Security's Past Gives Hints To Its Future - Dark Dominion Blog - Dark Reading

Posted by Tim Wilson, May 4, 2009 12:48 AM

Julius Caesar didn't see the need for a bodyguard when he went to the floor of the Roman senate on a March day in 44 B.C.
That little oversight cost him 23 stab wounds and the throne of the empire. More than 1,900 years later, Abe Lincoln entered the presidential box at Ford's Theater in Washington, D.C. -- again, no bodyguard seemed necessary. We all know how that decision turned out.


In fact, you could argue that history is full of poor security decisions, including many that have been made over and over again. Sometimes a look back at history makes you want to go back, shake the principals by the lapels, and say, "not again! Haven't you learned anything?" 

Which brings us, inevitably, back to the subject of IT security.

This week we're celebrating the third birthday of Dark Reading, which launched its maiden story on May 1, 2006. One of the goals of the site was to cover everything that had to do with computer security, from bug reports and major breaches to best practices and product news. Our idea was to give security pros a single place to look for news and information, whether they wanted to know about the latest application vulnerabilities or develop an RFI for a new firewall.

The site still has plenty of flaws, but one thing we've successfully built is a pretty nice archive of what's happened in the industry during the past few years. If you enter the work "vulnerability" in our search bar, you'll find almost 1,000 stories. "Insider" brings up 365 articles. "XSS" -- the acronym for cross-site scripting -- will net you 84 different items. We've started to develop a little bit of searchable history on the site, giving you a bit of a window into what has happened in many different areas of IT security.

As I look back over the content we've published during our short life on the Web, I'm struck by how many times organizations have made the same mistakes over and over again.

The lost laptop that exposed the personal data of millions of soldiers at the Department of Veterans Affairs in 2006 doesn't seem very much different than the lost laptop that exposed the data of more than 225,000 individuals at the Oklahoma Housing Finance Agency this past weekend. The P2P vulnerability that exposed thousands of Pfizer employees to identity theft in 2007 is the same sort of flaw that exposed the president's Marine One helicopter plans to users in Iran just one month ago.

Clearly, malware is proliferating with a pace and sophistication that has never been seen before on the Web -- and that's scary. But shouldn't we have already fixed these problems that have been happening for years and years? After 25 years of viruses, why are we still trying to convince employees not to click on links from unknown email senders? A recent study by Verizon Business Systems indicates that more than 90 percent of security breaches are the result of hacks and vulnerabilities that are more than 2 years old.

Not again! Haven't you learned anything?  Editor's Note: The ones that are two years old don't scare me as much as the one's that are cropping up (see Torpig Botnet Harvest Bank Credentials) as I type.  Speaking of typing, did you ever hear of "key-logging?" That's like, 10 years old...and people still think it's okay to type their credit card numbers into a box at a merchant checkout.  What do you do when you purchase goods at a brick and mortar retailer?  Do you write your credit/debit card number down in a box on a sheet of paper?  No!  You swipe your card and you enter your PIN.  Why?  Because that's the safest way to do it.  

As we enter our fourth year of serving the security community, we at Dark Reading would like to thank you, our readers, for your interest and loyalty since we opened our home page in 2006. We hope we've helped to inform you of some of the newest hacks on the Web, and gave you the information you needed to protect your organization against the most innovative new threats.

At the same time, however, we invite you to take a look back through the history of attacks we're amassing on the site. See anything familiar? You're not the only one. Attackers often like to exploit old vulnerabilities, as well.

It's hard for an old newsman to admit, but maybe we ought to spend a little less time focused on the industry's newest threats and a little more time focused on the ones that have consistently come back to bite us, again and again, during the relatively short history of computer security. Maybe learning from old mistakes is just as important as avoiding new ones.


Editor's Note:  THAT is why I love this Article!  It's EXACTLY the point that HomeATM has been trying to make since DAY ONE.  There WILL be the day when EVERYONE realizes that financial transactions conducted on a PC need to be conducted outside the browser.  Our solution is PC"I" 2.0 certified, and uses a End-to-End Triple Data Encryption Standard (3DES) and further protects card holder data by employing a Derived Unique Key Per Transaction (DUKPT) key management system.  (Protected by DUKPT)   The HomeATM SafeTPIN is your vehicle baby...you can take it anywhere you wanna go.  Just as Julius Caesar was "warned" to beware of "The IDES of March",  we need to beware  of the proliferation of malicious code designed to steal our usernames, our passwords and our ID's.  We need to beware of "The March of ID's"

Continue "Dark Reading:" In any case, we at Dark Reading are committed to spending the coming year doing what we've been doing since 2006 -- bringing you the latest news, analysis, opinion, and product news that the industry has to offer. We know that in order to do your job, you need to understand the full spectrum of threats to your business, both old and new, and that your livelihood depends on getting the information you need -- when you need it. We also know that in many cases, those who don't learn from history -- even just a few years of it -- may be doomed to repeat it.

Just ask Honest Abe.

-- Tim Wilson, Site Editor, Dark Readin
g




Reblog this post [with Zemanta]

Posted by John B. Frank Tuesday, May 5, 2009

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers