It was a pretty typical day. I was settled into my seat at Starbucks writing something or other. Then I saw the AmEx notification pop up on my phone. $240.45, Ben Sherman, on the card I use for Securosis expenses. Huh? Who’s Ben Sherman? Pretty sure my bookie’s name isn’t Ben. So using my trusty Google fu I saw they are a highbrow mens clothier (nice stuff, BTW). But I didn’t buy anything from that store.

My well-worn, “Crap. My card number got pwned again.” process kicked in. Though I was far ahead of the game this time. I found the support number for Ben Sherman and left a message with the magic words, “blah blah blah fraudulent transaction blah blah,” and amazingly, I got a call back within 10 minutes. They kindly canceled the order (which saved them money) and gave me some details on the transaction.

The merchandise was evidently ordered by a “Scott Rothman,” and it was to be shipped to my address. That’s why the transaction didn’t trigger any fraud alerts – the name was close enough and the billing and shipping addresses were legit. So was I getting punked? Then I asked what was ordered.

She said a pair of jeans and a shirt. For $250? Damn, highbrow indeed. When I inquired about the size that was was the kicker. 30 waist and 32 length on the jeans. 30×32. Now I’ve dropped some weight, but I think the last time I was in size 30 pants was third grade or so. And the shirt was a Small. I think I outgrew small shirts in second grade. Clearly the clothes weren’t for me. The IP address of the order was Cumming, GA – about 10 miles north of where I live, and they provided a bogus email address.

I am still a bit perplexed by the transaction – it’s not like the perpetrator would benefit from the fraud. Unless they were going to swing by my house to pick up the package when it was delivered by UPS. But they’ll never get the chance, thanks to AmEx, whose notification allowed me to cancel the order before it shipped. So I called up AmEx and asked for a replacement card. No problem – my new card will be in my hands by the time you read this.

The kicker was an email I got yesterday morning from AmEx. Turns out they already updated my card number in Apple Pay, even though I didn’t have the new card yet. So I could use my new card on my fancy phone and get a notification when I used it.

And maybe I will even buy some pants from Ben Sherman to celebrate my new card. On second thought, probably not – I’m not really a highbrow type…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers

Incite 4 U

  1. It’s about applying the threat intel: This post on the ThreatConnect blog highlights an important aspect that may get lost in the rush to bring shiny threat intelligence data to market. As lots of folks, notably Rick Holland and yours truly, have been saying for a while. It’s not about having the data. It’s about using it. The post points out that data is data. Without understanding how it can be applied to your security program, it’s just bits. That’s why my current series focuses on using threat intel within security monitoring, incident response, and preventative controls. Rick’s written a bunch of stuff making similar points, including this classic about how vendors always try to one-up each other. I’m not saying you need (yet another) ‘platform’ to aggregate threat intel, but you definitely need a strategy to make the best use of data within your key use cases. – MR
  2. Good enough: I enjoyed Gilad Parann-Nissany’s post on 10 Things You Need To Know about HIPAA Compliance in the Cloud as generic guidance for PHI security in the cloud. But his 10th point really hits the mark: HIPAA is not feared at all. The vast majority of HIPAA fines have been for physical disclosure of PHI, not electronic. While a handful of firms go out of their way to ensure their cloud infrastructure is secure (which we applaud), they aren’t doing security because of HIPAA. Few cloud providers go beyond encrypting data stores (whatever that means) and securing public network connections, because that’s good enough to avoid major fines. Sometimes “good enough” is just that. – AL
  3. 20 Questions: Over the years I have been management or, at Gartner, part of a hiring committee at various times. I have not, however, had to really interview for most of my jobs (at least not normal interviews). The most interesting situation was the hiring process at the FBI. That interview was so structured that the agents had to go through special training just to give it. They tested me not only on answering the questions, but answering them in the proper way, as instructed at the beginning, in the proper time window. (I passed, but was cut later either due to budget reductions at the time, or some weirdness in my background. Even though I eliminated all witnesses, I swear!). But I have always struggled a bit a getting technical hires right, especially in security. The best security pros I know have broad knowledge and an ability to assimilate and correlate multiple kinds of information. I really like Richard Bejtlich’s hiring suggestion. Show them a con video, and have them explain the ins and outs and interpret it. That sure beats the programming tests I used when running dev shops because it gives you great insight into their thought process and what they think is important. – RM
  4. Mixed results: IBM is touting a technology called Identity Mixer as a way for users to both conceal sensitive attributes of their identity, and as a secure content delivery mechanism. But this approach is really Digital Rights Management – which essentially means encryption. This approach has been tried many times for both content delivery and user data protection. The issue is that when allowing a third party to decrypt or access any protected data, the data must be decrypted and removed from its protection. If you use this technology to deliver videos or music it is only as secure as the users who access the data. This approach works well enough for DirecTV because they control the hardware and software ecosystem, but falls apart in conventional cases where the user controls the endpoint. Similarly, sharing encrypted data and keys with a third party defeats the point. – AL
  5. Follow the money: I thought about calling this one “Protection racket”, but even the CryptoLocker guys actually unlock your stuff when you pay them, as promised. It turns out the AdBlock Plus folks take money from Microsoft, Google, and Amazon to allow their ads through. The company’s business model is built on whitelisting ‘good’ ads that comply with their policies (which often includes payment to the AdBlock Plus developers). And they do acknowledge this on their site. That change was made around the end of January 2014 (thank you, Internet Archive). I get it, everyone needs to make money, and not all ads are bad. Many good sites rely on them, although that’s a rough business. I would actually stop blocking most ads if they would stop tracking me even when I don’t click on them. But a business model like this is dangerous. A company becomes beholden to financial interests which don’t necessarily align with its users’. That’s one reason I have been so excited by Apple seeing privacy of customer data as a competitive advantage – as much as companies commit to grand ideals (such as “Don’t be evil.”), it sure is easier to stick to them when they help you make piles of money. – RM
  6. Hack your apps (before the other guys do): This has been out there for a while, but it’s disturbing nonetheless. Marriott collected lots of private information about customers, which isn’t a problem. Unless that information is accessible via a porous mobile app – as it was. I know many organizations take their mobile apps seriously, treating them just like other Internet-facing assets in terms of security. It may be a generalization but that last statement cuts both ways. Organizations that take security seriously do so on any customer-facing technology – with security assessments and penetration tests. And those that don’t… probably don’t. Just understand that mobile apps are a different attack vector, and we will see different ways to steal information. So hack your own apps – otherwise an adversary will. – MR