InfoSec News Blog

Jericho Forum: Friend or Foe?

De-perimeterization: Jericho Forum misses the mark

Hiding behind a catchy buzzword ("de-perimeterization") and a heap of undebatable aphorisms, the Jericho Forum proposes to be the thought leader on network security in the 21st century. At best, Jericho will help to raise awareness of the usefulness of a defense-in-depth network security strategy. More likely, the forum will end up on the scrap heap of unrealized ideas and wasted effort.

De-perimeterization is the way to go for network security

The Jericho Forum is all about "de-perimeterization," which involves re-appraising where security controls are positioned. Businesses moving to the Jericho world need to change their thinking away from the "edge" mentality, based on controlled denial of access through firewalls.

Jericho Forum web site.

Comparing Edwardian period "security" to Internet Security

Dave Piscitello revises and publishes an unpublished book chapter section by section.

Internet security is often described in military terms. Many of these originate from the castle building vocabulary of England during the reign of Edward II. I've always found this analogy interesting. Recently, I received an email from someone who read an article I wrote in the TISC newsletter, entitled Server vs. Client-based Protection. In that article, I made a brief reference to Edwardian period castles.

SF-Bay InfraGard meeting @ Google

Today was the SF-Bay InfraGard meeting at Google headquarters in Mountain View, CA. About 40 people convened on Building ## (censored) for a morning meeting about physical security of the Golden Gate Bridge, BART, and various threat reporting agencies.

There are blue shirted security guys all over the place yet they blend in well. If you are on Google property for more than 5 minutes without a badge you are approached by one of them. Even within the buildings they pop out of the woodwork and question who you are and why you are there.

But the environment is a very friendly place. The walls are decorated with high resolution photos of fire spinners. The hallways have huge white boards (as shown below). There are decorative book shelves throughout the building with books on all computer and 'national geographic' topics.

My favorite was the "micro kitchens". These are mini kitchens decorated like the display models in IKEA but fully stocked with Odwalla, breakfast cereals, food, drink, and even places to cook it all. We were told there is a micro kitchen no more than 150 steps from all employees! Thus resulting in the "Google 15" referring to the 15 pounds that all employees gain once employed.

Here are some photos of the Google Master Plan. (Taken from jurvetson's flickr and blogged about by Scoble.)

Cisco IOS press conference

Just found this on Ejovi:

If you are in the tech community you might have heard about the Cisco IOS vulnerability discussed at Black Hat this year. Here is a MP3 of the press conference [MP3] (26:00 total) given by the Black Hat organizers...

Listen carefully and you will learn some interesting things about the vulnerability. Did you hear someone say, "software affecting hardware"? (jump to 11:30) Yikes!

Indian call centres an Internet fraud risk: Australian report

Designerz News writes:

Workers at call centres based in India India are selling personal information which puts tens of thousands of people at risk of computer fraud, Australia's national broadcaster said.

In an investigation for ABC Television's Four Corners programme, reporters were offered banking pin numbers, passport numbers, credit card details and other personal information on thousands of Australians.

[via COTSE]

* Australian IT News
* ABC (AU)

Police files debacle

Up to 20,000 pages of confidential police files have been leaked by Victoria [Australia] Police in one of the biggest breaches of privacy in the state's history.

The Herald Sun has learned the police files of up to 1000 Victorians were sent to a prison officer-turned-whistleblower in a damaging security breach.

[via COTSE]

So You Think Your Data Is Secure?

Dan Verton, author of The Insider: A True Story (Llumina Press, 2005), in an article for ComputerWorld writes, "Everything I'm about to tell you is true..."

• A 48-hour risk assessment conducted in April at a top 20 financial institution intercepted a spreadsheet containing the names of 200 customers and their account numbers, account balances and tax identification numbers as it was being transmitted to a personal EarthLink e-mail account. Employees of this firm also routinely sent customers information in clear text that contained Social Security numbers, names, addresses, dates of birth, driver's license numbers, account numbers and balances. And while the firm has made considerable efforts to develop a strong privacy policy and build a secure e-mail system, only 12% of the data monitored was encrypted -- a specific recommendation of the Gramm-Leach-Bliley Act.


• That same month, technicians conducted a similar risk assessment at one of the biggest IT firms in the country -- a company that has a security budget to die for. In two days of monitoring, the system intercepted proprietary planning documents being e-mailed via Web mail (and yes, the company thought it had locked that down) to a direct competitor. The employee in question, along with 50 of his colleagues, had been hoping to land a new job.


• In the manufacturing sector, one of the biggest brand names in the U.S. was shocked to find what amounted to material weaknesses in its internal controls. Payroll data and hundreds of Social Security numbers were discovered leaving the network unencrypted and going to private e-mail accounts. In addition, 123 engineering and design documents had been sent to unauthorized recipients outside the network, only days before a major new product campaign was to be launched.


• Officials at various hospitals were shocked to learn that privacy-protected data on hundreds of patients was routinely leaving the network and going to unauthorized recipients. One facility recorded 2,000 violations of the Health Insurance Portability and Accountability Act in 48 hours. Another watched in horror as the names and medical information of more than 500 patients with HIV/AIDS were communicated to a private Hotmail account.

(IN)SECURE Magazine Issue 3 just released

(IN)SECURE Magazine is a freely available digital security magazine
discussing some of the hottest information security topics.

Issue 3 was just released [PDF]. Download it from: http://www.insecuremag.com

The covered topics are:

* Security vulnerabilities, exploits and patches
* PDA attacks: palm sized devices - PC sized threats
* Adding service signatures to Nmap
* CSO and CISO - perception vs. reality in the security kingdom
* Unified threat management: IT security's silver bullet?
* The reality of SQL injection
* 12 months of progress for the Microsoft Security Response Centre
* Interview with Michal Zalewski, security researcher
* OpenSSH for Macintosh
* Method for forensic validation of backup tapes

SPECIAL BONUS: This issue hosts a book contest - enter and win one of
the six new information security book titles. The contest is sponsored by the good folks at Addison-Wesley.

Florida Man Convicted in Huge Data Theft

Holey email spam! Betanews tells about a man who stole 1.5 billion contact information.

A Florida man who stole personal information from a consumer database company in what federal officials say is the largest case of data theft ever was convicted on Friday. In total, over 1.5 billion data files were stolen from the company's servers.

Scott Levine of Boca Raton stole the data files in order to use the personal information contained within to benefit his company. Levine ran Snipermail.com, Inc., a bulk e-mail service. The theft occurred over 16 months from April 2002 to August 2003.

Yahoo News also has the story.

The e-mail marketing contractor, Florida-based Snipermail.com, gathered contact information and sent bulk-email advertisements and sweepstakes offers on behalf of advertisers. But downloading 1.6 billion customer records — the equivalent of 550 telephone books filled with names, e-mail and postal addresses — wasn't part of the job.

Tools drive point-and-click crime

BBC News reports:

The easy-to-use tools are being created by malicious and criminal hackers to run the networks of compromised home computers they control, said security firm Websense.

The web-based tools put a friendly front end on managing the compromised machines making up so-called botnets.
These networks of hijacked home computers can involve as few as 100 PCs but the biggest can call on thousands of machines.

Research by mail filtering company MessageLabs suggests that up to 70% of spam is sent via compromised home computers.

Same old, same old...

Shining a Light on Enterprise Grid Security

I enjoyed reading the GRID Today post about enterprise security grids. Here's an excerpt:

Interestingly enough, and contrary to popular opinion, our initial research indicates that enterprise Grids are actually more likely to be secure than traditional computing environments, particularly over their lifetimes.

Enterprise Grid architectures do face unique security challenges ranging from access control attacks (risks associated with unauthorized entities defeating the unified access control policy) to ensuring safe object reuse (how sensitive data could be disclosed as resource sharing becomes more common) to masquerading and hijacking attacks (where a valid Grid component can be fooled into communicating with another entity masquerading as a valid Grid component).

Fundamentally, however, enterprise Grid architectures inherit the security risks of their ancestors. Individual products and services must still be properly configured, patched, secured and maintained. Similarly, platform, network, storage and application architectures must still be constructed in ways that reinforce organizational security, privacy and regulatory compliance goals. The main difference with enterprise Grid architectures is in how these elements are managed. Enterprise Grid deployments, through the use of a Grid Management Entity, enable organizations to realize greater levels of consistency, compliance, automation and optimization as compared to more traditional infrastructures. Unique to enterprise Grid architectures is the ability to safely and consistently automate the secure provisioning, sharing, reuse, assessment and monitoring of IT assets from physical devices (e.g., disk drives and processors) to dynamically constructed application components (e.g., Web services).

When it Comes to IM, First Think Security

Datamation writes:

Francis deSouza, CEO of IMlogic, an instant messaging company based in Waltham, Mass., says there are two trends rolling through the IM industry these days. One is the corporate adoption of a single, enterprise-level IM package that would replace all of the instant messaging software that end users have downloaded onto their machines over the years. The second trend, deSouza says, is that the skyrocketing threat to instant messaging software has IT administrators thinking about security.

Annual hacking game teaches security lessons

Defcon's annual Capture the Flag tournament was written up by SecurtyFocus with some nice interviews.

"We did intentionally de-emphasize defense, because it is a hacking competition, after all," said the organizer. By agreement, the group that ran the game adopted the name Kenshoto and would only speak anonymously. "However, defensive skills were tested."

I was there and noticed only two women were actually involved in the hacking. Here's a photo. According to the ShellPhish web site her name is "ViRus".

Here's an interview with Giovanni Vigna the Associate Professor, Reliable Software Group, Department of Computer Science at the University of California, Santa Barbara. He is the leader of the Shellphish team, the winners of this year's Defcon Capture The Flag competition.

The Devil's Infosec Dictionary

A funny read is the Devil's Infosec Dictionary. Here are a select few listings:

24/7: adj. The window of time in which systems are most vulnerable to attack
E-Commerce: A historical fad from the late '90s meant to generate hundreds of billions of dollars in new profits; the inciting factor that generated hundreds of billions of dollars being spent on security products
Intrusion Detection Systems (IDS): Log file generators
Mission critical: adj. Term used to help hackers identify their targets
Road warriors: Traveling employees responsible for delivering malicious code back to headquarters

Feds fund VoIP wiretapping research at GMU

Cory Doctorow of Boing Boing points out: The National Science Foundation has granted George Mason University researchers over $300,000 to develop technologies to eavesdrop on VoIP phone calls.

The technology that [assistant professor of software engineering Xinyuan Wang] and his colleagues are working on does not decrypt conversations. It tracks packets as they move from one user to another, allowing authorities to see who is talking to whom, but not to see what they are saying. Wang conceded that "from a privacy advocate's point of view, this is an attack on privacy," but he also noted that "from a police point of view, this is a way to trace things."

Update:ZDNet also has this story:

The National Science Foundation is funding the development of a tool that can be used to detect when people under law enforcement surveillance use Voice over Internet Protocol (VoIP) to communicate. The technique, which is being developed by researchers at George Mason University, involves embedding a digital watermark into the packet flow and making slight adjustments to the timing of certain packets. A paper on the research is due to be delivered at a security conference in November. The technique tries to determine the identities of those communicating via VoIP, but does not try to gather the content of their conversations.

X-Box Security

Schneier points us to an interesting article: "The Hidden Boot Code of the Xbox, or How to fit three bugs in 512 bytes of security code."

Microsoft wanted to lock out both pirated games and unofficial games, so they built a chain of trust on the X-Box from the hardware to the execution of the game code. Only code authorized by Microsoft could run on the X-box. The link between hardware and software in this chain of trust is the hidden "MCPX" boot ROM. The article discusses that ROM.

Other links on X-Box security:
MIT grad student shows how to read Xbox security key
Hacking the X-Box

Net criminals 'customise' attacks

The BBC reports:

Net criminals and hackers are increasingly targeting their attacks at specific organisations, research shows.

Worst hit, according to a worldwide survey by IBM, are government departments, financial services, manufacturing and healthcare.

Of the 237 million security attacks in the first half of 2005, 137 million were aimed at these four areas.

Scoble on Adam Barr on Monad

Scoble blogs about Adam Barr and his blogs about why Monad is not a Vista killer. After being Slashdot posted its story the comments were overwhelmingly "It's a scripting language, this is expected."

Seems even the Register had something to say and the BBC got in a word as well.

Ciscogate final tale

I assume everyone has but for those of you who haven't you really need to read Jennifer Granicks final tale of how the Mike Lynn story ends.

Online ATM/debit card fraud estimated at $2.75 billion

Marcia Savage of SC Magazine writes:

Internet fraud involving automated teller machine (ATM)/debit cards has victimized about 3 million U.S. consumers and generated losses of
$2.75 billion in the past year, according to market-research firm Gartner.

CNN Money has a similar article.

Cisco warns customers of site breach

Dan Ilett of Silicon.com and Marguerite Reardon of CNET News.com writes:

Cisco Systems' customers received e-mails Wednesday from the networking company advising them of a security breach of its Web site. The company said Cisco.com has been compromised and that customers need to change their passwords. "It has been brought to our attention that there is an issue in a Cisco.com search tool that could expose passwords for registered users," the company warned.
Posted by volubis at 12:13 AM | TrackBack

DNS servers--an Internet Achilles' heel

c|net News.com says:

Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.

In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning.

"That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said.

I'm a big fan of Dan.

More Lynn/Cisco Information

"Michael Lynn looks on as he gains adminstrator privileges to a Cisco Router"

Bruce Schneier has a nice post with much more information, most of it from Boing Boing. He says:

Note that the presentation above is not the same as the one Lynn gave at BlackHat. The presentation at BlackHat didn't have the ISS logo at the bottom, as the one on the Internet does. Also, the critical code components were blacked out. (Photographs of Lynn's actual presentation slides were available here, but have been removed due to legal threats from ISS.)

There have been a bunch of commentary and analyses on the whole story. Business Week completely missed the point. Larry Seltzer at eWeek is more balanced.

Hackers are working overtime to reconstruct Lynn's attack and write an exploit. This, of course, means that we're in much more danger of there being a worm that takes use of this vulnerability.

Don't forget to check out Jennifer Granick's verbose description of the case as she handles it.

So the first question is, “what’s the secret?” The complaint says that Lynn had Cisco source code, but he didn’t. He had the binary code. The binary isn’t secret, since Cisco sells it. Is the decompiled code secret? Is it the fact that there’s a vulnerability? Would the law allow a product flaw to be a protected trade secret? I’ve had lawyers argue it to me, but I can’t believe that any court would think that’s a good idea. Imagine if we did that with cars. The fact that it blows up if someone rear ends you is a protected secret, because people wouldn’t buy the cars if they had that information? I’m not sure there’s anything here of Cisco’s that the law would protect.

...

We agreed to an injunction to settle the case, and the reason we settled the case is because all Mike has to do is stuff he’s mostly willing to do anyway, and Cisco and ISS will dismiss the lawsuit. At the point that you get sued, or even charged with a crime, it matters less what actually happened and whether you did something wrong and more what it takes to get out of the case as unscathed as possible. It’s sad, but true, that our legal system can often be more strategy than justice.

The Sniffer vs. the Cybercrooks

The NYTimes reports

The investment bank, despite billions in annual revenue and the small squadron of former police, military and security officers on its payroll, was no match for Mark Seiden.
"Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.

Interview: Mark Seiden [9.1MB MP3]

Univ. of Colo. has 3rd hacker attack

United Press International says:

The University of Colorado at Boulder said 29,000 students and 7,000 staff were vulnerable to identity theft from a hacker attack -- the third in two weeks. A hacker last Wednesday gained access to data from the university's identity and access card, called Buff OneCard. Buff OneCards contain Social Security numbers, names and photographs.

Data brokers - Americans need better control of personal information

The OpEd piece talks about how data brokers amass large dossiers of information about you.

Average Americans understand why identity thieves want their personal information.

It's harder for average Americans to comprehend why they have no control over the data brokers who amass cyber storehouses of data from which those thieves plunder.

[via The Arizona Republic]

People Throwing Out PCs

The New York Times reports this weekend: Corrupted PC's Find New Home in the Dumpster that many people are tossing their old computers rather than trying to repair them, a situation the NYT attributes to spyware. The users it quotes were ditching four-year-old machines.

Moreover, 68 percent said they had had computer trouble in the last year consistent with the problems caused by spyware or adware, though 60 percent of those were unsure of the problems' origins. Twenty percent of those who tried to fix the problem said it had not been solved; among those who spent money seeking a remedy, the average outlay was $129.

Wendy Seltzer, an attorney with the Electronic Frontier Foundation and a fellow with the Berkman Center for Internet & Society at Harvard Law School, blogs about this with some words you should read.

One question is: are these old computers being destroyed of properly? I'm sure attackers could easily pull the hard drive and find far too much information about the individual than expected.

CardSystems Timeline of Events

CardSystems Solutions -- the credit-card processing company that recently exposed many debit and credit-card accounts in a cyber break-in -- failed to secure its network, even though the network had been certified secure to a data security standard, according to Visa.

midrange.com has an interesting timeline of the break in. How did they get this information?

[via infosecninja]

CRYPTO-GRAM (July 15, 2005)

The latest Crypto-Gram newsletter is out. In this issue:
* London Transport Bombings
* Terrorism Defense: A Failure of Imagination
* CardSystems Exposes 40 Million Identities
* Noticing Data Misuse
* Indian Call Center Sells Personal Information
* Crypto-Gram Reprints
* Write Down Your Password
* The Adaptability of Iraqi Insurgents
* News
* Organized Retail Theft
* The Doghouse: Privacy.li
* SHA-1 Cryptanalysis
* Security Skins
* Counterpane News
* Evaluating the Effectiveness of Security Countermeasures
* Speeding Ticket Avoidance
* Redefining Spyware
* Talking to Strangers
* Comments from Readers

Interview with Fyodor of Nmap

Fyodor, aka Fyodor Vaskovich, CTO of Insecure.org, talks about himself and his work on nmap the well known port scanner, a staple of any security engineers toolkit.

I just turned 28 and live in Palo Alto, California. My hobbies
include Linux, programming, TCP/IP, reading, and working on my web
site. I hope that doesn't sound too dorky :). I do enjoy non-tech
stuff, like riding my motorcycle, hanging out with friends, go-kart
and auto racing, hiking, and skiing.

[via TUX Journal from Linux Security]

Other articles on nmap.

Have Data Breaches Reached Critical Mass?

George Hulme of CyberArk comments on the turning-of-the-tide in information security. He argues that "despite the hundreds of millions of dollars that organizations have invested in information security technology to secure their critical business-technology infrastructures, the bad news keeps breaking." Using the following stats:

According to Gartner, 9.4 million U.S. adults were identity theft victims between May 2003 and April 2004. Their financial losses totaled $11.7 billion.

Ok, this is bad but lets do some number comparisons, the US population is 295,734,134 meaning that about 3% of Americans were affected by identity theft in the last year. Also, the American GDP is $11,750,000,000,000 meaning that identity theft accounted for a whopping 0.00009% of our national GDP. Let's look at the big picture. The article continues:

Those statistics are even more alarming when one considers that in 2004, the Federal Trade Commission said 635,173 identity theft related complaints were reported. That figure is considerably higher than the 403,688 filed complaints in 2002. It’s no surprise consumers are losing trust in E-commerce and how carefully organizations protect their private information. Gartner says 1 in 20 adults are likely to become victims of some form of identity theft.

Do you really think consumers are scared off by this news? Do you think they even know about it? I'll recount a story a friend told me. He came home one day and showed his wife an article in the paper about the DSW Shoe Warehouse compromise where many credit card numbers were stolen. "Have you bought anything there lately?" he asked. She ignored the article saying only, "yes, in fact I'm going back again because they have such great deals." The fact of the matter is that when someone only effects a small percentage of the population they don't seem to care unless a very high profile person raises it as an issue.

Overall I really liked the article and recommend others read it. I know it was written to show the reader the scary side of data theft but someone needs to tell them an unbiased side (that would be me.)

I especially like his list of information security best practices at the end. Nicely put.

[via Help Net Security]

Bank of America Adds New Online Security

The Associated Press writes that Bank of America has a new authentication system. This system has been talked about for some time now and is similar to using an RSA Key Fob by providing you with one time authentication that changes every time you log into your account, but it overcomes the problem and cost associated with distributing and managing thousands of key fobs. Good going! Of course, ING Direct has had a similar system for years.

In February, Bank of America disclosed that it lost computer data tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate. The lost data included social security numbers and account information.
In May, Bank of America and Wachovia Corp. were forced to alert more than 100,000 customers when New Jersey police charged nine people, including seven bank workers, in a plot to steal financial records of thousands of bank customers.

Instead of the traditional user name-password setup, SiteKey users select one of a thousand different images, write a brief phrase and pick three challenge questions.

The challenge questions - all things that only the customer would be able to provide, such as the year and model of their first car - are then used along with a customer ID and a passcode to guard access to the account.

Cybercrime Rates, Losses Fall, Survey Says

I like that Gregg Keizer, writer for InformationWeek, accurately portrays a recent survey on infosec trends.

The downturn in losses is because of both better management of security tools and sheer luck in the form of a 12-month run without fast-spreading, big-dollar-amount attacks. But the survey also detailed some gloomier news: Losses to identity and information theft are up--way up.

How to prevent pharming

I know that you're thinking, the answer on how to prevent pharming is simply to secure your DNS. True, so Deborah Radcliff of Network World tells us how.

Secure RSS Syndication

Joe Gregorio comes up with a way to use Greasemonkey scripts to have his browser decrypt the encrypted RSS feed. That way he doesn't have to enter his password directly into any RSS aggregator, such as Bloglines.

I have a problem. It's actually a pretty common problem. I have data that I want to syndicate to myself, but I don't want you to see it. It's private. Now this could be my credit card balance or internal bug reports for the day job. Either way, I want the information in a form suitable for syndication but not available to everyone.

Even Bruce thinks it's a good idea.

WSJ on threats to information security - "Where The Dangers Are"

David Bank and Riva Richmond, staff reporters for The Wall Street Journal, have a nice piece on threats to information security:

In the world of cybercrime, the bad guys are getting smarter -- and more ambitious.

In recent months, hackers have carried out a flurry of increasingly sophisticated attacks, highlighting the vulnerability of key computer networks around the world.

Criminals penetrated the database of CardSystems Solutions Inc., nabbing up to 200,000 Visa, MasterCard, American Express and Discover card numbers and potentially exposing tens of millions more. Leading high-tech companies in Israel allegedly planted surveillance software on the computers of their business rivals. British security officials warned of a computer attack aimed at stealing sensitive information from banks, insurers and other parts of that country's "critical infrastructure."

Security experts fear things will only get worse. As technology gets more complex, more vulnerabilities are springing up in computer networks -- and more criminals, terrorists and mischief makers are rushing to exploit them.

The WSJ tens to get their facts straigt moreso than others. For example they correctly target the number of cards stolen from CardSystems at around 200,000 instead of going for the not-so-correct, but more attention grabbing number of 20 million.

Also, they invited several "industry professionals" (aka. contacts from their rolodex) to participate on this conversation.

The Wall Street Journal and WSJ.com have invited a number of top computer security experts for a daylong discussion of these specific questions: Who should know about security breaches, and who should be held responsible?

The participants include: Paul Kurtz, Executive Director of the Cyber Security Industry Alliance; Bruce Schneier, Founder and Chief Technical Officer Counterpane (his blog); Jennifer Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford Law School (her blog The Shout).

Sarbanes-Oxley spending drains security budgets

ComputerWeekly is reporting that corporate spending on SOX diminishes their security budget.

International corporate spending on compliance with the Sarbanes-Oxley data security legislation has come at the expense of dealing with other security threats, according to the Information Security Forum (ISF).

An ISF report said that many of its members expected to spend more than $10m (£5.7m) on complying with the US Sarbanes-Oxley legislation.

Are we forgetting that money you are spending on SOX should be put towards securing your data and creating accountability?! They make it sound like the SOX legislation requires that companies pour money into a black hole that does nothing to improve the overall security posture of a company.

If you are not allocating funds properly then fire your current consultants and hire someone who knows what they are doing and can provide you with cost effective, creative and overlapping solution. Quit complaining and get with the program.

[via Help Net Security]

Security Breach 'no big deal' for Albertans

Read the following two statements and let me know what you think. How can loosing that information be "low risk"? Because there were no social security numbers? I would still consider it to be a breach of my privacy if my information was on the lost tape.

Frank Work, Alberta's Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud.
...
The missing computer tape of December 2004 premium billing and registration information contains names, health care numbers, premium rates, family status and some payroll/employee numbers of over 670,000 Albertans.

[via Record-Gazette from Cotse]

Employees had no role in ChoicePoint breach

Ironic... the AP is saying that the Carol DiBattiste, forer TSA administrator, is going to screen future ChoicePoint customers. I hope they do a better job with their customers than they do screening at airlines.

The new officer in charge of privacy, credentialing and compliance at ChoicePoint says employees at the company played no part in the leaking of information on about 145,000 Americans. While procedures at the data broker needed to be improved, individuals at the companies did not make any mistakes, ChoicePoint's Carol DiBattiste told the Associated Press.

[via CNet]

Identity Theft and Our 'Opt In' Mentality

Bruce Schneier was quoted in the NYTimes today for an article on identity theft.

"If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.
"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Correct he is but we need to go beyond just making the financial institutions liable for fraudulent transactions. What about when a data clearing house is hacked and your SSN is stolen. How do you show fraudulent activity and how do you make the clearing house liable? What about when a company that tracks your spending patterns is hacked? or your hospital containing medical records?

We need to do two things:
(1) Change from an "opt out" to an "opt in" culture
Because there is no law against it everyone in the United States automatically opts in to the collection and sale of their personal information. Companies can collect, buy, sell and trade information about you such as your spending patterns, financial history, residence history, information about your dependants, income and medical history. Regulations such as GLB, HIPAA, and PCI say that companies must safeguard your personal information but they do not restrict the collection and sale of it to others.

Today credit card companies investigate you to see if you've been paying your car bill or electric bill on time to see if they should raise your interest rates. It will get to a point where any information about you can be bought or sold for the right price. And this is all being done with your "permission" because you failed to opt out. (Many companies don't even give you the opt out option!)

(2) Make the company collecting your personal information liable if it is disclosed to others without your permission.
If a bank lost your money would you not hold them liable? Why no do the same with companies that hold your personal information? If they became liable and risked fines their mentality about keeping that information safe would change overnight.

Compliance requirements without teeth are not worth a thing. But the addition of deadlines and fines changes the risk equation. Now corporate CEOs need to balance the risk of a data compromise against the cost of compliance. If a compromise of one person's personal data was associated with a fine of even $1, then the CardSystems breach of 40 million data records would send a strong message to those who didn't find it necessary to properly secure the data entrusted to them.

Michael Oxley criticises Sarbanes-Oxley legislation

It seems we all have regrets about some things. In this case there are a few well places comments about how SOX could be improved.

Harsh language was used such as Judge Leo Strine, a vice chancellor of the Delaware Court of Chancery, warning federal legislators to 'stay in their lane'. Senator Michael Oxley was also cought saying such scathing comments as 'not a perfect document' and some of SOX's reforms had been 'excessive' following the 'hothouse atmosphere' around the collapse of WordCom and Enron.

Michael Oxley told the International Corporate Governance Network (ICGN) annual conference yesterday that, 'if I had another crack at it, I would have provided a bit more flexibility for small- and medium-sized companies.

Thankfully, Michael ended by saying "After WorldCom happened it was difficult to legislate responsibly in that type of hot-house atmosphere. But I am proud of the bill. Compliance is an investment in the strength of the US capital markets."

Security roundup

Schneier is talking about a "failure of imagination" and the money we are spending on anti-terrorism.

The British government "lost" a few (150) PCs this year. (I could really use a laptop...)

Kelly Martin at SecurityFocus talks about who's to blame but failed to mention blaming: the end users or corporate administrators. I think these are the two areas we can effect security the most.

Help Net Security has a white paper on penetration testing. Let me know if it's any good.

The ID Theft Resource Center is online to help out people who hav efallen victim.

Pundits at SecurityFocus mull over issues such as who owns our personal information. The answer should be simple: we don't right now but we should enact legislation to give return control to the individual. While I was in Curacao, I talked to a guy from Holland who's company connects into the credit reporting agencies throughout Europe. He said that if they ever disclosed or sold information about an individual (and I mean name and address here) they could be fined up to $10k per incident! The courts would rule in favor of the individual and it would be an open and shut case. He said the telephone books are all "opt in" systems and that companies cannot even share information with other companies held by the same entity. This is the world I wish I lived in.

Dave Piscitello started working at ICANN and started investigating domain hijacking with the Security and Stability Advisory Committee (SSAC). Check out their report [PDF] at ICANN.

Don't know jack about DNS? Daniel Karrenberg, Chief Scientist at the RIPE NCC explains in laymens terms what DNS root name servers are. Paper in PDF.

On a funnier note, everyone's talking about how the FTC Chair’s credit card data was stolen. Ok, maybe it's not so funny. Chairwoman Deborah Platt Majoras was among those stolen from DSW Shoe Warehouse. PrivacyClue writes:

The irony, of course, is that the FTC is the federal government agency responsible for policing many of the issues related to identity theft and fraud. This is not the first instance in which FTC commissioners have gotten first-hand experience in coping with problems under the FTC’s jurisdiction. Former FTC Commissioner Orson Swindle — still the best named FTC commissioner ever — was often fond of recounting his battles with the credit bureaus over erroneous data on his credit report that was impeding his ability to get a home mortgage. At the time, the FTC was suing the credit bureaus for failure to promptly resolve complaints about errors in credit reports. (Naturally, the credit bureaus still deny any wrong-doing.)

Hacker magazine shuts up shop

The Register reminds us the end of an era with Phrack magazine.

Hacking magazine Phrack is closing after 20 years of publishing after its editorial team decided to call it a day. The final date for submissions for the special hardback last issue of the mag was Sunday 10 July. Issue 63 will be released at the Defcon and WhatTheHack2005 hacker conventions later this month.

Iron Mountain Loses More Tapes

Information Week reports that Iron Mountain lost some more tapes.

City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.

U.S. consumers want companies fined for security breaches

Finextra reports on people wanting to see criminal charges filed in cased on egregious data security violations.

The majority of US consumers want to see criminal charges levied against companies that fail to protect their personal data, as one in five individuals admit falling victim to identity theft.

A survey of more than 1850 Americans conducted by California-based Impulse Research on behalf of Chubb Group of Insurance Companies found that 65% of respondents would like to see these companies that fail to protect customer data fined and 63% want these companies charged with a crime.

Detailed survey information: One in Five Americans Has Been a Victim of Identity Fraud

With companies reporting data breaches seemingly every week, more people are becoming victims of identity theft, even as awareness rises. A survey of more than 1,850 Americans sponsored by Chubb Group of Insurance Companies found that 20% of respondents have been victims of identity fraud or theft. Ninety-five percent of respondents said they are concerned that someone might fraudulently impersonate them to ruin their credit standing and put them in debt, up almost 20% from 2000.

Twenty-seven percent of respondents reported that their or a family member’s credit card was fraudulently used to charge purchases, up from 19% in 2000. Twenty-seven percent reported that they or a family member experienced the theft of a purse or wallet, while 8% experienced fraudulent checks written on their or a family member's checking account.

Consumers Want Accountability

Eighty-seven percent of respondents think that companies that fail to adequately protect the confidential information they have on customers and others should be required by law to pay to restore consumers’ credit ratings. Sixty-five percent of those surveyed would like to see these companies fined, and 63% want these companies charged with a crime.

Giving Away Your Identity

Seventy-eight percent of respondents would give their Social Security number to a credit card company when applying for an account. Fifty-four percent of people surveyed would give their Social Security number to an auto dealer when establishing credit, 37% to a phone company when establishing service, and 53% to a college or other educational institution.

Sixty-four percent of respondents have disclosed confidential information online or by telephone in the past six months. “People need to be more protective of their personal information, particularly with whom and how they share it, whether online, over the phone or in person,” said Dan McCabe, vice president of Chubb & Son and marketing manager for Chubb Personal Insurance. Regarding pre-approved credit card solicitations, 28% of people surveyed throw them away without shredding them or tearing them up.

A Quick Fix? Or a Long, Costly Process?

Twenty-eight percent of people surveyed believe it would take more than a year to regain their identity and clear their credit. Forty percent of respondents think it would cost $1,000 or more to regain their identity and clear their credit. “The survey demonstrates not only the increased threat of identity theft but also the increased concern felt by consumers,” said McCabe.

Impulse Research of Los Angeles conducted the survey in May 2005 for Chubb. The survey provided a more extensive look at the identity theft problem than a survey Chubb sponsored in 2000.

Chubb provides free identity theft coverage to its homeowners insurance customers in nearly all 50 states, as well as in Washington, DC. The coverage reimburses customers for a variety of identity fraud expenses, up to a maximum of $25,000 for each occurrence, subject to a $500 deductible.

The member insurers of the Chubb Group of Insurance Companies form a multi-billion dollar organization providing property and casualty insurance for personal and commercial customers worldwide through 8,000 independent agents and brokers. Chubb's global network includes branches and affiliates in North America, Europe, Latin America, Asia and Australia. In addition to insuring valuable articles, Chubb is a worldwide leader in providing insurance coverage for fine homes, automobiles, yachts and wine collections and other collectibles.

Datasheet guide to Identity Theft

WindowsSecurity has a comprehensive list titled Avoiding Identity Theft. It lists the reasons for identity theft, methods of stealing an identity, avoiding identity theft, and how to report it.

Identity theft is the fastest growing crime in America. According to the Federal Trade Commission, the number of identity theft incidents reached 9.9 million in 2003, and is estimated to have taken the average victim $500 and 30 hours to resolve. This article is designed to help network administrators and consumers understand the issues surrounding the rapidly growing concern of "Identity Theft".

[via Help Net Security]

Effective Network Management for Security and Compliance

Download the full PDF here. (Requires filling out a form.)
Abstract:

The facts are astounding: Over 80% of enterprises have reported downtime due to a network security incident; over 50% of all network security break-ins occur from manual device configuration; and some companies can face up to $1M per day in fines if their network infrastructures do not comply with compliance legislation. This white paper provides an overview of network security and compliance for network managers, network architects and network security experts and outlines key solutions that help organizations employ proactive network vigilance, advanced reporting, intelligent rollback and granular control across the vendor spectrum to make network security and compliance predictable and precise.

[via Help Net Security]

Hackers for hire

security.itworld.com has an article on companies that hire hackers for industrial espionage.

What started out as an online businessman's dirty tactic lasted for almost half a year and cost victims over US$2 million.

The plan: disable the competitions' Web sites. The accomplice: a 16-year-old hacker-for-hire from New Jersey.

The U.S. Federal Bureau of Investigation arrested both businessman and hacker, but not before the damage had been done. This incident, which happened recently, demonstrates how much the nature of the cyber criminal has changed over the past few years -- from script kiddies and "cyberpunks" to hackers, crackers and cyber gangs -- according to a North American study on organized crime and the Internet.

Here's the Virtual Criminology Report [PDF] from McAfee.

More articles: Organized cybercrime has IT security experts scared

[via Security-Protocols]

Two-factor security questions raised

In a dis-information article titled Hackers crack two-factor security vnunet.com reporter Iain Thomson lets me down. There has been no compromise to 2-factor authentication. Sophos told them: "The latest generation of spyware not only includes key-loggers that trap passwords, but screen-grabbing software. This takes multiple images of what the user is doing and sends it straight to the hacker."

Ok, nice to know but aren't most 2-factor key fobs set to change the password after 60 seconds? Assuming that the user of the fob reads the number at the exact moment that it changes and that the spyware application take a screen shot at the exact second the user hits submit on a web form. How long will it take for the attacker to utilize that information?

The odds of this being a viable form of mass attack are slim to none. Remember we are not looking for something that circumvents every instance of password theft. We just want to make it so that data can't be harvested in a mass market format. I think that no matter what Bruce Schneier says about two-factor authentication, it's still a vast improvement on what we have.

Anatomy of a Hack

Slashdot says that Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data.

Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things.

Death of a Firewall?

An article from Slashdot pointed me to another on The Death Of A Firewall by Security Pipeline columnist Stuart Berman. His argument against the firewall as an entity until itself is this:

The new security architecture isn't focused on our network firewall. Instead, we embed security within our internal network. This begins with separating our servers from our clients. We can do that now, thanks to layer-3 data center switches that allow for the low-cost creation of subnets. By defining simple ACLs, we further isolate our backend servers.

Can someone tell me what the difference is between this and simply using a Cisco switch/router with ACLs? How does replacing a firewall with a Layer-3 ACL protected drive increase security? Ok, so it's still a statefull, rule-based system. Please tell me what is better?

Somehow the description of the "new" system seems more complicated than a simple firewall. That said, in theory it could be more granular with its security if given the opportunity to tune rules at the web, application, middleware and database level. But do we need this level of granularity and at what cost to complexity?

The servers and their respective applications sit in their own DMZ, protected by an Application-layer firewall. We organize servers into three tiers: The first tier consists of presentation servers such as Web and e-mail servers--these are the only servers accessible to end users. The second tier, made up of application and middleware servers, is in turn only accessible to the presentation servers. Finally, the third tier, consisting of the database servers, is only accessible to the application and middleware servers.

I would like to hear Stuart Berman's feedback on this. Anyone else have thoughts on how to or if it's a good idea to eliminate the firewall?

Update
Security Curve Weblog has another perspective disussing the regulatory aspect it:

No matter what Abe says, enterprises don't install firewalls just because they're "cool" or because security folks in enterprises are ignorant - even if the security organizations could ensure equal security (for less dollars) without a firewall, they would still install one so that the regulators and auditors can check "yes" on the firewall box rather than "no." Seriously. In my experiences, auditors and regulators are usually not super tech-heavy. If you're in the security group of a bank, can you imagine explaining to a non-technical OCC auditor why you don't have a firewall? How about explaining it to DISA if you're a government entity or contractor? How about VISA - if you're a merchant, do you want to go toe-to-toe with VISA to explain why you're not in strict compliance with their rules?

He ends with my favorite quote, "Of course, this all discounts the fact that if you do get attacked and you don't have a firewall that you're going to look like an idiot."

Two Experiences Designing for Effective Security

This paper [PDF] described two applications: Vavoom, a visualization of network activity during Web browsing, and Impromptu, a direct-manipulation interface for sharing files in workgroups.

[via Usable Security]

Russia'a Black-Market Data Trade

Schneier says: Interesting story on the market for data in Moscow:

This Gorbushka vendor offers a hard drive with cash transfer records from Russia's central bank for $1,500 (Canadian).

And:

At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.

Five Myths of Credit Card Security

It's amazing how easy it is to spread incorrect information. I was at a dinner party last night when the conversation changed to that of credit card and identity theft. I smiled and perked my ears because computers are not usually discussed at social events (other than to complain about them.) I listened first, then interjected, and then listened again. People voiced their opinion on what credit card theft meant to them and from this I derived the following myths.

Myth 1: Offline transactions are more secure than online transactions
Many people confuse credit card theft with identity theft and others simply say it's too risky to use a credit card online. These people feel it's safer to use their credit card at a retail store than to use it purchasing books from Amazon or eBay, but that's simply not the case.

We have already seen a string of attacks against retailers such as DSW Shoe Warehouse, BJ's Wholesale Club, Polo Ralph Lauren Corp and
hundreds more that go unreported (or un-disclosed). It is the norm for retailers to store your credit card number on the point-of-sale (POS) software at the retail location for anywhere between two weeks and indefinitely. Polo is an example where the data was being stored for years.

Myth 2: Using 128 bit SSL will keep my online transactions safe
Some people at the party said that they use "128 bit encryption" for online transactions. I was impressed that the person even knew the 'best practice' number of 128, but this isn't true either. Using a SSL certificate will only protect the data in transit, it will not protect it at rest which is where the real risk resides.

What keeps your online transactions safe are for online merchants to adopt and enforce industry security requirements such as Visa & MasterCard's Payment Card Industry (PCI) Data Security Standard [PDF]. (Many people will say that CardSystems was considered compliant [PDF] and they still got hacked, but the reality is that they were not compliant at the time of the compromise! Continued vigilance is necessary for security.)

Myth 3: If my credit card number is stolen so is my "identity"
Stealing someone's credit card number is not the same as stealing their identity. Unfortunately our social security number has become the single point of failure to our identities being compromised because it commonly used, unique and simple to use and require. As a result, if someone has your social security number, your name, and some easy to access ancillary information (address, etc.) then can easily begin creating a new you. They can apply for federal identification, take out loans, purchase a house and ring up endless bills at your expense. If only your credit card number is compromised they cannot do these things. Imagine going to the post office and trying to apply for a passport with only a credit card number? how about applying for a drivers license? a home loan? Not going to happen!

If someone steals your credit card number you are liable for up to $50 is most cases but banks today don't even charge you that for fear of loosing your business.

Myth 4: Credit card theft is a major problem today

However much my job relies on saying that credit card theft is a major problem, I'm going to explain why it's not. Credit card theft is a major problem to our financial system the same way Saddam Hussein was a major problem to our national security. It is and it isn't.

True, credit card theft undermines consumer confidence, raises the cost of credit card use, and is a scourge on our society. But what is the actual impact?

In 2004, illegal credit-card purchases totaled $788 million in the U.S., down from $882 million in 2003, according to Nilson Report, a trade publication. That represents just 4.7 cents for $100 worth of purchases, well down from a high of 15.7 cents in 1992. [via Business Week Asia]

Credit card fraud is still low and it's percentage actually stays the same or decreases as the number of credit cards issued increases. Yes, it's a problem but who does it impact? It affects the people who don't pay of their credit card(s) each month because the cost of fraudulent transactions is paid for by higher interest rates and more fees.

Compare credit card theft with that of check fraud and it's dwarfed the way that say, the number of deaths from terrorist attack is significantly less than the number of deaths from [poor] health related issues. But people would rather look at the "terrorist problem" instead of correcting the health issue. In the same way, it's easier to look at the credit card problem than that of corporate fraud because we can relate easier to a credit card.

Myth 5: Credit card theft is NOT a major problem today
After just explaining why it's not a problem let me tell you why it is. Individually credit card theft is not a problem as much as the lack of critical (consumer) infrastructure protection. If we look at the individual numbers behind fraud originating from credit card theft, industrial espionage, insider trading and phishing to name a few they don’t add up to a significant percentage. But cumulatively each of these things affects our financial systems. We need to respond to attacks such as those listed above to prevent them from getting larger. This is exactly the mentality the payment services (credit card) industry has taken on by creating the PCI standards. By creating an industry specific security compliance program they have proactively addressed the risks facing their industry and prevented government intervention (aka. mucking around.)

More on data security.

The red herring of data protection

ZDNet's Between the Lines (BTL) has a new take on data protection. Eric Norlin feels that all the data breaches of late will result is more security products and data protection legislation, but all that will result in nothing.

We're told the solution is better network security, better encryption, better corporate safeguards, and better "data protection." Of course, all of these "solutions" are a bit specious, as they're always accompanied by the corporate lawyer caveat, "we cannot guarantee that this won't happen again."

All of this will ultimately result in some bloated piece of federal legislation around "data privacy and protection" that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

They ask, "The real question to be asked is: Why do all of these corporations need to store all of this personal data in the first place?" And a good question it is but I don't think they fully understand the payment services (aka. credit card) industry. Yes, there are many places like CardSystems and many retailers that are storing your credit card (and other personal information) for longer than they should be. And yes, they are not encrypting this data or adequately protecting it. But often times the storage of this data is critical to doing business and fraud prevention. Credit card processing companies store the data for charge back purposes, they use it to run velocity tests, and sometimes for legal reasons.

The questions are:

1. How long should each company be storing the data?


2. Where is the data being stored? At the POS terminal? In a DMZ? On the internal network?


3. What's the data retention period of each data store?


4. How is each data store being protected? Is the data hashed, encrypted, truncated?

BTL recommends the solution is "federated identity and the identity metasystem." My instinct to hit someone and call it an involuntary twitch is held in check only by my interest in educating them instead. They say that:

Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction "portable" across heterogeneous security domains. In short, federated identity (whether it's SAML, Liberty Alliance or WS-Federation) is building the infrastructure necessary for identities to move around securely.

What they don't appear to understand is that (1) federated identity just means that your identity is now stored in multiple locations that all trust each other to some degree (and in my mind make it easier to compromise someone's identity) and (2) that federated identities do not answer the questions I outlined above concerning securing the data at rest.

At the end of the article the Editor discloses that Eric Norlin actually works for Ping Identity (an identity management system) and has been for "19 days after Andre Durand founded it"; however long that is.

I'm usually not this grumpy but I wish that people would understand that more legislation is not the solution and neither is federated identity or more security products.

I think that legislation such as as those prohibiting identity theft are good moves but not ones that try to expand GLBA and make it cover credit card transactions.

What we need are more industry consortiums such as Visa/MasterCard who create compliance programs specific to their industry yet grounded in best practice standards.

7 security mistakes companies make

ComputerWorld opinion by Peter H. Gregory:

1. Failure to realize that perimeter security is dead
2. Failure to protect laptop computers
3. Failure to institute effective change management
4. Failure to realize the importance of security awareness
5. Failure to implement a defense-in-depth strategy
6. Failure to take the spam and spyware threat seriously
7. Failure to implement a vulnerability management strategy

Other mistakes
Failure to get executive support for your security program.
Thinking that security is only a technology problem.
Failure to track key security metrics.
Failure to create and use a security incident response plan.

Computer passwords 'up for grabs'

Nothing new but the BBC is reminding us that we should take further measures to secure our passwords. One idea? Deploying 2-factor authentication or biometrics to all employees. Sounds costly? It is, but for many it's very much worth it to protect their data.

Half of IT managers employed by large-sized companies believe it would be relatively easy to gain the core passwords for their computer systems.

That is the warning of a survey by IT security firm Cyber-Ark. It said that 10% of firms never changed their central administrative passwords.

A further 5% did not even bother altering the manufacturer's default password that came with the system.

Worry. But Don't Stress Out

The New York Times has a NO FUD article on the recent computer break-ins:

Security experts acknowledge that while there will continue to be breaks in security, such a catastrophe is unlikely. Instead, they say, the threat is more insidious and gradual and involves more than just money, as other information like medical records are digitized and stored electronically.
"The long-term danger is extraction of self," Mr. Rotenberg said. "That others know more about you than you know about yourself."

Marc Rotenberg is executive director of the Electronic Privacy Information Center in Washington.

AT&T Plans CNN-style Security Channel

Slashdot says:

Infoworld has a story about AT&T's upcoming effort to create a CNN of network security. From the article: "Security experts at AT&T are about to take a page from CNN's playbook. Within the next year they will begin delivering a video streaming service that will carry Internet security news 24 hours a day, seven days a week, according to the executive in charge of AT&T Labs."

Identity Thieves Drain Unemployment Benefit Funds

Slashdot writes:

"According to a News.com.com article, the defrauding of state government unemployment benefit programs is the most underpublicized identity theft crime and the states are not doing much about it. Identity thieves are using stolen social security numbers to file false unemployment claims and collecting benefits because the states have no systems in place to deter fraud. In fact, it is easier to convert stolen identity data into money by filing false unemployment claims than going after the credit card companies." From the article: "File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you've made a quick $1.04 million. It's tough to make crime pay much better than that."

Indian Call Center Sells Personal Information

A call center in India sells personal banking information of UK residents. People will be outraged for all the wrong reasons. Schneir sums it up:

There was yet another incident where call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India.

I predict a spate of essays warning us of the security risks of offshore outsourcing. That's stupid; this has almost nothing to do with offshoring. It's no different than the Lembo case, and that happened in the safe and secure United States.

There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders, and that is mostly independent of outsourcing. Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders, but that's true regardless of who owns the call center or in what currency the salary is paid in. Yes, it's harder to prosecute across national boundaries, but the deterrence here is more contractual than criminal.

The problem here is people, not corporate or national boundaries.

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

Privacy Rights has a list of all public compromises since the ChoicePoint incident.
TOTAL: 49,635,830

The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers.

The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches, the only state in the nation to have such a law at this time. For more information on this law, see the following links:
www.privacyrights.org/ar/SecurityBreach.htm
www.privacy.ca.gov/recommendations/secbreach.pdf

According to the National Conference of State Legislatures, 32 states are considering security beach notification laws and many states are hoping to pass laws that enable residents to put a security freeze on their credit report:
www.ncsl.org/programs/lis/CIP/priv/breach.htm
www.ncsl.org/programs/banking/SecurityFreeze_2005.htm

In addition, U.S. Senator Dianne Feinstein has introduced a breach notice law (S. 751) at the federal level. For the full text of the bill, see http://thomas.loc.gov.

Cotse on Data Security

Cotse has a page (sorry no RSS) listing ">data security breaches worldwide.

News stories specifically focused on protecting the privacy of data or corporations who have not protected the privacy of your data. Some stories may be in other sections such as Data or ID Theft.

It's a nice list of data security breaches that you don't always see in the press. The lack of an RSS feed boggles my mind.

Dell Protects the Homeland (and TSA confiscates car keys)

Skippy says stupidity is rampant:

I purchased a Dell server today for work, through our account representative at Dell. At the end of the order process, just before confirmation, the Dell representative said: "Federal law requires that we ask what will this server be used for?"

I asked, incredulously, "Why the hell does the federal government care?" to which the Dell representative replied "PATRIOT Act."

I certainly feel a lot safer knowing that terrorist are on their honor to tell the truth when buying servers from Dell.

[via Schneier]

Update: TSA confiscates folding car key, calling it a "switchbalde"
[via BoingBoing]

(IN)SECURE Magazine issue 2 is available

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. It can be distributed only in the form of the original PDF document [PDF].

The covered topics are:

* Information security in campus and open environments
* Web applications worms - the next Internet infestation
* Integrating automated patch and vulnerability management into an enterprise-wide environment
* Advanced PHP security - vulnerability containment
* Protecting an organization’s public information
* Application security: the noveau blame game
* What you need to know before migrating your applications to the Web
* Clear cut cryptography
* How to lock down enterprise data with infrastructure services

[a Help Net Security publication]

High Costs of Hacking?

One fixture of computer break-in stories is the estimated cost of these crimes.

The Department of Justice report a data broker, spent more than $7 million to repair 139 remote attacks against its database by a hacker in Boca Raton, Fla. Warehouses have burned to cinders, and the damage has been valued at less. So are these figures hype?
These estimates "are fueled by another concern: criminal prosecution, including amounts for fines and restitution." Prosecutors tend to aim high, he says, while defendants argue for dismissing some of the costs.

Most Identity Theft Cases Never Get Resolved

Interesting to know...

The buzz among the bad guys: Most identity theft cases never get resolved. And for those who do get caught, the crime doesn't count as a strike under California's tough "three-strikes" sentencing law, and sentences tend to be light.

Fed Regulator Intervention or Industry Compliance Programs

MasterCard's press release responding to the CardSystems breach. They are also saying,

While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions. Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.

I think this is a bad idea for many reasons.

1. Government (aka. the Fed) compliance requirements are slow to change.
The NCUA reviews their data security requirements every 3 years. GLBA is vague and only mandates that you must "safeguard customer information". Section 505(a) specifies the safeguards should:

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

2. GLBA "requirements" are not applied consistently
Each financial institution is evaluated differently based on their regulatory examiner meaning a slightly different emphasis on what is "required". Additionally, each financial institution uses a different security consultant to perform their network review in preparation for the Fed's audit. These firms use different methodologies meaning different findings.

3. GLBA is not specific to the Payment Service or Personal Information Brokerage industries
Trying to stretch GLBA over other industries is alike to using a band-aid to close the patient after heart surgery. GLBA does not come close to the specific aspects of the Payment Services space such as: not storing track data, PIN codes, and track data; specifics to payment applications; data retention and more. Industry specific security compliance programs can address these specific requirements of each vertical and better secure their unique environments.

4. The government does not understand the specific security risks to each industry.
Try as they will, the government does not understand the specific risks to each industry. Sure we can talk in broad sweeping statements and say that planes should not fly over nuclear plants, but who knows the critical aspects of those power stations that can cause a failure? What parts need the most security and where are the weaknesses? Only industry professionals know these. Each industry should have an association (i.e. Visa, MasterCard) who understands the specific risks to that industry and can draft specific security compliance requirements that are based on industry best practices.

Underhanded C Contest

Schneier posts about and underhanded C contest. not to be confused with the obfuscated C contest, this is the only security-related programming contest I know.

The object is to write clear, readable C code with hidden malicious behavior; in other words, to hide evil stuff in code that passes visual inspection of source by other programmers.
This year's challenge: covert fingerprinting.

Security Alert Humor

Schneier blogged about a clever cartoon.

CardSystems: Shouldn't Have Kept Records

I missed this over the weekend but looks like another major credit card compromise. Forbes is already on Update 3:

The head of the credit card processing company whose computer system was breached by hackers, exposing millions of credit card accounts, has acknowledged that his firm should not have been keeping the consumer records in the first place.

The official, John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., said that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard, and other companies.

Thank goodness they were not one of the companies on the list of Visa approved service providers [PDF].

I was just telling one of my clients today that of all the requirements [PDF] composing the PCI data security standards the requirement for encryption is the most important. If CitiGroup had encrypted its "sensitive data" they would have saved face. When news broke of the backup tapes being lost, they could have told everyone it was a non-issue because the data was safely encrypted. Instead they suffered the full wrath of the media. (Which is becoming less and less as more of these incidents occur.)

Update: The company had an onsite assessment and the assessor supposedly signed off that they were not storing cardholder data. Oops.

Update: AP News Wire says,

Consequently, several experts said they doubt that CardSystems, which annually processes some $15 billion in transactions for more than 105,000 small to mid-sized businesses, is alone among card processors in being vulnerable to hackers.

I can guarantee you that they are not alone in this problem, which will get worse before it gets better.

Also, if there's one thing I can remind everyone it's that when someone tells you there is a need to fix security holes to achieve compliance, please do not disregard them. Just because you don't understand or like a certain compliance program does not mean you can ignore it. Please don’t think you know better and can ignore the problem.

I can guarantee, if I was trying to protect the nations critical infrastructure I would replicate this industry compliance program across a multitude of other industries.

Update: NYTimes has an article as well

Gartner lambasts security FUDmongers

According to Gartner, the five most over-hyped security threats are:

* Internet Protocol (IP) telephony is unsafe
* Mobile malware will cause widespread damage
* "Warhol Worms" will make the Internet unreliable for business traffic and virtual private networks (VPNs)
* Regulatory compliance equals security
* Wireless hot spots are unsafe

Although I agree that apples-to-apples, regulatory compliance != security, but that's for people living in a microscopic world. On a larger scale, regulatory compliance of all major industries and their third parties, based on best practice security standards, does equate to better overall security.

[via The Register]

Guy hacks himself

Seems everyone has been talking about this guy who hacked himself. This isn't another bio implant either.

So funny and popular it was translated (from German) into english, spanish, italian, and dutch.

Consumers clueless about IT security

vnunet.com writes that education is the key to securing the masses:

Despite a proliferation in internet use, consumer PC owners remain dangerously unaware of the threats posed by hackers and viruses.
A newly published report from Frost & Sullivan said that one of the main dangers for residential broadband is the existence of a static IP address, which hackers can use to infiltrate systems.

Uhm.. did we really need a study to tell us this? And they think somehow that a "static IP address" is terribly riskier than a dynamic one? Isn't it true that the majority of all broadband connections are on dynamic IP addresses and just as risky of compromise and remote control?

Motorola downplays data security breach

SecurityFocus says Motorola is downplaying their security breach:

A pair of computers containing personal information on Motorola workers stolen from the office of a third party contractor has sparked a minor security flap.

Do people care?

Bruce Schneier was right saying:

This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down.

This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won't be reported.

Let's blog about this and make sure people don't just ignore or forget it.

See what the Privacy Rights Clearinghouse has to say about the 4 million personal identities lost.

United Parcel Service in May picked up a box of tapes containing the information so it could deliver them to credit-reporting bureau Experian.
Bank of America, Wachovia, Time Warner, Boston College, and data brokers Choicepoint and LexisNexis also have compromised their customer's identity recently by losing sensitive data.

[via Wired]

Shred It!

SecurityFocus has an interesting article on document destruction, forensic recovery, and why you need to understand both!

The second worst thing you can do in the face of a government investigation is to destroy the documents relevant to that investigation. The worst thing you can do, of course, is to almost destroy these documents.

There is an axiom in the world of electronic documents and records -- "delete doesn't and restore won't."

Israel espionage case points to targeted attacks

MSNBC writes:

Israel is now reeling from what some are calling "Trojangate," a corporate scandal that has dominated news coverage there since it was revealed May 29. Already, there have been nearly 20 arrests. Published reports indicate mountains of documents have been stolen from dozens of top Israeli firms. Some 100 servers loaded with stolen data have been seized.

But the program used in Israel, now called "Rona" by anti-virus firms, takes a very different tactic. Before the Israeli investigation was revealed two weeks ago, no one in the security industry had a copy of Rona, so anti-spyware and anti-virus software didn't spot it.

The only reason authorities caught on, apparently, was jealousy. After initial confusion, Jackont suspected his computer was bugged. When police investigated Jackont's computer they say they found the "Rona" Trojan horse program and were able to trace it back to Haephrati, who now lives in Britain. The investigation quickly widened, however, as police uncovered scores of other bugged computers. In addition to what reads like a who's who of Israel's telecom industry, victims included the local divisions of Hewlett-Packard and the Ace hardware chain.

Gindin said the attackers were clever — they apparently send CD-ROMs with business proposals to the target firms. Once the CDs were loaded, the Trojan horse was secretly installed.

Gartner IDs 'Over-Hyped' Security Threats

Over-hyped security threats have made companies unnecessarily hesitant to roll out new technologies, such as Internet telephony and wireless networks, a research firm said Wednesday.

"Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Gartner analyst Lawrence Orans said in a statement. "For these enterprises, the benefits of IP telephony far outweigh any security risks."

[Thanks InformationWeek]

Update: Not everyone thinks VoIP is a huge risk as it's being displayed in the news. Even one Gartner executive is saying, "current warnings about security problems are ahead of actual attacks."
Eric Marvets agrees
, "The threat is not "greatly exaggerated." It is a very real risk and if that is important to you, then you should take steps to mitigate it."

Tokyo's Geek Ghetto

Slashdot reports:

The Washington Post is running a story on Tokyo's "Geek Ghetto" which has arisen in the city's electronics retail district, "Electric Town." From the article: "We have been discriminated against for being different, but now we have come together and turned this neighborhood into a place of our own.... In Akihabara, we don't need to be ashamed of who we are and what we like.... We can feel comfortable because here, we outnumber everyone else." There are concerns, however, that the total immersion in escapist culture may be causing social problems, including a growing number of shut-ins.

World's Biggest Hacker Held

The London Evening Standard is reporting that the "worlds biggest computer hacker" has been arrested in London. Gary McKinnon, 39, was seized by the Met's extradition unit at his Wood Green home. The unemployed former computer engineer is accused of causing the US government $1billion of damage by breaking into its most secure computers at the Pentagon and Nasa. He is likely to be extradited to America to face eight counts of computer crime in 14 states and could be jailed for 70 years. Apparently he broke into US military computers to hunt for evidence of a UFO cover-up.

(Thanks /.)

From Boing Boing: Link to CNN story. Case background on findlaw here [PDF]

Boing Boing reader comment: James says, "Did you notice that in the PDF supporting the McKinnon story the IP addresses of the .mil systems are just covered by the black boxes – you can still copy and paste the text out. (None of them seem to be connected but still slack)."

Update: This story complete spin says ZDNet UK.

As a report from analyst Gartner this week claims, most security threats are over-hyped; the real problem lies with IT systems not being installed correctly: "Two out of three successful external attacks are due to mis-configured systems", the group claims. "The problems were mainly to do with people and processes rather than IT."

How Do I Get My Company To Take Security Seriously?

Eric Marvets of The Security Samurai writes an interesting article about how to understand the business of selling security to your boss or upper management. It's not for the vendor sales person, but how you, as a security professional, can understand and leverage the way that security is viewed and the spin surrounding it.

I love analogies and he has a good one here:

I found a paper here called "Unsettling Parallels Between Security and the Environment". While I don’t agree with some of his theories (minor disagreements really), he does make some interesting points. In ecology, there are two schools of thought. One constantly promotes an agenda (global warming is bad, we will run out of coal in 25 years, the rainforests are disappearing, etc.) while the says these fears are unfounded by any reasonable timeline and we should instead be looking at more important things like providing clean drinking water to 3rd world countries. In the absence of scientific data, what would normally be considered urban myths are repeated enough to become facts and speaking out against them becomes politically incorrect.

His main theory is that in terms of dollars, we spend enough money if not too much on security, we just do it improperly.

Channel 9 has new Patterns and Practices Security Wiki

The PAG team has a new security wiki up on Channel 9. Check it out here:

Welcome to the patterns & practices Security Wiki

Welcome to the patterns & practices Security Wiki. This is where we think out loud. Here youll find emerging practices, guidance for application scenarios, security engineering, threat modeling, technical guidance and more. Were looking for your experience, input and feedback to make this a useful resource for application security.

(Thanks Brianjo)

Gartner says Firewalls and IDS built into Routers by 2008

SearchSecurity.com reports on this week's Gartner IT Security Summit.

Gartner predicts that by 2008, carriers like AT&T, Verizon, MCI and others will operationalize security functions like firewalls and intrusion detection into routers and switches, leaving enterprises to concentrate on identity and access management and other security duties away from the perimeter. By extending security to the Internet cloud, denial-of-service attacks, for example, never reach the gateway.

Mainframe hackers in short supply

Cory Doctorow of Boing Boing writes that the mainframe business shows no sign of declining, despite the low cost and high power of commodity PC hardware. The problem? "All the old mainframe jocks are dying or retiring, leaving mainframe-dependents businesses without enough techs."

Companies need to better understand how to compensate for diminishing mainframe skills. Systems that offer heterogeneous management across mixed environments can eliminate the complexities traditionally associated with managing the mainframe. That makes it possible to work across both mainframe and distributed environments, regardless of one's database knowledge.
But time is slipping away. We are at a critical junction, as mainframe talent is quickly disappearing. Converting data from these systems requires a significant amount of time and a substantial monetary commitment. Often, such conversion is just not a viable option.

This poses an interesting issue because regulatory guidelines have also stayed away from the mainframe arena primarily because they don't understand it. Most regulators/examiners are trained by the auditors or other specialist consultants. If the bright young consultants are coming out of school having never used an AS/400 they will not teach the examiners who will in turn not write requirements for these systems.

It's not until we see this as a high risk area (read: a few high profile mainframes get hacked) that you will see much in regulating or securing mainframes. I'm sure by saying this I'm causing all the RACF [PDF] security junkies to have a hernia but it's true.

Perceptions and Realities of Common Security Threats

eGov monitor writes that Elaine Axby of Quocirca presents the findings from its IT security survey [PDF] which compares the perceptions and realities of common security threats in today's world. A copy of the report is available to download from this page.

Highlights:

Security understanding is still victim to the fear factor
In this post downturn age of IT, we would hope that security understanding replicates the increased drive we see towards IT efficiency and effectiveness. However, there is considerable evidence that psychological factors are still as important as they ever were. For example, companies that suffered a security attack in the recent past are significantly more aware that they might suffer a similar attack in the future. Meanwhile, newer threats such as Spyware are – incorrectly – not yet seen as high risk.
Security threats are being hyped above those of unscheduled downtime
Roughly three times as many respondents had experienced unscheduled downtime due to software or hardware failure, compared to downtime due to security issues. We should not downplay the issues caused by security, indeed, some system failures may be caused by security problems without it being that obvious. However, companies should be treating downtime in the round.

Accuracy of Commercial Data Brokers

Bruce Schneier is at it again, digging for details in personal privacy. In his recent post he interviews Deborah Pierce, the Executive Director of PrivacyActivism, and discusses the most recent research.

PrivacyActivism has released a study of ChoicePoint and Acxiom, two of the U.S.'s largest data brokers. The study looks at accuracy of information and responsiveness to requests for reports.

From the press release:

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it.

Personal Data for 3.9 Million Lost in Transit

NYTimes is reporting:

In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since.

The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division.

The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised.

It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information - ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley.

* International Herald Tribune (via NYTimes)
* Associated Press
* ABC News (includes video)
* MSNBC

Bruce Schneier is quoted on MSNBC saying, "the public shaming effect is less and less as more and more people do it."

Customers who are concerned about identity theft should visit the local CitiFinancial branch, or call 866-452-2484.

KGB successor wants Great Firewall of Russia

Cory Doctorow of Boing Boing writes: The Russian successor to the KGB is considering a system for broad-scale Internet censorship (a la China) in order to forestall the Internet's use in political organizing, as in the Ukraine and elsewhere.

"If such attempts will be successful," he says, "if the Security Service will really carry out actions to control the internet, to block unfavourable internet sources, this will set Russia back many years in the sense of civil society."

Russia's already been widely criticised for winding back on democracy. The Kremlin controls most broadcast media, the Judiciary and the Parliament. Controlling the internet would be another sign that those in power won't brook any challenges.

How the Secret Service Busted ShadowCrew

Slaskdot writes:

In the story Hacker Hunters, BusinessWeek Online documents how the Secret Service turned a member of the ShadowCrew and was able to arrest dozens of the members of the phishing ring. From the article: 'Law enforcement officials are often loath to reveal details of their operations, but the Secret Service and Justice Dept. wanted to publicize a still-rare victory. So they agreed to reveal the inner dynamics of their cat-and-mouse chase to BusinessWeek. The case provides a window into the arcane culture of cybercriminals and the methods of their pursuers.'
...
The operation was quite sophisticated. Mantovani, who used the handle "ThnkYouPleaseDie," and Appleyard, who went by "BlackBagTricks" as well as "Black Ops," were the "administrators," according to the government's indictment. They were in charge of strategic planning, determined which ShadowCrew aspirants got access to the Web site, and collected payments from participants to keep it running. "Moderators" hosted online forums where gang members could share tips for making fake IDs or ask questions about creating credible phishing e-mail. Below them were "reviewers," who vetted stolen information such as credit-card numbers for quality and value. The largest group, the "vendors," sold the goods to other gang members, often in online auctions. Speed was essential, since credit-card numbers had to be used quickly before they were canceled.

Nice read! Next target? The HangUp Team.

Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. in Atlanta.

'Unhackable' network draws nearer

I dislike it when people talk about things in terms of impossible, unbelievable, or unhackable, because as the old MIT axiom goes, 'nothing is impossible, the impossible just takes longer.'

Scientists have moved one step closer to the "unhackable" network by developing a device that can send single photons in a regular stream over a fiber optic link.

The weakness in their idea of security is not in the photos or cryptography, but in the applications that reside on the computer and the users who access them.

People love saying "cyber terrorist"

People are in love with the risqué' side of computer security. They love to use words like "cyber security", "terrorism", and "criminal mastermind". I have even caught myself talking about "critical infrastructure protection".

In this article on script-kid terrorists they discuss how Robert Graham, chief scientist with Internet Security Systems, is prompting computer security specialists to re-examine the notion of the cyber terrorist. The thing is folks, there are bad guys out there who want to do damage to your systems. They are funded by government entities or committing industrial espionage, but they are not the greatest risk.

The greatest risk to the security of computer systems comes from insiders and the persistent hackers tapping every nook and cranny of the Internet until they find a hole.

What they are not afraid of enough is 15-year-old kids. The kids that say: "What can I do? I'll just break into that computer there, and then that one and that one."

The article nails it dead on by saying:

What's the chance that a hacker coming after me will succeed? It's low, but what's the chance that a million kids going after anyone they can find can succeed? It's actually rather high.

For a terrorist with a specific goal in mind it's very tough, but for a kid looking around to see whatever he can find, it's actually very easy.

So now you can go home, protect your systems, and say things like SCADA without having to worry about me hitting you with a reality-stick.

Security Action Plans

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats.

To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.

Employee Training & Education Can Mitigate Threats

My first reaction to this article is, "well, duh!"
My second reaction to this article is, "please have everyone read this over and over and over!"

Because no matter how many times we say it, people are the core of security. CIOs can set strategy, CISOs can set policy, CFOs can authorize funds, IT managers can made security decisions, and security administrators can implement all the security hardware, software, and great gizmos they want but it's the end user that decides if your network is secure or not. And you can quote me on that!

Edgar Danielyan, author of "Solaris 8 Security" and the "Information Security Qualifications Handbook," says:

“I have found that the carrot and stick approach works best, although it may sound quite cynical. Staff should be encouraged and rewarded for thinking about security, but they also should know that negligence would not be tolerated. It all comes down to whether lip service is being paid or the management really cares...

Security barometer survey - research paper

The Register has an article on Security barometer survey results. This is their monthly reader survey on security and it's very interesting. The full report is available here, with a supplementary slideset available here (both PDF).

CIA war game simulates major Internet attack

ComputerWorld reports a simulated attack. "Silent Horizon, the three-day unclassified exercise is based on a scenario set five years in the future and involves participants from government and the private sector."

To this I question the ability of anyone (even the government) to predict the type and scale of attack that will be popularized in five years. Even today with compliance as tight as it is, attackers are getting in through unprotected third parties, spyware, and keyloggers just to name a few attack vectors.

I'm very curious what they used as attack simulations. Did they try a direct attack? How do you simulate connected third parties? How to do you simulate the un-(security)-educated employee? How do you simulate an employee stealing corporate secrets or planting a virus on the inside? This sounds more like a good topic for a graduate thesis than a government simulation.

There are NO Terrorist Cybersecurity Masterminds

People talk about cybersecurity like its a direct reflection of the risks facing out physical systems but its not. The closest thing to the massive cyber attacks were small skirmishes between Korea and China several years back. The problem is that it's very hard to cause massive failures in the Internet. The closest thing a would be attacker can hope for is a situation where a physical system is controlled by computers that they can then infect/effect.

The computer systems that control our critical infrastructure are these systems. But what are the real risks here? For the Banking/Finance critical infrastructure protection (CIP) we must first be able to stem the rising credit card fraud and identity theft. To do this we need to secure all of our systems. That's right, we need to stop kids from breaking into point of sale (POS) terminals and stealing credit card numbers, stop kids from social engineering their way into T-Mobile and LexisNexis, stop kids from finding their way into consumer databases containing thousands of personal records, stop insiders from pilfering massive amounts of consumer data. These are not terrorist masterminds! They are kids and insiders and yes international organized crime is involved but even they are no more a threat than Jane Doe you hire to work in your payroll department.

The largest U.S. bankign security breach was done by insiders printing off sensitive information and selling it to a third party. They didn't walk in with a USB-token and snarf your entire database. They PRINTED it!

Let's start looking at the basics and control access to personal data before we get worried about electronic Pearl Harbor.

Lazy Boy - TV album:

Masterminds are another word that comes up all the time.
You keep hearing about these terrorists masterminds that get killed in the middle east.
Terrorists masterminds.
Mastermind is sort of a lofty way to describe what these guys do, don’t you think?
They’re not masterminds.
“OK, you take bomb, right? And you put in your backpack. And you get on bus and you blow yourself up. Alright?”
“Why do I have to blow myself up? Why can’t I just…”
“Who’s the fucking mastermind here? Me or you?”

Americans, let’s face it: We’ve been a spoiled country for a long time.
Do you know what the number one health risk in America is?
Obesity. They say we’re in the middle of an obesity epidemic.
An epidemic like it is polio. Like we’ll be telling our grand kids about it one day.
The Great Obesity Epidemic of 2004.
“How’d you get through it grandpa?”
“Oh, it was horrible Johnny, there was cheesecake and pork chops everywhere.”

Identity theft getting more sophisticated, more profitable

It is the hot crime of the 21st century - and YOU are the target.

Sophisticated super-hackers teenage hackers and organized crime are turning identity theft into a multi-billion-dollar criminal enterprise, plundering data about ordinary people from alumni directories, ATM machines, credit cards, tax returns and myriad other sources.

The massive scams are costing American businesses and consumers more than $47 billion a year, according to the Federal Trade Commission.

Nearly 10 million American identities are hijacked a year, with more stolen worldwide, according to the FTC.

UC Berkeley security blog

Several researchers at UC Berkeley have started the Usable Security weblog with the tag line of "Every system has a user."

Businesses Suffer From Lack of Security Awareness

The IT Observer writes, a new information security study highlights the following topics:

* over 50 percent of businesses do not have written IT security policies,
* two percent have no plans to implement security awareness training for their employees,
* 66 percent have no plans to hire IT security personnel in the next year,
* 27 percent require IT security training,
* 80 percent blame “Human Error” for security breaches,
* 89 percent believe that major security breaches have been reduced as a result of IT security training and certification.

Well thank goodness! Those hackers were a little worried about all the security readiness but now we know there is still hope for even the most inexperienced of hackers. ;P

Do you know what your password is?

ArsTechnica asks, Do you know what your password is?

The age old debate: you have a million-and-one passwords should you write them down or use a single common password? Jesper Johansson, a senior manager for Microsoft's security policy program, today told delegates at AusCERT that they should instead be telling users to write their passwords down. Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Thoughts?

I say writing down passwords is still worse than using one common one in your head. From a penetration testing perspective can some other chime in on what they think is best?

HS Students Steal SSNs to Prove They Can

Slashdot says, "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

Information security is about to take on a whole new meaning. In the next year or two identity theft is going to take off and the lay person will have it on their radar.

The Security Samurai

Robert Scoble mentioned a new security blog The Security Samurai by Eric Marvets. Check out the security blogs he follows.

Students find personal data easily available

A class of 41 graduate students in a computer security course at Johns Hopkins University in Baltimore, MD, worked on a project finding personal information on the Internet, and proved what privacy advocates have been saying for years -- all it takes to obtain reams of personal data is Internet access, a few dollars and some spare time.

Working with a strict requirement to use only legal, public sources of information, groups of three to four students set out to vacuum up not just tidbits on citizens of Baltimore, but whole databases: death records, property tax information, campaign donations, and occupational license registries. They then cleaned and linked the databases they had collected, making it possible to enter a single name and generate multiple layers of information on individuals. Each group could spend no more than $50.

The Johns Hopkins project was conceived by Aviel D. Rubin, a professor of computer science and the technical director of the Information Security Institute at the university. He has used his graduate courses before to expose weaknesses in electronic voting technology and other aspects of a society that is increasingly dependent on - and at the mercy of - digital technology. "My expectations were that they would be able to find a lot of information, and in fact they did," he said.

Several groups managed to gather well over a million records, with hundreds of thousands of individuals represented in each database.

* NYTimes (use BugMeNot Mozilla plug-in for logging in)

Fearmongering About Bot Networks

Bruce Schneier reminds us all that media, spin, and politics control what people think, not reality. Those who choose reality over theatrical production will loose out in the end.

Bot networks are a serious security problem, but this is ridiculous. From the Independent:

The PC in your home could be part of a complex international terrorist network. Without you realising it, your computer could be helping to launder millions of pounds, attacking companies' websites or cracking confidential government codes.

This is not the stuff of science fiction or a conspiracy theory from a paranoid mind, but a warning from one of the world's most-respected experts on computer crime. Dr Peter Tippett is chief technology officer at Cybertrust, a US computer security company, and a senior adviser on the issue to President George Bush. His warning is stark: criminals and terrorists are hijacking home PCs over the internet, creating "bot" computers to carry out illegal activities.

Why the World Is Flat

Wired has a good interview with Thomas Friedman, foreign affairs columnist for The New York Times and author of the new book The World Is Flat: A Brief History of the Twenty-First Century. It's not immediately visible the relation between foreign policy and information security but it should be.

Thomas's previous book (1999), The Lexus and the Olive Tree: Understanding Globalization showed the how indeed everything is interconnected. In this book he shows how the technology, financial markets, and world trade of all nations are connected and interrelated. So to are the security of businesses and corporations. You can no longer build "good enough" security; now you have to worry about what your neighbors are doing, because if their security is one step above yours we all know where the attackers will strike first.

Information security, like globalization, is one vast interrelated mesh of paths and connections. Much like neurons in the brain, the information we are sworn to protect is eternally connected -- and thus eternally at risk.

Nietzsche stated this principle of Eternal Recurrence:

The central concept of Thus Spoke Zarathustra, which is only touched upon in this work. The eternal recurrence concerns a recognition that everything is connected and nothing is permanent, and that if one says "yes" to one thing in the universe, one must necessarily then be saying "yes" to everything. Nietzsche's ideal is the person who has the strength and courage for this universal affirmation.

While Dan Farmer was at Sun Microsystems he wrote a paper titled Improving the Security of Your Site by Breaking Into it. This received a mixed reception in the security community but today is a historical must read. It eventually (and unknowingly) gave birth to the debate over full disclosure of vulnerabilities and exploits. But the lesson here is not one of juvenile vandalism but never ending curiosity. Everyone should be a hacker. I was at Defcon VI many years ago with my girlfriend (oh yes, the envy of every attendee) and this guy asked us what we hacked. I said I was a generalist and my girlfriend said she didn't hack anything, that she was just there for fun. He insisted that everyone hacks something and it didn't have to be computers. This is a lesson to be learned by all people but especially the CEO. Staying ever vigilant and innovative is their eternal goal, but isn't that just corporate hacking? Dan Farmer said that in order to know your security, you have to start by tearing it down yourself. In the same way, CEOs today have to be hackers. They have to be able to sit in a board room and encourage their top people to throw out ideas and encourage others to tear them to shreds. Whatever is left of an idea is probably very good and innovative.

CSOs need to do the same thing with their security systems. They need to be innovative in the way that they simulate attacks against their own systems. Simply following best practices is not sufficient to protect against real world attacks because hackers don't follow the best practice guidelines. You don't hear many stories about guys saying, "Dude, you can't call up their employees and lie about working for their IT department just to get their uneducated employees to run some malicious code. That's not a best practice." Yet this is the reality of the world around us.

Earlier I spoke about the interconnectedness of everything and the security implications of that. What if everyone followed these best practice guidelines? What if, now here's the tricky part, what if everyone did the things you have been telling them to for years on improving the security of their systems? Would hackers shake their fists in anger and quit their trade to become productive members of society? NO! They would simply and quickly find another attack vector. In fact they are so good and doing this that they are usually one step ahead of the defenders. If all we ever do is follow best practice guidelines and everyone can attain the same level of best practice security then who gets hacked? It's the one who has only slightly worst security than the guy next to them. Who you might ask is that? Well, in the digital world everyone is the guy next to you because there are no boundaries. There are no walls that divide us (especially with the proliferation of wireless networks -- bringing into the physical world what the virtual world has long known.)

ZabaSearch, latest is personal search

Ok, I have to blog about it (because it's every[fucking]where) but I'll make it short. ZabaSearch, is the latest in stalker technology.

ZabaSearch is a new search engine for finding the unlisted numbers of celebrities, as well as their addresses and satellite pictures of their homes. Trouble is, you're in there too. Is ZabaSearch an invasion of privacy? Xeni Jardin quizzes the site's founders.

U.S. Government Issues Report on VoIP Security Holes

Slashdot reports:

"PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report [PDF] on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

Lessons of the ChoicePoint Theft

Nice essay about the implications of the ChoicePoint data theft (and all the other data thefts, losses, and disclosures making headlines).

Emergence of a Global Infrastructure for Mass Registration and Surveillance

Bruce blogs: The International Campaign Against Mass Surveillance has issued a report (dated April 2005): "The Emergence of a Global Infrastructure for Mass Registration and Surveillance." It's a chilling assessment of the current international trends towards global surveillance. Most of it you will have seen before, although it's good to have everything in one place. I am particularly pleased that the report explicitly states that these measures do not make us any safer, but only create the illusion of security.

The global surveillance initiatives that governments have embarked upon do not make us more secure. They create only the illusion of security.

Sifting through an ocean of information with a net of bias and faulty logic, they yield outrageous numbers of false positives ­ and false negatives. The dragnet approach might make the public feel that something is being done, but the dragnet is easily circumvented by determined terrorists who are either not known to authorities, or who use identity theft to evade them.

For the statistically large number of people that will be wrongly identified or wrongly assessed as a risk under the system, the consequences can be dire.

At the same time, the democratic institutions and protections, which would be the safeguards of individuals’ personal security, are being weakened. And national sovereignty and the ability of national governments to protect citizens against the actions of other states (when they are willing) are being compromised as security functions become more and more deeply integrated.

The global surveillance dragnet diverts crucial resources and efforts away from the kind of investments that would make people safer. What is required is good information about specific threats, not crude racial profiling and useless information on the nearly 100 percent of the population that poses no threat whatsoever.

The PITAC Report on CyberSecurity (summary)

Bruce summarizes the PITAC report:

I finally got around to reading the President's Information Technology Advisory Committee (PITAC) report entitled "Cyber Security: A Crisis of Prioritization" (dated February 2005). The report [PDF] looks at the current state of federal involvement in cybersecurity research, and makes recommendations for the future. It's a good report, and one which the administration would do well to listen to.

The report's recommendations are based on two observations. The observations are that 1) cybersecurity research is primarily focused on current threats, and not long-term threats, and 2) there simply aren't enough cybersecurity researchers, and no good mechanism for producing them. The federal government isn't doing enough to foster cybersecurity research, and the effects of this shortfall will be felt more in the long term than the short term.

To remedy this problem, the report makes four specific recommendations (in much more detail than I summarize here). One, the government needs to increase funding for basic cybersecurity research. Two, the government needs to increase the number of researchers working in cybersecurity. Three, the government need to better foster the transfer of technology from research to product development. And four, the government needs to improve its own cybersecurity coordination and oversight. Four good recommendations.

More specifically, the report lists ten technologies that need more research. They are (not in any priority order):

1. Authentication Technologies
2. Secure Fundamental Protocols
3. Secure Software Engineering and Software Assurance
4. Holistic System Security
5. Monitoring and Detection
6. Mitigation and Recovery Methodologies
7. Cyber Forensics
8. Modeling and Testbeds for New Technologies
9. Metrics, Benchmarks, and Best Practices
10. Non-Technology Issues that Can Compromise Cyber Security

It's a good list, and I am especially pleased to see the tenth item -- one that is usually forgotten. I would add something on the order of "Dynamic Cyber Security Systems" -- I think we need serious basic research in how systems should react to new threats and how to update the security of already fielded system -- but that's all I would change.

The report itself is a bit repetitive, but it's definitely worth skimming.

Phishing and Pharming to Keylogging

From Pfishing to Pfarming: The Top Five Spam Scams

Phishers turn their aim on corporate networks

Please be aware these are now old-school attacks. If you want to keep up with the Joneses keep your eye on keyloggers!

Security Trade-Offs

Schneier is at it again, blogging about the simple realities of the world. An essay by an anonymous CSO. This is how it begins:

On any given day, we CSOs come to work facing a multitude of security risks. They range from a sophisticated hacker breaching the network to a common thug picking a lock on the loading dock and making off with company property. Each of these scenarios has a probability of occurring and a payout (in this case, a cost to the company) should it actually occur. To guard against these risks, we have a finite budget of resources in the way of time, personnel, money and equipment—poker chips, if you will.

If we're good gamblers, we put those chips where there is the highest probability of winning a high payout. In other words, we guard against risks that are most likely to occur and that, if they do occur, will cost the company the most money. We could always be better, but as CSOs, I think we're getting pretty good at this process. So lately I've been wondering—as I watch spending on national security continue to skyrocket, with diminishing marginal returns—why we as a nation can't apply this same logic to national security spending. If we did this, the war on terrorism would look a lot different. In fact, it might even be over.

and more!

Or what about the other top 10 cause of death: accidents? Consisting primarily of automobile accidents and work-related deaths, accidents amounted to more than 100,000 deaths in 2001. In fact, more people were killed in motor vehicle accidents each month in the year 2001 (and still are) than were killed in the 9/11 attacks. Could more lives have been saved if those billions of dollars had been spent increasing automobile and traffic safety?

ending with...

Former Vermont Sen. George Aiken reportedly gave some now-famous advise to Lyndon Johnson during the Vietnam War. He told him, "Just declare victory and go home." It's time we did the same on terrorism. The sooner we stop spending more and more on security and start applying to other, more serious threats, the better off this country will be.

"The whole thing is worth reading."
You tell 'em Bruce! But while reading the 'anonymous' article, I wonder if this is really Bruce writting it. Is he blogging himself??

It frustrates me that so many people are so ill informed. This kind of rationale just does not occur to the general population, to who decisions are ruled by fear, uncertainty, and doubt. As a nation we already spend more on national security than the next 10 nations combined!

On any given day, we CSOs come to work facing a multitude of security risks. They range from a sophisticated hacker breaching the network to a common thug picking a lock on the loading dock and making off with company property. Each of these scenarios has a probability of occurring and a payout (in this case, a cost to the company) should it actually occur. To guard against these risks, we have a finite budget of resources in the way of time, personnel, money and equipment—poker chips, if you will.

If we're good gamblers, we put those chips where there is the highest probability of winning a high payout. In other words, we guard against risks that are most likely to occur and that, if they do occur, will cost the company the most money. We could always be better, but as CSOs, I think we're getting pretty good at this process. So lately I've been wondering—as I watch spending on national security continue to skyrocket, with diminishing marginal returns—why we as a nation can't apply this same logic to national security spending. If we did this, the war on terrorism would look a lot different. In fact, it might even be over.

Let's assume, first of all, that the ultimate goal of security is to prevent the loss of lives. In this risk management approach, then, the first thing to look at is the leading causes of death in the United States. The total number of deaths from all attacks on Sept. 11, 2001, was approximately 2,988, according to the National Center for Health Statistics. The top 10 causes of other deaths in the United States in 2001 were the following.

1. Heart disease: 700,142

2. Cancer: 553,768

3. Stroke: 163,538

4. Chronic lower respiratory disease: 123,013

5. Accidents: 101,537

6. Diabetes: 71,372

7. Pneumonia/flu: 62,034

8. Alzheimer's disease: 53,852

9. Kidney disease: 39,480

10. Suicide: 30,622

The 9/11 deaths were classified within a category called assaults/homicides, which was the 13th leading cause of death at 20,308.

The next thing to look at is spending. As I write this article, the president has just released his proposed federal budget for fiscal year 2006. The projected budget for the Department of Defense is $419.3 billion, and the projected budget for the Department of Homeland Security is $34.2 billion. Since 2001, defense spending has risen by more than 40 percent, and the Department of Homeland Security budget has roughly tripled. But even those billions of dollars fail to tell the whole story. Other agencies, such as the U.S. Department of Justice and the Department of Transportation, also spend money in pursuit of homeland security. The Department of Energy spends money on nuclear weapons' activities. And since 2001, Congress has approved billions of dollars for military and reconstruction costs in Iraq and Afghanistan that are not included as part of the Defense budget.

To be sure, there has not been another terrorist attack in the United States since 2001, so presumably all that additional money has prevented other lives from being taken because of terrorism. But what about the other leading causes of death? Could the money spent on additional defense and homeland security have saved more lives if it had been applied in other areas?

For example, eight of the top 10 causes of death are health-related. If one classifies suicide as a mental health problem, then nine of the top 10 causes of death are health-related. Could those billions of dollars have saved more lives if they had been spent on health research or on making health care available to a larger percentage of the population?

Or what about the other top 10 cause of death: accidents? Consisting primarily of automobile accidents and work-related deaths, accidents amounted to more than 100,000 deaths in 2001. In fact, more people were killed in motor vehicle accidents each month in the year 2001 (and still are) than were killed in the 9/11 attacks. Could more lives have been saved if those billions of dollars had been spent increasing automobile and traffic safety?

Probably. But, you might ask, what about the costs of another successful terrorist attack? Another terrorist attack using say, a nuclear device, could result in hundreds of thousands or maybe even millions of deaths—not to mention having a catastrophic effect on the nation's economy and environment. That's true. But ask yourself this question: Have the billions of dollars spent on additional security since 9/11 made this kind of attack impossible? We inspect less than 3 percent of the cargo containers coming into this country. It would be catastrophic if just one of the 97 percent that aren't checked made it through with a nuclear device. Or what about the possibility of a terrorist sailing a vessel with a nuclear device on board into the harbor of New York City, San Francisco or New Orleans, or any other port city? All the money in the U.S. Treasury might not be enough to prevent that from happening.

Security Has Its Limits
By raising these questions, I'm not trying to disparage the memories of those killed in the 9/11 attacks. I was at the base of the South Tower of the World Trade Center when it collapsed, and it is only by the grace of God that I was not listed among the dead. But as security professionals, we should be the first to face facts about the limitations of the very processes we advocate.

Spending hundreds of billions of dollars on increased security is not going to bring back the victims of 9/11, and it isn't going to improve by very much our already heightened vigilance against terrorism. Haven't we already captured two-thirds of the al-Qaida leadership? Haven't we already overthrown the Taliban and Saddam Hussein and made fledgling democracies out of Afghanistan and Iraq? As a nation, don't we already spend more on national security than the next 10 nations combined?

Yes, there are terrorists still out there in the world, but I've got news for you: There have always been terrorists in the world, and there always will be—no matter how much money we spend fighting them. In economics, there is something called the law of diminishing marginal returns, which dictates that, at some point, spending additional dollars no longer gains you as much improvement. As a nation, we have certainly reached that point with spending on security.

Sure, my natural inclination as a CSO is to believe that if some security is good, then more security is better. But logically, I can't help but think that it's time for us to turn our attention to other types of threats. There is no end to them. Deteriorating educational performance, a declining manufacturing base and a lack of medical coverage for millions of Americans are but a few of the threats facing this nation. These issues are now far more likely to cause significant damage to the future health, safety and welfare of Americans than a crippled al-Qaida hiding in the bowels of the mountains of Afghanistan.

If you don't want to spend money on those problems, fine. Save it instead. The U.S. Federal budget deficit is at a historic high. The nonpartisan Government Accountability Office recently released a study showing federal budget projections through the year 2040. The study assumed that discretionary spending grows with the economy and all expiring tax cuts are extended. The result is that, even adjusted for inflation, in the year 2040, the federal government will be spending as much of the national GDP (about 20 percent) on making interest payments on the debt as it currently does for the entire federal budget. If the growth of government continues at current rates, then by the year 2040, the total federal budget, including those interest payments, will absorb almost 45 percent of the national GDP. The money we spend fighting terrorism could be used to reduce the budget deficit and prevent future economic problems instead.

A Job for the CSO
My point is this: We CSOs know how to best allocate available resources to guard against the most likely threats. We have expertise in knowing where the government should be putting its poker chips. We should be vocal about the need to apply the same logic to our nation's security that we apply to our everyday jobs as security officers—even though advocating for less security may at times be in conflict with the best interests of our profession (just as this approach is perhaps not in the best interest of a politician looking to get reelected). Some readers of this magazine are part of the Defense and Homeland Security establishments or are helping to shape their budgets and agendas. For those people—and for the rest of us too—I would say the time has come to turn the corner on 9/11 and look to the future.

Instead of increasing Defense and Homeland Security spending, the money spent in these areas should now be reduced and the money used to fight other threats to the future of this country. This doesn't mean letting al-Qaida reconstitute as a serious threat. But it certainly doesn't require hundreds of billions of dollars in additional funding to continue that fight against a seriously crippled terrorist organization.

Former Vermont Sen. George Aiken reportedly gave some now-famous advise to Lyndon Johnson during the Vietnam War. He told him, "Just declare victory and go home." It's time we did the same on terrorism. The sooner we stop spending more and more on security and start applying to other, more serious threats, the better off this country will be.

IRS Flaws Expose Taxpayers to Snooping, Study Finds

Computer-security flaws at the U.S. tax-collection agency expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released on Monday. The report was released three days after the deadline for filing personal income-tax returns, and at a time when concerns about identity theft and computer security are running high.

Editor's Note:
Any consumer data agregation hub is a primary target to attackers. Banks, credit card and information brokers, IRS, credit bureaus, associations, etc. We need to classify these data processors by the informaiton they store and then ask them the following questions:

• Where sensitive information is stored (electronic or paper)
• What information is stored there
• How long is it stored or retained
• How is the information secured in its location (encrypted, file permissions, etc)

LexisNexis and ChoicePoint Admit They Concealed Previous Breaches

LexisNexis, the data broker that last month notified 32,000 people that their personal data had been stolen from company-owned databases, now admits that a total of 310,000 people had their data stolen. The company's databases were breached nearly 60 times over the course of the past two years. At Senate Judiciary Committee hearings last week, both LexisNexis and ChoicePoint admitted to having deliberately concealed data breaches in the past because no law required them to come forward and notify those affected.
* Reuters
* The Register (UK)

[Editor's Note (Schultz): Whatever happened to ethics in the business world? So there was no law requiring these companies to report the personal data compromises--people whose data were compromised were, however, much more likely to experience identity theft and all the miseries that go with it. Apparently these companies did not care.
(Ranum: This illustrates the dilemma faced by businesses. On one hand we want them to act responsibly when they have a security problem, but on the other, they know they're going to get pilloried by the security press (among whom we number). As long as security breaches are front page news there will be an incentive for businesses to downplay the severity of their problems.]

This is just the tip of the iceberg. We saw recently with Polo that consumer data (credit cards) are easily swiped from POS terminals and that when these things happen the companies under represent the data lost, ala DSW Shoes. We also know from experience, that more often than not, during a forensic investigation the examiner will find multiple prior compromises. Remember, the hack you notice is typically the one that is poory executed and a sign that more experiences people have already been there.

I'm sorry to say that I'm not suprised by this at all. I hope the media cracks the case on this and opens up the pandoras box revealing the true epedemic this is.

Private Information Exposed

I can't keep up...

Ameritrade warns 200,000 clients of lost data

and

DSW reports 1.4 million exposed -- 10 times more than the company estimated last month. DSW has a press release listing the store locations and FAQ.

Polo Ralph Lauren and HSBC "misappropriated" credit card information

Clothing retailer Polo Ralph Lauren Corp. said late on Thursday it had learned last fall that some of its customers' credit card information "may have been misappropriated."

The comment followed a Wall Street Journal report that Global bank HSBC Holdings Plc was notifying at least 180,000 people that used MasterCards to make purchases at Polo Ralph Lauren that criminals may have had access to their credit-card information

"I can confirm that we have informed a large number of people that they should obtain new credit cards because of a security breach," an HSBC spokesman said on Thursday, declining to say when or how the apparent theft occurred.

Thomas Nicholson, an HSBC spokesman, said this morning that the problem stemmed from a faulty point-of-sale (POS) system at a national U.S. retail chain, which he didn't identify.

* Reuters (UK)
* Computerworld

Computerworld has a great 3 page update report covering the entire issue
According to Nicholson, the retailer's POS systems retained and stored credit card information rather than purging the data immediately after processing each transaction. The problem affected all credit card transactions at the retailer between June 2002 and December 2004, not just those involving HSBC-issued credit cards, he said.

UPDATE (4/15/05):
Polo Ralph Lauren says software glitch resolved

CardTech/SecureTech 2005

So, I'm at CardTech/SecureTech (CTST) this week presenting on countermeasures to top financial institution threats (email me for presentation.) It was a great session and I got to meet some interesting people.

Early on I talked to Dan B. of RSA Labs who works breaking cryptographic systems to make them better. He pointed me to some of the work his team did with RFID analysis. It's a cool site that has actual videos of them breaking ExxonMobil SpeedPass crypto.

I also had lunch with Dave Jevans (ex. Tumbleweed) currently at Teros and Chairman of the Anti-Phishing Working Group. He had some interesting things to say about phishing and its evolution into keystroke loggers. He said that attackers used Australia as a test bed for some of the very first phishing scams because it's a small area where everyone banks at one of 5-6 places. You have a much higher hit rate in an environment like that versus the US with thousands of financial institutions. He also predicts that the situation in the UK (London offices of the Japanese bank Sumitomo Mitsui) is a tip of a larger keylogger epidemic. I tend to believe what he says because when I interviewed him at RSA he accurately predicted the outbreak of DNS 'pharming'. He also has his ears plugged to the ground of some major businesses that are fighting phishing style attacks.

Cathy Allen was moderating the session and gave me a copy of her book Smart Cards: Seizing Strategic Business Opportunities. She is CEO of BITS, which is a think tank composed of the top 100 of the largest financial institutions in the United States. (The web site looks great after a recent facelift.) She asked me to assist with drawing up a certification outline, which I am very eager to work on. I've done this in the past and can do it again!

On a personal note, I'm staying at the Mandalay Bay (conference location) and they have lots of pools. From my room I can see about five of them including a wave pool and running river. Vegas is a strange place because the opulence contradicts its desert surroundings. I wonder how the locals survive.

DNS Cache Poisoning

Slashdot writes:

"Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."

Florian from the Daily Dave feels:

"I'm convinced that the current wave of observed DNS anomalies is just the result of heightened interested in them. According to my data, the things SANS and others have observed are not attacks on DNS, just a side effect of a trick that allows you to host virtual servers for thousands of .COM domains, without actually maintaining a DNS zone for each one."

Hacker High School Starts to Spread

Slashdot writes:

"Hacker High School, an initiative from the non-profit Institute for Security and Open Methodology, pioneers of the OSSTMM have received some media coverage for their Hacker High School Program. It's a license-free open-source program that provides security and privacy-awareness teaching materials to teachers. Here's the link to the BBC stream and article about the project."

Perhaps they should have first read ESR's "How to Become a Hacker"

Insider Attack Against Citibank

Schneier reminds us that insiders are the biggest threat:

The Pune police have unearthed a major siphoning racket involving former and serving callcentre employees.

They allegedly transferred a total of [15 million rupees (US $350,000)] from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.

The call center was in India. The victim was Citibank.

iPod Forensics

There have been several discussions on the HTCIA mailing list about iPod forensics. I thought I would repost some of the data here. (Please understand that this posting is abridged due to the closed membership in HTCIA.)

A link to a PDF file from Purdue University about basic iPod forensics.

Also, a Firewire exploit.

Another person posted the following:
"There is a problem with the IEEE 1394 specification (Apple FireWire or Sony iLink). A presentation called "Owned by an IPOD" was done at the Pacific Security Conference in November 2004. Researcher Maximilian Dornseif demonstrated that the IEEE 1394 specification (Apple FireWire or Sony iLink) has full access to host memory. You can read or write arbitrary data to an arbitrary RAM location, including RAM on PCI extension cards. This can lead to privilege escalation, information leakage, and complete system compromise of any computer with a FireWire port enabled.

The PowerPoint presentation also has a section called iPod Forensics. This does not cover forensics on an iPod, but rather using the iPod as a forensic tool to do memory dumps. There is not much detail, but understanding the capabilities of an iPod is important."

The Price of Restricting Vulnerability Information

Schneier on Security has a link to an interesting law article by Jennifer Granick

There are calls from some quarters to restrict the publication of information about security vulnerabilities in an effort to limit the number of people with the knowledge and ability to attack computer systems. Scientists in other fields have considered similar proposals and rejected them, or adopted only narrow, voluntary restrictions. As in other fields of science, there is a real danger that publication restrictions will inhibit the advancement of the state of the art in computer security. Proponents of disclosure restrictions argue that computer security information is different from other scientific research because it is often expressed in the form of functioning software code. Code has a dual nature, as both speech and tool. While researchers readily understand the information expressed in code, code enables many more people to do harm more readily than with the non-functional information typical of most research publications. Yet, there are strong reasons to reject the argument that code is different, and that restrictions are therefore good policy. Code's functionality may help security as much as it hurts it and the open distribution of functional code has valuable effects for consumers, including the ability to pressure vendors for more secure products and to counteract monopolistic practices.

EPIC testimony on Choicepoint

Bruce is right that the EPIC Executive Director Marc Rotenberg's testimony (PDF) before the House Subcommittee on Commerce, Trade and Consumer Protection is worth reading.

...

"According to the Federal Trade Commission, last year 10 million Americans were affected by identity theft. Identity theft is the number one crime in the country. For the fifth year in a row, identity theft topped the list of complaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year. And there is every indication that the level of this crime is increasing."

...

"Choicepoint is not the only company that has improperly disclosed personal information on Americans. Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of congress. Lexis-Nexis made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders. DSW, a shoe company, announced that 103 of its 175 stores had customers’ credit and debit card information improperly accessed."

...

More information at: http://www.epic.org/privacy/choicepoint/default.html

...

"FOIA documents obtained by EPIC from the Department of State revealed the growing conflicts between the United States and foreign governments that resulted from the efforts of Choicepoint to buy data on citizens across Latin America for use by the US federal law enforcement agencies."

...

"Modest proposals such as the extension of the Gramm-Leach-Bliley Act’s Security Safeguards Rule are unlikely to prevent future Choicepoint debacles. The Safeguards Rule merely requires that financial institutions have reasonable policies and procedures to ensure the security and confidentiality of customer information. Recall that the disclosure by Choicepoint did not result from a “hack” or a “theft” but from a routine sale."

ID Theft is Inescapable?

Bruce Schneier blogs about how "ID Theft is Inescapable" while referencing an article on The Register.

The net-net is that: "...it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry."

France Makes Finding Security Bugs Illegal

From Foiled Hats: One Ten-Millionth Of A Copy

News on CNET today about the French decision against Guillaume Tena in the Viguard case.

Over at Bruce Schneier's blog, Mr Tena himself has contributed to the discussion.

It seems that one of the arguments put forward by the Judge was that Guillaume was guilty of counterfeiting the software by virtue of having reproduced a section of the code in his own code. (The reproduced section being the XOR keys used to encrypt part of the program's data. Sidenote, more recent versions of the Viguard software no longer use this or any other key. Now the data is not encrypted.)

Furthermore the judge seems to have ruled (my French isn't up to it, so I am relying on other commentators for this one) that the action was illegal because the work was performed on an unlicensed copy of the application.

This has a number of implications for security analysts around the world (but particularly in France.) For a start, when vulnerability mailing lists are posted to (such as bugtraq) how are these lists supposted to ascertain if the vulnerability being discussed was obtained from a licensed copy of the software?

And also, going back to the title of the post, in a world of acceptable-use partial reproduction of copyright works, how can a person be prosecuted for reproducing one ten-millionth of a copyright work?

Geekfathers: CyberCrime Mobs Revealed

Ars Technica says:
Baseline is running a fascinating series on organized cybercrime, i.e., groups of hackers, phishers, phreakers, and the like who trade in stole credit card numbers, SSNs, and other forms of stolen identity.

• Lead Story: Shadowcrew: Web Mobs Online crime is getting organized in a serious way.
• Introduction
• Cyber-Forensics: Following the Trail
• Geekfather, or College Student?
• Covering Their Tracks
• The Law Closes In
• Prevention and Defense
Also check out:
• In Shadowcrew, Law Enforcement Roster, Gage profiles some of the white hats and the black, to show how cops and crooks match up.
• In Gotcha: Hack Attacks, David Carr lays out the newest scams, and shows how an old trick can still be a good one if you make it nasty enough.
• In Cybercrime's Most Wanted, we list a few of the cops' successes: Mobs tht are out of business.
• In Critical Data: A snapshot of Shadowcrew and its modus operandi.
• Calculate your own exposure and the cost of keeping the crooks at bay in Planner: Calculating the Costs of Fraud Protection.

* eWeek: CyberCrime Mobs Revealed
* eWeek: Cybercrime Special Report

RFID Reader/Writer

From Boing Boing:
"I hope they figure out a way to effectively ban these devices from my grocery store so I don't have to worry about RFID terrorists running amok and screwing up my next purchase."

* First Ever SDiD RFID Reader/Writer [MobileMag]
* Tagzapper, the RFID zapper [RFIDTimes via WMMNA]
* RFIDwasher allows you to both detect and "wash" ("cleanse", "purge", etc.) any offensive RFID tags as you see fit.

Bruce Schneier's RFID Security Analysis

Why random-number fobs can't stop Internet bank fraud

Bruce Schneier's blogged a piece he wrote for the ACM magazine on "two-factor authentication." That's systems that combine a password that you've memorized with a password that's randomly gneerated form a keyfob. Your employer may already require this for accessing your email (here at the O'Reilly Emerging Tech convention in San Diego, all the BBCers are lugging these things around) and your bank may have distributed these to you to reduce fraud.

However, the majority of Internet-based bank-frauds can't be solved by "two-factor authentication" because the attack it defends against isn't the attack that fraudsters use:

Here are two new active attacks we're starting to see:
• Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
• Trojan attack. Attacker gets Trojan installed on user's computer. When user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.

Microsoft to abandon passwords

Detlef Eckert, the senior director in charge of Microsoft's Trustworthy Computing initiative, said, "I believe that the time of password-only authentication is gone. We need to go to two-factor authentication. This is the only way to bring the level of trust business needs."

This aleviates the need for sites like RainbowCrack.com that precompute password hashes.

The strengthening of passwords means that it will no longer be the weakest link in the chain. Attacks continue to rise in the other weak links:

* A phishing wolf in sheep's clothing

* Phishing still on the rise

* Phony buyers bilk online sellers; rash of S.J. victims It's an Internet scam with international intrigue, allegedly involving Nigerians, network servers in Israel and that 1984 Toyota you're trying to sell on Craigslist.

Year of the Mass Market

UK banks in talks to tighten security
This is the headline that shows RSA is in preliminary conversations with banks in the UK to roll out secure authentication to the public in efforts to hedge financial fraud.

This is the next phase in a plan for securing authentication for the public that RSA has been rolling out since its partnership with AOL late last year.

During the Internet "bubble" every security company around was selling firewalls and IDSs faster than you can say, "will this make me secure?" Now that everyone form the Fortune 500 to your mom & pop shop have a firewall it's time to market security targeted at the mass market -- we the people!

Then there is the web referral spam...

The Silent Killer

Hackers 'poison' search engine results
In its six-monthly Web Security Trends Report, Websense noted that online criminals may be subverting search engines in a bid to direct unwitting internet users to web pages containing malware.

Editorial:
As spammers are search for new attack vectors it's being noted that they will increasingly use web sites that people visit to poison the home user's PC with a virus. This is actually easier for a browser based security system to protect against than traditional methods of attack. It will probably still work but hopefully in small enough numbers to not warrant a mass movement in this area.

This is also in contrast to another report.

ChoicePoint Takedown

The inquiry and the planned business changes, announced Friday, both come on the heels of a scandal that left thousands of consumers vulnerable to identity theft.

Last month, the company revealed that scam artists had gotten access to personal data on about 145,000 people, resulting in at least 750 cases of identity theft. The scandal has prompted calls for new legislation to protect consumers' privacy rights.

* original report
* Choicepoint

Sen. Bill Nelson of Florida seems to be wielding the threat of terrorism as a justification to target the newly embattled industry. He has already been talking [PDF] about amending the Fair Credit Reporting Act in a way that could extend regulations to data brokers.

NIST releases final security guidelines

A final version of security guidelines designed to protect federal computer systems and the information they hold was released Monday by the National Institute of Standards and Technology.

The guidelines will serve as a road map for federal agencies in meeting mandates set by the Federal Information Security Management Act (FISA). Government agencies will be required to have certain security controls, policies and procedures in place.

"This document of security guidelines is going to play a key role in helping federal agencies effectively select and implement security controls," Shashi Phoha, NIST Information Technology Laboratory director, said in a statement.

* c|net News.com

Paying Canadian telco an extra $50 makes IRC and ftp secure, somehow

Simon sez, "It was reported in Vancouver that Canadian telecom giant Telus has outlawed home servers for its customers with residential highspeed service. Ports used by such ftp, telnet and IRC servers, among others, have been blocked. According to Telus, 'These security measures are designed to reduce illicit traffic.'

"But if home users upgrade to a business account (for $84.95 a month, rather than $29.95) the blocked ports magically become unstuck. There's no mention, however, of increased security measures in the upgraded business accounts. Interpret this how you like."

* Terminal City
(via BoingBoing)

Paris Hilton's cell phone hacked?

Paris Hilton seems to be having more trouble keeping her personal life personal, and this time the socialite apparently exposed several A-list celebrities after the contents of her cell phone were published on the Internet.

The content included the phone numbers of the socialite's friends, such as rapper Eminem, actor Vin Diesel, actress Lindsay Lohan, singers Christina Aguilera and Ashlee Simpson, and tennis players Andy Roddick and Anna Kournikova.

* c|net News.com
* "This week in privacy" c|net News.com (25 Feb 2005)

US hit for $548m in fraud losses

Identity theft topped the list of complaints received by the US Federal Trade Commission for the fifth successive year, accounting for 39 per cent of consumer fraud complaints filed with the agency last year. Credit card fraud was the most common form of reported ID theft (28 per cent), followed by phone or utilities fraud (19 per cent), bank fraud (18 per cent), and employment fraud (13 per cent).

Americans reported fraud losses of $548m to the FTC last year. Of these 635,173 complaints, 246,570 concerned ID theft and 388,603 were about other forms of fraud.

* The Register (UK)
* The FTC's report, National and State Trends in Fraud and Identity Theft [PDF]

Internet-related complaints accounted for 53 per cent of fraud reports (and $265m of reported losses), with problems involving online auctions proving a particular problem. Gripes about net auctions featured in over 102,000 complaints to the FTC last year (16 per cent of total reports). The top 10 of consumer fraud complaints for 2004 also included: catalogue sales - eight per cent of total complaints; internet services and computer complaints - six per cent; foreign money offers - six per cent; prizes/sweepstakes and lotteries - five per cent; advance-fee loans and credit protection - three per cent; business opportunities and work-at-home - two per cent and telephone services - two per cent.

Consumers can file fraud and identity theft complaints on the FTC's website. The agency collates this information with data from other law enforcement and consumer protection agencies to create a comprehensive database. This information helps law enforcers co-ordinate actions, avoid duplication and spot trends in consumer fraud.

Washington DC, Las Vegas and San Jose, California were 'hot spots' for consumer fraud, according to FTC reports. Last Vegas (again); Phoenix, Arizona and San Bernardino, California generated the highest per-capita reports of ID theft.

More women turn to net security

The number of women buying programs to protect PCs from virus, spam and spyware attacks rose by 11.2% each year between 2002 and 2004.

The study, for net security firm Preventon, shows that security messages are reaching a diversity of surfers.

It is thought that 40% of those buying home net security programs are retired.

For the last three years, that has gone up by an average of 13.2%.

But more retired women (53%) were buying security software than retired men.

* BBC News

Nine out of 10 VPNs 'not secure'

A three-year research project by security firm NTA Monitor has concluded that nine out of 10 virtual private networks have exploitable vulnerabilities.

Most of the companies that had their VPNs tested as part of the project thought that they were invulnerable to hackers, but researchers found the same types of flaw repeated across the whole product range.

The report stated that, in some cases, VPNs were actually the weakest security link in an organisation.

* vnunet.com
* NTA Monitor: VPN Security Flaws White Paper

Do 'irresponsible' security researchers help or hinder security?

By making coding flaws public, are security researches exposing us all to unnecessary risk?

To many software makers and security consultants, flaw finder David Aitel is irresponsible.

The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

Last week, Immunity published an advisory highlighting four security holes in Apple Computer's Mac OS X -- vulnerabilities that the company had known about for seven months but had kept to itself and its customers.

"I don't believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."

* ZD Net (UK)

The Perils of Deep Packet Inspection

This paper looks at the evolution of firewall technology towards Deep Packet Inspection, and then discusses some of the security issues with this evolving technology.

* SecurityFocus

Spammers' New Tactic Upends DNS

Although some ISPs and legislators are crediting the year-old CAN-SPAM Act and better technology for recent gains in the war on spam, many in the industry say the advances are forcing spammers to employ new tactics, which are destabilizing the Internet's crucial DNS.

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

* eWeek

eBay Discontinues Use of Microsoft's Passport

eBay has informed its customers that it will no longer allow them to sign on using Microsoft's Passport web identity service, which allows users to store information like passwords and credit card data to be used on the Internet. An eBay spokesman said very few customers used Passport to sign on regularly. Passport has met with resistance, as evidenced by the formation of the Liberty Alliance, which hoped to develop standards for identity authentication on the Internet and promote alternatives to Passport. Microsoft has announced that it will no longer market Passport to third parties, but will continue to stand behind Passport, using it for MSN and their partners and providing support to third party sites that continue to use the service.

* Computerworld (3Jan05)
* Seattle Times (31Dec04)
* eWeek (31Dec04)
* eWeek (30Dec04)

SANS Editor's Note (Schultz):
Any kind of "one credential fits all" scheme is poor from a security perspective because it is so subject to widespread abuse by anyone who steals a credential. Electronic transactions require stronger authentication schemes than many financial and other organizations currently use.

Interview with Richard Thieme

In the field of information security, there are many useful occupations: firewall engineer, policy analyst, auditor and security architect all are popular choices. But what about information technology philosopher? There's plenty of value in describing the intersections between technology and the human experience, but I know of only one person who makes a living doing so--Richard Thieme.

Richard is an institution on the hacker convention circuit, and he is much in demand as a public speaker, business consultant and writer. He and I recently had a wide-ranging conversation about hacker culture, computer security, competitive intelligence, homeland security and Richard's singular career.

* Linux Journal

Information System Security Assessment Framework Draft 0.1

Powered by hands-on field experience of global security professionals, ISSAF constitutes a practicable and comprehensive framework for assessing security posture of organizations. ISSAF has been in the making for the past year and its first draft is available for download on the OISSG site. ISSAF stands for "Information Systems Security Assessment Framework" and details key steps that need to be considered while evaluating an organization for security weaknesses. The information in ISSAF is organized into well defined evaluation criteria, each of which has been reviewed by a domain subject-matter expert. more www.oissg.org/issaf

Download ISSAF Draft 0.1: ZIP (5.59 MB), PDF (12.6 MB)

* OISSG

Two thirds of all PCs infected with spyware

The global spyware plague has reached epidemic proportions, with the cost to global PC users set to rocket by 2,400 per cent over the next four years.

According to newly published research from IDC, the need to identify and eradicate these parasitic programs will drive anti-spyware software revenues from $12m in 2003 to $305m in 2008.

* vnunet.com

The analyst firm reported that spyware infects millions of computers with the purpose of stealing personal information, enabling identity theft, tracking online activity, and selling information back to anyone willing to pay.

Although not always malicious in nature, IDC noted that spyware still causes significant damage to legitimate software, network performance and employee productivity.

An indirect cost of spyware identified by the IDC report is that it crosses the boundary between security and system management by deluging help desks with complaints about pop-ups, application failures and poor PC performance.

At worst, spyware's ability to track keystrokes, scan hard drives and change system and registry settings is a tremendous personal and enterprise security threat leading to identity theft, data corruption and even theft of company trade secrets, IDC warned.

Brian Burke, research manager for security products at IDC, said: "Today, more malicious spyware can easily infiltrate corporate firewalls. These programs make their way into the corporate intranet under the guise of less threatening network traffic, and can wreak havoc."

The report found that spyware is often bundled with legitimate programs, allowing it to pass easily through firewalls. IDC estimated that 67 per cent of all computers (mostly consumer) contain some form of spyware.

Mobile User and Mobile PPC Security

At the recommendation of a posting at bug-traq, I listened to a 15 minute presentation on Windows Mobile Pocket PC Security by Seth Fogie of Airscanner. If you have a PPC, grab a cup of coffee and invest the time to listen to this audiocast. You'll learn quite a bit about PPC attacks such as forced resets embedded in attachments or downloads, viruses,and trojans that can be installed via removable (flash) memory when Autorun is enabled. You can also hear how attackers use PDAs as attack tools (especially over wireless LANs).

I gave a presentation on Mobile User Security [PDF] at IPcomm 2004 in Las Vegas. Hopefully, you'll find my presentation a useful complement to Seth's audiocast.

* Dave Piscitello's Personal Web Log

Guarding the grid

Deploying a grid infrastructure can help companies dramatically improve hardware utilization rates and boost computing power. But the massive resource aggregation and wider end-user access enabled by grids also have the potential to magnify security risks, implementers say.

As a result, companies that are implementing grid technologies need to pay special attention to issues such as user authentication, authorization and access control, as well as auditing and data integrity -- both when data is in storage and while it's in transit.

* Computerworld

Unprotected PCs can be hijacked in minutes

Simply connecting to the Internet — and doing nothing else — exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously.

While most break-in tries fail, an unprotected PC can get hijacked within minutes of accessing the Internet. Once hijacked, it is likely to get grouped with other compromised PCs to dispense spam, conduct denial-of-service attacks or carry out identity-theft scams.

* USA Today

Editor's Note:
Interesting article showing honeypots and attacks per day based on OS. It also has an analysis break down of a honeypot compromise.

Why "Identity" Is Central To IT Security

The increasing demand from our users to provide ‘Anywhere Access’ to our most sensitive business systems; allowing them to connect from any computing device across any public Internet or wireless link, is forcing us to take an entirely new approach to securing our networks and data.

This new approach puts the Identity of our users at the centre of our security model, with the critical question being: ‘Is each remote user really who they claim to be?’ Also, it makes us take a long hard look at how we define the policies and procedures of Identity Management: how we issue the digital identities to our users and support them over their working life to keep their identities secure and private at all times.

* Help Net Security

Talk among yourselves

We all know how helpful it can be to discuss a problem with someone. Be it through support networks, industry associations, group therapy, whatever, burdens often become lighter when we share them with others who can offer advice, information, or even just an ear.

Yet when it comes to cybercrime, a problem that's bound to get worse before it gets better, companies clam up. As detailed in the first story ("The story behind the stats") in our "Profiling Cybercrime" special section, few companies report cybercrime to law-enforcement officials.

* NetworkWorldFusion

A Commonly Overlooked Risk in Mobile User Security

Firstbase Technologies has published a useful white paper on Portable Computing Device Security [PDF], one worth finding time to read.

I noticed while reading the paper that the authors don't mention undetected or malicious data alteration or injection in their risk analysis. I think the potential for someone to change sensitive data and inject it into an enterprise from a mobile device or removable medium is significant, and deserves more attention than it commonly receives.

* Dave Piscitello's Personal Web Log

Lessons on the ISA stateful application layer inspection firewall

There are many things that set the ISA firewall apart from other firewalls in widespread use. But the one thing that stands out is the ISA firewalls unique combination of stateful filtering (stateful packet inspection) and stateful application layer inspection. Combine these features with the ISA firewall’s one of a kind VPN server and Web Proxy/caching capabilities, and you have one powerhouse firewall that causes other firewalls to pale in comparison. Check out this article for details on how the ISA firewall's Firewall client application is a critical components of the ISA firewall's comprehensive defense in depth scheme.

* ISA Server.org

UK Man Adds Second Factor of Identification to His Credit File

A UK man has requested that a "Notice of Correction" be placed on his
credit file stating that a thumbprint must accompany any credit applications made in his name. He has also submitted his fingerprint to each of the three main credit agencies. If credit is extended in is name without a fingerprint, he will not be liable for any incurred losses. Lenders would not be required to match fingerprints; if a hony fingerprint were submitted, police would have another mode of
identification when trying to catch the thief.

* The Register (UK)

SANS Editor's Note:
(Schneier): This is creative, but I wonder how practical it would be if it became more popular. If someone applying for a fraudulent credit card uses someone else's fingerprint, how will this help trace the actual culprit? And if Citibank's experiments with photos on the back of credit cards is any indication, merchants will simply ignore it.
(Grefer): More importantly, the burden of proof that it was not him is going to be minimal.

Thomson, VeriSign to build content security service

Thomson Tuesday said that it is teaming up with VeriSign to build a digital authorization and authentication service that promises to secure delivery of content such as movies, music and games.

The service, slated for launch in mid-2005, will be aimed at content providers such as online retailers, telecommunications firms, entertainment companies and technology companies. It will offer transaction reporting and other back-office functions, the companies said.

* NetworkWorldFusion

Phone Phreakers Target County Government System

Phone phreakers managed to break into the Linn County (New York) telephone system and alter the outgoing message on several voice mailboxes to sound as if they were accepting third-party charges for long distance collect phone calls. Part of the problem was that some employees used their extension numbers as their voice mailbox passwords. The system has been changed not to accept third-party collect calls.

* Gazette Times

2004: Year of the global malware epidemic - Top ten lessons

2004 is set to become the worst year on record for malware variants and their hybrids as vulnerabilities in Microsoft Windows are exploited within days of being posted on the internet. Witness the latest and ongoing Bofra malware episode, which is a hybrid of the MyDoom family. There is evidence to show that malware writers are learning from each others' code and refining carrier vectors continuously based on live-tests within the internet environment. This, in turn, encourages playground behaviour similar to monkey see, monkey do; with dangerous consequences.

The Chinese year of the Monkey has indeed come to pass across the globe as nearly 115 million computers across 200 countries have been infected at one time or another this year by rapidly proliferating malware agents including trojans, viruses and worms. As many as 11 million computers worldwide - mostly within homes and small organisations - are now believed to be permanently infected zombies that are used by criminal syndicates or malevolents to send out spam; mount Distributed Denial of Service (DDoS) attacks; carry out extortion, identity theft and phishing scams; or disseminate new malware.

The top ten lessons learnt from the malware global epidemic in 2004, which includes the costliest and fastest spreading malware families of all time, are as follows:
1. Monoculture issues and law enforcement
2. User awareness and education
3. Army of zombies
4. Unreliable computing
5. Opportunistic criminal activity
6. Data and computing separation
7. Growing economic damage
8. Early warning centres
9. Home users
10. Social responsibility

* ebcvg.com

Telecommuters seen as weakest link in network security

For so-called small- to mid-sized enterprises (SMEs), the security risk created by the proliferation of telecommuters has been especially worrying. A recent survey by WatchGuard Technologies of its own customer base of businesses with 1,000 or fewer employees found that 25% of IT administrators believe that remote workers present the biggest security challenge in their organizations.

* Posted by volubis at 06:40 PM