<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6050101211475163815</id><updated>2012-01-27T20:01:09.541-08:00</updated><category term='mobile'/><category term='oregon'/><category term='ACLU'/><category term='nigerian'/><category term='FAQ'/><category term='securityfocus'/><category term='Retention'/><category term='joomla'/><category term='av'/><category term='congress'/><category term='development'/><category term='malware'/><category term='fbi'/><category term='privacy'/><category term='wal-mart'/><category term='swayze'/><category term='linkedin'/><category term='RMB'/><category term='Boston'/><category term='city hall'/><category term='ranum'/><category term='spy'/><category term='inexpensive'/><category term='armarix'/><category term='security program'/><category term='amazon'/><category term='secure coding'/><category term='krebs'/><category term='Career'/><category term='defacement'/><category term='Consultancy'/><category term='firewall'/><category term='russian'/><category term='Kineavy'/><category term='EC2'/><category term='Records'/><category term='Startup'/><category term='bots'/><category term='doj'/><category term='CISO'/><category term='facebook'/><category term='hack'/><category term='sneaky'/><category term='PCI'/><category term='breach'/><category term='ohio'/><category term='kodak'/><category term='safe handgund'/><category term='nhlogin'/><category term='congressman'/><category term='419'/><category term='legal'/><category term='cloud'/><category term='menino'/><category term='Growth'/><category term='tjx id theft PCI credit card breach'/><category term='public record law'/><category 
term='Consultant'/><category term='ATT'/><category term='antivirus'/><category term='HIPAA'/><category term='svr'/><category term='foia'/><category term='virus'/><category term='Red Eye Crew'/><category term='house'/><category term='Fortify'/><category term='Rocky Mountain Bank'/><category term='insecure design'/><category term='fail'/><category term='ISMS'/><category term='scam'/><category term='Mentoring'/><category term='google apps'/><category term='google'/><category term='DOS'/><category term='discovery'/><title type='text'>Technology/Security/Society Musings</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>34</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-2669240654708853147</id><published>2012-01-27T20:01:00.000-08:00</published><updated>2012-01-27T20:01:09.547-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sneaky'/><category scheme='http://www.blogger.com/atom/ns#' term='linkedin'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>LinkedIn's sneaky privacy policy change</title><content type='html'>[Only relevant if you are on LinkedIn]&lt;br /&gt;&lt;br /&gt;While the world is 
railing against Google's privacy policy change, LinkedIn has quietly opted in its members to a policy that says they can use the members'&lt;br /&gt;name/photo in advertisements.&lt;br /&gt;&lt;br /&gt;Forwarded email below:&lt;br /&gt;&lt;blockquote&gt;Some simple actions to be considered:&lt;br /&gt;&lt;br /&gt;1. Place the cursor on your name at the top right corner of the screen. From the small pull down menu that appears, select "settings"&lt;br /&gt;2. Then click "Account" on the left/bottom&lt;br /&gt;3. In the column next to Account, select the option "Manage Social Advertising"&lt;br /&gt;4. Finally un-tick the box "LinkedIn may use my name and photo in social advertising"&lt;br /&gt;5. and Save&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I normally cringe when I see "tell all your contacts" but in this case I guess it is justified. So tell all your contacts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-2669240654708853147?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/2669240654708853147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=2669240654708853147' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2669240654708853147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2669240654708853147'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2012/01/linkedins-sneaky-privacy-policy-change.html' title='LinkedIn&apos;s sneaky privacy policy change'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-2242105925615967209</id><published>2011-01-17T07:04:00.000-08:00</published><updated>2011-01-17T07:04:17.834-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='krebs'/><category scheme='http://www.blogger.com/atom/ns#' term='bots'/><title type='text'>Malware kits becoming professional, with a ton of metrics</title><content type='html'>Krebs on Security has posted an image of the administration dashboard of 2 malware kits&lt;br /&gt;&lt;br /&gt;Here is one:&lt;br /&gt;&lt;a href="http://krebsonsecurity.com/wp-content/uploads/2010/12/dragon2.jpg" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="190" src="http://krebsonsecurity.com/wp-content/uploads/2010/12/dragon2.jpg" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Apart from the interesting background and the mis-spelled 'Unics' the analytics is very nice. After all, every cybercriminal businessman needs metrics!&lt;br /&gt;&lt;br /&gt;Here is the &lt;a href="http://krebsonsecurity.com/2011/01/exploit-packs-run-on-java-juice/" target="_blank"&gt;full post&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While Brian talks about these being Java exploit packs, I am more alarmed by the professional (for lack of a better word) look of the kits. This is geared towards someone who wants to see what works and what does not so attacks can be fine-tuned or changed. 
And I am afraid it is going to get worse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-2242105925615967209?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/2242105925615967209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=2242105925615967209' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2242105925615967209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2242105925615967209'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2011/01/malware-kits-becoming-professional-with.html' title='Malware kits becoming professional, with a ton of metrics'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-3445269606509250390</id><published>2010-06-29T05:33:00.000-07:00</published><updated>2010-06-29T13:42:27.794-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spy'/><category scheme='http://www.blogger.com/atom/ns#' term='fbi'/><category scheme='http://www.blogger.com/atom/ns#' term='russian'/><category scheme='http://www.blogger.com/atom/ns#' term='svr'/><title type='text'>Russian spies and adhoc wi-fi</title><content type='html'>On June 28, 2010, the FBI arrested 10 Russian spies. 
The &lt;a href="http://www.cbsnews.com/htdocs/pdf/Complaint_1.pdf" target="_blank"&gt;complaint&lt;/a&gt; against two of them, Anna Chapman and Mikhail Semenko is fascinating. Instead of dead drops at cemeteries or brush-passes at crowded restaurants, these spies set up adhoc wireless networks between 2 laptops and exchanged information.&lt;br /&gt;&lt;br /&gt;The complaint first describes what an adhoc wireless network is:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_RaDk956KPXY/TCndpgIgMsI/AAAAAAAAAJ0/uHJxlSlk2Q4/s1600/russianspy-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="145" src="http://2.bp.blogspot.com/_RaDk956KPXY/TCndpgIgMsI/AAAAAAAAAJ0/uHJxlSlk2Q4/s400/russianspy-1.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;and then cites many examples of how when Anna Chapman opened up her laptop, and when a certain Russian government official was nearby (in a van outside a coffeeshop or standing outside a bookstore), an ad-hoc wireless network with the same two MAC addresses sprung up.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_RaDk956KPXY/TCneQr2_38I/AAAAAAAAAJ8/Xl1tc5X_JuU/s1600/russianspy-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="231" src="http://1.bp.blogspot.com/_RaDk956KPXY/TCneQr2_38I/AAAAAAAAAJ8/Xl1tc5X_JuU/s400/russianspy-2.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;Semenko used the same technique. 
In one instance, he was sitting in a restaurant, while a car with diplomatic plates (issued to the Russian embassy) entered the parking lot and sat there for 20 minutes and then left.&lt;br /&gt;&lt;br /&gt;Further down, Semenko described to an undercover FBI agent posing as a Russian diplomat how he zipped up the files, opened up his laptop to set up the adhoc wifi and transferred the files.&lt;br /&gt;&lt;br /&gt;A number of questions and thoughts:&lt;br /&gt;- Because the FBI knew enough to pose undercover agents as Russians and arrange meets with the spies, they had penetrated the ring for a very long time. Other documents mention search warrants against safe-deposit boxes as early as 2001.&lt;br /&gt;- Which brings up another question. Why did Russian agent and FBI counter-intelligence honcho &lt;a href="http://en.wikipedia.org/wiki/Robert_Hanssen" target="_blank"&gt;Robert Hanssen&lt;/a&gt; not warn them? His position in the FBI should have guaranteed he knew about this.&lt;br /&gt;- Or did Hanssen, who was arrested in 2001, give them up?&lt;br /&gt;- But if Hanssen knew about this team, why didn't the Russians pull them out?&lt;br /&gt;- Anna Chapman must have smelled a rat, and that's why she bought a disposable phone (to call Russia?) 
and did not show up for the meeting the next day (June 27)&lt;br /&gt;- Which must have led to the arrests on the 28th because the FBI decided the spies were on to them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-3445269606509250390?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/3445269606509250390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=3445269606509250390' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3445269606509250390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3445269606509250390'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/06/russian-spies-and-adhoc-wi-fi.html' title='Russian spies and adhoc wi-fi'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_RaDk956KPXY/TCndpgIgMsI/AAAAAAAAAJ0/uHJxlSlk2Q4/s72-c/russianspy-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-7943108124873855722</id><published>2010-05-06T20:04:00.000-07:00</published><updated>2010-05-06T20:06:00.597-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='av'/><category scheme='http://www.blogger.com/atom/ns#' term='antivirus'/><title type='text'>What Virustotal says about a suspicious attachment and 
AV products</title><content type='html'>I received a $50 iTunes gift certificate today as a zip file. Yay!&lt;br /&gt;&lt;br /&gt;I uploaded it to Virustotal, and the result is below. If the formatting is lost, you can see the report here: http://shar.es/m6tDP&lt;br /&gt;&lt;br /&gt;First, Virustotal told me that they already have seen this file. Next, very few AVs identified it as a threat. And at the risk of beating up on McAfee again, their gateway version with a May 6 def identified it, but their regular (?) version with a May 7 def did not! In all, only 8 of 41 identified it.&lt;br /&gt;&lt;br /&gt;AVG, which is on my laptop, did not identify it either.&lt;br /&gt;&lt;br /&gt;My question: what happened to AV companies sharing knowledge? I would&lt;br /&gt;have thought in 24 hours at least all the big boys would have shared the&lt;br /&gt;signature. A 20% detection rate is pretty bad. But as McAfee's left hand&lt;br /&gt;does not know what its other left hand is doing, I guess I should not be&lt;br /&gt;too surprised.&lt;br /&gt;&lt;br /&gt;&lt;pre wrap=""&gt;&lt;/pre&gt;&lt;table border="0" cellpadding="0" cellspacing="0" id="tablaMotores" style="width: 550px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Antivirus&lt;/th&gt; &lt;th&gt;Version&lt;/th&gt; &lt;th&gt;Last Update&lt;/th&gt; &lt;th&gt;Result&lt;/th&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;a-squared&lt;/td&gt; &lt;td&gt;4.5.0.50&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;AhnLab-V3&lt;/td&gt; &lt;td&gt;2010.05.07.00&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;AntiVir&lt;/td&gt; &lt;td&gt;8.2.1.236&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Antiy-AVL&lt;/td&gt; &lt;td&gt;2.0.3.7&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Authentium&lt;/td&gt; &lt;td&gt;5.2.0.5&lt;/td&gt; 
&lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Avast&lt;/td&gt; &lt;td&gt;4.8.1351.0&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Avast5&lt;/td&gt; &lt;td&gt;5.0.332.0&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;AVG&lt;/td&gt; &lt;td&gt;9.0.0.787&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;BitDefender&lt;/td&gt; &lt;td&gt;7.2&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td class="positivo"&gt;Gen:Variant.Bredo.4&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;CAT-QuickHeal&lt;/td&gt; &lt;td&gt;10.00&lt;/td&gt; &lt;td&gt;2010.05.04&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;ClamAV&lt;/td&gt; &lt;td&gt;0.96.0.3-git&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Comodo&lt;/td&gt; &lt;td&gt;4783&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;DrWeb&lt;/td&gt; &lt;td&gt;5.0.2.03300&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;eSafe&lt;/td&gt; &lt;td&gt;7.0.17.0&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;eTrust-Vet&lt;/td&gt; &lt;td&gt;35.2.7472&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;F-Prot&lt;/td&gt; &lt;td&gt;4.5.1.85&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;F-Secure&lt;/td&gt; &lt;td&gt;9.0.15370.0&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td class="positivo"&gt;Gen:Variant.Bredo.4&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Fortinet&lt;/td&gt; &lt;td&gt;4.0.14.0&lt;/td&gt; &lt;td&gt;2010.05.05&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; 
&lt;/tr&gt;&lt;tr&gt; &lt;td&gt;GData&lt;/td&gt; &lt;td&gt;21&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td class="positivo"&gt;Gen:Variant.Bredo.4&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Ikarus&lt;/td&gt; &lt;td&gt;T3.1.1.84.0&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Jiangmin&lt;/td&gt; &lt;td&gt;13.0.900&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Kaspersky&lt;/td&gt; &lt;td&gt;7.0.0.125&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;McAfee&lt;/td&gt; &lt;td&gt;5.400.0.1158&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;McAfee-GW-Edition&lt;/td&gt; &lt;td&gt;2010.1&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td class="positivo"&gt;Artemis!ECB1C56D7D93&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Microsoft&lt;/td&gt; &lt;td&gt;1.5703&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;NOD32&lt;/td&gt; &lt;td&gt;5092&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Norman&lt;/td&gt; &lt;td&gt;6.04.12&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;nProtect&lt;/td&gt; &lt;td&gt;2010-05-06.02&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td class="positivo"&gt;Gen:Variant.Bredo.4&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Panda&lt;/td&gt; &lt;td&gt;10.0.2.7&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td class="positivo"&gt;Suspicious file&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;PCTools&lt;/td&gt; &lt;td&gt;7.0.3.5&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Prevx&lt;/td&gt; &lt;td&gt;3.0&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr 
class="odd"&gt; &lt;td&gt;Rising&lt;/td&gt; &lt;td&gt;22.46.03.04&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Sophos&lt;/td&gt; &lt;td&gt;4.53.0&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td class="positivo"&gt;Mal/FakeAV-BW&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;Sunbelt&lt;/td&gt; &lt;td&gt;6272&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;Symantec&lt;/td&gt; &lt;td&gt;20091.2.0.41&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;TheHacker&lt;/td&gt; &lt;td&gt;6.5.2.0.277&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;TrendMicro&lt;/td&gt; &lt;td&gt;9.120.0.1004&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td class="positivo"&gt;PAK_Generic.001&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;TrendMicro-HouseCall&lt;/td&gt; &lt;td&gt;9.120.0.1004&lt;/td&gt; &lt;td&gt;2010.05.07&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;VBA32&lt;/td&gt; &lt;td&gt;3.12.12.4&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr class="odd"&gt; &lt;td&gt;ViRobot&lt;/td&gt; &lt;td&gt;2010.5.6.2304&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;td&gt;VirusBuster&lt;/td&gt; &lt;td&gt;5.0.27.0&lt;/td&gt; &lt;td&gt;2010.05.06&lt;/td&gt; &lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;pre wrap=""&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-7943108124873855722?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/7943108124873855722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=7943108124873855722' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7943108124873855722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7943108124873855722'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/05/what-virustotal-says-about-suspicious.html' title='What Virustotal says about a suspicious attachment and AV products'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-7206694509484435640</id><published>2010-04-10T06:47:00.000-07:00</published><updated>2010-04-10T06:57:54.692-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nigerian'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><category scheme='http://www.blogger.com/atom/ns#' term='419'/><title type='text'>Cheapest 419 scam ever</title><content type='html'>&lt;span style="font-size: small;"&gt;Received this just now.&lt;/span&gt; &lt;span style="font-size: small;"&gt;Are they just giving up now? Or is it some sort of ultra-soft-sell?&lt;br /&gt;&lt;br /&gt;Also notice that they are not sure about my religious affiliation.&lt;/span&gt; &lt;br /&gt;&lt;big style="padding: 10px;"&gt; &lt;/big&gt;&lt;br /&gt;&lt;big style="padding: 10px;"&gt;Notification of a new email address&lt;/big&gt; &lt;br /&gt;&lt;div style="padding: 10px;"&gt;New email address: &lt;b&gt;sadiqaliman1@yahoo.co.jp&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: green;"&gt;Dearest one,&lt;br /&gt;&lt;br /&gt;I greet you in names of our almighty allah? 
however let me give you brief introduction myself, My name is Aliman Keita the only surviving daughter of Mr &amp;amp;Mrs Sadiq Keita, he deposited ($6.5) I will give more details concerning me and the transaction.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Miss Aliman.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;- &lt;span style="color: green;"&gt;Keita Sadiq Aliman&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-7206694509484435640?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/7206694509484435640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=7206694509484435640' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7206694509484435640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7206694509484435640'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/04/cheapest-419-scam-ever.html' title='Cheapest 419 scam ever'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-6362653436850666768</id><published>2010-01-30T11:42:00.000-08:00</published><updated>2010-01-30T12:01:27.386-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='armarix'/><category scheme='http://www.blogger.com/atom/ns#' term='safe handgund'/><title type='text'>A "safe" handgun or a $9700 design fail 
waiting to happen?</title><content type='html'>Wired is &lt;a href="http://www.wired.com/dangerroom/2010/01/high-tech-guns-digital-revolvers-koosh-bullets-and-triple-tasers" target="_blank"&gt;reporting&lt;/a&gt; that Armatix introduced a Euro 7000 (US$ 9700) handgun that can only be fired if it is armed via a wristwatch worn by the shooter.&lt;br /&gt;&lt;blockquote&gt;This year, the highest-tech gun belonged to Armatix. The German firm has an electronic safety that automatically disables the pistol when it’s not within a few inches of a custom wristwatch. The watch sends a wireless arming signal to the gun. If the gun is picking up a signal from the watch, a green LED on the back lights up. Try squeezing the handle without wearing the watch, and you will see a red warning light. Anyone can pick up a limited edition version of the pistol for about 7,000 euro, which is pretty steep for a .22cal plinker. They start shipping next month.&lt;/blockquote&gt;&lt;br /&gt;Few inches, eh? Smells like RFID. Then we found this on Armatix's &lt;a href="http://www.armatix.com/Smart-System.38.0.html?&amp;amp;L=1" target="_blank"&gt;website&lt;/a&gt;: &lt;br /&gt;&lt;blockquote&gt;The benefits of biometrics (sole allocation to specific people) are also combined with those of Radio Frequency Identification ( split- Seconf activation, hands-free operation.&lt;/blockquote&gt;&lt;br /&gt;"Seconf" above should be "second", but that might be the least of their problems. My problem is, given the many, many security failures I have seen in basic authorization/authentication schemes, I anticipate a slew of them in this handgun. Here are some of them:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;It's not like RFID has been read or cloned. Oh wait!&lt;/li&gt;&lt;li&gt;RFID can be jammed. For that matter, any RF can be jammed.&lt;/li&gt;&lt;li&gt;Forget high-tech... throwing a bucket of water at the person holding the gun at you might work. 
I see a Rush Hour sequel where Chris Tucker almost gets Jackie Chan killed by spilling coffee on his wrist and rendering his gun into a paperweight.&lt;/li&gt;&lt;li&gt;The flip-side of jamming is arming. People have &lt;a href="http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/" target="_blank"&gt;read RFID passport numbers and cloned&lt;/a&gt; them. Then it is just a matter of playing that back, from a more powerful transmitter, and suddenly the "safe" gun will fire a bullet.&lt;/li&gt;&lt;li&gt;And then, of course, the same RFID scanners can be used to identify who is carrying those guns and wrist-watches.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;One can only hope that this gun will be completely safe because there are no morons who will pay that kind of money for a .22.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-6362653436850666768?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/6362653436850666768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=6362653436850666768' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6362653436850666768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6362653436850666768'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/01/safe-handgun-or-9700-design-fail.html' title='A &quot;safe&quot; handgun or a $9700 design fail waiting to happen?'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-6008252074364969030</id><published>2010-01-28T07:32:00.000-08:00</published><updated>2010-01-28T07:32:35.693-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='joomla'/><category scheme='http://www.blogger.com/atom/ns#' term='house'/><category scheme='http://www.blogger.com/atom/ns#' term='defacement'/><category scheme='http://www.blogger.com/atom/ns#' term='Red Eye Crew'/><category scheme='http://www.blogger.com/atom/ns#' term='congress'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><category scheme='http://www.blogger.com/atom/ns#' term='congressman'/><title type='text'>Multiple Congresspeople websites defaced</title><content type='html'>National Journal's Hotcall &lt;a href="http://hotlineoncall.nationaljournal.com/archives/2010/01/hackers_hit_hou.php" target="_blank"&gt;reported&lt;/a&gt; around 3:20 AM on Thursday, January 28 that various congress people's (both republican and democrat) websites were defaced.&lt;br /&gt;&lt;br /&gt;The message was crude and simple:&lt;br /&gt;&lt;blockquote&gt;"F--- OBAMA!! Red Eye CREW !!!!! O RESTO E HACKER!!! 
by HADES; m4V3RiCk; T4ph0d4 -- FROM BRASIL," the messages read.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/" target="_blank"&gt;Praetorian Prefect&lt;/a&gt; has some screenshots and what seems to be a pretty complete list (perhaps compiled by going through the sites manually around 4 AM!)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;http://www.joewilson.house.gov/&lt;br /&gt;http://bachus.house.gov/&lt;br /&gt;http://www.baird.house.gov/&lt;br /&gt;http://www.barrow.house.gov/&lt;br /&gt;http://www.gonzalez.house.gov/&lt;br /&gt;http://mcnerney.house.gov/&lt;br /&gt;http://mikepence.house.gov/&lt;br /&gt;http://driehaus.house.gov/&lt;br /&gt;http://carson.house.gov/&lt;br /&gt;http://campbell.house.gov/&lt;br /&gt;http://doggett.house.gov/&lt;br /&gt;http://coffman.house.gov/&lt;br /&gt;http://www.kosmas.house.gov/&lt;br /&gt;http://hersethsandlin.house.gov/&lt;br /&gt;http://lujan.house.gov/&lt;br /&gt;http://www.mccollum.house.gov/&lt;br /&gt;http://teague.house.gov/&lt;br /&gt;http://mitchell.house.gov/&lt;br /&gt;http://www.roe.house.gov/&lt;br /&gt;http://www.lofgren.house.gov/&lt;br /&gt;http://carnahan.house.gov/&lt;br /&gt;http://www.chrismurphy.house.gov/&lt;br /&gt;http://hunter.house.gov/&lt;br /&gt;http://olver.house.gov/&lt;br /&gt;http://arcuri.house.gov/&lt;br /&gt;http://olver.house.gov/&lt;br /&gt;http://tierney.house.gov/&lt;br /&gt;&lt;br /&gt;A few committee sites were affected as well:&lt;br /&gt;&lt;br /&gt;http://republicans.financialservices.house.gov/&lt;br /&gt;http://republicans.oversight.house.gov/&lt;br /&gt;http://gop.cha.house.gov/&lt;/blockquote&gt;&lt;br /&gt;Ironically, one of the first defacements discovered was on Congressman (R-SC) Joe Wilson's site, who (in)famously yelled "You Lie!" at Obama. Mr. 
Wilson gave one of the first live responses to Obama's SOTU speech.&lt;br /&gt;&lt;br /&gt;The websites are maintained by the House IT staff, and most of them run on identical systems and software. So it is not surprising that after the first site was found to be vulnerable, the attackers found a rich array of soft targets. &lt;br /&gt;&lt;br /&gt;As a result, the serial defacement does not surprise me--if anything, I am surprised they did not hack 500+ sites.&lt;br /&gt;&lt;br /&gt;Praetorian Prefect identified the Joomla CMS as the one common factor on all the defaced websites (but not all Congressional sites running Joomla were defaced)&lt;br /&gt;&lt;br /&gt;It seems a particular Joomla component or module was vulnerable and was exploited. I just hope the knee-jerk reaction to this is not to go back to some proprietary CMS.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-6008252074364969030?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/6008252074364969030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=6008252074364969030' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6008252074364969030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6008252074364969030'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/01/multiple-congresspeople-websites.html' title='Multiple Congresspeople websites defaced'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-8556194043348346463</id><published>2010-01-16T09:55:00.000-08:00</published><updated>2010-01-16T11:27:05.421-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='ATT'/><title type='text'>How mobile phone users stumbled into other people's FaceBook account</title><content type='html'>AP is &lt;a href="http://www.boston.com/business/technology/articles/2010/01/15/ap_exclusive_network_flaw_causes_scary_web_error/" target="_blank"&gt;reporting&lt;/a&gt;: "Network flaw causes scary Web error":&lt;br /&gt;&lt;blockquote&gt;A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information.&lt;br /&gt;&lt;br /&gt;The glitch -- the result of a routing problem at the family's wireless carrier, AT&amp;T -- revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.&lt;/blockquote&gt;True. Most internet sites that do not use secure login (https) may be vulnerable until AT&amp;T fixes their problem. Boston Globe readers are reporting that they faced the same problem as far back as 2007, on carriers other than ATT Wireless.&lt;br /&gt;&lt;br /&gt;As an aside, I had to laugh after reading this line in the AP article:&lt;br /&gt;&lt;blockquote&gt;In each case, the Internet lost track of who was who, putting the women into the wrong accounts. &lt;/blockquote&gt;Reminds me of this AOL helpdesk gem: "This is not an AOL problem. 
Have you tried calling the Internet's support department?"&lt;br /&gt;&lt;br /&gt;To understand how this could have happened, let's take a look at how a website knows who is who once users log in. Of course, the site could just have your username added to each page request. But then anyone who knew your username would be able to impersonate you. One popular mechanism is using session cookies. Here is a very simplified description:&lt;br /&gt;HTTP is stateless (meaning the web server has no memory of who you are or what you just did), so the server has no way of keeping track of the users who logged in (and tying them to a specific browser).&lt;br /&gt;&lt;br /&gt;Once a user logs in, a cookie is set with a lifetime (say, 15 minutes), and this cookie and the matching userid are stored somewhere, preferably a database. It is typically a long and random string like xyn29f071bca9bf7f85da28205439fc3, so someone cannot just guess it.&lt;br /&gt;&lt;br /&gt;Every time the user tries to go to a protected page, the server reads the cookie from the browser, looks up the username that matches the cookie, and allows (or disallows) access. The cookie is also updated with each request (lifetime extended by 15 minutes). If no request is made, the cookie expires, and the user gets logged out for inactivity. If the user chooses to log out, or (as in the previous case) gets logged out due to idle timeout, his/her cookie is deleted on the server, so they cannot access protected pages any more.&lt;br /&gt;&lt;br /&gt;So, if for some reason Alice gets Bob's cookie (before Bob logs out), the server will think Alice is Bob, look up pages that Bob has access to, and bada bing!--Alice will be looking at Bob's pages.&lt;br /&gt;&lt;br /&gt;Now the million dollar question is, how would Alice get access to Bob's Facebook session cookies? 
Stealing session-cookies is a &lt;a href="http://en.wikipedia.org/wiki/Session_hijacking" target="_blank"&gt;well-known attack&lt;/a&gt;; people have demonstrated this on multiple sites including &lt;a href="http://xs-sniper.com/blog/2008/04/14/google-xss/" target="_blank"&gt;Google Spreadsheets&lt;/a&gt;, and bad guys have used this to compromise accounts. But we can be pretty sure that in this case the person who experienced this wasn't carrying out any such attack. So what happened?&lt;br /&gt;&lt;br /&gt;Here we enter the murky territory of speculation. We know that AT&amp;T is &lt;a href="http://www.nytimes.com/2009/12/10/technology/companies/10iphone.html" target="_blank"&gt;worried&lt;/a&gt; about the amount of data usage by its wireless customers because their network can't keep up. So is it possible they used &lt;a href="http://www.mozilla.org/projects/netlib/http/pipelining-faq.html"&gt;HTTP pipelining&lt;/a&gt; to improve performance?&lt;br /&gt;&lt;blockquote&gt;Normally, HTTP requests are issued sequentially, with the next request being issued only after the response to the current request has been completely received. Depending on network latencies and bandwidth limitations, this can result in a significant delay before the next request is seen by the server.&lt;br /&gt;&lt;br /&gt;HTTP/1.1 allows multiple HTTP requests to be written out to a socket together without waiting for the corresponding responses. The requestor then waits for the responses to arrive in the order in which they were requested. The act of pipelining the requests can result in a dramatic improvement in page loading times, especially over high latency connections.&lt;/blockquote&gt;&lt;br /&gt;What I think happened was: ATT's web proxy uses pipelining. User A and User B were both trying to log onto Facebook at the same time. 
When the responses came back, the proxy messed up the order and sent the response destined for User A to User B's browser, thus giving her access to User A's Facebook page.&lt;br /&gt;&lt;br /&gt;PS: Where did the response meant for User B go? To User A? To yet another person who has not come forward yet? To User B's browser, which then discarded it because it thought it already got a response to its original request? To the bit-bucket? Who knows.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-8556194043348346463?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/8556194043348346463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=8556194043348346463' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8556194043348346463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8556194043348346463'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/01/how-mobile-phone-users-stubmbled-into.html' title='How mobile phone users stumbled into other people&apos;s FaceBook account'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1828275500364638451</id><published>2010-01-11T18:18:00.000-08:00</published><updated>2010-01-11T18:18:57.667-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CISO'/><category scheme='http://www.blogger.com/atom/ns#' term='google 
apps'/><title type='text'>Harsh: Google Security chief's night-job</title><content type='html'>Gawker has a &lt;a href="http://valleywag.gawker.com/5439749/google-security-chief-by-day-tv-magician-eran-raven-by-night" target="_blank"&gt;post&lt;/a&gt; about Google Apps' Director of Security Eran Feigenbaum, and his not so secret identity as Eran Raven, mentalist/magician.&lt;br /&gt;&lt;br /&gt;I had to laugh out loud after reading this:&lt;br /&gt;&lt;blockquote&gt;Maybe it should come as no surprise that Google's Director of Security is also a "mentalist" magician; few can better sell the illusion of ironclad internet security, after all, than a master of deception who fooled thousands of NBC viewers.&lt;br /&gt;&lt;br /&gt;But Eran Feigenbaum — better known as "Eran Raven" — has turned the cheese knob up awfully high, considering his buttoned-down job as the Director of Security for the putative blue-chip operation that is Google Enterprise, which is trying to sell "cloud computing" to no less uptight a customer than the federal government. 
&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1828275500364638451?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1828275500364638451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1828275500364638451' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1828275500364638451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1828275500364638451'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/01/harsh-google-security-chiefs-night-job.html' title='Harsh: Google Security chief&apos;s night-job'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-8982032090189799138</id><published>2010-01-05T08:03:00.000-08:00</published><updated>2010-01-06T09:29:34.496-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='kodak'/><category scheme='http://www.blogger.com/atom/ns#' term='insecure design'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>We don't need no stinking security in our digital photo frames</title><content type='html'>&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Update (Jan 6, 2010): &lt;/b&gt;Looks like FrameChannel is doing something to block access to known URLs. 
It could be something as simple as user-agent checking, but at least it is a start.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2010's first security vulnerability (that I know of) is a doozy. But before getting into that, let's take a peek into the design meeting that resulted in it.&lt;br /&gt;&lt;br /&gt;Person 1: Let's see... how would each customer identify the product for activation?&lt;br /&gt;Person 2: We will stick a random code on each package&lt;br /&gt;Big Boss: No, that is too much work&lt;br /&gt;Person 3: You know, each device already has a unique identifier. This MAC address...&lt;br /&gt;Person 2: Shouldn't it be random? Should we talk to the security guys? &lt;br /&gt;Big Boss: Awesome. Why would a photo frame need security? This MAC thingy sure looks very unfriendly, so let's label it as a user-convenience feature. While you guys do that, I will go tell my boss I came up with the idea.&lt;br /&gt;&lt;br /&gt;This not-so-unlikely scenario is brought to you courtesy of an &lt;a href="http://seattlewireless.net/%7Ecasey/?p=13" target="_blank"&gt;excellent blog post&lt;/a&gt; by Casey Halverson, owner of two W820 Kodak digital picture frames.&lt;br /&gt;&lt;br /&gt;Knowing that the frames can display pretty much any RSS feed, Mr. Halverson discovered that the configuration screen shows a URL for the RSS feed that ends in what looks suspiciously like a MAC address, because, you guessed it--it IS a MAC address. (The link below is not clickable by choice--we don't know what will be there if you visit it.)&lt;br /&gt;&lt;blockquote&gt;&lt;div style="color: purple;"&gt;http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6D&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Look, it's an RSS feed of what my picture frame is showing now! I can send this nice URL to everyone I know so they can look at all my private content I have configured for this device. 
Now, under no circumstances would I recommend changing the last digits of this MAC address frame ID to another number….because you would get someone else’s picture frame content. Why would you want to do that?&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;If you don't know how MAC addresses are assigned and numbered, here is a quick introduction. The first 6 hexadecimal digits (in this case, 00:23:4D) designate the manufacturer of the network card, and the remaining 6 hexadecimal digits identify a serial number assigned by the manufacturer.&lt;br /&gt;&lt;br /&gt;So if you are looking at a photo frame from Kodak, which does not make network chips, it is a pretty safe bet that they buy the chip from someone else (or their outsourced manufacturer does, but same effect). It is also a near certainty that because of economies of scale, these chips will be bought from the same company. What I am leading up to is, this means virtually ALL Kodak wireless frames will have the same first 6 digits, making the remaining address-space any number from 00:00:00 to FF:FF:FF -- a total of slightly over 16 million possible numbers: trivial for a computer to generate and check. 00:23:4D:B8:07:6D is &lt;a href="http://www.curreedy.com/stu/nic/" target="_blank"&gt;manufactured by&lt;/a&gt; Hon Hai Precision Ind. Co., Ltd. Obviously, not all their cards will be used in the Kodak frames. But now that we know the name of the manufacturer, a bad guy can go and find other prefixes assigned to them, and expand the search.&lt;br /&gt;&lt;br /&gt;The frames, by the way, cannot pull down RSS feeds on their own. The feeds need to be managed through a company called FrameChannel, which, as the name indicates, is in the business of creating channels for picture frames. 
They very conveniently list a number of &lt;a href="http://www.wirelesspictureframe.com/company-listing/" target="_blank"&gt;frame manufacturers they support&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Could they all be vulnerable to the same attack?&lt;br /&gt;&lt;br /&gt;They also are saying that Woot sold 100,000 Kodak frames on Dec 20, the first day they went on the market. Given the other manufacturers, the problem-size could be more than a million vulnerable frames out there.&lt;br /&gt;&lt;br /&gt;In their FAQ, they answered (as of this writing; I expect this to change soon):&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;Who can see the pictures in my account?&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Unless you add pictures to a public or group channel, or share them with your invited friends, you are the only one who will see images in your account. &lt;b&gt;No other FrameChannel user will ever see images you upload or add to your account unless specifically approved by you&lt;/b&gt; (such as in the case of a public user generated or group channel, or as a contributor to your friends' accounts). (emphasis mine)&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Aw.&lt;br /&gt;&lt;br /&gt;Someone could point all the unsold/unactivated frames to pornography, or other objectionable or even illegal content like child pornography. So if you have one of these frames, what should you do? Don't feel safe because you only have nature photos. If you have the Weather channel configured, a remote viewer may be able to figure out your city and state. If your userid contains your name in some form, they may be able to narrow it down much further.&lt;br /&gt;&lt;br /&gt;In the configuration screen, there is a URL parameter called reset=0. Any guesses as to what reset=1 will do? Yes, it gives a new activation code, and I presume it deactivates the old code. Seems like this can be used to kill feeds to a frame.&lt;br /&gt;&lt;br /&gt;The next one is a bit more serious. 
One report says they saw something like:&lt;br /&gt;&lt;blockquote&gt;“This frame has been preactivated” and gave the username and password and invited the user to login to framechannel.com to upload their own content.&lt;br /&gt;&lt;/blockquote&gt;As long as you treat this frame as something viewable by the whole world, you are fine.&lt;br /&gt;&lt;br /&gt;Should you return the product? Your choice. But if you want to keep it, definitely contact the manufacturer and FrameChannel, and ask them to fix this issue.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Postscript:&lt;/i&gt; The bad guys can point these frames to a photostream of their choice before they are activated by the actual owner. Equally easily, the good guys can load up an image containing a warning about this risk to these frames, but they will not, because that will mean breaking more than one law. So if you know anyone with one of these frames, also tell them about this.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Rant:&lt;/i&gt; I don't understand why the manufacturers decided to go with a 3rd party which may go out of business (a distinct possibility given this mess) instead of just allowing any random RSS feed. It is not like this 3rd party is hosting my images or creating the RSS feed anyway. So why shouldn't consumers be able to use an RSS feed directly?&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Update: &lt;/i&gt;David Stafford asked below if an already activated and used frame can be compromised. The answer is, I think so, although I have not personally tested it yet.&lt;br /&gt;The known/confirmed risks are: &lt;br /&gt;- Someone may be able to view private images&lt;br /&gt;- Someone may be able to glean private information from the images or other channels being displayed&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Unconfirmed: &lt;/b&gt;The major risk (remote image upload) might be possible because FrameChannel lets anyone who knows or guesses the frameid (the MAC address) reset the frame. 
The aforementioned reset=0, when changed to reset=1, will do this. I am not posting the actual URL, but it is by now widely available on the Net.&lt;br /&gt;&lt;br /&gt;After a frame activation is reset and re-activated, I believe at least on the Kodak model it can be done (waiting for confirmation).&lt;br /&gt;&lt;br /&gt;For users on unencrypted (or 40-bit WEP encrypted) WiFi, an attacker who is within the WiFi range will be able to capture the PIN, but that is true about any wireless technology and not particular to this issue.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-8982032090189799138?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/8982032090189799138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=8982032090189799138' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8982032090189799138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8982032090189799138'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2010/01/we-dont-need-no-stinking-security-in.html' title='We don&apos;t need no stinking security in our digital photo frames'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-6019111594398043064</id><published>2009-11-28T09:42:00.000-08:00</published><updated>2009-11-30T19:40:25.410-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='inexpensive'/><category scheme='http://www.blogger.com/atom/ns#' term='security program'/><category scheme='http://www.blogger.com/atom/ns#' term='nhlogin'/><category scheme='http://www.blogger.com/atom/ns#' term='ISMS'/><title type='text'>Common-sense security at $0</title><content type='html'>Craig and I were privileged to be invited by the fine folks at &lt;a href="http://www.nhlogin.org/" target="_blank"&gt;New Hampshire Local Government Information Network (NHLoGIN)&lt;/a&gt; to speak at New Hampshire Local Government Center's Annual Conference on Nov 19. &lt;br /&gt;&lt;br /&gt;Special thanks to John Barker of the City of Nashua for recommending us to NHLoGIN. John made a great presentation on accepting credit cards for City Hall business.&lt;br /&gt;&lt;br /&gt;We talked about things a non-profit, or a town or city hall can do with a very meager or non-existent information security budget. The first recommendation was policy, followed by training, and then slowly climbing the maturity curve.&lt;br /&gt;&lt;br /&gt;Because you are getting this without us speaking, we feel it is necessary to add a disclaimer: Of course, just because something does not need money to buy does not mean it falls ready-made on your desk some day--it takes time to develop policies, or to deliver (and attend) even free training. 
&lt;br /&gt;&lt;br /&gt;Check out the presentation: &lt;a href="http://zsquad.com/download/CommonsenseSecurity.pdf" target="_blanks"&gt;Budgeting for Common-Sense Computer Security in Financially Tight Times&lt;/a&gt;, and don't forget to use some of the great videos we linked.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-6019111594398043064?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/6019111594398043064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=6019111594398043064' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6019111594398043064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/6019111594398043064'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/11/common-sense-security-at-0.html' title='Common-sense security at $0'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-233660124426339433</id><published>2009-11-05T05:57:00.000-08:00</published><updated>2009-11-05T06:13:19.830-08:00</updated><title type='text'>Vista Comment</title><content type='html'>From &lt;a href="http://twitter.com/rslade" target="_blank"&gt;Rob Slade&lt;/a&gt;, CISSP:&lt;br /&gt;&lt;blockquote&gt;If you play the Windows Vista installation CD backwards, you hear, and may be affected by, Satanic messages.&lt;br /&gt;&lt;br /&gt;This is, of course, preferable to playing 
it forwards.&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-233660124426339433?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/233660124426339433/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=233660124426339433' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/233660124426339433'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/233660124426339433'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/11/vista-comment.html' title='Vista Comment'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1778011817739692206</id><published>2009-10-27T06:35:00.000-07:00</published><updated>2009-10-27T15:57:52.949-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DOS'/><title type='text'>How to prepare for Denial of Service attacks against E-commerce sites</title><content type='html'>&lt;i&gt;[This is from a response I sent to someone on a mailing list earlier today]&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The first thing you should know: unless you are Google or Amazon or some entity of that size and have money to burn, you really should not rely 100% on an on-premise solution against DOS attacks; let your bandwidth or hosting providers be the first defense against it.&lt;br /&gt;&lt;br /&gt;You can (and should) have your 
own solution, but without the protection beginning before your perimeter, the attack will block users from ever reaching you and thus become a successful attack.&lt;br /&gt;&lt;br /&gt;Here is why:&lt;br /&gt;The general principle of a DOS attack against an e-commerce site is to send a flood of HTTP requests. Most other types of DOS attack, which exploited known problems in various TCP stacks, were fixed a while ago (or can be handled by various on-premise solutions).&lt;br /&gt;&lt;br /&gt;TopLayer, Tipping Point, Arbor or SourceFire (and others) make excellent intrusion prevention systems (IPS) that can block vanilla DOS attacks launched by 1 or 10 computers. But they are not effective against distributed denial of service attacks that go after your bandwidth.&lt;br /&gt;&lt;br /&gt;If 20,000 computers hit your website at the same time, your bandwidth is going to be saturated (unless you have a grow-on-demand pipe).&lt;br /&gt;&lt;br /&gt;For example, I just measured the front page for Amazon.com. Images, stylesheet and everything else combine for about 77.6 KB. Let's say (for this argument's sake) that Amazon's bandwidth is 100 MBps. So that pipe can serve roughly 13,195 page requests per second for that 77.6K page before becoming 100% saturated (100 x 1024 kbps / 77.6 kb/page). I am not even counting the webserver's CPU/Memory utilization, since that is inside the perimeter.&lt;br /&gt;&lt;br /&gt;It won't matter what IPS they have on-premise; if the pipe is full, legitimate requests are going to be denied or delayed, resulting in a successful Denial of Service attack. This is &lt;a href="http://news.cnet.com/Leading-Web-sites-under-attack/2100-1017_3-236683.html" target="_blank"&gt;exactly what happened&lt;/a&gt; to Amazon, Yahoo, E-Trade, CNN and some others in Feb 2000.&lt;br /&gt;&lt;br /&gt;The bad guys do have thousands of machines with spyware installed at their disposal for this. Some groups reportedly have millions. 
It is a fact that they &lt;a href="http://blog.damballa.com/?p=330" target="_blank"&gt;rent them out by the hour in blocks of hundreds or thousands&lt;/a&gt; for as little as $200 for 10,000 bots. They are mostly used to send out spam, but it is just as easy to launch a Distributed DOS attack.&lt;br /&gt;&lt;br /&gt;So a belt-and-suspenders approach would be:&lt;br /&gt;- Have a good IPS--you need that anyway&lt;br /&gt;- If using Linux servers, look at Netfilter so you can tar-pit the attacks&lt;br /&gt;- If you are in a co-lo, talk to your bandwidth providers (you should have more than 1) about DDOS protection.&lt;br /&gt;- If you are on a hosted server, pick a vendor like &lt;a href="http://www.rackspace.com/solutions/managed_hosting/services/security/preventier.php" target="_blank"&gt;RackSpace&lt;/a&gt; that provides DoS Mitigation.&lt;br /&gt;&lt;br /&gt;I know Cable &amp;amp; Wireless, ATT and Verizon all offer DDOS mitigation. They route the bad packets away from you, and even the RBN does not have enough bots to saturate those bandwidths.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1778011817739692206?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1778011817739692206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1778011817739692206' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1778011817739692206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1778011817739692206'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/how-to-prepare-for-denial-of-service.html' 
title='How to prepare for Denial of Service attacks against E-commerce sites'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-2596320828947034550</id><published>2009-10-13T17:09:00.000-07:00</published><updated>2009-10-13T17:13:04.187-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='breach'/><category scheme='http://www.blogger.com/atom/ns#' term='wal-mart'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Wal-Mart breach in 2005-6: a lesson on things not to do</title><content type='html'>In 2006, a group of hackers targeted some Wal-Mart developers and stole source code to the Point-of-Sale (POS) system. Wired is &lt;a href="http://www.wired.com/threatlevel/2009/10/walmart-hack/" target="_blank"&gt;reporting&lt;/a&gt; that the stolen source code ended up being sent to a server in Minsk, Belarus, in the former Soviet Union.&lt;br /&gt;&lt;blockquote&gt;The Wal-Mart intrusion began unraveling on Nov. 5, 2006, when the company’s IT security group was brought in to investigate the server crash.&lt;br /&gt;&lt;br /&gt;Wal-Mart has thousands of servers nationwide, and any one of them crashing would ordinarily be a routine event. But this one raised a red flag. Someone had installed L0phtcrack, a password-cracking tool, onto the system, which crashed the server when the intruder tried to launch the program.&lt;br /&gt;&lt;br /&gt;Investigators found that the tool had been installed remotely by someone using a generic network administrator account. 
The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company. The day the server crashed, the intruder had been connected to Wal-Mart’s network for about seven hours, originating from an IP address in Minsk, the documents show.&lt;br /&gt;&lt;br /&gt;The security team disabled the compromised VPN account, but the intruder, who should have realized the jig was up, came back in through another account belonging to a different Canadian employee. When that VPN account was closed, the intruder grabbed yet a third account while Wal-Mart workers were still scrambling to get a fix on the scope of the breach.&lt;br /&gt;&lt;br /&gt;When Wal-Mart reviewed its VPN logs, it found that the activity had begun at least as early as June 2005, according to memos written by Wal-Mart employees during the initial stage of the investigation. The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Wired is also reporting that Wal-Mart had 4 years worth of unencrypted customer and credit card data at the time, but it was not breached. So they did not have to disclose it until now.&lt;br /&gt;&lt;blockquote&gt;Wal-Mart had a number of security vulnerabilities at the time of the attack, according to internal security assessments seen by Wired.com, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form. 
Wal-Mart says it was in the process of dramatically improving the security of its transaction data, and in 2006 began encrypting the credit card numbers and other customer information, and making other important security changes.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Wal-Mart's external IT/PCI auditor, CyberTrust, found some astonishing breaches of common-sense security (this blog abhors the term "Security Best Practices"):&lt;br /&gt;&lt;blockquote&gt;The assessment lasted six days, during which CyberTrust found numerous problems. Each of the five stores, for example, &lt;b&gt;housed complete backup copies of transaction logs on network-connected UNIX servers, which included at least four years’ worth of unencrypted credit card numbers, cardholder names and expiration dates&lt;/b&gt; from purchases at the stores.&lt;br /&gt;&lt;br /&gt;The auditors also discovered that servers, transaction processing systems, and other network-connected devices handling sensitive information &lt;b&gt;used the same usernames and passwords across every Wal-Mart store nationwide&lt;/b&gt;. In some cases, the passwords could be easily guessed. A hacker or malicious insider who compromised a point-of-sale controller or in-store card processor at one store, could “access the same device at every Wal-Mart store nationwide,” CyberTrust wrote.&lt;/blockquote&gt;&lt;br /&gt;And of course, the intrusion could be traced back to the VPN account of a system administrator who had left the company but whose account was not shut down (the report does not implicate the employee).&lt;br /&gt;&lt;br /&gt;Wal-Mart now claims that they have identified every single finding and are now PCI compliant. 
Fat lot of good being PCI-compliant did Hannaford.&lt;br /&gt;&lt;br /&gt;These companies either forget, or do not understand (we suspect over the strenuous objections of their security people) that being PCI compliant is only the lowest common denominator--they can, and should, do much more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-2596320828947034550?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/2596320828947034550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=2596320828947034550' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2596320828947034550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2596320828947034550'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/wal-mart-breach-in-2005-6-lesson-on.html' title='Wal-Mart breach in 2005-6: a lesson on things not to do'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-3384655865465042654</id><published>2009-10-08T06:16:00.000-07:00</published><updated>2009-10-08T06:17:11.026-07:00</updated><title type='text'>The Thursday Maxim of Security</title><content type='html'>A gem from &lt;a href="http://www.ne.anl.gov/capabilities/vat/seals/maxims.html" target="_blank"&gt;Dr. 
Roger Johnston&lt;/a&gt; at Argonne National Lab.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Thursday Maxim:&lt;/b&gt; Organizations and security managers will tend to automatically invoke irrational or fanciful reasons for claiming that they are immune to any postulated or demonstrated attack.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Comments:&lt;/b&gt; So named because if the attack or vulnerability was demonstrated on a Tuesday, it won’t be viewed as applicable on Thursday. Our favorite example of this maxim is when we made a video showing how to use GPS spoofing to hijack a truck that uses GPS tracking. In that video, the GPS antenna was shown attached to the side of the truck so that it could be easily seen on the video. After viewing the video, one security manager said it was all very interesting, but not relevant for their operations because their trucks had the antenna on the roof.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-3384655865465042654?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/3384655865465042654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=3384655865465042654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3384655865465042654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3384655865465042654'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/thursday-maxim-of-security.html' title='The Thursday Maxim of Security'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-2599394528280232561</id><published>2009-10-07T18:32:00.000-07:00</published><updated>2009-10-07T18:32:06.961-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Kineavy'/><category scheme='http://www.blogger.com/atom/ns#' term='city hall'/><category scheme='http://www.blogger.com/atom/ns#' term='menino'/><category scheme='http://www.blogger.com/atom/ns#' term='Boston'/><title type='text'>Ignore email archiving / public record laws at your own peril</title><content type='html'>The saga of the deleted emails continues, with now the AG &lt;a href="http://www.boston.com/news/local/breaking_news/2009/10/ags_office_says.html" target="_blank"&gt;getting involved&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Prior to that, the Secretary of State stated that he was unhappy with the City Hall's continued failure to comply:&lt;br /&gt;&lt;blockquote&gt;Galvin expressed frustration Tuesday over what he described as the city's failure to fully cooperate with investigators. He told the Globe he was considering taking further action against the Menino administration. Under state law, he could turn the case over to Coakley for possible prosecution.&lt;/blockquote&gt;&lt;br /&gt;Now state Attorney General Martha Coakley (who is running for Ted Kennedy's senate seat BTW) states that she is "involved."&lt;br /&gt;&lt;blockquote&gt;Coakley said in a statement issued this afternoon that Secretary of State William F. 
Galvin's office has been working to ensure that public records are preserved and "to determine whether there have been any violations of the public records law by City officials."&lt;br /&gt;&lt;br /&gt;"We are now involved in that review," Coakley said.&lt;br /&gt;&lt;br /&gt;She said her office would continue to work with Galvin's office going forward in the effort to find mayoral aide Michael Kineavy's e-mails and "we remain prepared to conduct a full investigation and take all necessary steps to guarantee the preservation of evidence and full compliance with the law."&lt;/blockquote&gt;&lt;br /&gt;Apart from jokes about the Chicken being 'involved' and the Pig being 'committed' in the making of Ham and Eggs, what does that word mean, anyway?&lt;br /&gt;&lt;br /&gt;I personally know that there are Encase-certified digital forensics experts working for Coakley's office. Since City Hall is 'cooperating', it would be trivial to have the AG's office take a look at the hard disk instead of paying an outside consultant, right?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-2599394528280232561?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/2599394528280232561/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=2599394528280232561' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2599394528280232561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2599394528280232561'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/ignore-email-archiving-public-record.html' title='Ignore email archiving / public 
record laws at your own peril'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-5706651600555108719</id><published>2009-10-07T17:04:00.000-07:00</published><updated>2009-10-07T17:04:14.390-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='amazon'/><category scheme='http://www.blogger.com/atom/ns#' term='EC2'/><title type='text'>Marketing, Uncertainty and Doubt: Information Security and Cloud Computing</title><content type='html'>&lt;span&gt;&lt;span style="font-family: Verdana;"&gt; What is the minimum security due diligence that a company needs to do before putting its data in the cloud?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;&lt;br /&gt;Since 2007, Amazon has been telling us they are ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II"&amp;nbsp; but these have not happened in 2+ years.&lt;br /&gt;&lt;br /&gt;On one side of the cloud security issue we have the marketing people, who hype up the existing security and gloss over the non-existing. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. 
And there are also Chicken Littles who are running around crying that the sky is falling.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;The truth is, there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure it properly.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;Can you put the New York Times on a cloud server? Of course, provided certain basic security measures are taken. After all, the Times is designed to be accessible to people (forget the stupid PayWall experiment they tried a few years ago)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;On the other hand, you should not leave your customer's credit card data on Amazon EC2--they specifically suggest you don't do that.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;Another problem is, people are still not sure what "cloud" is. I saw a cartoon recently: "I fell down the stairs and something white is sticking out of my arms, and it hurts like hell. Is it swine flu?"&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;Most cloud security questions feel like that to me, so I have been accused of ranting in a presentation I did in September. 
Enjoy.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;span style="font-family: Verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="width:425px;text-align:left" id="__ss_2159543"&gt;&lt;a style="font:14px Helvetica,Arial,Sans-serif;display:block;margin:12px 0 3px 0;text-decoration:underline;" href="http://www.slideshare.net/jikbal/marketing-uncertainty-and-doubt-information-security-and-cloud-computing" title="Marketing, Uncertainty and Doubt: Information Security and Cloud Computing"&gt;Marketing, Uncertainty and Doubt: Information Security and Cloud Computing&lt;/a&gt;&lt;object style="margin:0px" width="425" height="355"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=boston-cloud-security-091007185635-phpapp01&amp;stripped_title=marketing-uncertainty-and-doubt-information-security-and-cloud-computing" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=boston-cloud-security-091007185635-phpapp01&amp;stripped_title=marketing-uncertainty-and-doubt-information-security-and-cloud-computing" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;"&gt;View more &lt;a style="text-decoration:underline;" href="http://www.slideshare.net/"&gt;documents&lt;/a&gt; from &lt;a style="text-decoration:underline;" href="http://www.slideshare.net/jikbal"&gt;jikbal&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-5706651600555108719?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://10domains.blogspot.com/feeds/5706651600555108719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=5706651600555108719' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/5706651600555108719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/5706651600555108719'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/marketing-uncertainty-and-doubt.html' title='Marketing, Uncertainty and Doubt: Information Security and Cloud Computing'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-7734482216437997753</id><published>2009-10-06T08:27:00.000-07:00</published><updated>2009-10-06T08:33:50.155-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Kineavy'/><category scheme='http://www.blogger.com/atom/ns#' term='discovery'/><category scheme='http://www.blogger.com/atom/ns#' term='city hall'/><category scheme='http://www.blogger.com/atom/ns#' term='Boston'/><title type='text'>Tangled web woven at Boston City Hall</title><content type='html'>The saga continues at Boston City Hall. Readers of this blog will remember that in response to public record requests, it came out that the Boston Mayor's right-hand man was &lt;a href="http://10domains.blogspot.com/2009/09/records-retention-in-local-government.html"&gt;deleting emails&lt;/a&gt; in a way that they were not getting backed up. 
So the Secretary of State got involved and ordered the City Hall to change the practice and also to retrieve the emails.&lt;br /&gt;&lt;br /&gt;Today it came out that our international man of mystery actually complained in April 2009 that his computer was running too slow and as a result, &lt;a href="http://www.boston.com/news/local/massachusetts/articles/2009/10/06/boston_mayoral_aide_had_computer_replaced_after_newspapers_e_mail_request/" target="_blank"&gt;received a new computer&lt;/a&gt;. But gosh darn, he plumb forgot! And he still does not remember getting a new computer.&lt;br /&gt;&lt;blockquote&gt;City corporation counsel William F. Sinnott said in an interview yesterday that he had been relying on what Kineavy had told him and that Kineavy, the mayor’s chief policy aide and key political strategist, still does not remember getting a new computer.&lt;br /&gt;&lt;/blockquote&gt;Fortunately for people who like sunshine on their government affairs, and possibly unfortunately for Mr. Kineavy, that computer's hard disk was not wiped clean and reissued to another user--it was just sitting in another room. Now it has gone to the forensics firm hired by the City, and presumably the emails (or their remnants from temp files) will be recovered.&lt;br /&gt;&lt;br /&gt;Ironically, I bet that this particular PC was not recycled because the user was a powerful man, and IT suspected/feared that he would ask for some old file from the hard disk that was not accurately transferred to the new PC.&lt;br /&gt;&lt;br /&gt;Now to the cost of recovery. The most well-known commercial software used for digital forensics, Encase (there are others), will suck out anything relevant from that disk in a few hours and nicely categorize it into emails, Word documents, etc.&lt;br /&gt;&lt;br /&gt;One might even call the work technologically trivial. 
If StoneTurn group is really asking for 250K for a single hard disk examination, they are either smoking weed, or abusing a single-source, no-bid contract. I know many highly reputable forensics consultants who will do this for under $10,000, probably for as low as $5,000.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are some good lessons here.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Mr. Kineavy is every information security officer's dream. That man knows how to protect against information leakage&lt;/li&gt;&lt;li&gt;Mr. Kineavy is every compliance officer's nightmare. That man is costing the City Hall time, money and prestige&lt;/li&gt;&lt;li&gt;Not having a good decommissioning policy is hurting Mr. Kineavy but may help make the City Hall become compliant with the public records law (or at least get away with a slap on the wrist and the hundreds of thousands of dollars in forensics expense)&lt;/li&gt;&lt;/ul&gt;Bottom line: the wheels of justice grind slowly, but once you are caught in their maw, there is often no escape.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-7734482216437997753?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/7734482216437997753/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=7734482216437997753' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7734482216437997753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7734482216437997753'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/10/tangled-web-woven-at-boston-city-hall.html' title='Tangled web woven at Boston City 
Hall'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-3213206568391732875</id><published>2009-09-26T21:22:00.000-07:00</published><updated>2009-09-26T21:26:30.592-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RMB'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><category scheme='http://www.blogger.com/atom/ns#' term='Rocky Mountain Bank'/><title type='text'>Bank invents silver bullet to delete personal records from Google's evil grasp</title><content type='html'>Serendipity. There is no other word to describe Rocky Mountain Bank's latest discovery. But before explaining this modern miracle, let me ask you if you are worried about Google's pervasive presence and how much they know about you?&lt;br /&gt;&lt;br /&gt;Are you worried about Google Street View knowing where you live? Are you worried about Google combing through your Gmail account and sending you ads? Are you worried about the Biggest Brother (TM) technology patented by Google that lets them track every search you perform on Google.com?&lt;br /&gt;&lt;br /&gt;Then fear not! Rocky Mountain Bank (RMB) just struck a blow for freedom-loving people everywhere. And the sheer simplicity of it is pure genius. Of course, they were aided by an idiot judge, but every discovery has one such sidekick. &lt;br /&gt;&lt;br /&gt;Let's go to the &lt;a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&amp;amp;art_aid=114264" target="_blank"&gt;report&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;On Aug. 12, the bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. 
When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it. No one responded, so the bank contacted Google to ask for information about the account holder. &lt;br /&gt;&lt;br /&gt;In keeping with its privacy policy, Google told the bank it would have to get a court order to obtain such data. The bank then filed papers asking a court to order Google to disclose the information and deactivate the account. &lt;br /&gt;&lt;br /&gt;The bank attempted to file its papers under seal, but U.S. District Court Judge Ronald Whyte denied that request. Earlier this week, the case was transferred to Ware from Whyte.&lt;br /&gt;&lt;br /&gt;Some lawyers say the Ware's order is problematic because it affects the Gmail account holder's First Amendment rights to communicate online, as well as his or her privacy rights. &lt;br /&gt;&lt;br /&gt;"It's outrageous that the bank asked for this, and it's outrageous that the court granted it," says John Morris, general counsel at the Center for Democracy &amp;amp; Technology. "What right does the bank have and go suspend the email account of a completely innocent person?"&lt;br /&gt;&lt;br /&gt;He adds: "At the end of the day, the bank obviously screwed up. But it should not be bringing a lawsuit against two completely innocent parties and disrupting one of the innocent party's email contact to the world." &lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;Oh no Mr. Morris--you could not be more wrong. Don't you see RMB actually found the silver bullet to slay the behemoth that is Google? One by one, they will send emails to Gmail users. Then they will file lawsuits to shut down those accounts. Google will be forced to disclose the name of the account holder. Given the lack of privacy, very soon, people will stop using Gmail. Google's resources will be spent on lawyers. 
And Rocky Mountain Bank would emerge victorious, having finally crushed Google.&lt;br /&gt;&lt;br /&gt;Idiots&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-3213206568391732875?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/3213206568391732875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=3213206568391732875' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3213206568391732875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/3213206568391732875'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/bank-invents-silver-bullet-to-delete.html' title='Bank invents silver bullet to delete personal records from Google&apos;s evil grasp'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-166037158311841873</id><published>2009-09-19T04:32:00.000-07:00</published><updated>2009-09-19T04:32:04.520-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='swayze'/><title type='text'>Swayze-baited Malware</title><content type='html'>Google searchers for news on Patrick Swayze's funeral may come across links that are loaded with malware.&lt;br /&gt;&lt;br /&gt;Watch where you are going and what you are clicking on. 
&lt;a href="http://www.securityfocus.com/blogs/2297" target="_blank"&gt;More&lt;/a&gt; from SecurityFocus/F-Secure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-166037158311841873?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/166037158311841873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=166037158311841873' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/166037158311841873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/166037158311841873'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/swayze-baited-malware.html' title='Swayze-baited Malware'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-4527323547314441703</id><published>2009-09-18T18:00:00.000-07:00</published><updated>2009-09-18T18:00:31.336-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='ohio'/><category scheme='http://www.blogger.com/atom/ns#' term='breach'/><title type='text'>Fool me once...</title><content type='html'>Hmm.. looks like this is not the first brush of data breach at Akron Children's Hospital. 
In our &lt;a href="http://10domains.blogspot.com/2009/09/spyware-causes-hipaa-violation-at-ohio.html" target="_blank"&gt;last post&lt;/a&gt; we wrote about how a misdirected spyware was installed on a computer there, and subsequently leaked financial and medical information.&lt;br /&gt;&lt;br /&gt;In 2006, an intruder broke into their network and compromised a database. Here is what the &lt;a href="https://www.akronchildrens.org/cms/site/16e6640c0d4a89d8/index.html" target="_blank"&gt;FAQ&lt;/a&gt; says:&lt;br /&gt;&lt;blockquote&gt;Akron Children's Hospital recently identified that during an expansion of its computer systems, there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of our patients, and of the parents or guardians who provide their health insurance. This personal information included names, addresses, social security numbers and patient birth dates. We have found no evidence that any medical or financial patient information was exposed. &lt;br /&gt;&lt;br /&gt;The second breach involved a server containing information about individuals who have made donations to the hospital. This breach may have exposed personal financial information, specifically some unencrypted bank account and routing numbers. Social security numbers were not included in this database, and credit card information was protected through the highest level of encryption. &lt;br /&gt;&lt;/blockquote&gt;There is a &lt;a href="http://www.wkyc.com/news/news_links/links_article.aspx?storyid=58464" target="_blank"&gt;report&lt;/a&gt; from the local NBC affiliate that says pretty much the same thing, but adds that the intruders came in via a number of intermediate hops.&lt;br /&gt;&lt;br /&gt;Typically, it takes a security breach to wake up a company--it is their "come to Jesus" moment. 
If after that 2006 breach they did not include simple things like educating employees to not open attachments and blocking outside email access, they were not doing a very good job.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-4527323547314441703?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/4527323547314441703/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=4527323547314441703' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4527323547314441703'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4527323547314441703'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/fool-me-once.html' title='Fool me once...'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1183650069930408672</id><published>2009-09-18T04:22:00.000-07:00</published><updated>2009-09-20T06:11:24.815-07:00</updated><title type='text'>Spyware causes HIPAA violation at Ohio Hospital</title><content type='html'>Man emails spyware to ex girlfriend's Yahoo account. What could go wrong?&lt;br /&gt;&lt;br /&gt;The woman happens to work at a hospital. She opened it at a work computer, and the spyware happily emailed out billing and healthcare information for 65 patients. 
As other people used that computer, it also emailed out their email and financial information (presumably they looked at their online accounts from there).&lt;br /&gt;&lt;br /&gt;CIO Magazine &lt;a href="http://www.cio.com.au/article/319073/misdirected_spyware_infects_ohio_hospital" target="_blank"&gt;reports&lt;/a&gt;:&lt;br /&gt;&lt;div class="art_lcol"&gt;&lt;blockquote&gt;&lt;div class="storybody"&gt;He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail.&lt;br /&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div class="storybody"&gt;&amp;nbsp;The hospital is also to blame. It is unclear if they provided any training to employees about not opening attachments from emails, but it is absolutely clear that they were not blocking third-party email access from work. 
&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="storybody"&gt;The article is also unclear about whether the girlfriend is still employed at the hospital or not.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1183650069930408672?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1183650069930408672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1183650069930408672' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1183650069930408672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1183650069930408672'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/spyware-causes-hipaa-violation-at-ohio.html' title='Spyware causes HIPAA violation at Ohio Hospital'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-15419922106917166</id><published>2009-09-16T14:40:00.000-07:00</published><updated>2009-09-16T18:42:58.187-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='foia'/><category scheme='http://www.blogger.com/atom/ns#' term='public record law'/><category scheme='http://www.blogger.com/atom/ns#' term='oregon'/><title type='text'>In Oregon, a manual on Public Records is NOT Public</title><content type='html'>We just wrote about how some Boston City Hall employees were &lt;a 
href="http://10domains.blogspot.com/2009/09/records-retention-in-local-government.html" target="_blank"&gt;deleting emails&lt;/a&gt; so they would not be subject to Public Record Laws. But in Oregon, Public Record laws are taking an interesting turn.&lt;br /&gt;&lt;br /&gt;The state attorney general publishes a manual for dealing with public record requests, and sells it for $25. He (not personally, his office) also claims copyright over this (public) manual.&lt;br /&gt;&lt;br /&gt;Oh, the irony.&lt;br /&gt;&lt;br /&gt;But let's look at the mundane issue first. He claims the $25 is the cost of publishing the hard-copy version of the manual. Yeah? Hasn't he heard of PDF files, and "click here to download"? I know Oregon has lots of trees, but shouldn't he at least pretend to care?&lt;br /&gt;&lt;br /&gt;Next: if he cannot claim an exemption from the public records law, then he is required to provide this to, hey presto, THE PUBLIC. How can he (or his office) claim copyright to something created with public funds?&lt;br /&gt;&lt;br /&gt;So a professor at the University of Oregon has challenged him by posting a scanned copy of the manual on &lt;a href="http://openuporegon.blogspot.com/2009/09/oregon-attorney-generals-public-records.html"  target="_blank"&gt;his blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;blockquote&gt;Every 2 years the Oregon DOJ publishes the "Oregon Attorney General's Public Records and Meetings Manual", a very useful guide to public records law. It's essential reading for people trying to use their right to get public records from Oregon government agencies. The DOJ has been trying to keep me from redistributing this manual, on the grounds that they own the copyright to it. Trying to use copyright law to keep the public from getting information about how to get public records strikes me as wrong, so I've posted the manual online at my official UO faculty website. 
As the email below explains, I am posting this despite the fact that the AG's office has explicitly warned me not to redistribute this manual. Here are the links. (now fixed)&lt;/blockquote&gt;&lt;br /&gt;Any bets on when the attorney general will blink? I am predicting around 4:55 PM local time in Oregon on Friday, 18th September 2009.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-15419922106917166?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/15419922106917166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=15419922106917166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/15419922106917166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/15419922106917166'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/while-in-oregon-manual-on-public.html' title='In Oregon, a manual on Public Records is NOT Public'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1341757677140976367</id><published>2009-09-13T08:37:00.000-07:00</published><updated>2009-10-14T14:36:17.070-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Kineavy'/><category scheme='http://www.blogger.com/atom/ns#' term='discovery'/><category scheme='http://www.blogger.com/atom/ns#' term='Records'/><category scheme='http://www.blogger.com/atom/ns#' term='city 
hall'/><category scheme='http://www.blogger.com/atom/ns#' term='Retention'/><category scheme='http://www.blogger.com/atom/ns#' term='Boston'/><title type='text'>Records retention in local government, and Boston City Hall</title><content type='html'>I have a city-hall as my client. Last month I was teaching an awareness class there, and when I mentioned that they should not have any expectation of privacy when using their computers, there was not a single raised eyebrow. Being the employees of a city government, they all knew about public record laws and freedom of information act requests.&lt;br /&gt;&lt;br /&gt;This is different from a private enterprise, where there is always someone who will argue that point.&lt;br /&gt;&lt;br /&gt;(as an aside, I had to throw away most of my examples of what is "confidential". Individual's salary figures? Not confidential. Next year's budget numbers? Not confidential. Agh).&lt;br /&gt;&lt;br /&gt;Looks like the City of Boston's senior management knew all about the "&lt;a href="http://www.boston.com/news/local/massachusetts/articles/2009/09/13/meninos_office_acknowledges_city_employees_routinely_deleted_e_mails?mode=PF"&gt;no expectation of privacy&lt;/a&gt;" too:&lt;br /&gt;&lt;blockquote&gt;The acknowledgement came after the Globe filed several requests for e-mails sent and received by Menino’s Cabinet chief of policy and planning, Michael J. Kineavy. He is one of Menino’s most powerful and trusted advisers, intimately involved in nearly everything at City Hall, but a search of city computers found just 18 e-mails he had sent or received between Oct. 1, 2008, and March 31 of this year.&lt;br /&gt;&lt;br /&gt;The unusually low figure prompted administration officials to question him about what happened to the rest of the e-mails he was presumably sending and receiving during that period. 
Kineavy, who is also one of the mayor’s chief political advisers and a strategist on Menino’s reelection campaigns since 1993, told them that he deletes all his e-mails on a daily basis, in such a way that they are not saved on city backup computers, administration officials said.&lt;br /&gt;&lt;br /&gt;There are indications that Kineavy was not the only city employee who may have violated the law. In June, the Globe filed requests for copies of six months’ worth of e-mails sent or received by five other employees, including Transportation Commissioner Thomas Tinlin. City officials said that a search for Tinlin’s e-mails turned up only those he had received, none he had sent.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1341757677140976367?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1341757677140976367/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1341757677140976367' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1341757677140976367'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1341757677140976367'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2009/09/records-retention-in-local-government.html' title='Records retention in local government, and Boston City Hall'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-8472955361911424789</id><published>2008-10-26T20:27:00.000-07:00</published><updated>2008-10-26T20:52:05.563-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FAQ'/><category scheme='http://www.blogger.com/atom/ns#' term='Consultant'/><category scheme='http://www.blogger.com/atom/ns#' term='Startup'/><category scheme='http://www.blogger.com/atom/ns#' term='Consultancy'/><title type='text'>How would you start a network/security consulting business?</title><content type='html'>If you are the typical security person, sales is not your strong suit. Heck, you may actually be very bad as a salesperson. And since without sales you are not going to earn any money from this consultancy, you need someone who can actually close sales.&lt;br /&gt;&lt;br /&gt;So what are you going to sell? Services? Do you have any software or other solution you will be offering? Go ahead, write them down in bullets. I know you know them, but you will be surprised when you try to boil each down into a soundbite. If you don't know this already, it is called an 'elevator pitch' because sometimes you will have a 10 or 20-second opportunity to make your case to a client, and that will not be the time to think up something clever to say. So know what you are selling, and know how to condense that to an elevator pitch.&lt;br /&gt;&lt;br /&gt;Other things:&lt;br /&gt;1. Now that you know what you are going to offer, and what your pitch is, get a good sales guy. Seriously. Your team may be extremely talented, but they need the contacts and they need the personality to 'close' sales. Not something techies are good at.&lt;br /&gt;2. Create proposal, report and assessment templates (and get website/email/phones, the usual logistics stuff).&lt;br /&gt;3. More than one person? Think about the corporate structure. LLC, S-corp, C-corp? 
(Google for the differences and how each may affect you). Don't put this off--no matter how good friends you all are.&lt;br /&gt;4. Land your first customer. Make sure s/he is willing to be a reference. Start looking for this customer now, even before the business is fully formed. The first customer is the hardest to get. Start by talking to people who are in a position to buy your offering. If you are currently working for someone else, you need to have a very clear idea about who is going to be your customer. Talk to every consulting firm, software company and VAR in your region.&lt;br /&gt;5. Speak at places/seminars/conferences where potential customers show up. Stay longer and listen to them, talk to them, solve problems for them or give them pointers. People like nice people.&lt;br /&gt;6. Did I say you need a sales person with a rolodex full of contacts that s/he already knows from previous jobs? You can hire someone on commission. Make a deal with a hardware sales-guy (so there is no conflict of interest)--when s/he visits a customer s/he can mention your company, make an introduction, etc.&lt;br /&gt;7. Prepare for an initial dry spell. If the people cannot handle no income, no health insurance, etc. for 6 months (just to be safe) then they are not ready for this. If you do hit the doldrums, look into opportunities for potential part-time contract work. It may sound strange, but this may help provide sustenance during lean periods. (For this, check out &lt;a href="http://www.dice.com/"&gt;DICE&lt;/a&gt;, which lets you search for contract work based on W-2, corp-to-corp, etc.) And don't forget, once you are at a contract gig, you are meeting a potential client who may hire your company for the next job.&lt;br /&gt;&lt;br /&gt;Misc:&lt;br /&gt;Any decent-sized client will ask you about your workman's compensation, liability and errors/omissions insurance. 
This will set you back a few thousand dollars--talk to an insurance agent and find out.&lt;br /&gt;&lt;br /&gt;Good luck.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-8472955361911424789?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/8472955361911424789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=8472955361911424789' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8472955361911424789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8472955361911424789'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2008/10/how-would-you-start-networksecurity.html' title='How would you start a network/security consulting business?'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1147468204616398552</id><published>2008-10-23T08:12:00.000-07:00</published><updated>2009-01-07T09:42:58.983-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Growth'/><category scheme='http://www.blogger.com/atom/ns#' term='CISO'/><category scheme='http://www.blogger.com/atom/ns#' term='Career'/><category scheme='http://www.blogger.com/atom/ns#' term='Mentoring'/><title type='text'>Career Progression: How to become a CISO</title><content type='html'>I am often asked about this--to the degree that this is now a frequently asked question. 
Sorry, there is no magic formula.&lt;br /&gt;&lt;br /&gt;There are two intermixed parts to the answer: how to 'get' the job and how to be 'good at it'.&lt;br /&gt;&lt;br /&gt;My first CISO job was through applying directly. I was a director at a financial industry giant, and became the first CISO at a 500-million-dollar financial services company.&lt;br /&gt;&lt;br /&gt;My next CISO gig was for a company with about $1B in revenue, and I was recruited by a retained search firm.&lt;br /&gt;&lt;br /&gt;Here is the summary of my experience:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Relevant industry sector experience: going from financial services to healthcare (or vice versa) is very rare&lt;/li&gt;&lt;li&gt;CISO/CSOs are typically director or above positions. If you already have a director or VP title, that helps&lt;/li&gt;&lt;li&gt;If you are already a CISO, that also helps. A lot.&lt;/li&gt;&lt;li&gt;If you are not being promoted from within, having a bachelor's degree is absolutely required.&lt;/li&gt;&lt;li&gt;Soft skills like communication are absolutely important. So are demonstrated business skills, budgeting, people management, etc.&lt;/li&gt;&lt;li&gt;If a CISO job description says you need hands-on experience configuring firewalls (or some other specific technology), tread carefully. Either the job description is wrong, or it is not a CISO job. 
There are exceptions, of course, but this is a good indicator.&lt;/li&gt;&lt;li&gt;If other C-level officers are not in the interview team, you are not getting a 'real' CISO job, regardless of what the title is&lt;/li&gt;&lt;li&gt;As a CISO, your job will be to make people who you have no direct influence over do things for you.&lt;/li&gt;&lt;li&gt;You have to have direct reports and budget experience&lt;/li&gt;&lt;li&gt;At the interview, you have to make them understand that [a] security will help business and [b] you understand and care about the business--you are not just a security-nazi.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;If you can show most or all of the above in your resume and during the interview, that would be a huge help.&lt;br /&gt;&lt;br /&gt;Networking definitely helps, but we all can't know the CEO, so working with recruiters is the next best thing. If it is a retained search, that is great. If it is a contingency, that is fine, too--but before you send a resume, talk to the recruiter and make sure they don't submit you before asking your permission first.&lt;br /&gt;&lt;br /&gt;How about certifications? It is expected that the CISO will have at least one major certification. If the CISO position is asking for just A+ or Security+ certifications, see number 6 above. ISACA designed the CISM for the CISO-level professionals, but not many employers are making this the primary certification requirement. CISSP is still the certification to have for any senior security job, although it really does not cover the management of an information security program. The CISA is not directly needed, but helpful because as a true CISO you will have to deal with internal and external auditors. It is my opinion that the certifications do not indicate how good a candidate will be as a strategic leader, but they certainly show relevant job skills. 
On the other hand, it is easy to establish your business-friendliness if you have an MBA.&lt;br /&gt;&lt;br /&gt;Good luck.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1147468204616398552?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1147468204616398552/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1147468204616398552' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1147468204616398552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1147468204616398552'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2008/10/career-progression-how-to-become-ciso.html' title='Career Progression: How to become a CISO'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-1860670868428105837</id><published>2007-10-04T08:44:00.000-07:00</published><updated>2007-10-04T08:46:39.000-07:00</updated><title type='text'>A "Cyberist" meets his match: Stephen Colbert</title><content type='html'>Don't the cops have some murder or rape to investigate? This is a classic case of an overzealous cop eager to pad his stats. 
Judge for yourself.&lt;br /&gt;&lt;embed FlashVars="videoId=104580" src='http://www.comedycentral.com/sitewide/video_player/view/default/swf.jhtml' quality='high' bgcolor='#cccccc' width='332' height='316' name='comedy_central_player' align='middle' allowScriptAccess='always' allownetworking='external' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'&gt;&lt;/embed&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-1860670868428105837?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/1860670868428105837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=1860670868428105837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1860670868428105837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/1860670868428105837'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/10/cyberist-meets-his-match-stephen.html' title='A &quot;Cyberist&quot; meets his match: Stephen Colbert'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-7546103030658264353</id><published>2007-03-28T04:45:00.000-07:00</published><updated>2007-03-28T04:59:16.505-07:00</updated><title type='text'>The Immaculate Hack</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_RaDk956KPXY/RgpWOjPbKxI/AAAAAAAAAAU/PFx-prik-gw/s1600-h/634672.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_RaDk956KPXY/RgpWOjPbKxI/AAAAAAAAAAU/PFx-prik-gw/s400/634672.jpg" alt="" id="BLOGGER_PHOTO_ID_5046941140400155410" border="0" /&gt;&lt;/a&gt;The web was mostly built by borrowing other people's code and images, and sometimes even their bandwidth (when one party just linked to the image residing on someone else's server and showed it on his own--this is also known as 'leeching'). Leeching may actually be illegal, because it uses someone else's resources without permission.&lt;br /&gt;&lt;br /&gt;The John McCain crew found out the hard way it's not nice to leech.&lt;br /&gt;&lt;br /&gt;Mike Davidson, who created the template used at McCain's MySpace page, was a little miffed that McCain's page was leeching the 'contact John' image from his server (and costing him bandwidth and money). So he created a new graphic, and uploaded it to &lt;a href="http://mike.newsvine.com/_news/2007/03/26/633799-hacking-john-mccain"&gt;&lt;span style="font-weight: bold;"&gt;his own server&lt;/span&gt;&lt;/a&gt; under the same name as the previous graphic. And just like that, McCain's position was changed.&lt;br /&gt;&lt;br /&gt;Technically, no crime was committed: Mike changed a graphic on his own equipment. Who else was using it and how, was not his concern.&lt;br /&gt;&lt;br /&gt;I hope Sen. 
McCain will have a sense of humor about this because the FBI can, and may, cart away Mike D's hardware first and ask questions later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-7546103030658264353?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/7546103030658264353/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=7546103030658264353' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7546103030658264353'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7546103030658264353'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/03/immaculate-hack.html' title='The Immaculate Hack'/><author><name>J</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_RaDk956KPXY/RgpWOjPbKxI/AAAAAAAAAAU/PFx-prik-gw/s72-c/634672.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-8140830518576881337</id><published>2007-02-19T08:11:00.000-08:00</published><updated>2007-02-19T08:15:50.332-08:00</updated><title type='text'>Card skimming at supermarket checkouts</title><content type='html'>&lt;a href="http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming"&gt;Card skimming&lt;/a&gt; is the technique of installing a fake Credit/Debit card reader to capture card information. Until now, this only existed in the Bank ATM world. 
But no more: now it has happened at &lt;a href="http://www.boston.com/business/globe/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/"&gt;Stop &amp; Shop checkouts&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;quote&gt;&lt;blockquote&gt;"They would not now be able to tamper with the units the way they did before," Keane said. He declined to reveal details of how the scam worked, other than to say it involved card readers being removed, tampered with, and reinstalled. "Our investigation has not uncovered any involvement or suspected involvement of any Stop &amp;amp; Shop personnel in the tampering."&lt;/blockquote&gt;&lt;/quote&gt;I am a regular Stop &amp; Shop customer, and I don't buy this. Someone can't just walk into a store, remove a card reader and reinstall it (even if the whole thing takes 2 minutes). Unless it involved the company that services the POS terminals. In that case, why isn't S&amp;amp;S pointing the finger at them? I think we are seeing another gradual release of bad news (like ChoicePoint and TJX).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-8140830518576881337?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/8140830518576881337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=8140830518576881337' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8140830518576881337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/8140830518576881337'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/02/card-skimming-at-supermarket-checkouts.html' title='Card skimming at supermarket 
checkouts'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-73472028979354873</id><published>2007-01-18T19:20:00.000-08:00</published><updated>2008-10-23T08:25:49.322-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tjx id theft PCI credit card breach'/><title type='text'>What was TJX thinking?</title><content type='html'>&lt;div&gt;This type of thing happens so regularly it's not even news. Massachusetts-based TJX, the parent company of TJ Maxx, Marshalls, HomeGoods and Bob's Stores, got hacked, and information for more than a million credit and debit cards, sometimes with driver's license information, was stolen. More than a million? It sure sounds like they don't know the exact figure, but it's growing.&lt;br /&gt;&lt;br /&gt;Data going as far back as 2003 was compromised sometime in December 2006, and TJX was working with law enforcement and kept the news hidden until then.&lt;br /&gt;&lt;br /&gt;A &lt;a href="http://www.boston.com/business/articles/2007/01/18/tjx_credit_data_stolen_wide_impact_feared/?page=full"&gt;story in the Boston Globe&lt;/a&gt; seems to indicate it was not an insider.  Of course, TJX will never share the findings about how this happened, but what were they doing with this data in the first place?&lt;br /&gt;&lt;br /&gt;And the magnitude of the breach seems to be &lt;a href="http://www.boston.com/business/ticker/2007/01/banks_report_mo_1.html"&gt;growing&lt;/a&gt;. Are they playing a "gradual disclosure" game like &lt;a href="http://www.consumeraffairs.com/news04/2005/choicepoint_worse.html"&gt;ChoicePoint&lt;/a&gt;? 
The Massachusetts bankers' association &lt;a href="http://www.boston.com/business/ticker/2007/01/banks_report_mo_1.html"&gt;doesn't like the scope and duration of data retention&lt;/a&gt;.&lt;br /&gt;&lt;blockquote&gt;The bankers' association also questioned why TJX kept credit- and debit-card information on file for so long. "It appears that they may have been capturing data that is unnecessary," Daniel J. Forte, the bankers association president, said in a statement today.&lt;br /&gt;&lt;br /&gt;TJX spokeswoman Sherry Lang would not comment on the bankers' association statement. She reiterated that the company does not yet know of any acts of fraud related to customers' personal data. &lt;/blockquote&gt;The &lt;a href="https://www.pcisecuritystandards.org/tech/index.htm"&gt;PCI standard&lt;/a&gt; requires protection of stored cardholder data. So what happens if the data is not protected? A slap on the wrist? &lt;a href="https://www.pcisecuritystandards.org/pdfs/pci_security_standards_council_statement_on_recent_data_breaches.pdf"&gt;Not even that&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Oh, by the way, TJX has not offered to provide credit monitoring or any such service. 
I'd recommend calling TJX at (866) 484-6978 and asking for credit monitoring.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-73472028979354873?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/73472028979354873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=73472028979354873' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/73472028979354873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/73472028979354873'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/01/what-was-tjx-thinking.html' title='What was TJX thinking?'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-7118119069088520041</id><published>2007-01-08T05:03:00.000-08:00</published><updated>2007-01-08T05:22:23.083-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secure coding'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='development'/><category scheme='http://www.blogger.com/atom/ns#' term='ranum'/><category scheme='http://www.blogger.com/atom/ns#' term='Fortify'/><title type='text'>Secure coding (and 'Vulnerability Pimps')</title><content type='html'>Application security is one of my favorite areas, and as a result, so are secure coding techniques and source code review. 
&lt;a href="http://www.ranum.com"&gt;Marcus Ranum&lt;/a&gt;, he of firewall fame, recently wrote an &lt;a href="http://www.ranum.com/security/computer_security/editorials/codetools/"&gt;article&lt;/a&gt; about running an automated source code analyzer against the Firewall Toolkit.&lt;br /&gt;&lt;br /&gt;As he says in the footnote,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The Firewall Toolkit later became the core of the TIS Gauntlet firewall. For a few years after its release, the FWTK code-base was at the center of more than half of the firewalls on the Internet.&lt;br /&gt;&lt;/blockquote&gt;And the code had been reviewed/worked on by many people, but some security issues, including one buffer overflow, were left undiscovered in the code. Lesson? If you have a large codebase, you need to run a tool like &lt;a href="http://www.fortifysoftware.com/"&gt;Fortify&lt;/a&gt; to find the quick hits that would otherwise stay buried in the code.&lt;br /&gt;&lt;br /&gt;In the same article, Ranum created a new term: &lt;a href="http://www.ranum.com/security/computer_security/editorials/codetools/#pimp"&gt;Vulnerability Pimps&lt;/a&gt;. 
These are the so-called security researchers who attempt to discover flaws just to gain fame.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-7118119069088520041?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/7118119069088520041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=7118119069088520041' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7118119069088520041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/7118119069088520041'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/01/secure-coding-and-vulnerability-pimps.html' title='Secure coding (and &apos;Vulnerability Pimps&apos;)'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-2395192392303062055</id><published>2007-01-01T10:19:00.000-08:00</published><updated>2007-01-01T10:39:23.933-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='legal'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='securityfocus'/><category scheme='http://www.blogger.com/atom/ns#' term='doj'/><category scheme='http://www.blogger.com/atom/ns#' term='ACLU'/><title type='text'>The psychology of risk (and why we worry about stuff we should not)</title><content type='html'>That title could sum up risk management (and will be a 
recurring theme at 10domains).&lt;br /&gt;&lt;br /&gt;I just read an &lt;a href="http://www.securityfocus.com/brief/396"&gt;article on SecurityFocus&lt;/a&gt; about an effort by the US Department of Justice (DOJ) to standardize the format in which they store criminal records, and how it's raising privacy fears. I am all for privacy, and a believer in the &lt;a href="http://www.gpoaccess.gov/constitution/html/amdt4.html"&gt;4th amendment&lt;/a&gt;. But I fail to see how a standardized method for record format and access increases the privacy risk.&lt;br /&gt;&lt;span class="body"&gt;&lt;blockquote&gt; "Raw police files or FBI reports can never be verified and can never be corrected," Barry Steinhardt, director of the Technology and Liberty Project at the American Civil Liberties Union, told the Washington Post. "That is a problem with even more formal and controlled systems. The idea that they're creating another whole system that is going to be full of inaccurate information is just chilling."&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;I agree with the first statement. But Mr. Steinhardt fails to explain how a new system increases the risk. I am not pulling out the old chestnut of "if you have done nothing wrong, you have nothing to fear" but seriously, the US DOJ already knows whatever it needs to know about you, and the other LEAs (Law Enforcement Agencies) can get access to all the records there are--it just takes longer now. Reducing that timeframe (and associated costs) does not make your life any less private.&lt;br /&gt;&lt;br /&gt;Which reminds me, one of these days I will post my rant against the opposition to a US National ID Card. 
If you carry a driver's license or have a social security number, you are already part of the Borg collective, my friend.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-2395192392303062055?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/2395192392303062055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=2395192392303062055' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2395192392303062055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/2395192392303062055'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/01/psychology-of-risk-and-why-worry-about.html' title='The psychology of risk (and why we worry about stuff we should not)'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-4840000394990027911</id><published>2007-01-01T09:53:00.000-08:00</published><updated>2007-01-01T10:06:47.540-08:00</updated><title type='text'>Why 10domains?</title><content type='html'>Someone just asked me why I picked 10domains. For people in the information security world, this is actually a pretty easy answer. 
&lt;a href="http://www.isc2.org"&gt;(ISC)&lt;/a&gt;&lt;sup&gt;&lt;a href="http://www.isc2.org"&gt;2&lt;/a&gt;&lt;/sup&gt; is the organization that runs the &lt;a href="https://www.isc2.org/cgi-bin/content.cgi?category=97"&gt;CISSP&lt;/a&gt; (and a few other) certification programs. CISSP stands for Certified Information Systems Security Professional, and requires knowledge in 10 domains of information security:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Access Control&lt;/li&gt;&lt;li&gt;Application Security&lt;/li&gt;&lt;li&gt;Business Continuity and Disaster Recovery Planning&lt;/li&gt;&lt;li&gt;Cryptography&lt;/li&gt;&lt;li&gt;Information Security and Risk Management&lt;/li&gt;&lt;li&gt;Legal, Regulations, Compliance and Investigations&lt;/li&gt;&lt;li&gt;Operations Security&lt;/li&gt;&lt;li&gt;Physical (Environmental) Security&lt;/li&gt;&lt;li&gt;Security Architecture and Design&lt;/li&gt;&lt;li&gt;Telecommunications and Network Security&lt;/li&gt;&lt;/ul&gt;This blog will cover these 10 domains (and use them to label and classify the posts), hence the name.&lt;br /&gt; &lt;img src="https://www.isc2.org/images/color_clear.gif" height="1" width="37" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-4840000394990027911?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/4840000394990027911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=4840000394990027911' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4840000394990027911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4840000394990027911'/><link rel='alternate' type='text/html' 
href='http://10domains.blogspot.com/2007/01/why-10domains.html' title='Why 10domains?'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6050101211475163815.post-4366157358967409347</id><published>2007-01-01T06:33:00.000-08:00</published><updated>2007-01-01T06:36:47.006-08:00</updated><title type='text'>YAB (Yet Another Blog) on Information Security</title><content type='html'>Why?&lt;br /&gt;Call this an effort to give a little back to the world. Hopefully the signal-to-noise ratio will be good enough for people to find this useful.&lt;br /&gt;&lt;br /&gt;The audience for this blog will range from the merely curious to professionals, from soccer moms to industry veterans.&lt;br /&gt;&lt;br /&gt;Welcome.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6050101211475163815-4366157358967409347?l=10domains.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://10domains.blogspot.com/feeds/4366157358967409347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6050101211475163815&amp;postID=4366157358967409347' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4366157358967409347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6050101211475163815/posts/default/4366157358967409347'/><link rel='alternate' type='text/html' href='http://10domains.blogspot.com/2007/01/yab-yet-another-blog-on-information.html' title='YAB (Yet Another Blog) on Information Security'/><author><name>JI</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
