Many IT security folks have been following the case of Patco Construction Company, Inc. vs. People's United Bank in the United States District Court of Maine. As I understand the current state of the case, a magistrate judge has issued a recommended ruling in the case, favoring the bank. But the judge has not yet issued a final ruling.
The heart of the case centers around the authentication methods used to process online transactions from the customers. Many news outlets have over-simplified the ruling saying that the magistrate... [More]
Is Apple's screening process a reasonable control against malware on an iPad? Was hanging out with some friends at The Open Eye, Carrboro's legendary coffee shop, the other day and my friend, J., was telling me about the latest app he had for sale at the iPhone store. I tell ya, he's going to make a pile of passive income there. Anyway, our conversation turned to whether he needed to incorporate or whether it's OK to register his apps as an individual and treat his side business as a sole proprietorship. We pointed out to him that the main... [More]
Greetings, This blog is being archived and I'll now be blogging at the IT Security Zone. You can read the blog online or follow the new blog by email, by RSS, by Twitter, or by Facebook. Thanks, Calvin Powers
The mobile device security folks at IBM have released a sobering infographic about the rise of mobile security problems. It's interesting to me how the mobile security problems are being compounded by the "bring your own device" trends where people use their personal devices for business use. I also like the common sense strategy at the end for managing mobile security risks. All six elements of the mobile device security strategy make sense to me. One area that's missing is virtualization/sandboxing for mobile devices to strongly... [More]
Symantec got hacked, possibly by a member of the hacker group Anonymous. Every IT news outlet on the planet is reporting on it. My favorite write up is "Symantec Tells Customers to Pull the Plug on pcAnywhere Following Code Theft" in Tech News World. That story does the best job describing the implications for businesses. But if you are interested in the nature of the vulnerability that the hack exposed, it's best to go to this white paper published by Symantec. This seems to be the heart of the description of the... [More]
A recent report at the bankinfosecurity.com web site titled “HSBC ATM Skimmer Arrested” notes a statement by the US Attorney’s Office and the U.S. Secret Service announcing that New York law enforcement officials have arrested and charged a Romanian man for the recent spate of ATM skimming attacks in the New York area.
This latest series of skimming attacks is just one of several high profile ATM skimming attacks across the country lately. It seems to be a favorite of organized criminals and it makes sense because it requires... [More]
One of the hats I wear at IBM is as one of the members of the IBM Secure Engineering team. You can read about some of our work on the IBM Secure Engineering Practices page. Our team has two main focus areas. One area is our security incident response process that IBM uses to manage the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. The other area is to foster secure engineering practices in the company. Our work efforts in this area are described in the IBM Secure Engineering... [More]
Chris Larsen, head of malware research for Blue Coat Systems, talks about some of the trends in end-user malware that his group has been seeing recently. We talk about search engine poisoning, malvertising, the dangers of abandoned web properties, and why image searches are currently one of the most dangerous things end users can do on the net.
Blue Coat Security Blog
Blue Coat Malware Trend Report
IT GRaCkle #5 Chris Larsen on Web Malware Trends (MP3)
Visit www.itgrackle.com for more episodes of the podcast and to sign up for the free... [More]
I just ran across a very good video from IBM which explains the "GRC" market segment and introduces the IBM OpenPages product. It seems to be HTML5 based and I can't figure out how to embed it. But I highly recommend following the link and watching it. The video doesn't directly address the role that IT contributes to the GRC space. It's largely focused on the financial and ERM aspects of risk management. But it's easy to see how IT contributes to the aggregation of operational risk. Offerings like Tivoli Asset Management for IT... [More]
The Open Group has published a white paper describing the integration between The Open Group Architecture Framework (TOGAF) and the Sherwood Applied Business Security Architecture (SABSA). Both of these standards are large, mature standards for their domains and it’s no small challenge to bring these two together. While the Open Group has fostered several security standards in the past, it doesn’t seem to me that it has ever taken the comprehensive look at security architecture to the same degree that SABSA has. So the... [More]
In September, the Office of the Information and Privacy Commissioner in Ontario, Canada released a case study report titled “Privacy by Design: From Policy to Practice” which describes an overview of the three pillars of IBM’s internal privacy management practices. As stated in the report: “One of the objectives of this case study was to inspire the reader to adapt one or more of the ideas used at IBM for their own PbD program.”
The IBM case study dives into the three primary initiatives of IBM’s Privacy program that... [More]
Wired Magazine has been working an exclusive story over the past few days about a key logger virus affecting the network the US Air Force uses to control its drone program. Citing a “source familiar with the network infection,” it’s unknown whether the virus is benign or specifically targeted at those Air Force systems. The same source reported that the Air Force’s “Host-Based Security System” was the component that originally detected the virus and that the key logger was found both on classified and unclassified systems, raising at... [More]
On this episode of the IT Grackle Podcast, Jonathan Barney, security architect for the IBM internal Certificate Authority, and I discuss the details of how the DigiNotar breach was discovered, the relevant certificate management protocols involved and summarize the lessons learned for the future of certificate management practices. We also walk through the key findings of the FOX IT interim report on security vulnerabilities that apparently led to the breach.
FOX IT's interim report on the DigiNotar
Presentation on IBM's internal... [More]
The big news this week in my world was Tuesday's announcement that IBM is creating a separate division in IBM devoted to the security market place. It will be called IBM Security Systems. I love the name. First of all it's a TLA and it's a macronym with a hint of “backronym” harkening back to our acquisition of Internet Security Systems. So the name's got geek cred all over it.
But all joking aside, this is a great move for IBM. Over the past few years we've seen security move from the “confidentiality, integrity, and... [More]
Tom Cross talks about the Secure Open Wireless Access prototype.
Click the player above or download here.
-- Introductions
My guest is Tom Cross, Manager of X-Force Strategy and Threat Intelligence. Visit the Frequency X Blog to read more about the work his group does. X-Force Trend and Risk Report
-- Announcement for Black Hat 2011
Presented a paper, presentation, and prototype code on Linux for a new wireless access protocol you are calling Secure Open Wireless Access (SOWA). Frequency X Blog post with links to the paper,... [More]