Speaking of Security, the RSA Blog and Podcast

Big Steps Toward Managing Security and Compliance for Virtual Infrastructure

blog@rsa.com (Steve Schlarman) — Wed, 01 Sep 2010 00:00:00 GMT

This week, the industry celebrates one of the most influential and explosive technologies influencing the world of information systems: Virtualization. At VMWorld 2010, the focus on virtualization across the enterprise and cloud computing highlights some of the most interesting and impactful technologies that our industry is utilizing. We have had...

Speaking of Security Podcast #197

blog@rsa.com (Podcast Producers) — Wed, 01 Sep 2010 00:00:00 GMT

Click to Download/Listen

This week's Speaking of Security podcast features an interesting discussion with Ira Winkler, a well-known expert on internet security and information-related crime investigation.

The Cloud has a Silver Lining

blog@rsa.com (Sam Curry) — Mon, 30 Aug 2010 00:00:00 GMT

Talking with customers every day, I hear constant concerns about lack of visibility into (and control over) security and compliance in the virtual infrastructure, lack of guidance and orchestration tools and the high cost and difficulty of meeting audits and achieving compliance.

Popularity of automated stores in the black market increase as source code is traded in "kits"

blog@rsa.com (Idan Aharoni) — Thu, 26 Aug 2010 00:00:00 GMT

In my last post, I discussed the trend of automated credit card stores proliferating in the fraudster underground. In addition to the reasons I listed...

Speaking of Security Podcast #196

blog@rsa.com (Podcast Producers) — Wed, 18 Aug 2010 00:00:00 GMT

Click to Download/Listen

This week's Speaking of Security podcast discusses the upcoming RSA Archer eGRC Road Show. We also debut the Speaking of Security Newswire, featuring the latest security and technology headlines.

Only You Can Prevent (Internet) Forest Fires: driving online safety and security home

blog@rsa.com (Sam Curry) — Wed, 18 Aug 2010 00:00:00 GMT

There's an important Messaging Convention around online consumer safety and security that wrapped up this month, put on by the National Cyber Security Alliance (NCSA), Anti-Phishing Working Group (APWG) and member organizations including RSA around communicating the central role of people in protecting themselves and, frankly...

Nation States and Mobile Devices: It's Time to Listen

blog@rsa.com (Sam Curry) — Fri, 13 Aug 2010 00:00:00 GMT

The motivations, instincts and needs of Nation States, regardless of rhetoric, are largely the same for Akkadia, Sumeria, Rome and ancient Judea as they are for the modern USA, China or European state. The theaters in which nations can act and the tools and trade-offs among tactics are very different, and this has come to light recently with some activity and demands around features and requests for mobile endpoints.

Payment Security Insight from the Verizon 2010 Data Breach Investigations Report

blog@rsa.com (Robert McMillon) — Fri, 13 Aug 2010 00:00:00 GMT

This week, Verizon released their 2010 Data Breach Investigations Report. The report is a treasure trove of statistics that illuminate all facets of what’s happening in recent compromises. I wanted to focus on the insight around the current state of payment card data breaches, which continue to make up a majority of the breaches (54%) that Verizon’s RISK team investigates and writes about.

Speaking of Security Podcast #195

blog@rsa.com (Podcast Producers) — Wed, 11 Aug 2010 00:00:00 GMT

Click to Download/Listen

The dog days of summer mean a chance to reflect on some hot industry topics with Sam Curry, Chief Technologist for RSA.

Automated Credit Card Stores and the Business of Trading in the Fraud Underground

blog@rsa.com (Idan Aharoni) — Wed, 11 Aug 2010 00:00:00 GMT

Innovation and evolution are two words that are not hard to find in blog posts and news articles about fraud. It seems that almost every day security researchers uncover new features and improvements in fraudsters’ tools and infrastructure. Many of these innovations stem from the availability of new services in the underground.

A choice of words

blog@rsa.com (Robert McMillon) — Fri, 06 Aug 2010 00:00:00 GMT

Language is important. It is the manner in which we communicate intent and meaning to each other. Thus our choice of words is important, because words have specific meanings. That is an obvious statement, but one that is frequently forgotten. All too often, we use...

Speaking of Security Podcast #194

blog@rsa.com (Podcast Producers) — Wed, 04 Aug 2010 00:00:00 GMT

Click to Download/Listen

RSA Conference Europe is fast approaching. This week's Speaking of Security podcast checks in on what to expect at this year's event.

The Wave of Cool

blog@rsa.com (Sam Curry) — Wed, 04 Aug 2010 00:00:00 GMT

What do the iPad, Cabbage Patches, Converse and The Matrix have in common? Well, to answer that we need to look at drivers for a moment, and I don't mean machine drivers and technology…I mean people drivers. Let's look at their urges, needs and wants.

Social Trojaning

blog@rsa.com (Uri Rivner) — Wed, 28 Jul 2010 00:00:00 GMT

I went to my favorite fraud underground forum, bought my favorite Trojan kit (I like Zeus), and then I looked through the Build-a-Trojan checklist for next steps.

Fraudsters enjoy a summer holiday

blog@rsa.com (Uri Rivner) — Tue, 27 Jul 2010 00:00:00 GMT

It’s now summer on Triton.

Don’t pack your holiday gear though; the average temperature on Neptune’s major moon, which is about 30 times further from the sun than Earth, is...

Looking at Visa's Tokenization Best Practices

blog@rsa.com (Robert McMillon) — Fri, 23 Jul 2010 00:00:00 GMT

Last week, Visa issued their initial guidance on tokenization best practices. Overall, I think Visa presented a good start for the industry. Several other bloggers seem to agree. However, I do have a bone or two to pick with what they propose.

Revolutionary Fever: Humanity will win the battle, and Liberty will have a network*

blog@rsa.com (Sam Curry) — Thu, 22 Jul 2010 00:00:00 GMT

The pace of life continues to accelerate and become more-and-more distracting, and today RSA announced the latest SBIC report and new research results from IDG Research Services. The IDG data and SBIC report on the clash, the conflict really, between technologies in our lives bleeding into...

Cybercriminals Now Using Public Social Networks to Give Command and Control Orders to Banking Trojans

blog@rsa.com (RSA FraudAction Research Lab) — Mon, 19 Jul 2010 00:00:00 GMT

While malware updating via public resources is nothing new in itself, the RSA FraudAction Research Lab recently witnessed this hosting method being used to operate a banking Trojan; specifically a variant of...

Call it What You Want: But it is Still the Black Market

blog@rsa.com (Idan Aharoni) — Thu, 15 Jul 2010 00:00:00 GMT

Unless you accidentally wandered here while searching for the Road Safety Authority, you’ve most likely been introduced with the “fraudster underground” or “underground economy.” A lot has been written about the criminal bowels of the Internet, either in...

Helping the merchant

blog@rsa.com (Robert McMillon) — Tue, 13 Jul 2010 00:00:00 GMT

I recently found myself in a conversation with the head of operations for a large, multinational retailer and we were discussing PCI. I made an observation that goes something like this...

Paul the Octopus - He's done it again!

blog@rsa.com (Uri Rivner) — Tue, 13 Jul 2010 00:00:00 GMT

You’ve got to love Paul the Octopus. To those of you living across the pond and not following football (soccer) news, that’s the cute octopus-turned-oracle that managed to predict each and every game Germany played in the World Cup, and foresaw that Spain would beat the Netherlands in the finals.

"You're gonna need a bigger boat"

blog@rsa.com (John McDonald) — Tue, 13 Jul 2010 00:00:00 GMT

Have you ever felt like Sheriff Brody in the movie 'Jaws' when he finally saw the shark they were hunting and realized that it was a 25' 3-ton great white? If you've ever talked to someone in the IT security business right after they've experienced a major data breach what you'll generally hear them say is something to the effect of...

Speaking of Security Podcast #193

blog@rsa.com (Podcast Producers) — Tue, 13 Jul 2010 00:00:00 GMT

Click to Download/Listen

A discussion on the current cyber security legislative landscape direct from Washington, DC on this week's Speaking of Security podcast.

The Root Cause of Advanced Persistent Threats

blog@rsa.com (Sam Curry) — Tue, 13 Jul 2010 00:00:00 GMT

The term "Advanced Persistent Threat" (or APT) has been around for a long time in the non-computer world and for a decent amount of time in the computer world behind closed doors; but as I watch the use of certain words and phrases, APT is on the ascendancy.

PCI Doesn't Take Vacations

blog@rsa.com (Branden Williams) — Fri, 09 Jul 2010 00:00:00 GMT

I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues. For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction. It shocked me so much, I snapped a picture to make sure I got the wording correct. It plainly stated...

Physical to Virtual Disaster Recovery Planning: Considerations for the Cloud

blog@rsa.com (Steve Suther) — Thu, 08 Jul 2010 00:00:00 GMT

How's your disaster recovery planning these days?

If you’re reading this, it’s pretty safe to assume that either you or someone in your organization is “tuned in” enough to have well documented DR plans that enable your company's business operations to continue...

VLANs and Segmentation

blog@rsa.com (Branden Williams) — Thu, 08 Jul 2010 00:00:00 GMT

I was following an email trail from a few colleagues and it dawned on me that I had not written about the use of VLANs with respect to PCI in this blog. If you purchased Anton & my book, you can get...

The "Should" Rule of Cloud Computing

blog@rsa.com (Branden Williams) — Tue, 06 Jul 2010 00:00:00 GMT

I’ve been asked over the last few months quite a bit about virtualization and cloud computing. Virtualization is something most people understand, but cloud computing baffles many professionals because there is often not a clear nomenclature used to describe products and services in the space¹.

Governance: The Big Problem

blog@rsa.com (Sam Curry) — Tue, 06 Jul 2010 00:00:00 GMT

I alluded to this a few weeks ago in Xanadu, but I got to thinking about the subject and realized it deserves a little more exploration and discussion. I mentioned an almost mythical "hunter-gatherer" society and the potential to...

Card Checking is Still a Booming Business

blog@rsa.com (Idan Aharoni) — Fri, 02 Jul 2010 00:00:00 GMT

For those who commit it, fraud is similar to a game of chess. You can’t reach a check-mate if you haven’t aligned all your pieces appropriately before making your big move. If you’re trying to defraud a bank through the online channel, you first need...

Are You a GRC Saboteur?

blog@rsa.com (Steve Schlarman) — Thu, 01 Jul 2010 00:00:00 GMT

We all have our own little secret hobbies that we use to escape from the craziness of our everyday life. Spend any time with someone, and most likely you will learn about their pets, their thimble collection, their penchant for...

Tokens and Standards

blog@rsa.com (Robert McMillon) — Wed, 30 Jun 2010 00:00:00 GMT

In my last post, I discussed the interesting situation that the PCI council finds itself in, where they are in the process of providing guidance on use of a technology...

Speaking of Security Podcast #192

blog@rsa.com (Podcast Producers) — Mon, 28 Jun 2010 00:00:00 GMT

Click to Download/Listen

David Kirkpatrick, author of the new book, "The Facebook Effect: The Inside Story of the Company that is Connecting the World" is the guest on a special edition of the Speaking of Security podcast.

Not Another Agent!

blog@rsa.com (Sam Curry) — Mon, 28 Jun 2010 00:00:00 GMT

One of the most important principles in the security industry, and something that we are embracing wholeheartedly at RSA is to build in security rather than bolt on agents, protocols and capabilities as an afterthought. A good example of this is the recently announced relationship between...

Good Times in Fraudland: Part II

blog@rsa.com (Uri Rivner) — Thu, 24 Jun 2010 00:00:00 GMT

In my first of three entries summarizing 2009 online fraud trends, I suggested that there had never been a better time to be a cybercriminal, and talked about the high grade Trojans currently available to fraudsters. But to use a modern warfare analogy...

Xanadu: the new landscape of the payment card industry

blog@rsa.com (Sam Curry) — Tue, 22 Jun 2010 00:00:00 GMT

Sea change, paradigm shift and disruptive technologies are all phrases used to describe things that revolutionize society or part of society. They are often marked by...

Speaking of Security Podcast #191

blog@rsa.com (Podcast Producers) — Tue, 22 Jun 2010 00:00:00 GMT

Click to Download/Listen

A new Security Brief produced by RSA explains how advanced security technologies and emerging outsourced services can relieve merchants of the growing burden of storing electronic payment card information. Hear more on the Speaking of Security podcast.

And your total is...

blog@rsa.com (John McDonald) — Mon, 21 Jun 2010 00:00:00 GMT

Twice in the last 2 months I've been privileged to present a session on security considerations for cloud computing at different industry events. In both instances there were plenty of questions and lots of detailed follow-up discussions. I got to sit down with...

Surprising surge of Phishing on nationwide banks

blog@rsa.com (Uri Rivner) — Mon, 21 Jun 2010 00:00:00 GMT

In the last couple of months the RSA Anti Fraud Command Center witnessed a dramatic surge of Phishing on nationwide US banks.

Ever since the good old days of the initial Phishing attacks in 2003-2004, the share of national banks – those that span across the entire US – has been declining, as the major banks implemented effective remedies against Phishing and the public became more aware of attacks where the fraudster posed as a major national bank. The heat moved to smaller targets: regional banks and small credit unions.

What is the Air Speed Velocity of an Unladen Swallow?

blog@rsa.com (John McDonald) — Fri, 18 Jun 2010 00:00:00 GMT

I've previously written about asking the right questions, and I've had discussions about that issue with several customers. Originally I focused on asking about risk vs. compliance, with compliance being just another risk factor...

"Red Flags" Compliance Deadline Extended...Again!

blog@rsa.com (Steve Suther) — Fri, 18 Jun 2010 00:00:00 GMT

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule that was enacted as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

Universal Man-In-The-Middle: Next Generation Phishing Was Already Here

blog@rsa.com (Idan Aharoni) — Thu, 17 Jun 2010 00:00:00 GMT

Over the years, phishing attacks have changed and evolved. Around 2005, it was popular to add a Javascript code to the simple HTML pages that took advantage of a vulnerability in the browser. This allowed the fraudsters to spoof the URL of the phishing attack so it would appear as...

Computing as a Public Utility: Closer than Ever

blog@rsa.com (Nirav Mehta) — Fri, 11 Jun 2010 00:00:00 GMT

There is no question cloud/utility computing has arrived and is here to stay. But, something is afoot that deserves special attention. On May 6, the Federal Communications Commission (FCC) of the United States announced a plan to...

Making the Cloud Private

blog@rsa.com (Sam Curry) — Fri, 11 Jun 2010 00:00:00 GMT

I did an interview with the guys from Wikibon (Mike Versace and David Vellante), and I wanted to sum it up in a nice written blog. Then I realized that there's so much in this one that it speaks for itself. So if you want to know what I look and sound like, and want to learn about Security and the Cloud, check out this interview! http://wikibon.org/blog/what-makes-private-cloud-private/

Playing Catch-up

blog@rsa.com (Robert McMillon) — Fri, 11 Jun 2010 00:00:00 GMT

The rise of point-to-point (or sometimes called end-to-end) encryption and tokenization has led to an interesting condition in the marketplace – the regulatory and standards bodies playing catch-up. This isn’t to say that technology adoption hasn’t predated a standard before.

Speaking of Security Podcast #190

blog@rsa.com (Podcast Producers) — Wed, 09 Jun 2010 00:00:00 GMT

Click to Download/Listen

Hear how a successful online jeweler is protecting customer transactions on this week's Speaking of Security podcast.

Fraudsters Still Earn a Paycheck from Traditional Methods: From Phishing Kits to Cash

blog@rsa.com (Idan Aharoni) — Thu, 03 Jun 2010 00:00:00 GMT

Every fraud operation consists of two main stages. In the first stage, fraudsters use various tools and sources to obtain records of stolen identities, while in the second “cash out” stage, they turn those records into cold hard cash.

42

blog@rsa.com (John McDonald) — Thu, 03 Jun 2010 00:00:00 GMT

Those of you that are Hitchhiker fans will recognize the meaning of 42 - it's the Answer to Life, the Universe and Everything. And for the non-fans out there, you may be asking 'What's the question?'; well, that's the problem - you can't know both the question and the answer in the same universe...

Speaking of Security Podcast #189

blog@rsa.com (Podcast Producers) — Wed, 02 Jun 2010 00:00:00 GMT

Click to Download/Listen

What is a Man-in-the-Browser attack and how can enterprises combat them? Hear more on this week's Speaking of Security podcast.

Preventing Fire Sales

blog@rsa.com (John McDonald) — Wed, 02 Jun 2010 00:00:00 GMT

Recently a colleague of mine (thanks, Heidi!) reminded me that a major milestone in the evolution of the NERC standards was fast approaching. By July 12, 2010, all of the Critical Infrastructure Protection (CIP) requirements defined as part of the NERC standard transition from a required status of 'Compliant' (C) to 'Auditably Compliant' (AC).

Log Management: Catalyst for Vital Functions

blog@rsa.com (Sam Curry) — Wed, 02 Jun 2010 00:00:00 GMT

First, there was SEM: Security Event Management. SEM was about sitting on masses of data. I remember once meeting someone who worked with early IDS technologies (before Gartner pronounced the death of IDS), and I met an admin who could...

Speaking of Security Podcast #188

blog@rsa.com (Podcast Producers) — Wed, 26 May 2010 00:00:00 GMT

Click to Download/Listen

Hear how one of the top credit unions in the US has deployed the RSA enVision SIEM platform to help analyze internal processes and drive greater business value, on this week's Speaking of Security podcast.

Wall of Yellow...?

blog@rsa.com (Sam Curry) — Fri, 21 May 2010 00:00:00 GMT

Symantec is on an acquisition spree.

There. I said it.

We can check the box for having many of the right dancers, but how is the choreography coming? How much can Symantec “focus on” at once? These are the real questions for me.

BSIMM2 - A Very Useful Reference for Software Security Practitioners

blog@rsa.com (Eric Baize) — Thu, 20 May 2010 00:00:00 GMT

On May 12th, Gary McGraw and his teams from Cigital and Fortify Software released version 2 of the Building Security in Maturity Model (BSIMM). It triples the size of the software security practices analyzed by the study to a total of 30. EMC was part of the nine...

Utilities are Coming of Age...has your industry?

blog@rsa.com (Sam Curry) — Thu, 20 May 2010 00:00:00 GMT

I had a conversation with a utility recently in the United States that is rushing to roll out SmartMeters as part of their spending of the government stimulus package. I had one of those conversations again...

Phishing Persists - and Persistence Pays Parasites*

blog@rsa.com (Sam Curry) — Tue, 18 May 2010 00:00:00 GMT

Phishing persists.

I was shocked to see that Cory Doctorow, a really technical author and blogger, was in fact phished recently and wrote about it this Locus article Persistence Pays Parasites

Combined Arms and Defense in Depth against MITX (aka MITM)

blog@rsa.com (Sam Curry) — Tue, 18 May 2010 00:00:00 GMT

Defense-in-depth is the only sane answer in a world where threat is presented by an intelligent opponent in a persistent and sustained manner. Eventually, as I pointed out in Nothing Can Come of Nothing, the bad guys will find a way...

Online Security is Like Football - You Need a Defensive Front Line

blog@rsa.com (Idan Aharoni) — Tue, 18 May 2010 00:00:00 GMT

A recent blog by my colleague, Seth Geftic, discussed the inability of security education to prevent fraud. The issue of security education has always been a complex one. Until an empirical study comes along that...

Good Times in Fraudland: Part I

blog@rsa.com (Uri Rivner) — Tue, 18 May 2010 00:00:00 GMT

Thirty years from now if I’ll ever look back and read my old blogs, I’m sure I’ll agree with what my current self is about to state: There was never a better time to be a cybercriminal than in good old 2009.

How many Fortune 500 Companies Compromised? Answer Inside

blog@rsa.com (Uri Rivner) — Fri, 14 May 2010 00:00:00 GMT

In the last few weeks I’ve been talking to some of the corporations hit by the infamous Operation Aurora; the attack that triggered the Google-China virtual war.

The CISOs of these companies are facing a daunting task. These incidents reached board-level attention, and left many questions unanswered. How good are the traditional defense mechanisms?

Journeys (or stripping away what we don't need and bringing only "CIA" to the cloud with us)

blog@rsa.com (Sam Curry) — Fri, 14 May 2010 00:00:00 GMT

Here it is: a security guy saying it's not about security. I am a security guy, so here goes…

It's not about security.

Wow…that didn't hurt as much as I thought it would!

The Real Cost of a Pizza - and a Social Security Number

blog@rsa.com (Idan Aharoni) — Thu, 13 May 2010 00:00:00 GMT

A good friend of mine who lives in New York engaged me in a conversation about identity theft recently where he said, “I don’t care if they steal my credit card information. For that, I’m covered. What I am worried about is my Social Security number. If that ever gets stolen – I’d be in serious trouble!”

Speaking of Security Podcast #187

blog@rsa.com (Podcast Producers) — Wed, 12 May 2010 00:00:00 GMT

Click to Download/Listen

RSA continues to expand its Speaking of Security blog team. Meet one of our newest bloggers on this week's Speaking of Security podcast.

Would the Real Cost of PCI Please Stand Up?

blog@rsa.com (Robert McMillon) — Fri, 07 May 2010 00:00:00 GMT

This week at NACStech, I spoke with several people from a large retail chain - people who are hip-deep in the PCI compliance efforts within their organization. So as we were talking, one senior person made the comment that, “PCI compliance only costs us around $30,000 a year”.

The Security Education Gap

blog@rsa.com (Seth Geftic) — Fri, 07 May 2010 00:00:00 GMT

One of the best parts of my jobs is getting to present on online threats. I get to speak at conferences, on webinars and in front of customers about the dangers that we all face when we are on the Internet due to the sophistication of cybercriminals. After giving these presentations, no matter who is in the audience, I always get someone that asks, “What about education…does it work?” These days, I’m not convinced it does.

Birds of a Feather...

blog@rsa.com (Sam Curry) — Thu, 06 May 2010 00:00:00 GMT

Brian Krebs has a great piece on the Mariposa (Spanish for butterfly) botnet that is really worth reading. I won't spoil it, but essentially it is about two criminals trying to get a job with Panda Security. There are some interesting take aways here, but what struck me most is...

Speaking of Security Podcast #186

blog@rsa.com (Podcast Producers) — Wed, 05 May 2010 00:00:00 GMT

Click to Download/Listen

Cyberklix is a leader in the field of Log Management and Security Event Management. Hear about some of its current business challenges on this week's Speaking of Security podcast.

Trumpet Your (Security) Achievements Loudly!

blog@rsa.com (Sam Curry) — Wed, 28 Apr 2010 00:00:00 GMT

The Lockheed Martin Cyber Security Alliance today announced a critical survey and data related to US government adoption of cloud services. Most importantly, it issued a related white paper on "Awareness, Trust, and Security to Shape Cloud Adoption" that address full-on the perception (as opposed to the realities) of the cloud with respect to the government.

Speaking of Security Podcast #185

blog@rsa.com (Podcast Producers) — Wed, 28 Apr 2010 00:00:00 GMT

Click to Download/Listen

New research commissioned by RSA reveals that despite known online threats, young adults seem to be choosing convenience over security when it comes to their online activity. We discuss on this week's Speaking of Security podcast.

Innovating for Profits Fraudster Style

blog@rsa.com (Idan Aharoni) — Tue, 27 Apr 2010 00:00:00 GMT

It would come as no surprise to anyone that every fraudster attempts to maximize his profits, and there are several ways to do so. First, a fraudster could increase the amount of credentials he obtains, either by using more sophisticated tools or by simply using existing tools more often.

Security by Obscurity Never Works...

blog@rsa.com (Sam Curry) — Tue, 27 Apr 2010 00:00:00 GMT

Every now and then something comes up that is, strangely, humorous. Having seen the Haiti exploits (see post on Non Illegitimi Carborundum) and the cease-fire opportunism (see Cease Fire post), I scratched my head and wondered…so where are the Eyjafjallajökull hoaxes?

Silver bullets

blog@rsa.com (Robert McMillon) — Mon, 26 Apr 2010 00:00:00 GMT

In my last post, I talked about performing encryption in hardware vs. software, and why RSA and First Data made the business decisions that we did for our payment security solution, TransArmor. Since then, I have heard from...

Putting Dogma in Front of Karma

blog@rsa.com (Sam Curry) — Fri, 23 Apr 2010 00:00:00 GMT

For those of you who were around in security then, you are probably chuckling. For those who weren't: the Furby was a toy that could "learn." Unfortunately, it was feared that it could learn too much...and that if it were in a work environment, or worse in a classified or sensitive area, that it might be a foreign spy or a cute-looking insider.

Never Give An Order You Know Won't Be Obeyed*

blog@rsa.com (Sam Curry) — Thu, 22 Apr 2010 00:00:00 GMT

The dust has settled...the worst has blown over; but what an article and what a response! Kudos to Mark Pothier at the Boston Globe for his "Please do Not Change Your Password" article that stirred up our industry like a bee's nest kicked over by a bear covered in honey!

Speaking of Security Podcast #184

blog@rsa.com (Podcast Producers) — Tue, 20 Apr 2010 00:00:00 GMT

Click to Download/Listen

Learn about RSA CyberCrime Intelligence, a new service designed to better understand the risks of malware to the enterprise on this Speaking of Security podcast.

STOP! Don't Post That! What happens on Spring Break is about to be posted to your Mom and your next 4 bosses!

blog@rsa.com (Sam Curry) — Tue, 20 Apr 2010 00:00:00 GMT

How much of what Gen Y is going through is unique to this generation and how much of it is the standard process of growing up and maturing with the added leavening of technology thrown into the mix? I remember as a Gen X-er...

Avoiding Castles in the Swamp, Part 4

blog@rsa.com (John McDonald) — Fri, 16 Apr 2010 00:00:00 GMT

In this on-going series on Security Operations, I've discussed basic foundational requirements including goals, roles and responsibilities, monitoring plans, etc. There's one final area that I'd like to cover...

A Cybercrime Self-Confession

blog@rsa.com (Sean Brady) — Thu, 15 Apr 2010 00:00:00 GMT

Yes, I am one of those Users. I am one of those Users that I spend a significant part of my job working to educate customers and the industry about. You see, as part of my job, I am issued a laptop by EMC, the parent company of RSA. I am in fact working from that laptop right now. It should also be noted...

Speaking of Security Podcast #183

blog@rsa.com (Podcast Producers) — Wed, 14 Apr 2010 00:00:00 GMT

Click to Download/Listen

KPMG provides audit, tax and advisory services as part of a global network spanning over 140 countries. Hear about their commitment to security on this week's Speaking of Security podcast.

Avoiding Castles in the Swamp, Part 3

blog@rsa.com (John McDonald) — Wed, 14 Apr 2010 00:00:00 GMT

In this blog series, I have been exploring some of the foundational requirements necessary for effectively implementing an advanced Security Operations function within an organization. We've looked at the basic...

Avoiding Castles in the Swamp, Part 2

blog@rsa.com (John McDonald) — Mon, 12 Apr 2010 00:00:00 GMT

In my last entry, I started discussing some of the foundational requirements necessary to implement a successful Security Operations (SecOps) program. I'd like to drill down a bit more into some of the most critical ones, and, ironically...

Software- vs. Hardware-based Encryption in the POS

blog@rsa.com (Robert McMillon) — Fri, 09 Apr 2010 00:00:00 GMT

A few years ago, I saw a video on the Internet about ‘lock bumping’ and ‘bump keys’. For those that don’t know, lock bumping is a frightening technique...

Avoiding Castles in the Swamp, Part 1

blog@rsa.com (John McDonald) — Thu, 08 Apr 2010 00:00:00 GMT

Here's a quote from Monty Python's, " The Holy Grail," that frequently comes to mind when I discuss Security Operations with customers...

Speaking of Security Podcast #182

blog@rsa.com (Podcast Producers) — Tue, 06 Apr 2010 00:00:00 GMT

Click to Download/Listen

RSA is hiring to fill key positions in its global product organization. Learn more about the 90 Hires in 90 Days program on this week's Speaking of Security podcast.

Matching the Last Four Keeps the Bad Guys Away

blog@rsa.com (Idan Aharoni) — Tue, 06 Apr 2010 00:00:00 GMT

Have you ever bought something at the store with your debit or credit card and the clerk hands you the card back without checking to make sure the signature matches? Or better yet...

To Each According To His Needs*

blog@rsa.com (Sam Curry) — Mon, 05 Apr 2010 00:00:00 GMT

Please forgive my using a slogan popularized by Karl Marx, but it seemed appropriate in this context: Forrester just published a fascinating paper on the Value of Corporate Secrets.

The Security Alphabet: a primer for April learning

blog@rsa.com (Sam Curry) — Tue, 30 Mar 2010 00:00:00 GMT

I was watching some children's television with my 4 year old nephew this weekend (after playing with a rubber-band powered glider I bought for him in Asia in the yard – we had nice weather this weekend), and I thought...

Why protecting payment card data is different – and the unique opportunities it creates

blog@rsa.com (Robert McMillon) — Fri, 26 Mar 2010 00:00:00 GMT

In the years I have been focusing on data security (as opposed to general ‘information security’), I have spoken to hundreds of companies about the types of data they find valuable. Invariably...

Speaking of Security Podcast #181

blog@rsa.com (Podcast Producers) — Tue, 23 Mar 2010 00:00:00 GMT

Click to Download/Listen

The 2010 Archer GRC Summit, the premiere networking event for governance, risk and compliance programs is fast approaching. Hear all about it on this week's Speaking of Security podcast.

The Connection between Age and Credit Card Fraud – and Can the EMV Standard Solve the Problem?

blog@rsa.com (Idan Aharoni) — Fri, 19 Mar 2010 00:00:00 GMT

In my last post, I discussed how fraudsters take advantage of the fact that some financial institutions still are not authenticating the CVV on credit cards. This is allowing fraudsters to...

AS-Troyak Exposes a Large Cybercrime Infrastructure

blog@rsa.com (RSA FraudAction Research Lab) — Wed, 17 Mar 2010 00:00:00 GMT

Last week, RSA and other security professionals noticed a sudden halt in the activity of an upstream Internet connectivity provider named “AS-Troyak”, thus causing...

Speaking of Security Podcast #180

blog@rsa.com (Podcast Producers) — Tue, 16 Mar 2010 00:00:00 GMT

Click to Download/Listen

RSA has announced enhancements to its RSA® Data Loss Prevention (DLP) Suite. Hear about them on this week's Speaking of Security podcast.

The Case for Supply Chain Integrity

blog@rsa.com (Eric Baize) — Mon, 15 Mar 2010 00:00:00 GMT

A couple of recent incidents are shedding some light on the complexity of ensuring software code integrity throughout the supply chain.

A Touch of Reality

blog@rsa.com (Sam Curry) — Mon, 15 Mar 2010 00:00:00 GMT

After my Aliens v. Code Breaking blog, I came across something by Tom St. Denis (a fellow Canadian who published TomLib and wrote...

Is tokenization important in a Chip & PIN world?

blog@rsa.com (Robert McMillon) — Fri, 12 Mar 2010 00:00:00 GMT

One of the questions I get asked frequently is how tokenization works in countries that use EMV, commonly known as ‘Chip & PIN’. The dialogue usually...

Speaking of Security Podcast #179

blog@rsa.com (Podcast Producers) — Thu, 11 Mar 2010 00:00:00 GMT

Click to Download/Listen

Colleges and universities in the US are now the latest target for phishing attacks. This week's Speaking of Security podcast discusses this new trend.

Are you smarter than a PC?

blog@rsa.com (Sam Curry) — Wed, 10 Mar 2010 00:00:00 GMT

A lot of hacking is playing with other people, you know, getting them to do strange things.
-Steve Wozniak

The unexamined life is not worth living
-Socrates, Sec 38.

My girlfriend Kathleen (who incidentally wants to start a food review blog with me since we've eaten at some amazing places recently)...

The CVV Loophole of Credit Card Fraud is Closed for Business

blog@rsa.com (Idan Aharoni) — Tue, 09 Mar 2010 00:00:00 GMT

One of the things I like to do when interviewing job candidates is to ask them questions about the world of fraud. I don’t expect them to prove that they’re certified fraudsters when they come in, but it can flesh out many paradigms that the candidates may already have. For example...

Aliens v. Code Breaking

blog@rsa.com (Sam Curry) — Tue, 09 Mar 2010 00:00:00 GMT

Last week, Andrea Pellegrini, Valeria Bertacco and Todd Austin published "Fault Based Attack of RSA Authentication" (I'll call it FBARA here for ease of reference) as I was boarding a plane to return from...

Videos from RSA Conference 2010

blog@rsa.com (Editor) — Thu, 04 Mar 2010 00:00:00 GMT

See what people are saying about this year's RSA Conference.