infrastructure solutions.

Before we get to security implications, we should start with a basic discussion of what virtualization does to the overall information infrastructure…

I’ve just attended a PCI special interest group meeting for the payments community in Europe, run by one of the key trade associations in that industry over here, Vendorcom. It was an interesting session with a number of different presentations from various vendors, QSAs and a special guest, the Head of IS Governance and Security from one of the UK’s top five retailers on their path to PCI compliance…

Last week I did a podcast with Glenn Williamson of Canadian MSSP Cyberclix. I put forward what I thought a SOC ought to look like, and then Glenn talked about some
of the things he and his team were doing with RSA enVision in his SOC.

We’ve had some good feedback on the event, and if anyone missed it, it’s available here.

What’s New with PCI

Speaking of Security co-host, Paul Joyal, discusses the latest developments in the Payment Card Industry data security standards with Brad Davenport, Compliance and Solutions Marketing Manager at RSA.