Wednesday, December 18, 2013

New Auerbach Series on Critical Infrastructure and Cybersecurity Engineering

Edited by Ross Leo, Chief Systems and Security Architect at Cirrus Informatics, Inc., the objectives of this series include providing timely, well-researched, and informative pieces on the specific areas and issues associated with safeguarding America's critical infrastructures.

Critical Infrastructure and Cybersecurity Engineering Series

If you're interested in finding out more about the series and participating in it, contact Ross Leo.

Tuesday, December 17, 2013

How Hackers Made Minced Meat of Department of Energy Networks

In this case, as reported on Ars Technica, it came down to little or no patch management. How simple?

If they had bothered to apply a little common sense, and had Felicia Nicastro's book, Security Patch Management, a lot of this could have been avoided.

Wednesday, December 11, 2013

FCC in-flight call plan meets political and public opposition

Yet, as reported by Mobile World Live, FCC chairman Tom Wheeler doesn't care, and won't act to ban calls. I can think of few things worse than the agony of air travel compounded by rude, obnoxious, self-obsessed people making phone calls at 30,000 feet. As if bad music that filters out of earbuds isn't bad enough. There is legislation pending to ban calls, but because it depends on Congress acting, I'm not counting on it going anywhere. Noise cancelling headphones anyone?

Tuesday, December 10, 2013

Cross-Platform Malware: A Growing Threat for Computers

There's a new infographic from Mobistealth that uses Koobface to highlight cross-platform malware. The Koobface worm hits social networks like Facebook. According to Wired, the Koobface virus uses the private messaging systems of Facebook and other social media sites to infect computers via a shared video.

We have some new books to help you defend against attacks:

Automatic Defense against Zero-day Polymorphic Worms in Communication Networks

Android Security: Attacks and Defenses

Thursday, November 14, 2013

GAO Says TSA Should Limit Future Funding for Behavior Detection Activities

The GAO found that "Available evidence does not support whether behavioral indicators, which are used in the Transportation Security Administration's (TSA) Screening of Passengers by Observation Techniques (SPOT) program, can be used to identify persons who may pose a risk to aviation security."
So, TSA's Screening of Passengers by Observation Techniques (SPOT) program is useless.
Bruce Schneier has long said that profiling is worse than useless; it’s dangerous.
However, with DHA and TSA being laws onto themselves, they’ll continue with this security theater regardless of GAO recommends. So, here we have taxes wasted in two ways: by TSA in continuing programs that don’t work, and by GAO in conducting reviews that no one act on.

Related Books:
and even though GAO has its doubts, for those believers:

Friday, November 1, 2013

The emerging turf battle between information and physical security pros

Oh, the problems with slow news days.

This is not a new issue. It's been going on for a long time. Battle of the retired government agent or cop security manager--white socks, black shoes, definitely analog--facing an increasing digital physical security world versus the IT security pro who ensures that all the digital safeguards are working. (ASIS vs ISSA.)

The books we publish on security management largely have an analog focus as well.

We first covered this in 2006. Really, nothing has changed and likely won't. There's a comfort level in hiring an ex-agent for physical security, regardless of digital competence.

Thursday, October 31, 2013

The lady doth protest too much, methinks.

From the headlines of the worldwide press:

Chinese DM urges stronger information security
China says it will take measures to uphold its information security in ...
China to step up own security after new NSA allegations

This is getting old. All countries spy on each other, and, IMHO, German (and France and Israel, for that matter) has never been a good ally, just a benefactor of American largess. And, China ... well, it's China.

I suspect much of this is theater for local enjoyment. No government can appear soft on something as "ungentlemanly" as this.

Tuesday, October 22, 2013

TSA Expanding Its Screening of Passengers before They Arrive at the Airport

So, according to the NY Times, the TSA "is expanding its screening of passengers before they arrive at the airport by searching a wide array of government and private databases that can include records like car registrations and employment information."

I find this far more worrisome than the masses of information the NSA is capturing, or Google, Apple, Facebook, and others of their ilk. It won't be long before the TSA is screening rail travel, buses, using the ubiquitous roadway surveillance cameras to prevent us from driving, (use your imagination here), ...

Unfortunately, it'll never stop. Like the DEA, which has a vested interest in ensuring that the war on drugs never ends, the TSA needs to insinuate itself into every aspect of our lives in order to guarantee its existence beyond the Rapture. God help us all.

Friday, October 18, 2013

GAO: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards

The GAO recommends that CMS initiate an IT project to develop a solution for SSN removal and incorporate such a project into plans for ongoing IT modernization initiatives. HHS agreed with GAO's recommendations, if certain constraints were addressed. However, GAO maintains that its recommendations are warranted as originally stated.

What they really need to do is de-identify and anonymize data.

Of course, we have books that will help solve the problem.

Guide to the De-Identification of Personal Health Information 

In this book Khaled El Emam, the founder and CEO of Privacy Analytics, Inc., offers compelling practical and legal reasons why de-identification should be one of the main approaches to protecting patients’ privacy, this book outlines a proven, risk-based methodology for the de-identification of sensitive health information. It situates and contextualizes this risk-based methodology and provides a general overview of its steps. The book supplies a detailed case for why de-identification is important as well as best practices to help you pin point when it is necessary to apply de-identification in the disclosure of personal health information.

The Complete Book of Data Anonymization: From Planning to Implementation

Data anonymization provides a systematic and integrated approach to privacy protection that goes far beyond simple data-masking or network security from external or internal theft. In book, Balaji Raghunathan of Infosys Ltd. discusses the analysis, planning, set-up, and governance, this timely manual illuminates the entire process of adapting and implementing anonymization tools and programs to increase the success of privacy protection in vulnerable organizations. Providing a 360 degree view of data privacy protection, it details data anonymization patterns, automation/tool capabilities, and the key factors for success in disguising the person behind the data.

Wednesday, October 9, 2013

Jay Trinckes to Speak at Financial, Operations Management/Information Technology Conference

Jay Trinckes will speak at the Financial, Operations Management/Information Technology Conference, November 12-14, 2013.

His topic is “Avoid Penalties: Ensuring Compliance with the September23, 2103 HIPAA Privacy and Security Omnibus Rule.”

Jay is the author of The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules and The Executive MBA in Information Security.

Thursday, September 19, 2013

CRC Press Books on IEEE Best Readings in Communications and Information Systems Security List

The IEEE recently added the following book to its Best Readings in Communications and Information Systems Security List.

Alessandro Acquisti, Stefanos Gritzalis, Costos Lambrinoudakis, and Sabrina di Vimercati  (eds.), Digital Privacy: Theory, Technologies and Practices 


Thursday, August 22, 2013

Just Published! Information Security Management Handbook, Sixth Edition, Volume 7

This is the first annual edition of the Information Security Management Handbook since 1994 without the guidance and the insight of Hal Tipton. Hal passed away in March 2012. He will be missed by a lot of people for a lot of reasons.

It seems that every year is an interesting one for information security, and 2012 was no different. It is interesting, too, how perceptive Kaspersky Labs, for example, was with its forecast. It also foreshadows the end of online trust and privacy. If you cannot trust digital certificates, what is left to trust?

Cyberwarfare has jumped to the front pages of every newspaper, both print and virtual. Stuxnet spawned Flame, Duqu, and Gauss. While we were all focused on attacks and espionage by China, France, and Israel, Iran mounted a DDoS (Distributed Denial of Service) attack against US banks in retaliation for sanctions that appear to be working. At the same time, Iran’s central bank was attacked. Added to the online attacks is the growing threat of supply chain security, and products shipped with back doors or embedded systems that let them phone home. Witness the difficulty Chinese telecom equipment suppliers like Huawei are having with gaining toeholds in the United States by purchasing the US suppliers.

While Russians and Eastern Europeans are not singled out for cyberwarfare, crime syndicates based there continue to threaten commerce and privacy.

Theft of passwords from LinkedIn and Dropbox, and what seems like daily reports of attacks on or by Facebook show (not to mention Zuckerberg's Facebook page being hacked) the lure of social media to hackers, and the dangers to the rest of us. And while Facebook and others do not install rootkits as Sony did, their data collection efforts, combined with the apparent insecurity of the site emphasizes the growing dangers of Big Data and the Cloud.

We saw a huge increase in hacktivism as Anonymous and LulzSec launched various attacks on both government and private sites around the world.

It was only a matter of time until Mac OS X became a profitable target. Once critical mass was reached, hackers could not resist investing the time to own it. As with Mac OS X, mobile devices are becoming even more alluring targets. We have seen the same types of attacks and malware used against PCs adapted to mobile, plus new threats like SMS (short message service) spoofing. Not surprisingly, Android, Google’s open platform, has suffered the most. Plus, the growing number of apps for all platforms introduces a level of threat that is hard to estimate, but definitely growing.

M2M and the Internet of Things are creating more opportunities for hackers. From NFC (near field communication) payments to utility sensors sending unencrypted data, this is a potentially lucrative area for fraud and identity theft. Sensor networks are now in the DIY (do-it-yourself) arena, which creates yet a new class of threats.

BYOD (Bring Your Own Device), IT consumerization, whatever you call it, is making life so much more fun for black hats. It has given new meaning to “insider threats.” With portable digital devices being introduced into the enterprise, both with and without permission, we are seeing a manifold increase in threats. Clearly, policies alone are not sufficient to deal with this, and it is unclear how draconian management wants to be with forcing compliance. The products exist, but does the will to use them?

Looking at 2013, the promise of more surveillance, both from governments and online data collectors, means less privacy, even for the most careful users. Short of totally disconnecting from the grid, if such a thing is possible now, it is apparent we do not and would not have privacy.

This edition of the Information Security Management Handbook addresses many of these trends and threats, plus new areas such as security SDLC (software development life cycle), as well as forensics, cloud security, and security management. Chris Hare takes an in-depth look at hacktivism, identifying the motivations and the players, and providing advice on how to protect against it. Becky Herold analyzes the security and privacy challenges of social media. Sandy Bacik looks at the security implication of BYOD, and the challenges of managing user expectations. The Smart Grid offers its own security and privacy challenges as Terry Komperda explains. Noureddine Boudriga explains attacks in mobile environments.

There is new guidance on PCI and HIPAA/HITECH compliance. In addition to forensics and e-discovery, a chapter looks at cell phone protocols and operating systems from the perspective of a forensic investigator.

I have heard it said, “You can’t patch stupid.” So many of these attacks are successful because of clueless or irresponsible users. In what I hope is not a vain effort, Ken Shaurette and Tom Schleppenbach look at human firewall testing, social engineering, and security awareness. We also look at security and resilience in the software development life cycle, managing the security testing process, and SOA (service-oriented architecture) security.

Here is a shout out to my friend Jim Tiller, head of Security Consulting, Americas for HP Enterprise Security Services, for his help in preparing this edition. Jim’s done a lot for the Handbook over the years, and I am hoping he will continue.

All-in-all, this is a good volume of the Information Security Management Handbook. We are working on the next edition now. If you would like to contribute, please contact me at

You can order a copy here.

Wednesday, August 21, 2013

Is there anything really new happening?

I just received a flyer for another information security conference. Is there anything really new happening? I'm seeing sessions on the same old stuff, mostly at a introductory level. Sure, there are new threats and vulnerabilities popping up every day, but how different are they really? Even cloud, mobile, and big data are getting old, and we'll never solve the user problem. I mean, who doesn't know about this 

I've been trying for a long time to get someone to write books on DLP, SEIM, APT, GRC, ..., but am beginning to believe that these topics have jumped the shark. Aside from, maybe, identity and access management, what's going to drive people's need for information and, one can hope, books sales?

BTW, if anyone wants to accept the challenge of writing a book identity and access management, let me know. It's a sure way to immortality (or at least as long as the Library of Congress exists).

Monday, July 22, 2013

US information leakage shows sloppiness in managing secrets

An interesting piece in Japan News in defense of Snowden and, by implication, Bradley Manning, Julian Assange, and others. I wonder if Snowden ever read about Kim Philby and how much he enjoyed life in the worker's paradise after fleeing England? It's a cold, lonely life.

Speaking of insider threats, you might want to take a look at Managing the Insider Threat: No Dark Corners. It identifies new management, security, and workplace strategies for categorizing and defeating insider threats.

Monday, July 1, 2013

Hong Kong university warns students and staff about US hackers

The India Times reports that following the Snowden leaks, the Chinese University in Hong Kong warned students and staff about basic computer security to ward off an onslaught of US hackers. Is this calling the pot calling the kettle black, or another skirmish in the  new Cold War?

Friday, June 21, 2013

The Price of Loyalty

Some interesting comments by the Informer about Amdocs research on consumers attitudes towards privacy. Basically, privacy is good, but they're willing to sell it for a pittance.

BTW, subscription to this is free, and if you have any interest at all in the communications world, I suggest you sign up. It's really entertaining, too. The Informer, who works for Informa, is a very funny bloke, indeed.

Tuesday, June 4, 2013

U.S. Cellular Jumps on Landline Replacement Bandwagon

Just $20 a month!  Not too attractive to me, though. I had a problem with my landline recently. When Verizon came, instead of repairing the old copper connection, they connected me to fiber, including installation of a battery backup. This is the part of fiber phones that I don't like. The copper phones carried a current that enabled them to work during power failures, which where I live a fairly common. During the past year I lost power a few times for more than a day, and lost phone service, too. Cell service where I live is spotty at the best of times. I've learned by trial and error which parts of the house and yards get signals, and which don't. So, with the fiber landline down and no way to charge a cell phone, I had no phone service. Is this progress?

Wednesday, May 29, 2013

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

Surprise! PLA hackers have stolen weapons plans from the military.

Why does every system have to be Internet facing? I can see commerical enterprises wanting to save money but using public networks, but government and the military? For them, money is merely a way to keep score. It's not real.

Just as two can keep a secret if one of them is dead, if you want a secure system, segregate it; take it offline. While I'm pained to think of the lost information, it's even more painful to know that it could have been prevented.

The Time Machine Investigates the First-sale Doctrine

The Time Machine Investigates the First-sale Doctrine

Talk about being on the horns of a dilemma. As a publisher, I know there are far too many pirated versions of what I publish freely available to anyone who wants to spend a few seconds searching. Do I want to make it even easier to share? On the other hand, as a consumer I want to own, and lend, what I buy. The music industry seems to have resigned itself to this. If I buy music online, I download it and for all intents and purposes own it. I can burn it to a CD, or it send as an email attachment. Movies, too, are like music. Should I buy a DVD, I can lend it like a book, although I'm more likely to rent a movie online than buy and download it.

EBooks, as we know, aren't nearly as consumer friendly. Amazon keeps everyone imprisoned its inaptly named 'walled garden.' And while there's limited sharing within the Amazon and B&N universes, it's not true sharing. And I really don't understand the limitations on library lending. It seems the controls are similar to those for print books; a library can only lend as many copies as it has rights. Once the ebook limit is reached, I go on a waiting list, just as for print books.

Wednesday, May 22, 2013

BitTorrent traffic dropping sharply in US, as VOD wins favor

As reported by,  it seems people are starting to pay for content rather than steal it. As much as I hate Apple, they did get consumers to buy music. While the focus of BitTorret traffic is largely audio and video, I can only hope the decrease applies to books, too. I really hope people will start buying professional books.

I've had authors related tales of 1,000s of downloads of their books from pirate sites. I suspect that most of those downloads don't really represents lost sales. Still, I'm seeing a steady decline in book purchases, in any format. That needs to change.

Monday, May 20, 2013

Drug Companies and Doctors Collaborate to Mine Patient Data

The NY Times reported this story on Friday. Sure, this is a great thing for Big Pharma, but sucks for the rest of us. The article mentions how data in so-called anonymous databases can be matched back to patients.

I saw a presentation by Purdue's Prof. Tiancheng Li on how easily this can be done. Here's an example.

The Massachusetts Group Insurance Commission (GIC), which is responsible for purchasing health insurance for state employees, publishes for each employee zip, dob, sex, diagnosis, procedure, ... A researcher then purchased the Massachusetts Voter registration list, which contained name, party, ..., zip, dob, sex. Using three attributes--dob, sex, zip--the researcher was able to identify the medical record of then Governor William Weld.

This was a fairly benign example. But consider, for example, insurance companies using similar techniques to identify pre-existing conditions, or employers using them to dig into backgrounds of present or potential employees.

We know we can't trust industry to self-regulate, or place PII about its own self-interests.

It just so happens that we have two new books that deal with this problem, should you care to solve it.

Guide to the De-Identification of Personal Health Information by Khaled El Emam and

The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan.

Click here to read An Overview of Data Anonymization.

Friday, May 3, 2013

Infosecworld 2013

Last week was Infosecworld. Not surprisingly, as in 2012 the main topics were Big Data, BYOD, mobility and cloud security, and risk. Jeff Crume had several sessions on access control and identity management, including Federated identity management and single sign-on. It’s interesting to think that the big social networking sites—Facebook, Twitter, LinkedIn, Yahoo—use Federated identity. Now, I can log into Yahoo mail using Facebook or Google, not that I want to do it. I’m not sure whether this is good or bad, but it is interesting that while this is being discussed within the enterprise, the social world went ahead and implemented it. Of course, the security and privacy concerns are vastly different between the two worlds.
I heard a lot of talk about cyber espionage, both in sessions and in keynotes. Also, that the defensive focus has changed from cyber crime to cyber espionage and warfare. Of course, APT came into the discussion, although there was some disagreement about what it was. There was even a demo session on hacking SCADA, ICS, programmable controllers, etc.
Jay LaRosa and a colleague from ADP gave an interesting presentation on its next-generation security management platform system. It integrated passive data access network, SIEM, GRC tools, and massively scalable data warehouse; added advanced threat modeling, and provided real-time analysis and reporting. I recall from an earlier presentation about SEIM that between hardware, software, and personnel requirements it was out of reach of most places.  This presentation confirmed that observation, but it is a very impressive system.
BTW, I still need proposal for books on DLP, SEIM, BYOD, APT.  

Monday, April 29, 2013

China’s Hackers Shifting Focus

According to the Taipei Times, Taiwan's National Security Bureau (NSB) estimates that the PLA’s cyberarmy now numbers more than 100,000, has a budget of more than US$2.71 million and targets telecoms and think tanks. It also believes that the Chinese military has shifted the emphasis of cyberattacks on Taiwan from government institutions to civilian think tanks, telecommunications service providers, Internet node facilities and traffic signal control systems.

This doesn't seem to agree with US evaluations. PRC has long engaged in espionage with the other APT: humans. It's only recently, it seems, that attention has been directed to government, critical infrastructur, and military targets.

Tuesday, April 23, 2013

IoT, IPv6: IT Issues? Security Problems? Anything?

A recent issue of Networkworld teased The Internet of Things: Coming to a Network Near You on its cover.

We’ve been following, and publishing books on, IoT for a long time now. Speakers at last week’s Infosecworld mentioned IoT, along with Smart Grid, in sessions and keynotes. My question is, does anyone really know or care? Based on readership of articles and excerpts we’ve published and book sales, I’d say no.

Yet, like IPv6, another topic that doesn’t seem important to many people, IoT is going to become an IT problem, and an major security issue as well. It’s not just your smart refrigerator telling you to pick up milk on the way home from work. As the Smart Grid rolls out with essentially billions of sensor nodes, and vehicular networks, bandwidth demands will jump sharply and Big Data will inundate everything.

As a test, here are some books, articles, and excerpts covering IoT, IPv6, and Smart Grid. I’m going to monitor to see if there’s any increase in interest.

Articles and Excerpts
Internet of Things: A Context-Awareness Perspective
The Internet of Things in the Cloud: A Middleware Perspective
Communication Middleware for the Internet of Things
Smart Grids
Basic IPv6 Security Considerations


Unit and Ubiquitous Internet of Things
The Internet of Things in the Cloud: A Middleware Perspective
The Internet of Things: From RFID to the Next-Generation Pervasive Networked Systems
Security in an IPv6 Environment
IPv6: An Introduction and Overview
Handbook of IPv4 to IPv6 Transition: Methodologies for Institutional and Corporate Networks

Friday, April 12, 2013

Reading Is So 20th Century

I received this pitch yesterday for 2 - 3 minutes videos.

"Reading is so 20th century. That's why MaaS360 has created quick hit videos to make you a master in mobility management. You'll know so much about mobile device, app and doc management, people will actually think you read a white paper."

Then there was this this from Spectrum. Videos and slideshows are taking the place of print in presenting technical information.

What's more, there has been a lot of news about new 'long-form' websites publishing pieces longer than magazine artiles and shorter than books. Sign of things to come? Does anyone read books anymore?

It took USA Today to dumb-down newspapers. What's next?

Wednesday, April 10, 2013

O-TTPS and Huawei

The Open Group Releases Global Technology Supply Chain Security Standard
From the press release, "Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases."

Meanwhile, the head of Huawei admits "challenges and problems" in America.

So, even though the new O-TTPS is supposed to create trust within the supply chain for COTS, could Huawei, even if it were a software company, ever use it? I doubt any type of certification will overcome the deep mistrust of enterprises owned by either the PRC or the PLA.

Tuesday, April 9, 2013

To Hack Health Care Costs, Employers Can Now Track How You Grocery Shop

"'Your boss will never know what you’re eating,' says NutriSavings CEO."

Sure. I believe that. 

I think because I buy so little at the grocery store, and because whatever savings I get from use of the store card is minimal, I should consider not using it. It should be a simple habit to break.

Don't you wish you could see the aggregated data about you? Or maybe not. Life off the grid is looking better and better. I'm already starting to use cash more often, and hit the 'net anonymously.

There was a story in the local paper this morning about a town who surrendered citizens' email addresses
because of a FOIA request. Strange, though, how easily government gives up information like this, but is willing to fight to the death against providing information pertaining to its own perfidy.

It's a scary world.

Thursday, April 4, 2013

Use of Personal Data on Internet Is ‘Out of Control’

86% of Consumers Think They Have Little or No Say About How Corporations Use Personal Information; 81% Want More Control Back
TETTNANG, Germany--(BUSINESS WIRE)--Security expert Avira announced today the results of its latest online research survey that found that 86 percent of consumers worldwide felt they had little or no control over how corporations use their personal information online.

The personal information survey was presented to a random sample of Avira’s website visitors during February and March of 2013. There were 950 respondents with a margin of error of +/- of 3.18 percent. The two-part question asked:

How much of a say do you feel you have today over your personal information on the Internet?
A) 54.53% - I feel like I have almost no say over how companies use my personal information online.
B) 32.11% - I feel like I have a little say over how companies use my personal information online.
C) 7.16% - I feel like I have a lot of say over how companies use my personal information online.
D) 6.21% - I feel like I have an almost complete say over how companies use my personal information online.

A follow-up question asked:
How much control would you like to have over your personal information on the Internet?
A) 80.95% - I'd like more control.
B) 16.53% - I'm happy with how much control I have.
C) 2.53% - I’d like less control.

“Most consumers don’t really understand what is happening with the information about them and this scares many of them. The reality is that they have more control than they think,” said Sorin Mustaca, IT security expert at Avira. “For example, only few know that they can disable the advertising tracker in their iPhones, they can install a do-not-track extension into their web browsers, and that they can control many privacy and security settings in Facebook and other social networking websites. Last but not least, no tool or security solution is able to replace a healthy common sense: do not share information about you which you don’t want to be public.

While I agree with these findings, I wonder about the respondents. If they were mostly European, it could skew the findings. In general, Europeans are much more aware of privacy issues than Americans; and European privacy protection laws are very tough, especially when compared to American laws, which are basically non-existent.
I posted here about a NY Times story that consumers would sell their privacy very cheaply.
So, who really cares about online privacy, the dangers of aggregators of personal information, and intrusive advertising?

Tuesday, April 2, 2013

Monday, April 1, 2013

It's Official. Consumers Don't Care Much Online Privacy

This interesting NY Times story  focuses on the reseach of Alessandro Acquisti, co-editor of Digital Privacy: Theory, Technologies, and Practices.

And, if they don't care much about their own privacy, they likely care less about security at work.

Friday, March 29, 2013

Mainframe Masters: Students Bring New Blood to Venerable IBM Units

We used to joke about all the old IBM programmers retiring, and the world coming to a screaching halt. This was also a fear surrounding Y2K. Who was going to change all the two-digit date fields to four to accomodate the new millennium? It was time to reprint all the IBM programming books and make a killing. Well, obviously there was no Y2K disaster and we didn't make a killing on mainframe books.

So now the Journal News, my local newspaper (yes, I still read physical newspapers), reports that IBM has a mainframe contest. Yes, big iron still rules, and MIPS is still a "meaningless indicator of processor speed."

I should run a contest to see who can expand acronmys like CICS, REXX, VSE, MVS TSO, DASD, RACF. Anyone care to try?

Wednesday, March 27, 2013

Friday, March 22, 2013

Narrowcasting: Making the world a smaller, and dumber place

I’m noticing that the new Yahoo is starting to present news items and stories based on past clicks. This totally kills the serendipitous discovery of interesting stories. The last thing I need to see are articles that don’t broaden and add depth to what I know, or think I know.

Regardless of their algorithmic cleverness, I doubt Yahoo, Google, Amazon and their ilk know me well enough. When's the last time you acted on one of their recommendations?

Wednesday, March 20, 2013

NATO cyberwar manual: Civilian hackers can be targets

Salon reports that the handbook is first attempt to codify how international law applies to state-sponsored online attacks.

Use kinetic force against cyber aggressors? Yes! Make the cost of playing too dear.

Tuesday, March 19, 2013

Wednesday, March 13, 2013

Cyber attacks and cyber espionage have surpassed terrorism as the top security threat

According to a Reuters report, intelligence officials said for the first time on Tuesday that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the United States.

... until the next terrorist attack.

A DDoS attack on Chase yesterday prevented access to the website, including by me. So far, the Chinese have not been blamed.

Tuesday, March 5, 2013

Leaky Apps and Cloud Data Insecurities Are the New Corporate Norm

London, March 5, 2013 – Commenting on a  New York Times story about the governance issues that portable devices and their leaky apps create for companies, Varonis Systems  says that mobile access to cloud-based data - and replication to the device itself - has become the new corporate norm. “Organisations are losing track of where their critical data is stored, so controlling, monitoring and auditing that data is becoming more and more difficult. IT must be able to offer the functionality that its end users need to collaborate, but without losing control”, says David Gibson, VP of Strategy with the data governance specialist.

"I've actually lost count of the number of times this New York Times business editorial references leading edge IT concepts such as apps and cloud services, but the reality is that - as witnessed by the business pages this article appears - this really is the new norm. This creates a raft of security headaches in the shape of unsecured devices, as well as the aforementioned leak apps and cloud services. And it's against this backdrop that critical data needs to be identified, managed and protected with an effective data governance platform - without hindering employees’ work," he says.

"I think it's very revealing that the NYT feature notes that, even without proof of compromised accounts, data losses can prove costly in terms of money and reputation - especially given that the US Securities and Exchange Commission mandates that data leaks caused by unsecured devices, leaky apps or poor cloud security, must be announced publicly if the information potentially affects a company’s share price," he added.

Tuesday, February 12, 2013

TV station hacker warns of zombies in Montana

The Walking Dead? Really? The scary thing about this is "The Great Falls Tribune reports the hoax alert generated at least four calls to police to see if it was true."

Seems like something Orson Welles might do, although he wouldn't have had to hack in because he already had access to the airwaves. I guess people today are just as guiible as people in the 1930s.

Wednesday, February 6, 2013

Pentagon to Expand Cyber Force

And it's on!

Pentagon to Drastically Expand Cyber Force

As Adam B. Lowther, a Research Professor at the Air Force Research Institute and co-author with Panayotis A Yannakogeorgos of "Conflict and Cooperation in Cyberspace: The Challenge to National Security," to be published by Auerbach in August 2013, said, "With governments and societies believing that cyber attack is something less than an act of war, it should come as no surprise that President Obama is preparing for what may be the opening salvo in America's next confrontation. In fact, it may be the United States that attacks first. Given the cyber vulnerabilities of American society, preemption may be the only option."

Thursday, January 24, 2013

Iran as Latest Cyberthreat. Payback's a Bitch.

This article quotes  the head of the Air Force cyber command on Iran's growing cyberthreat.

Well, the Air Force has its cyberwarriors, and wants more, so it stands to reason all our enemies and frenemies want the same. Iran's already hit the financial sector.  Only 17 critical infrastructure sectors  left to go.

Friday, January 18, 2013

Researchers Expose New Vulnerabilities in the Security of Personal Genetic Information

The NY Times covered this story today, too. Basically, using public information, they we able to match people to their DNA.

Here's an interesting demonstration on how this can be done.

This is scary for a lot of reasons, not least of which is health insurance and employment. Forget HIPAA. Your life is an open book. Be worried. Be very worried.

We have two books publishing soon that address this.
The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan publishing on February 25, 2013 and Guide to the De-Identification of Personal Health Information by Khaled El Emam publishing on April 29, 2013.