InsecureID: No more secrets?

Update — Though I chose to keep secret the identity of the defense contractor to limit the damage, it was subsequently revealed by Reuters to be Lockheed-Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.

Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years […]

Til death do us part: Sony and the credit card companies

Remember, after the recent earthquake and tsunami in Japan, those stories about wallets filled with money being found and turned in to the authorities, still stuffed with cash? That’s one positive aspect of Japanese culture, but does it also make them too trusting? Sony’s loss of first 77 million customer records and now another 24.6 million suggests that may be the case. A society with low crime rates and comic book criminals screams of unsophistication, which was confirmed for me this week when I heard from a reader who is a payment system auditor. He looks inside Japanese institutions and often doesn’t like what he sees.

“For whatever reason (low crime […]

Sony may be clueless in PSN hack

Sony’s huge PlayStation Network (PSN) has been down for a week now following the theft of ID and credit card data on some or all of the gaming and video entertainment network’s 77 million customer accounts. Readers have been asking for comment, but I stay out of these things unless I have something new to contribute. That something finally comes a week into the crisis, as gamers begin to wonder why the network is still not back in operation and speculate on what this all means to Sony. It’s a huge loss of face, of course, but beyond that the damage to Sony is minimal. And the upside for PSN members, […]

The Epsilon Syndrome

Like a lot of you, this week I received several messages telling me my e-mail address had been stolen from a company called Epsilon that provides mass e-mail services to many giant corporations. At the end of this post you’ll find what I believe is the latest list of companies affected. I have heard from four of these companies so far — Best Buy, Chase, Hilton, and Ritz-Carlton, which is interesting because I don’t recall having even stayed at a Ritz-Carlton. From a look at the master list below I’m surprised I haven’t yet heard from Verizon, where I am also a customer. The point of this post isn’t just to print a list of […]

Access Denied: How to Defend Your Systems from an Inside Job

Last week a story broke about a former Fannie Mae IT contractor accused of planting malicious code that would have taken down systems and destroyed data right at the epicenter of today’s global financial crisis. The accused former employee has since surfaced claiming innocence, so I prefer not to go into that specific case but rather use it to consider the likelihood that similar crimes could take place in other companies.

Well of course the probability is 100 percent simply because similar crimes HAVE taken place in other companies. It happens all the time at an annual cost of BILLIONS.

IT crimes go grossly under-reported because they are so embarrassing to their victims […]