Blog

Hiring Security People: Insurance

Our (Digital Trust) search for errors and omissions insurance led me to discover that many of the people I have worked with in the past, or hired for penetration testing services, did not carry adequate insurance. Given the current climate of massive compromises by hackers, it is now obvious that E&O insurance for security professionals is a requirement, not an option. So when you hire security assessors who will have access to your network, or who will draft documents about your network security, make sure they carry acceptable levels of E&O insurance.

The reason is simple: documents detailing your security holes, or worse, data discovered during testing, such as passwords, will be sitting on someone else’s laptop or crossing the Internet. If those security folks make a mistake, it could cost your company dearly. If you cannot recover compensation from the security company, your company eats the whole expense, and your own insurer drops you. Nobody needs that. So confirm that your business associates are insured before you need to rely on it: ask for the certificate of insurance rather than a verbal assurance, and check the coverage limits and the expiry date.

Digital Trust
www.digitaltrustllc.com

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any public republication or reuse is forbidden if the Digital Trust name is removed.

Insurance & Business Continuity

Insurance does not cover everything you think it does. That statement should worry you. Very much. Most policies contain an exclusion clause for war and related events, typically worded along these lines: war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, or confiscation, nationalisation, requisition, or destruction of or damage to property by or under the order of any government or public or local authority.

What a mouthful.

For cyber attacks, it means the insurer may not have to pay if someone hacks your computers and steals all your data, an event that can cost you your entire business. With little or no effort an attack can be characterised as terrorism or as an act of a foreign enemy, and many attacks do originate on foreign soil.

For a thorough account of how serious this can be for businesses and individuals, check out this blog entry.

So if your policy carries any of the above exclusions, do one of two things: 1) find an insurer whose policy explicitly covers cyber events, or 2) be prepared to defend your company, uninsured, against whatever lawsuits a computer intrusion may expose you to. Your best insurance is due diligence on your security needs.

Digital Trust
www.digitaltrustllc.com


Antivirus Standards NOW

For 20 years we’ve had antivirus PC products, and for 20 years we’ve had no standard for comparison. A number of independent labs have tried, but nobody has established a gold standard.

The time for guessing is well past. We need a clinical, scientific gold standard, and we need it now.

The performance criteria can be documented, and the test suite can be public. A small lab could perform the testing, setting the stage for better PC protection and honest competition.

A transparent funding model can keep the reporting honest: AV vendors pay a flat, published fee and get tested; those who do not pay are not tested. That encourages substandard vendors either to improve and be included, or to stop selling AV.

No more wondering if one vendor is better, now you’ll be able to know.

Who out there can establish such a program? Find funding? Generate continuous, consistent results? Anybody?

Digital Trust

Walmart.com and COPPA

The Children’s Online Privacy Protection Act (COPPA) is meant to keep children under 13 who use the web from giving up too much personal information. Walmart applies it, in at least one place, to filter customer-service email queries: it asks for the user’s birth year and states clearly that the number is neither retained nor used in any other way, which is nice, but why ask at all?

The question Walmart appears to be asking is whether the user is 14 or older, while the legal line is 13. A birth year alone cannot settle either boundary: someone born 13 years ago is 12 or 13 today depending on whether this year’s birthday has passed. So the check is either over-inclusive (treating 13-year-olds, whom COPPA does not cover, as children) or under-inclusive (letting some 12-year-olds through). If the number cannot be used accurately, why collect it? Why not simply ask whether the user is 13 or older, unless the date really is being kept and used for something else, which the disclaimer does not indicate.

Hopefully, if your company is dealing with COPPA, you’re not doing it like Walmart.

Digital Camera Evidence Problems

Recently, an article in Evidence Magazine discussed how hot and cold pixels in a camera’s sensor can be used to fingerprint the images it produced, and thereby convict a suspect on the basis of pictures and camera equipment, one or more of which are found in the suspect’s possession.

This is a clear illustration of why the defense needs quality representation and expert witnesses; state-appointed attorneys may miss crucial arguments without proper expert support.

The article makes matching a camera to an image look quite easy, but it omits a couple of possibilities that drastically complicate the process and the likelihood of conviction. Here are two additional complications that can ruin a case, and there are likely more; each situation is unique.

First, are the criminal images compressed or uncompressed? Uncompressed frames are what you use to establish the camera’s hot and cold pixel fingerprint, and they can be matched directly only against evidence images that are likewise uncompressed. Lossy compression (JPEG stills, and nearly all consumer video) averages a defective pixel into its neighbours, so a compressed image has to be validated mathematically with the codec’s effect accounted for, and scene magnification (digital zoom) moves the pixel positions as well. Every one of these must be accounted for when eliminating possible errors in matching image to camera.

Worse, the author expresses the probability of error in terms that appear astronomical, using math to paint a rosy picture while failing to account for additional possibilities that must be considered before convicting on pixel fingerprint evidence.

One such assumption is that those defective pixels are unique to that camera, when in fact hot or cold pixels can be endemic to an entire product line of cameras or image sensors. Two ways manufacturing can spoil the odds are by introducing defects to the image sensors when they are mounted in the camera, or by damaging the sensors during fabrication of the silicon wafers.

If a production line introduced hot or cold pixels, then before going to trial we need to know what the manufacturer’s criteria are for acceptable bad pixels, and we need the production statistics. In the article’s example, any or all of the four hot pixels could have been present since the camera was made, which skews the probability projection. If all four were manufacturing defects, or cannot be shown not to be, the fingerprinting proves nothing, not even the camera family, since the same imaging chip may be used across multiple camera lines.

Other factors, such as the number of cameras in the geographic area, complicate or simplify fingerprint matching. If the pictures and camera are found on a person in the Outback, miles from anyone else, the probability of responsibility rises to near certainty. But a common camera seized in New York may mean an uphill battle to reach a probability a jury will accept.

Improper representation of evidence leads to false convictions of innocent people. Make sure you do it 100% right, and examine any argument based on statistics and probability closely to find the factors it has not taken into account.
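To make the two complications concrete, here is an added example (not from the post or from the Evidence Magazine article) that simulates hot-pixel fingerprinting on a toy sensor. The sensor size, noise model, defect positions, and the block-averaging stand-in for lossy compression are all constructed assumptions. It shows a raw image from a second camera of the same product line matching three of the suspect camera’s four hot pixels, a compressed image from the suspect camera matching none, and how the “astronomical” coincidence figure collapses once the shared line defects are discounted.

```python
"""Toy model of hot-pixel camera fingerprinting and two of its failure modes.

Added example, not code from the post or from the Evidence Magazine article.
The sensor size, noise model, defect positions and the block-averaging
stand-in for compression are all constructed assumptions.
"""
import random

WIDTH, HEIGHT = 64, 48   # assumed tiny sensor so the example runs instantly
HOT_VALUE = 255          # a stuck-high ("hot") pixel reads full scale
NOISE_MAX = 12           # assumed read-noise ceiling in a dark frame
THRESHOLD = 200          # above this in every frame counts as "hot"


def capture_dark_frame(hot_pixels, seed):
    """Simulate one dark frame: random read noise plus stuck-high pixels."""
    rng = random.Random(seed)
    frame = [[rng.randint(0, NOISE_MAX) for _ in range(WIDTH)]
             for _ in range(HEIGHT)]
    for x, y in hot_pixels:
        frame[y][x] = HOT_VALUE
    return frame


def extract_hot_pixels(frames, threshold=THRESHOLD):
    """Fingerprint: positions above the threshold in *every* frame, so a
    single noisy pixel is not mistaken for a defect."""
    hot = None
    for frame in frames:
        here = {(x, y) for y in range(HEIGHT) for x in range(WIDTH)
                if frame[y][x] > threshold}
        hot = here if hot is None else hot & here
    return hot or set()


def lossy_downsample(frame, block=4):
    """Stand-in for lossy compression: each block x block tile is replaced by
    its mean. Real JPEG and video codecs are more elaborate, but they likewise
    smear a single hot pixel into its neighbours."""
    out = [row[:] for row in frame]
    for by in range(0, HEIGHT, block):
        for bx in range(0, WIDTH, block):
            tile = [frame[y][x] for y in range(by, by + block)
                    for x in range(bx, bx + block)]
            mean = sum(tile) // len(tile)
            for y in range(by, by + block):
                for x in range(bx, bx + block):
                    out[y][x] = mean
    return out


def coincidence_probability(n_hot, width=WIDTH, height=HEIGHT):
    """The 'astronomical' figure: chance an unrelated sensor has hot pixels at
    exactly these n positions *if* defects were independent and uniformly
    placed. Shared production-line defects break that assumption."""
    return (1.0 / (width * height)) ** n_hot


def match(fingerprint, evidence_hot):
    """Fraction of the reference fingerprint present in the evidence image."""
    return len(fingerprint & evidence_hot) / len(fingerprint) if fingerprint else 0.0


def run_scenario():
    """Two cameras from one production line share three defects (assumed);
    each also has one defect of its own."""
    line_defects = {(10, 10), (20, 5), (30, 30)}
    suspect_camera = line_defects | {(40, 20)}
    other_camera = line_defects | {(5, 40)}

    # Reference fingerprint from three raw dark frames of the suspect camera.
    reference = extract_hot_pixels(
        [capture_dark_frame(suspect_camera, seed) for seed in (1, 2, 3)])

    raw_from_suspect = capture_dark_frame(suspect_camera, 7)
    raw_from_other = capture_dark_frame(other_camera, 8)
    compressed_from_suspect = lossy_downsample(raw_from_suspect)

    unique_to_suspect = reference - line_defects
    return {
        "fingerprint_size": len(reference),
        "match_suspect_raw": match(reference, extract_hot_pixels([raw_from_suspect])),
        "match_other_camera_raw": match(reference, extract_hot_pixels([raw_from_other])),
        "match_suspect_compressed": match(reference, extract_hot_pixels([compressed_from_suspect])),
        "naive_probability": coincidence_probability(len(reference)),
        "unique_only_probability": coincidence_probability(len(unique_to_suspect)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it directly to print the scenario. The two guards a practitioner would insist on are visible in the code: build the fingerprint from several raw dark frames rather than one image, and when quoting a probability, count only the defects that have been shown not to be shared by the production line.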

Digital Trust
www.digitaltrustllc.com

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided the Digital Trust name, url, and this paragraph are included. Counsel, do not list without contract.

Best Password Trick Ever!

You want a strong password, but every time you change it to something like “2rIght4*deb8” you spend an extra five minutes every time you log in, and you lock out your account at least once while getting comfortable with the new password.

Your troubles are over.

With the new Digital Trust password management idea, you’ll have great passwords that are easy to remember AND help you improve yourself at the same time.

What a deal!

Instead of tired old password tricks like “Blbackack” or “1der-tpactiv8!”, use an affirmation. If you don’t like affirmations, try aphorisms instead.

Pick an affirmation, like “I will have rock-solid abs.” and set your password to that. Yes, you can use blank spaces on most systems. Most people end up with mediocre passwords just trying to get past 8 characters, but with this you routinely get 16+ characters, spaces and punctuation included, and it’s so easy! One caveat: make the phrase your own rather than a famous quote or a stock affirmation, since attackers’ guess lists include those too.

So give it a try, and if you like it, pass on the advice.

“Today, I will make the Internet a safer place for users, everywhere.”

Digital Trust

ING Sharebuilder Goes to Weaker Password Policy

ING Sharebuilder has decided not to allow customers to create passwords containing special characters. Formerly it was possible to use them, and a password that already contains special characters still works under the new policy, but no new password may contain them.

Curious that a financial company that is exclusively web based would choose a standard lower than its previous one. It’s not as if they ever required customers to use special characters, but customers had the option. Now they don’t, and removing a character class shrinks the space an attacker has to search.

ING, step up to the security plate and bring back special characters. It just doesn’t feel as safe as it did before.

Update 8/4: A response to this question from ING simply spun the request back on its head, saying “We know our new password requirements may be an inconvenience, but we believe your personal data is safer as a result.” Well, it’s not safer, it’s less safe. Further, they pushed a software package called Trusteer, free, as an additional way of securing transactions. You can find out more about Trusteer here.
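As an added example covering both the affirmation trick above and the ING policy change (not code from Digital Trust or from ING), the following estimates, under two attacker models, how much work each password costs to guess, and checks it against a letters-and-digits-only rule. The 10,000-word dictionary, the attacker models, and the reading of ING’s policy as disallowing spaces as well as punctuation are assumptions.

```python
"""Rough strength estimates for the passwords in the two posts above.

Added example; not code from Digital Trust or from ING. The word-list size,
the attacker models and the reading of ING's policy as "letters and digits
only" are assumptions.
"""
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = string.punctuation + " "   # 33 characters; the space counts too


def alphabet_size(password):
    """Per-character alphabet an attacker must search, assuming they know
    which character classes the password uses."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)
               if any(c in cls for c in password))


def bruteforce_bits(password):
    """log2 of the keyspace for a character-by-character brute-force attack."""
    return len(password) * math.log2(alphabet_size(password))


def phrase_bits(password, dictionary_words=10_000):
    """Attacker who guesses whole words from a list rather than characters.
    The 10,000-word list is an assumption; a list of common quotes and stock
    affirmations would be far smaller, which is why the phrase must be your own."""
    words = [w.strip(string.punctuation) for w in password.replace("-", " ").split()]
    return len([w for w in words if w]) * math.log2(dictionary_words)


def allowed_by_no_special_policy(password):
    """ING's changed rule as the post describes it: letters and digits only
    (assumed here to exclude the space as well)."""
    return all(c.isalnum() for c in password)


def compare(password):
    """Summary for one password; the phrase model only applies to phrases."""
    return {
        "length": len(password),
        "bruteforce_bits": round(bruteforce_bits(password), 1),
        "phrase_bits": round(phrase_bits(password), 1) if " " in password else None,
        "allowed_without_specials": allowed_by_no_special_policy(password),
    }


if __name__ == "__main__":
    for pw in ("2rIght4*deb8", "2rIght4deb8", "I will have rock-solid abs."):
        print(repr(pw), compare(pw))
```

The numbers make the two points of the posts measurable: the 27-character affirmation is far beyond brute force (about 173 bits) but only about 80 bits against a word-list attacker, roughly where the 12-character “2rIght4*deb8” already sits, and a letters-and-digits-only policy both rejects the affirmation outright and cuts the short password’s keyspace by about 13 bits.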

Brian@DT

Introduction

Digital Trust, LLC is an information security consulting and services firm. We can assist with any facet of your security program, from corporate guidance and compliance efforts to system implementation and penetration testing. We can help make your security better.

Contact us at sales@digitaltrustllc.com