Archive
I just won €650,000 in the Spanish Lotto!
I know everyone will be happy for me when I tell you I just got notification from the Spanish Lotto about my winning ticket. I must have bought the ticket when I was drunk, or jetlagged, because for the life of me I can’t remember buying it, but I was in Madrid recently so it must be true.
See you all on the Costa del Sol!
Speaking at CIO Peer Forum, Toronto, Canada…

Just a reminder that this week on Friday 16th, I’ll be presenting at the CIO Peer Forum in Toronto. Feel free to drop by and say hello. My slot is 9am. The abstract is:
With the ever changing regulatory landscape, increase of novel threats, and the continuing trend to mobilize data, it becomes increasingly important to consider how to protect that information from loss or disclosure, and how to protect organizations from the onerous task of publicly disclosing a breach. Mr Hunt discusses the current regulatory trends and the practical steps you can take to secure mobile information, without creating business disruption using technologies such as endpoint encryption, data loss prevention, and network based discovery/monitoring.
Passware releases BitLocker/TrueCrypt Decryption Tool
Following on from my posts “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited”, it recently came to my attention that Passware, Inc., a feisty California company, has released a version of their forensic software which will decrypt BitLocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but simply put, it works against a machine that’s running but has encrypted drives (for example one using BitLocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well, they have implemented the exploit in a very neat and usable way.
TJX Hacker gets 20 years…
Last week, Albert Gonzalez, the “brains” behind the TJX hack, Heartland Payment Systems, 7-Eleven and many other notable cybercrimes, was sentenced to 20 years. Part of his punishment is the forfeiture of $1m he buried in his parents’ garden, a condo in Miami, a car, a diamond ring and several expensive watches (Gonzalez was reported by some sources to have stolen $200m, much of which was returned).
The sentence was severe because some of the attacks were carried out while Gonzalez was working as a Secret Service informant, earning $75k per year.
You can read more on the BBC News website.
Smart power meters easily hacked…
Recently Jordan Robertson reported that serious flaws had been found in so-called “Smart” power meters, which are being rolled out slowly by the utility companies.
These meters, designed to help individuals and companies manage their electricity usage more effectively, were found to have serious security flaws. These could allow hackers not only to tamper with your supply, a new twist on the “Denial of Service” attack, but also to fool the utility provider into thinking you’re using more power than you actually are.
French Internet Piracy law ineffective…
Perhaps uniquely, the French legal system has the means to ban people from the internet in what’s known as the “Three Strikes Law”. Passed in September 2009, it allows a new government agency, HADOPI (the Haute Autorite pour la Diffusion des Oeuvres et la Protection des droits sur internet, or High Authority for the Diffusion of Works and the Protection of Rights on the internet), to forcefully have individuals who flout copyright laws disconnected, and even to take measures against people with “insecure connections” who allow them to be used in this manner.
Threat of hacker-obtained tax information yields $137m revenue
This week, the German Tax Authorities opened cases on 1,100 suspected tax evaders thanks to information purchased from a “hacker”. As reported on BusinessWeek and other sites, the hacker offered the German authorities a CD of information on German nationals with “secret” Swiss bank accounts managed by Credit Suisse, and they quickly snapped it up, apparently for the price of 2.5 million euros.
Reports indicate that around 400 million euros of unpaid taxes could be reclaimed.
CSO Executive Seminar Series on Data Protection and Encryption…
Just a reminder that tomorrow I will be speaking at the CSO Executive Seminar at the Hilton, Tysons Corner VA – http://public.cxo.com/conferences/index.html?conferenceID=64. The topic will be “5 practical steps for data protection”. I don’t expect it to be a McAfee sales push; I’ll be talking about technologies in general.
If you’re a reader of my blog(s) please come and say hello.
NIST 800-111. Practical Advice for Data Protection Projects
This week I want to take an opportunity to remind readers of the excellent NIST publication 800-111.
Yes, I know, another complex government sponsored report, but 800-111, for those implementing any kind of data protection project, is one of the best reports on the subject, dealing with the technology, its practical use, and risk analysis. It’s really (for NIST publications anyway) a very good read.
The other reason to pay attention to 800-111 is quite simply that it’s the document regulations refer to when talking about “Good Practice”, “Industry Standard processes”, “Accepted Best Practice” etc. This document contains the advice that you’ll be measured against if you ever end up in court defending your Security Policy against something like Massachusetts 201 CMR 17.00.
HITECH Name-And-Shame goes up a gear…
Not content with naming-and-shaming companies who break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now listing on its own website companies who lose control of more than 500 people’s records.
The duty to do this comes via section 13402(e)(4) of the HITECH Act:
4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
For those not in the know, HITECH is a U.S. Act which enforces a duty of care on people’s health information. “Covered Entities” such as health plan providers and care providers (hospitals, doctors etc.) need to put safeguards in place to ensure that our individual health information is not seen by, or accessible to, unauthorized people. You can find out about HITECH on HHS’s excellent consumer website.