Wednesday, August 29, 2012

Hotel Keycard Lock Hacker Questions Firmware Fix

"... guests literally reaching for their deadbolts."

Deadbolts won't help when you're not in the room. I recall a conversation about this at an ASIS conference a few years ago. Then it was more of a privacy issue; for example, the management system records when the door was opened, and by whom. It's not unlike using EZPass to record who goes where and when, or mobile phone GPS data to track movements. Law enforcement and divorce lawyers have a field day with this.

Because hackers can unlock and start cars, not to mention hijack drones, why should we be surprised they can spoof keycards?

Tuesday, August 21, 2012

WeKnowYourHouse.com and PleaseRobMe.com

This is amazing. WeKnowYourHouse.com and PleaseRobMe.com. This is social media openness run amok, and gives new meaning to "openness." Remember stories of robbers checking for wakes, funerals, and weddings to determine when no one will be home, and using that information to rob those houses. Why anyone would broadcast, or narrowcast, his or her location using something like foursquare or any location-based service is beyond me.

I'm also hearing stories of how people claim they're safe because they don't use social networking. Then someone checks their kid's Facebook page and sees that daddy's going to Bentonville, Arkansas. Well, there's only one reason to go to Bentonville, and this knowledge could be corporate intelligence.

We're publishing a book on data anonymization, which deals with this from an enterprise perspective, particularly PII and PHI. Supposedly, 87% of US citizens can be linked using ZIP code, date of birth, and sex. So, by using publicly available information such as voter records and supposedly clean data on health insurance, it's possible to identify and tie an individual to a health record. There are many good reasons why PHI, for example, needs to be private. Yet it's remarkably easy to get it.
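The linkage the paragraph above describes, worked through in code. This is an added example, not from the post or the book it mentions: a made-up "de-identified" health file (names stripped, but ZIP, date of birth and sex left intact) is joined against a made-up public voter roll on exactly those three quasi-identifiers. Every name, ZIP, date and diagnosis below is constructed for illustration. The same helper then measures k-anonymity (the size of the smallest group of records that share the same quasi-identifier values) before and after generalizing the fields, which is the standard countermeasure.

```python
"""Linkage re-identification against a "de-identified" health file.

Constructed example. All records and names are fictitious and exist only to
show how quasi-identifiers (ZIP, date of birth, sex) link a nameless health
record back to a voter-roll entry, and how generalizing those fields raises k.
"""
from collections import defaultdict

QUASI_IDS = ("zip", "dob", "sex")

# Constructed public voter roll (publicly purchasable in many US states).
VOTER_ROLL = [
    {"name": "Alice Moore", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "Bob Tran",    "zip": "02138", "dob": "1971-03-02", "sex": "M"},
    {"name": "Carol Diaz",  "zip": "02139", "dob": "1965-07-21", "sex": "F"},
    {"name": "Dan Okafor",  "zip": "02139", "dob": "1980-11-15", "sex": "M"},
    {"name": "Evan Park",   "zip": "02139", "dob": "1980-11-15", "sex": "M"},
    {"name": "Frank Liu",   "zip": "02138", "dob": "1974-08-09", "sex": "M"},
]

# Constructed "anonymized" health file: names removed, quasi-identifiers kept.
HEALTH_RECORDS = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1971-03-02", "sex": "M", "diagnosis": "type 2 diabetes"},
    {"zip": "02139", "dob": "1980-11-15", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1965-07-21", "sex": "F", "diagnosis": "depression"},
    {"zip": "02138", "dob": "1974-08-09", "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "dob": "1989-01-30", "sex": "M", "diagnosis": "asthma"},
]


def index_by_quasi_ids(rows, keys=QUASI_IDS):
    """Group rows into equivalence classes: rows with identical quasi-identifiers."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[k] for k in keys)].append(row)
    return groups


def link_records(health, voters, keys=QUASI_IDS):
    """Linkage attack: for each health record, list the voter names whose
    quasi-identifiers match exactly. Zero or several candidates is an
    incomplete or ambiguous link; exactly one is a re-identification."""
    voter_index = index_by_quasi_ids(voters, keys)
    results = []
    for rec in health:
        key = tuple(rec[k] for k in keys)
        names = sorted(v["name"] for v in voter_index.get(key, []))
        results.append({"diagnosis": rec["diagnosis"], "candidates": names})
    return results


def reidentified(health, voters, keys=QUASI_IDS):
    """Only the unambiguous links, as (name, diagnosis) pairs."""
    return [(r["candidates"][0], r["diagnosis"])
            for r in link_records(health, voters, keys)
            if len(r["candidates"]) == 1]


def k_anonymity(rows, keys=QUASI_IDS):
    """Smallest equivalence class size. k=1 means some record is unique on
    its quasi-identifiers and can be singled out by anyone holding a
    matching public dataset."""
    groups = index_by_quasi_ids(rows, keys)
    return min(len(g) for g in groups.values()) if groups else 0


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth.
    Sex is kept as-is. Applied identically to both datasets when testing
    whether the linkage still works."""
    out = dict(row)
    out["zip"] = row["zip"][:3] + "**"
    out["dob"] = row["dob"][:3] + "0s"   # "1965-07-21" -> "1960s"
    return out


if __name__ == "__main__":
    print("k on raw file:", k_anonymity(HEALTH_RECORDS))
    for name, dx in reidentified(HEALTH_RECORDS, VOTER_ROLL):
        print(f"  {name}: {dx}")
    gen_health = [generalize(r) for r in HEALTH_RECORDS]
    gen_voters = [generalize(v) for v in VOTER_ROLL]
    print("k after generalizing:", k_anonymity(gen_health))
    print("unique links after generalizing:", reidentified(gen_health, gen_voters))
```

On the raw file every record is unique on (ZIP, DOB, sex), so k is 1 and four of the six records resolve to a single name; one record matches two voters and one matches none, which is what a real attacker sees too. After generalizing to a 3-digit ZIP and a decade of birth, k rises to 2 and no record links to a single name. Raising k does not by itself protect the sensitive column: if every record in a class carries the same diagnosis, the attacker learns it without knowing which row is the target, which is the gap l-diversity addresses.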

I don't know why it's so hard to increase users' awareness of the dangers of the Web, and their willingness to barter PII for free access. I guess it's the free part.

Saturday, August 4, 2012

Cyber-security Measure Fails to Pass in Senate; Risk Management Webinar

First, does anyone really expect anything to pass in the Senate or the House? Second, why do we need this anyway?

Dan Swanson's next Webinar on Risk Management for Directors and Officers is scheduled for August 28th.

Thursday, August 2, 2012

Dropbox Admits Hack, Adds More Security Features

Strange, but last week I was discussing Dropbox, along with many other topics, with Tom August, who's Director of Information Security at SHARP HealthCare and co-author of The CISO Handbook. He mentioned that he's hearing that, increasingly, corporate data is being stored at Dropbox instead of on laptops or thumb drives, so people can work at home, or worse. Yet another attack vector created by users run amok.