Tuesday, May 27, 2008

How to sell security with Bruce Schneier

Bruce Schneier, in his insightful post, explains why security is a tough sell. He traces this to an economic theory called Prospect Theory, developed by Daniel Kahneman and Amos Tversky in 1979, which later formed the basis of a Nobel Prize.

Of course, the best way is to read the post, and the reader is encouraged to do so, but the gist is to build security into the basic product offering. In our case, that means building security into the software we design.

Top 20 replies by Programmers when their programs don't work

A perennial favorite, published and republished.

20. "That's weird..."
19. "It's never done that before."
18. "It worked yesterday."
17. "How is that possible?"
16. "It must be a hardware problem."
15. "What did you type in wrong to get it to crash?"
14. "There is something funky in your data."
13. "I haven't touched that module in weeks!"
12. "You must have the wrong version."
11. "It's just some unlucky coincidence."
10. "I can't test everything!"
9. "THIS can't be the source of THAT."
8. "It works, but it hasn't been tested."
7. "Somebody must have changed my code."
6. "Did you check for a virus on your system?"
5. "Even though it doesn't work, how does it feel?"
4. "You can't use that version on your system."
3. "Why do you want to do it that way?"
2. "Where were you when the program blew up?"
1. "It works on my machine."

Monday, May 26, 2008

litsupport summary for the week ending on 5/25/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.


Q. Project management software off the shelf?
A. MS Project has tons of features but is complex to learn; for smaller projects, www.projjex.com (online). With an EDD bent: Mindmanager, CaseLawg. A free open source alternative to MS Project is OpenProj; its online hosted version is www.projity.com. Exterro is designed specifically for eDiscovery.


Q. How to take a video depo and place it on a GUI with transcribed text, so that you could jump to keywords in the text and it would take you to the time it was said on the video?
A. DepoView from inData, TimeCoder Pro from inData.


Q. How to forensically image a drive for a Sony VAIO laptop?
A. VAIO laptops are especially hard to take apart, so possible solutions are: EnCase with a crossover cable; booting from a forensic boot CD (Helix is good) and imaging through that process, which is slower but safer; or an Apricorn device with its software.


Q. How to virus scan data received from client?
A. (EDDLabs): Two separate scans using different software: (1) on the server as data is copied to the working set and hashed; and (2) on the workstation as individual files are accessed. Infected files are cleaned/repaired and rehashed prior to processing. A repaired file ("child" or "clone") has a different hash than the infected file ("parent" or "original"). Infected files failing repair are reported as exceptions.
SVDD: Unpack to a stand-alone Unix box and virus scan, creating an infected-files report. Create a processing corpus that excludes the infected files. Before delivery, virus check on a stand-alone XP box.
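The parent/child hash tracking in the EDDLabs workflow above, as an added example (not from the litsupport posting): files are hashed as they enter the working set, a repaired file gets a new hash linked to its parent, and files that cannot be repaired go to an exceptions list. The signature check and the repair step are constructed stand-ins for a real scanner engine.

```python
import hashlib
from typing import Dict, Optional

# Constructed marker standing in for a malware signature (not a real AV rule).
SIGNATURE = b"<<CONSTRUCTED-INFECTED-MARKER>>"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(data: bytes) -> bool:
    """Stand-in for an AV scan: True when the constructed marker is present."""
    return SIGNATURE in data

def repair(data: bytes) -> Optional[bytes]:
    """Stand-in for AV cleaning: strip the marker.
    Returns None when nothing usable remains, i.e. the repair failed."""
    cleaned = data.replace(SIGNATURE, b"")
    if not cleaned.strip():
        return None
    return cleaned

def process_working_set(files: Dict[str, bytes]) -> dict:
    """Server-side pass: hash on intake, scan, repair and rehash, or report an exception."""
    report = {"clean": {}, "repaired": {}, "exceptions": []}
    for name, data in files.items():
        parent_hash = sha256(data)          # hash recorded as the file enters the working set
        if not scan(data):
            report["clean"][name] = parent_hash
            continue
        child = repair(data)
        if child is None:                   # repair failed: report, do not process
            report["exceptions"].append({"file": name, "hash": parent_hash})
            continue
        # Child (clone) carries its own hash, linked back to the parent (original).
        report["repaired"][name] = {"parent": parent_hash,
                                    "child": sha256(child),
                                    "data": child}
    return report

# Constructed sample working set: one clean file, one repairable, one not.
CONSTRUCTED_SET = {
    "memo.txt": b"Meeting moved to Thursday.\n",
    "report.txt": b"Quarterly figures attached.\n" + SIGNATURE,
    "dropper.bin": SIGNATURE,
}

if __name__ == "__main__":
    import json
    out = process_working_set(CONSTRUCTED_SET)
    out["repaired"] = {k: {"parent": v["parent"], "child": v["child"]}
                       for k, v in out["repaired"].items()}
    print(json.dumps(out, indent=2))
```

The second, workstation-side scan in the posting corresponds to calling `scan()` again on each child before it is opened.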

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (Abernstein@mwe.com).

Thursday, May 22, 2008

ESI Compliance for Credit Unions

According to Google's "Message Encryption for Financial Institutions", data privacy and regulatory compliance have become top priorities for financial institutions. However, not all companies have the personnel and budget to implement what is now considered essential for the industry. Regional banks and credit unions are subject to the same laws and standards as larger financial institutions, but they do not have the same resources to implement an encryption solution on their own.

As mentioned in the "ESI Trends" report by Kroll Ontrack (resources), there is a severe lack of understanding, preparedness, and enforcement by organizations regarding how to manage their ESI and the need for an electronic evidence strategy. Less than half of companies have a policy in place on how to deal with ESI in litigation, investigations, and regulatory matters.

We designed our ESI Compliance for Credit Unions program following the Kroll Ontrack guidelines. In this program, we address credit unions' specific needs, which include HIPAA, the Fair Credit Reporting Act, and rule 748.

Our program addresses both the technical and the legal aspects of ESI compliance. It achieves the following goals:
  • establish an overall ESI policy;
  • clarify roles: who establishes policy, who implements it, and who is accountable in case of failures;
  • help the general counsel to keep up-to-date with all relevant regulations;
  • educate and assist the technical personnel with policy implementation.
Such a service is especially important for credit unions, which often lack sufficient resources to dedicate to the vital ESI policy questions. By concentrating on the issues common to credit unions, Top8 brings efficient, focused help to those who need it.

Tuesday, May 20, 2008

Data Breaches Mean More Than Bad Publicity

In this article from the New York Law Journal, the author describes the types of data losses that can occur and their possible legal consequences, and calls on law firms to prepare their clients for the inevitable data breaches.

In the next post, I will describe the methodology that Top8 has developed to approach this problem.

Monday, May 19, 2008

Is this secure enough?

This Sunday outing had a crop of security questions. The first was at a Kroger store, where essential ID information was requested on the checkout receipt. On closer inspection, it was a credit card application. But it felt out of place. How easily can a person fill all of this out and then lose it somewhere?

On the other hand, Chase bank did it just right. They scanned and printed a deposited check, and lo and behold: "Part of the check image has been obscured for security reasons!" Good job, Chase.

What is the advice? Often programmers ask for information just because they can, while in truth they do not need it. Today, one should start to collect as little information as possible, not as much.

litsupport summary for the week ending on 05/18/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. How to open ASCII TXT files that are about 2 GB per file?
A. Windows: UltraEdit(32) or TextPad; OS X: try BBEdit, vim or emacs. And your computer had better have at least 4 GB of RAM. It may also be that the files are not text but binary. Consider grep, sed, AWK, tr, cut, paste, sort, uniq, Perl and other text processing commands and tools of their ilk.

Q. Good FTP Software?
A. Filezilla, WS_FTP, Flash_FXP, CuteFTP, SmartFTP, CoreFTP, FireFTP for Firefox. BUT keep security and encryption in mind.

Q. Utility to provide word count and frequency.
A. dtSearch, DT Desktop.

Q. xcopy files to one destination folder?
A. copyrite (http://copyrite.dyndns.biz/), Upcopy from www.dmares.com (forensically good), robocopy, SafeCopy.

Q. View .pst files without Outlook?
A. QuickView Plus, Mail Examiner from Paraben.

Q. What is the future of Bates numbers?
A. They may be replaced by hashes, but this is debatable.

Q. Convert PDF to .doc?
A. pdfDocs with optional OCR Server, ScanSoft PDF Professional.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and reviewed by Aline Bernstein (Abernstein@mwe.com).

Tuesday, May 13, 2008

Monday, May 5, 2008

Highly recommended security book

Security Engineering by Ross Anderson

Lots of downloadable chapters from the second edition, MP3 audio, and the complete first edition.

Friday, May 2, 2008

Elephant Cemetery = Security Risk
I like looking at elephant cemeteries, which are of course security risks if not properly disposed of. Why do poor elephants deserve this comparison?