Friday, August 22, 2008

The importance of key management

As encryption and data protection become more prevalent, don't forget the equal importance of managing those keys. This seems to be the message from Jerome Wendt.

I think there are two sides to the story here - while I agree that managing keys is important, I think this is something users SHOULD NOT be concerned about. This is something the vendors should be focused on solving and not leave it to end users to stumble over.

Key management is hard and it makes sense to solve it at the product level rather than leaving it to implementation variances.

Thursday, August 21, 2008

And the attacks keep coming...

Seems like the intensity and frequency of breaches have just started to warm up! Even as we pat ourselves on the back about the recent indictment of criminals, we see reports of increased activity. Millions of cards stolen and more loss...

Brings us back to a hard question we have to ask ourselves - are we ready to tackle this seriously? Vendors, retailers, banks, government and consumers all have a huge stake in this (and don't forget, so does organized crime). However, it seems like organized crime is living up to its name - they seem a bit more organized about this. Not having looked at the numbers, but it feels like we are being pushed back and they currently have the upper hand...

Not a very PC thing to say, I know. However, we have to wake up to the reality and get more serious about this.

Wednesday, August 13, 2008

Twelve billion dollars!

Sounds like a Dr. Evil sound bite :). In fact this could be the potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.

Tuesday, August 5, 2008

Smackdown on data criminals

The long arm of the law finally flexed in a major indictment of criminals who were charged with hacking and stealing credit cards from major retailers.

Eleven folks were charged with crimes ranging from conspiracy and computer intrusion to fraud and identity theft.

Interesting nuggets from the report:

  • They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
  • Apparently this is the single largest and most complex identity theft case ever charged in this country

"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

I agree with the US Attorney - we need better ways to prevent such hacking. But one point is clear again in this case - those who hack work for increasingly sophisticated criminal enterprises and will deploy significant resources to steal as long as the returns are worth it.

Friday, August 1, 2008

Laptops can be seized at the US border

New rulings allow Homeland Security to seize and analyze laptops as folks cross the border. Will this increase the propensity of folks to encrypt their laptops or reduce it (thereby reducing suspicion)? I don't think businesses will look at this as another reason to encrypt - the majority would rather data not be stolen or lost than think about what a border agent might find on that machine.

For folks who have personal machines (maybe speaking for myself), I am not sure I would care much if a border agent looked through my laptop. But maybe I should - who knows what that information can be used for later?