Sunday, February 24, 2008

Failures of Disk Encryption

"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.

Even the best technologies have a weak point that must be addressed, and disk encryption is no exception. Its weakness is that the keys exist in some readable form in memory; if an attacker can get to them, then it is game over:

Sunday, February 10, 2008

Social engineering targets jobseekers

Social engineering for profit knows no limits. This time the social engineers (aka hackers) are targeting job seekers by creating a fake web site which is collecting:
- personal data
- CV information
- fees for visa processing (profit motive)

Please find the link to the original site:
- Real Ministry of Labor http://www.mol.gov.ae/
and to the fake site:
- Fake Ministry of Labor http://www.uaeministryoflabour.tk/

The real site and the fake site are mirror copies of each other, as pictured below.
More details about the story can also be found here.

Tuesday, February 05, 2008

Security Issues with social networks

I have been using social networks heavily for the past 3 years; I started with linkedin and can now reach over 7,000,000 persons online. So the power of the technology is really incredible. These are some of the top ones I use:
  • linkedin
  • xing
  • ecademy
  • plaxo
  • youtube
  • slideshare
  • twitter
  • mypodcast
  • lastfm
  • myspace
  • facebook
  • ...
But practical experience with these social networks is raising some important questions (which I will try to address in this year's posts). Some of the main security issues I see are:
  • propagation of malware (virus, trojans, keyloggers)
  • defacement of profile, impact in public image
  • who owns the data? some networks make it easy to get data in but very difficult to get it out (use of images to protect contact information)
  • how to archive and backup this data? who is responsible?
  • how to delete the data permanently if required?
  • predator attacks against minors and kids (parents must learn new ropes)
  • identity theft, impersonation
  • how to maintain so many user IDs (OpenID is trying to address this)
  • how to move data from one site or application to another (OpenSocial is working on this); some users have seen their access blocked after using automated conversion and migration tools
  • how to do investigations, forensics on so many sites to track down criminals effectively
  • how to separate business and personal lives?
  • effects on corporate information
  • leakages
  • effects on corporate productivity
In short: network, do business, have fun, but be careful out there.


Friday, February 01, 2008

2008 Security Priorities

Just finished conducting a poll, with the help of Plaxo, on security priorities for 2008. About 9% of the persons asked replied (183 out of a poll size of approximately 2000 persons).

The top 3 areas of focus are therefore:
- Governance and compliance
- Infrastructure security
- Business Continuity and Disaster Recovery (as some mentioned in the survey comments, the BCP/DRP issue is much bigger than being just part of security; we all agreed on this ...)

So what are your security plans for 2008? Be ready, as this year will be full of events.