Latest Posts
From the Web

CalOptima Reports Potential Loss of Patient Claims Information (updated)

October 29, 2009 from: Office of Inadequate Security

ORANGE, Calif. (October 23, 2009) – CalOptima has identified the potential loss of past medical claims information for approximately 68,000 of its members that was stored on electronic media devices.

Comments  (0)


From the Web

Black Box vs White Box. You are doing it wrong.

October 28, 2009 from: Jeremiah Grossman's Blog

A longstanding debate in Web application security, heck all of application security, is which software testing methodology is the best -- that is -- the best at finding the most vulnerabilities. Is it black box (aka: vulnerability assessment, dynamic testing, run-time analysis) or white box (aka: source code review, static analysis)? Some advocate that a combination of the two will yield the most ...

Comments  (1)


Why Infosec Languishes, Part II

October 28, 2009 Added by: Jim Anderson

Although external forces including economic downturn and market specific slowdowns do have their impact, these external forces alone often cannot explain why information security makes so little progress. This phenomenon is often true even in situations where senior infosec leadership is experienced, holds multiple certifications, and otherwise commands an excellent grasp of the multip...

Comments  (0)


From the Web

Former Wachovia employee convicted of bank fraud and aggravated identity theft

October 28, 2009 from: Office of Inadequate Security

Juan Rombado, a former Wachovia Bank employee, has been convicted of bank fraud and aggravated identity theft arising from several schemes aimed at defrauding his employer through the theft of customer identities, United States Attorney Tim Johnson announced. Indicted and arrested in August 2009, Rombado pleaded guilty to both counts before United States District Judge Vanessa Gilmore.

Comments  (0)


From the Web

Coalition for Patient Privacy Calls on HHS to Repeal the Breach Notification Rule

October 28, 2009 from: Office of Inadequate Security

The Coalition for Patient Privacy urges the Department of Health and Human Services to revise and repeal the interim final rule (IFR) establishing requirements for notification of breaches of unsecured protected health information.

Comments  (0)


Sun Tzu quotes from The Art of War compared to Information Security

October 26, 2009 Added by: Sean Inman

I just finished up this great book The Art of War, by Sun Tzu. There are many different versions; the one I read was “The Art of War for Managers; 50 Strategic Rules”. I wanted to share some quotes from Sun Tzu and how I think they tie to Information Security.

Comments  (0)


Road Map for an Application/Software Security Architect (Part 1)

October 26, 2009 Added by: Stephen Primost

With the level of security concerns about security, it is interesting that there is not more concern with a holistic focus on application security. Numerous articles are citing chilling statistics about security breaches, with the majority (some use the figure of 80%) being related to applications. It is not for lack of information as to what constitutes an “application problem”. One j...

Comments  (2)


From the Web

Whitehouse Drupal and The Open Source Security Model

October 25, 2009 from: Rsnake's blog at ha.ckers.org

Have you heard the news? The Whitehouse has decided to go open source. They have decided to switch from their own proprietary in-house CMS system to Drupal. You heard me right, Drupal. The same Drupal with 12 pages of vulnerabilities at OSVDB since its inception. I’m sure this made the Open Source community jump for joy, but I see this as a big mistake if you take it on face value and...

Comments  (0)


Lies, Damn Lies, Statistics & Risk Management

October 24, 2009 Added by: Todd Zebert

Past willful risky behavior, and then outright foolishness, we have Risk Mismanagement. We’ve all heard the quote “Lies, damned lies, and statistics” (author unknown) with its intention that statistics can be used to lie persuasively or lend credence to otherwise suspect arguments. With Risk Management we’ve layered Management on top of statistics - this is where things can ...

Comments  (0)


GFI: Combating Spam

October 22, 2009

A series of interesting whitepapers from GFI on combating SPAM from the enterprise level. Many of these concepts have been best-practice recommendations for years, yet many email and anti-SPAM packages fail to implement them properly.

Comments  (0)


From the Web

LifeLock barred from placing fraud alerts in Experian settlement

October 22, 2009 from: Office of Inadequate Security

LifeLock Inc. and Experian Information Solutions Inc. have settled their lawsuit, and the agreement permanently blocks the original process LifeLock used to protect its clients.

Comments  (0)


Useless Account Control

October 22, 2009 Added by: Sudha Nagaraj

In these days of heightened security awareness, I would think any and every operating system should boast of a robust anti-virus software suite. The fact that Microsoft released its much-awaited and highly proclaimed Windows 7 OS today without built-in anti-virus software continues to puzzle me.

Comments  (0)


A Host of Insecurities about Security

October 21, 2009 Added by: Sudha Nagaraj

Security concerns will continue to dominate the IT sphere for a while. Governments are crying hoarse to put in preventive measures, the security industry is struggling to make up for losses suffered in a recessionary environment, enterprises are growing paranoid about the ‘insider threat’ and the small and medium enterprises are waking up to the need for security management.

Comments  (0)


From the Web

October 2009 Critical Patch Update Released

October 20, 2009 from: The Oracle Global Product Security Blog

Today's Oracle Critical Patch Update (CPU) provides 38 new security fixes across a number of product groups including: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JD Edwards Tools, Oracle WebLogic and Oracle JRockit (formerly from BEA), and Oracle Communications Order and Service Management. Of these 38 vulnerabilities, 19 are re...

Comments  (0)


Mitigating Risks by Leveraging a Core Business Process

October 20, 2009 Added by: Mike Cuppett

When it comes to audits and other compliance requirements - think Sarbanes-Oxley, PCI-DSS, internal and external audits, etc. - people tend to get a bit uptight and flustered. Fortunately, by keeping a calm head and a rational perspective, your reaction to these challenges can be cool and calm, allowing you to leverage a methodology you already know - risk mitigation.

Comments  (0)


From the Web

FTC settles latest charges against ChoicePoint

October 19, 2009 from: Office of Inadequate Security

ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that co...

Comments  (0)


From the Web

Retail sales associates sentenced for role in credit card, bank fraud

October 16, 2009 from: Office of Inadequate Security

Four men from Atlanta, Georgia were sentenced this week by United States District Judge Orinda D. Evans on charges of bank fraud, credit card fraud and aggravated identity theft.

Comments  (0)


From the Web

PayChoice Suffers Another Data Breach

October 16, 2009 from: Office of Inadequate Security

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Comments  (0)


From the Web

DNSSEC + Certs As a Replacement For SSL’s Transport Security

October 15, 2009 from: Rsnake's blog at ha.ckers.org

RSnake discusses the feasibility of using DNSSEC to provide transport-layer security in a more reliable fashion than the current SSL Certificate Authority site authentication model.

Comments  (0)


From the Web

Lawsuit: 29,000 say Kaiser hid security breach

October 15, 2009 from: Office of Inadequate Security

Twenty-nine thousand Kaiser employees say the company did not inform them for more than a year about a security breach that left their personal information vulnerable to thieves. One employee says a woman stole her identity and used it to run up credit-card charges and “commit crimes across the country.”

Comments  (0)