Network Security

Dramatic Spike in URL Shortening by Scammers

Back in May I wrote "Dirty URL Tricks" about the increasing risk presented by the rise of URL shortening services like Bit.ly and TinyURL, driven largely by short messaging services like Twitter.  I closed the article by predicting that scammers were going to start aggressively exploiting these services as a means of masking their malicious URLs. Judging by the dramatic spike in URL shortening service usage by spammers and phishers the following month, I'd say that the entire scamming community must be reading my blog.  However, since I'm quite in tune with the number of readers I have, and I'm fairly...

Back Online

Took longer than I expected for Comcast to bring my business-class Internet connection into the house, but I'm back online as of tonight. Oh, and for the record, my Chrysler transferred my data at the rate of 230Kb/s.  It would have been faster, but the 98mph speeding ticket I got on the way through Colorado spooked me for the rest of the trip.  I spent the rest of the drive going about 5mph over the speed limit.

Going dark for a few days

The blog will be dark for a few days while I transport my server and accoutrements from Oklahoma to Seattle, and get it set back up. I'll calculate and publish the data transfer rate of my Chrysler 300C upon my arrival (yeah, it's got a Hemi).

Ten Habits of Highly Effective InfoSec Leaders

I have been doing a lot of thinking lately, given the state of the economy and some of the discussion I've had with many of my colleagues.  What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, and the buzzkills that are constantly looking to shut down everyone's chat.  Our role is so much more than that. Too often we paint ourselves into...

InfoSec in the Courts

Some interesting infosec cases have come up in court recently. Last month, the Supreme Court agreed to hear a case challenging the constitutionality of the Sarbanes-Oxley Act of 2002 (aka SOX). More recently, Wired reports that Merrick Bank is suing PCI QSA Savvis for giving Card Systems a passing grade on a PCI audit just 3 months prior to Card Systems getting hacked and ultimately exposing 40 million credit cards to the intruders.  The breach cost Merrick nearly $18M to fend off the resulting fraud, settle claims, and replace compromised cards. While SOX has been a driver of security investments in the years...

Prevention eventually fails. What's your plan?

A recent study conducted by British Telecom claims that 94% of the companies they polled expected to suffer a compromise sometime in 2009. I guess companies are finally acknowledging one of Information Security's most sacred truths:  Prevention eventually fails.  I first heard this truism while reading Richard Bejtlich's fantastic book The Tao of Network Security Monitoring.  In it, he claims that preventive controls are doomed to eventual failure due to two factors: some intruders are smarter than the people securing the systems, and intruders are unpredictable. These sobering facts recently prompted InfoSec pioneer Dan Geer to comment in an interview: [...]the world we...

Dirty URL Tricks

I've preached for years the need for users to scrutinize heavily any URLs in emails they receive, especially in emails from financial institutions.  As applications and operating systems get more and more secure, hackers are increasingly relying on tricking the end users into clicking on a hostile link or otherwise actively enabling the compromise of their own system. Traditionally, one of the mechanisms you can use to determine that an email is a phishing attempt is to scrutinize the link or button the email wants you to click. For instance, you can hover your mouse over this http://www.Visa.com link, and determine pretty...
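The hover-and-compare check described in "Dirty URL Tricks", and the shortener masking noted in "Dramatic Spike in URL Shortening by Scammers", can both be automated over the HTML of a message. The following is an added example (not code from this blog or from any product it mentions): it pulls every anchor out of an HTML body and flags three things a reader would want a second look at: visible text that names one host while the href points at another, an href whose host is a known shortener (so the real destination is hidden), and an href carrying a user@ part in front of the real host. The shortener list, the reason codes and the sample message are all constructed for illustration; the sample uses documentation IP ranges and is not a real phish.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, illustrative list of shortener hosts; extend it for your own mail stream.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Constructed sample message: one benign link followed by three links that use
# the tricks discussed above (IPs are from documentation ranges).
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please <a href="http://www.visa.com/">visit Visa</a> to review your account.</p>
<p>Or go to <a href="http://198.51.100.23/login">http://www.Visa.com</a> now.</p>
<p>Details: <a href="http://bit.ly/3xYz">http://bit.ly/3xYz</a></p>
<p>Also <a href="http://www.visa.com@203.0.113.9/secure">secure login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor
        self.links = []     # completed (href, text) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so visa.com == www.Visa.com."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_in_text(text):
    """Return the host a reader would *think* the link goes to, if the visible
    text itself looks like a URL or a bare domain; otherwise None."""
    t = text.strip()
    if "://" in t:
        return norm_host(urlsplit(t).hostname)
    if re.fullmatch(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?", t):
        return norm_host(t.split("/", 1)[0])
    return None


def audit_links(html):
    """Return [(href, text, [reason codes])] for anchors that deserve a second look.
    Reason codes (assumed names): display-target-mismatch, userinfo-in-url, url-shortener."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        target = norm_host(parts.hostname)   # hostname already strips any user@ part
        reasons = []
        shown = host_in_text(text)
        if shown and shown != target:
            reasons.append("display-target-mismatch")
        if parts.username is not None:        # "http://www.visa.com@203.0.113.9/" style trick
            reasons.append("userinfo-in-url")
        if target in SHORTENER_HOSTS:
            reasons.append("url-shortener")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL):
        print(f"{', '.join(reasons):28} text={text!r} href={href}")
```

A link whose text is a plain phrase ("visit Visa") cannot be checked for a mismatch, since the reader was never shown a destination; that is why the first sample link produces no finding, and why the shortener and userinfo checks run on the href alone.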

Verizon Data Breach Report for 2008, Part 1

Verizon's first report of 2009 is the 4th such report published publicly by Verizon (they have performed 28 such analyses to-date, but only recently decided to go public with them).  Verizon's goal is to release these reports on a roughly quarterly basis going forward. The report largely focuses on breaches occurring in the 2008 calendar year, but does reference data gathered from prior years.  2008 saw an unprecedented number of records compromised.  Verizon alone responded to breaches representing 285 million records, more than all prior years (2004-2007) combined, and those are the focus of this report. The Actors I think we can...

ToorCamp 09 - I'm *SO* There

What do you get when you mix a bunch of techno-miscreants and a decommissioned Titan-1 Ballistic Missile Silo?  ToorCamp 2009, that's what. ToorCamp is the United States' first-ever full-scale hacker camp. Modelled after the camps in Holland and Germany, ToorCamp will focus on all of the technology topics that ToorCon has become famous for but will expand out into other areas of society. ToorCamp will offer 2 days of talks on many different topics -- Security, Internet, Emerging Technologies, Hardware Hacking, and Privacy are just some of the areas we will be covering. ToorCamp will also feature 2 days of...

The Perfect Is The Enemy Of The Good

Voltaire once said "Le Mieux est l'ennemi du bien."  Which translates roughly into "The perfect is the enemy of the good." I, not being a writer of Voltaire's prolific stature, have often expressed this sentiment in my own way: "Anything worth doing is worth doing poorly."  Which usually attracts some puzzled looks from my colleagues... Yeah, Frenchy probably said it more eloquently than I ever did, but the sentiment is the same:  Don't get so wrapped up in doing something perfectly that you ultimately don't do *anything*.  This concept first hit me a few years back, when I was watching the old reality show "Project Greenlight".  The...

Full Network Security Archive