I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write-up on the Heartland Breach and impact. From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they [...]
Filed under: Data Analysis, metrics, Reports and Data by alex on Monday, December 21, 2009 | Social tagging: data breach cost > incident metrics > metrics
The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.
Filed under: Reports and Data by Russell on Wednesday, December 9, 2009 | Social tagging: data breach > data breach cost > DBIR
(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to. Do go read their blog post, I’ll wait here. Back? Great. Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates [...]
Filed under: metrics, Reports and Data, Uncategorized by alex on Monday, December 7, 2009 | Social tagging: data > demographics > fraud > metrics > reports > statistics
Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.” The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from [...]
Filed under: Doing it Differently, Reports and Data, Uncategorized by Chandler on Saturday, December 5, 2009
I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million [...]
Filed under: Data Analysis, metrics, Reports and Data by David Mortman on Tuesday, December 1, 2009
Cormac Herley at Microsoft Research has done us all a favor and released a paper, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users,” which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore [...]
Filed under: Data Analysis, metrics, Reports and Data by Chandler on Thursday, November 19, 2009
According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), [...]
Filed under: Reports and Data by adam on Wednesday, November 18, 2009
In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results [...]
Filed under: Reports and Data by adam on Tuesday, November 17, 2009