Traveling Safely With a Laptop

by Karl Fox on April 9, 2009

Carrying a laptop has always meant a bit of risk. If you’re like me, you watch your bag like a hawk when you’re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.

It doesn’t have to be that way.

There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place. Implement them all and you can come close to eliminating the possibility of a data breach. The following steps are organized by the threat they mitigate.

Are You Safe? How Do You Know?

by Karl Fox on November 8, 2006

When I was very young, I had a recurring nightmare about a giant. It was huge, terrifying and very, very real. In the last moment of the dream I would look out the window and see him right in front of our house, then I’d wake up shaking and in a cold sweat.

Whenever I asked my father, he assured me that we were safe, as any good father would. My dad was a doctor, a Lieutenant in the Korean War, surviving a shrapnel hit in the back from a mortar round. He is also very smart and shrewd, having made more money from investing than he ever did as a doctor. So when he told me I was safe, I believed him. Kids need to hear that they are safe. It was not until I was an adult with children of my own, though, that I understood that when he said I was safe, he was able to back it up.

All I know is just what I read in the papers, and that’s an alibi for my ignorance. 
           — Will Rogers

There it is. Front page. Headline. Someone else has now achieved his or her 15 minutes of fame that will unfortunately become a career-defining moment. And not in a good way. Who has not read about the latest case of identity theft in the papers and wondered what really happened? Every article starts the same way: a bold headline that grabs the reader’s attention, the exaggerated surprise by those charged with safeguarding the identities that were stolen, the claims that security was and continues to be a high priority, and the all-important expression of dismay and disbelief at how such an incident could possibly have occurred. Of course, investigations are being conducted, and it will take some time before the full extent of the damage is known, not to mention the cause.

This organization is now in a serious public relations quagmire. Their hired PR guns weigh in next, firing phrases like “compromised information” in place of the more condemning “stolen customer identities”. Updates will be issued, still with no real information as to how the breach actually occurred or who was really responsible, since after all, that is confidential information that could disrupt the ongoing investigation. And you’ll never see a follow-up that doesn’t contain the assurance that “every effort is always made to protect customer (or alumni or patient) information.”

A Day in the Life of a Hacker

Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get his morning “Americano” coffee until he checked on the state of his “import/export” business. Sure enough, his e-mail contained an anonymous order for up to 250,000 “dolls” and an additional order for as many “cribs” as he could obtain.

Yevgeny had spent the last several days improving his software to assure a targeted, automated, consistent flow of inventory that would have a much lower percentage of “damage” as he euphemistically called it. He had developed quite a reputation for delivering reliable goods to buyers who had customers waiting to fully exploit what he sold. Yevgeny always chuckled at the use of dolls and cribs as descriptions of compromised user accounts and servers. It made him feel like the 007 that he had seen in American movies. It certainly didn’t hurt with his friends who viewed him as a very worldly, successful man. Why, this month he was on pace to make $600, three times the income of the average Bulgarian. With his new scripts, he would not only double his income, but he would begin to initiate his plan to advertise for some “entrepreneurial software engineers” to enlarge his one-man shop. Within a year his dream of a 1600 square foot, palatial luxury apartment in the Lozenets district would be realized, making him neighbors with American diplomats and foreign business executives. It would be a nice change from his 350 square foot apartment.

Online Attacks are in the News

You’ve read the articles—my favorite is the one about the business owner who was logged on to his corporate online brokerage account when he noticed the balance suddenly change. While he watched, somebody systematically wired all his company’s funds to a number of offshore banks. The brokerage washed their hands of the whole affair, pointing to their standard disclaimer signed by each client, which states that keeping passwords secure is the customer’s responsibility.

Well, they’re right—it is certainly the customer’s responsibility to practice good password hygiene. But just as the owner of an unfenced swimming pool is responsible for injuries sustained by youthful trespassers under “attractive nuisance” laws, surely the brokerage firm bears some responsibility for failing to design adequate security into their systems.