Thursday, January 18, 2007

What was TJX thinking?

This type of thing happens so regularly its not even news. Massachusetts based TJX, the parent company of TJ-MAX, Marshalls, HomeGoods and Bobs Store, got hacked, and more than a million credit and debit card information, sometimes with drivers license information, were stolen. More than a million? It sure sounds like they don't know the exact figure, but its growing.

Data going as far back as 2003 was compromised sometime in December 2006, and TJX was working with law enforcement and kept the news hidden until then.

A story in the Boston Globe seems to indicate it was not an insider. Of course, TJX will never share the findings about how this happened, but what were they doing with this data in the first place?

And the magnitude of the breach seems to be growing. Are they playing a "gradual disclosure" game like ChoicePoint? The Massachusetts banker's association doesn't like the scope and duration of data retention.
The bankers' association also questioned why TJX kept credit- and debit-card
information on file for so long. "It appears that they may have been
capturing data that is unnecessary," Daniel J. Forte, the bankers
association president, said in a statement today.

TJX spokeswoman Sherry Lang would not comment on the bankers' association
statement. She reiterated that the company does not yet know of any acts of
fraud related to customers' personal data.
The PCI standard requires protection of stored cardholder data. So what happens if the data is not protected? A slap on the wrist? Not even that.

Oh, by the way, TJX has not offered to provide credit monitoring or any such service. I'd recommend calling TJX at (866) 484-6978 and asking for credit monitoring.

Monday, January 8, 2007

Secure coding (and 'Vulnerability Pimps')

Application security is one of my favorite areas, and as a result, secure coding techniques, and source code review. Marcus Ranum, he of the firewall fame, recently wrote an article about running an automated source code analyzer against Firewall Toolkit.

As he says in the footnote,

The Firewall Toolkit later became the core of the TIS Gauntlet firewall. For a few years after its release, the FWTK code-base was at the center of more than half of the firewalls on the Internet.
And the code had been reviewed/worked on by many people, but some security issues, including one buffer overflow, was left undiscovered in the code. Lesson? If you have a large codebase, you need to run a software like Fortify to find the quick hits that would be otherwise buried in the code.

In the same article, Ranum created a new term: Vulnerability Pimps. These are the so-called security researchers who attempt to discover flaws just to gain fame.

Monday, January 1, 2007

The psychology of risk (and why we worry about stuff we should not)

That title could sum up risk management (and will be a recurring theme at 10domains).

I just read an article on SecurityFocus about an effort by the US Department of Justice (DOJ) to standardize the format they store criminal records, and how its raising privacy fears. I am all for privacy, and a believer in the 4th amendment. But I fail to see how a standardized method for record format and access increases the privacy risk.
"Raw police files or FBI reports can never be verified and can never be corrected," Barry Steinhardt, director of the Technology and Liberty Project at the American Civil Liberties Union, told the Washington Post. "That is a problem with even more formal and controlled systems. The idea that they're creating another whole system that is going to be full of inaccurate information is just chilling."

I agree with the first statement. But Mr. Steinhardt fails to explain how a new system increases the risk. I am not pulling out the old chestnut of "if you have done nothing wrong, you have nothing to fear" but seriously, the US DoJ already knows whatever it needs to know about you, and the other LEAs (Law Enforcement Agency) can get access to all the records there are--it just takes longer now. Reducing that timeframe (and associated costs) does not make your life any less private.

Which reminds me, one of these days I will post my rant against the opposition to a US National ID Card. If you carry a driver's license or have a social security number, you are already part of the Borg collective my friend.

Why 10domains?

Someone just asked me why I picked 10domains. For people in the information security world, this is actually a pretty easy answer. (ISC)2 , the organization that runs the CISSP (and a few other) certification program. CISSP stands for Certified Information Systems Security Professional, and requires knowledge in 10 domains of information security:
  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
This blog will cover these 10 domains (and use them to label and classify the posts), hence the name.

YAB (Yet Another Blog) on Information Security

Call this an effort to give a little back to the world. Hopefully the signal to noise ration will be good enough for people to find this useful.

The audience for this blog will range from the merely curious to professionals, from soccer moms to industry veterans.