My second podcast has been posted, discussing security and compliance in the context of North American Bulk Power Cyber Security Standards.

In related news, the cover story in the April 2009 Popular Mechanics is “Cyber Attack: Weapon of Mass Disruption”

Hackers could use the very computer systems that keep America’s infrastructure running to bring down key utilities and industries. Just how worried should we be?

[…]

The next world war might not start with a bang, but with a blackout.

Hope you enjoy the podcast.

There is so much useless chatter on the Internet about Heartland, it is nice to see a well researched and written article by Bank Info Security. They report on a security road-show by Visa:

In tackling facts and myths about data compromises, as presented in the news media, Visa says:

• No compromised entity has been found to be PCI compliant at the time of the breach;
• Visa does support encryption for both online and batch files.

The presentation goes on to cover common compromise vulnerabilities, including:

• Failure to secure and monitor connected non-payment environment;
• Unprotected systems vulnerable to SQL injection attacks;
• Corporate websites targeted to gain access to network;
• Malware installed to capture passwords and cardholder data.

Perhaps most interesting is that Visa is estimating that each check card with track and PIN has a $1000 market value.

The first bullet in the second list should not be missed. Although many people are banging the drum on SQL vulnerabilities and web application vulnerabilities, as well as malware, the “it’s all connected” message is a tough one. I know this well because it was the basis of a campaign I ran a few years ago at a financial institution. Fortunately there is some help in publications like the FIPS 200 from 2006 (Minimum Security Requirements for Federal Information and Information Systems). It suggests that everything connected to a critical system should have same or higher levels of security.

This message is not an easy one to deliver because it is based upon the options of either raising enterprise-wide baseline security or building security on critical systems to the point where they are truly isolated. Either way, it’s a security project with costs determined by how the business wants to operate around risk.

Thus, the difference from the other three bullet points is that it is a question for management, rather than a strictly technical gap. You can patch and monitor to fix SQL, web applications, and malware but making a decision about information flow and minimum security requirements across the enterprise is a complex business decision. Incidentally, no pun intended, the utilities are currently dealing with this very same issue as corporate systems and control centers appear to be increasingly connected to critical assets and critical cyber assets throughout their infrastructure.

The big news last week was that more than twenty people in Romania had their homes raided very early in the morning based on charges of stealing financial identities with fake bank sites and unauthorized access to NASA systems. Nearly a hundred officers performed the operation with FBI support in Timisoara, Lugoj, Caransebes, Hunedoara and Pitesti.

Stirile Pro TV has more details:

Although this is an impressive sweep, it brings to mind some other recent news. Gabriel Bogdan Ionescu was arrested in 2007 for cloning the Italian Post Office to steal identities and money. He was convicted and sent to jail but now Balkan Insights reports that the District Attorney in Como, Italy has allowed him to take a job.

Ionescu is to be hired part-time by a company specialized in monitoring and intercepting online criminal activity and which has been contracted by the Italian government to assist authorities with preventing online crimes, which are becoming increasingly common in Italy.

Will he will be working against his former colleagues who seem to have copied his methods? Perhaps more to the point, I wonder if the new twenty-two or so suspects get a similar offer and substitute for hiring Italian computer security experts? The ethics of hiring convicted criminals to fight crime has always been debated. In the case of Ionescu, it seems the application to a university in Milano helped turn things around for him.

He finished the test in a record one hour and 20 minutes and received the highest score in the history of the faculty. More recently, Ionescu received maximum scores on two student exams.

“He’s not just the best in his generation,” fawned one of his professors. “He’s probably the best on the planet.”

Although it’s very likely he is super intelligent, I still have to wonder about the chances that he cheated.