<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-13370348</id><updated>2012-01-03T13:12:02.117-05:00</updated><category term='smart grid'/><category term='Cyberwar Information Security'/><category term='Windows XP'/><category term='sullivan'/><category term='sarasota'/><category term='loss'/><category term='ESET'/><category term='DefCon'/><category term='NRO'/><category term='privacy'/><category term='adobe'/><category term='business continuity'/><category term='data theft'/><category term='consequences'/><category term='security webinar'/><category term='cia'/><category term='firefox'/><category term='trusecure'/><category term='incident management'/><category term='twitter worm'/><category term='information security'/><category term='blogs of note'/><category term='Wikileaks'/><category term='icsa labs'/><category term='web 2.0'/><category term='mobile security'/><category term='cyber-security'/><category term='spam'/><category term='network security'/><category term='satellite internet'/><category term='tweet spam'/><category term='voicemail hacking'/><category term='Mike Cobb'/><category term='cobb.com'/><category term='fraud'/><category term='ISSAP'/><category term='facebook'/><category term='security incident'/><category term='ncsa'/><category term='botnets'/><category term='zcobb'/><category term='Windows Vista'/><category term='hactivists'/><category term='mecs'/><category term='PDF'/><category term='security'/><category term='criminal hacker'/><category term='SANS'/><category term='information system security'/><category term='data privacy'/><category term='violence'/><category term='gotchas'/><category term='merion 
school'/><category term='cracker'/><category term='dst'/><category term='Windows NT'/><category term='information assurance'/><category term='UK'/><category term='share price'/><category term='ponemon institute'/><category term='IA'/><category term='Search Security'/><category term='due diligence'/><category term='usc hack'/><category term='HIPAA'/><category term='NOTW'/><category term='senility'/><category term='Symantec'/><category term='risk displacement'/><category term='saas'/><category term='ie7'/><category term='tabbed browsing'/><category term='stolen data'/><category term='scam'/><category term='frost'/><category term='Vista'/><category term='security breach'/><category term='Microsoft'/><category term='GCHQ'/><category term='computer security'/><category term='trust'/><category term='Tech Target'/><category term='m.a.d.'/><category term='CISSP'/><category term='adobe acrobat'/><category term='bradley manning'/><category term='messagelabs'/><category term='recount'/><category term='hacking'/><category term='cobb'/><category term='crack'/><category term='risk'/><category term='paedophile'/><category term='USA'/><category term='ucla hack'/><category term='extremism'/><category term='IASSP'/><category term='data breach'/><category term='bill gates'/><category term='security costs'/><category term='internet explorer 7'/><category term='CLAS'/><category term='authorization'/><category term='lower merion'/><category term='liability'/><category term='bots'/><category term='black market'/><category term='NSA'/><category term='TechTarget'/><category term='MCDBA. 
CESG'/><category term='verizon'/><category term='audit'/><category term='SearchSecurity'/><category term='hackers'/><category term='electronic voting'/><category term='secure society'/><category term='banks'/><category term='dare not walk alone'/><category term='security awareness'/><category term='drug sentence'/><category term='denial of service'/><category term='threat forecast'/><category term='phishing'/><category term='criminal hacking'/><category term='acrobat'/><category term='housekeeping'/><category term='infrastructure'/><category term='Microsoft Windows'/><category term='HHS'/><category term='other cobb blogs'/><category term='twitter'/><category term='security evangelist'/><category term='DoS'/><category term='information technology'/><category term='Assange'/><category term='illegal'/><category term='reader'/><category term='phone hacking'/><category term='inappropriate'/><category term='election fraud'/><title type='text'>scobb's information security blog</title><subtitle type='html'>Notes on information security &amp;amp; data privacy from me, Stephen Cobb, CISSP, Security Evangelist. [Posts reflect my opinions not those of my employer.] 
Named a 2006 &amp;quot;Blog of Note!&amp;quot;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default?start-index=101&amp;max-results=100'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>101</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13370348.post-595903569144975136</id><published>2012-01-02T19:33:00.000-05:00</published><updated>2012-01-02T19:34:55.533-05:00</updated><title type='text'>Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I read about the hacking of the California State Law Enforcement Association or &lt;a href="http://kevtownsend.wordpress.com/2012/01/01/anonymous-owns-the-california-state-law-enforcement-association-cslea-website/"&gt;CSLEA website by Anonymous&lt;/a&gt; "for fun and m4yh3m!" just after reading about the latest round of &lt;a href="http://www.chinadaily.com.cn/cndy/2011-12/30/content_14354458.htm"&gt;hacking of Chinese websites&lt;/a&gt;. 
&lt;b&gt;N&lt;/b&gt;ota &lt;b&gt;B&lt;/b&gt;ene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking about Chinese hacking of U.S. websites; and I'm NOT writing as an employee of any organization.&lt;br /&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://www.chinadaily.com.cn/cndy/attachement/jpg/site1/20111230/00221917e13e10674ab60f.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="172" src="http://www.chinadaily.com.cn/cndy/attachement/jpg/site1/20111230/00221917e13e10674ab60f.jpg" width="320" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Cartoon depicting hacking in China Daily&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;What I am saying is that a new age of understanding may be dawning for those who seek to exploit unauthorized system access. For example, if the Chinese government has been turning a blind eye to hacking in China in the hopes of harnessing those hacking skills for state purposes--which is what some commentators have alleged--then the hacking of Chinese commercial entities by Chinese hackers seeking justice or attention (or both) should be raising serious doubts in government circles.&lt;br /&gt;&lt;br /&gt;Here's the sort of thing that happens when you don't enforce strict laws against unauthorized system access and rules requiring protection of personal data: &lt;br /&gt;&lt;blockquote class="tr_bq"&gt;The website of China Mengniu Dairy Co Ltd was hacked on Wednesday night after the country's biggest dairy operator admitted some of its milk products contained a cancer-causing substance, Chinese media reported. 
(&lt;a href="http://www.reuters.com/article/2011/12/29/mengniu-hack-idUSL3E7NT3B220111229"&gt;Reuters&lt;/a&gt;)&lt;/blockquote&gt;Or this: &lt;br /&gt;&lt;blockquote class="tr_bq"&gt;The Qihoo 360 Technology, an anti-virus company that claimed to offer free Internet security services to more than 300 million netizens, issued a red alert on Dec 22, saying that the databases of many websites were hacked recently, causing the leakage of more than 50 million Internet users' registered accounts and codes. (&lt;a href="http://www.chinadaily.com.cn/cndy/2011-12/30/content_14354458.htm"&gt;China Daily&lt;/a&gt;)&lt;/blockquote&gt;Of course, such things can happen even when you have strong laws and regulations in place, but laws tend to be obeyed in proportion to the degree to which they are enforced and the severity of punishment suffered by those judged to have broken them. The FBI and other U.S. authorities indicted scores of people for &lt;a href="http://www.blogger.com/Slwoly%20but%20surely%20ripping%20people%20off%20via%20the%20Internet%20will%20become%20a%20riskier%20proposition:%20http://www.scmagazine.com/fbi-wraps-up-2011-with-30-more-cyber-crime-indictments/article/221271/"&gt;cybercrimes in 2011&lt;/a&gt; and dozens are in jail awaiting trial. If the Chinese government begins to feel public pressure to clamp down on illegal hacking within China to a similar degree, that may prompt reassessment of its stance towards Chinese nationals who hack public and private entities outside China.&lt;br /&gt;&lt;br /&gt;Putting Internet scam artists behind bars strikes me as a noble undertaking in any country and the law enforcement folks who do this for a living deserve our thanks. 
Anyone who disapproves of &lt;i&gt;some&lt;/i&gt; actions taken by &lt;i&gt;some&lt;/i&gt; law enforcement agencies would be wise to show they understand that not all law enforcement is worthy of contempt. There's a good sci-fi story to be written about a 911 system that filters calls for help based on comments you have made about law enforcement on social networks. (How about a mandatory 10-minute response time penalty for people who habitually refer to law enforcement officers as scum?)&lt;br /&gt;&lt;br /&gt;As for hacking law enforcement agencies and security companies, here's something to consider: One of the first things you learn when you study information system security is that no information system is 100 percent secure. Not even the proverbial "box buried in the ground" with no power or connectivity is safe (because if someone digs it up I'm betting we can get the data off the hard drive if there was ever any written to it). Ergo, any use of any computer system anywhere involves risks to the data on the system. Connection = exposure.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;Can you hack my system? Can I hack your system? Can entity Y hack system X? The answer is always Yes! The only variable is the means required.&lt;/blockquote&gt;When you study human behavior as a relationship between ends and scarce means that have alternative uses, you realize the reason that most IT systems and websites are not hacked is that doing so would require too many means or have too few uses. Your home wireless network protected with WPA is less likely to be hacked than the WiFi belonging to the small business on the next block that employs WEP. The data on that network is likely to have more uses, and hacking WEP requires fewer means than hacking WPA. Of course, if you personally happen to be a high-value target, that equation changes.&lt;br /&gt;&lt;br /&gt;And you do need to be savvy about the quantification of means and uses. 
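To put numbers on that quantification for the WEP-versus-WPA comparison, here is an added example (my own code, not code from the original post) that models the part of WEP that makes it cheap to break: every frame is encrypted with RC4 keyed by the 24-bit IV, which is sent in the clear, followed by the shared key. Two frames that reuse an IV are encrypted under the same keystream, so XORing their ciphertexts cancels the keystream and exposes the XOR of the plaintexts, and the birthday bound says that with only 2^24 IVs such a repeat is more likely than not after roughly five thousand frames. The shared key, IVs and plaintexts are constructed for the demonstration; the WEP integrity check (ICV) and the FMS/PTW key-recovery attacks that make real WEP cracking fast are deliberately not modelled.

```python
"""Added example (not from the original post): WEP keystream reuse.

WEP encrypts each frame with RC4 keyed by IV || shared_key, where the
24-bit IV travels in the clear. Frames that repeat an IV share a
keystream, so XORing their ciphertexts yields the XOR of the plaintexts,
and any known plaintext in one frame reveals the other. The birthday
bound on 2^24 IVs says this happens after a few thousand frames.

Simplified model: the ICV/CRC-32 check and the FMS/PTW key-recovery
attacks are not modelled. Keys, IVs and plaintexts below are constructed.
"""
import math
import random


def rc4(key: bytes, length: int) -> bytes:
    """Return the requested number of RC4 keystream bytes (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV||key) XOR plaintext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV: ciphertext XOR equals plaintext XOR (key never needed)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, so different keystreams; nothing cancels")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, plaintext_a: bytes) -> bytes:
    """Knowing frame_a's plaintext (e.g. a predictable header) decrypts frame_b."""
    return bytes(x ^ p for x, p in zip(xor_of_plaintexts(frame_a, frame_b), plaintext_a))


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames after which an IV repeat has the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def simulate_iv_collision(seed: int = 1) -> int:
    """Draw random 24-bit IVs until one repeats; this is what a passive sniffer waits for."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(24)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # constructed IV reused by two frames
    a = wep_encrypt(key, iv, b"hello wep world")
    b = wep_encrypt(key, iv, b"attack at dawn!")
    print("recovered:", recover_with_known_plaintext(a, b, b"hello wep world"))
    print("50% IV collision after", frames_until_iv_collision(), "frames")
    print("simulated collision after", simulate_iv_collision(), "frames")
```

The point for the means-and-uses argument is that a passive sniffer on a busy WEP network gets a keystream collision in minutes without ever touching the shared key. WPA and WPA2 derive fresh per-session keys from a four-way handshake and use a 48-bit packet counter, so the cheapest attack there is an offline dictionary attack on a captured handshake, which only pays off when the passphrase is weak.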
Several decades ago we learned that teenagers with time on their hands can have, in the aggregate, greater means than a large software company (if said teenagers apply that time to try every possible way to break a piece of software). We also learned that defacing a website is "useful" to some people, for some meaning of &lt;i&gt;useful&lt;/i&gt; (think &lt;a href="http://scobbs.blogspot.com/2011/06/cia-website-hack-recalls-early-days-of.html"&gt;1996 CIA website hack&lt;/a&gt; used to send a message to the Swedish prosecutor Bo Skarinder). In other words, the uses of unauthorized access extend well beyond theft of data, IP, personal credentials, etc.&lt;br /&gt;&lt;br /&gt;Exposing the security weaknesses of a system you have hacked is a use of unauthorized access that might, one could argue, have redeeming virtues (in some cases it amounts to a free penetration test for the victim). However, there are diminishing returns to this type of hactivity. The main reason most systems fail penetration tests is not the stupidity of the system's operators, but the reality of scarce resources. And that goes 10X for non-commercial entities. Try securing a state or local government system on a shrinking budget that caps salaries for technical skills well below market rates. That's a real hacking challenge.&lt;br /&gt;&lt;br /&gt;Here is another great hacking challenge: Explain to the owner of a system whose security you have breached how they can maintain the profitability of their operation while improving security to a level you deem appropriate. 
I am not suggesting that anyone engage in attempting illegal system access, I'm just making the point that just because you can break into a system does not mean the owner of that system, or the people whose data are stored on the system, are worthy of scorn and public exposure.&lt;br /&gt;&lt;br /&gt;So when we see personal data pertaining to law officers or the clients of companies in the security space shared for any random scam artist to abuse, it is natural to wonder: Where's the fun in that? And if the point is mayhem (m4yh3m) one has to wonder what the end game is. In China they are now learning valuable lessons about the value of good information security. They are also learning about the need to respect other people's data privacy. We wish them well and trust our fellow citizens will provide examples of that kind of respect.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-595903569144975136?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/595903569144975136/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=595903569144975136' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/595903569144975136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/595903569144975136'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2012/01/chinese-hacks-and-anonymous-hacking.html' title='Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5879250853485422937</id><published>2011-08-14T09:21:00.002-04:00</published><updated>2011-08-20T17:40:50.373-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cracker'/><category scheme='http://www.blogger.com/atom/ns#' term='DefCon'/><category scheme='http://www.blogger.com/atom/ns#' term='ESET'/><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacker'/><category scheme='http://www.blogger.com/atom/ns#' term='voicemail hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='phone hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='NOTW'/><category scheme='http://www.blogger.com/atom/ns#' term='security evangelist'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s1600/phone-hack-vice.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="400" src="http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s400/phone-hack-vice.jpg" width="206" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;In the wake of the News of The World (NOTW) scandal in which "journalists" are alleged to have listened to, and sometimes erased, messages left on phones that did not belong to said journalists, the term &lt;i&gt;phone hacking&lt;/i&gt; has shot up the charts of widely misused phrases.&lt;br /&gt;&lt;br /&gt;As this very 
helpful &lt;a href="http://www.geeknewscentral.com/2011/07/11/how-to-hack-mobile-phone-voicemail/"&gt;article on Geek News Central&lt;/a&gt; points out, the NOTW scandal is not really about phone hacking, it is about voicemail hacking, which the article's title tries to make clear: &lt;b&gt;How To Hack Mobile Phone Voicemail&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;Like the proverbial &lt;i&gt;Trojan Horse&lt;/i&gt;, which was really neither horse nor Trojan, we are probably stuck with &lt;i&gt;phone hacking&lt;/i&gt; as a phrase hacked together by hacks to describe some types of phone system manipulation and/or phone user duping. Such subtle distinctions may not matter to some people, but I think they matter to information security professionals. Why? Because part of our role in society, one that I personally take very seriously, is trying to bring clarity to matters involving the theft of information, unwarranted invasions of privacy through the abuse of information systems, use of computer systems to commit fraud, and so on.&lt;br /&gt;&lt;br /&gt;And perhaps no word in recent memory has been more abused and hacked than &lt;i&gt;hackers&lt;/i&gt;. As Steven Levy firmly established more than 25 years ago in his book, &lt;a href="http://www.amazon.com/Hackers-Heroes-Computer-Revolution-Anniversary/dp/1449388396"&gt;Hackers: Heroes of the Computer Revolution&lt;/a&gt;, the word started out with a positive connotation, a subject he addressed at &lt;a href="http://venturebeat.com/2011/08/05/author-steven-levy-tells-young-hackers-about-their-religion"&gt;the recent DefCon hacker conference&lt;/a&gt; in Las Vegas.&lt;br /&gt;&lt;br /&gt;For almost as many years, my good friend &lt;a href="http://www.mekabay.com/"&gt;Dr. Mich Kabay&lt;/a&gt; has tried to maintain a consistent distinction between hackers and criminal hackers. 
In his copious writings and teachings on information assurance, Mich diligently avoids omitting the word criminal from the phrase, either for convenience or brevity (&lt;a href="http://www.google.com/search?cx=c&amp;amp;sourceid=chrome&amp;amp;ie=UTF-8&amp;amp;q=kabay+%22criminal+hackers%22+"&gt;see these Google results for examples&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;(In the 1990s, some people tried to get criminal hackers shortened to &lt;i&gt;crackers&lt;/i&gt; but that was doomed by ambiguity, between the decidedly non-technical use of the term &lt;i&gt;cracker&lt;/i&gt; in the Southern states and people who specialize in cracking encryption codes.) &lt;br /&gt;&lt;br /&gt;While criminal hackers are generally to be reviled for the mess they are making of otherwise beneficial technology, some hackers may be deserving of praise. You can get a personal perspective on this distinction by watching the excellent documentary made by another good friend, Ashley Schwartau, titled "&lt;a href="http://www.hackersarepeopletoo.com/"&gt;Hackers Are People Too&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;All of which underlines the ambiguity--some might say neutrality--of information technology, and the need to use care, as well as clear and specific language, when discussing its use or abuse. Voicemail can be incredibly useful, but it can be abused and cause pain when "hacked" by people of questionable ethics. Encryption can protect your private information from prying eyes, or allow a criminal hacker to hold your data for ransom. Cracking encryption can save lives or expose people to their enemies. &lt;br /&gt;&lt;br /&gt;You might say that the problem with technology is the people who abuse it. We need to distinguish them from the people who try to improve it. 
And choosing our words wisely is one way of making that distinction.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Footnote&lt;/b&gt;: I will have a lot more to say about this and other aspects of information security after September 1, which is when I transition to a new position: Security Evangelist for &lt;a href="http://www.eset.com/"&gt;ESET&lt;/a&gt;.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5879250853485422937?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5879250853485422937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5879250853485422937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5879250853485422937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5879250853485422937'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/08/etymologically-speaking-cracking-or.html' title='Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s72-c/phone-hack-vice.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6962590811833341167</id><published>2011-07-12T22:57:00.004-04:00</published><updated>2011-07-13T11:34:56.747-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='loss'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='phone hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='NOTW'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='consequences'/><title type='text'>The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s1600/NOTW-phone-hack-PIN.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s320/NOTW-phone-hack-PIN.png" width="170" /&gt;&lt;/a&gt;&lt;/div&gt;In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."&lt;br /&gt;&lt;br /&gt;In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.&lt;br /&gt;&lt;br /&gt;Consider anyone who owned stock in BSkyB. I documented their &lt;a href="http://scobbs.blogspot.com/2011/07/hacking-costs-billons-in-stock-losses.html"&gt;bad news yesterday&lt;/a&gt;. And consider any innocent employees of the News of the World who are suddenly without a job. 
If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.&lt;br /&gt;&lt;br /&gt;I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what &lt;a href="http://www.guardian.co.uk/media/blog/2011/jul/10/news-world-hacking-scandal-live"&gt;the Guardian wrote on the subject&lt;/a&gt; around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:&lt;br /&gt;&lt;blockquote&gt;Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:&lt;br /&gt;&lt;br /&gt;"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. 
"Corruption was assumed as a hypothesis for purposes of the decision"."&lt;/blockquote&gt;Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded: "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration." &lt;br /&gt;&lt;br /&gt;So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN being guessed or socially engineered.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6962590811833341167?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6962590811833341167/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6962590811833341167' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6962590811833341167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6962590811833341167'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/07/notw-phone-hacking-lessons-for-risk.html' title='The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s72-c/NOTW-phone-hack-PIN.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-888974773744257997</id><published>2011-07-11T22:30:00.003-04:00</published><updated>2011-07-11T22:37:49.835-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='security incident'/><category scheme='http://www.blogger.com/atom/ns#' term='loss'/><category scheme='http://www.blogger.com/atom/ns#' term='share price'/><category scheme='http://www.blogger.com/atom/ns#' term='NOTW'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Hacking Costs Billions in Stock Losses: 2.88 billion more reasons to enforce security policies</title><content type='html'>The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline &lt;a href="http://www.guardian.co.uk/business/2011/jul/08/bskyb-murdoch-takeover-phone-hacking"&gt;BSkyB shares fall £1.8bn&lt;/a&gt;. 
For American readers:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;BSkyB is British Sky Broadcasting, a satellite TV company&amp;nbsp;&lt;/li&gt;&lt;li&gt;BSkyB is like DirecTV only bigger (based on Market Cap),&amp;nbsp;&lt;/li&gt;&lt;li&gt;the Guardian is a very reputable British newspaper, &lt;/li&gt;&lt;li&gt;one British pound is worth about $1.6, &lt;/li&gt;&lt;li&gt;that share drop erased $2.88 billion from the company's value.&lt;/li&gt;&lt;/ul&gt;What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.&lt;br /&gt;&lt;br /&gt;The owner of NOTW is News International, the British newspaper arm of Rupert Murdoch's News Corporation (NASDAQ:NWS), which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. 
When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s1600/nws-stock-dropper.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s320/nws-stock-dropper.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.&lt;br /&gt;&lt;br /&gt;So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention &lt;a href="http://www.bbc.co.uk/news/uk-14067935"&gt;the victims of the hacking&lt;/a&gt;, like the parents of deceased soldiers and at least &lt;a href="http://www.guardian.co.uk/uk/2011/jul/04/milly-dowler-voicemail-hacked-news-of-world"&gt;one murder victim&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been &lt;a href="http://www.newsoftheworld.co.uk/"&gt;closed for good&lt;/a&gt;, may sue for loss of reputation by association. Victims of the hacking may sue.&lt;br /&gt;&lt;br /&gt;All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. 
(If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.)&amp;nbsp; &lt;br /&gt;&lt;br /&gt;There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.&lt;br /&gt;&lt;br /&gt;BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this &lt;a href="http://en.wikipedia.org/wiki/News_of_the_World_phone_hacking_affair"&gt;Wikipedia article is a good source&lt;/a&gt;. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-888974773744257997?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/888974773744257997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=888974773744257997' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/888974773744257997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/888974773744257997'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/07/hacking-costs-billons-in-stock-losses.html' title='Hacking Costs Billons in Stock Losses: 2.88 billion more reasons to enforce security policies'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s72-c/nws-stock-dropper.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-587752191017296623</id><published>2011-06-18T13:12:00.003-04:00</published><updated>2012-01-01T17:14:25.454-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='cia'/><category scheme='http://www.blogger.com/atom/ns#' term='bradley manning'/><title type='text'>CIA Website Hack Recalls Early Days of eCommerce</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Recent hacking of the CIA website brings back memories of the earliest days of eCommerce on the Web and the first wave of website hacking. The first defacing of the CIA website was carried out in September 1996. For those too young to remember, here's what it looked like:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s1600/cia-hack-1995.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s1600/cia-hack-1995.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;The hacking was done by Swedish hackers using the name "Group Power Through Resistance" and their goals went beyond embarrassing the CIA. 
According to &lt;a href="http://techworld.idg.se/2.2524/1.337251/hackade-hemsidor-vi-minns"&gt;TechWorld Sweden&lt;/a&gt;: &lt;br /&gt;&lt;br /&gt;"The attack messages were primarily intended for the then Swedish state prosecutor [Bo Skarinder] who accused members of the Swedish Hackers Association of hacking. The sentence 'Stop lying Bo Skarinder!' is remembered to this day."&lt;br /&gt;&lt;br /&gt;The most recent CIA website hack, as of this post, was the following effort by an Indian hacker who goes by "lionaneesh":&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.gmanews.tv/webpics/infotech/cia_thehackernews.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="240" src="http://www.gmanews.tv/webpics/infotech/cia_thehackernews.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Lionaneesh claims to have gained access by exploiting an XSS or cross-site scripting vulnerability (here's a &lt;a href="http://searchsecurity.techtarget.co.uk/tip/Cross-site-scripting-explained-How-to-prevent-attacks"&gt;detailed explanation of XSS&lt;/a&gt; written by my brother Mike).&lt;br /&gt;&lt;br /&gt;When Lion&lt;i&gt;aneesh&lt;/i&gt; tweeted about his exploits on a Twitter account his name was listed as Aneesh Dogra (that name has since been removed, but the Twitter account is still active). Posting a "follow me" message on a hacked CIA web page is one of the more interesting ways to gain followers (of which @lionaneesh now has 206).&lt;br /&gt;&lt;br /&gt;Via Twitter, Aneesh expressed affinity with LulzSec, the hacker group that claimed responsibility for an attack on the CIA earlier in the week. The page defaced by Mr. 
Dogra was taken down quite quickly, but a screenshot of it was posted on The Hacker News (as &lt;a href="http://www.gmanews.tv/story/223774/technology/report-cia-site-hacked-defaced"&gt;reported on GMA NEWS&lt;/a&gt;, the Filipino news site).&lt;br /&gt;&lt;br /&gt;That first round of government agency website hacks in 1996 served as a wake-up call to eCommerce sites which were starting to come online at that time (a time when I was providing consulting services to such companies, via the NCSA that later became ICSA Labs, and the Miora Systems Consulting company that later became InfoSec Labs, founded by Michael Miora, Vincent Schiavone, David Brussin, and of course me).&lt;br /&gt;&lt;br /&gt;When I was writing my first paper on the topic of Internet Commerce, delivered at a conference in Hong Kong in early 1996, I struggled to find examples of website defacing. The one that does stick with me is a fur dealer who was targeted by animal rights activists. That sent a strong message about brand-tarnishing and activist-hacking, which became known as hacktivism. It also alerted companies to the truly global nature of the World Wide Web: you might write your website content for your customers, but the entire world can read it if they choose to do so.&lt;br /&gt;&lt;br /&gt;To this day I would advise companies against publishing content on their websites that advocates an unpopular point-of-view or employs insensitive language, unless they are well-prepared to repel attacks from people who do not share that point of view. 
An example I used to cite was a timber industry website that was thinking of putting its newsletters online, the content of which was standard stuff within the industry, but a red flag to environmental extremists (who would be able to find it much more easily on the web than by getting a copy of the printed edition).&lt;br /&gt;&lt;br /&gt;A quick read of the &lt;a href="http://en.wikipedia.org/wiki/Hacktivism"&gt;Wikipedia page on hacktivism&lt;/a&gt; will tell you the term is still emotion-laden because both hacking and activism remain ambiguous terms, seen as the illegal actions of bad actors by those on the receiving end, and the right thing, done for good reason, by the doers. The issue is not made any easier by the pugnacious "shoot-the-messenger" reaction of many organizations to news that their systems are vulnerable.&lt;br /&gt;&lt;br /&gt;My wife encountered this when she questioned a suspicious network connection at a government facility containing highly sensitive classified data. She was angrily asked: "What do you think you're doing probing this network?" As a graduate of the &lt;i&gt;Stephen Cobb School of Tact and Diplomacy&lt;/i&gt; she avoided snapping back with the obvious: "My job!" Instead, she calmly explained that her boss had asked her to create a map of the network for which he was responsible and, in doing so, she had found an undocumented connection to an insecure network. Thanks to a boss who stood by his employee [my wife] the issue was resolved, but not before the threat of prosecution was raised by the "offended" party who owned the insecure network (and who chose to remain in denial of its insecurity).&lt;br /&gt;&lt;br /&gt;Many such stories are documented on the web and one can imagine a hacker finding a flaw in the CIA website wondering what to do about it. Tell the CIA? Who may come looking for you because they can't accept that a. their site is insecure, b. your intentions are honorable. Clearly this is a dilemma. 
When you exploit the vulnerability that you have found you create an example that can be used to remind governments and companies that web security is not a fix-and-forget challenge but an ongoing effort. Nevertheless, the right thing to do is NOT hack the site. And hacking it for personal glory does nothing to help your claim that you were trying to do the right thing.&lt;br /&gt;&lt;br /&gt;Finally, it has to be said that if any federal government agency ought to be a showcase of website security best practices it is the CIA. I'm NOT saying they deserved to be hacked, but they deserve to be on the receiving end of probing questions. As do other government entities. For example, the method that Private Bradley Manning used to remove copies of classified government documents from SIPRNET, the ones that ended up on Wikileaks, was clearly a violation of policies and procedures that my wife laid down over ten years ago to address such problems. It is hard to argue that the people who chose not to enforce such policies are entirely blameless for what their actions, or inaction, allowed to transpire.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-587752191017296623?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/587752191017296623/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=587752191017296623' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/587752191017296623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/587752191017296623'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/06/cia-website-hack-recalls-early-days-of.html' 
title='CIA Website Hack Recalls Early Days of eCommerce'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s72-c/cia-hack-1995.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4730809751687535769</id><published>2011-05-07T22:33:00.002-04:00</published><updated>2011-05-07T22:40:29.857-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='satellite internet'/><title type='text'>Internet Security and Satellite Internet: A gap that needs to be patched?</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (&lt;a href="http://rumbausa.com" target="_blank"&gt;RuMBA&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. 
If you like, you can download the full report at no charge &lt;a href="http://rumbausa.net/downloads/rumba-satellite-wp-web.pdf" target="_blank"&gt;from this link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience; they have serious implications for computer security.&lt;br /&gt;&lt;br /&gt;Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.&lt;br /&gt;&lt;br /&gt;Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.&lt;br /&gt;&lt;br /&gt;Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, but some botnet attacks don't need much speed or capacity to be effective. 
The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.&lt;br /&gt;&lt;br /&gt;Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented. Since the federal government is currently handing over &lt;a href="http://blog.agrilan.com/2011/04/satellite-companies-win-stimulus-funds.html" target="_blank"&gt;tens of millions of taxpayer dollars&lt;/a&gt; to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4730809751687535769?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4730809751687535769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4730809751687535769' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4730809751687535769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4730809751687535769'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/05/internet-security-and-satellite.html' title='Internet Security and Satellite Internet: A gap that needs to be patched?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5826854616966855878</id><published>2011-05-01T16:48:00.002-04:00</published><updated>2011-05-03T14:25:03.922-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><category scheme='http://www.blogger.com/atom/ns#' term='tweet spam'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s1600/sliced-worm-small.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s1600/sliced-worm-small.png" /&gt;&lt;/a&gt;&lt;/div&gt;What is Twitter spam? A whole bunch of "people" tweeting the same thing from accounts that are likely automated. These bogus accounts have a human name followed by a number, like Colettaj339. When you  check out the profile you see this person has:&lt;br /&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Sent many tweets (all pushing links),&amp;nbsp;&lt;/li&gt;&lt;li&gt;Not followed anyone (Following=0).&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;In other words, the account merely exists to direct clicks to a  promotion in return for money. 
Following the pattern of previous forms of spam this Twitter-spam is growing fast and targeting vulnerable people.&lt;br /&gt;&lt;br /&gt;For example, I have been encountering more and more of this stuff when searching Twitter for the term "hemochromatosis" which is a scary and potentially fatal genetic condition that causes iron overload, a toxic buildup of iron in joints and organs like the liver, heart, brain, thyroid and so on.&lt;br /&gt;&lt;br /&gt;Given the pathetically poor level of knowledge about this condition that exists in the general medical population it is very common for people who find they have hemochromatosis to turn to various channels on the Internet for information, including Twitter.&lt;br /&gt;&lt;br /&gt;My hemochromatosis search on Twitter today found a bunch of tweeted links leading to a pitch page for an eBook on Iron Overload priced at $37. Bear in mind that the highly regarded and medically reviewed &lt;i&gt;Iron Disorders Institute Guide to Hemochromatosis&lt;/i&gt; can be purchased &lt;a href="http://www.amazon.com/Iron-Disorders-Institute-Guide-Hemochromatosis/dp/1402229437" target="_blank"&gt;in paperback on Amazon.com&lt;/a&gt; for a lot less than half that price, and can be had as an &lt;a href="http://www.amazon.com/Disorders-Institute-Guide-Hemochromatosis-ebook/dp/B004DCB302" target="_blank"&gt;eBook on Kindle&lt;/a&gt;  for $9.89.&lt;br /&gt;&lt;br /&gt;Maybe the tweet-spammed book is brilliant and worth $37 but the large number of spam Tweets makes me doubtful. And this is by no means the first targeting of hemochromatosis sufferers on Twitter. Tweet spam leading people to an article site has also used this hook. In fact, I'm willing to bet that whenever you search a nasty disease, for example multiple sclerosis, you will see this Tweet spam. 
Here are some observations about this depressing phenomenon:&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Cobb's First Law of Communications Technology: Every new communications technology will quickly be abused, most likely by people lying in the hopes of making money.&lt;/li&gt;&lt;li&gt;Twitter has not done enough to make sure new accounts are opened by real people.&lt;/li&gt;&lt;li&gt;Twitter is not doing enough to remove blatant spam accounts (email me at scobb[at]scobb[dot]net for the algorithm to identify these accounts, guys; it's not that complicated).&lt;/li&gt;&lt;li&gt;A depressingly large number of people need to ask themselves whether what they are doing with their computers is helping or hurting their fellow man, woman, or child.&lt;/li&gt;&lt;li&gt;Until the median level of morality among computer-literate humans starts to rise, we will see spam, scams, fraud, and the like continuing to poison the technology and waste precious resources (like &lt;a href="http://www.sustainablebusiness.com/index.cfm/go/news.display/id/18012"&gt;the energy that email spam wastes&lt;/a&gt;, enough to power millions of homes).&lt;/li&gt;&lt;/ol&gt;BTW, if you want solid information about hemochromatosis, visit &lt;a href="http://www.irondisorders.org/"&gt;The Iron Disorders Institute&lt;/a&gt;. If you want Twitter to do more to stop Twitter-spam, &lt;a href="http://twitter.com/about/contact"&gt;contact the company&lt;/a&gt;. I find that a fax to the CEO is a good communications channel to use: Mr. Evan Williams, CEO, Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, fax 415-222-0922.
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5826854616966855878?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5826854616966855878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5826854616966855878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5826854616966855878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5826854616966855878'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/05/twitter-spam-getting-bad-now-poisoning.html' title='Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s72-c/sliced-worm-small.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1949847355822989949</id><published>2011-04-30T15:02:00.000-04:00</published><updated>2011-04-30T15:02:17.074-04:00</updated><title type='text'>Cost of a data breach climbs higher</title><content type='html'>Well worth paying attention, whether you are in privacy or security, in business or investing in businesses, CIPP or CISSP:&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher"&gt;Cost of a data breach climbs higher - Dr. Ponemon's blog&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.&lt;br /&gt;&lt;br /&gt;It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1949847355822989949?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher' title='Cost of a data breach climbs higher'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1949847355822989949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1949847355822989949' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1949847355822989949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1949847355822989949'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/04/cost-of-data-breach-climbs-higher.html' title='Cost of a data breach climbs higher'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7973235380892738837</id><published>2011-01-30T15:03:00.004-05:00</published><updated>2011-01-30T20:37:08.725-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mobile security'/><title type='text'>Mobile Payments: One Trillion More Reasons to Think About Mobile Security</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s1600/hacked-phone.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s320/hacked-phone.jpg" width="122" /&gt;&lt;/a&gt;&lt;/div&gt;It is hard to think of anything more attractive to hackers than a widely-deployed digital payment system. And the world is now witnessing the fastest rollout of a digital payment system ever, to your mobile phone, a.k.a. smartphone, cellphone, iPhone, tablet/slate, i-device. Consider just two stories that appeared one day last week:&lt;br /&gt;&lt;blockquote&gt;"With corporate behemoths such as Starbucks Coffee Co. and  McDonald's Corp. leading the way, 50 percent of consumers will have made a  mobile payment of some kind by 2014, &lt;a href="http://www.mobilecommercedaily.com/2011/01/26/starbucks-mcdonald%E2%80%99s-leading-the-way-in-mobile-contactless-payments"&gt;according to Juniper Research&lt;/a&gt;." 
&lt;/blockquote&gt;&lt;blockquote&gt;And "&lt;a href="http://www.mobilecommercedaily.com/2011/01/26/mobile-payments-could-reach-1-trillion-by-2015-luciano-group"&gt;according to this report&lt;/a&gt;, U.S. mobile payments could reach $1 trillion by 2015."&lt;/blockquote&gt;That's one &lt;b&gt;trillion&lt;/b&gt; dollars with a "&lt;b&gt;T&lt;/b&gt;" headed to a bunch of devices that are, from an historical IT perspective, barely out of beta testing. Consider a couple of random stories I found hanging around in my browser cache when I sat down to write this post:&lt;br /&gt;&lt;blockquote&gt;November 2, 2010: An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a &lt;a href="http://www.eweekeurope.co.uk/news/serious-security-bugs-found-in-android-kernel-11040?utm_source=dft.ba&amp;amp;utm_medium=link"&gt;report published on Tuesday&lt;/a&gt;.&lt;/blockquote&gt;&lt;blockquote&gt;December 29, 2010: Mobile security firm Lookout is sounding the alarm about a Trojan targeting Android devices that, while confined to China so far, represents one of the most sophisticated pieces of malware it has seen to date. The malware, named “Geinimi”, is the first Trojan to display botnet-like capabilities, &lt;a href="http://gigaom.com/2010/12/29/mobile-trojan-malware-targets-android-devices/"&gt;allowing it to receive remote commands&lt;/a&gt;...&lt;/blockquote&gt;&lt;blockquote&gt;And don't think that using an iPhone or BlackBerry will eliminate security risks. Just check out this page of stories about &lt;a href="http://www.elcomsoft.com/press-about-us.html"&gt;password cracking software&lt;/a&gt; available from Russia. 
Something to bear in mind when you read that "MasterCard's PayPass wallet application can be password-protected so that a lost or stolen handset cannot be used to make payments"&lt;/blockquote&gt;But let's get back to what I meant when I said it's hard to think of anything more attractive to hackers than a widely-deployed digital payment system. Notice I didn't qualify "hacker" in this context. That's because hackers of all stripes find computerized payment technology fascinating. Back in 1995, when I spoke for the first time at DefCon, the now legendary annual hacker convention in Las Vegas, the speaker ahead of me presented a detailed explanation of just how easy it was to make fake credit cards that worked.&lt;br /&gt;&lt;br /&gt;When I cited that presentation as an example of the damage that hacking could do, the response was vociferous and articulate and could be summed up like this: The banks are to blame for using such lame technology when a few tweaks to the system and a little more effort could actually make it a lot more secure, as shown in the presentation.&lt;br /&gt;&lt;br /&gt;That was a valuable lesson for me. Not everyone who hacks payment systems is out to steal your money. Hence the useful qualifier "criminal" as used by my friend and colleague Mich Kabay who is always careful to say criminal hackers when that is the type of hackers to whom he is referring. A lot of people see a spectrum of hackers. One can describe it, if you leave out the nuances, like this: black hat hackers who are criminally-minded, gray hat hackers who may hack for profit, and white hat hackers who are trying to find solutions to hacks before the hacks are widely exploited (and may profit professionally for so doing).&lt;br /&gt;&lt;br /&gt;What I'm saying is that every shade of hacker is likely to look long and hard at hacking mobile payment systems, from those who want to hack the system for illegal gain to those who seek to gain fame for finding the holes. 
The question is: Can the systems now being rolled out withstand the scrutiny? History gives me a clear answer: No.&lt;br /&gt;&lt;br /&gt;Unless some fundamental changes have occurred in the technology and banking industries, changes of which I am unaware, that negative answer has a high probability of being right. I predict holes will be found and some of those holes will be exploited for illegal gain before they are plugged. I also predict that:&lt;br /&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Mobile payment systems will still be rolled out, and&amp;nbsp;&lt;/li&gt;&lt;li&gt;Companies that already have a good track record in mobile security will do very well this decade.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7973235380892738837?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7973235380892738837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7973235380892738837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7973235380892738837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7973235380892738837'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/01/mobile-payments-one-trillion-more.html' title='Mobile Payments: One Trillion More Reasons to Think About Mobile Security'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s72-c/hacked-phone.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-347370192081014333</id><published>2011-01-25T22:33:00.001-05:00</published><updated>2011-01-26T11:18:32.829-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='frost'/><category scheme='http://www.blogger.com/atom/ns#' term='sullivan'/><category scheme='http://www.blogger.com/atom/ns#' term='m.a.d.'/><category scheme='http://www.blogger.com/atom/ns#' term='mecs'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile security'/><title type='text'>One to Watch: MAD's MECS is mobile security made real</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;There is no doubt in my mind that the new information security frontier is mobile, as in mobile phones and mobile pads/slates/tablets. More and more data is going to be processed by, stored on, and accessed from mobile devices. You can see this very clearly if you spend any time in the world of consumer marketing where the biggest buzzword right now is "mobile" as in mobile advertising, mobile shopping, and mobile payments.&lt;br /&gt;&lt;br /&gt;And where the money goes, criminal hacking is sure to follow, along with scams, spammers, phishing and fraud. Which is why I've been very interested for a while now in a mobile security company called MAD, a company of which my good friend Winn Schwartau is Chairman.&lt;br /&gt;&lt;br /&gt;MAD's flagship product has already won several&amp;nbsp;&lt;a href="http://www.mobileactivedefense.com/2011/01/frost-sullivan-awards-mobile-active-defense-with-2011-new-product-innovation-of-the-year-award/"&gt;awards like this&lt;/a&gt;. 
And I can assure you that awards like these don't grow on trees. Industry analysts don't like to get burned by endorsing flash-in-the-pan products that leave them looking all egg-faced in 12 months if the product peters out. Bear that in mind when you read this assessment:&lt;br /&gt;&lt;blockquote&gt;“The Mobile Enterprise Compliance and Security Server (MECS) innovative solution focuses primarily on delivering a new dimension of security, management and compliance to enterprises. Compared to standard mobile device management (MDM) solutions, which are not regarded to be viable security platforms, M.A.D.’s offering promises to provide the utmost protection for mobile enterprise devices.” The assessment goes on to state that “Owing to the extensive capacity offered by M.A.D.’s solution, Frost &amp;amp; Sullivan feels that the company has gained a significant advantage compared to its competitors...”&lt;/blockquote&gt;Pretty impressive! MAD's MECS is definitely one to watch as the struggle to secure the mobile frontier heats up in 2011.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-347370192081014333?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/347370192081014333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=347370192081014333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/347370192081014333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/347370192081014333'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2011/01/one-to-watch-mads-mecs-is-mobile.html' title='One to Watch: MAD&apos;s MECS is mobile security made 
real'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-358906164081758844</id><published>2010-12-11T08:04:00.036-05:00</published><updated>2010-12-11T12:55:17.885-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wikileaks'/><category scheme='http://www.blogger.com/atom/ns#' term='hactivists'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberwar Information Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Assange'/><title type='text'>Wikileaks, Assange, Cyberwar and the Real Information Security Story</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s1600/wikileaks.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s320/wikileaks.png" width="138" /&gt;&lt;/a&gt;&lt;/div&gt;Time for some perspective on Wikileaks, the cyber attacks against it, and for it, and the real information security story that may get lost in the mix. (Note: I am not under any illusion that the world has been holding its breath waiting for me to weigh in on this subject; this is more of a "memo to the file" undertaking.)&lt;br /&gt;&lt;br /&gt;For me, the real meat of the Wikileaks story is the content of the documents that are being leaked. 
Coming a close second is the pathetic state of information security within the US government in general and military/intel systems in particular.&lt;br /&gt;&lt;br /&gt;(BTW, I commented on this in the context of a &lt;a href="http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/"&gt;Danger Room story on Wired&lt;/a&gt; which apparently was not deemed worthy of approval--one reason I am repeating myself here: American taxpayers have been thoroughly ripped off when it comes to the money spent protecting state secrets. There used to be policies and procedures in place to prevent something like Pfc Manning recording secret documents on a CD-RW labeled Lady Ga Ga, but the army brass likes its tunes too much to put up with that kind of inconvenience, part of the same mindset that leads so many of them to use the same lame password for everything.)&lt;br /&gt;&lt;br /&gt;However, the BIG story may be the implications of hacktivists taking up cyber-arms against the perceived foes of Wikileaks. It reminded me of a Network World column by my friend Mark Gibbs in 2005 titled "&lt;a href="http://www.networkworld.com/columnists/2005/020705backspin.html"&gt;The selfish 'Net and the Big One&lt;/a&gt;." In that piece I reiterated my longstanding opinion that "the Internet continues to function at the whim of those who know how to bring it down."&lt;br /&gt;&lt;br /&gt;As the hacktivist fans of Wikileaks tone down their attacks on dot com sites there may be a temptation to dismiss them as a sideshow. However, it would be a big mistake to just say "Those guys couldn't take down Amazon.com" and leave it at that. I would argue that the only reason Amazon.com or any other website is still online is that the people who know how to take it down have decided not to do so. 
Remember: "the Internet continues to function at the whim of those who know how to bring it down."&lt;br /&gt;&lt;br /&gt;To put it another way, the world's virtual economy is built upon a web of trust and mutual self interest, not a bullet-proof framework of resilient technology. To think otherwise is to risk massive losses should a real cyberwar break out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-358906164081758844?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/358906164081758844/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=358906164081758844' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/358906164081758844'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/358906164081758844'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/12/wikileaks-assange-cyberwar-and-real.html' title='Wikileaks, Assange, Cyberwar and the Real Information Security Story'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s72-c/wikileaks.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1113414000381910430</id><published>2010-10-23T17:38:00.004-04:00</published><updated>2010-10-23T17:42:54.203-04:00</updated><title type='text'>Of Satellites and Zombies and Recurring Security Themes</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s1600/satellite-shot.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s1600/satellite-shot.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I recently came across some archival security wordage while writing a whitepaper about satellite Internet service. Because it still seems relevant, I thought I would reprint it. But first, some background on satellite Internet. America's telecom companies are fending off demands for universal broadband service requirements by telling politicians that satellite Internet is broadband. It most certainly is not.&lt;br /&gt;&lt;br /&gt;Satellite Internet does provide an “always on” connection that is faster than dialup, but one problem with this service is that you have to turn off those automatic software updates that sometimes patch security holes in applications and operating systems (this is because of tight bandwidth caps, as low as 300 megabytes a day, with penalties for going over your limit). 
So you have these “always on” connections that are not getting patched promptly.&lt;br /&gt;&lt;br /&gt;A few years back in the history of computer security it emerged that "always on computing" in the form of consumer computing devices connected to high speed Internet connections created the potential for large-scale attacks on corporate and government systems through compromised hosts (zombies) organized into malicious networks (botnets) by criminal hackers or cyber-terrorists. A prime strategy for turning personal computing devices into zombies is to exploit software vulnerabilities before they are fixed or “patched” by users downloading and installing updates.&lt;br /&gt;&lt;br /&gt;Software companies responded to this threat by developing automated distribution systems for security updates. Turning off these automated patching systems increases the risk that consumer Internet devices will be compromised and used in botnet attacks. This threat appears in government reports as early as 2004 (&lt;a href="http://www.dhs.gov/xlibrary/assets/niac/NIAC_HardeningInternetPaper_Jan05.pdf"&gt;National Infrastructure Advisory Council, Hardening the Internet: Final report and Recommendations by the Council&lt;/a&gt;, October, 2004).&lt;br /&gt;&lt;br /&gt;I know that it was openly discussed during FTC hearings on computer security in 2002 because I was part of the discussion. The Consumer Information Security Workshop, held May 21-22, 2002, in Washington was addressed by Dick Clarke, then the President's special advisor on cyber security issues and chair of the President's commission on critical infrastructure protection. 
At that time he was formulating the national strategy for cyber security, a multi-pronged strategy to improve the security of government agencies, businesses and consumers.&lt;br /&gt;&lt;br /&gt;(Before his appointment as special advisor to the President, Clarke served as national coordinator for security infrastructure protection and counter-terrorism on the National Security Council. As national coordinator, he led the U.S. government's efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction and international organized crimes. In the George H. W. Bush Administration, Clarke was the assistant secretary of state for political military affairs. In that capacity, he coordinated State Department support for Desert Storm and led efforts to create post war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff.)&lt;br /&gt;&lt;br /&gt;So here's what Clarke said about the 2002 FTC Consumer Information Security Workshop:&lt;br /&gt;&lt;br /&gt;"We see this two-day workshop as part of the national outreach effort that we are making as we develop the national strategy to secure cyberspace. How can the home user, without knowing it, hurt other people? Tim mentioned distributed denial of service attacks, and we've seen that happen already. This is not a theoretical possibility where the home user, without knowing it, has their computer attacked. A part of their computer is then covertly taken over by an automated program, and it sits waiting for instructions or it sits waiting for a time, and then when that time comes, it launches what's called a distributed denial of service attack, firing messages out many times a second, and it does it in concert with hundreds or thousands of other computers, and those messages from all of those computers are aimed at one site on the Internet. 
The effect can be that the site closes down under the volume, that the routers and the servers crash under the wave.&lt;br /&gt;&lt;br /&gt;"...In point of fact, denial of service attacks occur every day. There are hundreds a month aimed at all sorts of different sites all over the Internet and all over the world, and many of them are happening because the home consumer hasn't been told how to prevent his or her computer from becoming a zombie. Many people don't even know when their computer has become a zombie."&lt;br /&gt;&lt;br /&gt;Later, the same FTC workshop heard from Tatiana Gau, Vice President of Integrity Assurance at America Online, about "one of the approaches that we took earlier this year with the National Cyber Security Alliance."&lt;br /&gt;&lt;br /&gt;This was a Call to Action that went like this:&lt;br /&gt;&lt;br /&gt;"As a citizen of the United States it is your duty to do your part in trying to protect the nation's infrastructure. Yes, there's other elements that need to play a role in protecting our nation's infrastructure, but you as a consumer need to make sure that you don't unwittingly become the mechanism through which an organized group or a disorganized group could, in fact, attack a government web site or some other system in our country by having your computer become a robot simply because you had a password that was too easy to guess."&lt;br /&gt;&lt;br /&gt;So, here we are, eight years later. The average consumer is probably a little better informed about cyber security than they were back then, but not much. And America's telecom companies are trying to avoid serving rural areas by touting an "always on" consumer Internet service that arguably has a higher risk profile than cable, DSL, or fiber optic. 
Good job we're less reliant on computers these days...no wait, we're a lot more reliant, pity we're not a lot more aware of the risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1113414000381910430?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1113414000381910430/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1113414000381910430' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1113414000381910430'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1113414000381910430'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/10/of-satellites-and-zombie-and-recurring.html' title='Of Satellites and Zombies and Recurring Security Themes'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s72-c/satellite-shot.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2600214767549588633</id><published>2010-06-16T12:40:00.001-04:00</published><updated>2010-06-16T12:45:14.837-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SANS'/><category scheme='http://www.blogger.com/atom/ns#' term='information assurance'/><category scheme='http://www.blogger.com/atom/ns#' 
term='IASSP'/><category scheme='http://www.blogger.com/atom/ns#' term='IA'/><category scheme='http://www.blogger.com/atom/ns#' term='GCHQ'/><category scheme='http://www.blogger.com/atom/ns#' term='acrobat'/><category scheme='http://www.blogger.com/atom/ns#' term='NRO'/><category scheme='http://www.blogger.com/atom/ns#' term='NSA'/><category scheme='http://www.blogger.com/atom/ns#' term='CISSP'/><category scheme='http://www.blogger.com/atom/ns#' term='MCDBA. CESG'/><category scheme='http://www.blogger.com/atom/ns#' term='CLAS'/><category scheme='http://www.blogger.com/atom/ns#' term='PDF'/><category scheme='http://www.blogger.com/atom/ns#' term='USA'/><category scheme='http://www.blogger.com/atom/ns#' term='reader'/><category scheme='http://www.blogger.com/atom/ns#' term='UK'/><category scheme='http://www.blogger.com/atom/ns#' term='adobe'/><title type='text'>Enterprise PDF Attack Prevention Best Practices: As commended by SANS</title><content type='html'>"According to McAfee &lt;a href="http://www.avertlabs.com/research/blog/index.php/2010/04/26/surrounded-by-malicious-pdfs/"&gt;Avert Labs&lt;/a&gt;, as of Q1 2010, malicious malformed PDF files are now involved with 28% of all malware directly connected to exploits." So states Mike Cobb in this very handy article on &lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html"&gt;Enterprise PDF Attack Prevention Best Practices&lt;/a&gt; (free registration may be required but is totally worth it).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s1600/pdf-watch.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s320/pdf-watch.jpg" /&gt;&lt;/a&gt;Of course, you may be thinking: Stephen Cobb says it's worth reading because Mike Cobb wrote it. 
So here's an objective opinion: "very good refresher on best practices for protecting against any malware spread by using any number of compromised attachments." That's Deb Hale of Long Lines, writing in the &lt;a href="http://isc.sans.edu/diary.html?storyid=8938"&gt;SANS Internet Storm Center Diary&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;True, Mike Cobb is my brother, but he is also Mike Cobb, CLAS, CISSP-IASSP, MCDBA. (BTW, for the acronymically-minded, CLAS = CESG Listed Adviser Scheme. CESG is the Communications-Electronics Security Group, which describes itself as the Information Assurance (IA) arm of GCHQ (as in Government Communications Headquarters), which is basically the UK equivalent of the USA's NSA/NRO.) In other words, Mike knows quite a bit about security, as well as initials and acronyms.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2600214767549588633?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2600214767549588633/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2600214767549588633' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2600214767549588633'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2600214767549588633'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/06/enterprise-pdf-attack-prevention-best.html' title='Enterprise PDF Attack Prevention Best Practices: As commended by SANS'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s72-c/pdf-watch.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7754755163989451323</id><published>2010-04-23T15:57:00.006-04:00</published><updated>2010-04-23T16:08:38.033-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber-security'/><title type='text'>The Feed to Read When You Need Cyber-Security Info</title><content type='html'>I think I have mentioned David Kennedy's information security updates before. I get them on &lt;a href="http://friendfeed.com/stephencobb"&gt;FriendFeed&lt;/a&gt; but you can &lt;a href="http://www.google.com/reader/shared/00452177554692898246"&gt;read them on Google&lt;/a&gt; as well (and that might be more convenient for some people).&lt;br /&gt;&lt;br /&gt;David consistently flags the most interesting cyber-security stories out there and is a great resource if you want to stay current. Here's just one example, a very elaborate phishing scam recently perpetrated via Gmail, as &lt;a href="http://www.cyveillanceblog.com/general-cyberintel/gmail-online-pharmacy-spam"&gt;written up by Cyveillance&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cobbsblog.com/images/dilbert-card.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://cobbsblog.com/images/dilbert-card.png" /&gt;&lt;/a&gt;So why is there a Dilbert comic in this post? Well, reading a constant stream of breaches and scams and cyber-crimes is not much fun and can be somewhat overwhelming when you are responsible for fighting an uphill and inherently asymmetric battle to keep your systems safe.&lt;br /&gt;&lt;br /&gt;But what else are you going to do? 
If you don't stay informed, you could fall prey to a "known attack" and that is no fun at all.&lt;br /&gt;&lt;br /&gt;So I pasted in some Dilbert for light relief. I actually licensed this strip and several others for the 1996 edition of my guide to PC and LAN security. As I recall, Dilbert creator Scott Adams was a lot more helpful than some other cartoonists I contacted back then. Thanks Scott!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7754755163989451323?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7754755163989451323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7754755163989451323' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7754755163989451323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7754755163989451323'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/04/feed-to-read-when-you-need-cyber.html' title='The Feed to Read When You Need Cyber-Security Info'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-8842386691518459164</id><published>2010-02-21T17:48:00.005-05:00</published><updated>2010-02-21T17:57:29.715-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lower merion'/><category scheme='http://www.blogger.com/atom/ns#' term='data 
privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='paedophile'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='inappropriate'/><category scheme='http://www.blogger.com/atom/ns#' term='merion school'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Dumb and Dumber: School district spying, assisted burglary</title><content type='html'>This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.&lt;br /&gt;&lt;br /&gt;&lt;div style="clear: left; float: left; margin-bottom: 0em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/S4G42O0GDHI/AAAAAAAAA_Y/4UUVjTRW3MM/s320/hal9000.png" /&gt;&lt;/div&gt;First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).&lt;br /&gt;&lt;br /&gt;So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to out 2,300 Apple laptops with built in cameras).&lt;br /&gt;&lt;br /&gt;This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? 
A snapshot taken remotely by one of those laptops with a built in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the the beam in thine eye versus the mote in mine.&amp;nbsp; Here's more of what has been reported: &lt;br /&gt;&lt;blockquote&gt;The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop.  Harriton High School student Blake Robbins, claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike &amp;amp; Ike candies, which he said the school mistook for illegal pills.&lt;/blockquote&gt;Just how inappropriate was the assistant prinicipal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused. &lt;br /&gt;&lt;br /&gt;The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.&lt;br /&gt;&lt;br /&gt;In the case of Lower Merion School District the abuse was to invade the student's privacy and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. 
a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal signing off on the activation after a documented evidence of theft).&lt;br /&gt;&lt;br /&gt;Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention &lt;a href="http://tr.im/PbKf"&gt;FBI involvement&lt;/a&gt;, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.&lt;br /&gt;&lt;br /&gt;So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. Some &lt;a href="http://news.bbc.co.uk/2/hi/technology/8521598.stm"&gt;people in the Netherlands created a web site&lt;/a&gt; called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!"&lt;br /&gt;&lt;br /&gt;Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. 
Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. Do you feel lucky?&lt;br /&gt;&lt;br /&gt;I will pick up the CAFE cycle in my next post.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-8842386691518459164?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/8842386691518459164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=8842386691518459164' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8842386691518459164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8842386691518459164'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/02/dumb-and-dumber-school-district-spying.html' title='Dumb and Dumber: School district spying, assisted burglary'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/S4G42O0GDHI/AAAAAAAAA_Y/4UUVjTRW3MM/s72-c/hal9000.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-183493956371043601</id><published>2010-02-06T15:39:00.011-05:00</published><updated>2010-02-06T16:08:31.484-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='extremism'/><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='violence'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='illegal'/><title type='text'>Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s1600-h/cafe-cycle.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 0.10em;"&gt;&lt;img style="border:none;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s320/cafe-cycle.png" /&gt;&lt;/a&gt;I have written this post/article/paper because I see a pattern of human behavior, the understanding of which may have some potential to improve the security of data and data subjects in the virtual world, as well as the security of persons and property in the real world. Because my thoughts about this pattern came together while I was in my favorite coffee shop, I coined the term “CAFE cycle” to describe a cycle of behavior that goes like this: &lt;br /&gt;&lt;blockquote&gt;Cause-Action-Frustration-Exposure/Extremism&lt;/blockquote&gt;I will describe the cycle in generic terms then present two examples. Generically, a person becomes motivated by a Cause and takes Action to achieve the goal of that cause. Frustrated by failure to achieve the goal through legal means, the person takes illegal action, exposing him or her to three potentially problematic experiences: illicit thrills, illegal gains, and group membership. Continued failure to achieve the goal leads the person to pursue extreme forms of these experiences until they become an end in their own right, an Extremism that supplants the original Cause for Action, essentially rendering it irrelevant.  
&lt;br /&gt;&lt;br /&gt;For a basic example consider an adolescent male who wants to learn, through direct experience, the workings of large computer networks. He exhausts the limited avenues of legal access to a large network and so he makes repeated attempts to gain unauthorized access, breaking the law as he does so. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The hacker is now a criminal hacker and part of a criminal hacking sub-culture which has a certain appeal, partly due to irresponsible and ill-informed media coverage of criminal hacking. He did not try to break into the network for the thrill of it, or for financial gain, or to join a sub-culture. His cause was education. His goal was knowledge. But through the CAFE cycle all that can change. He may pursue illegal acts for kicks, for gain, or for the feeling of belonging that comes from participation in a group committed to this lifestyle.&lt;br /&gt;&lt;br /&gt;Consider another adolescent male. He perceives an injustice in the world and he wants to change it. He exhausts the limited avenues of legal redress such as peaceful demonstrations and goes one step further, throwing a stone at a police barricade, breaking the law as he does so. He is now a part of a sub-culture of violent protest which has a certain appeal, partly due to irresponsible and ill-informed media coverage of such protests. He did not throw the stone for the thrill of it, or for financial gain, or to join a sub-culture. His cause was justice. His goal was redress. But through the CAFE cycle all that can change. He may pursue illegal acts for kicks, for gain, or for the feeling of belonging that comes from participation in a group committed to this lifestyle. 
And the lifestyle can become extreme, going as far as violence against innocent persons for its own sake.&lt;br /&gt;&lt;br /&gt;The CAFE cycle indicates that, for a certain percentage of people, the repetition of illegal acts committed to achieve a desired goal leads to one or more forms of motivational displacement, the three most worrying of which are: kicks, gain, and membership. Over time these can become sociopathic thrill-seeking, greed, and fanatical attachment. Examples: terrorists who kill innocent civilians, extortion gangs that feed off innocent civilians in regions of political instability, and suicide bombers who kill themselves for the cause.&lt;br /&gt;&lt;br /&gt;Note that I am not equating criminal hackers with terrorists or suicide bombers, but I think the underlying pattern is the same. Some criminal hackers get hooked on the thrill, others get hooked on the growing profits to be made from their skills. Some form groups by which the thrills and/or the profits can be enhanced through collaboration, and to which there is satisfaction in belonging. Likewise, some people who adopt virtuous causes go through the CAFE cycle so many times they become addicted to the life of the freedom-fighter-terrorist, a life driven by thrills, or greed, or bonding or some combination thereof.&lt;br /&gt;&lt;br /&gt;The CAFE cycle has the power to produce, from the totality of supporters of a legitimate cause, some subset of persons who engage in illegal activity for reasons other than furtherance of the cause. This power can be seen when a cause gets close to achieving its goal, and also when the goal has been achieved and the cause is moot. Some criminal hackers just can't stop hacking. 
Some terrorists can't handle the outbreak of peace and continue to commit acts of greed, violence, extortion, and so on.&lt;br /&gt;&lt;br /&gt;Clearly there are many variables involved in the CAFE cycle and these can vary greatly from one community to another. Analysis of this phenomenon is further complicated when there is a lack of consensus within a community as to what constitutes a reasonable goal. The phenomenon takes on its most difficult form when the “community” is the world community. Global consensus is hard to reach. For advocates of some causes who are perpetually frustrated, the CAFE cycle generates multiple subsets of persons acting primarily for the perpetuation of an illegal lifestyle.&lt;br /&gt;&lt;br /&gt;In my next post I will outline implications of the CAFE cycle for security. (And I will probably post something about the use of hacking versus criminal hacking, terms that are fraught with potential to upset some people.) &lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-183493956371043601?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/183493956371043601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=183493956371043601' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/183493956371043601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/183493956371043601'/><link rel='alternate' type='text/html' 
href='http://scobbs.blogspot.com/2010/02/riding-same-cycle-criminal-hacking-and.html' title='Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s72-c/cafe-cycle.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1148394323913762651</id><published>2010-02-04T18:13:00.001-05:00</published><updated>2010-02-04T18:15:33.924-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trusecure'/><category scheme='http://www.blogger.com/atom/ns#' term='messagelabs'/><category scheme='http://www.blogger.com/atom/ns#' term='icsa labs'/><category scheme='http://www.blogger.com/atom/ns#' term='verizon'/><category scheme='http://www.blogger.com/atom/ns#' term='Symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='ncsa'/><title type='text'>2 Security Tips: David Kennedy and the Symantec Threat Forecast 2010 Webinar Recording</title><content type='html'>Just a quick post to point to the &lt;a href="http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&amp;amp;eventid=173264"&gt;archived version of the Symantec MessageLabs Threat Forecast 2010 Webinar/webcast&lt;/a&gt; that I mentioned in my previous post: A Good Way to Start the Year. Definitely worth watching.&lt;br /&gt;&lt;br /&gt;Also worth watching as we make our way forward into a fresh decade of information system security challenges are the updates from David Kennedy. 
You can &lt;a href="http://friendfeed.com/trusecure"&gt;catch them on FriendFeed&lt;/a&gt; and for me they are just the right mix of security alert. Not too granular, but most likely to include the stuff you don't want to miss. David's been at this a long time and become wise in the ways of the security world (for a short time in the mid-nineties we were co-workers at NCSA, later ISCA Labs and TruSecure). You can also catch &lt;a href="http://securityblog.verizonbusiness.com/"&gt;David's blog at Verizon Business&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div id="ui-datepicker-div" style="display: none;"&gt;&lt;/div&gt;&lt;div id="ui-datepicker-div" style="display: none;"&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1148394323913762651?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1148394323913762651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1148394323913762651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1148394323913762651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1148394323913762651'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/02/2-security-tips-david-kennedy-and.html' title='2 Security Tips: David Kennedy and the Symantec Threat Forecast 2010 Webinar Recording'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5215381230835371833</id><published>2010-01-15T16:18:00.004-05:00</published><updated>2010-01-15T18:21:01.312-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='messagelabs'/><category scheme='http://www.blogger.com/atom/ns#' term='security webinar'/><category scheme='http://www.blogger.com/atom/ns#' term='botnets'/><category scheme='http://www.blogger.com/atom/ns#' term='Symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='threat forecast'/><title type='text'>Symantec Threat Forecast 2010 Webinar: A Good Way to Start the Year</title><content type='html'>Okay, so the year has already started, but how many hours have you spent pondering your information security strategy for 2010? If the answer is zero, then there's a &lt;a href="http://www.bulldogsolutions.net/MessageLabs/MSL01192010/frmRegistration.aspx?bdls=22457"&gt;webinar on January 19 you should sign up for here&lt;/a&gt;. If your answer was greater than zero then: a. Good for you, seriously! b. Ask yourself if you could use some well-informed speculation about what is coming down the pike in 2010, threat-wise, seriously. 
Consider:&lt;br /&gt;&lt;blockquote&gt;"With compromised computers issuing 83% of the 107 billion spam messages distributed globally each day, the shutdown of botnet hosting ISPs, such as McColo in 2008 and Real Host in 2009, appear to have made botnets re-evaluate and enhance their backup strategy to enable recovery in just hours.&lt;br /&gt;&lt;br /&gt;"It is predicted that in 2010 botnets will become autonomously intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival."&lt;br /&gt;&lt;/blockquote&gt;&lt;div style="text-align: right;"&gt;&amp;nbsp;*Source: MessageLabs Intelligence 2009 Annual Security Report&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;Not that all the threats to your data in 2010 are botnets, far from it, but the continued rise of botnets puts pressure on all levels of security, from end points to servers and even analog attack points like employee compromise. In 2010 we will continue to experience the knock-on effects of the marketization of compromised systems and personal data that can pry open system access. &lt;a href="http://www.bulldogsolutions.net/MessageLabs/MSL01192010/frmRegistration.aspx?bdls=22457"&gt;Register for the webinar now&lt;/a&gt; and you can get the MessageLabs Intelligence 2009 Annual Security Report. 
See you on the 19th.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5215381230835371833?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5215381230835371833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5215381230835371833' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5215381230835371833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5215381230835371833'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/01/symantec-threat-forecast-2010-good-way.html' title='Symantec Threat Forecast 2010 Webinar: A Good Way to Start the Year'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5893189055294042336</id><published>2009-12-15T16:36:00.000-05:00</published><updated>2010-01-15T16:38:50.496-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TechTarget'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='SearchSecurity'/><category scheme='http://www.blogger.com/atom/ns#' term='audit'/><title type='text'>Network Auditing Article on TechTarget</title><content type='html'>Just a quick post to help folks find the recent article on &lt;a 
href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1376179,00.html"&gt;network auditing on TechTarget's SearchSecurity&lt;/a&gt;. &lt;br /&gt;&lt;blockquote&gt;Think of it like this: There's at least a 50/50 chance you have one or more significant network security problems, and an audit is a good way to find them. In fact, 43% of survey respondents felt their organizations should audit their networks more frequently...&lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1376179,00.html"&gt;Read more...&lt;/a&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5893189055294042336?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5893189055294042336/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5893189055294042336' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5893189055294042336'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5893189055294042336'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2010/01/network-auditing-article-on-techtarget.html' title='Network Auditing Article on TechTarget'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-795994991270322506</id><published>2009-11-14T14:50:00.001-05:00</published><updated>2009-11-15T18:25:00.374-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tech Target'/><category scheme='http://www.blogger.com/atom/ns#' term='Mike Cobb'/><category scheme='http://www.blogger.com/atom/ns#' term='Search Security'/><category scheme='http://www.blogger.com/atom/ns#' term='ISSAP'/><category scheme='http://www.blogger.com/atom/ns#' term='SearchSecurity'/><category scheme='http://www.blogger.com/atom/ns#' term='CISSP'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Here's Another Great Source of Cobb Security Smarts: Mike Cobb, CISSP ISSAP</title><content type='html'>In addition to his work for a certain government agency, my brother Mike continues to find time to put out some very helpful security articles, webcasts, and tutorials. 
Here is just a smattering from &lt;a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseBio/0,289623,sid14_cid945941,00.html#"&gt;Mike Cobb's Page at Search Security&lt;/a&gt;:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1080309,00.html"&gt;SearchSecurity.com's Web Security School&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1132800,00.html"&gt;How to prevent the risks of client-side caching&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1125903,00.html"&gt;How to secure e-mail with S/MIME&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1138718,00.html"&gt;Securing Web apps against authenticated users&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1134252,00.html"&gt;Protect your Web site against path traversal attacks&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1150483,00.html"&gt;Best practices for managing secure Web server configurations&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1153816,00.html"&gt;Don't hide sensitive information in hidden form fields&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1154952,00.html"&gt;Using 802.1X to control physical access to LANs&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1157241,00.html"&gt;Application firewall tips and tricks&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1164096,00.html"&gt;What's new in the revision of ISO 17799&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-795994991270322506?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/795994991270322506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=795994991270322506' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/795994991270322506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/795994991270322506'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/11/another-source-of-cobb-security-smarts.html' title='Here&apos;s Another Great Source of Cobb Security Smarts: Mike Cobb, CISSP ISSAP'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5077905354217231816</id><published>2009-08-06T11:53:00.010-04:00</published><updated>2009-08-06T12:35:15.577-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='authorization'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='DefCon'/><category scheme='http://www.blogger.com/atom/ns#' term='DoS'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='denial of service'/><category 
scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Why Denial of Service is the Dumbest "Hack"</title><content type='html'>Large chunks of Web 2.0 are not working this morning, apparently because of &lt;a href="http://tr.im/vKRh"&gt;one or more denial of service attacks&lt;/a&gt;. Users of Twitter, Facebook--and many apps and blogs which rely on those services for authorization credentials--are feeling understandably frustrated, yours truly included.&lt;br /&gt;&lt;br /&gt;While reports that this DoS event is DefCon-related appear to be mere rumor at this point, it bears repeating: &lt;span style="font-weight: bold;"&gt;Denial of Service is the Dumbest Hack!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Since the first computer was plugged in, anyone with opposable thumbs has been able to execute a denial of service attack. DoS attacks are like the boiled egg of hacking. The fact that computers connected into a network can be disrupted is &lt;span style="font-weight: bold;"&gt;old news&lt;/span&gt;. Proving it with a DoS attack proves nothing new. So what is the point? Do we want the world to sit up and say "Gosh! All this stuff is connected, and if one part goes down many others are also affected."&lt;br /&gt;&lt;br /&gt;Yawn! That is known, proven, accepted, it's history. All you gain by executing such an attack is a lot of anger directed at you by the millions of people whose lives you are messing about. You do not win any prizes for figuring out how to do this. The people who lead the field in figuring out how to execute DoS attacks are the kind of folks who do not execute them.&lt;br /&gt;&lt;br /&gt;I watched one of those people demonstrate, in 1996, how to take down any web site with a 386 PC and 28Kbps modem. That was not at DefCon but in a tiny lab somewhere. 
But I did speak at DefCon that year and gained a lot of respect for serious hackers, not because they wrecked things, but because they had figured out how to, yet they refrained from using that knowledge for gain or fame or to piss people off. Would that all hackers followed that code.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5077905354217231816?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5077905354217231816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5077905354217231816' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5077905354217231816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5077905354217231816'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/08/why-denial-of-service-is-dumbest-hack.html' title='Why Denial of Service is the Dumbest &quot;Hack&quot;'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2935030426516829681</id><published>2009-07-08T14:10:00.001-04:00</published><updated>2009-07-08T15:46:47.658-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Old 
News? Researchers predict SSNs, crack algorithm</title><content type='html'>This story is curious to me. About 13 years ago I taught some banking security classes with a chap who could do this in his head. I always assumed the algorithm was widely known in certain circles.&lt;br /&gt;&lt;br /&gt;"Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites."&lt;br /&gt;&lt;br /&gt;&lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361161,00.html?track=NL-102&amp;amp;ad=713930&amp;amp;asrc=EM_NLN_8630517&amp;amp;uid=7767176#"&gt;Search Security Coverage: Researchers predict SSNs, crack algorithm putting identities at risk&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2935030426516829681?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2935030426516829681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2935030426516829681' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2935030426516829681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2935030426516829681'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/07/old-news-researchers-predict-ssns-crack.html' title='Old News? 
Researchers predict SSNs, crack algorithm'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5171769791796528342</id><published>2009-07-02T14:20:00.001-04:00</published><updated>2009-07-02T16:01:35.808-04:00</updated><title type='text'>TJX to pay $9.75 million for data breach investigations</title><content type='html'>&lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360065,00.html?track=NL-102&amp;amp;ad=711098&amp;amp;asrc=EM_NLN_8100059&amp;amp;uid=7767176"&gt;As reported by SearchSecurity&lt;/a&gt;: "TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys General from 41 states."&lt;br /&gt;&lt;br /&gt;That's on top of many previous costs arising from the fact that "over an 18-month period, hackers exploited a hole in &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1273889,00.html"&gt;TJX's Wi-Fi network&lt;/a&gt; and used a modified sniffer program to monitor and capture data from TJX's transaction systems."&lt;br /&gt;&lt;br /&gt;Consider: "In December 2007, TJX settled a lawsuit from dozens of banks, agreeing to &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1284617,00.html"&gt;pay out $40.9 million&lt;/a&gt; to cover costs connected to the retailer's massive data breach."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5171769791796528342?l=scobbs.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5171769791796528342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5171769791796528342' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5171769791796528342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5171769791796528342'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/07/tjx-to-pay-975-million-for-data-breach.html' title='TJX to pay $9.75 million for data breach investigations'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2878807003626616428</id><published>2009-04-13T12:54:00.011-04:00</published><updated>2009-04-13T17:43:12.570-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='zcobb'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter worm'/><category scheme='http://www.blogger.com/atom/ns#' term='bots'/><title type='text'>Better Twitter Signup Could Stall Twitter Woes and Twitter Worms: Why delay the inevitable?</title><content type='html'>&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 177px;" src="http://cobbsblog.com/560/twitter_worm.jpg" alt="" border="0" /&gt;When they say "anyone can get a Twitter 
account" they mean anyone and &lt;span style="font-style: italic; font-weight: bold;"&gt;anything&lt;/span&gt; can get a Twitter account, including malicious 'bots and worms.&lt;br /&gt;&lt;br /&gt;I'm all for equality, open access, and ease of access, but I'm not keen to share my social-network-of-choice with machines and anonymous jerks. History tells us that sort of thing eventually leads to spam and worms, both of which threaten to hobble Twitter as they hobbled email. And a lot of the problems now looming with Twitter are preventable, or at least containable, if the folks at Twitter act now, before things get out of hand.&lt;br /&gt;&lt;br /&gt;(As for the hobbling of email, make no mistake, email could be very much better than it is right now &lt;span style="font-style: italic;"&gt;if&lt;/span&gt; it were less prone to abuse. Securing email, which could be done if the large providers would drop their petty greed-based differences, would make it way more useful and productive than the pale shadow it is today--in other words, spammers and worm-writers cost the world billions in lost productivity, on top of the ongoing cost of blocking with their irresponsible crap).&lt;br /&gt;&lt;br /&gt;The first step in prevention and protection for Twitter is to require email confirmation for Twitter signup. That would make it harder to &lt;a href="http://www.cio.com/article/489088/Twitter_Worm_Attack_Continues_Here_S_How_to_Keep_Safe"&gt;do things like this&lt;/a&gt;. Right now the Twitter signup process is irresponsibly open, as in "open to abuse" and we are seeing the first Twitter worms right now. Consider what happened recently when I had the pleasure of participating in an elaborate April Fool's caper.&lt;br /&gt;&lt;br /&gt;To increase the credibility of our hoax I created a Twitter account in the name of the fake product we launched. I was shocked at how easy this was. 
Although the Twitter signup process asks for an email address, it does not check to make sure the address is real. There is no "confirmation email" such as most forums, bulletin boards, and social networks require. And although Twitter signup uses a captcha, we know captchas can be beaten by any entity who is motivated enough to create fake accounts. (The "fake" account that I created used a valid email address but tests show this is not required--Twitter does try to validate your email address after signup and lets you know if they have a problem with it, but they don't kick you off the system.)&lt;br /&gt;&lt;br /&gt;The point is, and I say this with love--because I love to Twitter--the folks at Twitter could do more to prevent abuse. Right now they have a chance to save Twitter from worms and I'm hoping they will learn from the mistakes made by email providers and act now rather than later, when it will be that much harder. I predict email verification will eventually come to Twitter, so why not do it now? The email industry missed several golden opportunities to keep the bad guys and bullies out. Twitter can do better, and I hope it will. 
I would happily give up the ability to make fake Twitter accounts for April Fool's Day.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2878807003626616428?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2878807003626616428/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2878807003626616428' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2878807003626616428'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2878807003626616428'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/04/better-twitter-signup-could-stall.html' title='Better Twitter Signup Could Stall Twitter Woes and Twitter Worms: Why delay the inevitable?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4808629101537462692</id><published>2009-04-09T12:37:00.004-04:00</published><updated>2011-07-11T11:08:50.192-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information system security'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='smart grid'/><title type='text'>Power Grid Hacking Story = New Low for Journalism</title><content type='html'>&lt;img alt="" border="0" src="http://cobbsblog.com/560/grid-shot.jpg" 
style="cursor: pointer; float: left; height: 400px; margin: 0pt 10px 10px 0pt; width: 180px;" /&gt;Surely April 8 will be flagged as a new low in the history of American journalism. Why? The "power grid may be hacked" story, and I use the word "story" very intentionally. Everything I heard and saw about this yesterday--from CNN to NBC--was, to put it politely: trash. About the only thing I've seen written about this that made sense was former hacker Kevin Poulsen blogging at Wired:&lt;br /&gt;&lt;br /&gt;"The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That's not it. I know...Only the intelligence agencies are equipped to protect us from foreign cyber attacks."&lt;br /&gt;&lt;br /&gt;See: &lt;a href="http://blog.wired.com/27bstroke6/2009/04/put-nsa-in-char.html"&gt;Put NSA in Charge of Cyber Security, Or the Power Grid Gets It | Threat Level from Wired.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My own theory was that the large power companies, fearful of localized, alternative power generation, were trying to scare people away from "smart grids." This theory is based on the fact that a lot of the "reporting" suggested smart grids would make our power supply more vulnerable. Yeah, like that's why they're called smart. Does nobody out there in mainstream media remember why the Internet was designed like it is?&lt;br /&gt;&lt;br /&gt;I recall, nine, maybe ten years ago, when someone on our penetration testing team said "Can I let some water out of the dam, please, that would be so cool?" Because, yes, we had reached the power company's hydro-electric control panel. We said no to that particular demonstration of how far we had penetrated. After all, it was the power company that had hired us to test their security. And the power company fixed the holes we found. AFAIK they've regularly checked for, and fixed, new ones ever since. 
The grid is not impenetrable, but this whole legend that "Russian and Chinese hackers are all up in our systems and can pull killer moves at the click of a mouse" just seems like scare-mongering. And people normally carry out scare-mongering for a reason.&lt;br /&gt;&lt;br /&gt;Did anyone hear any journalist ask "Why?" As in why would people, foreign or domestic, want to mess with the grid? After all, anyone with a backhoe could drive into the field near my house today and cut the prominently labeled Verizon fiber optic trunk that runs through here (here being a place where lots of people own backhoes). But for years people have somehow avoided the temptation to do this (even deranged broadband addicts bummed out on dialup and convinced by voices in their fillings that cutting the cable was a cheap way to get FIOS, the fastest Internet and best TV picture ever).&lt;br /&gt;&lt;br /&gt;Sure, there are some gifted hackers in Russia and China, but there is zero doubt in my mind that America could bring both of those countries to their knees in a matter of minutes if any kind of cyber-war were to break out.&lt;br /&gt;&lt;br /&gt;So, as far as I can tell no mainstream journalists bothered to ask Why? Or bothered to think about where this story came from and how come it appeared at this time. The grid was no more or less susceptible on April 8, 2009 than it was on April 7, 2009. And I don't know whether to pity or impugn the talking heads they trotted out to comment on this "story."&lt;br /&gt;&lt;br /&gt;Please let me know if you heard anyone in the media, besides Mr. 
Poulsen, raising the possibility that this story was part of the push by NSA to take over cyber-security from DHS (that's NSA as in "Not Safe Agency" that worked with companies like AT&amp;amp;T to suck the Internet into massive servers so they can read our email and blog posts).&lt;br /&gt;&lt;br /&gt;And if you have heard anything to suggest that the Obama administration is about to kick some serious cyber-butt and bring sanity to our secret agencies and critical infrastructure protection programs, I'd really appreciate hearing about it, because frankly I'm getting pretty depressed here.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4808629101537462692?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4808629101537462692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4808629101537462692' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4808629101537462692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4808629101537462692'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/04/power-grid-hacking-story-new-low-for.html' title='Power Grid Hacking Story = New Low for Journalism'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-761634964843488728</id><published>2009-03-28T18:06:00.000-04:00</published><updated>2009-03-28T18:06:42.193-04:00</updated><title type='text'>Vast Spy System Loots Computers in 103 Countries</title><content type='html'>&lt;a href="http://www.nytimes.com/2009/03/29/technology/29spy.html?partner=rss&amp;amp;emc=rss"&gt;Vast Spy System Loots Computers in 103 Countries - NYTimes.com&lt;/a&gt;:&lt;br /&gt;By JOHN MARKOFF, Published: March 28, 2009&lt;br /&gt;&lt;br /&gt;"TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-761634964843488728?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.nytimes.com/2009/03/29/technology/29spy.html?partner=rss&amp;emc=rss' title='Vast Spy System Loots Computers in 103 Countries'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/761634964843488728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=761634964843488728' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/761634964843488728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/761634964843488728'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2009/03/vast-spy-system-loots-computers-in-103.html' title='Vast Spy System Loots Computers in 103 
Countries'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1367332536983510167</id><published>2008-12-11T10:37:00.000-05:00</published><updated>2008-12-11T10:37:15.764-05:00</updated><title type='text'>5 Years After CAN-SPAM</title><content type='html'>&lt;a href="http://www.eweek.com/c/a/Security/5-Years-After-CANSPAM/?kc=EWKNLSTE12112008STR1"&gt;Larry Seltzer at eWeek:&lt;/a&gt; "The other big thing that CAN-SPAM did was to set rules for businesses to follow in order to do mass-mailings. These were the most controversial part of CAN-SPAM because they were opt-out instead of opt-in. This is why critics said, and continue to say, CAN-SPAM 'legalized spam.'"&lt;br /&gt;&lt;br /&gt;I think the current state of commercial email is largely determined by market forces exerted via new media. Smart companies have found out that customer relations and marketing outreach go much better if you don't send people email they don't ask for.&lt;br /&gt;&lt;br /&gt;The Internet is not only a uniquely self-documenting phenomenon, it is also self-reflective and self-monitoring. If GM were to start sending out a mass of unsolicited commercial email asking consumers to support the federal bailout, I bet it would be canceled before it was completed. 
The feedback loops through Twitter and social networks are instant and effective (see the whole Motrin baby debacle: "&lt;a href="http://mediacaffeine.com/solutions/social-media-marketing-solutions/motrin-learns-hell-hath-no-fury-like-baby-wearing-moms/"&gt;Motrin Learns: Hell Hath No Fury Like Baby-Wearing Moms&lt;/a&gt;").&lt;br /&gt;&lt;br /&gt;And hell hath no fury like consumers spammed. Any spammer with a detectable street address, traceable web site, or listed phone number would be in big trouble. Not only because of the spam he or she sent, but as a target on which to vent the pent-up anger generated by the thousands of spammers who have no detectable street address, traceable web site, or listed phone number.&lt;br /&gt;&lt;br /&gt;Did CAN-SPAM help or hurt? Five years on I would say it didn't hurt. And it has probably helped. (It certainly gave me something I could wave at companies who were not getting the message; today they all have the message--"Thou shalt not send unsolicited email"--engraved in their policies).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1367332536983510167?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.eweek.com/c/a/Security/5-Years-After-CANSPAM/?kc=EWKNLSTE12112008STR1' title='5 Years After CAN-SPAM'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1367332536983510167/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1367332536983510167' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1367332536983510167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1367332536983510167'/><link rel='alternate' type='text/html' 
href='http://scobbs.blogspot.com/2008/12/5-years-after-can-spam.html' title='5 Years After CAN-SPAM'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7655341307194567940</id><published>2008-11-30T20:55:00.003-05:00</published><updated>2008-11-30T21:02:37.474-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='Symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='stolen data'/><category scheme='http://www.blogger.com/atom/ns#' term='data theft'/><category scheme='http://www.blogger.com/atom/ns#' term='black market'/><title type='text'>Underground Data Market Tops $275 Million</title><content type='html'>The market for buying and selling stolen credit card numbers and access to financial accounts has reached the $276 million mark, according to Symantec (as reported by &lt;a href="http://go.techtarget.com/r/5123913/7767176"&gt;TechTarget&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;"Symantec said the total value of the stolen data has risen sharply in recent years as spam gangs and individual phishers sell credit card information in bulk on Web forums and bulletin boards right in the public eye. The market has become so big that phishers have to fight for credibility in a seedy underground where it's common for cybercriminals to phish other phishers."&lt;br /&gt;&lt;br /&gt;So, after we sort out the world financial crisis and the fossil fuel crisis and global warming and international terrorism, we will still have these immoral scumbags to deal with? 
Great!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7655341307194567940?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7655341307194567940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7655341307194567940' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7655341307194567940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7655341307194567940'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/11/underground-data-market-tops-275.html' title='Underground Data Market Tops $275 Million'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6937232008371699138</id><published>2008-11-02T14:41:00.000-05:00</published><updated>2008-11-02T14:41:21.157-05:00</updated><title type='text'>A new phish frontier: Domain registrar accounts</title><content type='html'>&lt;a href="http://www.sophos.com/security/blog/2008/10/1901.html"&gt;A new phish frontier: Phishing of domain registrar accounts--Sophos Report&lt;/a&gt;&lt;br /&gt;New and expanded warnings about attempts to get personal data via domain name accounts--now includes Network Solutions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6937232008371699138?l=scobbs.blogspot.com' 
alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.sophos.com/security/blog/2008/10/1901.html' title='A new phish frontier: Domain registrar accounts'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6937232008371699138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6937232008371699138' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6937232008371699138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6937232008371699138'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/11/new-phish-frontier-domain-registrar.html' title='A new phish frontier: Domain registrar accounts'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-81889479544955646</id><published>2008-10-29T11:08:00.000-04:00</published><updated>2008-10-29T11:08:20.839-04:00</updated><title type='text'>WARNING: Enom Phishing Scam</title><content type='html'>&lt;a href="http://www.domainnamenews.com/news/warning-enom-phishing-scam/3002"&gt;WARNING: Enom Phishing Scam Domain Name News&lt;/a&gt;: "We have received several reports of phishing scam emails that at first glance appear to be coming from domain name registrar Enom.com. The emails warn of a complaint for invalid whois information and ask the user to login. Of course the link that the email directs you to is not a valid Enom domain name. 
The site is likely harvesting user names and passwords to access legitimate Enom accounts."&lt;br /&gt;&lt;br /&gt;These are very nasty messages--I just got a couple and they make your heart race at first read because you are informed someone has bought your domain. A pox on the perpetrators!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-81889479544955646?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.domainnamenews.com/news/warning-enom-phishing-scam/3002' title='WARNING: Enom Phishing Scam'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/81889479544955646/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=81889479544955646' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/81889479544955646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/81889479544955646'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/10/warning-enom-phishing-scam.html' title='WARNING: Enom Phishing Scam'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-540038933053331667</id><published>2008-09-01T15:00:00.009-04:00</published><updated>2008-09-27T11:23:42.066-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category 
scheme='http://www.blogger.com/atom/ns#' term='HHS'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Medical Alert: HIPAA gets six figure teeth</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/SN5NHlTSjMI/AAAAAAAAAfw/dlPviUs0FxQ/s1600-h/hipteeth.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5250719008228019394" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/SN5NHlTSjMI/AAAAAAAAAfw/dlPviUs0FxQ/s320/hipteeth.jpg" border="0" /&gt;&lt;/a&gt; Ten years ago I started to alert my clients to the emergence of privacy as the new "driver" of data security. Eight years ago I started to warn them about the specific implications of the Health Insurance Portability and Accountability Act (HIPAA). In the slide deck that I created for my first HIPAA seminar I made sure my audiences were aware of the penalties built into HIPAA, such as fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.&lt;br /&gt;&lt;br /&gt;I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."&lt;br /&gt;&lt;br /&gt;Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennies have dropped, because the HHS, the U.S. 
Department of Health &amp;amp; Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in &lt;a href="http://privacylaw.proskauer.com/2008/08/articles/medical-privacy/hhs-enters-into-first-monetary-settlement-under-hipaa/"&gt;this comprehensive posting by Sara Kraus over on the privacy law blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Providence Health &amp;amp; Services, a Seattle-based not-for-profit health system, was forced to pay $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a “civil monetary penalty.” That three-year plan is like probation and is no cakewalk. Failure to comply could result in more penalties and Providence could still face criminal liability.&lt;br /&gt;&lt;br /&gt;The immediate trigger for this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."&lt;br /&gt;&lt;p&gt;So if you are in any way responsible for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up but state notification laws required patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. 
And that failure cost $100,000.&lt;/p&gt;&lt;p&gt;(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-540038933053331667?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/540038933053331667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=540038933053331667' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/540038933053331667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/540038933053331667'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/09/medical-alert-hipaa-gets-six-figure.html' title='Medical Alert: HIPAA gets six figure teeth'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0x-_F8jtyJQ/SN5NHlTSjMI/AAAAAAAAAfw/dlPviUs0FxQ/s72-c/hipteeth.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-891764310656725119</id><published>2008-08-13T14:21:00.003-04:00</published><updated>2008-08-14T11:18:56.421-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>News Spam Rolls On: First CNN, now MSNBC</title><content type='html'>&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/SKOOsrRoHCI/AAAAAAAAAeQ/kED7ufftEbM/s1600-h/spam3.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/SKOOsrRoHCI/AAAAAAAAAeQ/kED7ufftEbM/s320/spam3.jpg" alt="" id="BLOGGER_PHOTO_ID_5234184090116693026" border="0" /&gt;&lt;/a&gt;The outbreak of spam that pretends to be a news alert from CNN has now morphed into "BREAKING NEWS" from MSNBC, like this message proclaiming that trading in McDonalds has been suspended.&lt;br /&gt;&lt;br /&gt;However, the message is not part of a pump-n-dump stock scam, merely a variant of the basic &lt;a href="http://www.f-secure.com/weblog/"&gt;take-me-to-your-Trojan attack&lt;/a&gt;. Indeed, another one of these that I received has the strangely amusing headline: "Study reveals bass players 'every bit as dull as golfers.'" What bass-playing recipient could resist checking out that story?&lt;br /&gt;&lt;br /&gt;This type of attack looks like it will run for some time (I predict Google will be the next patsy). So information security staff might want to send out a generalized alert to employees warning them to&lt;br /&gt;&lt;br /&gt;a. disregard [and delete without reading] any news alerts they have not specifically requested,&lt;br /&gt;b. decline to install any new video players.&lt;br /&gt;&lt;br /&gt;And so the world grinds on, with each new technology benefit poisoned by selfish, twisted souls. 
Sigh...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-891764310656725119?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/891764310656725119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=891764310656725119' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/891764310656725119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/891764310656725119'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/08/news-spam-rolls-on-first-cnn-now-msnbc.html' title='News Spam Rolls On: First CNN, now MSNBC'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/SKOOsrRoHCI/AAAAAAAAAeQ/kED7ufftEbM/s72-c/spam3.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1745587983736565023</id><published>2008-08-12T21:23:00.003-04:00</published><updated>2008-08-14T11:11:19.287-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>Nasty New Form of Spam: CNN News Alerts</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/SKOLWfHP_hI/AAAAAAAAAeI/fCIMdNQsjQ8/s1600-h/spam2.jpg"&gt;&lt;img style="margin: 0pt 
10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/SKOLWfHP_hI/AAAAAAAAAeI/fCIMdNQsjQ8/s320/spam2.jpg" alt="" id="BLOGGER_PHOTO_ID_5234180410359938578" border="0" /&gt;&lt;/a&gt;I have received a handful of these in the past few days, messages that look like they could be a CNN news alert that I had signed up for, except I hadn't.&lt;br /&gt;&lt;br /&gt;The subject line is "Breaking news", and spammers have designed them like this because many of us humans find it hard to resist a breaking news story. This means a lot of people may open these messages before the spam filters and malware detectors are updated and the security staff get the word out to the troops.&lt;br /&gt;&lt;br /&gt;The link inside these messages can be quite goofy, like "Titanic sinks again in 2008." But some people will fall for them. And when they click on the story link they &lt;a href="http://www.securitywatch.co.uk/2008/08/11/cnn-alerts-my-custom-alert-email-spam/"&gt;will probably find themselves on a web site in Russia or China&lt;/a&gt;. They will then get a message saying that, in order to view the video of the news story, they need to download new video player software. A convenient download is provided, but the software it sends you is a &lt;a href="http://www.securitynewsportal.com/securityvirus/article.php?title=Trojan-Downloader.Win32.Exchanger.mn_Downloader_Mal/EncPk-DA.."&gt;Trojan that compromises your system&lt;/a&gt;. These messages come hot on the heels of &lt;a href="http://blog.trendmicro.com/new-trojan-bait-cnn-videos/"&gt;the "Daily Top Ten" from CNN&lt;/a&gt; messages, which were very convincingly crafted (including an unsubscribe link that actually appeared to work).&lt;br /&gt;&lt;br /&gt;There are only two things that will stem the tide of this garbage:&lt;br /&gt;&lt;br /&gt;a. Widespread improvement in the general standards of human behavior.&lt;br /&gt;b. 
Widespread adoption of new email standards.&lt;br /&gt;&lt;br /&gt;Sadly both a and b still appear to be a long way off.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1745587983736565023?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1745587983736565023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1745587983736565023' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1745587983736565023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1745587983736565023'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/08/nasty-new-form-of-spam-cnn-news-alerts.html' title='Nasty New Form of Spam: CNN News Alerts'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/SKOLWfHP_hI/AAAAAAAAAeI/fCIMdNQsjQ8/s72-c/spam2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1475266984278331356</id><published>2008-08-04T18:29:00.000-04:00</published><updated>2008-08-13T21:18:42.104-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security awareness'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><title type='text'>Laptops in Peril at the Airport</title><content type='html'>My 
brother, Mike, has been busy this week, responding to questions about the latest Ponemon Institute survey, which suggests a heck of a lot of &lt;a href="http://www.telegraph.co.uk/travel/travelnews/2482615/Heathrow-Airport-is-laptop-crime-capital.html"&gt;laptops are separated from their owners at airports&lt;/a&gt;. He did more than a dozen radio interviews in one day!&lt;br /&gt;&lt;br /&gt;I've worked with Larry Ponemon in the past and he does a pretty mean survey. So if he says 3,800 computers go missing each week from Europe's 24 busiest airports, I'm inclined to believe that's the case. An even more shocking finding is that more than half of these laptops are never retrieved. People traveling with their laptops should take note.&lt;br /&gt;&lt;br /&gt;One of the first things I do when I get a new laptop is tape my business card to the bottom of it (taking care not to block any ventilation ports).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1475266984278331356?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1475266984278331356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1475266984278331356' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1475266984278331356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1475266984278331356'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/08/laptops-in-peril-at-airport.html' title='Laptops in Peril at the Airport'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7108228749706613005</id><published>2008-08-01T15:31:00.000-04:00</published><updated>2008-08-01T15:31:22.076-04:00</updated><title type='text'>Travelers' Laptops May Be Detained At Border</title><content type='html'>If this wasn't in the Washington Post I would think it was a hoax: &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html?sub=AR"&gt;Travelers' Laptops May Be Detained At Border&lt;/a&gt;. More than anything else, this should awaken those who so far have been complacent to the reality of what our government has been doing to our rights these last 7.5 years.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7108228749706613005?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html?sub=AR' title='Travelers&apos; Laptops May Be Detained At Border'/><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7108228749706613005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7108228749706613005' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7108228749706613005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7108228749706613005'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2008/08/travelers-laptops-may-be-detained-at.html' title='Travelers&apos; Laptops May Be Detained At 
Border'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6724727896782818859</id><published>2007-08-30T13:36:00.000-04:00</published><updated>2008-05-30T13:38:57.085-04:00</updated><title type='text'>Scobbs Blog on Hiatus</title><content type='html'>There won't be any new posts here for a while, but you can catch the latest news and views at &lt;a href="http://cobbsblog.com/blog"&gt;Cobbsblog.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6724727896782818859?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6724727896782818859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6724727896782818859'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/08/scobbs-blog-on-hiatus.html' title='Scobbs Blog on Hiatus'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4921610143327886539</id><published>2007-06-22T22:17:00.000-04:00</published><updated>2007-07-03T08:33:59.188-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' 
term='banks'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Trust in Banks Declines: UK distrust rises 47% to 71%</title><content type='html'>An interesting study &lt;a href="http://www.vnunet.com/vnunet/news/2192686/online-banks-losing-customers"&gt;indicates banks cannot substitute a virtual presence&lt;/a&gt; for local branches and a commitment to community.&lt;br /&gt;&lt;blockquote&gt;Nearly three-quarters of UK customers do not trust their retail bank, and the more virtual a bank is, the lower the level of trust, according to a survey by Unisys. ... When Unisys asked the same questions in 2005 and 2006, 47 per cent of customers indicated that they did not trust their retail bank. This year the figure had risen to 71 per cent. ... The attributes most cited for eroding trust are 'disrespectful attitudes', 'poor privacy', 'weak IT' (such as websites), 'poor corporate governance' and a 'lack of investment in the local community'.&lt;/blockquote&gt;I'm just speculating here, but I'd say the constant drumbeat of security breaches and phishing scams involving online banking is having an erosive effect on trust.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4921610143327886539?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4921610143327886539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4921610143327886539' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4921610143327886539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4921610143327886539'/><link rel='alternate' type='text/html' 
href='http://scobbs.blogspot.com/2007/06/trust-in-banks-declines-uk-distrust.html' title='Trust in Banks Declines: UK distrust rises 47% to 71%'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7929071994886409705</id><published>2007-05-22T08:00:00.000-04:00</published><updated>2007-05-30T08:19:29.015-04:00</updated><title type='text'>What SMBs Need to Know About Computer Security Threats</title><content type='html'>I found a handy set of pages by a Victor Ng titled &lt;a href="http://www.smbedge.com/features/view/3/2265/1/"&gt;What SMBs Need to Know About Computer Security Threats&lt;/a&gt; in a publication called SMBedge, which describes itself as "The Pulse of SMBs in Asia Today."&lt;br /&gt;&lt;br /&gt;It is basic infosec 101 material that is handy because you can send that link to someone who doesn't know what infosec is--but should--just to get them started. Ng's material is more current than some of the 'intro' articles I had been using for this purpose in the past. You know, when someone says "So, you're a computer security consultant? I got a question. Should I renew that Symantec software that came with the PC I bought last year for inventory? I heard there are zombies out there." What do you tell them? Ask for their email address and send them a link.&lt;br /&gt;&lt;br /&gt;Of course, this may be someone to whom you have just paid money for services rendered at the rate of $1 a minute and they are now inviting you to donate about $20 of your time giving them a basic education (although they probably won't see it like that). 
As a CISSP, I always try to strike a balance between politely doing my civic duty and giving them that 10-minute intro and telling them to just go buy a book (valuing my time at $2 per hour minimum).&lt;br /&gt;&lt;br /&gt;Usually it takes less than 5 minutes talking to the SMB to figure out if it is in more immediate danger than the rest of us, i.e. doing something really dumb with their systems. If they are, I am obliged, I think, to advise them to call in a professional. If I have the time I might be the professional and do a 10-minute fix for free, but then you start to encounter other issues, like: the problem you are fixing is just the tip of the iceberg; they have no budget; and what about liability if there is no formal contract?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7929071994886409705?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7929071994886409705/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7929071994886409705' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7929071994886409705'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7929071994886409705'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/05/smbedge-features-what-smbs-need-to-know.html' title='What SMBs Need to Know About Computer Security Threats'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4480319342599668576</id><published>2007-05-19T14:08:00.000-04:00</published><updated>2007-06-12T14:53:45.434-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information system security'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>TJX Discovering Cost of Security Failure</title><content type='html'>Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1255219,00.html?asrc=SS_CLA_303582&amp;amp;psrc=CLT_14"&gt;TJX: Data breach damage $25 million and counting&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.&lt;br /&gt;&lt;br /&gt;TJX executives better hope that they can document the security policies and practices they had in place to prevent the hacking that took place. If a judge deems them to be up to par, they may avoid censure even though they were hacked. 
An active and well-documented security program is a good defense against charges of negligence or failure to meet the standard of due care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4480319342599668576?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4480319342599668576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4480319342599668576' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4480319342599668576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4480319342599668576'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/06/tjx-discovering-cost-of-security.html' title='TJX Discovering Cost of Security Failure'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5630362406493566325</id><published>2007-05-18T09:25:00.000-04:00</published><updated>2007-06-13T12:43:53.534-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><title type='text'>As Predicted: Lawsuits up the security stakes</title><content type='html'>As predicted, by myself and numerous other information security experts, lawsuits are becoming an increasingly common response to a security breach. 
The latest example: &lt;a href="http://www.physorg.com/news98445878.html"&gt;The American Federation of Government Employees is suing the Transportation Security Administration&lt;/a&gt; after the TSA lost a hard drive containing employment records for some 100,000 individuals, including names, social security numbers, dates of birth, payroll information and bank account routing information.&lt;br /&gt;&lt;br /&gt;The drive went missing from the TSA Headquarters Office of Human Capital. The names included various personnel and even U.S. Sky Marshals. The lawsuit is AFGE, et al v. Kip Hawley and TSA (AFGE = American Federation of Government Employees and Kip Hawley is the TSA Administrator). The AFGE claims that, by failing to establish safeguards to ensure the security and confidentiality of personnel records, the TSA violated both the Aviation and Transportation Security Act and the Privacy Act of 1974.&lt;br /&gt;&lt;br /&gt;The Aviation and Transportation Security Act (ATSA) requires the TSA administrator "to ensure the adequacy of security measures at airports." The 1974 Privacy Act requires every federal agency to have in place security measures to prevent unauthorized release of personal records. Losing a hard drive containing employment records for some 100,000 individuals constitutes unauthorized release. 
Stay tuned for progress in the suit.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tsa.gov/datasecurity/index.shtm"&gt;TSA web site dedicated to this incident&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5630362406493566325?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5630362406493566325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5630362406493566325' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5630362406493566325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5630362406493566325'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/05/as-predicted-lawsuits-up-security.html' title='As Predicted: Lawsuits up the security stakes'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7115870615625333917</id><published>2007-05-11T20:07:00.000-04:00</published><updated>2007-05-12T20:51:53.042-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security awareness'/><title type='text'>Penn College Students Win Award for Computer-Security Video</title><content type='html'>As reported in PCToday, &lt;a href="http://www.pct.edu/pctoday/article_5823.shtml"&gt;Penn College Students Win Award for Computer-Security Video&lt;/a&gt;. This is REALLY encouraging. 
Congratulations guys!&lt;br /&gt;&lt;br /&gt;I am a big believer in awareness programs. Check out the &lt;a href="http://www.cobbassociates.com/slides.html"&gt;free podcast of tips on developing successful security awareness programs&lt;/a&gt; over at Cobb Associates.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7115870615625333917?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7115870615625333917/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7115870615625333917' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7115870615625333917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7115870615625333917'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/05/pctoday-penn-college-students-win-award.html' title='Penn College Students Win Award for Computer-Security Video'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5895560290381547217</id><published>2007-05-10T18:06:00.000-04:00</published><updated>2007-06-12T10:57:56.178-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='gotchas'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile security'/><title type='text'>Public Wi-Fi Often Wide Open, But Who Cares?</title><content type='html'>Nice article by 
David Colker of the LA Times, republished here in the Chicago Tribune: &lt;a href="http://www.chicagotribune.com/business/la-fi-consumer22apr22,1,1040632.story?coll=chi-news-hed&amp;ctrack=1&amp;amp;cset=true"&gt;Public Wi-Fi may turn your life into an open notebook&lt;/a&gt;. He vividly reminds us that surfing with your notebook at Starbucks can be a less than private experience. There is quite a bit of personal irony in this for me.&lt;br /&gt;&lt;br /&gt;Wi-Fi at Starbucks is served by T-Mobile, which made a big noise in October of 2004 about offering secure Wi-Fi at all its hot spots: &lt;a href="http://www.eweek.com/article2/0,1895,1668301,00.asp"&gt;T-Mobile Rolls Out Strong Security at Wi-Fi Hot Spots&lt;/a&gt;. I am personally aware of this because back then I was Chief Security Executive at &lt;a href="http://www.ibahn.com/"&gt;STSN, now iBAHN&lt;/a&gt;, which provides Internet service to thousands of hotels, hotel lobbies, restaurants, and conferences around the world. 
At the time, iBAHN was close to completing its own roll-out of secure Wi-Fi and was under the impression it would be the first such major provider to offer this level of security at all its locations. Naturally, T-Mobile's announcement stung, partly because it garnered headlines while being ambiguous. Consider this "reporting", which is close to the wording of T-Mobile's press release:&lt;br /&gt;&lt;blockquote&gt;T-Mobile is introducing strong, 802.1x-based authentication and encryption across its network of 4,700 hot spots. The move, which appears to be the first use of advanced 802.1x-based security by a national mobile carrier in U.S. hot spots leverages the existing 802.1x infrastructure used to authenticate GSM (Global System for Mobile Communications)/GPRS (General Packet Radio Service) cell-phone users. "CIOs across the country have been asking for enhanced security, and we're the first U.S. wireless carrier to deliver it.&lt;/blockquote&gt;But T-Mobile was not the first to deliver strong, 802.1x-based authentication and encryption. iBAHN was already doing that, but had not talked about it publicly because the roll-out was not complete. T-Mobile decided to claim the glory by talking about their own roll-out &lt;span style="font-style: italic;"&gt;before&lt;/span&gt; it was complete. 
I know because, at the time of the announcement, I was in downtown Chicago and I walked many blocks to test several Starbucks locations to see if 802.1x authentication was indeed available. The results were mixed, some consolation to my boss, Brett Molen, iBAHN's CTO, and CEO David Garrison.&lt;br /&gt;&lt;br /&gt;Despite the fact that Brett and David were two of the best bosses I have ever had, I decided to leave iBAHN in 2005 and take a break from the corporate world. For a while I lost track of the secure hotspot debate. But now that I am back "on the road again," so to speak, I have had occasion to try the Wi-Fi at Starbucks in several locations around the world over the last six months and have noticed that the logon has changed considerably. It's a lot less complicated, with a lot less warning about potential security problems, than it was in 2004, and 802.1x-based authentication was apparently not offered.&lt;br /&gt;&lt;br /&gt;Which suggests that there is considerable truth to what some of us security experts have been saying ever since computers escaped from Fortress Data Center in the eighties: Unless security is really simple and seamless, users won't use it. About the only exception to this is the user who has been educated about the risks. 
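Whether a hotspot actually offers 802.1x can be read from its beacon without walking from store to store: the access point advertises its security in an RSN information element (WPA2/WPA3) or the older WPA vendor element, and the AKM suites listed there say whether clients authenticate with 802.1X or a pre-shared key, while an access point with neither element is open. The following is an added example, not the author's or iBAHN's code; the beacon IE bytes in it are constructed for the example rather than captured from any real network:

```python
"""Read a hotspot's advertised security straight off its beacon.

Added example, not the author's code.  The RSN IE (element 48) and the legacy
WPA vendor IE (element 221, OUI 00:50:F2, type 1) list the group cipher, the
pairwise ciphers and the AKM suites an access point accepts; the AKM list is
what says "802.1X" versus "PSK".  The IE byte strings at the bottom are
constructed; on a real network they come from a sniffer or a scan tool.
"""
from dataclasses import dataclass, field
from typing import Dict, List

RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11 suite selectors
WPA_OUI = bytes.fromhex("0050f2")   # Microsoft OUI used by pre-standard WPA

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}


@dataclass
class SecurityIE:
    kind: str                                   # "RSN" or "WPA"
    group_cipher: str
    pairwise_ciphers: List[str] = field(default_factory=list)
    akms: List[str] = field(default_factory=list)


def _suite(raw: bytes, oui: bytes, table: Dict[int, str]) -> str:
    if raw[:3] != oui:
        return "vendor-%s:%d" % (raw[:3].hex(), raw[3])
    return table.get(raw[3], "unknown-%d" % raw[3])


def _parse_suites(body: bytes, oui: bytes, kind: str) -> SecurityIE:
    """Shared layout after each IE's prefix:
    version(2, LE) group(4) pw_count(2) pw_suites(4*n) akm_count(2) akm_suites(4*m) ..."""
    if len(body) < 6 or int.from_bytes(body[0:2], "little") != 1:
        raise ValueError("malformed or unsupported %s IE" % kind)
    ie = SecurityIE(kind=kind, group_cipher=_suite(body[2:6], oui, CIPHERS))
    pos = 6
    for attr, table in (("pairwise_ciphers", CIPHERS), ("akms", AKMS)):
        if len(body) < pos + 2:
            break                                # optional trailing lists absent
        count = int.from_bytes(body[pos:pos + 2], "little")
        pos += 2
        suites = []
        for _ in range(count):
            if len(body) < pos + 4:
                raise ValueError("truncated %s suite list" % kind)
            suites.append(_suite(body[pos:pos + 4], oui, table))
            pos += 4
        setattr(ie, attr, suites)
    return ie


def parse_ies(ies: bytes) -> Dict[str, SecurityIE]:
    """Walk the TLV-encoded IE blob and return whichever security IEs it carries."""
    found = {}
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        data = ies[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated IE %d" % eid)
        pos += 2 + length
        if eid == 48:
            found["RSN"] = _parse_suites(data, RSN_OUI, "RSN")
        elif eid == 221 and data[:4] == WPA_OUI + b"\x01":
            found["WPA"] = _parse_suites(data[4:], WPA_OUI, "WPA")
    return found


def classify(ies: bytes) -> dict:
    """Summarise what a client would be asked to do to join this network."""
    found = parse_ies(ies)
    if not found:
        return {"auth": "open", "ie": None, "pairwise": [], "group": None}
    ie = found.get("RSN") or found["WPA"]       # WPA2-capable clients prefer RSN
    if any(a.startswith(("802.1X", "FT-802.1X")) for a in ie.akms):
        auth = "802.1X"
    elif any(a in ("SAE", "FT-SAE") for a in ie.akms):
        auth = "SAE"
    elif any(a.startswith(("PSK", "FT-PSK")) for a in ie.akms):
        auth = "PSK"
    elif "OWE" in ie.akms:
        auth = "OWE"
    else:
        auth = "unknown"
    return {"auth": auth, "ie": ie.kind, "pairwise": ie.pairwise_ciphers,
            "group": ie.group_cipher}


# Constructed beacon IE blobs: an SSID IE ("hotspot") followed by the security IE, if any.
SSID_IE = bytes.fromhex("00 07 686f7473706f74")
SAMPLES = {
    "open":            SSID_IE,
    "wpa2_psk":        SSID_IE + bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac02 0000"),
    "wpa2_enterprise": SSID_IE + bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac01 0000"),
    "wpa1_enterprise": SSID_IE + bytes.fromhex("dd 16 0050f2 01 0100 0050f202 0100 0050f202 0100 0050f201"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-16s %s" % (name, classify(blob)))
```

On a real network the IE bytes come from a packet capture of the beacon or from a scan tool's raw output. An access point that advertises no RSN or WPA element at all is what a captive-portal hotspot looks like on the air, whatever its logon page says: the portal authenticates the billing relationship, not the link, and nothing between the laptop and the access point is encrypted.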
That is why iBAHN spent a lot of time educating its chosen market place (hotels and conferences) about those risks. And that is why iBAHN makes money selling secure connectivity at a premium.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5895560290381547217?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5895560290381547217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5895560290381547217' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5895560290381547217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5895560290381547217'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/05/public-wi-fi-often-wide-open-but-who.html' title='Public Wi-Fi Often Wide Open, But Who Cares?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1201924829862418207</id><published>2007-05-06T20:13:00.000-04:00</published><updated>2007-05-10T09:47:24.752-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information system security'/><title type='text'>Spector CNE and HTTP Traffic Cops</title><content type='html'>Remember when SPECTOR 
stood for Special Executive for Counter-Intelligence, Revenge and Extortion?** Now comes &lt;a href="http://www.spectorcne.com/intro.html"&gt;Spector CNE&lt;/a&gt; - one of a group of products I've been sniffing around in response to this question: What's to stop employees from copying and pasting confidential company data into blogs and Google App documents?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RkJLOH92ikI/AAAAAAAAAS0/WI8Rbu73scs/s1600-h/trafficop.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RkJLOH92ikI/AAAAAAAAAS0/WI8Rbu73scs/s200/trafficop.jpg" alt="" id="BLOGGER_PHOTO_ID_5062691637146585666" border="0" /&gt;&lt;/a&gt;I've been putting this question to clients lately and not getting very good answers (where 'good'='good for their information security'). I don't feel comfortable sharing specifics on a public web page, but I think this is a big problem for some big companies. I also think this could become yet another front in the endless arms race between the good guys and the bad guys (where 'bad guys'='everyone from ruthless corporate spies to weak-willed individuals under stress, or merely under-trained.) So, if anyone knows of a good http traffic cop, or any other solution to this problem, I'd love to get your comments on it.&lt;br /&gt;&lt;br /&gt;**If you already knew what SPECTOR stood for, then you already know the name of its on-screen nemesis. But do you know the make and model of the weapon said nemesis is brandishing in the famous black tie promotional 'shots' for the  second movie in the genre?  
I will email an electronic copy of my privacy book to the first person who sends the right answer to scobb at scobb dot net.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1201924829862418207?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1201924829862418207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1201924829862418207' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1201924829862418207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1201924829862418207'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/05/spector-cne-and-http-traffic-cops.html' title='Spector CNE and HTTP Traffic Cops'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_0x-_F8jtyJQ/RkJLOH92ikI/AAAAAAAAAS0/WI8Rbu73scs/s72-c/trafficop.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-871521611953815140</id><published>2007-04-29T20:40:00.001-04:00</published><updated>2007-05-09T18:56:03.271-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information system security'/><title type='text'>Image Vulnerability: Is anyone looking at the outbound threat?</title><content type='html'>Remember last summer when the &lt;a 
href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1204126,00.html"&gt;warnings about a surge in image spam&lt;/a&gt; started to appear? (Image spam being defined as unsolicited commercial email in which the message is presented as an image rather than text.) Then we saw spam volume drastically increase towards the end of 2007 with much hand-wringing over the difficulties of detecting image-based spam.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RkJRC392ilI/AAAAAAAAAS8/8nHhLy-74_g/s1600-h/vwjet.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RkJRC392ilI/AAAAAAAAAS8/8nHhLy-74_g/s320/vwjet.jpg" alt="" id="BLOGGER_PHOTO_ID_5062698040942824018" border="0" /&gt;&lt;/a&gt;Well, I wonder how many companies have started to worry about the outbound-image threat? A certain percentage of companies do monitor outbound Internet traffic for trade secrets and inappropriate content. Some just monitor email. At least a few monitor web traffic. But I am fairly sure most of this is filtering based on text. Even so, I don't know how many would actually spot an employee typing company secrets into a password-protected blog hosted outside the company.&lt;br /&gt;&lt;br /&gt;But what if the employee scans images of confidential company documents and uploads the JPEG files to a blog? Would that trigger a response from information security? 
Scanning the content of a JPEG for sensitive text is not impossible, but it is certainly processor intensive and in some ways it is not unlike the problem of detecting image-based spam.&lt;br /&gt;&lt;br /&gt;Of course, one way of reducing the amount of image-based spam coming into an enterprise is to use the Turntide anti-spam technology that chokes off spam without a filter, instead using a behavior-based approach (now available as the &lt;a href="http://www.provantage.com/symantec-mail-security-8100-series-appliance%7E22096785.htm"&gt;Symantec Mail Security 8100 Series Appliance&lt;/a&gt;). Not sure if this would work the other way round. I know there was some discussion of using it to prevent enterprise networks from sending spam. If someone tried to send out 90,000 scanned pages, one after another, as JPEGs, would it show up as an anomaly and trigger some alarms?&lt;br /&gt;&lt;br /&gt;BTW, the 90,000 number is not entirely random. In 1992 about twenty cases of confidential documents belonging to General Motors were physically shipped to Volkswagen headquarters in Wolfsburg (many of them allegedly transported aboard a Volkswagen corporate jet, via the Spanish residence of J. Ignacio Lopez de Arriortua, then Vice President at GM in charge of Worldwide Purchasing, later hired by VW). 
The number of purloined pages was put at 90,000.&lt;br /&gt;&lt;br /&gt;BBTW, this piece of infosec trivia was my excuse for featuring &lt;a href="http://www.ronpatrickstuff.com/"&gt;Ron Patrick's amazing street legal VW (Beetle) Jet&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-871521611953815140?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/871521611953815140/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=871521611953815140' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/871521611953815140'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/871521611953815140'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/04/image-vulnerability-is-anyone-looking.html' title='Image Vulnerability: Is anyone looking at the outbound threat?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/RkJRC392ilI/AAAAAAAAAS8/8nHhLy-74_g/s72-c/vwjet.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5036530900922717272</id><published>2007-04-20T16:43:00.000-04:00</published><updated>2007-05-07T18:30:40.710-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='gotchas'/><category 
scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>White Hat Hacking for Rainy Day Fun: Weak search forms still revealing too much data</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/RjXenn92igI/AAAAAAAAASU/iEjse1CbKSg/s1600-h/whitehat.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/RjXenn92igI/AAAAAAAAASU/iEjse1CbKSg/s200/whitehat.png" alt="" id="BLOGGER_PHOTO_ID_5059194528745294338" border="0" /&gt;&lt;/a&gt;What better way to spend a rainy April day than white hat hacking? Experience the thrill of hacking with none of the guilt. I highly recommend this for anyone who has difficulty understanding why hackers do what they do (and you are NEVER going to be a really good information security professional unless you DO understand what hacking is about).&lt;br /&gt;&lt;br /&gt;Allow me to swap my white hat for my linguist cap for a moment (B.A. Honours, School of English, University of Leeds--one year behind guitar virtuoso &lt;a href="http://en.wikipedia.org/wiki/Mark_Knopfler"&gt;Mark Knopfler&lt;/a&gt; but way ahead of the wonderfully talented &lt;a href="http://en.wikipedia.org/wiki/Corinne_Bailey_Rae"&gt;Corinne Bailey Rae&lt;/a&gt;--and would you believe I can't even carry a tune, but I digress). It has to be said that hacking is one of the most hotly contested words of the information age. In justifiable &lt;span style="font-style: italic;"&gt;homage&lt;/span&gt; to the original good-hearted hackers many infosec professionals use the qualifier "criminal hackers" to distinguish the bad guys from the good guys (that's gender-neutral colloquial 'guys' by the way). 
The good guys, who don't break laws, can be referred to as white-hat hackers, the bad guys being black hat. I am actually leaning towards 'bad actors' as a preferred term for the bad guys (with apologies to my thespian readers).&lt;br /&gt;&lt;br /&gt;So, one rainy April afternoon I was wearing "&lt;a href="http://darenotwalkalone.blogspot.com/"&gt;my film producer hat&lt;/a&gt;" and working the web to promote the film's appearance at two overlapping film festivals, one in Winston-Salem and the other in Columbus, Ohio. Neither the director nor I could afford to attend these events in person and we were worried that turnout would be low. I decided to surf the web sites of colleges in the target areas and to identify faculty with an academic interest in civil rights history (and thereby interested in the film enough to tell their students about it). In the process I found a classic example of weak web design that was hackable.&lt;br /&gt;&lt;br /&gt;After using standard search tools to identify the people I wanted to contact, I looked for their email addresses. Many organizations like schools and hospitals have a directory of staff phone numbers and email addresses. However, to prevent a variety of problems, such as spam, these and other details are not displayed wholesale in a list, but one at a time in response to a name search. In other words, a form on a web page enables users to search a database of people (in infosec terms, this database can be referred to as an &lt;span style="font-style: italic;"&gt;asset&lt;/span&gt;). The premise is that you have to know the person's name to find their information.&lt;br /&gt;&lt;br /&gt;I used this sort of directory to email several professors at several schools. However, I also found something interesting. These forms usually consist of two fields, for Last Name and First name, together with a Submit button. 
The way it's supposed to work is that you, perhaps an aspiring Physics major, enter Einstein in one field, Albert in the other, click Submit, and get the phone number and email address for Prof. Einstein. However, such forms can be a pain for users who can't recall the professor's full name, so the form might allow you to enter Einstein for the last name and the letter 'A' for the first name. And herein lies a dilemma that can become a problem: how 'vague' should the search be allowed to be? For example, if I can enter 'D' in the last name field and 'J' in the first name field, I can list all the Jane and John Does in the database. What you need is a fairly clever set of rules built into the form to control the results of any conceivable form input.&lt;br /&gt;&lt;br /&gt;You see, in terms of information security, one can reliably predict that someone (referred to as an &lt;span style="font-style: italic;"&gt;agent&lt;/span&gt;) will at some point click the Submit button without entering any characters at all in either field. If the result of this action is to reveal all of the records in the database (what we might call a &lt;span style="font-style: italic;"&gt;means&lt;/span&gt;), one can reliably predict, based on past history, that this method will eventually be used to make a copy of all the records in the database (&lt;span style="font-style: italic;"&gt;asset&lt;/span&gt;).&lt;br /&gt;&lt;br /&gt;Thus, by failing to properly code the handling of form input from this search page, the folks who put up the page have created a &lt;span style="font-style: italic;"&gt;vulnerability&lt;/span&gt;. 
This becomes a &lt;span style="font-style: italic;"&gt;means&lt;/span&gt; of attack and a &lt;span style="font-style: italic;"&gt;threat&lt;/span&gt; exists if someone figures out how to &lt;span style="font-style: italic;"&gt;exploit&lt;/span&gt; it to gain unauthorized access to the &lt;span style="font-style: italic;"&gt;asset&lt;/span&gt;. (This same problem crops up with student directories as well, where you are even less likely to want to grant access to the full list.)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RjXlgX92ihI/AAAAAAAAASc/Nv1a9LbIgz4/s1600-h/blackhat.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RjXlgX92ihI/AAAAAAAAASc/Nv1a9LbIgz4/s200/blackhat.png" alt="" id="BLOGGER_PHOTO_ID_5059202100772637202" border="0" /&gt;&lt;/a&gt;This example nicely displays all of the elements of an information security threat (asset, agent, means). I have seen this type of problem on local government web sites where the effect was to enable the attacker to find all the data required to steal a person's identity, or even find all of the special training taken by former military personnel in the area.&lt;br /&gt;&lt;br /&gt;As a white hat hacker it is your responsibility to inform the site manager of the problem. You avoid, as I have here, revealing specifics of the problem (e.g. the address of the web site where I found this example). Hopefully, they will correct the problem. As for me, I will admit that, wearing my producer hat, I did use some of the email addresses that I found. I did not spam anyone. I sent them personal notes. And maybe it worked. 
At the Ohio festival &lt;a href="http://darenotwalkalone.blogspot.com/2007/04/indie-doc-dare-not-walk-alone-wins.html"&gt;Dare Not Walk Alone&lt;/a&gt; won the audience award for best film.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5036530900922717272?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5036530900922717272/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5036530900922717272' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5036530900922717272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5036530900922717272'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/04/white-hat-hacking-for-rainy-day-fun.html' title='White Hat Hacking for Rainy Day Fun: Weak search forms still revealing too much data'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/RjXenn92igI/AAAAAAAAASU/iEjse1CbKSg/s72-c/whitehat.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1605313990170506441</id><published>2007-04-17T11:08:00.000-04:00</published><updated>2007-04-22T13:44:35.468-04:00</updated><title type='text'>Photocopier FUD? 
Americans copying billions of tax docs don't have time to think</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RiucNE-g64I/AAAAAAAAARE/PGDsJQfVWhM/s1600-h/sharp_secure.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RiucNE-g64I/AAAAAAAAARE/PGDsJQfVWhM/s200/sharp_secure.jpg" alt="" id="BLOGGER_PHOTO_ID_5056306755141692290" border="0" /&gt;&lt;/a&gt;So, you've filed your tax return and put away your tax papers until next year, but how much of the very personal information on those tax papers is still out there, accessible to other people (besides you and the IRS)?&lt;br /&gt;&lt;br /&gt;The answer could be "a surprisingly large amount," particularly if you used a digital photocopier to make copies of things like your 1040, W2, 1099s, K-1 and so on. We're not talking about leaving your originals in the photocopier, a common enough mistake, but about the fact some digital copiers retain images of those pages until they are over-written by successive copy jobs, a fact &lt;a href="http://http//biz.yahoo.com/ap/070313/photocopier_risks.html?.v=2"&gt;highlighted in an AP article last month&lt;/a&gt;. This is not a case of unfounded 'fear, uncertainty, and doubt.' The vulnerability highlighted here is real enough to warrant serious attention, particularly in some quarters.&lt;br /&gt;&lt;br /&gt;The underlying fact is that many office photocopiers now contain hard drives to which scans of the pages being copied are written before paper copies are printed and those scans are not always erased after the copy job is completed. 
Steal one of those hard drives and you could get access to some very personal information (and we're not just talking about tax returns and after-hours butt-scans).&lt;br /&gt;&lt;br /&gt;The extent to which this 'feature' of digital copiers poses a threat to your privacy depends upon many factors, like who you are and what kind of enemies you have got. Personally, I'm not too worried. But if I was a key player in a large company in a hotly contested market I would be paying attention to this particular vulnerability.&lt;br /&gt;&lt;br /&gt;Note that the possibility someone could read your personal data off the hard drive of a machine you used to copy personal documents is not a threat, it is a vulnerability--it becomes a threat when a threat agent is willing and able to exploit the vulnerability.&lt;br /&gt;&lt;br /&gt;As to exploitation of the vulnerability by a threat agent, the following scenario is entirely plausible: as a key person in your organization you and your spouse are under surveillance by the opposition. They've searched your trash but found nothing useful. Then one of you is seen entering the local copy-shop and spending some time on machine number 9. After you leave, a generic service person enters said copy-shop muttering something about a maintenance flag on copier number 9. He opens the machine, removes the hard drive and mutters something about a spare in the van. Off he goes with a digital copy of whatever papers you ran through that machine.&lt;br /&gt;&lt;br /&gt;Variations on this theme are numerous and include the janitor stealing or mirroring office copier hard drives on the night shift (a great way to get a copy of that competitive bid you had to submit in triplicate). 
Defenses include being more thoughtful about where you do your photocopying, what access you give to the copier, and what copying hardware you use (some digital copiers offer 'safety' features--of which more later).&lt;br /&gt;&lt;br /&gt;However, the first thing that struck me when I read the AP article was a sense of déjà vu. Hard drives have been built into a lot of large copiers and printers for some time. It was at least 7 years ago that the penetration testing team at my company figured they could run a publicly accessible web site from the hard drive of such a machine located on the internal network of a large public school district (which we had been hired to test, I hasten to add). That tells you a lot about how much thought the folks who design such machines were giving to their potential for abuse.&lt;br /&gt;&lt;br /&gt;In other words, many 'new' or 'emerging' information security threats are not so much new as newly realized or newly rediscovered. And this 'newness' is not simply a function of vulnerabilities found or re-found, but also of changes in the means and motives of threat agents prepared to exploit them.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span style="font-weight: bold;"&gt;Sidebar/postscript:&lt;/span&gt; When you read the AP article referenced above you get the distinct impression that it was prompted by copier-maker Sharp, and if I were to swap my infosec hat for my entrepreneur hat I'd have to doff it to the folks at Sharp (or Sharp's PR agency) who were behind this. I know from experience it is very difficult to get someone like AP to write a story that comes from your particular perspective. 
Sharp's perspective is that of a company which has gone to the trouble to make photocopiers that are more secure (&lt;/span&gt;&lt;a style="color: rgb(0, 0, 153);" href="http://www.sharpusa.com/SharpHome/1,1959,,00.html"&gt;as you can read here&lt;/a&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;). I think this is a good thing and this article was a good fit between education and marketing.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1605313990170506441?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1605313990170506441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1605313990170506441' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1605313990170506441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1605313990170506441'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/04/photocopier-fud-americans-copying.html' title='Photocopier FUD? 
Americans copying billions of tax docs don&apos;t have time to think'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/RiucNE-g64I/AAAAAAAAARE/PGDsJQfVWhM/s72-c/sharp_secure.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7325071457397670382</id><published>2007-04-11T10:22:00.000-04:00</published><updated>2007-04-11T10:57:38.102-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><title type='text'>Windows &amp; Office Barf Again! Microsoft's recommended Automatic Updates trash data</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rhz0OYcpozI/AAAAAAAAAQE/gOyaSzP89KA/s1600-h/xp_data_death.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rhz0OYcpozI/AAAAAAAAAQE/gOyaSzP89KA/s320/xp_data_death.jpg" alt="" id="BLOGGER_PHOTO_ID_5052181409920820018" border="0" /&gt;&lt;/a&gt;If you are using Windows and value your time, do this:&lt;br /&gt;&lt;br /&gt;1. Go to the Control Panel for Automatic Updates&lt;br /&gt;&lt;br /&gt;2. Change the setting from "Automatic (Recommended)" to something like "Download updates for me, but let me choose when to install them."&lt;br /&gt;&lt;br /&gt;If you don't do this, you may be set to lose a lot of time and money. Why? 
Whenever there is a patch Tuesday and the patch requires a reboot, like the one this week, the recommended setting means Microsoft will reboot your system for you, unless you happen to be sitting there at the keyboard to prevent it. Here's a typical scenario:&lt;br /&gt;&lt;blockquote&gt;You spend several hours researching a topic on the web. You have about ten browser tabs open displaying your research results and you are cutting and pasting said results into a Microsoft Word document. The door bell chimes and you rush to answer it. You are a savvy user so even as you head to the door you make a mental note that the two apps you are using have auto-save. Word auto-saves documents. Firefox auto-saves session data. But as you stand at the door signing for a package you hear the "chime of death" from your office, signalling that your Windows machine has restarted. Not only has it restarted, it has, under the control of Microsoft's Automatic Update, trashed your Word documents.&lt;/blockquote&gt;That's right, it has not even created the temporary files that allow you to restore documents when something crashes Word. This is because Microsoft, in its current state of engorged hubris, which can only be described as galactic in scope, does not consider an unapproved system restart of its choosing to be a crash. So it only gives you the last user-saved version of the docs that you have spent an hour compiling.&lt;br /&gt;&lt;br /&gt;Let's face it, in the year 2007, twenty years into an OS, twenty five years into an application, this is bad behavior of the worst and most unforgivable kind. The vendor recommended mode of operation is literally data destructive.&lt;br /&gt;&lt;br /&gt;Of course, some readers may say that, "if you are using Windows and value your time," you should switch to a Mac. But Apple has its own share of hubris and I have thousands of dollars invested in software that won't run on a Mac. 
Come to think of it, I have invested thousands of dollars and hundreds of man-hours creating a computer system that pretty much does what I want it to do, except when the historical recipient of many thousands of my dollars decides to use its software and ignorance to trash my data.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7325071457397670382?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7325071457397670382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7325071457397670382' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7325071457397670382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7325071457397670382'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/04/windows-and-office-barf-again.html' title='Windows &amp; Office Barf Again! 
Microsoft&apos;s recommended Automatic Updates trash data'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rhz0OYcpozI/AAAAAAAAAQE/gOyaSzP89KA/s72-c/xp_data_death.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2641302986390427888</id><published>2007-04-09T13:33:00.000-04:00</published><updated>2007-05-12T20:54:11.936-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Security Means Availability: Google and others need to address this ASAP in SaaS</title><content type='html'>As enterprises explore Software as a Service, &lt;a href="http://whatcomesnext.brussin.com/2007/02/16/new-enterprise-security-threats-saas/"&gt;security experts like David Brussin are keeping a watchful eye&lt;/a&gt;. Clearly there are serious security implications whenever data is allowed to live beyond the--hopefully, strongly defended--perimeter of the enterprise fortress. Typically those implications are first thought of in terms of &lt;span style="font-style: italic;"&gt;confidentiality&lt;/span&gt; and &lt;span style="font-style: italic;"&gt;integrity&lt;/span&gt;: Will our data be safe from prying eyes and unauthorized access? But the third pillar of security, &lt;span style="font-style: italic;"&gt;availability&lt;/span&gt;, should not be neglected. 
How much does strong protection against unauthorized access matter if authorized access is impaired?&lt;br /&gt;&lt;br /&gt;Google must be pondering this question right now as news of outages spreads: "Little over a month after introducing Google Apps' Premier version, which includes a 99.99 percent uptime commitment, Google is failing to meet that service level agreement (SLA) for an undetermined number of customers." That quote is from a &lt;a href="http://www.pcworld.com/article/id,130234-c,webservices/article.html"&gt;PC World&lt;/a&gt; article highlighted in this succinctly titled posting by Ann All on the Straight to the Source blog at IT Business Edge: &lt;a href="http://www.itbusinessedge.com/blogs/sts/?p=106#comments"&gt;It's the SLAs Stupid&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is timely data for me as I have just spent a week over in Europe meeting with executives of a VLO to discuss information security strategy in the context of a possible shift to SaaS as an alternative to out-sourcing (VLO = Very Large Organization).&lt;br /&gt;&lt;br /&gt;Actually, I see &lt;span style="font-style: italic;"&gt;not one but two&lt;/span&gt; availability question marks with SaaS. The first is supplier-side: Will the SaaS vendor's infrastructure keep up with demand? This seems to be the very problem Google is wrestling with right now.&lt;br /&gt;&lt;br /&gt;Second is the user-side connectivity question: What use is Google Mail if the user can't get on the Internet? This is such a basic question that I am almost embarrassed to raise it, but I feel I must. Failure to question underlying assumptions is a shortcoming sadly endemic in technology adoption (the classic is probably "Sure, it's safe to handle this stuff" --Madame Curie).&lt;br /&gt;&lt;br /&gt;SaaS seems to be predicated upon universal high-speed connectivity, a wonderful thing, but not yet a real thing, and not--perhaps ever--a cheap thing. 
Try to keep working on an online document as you move from office to train to plane to hotel to client to airport and back to the office. How successful you are will depend upon, among other things: where your home is; what hotel you stay at; what your client's connectivity policies and facilities are like; and your budget. This last item may be even more critical when you consider "working &lt;span style="font-style: italic;"&gt;securely&lt;/span&gt; on an online document as you move..."&lt;br /&gt;&lt;br /&gt;As for enterprise SaaS solely at the office, there will still be two SLAs to consider: Your SaaS vendor SLA and your ISP SLA.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2641302986390427888?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2641302986390427888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2641302986390427888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2641302986390427888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2641302986390427888'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/04/security-means-availability-google-and.html' title='Security Means Availability: Google and others need to address this ASAP in SaaS'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6855759388361526204</id><published>2007-03-25T09:04:00.001-04:00</published><updated>2007-03-31T17:54:28.440-04:00</updated><title type='text'>Security Appliances Come to Dodge: So where are the horse thieves being hung?</title><content type='html'>This article, &lt;a href="http://www.enterprisenetworkingplanet.com/netsecur/article.php/3667691"&gt;Security Appliances Come to Dodge, by Drew Robb&lt;/a&gt;, reminded me of a train of thought I have been following for a while. Here's the opening paragraph:&lt;br /&gt;&lt;blockquote&gt;Sometimes with the Internet it seems like you are living out on the frontier. But unlike the "wild West," which settled down after a few years, computer security threats have continued to rise and show no signs of abating any time soon.&lt;/blockquote&gt;I generally avoid picking apart analogies, but there is a flaw in this one. The Wild West took more than a few years to settle down. Which is why the basic Wild West analogy is actually apt. Cyber-space today &lt;span style="font-style: italic;"&gt;is&lt;/span&gt; like the Wild West, a virtual Deadwood upon Dodge upon Laramie. People of low morals are trying anything they think they can get away with, and often they are. There's easy money ripping off them there virtual wagon trains and consumer pioneers.&lt;br /&gt;&lt;br /&gt;What we haven't seen yet is the equivalent of hangings for horse theft, swift and decisive justice for those whose immoral and illegal acts strike at the infrastructure of the information age. We have flirted with the idea. 
When I spoke at The Global Internet Project special workshop on Internet spam in June of 2002, the chairman asked the audience what should be done about spammers and the suggestion [not from me] that there should be some hangings was widely applauded.&lt;br /&gt;&lt;br /&gt;But when I see some of the puny sentences handed out for computer crimes, I wonder if it might be time to make a few examples. Yes, I know that is a dangerous path and there is an inherent risk of fallout from unfairness. Yet think about this: What is more corrosive to the future of our culture and economy: Selling a few ounces of pot or stealing a few million credit card records? From sentencing patterns it would appear that dealing drugs is considered way more immoral than either using drugs or ripping off consumers. America jails &lt;a href="http://news.bbc.co.uk/1/hi/world/americas/4481261.stm"&gt;more people than any other country&lt;/a&gt;. But very few people who commit fraud and deceptions detrimental to commercial trust seem to do serious jail time (it will be interesting to see how much time the likes of Fastow and Ebbers actually serve).&lt;br /&gt;&lt;br /&gt;Another one to watch is Brian Salcedo, who got "&lt;a href="http://www.law.com/jsp/article.jsp?id=1103138408230"&gt;the longest prison term ever handed down in a computer crime case in the United States&lt;/a&gt;" for trying to steal customer credit card data from Lowe's. 
Not surprisingly, publications like &lt;span style="font-style: italic;"&gt;Wired&lt;/span&gt; that still think there is something cool about messing with people's lives [as long as you do it with a computer and not a baseball bat] termed Salcedo's 9-year sentence "Crazy" (&lt;a href="http://www.wired.com/science/discoveries/news/2006/07/71358"&gt;see Crazy-Long Hacker Sentence Upheld&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Keen observers will note that story was written by Kevin Poulsen, who was himself sentenced, in 1991, to 51 months for various criminal hacking offenses committed in the 1980s. At the time it was said to be the longest ever sentence for hacking. Maybe a sentence of 20 years back then, instead of four and a quarter, might have had a more powerful deterrent effect.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6855759388361526204?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6855759388361526204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6855759388361526204' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6855759388361526204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6855759388361526204'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/security-appliances-come-to-dodge-so.html' title='Security Appliances Come to Dodge: So where are the horse thieves being hung?'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2808228879044510715</id><published>2007-03-24T09:42:00.001-04:00</published><updated>2007-03-26T11:39:27.485-04:00</updated><title type='text'>Would Your Competitors Do This? Oracle's suit against SAP a timely lesson</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RgfpGLNBBjI/AAAAAAAAAOw/i8gh9VNeLtg/s1600-h/sap_oracle.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RgfpGLNBBjI/AAAAAAAAAOw/i8gh9VNeLtg/s200/sap_oracle.jpg" alt="" id="BLOGGER_PHOTO_ID_5046258199787800114" border="0" /&gt;&lt;/a&gt;Referring to my previous post about the threat of spying as a "driver" in information system security, this just in:&lt;br /&gt;&lt;blockquote&gt;Oracle recently found their &lt;a href="http://www.securityfocus.com/news/11453?ref=rss"&gt;biggest competitor has been hacking their systems and stealing their data&lt;/a&gt; on a scale that may best be described as "massive."&lt;br /&gt;&lt;br /&gt;SAP allegedly employed the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials. 
SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle's system under false pretexts...&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2808228879044510715?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2808228879044510715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2808228879044510715' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2808228879044510715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2808228879044510715'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/would-your-competitors-do-this-oracles.html' title='Would Your Competitors Do This? 
Oracle&apos;s suit against SAP a timely lesson'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_0x-_F8jtyJQ/RgfpGLNBBjI/AAAAAAAAAOw/i8gh9VNeLtg/s72-c/sap_oracle.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4730241341235683242</id><published>2007-03-15T11:58:00.000-04:00</published><updated>2007-06-12T10:08:13.236-04:00</updated><title type='text'>Witches Brew: Cheap domains, DDoS, and man-in-the-middle eBay scams</title><content type='html'>A rash of recent reports seems to revolve around the great ease and small cost of registering domains. Perhaps it is time to revert to some of the original limitations on domain name registration. Consider that before April 1, 1998, the fee for registering domain names at InterNIC (operated by Network Solutions) was US $100.00 for a two-year registration and there was a limit on how many names one person could register. On April 1 the fee went down to US $70.00 for a two-year period, and renewals were decreased to $35.00 from $50.00. 
Despite that, the number of domains registered was already close to 2 million.&lt;br /&gt;&lt;br /&gt;According to research from McAfee, &lt;a href="http://www.computerworld.com.au/index.php/id;949515620;fp;4;fpid;16"&gt;cheap or free registration of new domain names drives the growth in Web sites used for spamming or hosting malicious software&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;One of the biggest names in domain name registration, &lt;a href="http://www.computerworld.com.au/index.php/id;732137190;fp;4;fpid;16"&gt;GoDaddy, was hit with significant and sustained distributed denial-of-service attacks Sunday&lt;/a&gt;, resulting in four to five hours of intermittent service disruptions, including hosting and e-mail.&lt;br /&gt;&lt;br /&gt;Symantec has uncovered an &lt;a href="http://www.computerworld.com.au/index.php/id;1250268436;fp;4;fpid;16"&gt;unusually sophisticated email scam, targeting eBay users with a combination of legitimate eBay auctions and a Windows Trojan that intercepts a user's web traffic&lt;/a&gt;. The "advanced" malware involved, called Trojan.Bayrob, sets up a man-in-the-middle attack, Symantec said in a blog last week.&lt;br /&gt;&lt;br /&gt;"While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual," wrote Symantec's Liam O'Murchu. "Man-in-the-middle attacks are very powerful, but are also difficult to code correctly."&lt;br /&gt;&lt;br /&gt;Fascinating differences in &lt;a href="http://www.siteadvisor.com/studies/map_malweb_mar2007.html"&gt;levels of risk around the world have been mapped by McAfee&lt;/a&gt;. 
For example, "a consumer is almost 12 times more likely to encounter a drive-by-download while surfing Russian domains as Columbian ones."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4730241341235683242?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4730241341235683242/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4730241341235683242' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4730241341235683242'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4730241341235683242'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/witches-brew-cheap-domains-ddos-and-man.html' title='Witches Brew: Cheap domains, DDoS, and man-in-the-middle eBay scams'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-8060123380171695143</id><published>2007-03-15T11:53:00.000-04:00</published><updated>2007-03-26T11:01:50.383-04:00</updated><title type='text'>The Threat of Spies: Often overlooked, often under-estimated, inside and out</title><content type='html'>I love it when people ask questions about security that cannot be answered definitively, questions like: "What are the three most serious emerging threats?" Indeed, I ask questions like that myself, of others, and of myself. Why? 
Because it gets brains working, and the output can be very valuable.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/Rgfb8lTI-PI/AAAAAAAAAOg/cgfc12E7XPg/s1600-h/axle.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/Rgfb8lTI-PI/AAAAAAAAAOg/cgfc12E7XPg/s320/axle.jpg" alt="" id="BLOGGER_PHOTO_ID_5046243741342955762" border="0" /&gt;&lt;/a&gt;I have been pondering emerging threats quite a bit this year as a result of preparing my keynote for an enterprise security conference in Malaysia last month. But lately I have been asking myself "What are the most persistent threats?" and also "What are the most under-estimated threats?"&lt;br /&gt;&lt;br /&gt;And I think I might have a winner, or at least a threat that is a finalist in both categories: industrial espionage (iconically represented by a patent application drawing).&lt;br /&gt;&lt;br /&gt;Clearly industrial espionage has been around for a long time (and I'm talking centuries before the late eighties when British Airways started stealing Virgin Atlantic passengers with lies and bribes and a little database hacking on the side--leading to some pretty messy headlines for BA, not to mention some hefty financial settlements in favor of Virgin and its owner, Richard Branson).&lt;br /&gt;&lt;br /&gt;VW did it to GM. Boeing did it to Lockheed. WestJet did it to Air Canada (allegedly). Not only has industrial espionage been around for a while, it has always been, quite consistently in my experience, under-rated as a security threat. As with many areas of information security knowledge there are few hard facts to back up my assertion. 
But my impression, when dealing with clients, when making presentations at conferences, and when teaching seminars, has always been that most people in business don't think--or maybe prefer not to think--that their competitors would break the law to gain advantage. It is not unusual for senior people to come up to me after a presentation that touches on industrial espionage, or criminal hacking in general, and say something like "Do people really do that?"&lt;br /&gt;&lt;br /&gt;Perhaps line managers and executives are so busy worrying about all the other critical stuff--like supply, demand, deadlines, sales targets, profit margins--they just don't want to ponder questions like: Are my competitors prowling my network? Sitting outside our offices with a listening van? Going through our garbage? Bribing our employees?&lt;br /&gt;&lt;br /&gt;But chances are, they are. Indeed, I would say that if your company is doing more than $100 million in annual revenue then it is &lt;span style="font-weight: bold;"&gt;un&lt;/span&gt;likely that your competitors are not performing aggressive competitive intelligence ops against you. And of course, the many, many ways in which our "going digital" has made information easier to copy and move now come into play (in the early nineties VW took 90,000 pages worth of documents from GM in hard to hide boxes--today that stuff would fit on a $30 flash memory card you can buy on the High Street and slip into your sock as you walk it through the metal detector undetected).&lt;br /&gt;&lt;br /&gt;While the methodology of competitive intelligence (open source, public documents, general and specific observation) is generally legal, it is very easy for such activities to slide into "aggressive competitive intelligence ops" which are illegal. Bear in mind that a lot of spying is done without direct management approval or endorsement. 
Sometimes employees take it upon themselves.&lt;br /&gt;&lt;br /&gt;And thus we arrive at the hidden, two-edged sword of industrial espionage. You are likely to be wounded if you fail to guard against spying from competitors; you may also be wounded by your own staff if you fail to rein them in and they take competitive intelligence too far (and get caught).&lt;br /&gt;&lt;br /&gt;Here are a couple of cases to ponder just from the auto parts industry:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://oesa.org/publications/articledetail.php?articleId=3907"&gt;Selling secrets to the [Chinese] competition&lt;/a&gt;&lt;br /&gt;&lt;a href="http://topics.nytimes.com/top/reference/timestopics/subjects/e/espionage/index.html?query=AUTOMOBILES&amp;field=des&amp;amp;match=exact"&gt;Selling secrets to the competition&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note that the second link is to article summaries at the New York Times which gives 66 hits on espionage under "Automobiles" alone.&lt;br /&gt;&lt;br /&gt;Stay tuned for more on this topic.&lt;br /&gt;&lt;br /&gt;P.S. &lt;a href="http://www2.norwich.edu/mkabay/overviews/industrial_espionage.htm"&gt;This article by Prof. 
Mich Kabay&lt;/a&gt;, well-respected friend and colleague, gives some examples to get you thinking (but don't think that the examples are not relevant because they are a few years old--I doubt anyone would claim the world is more moral today than it was a decade ago, and it is certainly easier to steal a gigabyte of data in the age of the SD card and USB thumb drive than it was in the age of the floppy and Zip disc).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-8060123380171695143?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/8060123380171695143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=8060123380171695143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8060123380171695143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8060123380171695143'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/spy-within.html' title='The Threat of Spies: Often overlooked, often under-estimated, inside and out'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/Rgfb8lTI-PI/AAAAAAAAAOg/cgfc12E7XPg/s72-c/axle.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-3915690413994115290</id><published>2007-03-15T11:42:00.000-04:00</published><updated>2007-03-26T09:53:37.595-04:00</updated><title type='text'></title><content type='html'>Nice article here from Sandra Rossi of Computerworld (Australia) on the cost of security breaches: &lt;a href="http://www.arnnet.com.au/index.php/id;1700755338"&gt;Data leaks equal 8 percent drop in revenue&lt;/a&gt;.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/RgfNOlTI-OI/AAAAAAAAAOY/HYS2JSbOBWQ/s1600-h/8percent.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/RgfNOlTI-OI/AAAAAAAAAOY/HYS2JSbOBWQ/s320/8percent.jpg" alt="" id="BLOGGER_PHOTO_ID_5046227557906184418" border="0" /&gt;&lt;/a&gt;&lt;blockquote&gt;"Organisations that experience publicly reported data breaches suffer an eight percent loss of revenue. Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data, according to the compliance group which is made up of members from the Computer Security Institute, the Institute of Internal Auditors, Protiviti and Symantec."&lt;br /&gt;&lt;/blockquote&gt;While it is hard to arrive at firm numbers to describe security problems (or security solutions) these numbers jibe well with some past assessments. While I have not done a study of revenue impact from security breaches, I did look closely at stock price impact about six years ago and that worked out to about 12-14% if memory serves (hey, this is just a blog, so memory will have to serve for now--I will dig up the actual data when I get a chance). 
In other words, if you were to suffer a serious and publicized security hit, your stock price would go down from 12 to 14 percent.&lt;br /&gt;&lt;br /&gt;And Larry Ponemon did a fairly recent and pretty rigorous study which showed the cost of a security breach was about $182 per lost record (&lt;a href="http://searchdatamanagement.techtarget.com/originalContent/0,289142,sid91_gci1230326,00.html"&gt;you can read about the survey here&lt;/a&gt;).  In other words, lose 6,000 records and you have surpassed $1 million in negative impact. These numbers should help security managers convince company executives to take security seriously. (Don't forget to stress "opportunity cost" as in "Even if recovery after a security breach goes well, the money spent on recovery is money not spent on a new product launch, new ad campaign, bonuses, etc.")&lt;br /&gt;&lt;br /&gt;Note that the study cited in the Computerworld article above found that: "The primary channels through which data is lost, in order of risk, includes PC's, laptops and mobile devices, e-mail, Instant Messaging, applications and databases."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-3915690413994115290?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/3915690413994115290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=3915690413994115290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3915690413994115290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3915690413994115290'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/nice-article-here-from-sandra-rossi-of.html' 
title=''/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/RgfNOlTI-OI/AAAAAAAAAOY/HYS2JSbOBWQ/s72-c/8percent.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5006560469278877087</id><published>2007-03-06T15:26:00.000-05:00</published><updated>2007-03-06T16:00:30.129-05:00</updated><title type='text'>Hard Lessons About Hard Drives: Time to get a drive grinder?</title><content type='html'>The Times Union of Jacksonville carried an &lt;a href="http://www.jacksonville.com/tu-online/stories/030207/met_8270127.shtml"&gt;interesting story about hard drives&lt;/a&gt; a few days ago. Seems a local businessman had taken his computer to a Best Buy store for repairs.&lt;br /&gt;&lt;blockquote&gt;When told the old hard drive was being replaced--a hard drive that contained information about his clients--he was stunned to learn he wouldn't get it back. The retailer said it would destroy the drive so no one else could get access, but that didn't sit well with Wemhoff. It took a series of calls up the corporate chain of command to get the old drive returned. Best Buy said its policy in this case was to follow the manufacturer's warranty, which often calls for the old hard drive to be sent to the maker, even if it is loaded with personal information.&lt;/blockquote&gt;This led me to send the following letter to the paper, commending the reporter on highlighting this problem and adding some thoughts of my own. 
I mentioned the grinding or "chipping" of hard drives that spy agencies do but it seems Georgia Tech is working on a less messy alternative: a powerful degausser, seen here (click photo for article).&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.technologyreview.com/read_article.aspx?id=17007&amp;ch=infotech"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 220px;" src="http://www.technologyreview.com/files/845/Greene%200621206GuardDog.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This approach has a lot to recommend it. Using a less powerful degausser can require the hard drive platters to be removed from the casing. This requires a fair amount of effort (I just opened up a dead drive recently and brute force was involved). However, despite assurances that degaussing makes the data go away for good, I bet there will still be people in three-letter agencies who opt for physical destruction. It's just so tangible, so very verifiable. Anyway, here's the letter that the Times-Union published today:&lt;br /&gt;&lt;br /&gt;"Kudos to Times-Union reporter David Bauerlein for Friday's Metro article drawing attention to the security issues involved in hard drive repair and replacement. As a 25-year veteran of the computer security business I have to say this is one vulnerability that simply refuses to go away. It seems that each new generation of computer users has to learn the hard way (pun intended) that the convenience of hard drive storage comes at a price.&lt;br /&gt;&lt;br /&gt;Businesses and individuals not only need to back up their hard drives on a regular basis to pre-empt data loss due to drive failure, they also need to take appropriate steps to keep that data under their control at all times. As your reporter correctly points out, a hard drive sent out for repair is not under your control. 
The same is true of hard drives on leased machines that are returned and older machines that are given away. Standard policy should be for all data to be stripped from hard drives before they are handed over to anyone else.&lt;br /&gt;&lt;br /&gt;The steps you take to remove data from drives should be determined by the sensitivity of the data. A simple format of the drive is not enough to hide the remnants of the data from even a mildly curious hacker. Drives that have stored sensitive personal or business data should be wiped with a so-called scrubber or shredder program which over-writes each sector multiple times.&lt;br /&gt;&lt;br /&gt;However, even that may not be enough to totally destroy the data. If the drive falls into the hands of a well-funded adversary, some data might still be recoverable. That's why America's spy agencies routinely grind their old hard drives into powder; not a huge price to pay when state secrets are at risk. Given the negative impact of a security breach on company profits, stock price, and reputation, it could prove to be a cost-effective course of action for many businesses as well. 
"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5006560469278877087?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5006560469278877087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5006560469278877087' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5006560469278877087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5006560469278877087'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/03/hard-lessons-about-hard-drives-time-to.html' title='Hard Lessons About Hard Drives: Time to get a drive grinder?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5633994741920684871</id><published>2007-02-25T15:58:00.001-05:00</published><updated>2007-03-05T16:24:04.170-05:00</updated><title type='text'>Virtual Trade Show Appearance (is that the right word?)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/ReyIYQ7uk3I/AAAAAAAAAMI/A-XeKbq45Xo/s1600-h/tradeshow.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/ReyIYQ7uk3I/AAAAAAAAAMI/A-XeKbq45Xo/s200/tradeshow.jpg" alt="" id="BLOGGER_PHOTO_ID_5038552033564463986" border="0" 
/&gt;&lt;/a&gt;A couple of days ago I participated in a Ziff Davis Virtual Tradeshow on Security Management. This was a "live" event for one day but the sessions are archived for several months for people to browse. If you want to listen to the presentations (including mine) you need to &lt;a href="http://presentations.inxpo.com/Shows/ZiffDavisEnterprise/VTS/02-07/Website/RegistrationPage1.htm"&gt;go to this page and register&lt;/a&gt;. The registration process asks quite a few questions, but that's the price you pay for free education, so to speak. The keynote was by Peter Neumann who [IMHO] is always worth a listen.&lt;br /&gt;&lt;br /&gt;If you check out my session on security awareness programs you will find it is taken at a pretty fast pace owing to time constraints of the format. So, I plan to podcast a less strenuous and hopefully more informative version as soon as my head cold clears up (if I record it white dow ewe wood nut udder stand be).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/ReyGMA7uk2I/AAAAAAAAAMA/L_3U4pJ_c0k/s1600-h/ziffshow.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/ReyGMA7uk2I/AAAAAAAAAMA/L_3U4pJ_c0k/s400/ziffshow.jpg" alt="" id="BLOGGER_PHOTO_ID_5038549624087810914" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5633994741920684871?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5633994741920684871/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5633994741920684871' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13370348/posts/default/5633994741920684871'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5633994741920684871'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/virtual-trade-show-appearance-is-that.html' title='Virtual Trade Show Appearance (is that the right word?)'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/ReyIYQ7uk3I/AAAAAAAAAMI/A-XeKbq45Xo/s72-c/tradeshow.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1702462935127040053</id><published>2007-02-23T16:40:00.000-05:00</published><updated>2007-02-23T16:59:29.573-05:00</updated><title type='text'>SaaS Challenge Mounts: Is Google the next Microsoft, security-wise?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rd9jhAO_2kI/AAAAAAAAAKU/IaFF1Cp5ONg/s1600-h/docsslogo.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rd9jhAO_2kI/AAAAAAAAAKU/IaFF1Cp5ONg/s200/docsslogo.gif" alt="" id="BLOGGER_PHOTO_ID_5034852327073241666" border="0" /&gt;&lt;/a&gt;Two eWeek headlines appeared this week, as if on cue, one right after the other: &lt;a href="http://www.eweek.com/article2/0,1895,2097216,00.asp"&gt;Google Patches Security Vulnerability in Desktop Search&lt;/a&gt; and &lt;a href="http://www.eweek.com/article2/0,1895,2097559,00.asp?kc=EWWHNEMNL022207EOAD"&gt;Google Apps Premier Edition 
Takes Aim at the Enterprise&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;What do you bet that the sparks really flew at Google HQ over that timing? First, a quick reminder that we, Google, have to patch security holes, just like Microsoft. Followed by, tada! Premium enterprise apps, just like Microsoft. From my perspective this was great timing, IF it helped potential enterprise clients stop and think twice before embracing software-as-a-service web apps.&lt;br /&gt;&lt;br /&gt;Don't get me wrong: I have been using and enjoying Google's free document and spreadsheet apps in beta. They offer a lot of convenience (not to mention great functionality for the price). But you won't find me using them for sensitive business data any time soon. There is no way I am going to be the first to find out that Google, in its enthusiasm for offering neat tools to the world, missed some of the security implications and exposed "my stuff."&lt;br /&gt;&lt;br /&gt;From an enterprise perspective I would be blocking employees from using the free version on company machines and connections. And, no offense to Google, but I would not adopt the paid version without a very intense security review. (How intense? 
I don't think there are more than two dozen people on the planet with the kind of smarts it takes to do that sort of review to an appropriate enterprise level of assurance.)&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1702462935127040053?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1702462935127040053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1702462935127040053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1702462935127040053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1702462935127040053'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/saas-challenge-mounts-is-google-next.html' title='SaaS Challenge Mounts: Is Google the next Microsoft, security-wise?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0x-_F8jtyJQ/Rd9jhAO_2kI/AAAAAAAAAKU/IaFF1Cp5ONg/s72-c/docsslogo.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-9144009469915792234</id><published>2007-02-22T21:35:00.000-05:00</published><updated>2007-03-06T15:25:42.618-05:00</updated><title type='text'>What Did I Tell You? 
Google looking like a nexus of insecurity</title><content type='html'>I've been saying this for several months now. I highlighted it in my keynote at the Enterprise Security Asia conference. Google could be the next big thing in security, as in "insecurity." The recently announced hole, now patched, that permitted &lt;a href="http://www.usatoday.com/tech/news/computersecurity/2007-02-21-google-security-patch_x.htm"&gt;cross-site scripting attacks via Google Desktop&lt;/a&gt; is only one aspect of "the Google factor." The concern is that Google has many of the characteristics of a "nexus of insecurity." Here are some of those characteristics:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;New and exciting&lt;/li&gt;&lt;li&gt;Popular and widely used&lt;/li&gt;&lt;li&gt;Cross-platform&lt;/li&gt;&lt;li&gt;Network-based&lt;/li&gt;&lt;li&gt;Rapidly growing&lt;/li&gt;&lt;li&gt;Easy to install&lt;/li&gt;&lt;li&gt;Becoming a standard&lt;/li&gt;&lt;li&gt;Processing sensitive data&lt;/li&gt;&lt;/ul&gt;A good example from the past is Microsoft Word. There was a time when this application was not a major source of security problems. Then came the first Word macro virus, in 1995, and everyone suddenly realized that the Word doc format was a de facto, cross-platform standard, one in which companies stored highly sensitive information (often the best nuggets of corporate data are distilled into memos and letters and reports written in Word). It also became clear that Word documents were traveling from network to network and across corporate boundaries thanks to email. Then it became clear that Excel spreadsheets were also an issue, then PowerPoint, and so on.&lt;br /&gt;&lt;br /&gt;Now, let me make it clear that I have no knowledge of Google's security strategy or how it schools its programmers in secure coding, or how it tests its code before putting it into production. Google may be doing a great job in all these areas. I would love to find out that they are. 
All I am saying is that, historically, software possessing the characteristics listed above has tended to become a source of security problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-9144009469915792234?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/9144009469915792234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=9144009469915792234' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9144009469915792234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9144009469915792234'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/what-did-i-tell-you-google-looking-like.html' title='What Did I Tell You? Google looking like a nexus of insecurity'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2616848470484937098</id><published>2007-02-19T22:51:00.001-05:00</published><updated>2007-02-24T11:37:37.808-05:00</updated><title type='text'>The Last Great Security Crisis? 
Sadly Not</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/ReBpvgO_2lI/AAAAAAAAAKg/pSDfokwazI4/s1600-h/msoffice.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/ReBpvgO_2lI/AAAAAAAAAKg/pSDfokwazI4/s200/msoffice.jpg" alt="" id="BLOGGER_PHOTO_ID_5035140648227822162" border="0" /&gt;&lt;/a&gt;You can't read all the security pundits all the time, but I usually take time to read Larry Seltzer at eWeek. So I am not knocking Larry when I take issue with his recent column titled the &lt;a href="http://www.eweek.com/article2/0,1895,2095118,00.asp?kc=EWSTEEMNL021507EOAD"&gt;Last Great Security Crisis&lt;/a&gt;. Indeed, it is well worth reading and sheds light on an area that needs it: application security.&lt;br /&gt;&lt;br /&gt;Larry is not talking about web apps or &lt;a href="http://scobbs.blogspot.com/2007/02/next-big-enterprise-threat-saas.html"&gt;Software as a Service&lt;/a&gt; but Microsoft Office apps, arguably the biggest single gateway to networked computers and sensitive data on the planet. Whuh? That's a pretty sweeping claim. But think about it. Just about every organization's really important data is currently condensed into Word documents, Excel spreadsheets, and PowerPoint slides.&lt;br /&gt;&lt;br /&gt;Want to know what is going on in a company? Forget mining complex databases; look for the highlights, which are more often than not found in some kind of doc/xls/ppt file, starting with executive summaries of everything from new product development to sales projections to cashflow analysis. 
Combine that with the &lt;a href="http://blog.washingtonpost.com/securityfix/2007/02/microsoft_warns_of_more_office_1.html"&gt;seemingly endless stream of holes&lt;/a&gt; and you have the ingredients for a permanent security headache (as opposed to the plain human headache you get from trying to picture a stream of holes).&lt;br /&gt;&lt;br /&gt;How many organizations eventually get to experience that headache will depend on a number of factors, from the diversification of applications and formats (Mac, pdf, open document, xml, etc.), to the actions of the world's bad actors. The latter may focus more on desktop application vulnerabilities if Vista does deliver an improvement in overall enterprise security. It's that old displacement of risk black magic. As long as bad actors are plentiful and well-motivated (actually it seems like that should be badly-motivated, but you know what I mean) the overall threat level will not go down, it will just keep seeking the low-hanging fruit and the easy wins, which will be losses for legitimate users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2616848470484937098?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2616848470484937098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2616848470484937098' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2616848470484937098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2616848470484937098'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/last-great-security-crisis-sadly-not.html' title='The Last Great Security Crisis? 
Sadly Not'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_0x-_F8jtyJQ/ReBpvgO_2lI/AAAAAAAAAKg/pSDfokwazI4/s72-c/msoffice.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6141070031718952003</id><published>2007-02-17T09:43:00.000-05:00</published><updated>2007-02-17T10:40:19.537-05:00</updated><title type='text'>The Next Big Enterprise Threat? It's time to think SaaS = Software as a Service</title><content type='html'>I recently asked my good friend and security guru David Brussin for his thoughts on emerging threats to enterprise security. In response he posted a very interesting &lt;a href="http://whatcomesnext.brussin.com/2007/02/16/new-enterprise-security-threats-saas/"&gt;entry on his blog about SaaS&lt;/a&gt;. 
I highly recommend this to CIOs and CSOs as well as CISSPs.&lt;br /&gt;&lt;br /&gt;And for readers who are none of the above, and thus in danger of drowning in initials and acronyms, let me make it clear that:&lt;br /&gt;&lt;br /&gt;SaaS = &lt;a href="http://en.wikipedia.org/wiki/Software_as_a_Service"&gt;Software as a Service&lt;/a&gt;&lt;br /&gt;SARS = &lt;a href="http://en.wikipedia.org/wiki/Severe_Acute_Respiratory_Syndrome"&gt;Severe Acute Respiratory Syndrome&lt;/a&gt; (a non-IT enterprise threat)&lt;br /&gt;SpIT = &lt;a href="http://en.wikipedia.org/wiki/Spit_%28VoIP_spam%29"&gt;Spam over Internet Telephony&lt;/a&gt; (VoIP)&lt;br /&gt;SpIM = &lt;a href="http://en.wikipedia.org/wiki/Messaging_spam"&gt;Spam over Instant Messaging&lt;/a&gt;&lt;br /&gt;CISSP = &lt;a href="http://en.wikipedia.org/wiki/CISSP"&gt;Certified Information Systems Security Professional&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hopefully this will help folks disambiguate a few of these threatening things.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6141070031718952003?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6141070031718952003/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6141070031718952003' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6141070031718952003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6141070031718952003'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/next-big-enterprise-threat-saas.html' title='The Next Big Enterprise Threat? 
It&apos;s time to think SaaS = Software as a Service'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-3174239720552087974</id><published>2007-02-15T11:39:00.000-05:00</published><updated>2007-02-15T11:56:16.235-05:00</updated><title type='text'>Free Mike Cobb Security Webcasts and Podcasts Now Available!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RdSPHnaq8tI/AAAAAAAAAJs/QWz1gAwc-Qw/s1600-h/mike_head.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RdSPHnaq8tI/AAAAAAAAAJs/QWz1gAwc-Qw/s200/mike_head.jpg" alt="" id="BLOGGER_PHOTO_ID_5031804044682392274" border="0" /&gt;&lt;/a&gt;That's right, my brother Mike, the younger one (and some would say, the smarter one) is a fellow author and CISSP. And he has pulled together his recent &lt;a href="http://www.cobwebapplications.co.uk/webcasts.php"&gt;security webcasts&lt;/a&gt; on one handy page. Just click and learn. Here's what is available right now:&lt;br /&gt;&lt;div class="paraheader"&gt;&lt;br /&gt;Messaging Security: Preventing Data Loss and Malware Infection through Electronic Communications --In this webcast, discover the many procedures, tools and policies available to Windows security administrators to secure an enterprise's electronic communications. &lt;a href="http://searchsecurity.bitpipe.com/detail/RES/1163104579_143.html" target="_blank"&gt;&lt;img src="http://www.cobwebapplications.co.uk/images/go-welcome-21x21.gif" alt="Find out more about this webcast by Mike Cobb." 
title="Find out more about this webcast by Mike Cobb." align="top" border="0" height="21" width="21" /&gt;&lt;/a&gt;&lt;/div&gt;    &lt;div class="paraheader"&gt;&lt;br /&gt;Messaging Security: Understanding the Threat of eMail and IM Attacks -- This 15-minute podcast helps assess the evolving threats to enterprise communications. Mike investigates the severity of phishing and IM virus threats, and spends time assessing the effectiveness and requirements of unified messaging security products. &lt;a href="http://searchsecurity.bitpipe.com/detail/RES/1163183772_658.html" target="_blank"&gt;&lt;img src="http://www.cobwebapplications.co.uk/images/go-welcome-21x21.gif" alt="Find out more about this podcast by Mike Cobb." title="Find out more about this podcast by Mike Cobb." align="top" border="0" height="21" width="21" /&gt;&lt;/a&gt;&lt;/div&gt;    &lt;div class="paraheader"&gt;&lt;br /&gt;How Simple Steps Ensure Database Security -- This podcast examines some of the most common database attacks, including SQL injection, cross-site scripting and weak/default passwords. Learn how you can protect your database from these threats and listen to this podcast now. &lt;a href="http://searchsecurity.bitpipe.com/detail/RES/1163622121_672.html" target="_blank"&gt;&lt;img src="http://www.cobwebapplications.co.uk/images/go-welcome-21x21.gif" alt="Find out more about this podcast by Mike Cobb." title="Find out more about this podcast by Mike Cobb." align="top" border="0" height="21" width="21" /&gt;&lt;/a&gt;&lt;/div&gt;    &lt;div class="paraheader"&gt;&lt;br /&gt;SearchSecurity.com's Web Security School -- Learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network. Study at your own pace and learn how to implement security policies and test a Web site's security, as well as how to handle a breach should the unspeakable happen. 
Michael Cobb will also arm you with tactics for creating a human firewall to combat problems such as phishing and spyware. This course consists of an entrance exam, three lessons -- each consisting of a webcast, technical paper and quiz -- and a final exam. You'll also find handy checklists that you can download and use on the job. All of these resources are available on-demand so you can learn at your convenience. &lt;a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1080309,00.html" target="_blank"&gt;&lt;img src="http://www.cobwebapplications.co.uk/images/go-welcome-21x21.gif" alt="Find out more about this webcast by Mike Cobb." title="Find out more about this webcast by Mike Cobb." align="top" border="0" height="21" width="21" /&gt;&lt;/a&gt;&lt;/div&gt;    &lt;div class="paraheader"&gt;&lt;br /&gt;Five common application-level attacks and the countermeasures to beat them -- This on-demand webcast reviews five of the most common attacks against applications: active content, cross-site scripting, denial of service and SYN attacks, SQL injection attacks and malicious bots. For each, Michael Cobb explains how they work, the damage they're capable of doing and how pervasive they are. He also arms you with: &lt;/div&gt;&lt;ul&gt;&lt;li&gt;Specific countermeasures for each of these attacks&lt;/li&gt;&lt;li&gt;The security policies and security defense technologies worth considering for safeguarding applications against each attack&lt;/li&gt;&lt;li&gt;How to improve incident response in the event of an attack&lt;/li&gt;&lt;li&gt;A quick overview of other, less common (but potentially damaging) application attacks that you need to be aware of&lt;/li&gt;&lt;/ul&gt;   All of these resources are available on-demand so you can learn at your convenience.  
&lt;a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1147261,00.html" target="_blank"&gt;&lt;img src="http://www.cobwebapplications.co.uk/images/go-welcome-21x21.gif" alt="Find out more about this webcast by Mike Cobb." title="Find out more about this webcast by Mike Cobb." align="top" border="0" height="21" width="21" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-3174239720552087974?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/3174239720552087974/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=3174239720552087974' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3174239720552087974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3174239720552087974'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/free-mike-cobb-security-webcasts-and.html' title='Free Mike Cobb Security Webcasts and Podcasts Now Available!'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_0x-_F8jtyJQ/RdSPHnaq8tI/AAAAAAAAAJs/QWz1gAwc-Qw/s72-c/mike_head.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-9192115651688091473</id><published>2007-02-14T00:15:00.000-05:00</published><updated>2007-02-14T10:36:44.373-05:00</updated><title type='text'>Good Intentions, Wrong Conclusions: Bill Gates' security vision at RSA is cloudy at best</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.smh.com.au/ffximage/2007/01/30/vistagates_wideweb__470x317,0.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px;" src="http://www.smh.com.au/ffximage/2007/01/30/vistagates_wideweb__470x317,0.jpg" alt="" border="0" /&gt;&lt;/a&gt;Said Gates: “&lt;span style="font-style: italic;"&gt;Security is the fundamental challenge that will determine whether we can successfully create a new generation of connected experiences that enable people to have anywhere access to communications, content and information&lt;/span&gt;.” &lt;a href="http://www.dailytech.com/article.aspx?newsid=6004&amp;red=y"&gt;DailyTech&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Well, that sounds good, but what does it really mean? Will lack of security prevent a new generation of connected experiences being created? No. We have seen several generations of insecure connected experiences created. Their lack of security has not doomed them. Yes, security issues have meant slower and more shallow adoption than might otherwise have been achieved. And security problems have in general made the experience less enjoyable than it should have been (not to mention a royal pain in the pocket book in specific cases where the lack of security was exploited by particularly bad or careless actors). But success is relative and often based on expectations.&lt;br /&gt;&lt;br /&gt;Mr. Gates would certainly be unwise to make higher levels of security the only measure of success. But I think that Mr. Gates is quite capable of being unwise. 
After all, this is the man who said spam would be a thing of the past--by this time last year. Sadly, the place where the Gates vision falls short is in its expectations of people. I say sadly because I think Mr. Gates is basically a very decent chap, one who has consistently under-estimated the decency deficit out here in the real world, while over-estimating technology's ability to make up for it.&lt;br /&gt;&lt;br /&gt;Consider what else he said: “&lt;span style="font-style: italic;"&gt;The answer for the industry lies in our ability to design systems and processes that give people and organizations a high degree of confidence that the technology they use will protect their identity, their privacy and their information&lt;/span&gt;.”&lt;br /&gt;&lt;br /&gt;No, Mr. Gates, that is not where the answer lies. The answer lies in the overall standard of human behavior. Until that improves, &lt;span style="font-style: italic;"&gt;connected experiences that enable people to have anywhere access to communications, content and information &lt;/span&gt;will suffer at the hands of bad people. Folks may not suffer to the extent that they give up on those experiences. But they won't be able to enjoy them as much as they should, and a large chunk of resources will likely be consumed trying to maintain a barely tolerable level of enjoyment. 
Technology is not the answer to bad behavior.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-9192115651688091473?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/9192115651688091473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=9192115651688091473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9192115651688091473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9192115651688091473'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/maybe-right-but-also-wrong-bill-gates.html' title='Good Intentions, Wrong Conclusions: Bill Gates&apos; security vision at RSA is cloudy at best'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-8191773066667286178</id><published>2007-02-09T23:17:00.000-05:00</published><updated>2007-02-14T10:38:41.110-05:00</updated><title type='text'>4th Annual Enterprise Security Asia Conference</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RdFGpHaq8mI/AAAAAAAAAIo/q3DxCl3icME/s1600-h/acnergy.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" 
src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RdFGpHaq8mI/AAAAAAAAAIo/q3DxCl3icME/s400/acnergy.jpg" alt="" id="BLOGGER_PHOTO_ID_5030879930929050210" border="0" /&gt;&lt;/a&gt;4th Annual Enterprise Security Asia Conference&lt;br /&gt;&lt;br /&gt;A big thanks to the folks at &lt;a href="http://acnergy.com/index.html"&gt;AC-Nergy&lt;/a&gt;  who put on an excellent conference in Kuala Lumpur last week: Dyanna, Jin Yin, Christopher, and Andrea. Also to chairpersons Michael Mudd of &lt;a href="http://www.comptia.org/"&gt;CompTIA&lt;/a&gt; and Stan Singh of &lt;a href="http://www.pikom.org.my/"&gt;PIKOM&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The two sets of slides that I presented can be found at &lt;a href="http://cobbassociates.com/slides.html"&gt;the newly re-launched Cobb Associates site&lt;/a&gt;. And a quick reminder to (ISC)2 attendees: this event is approved by (ISC)2 for CPE credits.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-8191773066667286178?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/8191773066667286178/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=8191773066667286178' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8191773066667286178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8191773066667286178'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/4th-annual-enterprise-security-asia.html' title='4th Annual Enterprise Security Asia Conference'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/RdFGpHaq8mI/AAAAAAAAAIo/q3DxCl3icME/s72-c/acnergy.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5032693762307595932</id><published>2007-02-07T15:08:00.000-05:00</published><updated>2007-02-10T03:47:45.791-05:00</updated><title type='text'>Meet the new OS, same as the old OS: AV, Vista, and Microsoft MS-DOS 6</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://scobbweb.com/images/onecare.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 60px;" src="http://scobbweb.com/images/onecare.jpg" alt="" border="0" /&gt;&lt;/a&gt;News that &lt;a href="http://news.zdnet.com/2100-1009_22-6156733.html?tag=nl.e550"&gt;Microsoft's own anti-virus [AV] product does not do a good job&lt;/a&gt; of protecting the new Microsoft Vista operating system will come as no surprise to the infosec "old guard" who remember Microsoft's first foray into anti-virus back with MS-DOS 6.0 in 1993. A detailed deconstruction of this product's shortcomings was written by one of the early AV pioneers, Y. Radai at the Hebrew University of Jerusalem. He graciously allowed me to reprint it in my PC and LAN security book and &lt;a href="http://www.cobb.com/pclan/microsoftav.pdf"&gt;a copy is archived here in an Adobe PDF&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Unless you are a real AV history buff you may not want to read the whole thing (and if you are a real AV history buff you've read it already). 
But everyone should take note of the final sentences where Radai summarized the effects of Microsoft's decision to make its own AV and bundle it with the OS:&lt;br /&gt;&lt;blockquote&gt;True, many people who have never before installed AV software will now do so, and this seems to be a benefit. However, they will be under the false impression that they are well-protected.&lt;/blockquote&gt;Enough said? After all, few things are more worrying to an information security professional than someone having a false sense of security. One of them is a lot of people having a false sense of security.&lt;br /&gt;&lt;br /&gt;And who are these folks who just gave Microsoft Live OneCare a failing grade? Virus Bulletin, which has a sterling reputation for objective AV testing. If VB says a product does not do a good job, you can rest assured it does not (of course, depending on the product you are using, the assured rest may not come easily).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5032693762307595932?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5032693762307595932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5032693762307595932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5032693762307595932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5032693762307595932'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/meet-new-os-same-as-old-os-av-vista-and.html' title='Meet the new OS, same as the old OS: AV, Vista, and Microsoft MS-DOS 6'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2843549990607308599</id><published>2007-02-03T20:17:00.000-05:00</published><updated>2007-02-03T20:23:23.342-05:00</updated><title type='text'>More VA Data At Risk? Reminds me of last summer</title><content type='html'>Looks like another &lt;a href="http://www.newsmax.com/archives/ic/2007/2/3/112657.shtml?s=ic"&gt;black eye for the Department of Veterans Affairs.&lt;/a&gt; A hard drive containing thousands of unencrypted records apparently went missing. Here is what I wrote last summer for a local magazine, after the BIG data leak at the VA:&lt;br /&gt;&lt;br /&gt;During a hotter than average summer you might think the only exposure problems we face in Saint Augustine are those caused by the UV index. And it would be nice to think the only chills we've been getting come from ice cream or the ice in our drinks. Unfortunately, some folks in town have been receiving chilling news about their personal exposure. It goes something like this: "Information identifiable with you was potentially exposed to others."&lt;br /&gt;&lt;br /&gt;In fact, if you were one of the more than 26 million American veterans whose data was on an external hard drive stolen from the home of a Veterans Affairs employee in May, you will have read those words already, in letter from the VA. What sort of data are we talking about? According to the letters that started going out in the first week of June: names, Social Security numbers, and dates of birth, as well as some disability ratings. 
That is enough information to get an identity thief started, running up bills in your name.&lt;br /&gt;&lt;br /&gt;Sadly, some local veterans who bank with VyStar were hit with a double dose of chilling news about their personal exposure. They also received letters from the Jacksonville-based credit union informing them that hackers had acquired their names, addresses, Social Security numbers, birthdates, mothers' maiden names, and email addresses. The exact number of people affected was not revealed by VyStar, which would only say it was less than ten percent of its 344,000 membership. However, that type of data would give an identity thief a running start, in several directions. For example, the email addresses could be used for very targeted and effective "phishing" attacks in which falsified email is used to trick recipients into revealing such valuable data as account numbers and passwords.&lt;br /&gt;&lt;br /&gt;I know that at least one of the affected Vystar members was a local resident, because I had breakfast with him recently, at Jasmine's on San Marco. Over a latté and breakfast burrito he lamented that he had received letters from both VyStar and the VA. Perhaps a little too glibly I said that if he got a third letter we would write an article about him. That afternoon I noticed a new security breach exposing Floridians. Approximately 133,000 Florida driver and pilot records were on a Department of Transportation laptop stolen from a government vehicle in July.&lt;br /&gt;&lt;br /&gt;So how should you react if this happens to you? Are you at risk if your data is exposed? What can you do to protect yourself? To answer these questions, begin by examining any information you have about the exposure. 
For example, here's what Vystar said about that incident: "Vystar has no indication that the stolen data has been used or will be used for identity theft or fraud."&lt;br /&gt;&lt;br /&gt;Fortunately, you don't need to be a computer security expert to see through that one. Your first clue that this is not a very reassuring statement is how the data was exposed. According to Vystar's own report, hackers stole it. These days, that is not good. In the good old days of mainframes and early personal computers the term "hacker" did not necessarily mean someone who broke the law, more like someone who broke into the technology just to see how it worked. Hacker today can mean someone who steals bank records, either for their own nefarious purposes, or for resale to someone even more nefarious. There is a thriving black market in identity data. Organized crime is a big player in that market.&lt;br /&gt;&lt;br /&gt;Even if your data was on a computer stolen at random, which may be the case with the stolen VA laptop and hard drive, you need to be wary of assurances that "there is no indication the data has been used for identity theft." Any computer security professional would want to add the word "yet" to that statement. After all, how can you tell if the data has been used? The beauty of all things digital is that they can be copied over and over without any indication that they have been copied. A data thief seldom erases the data, just lifts a copy so you are none the wiser.&lt;br /&gt;&lt;br /&gt;Another assurance that bears closer inspection is this one, as seen in the VA letter: "Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents." Well, contrary to the VA's claims in the letter, the VA employee had been taking home the same sort of data for years, with permission. 
This implies that someone could indeed have targeted the data; but even if they didn't, your average thief today probably knows a thing or two about computers. Imagine getting that computer home and finding all that data. Knowing that it could be worth dollars per record might tempt a common burglar to branch out into data trafficking.&lt;br /&gt;&lt;br /&gt;At this point you might be wondering what happened to all the marvelous computer security technology you see in movies: passwords, fingerprints, encryption. These are not science fiction. They exist and they are relatively effective, cheap, and easy to use. The reality is that they are not used nearly as much as they should be. One way you can tell is to read between the lines of an "exposure" announcement. The VA made no mention of passwords; the Department of Transportation did. You can bet the DOT data was password protected, the VA data was not.&lt;br /&gt;&lt;br /&gt;So what can you do when your data is exposed by one of these incidents? The first step is to take advantage of any resources provided by the "breachee," the entity whose security was breached, thus leading to the exposure. For example, VyStar has provided a lot of information about Internet security on its web site. In addition, it has said it will provide identity theft protection to all those affected by the breach. This is a smart move because it helps to limit the company's exposure to damage claims. Several years ago I provided testimony in a class action suit brought by another group of military personnel whose data was exposed as a result of the TriWest security breach in Arizona. The victims were seeking to force TriWest to pay for identity theft protection. 
As far as I know the case is still unresolved, but the security lapse has already cost TriWest several million dollars.&lt;br /&gt;&lt;br /&gt;The primary defensive action you can take, regardless of what the breachee does, is place a temporary fraud alert on your credit bureau account. This should alert you to anyone trying to open new accounts in your name. To place an alert contact one of the three main agencies: Equifax (www.equifax.com or 800-525-6285); Experian (www.experian.com or 888-397-3742); TransUnion (www.transunion.com or 800-680-7289). The alert is free, good for 90 days, and may get you a free credit report. In fact, getting a credit report on yourself is a good all-round defensive measure, even if your data has not, to your knowledge, been exposed. If it has been more than 12 months since you saw your credit report, check it out, via the contacts above, to make sure it contains no surprises.&lt;br /&gt;&lt;br /&gt;None of this implies that the party whose inadequate security made the exposure possible is off the hook. The VA is currently under pressure to improve security and do more for the victims. You can learn more at www.firstgov.gov/veteransinfo.shtml. Sadly, if you visit the site created to keep vets informed about the May incident, you are greeted by news of an August incident. That's right, another computer went missing, this time exposing the insurance records of tens of thousands of vets.&lt;br /&gt;&lt;br /&gt;Is there any good news? Well, I can say that the VA/VyStar victim I know has not received a third letter, yet. I'd like to say I see light at the end of the tunnel but, based on my 25 years of work against computer fraud and abuse, I don't. So be prepared to act in defense of your identity, keep abreast of new incidents, and cast a critical eye over any letters you receive. 
I'm afraid more of us will be over-exposed before things get better.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2843549990607308599?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2843549990607308599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2843549990607308599' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2843549990607308599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2843549990607308599'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/more-va-data-at-risk-reminds-me-of-last.html' title='More VA Data At Risk? Reminds me of last summer'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7462855869765401781</id><published>2007-02-02T11:49:00.000-05:00</published><updated>2007-02-02T13:03:04.083-05:00</updated><title type='text'>What's Up With Dataflation?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/RcN8gFcTI6I/AAAAAAAAAHg/6u49i3l6grk/s1600-h/money_glb.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/RcN8gFcTI6I/AAAAAAAAAHg/6u49i3l6grk/s320/money_glb.gif" alt="" 
id="BLOGGER_PHOTO_ID_5026998499734135714" border="0" /&gt;&lt;/a&gt;A few years ago I coined the term 'dataflation' in an effort to focus attention on the possible negative effects of widespread exposure of personally identifiable information (PII, like name, address, Social Security number, mother's maiden name, pet's name, credit card number, and so on). My thinking had been pointed in this direction by the &lt;a href="http://cobb.com/articles/dataflation.htm"&gt;large number of security breaches in the first half of 2005&lt;/a&gt; and the massive amount of PII that they exposed (66 million records).&lt;br /&gt;&lt;br /&gt;Plenty of people were focused on the immediate effects of this phenomenon and the media paid attention. We saw articles on What to do if it happens to you. How to protect your identity online. What companies should do to prevent such breaches. A lot of good advice was dispensed and recent figures show it &lt;a href="http://news.zdnet.com/2100-1009_22-6155277.html"&gt;might be having a positive effect&lt;/a&gt;. (Remember: "The best weapon with which to defend information is information.")&lt;br /&gt;&lt;br /&gt;However, there was no immediate sign of improvement during 2005 and I continued to focus on the cumulative rather than individual effects. What would these exposures mean to the current and future value of information? How would this impact trust within society? What would be the effect on commerce, particularly e-commerce? And what effect does trust have on growth? (There are indications that more trust = stronger  GDP growth, starting perhaps with the 1997 paper by Knack and Keefer, click &lt;a href="http://www.mitpressjournals.org/doi/abs/10.1162/003355300555475?"&gt;here for a list of articles&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;To me it seemed like there had to be some sort of inflationary effect on personal data, hence data-flation. 
Perhaps, I wondered, the more bits of personal data pertaining to you that are known by everyone, the less value each piece of that personal data would have, notably when it comes to authenticating you, to a system, a merchant, a bank, a government agency, and so on.&lt;br /&gt;&lt;br /&gt;My &lt;a href="http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1121599,00.html?track=NL-358&amp;ad=530198USCA"&gt;article for TechTarget on the subject of dataflation&lt;/a&gt; was published in October, 2005. Then I witnessed the massive exposures in early 2006 which included the 28.6 million veterans (including a friend of mine who was also 'exposed' at the same time by his credit union). So I continued to think about dataflation. When I was invited to speak at Interop Moscow I chose it as the topic of &lt;a href="http://cobbassociates.com/slides.html"&gt;my presentation&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Then a strange thing happened. In the Q&amp;amp;A session after my presentation, one member of the audience told me that you could find just about any data about anyone in Russia on the streets of Moscow, sold on CD. Unfortunately, I didn't have enough time or Russian to go and buy any of these CDs, but several people confirmed that large numbers of records were sold to these street-level data vendors by employees of various government agencies. We did not have enough time for a protracted discussion, and there was something of a language barrier, but I think I sensed an implied statement: "Our data is hopelessly exposed and our society/government/economy is not crumbling."&lt;br /&gt;&lt;br /&gt;Now, I am not an expert on the Russian economy, but I think one could argue it is not doing as well as it might. One might further suggest that a lack of trust is one reason, although proving this statement is probably an entire masters or even doctoral thesis. Furthermore, I am open to pondering that implication. 
Maybe dataflation won't happen and everything will work out. It's just that, when you look at a compilation of the ever-increasing numbers, such as this &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;amazing table at Privacy Rights Clearing House&lt;/a&gt;, it is hard to believe we are on the right track.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7462855869765401781?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7462855869765401781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7462855869765401781' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7462855869765401781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7462855869765401781'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/02/whats-up-with-dataflation.html' title='What&apos;s Up With Dataflation?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0x-_F8jtyJQ/RcN8gFcTI6I/AAAAAAAAAHg/6u49i3l6grk/s72-c/money_glb.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-186575958036888224</id><published>2007-01-24T18:09:00.000-05:00</published><updated>2007-01-26T17:42:21.553-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Windows Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='dst'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows XP'/><title type='text'>What's Next next? A new time for Daylight Saving Time</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RbfnejxbaLI/AAAAAAAAAG8/795SSWXiWqo/s1600-h/alarmclock.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/RbfnejxbaLI/AAAAAAAAAG8/795SSWXiWqo/s200/alarmclock.jpg" alt="" id="BLOGGER_PHOTO_ID_5023738421539727538" border="0" /&gt;&lt;/a&gt;Just a quick post to point out the change in DST this year which will require some systems to be patched. I have some tech details over on &lt;a href="http://cobbontech.blogspot.com/"&gt;Cobb on Tech&lt;/a&gt;. From a security perspective, the possibility exists that someone could exploit mis-matches between systems that correctly auto-update time on 3/11/2007 and those that do not (mis-match being the non-technical term for who-knows-what-kind-of-synchronization-errors). 
One area to watch [apologies for the pun] will be access control devices for both perimeter and system security.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-186575958036888224?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/186575958036888224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=186575958036888224' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/186575958036888224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/186575958036888224'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/01/whats-next-next-new-time-for-daylight.html' title='What&apos;s Next next? A new time for Daylight Saving Time'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_0x-_F8jtyJQ/RbfnejxbaLI/AAAAAAAAAG8/795SSWXiWqo/s72-c/alarmclock.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2846989385970832200</id><published>2007-01-21T11:52:00.000-05:00</published><updated>2007-05-07T18:31:39.029-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><title type='text'>Much Anticipated Brussin Blog Now Online</title><content type='html'>Attention all serious blog readers! 
There's a new tech blog on the block and I'm betting it will become a "must-read" for anyone serious about Web 2.0, Business 2.0, and the whole intersection of technology and business. The blog is called "What Comes Next" and the blogger is David Brussin.&lt;br /&gt;&lt;br /&gt;While David Brussin might not be a household name in high tech households, I would add the caveat "yet."  I've been in the high tech field for over 25 years and have yet to encounter a sharper mind than Brussin's. It was no coincidence that he was named to the &lt;a href="http://www.symantec.com/press/2004/n040920a.html"&gt;2004 list of the world's 100 Top Young Innovators&lt;/a&gt; by &lt;span style="font-style: italic;"&gt;Technology Review&lt;/span&gt;, MIT's Magazine of Innovation. Brussin has that rare combination of a. technical brilliance (he was building serious commercial networks before he graduated from high school) and b. business acumen (he had co-founded two successful startups before he was thirty, and both were snapped up by public companies).&lt;br /&gt;&lt;br /&gt;Then there is c. he is very articulate. So, not only does Brussin come up with valuable and sometimes highly complex insights, he can put them into full sentences that are easily understood. Now, you sometimes meet people who have a or b or c. Occasionally you meet people with two of the three, but rarely do you encounter someone who has all three AND a sense of humor AND above average scores in tact and diplomacy.&lt;br /&gt;&lt;br /&gt;So check out &lt;a href="http://whatcomesnext.brussin.com/"&gt;Brussin's blog&lt;/a&gt;. 
I hope you find it as interesting as I do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2846989385970832200?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2846989385970832200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2846989385970832200' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2846989385970832200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2846989385970832200'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/01/much-anticipated-brussin-blog-now.html' title='Much Anticipated Brussin Blog Now Online'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-3001317902917703838</id><published>2007-01-18T12:07:00.000-05:00</published><updated>2007-05-07T18:28:40.866-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='incident management'/><category scheme='http://www.blogger.com/atom/ns#' term='due diligence'/><category scheme='http://www.blogger.com/atom/ns#' term='business continuity'/><title type='text'>Small Business Continuity Gets a Boost: IMCD from ContingenZ</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/Ra-zyIxMYfI/AAAAAAAAAGI/vZjOHpIf1rk/s1600-h/fileslost.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/Ra-zyIxMYfI/AAAAAAAAAGI/vZjOHpIf1rk/s400/fileslost.jpg" alt="" id="BLOGGER_PHOTO_ID_5021429783470039538" border="0" /&gt;&lt;/a&gt;What if you could buy a large amount of expert advice on how to keep your business running despite everything that fate throws at you? Want to learn how? Read on...&lt;br /&gt;&lt;br /&gt;Everyone knows that small businesses are the true powerhouse of free market economies, whether in the US, the UK, the EU, or beyond. Most people also know that the failure rate of small businesses is very high. What a lot of people don't realize is that many of those failures could be avoided if only small businesses did a little more advance planning. This fact gets lost in the seemingly endless array of factors that adversely impact small businesses: fire, flood, wind damage, snow days, power outage, earthquake, employee theft, virus outbreaks (biological and digital), hacking, abrupt departure of key employee(s), prolonged office evacuation due to nearby toxic spill, over-eager customer driving through the front window and mowing down the file server, unexpected incarceration of treasurer, public relations snafus. All of these happen and it is hard to predict when (you don't have to believe in global warming to know that the weather has been mighty unpredictable and frequently severe in recent years).&lt;br /&gt;&lt;br /&gt;But all of these things have something in common: they are incidents, and incidents can be managed. Hence the art and science of Incident Management. One of the finest practitioners of this art is my friend Michael Miora who started &lt;a href="http://www.contingenz.com/"&gt;a company called ContingenZ&lt;/a&gt;. 
The idea was that he couldn't be in two places at once, and there just aren't enough incident management experts to go around, meaning that smaller businesses couldn't afford to hire one. So why not distill his expertise into a piece of software that any business owner or manager can use to create an incident management plan and business continuity strategy precisely tailored to the specific needs of the company?&lt;br /&gt;&lt;br /&gt;And that is what Michael Miora has done, working with someone I also know quite well, Mike Cobb. Both Mike and Michael are CISSPs with a ton of experience in business management and data security. The product they came up with, IMCD, is now available in two versions. The more expensive Pro version is suitable for larger companies (and some very large companies are using it right now). The &lt;a href="http://biz.yahoo.com/prnews/070118/lath043.html?.v=83"&gt;brand new&lt;/a&gt; and considerably less expensive Small Business Edition is ideal for small firms. What is more, businesses large and small can download &lt;a href="http://www.contingenz.com/IMCD-Download.htm"&gt;a trial copy of IMCD to check it out&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/Ra-yNYxMYeI/AAAAAAAAAGA/QP1xr5hIDUI/s1600-h/documents.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/Ra-yNYxMYeI/AAAAAAAAAGA/QP1xr5hIDUI/s320/documents.jpg" alt="" id="BLOGGER_PHOTO_ID_5021428052598219234" border="0" /&gt;&lt;/a&gt;This is a product that could literally save your business and it may well make you a ton of money even if--fingers crossed--you never have a single incident to deal with. How? Consider what happened to one of IMCD's first customers, a small firm specializing in shipping antiques that was in the running to get a big fat contract from a major shipping company. 
Like many big companies establishing new vendors, this one was doing due diligence. Did the small company have a business continuity plan? Yes, replied the small company. Can we see it? asked the big company. Umm, yes, well, it is sort of...informal, replied the small company. No formal plan, no big contract. And so the small company used IMCD to formally document its business continuity plan in a complete set of highly professional documents automatically generated by the software.&lt;br /&gt;&lt;br /&gt;Result, the company that bought IMCD got the contract. And should anything ever happen to disrupt their business they are well placed to "keep on trucking." Scobb says "Check it out!"&lt;br /&gt;&lt;br /&gt;[Disclaimer: I don't own stock in this company. Even if you buy a zillion licenses to IMCD I won't get a single penny. On the other hand you will make two of my friends very happy.]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-3001317902917703838?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/3001317902917703838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=3001317902917703838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3001317902917703838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/3001317902917703838'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/01/small-business-continuity-gets-boost.html' title='Small Business Continuity Gets a Boost: IMCD from ContingenZ'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/Ra-zyIxMYfI/AAAAAAAAAGI/vZjOHpIf1rk/s72-c/fileslost.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6284702254991268737</id><published>2007-01-15T16:13:00.000-05:00</published><updated>2007-05-07T18:30:10.459-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='gotchas'/><category scheme='http://www.blogger.com/atom/ns#' term='adobe acrobat'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Prairie Dogs and Information Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ucsusa.org/assets/images/scientific_integrity/esa-white-tailed-sm.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px;" src="http://www.ucsusa.org/assets/images/scientific_integrity/esa-white-tailed-sm.jpg" alt="" border="0" /&gt;&lt;/a&gt;I have blogged elsewhere about the &lt;a href="http://cobbonpolitics.blogspot.com/2006/12/government-messing-with-science-to-z.html"&gt;Bush administration's interference with science&lt;/a&gt;. In the Union of Concerned Scientist's great catalog of these crimes against reason there's an interesting example of why it is important that everyone learn the basics of information security. 
The example concerns the &lt;a href="http://www.ucsusa.org/scientific_integrity/interference/endangered-species-act-interference.html"&gt;white-tailed prairie dog&lt;/a&gt; (aww shucks, ain't he cute y'all).&lt;br /&gt;&lt;br /&gt;The scientists claim that Julie MacDonald, of the Mountain Prairie Regional Office of the Fish and Wildlife Service, "directly tampered with a scientific determination by FWS biologists that the white-tailed prairie dog could warrant Endangered Species Act protection, and further, prevented the agency from fully reviewing the animal's status." A strong allegation. Any proof? How about Microsoft Word "track changes" edits? Yep, when you go altering reports written in Word you best be careful. Word tries hard not to forget. &lt;a href="http://www.ucsusa.org/assets/documents/scientific_integrity/White-Tailed-Prairie-Dog.pdf"&gt;Check out the detailed sample here&lt;/a&gt;, illustrated in a pdf file that shows just what the changes were. As evidence of the scientists' claims I think the phrase that comes to mind is "dead to rights."&lt;br /&gt;&lt;br /&gt;And change tracking is not the only way that Word coughs up secrets. Ever open a Word doc with Notepad or TextPad (which happens to be &lt;a href="http://www.textpad.com/"&gt;my favorite text editor&lt;/a&gt;)? You may well find stuff that doesn't appear in the document itself, stuff you thought you had deleted. Similar problems can occur if you are &lt;a href="http://en.wikipedia.org/wiki/Sanitization_%28classified_information%29#_note-0"&gt;careless with Adobe Acrobat documents&lt;/a&gt;. 
See a great example of the Word issue (involving Tony Blair, Colin Powell, and the war on Iraq) on Richard Smith's fascinating &lt;a href="http://www.computerbytesman.com/privacy/blair.htm"&gt;Computer Bytes Man site&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The point here is that companies using Word or Adobe documents to store and distribute information need to know exactly how those programs work so those documents don't store any information that you would prefer to keep secret.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6284702254991268737?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6284702254991268737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6284702254991268737' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6284702254991268737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6284702254991268737'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/01/prairie-dogs-and-information-security.html' title='Prairie Dogs and Information Security'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-479016704025505793</id><published>2007-01-02T10:24:00.000-05:00</published><updated>2007-05-07T18:34:39.242-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Windows Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='risk displacement'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows NT'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows XP'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Divining the Devilish: Factors affecting the future of Microsoft Vista</title><content type='html'>Having &lt;a href="http://scobbs.blogspot.com/2006/12/whole-new-security-vista-theres-target.html"&gt;previously complained about a lack of "compare and contrast" coverage of Vista&lt;/a&gt; versus prior Microsoft operating systems, I feel I should weigh in with a little C&amp;C of my own (with the caveat that this is a blog, not a white paper, so you won't be getting footnotes and fancy formatting—those cost extra).&lt;br /&gt;&lt;br /&gt;We know that Vista will be attacked by hackers of all stripes. Only time will tell how well Vista resists attack. One thing to look for in the months to come is the emergence of any "class of vulnerabilities." These are not fragile students, but problems of similar type, for example, memory leaks or buffer overflows. You don't need to get too technical to spot this. Just watch for a Vista hack to be revealed and then patched, only to be followed by news of another hack via a minor variation on the previous technique. This would strongly suggest that code review has not been rigorous enough, and could well presage the sort of rolling patch situation we are in with XP and Office products. Painful as that patch situation is, the early emergence of evidence that Vista is going to be in the same boat will further discourage adoption.&lt;br /&gt;&lt;br /&gt;And herein lies one of the variables that emerge from a C&amp;amp;C: rate of adoption. 
When Windows NT was first released it attracted very little attention from hackers (defined as people who like to pick things apart, for a range of reasons). They were heavy into UNIX back then because if you wanted to explore big and interesting networks, UNIX was the OS you would most likely encounter (if you wanted to do more than explore, the money was also in UNIX and/or mainframes). This created a false aura of security around NT. While UNIX hacks were being announced all the time, NT was relatively--albeit temporarily--unscathed.&lt;br /&gt;&lt;br /&gt;But two things happened to change that. One was considered a success for Microsoft, growing adoption of NT in corporate America, as well as the government, the military, and colleges. The other was considered a success for the PC world: the widespread availability of cheap CD-ROM drives and CD-burners. No longer did you need a foot high stack of floppies to install or steal NT. Just a thin, slim, light and easy to conceal CD. Around the 1996-98 time frame you could buy a pirated NT CD for a couple of bucks in Hong Kong or get someone to burn you a copy. I remember the first DefCon at which hackers started getting excited about NT. Part of that excitement came from the simple fact that NT was accessible. You could get at it in order to play with it.&lt;br /&gt;&lt;br /&gt;So, two factors to consider for Vista are: ease of piracy and extent of adoption. Today we have much faster pipes down which to stuff pirated code and DVD-burners are standard equipment. The strength of Vista's copy protection will be a factor (&lt;a href="http://apcmag.com/node/4769"&gt;one that is already under concerted attack&lt;/a&gt;). As to adoption: the very thing that Wall Street analysts are mumbling with foreboding--slower than hoped for Vista upgrading--could work to Microsoft's advantage. Several classes of hacking activity are all about the installed base (c.f. 
first Word macro virus of 1995 after Word doc format had become de facto standard).&lt;br /&gt;&lt;br /&gt;But we must also contrast as well as compare, and the landscape of computer abuse today is much different from what it was a few years ago, most notably it is &lt;a href="http://news.bbc.co.uk/2/hi/technology/6198113.stm"&gt;better-funded and more criminally-inclined&lt;/a&gt;. That will serve to negate the copy protection obstacles. Suppose you're a criminal who expects most banking systems to be Vista-based by oh-eight. Spending some serious money on cracking Vista in oh-seven might strike you as a good investment (and like they say, anyone who thinks organized crime doesn't make investments hasn't been to Vegas).&lt;br /&gt;&lt;br /&gt;However, the most helpful history lesson at this juncture may well be that of "&lt;a href="http://scobbs.blogspot.com/2006/09/risk-displacement-and-hardware-viruses.html"&gt;risk displacement&lt;/a&gt;" (also &lt;a href="http://www.cobb.com/help/art-spammmc.htm"&gt;discussed here&lt;/a&gt;). Even if Vista holds up well in the face of concerted attacks and provides greater protection to users against some forms of information abuse, the level of effort expended to abuse information is unlikely to go down. Not to be flippant, but it is likely to go &lt;span style="font-style: italic;"&gt;around&lt;/span&gt;. Improved technical controls typically lead to more concerted social engineering attacks (you put a password on the system, the attacker gets the user to reveal the password, and so on).&lt;br /&gt;&lt;br /&gt;Just so we are clear, this is NOT the fault of Microsoft. This is the fault of human beings in general--flawed creatures that we are--and the failure of countries around the world to elicit better standards of behavior from their citizens. What would be wrong of Microsoft would be to foster the notion that Vista will somehow make the world a safer place for computing. 
With three "most secure yet" operating systems under its belt, and IT security spending at all time highs, Microsoft has to know that things are still not very safe out there.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-479016704025505793?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/479016704025505793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=479016704025505793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/479016704025505793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/479016704025505793'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2007/01/divining-devilish-factors-affecting.html' title='Divining the Devilish: Factors affecting the future of Microsoft Vista'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5348359233871864676</id><published>2006-12-30T22:07:00.000-05:00</published><updated>2007-01-02T11:38:22.473-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='criminal hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><category scheme='http://www.blogger.com/atom/ns#' term='bill gates'/><title type='text'>Told You So: Spam surge drives net crime spree</title><content type='html'>No, it's not my 
imagination: Spam is on the rise and &lt;a href="http://news.bbc.co.uk/2/hi/technology/6198113.stm"&gt;criminals are to blame&lt;/a&gt;. Brings new irony to the phrase "there ought to be a law against it" and deeper irony to Bill Gates' promise that &lt;a href="http://cobb.com/spam/index.html"&gt;spam will be solved in 2006&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;p.s. Wonder why it's spam and not SPAM but sometimes Spam? &lt;a href="http://www.spam.com/ci/ci_in.htm"&gt;Get the official word here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5348359233871864676?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5348359233871864676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5348359233871864676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5348359233871864676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5348359233871864676'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/told-you-so-spam-surge-drives-net-crime.html' title='Told You So: Spam surge drives net crime spree'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4024041878518992707</id><published>2006-12-27T13:03:00.000-05:00</published><updated>2007-01-02T10:24:29.937-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='information technology'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Whole New Security Vista? There's a target painted on new Microsoft OS</title><content type='html'>"Hi-tech criminals are looking forward to the consumer release of Windows Vista, say security experts." &lt;a href="http://news.bbc.co.uk/2/hi/technology/6198121.stm"&gt;BBC News&lt;/a&gt;. Why? Because it presents new opportunities, new possibilities for abuse.&lt;br /&gt;&lt;br /&gt;"What?" you say, "surely this is the 'most secure version of Windows yet.'" (&lt;a href="http://www.microsoft.com/athome/security/update/windowsvista.mspx"&gt;As proclaimed by Microsoft&lt;/a&gt;.) According to the BBC article, if new features won't get you to upgrade to Vista, security enhancements should, says the co-president of Microsoft's platform, products and services division, Jim Allchin. Vista will still be worth getting, thanks to its better defenses against phishing attacks, spyware and other malicious code, Allchin told the BBC. "Safety and security is the overriding feature that most people will want to have Windows Vista for."&lt;br /&gt;&lt;br /&gt;Unfortunately, lack of historical perspective is widespread in the marketing sector of the IT industry, and too often it spreads to the media that covers IT. Where are the articles that compare and contrast the claims for Vista with those made for Windows NT, which was also claimed to be the most secure version of Windows yet, as was XP Professional? 
(Notice a pattern here?)&lt;br /&gt;&lt;br /&gt;Believe it or not, I have some sympathy for Microsoft at this point because it is faced with a three-pronged dilemma (and we all know those three-prongers can be painful). Here are the three in play at the moment:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Claiming that something is the "most secure ever" is like painting a target on it. I recall arguing against the launch of a web security certification program back in about 1996 for this very reason. Hackers were big into defacing web pages at the time and locking down a site was pretty difficult with the tools available. So putting a "Certified Secure" sticker on the home page would have been a red rag to a herd of hackers.&lt;/li&gt;&lt;li&gt;But Microsoft had to claim Vista was the most secure ever because there don't seem to be enough other new things in the OS to warrant paying the asking price for the upgrade.&lt;/li&gt;&lt;li&gt;But Microsoft is a huge company and [IMHO] it is hard for huge companies to achieve excellence in anything, particularly where there are competing goals.&lt;/li&gt;&lt;/ol&gt;And writing secure code is a major case of competing goals. The whole thrust of computing over the last 25 years has been broader, faster, smoother access to data, often using cutting edge tools. Security is all about tried and tested tools and roadblocks, not for the sheer joy of being obstreperous--for example, in the manner of Dilbert's 'Mordac the Preventer' character--but due to the classic dichotomies between "free &amp; open" versus "safe &amp;amp; secure," and so on.&lt;br /&gt;&lt;br /&gt;At the turn of the year it is always interesting to consider what the future holds. Will Vista be a boon or a boondoggle? 
Developments on the security front will likely be the deciding factor.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4024041878518992707?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4024041878518992707/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4024041878518992707' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4024041878518992707'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4024041878518992707'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/whole-new-security-vista-theres-target.html' title='Whole New Security Vista? There&apos;s a target painted on new Microsoft OS'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-8023408771273709204</id><published>2006-12-21T09:09:00.000-05:00</published><updated>2006-12-27T17:41:34.287-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ucla hack'/><category scheme='http://www.blogger.com/atom/ns#' term='usc hack'/><category scheme='http://www.blogger.com/atom/ns#' term='crack'/><category scheme='http://www.blogger.com/atom/ns#' term='drug sentence'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><title type='text'>California Hacking on Such a Winter's Day: USC hacker sentence after UCLA 
hack</title><content type='html'>I thought the juxtaposition of these two stories was interesting, on the 12th and 21st of December:&lt;br /&gt;&lt;a href="http://weblog.signonsandiego.com/news/education/20061212-0643-university-datatheft.html"&gt;UCLA warns 800,000 people that hacker gained access to their personal information&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.signonsandiego.com/news/metro/20061221-1738-cnshacker.html"&gt;USC hacker sentenced to 6 months of home detention&lt;/a&gt;&lt;br /&gt;Now add this November nugget to the mix:&lt;br /&gt;&lt;a href="http://searchsmb.techtarget.com/originalContent/0,289142,sid44_gci1230148,00.html?track=NL-382&amp;ad=569583&amp;amp;asrc=EM_NLN_740344&amp;amp;uid=629145"&gt;Rising cost of data security breaches: $182 per record&lt;/a&gt;&lt;br /&gt;Now consider this: the June 2005 breach of USC's online student application system compromised 275,000 records and caused the university to shut down the site for 10 days and the perp gets 6 months home detention. But if the cops had found one twentieth of an ounce of crack on the guy he would be going to jail for a minimum of five years. 
Somehow, something is screwed up here.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-8023408771273709204?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/8023408771273709204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=8023408771273709204' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8023408771273709204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/8023408771273709204'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/califronia-hacking-on-such-winters-day.html' title='California Hacking on Such a Winter&apos;s Day: USC hacker sentence after UCLA hack'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-4817150048775313996</id><published>2006-12-16T17:03:00.000-05:00</published><updated>2006-12-27T12:12:58.776-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='internet explorer 7'/><category scheme='http://www.blogger.com/atom/ns#' term='tabbed browsing'/><category scheme='http://www.blogger.com/atom/ns#' term='senility'/><category scheme='http://www.blogger.com/atom/ns#' term='ie7'/><title 
type='text'>Internet Explorer 7 User Interface Fiasco: Am I nuts or not?</title><content type='html'>As astute readers will have surmised, I'm in my mid-fifties. At this time in a person's life it's not unusual to wonder, from time to time: Am I going soft in the head? For me, one of those times was my first use of IE7. Here is a little bit of what the program looked like when I installed it. Astute observers will observe there is no menu bar (File-Edit-View -etc.).&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RZKdmdv4whI/AAAAAAAAAD4/Ja2meWNjAGs/s1600-h/ie7b.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RZKdmdv4whI/AAAAAAAAAD4/Ja2meWNjAGs/s320/ie7b.jpg" alt="" id="BLOGGER_PHOTO_ID_5013242619362853394" border="0" /&gt;&lt;/a&gt;Because web browsing is now the thing I do the most on my computer--actually writing within the web browser as I am right now--I like to place my browser controls in a particular configuration. And I like some sort of consistency. So I set to work on IE7. I found you can get the old menu bar to show up, but the process is a pain. Furthermore, any further configuration hits the wall pretty quick. For example, the IE7 toolbars won't move, for me. This was so unexpected that I thought for sure my senile dementia was setting in. There I was, clicking and dragging and nothing was happening. In fact, the default UI is such a big departure from a. the norm, b. common sense, I deduced that, because I couldn't 'fix' it, I must be losing my marbles.&lt;br /&gt;&lt;br /&gt;But no! It is Redmond that has lost its marbles on this one. How do I know? Another &lt;a href="http://www.blogoffusion.com/index.cfm/2006/8/25/IE-7--Dont-like-it"&gt;blog came to my rescue&lt;/a&gt;. I found this "Blog of Fusion" and began reading. Phew! It wasn't just me. 
Others were having the same "issues."&lt;br /&gt;&lt;br /&gt;What had me really scared--before I found that blog--was an illustration in an &lt;a href="http://www.microsoft.com/windows/ie/community/columns/ie7_toolbar.mspx"&gt;article at microsoft.com&lt;/a&gt;. See that "Classic Menu" option? I couldn't find that in my copy of IE7, as shown below. Then I noticed the article was published in June. I had installed the 'shipping' version of IE7 in December. This seems to be evidence that Microsoft--at one point in the Beta--allowed what the shipping version does not allow.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.microsoft.com/library/media/1033/windows/ie/images/community/columns/68709_toolbars.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://www.microsoft.com/library/media/1033/windows/ie/images/community/columns/68709_toolbars.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Check out the screen shots. My version of IE7 doesn't allow me to drag toolbars like the article shows. Seems they must have ditched this stuff during the final build and, with breezy indifference, failed to correct their own web site. BTW, that page at microsoft.com is the top result if you Google: internet explorer 7 toolbar customize.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RZKj7dv4wiI/AAAAAAAAAEA/LuogkMWrXmU/s1600-h/ie7a.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RZKj7dv4wiI/AAAAAAAAAEA/LuogkMWrXmU/s320/ie7a.jpg" alt="" id="BLOGGER_PHOTO_ID_5013249577209872930" border="0" /&gt;&lt;/a&gt;So, can you imagine how many thousands of people around the planet are going to a. try to customize the IE7 toolbar, b. get stuck, c. Google to that page, d. 
waste hours resolving the resulting contradictions?&lt;br /&gt;&lt;br /&gt;I mean no offense to the poor microserf who wrote that stuff--he probably asked them to take it down and they didn't. When I was a Microsoft Vendor, everyone that I met in Redmond seemed smart, pleasant, and very earnest, but also out of touch with reality. And the entities to which they reported within the organization were more than a little messed up. In short, a classic example of how a bunch of smart, well-intentioned people can add up to a dumb bunch of decisions. (We are seeing another of these dumb decisions play out right now: "Improved security is the raison d'etre for the next expensive Windows upgrade.")&lt;br /&gt;&lt;br /&gt;One specific criticism of IE7 that I haven't seen elsewhere is that the row for the tabs of the new tabbed browsing feature (a feature that got me using Firefox as my main browser several years ago) seems to be fixed on the same line as the main buttons. This gives decidedly less space to the tabs than you have in Firefox. Also, if you remove the traditional menu, the View command is gone. There is no button for it. 
So the only way to get the traditional View menu item back is a right click in a select area of the tab/button bar.&lt;br /&gt;&lt;br /&gt;Makes no sense to me, and thanks to fellow bloggers, I'm pretty sure I'm not senile, yet.&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-4817150048775313996?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/4817150048775313996/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=4817150048775313996' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4817150048775313996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/4817150048775313996'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/internet-explorer-7-user-interface.html' title='Internet Explorer 7 User Interface Fiasco: Am I nuts or not?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/RZKdmdv4whI/AAAAAAAAAD4/Ja2meWNjAGs/s72-c/ie7b.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-9051957373626571491</id><published>2006-12-13T13:51:00.000-05:00</published><updated>2006-12-13T13:55:04.387-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cobb'/><category 
scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='cobb.com'/><title type='text'>Need Help With Computer Security? Check cobb.com</title><content type='html'>Just a quick reminder that you can find a bunch of free articles about computer security at the &lt;a href="http://www.cobb.com/help/index.htm"&gt;cobb.com web site&lt;/a&gt;. Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-9051957373626571491?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/9051957373626571491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=9051957373626571491' title='16 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9051957373626571491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/9051957373626571491'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/need-help-with-computer-security-check.html' title='Need Help With Computer Security? 
Check cobb.com'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>16</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-6048910785194318448</id><published>2006-12-13T11:33:00.000-05:00</published><updated>2007-05-07T18:33:03.345-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dare not walk alone'/><category scheme='http://www.blogger.com/atom/ns#' term='secure society'/><title type='text'>Note This Blog: Dare Not Walk Alone is now with THINKFilm</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RYA8UdtWUhI/AAAAAAAAACY/WNG1uSdM-0M/s1600-h/dnwa.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/RYA8UdtWUhI/AAAAAAAAACY/WNG1uSdM-0M/s200/dnwa.jpg" alt="" id="BLOGGER_PHOTO_ID_5008069107905876498" border="0" /&gt;&lt;/a&gt;The civil rights film that I have been involved with for the past few years, Dare Not Walk Alone, is making progress!&lt;br /&gt;&lt;br /&gt;A major update on the film and related projects, like the campaign to rebuild the house at 521 North Woodlawn that was featured in the film,   has just been posted on the &lt;a href="http://darenotwalkalone.blogspot.com/"&gt;Dare Not Walk Alone blog&lt;/a&gt;. 
Check it out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-6048910785194318448?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/6048910785194318448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=6048910785194318448' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6048910785194318448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/6048910785194318448'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/note-this-blog-dare-not-walk-alone-is.html' title='Note This Blog: Dare Not Walk Alone is now with THINKFilm'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_0x-_F8jtyJQ/RYA8UdtWUhI/AAAAAAAAACY/WNG1uSdM-0M/s72-c/dnwa.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7031006659071475187</id><published>2006-12-11T13:04:00.000-05:00</published><updated>2006-12-11T13:18:11.184-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='other cobb blogs'/><category scheme='http://www.blogger.com/atom/ns#' term='blogs of note'/><title type='text'>Blogs of Note: I guess scobb's non-blog made it</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_0x-_F8jtyJQ/RX2g0J55GuI/AAAAAAAAABg/JzVfDDWwjAo/s1600-h/scobb1206f.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_0x-_F8jtyJQ/RX2g0J55GuI/AAAAAAAAABg/JzVfDDWwjAo/s200/scobb1206f.jpg" alt="" id="BLOGGER_PHOTO_ID_5007335178578238178" border="0" /&gt;&lt;/a&gt;Apparently there is something called "&lt;a href="http://blogsofnote.blogspot.com/"&gt;Blogs of Note&lt;/a&gt;" and this blog was listed there today. Not sure how much of an achievement that is, but thanks to anyone who might be responsible. I write mainly for my own sanity, but it's encouraging to think some people are reading what I write. To that end may I shamelessly plug some of the other blogs I have been building. They are not all in full flow yet, but getting there.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://scobbrules.blogspot.com/"&gt;scobb's rules (free advice in general)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cobbontech.blogspot.com/"&gt;Cobb on Tech (mostly IT)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://privacythink.blogspot.com/"&gt;Thoughts About Privacy&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cobbonmoney.blogspot.com/"&gt;Cobb on Money&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cobbonpolitics.blogspot.com/"&gt;Cobb on Politics&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cobbonae.blogspot.com/"&gt;Cobb on Arts &amp;amp; Entertainment&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cobbon.blogspot.com/"&gt;Cobb on...(all the other stuff)&lt;/a&gt;&lt;/li&gt;  &lt;/ul&gt;Obviously, the idea is to group my posts around subject matter. Hopefully it is not too ambitious. Time will tell. 
I think scobb's non-blog will continue to be the place that I put my thoughts on security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7031006659071475187?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7031006659071475187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7031006659071475187' title='20 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7031006659071475187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7031006659071475187'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/blogs-of-note-i-guess-scobbs-non-blog.html' title='Blogs of Note: I guess scobb&apos;s non-blog made it'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0x-_F8jtyJQ/RX2g0J55GuI/AAAAAAAAABg/JzVfDDWwjAo/s72-c/scobb1206f.jpg' height='72' width='72'/><thr:total>20</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-7634623167753084446</id><published>2006-12-11T11:59:00.000-05:00</published><updated>2006-12-11T12:14:13.768-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>More Secure Windows 
May Not Help: BusinessWeek makes a very good point</title><content type='html'>There's a nice &lt;a href="http://www.businessweek.com/ap/financialnews/D8LU61KG0.htm"&gt;article in Business Week&lt;/a&gt; that meshes with my view of computer security. Let me spell this out.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Microsoft is spending a lot of money right now to encourage people who use Windows to upgrade, for a fee, to a new version called Vista.&lt;/li&gt;&lt;li&gt;To justify the fee for the new version, Microsoft is talking a lot about how much more secure Vista is than previous versions of Windows.&lt;/li&gt;&lt;li&gt;All this talk may be creating an expectation that computer users will encounter fewer security problems in the future.&lt;/li&gt;&lt;li&gt;This expectation is probably false.&lt;/li&gt;&lt;/ol&gt;The only way to make computing significantly more secure than it is today? Raise the general standard of behavior of people on this planet.&lt;br /&gt;&lt;br /&gt;This may sound like a tall order--and it is--but the task is not insurmountable. Law and order can eventually replace lawlessness, e.g. the Wild West. Standards of behavior within any given geographic entity can be improved, e.g. reduced drinking and driving in UK/US/et al.&lt;br /&gt;&lt;br /&gt;Of course, these are changes that take decades to bring about. All the more reason to commit to the process now, rather than later.
Remember, technology cannot create security; the sooner people set aside dreams of security based on the false promise that it can, the sooner the root problem will be addressed, and the better the interim security strategy will be.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-7634623167753084446?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/7634623167753084446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=7634623167753084446' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7634623167753084446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/7634623167753084446'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/12/more-secure-windows-may-not-help.html' title='More Secure Windows May Not Help: BusinessWeek makes a very good point'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-2457984319948578179</id><published>2006-11-29T17:07:00.000-05:00</published><updated>2006-12-11T12:34:11.211-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information system security'/><category scheme='http://www.blogger.com/atom/ns#' term='information assurance'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category 
scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>What Are Security Breaches: Trousers they are not</title><content type='html'>Are you new to the world of computer security? If so, you might appreciate a little orientation lesson.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Computer security is about protecting information that is processed by computers, otherwise known as data, and the processes that use such data. This includes, for example, information about your bank account and how much money you have in it [data] and your ability to withdraw that money [process]. You want the data to be both secret and correct; and you want the process to work on demand. These are the three main pillars of computer security: confidentiality [secret]; integrity [correct]; availability [on demand].&lt;/li&gt;&lt;li&gt;Computer security can also be referred to as information system security, although technically an information system might include other elements besides just computers.&lt;/li&gt;&lt;li&gt;Information system security is a part, or subset, of information security [because information security includes stuff that is not on a computer, like a set of design drawings or company secrets whispered from one person to another].&lt;/li&gt;&lt;li&gt;Information security can also be referred to as information assurance.&lt;/li&gt;&lt;/ol&gt;Suppose you are a bank and you have procedures and mechanisms in place to prevent anyone but an account holder from finding out how much money is in an account. If someone defeats those procedures and mechanisms, the result is called a security breach, as in "my cannons have breached the walls of the city" and "Once more unto the breach, dear friends."&lt;br /&gt;&lt;br /&gt;Failure to prevent the breach may cost the bank money. The bank might be sued by the account holder. The bank may have to divert staff from normal duties to a review of records to determine the extent of the breach.
If the breach exposes confidential information about a lot of customers the bank might lose some existing customers who are angry about this, and the marketing dollars that the bank spends to attract new customers might not work for a while due to bad publicity.&lt;br /&gt;&lt;br /&gt;In my previous posting I cited a study that put a dollar amount "per record"  on the cost of security breaches. I think the number is higher than many businesses realize.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-2457984319948578179?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/2457984319948578179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=2457984319948578179' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2457984319948578179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/2457984319948578179'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/11/what-are-security-breaches-trousers.html' title='What Are Security Breaches: Trousers they are not'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-1342540905893420966</id><published>2006-11-15T16:42:00.000-05:00</published><updated>2006-11-15T16:59:59.006-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data 
privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='liability'/><category scheme='http://www.blogger.com/atom/ns#' term='ponemon institute'/><category scheme='http://www.blogger.com/atom/ns#' term='security costs'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><title type='text'>Rising Cost of Data Breaches: $182 per lost customer record</title><content type='html'>My hat is off to Larry for his study of security costs. In some ways this latest &lt;a href="http://searchsmb.techtarget.com/originalContent/0,289142,sid44_gci1230148,00.html?track=NL-382&amp;ad=569583&amp;amp;asrc=EM_NLN_740344&amp;amp;uid=629145"&gt;Ponemon Institute study&lt;/a&gt; is probably more indicative of the state of things than the annual CSI/FBI survey.&lt;br /&gt;&lt;br /&gt;If you are trying to get your company to do a better job of securing data, try multiplying the number of customer records your company processes/stores (CRP) times the cost of loss per record (CLR), and you might have a good starting point for budgeting a project to overhaul your current security (CRP x CLR = the hit to profits from any single incident in which CRP number of records are exposed).&lt;br /&gt;&lt;br /&gt;Larry puts the figure for CLR at $182. A breach exposing 10,000 records is thus a $1.82 million problem. Spend that amount on security upgrades and you arguably save an unknown number of exposures (there is nothing that says you won't get hit twice in one year, for example). Spend anything less than that and you are playing a high-stakes game of chance with your business and, if you are a C-level exec or board member, with your personal and professional liability.&lt;br /&gt;&lt;br /&gt;And don't let your managers fob you off with "these studies are just scare tactics."
Tell them I know Larry Ponemon and Larry Ponemon is no scaremonger.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-1342540905893420966?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/1342540905893420966/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=1342540905893420966' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1342540905893420966'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/1342540905893420966'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/11/rising-cost-of-data-breaches-182-per.html' title='Rising Cost of Data Breaches: $182 per lost customer record'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-53514428744748857</id><published>2006-11-10T12:57:00.000-05:00</published><updated>2006-11-10T13:11:46.742-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='election fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='sarasota'/><category scheme='http://www.blogger.com/atom/ns#' term='electronic voting'/><category scheme='http://www.blogger.com/atom/ns#' term='recount'/><title type='text'>Trust in Electronic Voting Eroding Faster Than Florida's Beaches</title><content type='html'>Yes folks, once again Florida leads the nation in eroding 
public trust in electronic voting systems. Check out &lt;a href="http://www.sun-herald.com/NewsArchive4/111006/tp2de2.htm?date=111006&amp;amp;story=tp2de2.htm"&gt;the story so far in Sarasota&lt;/a&gt;. Lots of familiar themes and players. Zero doubt in my mind that the books were cooked (based on 30 years of experience with fraud, audit, and computer security).&lt;br /&gt;&lt;br /&gt;In keeping with what &lt;a href="http://scobbrules.blogspot.com/2006/11/hacking-democracy-some-things-were-not.html"&gt;I have blogged elsewhere&lt;/a&gt;, I predict the public will never trust electronic voting as much as paper-and-pencil ballots. And rightly so. I've worked with computers in all manner of situations, from auditing oil companies with mainframes to building mission-critical networks and securing mobile devices. They work quite well for a lot of things but not everything. I just don't see how you can make a trustworthy voting system out of them. So why bother? What is there to be gained?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-53514428744748857?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/53514428744748857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=53514428744748857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/53514428744748857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/53514428744748857'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/11/trust-in-electronic-voting-eroding.html' title='Trust in Electronic Voting Eroding Faster Than Florida&apos;s Beaches'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-5627085017296132257</id><published>2006-11-06T15:02:00.000-05:00</published><updated>2006-11-08T13:26:39.960-05:00</updated><title type='text'>Save Millions on IT: Delay Vista Upgrade</title><content type='html'>Come on, IT people, this is a no-brainer. Don't upgrade to Vista yet, if ever. At least wait until Service Pack 1 has been released and tested (which I predict will be late 2007, early 2008). Here are five ways you save:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Fewer install hassles--let others learn the hard way and smooth it out for you.&lt;/li&gt;&lt;li&gt;Lower software costs--avoid premiums [and headaches] on new versions.&lt;/li&gt;&lt;li&gt;Reduced learning curve--if your users get Vista on their home PCs in the first half of 2007, they'll be training themselves.&lt;/li&gt;&lt;li&gt;Reduced learning costs--as Vista training becomes commoditized.&lt;/li&gt;&lt;li&gt;Hardware savings--the Vista delay (&gt;2 years) has created a &lt;a href="http://www.taipeitimes.com/News/biz/archives/2006/10/30/2003334072"&gt;huge hardware surplus&lt;/a&gt;.&lt;/li&gt;&lt;li&gt;Cut analyst bills--don't pay a dime to anyone who told you Vista was on track and early adoption was a good thing.&lt;/li&gt;&lt;/ol&gt;Twenty years of solid historical data show that the first version of Microsoft anything is:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;shipped far too late but much too soon,&lt;/li&gt;&lt;li&gt;more trouble than it's worth,&lt;/li&gt;&lt;li&gt;often followed by successive versions which actually deliver on the original promises.&lt;/li&gt;&lt;/ul&gt;Remember, ad campaigns to the contrary, Microsoft 
doesn't care about anyone's business but its own. Otherwise, it would not have acted in a way that is likely to cut $4 billion from PC sales this year. (Of course, I would also argue that any PC execs who believed Microsoft on delivery dates should be canned, sans parachute.)&lt;br /&gt;&lt;br /&gt;About the only redeeming qualities Microsoft can rightfully claim right now are the relative stability of XP and the massive philanthropy of its founder.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-5627085017296132257?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/5627085017296132257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=5627085017296132257' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5627085017296132257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/5627085017296132257'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/11/save-millions-on-it-delay-vista-upgrade.html' title='Save Millions on IT: Delay Vista Upgrade'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-115826305149522781</id><published>2006-09-14T15:30:00.000-04:00</published><updated>2006-11-05T15:15:44.714-05:00</updated><title type='text'>Wired on Top of Splogs</title><content 
type='html'>Correct me if I'm wrong, but Wired seems to be leading the discussion of splogs, those sick abuses of blogging that merely serve to line some sad maladjusted scammer's pockets.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wired.com/wired/archive/14.09/splogs.html"&gt;Spam + Blogs = Trouble&lt;/a&gt; by Charles C. Mann&lt;br /&gt;&lt;a href="http://www.wired.com/news/culture/0,1284,69380,00.html"&gt;How to Fight Those Surging Splogs&lt;/a&gt; by Nicole Lee&lt;br /&gt;&lt;br /&gt;Proof of another scobb rule:  &lt;a href="http://scobbrules.blogspot.com/2006/09/people-will-mess-up-every-new.html"&gt;People Will Mess Up Every New Technology for Profit&lt;/a&gt;. Of course, there will be counter-attacks as legitimate interests fight back. But don't you just wish humans as a whole were less greedy and just generally better behaved?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-115826305149522781?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/115826305149522781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=115826305149522781' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115826305149522781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115826305149522781'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/09/wired-on-top-of-splogs.html' title='Wired on Top of Splogs'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-115763842179401096</id><published>2006-09-07T09:47:00.000-04:00</published><updated>2006-11-05T15:15:44.647-05:00</updated><title type='text'>Risk displacement and hardware viruses</title><content type='html'>Check out this timely column from Adrian Kingsley-Hughes:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.zdnet.com/hardware/?p=88" rel="bookmark" title="Permalink"&gt;As Windows becomes harder to crack, could virus writers start to target hardware?&lt;/a&gt;&lt;span style="color: rgb(102, 0, 204);"&gt; "On August 25th, security firm Symantec engineers announced they had discovered a virus that leveraged a flaw in the AMD64 CPU. This virus, called W32/W64.Bounds, was capable of binding itself to Windows executables in such a way that made it hard to detect. However, it's now been shown that this virus doesn't have anything to do with AMD CPUs, but instead with the X86-64 instruction set itself. But could this be a sign of things to come?"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Anyone who has heard me talk about risk displacement will know my answer to his question: Yes.&lt;br /&gt;&lt;br /&gt;As you harden security in one area, softer areas will be targeted. Savvy security managers at large companies learned this in the nineties. As they began to install firewalls, most attackers moved on to target other, less protected networks. In fact, this phenomenon is at the heart of the Turntide anti-spam technology that I helped develop. We bet that spam software would not waste bandwidth trying to stuff spam into networks that appear incapable of accepting spam at a high rate of messages per second. We were right.&lt;br /&gt;&lt;br /&gt;And as Adrian points out in his column, widely deployed hardware is an attractive target for malware authors.
The first Microsoft Word virus did not show up until Word was the most widely used word processing application. Email viruses did not appear until email was widely used. So the big variable in the emergence of a hardware virus threat is the extent to which a "hard to crack" version of Windows is deployed.&lt;br /&gt;&lt;br /&gt;BTW, Adrian's web site is a gold mine of useful information about PC hardware and software, check it out at &lt;a href="http://www.pcdoctor-guide.com/wordpress/"&gt;http://www.pcdoctor-guide.com/wordpress/&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-115763842179401096?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115763842179401096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115763842179401096'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/09/risk-displacement-and-hardware-viruses.html' title='Risk displacement and hardware viruses'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-115696110128718660</id><published>2006-08-30T13:54:00.000-04:00</published><updated>2006-11-05T15:15:44.585-05:00</updated><title type='text'>No, I won't live and breathe your product!</title><content type='html'>Why do software makers think you want to live and breathe their product? More and more applications seem to think they are the only reason you bought your computer. Even drivers are getting this way. 
I have recently installed HP printer drivers that are more than 50 megabytes. They add photo viewing, image management, file transfer, and camera interfacing stuff that I don't want. They take over file associations. I bought the printer to print. Period. Am I the only person who just wants an HP printer to print? Or have I missed some lifestyle trend where printers are all about how I see the world and relate to it, digitally speaking?&lt;br /&gt;&lt;br /&gt;Apparently I am not the only person who has gotten ticked off...check out &lt;a href="http://simon.incutio.com/archive/2004/04/01/hpsux"&gt;Simon Willison's rant&lt;/a&gt; about the 170-megabyte HP driver. That was a while ago...it would be interesting to know if HP has reacted. It would sure be nice to have the option to go "basic driver only" during the install.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-115696110128718660?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115696110128718660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115696110128718660'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/08/no-i-wont-live-and-breathe-your.html' title='No, I won&apos;t live and breathe your product!'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-115309196280162863</id><published>2006-07-16T19:16:00.000-04:00</published><updated>2006-11-05T15:15:44.386-05:00</updated><title type='text'>New Microsoft Same 
as the Old Microsoft?</title><content type='html'>So Microsoft has spent years perfecting a means of patching holes in its flagship product--the Windows XP operating system--holes that had left XP-based computer systems vulnerable to various types of attack. When your computer is attacked you worry about a number of things, probably three. You don't want strangers accessing your private data (confidentiality). You don't want your documents messed up (integrity). And you don't want to be denied access to your documents or your system (availability).&lt;br /&gt;&lt;br /&gt;Well, it seems some recent XP patches are themselves attacking data integrity. I noticed this myself when I came downstairs one recent morning and found my laptop had rebooted itself. The cause of the reboot? The Windows Automatic Update. The effect? A bunch of typing and research was 'lost.' That's right, Windows had rebooted without saving the latest version of my documents (and Microsoft Word did not even offer to recover the work when I re-started it).&lt;br /&gt;&lt;br /&gt;I couldn't quite believe this, until I found other people had noticed the same thing. 
Blogger Tim Rains has a &lt;a href="http://blogs.msdn.com/tim_rains/archive/2004/11/15/257877.aspx"&gt;nice piece on this problem &lt;/a&gt;and what to do about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-115309196280162863?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115309196280162863'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115309196280162863'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/07/new-microsoft-same-as-old-microsoft.html' title='New Microsoft Same as the Old Microsoft?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-115214496071761977</id><published>2006-07-05T20:15:00.000-04:00</published><updated>2006-11-05T15:15:44.322-05:00</updated><title type='text'>Getting the Hang of This</title><content type='html'>So, maybe the point of a blog is to publish stuff that others will not. Like stuff that I have written but some editor somewhere decided was not worthy of publication. Here is an &lt;a href="http://cobb.com/articles/unpublishedremarks.html"&gt;example&lt;/a&gt;. 
Hopefully there will be time for more.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-115214496071761977?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115214496071761977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/115214496071761977'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/07/getting-hang-of-this.html' title='Getting the Hang of This'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-114368390378390809</id><published>2006-03-29T20:57:00.000-05:00</published><updated>2006-11-05T15:15:44.255-05:00</updated><title type='text'>Laptop Thefts, Spam, and More of Same</title><content type='html'>Sigh...Some computer security vulnerabilities are timeless:&lt;br /&gt;&lt;br /&gt;"Fidelity Investments last week disclosed that someone made off with a laptop containing the names, Social Security numbers and other information for 196,000 current and former Hewlett-Packard employees." &lt;a href="http://www.sci-tech-today.com/story.xhtml?story_id=12300DQE8S2O"&gt;Sci-Tech Today&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The reasons for stealing laptops may change, but laptops used by business people are, by definition, loaded with business information. Now it seems, owing to corporate stupidity, they are also loaded with large amounts of personal information about large numbers of persons. 
The fact that a company like Fidelity had the 401K details of almost 200,000 people sitting on a laptop (instead of on a server in a locked room) is disturbing but sadly not surprising. It is not the first time something like this has happened and we confidently predict it won't be the last. Here's an &lt;a href="http://cobb.com/help/art-notebooks.htm"&gt;article on the subject&lt;/a&gt; from 2000, ironically published in the HP Chronicle.&lt;br /&gt;&lt;br /&gt;As for newer vulnerabilities, there is a pretty good blog put out by &lt;a href="http://sunbeltblog.blogspot.com/"&gt;Sunbelt&lt;/a&gt;, a Florida software company. It has some interesting stories about IE, eBay accounts for sale, and bots that might be used for more than spam (which has not gone away the way that &lt;a href="http://cobb.com/spam/index.html"&gt;Mr. Gates predicted&lt;/a&gt;--although this should come as no surprise, given that every major product in the history of Microsoft has been &lt;a href="http://arstechnica.com/news.ars/post/20060321-6433.html"&gt;late&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-114368390378390809?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/114368390378390809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/114368390378390809'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/03/laptop-thefts-spam-and-more-of-same.html' title='Laptop Thefts, Spam, and More of Same'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-113829764233549789</id><published>2006-01-26T12:26:00.000-05:00</published><updated>2006-11-05T15:15:44.193-05:00</updated><title type='text'>Just in Time: Doom &amp; Gloom for Oh Six</title><content type='html'>Wow, amazing how fast three months can pass. Here we are, late in January of 'oh six,' and I haven't even issued my annual proclamation about the state of the Internet and e-commerce. However, given my last posting, and my &lt;a href="http://cobb.com/news/"&gt;annual predictions in prior years&lt;/a&gt;, it probably comes as no surprise that I am not optimistic. Indeed, I can't remember the last time I was optimistic about the outlook for the Internet, maybe it was in the mid-to-late nineties, when I seem to recall a brief lull in virus outbreaks, very little spam or spyware, no phishing and no "for-profit" worms.&lt;br /&gt;&lt;br /&gt;Alas, things have gone downhill since then. Sure, I use the Internet for a lot of things and find it incredibly useful. But I do so with trepidation, fully armed with paranoia and a variety of defensive mechanisms. My feeling today is that the incredible usefulness of the Internet is still, for a significant slice of the population, outweighed by the risks. My predictions for 2006? More large-scale privacy breaches, more articles about how some folks are turning away from the Internet, and yet more involvement by organized crime in acts of phishing, worming, and Internet fraud.&lt;br /&gt;&lt;br /&gt;Oh, and the usual hand-wringing by countless boards and other bodies set up to "do something about this." Remember folks, we are less than &lt;a href="http://cobb.com/spam/index.html"&gt;four days away from solving spam&lt;/a&gt;, as predicted by Mr. 
Gates.*&lt;br /&gt;&lt;br /&gt;Happy New Year!&lt;br /&gt;&lt;br /&gt;Stephen&lt;br /&gt;&lt;br /&gt;*Note, for all the things he has done wrong, like break the Sherman Antitrust law, and his failures, like not making Ctrl-Tab work the same in all Microsoft Office applications, I still have to confess immense admiration for Mr. Gates's approach to philanthropy. If only more CEOs, such as those in the drug industry and the petroleum industry, would give of their wealth the way that he has, kids today might not find it so hard to be unselfish.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-113829764233549789?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/113829764233549789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=113829764233549789' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/113829764233549789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/113829764233549789'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2006/01/just-in-time-doom-gloom-for-oh-six.html' title='Just in Time: Doom &amp; Gloom for Oh Six'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-113085477628306477</id><published>2005-10-30T09:52:00.000-05:00</published><updated>2007-05-12T20:53:28.158-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Web Threats Do Keep Users Away</title><content type='html'>According to Matt Hines, reporting a study by Consumer Reports WebWatch in eWeek on October 26, "U.S. Internet users are cutting back on the hours they spend online, shunning e-commerce and refusing to give out personal information as a result of the rising tide of Web-based crimes related to identity theft...As a result of those concerns, at least 30 percent of the 1,500 people interviewed for the survey said they have reduced the amount of time they access the Internet." See &lt;a href="http://www.eweek.com/article2/0,1895,1877846,00.asp"&gt;Web Threats Keep Users Away&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And we are not surprised. We have predicted this for several years, and will go on predicting it until there is a major improvement in standards of conduct on the Internet. 
Of course, that is unlikely to happen unless there is an improvement in standards of conduct in society in general, which is unlikely to happen while so many public figures continue to act in such a shameless way (think &lt;a href="http://www.cnn.com/2005/US/03/04/stewart.release/index.html"&gt;Martha Stewart&lt;/a&gt;, &lt;a href="http://home.millsaps.edu/mcelvrs/Ebbers-Scrushy-AJC-7-4-05.htm"&gt;Richard Scrushy&lt;/a&gt;, &lt;a href="http://www.forbes.com/home/management/2005/03/15/cx_da_0315ebbersguilty.html"&gt;Bernie Ebbers&lt;/a&gt;, the &lt;a href="http://money.cnn.com/2004/07/08/news/midcaps/adelphia_verdict/"&gt;Rigas&lt;/a&gt;,  &lt;a href="http://www.cbsnews.com/stories/2005/06/17/national/main702747.shtml"&gt;Dennis Kozlowski and Mark Swartz&lt;/a&gt;, &lt;a href="http://www.recordonline.com/archive/2006/01/22/business-enrontrial-01-22.html"&gt;sixteen Enron executives&lt;/a&gt; and counting). It's not just the crimes these people have committed, it's the way so many of them have tried to shrug off their misdeeds, or deflect punishment by professions of faith, or cheerfully gone on with their lives, with no apology to the millions of people whose lives they damaged.&lt;br /&gt;&lt;br /&gt;Anyone who thinks this behaviour has no effect on the moral standards of today's children, who are the Internet miscreants of tomorrow, probably hasn't tried raising kids recently.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-113085477628306477?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/113085477628306477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=113085477628306477' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13370348/posts/default/113085477628306477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/113085477628306477'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/10/web-threats-do-keep-users-away.html' title='Web Threats Do Keep Users Away'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-113017112091732130</id><published>2005-10-24T12:24:00.000-04:00</published><updated>2006-11-05T15:15:44.064-05:00</updated><title type='text'>An "Activist Judge" Gets Security Right</title><content type='html'>I don't know if U.S. District Judge Royce Lamberth fits the current definition of "activist judge" but he recently acted in what I consider to be an admirable way by pro-actively preventing computer security problems. On October 20 he ordered the U.S. Interior Department "&lt;a href="http://sfgate.com/cgi-bin/article.cgi?file=/n/a/2005/10/20/national/w145958D47.DTL"&gt;to disconnect from the Internet&lt;/a&gt; all computer equipment holding data related to trust accounts it manages for American Indians, a decision that could cripple large sections of the agency's computer network."&lt;br /&gt;&lt;br /&gt;While this is only the latest in a long saga of actions and responses between Judge Lamberth and the Interior Department, it is a timely reminder of what life would be like if networks were not allowed to be connected to the Internet unless they could prove, to the satisfaction of independent experts, that they were secure. 
In the latest security review "investigators testified they would give the department's computer security an 'F' grade or "one notch lower than an 'F' ... a 'G.'"&lt;br /&gt;&lt;br /&gt;But that is not the most alarming fact in this story. The failing grade came after the department had spent $100 million on security improvements.&lt;br /&gt;&lt;br /&gt;And for those who think government agencies are, by their nature, wasteful and incompetent, I am willing to bet there are Fortune 500 companies out there that would fail the same test.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-113017112091732130?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/113017112091732130/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=113017112091732130' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/113017112091732130'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/113017112091732130'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/10/activist-judge-gets-security-right.html' title='An &quot;Activist Judge&quot; Gets Security Right'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112864549017177294</id><published>2005-10-06T20:30:00.000-04:00</published><updated>2006-11-05T15:15:43.995-05:00</updated><title type='text'>Dataflation Column Published</title><content type='html'>Okay, I took two months off (that's why I called it a non-blog).&lt;br /&gt;&lt;br /&gt;Finally, Information Security Magazine published my column on dataflation (in the Perspectives column in the October 2005 issue). An expanded version is also available &lt;a href="http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1121599,00.html?track=NL-358&amp;amp;ad=530198USCA"&gt;online here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Hopefully it will spark some debate about how we cope with the steady unravelling of our secrets and the security they provide.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112864549017177294?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112864549017177294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112864549017177294' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112864549017177294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112864549017177294'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/10/dataflation-column-published.html' title='Dataflation Column Published'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112293345192932020</id><published>2005-08-01T17:50:00.000-04:00</published><updated>2006-11-05T15:15:43.928-05:00</updated><title type='text'>Holey Internet, Michael Lynn and Cisco</title><content type='html'>&lt;p class="timestamp"&gt;I think this story will prove significant in the long run:&lt;br /&gt;&lt;/p&gt;    &lt;p&gt;LAS VEGAS -- 02:00 AM Aug. 01, 2005 PT -- Security researcher Mike Lynn roiled the Black Hat conference Wednesday when he resigned from his job at Internet Security Systems to deliver a talk about a serious vulnerability in Cisco IOS, the operating system powering its routers, defying efforts by the router manufacturer and his former employer to block the presentation. &lt;a href="http://www.wired.com/news/privacy/0,1848,68365,00.html"&gt;Wired&lt;/a&gt;&lt;br /&gt;&lt;/p&gt; Commentary on the incident in Network World &lt;a href="http://www.networkworld.com/columnists/2005/080105backspin.html"&gt;is here&lt;/a&gt; and includes some of my opinions. More of my comments are &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1111873,00.html"&gt;reported here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have used &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951448,00.html"&gt;dire words&lt;/a&gt; before and I stand by them. 
Check out our &lt;a href="http://www.newsscan.com/cgi-bin/findit_view?table=newsletter&amp;amp;dateissued=20030131#7585"&gt;column from  January, 2003&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112293345192932020?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112293345192932020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112293345192932020' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112293345192932020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112293345192932020'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/08/holey-internet-michael-lynn-and-cisco.html' title='Holey Internet, Michael Lynn and Cisco'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112282219961893755</id><published>2005-07-31T10:18:00.000-04:00</published><updated>2006-11-05T15:15:43.865-05:00</updated><title type='text'>U2, Amsterdam, Smart Cards, and Dataflation</title><content type='html'>I blame the long gap between posts on U2. 
A trip to see the band in concert, in Amsterdam, was my present to my wife on her birthday this year.&lt;br /&gt;&lt;br /&gt;(Marital Bliss Tip #39: To experience "multiple gratitude" give your partner a trip for his or her birthday and get four stages of pleasure: one, the gift giving day; two, the days between the giving of the gift and the taking of the trip; three, the trip itself; four, the after-glow of telling other people about the trip when you get back).&lt;br /&gt;&lt;br /&gt;We thought Amsterdam was a very cool city, even though they were experiencing something of a heat wave. Talk about a civilized, tolerant place! I'm not just talking about a sensible attitude to public transportation, herbal remedies, ethnic diversity, and sexual orientation. You can take your dog most places, smoke tobacco if you feel like it, and get a good cup of coffee on just about every street. And you can use smartcards (&lt;a href="http://en.wikipedia.org/wiki/Smartcard"&gt;read this&lt;/a&gt; if you are not sure what they are).&lt;br /&gt;&lt;br /&gt;When you land at Amsterdam airport you can buy a smartcard with which you can then purchase train tickets to get into the city (a very easy and inexpensive way to make the journey). Then buy soft drinks at the station store, tram tickets to travel around the city, and so on. No need for bank notes and coins. When we got to the Amsterdam Arena for the concert we found that all the vendors there took Arena smartcards. Buy one and you can get beer or ice cream or whatever else in a flash. For example, the beer vendors (who stroll through the crowd wearing a keg in a backpack) can squirt you out a glass of beer while you pay by inserting card, hitting Ja, and removing card. No hassle with change means a much more efficient liquid refreshment delivery system.&lt;br /&gt;&lt;br /&gt;So, the coolest smartcard has to be the specially minted U2 Vertigo Tour Smartcard that we bought that evening at The Arena. 
It will go into the commemorative picture frame, along with the tickets and the blurry cell-phone photos of the massive stage with the tiny stick figures of Bono and Edge blown up on the giant projection screen.&lt;br /&gt;&lt;br /&gt;But what does this have to do with dataflation? Well, the trip did not prevent me from polishing off a column on the topic that should appear in an upcoming print issue of &lt;a href="http://informationsecurity.techtarget.com/"&gt;Information Security Magazine&lt;/a&gt;. There may also be an expanded online version where I go further into the practical and legal implications for ID theft victims.&lt;br /&gt;&lt;br /&gt;And the widespread use of smartcards reminded me that deploying new data infrastructures is possible. Which means that, if someone comes up with a way to rein in dataflation that requires a new data infrastructure, opponents won't be able to use that requirement as an excuse not to implement it.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112282219961893755?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112282219961893755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112282219961893755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112282219961893755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112282219961893755'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/07/u2-amsterdam-smart-cards-and.html' title='U2, Amsterdam, Smart Cards, and Dataflation'/><author><name>Stephen 
Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112040635923877737</id><published>2005-07-03T11:52:00.000-04:00</published><updated>2006-11-05T15:15:43.796-05:00</updated><title type='text'>Dataflation Defined</title><content type='html'>I came up with the term &lt;span style="font-weight: bold;"&gt;dataflation&lt;/span&gt; to describe an emerging phenomenon, one that could have some fairly serious implications for the future of many things (e-commerce and personal security to name a few). As the inventor of this term, I reserve the right to tweak the definition at some later date, but here is my first stab at it:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Dataflation: the tendency of data to rapidly lose value due to factors such as large-scale unauthorized access, excessive abuse and loss of confidentiality.&lt;/li&gt; &lt;/ul&gt; I do not claim to understand all of the implications of dataflation, I don't think anyone can at this stage. But dataflation is real and it is going to cause problems. Consider the fact that, in the first six months of 2005, the media has reported the exposure of 66 million personal data records belonging to Americans. (I have &lt;a href="http://www.cobb.com/help/art-dataflation.htm"&gt;listed the cases here&lt;/a&gt;.) According to the 2000 census there are 210 million Americans age 18 or older. Given the big security breaches that occurred in 2004, it is possible that data relating to one in three American adults is now "out there," meaning it is available to be abused.&lt;br /&gt;&lt;br /&gt;This is personal data that cannot easily be sucked back or reflated. 
To paraphrase the definition of inflation, we are talking about a persistent increase in the open availability of previously confidential consumer data or a persistent decline in the value of that data, caused by an inability to adequately control unauthorized access.&lt;br /&gt;&lt;br /&gt;You cannot change your date of birth or your mother's maiden name. Your Social Security number is hard to change. Moving to a new address is a pain. Changing banks or switching jobs is not always practical. Yet these are the pieces of information out of which an identity thief can fashion your likeness so as to incur debts and acquire goods and services in your name.&lt;br /&gt;&lt;br /&gt;And what if that happens? The personal cost can be enormous. Even if you can avoid paying fraudulent debts, the amount of time and stress it costs you can take a heavy personal toll. So who will pay that toll? The company that exposed your data? I don't think so. For a start, how are you going to prove that an identity thief got your data from Company A versus Company B? The first company that finds itself facing negligence claims pertaining to the exposure of your data will defend itself with the very fact of dataflation, i.e. tens of millions of records were compromised by dozens of companies in the first six months of 2005 alone.&lt;br /&gt;&lt;br /&gt;Ironically, the aggregation of industry-wide gross negligence means that for John Doe to pin the blame on the donkeys that were supposed to be protecting his data is now an all but impossible task, unless he can get a signed confession from the identity thief himself that says, "Yes, I got Mr. Doe's data from a Citigroup computer tape that I stole from a UPS truck."&lt;br /&gt;&lt;br /&gt;Do you see what I'm saying? There is a one in three chance your data is out there already. I'd say there is a 50/50 chance that basic personal data on half of all Americans will have been exposed by the end of the year. 
At that rate everyone's data is going to be compromised within a frighteningly short span of time.&lt;br /&gt;&lt;br /&gt;There are plenty of studies that show the rampant insecurity of personal data is holding back the growth of e-commerce. One indication of dataflation is that growth in electronic trust and e-commerce cannot happen without more and more personal data. More user names, more passwords, more secret questions and answers, more unique identifiers. But at the current rate of data exposure, electronic trust will continue to decline as dataflation increases. That, along with all the fraudulent charge write-offs, could hurt the economy just as much as traditional monetary inflation.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112040635923877737?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112040635923877737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112040635923877737' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112040635923877737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112040635923877737'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/07/dataflation-defined.html' title='Dataflation Defined'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112034441445813411</id><published>2005-07-02T11:28:00.000-04:00</published><updated>2006-11-05T15:15:43.738-05:00</updated><title type='text'>IBM v. MSFT, Good News At Last?</title><content type='html'>We interrupt a series of postings about the abysmal state of affairs in the world of information security to bring you this heartening bulletin: Convicted monopolist Microsoft must pay IBM almost $800 million "&lt;a href="http://www.mercurynews.com/mld/mercurynews/12041289.htm"&gt;to resolve claims it bullied the big computer maker during the 1990s&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;It is good to see justice meted out in a manner that Microsoft might understand, cash leaving its bank accounts. I am particularly pleased because Microsoft has never, to my knowledge, apologized to us poor sods who lost money in the fruitless struggle to make non-Microsoft applications run on a Microsoft OS that we later learned was intentionally rigged to foil us.&lt;br /&gt;&lt;br /&gt;But consider the words: "resolve claims it bullied the big computer maker." This is how John Boudreau of the Mercury News described the news, and he is one of the better hi-tech journalists. Yet I'm tempted to take issue with the word "claims." After all, Microsoft was found guilty. Microsoft bullied other companies. 
That's a fact, not a claim.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112034441445813411?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112034441445813411/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112034441445813411' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112034441445813411'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112034441445813411'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/07/ibm-v-msft-good-news-at-last.html' title='IBM v. MSFT, Good News At Last?'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-112031692300354256</id><published>2005-07-02T09:51:00.000-04:00</published><updated>2006-11-05T15:15:43.675-05:00</updated><title type='text'>The Solid Insider Threat</title><content type='html'>I just got back from Nebraska and man are my arms tired (sorry, very old joke) but seriously, my brain did get tired. I took a very challenging creative writing course on the campus of the University of Nebraska at Lincoln. 
There will be more about &lt;a href="http://www.unl.edu/nsw/workshops.htm#weeklong3"&gt;the course&lt;/a&gt;, and &lt;a href="http://www.unl.edu"&gt;the campus&lt;/a&gt;, in a later post...&lt;br /&gt;&lt;br /&gt;Right now I'm going to have to talk about the latest round of data/ID theft/abuse. Seems like the year I decided to step back from the privacy/security/fraud beat that has been my life for the last 25 years, boom! The world has woken up to just how big a mess its data are in. Consider a couple of recent articles that awaited my return from the prairie.&lt;br /&gt;&lt;br /&gt;First, a useful reminder from Paul Nowell of the AP, that &lt;a href="http://www.miami.com/mld/miamiherald/business/national/12025321.htm"&gt;insiders at data-rich companies are a major threat&lt;/a&gt; to privacy. This was very timely and Paul talked to some good people, including the man who should be this nation's IT-czar, &lt;a href="http://www.csl.sri.com/users/neumann/neumann.html"&gt;&lt;span class="body-content"&gt;Peter G. Neumann&lt;/span&gt;&lt;/a&gt;. Nowell also talked to a&lt;span class="body-content"&gt; vice president of marketing at San Francisco-based &lt;a href="http://www.vontu.com/default.asp"&gt;Vontu&lt;/a&gt;, a firm specializing in data loss prevention. Now, I don't know Vontu or the man in question, Steve Roop, but he got it right when he said &lt;/span&gt;&lt;span class="body-content"&gt;"About 70 to 80 percent of the risk is from insiders, although not all of them are malicious&lt;/span&gt;..."&lt;br /&gt;&lt;br /&gt;This had been the received wisdom about risks to information security for decades until, during the last five years or so, more and more people who were surveyed ranked outsiders, notably outside attackers using the Internet, as being more serious. Big mistake! 
There's no way--having read and understood the history of how humans abuse trust, technology, and information--you can believe the outsider is more of a threat to the security of your information than the insider. Sure, it might seem that way when you're trying to stop a bunch of zombies from DDoS'ing your web farm into submission, or you're trying to rid your network of some particular nasty virus. But the trusted employee who turns heel and walks across the street to the competition with an SD card full of your customer data in his shoe, that's still the biggest threat, partly because it is the toughest to mitigate.&lt;br /&gt;&lt;br /&gt;And let's not forget 'the number of people surveyed' factor. If you ask 250 people who work in computer security to name the biggest threat to that security, what you get is an opinion, not a fact. Like I say, those folks may sure as heck feel more pain from outsiders. But them thinking it is so does not make it so. Furthermore, computer security is not information security, as the award-winning Chief Security Officer of Choicepoint has hopefully learned by now. 
I will make that point in my next post, tackling the IRS, Choicepoint and something I call data-flation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-112031692300354256?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/112031692300354256/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=112031692300354256' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112031692300354256'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/112031692300354256'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/07/solid-insider-threat.html' title='The Solid Insider Threat'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-111835662757490415</id><published>2005-06-09T18:34:00.000-04:00</published><updated>2006-11-05T15:15:43.615-05:00</updated><title type='text'>Not As Reassuring As They Might Think</title><content type='html'>So now we hear &lt;a href="http://www.enterprisestorageforum.com/continuity/news/article.php/3510481"&gt;CitiFinancial is dropping backup tapes after data loss&lt;/a&gt;. 
Perhaps they're thinking that this announcement, together with the repeated statement that it was UPS that lost the tapes, will somehow show they care: "CitiFinancial plans to begin encrypting data and sending it to credit bureaus electronically after data tapes containing the personal information of 3.9 million customers were lost by UPS." This report actually does three things.&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Confirms that the lost tapes were not encrypted. &lt;/li&gt;   &lt;li&gt;Confirms that Citi knows that the data really should have been encrypted in the first place. &lt;/li&gt;   &lt;li&gt;Suggests that sending the data electronically is somehow safer than using a courier.&lt;br /&gt;  &lt;/li&gt; &lt;/ol&gt; Try telling #3 to U.S. spy agencies that routinely use couriers versus networks for really sensitive data transfers. And don't forget that one of the largest holders of data about you, dear reader, has suffered several "losses" despite using electronic transfer instead of tapes:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;&lt;a href="http://www.theregister.co.uk/2004/07/22/acxiom_hack_charges/"&gt;Huge Acxiom personal data theft&lt;/a&gt;&lt;/li&gt;   &lt;li&gt;&lt;a href="http://www.theregister.co.uk/2003/12/21/chats_led_to_acxiom_hacker/"&gt;Acxiom leaked personal data for over two years&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt; And don't miss the really scary part of Citi's statement: "We and other lenders provide this information each month to credit bureaus...via nationally recognized couriers and require them to use enhanced security procedures to transport the tapes from our data center to the bureaus."&lt;br /&gt;&lt;br /&gt;So, like I said in my last posting, large numbers of unencrypted tapes full of your financial details have been flying around the country for years. 
Untold numbers have likely gone missing; after all, if this were an isolated incident, Citi would be the first to defend their practice of using UPS by saying "This is the first time this has ever happened." It is only the new notification laws that are finally shedding light on this sad state of affairs.&lt;br /&gt;&lt;br /&gt;Stephen&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-111835662757490415?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/111835662757490415/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=111835662757490415' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111835662757490415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111835662757490415'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/06/not-as-reassuring-as-they-might-think.html' title='Not As Reassuring As They Might Think'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-111828495246288573</id><published>2005-06-06T22:27:00.000-04:00</published><updated>2006-11-05T15:15:43.556-05:00</updated><title 
type='text'>3 Things (The Cool and The Crap)</title><content type='html'>Middle Aged White Guys have a reputation for complaining about things and I'm no exception. Ask me to name 3 things that suck and I would have no problem naming 9:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Credit scores&lt;/li&gt;   &lt;li&gt;The Dish Network 921 DVR&lt;/li&gt;   &lt;li&gt;The AC system on 1996 Jeep Grand Cherokees&lt;/li&gt;   &lt;li&gt;The Windows OS&lt;/li&gt;   &lt;li&gt;Prescription drug prices&lt;/li&gt;   &lt;li&gt;Prescription drug advertisements&lt;/li&gt;   &lt;li&gt;Prescription drug profits&lt;/li&gt;   &lt;li&gt;Ratio of drug company research dollars to advertising dollars&lt;/li&gt;   &lt;li&gt;Banks&lt;/li&gt; &lt;/ol&gt; I hope to complain at length about these subjects, and more, in future posts. However, by the time one gets to Middle Age it is clear that doing nothing but complain is not healthy, so here are 3 products that I have found to be very cool, meaning, in this case, they manage to work very well while breaking new ground:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Treo 600 and 650 (the photo in the upper right of this page was taken with a Treo 600)&lt;/li&gt;   &lt;li&gt;Apple iPod (the real ones--not the Shuffles--make CD players seem so limited)&lt;/li&gt;   &lt;li&gt;Firefox web browser (tabbed browsing's now the only way for me to work the web)&lt;br /&gt;&lt;/li&gt; &lt;/ol&gt; Note: I am not employed by any of the makers of the above products. 
Come to think of it, I'm not employed by anyone but myself.&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-111828495246288573?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/111828495246288573/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=111828495246288573' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111828495246288573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111828495246288573'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/06/3-things-cool-and-crap.html' title='3 Things (The Cool and The Crap)'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13370348.post-111811069509560147</id><published>2005-06-06T21:50:00.000-04:00</published><updated>2007-05-12T20:55:48.424-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><title type='text'>Reasons to Believe</title><content type='html'>This week we 'welcome' &lt;a href="http://www.wired.com/news/privacy/0,1848,67766,00.html?tw=wn_tophead_4"&gt;a division of Citigroup to the ranks&lt;/a&gt; of major companies that have fessed up this year to 'losing' customer data (i.e. 
allowing copies of data about people--such as their names, addresses, phone numbers, Social Security numbers and other information that could be used to rip them off--to go missing).&lt;br /&gt;&lt;br /&gt;This particular data, covering 3.9 million people, was on tapes being shipped via UPS. Citigroup said the tapes were lost by UPS Inc. "in transit to a credit bureau." So, three things to note:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Misplacing data is nothing new--it's been happening for years--but the public has rarely heard about it before now. The fact that they are hearing about it now is mainly due to California's groundbreaking &lt;a href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html"&gt;SB1386 notification law&lt;/a&gt;. &lt;/li&gt;   &lt;li&gt;Misplacing data tapes should not be a problem. All data tapes that leave the secure environment of the data center should be encrypted by default. That so many big companies are apparently shipping unencrypted tapes via ordinary shipping services is a disgrace, and definitely a failure to meet a reasonable standard of due care.&lt;/li&gt;   &lt;li&gt;Until one of these companies gets sued big time, this needless exposure of consumers to the risk of identity theft will continue.&lt;br /&gt;&lt;/li&gt; &lt;/ol&gt; Of course, in this case, as in others, the company was quick to say, "We have no reason to believe that this information has been used inappropriately." This sort of statement never fails to make me smile. Why? Think about it. A company that is so clueless about the value of customer data it hands millions of unencrypted records to a random delivery person is now claiming to be able to detect inappropriate use of said data. Yeah right.&lt;br /&gt;&lt;br /&gt;The reality is that IT has delivered massive gains in productivity and profits over the last ten years. 
The nature of businesses and humans is that the true cost of achieving these gains lags behind the gain curve. It is time for corporate America to accept that data about customers requires way more protection than it has so far been afforded. Smart companies will maintain their edge by increasing security in smart ways. It doesn't have to cost the earth, but it does cost, therefore some will cut corners and lose customers (if I had a Citi account right now I'd be closing it).&lt;br /&gt;&lt;br /&gt;Stephen&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13370348-111811069509560147?l=scobbs.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://scobbs.blogspot.com/feeds/111811069509560147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13370348&amp;postID=111811069509560147' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111811069509560147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13370348/posts/default/111811069509560147'/><link rel='alternate' type='text/html' href='http://scobbs.blogspot.com/2005/06/reasons-to-believe.html' title='Reasons to Believe'/><author><name>Stephen Cobb</name><uri>http://www.blogger.com/profile/04204736531276318817</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://2.bp.blogspot.com/-UANR57AKWgg/TodFiT3jUcI/AAAAAAAABKg/H6iV4ZYGSno/s220/scobb-eset-lab-sq300.jpg'/></author><thr:total>0</thr:total></entry></feed>
