
Exploring the science and magic of Identity and Access Management

Are InfoSec Vendors Crying Wolf?

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
10:10 pm

Robert Mullins posted an interesting article this week highlighting the tension between people who warn of impending danger from information security threats …

“Mark Bregman, chief technology officer of security company Symantec … spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. … ‘There’s an urgent need for diplomacy to kick start international cooperation on cybersecurity,’ Bregman said.”

and people who think InfoSec vendors are just fear mongers seeking to sell products …

“comments that followed Montalbano’s story suggested Bregman was hyping the threat for the sake of Symantec sales. “See, Symantec created the panic so as to sell its products,” wrote one. “If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,” wrote another.”

As an employee of a vendor of InfoSec software, as a student of the technology of security and as a private citizen concerned about the potential for international terrorism, I tend to side with those who point out our immense vulnerability. I hope that our technology can help combat the real-world threats that exist.

I hope the world is not lulled to passive inactivity by those who are skeptical of such threats.


Slide Show: 10 Worst Moments in Network Security

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:49 pm

Thanks to Network World for inserting a link in the middle of Dave Kearns’ article, leading to an intriguing slide show, “10 Worst Moments in Network Security.”

Ranging from

“Digital Equipment Corp. marketing guy Gary Thuerk gets technical assistance to send what’s regarded as the first ‘spam’ message to thousands on the government-funded Arpanet”

to

“Societe Generale, the large French financial services firm, discloses that one of its low-level options traders, Jerome Kerviel, has committed stock fraud worth an astonishing $7 billion, the largest in history traced to rogue trading.”

this slide show provides a somewhat nostalgic, but provocative view of bad stuff happening out there in cyberspace.


Data Breach Threats Beg For Better Access Control

Identity, Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:39 pm

Dave Kearns of Network World posted a thought-provoking article today, “Data breach demonstrates need for access control policies.”

Highlighting a case where a tax collector in British Columbia, Canada, used government computers to look up “private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side,” Dave observed:

There are so many things wrong here.

  1. Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
  2. Why did it take four years for someone to realize that there were shady dealings going on?
  3. How did CRA determine the "risk of injury"?
  4. Why aren’t the affected parties notified whenever there’s a breach?

In light of increasing government regulations covering data breaches, and hard evidence that the number of data breaches continues to grow, companies would be well advised to

“review your governance, oversight and access control policies now — before your organization features prominently (and ashamedly) in a newspaper headline!”


Source Doc: 2010 Data Breach Investigations Report

Information Security, Source Doc
Author: Mark Dixon
Tuesday, August 17, 2010
10:09 pm

The 2010 Data Breach Investigations Report covers a study conducted by the Verizon Business RISK team in cooperation with the United States Secret Service.

In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them.

Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases to the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses on prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts.

With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records. We’ve learned a great deal from this journey and we’re glad to have the opportunity to share these findings with you. As always, our goal is that the data and analysis presented in this report proves helpful to the planning and security efforts of our readers.


Source Doc: Open Trust Frameworks for Open Government

Identity
Author: Mark Dixon
Tuesday, August 17, 2010
9:51 pm

This document, Open Trust Frameworks for Open Government, is about a year old, but still provides an excellent overview of how OpenID and Information Card technology are being applied to provide citizen access to government websites:

Open government requires a way for citizens to easily and safely engage with government websites. Open identity technologies—specifically OpenID and Information Cards—fit this bill. They make it easier and safer for citizens to register, login, and when necessary share personally identifiable information across different websites and services. To bring open identity technologies and open government together, the OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.



Sequim, Washington: To Swim or to Shoot?

Humor, Identity
Author: Mark Dixon
Tuesday, August 17, 2010
9:32 pm

Note: originally published on ILoveFreedom.com.

 

According to a recent post in the International Business Edge, the small town of Sequim, WA, has an Identity Crisis … big time:

“The U.S. town of Sequim, Washington has long claimed that ‘in the native language of the S’Klallam tribe, ‘S’Kwim’ means quiet waters,’ as indicated on the town website. However, a linguist recently revealed that a correct translation would actually be ‘a place for going to shoot.’”


“Quiet Waters” or “A place for going to shoot.” Quite a contrast, don’t you think?

For more insight, you can listen to the story on NPR.org or read the article by the Associated Press.

With shooting potentially involved, I wonder why NRA.org hasn’t picked up the story!


Flying the Friendly Skies of Uzbekistan Airways

Humor
Author: Mark Dixon
Tuesday, August 17, 2010
9:17 pm

Note: originally published on ILoveFreedom.com.

 

Have you ever visited Uzbekistan? Me neither.

I may never go if I need to rely on the Uzbeki (is that a word?) national airline, whose billboard ad wishes us “Good Luck” as an airliner disappears into a dense cloud with apparent snowy weather ahead.


Thanks to The International Business Edge for pointing out this fun example of a somewhat misguided effort at language translation.

By coincidence, I stumbled today across a second encouraging article about this fine country. The Kansas City FBI office reported today that “an Uzbekistan national pleaded guilty in federal court today to his role in a criminal enterprise involving illegal aliens working in 14 states, including employees at hotels in the Kansas City, Missouri area and in Branson, Missouri.”

Maybe this fellow and his cohorts were so scared by the prospect of flying Uzbekistan Airlines that they came to the United States and took up smuggling illegal aliens instead.


Source Doc: XACML 3.0 Enhancements

Identity, Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:54 am

Presentation by Gerry Gebel of Axiomatics at a Kantara workshop. It includes a good overview of XACML and coverage of the v3.0 enhancements.



New Feature – “Source Doc”

Blogging
Author: Mark Dixon
Saturday, August 14, 2010
7:28 am

I have added a new feature, “Source Doc”, to the Discovering Identity blog.

I frequently come across source documents on the web that are relevant to the Identity Management / Information Security community. I don’t have time to blog about each in detail, but want to provide a way to announce that I have found the documents and provide a way to easily find them again.

A new category “Source Doc” has been added to the blog, so these documents can be easily selected via the “Select Category” drop-down list box. They can also be found by searching for key words.

My previous post is an example of a Source Doc post. It references a presentation I stumbled across this morning. I hope you find it useful.


Source Doc: OpenID Security Issues

Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:16 am

Presentation by Ashish Jain, Andrew Nash and Jeff Hodges of PayPal Information Risk Management at OpenID Summit, 2 November 2009.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.