You can't secure what you don't acknowledge.SM

Friday, July 17, 2009

A way to keep the RF in your RFID

In case you're as concerned as I am about this, we now have a way to keep our RFID-tagged passports and driver's license secure. Just another public service announcement....

Are you a doer?

Here's a great quote from Wayne Dyer that helps explain successful people along with why the rich get richer and the poor get poorer:

"A non-doer is very often a critic - that is, someone who sits back and watches doers, and then waxes philosophically about how the doers are doing. It's easy to be a critic, but being a doer requires effort, risk, and change."

Which side are you on?

SSNs a thing of the past?

You may have already heard about this (I just got around to reading it). It's about how researchers at Carnegie Mellon have reverse engineered the Social Security Number assignment scheme. With just the birth date and state of birth, SSNs can be cracked.

Yet another reason to limit what you put on Facebook and other social sites...and a good reason to freeze your credit.

Perhaps each of us can have a SSN "salt" that truly randomizes things. I suspect that'll be something in the form of an RFID chip in the side of our necks. Not my idea of a free world.

Thursday, July 16, 2009

Another ridiculous way of handling Web passwords

I use iContact's marketing service. It's an overall great app and reputable company but they've now made my list of ridiculous password requirements. I was logging in to their site today using what I consider to be a strong password and got this message:

As part of our latest application security upgrade, iContact has strengthened the criteria for account passwords. To access your account, you must first reset your password.

So I have to reset my otherwise secure password...and the darndest thing is that it wouldn't let me re-use my old one. So what do I do? Well, I've never been a big fan of forced password changes. In the interest of keeping my passwords uniform so I can keep up with everything, I set my password to something LESS secure than it was before.

Instead of forcing everyone to change their passwords, perhaps the folks at iContact could've identified which users currently have weak passwords and taken a more targeted approach. Or they could've permitted me to re-use my previous password, run a complexity check against it and, if it passes, let me keep it. But no, just make everyone change their passwords...that'll do the trick.
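As an added illustration (not iContact's code; the post doesn't give their actual criteria), here is how the targeted approach suggested above can work in Python: the server only holds the plaintext at login time, so that is when an existing password can be checked against a new policy, and only users whose password fails are asked to reset. The policy thresholds, the common-password list and the account store are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of commonly used passwords; a real deployment would use a
# much larger list or a breached-password lookup service.
COMMON_PASSWORDS = frozenset({"password", "password1", "123456", "qwerty", "letmein"})


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical 'strengthened' policy standing in for the unknown real one."""
    min_length: int = 12
    min_classes: int = 3          # out of: lowercase, uppercase, digit, symbol
    reject_common: bool = True


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def policy_failures(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.min_classes:
        failures.append(f"fewer than {policy.min_classes} character classes")
    if policy.reject_common and password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    return failures


# --- minimal credential store so the login flow below runs stand-alone --------

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    reset_required: bool = False


def make_account(username: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest)


def login(account: Account, password: str, policy: PasswordPolicy) -> Tuple[str, List[str]]:
    """
    Authenticate, then re-evaluate the (already correct) password against the
    current policy. Only a user whose password fails is flagged for a reset;
    everyone else keeps what they have. Outcome is 'denied', 'ok' or
    'reset_required', paired with the list of rules that failed.
    """
    if not verify_password(password, account.salt, account.digest):
        return "denied", []
    failures = policy_failures(password, policy)
    if failures:
        account.reset_required = True
        return "reset_required", failures
    return "ok", []


if __name__ == "__main__":
    policy = PasswordPolicy()
    weak = make_account("alice", "letmein")                   # constructed account
    strong = make_account("bob", "Correct-Horse-Battery-42")  # constructed account
    print(login(weak, "letmein", policy))
    print(login(strong, "Correct-Horse-Battery-42", policy))
```

The point of doing the check inside `login` rather than as a batch job is that a properly hashed password store cannot be audited for complexity after the fact; the next login is the first chance to evaluate it, and the result only affects that one account.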

Sure, this is a private company making its own policies. I'm all for that. The reality is that people who don't think things through regarding security often end up getting in the way of it.

iContact, I love you...but golly.

Wednesday, July 15, 2009

One of the best infosec books ever written

I had the opportunity and pleasure to do the technical editing on this book by my friend and colleague Becky Herold:
The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives

This book is hands-down one of the best books out there on information security and why it matters to the business. Becky doesn't simply regurgitate the same old stuff either (not that I would expect her to). She has many original thoughts and great anecdotal stories to boot. You have to read it...and tell your CIO, CTO, and compliance manager about it as well. It should be required reading for anyone who underfunds, questions, or otherwise doubts the value of information security.

BTW, did I mention it's free? Just sign up with (a great source of IT and security content) and it's yours for the taking.

UPS sloppiness - How's this for document security?

I just went into a bathroom behind a UPS delivery guy. He left both his handheld computer and someone's overnight package sitting on the sink counter while he went into a stall. Anyone could've walked out with both and he'd never know who did it...This helps explain how packages go missing and subsequent breach notifications ensue.

Gives you the warm fuzzies about using UPS to ship sensitive documents, huh!?