Thursday, October 4, 2007

A "Cyberist" meets his match: Stephen Colbert

Don't the cops have some murder or rape to investigate? This is a classic case of an overzealous cop eager to pad his stats. Judge for yourself.

Wednesday, March 28, 2007

The Immaculate Hack

The web was mostly built by borrowing other people's code and images, and sometimes even their bandwidth (when one party just linked to the image residing on someone else's server and showed it on his own--this is also known as 'leeching'). Leeching may actually be illegal, because it uses someone else's resources without permission.

The John McCain crew found out the hard way its not nice to leech.

Mike Davidson, who created the template used at McCain's MySpace page was a little miffed that McCain's page was leeching the 'contact John' image from his server (and costing him bandwidth and money). So he created a new graphic, and uploaded it to his own server under the same name as the previous graphic. And just like that, McCain's position was changed).

Technically, no crime was committed: Mike changed a graphic on his own equipment. Who else was using it and how, was not his concern.

I hope the Sen. McCain will have a sense of humor about this because the FBI can, and may, cart away Mike D's hardware first and ask questions later.

Monday, February 19, 2007

Card skimming at supermarket checkouts

Card skimming is the technique of installing a fake Credit/Debit card reader to capture card information. Until now, this only existed in the Bank ATM world. But no more: now it happened at Stop & Shop checkouts.

They would not now be able to tamper with the units the way they did before," Keane said. He declined to reveal details of how the scam worked, other than to say it involved card readers being removed, tampered with, and reinstalled. "Our investigation has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering.
I am a regular Stop & Shop customer, and I don't buy this. Someone can't just walk into a store, remove a card reader and reinstall it (even if the whole thing takes 2 minutes). Unless it involved the company that services the POS terminals. In that case, why isn't S&S pointing the finger at them? I think we are seeing another gradual release of bad news (like ChoicePoint and TJX).

Thursday, January 18, 2007

What was TJX thinking?

This type of thing happens so regularly its not even news. Massachusetts based TJX, the parent company of TJ-MAX, Marshalls, HomeGoods and Bobs Store, got hacked, and more than a million credit and debit card information, sometimes with drivers license information, were stolen. More than a million? It sure sounds like they don't know the exact figure, but its growing.

Data going as far back as 2003 was compromised sometime in December 2006, and TJX was working with law enforcement and kept the news hidden until then.

A story in the Boston Globe seems to indicate it was not an insider. Of course, TJX will never share the findings about how this happened, but what were they doing with this data in the first place?

And the magnitude of the breach seems to be growing. Are they playing a "gradual disclosure" game like ChoicePoint? The Massachusetts banker's association doesn't like the scope and duration of data retention.
The bankers' association also questioned why TJX kept credit- and debit-card
information on file for so long. "It appears that they may have been
capturing data that is unnecessary," Daniel J. Forte, the bankers
association president, said in a statement today.

TJX spokeswoman Sherry Lang would not comment on the bankers' association
statement. She reiterated that the company does not yet know of any acts of
fraud related to customers' personal data.
The PCI standard requires protection of stored cardholder data. So what happens if the data is not protected? A slap on the wrist? Not even that.

Oh, by the way, TJX has not offered to provide credit monitoring or any such service. I'd recommend calling TJX at (866) 484-6978 and asking for credit monitoring.

Monday, January 8, 2007

Secure coding (and 'Vulnerability Pimps')

Application security is one of my favorite areas, and as a result, secure coding techniques, and source code review. Marcus Ranum, he of the firewall fame, recently wrote an article about running an automated source code analyzer against Firewall Toolkit.

As he says in the footnote,

The Firewall Toolkit later became the core of the TIS Gauntlet firewall. For a few years after its release, the FWTK code-base was at the center of more than half of the firewalls on the Internet.
And the code had been reviewed/worked on by many people, but some security issues, including one buffer overflow, was left undiscovered in the code. Lesson? If you have a large codebase, you need to run a software like Fortify to find the quick hits that would be otherwise buried in the code.

In the same article, Ranum created a new term: Vulnerability Pimps. These are the so-called security researchers who attempt to discover flaws just to gain fame.

Monday, January 1, 2007

The psychology of risk (and why we worry about stuff we should not)

That title could sum up risk management (and will be a recurring theme at 10domains).

I just read an article on SecurityFocus about an effort by the US Department of Justice (DOJ) to standardize the format they store criminal records, and how its raising privacy fears. I am all for privacy, and a believer in the 4th amendment. But I fail to see how a standardized method for record format and access increases the privacy risk.
"Raw police files or FBI reports can never be verified and can never be corrected," Barry Steinhardt, director of the Technology and Liberty Project at the American Civil Liberties Union, told the Washington Post. "That is a problem with even more formal and controlled systems. The idea that they're creating another whole system that is going to be full of inaccurate information is just chilling."

I agree with the first statement. But Mr. Steinhardt fails to explain how a new system increases the risk. I am not pulling out the old chestnut of "if you have done nothing wrong, you have nothing to fear" but seriously, the US DoJ already knows whatever it needs to know about you, and the other LEAs (Law Enforcement Agency) can get access to all the records there are--it just takes longer now. Reducing that timeframe (and associated costs) does not make your life any less private.

Which reminds me, one of these days I will post my rant against the opposition to a US National ID Card. If you carry a driver's license or have a social security number, you are already part of the Borg collective my friend.

Why 10domains?

Someone just asked me why I picked 10domains. For people in the information security world, this is actually a pretty easy answer. (ISC)2 , the organization that runs the CISSP (and a few other) certification program. CISSP stands for Certified Information Systems Security Professional, and requires knowledge in 10 domains of information security:
  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
This blog will cover these 10 domains (and use them to label and classify the posts), hence the name.

YAB (Yet Another Blog) on Information Security

Call this an effort to give a little back to the world. Hopefully the signal to noise ration will be good enough for people to find this useful.

The audience for this blog will range from the merely curious to professionals, from soccer moms to industry veterans.