Interesting Information Security Bits for June 12th, 2008

Howdy folks.

We are going to try something a little new today.

As you have all probably realized, these posts have all been built from blogger sources to date. I am going to start expanding them to include things I see in the news and from other sources that have infosec applications. As we go forward, I am interested in knowing if you would prefer to have two separate posts or if you like the combined format.

As always, leave a comment with your opinion or email me kriggins _at_ On with the show.

From the Blogosphere.

Jennifer Leggio has a post up on her new blog Feeds at ZDNET (congrats Jennifer) about privacy concerns with Company Groups on LinkedIn. She points out some very real privacy and data leakage concerns for this type of automated grouping.

Richard Bejtlich has a good summary of the Verizon Business 2008 Data Breach Investigations Report which you should go ahead and read.

From the newsosphere.

Via Dark Reading, RSA is introducing a flexible card-shaped authenticator.

Via SearchSecurity, The PCI council is launching an assessor quality assurance program. Kinda have to wonder why it has taken this long for something like this to happen.

The Register brings us an interesting article about fraudsters gaming the address verification system in use in the UK for charges.

From congressmen are saying that China is hacking their computers. Of course China is denying it.

Have a great day and remember, let me know which format you prefer, combined or separate.


One Response to Interesting Information Security Bits for June 12th, 2008

  1. Kevin: Legally speaking, what is “reasonable security?” FTC punished TJX for not having it, but FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if “reasonable security” were present. That implies 9 in 10 breach victims were in violation of law. The study’s outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is “an extremely complex challenge.” In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon’s reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. –Ben