Schneier on Security: Terms of Service as a Security Threat

Bruce Schneier is a cybersecurity evangelist who is on his game. I’ve read his book Secrets and Lies: Digital Security in a Networked World and I highly recommend it. Keeping current on his blog and his writing should be a mandatory tool in your toolkit to help with the decision-making process.

Below is a link to his post on getting trapped by terms of service. What are you actually agreeing to when you use a tool for personal or actual business work?

https://www.schneier.com/blog/archives/2012/12/terms_of_servic.html

Posted in Security Blog | Tagged , , , , | Comments Off on Schneier on Security: Terms of Service as a Security Threat

Pablos Holman: Hacking Hardware to Kill Malaria

Well, among other things. This video is about hacking the future.


Pablos Holman: Hacking RFID Credit Cards

RFID credit cards… After watching this, decide for yourself whether you want, or can get, something more secure.


Information Security Awareness and Training Program

NIST Special Publication 800-50 is the National Institute of Standards and Technology’s guide on Building an Information Technology Security Awareness and Training Program.

It can be found here: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Section 4.1.1 of this document is great for some ideas on topics.

Section 5.2 has some good techniques for delivering material.


KeyNotes: RSA Conference 2014


Dr. Susan Loveland: How to Hack a Website

Here are the tools mentioned in the video, such as Burp Suite:

P.S. Top hats are cool.

http://ha.ckers.org/xss.html
https://www.carmelowalsh.com/2014/02/drone-hacking-skyjack/
https://www.carmelowalsh.com/2014/02/burp-suite/


Curiosity about RFID

This video makes me want to learn more about RFID. (Update: I posted a video about Pablos Holman, who knows exactly why. The post is here: https://www.carmelowalsh.com/2014/03/pablos-holman-hacking-rfid-credit-cards/)

Perhaps it is a case of security through obscurity? You might be able to rig a badge reader bought off eBay to work with an Arduino, as this article suggests.


Hacking: Movies vs. Real World



James Lyne on Warbiking San Francisco


What’s the Risk?

When asked “what’s the risk?”, I find great pleasure in flexing my ability to break down potential loss using either qualitative or quantitative methods.

The FAIR quantitative risk model was taught to me by Jack Jones, its creator. I also feel I have a strong command of the ISRA methodology.

When using a qualitative methodology, a quick impromptu method is to write down the Basel II operational risk categories and assign each a high/medium/low ranking.

Let’s say that a single person would like to file an exception to use Dropbox. Let’s list the Basel II categories and comment under each.

  1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
    • Can the user use this to commit fraud? Yes. Medium loss.
  2. External Fraud – theft of information, hacking damage, third-party theft and forgery
    • Can Dropbox be subject to social engineering by external hackers? Yes. Medium loss.
  3. Employment Practices and Workplace Safety – discrimination, workers’ compensation, employee health and safety
    • Could granting the exception be seen as discriminatory in employment practices? That depends on how sensitive other workers are and on the relationship between the person requesting the exception and the person granting it. Low to Medium loss.
  4. Clients, Products, & Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
    • Business practice can definitely be questioned when using an external service instead of one that internal IT can provide, especially if IT already provides it and has paid for it.
  5. Damage to Physical Assets – natural disasters, terrorism, vandalism
    • Does not apply.
  6. Business Disruption & Systems Failures – utility disruptions, software failures, hardware failures
    • External vendors that we don’t have a contract with may not have an acceptable SLA; this can disrupt business.
  7. Execution, Delivery, & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
    • Does not apply.

Overall, the average of the answers in the qualitative assessment above equals a moderate/medium loss.

Usually, if there is a high or critical loss, those really pushing for that particular solution will want a quantitative risk analysis.
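To make the averaging step above repeatable, here is a small scorer for the Basel II walkthrough. This is an added example, not code from the original post; the numeric scale (Low=1, Medium=2, High=3), the rating strings and the Medium rating assumed for category 4 (which the post does not rate explicitly) are this example's own assumptions.

```python
# Added example (not from the original post): score a qualitative Basel II
# walkthrough like the Dropbox exception above.  The numeric scale, the
# rating strings and the category-4 rating are assumptions of this example.
from statistics import mean

# Qualitative scale assumed for this example.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


def rating_value(rating):
    """Convert 'Medium' or a range like 'Low to Medium' to a number.
    Returns None for categories that do not apply, so they are excluded."""
    if rating in (None, "Does not apply", "N/A"):
        return None
    parts = [p.strip() for p in rating.split(" to ")]
    return mean(SCALE[p] for p in parts)


def label(value):
    """Map an averaged score back to the nearest qualitative label."""
    return min(SCALE, key=lambda name: abs(SCALE[name] - value))


def assess(ratings):
    """Average the applicable category ratings; return (score, label)."""
    values = [v for v in map(rating_value, ratings.values()) if v is not None]
    if not values:
        raise ValueError("no applicable categories to assess")
    score = mean(values)
    return score, label(score)


# Constructed input mirroring the Dropbox exception walkthrough above.
DROPBOX_EXCEPTION = {
    "Internal Fraud": "Medium",
    "External Fraud": "Medium",
    "Employment Practices and Workplace Safety": "Low to Medium",
    "Clients, Products, & Business Practice": "Medium",  # assumed rating
    "Damage to Physical Assets": "Does not apply",
    "Business Disruption & Systems Failures": "Medium",
    "Execution, Delivery, & Process Management": "Does not apply",
}

if __name__ == "__main__":
    score, overall = assess(DROPBOX_EXCEPTION)
    print(f"average score {score:.2f} -> {overall} loss")
```

Categories marked as not applying are left out of the average rather than counted as zero, which is what keeps the result at Medium rather than dragging it toward Low.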
