We Have Too Much Security.

Security is making people NOT fly.

I’m getting old and crotchety. Apparently I’m not alone. CNN reports that 100,000 people a day are choosing NOT to fly, because of the “inconvenience” involved. That’s 41 million flights a year. ( http://www.cnn.com/2008/TRAVEL/05/30/airtravel.decline.ap/index.html )

We all started flying, commercially, 70 years ago because it was “convenient”; expensive, but convenient. Safety was poor, but convenient was more important. Over time, due in large part to the FAA, safety improved. It actually improved to the point that flying is now the safest method of travel available on the planet.

For at least some of us (some 100,000 people a day) driving has now become more convenient than flying — even though it is frequently slower (for trips over 4 hours), it is more work (you have to drive yourself), more dangerous, and potentially more expensive. For at least some of us, there is now TOO MUCH security. I’m a “security guy” and for me air travel now has too much of a good thing.


LifeLost: SSN 457-55-5462

Funny story of the day…

Ever heard of LifeLock? They describe themselves as an “Identity Theft Protection” service. LifeLock put out a commercial where the CEO hands out his social security number to random people on the street, and puts it on billboards, sides of trucks, etc. Never seen it? Check out the commercial here on YouTube.

Turns out, the whole service is a scam.

An article in the Charleston Gazette, “ID theft protection firm sued,” is an unfortunate story for those affected by LifeLock’s claims of protection. However, quite a few parts of the article had me laughing out loud. LifeLock’s CEO’s social security number, 457-55-5462, has been used over 20 times to fraudulently obtain driver’s licenses! Oh, and his credit profile has been so abused that the birth date associated with his Social Security number has been changed to Nov. 2, 1940. I wonder if he gets presents on both days?

Here are a few of the other highlights from the article:



It’s official — I’m a criminal. Arrest me.

In the tragic case of a 13-year-old MySpace user who committed suicide from online bullying, the AP reports in this article that Federal Prosecutors have indicted the accused “bully” on one count of conspiracy and three counts of “accessing protected computers without authorization to obtain information.”

That latter charge is based on the fact that the bully, a 49-year-old woman, was posing on MySpace as a 16-year-old boy. Federal Prosecutors are treating violations of MySpace’s Terms of Service (you know, that long legalese that you skip past and just click ‘I Accept’ when you register?) as a criminal act.

I have no problems with going after the perpetrator in the bullying case. It’s truly awful what happened, and a very sad story.

However, the prosecutors are setting a dangerous precedent. Ever used a fake name when registering on a site?


Day 3 - PCI DSS & Stockholm Syndrome

We’ve had PCI DSS discussion on our blog for 3 days in a row. That’s one heck of a tail-wind. Computerworld’s Ben Rothke has an interesting opinion piece today, “Battling information-security Stockholm syndrome.” Yesterday I mentioned that in my opinion, organizations fail to adopt or even take PCI DSS seriously because of the lack of incentive (carrot) or penalty (stick). Take it a step further and look at the example in Ben’s article where the CIO of the National Retail Federation says that “PCI DSS… was supposed to prevent [data theft] crimes…” further leading to the perception that PCI is a “failed” standard.

I wouldn’t go as far as Ben and say that organizations sympathize with the hackers, script kiddies, and identity thieves (as he suggests with the Stockholm Syndrome label). IT shops aren’t sympathizing with the malicious underworld — they’re just looking for guidance with measurable results. It’s not surprising they become overwhelmed, frustrated and disillusioned by the reality of threat management.

The truth is that for most small retailers, PCI is the first time they have been subject to ANY IT regulation or standard. Compliance in IT is a new concept for them, and most have neither budget nor process in place to deal with it.

As good security professionals we know that there is no “Holy Grail” to prevent theft, DoS, etc. But we need to convince organizations that they need to take a more holistic approach to security, and that doing so isn’t “hokey-pokey” or ambiguous. The threats are dynamic, and the mitigation needs to be just as dynamic and multi-layered (defense-in-depth).

The PCI Security Standards Council needs to get out the stick, carrot and soapbox and get to work before DSS gets a bad rap.


Follow-up: Time to abandon cards for cash?

Just a quick post with a link to a timely article from Linda Musthaler today at NetworkWorld — “Is it time to abandon credit card payments and go back to cash?” She talks about the privacy issues of cards that I referred to in yesterday’s post on buying the iPhone. Even with the data loss at TJX, including civil penalties and fines from the industry, PCI DSS — however well written — apparently has no teeth if retailers continue to ignore the standard. From the outside, it just appears as if the credit card industry will neither enforce (stick) nor reward (carrot) merchants, either way!

Linda points out, “Many small retailers… aren’t even aware of PCI DSS, much less comply with it.”

Where’s the outrage?
