Security's Everyman

Friday, November 03, 2006

Careful who you trust

Just a personal story of how even those of us who are Security Pros can let our guard down and do the very thing that we keep telling others not to do. I want to stress that I am not suggesting that this was a malicious act. It was just a "freak" coincidence that teaches a good lesson.

Yesterday I sent Martin McKeay a personal email asking him a question about PCI compliance. I know that in addition to being "Captain Privacy" as Shimel calls him he is very knowledgeable about PCI. A little while later he replied to my email and included a link to a website that he recommended I check out (you know where this is going now don't you).

I hate to admit it but I did click on the link without any hesitation or checking to make sure it was legitimate. After all Martin is a trusted Security Pro and I have had some contact with him over the last few months regarding the CISSP test and such. I've given him my thoughts and kudos on his podcast a few times. I had no reason not to trust him. Yet I really don't know him so I should have been more careful. Haven't we all heard similar excuses from our users?

What was really scary about this incident though is that the site that he sent me to has a pdf on it that I needed to download and read. As soon as I clicked on the pdf link FireFox crashed. :( My heart sank and I felt like such a loser. I immediately isolated my laptop from the rest of the network and spent quite a while checking to make sure that I had not been compromised. After I was convinced that all was OK I went back to the site and downloaded the pdf and quickly became despondent because it told me just how much extra work was going to be required of me on the compliance side.

But all is well. Martin is not a hacker in hiding. :) His help was GREATLY appreciated. I just wish that I had been a little more careful. Crow doesn't taste too good. At least most of my users don't read my blog.

1 comment:

Anonymous said...

Andy,

If you have a PCI related question (as Martin mentioned on his blog) we would be happy to answer it.

The PCI Data Security Blog is authored by several people with a long history of implementing, teaching, and helping create the PCI DSS.

Check us out, comment, email, etc.
http://datasecurity.wordpress.com/

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.