Latest Posts


From the Web

Heartland Payment Systems Reports Third Quarter Financial Results

November 03, 2009 from: Office of Inadequate Security

Heartland Payment Systems, Inc. announced a GAAP net loss of $13.6 million or ($0.36) per share for the three months ended September 30, 2009. Results for the quarter are after $35.6 million (pre-tax), or $0.59 per share, of various expenses, accruals and reserves, all of which are attributable to the processing system intrusion, including charges related to settlement offers made by the Company i...

Comments  (0)


From the Web

Man charged with developing and distributing cable network hacking tools

November 02, 2009 from: Office of Inadequate Security

Charges were unsealed in federal court in Massachusetts against an Oregon man and the company he founded, TCNISO, alleging that they developed and distributed products that allowed users to modify their cable modems and obtain internet access without paying for it.

Comments  (0)

A3e8b5e0becdbfb1b1c706b452b6c388

Road Map for an Application/Software Security Architect (Part 2)

November 02, 2009 Added by:Stephen Primost

Vulnerability testing at the acceptance stage of an application's Software Development Life Cycle (SDLC) will not compensate for the lack of an understanding of what is being done during the software development even though you may not have control over the development efforts. You need a plan that puts those controls in place and allows that governance. Ignoring vulnerabilities will not prevent b...

Comments  (0)

70e177868d7bc383ce3ea10b6f976ada

Searching for Return on Security Investments

November 02, 2009 Added by:Andrew Baker

There are several major challenges to the successful implementation of good information security in many organizations today.  It is not because business owners do not think that security is important.  No, the issues exist because they do not grasp the complexities that embody the Information Security profession, and thus make decisions that fail to account for the many nuances of a pro...

Comments  (5)


From the Web

Report: Data Breaches Hike Fraud Risk 400%

November 02, 2009 from: Office of Inadequate Security

Because data breaches have become such commonplace incidents, there is concern that people have become desensitized to the potential harm they face upon receiving a notification letter from an organization informing them that sensitive information has been lost or misappropriated.

Comments  (0)

6f611188ad4a81ffc2edab83b0705d76

A Loss of One of Our Own

October 29, 2009 Added by:Sandra Avery

I am still shocked and saddened by the very sudden loss of David Taylor, founder of PCI knowledgebase.  David passed away on Tuesday after suffering a sudden heart attack. Those of us who have anything to do with PCI compliance either know or know of David Taylor.

Comments  (1)

B32b392ce3a707f05f4838c48c67d9cf

Good enough security?

October 29, 2009 Added by:Christopher Hudel

We have had 802.1x -- CISCO + Active Directory Integration --  in place for over a year know and it is largely a success; windows systems automatically obtain machine certificates (machines automatically receive certificates when they join the domain), supplicants exist for our IP Phones, and those devices (i.e.: printers)  that are currently incapable of 802.1x are split off in a tightl...

Comments  (2)

B038fefd7a19c26505d1f0671609d8ce

IT Security - Defense in Depth Protection using a Data-centric Model

October 29, 2009 Added by:Mike Cuppett

Start aligning your security strategy to better protect your organization's most critical asset - data. While many security proponents lean toward an outside-in strategy - protect every computer in the company from the outside world first - we really need to understand that the data is the asset that must be protected first and foremost.  The outside-in strategy starts at a macro level and ov...

Comments  (5)


From the Web

Judge: FTC Cannot Make Lawyers Comply With Identity Theft Laws

October 29, 2009 from: Office of Inadequate Security

The Federal Trade Commission cannot force practicing lawyers to comply with new regulations aimed at curbing identity theft, a federal judge ruled today at the U.S. District Court for the District of Columbia.

Comments  (1)


From the Web

CalOptima Reports Potential Loss of Patient Claims Information (updated)

October 29, 2009 from: Office of Inadequate Security

ORANGE, Calif. (October 23, 2009) – CalOptima has identified the potential loss of past medical claims information for approximately 68,000 of its members that was stored on electronic media devices.

Comments  (0)


From the Web

Black Box vs White Box. You are doing it wrong.

October 28, 2009 from: Jeremiah Grossman's Blog

A longstanding debate in Web application security, heck all of application security, is which software testing methodology is the best -- that is -- the best at finding the most vulnerabilities. Is it black box (aka: vulnerability assessment, dynamic testing, run-time analysis) or white box (aka: source code review, static analysis)? Some advocate that a combination of the two will yield the most ...

Comments  (1)

14a516a8718c6b0a09598ac4f2777124

Why Infosec Languishes, Part II

October 28, 2009 Added by:Jim Anderson

Although external forces including economic downturn and market specific slowdowns do have their impact, these external forces alone often cannot explain why information security makes so little progress.   This phenomenon is often true even in situations where senior infosec leadership is experienced, holds multiple certifications, and otherwise commands an excellent grasp of the multip...

Comments  (0)


From the Web

Former Wachovia employee convicted of bank fraud and aggravated identity theft

October 28, 2009 from: Office of Inadequate Security

Juan Rombado, a former Wachovia Bank employee, has been convicted of bank fraud and aggravated identity theft arising from several schemes aimed at defrauding his employer through the theft of customer identities, United States Attorney Tim Johnson announced. Indicted and arrested in August 2009, Rombado pleaded guilty to both counts before United States District Judge Vanessa Gilmore.

Comments  (0)


From the Web

Coalition for Patient Privacy Calls on HHS to Repeal the Breach Notification Rule

October 28, 2009 from: Office of Inadequate Security

The Coalition for Patient Privacy urges the Department of Health and Human Services to revise and repeal the interim final rule (IFR) establishing requirements for notification of breaches of unsecured protected health information.

Comments  (0)

C7159a557369b66632c4b54bf746b69e

Sun Tzu quotes from The Art of War compared to Information Security

October 26, 2009 Added by:Sean Inman

I just finished up this great book The Art of War, by Sun Tzu.  There are many different versions the one I read was “The Art of War for Managers; 50 Strategic Rules”.  I wanted to share some quotes from Sun Tzu and how I think they tie to Information Security.

Comments  (0)

A3e8b5e0becdbfb1b1c706b452b6c388

Road Map for an Application/Software Security Architect (Part 1)

October 26, 2009 Added by:Stephen Primost

With the level of security concerns about security, it is interesting that there is not more concern with a holistic focus on application security. Numerous articles are citing chilling statistics about security breaches, with the majority (some use the figure of 80%) being related to applications. It is not for lack of information as to what constitutes an “application problem”. One j...

Comments  (2)


From the Web

Whitehouse Drupal and The Open Source Security Model

October 25, 2009 from: Rsnake's blog at ha.ckers.org

Have you heard the news? The Whitehouse has decided to go open source. They have decided to switch from their own proprietary in-house CMS system to Drupal. You heard me right, Drupal. The same Drupal with 12 pages of vulnerabilities at OSVDB since it’s inception. I’m sure this made the Open Source community jump for joy, but I see this as a big mistake if you take it on face value and...

Comments  (0)

8d04c13e080ecc73656118e7650fbb4c

Lies, Damn Lies, Statistics & Risk Management

October 24, 2009 Added by:Todd Zebert

Past willful risky behavior, and then outright foolishness, we have Risk Mismanagement. We’ve all head the quote “Lies, damned lies, and statistics” (author unknown) with its intention that statistics can be used to lie persuasively or lend credence to otherwise suspect arguments. With Risk Management we’ve layered Management on top of statistics - this is where things can ...

Comments  (0)

7fef78c47060974e0b8392e305f0daf0

GFI: Combating Spam

October 22, 2009

A series of interesting whitepapers from GFI on combating SPAM from the enterprise level. Many of these concepts have been best-practice recommendations for years, yet many email and anti-SPAM packages fail to implement them properly.

Comments  (0)


From the Web

LifeLock barred from placing fraud alerts in Experian settlement

October 22, 2009 from: Office of Inadequate Security

LifeLock Inc. and Experian Information Solutions Inc. have settled their lawsuit, and the agreement permanently blocks the original process LifeLock used to protect its clients.

Comments  (0)