In Keyloggers: Why Banks Need Two-Factor Authentication I described how some banks in Asia use SMS-based one-time-passwords (OTP) to authenticate on-line transactions. I followed up with The Magical ATM Card and SMS Message in Thailand where I described how one airline company in Thailand is fighting back against credit card fraud using an SMS PayCode coupled with an ATM transfer to pay for booked flights. More and more banks in Asia are offering anti-fraud services for users where they receive an SMS message that details any change in their account balance and/or point-of-sale (POS) transaction with both debit and credit... Read more →
« July 2008 | Main | September 2008 »
Posts from August 2008
30 August 2008
Fraud Detection and SMS-Based Transaction Notification Services
Posted by Tim Bass on 30 August 2008 at 03:17 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
27 August 2008
Securing DNS Servers
Introduction The Domain Name System (DNS) is vital to the Internet, providing a mechanism for resolving host names into Internet Protocol (IP) addresses. Insecure underlying protocols and lack of authentication and integrity checking of the information within the DNS threaten the proper functionality of the DNS. The DNS plays a critical role in supporting the Internet infrastructure by providing a distributed and fairly robust mechanism that resolves Internet host names into IP addresses and IP addresses back into host names. The DNS also supports other Internet directory-like lookup capabilities to retrieve information pertaining to DNS Name Servers, Canonical Names, Mail... Read more →
Posted by Alexandre Cezar on 27 August 2008 at 12:04 PM in IT Security | Permalink
|
Comments (1)
Firefox's Bold Move
The blog at Pingdom.com discusses the change Firefox made recently to how it reacts to invalid certificates. Actually, the post is more concerned about how the user will react to this change, because now when Firefox (version 3.01) comes across a page using SSL with an invalid certificate (expired, non-FQDN used, etc.) the user gets the very user-unfriendly error "Secure Connection Failed. [site address] uses an invalid security certificate." It isn't a warning in a small pop-up window or a bar at the top that is easily dismissed. No, this is an in-your-face, impossible to ignore, error. Which, I think,... Read more →
Posted by Don Franke on 27 August 2008 at 08:07 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
26 August 2008
Proving the Value of Qualitative Risk Assessments
Qualitative risk assessments are a cornerstone security management tool. This type of assessment process is characterized by estimates of asset values, threats, vulnerabilities, and costs from anticipated exposures. Risk management frameworks are a way for managers to determine where to allocate resources when risk is at an unacceptable level. It is a process which relies heavily on the opinions, suppositions, and hunches of its participants. It is not formal, in the mathematical sense, and is very subjective. Essentially, it cannot be measured. It is fascinating that qualitative risk assessments are accepted with little opposition when their results are based on... Read more →
Posted by Sean M. Price on 26 August 2008 at 02:40 PM in Risk | Permalink
|
Comments (0)
|
TrackBack (0)
25 August 2008
Processes Matter
A familiar refrain of any user that has dealt with IT security is "it wouldn't be security if it didn't get in the way." Even though that's exactly the point--to prevent certain users getting at certain things--to most users these processes are just nuisances to get around, making users feel like a mouse in a maze. An unfortunate consequence of these restrictions is the occasional user who gnaws through a wall to make a short cut to the cheese (or in this case bypass a security process to get access to an IT resource). For example, at a large organization... Read more →
Posted by Don Franke on 25 August 2008 at 08:47 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
24 August 2008
The Looming Dangers of Security Vulnerability Sensationalism
I am feeling a bit "long in the tooth" today, because like many of our honorable colleagues here at the (ISC)² blog, I remember computer security before there was an (ISC)² and before there was a World-Wide-Web. Yes, there was security professionals before terms like "firewalls" became popular, believe-it-or-not. Back in "the old days" we had to set up sniffers on both sides of a router to figure out how to set up access control lists. If we needed to change the passwords on all our network devices when someone left our "big telecom company" we launched a shell script,... Read more →
Posted by Tim Bass on 24 August 2008 at 11:15 AM in IT Security, Risk, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
22 August 2008
A message from the Executive Director
Hello, I'm Hord Tipton. As the new executive director of (ISC)², I would like to first express how honored I am to be leading the world's preeminent group of information security professionals. This is a very exciting time in (ISC)²'s history. As we approach our 20th anniversary as an organization next year, I hope to build on the tremendous success (ISC)² has experienced in recent years and increase awareness beyond the security community about the contributions that you, the member, and our organization as a whole, offer each and every day in order to make the cyber world a safer... Read more →
Posted by Hord Tipton on 22 August 2008 at 05:03 PM | Permalink
|
Comments (0)
|
TrackBack (0)
20 August 2008
Security metrics: more is not better
I've been fascinated by the issue of measuring and improving information security management practices and controls for several years now and despite thinking long and hard about security metrics, I'm still not confident that I even fully understand the problem let alone have anything like a solution. But, that said, it's hard not to poke holes in security metrics proposed by others, usually because most of those who gets into metrics seem to end up creating tedious lists of "Security Things That Can Be Measured" (STTCBM), as if that was what was needed. It isn't. Take for example a recently-updated... Read more →
Posted by Gary Hinson on 20 August 2008 at 03:17 AM in IT Security | Permalink
|
Comments (4)
|
TrackBack (0)
11 August 2008
CNN phishers trawl for victims
Many of us have seen a slew of spams over the past week or so claiming to be a new service from CNN giving links to top 10 stories. Here's one I received today: These are spams associated with malware-infecting websites. Somone is trawling the Internet for gullible victims. To those of us who are sufficiently alert and aware, there are several warning signs. Since you are interested enough in information security to be reading this blog, I doubt you need the hints but anyway I've numbered the clues in the email above (needless to say, the spammer didn't provide... Read more →
Posted by Gary Hinson on 11 August 2008 at 05:53 PM in Malware | Permalink
|
Comments (0)
|
TrackBack (0)
09 August 2008
Cybersecurity Law in Thailand Criminalizes Noncompliance with Archiving Requirements
On 18 July 2007 a new law became effective in Thailand known as the Computer-Related Crime Act B.E. 2550 (A.D. 2007). The law, specifying criminal penalties for computer misuse, is similar to computer crime act (“CCA”) legislation in other countries. However, the CCA in Thailand goes substantively further, specifying all businesses that provide Internet access or Internet-related content to their employees or customers must maintain evidence that authenticates online activity to an individual. In addition, businesses must retain and maintain those records for not less than 90 days. There are criminal penalties, including prison and fines, for noncompliance. On 21... Read more →
Posted by Tim Bass on 09 August 2008 at 01:39 PM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
08 August 2008
Malware trends
The anti-malware company I work for has just published its half-yearly report on threat trends, based on automated malware tracking systems. Already I hear the more cynical among you muttering "Aha! Product pitch!" and, of course, this kind of document does have a marketing purpose. However, at 50-odd pages, it's a bit more than a press release, and many of those pages actually consist of near-raw localized data (included for the benefit of our distributors). All that aside, there are some conclusions that may interest you. Well, they interested me - just as well, considering how long I spent on... Read more →
Posted by David Harley on 08 August 2008 at 11:01 AM in IT Security, Malware, Software Development | Permalink
|
Comments (1)
|
TrackBack (0)
06 August 2008
Primary Lessons Learned from the TSA Laptop Mess
Last Christmastime, I was walking around Reagan National Washington Airport. I walked by a booth for the Clear program. I asked about the program which promises to help you clear security at the airport in much less time if you provide your personal information so the TSA contractors can conduct a background check. Since I already had a Top Secret security clearance, I thought it would be no problem. However, I had some nagging doubts and decided that I should wait and see how the program works out. Fortunately for me, I trusted my instincts. Yesterday, I read the e-mail... Read more →
Posted by John Dittmer on 06 August 2008 at 04:54 PM in Insider Risk | Permalink
|
Comments (3)
|
TrackBack (0)
Search
Categories
- (ISC)² Chapters (22)
- (ISC)² Events (159)
- Center for Cyber Safety and Education (52)
- Cloud Security (132)
- Cybersecurity Certifications (376)
- Cybersecurity Training (310)
- Cybersecurity Workforce (242)
- Digital Forensics (29)
- Ethics (52)
- Government (123)
- Insider Risk (56)
- IT Security (372)
- Legal (45)
- Malware (112)
- Network Security (175)
- Operations Security (140)
- Privacy (116)
- Ransomware (83)
- Risk (195)
- Software Development (44)
- Spotlight (71)