Archive for February, 2009

what we’re reading, week of 2/23

Posted: February 26, 2009 in Highlights

From around the blogosphere…
In recent months, security breaches and PCI compliance have been blogged about all over the Internet… still. Here are three more we thought were insightful. P.S. Check out our PCI-DSS Resource tab.

ZDNet
Will the real [Breach X] please stand up?
Mike Rothman did a guest post for Zero Day this week. We all remember the Heartland breach (who could forget?)… well, another breach has occurred, allegedly on the same scale. Mike refers to this breach as Breach X, because no information has been released. There is a high likelihood that your credit card data has been compromised as a result of either Heartland or Breach X.

Emergent Chaos
Security Breach Notification Symposium
A Security Breach Notification Symposium will be held next Friday, March 5th. Our friend from Emergent Chaos will be speaking at it. The symposium begins with a session on California’s security breach law and continues with a look at current research and proposed reforms by the state’s top policy makers and scholars.

Network Security Blog
Evaluating the cost of PCI
The cost of implementing PCI requirements adds up pretty quickly. Martin McKeay points us to two articles on how to implement these requirements reasonably: What are PCI “Best” practices: Saving Money or Improving Security? and Cost of PCI Compliance. Let us know what you think.

Security, privacy, and taxes

Posted: February 26, 2009 in Posts

As if paying taxes wasn’t bad enough…

Recently, the Washington Post reported that the IRS expects an increase in tax-related scams and viruses leading up to the April 15 filing deadline:

The most common type of scam arrives via e-mails claiming to come from the IRS or Treasury Department. They typically try to either scare consumers into thinking there is an error with their tax filing, or that they are eligible for a tax rebate or benefit from the government economic stimulus package that just passed on Capitol Hill.

These so-called “phishing” e-mails typically arrive in an e-mail that urges users to visit a site, which in turn prompts visitors to enter their personal and financial data, information that is then sent off to identity thieves.

Though experienced users may be skeptical of their own susceptibility to a phishing scam, the IRS reiterates that they will never communicate with taxpayers via unsolicited email, and Treasury Inspector General J. Russell George explains:

“Some of these bogus e-mails are so sophisticated that people who are uninformed can and do fall prey to this type of scam. That is why it is so imperative that we continue to get this message out to people.”

The IRS urges anyone receiving a suspicious email to forward it to phishing@irs.gov.

Meanwhile, Bruce Schneier has a great post up right now about how companies and government agencies can mitigate insider threats… just in case the real security risk during tax season lies inside the IRS!

what we’re reading, week of 2/16

Posted: February 19, 2009 in Highlights

Security networking issues were light this week; here are two conversation starters we think are a sign of things to come.

From Rational Survivability…
Microsoft’s Windows Mobile moves: Too little, too late
Microsoft announced its My Phone at Mobile World Congress earlier this week (with more than 20,000 applications!). We see this, combined with the iPhone App Store and RIM’s soon-to-be-launched version, as the turning point for the ubiquitous adoption of mobile devices by the enterprise – more importantly, adoption driven by the user. Policy alone won’t be able to prevent the potential security issues network admins will soon have to grapple with en masse.

From ZDNet…
New Symbian-based mobile worm circulating in the wild
And what kind of security threats will mass adoption bring? VPN, portable drives and growing virus issues. It has been reported that the “Sexy View” malware has a valid certificate signed by Symbian, tricking the user into thinking it’s a legitimate application. Granted, these types of malicious code are not new; however, what is interesting is the certificate piece. Combine this with the increasing efforts to solve the mass replication barriers, and you can see the potential headaches that are sure to arise.

VPN vendor lock-in in Windows 7

Posted: February 18, 2009 in Posts, Windows 7

For all of the good news about Windows 7, one issue has come to light as a major stumbling block for enterprises – especially from a security standpoint.

Though Microsoft doesn’t tout DirectAccess as a VPN (presumably to avoid the stigma of complexity associated with VPNs), their server setup guide calls it exactly that. What’s more, the DirectAccess IPsec connection requires enterprises to deploy Microsoft’s server… a large investment of resources and a warning sign for future vendor lock-in.

Meanwhile, Cisco has discontinued support for IPsec clients in order to promote its AnyConnect solutions. What this creates is a large divergence of product options for customers. SSL is not ideal for all VPN needs; however, Cisco is aggressively pushing it on their customers. At the same time, we predict that companies are going to resist the investment to upgrade to a new server, which will hinder adoption of DirectAccess for Windows 7. Rather than the major industry players working toward a standard, they are trying to force the market to choose one over the other. Unfortunately, security doesn’t work that way… NCP customers we’ve spoken to are angry with the situation, and many bloggers and forum posters agree that the conflicting strategies are counterproductive to the real aims of network security.

what we’re reading, week of 2/9

Posted: February 12, 2009 in Highlights

From PC Mag…
Is Windows 7 Ready for Prime Time?
Michael Miller highlights his thoughts on Windows 7 and gives us an update on where it stands. Of note are the VPN client issues he experienced with Cisco: “the Cisco VPN client wouldn’t work. But following some steps I found on the indispensable sevenforums.com, I was able to get it working on the 32-bit version. (Warning: This is complicated and not recommended for most users.)”

From Rational Survivability…
Incomplete Thought: Support of IPv6 in Cloud Providers…
Windows 7 supports IPSec, and Microsoft is actively pursuing this route. This is destined to force changes to cloud vendors, as Christopher Hoff suggests.

From Ping WiFi…
American Airlines Gogo — Mixed Review in The Journal
American Airlines is now offering WiFi service to its passengers on longer, non-stop flights. Do network administrators have yet another new concern with security & VPN?

From Emergent Chaos…
“A Scientific R&D Approach to Cyber Security”
Argonne National Labs released a report on “A Scientific R&D Approach to Cyber Security”. Adam Shostack raises two issues with the report: it places mathematics on a pedestal, going so far as to refer to economic analysis as a ‘metaphor’, and there’s no mention of the data acquisition problem. Do you agree with the issues Adam raises?