26. July 2011 · Comments Off on An Analysis of Anonymity in the Bitcoin System: Bitcoin is not Anonymous · Categories: blog · Tags:

An Analysis of Anonymity in the Bitcoin System: Bitcoin is not Anonymous.

Bitcoin is not inherently anonymous. It may be possible to conduct transactions is such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified. We have performed an analysis of anonymity in the Bitcoin system and published our results in a preprint on arXiv.

This blog is written by Fergal Reid and Martin Harrigan. We are researchers with the Clique Research Cluster at University College Dublin. The results in this blog are based on a paper we wrote that considers anonymity in the Bitcoin system. A preprint of the paper is available on arXiv.

To illustrate their case, they focus on the alleged thief who stole 25,000 Bitcoins. They make extensive use of flow visualizations.


26. July 2011 · Comments Off on Zurich seeking immunity from covering Sony over breach – SC Magazine US · Categories: blog · Tags: , ,

Zurich seeking immunity from covering Sony over breach – SC Magazine US.

Zurich American Insurance, Sony’s general liability insurance carrier, is contesting any obligation for costs related to the 58 class-action lawsuits against Sony related to the 100 million user breach of Sony’s PlayStation Network.

Zurich argues that it is not liable to indemnify Sony for these costs because its policy with the company only covers claims for bodily injury, property damage or personal and advertising injury. Sony’s policy contains “certain exclusions” related to “class-action complaints and miscellaneous claims,” according to the complaint, filed Wednesday.

Maybe this is why companies like Sony do not seem to address their information security responsibilities.

25. July 2011 · Comments Off on Google+ Gets a “+1″ for Browser Security | The Barracuda Labs Internet Security Blog · Categories: blog · Tags: , , ,

Google+ Gets a “+1″ for Browser Security | The Barracuda Labs Internet Security Blog.

Barracuda compares Google+ vs Facebook with respect to SSL and Secure Headers. Google+ wins.

25. July 2011 · Comments Off on Calif. Co. Sues Bank Over $465k eBanking Heist — Krebs on Security · Categories: blog · Tags:

Calif. Co. Sues Bank Over $465k eBanking Heist — Krebs on Security.

Village View Escrow is suing Professional Business Bank for losses of $465,000 resulting from “26 consecutive fraudulent wire transfers to 20 individuals around the world who had no legitimate business with the firm.

The precedent is the Experi-Metal case against Comerica.

Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.

25. July 2011 · Comments Off on Lenny Zeltser on Information Security — Why There Are Fewer LinkedIn Scams and Malware Than Facebook Ones · Categories: blog · Tags: , ,

Lenny Zeltser on Information Security — Why There Are Fewer LinkedIn Scams and Malware Than Facebook Ones.

Lenny Zeltser received some very good answers as to why there are fewer scams on LinkedIn than Facebook.

I think this is the best answer:

People’s LinkedIn interactions have a professional perspective. This frame of mind doesn’t generate the same social/emotional response as Facebook, which makes them more resistant to being tricked, suggested @adamshostack. In addition, @marypcbuk pointed out that people tend to pay more attention to their LinkedIn interactions, because they police their professional activities more carefully than personal ones.

Facebook interactions are much more free flowing and emotional while LinkedIn, being professionally oriented, interactions are more thoughtful. On LinkedIn people are more cautious because they are more concerned with their reputations.

The other answers definitely have merit as well.

24. July 2011 · Comments Off on Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software · Categories: blog · Tags: , , ,

Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software.

Lenny Zeltser posted his excellent presentation on The Use of Modern Social Web by Malicious Software.

However an increasing number of organizations are seeing real benefits to the top line by engaging in the social web. Therefore simply blocking it’s usage is no longer an option. The InfoSec team must respond to the business side by mitigating the security risks of using the modern social web.

 

24. July 2011 · Comments Off on Lenny Zeltser on Information Security — 3 Reasons Why People Choose to Ignore Security Recommendations · Categories: blog · Tags: , ,

Lenny Zeltser on Information Security — 3 Reasons Why People Choose to Ignore Security Recommendations.

Lenny Zeltser relates a general psychology paper on Information Avoidance ($30 if you want to read the paper) to why security recommendations are ignored.

Here are the three reasons outlined in the paper:

(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.

On the third point, Lenny hits on one of the age old concerns – the unpleasant emotion of “I bought the wrong security products.”

While this could be true in some situations, the more likely issue is that the security landscape has changed and obsoleted the purchased security product in question before it’s fully amortized.

We are seeing this today with respect to firewalls. The changes in the way browser-based applications communicate with servers and the related attack vectors have left traditional port-based firewall policies helpless to defend the organization.

 

 

 

24. July 2011 · Comments Off on RSA FraudAction News Flash: Trojan Add-On Forces Zombie PCs into Slavery to Mine Bitcoins « Speaking of Security – The RSA Blog and Podcast · Categories: blog · Tags: ,

RSA FraudAction News Flash: Trojan Add-On Forces Zombie PCs into Slavery to Mine Bitcoins « Speaking of Security – The RSA Blog and Podcast.

RSA is reporting that SpyEye and Zeus trojans have been enhanced to use botnet zombie computers to mine Bitcoins.

This article provide a nice introduction to Bitcoin if you are not familiar with this form of digital currency and then discusses the Bitcoin “stealing” enhancements to the two botnet trojans.

24. July 2011 · Comments Off on Freakonomics » Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum · Categories: blog · Tags: ,

Freakonomics » Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum.

The short answer, yes and yes.

Stephen Dubner gathers opinions from Bruce Schneier, Tal Be’ery (Imperva), Henry Harrison (BAE Systems Detica), Julie Conroy McNellery (Aite Group), and David Jevans (IronKey).

McNellery seems to think that PCI has been a success and has reduced the number of breaches. While the number of credit card breaches has dropped, it appears that it’s because so much credit card data has been stolen that the price for credit card data has been driven down so low that cyber criminals are focusing on other types of digital information to steal.

Just ask Josh Corman.

24. July 2011 · Comments Off on End-To-End Encryption – The Rest Of The Story « PCI Guru · Categories: blog · Tags: ,

End-To-End Encryption – The Rest Of The Story « PCI Guru.

E2EE (End-To-End Encryption) is not a bad thing, but it does have its own set of risks.  And it is those risks that do not get discussed that concern me.  The reason for my concern is that if you discuss E2EE with any merchant, most see it as this panacea, something that will get them out of the PCI compliance game altogether.  However, nothing could be further from the truth.  If anything, E2EE may make PCI compliance even more daunting than it is today.

However, the end-point device that accepts the credit card is in scope! And it’s difficult to prove that the end point has not been tampered with.

The PCI Guru has a set of recommendations for securing the end point.