Strict enforcement of Information Assurance policies?

Nice article over at Network World.

How do we resolve the issue of acknowledging (to ourselves) that some of our information assurance (IA) policies cannot, or should not, be strictly enforced, while at the same time conveying to staff the importance of always following IA policies?

InfoSec Personnel Management

I found an article on Personnel Management and INFOSEC by M. E. Kabay which I like. It's basically a paper discussing managerial techniques for managing employees in an organization from an InfoSec perspective. I particularly like this analogy for how employees

What would you do if you discovered that an employee who used to occupy your current office still had the key? You would politely ask them to give it up. No one would question the reasonableness of such a request. However, when you remove access to the network server room from a system analyst who has no reason to enter that area, you may be treated to resentment, sulking and abuse. People learn about keys when they’re children; they don’t extend the principles to information security. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet?

Unauthorized accesses of data

Officers run a background check on the president.

http://www.wsbtv.com/news/20218458/detail.html

NSA reading emails of private citizens

Raw Story has a story on NSA’s improper use of wiretapping technology. MSNBC interviewed a former security analyst who discussed how members of the NSA used their wiretapping abilities to read the email of private citizens. Risen reported that Bill Clinton’s emails had been read. He then clarified saying:

“It sounded like, from the former NSA analyst that we interviewed, that it was rare to access the emails of celebrities or famous people, but that it was fairly routine, according to him, for people to access the emails of girlfriends or wives or other people that they might know.”

At SOUPS this week

Repost from July 16th 2009

This week I'm at the Symposium on Usable Privacy and Security. SOUPS is a conference dedicated to making security and privacy applications usable by the general public. Others and I will be blogging the conference, and I recommend that those who are interested in making security and privacy more usable take a look at the current research going on.

City jobs require surrender of logins and passwords

As part of its job application process, the city of Bozeman, Montana requires applicants to surrender login names and passwords for all social networking sites they are involved with. The list of sites includes Google, Yahoo, MySpace and Facebook. Supposedly this is so that the city can do a background check and determine that “the people that we hire have the highest moral character.” Read the article for full details, but here is my favorite quote:

“You know, I can understand that concern. One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those. We’re not putting out this broad brush stroke of trying to find out all kinds of information about the person that we’re not able to use or shouldn’t use in the hiring process,” Sullivan said.

Update: Bozeman has decided to change their hiring practices and has apologized for the “honest mistake.”

Update: Looks like North Carolina does the same thing.

Analysis of security breaches

Interhack has a study of security breaches by industry and type. The authors categorized 925 security incidents using a taxonomy they developed, then analyzed the incidents by industry and by type of incident. Two interesting points were that the financial industry had the highest percentage of insider attacks, and that incidents caused by insiders were more common than those caused by outsiders.

While the bulk of media attention on threats to private information is given to the activity of outside attackers, these breaches account for only approximately 22% of the instances in our data set. More significant is the number and type of breaches caused by people within an organization. Poor procedures, human errors by staff (Processing and Disposal), and the malicious activities of people on the inside of an organization account for greater than 35% of our observations.

Handing laptops to friends

Slashdot has a request for information from an art student who wants to know how to let other people briefly use their laptop while still protecting the laptop from infection and the data from snooping. After glancing at the Slashdot comments, I would roughly group the answers into these categories.

  • Set up a guest account and use quick user switching. This solution works on both Windows and Linux.
  • Use VMware or equivalent software. Start a virtual machine and run everything questionable, including other people's logins, inside it.
  • Say “NO.” Don't ever loan out your laptop; it's yours, not theirs, and lending it is an unnecessary risk to both the hardware and your data.

How to keep secure passwords in your pocket

Security Focus has an interesting blog post on writing down passwords. The recommendation is that you select a common four-character “pin” which you memorize. For each site you then select a completely random, unique six-character password and write it down on a piece of paper in your wallet. The password for each site is generated by appending your memorized pin to the password written in your wallet, creating a ten-character password. The idea is that you are now using a different password for each site but are not carrying the extra cognitive load of memorizing a large number of long passwords. You are also never writing down a complete password, so someone stealing your wallet will not have your complete passwords.

I think this is an interesting idea and would be interested in any known research on its effectiveness and usability in practice.
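To make the scheme concrete, here is an added example (mine, not code from the Security Focus post) that builds the "wallet card" of random six-character parts for a list of sites, composes the full per-site password by appending the memorized pin, and estimates how much guessing work is left for someone who holds the card but not the pin. The site names, the pin value and the 94-character alphabet are my own assumptions for illustration.

```python
import math
import secrets
import string

# Assumed alphabet for the written-down part: printable ASCII minus space (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_wallet_part(length=6, alphabet=ALPHABET):
    """Random part that goes on the paper in the wallet.

    Uses the OS CSPRNG via the `secrets` module; `random.random()` is not
    suitable for secrets.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compose_password(memorized_pin, wallet_part):
    """Full password as the post describes it: written part followed by the pin."""
    return wallet_part + memorized_pin


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def build_wallet_card(sites, memorized_pin, length=6):
    """Return (card, passwords).

    `card` is the only thing written down (site -> random part);
    `passwords` are the full per-site passwords, used once at sign-up
    and never stored.
    """
    card = {site: generate_wallet_part(length) for site in sites}
    passwords = {site: compose_password(memorized_pin, part) for site, part in card.items()}
    return card, passwords


def residual_entropy_if_card_lost(pin_length=4, pin_alphabet_size=10):
    """Bits an attacker holding the card still has to guess: only the pin.

    The default assumes a 4-digit numeric pin; a pin drawn from letters and
    digits would raise this.
    """
    return entropy_bits(pin_length, pin_alphabet_size)


if __name__ == "__main__":
    # Constructed sample input: a few site names and a made-up pin.
    sites = ["bank.example", "mail.example", "shop.example"]
    card, passwords = build_wallet_card(sites, memorized_pin="7731")
    for site in sites:
        print(f"{site:14} card: {card[site]}  full: {passwords[site]}")
    print(f"written part alone:   {entropy_bits(6, len(ALPHABET)):.1f} bits")
    print(f"left if card is lost: {residual_entropy_if_card_lost():.1f} bits")
```

The numbers are the useful part: the written six characters carry roughly 39 bits on their own, but if the card is lost everything rests on the pin, and a four-digit numeric pin is only about 13 bits. That is why the scheme protects against a stolen wallet only in combination with a site lockout or rate limit on guesses; against an offline attack on a leaked hash, the pin part is the weak link.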

Security glitch on Facebook gives out administrative access

Facebook appears to have given out administrative rights to several major pages such as Microsoft and Star Wars to at least one Facebook user who is not affiliated with the companies.