Archive

Posts Tagged ‘Security/Exploits’

Founder and CEO of EBank steals 200bn to fund a downpayment on a house.

OK, if you’re worried this is another Madoff story, calm down – the likelihood is that your greens are still safe.

Following on from my recent post on Gold Farming, I thought I’d mention the case in early June of the CEO of the online bank EBank in the game “Eve Online” – now, before you hit back in frustration about another irrelevant “game” article, think about this – CEO Ricdic cashed out some 200 billion credits of stolen virtual money from the bank he founded, and used the resulting US$6000 hard cash to pay medical bills and put a down payment on a house – yes, a REAL house, in the REAL world.

China takes steps to criminalize “Gold Farming”

July 2, 2009

Gold Farmers (apparently)

This week the Ministry of Commerce of the People’s Republic of China joins Korea in announcing a new initiative to implement controls on the conversion of virtual to physical currency. The press release on the MOFCOM site highlights the scope of the problem:

According to media reports, the virtual money trade topped several billion yuan (¥1B=US$146M) last year after rising around 20 percent annually.

Though this move seems to be targeted towards individuals bypassing tax payments by transacting online money for real goods and services, it also touches on the greater problems of CyberLaundering and Gold Farming.

UK “has cyber attack capability”…

June 29, 2009

Last week in England Lord West (Parliamentary Under-Secretary for Security and Counter-terrorism) indicated that the UK has the ability to launch cyber-attacks. Though his interview was very thin on facts and details, he made some interesting comments that GCHQ (The British Government’s communications and information systems arm in Cheltenham, UK) have former “naughty boys” in its employ, and that:

“It would be silly to say that we don’t have any capability to do offensive work from Cheltenham, and I don’t think I should say any more than that”

Interesting indeed, but I’d have liked him to at least tell me something about what the government could do that the average hacker could not. Do they have more resources than the average botnet, for example?

Cornell University loses 45,000 records..

June 24, 2009

datalossdb.org entry | Cornell University Entry

Another typical notification of data loss by an educational establishment. In summary, the personal details of around 45,000 current and former students and staff were lost when the laptop containing them was stolen.

Cornell have been very open with the facts of the matter; their site talks about what they have done, and will do, about it, and the help they are offering people affected. They also mentioned that their policy is that such data should be either encrypted or in a secure location, two things they admit this particular member of staff violated.

Something is Rotten in the State of Data…

June 24, 2009

To encrypt, or not to encrypt: that is the question.

Whether ’tis nobler in the mind to suffer

The slings and arrows of user nonacceptance,

Or to take arms against a sea of exploits,

And by opposing end them? To encrypt: to authenticate;

No more; and by authenticate to say we end

Data Loss Goes Personal…

June 18, 2009

Today I received yet another of those annoying “We may have lost your personal information…” letters from my bank. No information on how it happened, or what they are doing to stop it happening again. It’s almost as though this was an inevitable and repeatable condition of doing business….

Yet again I’m going to get another bank card, yet again I’m going to have to change the numbers in my Blockbuster, Amazon, etc. accounts, and (again) I have yet another free 12 month subscription to “Identity Theft Monitoring.”

Great news indeed, but I suspect many readers of this blog have also been through this a few times as well.

Hard Disk Encryption needs management…

March 10, 2009

This week CNET News contributor Jon Oltsik blogged about how he believes that now there’s a unified standard for hardware disk encryption, governments should lead the transition to self-encrypting hard disks. Jon makes the point that hardware encryption is simple, fast, and generally more secure than software encryption.

While it would be admirable to see any government protect their data, Jon in my opinion missed the big point: the benefit of the standard is really common key management between all the different vendors. No one really gets any benefit from the drives doing the encryption the same way – as long as it’s a “good” way, who cares? But, if all the drives have a common key management architecture, it makes the provisioning and, more importantly, the recovery of data much simpler.

Faking Face Recognition

December 3, 2008

This week CNET News reported on some interesting new ways of bypassing facial recognition technology built into newer laptops. The reporter (Dong Ngo) published an interesting article which shows an easy way of bypassing the software from companies such as Lenovo, Toshiba and Asus that is shipped on popular laptops. By using a slightly modified picture of the correct recipient, one can easily fool the software.

Bitmap Discovery Exploits

October 8, 2008

It was announced back in October 2008 that Bernd Roellgen of PMC Ciphers has “discovered” a possible exploit which can be used to reveal details of the encryption key used to protect hard disk image backups. PMC used this information to promote the release of a new version of their software which is immune.

Some customers have asked me what I think about this, as it relates to McAfee products, so I thought a blog would be a good place to start.

How to Spend Your Data Protection Dollars

September 25, 2008

I was speaking last week at a panel of CISOs when someone asked me the very reasonable question “What’s the most important thing we should do to protect our data?” – What the audience member wanted to know really was, given that he had no budget, and a state mandate impressing on him the need to protect PII (personally identifiable information), what’s the minimum he could do to comply with the regulations?