Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card."  Wow.

What this seems to signal is that Visa, and perhaps the other card brands, feel that they will make more money by eliminating barriers to the sale, such as the 2.2 seconds needed to sign your name, than it would lose in fraudulent transactions, considering this program is for transactions of US$25 or less. Also, it appears that people no longer know how to sign their names.

I have often heard (in low, barely audible whispers) that US consumers were too lazy to care about security, which is why the US will probably never have CHIP and PIN transactions for enhanced credit card authentication.  We Americans are too darn busy to push 4 numbers on a key pad (4.3 second).  This drives folks in the other parts of the world crazy as they are in love with CHIP and PIN and, mistakenly, think that this technology eliminates all transaction risk.  CHIP and PIN cards still have a mag stripe that can be scanned, and skimming is still a problem. It's a great authentication method, however, and would really help reduce some of the smaller, card-present CC frauds were we to adopt it.

Americans need more paranoia about credit card theft. We are much more likely to suffer some type of credit card fraud or be affected by a major credit card breach than a terrorist attack, but for some reason we are unwilling to punch in a few numbers to help protect ourselves.

Google called again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: "This is not accurate." So, I should rephrase how the attack happened:

a) A Google employee's machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." At Google's request, I retract that particular statement.

This is what we do know factually:

1) The attack on the Google server happened.

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn't going on the record to say that the attack came in via the VPN, and that's their official position.

On a positive note, Google is actively trying to schedule the security interview with me. So hopefully I'll have more to report shortly.

A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones.

The article has the catchy subtitle "$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected." It discusses how the insurgents are using the software to intercept the Drone's unencrypted video stream, "potentially providing them with information they need to evade or monitor U.S. military operations."

According to the article, the military has been aware that this type of attack was posssible for some time: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."

Let's hope that the Pentagon has learned what happens when you ass-u-me things...

I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting — both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding: 

• Business Technology (BT) architecture redefining how we define IT services
• Cloud computing and virtualization redefining how we build IT services
• Automation and ITIL redefining how we run IT services

But the big takeaway form me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.

Sure, we see pockets of automaton in information security. I’ve seen: