Why do people commit crimes?

The president of a prospect was recently discussing with us whether Oracle IRM (information rights management)  was a good way of preventing data loss, and a viable alternative to a DLP (data loss prevention) system. Rights management would appear at first blush to be orthogonal to data loss prevention but it’s an interesting question that […]

Reporting to a management board that doesn’t want to listen

Like the warnings on cigarette packets – whistle blowing may be hazardous to your health. HBOS chief risk officer Paul Moore blew the whistle on the bank’s risk exposure and lost his job. Last week, the UK Treasury Select committee heard allegations from  Moore ( who was sacked by Sir James Crosby in 2005) – […]

A strategic inflection point in the security industry

Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder. Inside a strategic inflection point of change, the people inside the system are not […]

Microsoft browser vulnerabilities and the police

The Polish Police did an IT modernization project in 2008 for installing mobile terminals in police cars. The software in the mobile terminal uses Microsoft IE. Since the mobile terminals use Microsoft IE – it should be possible to attack the mobile terminal using one of the known IE software vulnerabilities

Business threat modeling

These are dangerous times for a business. Every day brings another threat. The sub-prime crisis, the crash of world financial markets, the price of oil (going way up and now going down again), an impending crash of the US sub-prime credit card market (like how long can you charge 35% over the top interest rates?), […]

To write secure code, you do have to think like an attacker

A security checklist for a developer might make it look like writing secure code is kids stuff, but even kids think like attackers sometimes. Microsoft are doing some interesting work on SDL – Secure Development Lifecycle. I’m just not sure I agree with dumbing it all down to a checklist and letting developers work without […]

When should you encrypt email?

A while back, a colleague asked me what is the best way to encrypt internal email. My first question to him was – what is the threat,  who is  the attacker and what is the asset you are protecting? Are you trying to encrypt business communications between employees and vendors/customers to protect from eavesdroppers or […]

Automated hacking of Joomla Web sites

A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice. If you’re running Joomla 1.5 you may have noticed queries of the sort  “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of […]

The physics of risk assessment

Quantity or quality –  that is the question! There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business. The qualitative people say that since it is impossible to estimate risk as an absolute number such as  “87 percent […]

Credit card security franchise available

just saw a post  from a month ago by Jeremiah Grossman from White Hat Security on his blog PCI-DSS references the outdated OWASP Top Ten There are actually a number of more serious technical issues with PCI DSS 1.1 than using the OWASP Top 10 from 4 years ago. Note the definition of vulnerability management […]