Friday, April 18, 2008

Google Street View Becomes Driveway

This article on SecurityProNews describes a situation where a Google Street View camera car enters and films someone's driveway.

When The Smoking Gun tipped off Janet McKee as to Google's impromptu visit, she said it was "a little bit creepy to think of someone filming our home without me knowing about it."
The Google camera car left public property (prohibited by Google) and drove up the couple's winding driveway. The reaction would have probably been different had the images not found themselves at the fingertips of billions.

This is dumb, but I admit it does creep me out a little bit that my own house is viewable by the planet. But why? Instead of people having to physically be present to ogle my abode -- so I can see them by peeking out the window -- they can anonymously view it at any time, entirely unknown to me.

Whereas I rely on the obscurity afforded by the physical world's limitations, when those limitations go away, what is the impact on my privacy and confidentiality?

Should I throw a tarp over the Jeep lest someone stumble across my street view and find themselves a cheap source for parts?

Should I worry that criminals now have an easier time casing my house?

For now, the world's internet users still have to click their way to our houses. But as more information comes online about each of us, we'll have to rethink some basic assumptions about our security and privacy.

Tuesday, April 15, 2008

Targeting Oddball Platforms

Another article on targeted attacks. Larry Seltzer makes an interesting point towards the end of the article about the use of oddball operating systems and applications.

Some experts might recommend that you use alternative platforms like the Mac or OpenOffice, but these really don't help at all with targeted attacks. If someone's rolling out a new vulnerability for a targeted attack, it's just as easy for them to do it on OpenOffice and the Mac, which have numerous vulnerabilities, as for Windows. In fact, it's easier and cheaper for them to do it on the alternatives, where the price for a new, unpatched vulnerability is probably much cheaper than for Windows.

I'd think oddball platforms probably help with mass attacks. Those attacks are more likely to target Windows and more likely to be a bigger issue for home users. So, switching over to an alternative platform could make more sense for the home user; the cost/benefit analysis probably looks different than it would to an enterprise.

Wednesday, April 02, 2008

Advance Auto Parts Store Data Breach

From The Register:

Advance Auto Parts, the US motoring parts retailer, is the latest firm to give up customer credit card data to hackers.

The bad guys gleaned financial information on up to 56,000 customers, through an attack affecting 14 stores nationwide...

The Advance Auto Parts website provides more information. So this only affects a handful of stores. Interesting. Methods and perps unknown.

I'm a big fan of companies being held accountable to standards of due care in the form of PCI standards and legal obligations. Significant penalties encourage companies to do the right thing.

Having worked at companies whose execs and upper management didn't give a rip about data security, due care, or anything that didn't involve raking in money, and having heard from more than a few infosec peers that this is the rule, not the exception, the only way my data and yours is going to stay protected is through penalties.

Penalties that significantly affect the bottom line --- or better, penalties that personally affect CEOs, in the form of orange jumpsuits. The only reason SOX got any traction in companies is the threat of jail time for management. HIPAA has been largely ignored by a surprising number of healthcare companies. Bigger fines and jail time for execs would fix that fast.

And remember, we wouldn't even be hearing about these breaches in the first place if it weren't for California's SB1386 and all the copycat laws that other states created thereafter. The effect of these laws should be obvious to anyone following infosec news before and after 2003. Companies were hardly voluntarily disclosing data breaches --- until they were required to by law.

Even then, I'll bet cash money there are still companies ignoring this requirement. I've already posted about delayed notifications. Penalties and laws don't fix everyone and everything, but they do help to counter temptation and encourage honesty.

Tuesday, April 01, 2008

Radio Tracking for Backup Tapes

Fujifilm bugs backup tapes with LoJack device

Looks like it runs $150/mo to track your tapes and reduce the likelihood of their going missing, as has happened to quite a number of organizations over the last few years.

Is this really the best solution? How often do tapes go missing and how much damage does it cause? What level of risk mitigation does this technology afford? How does encryption of the data on the tapes compare in cost? Those are the questions I'd be asking myself if I were in a position of managing this risk.

I think I'd rather know my lost tapes were unreadable than to possibly know where my readable lost tapes were. Y'know?

I say "possibly" because I am guessing the lojack thingy is probably not 100% tamper resistant.