[SecurityRatty] tag: till

Silent Break-Ins: How Technology Compromises Physical Security Too

Tue, 11 Nov 2008 12:17:53 +0000

I could have used this technique last night — I got home to my apartment in Oakland at 11:30, only to realize I’d left my keys in Sacramento. Two hours later a locksmith finally came and charged me $100 to let me in my own apartment. Expensive? Maybe, but comparable to other services, and compared to the havoc that a lock-breaker could wreak if he was trying to use his talents for crime rather than service, it’s a small price.

It’s kind of frightening to see how quickly a skilled lock-picker can jimmy a lock and get in. But new technology makes it even simpler — apparently all you need is a good telephoto lens to break in to someone’s house — just wait till they leave their keys out on a table, snap a picture, and take it to an unethical key maker, and wha-la, a perfect replica:

“We built our key duplication software system to show people that their keys are not inherently secret,” said Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project. “Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.”

Professor Savage presents this work on October 30 at ACM’s Conference on Communications and Computer Security (CCS) 2008, one of the premier academic computer security conferences.

Read the full article here.

Is an incorrectly implemented security program better than a non-existent one ?

Wed, 03 Sep 2008 12:02:00 +0000

Think carefully before you answer that one. A large majority of you would be inclined to give a resounding 'yes' - but I really want you to think carefully on this one. Think long term. Think about implementation hurdles, think about project documentation.

The answer to this IMHO is a big "DEPENDS".

To explain:

Imagine you're working in a company that has no security controls in place - and is in desperate need of getting a security program impemented. They hire a new CISO to make sure their physical and logical controls are in place, network and applications are secured appropriately and their incident management and forensics capabilities are upto date. At this point the CISO clearly knows that he needs to create and implement a number of programs and hires a bunch of people to perform and manage a series of tasks. Till this point, things are going smoothly. Everyone understands the need, and is working towards meeting a common goal. The program is not in place yet, but people know and understand the urgency need to act immediately. The CISO's risk radar has a list of projects ranked by priority and everone begins to tackle them.

Now consider the scenario when certain security programs are not done right - say, a few of the high risk applications are not considered in the initial risk matrix or there are certain business units that have been granted an 'exception'to the process that is being put in place, with the most common excuses of:

1. This is a pilot
2. We will get to this in the next phase
3. The group has a number of high profile clients who don't want it implemented right now
4. <plug your own excuse here>

Well - initially, everyone is completely aware that they have more issues to remediate and and have honest intentions to fix that too, once the pilot and
PoC is well established and in place. But then things change. Leaders change. Managers change. People's roles change. What doesn't, is the documentation regarding the project. But documents usually tend to highlight what the project does, not what it doesn't do. Nobody seems to remember there are additional tasks that need to get completed. People take a quick look at documents detailing what was done in the program and begin to assume that it is well established, completely ignoring the fact that a very important Phase 2 still needs to be in place. A false sense of security is now well in place... and life goes on.

Till you get hacked.

..and then a forensics team attempts to determine the cause. A new CISO comes in, reviews the existing program, decides it is too complex and structureless and decides to do away with it entirely and create a new security program.. and the cycle continues.

The moral of the story: When you have no security program - be very careful while diligently working to get one in place

But when you have a partial one, be extremely careful and don't leave any loose ends while getting it completely and correctly put in place.

On a lighter note - here's an email I received from a school I was doing some courses from ..

Beautiful !! Here is your PIN (username). But we will not give you your password over email. I was sooo impressed when I got that! - Could it be that schools and universities are finally waking up and trying to understand security ? No more SSNs as IDs ? No more default 'password' passwords ? This was great. I followed the procedure outlined to receive a new password - it asked for my name, DOB and email.. and then .. I receive this:

For those who cannot see the image:

the email says:

blah blah blah blah blah blah..
your PIN:
your password: password1234

blah blah blah blah blah blah

Software to Facilitate Retail Tax Fraud

Tue, 02 Sep 2008 08:24:22 +0000

Interesting:

Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.
[...]

Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register's final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.

[...]

The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day's tally, pops up on the register's screen.

In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.

Data breaches: Technology, process or management?

Mon, 28 Jul 2008 12:32:00 +0000

Being part of a technology company, one tends to think of solutions to data breaches as mainly to be solved by technology. Well, with a bit of process thrown in for good measure as well! Did not think much about the important role of management till now...

Just came across an interesting opinion by Jonathan Armstrong, a partner at Eversheds, a law firm. He contends that current best practices of management do not train executives how to respond to crisis - he talks about various types and data breaches is one amongst them.

I tend to agree to a point. However, I also think that it is the type of management and their core values that dictate how such a crisis be addressed. Is management concerned about the customer? Or is management just looking to save face? I can remember the Tylenol crisis and how well J&J handled it.

While I agree with Jonathan that the frequency of incidents have gone up and management needs to be trained better, I also believe if executives have the best interests of their constituents in mind, things will work out okay...

Ive got a better idea Arnold!

Thu, 24 Jul 2008 15:10:58 +0000

Why dont you and the rest of our corrupt officials start working for nothing?

clipped from www.latimes.com

Schwarzenegger seeks to slash state workers’ pay till budget passes

SACRAMENTO — –
Gov. Arnold Schwarzenegger has prepared an order to cut the pay of about 200,000 state workers to the federal minimum wage of $6.55 an hour until a budget is signed.

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

Maybe the NAC used car salesman can claim them as a customer too? In NAC quality counts!

Fri, 27 Jun 2008 19:36:27 +0000

Dark Reading had a good article today talking about GuideWorks, the TV Guide/Comcast joint venture's 2 year odyssey with NAC, which finds them finally starting to see some good results. I immediately went to the website of the NAC used car salesman to see if they claimed them as a NAC customer too, but didn't see anything yet. But with those guys you never know.

Seriously though folks, this story is a classic NAC story. GuideWorks had guests and unmanaged users visiting their offices all the time. When they would ask to plug in they were told sorry, wait till you get back to your hotel. Over time this answer became unacceptable and they realized they needed a way to give these people a way to get on the net and get their email while keeping their network secure. This very same need drives many initial NAC deployments.

Like many other NAC customers they wanted something easy, not add major overhead or network changes and easy to administer. Again straight out of the NAC playbook. In the Summer of '06 they began a pilot of the Tipping Point NAC product which is based on the old Roving Planet technology. Now Roving Planet was more of a wireless security company, but near the end they rebranded themselves as NAC and Tipping Point uses that with their IPS devices to enforce. Best of all for GuideWorks the price was sub 10k.

Here is where the other side of NAC comes in. This is what the article says:

While NAC tools are often advertised as plug-and-play, GuideWorks found that the NAC setup required a high level of networking expertise. Fortunately, the Inglewood site had plenty of technical expertise because that’s where many of the company’s developers are stationed. In addition, GuideWorks put one of its front-desk employees in charge of setting up new accounts. But because her technical background was limited, the company had to walk her through a learning curve.

Now the company is planning to deploy the system at its Radnor office, which will be a bit more challenging since there’s less technical expertise there, and that office gets a greater number of visitors. So GuideWorks has been on the search for employees to support the NAC system there. The company expects to have NAC up and running there by the end of the summer.

So 2 years after trial they are rolled out in one office and have to hire employees to support the NAC system at the next office. This was a problem with many of the failed NAC companies over the last few years and I think the problem with this Tipping Point solution. Just providing guest access should not be that hard! Yes the StillSecure Safe Access solution would have been much easier and faster to implement, but to be fair, any of the leading NAC solutions would have been up and running easier as well.

While this article was supposed to serve as reference and case study for the Tipping Point NAC solution, it is far from inspiring. If I were a customer looking into NAC, I don't think this would make run out and look at the Tipping Point solution. Moral of the story is, just because you made a good IPS doesn't mean you have a very good NAC product. When it comes to something like NAC, quality counts and buying a 2nd tier solution can cost you in time to implementation and total cost of ownership.

Your 419 Mail Roundup

Wed, 25 Jun 2008 09:29:29 +0000

Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
Subject:
HELLO DEAR
From:
"abavanagift13 Gazeta.pl"
Date:
Sat, 21 Jun 2008 12:26:24 +0000
BCC:

Hello Dear,

My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:

http://www.rte.ie/news/2000/0418/zimbabwe.html

I am looking for one who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.

During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.

My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.

However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.

After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.

So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.

We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant

All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. Kindly re-confirm to me the followings:

1) Your Full Name:
2) Phone, Fax and Mobile
3) Profession, Age and Marital Status.
4) Nationality

I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.

I will detail you more about the bank immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you

Regards

Blessing/Micheal Abavana

(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).

*********************************************************************************************

Subject:
Lycos Online Lottery Notification
From:
"LHOUTY MOHAMMED HASSANE"
Date:
Sun, 22 Jun 2008 02:42:53 -0000
BCC:

LYCOS LOTTERY ONLINE
8th Floor
1 Stephen Street
London
W1T 1AL

WINNING NOTIFICATION
This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).
You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.
To claim your funds please contact us with the information below.
Name: Dr. George Stevenson
Tel:+447031991681
Email:lycosclaimsdpt@gmail.com

It is mandatory that you send us your full names, address, phone number,
age, sex and occupation to enable us arrange your claim.

Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.

Congratulations from mambers and staff of Lycos
Lhouty Mohammed Hassane.
Lycos Lottery Co-ordinator

(A "Lycos Lottery" and they're using a GMail address? Doh).

*********************************************************************************************

Subject:
Yukos Oil
From:
Mr. Timinskiy Vladimir
Date:
Wed, 25 Jun 2008 5:38:17 -0400
To:

I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...
Regards
Mr. Timinskiy Vladimir

(Short. Sweet. Pointlessly fake).

*******************************************************************************

Subject:
Immediate Release of Your FUND Via ATM CARD
From:
"Mr. Mark Louis"
Date:
Wed, 25 Jun 2008 01:45:09 -0700
To:
undisclosed-recipients:;

SUBJECT: Immediate Release of Your FUND Via ATM CARD

Attention: ATM Card Beneficiary,

I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK
OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any
ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.

We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in
any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;

Contact Person: Dr. Olu James
Office email address: pcfc_nigeria@yahoo.com
Private: +2347084501007
Office:018969906

Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use
to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address
where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.
Mr. Mark Louis.
Executive Governor,

Central Bank of Nigeria {CBN}.

(Ah, the old "Let's lure them in with the magical bank card" trick).

******************************************************************************************

Subject:
CONTACT THE FEDEX COMPANY FOR YOUR FUNDS
From:
"SAMUEL DUNBAR"
Date:
Fri, 20 Jun 2008 12:33:43 +0100
BCC:

Dear Friend,

Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.

However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.

This is their Contact Address;
Attn: Cheif Mr. George Kobra (Director)
Tel: +229-9799 2240
E-mail: fc.bj@sify.com

Send them your contacts information to enable them locate you
immediately they arrived in your country with your package.

This is the information they needed from you.

1. Your full name:.....
2. Your shipping/home address:.....
3. Your tel no #......
4. Your current office tel no #
5. A copy of your passport.

Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.
I wish you and your family Long Life,
Prosperity and Happy 2008.

Thanks and Remain Blessed.

Yours sincerely,
Mr.Samuel Dunbar
(Secretary)

(Honestly, if you contact FedEx they'll give you tons of money....)

****************************************************************************************

That's your lot for another week....

Data security and the "chasm of protection"

Tue, 17 Jun 2008 09:25:00 +0000

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted with the POS application as cards are read in. As this data is required by another application, it has to be first decrypted so this in-store application can read it. It may then encrypt it again as it stores on in-store servers. Now assume you have another application in the data centers that is used for card settlement. Another decrypt-encrypt cycle from the store to the data-center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications and on multiple devices and multiple internal and external networks - each time being decrypted, stored or transfered in the clear till it gets encrypted again. Each time this cycle repeats, there is a weakness that can be exploited - since there is a gap in the consistent protection of data.

Being data-centric however, brings in persistence and consistency in the protection of that data element, thereby removing this "chasm".

Security Briefing: June 17th

Tue, 17 Jun 2008 07:33:11 +0000

Sleep deprivation, caffeine overload and documentation. How long till I start hallucinating? Stay tuned.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Router-hacking Trojans spotted | Web User News
The ’secret’: Banks are freaked out by security | ZDNet
Malware not man blamed in child abuse download case | The Regsiter
Security Bonuses for Vista Programmers | eWeek
PCI DSS: Section 6.6 gets teeth – finally
IM Security’s Three Kings | CSO Online
Victim of its own success | BBC News
Dacre promises new look at rules on hacking by journalists Guardian

Tags: News, Daily Links, Security Blog, Information Security, Security News