what we're reading, week of 1/26

Zero Day… GPU-Accelerated Wi-Fi password cracking goes mainstream
With GPU-accelerated password recovery attacks, Wi-Fi networks are even more vulnerable. Can all this be avoided with user education and strong VPN policies?

From StillSecure, After All These Years… Yearning for the good old days of NAC
Alan states that worm outbreaks are no longer a valid reason for NAC; he believes it has a more relevant mission. And once again, the definition of NAC has changed. Lawrence Oran from Gartner thinks the new definition should include “evaluating the endpoint as it connects to the network, and those already connected, and implementing network access policies based on the state of the endpoint, the threat environment and user identity”.

Washington Post: Security Fix… Obama Administration Outlines Cyber Security Strategy
Brian Krebs outlines the Obama administration’s new cyber security goals. Krebs finds these new goals encouraging and looks forward to the change. Do you think the goals are attainable?

From Endpoint-Security Info… Monster.com data breach disclosed
Another data breach… this time it’s Monster.com. Monster.com released a statement last Friday that it’s aware of the hack and has launched an investigation. Monster advises users to change their...

Data Privacy Day

According to Intel, today is Data Privacy Day. From their website:

Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials and representatives, academics, and students across the country. One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.

Shouldn’t every day be data privacy day, however? Martin McKeay supports the day of observation, because it calls people (especially younger ones) to question their own willingness to keep personal data public:

[…] most people are willing to give up even the illusion of privacy if you offer them a candy bar or a shiny new widget for their desktop. I’ve come to realize that privacy is about the government and corporations keeping their nose out of our business, but we also have a responsibility to monitor what we’re making available for public consumption about ourselves. This is the part of the equation most people forget to think about.

What do you think? Is this observance really necessary? Will the younger Internet users it targets benefit from the education? Is our willingly reduced privacy online actually indicative of a lack of knowledge surrounding privacy, or does it represent an unavoidable and sweeping change in our culture’s thinking about personal...

what we're reading, week of 1/19

From around the Blogosphere… Heartland Payment Systems issued a statement Wednesday that intruders hacked into the computers it used to process 100 million payment card transactions per month for 175,000 merchants. Security experts are saying this hack may be bigger than the 2007 TJX hack. As expected, bloggers are weighing in; we highlighted the best commentary here. Tim Wilson from Dark Reading gives a thorough overview of the Heartland situation, while Adam O’Donnell and Tim Naraine from ZDNet recommend checking past credit card statements just to be safe. Too lazy to read about it? Check out the podcast by Martin McKeay of Network Security Blog. Time well spent. Ironically, Endpoint-Security reported BEFORE Heartland that data breaches were up near 50% in 2008 (mostly due to insider threats). That doesn’t bode well for 2009.

From Security Warrior… Tales From the “Compliance First!” World
Dr. Anton Chuvakin touches upon the PCI DSS compliance issue several times on his blog. In a recent post he stresses the importance of security in addition to compliance. Anton’s advice to readers: ‘if compliance is your first priority, make security your second, and vice versa’.

From Andy IT Guy… Requirements are required
In a previous post Andy discusses some of the reasons security investments fail, and in that post he mentions the mistake of purchasing the wrong technology. Andy recommends defining your requirements prior to making a purchasing decision, since knowing them prevents failures. VPNs are one area that is usually left out of planning cycles; creating ‘work arounds’ with sub-par technology is a...