Security: Opinions

China's financial markets have paralleled the rapid growth and development of the country and for a time were regarded as something of a 'Wild West' environment, where the risks were significant but the rewards were immense. Rapid growth in cities like Shanghai and the handover of Hong Kong and Macau have provided ample opportunities for investment and the development of a form of capitalist communism has created an environment where the potential rewards seemed to justify the risk.

With recent reporting showing the ineffectiveness of breach disclosure laws on the rate and scope of data losses, what sort of teeth will HIPAA and similar laws have when electronic health records are compromised in similar numbers and scope.

A well known Information Security researcher who is best known for his recent work in collating and archiving reports of the often-inextricably linked forerunner to identity theft, data loss, has recently spoken out against the seemingly poor standard of compensation generally offered by the affected companies to their consumers.

A less known part of the recent ARP attack against H D Moore's MetaSploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.

Remaining platform and technology agnostic in Information Security is a progressively more difficult task as people and companies develop the skills and abilities to form professional fee-based relationships with the vendors that they previously reported about.

Following TJX's major loss of credit card data last year, the company implemented a series of internal changes that were meant to make it more difficult for theft to take place again in the future. The only problem was that the implementation was not exactly ideal and at least one TJX employee identified this and made an effort to report the situation internally. When faced with no response from the company, he chose to release the information publicly.

Recent reporting from AP and The Charleston Gazette demonstrates that selling snake oil will eventually catch up with you. LifeLock, an identity theft protection company based in Arizona, is facing a class-action lawsuit alleging that their services are 'inept' at preventing identity theft from taking place.

I've had the pleasure of speaking and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers:

Antivirus and antimalware developers have been in the spotlight for the last month or so and have been the focus of malware developers for much longer over the plan to run the Race to Zero contest at this year's DefCon in Las Vegas. Now, it might be the turn of companies that produce and promote 'This Site is Safe from Hackers'-style certification and coverage for their clients to share the spotlight.

If you are running a Debian-based Linux system and haven't already caught up with the announcement [1] that there was a major flaw with the generation of SSH, OpenVPN, DNSSEC, SSL/TLS session keys and X.509 certificate key material, you might want to update your system to address the problem.

Many Information Security practices have outcomes that are difficult to quantify. How do you prove that your measure is effective at preventing whatever malicious activity is out there from being effective against your system?