In previous posts "Security quotes : a FSB (successor to the KGB) analyst on Google Earth", "Suri Pluma - a satellite image processing tool and visualizer", "The "threat" by Google Earth has just vanished in the air" I talked about various issues related to satellite imagery and security.
Moreover, I'm also actively covering various emerging Space Warfare issues, and with the recent speculation that the Okno ELINT complex in Tajikistan is becoming Russian and different "schools of thought", there's a lot to come for sure. Google Maps/Earth did not only restart the real estate industry, it made the world a smaller place, a more competitive one, and hopefully a safer one if security counts here.
As of today, I decided to start posting a weekly section, the "Travel Without Moving" series, presenting interesting and publicly obtained imagery of sights that somehow made an impression on me. The other day I came across (perhaps scraped by now) Typhoon Class Submarines at GoogleSightseeing.com -- the largest and quietest types of submarines.
That's perhaps the perfect moment to mention the cool pictures of a Soviet Underground Submarine Base, the Nuclear Submarine Base at Balaklava, described as: "Until the collapse of the Soviet Union in 1991 Balaklava was one of the most secret towns in Russia. 10km south east of Sevastopol on the Black Sea Coast, this small town was the home to a Nuclear Submarine Base." Take a tour for yourself!
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Thursday, May 04, 2006
Travel Without Moving - Typhoon Class Submarines
Tags:
ELINT,
Google Earth,
Google Maps,
IMINT,
Information Security,
OSINT,
Russia,
Russian Submarine,
Security,
Space Warfare,
Travel Without Moving
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, May 03, 2006
Biased Privacy Violation
This is a very interesting initiative, going beyond the usual MySpace teen-heaven privacy issues and directly exposing the mature audience in a way I find totally biased. Girls writing stories about men that supposedly cheated on them. DontDateHimGirl.com aims to:
"DontDateHimGirl.com is an online resource for women who have shared the experience of dating a no-good man! Browse our search engine of alleged cheaters, liars and cads right now! This controversial site has been featured on MSNBC, the Today Show, ABC News, CNN and Entertainment Tonight! There is finally a way for women to check a guy out BEFORE dating, marrying or otherwise committing to him! Warn other women about the men who have cheated, lied or used you! Register and become a member today! You'll receive our free newsletter and other valuable goodies! It's fast, easy and best of all, it's free! You'll be doing your sisters around the world an invaluable service! Don't Date Him Girl!"
Basically stuff like "post a cheating man", "search for a cheating man", or browsing through the 3593 ones already "categorized" as cheaters, with personal stories and photos whenever available. What I feel they shouldn't do is aggregate that kind of community-powered personal details for third parties and make it searchable. Some stories are pretty fun and average enough to make you think:
"Quite a charmer in the beginning, as all guys tend to be. Called me beautiful, gorgeous.. kissed my forehead.. He did all the right things. He could do no wrong. We "dated" for a good 6 months, and things seemed to be going good. He was the love of my life. Lots of firsts with him, then he did a total 180. He stopped calling and didn't respond to my phone calls and/or messages. I was so distraught. I thought I did something to fuck things up. "
Perhaps she did, didn't she?! Still, that's entirely between them given they actually respect each other.
Don't get me wrong, there are pathological polygamists, but what's next, Local Google Maps to pinpoint the cheating areas around town?
To balance the powers, and make it even worse, there's even a DontDateHerMan.com coming along, but try not to bring your personal life to such an end, or is it just me? :)
Tuesday, May 02, 2006
April's Security Streams
Hi folks, it's about time to quickly summarize April's Security Streams. As of today, my blog is officially six months old, and the feeling of witnessing change and improvements has always been a pleasant one. Blogging "my way" takes a lot of time, that is, posts going beyond "preaching" and emphasizing "teaching", a little bit of investigative research, full disclosure, and constructive key points on emerging or possible future trends related to infosec. Thanks for everyone's feedback, and for actually reading, not just going through my posts, as far as the average visitor's time spent is concerned!
1. "Wanna get yourself a portable Enigma encryption machine?" Already sold, but auctioned on eBay; it's remarkable how the seller managed to preserve an original Enigma in such a condition, and the bids were worth it!
2. "The "threat" by Google Earth has just vanished in the air" Coming across Microsoft's Windows Live Local Street-Side Drive-by provoked contradictory thoughts, so I decided to sum up recent ideas on the issue. The use of public satellite imagery for conducting OSINT is inevitable, while on the other hand the providers are simply making the world a smaller place. It is also questionable whether potential terrorists are "abroad" or within the countries themselves, that is, knowing each and every corner of a possible "attack location", but with the ability to syndicate and share maps it would be naive not to think that the way you chat, they also do, and the way you plan activities while "zooming out", they also do. At the bottom line, snooping from above might actually deal more with self-confidence than anything else. Have an opinion? Feel free to comment on the topic.
3. "Insider fined $870" Virtual worlds are emerging, and so are security techniques to steal someone's sword, be it through insiders, phishing, or trojan horse attacks. What's important to keep in mind when it comes to insiders is that on the majority of occasions you are never aware that there's a potential breach on its way, and moreover, that the quantitative losses due to insiders are totally based on a company's sales projections, rather than on successfully (if one can) measuring the value of intellectual property.
4. "Securing political investments through censorship" We constantly talk about how the Internet is changing our daily lives, our attitudes, and giving us the opportunity to tap into the biggest think-tank in the world -- on the majority of occasions for free. Internet censorship is still a very active practice by well-known regimes, and this post was trying to emphasize the current situation - securing political investments through censorship.
5. "Heading in the opposite direction" Companies and financial institutions are the most frequent targets of phishing attacks, and it's getting hard for them both to convince their users and society that they're working on fighting the problem, and, most importantly, to figure out where the real problem is and how to fight it. In this post, I try to emphasize that building Bank2Customer communications over a broken channel, email, is the worst possible strategy you could start executing. The irony here is how both phishers and any bank in question may sometimes be using images stored on the bank's server -- altogether!
6. "IM me" a strike order" It's a common myth that the military has come up with an Über secret and secure communications network, going beyond the Internet. And while there are such networks, they all suffer the same weaknesses, lack of usability and budget deficits compared to IP-based communications, that is, the Internet. The post goes through research surveys on IMs in the military, and tries to bring more awareness on how age-old IM threats can easily exploit military IM communications as well.
7. "Catching up on how to lawfully intercept in the digital era" On a daily basis we discuss security breaches, threats and privacy violations, while constantly missing the fact that there's a practice called lawful interception, namely that even if the NSA's domestic spying program got so much attention and concern, it doesn't mean they aren't going to continue keeping themselves up to date with what is going on wherever OSINT, SIGINT and HUMINT are applicable. The bottom line is that a person behind a CCTV camera network is also under surveillance, so I advise you to go through a very good resource on the topic, the Surveillance and Society Journal.
8. "On the Insecurities of the Internet" IP spoofing by default, DNS and BGP abuses, and Distributed Reflection Denial of Service attacks are among the ones worth mentioning, while perhaps the biggest insecurity lies in the fact that the Internet we're all striving to adapt for e-commerce and e-business was developed as a scientific network that we got used to so fast.
9. "Distributed cracking of a utopian mystery code" Continuing the "distributed concepts" series of posts, this one deals with virtual worlds, and a wise idea on how to keep the players coming back for more -- let them even bruteforce the next part of the puzzle
10. "Fighting Internet's email junk through licensing" China's Internet population is about to surpass the U.S. one, and it would continue to grow, resulting in China becoming the "novice" king of insecure networks. Trying to centrally control spam so that you can control the flow of traffic going out of and coming into the country is a typical, but weak, approach that could have worked years ago, as no one needs a mail server to generate spam or phishing attacks these days. In respect to their concerns about users learning more about infosec, in China a cyber dissident is a heroic potential hacker, one that can easily bypass the Great Firewall and spread the word on how it can be done. As a matter of fact, PBS has done an outstanding job in their Tank Man episode, and while many considered the Chinese students unable to recognize the infamous photo, what they were actually afraid of is showing a facial gesture that they indeed recognized it -- as they did of course.
11. "Would somebody please buy this Titan 1 ICBM Missile Base?" I think the buyer of this base should have better thought of what he's buying, or let's just say, how on Earth was he expecting to break even given he missed the post-Cold War momentum itself? It's indeed a once in a lifetime purchase that you would think twice before not purchasing, and so I hope the auction would continue to attract visitors the way it is -- high profit margins whenever the momentum is lost is a "lost case" by itself.
12. "Spotting valuable investments in the information security market" An in-depth post on current market and vendor trends, as well as more info on the now fully realistic acquisition of SiteAdvisor by McAfee, something I blogged about in January. It's great to know that both parties came across the posts themselves, and to witness how such a wide-scale community-powered, but still technology-backed, startup got so easily acquired. What the acquirer must now ensure is that it doesn't cannibalize the culture at SiteAdvisor -- an "every day is a startup day for us" type of attitude is a permanent generator of creativity and attitude.
13. "Digital forensics - efficient data acquisition devices" A resourceful post mentioning the release of the CellDEK; no, it's not a portable DJ one, but an acquisition device supporting over 160 cell phone models and having the capacity to acquire data from numerous devices simultaneously. Virtual cyber crime is all about quality forensics, whereas different legislations and approaches for gathering and coordinating such data across various countries remain a problem.
14. "The anti virus industry's panacea - a virus recovery button" Try to get this on the Super Bowl and watch a generation falling for the lack of complexity in this "solution". Gratefully, I got many comments from readers with cheers on mentioning this, and on how useless the button is at the bottom line.
15. "Why's that radar screen not blinking over there?" Quite some sites picked up the story, yet we can always question it, and then again, so what? In a crucial situation a scenario like this could prove invaluable for the final outcome, but right now it's just a PR activity from the other side of the camp. Symmetric warfare is a tangible defensive/offensive concept, whereas asymmetric warfare is fully capable of balancing powers -- to a certain extent, as no matter how much NCW you put on the ground, you would still need "tangible" forces on the finish line.
16. "25 ways to distinguish yourself -- and be happy?" A little bit of self-esteem is never too much and that's what these series can help you with
17. "Wild Wild Underground" An in-depth summary of some findings I intended to post for quite some time, but didn't have the time to. If you just take some time to rethink it, you would hopefully realize that a guy like this is capable of recruiting people who actually come up with their own algorithms -- beyond their will in one way or another. Moreover, responding to comments I received: of course I did report the links, which are now down, as well as some of the forum posts I managed to dig up. Ryan1918 is rather active though.
18. "In between the lines of personal and sensitive information" Government reclassification of documents isn't the most pragmatic way, as these have already been online once; therefore someone out there still keeps a copy, and is now more than ever motivated to disseminate it, given that someone is trying to censor it. I feel that a common structure for the different types of information, formal training for those dealing with that type of info, etc., and putting in place risk management solutions, considering that humans are totally not to be trusted (are computers?), is a way to mitigate these risks. Trying to censor something, you end up making it even more popular than it could have been without you censoring it, just a thought.
19. "DIY Marketing Culture" Personalization and Customization are emerging by default, and so is virtual viral marketing. In this post I mention the possibility to get your own custom MMs, and FireFox's FireFlicks initiative
20. "A comparison of US and European Privacy Practices" You can rarely come across an infosec survey with well-formulated questions, ones that are the basis of a quality one. I think this company did a very good job in formulating and summarizing the outcome of a very trendy topic.
Updated to add the averages for each month since I've started tracking my readers, looks nice, and in case you're interested you can also go through the summaries of previous months.
Tags:
Anonymity,
Censorship,
Cyber Warfare,
Cyberspace,
Free Speech,
Information Security,
Information Warfare,
Internet,
Internet Censorship,
Privacy,
Security
Thursday, April 27, 2006
A comparison of US and European Privacy Practices
A new study on "US and European Corporate Privacy Practices" was released two days ago, and as I constantly monitor the topic, knowing the EU's stricter information sharing and privacy violation laws compared to the U.S., I thought you might find this useful. To sum up the findings:
"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice. Still at the "sharing sensitive information is bad" promotional stage, I feel the research reasonably points out the lack of a systematic technical approach; bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of developments, I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices -- slowly, but steadily gaining ground.
"But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice." - structured implementation on a technical level, that is, people auditing networks and being accountable in case of not doing so, and privacy policies by default. A little something bringing more insight from the Safe Harbor framework:
"The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin."
Of course there are differences, and there should always be, as they provoke constructive discussions, but among the many well-developed survey questions, some made a quick impression on me:
"Is there a process for communicating the privacy policy to all customers and consumers?" Europe - 33%, United States - 69%
"Is privacy training mandatory for key employees (those who handle, manage or control personal information)?" Europe - 22%, United States - 62%
"Do you use technologies to prevent unauthorized or illegal movement or transfer of data or documents?" Europe - 17%, United States - 45%
"Will the company notify individuals when their personal information is lost or stolen?" Europe - 33%, United States - 62%
Perimeter-based defenses naturally dominate as a perception of being secure; still, I feel that the growing infosec market and IT infrastructures in both the U.S. and Europe would continue to fuel the growth of new technologies and also result in more informed decision makers -- at the bottom line it's always about a common goal and better information sharing.
"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice. Still at the "sharing sensitive information is bad" promotional stage, I feel the research reasonably points out the lack of a systematic technical approach; bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of developments, I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices -- slowly, but steadily gaining ground.
"But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice." - that is, structured implementation on a technical level: people auditing networks and being held accountable when they don't, and privacy policies by default. A little more insight from the Safe Harbor framework :
"The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin."
Of course there are differences, and there should always be, as they provoke constructive discussions, but among the many well-developed survey questions, some made a quick impression on me :
"Is there a process for communicating the privacy policy to all customers and consumers?" Europe - 33%, United States - 69%
"Is privacy training mandatory for key employees (those who handle, manage or control personal information)?" Europe - 22%, United States - 62%
"Do you use technologies to prevent unauthorized or illegal movement or transfer of data or documents?" Europe - 17%, United States - 45%
"Will the company notify individuals when their personal information is lost or stolen?" Europe - 33%, United States - 62%
Perimeter-based defenses naturally dominate the perception of being secure; still, I feel that the growing infosec market and IT infrastructures in both the U.S. and Europe will continue to fuel the growth of new technologies and also result in more informed decision makers -- at the bottom line it's always about a common goal and better information sharing.
Tags:
Anonymity,
Censorship,
CERT,
ENISA,
Free Speech,
Information Security,
Internet Censorship,
Privacy,
Safe Harbor,
Security
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
DIY Marketing Culture
Problem - big-name advertising agencies and self-forgotten copywriters easily turn into an obstacle for a newly born startup, the same way marketing researchers can easily base your entire service/product development efforts on a single survey's results. Generating content, thinking content is king, trying to sense and understand your customers' needs or where the market is heading for the sake of responding with profitable propositions, is, I think, a self-centered, in-the-box mode of thinking that will cease to exist as customers become more informed.
Solution - Don't get too "product-concept" centered; instead, solve a problem profitably and retain your customers' satisfaction for as long as possible. Let your customers dictate the rules, and perhaps even generate your entire marketing promotional efforts themselves -- literally. Did you know you could get yourself custom printed M&M's? I recently found out I can, and I'm already expecting the packs.
Or consider how Firefox, successfully positioned as a secure alternative to IE, invested pennies in spreading the word about itself. Moreover, a $5000 bounty can indeed promote creativity, given they are comfortable with the idea, and with the 280 user-generated ads at Firefox Flicks I think they did it again -- no wait, their users did it. Take your time to go through the flicks, it's worthwhile.
Question the concepts, rethink them, and disrupt, whatever the outcome.
Tags:
Advertising,
Information Security,
Marketing,
New Media,
Online Advertising,
Online Marketing,
Security
Wednesday, April 26, 2006
In between the lines of personal and sensitive information
In a previous post, "Give it back!", I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across a news item relating to the topic in another way, "States Removing Personal Data from Official Web Sites"; more from the article :
"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."
That's an interesting way to fight the problem from the top, namely personal data security breaches that never stop growing, but I wish they had either come up with the practice by default years ago, or understood today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occurring, or that phishing attacks wouldn't trick people into giving away the complete details. Having implemented a process for securely storing, accessing and transferring such sensitive customer bank data often results in complexities, but using "redaction software" when you could actually take advantage of a risk management solution isn't the smartest move here -- yet again, that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much effort into sanitizing the data before going online with it, when an outsourcer, or an employee whose responsibilities include working with it, will somehow expose it?
Wait, I forgot the naive customer who still takes all the phishing emails received "personally". Don't think SSN and bank account "redaction"; think insiders and storage/database security.
With respect to removing sensitive information from the Web, I feel the inability to successfully classify information and, to a certain extent, balance accountability in front of society generates contradictory responses. If you try to take down a document that has somehow been listed on the Internet or is available in digital format, what you're actually doing is inspiring people to disseminate it, news agencies included, so make sure it doesn't appear there in the first place. Recent cases such as these :
"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"
bring more insight on the issue. It is well known that the entire Chinese information warfare doctrine is backed up by the NCW visions of the U.S. military -- they still have Sun Tzu's legacy though -- and that Al Qaeda's manuals actually quote U.S. military documents. If you know exactly what you're looking for, you will find it one way or another; just make sure information sharing doesn't end up as an information leakage event.
Going beyond achieving the balance between usability, accountability, and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given the reader is actually identified and consequently influenced.
Tags:
Data Breach,
Information Security,
Insider,
Insider Threat,
Personal Data,
Security,
Sensitive Information,
SSN