Sunday, February 21, 2010

Dumb and Dumber: School district spying, assisted burglary

This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.

First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).

So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to hand out 2,300 Apple laptops with built in cameras).

This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? A snapshot taken remotely by one of those laptops with a built in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the beam in thine eye versus the mote in mine. Here's more of what has been reported:
The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop. Harriton High School student Blake Robbins claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike & Ike candies, which he said the school mistook for illegal pills.
Just how inappropriate was the assistant principal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused.

The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must be deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.

In the case of Lower Merion School District the abuse was to invade the student's privacy and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal to sign off on the activation after documented evidence of theft).
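As an added illustration of the control described above (this is example code written for this post, not the school district's software), the gate below refuses to activate remote viewing of a device unless a documented theft report exists, two distinct teachers have approved, and the principal has signed off, and it writes every approval and decision to an audit trail so that misuse can be detected afterwards. The staff names, roles, ticket identifiers and the two-teacher threshold are assumptions constructed for the example.

```python
"""Multi-party approval gate for a remote device-viewing capability.

Constructed example: models the post's proposed control (documented theft
report + two distinct teachers + principal) with an audit trail. Staff ids,
roles and report ids are made up for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REQUIRED_TEACHER_APPROVALS = 2   # assumption: the post's "two teachers"


@dataclass
class Staff:
    user_id: str
    role: str   # "teacher" or "principal" (constructed role names)


@dataclass
class ActivationRequest:
    device_id: str
    theft_report_id: Optional[str]
    teacher_approvals: Set[str] = field(default_factory=set)   # set: one teacher counts once
    principal_approval: Optional[str] = None


class RemoteViewPolicy:
    def __init__(self, staff: Dict[str, Staff], theft_reports: Set[str]):
        self.staff = staff
        self.theft_reports = theft_reports   # ids of documented theft reports on file
        self.audit: List[str] = []           # append-only record of every action

    def approve(self, req: ActivationRequest, user_id: str) -> None:
        """Record an approval; unknown users and unknown roles are rejected and logged."""
        person = self.staff.get(user_id)
        if person is None:
            self.audit.append(f"REJECT approval of {req.device_id} by unknown user {user_id}")
            return
        if person.role == "teacher":
            req.teacher_approvals.add(user_id)
        elif person.role == "principal":
            req.principal_approval = user_id
        else:
            self.audit.append(f"REJECT approval of {req.device_id}: role {person.role} cannot approve")
            return
        self.audit.append(f"APPROVE {req.device_id} by {user_id} ({person.role})")

    def may_activate(self, req: ActivationRequest) -> bool:
        """Decide whether remote viewing may be switched on; every decision is audited."""
        reasons = []
        if req.theft_report_id not in self.theft_reports:
            reasons.append("no documented theft report")
        if len(req.teacher_approvals) < REQUIRED_TEACHER_APPROVALS:
            reasons.append(f"only {len(req.teacher_approvals)} distinct teacher approval(s)")
        if req.principal_approval is None:
            reasons.append("no principal approval")
        decision = "DENY" if reasons else "ALLOW"
        self.audit.append(f"{decision} {req.device_id}: " + ("; ".join(reasons) or "all controls satisfied"))
        return not reasons


def demo() -> List[str]:
    """Walk one request through the gate and return the audit trail."""
    staff = {"t1": Staff("t1", "teacher"), "t2": Staff("t2", "teacher"), "p1": Staff("p1", "principal")}
    policy = RemoteViewPolicy(staff, theft_reports={"THEFT-0001"})
    req = ActivationRequest("laptop-42", "THEFT-0001")
    policy.approve(req, "t1")
    policy.approve(req, "t1")          # same teacher twice still counts as one
    policy.approve(req, "p1")
    policy.may_activate(req)           # denied: only one distinct teacher
    policy.approve(req, "t2")
    policy.may_activate(req)           # allowed
    return policy.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that no single person, and no pair of people in the same role, can switch the capability on, and that a request with no theft report on file is refused before anyone's approval is even counted.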

Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention FBI involvement, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.

So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. Some people in the Netherlands created a web site called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!").

Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. Do you feel lucky?

I will pick up the CAFE cycle next post.

Saturday, February 06, 2010

Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats

I have written this post/article/paper because I see a pattern of human behavior, the understanding of which may have some potential to improve the security of data and data subjects in the virtual world, as well as the security of persons and property in the real world. Because my thoughts about this pattern came together while I was in my favorite coffee shop, I coined the term “CAFE cycle” to describe a cycle of behavior that goes like this:
Cause-Action-Frustration-Exposure/Extremism
I will describe the cycle in generic terms then present two examples. Generically, a person becomes motivated by a Cause and takes Action to achieve the goal of that cause. Frustrated by failure to achieve the goal through legal means, the person takes illegal action, exposing him or her to three potentially problematic experiences: illicit thrills, illegal gains, and group membership. Continued failure to achieve the goal leads the person to pursue extreme forms of these experiences until they become an end in their own right, an Extremism that supplants the original Cause for Action, essentially rendering it irrelevant.

For a basic example consider an adolescent male who wants to learn, through direct experience, the workings of large computer networks. He exhausts the limited avenues of legal access to a large network and so he makes repeated attempts to gain unauthorized access, breaking the law as he does so.

Thursday, February 04, 2010

2 Security Tips: David Kennedy and the Symantec Threat Forecast 2010 Webinar Recording

Just a quick post to point to the archived version of the Symantec MessageLabs Threat Forecast 2010 Webinar/webcast that I mentioned in my previous post: A Good Way to Start the Year. Definitely worth watching.

Also worth watching as we make our way forward into a fresh decade of information system security challenges, are the updates from David Kennedy. You can catch them on FriendFeed and for me they are just the right mix of security alert. Not too granular, but most likely to include the stuff you don't want to miss. David's been at this a long time and has become wise in the ways of the security world (for a short time in the mid-nineties we were co-workers at NCSA, later ISCA Labs and TruSecure). You can also catch David's blog at Verizon Business.

Friday, January 15, 2010

Symantec Threat Forecast 2010 Webinar: A Good Way to Start the Year

Okay, so the year has already started, but how many hours have you spent pondering your information security strategy for 2010? If the answer is zero, then there's a webinar on January 19 you should sign up for here. If your answer was greater than zero then: a. Good for you, seriously! b. Ask yourself if you could use some well-informed speculation about what is coming down the pike in 2010, threat-wise, seriously. Consider:
"With compromised computers issuing 83% of the 107 billion spam messages distributed globally each day, the shutdown of botnet hosting ISPs, such as McColo in 2008 and Real Host in 2009, appear to have made botnets re-evaluate and enhance their backup strategy to enable recovery in just hours.

"It is predicted that in 2010 botnets will become autonomously intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival."
Source: MessageLabs Intelligence 2009 Annual Security Report

Not that all the threats to your data in 2010 are botnets, far from it, but the continued rise of botnets puts pressure on all levels of security, from end points to servers and even analog attack points like employee compromise. In 2010 we will continue to experience the knock-on effects of the marketization of compromised systems and personal data that can pry open system access. Register for the webinar now and you can get the MessageLabs Intelligence 2009 Annual Security Report. See you on the 19th.

Tuesday, December 15, 2009

Network Auditing Article on TechTarget

Just a quick post to help folks find the recent article on network auditing on TechTarget's SearchSecurity.
Think of it like this: There's at least a 50/50 chance you have one or more significant network security problems, and an audit is a good way to find them. In fact, 43% of survey respondents felt their organizations should audit their networks more frequently...Read more...

Thursday, August 06, 2009

Why Denial of Service is the Dumbest "Hack"

Large chunks of Web 2.0 are not working this morning, apparently because of one or more denial of service attacks. Users of Twitter, Facebook--and many apps and blogs which rely on those services for authorization credentials--are feeling understandably frustrated, yours truly included.

While reports that this DoS event is DefCon-related appear to be mere rumor at this point, it bears repeating: Denial of Service is the Dumbest Hack!

Since the first computer was plugged in, anyone with opposable thumbs has been able to execute a denial of service attack. DoS attacks are like the boiled egg of hacking. The fact that computers connected into a network can be disrupted is old news. Proving it with a DoS attack proves nothing new. So what is the point? Do we want the world to sit up and say "Gosh! All this stuff is connected, and if one part goes down many others are also affected."

Yawn! That is known, proven, accepted, it's history. All you gain by executing such an attack is a lot of anger directed at you by the millions of people whose lives you are messing about. You do not win any prizes for figuring out how to do this. The people who lead the field in figuring out how to execute DoS attacks are the kind of folks who do not execute them.

I watched one of those people demonstrate, in 1996, how to take down any web site with a 386 PC and 28Kbps modem. That was not at DefCon but in a tiny lab somewhere. But I did speak at DefCon that year and gained a lot of respect for serious hackers, not because they wrecked things, but because they had figured out how to, yet they refrained from using that knowledge for gain or fame or to piss people off. Would that all hackers followed that code.

Wednesday, July 08, 2009

Old News? Researchers predict SSNs, crack algorithm

This story is curious to me. About 13 years ago I taught some banking security classes with a chap who could do this in his head. I always assumed the algorithm was widely known in certain circles.

"Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites."

Search Security Coverage: Researchers predict SSNs, crack algorithm putting identities at risk

Thursday, July 02, 2009

TJX to pay $9.75 million for data breach investigations

As reported by SearchSecurity: "TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys Generals from 41 states."

That's on top of many previous costs arising from the fact that "over an 18-month period, hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems."

Consider: "In December 2007, TJX settled a lawsuit from dozens of banks, agreeing to pay out $40.9 million to cover costs connected to the retailer's massive data breach."

Monday, April 13, 2009

Better Twitter Signup Could Stall Twitter Woes and Twitter Worms: Why delay the inevitable?

When they say "anyone can get a Twitter account" they mean anyone and anything can get a Twitter account, including malicious 'bots and worms.

I'm all for equality, open access, and ease of access, but I'm not keen to share my social-network-of-choice with machines and anonymous jerks. History tells us that sort of thing eventually leads to spam and worms, both of which threaten to hobble Twitter as they hobbled email. And a lot of the problems now looming with Twitter are preventable, or at least containable, if the folks at Twitter act now, before things get out of hand.

(As for the hobbling of email, make no mistake, email could be very much better than it is right now if it were less prone to abuse. Securing email, which could be done if the large providers would drop their petty greed-based differences, would make it way more useful and productive than the pale shadow it is today--in other words, spammers and worm-writers cost the world billions in lost productivity, on top of the ongoing cost of blocking their irresponsible crap).

The first step in prevention and protection for Twitter is to require email confirmation for Twitter signup. That would make it harder to do things like this. Right now the Twitter signup process is irresponsibly open, as in "open to abuse" and we are seeing the first Twitter worms right now. Consider what happened recently when I had the pleasure of participating in an elaborate April Fool's caper.

To increase the credibility of our hoax I created a Twitter account in the name of the fake product we launched. I was shocked at how easy this was. Although the Twitter signup process asks for an email address it does not check to make sure the address is real. There is no "confirmation email" such as most forums, bulletin boards, and social networks require. And although Twitter signup uses a captcha, we know captchas can be beaten by any entity who is motivated enough to create fake accounts. (The "fake" account that I created used a valid email address but tests show this is not required--Twitter does try to validate your email address after signup and lets you know if they have a problem with it, but they don't kick you off the system.)
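To make the missing step concrete, here is an added example (written for this post, not Twitter's code) of the confirmation-email pattern the forums and bulletin boards mentioned above use: an account starts out unverified and cannot post, a random single-use token is generated at signup (returned here instead of being emailed so the example runs offline), the token is stored only as a hash, and the account is activated only if the token comes back before it expires. The 24-hour window, the handle names and the address domain are assumptions.

```python
"""Email-confirmed signup: unverified until a single-use, expiring token returns.

Constructed example. In a real deployment the token would be sent only to the
mailbox given at signup; here signup() returns it so the flow can be exercised
offline. The confirmation window is an assumed value.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: 24-hour confirmation window


@dataclass
class Account:
    handle: str
    email: str
    verified: bool = False
    token_hash: Optional[str] = None   # only the hash is stored, never the token
    token_expires: float = 0.0


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SignupService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.now = now   # injectable clock so expiry can be tested

    def signup(self, handle: str, email: str) -> str:
        """Create an unverified account and return the token that would be emailed."""
        token = secrets.token_urlsafe(32)            # 256 bits of randomness
        self.accounts[handle] = Account(
            handle, email,
            token_hash=_hash_token(token),
            token_expires=self.now() + TOKEN_TTL_SECONDS,
        )
        return token

    def confirm(self, handle: str, token: str) -> bool:
        """Activate the account if the token matches, is unexpired and unused."""
        acct = self.accounts.get(handle)
        if acct is None or acct.token_hash is None:   # unknown handle or token already consumed
            return False
        if self.now() > acct.token_expires:
            return False
        if not secrets.compare_digest(_hash_token(token), acct.token_hash):
            return False                                # constant-time comparison
        acct.verified = True
        acct.token_hash = None                          # single use: invalidate immediately
        return True

    def can_post(self, handle: str) -> bool:
        """Only verified accounts may post; unverified ones are inert."""
        acct = self.accounts.get(handle)
        return acct is not None and acct.verified


if __name__ == "__main__":
    svc = SignupService()
    tok = svc.signup("fakeproduct", "nobody@example.invalid")
    print("can post before confirming:", svc.can_post("fakeproduct"))
    print("confirm with mailed token:", svc.confirm("fakeproduct", tok))
    print("can post after confirming:", svc.can_post("fakeproduct"))
```

Because an unverified account cannot do anything, an automated signup that never reads a mailbox yields nothing usable, and because the token is hashed, expiring and single-use, a leaked database copy or a replayed confirmation link does not activate accounts either.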

The point is, and I say this with love--because I love to Twitter--the folks at Twitter could do more to prevent abuse. Right now they have a chance to save Twitter from worms and I'm hoping they will learn from the mistakes made by email providers and act now rather than later, when it will be that much harder. I predict email verification will eventually come to Twitter, so why not do it now? The email industry missed several golden opportunities to keep the bad guys and bullies out. Twitter can do better, and I hope it will. I would happily give up the ability to make fake Twitter accounts for April Fool's Day.

Thursday, April 09, 2009

Power Grid Hacking Story = New Low for Journalism

Surely April 8 will be flagged as a new low in the history of American journalism. Why? The "power grid may be hacked" story, and I use the word "story" very intentionally. Everything I heard and saw about this yesterday--from CNN to NBC--was, to put it politely: trash. About the only thing I've seen written about this that made sense was former hacker Kevin Poulsen blogging at Wired:

"The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That's not it. I know...Only the intelligence agencies are equipped to protect us from foreign cyber attacks."

See: Put NSA in Charge of Cyber Security, Or the Power Grid Gets It | Threat Level from Wired.com

My own theory was that the large power companies, fearful of localized, alternative power generation, were trying to scare people away from "smart grids." This theory is based on the fact that a lot of the "reporting" suggested smart grids would make our power supply more vulnerable. Yeah, like that's why they're called smart. Does nobody out there in mainstream media remember why the Internet was designed like it is?

I recall, nine, maybe ten years ago, when someone on our penetration testing team said "Can I let some water out of the dam, please, that would be so cool?" Because Yes, we had reached the power company's hydro-electric control panel. We said No to that particular demonstration of how far we had penetrated. After all, it was the power company that had hired us to test their security. And the power company fixed the holes we found. AFAIK they've regularly checked for, and fixed, new ones ever since. The grid is not impenetrable, but this whole legend that "Russian and Chinese hackers are all up in our systems and can pull killer moves at the click of a mouse" just seems like scare-mongering. And people normally carry out scare-mongering for a reason.

Did anyone hear any journalist ask "Why?" As in why would people, foreign or domestic, want to mess with the grid? After all, anyone with a backhoe could drive into the field near my house today and cut the prominently labeled Verizon fiber optic trunk that runs through here (here being a place where lots of people own backhoes). But for years people have somehow avoided the temptation to do this (even deranged broadband addicts bummed out on dialup and convinced by voices in their fillings that cutting the cable was a cheap way to get FIOS, the fastest Internet and best TV picture ever).

Sure, there are some gifted hackers in Russia and China, but there is zero doubt in my mind that America could bring both of those countries to their knees in a matter of minutes if any kind of cyber-war were to break out.

So, as far as I can tell no mainstream journalists bothered to ask Why? Or bothered to think about where this story came from and how come it appeared at this time. The grid was no more or less susceptible on April 8, 2009 than it was on April 7, 2009. And I don't know whether to pity or impugn the talking heads they trotted out to comment on this "story."

Please let me know if you heard anyone in the media, besides Mr. Poulsen, raising the possibility that this story was part of the push by NSA to take over cyber-security from DHS (that's NSA as in "Not Safe Agency" that worked with companies like AT&T to suck the Internet into massive servers so they can read our email and blog posts).

And if you have heard anything to suggest that the Obama administration is about to kick some serious cyber-butt and bring sanity to our secret agencies and critical infrastructure protection programs, I'd really appreciate hearing about it, because frankly I'm getting pretty depressed here.

Saturday, March 28, 2009

Vast Spy System Loots Computers in 103 Countries

Vast Spy System Loots Computers in 103 Countries - NYTimes.com:
By JOHN MARKOFF, Published: March 28, 2009

"TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."

Thursday, December 11, 2008

5 Years After CAN-SPAM

Larry Seltzer at eWeek: "The other big thing that CAN-SPAM did was to set rules for businesses to follow in order to do mass-mailings. These were the most controversial part of CAN-SPAM because they were opt-out instead of opt-in. This is why critics said, and continue to say, CAN-SPAM 'legalized spam.'"

I think the current state of commercial email is largely determined by market forces exerted via new media. Smart companies have found out that customer relations and marketing outreach goes much better if you don't send people email they don't ask for.

The Internet is not only a uniquely self-documenting phenomenon, it is self-reflective and self-monitoring. If GM were to start sending out a mass of unsolicited commercial email asking consumers to support the federal bailout, I bet it would be canceled before it was completed. The feedback loops through Twitter and social networks are instant and effective (see the whole Motrin baby debacle: "Motrin Learns: Hell Hath No Fury Like Baby-Wearing Moms").

And hell hath no fury like consumers spammed. Any spammer with a detectable street address, traceable web site, or listed phone number would be in big trouble. Not only because of the spam he or she sent, but as a target on which to vent the pent up anger generated by the thousands of spammers who have no detectable street address, traceable web site, or listed phone number.

Did CAN-SPAM help or hurt? Five years on I would say it didn't hurt. And it has probably helped. (It certainly gave me something I could wave at companies who were not getting the message; today they all have the message --"Thou shalt not send unsolicited email"--engraved in their policies).

Monday, December 01, 2008

Underground Data Market Tops $275 Million

The market for buying and selling stolen credit card numbers and access to financial accounts has reached the $276 million mark, according to Symantec (as reported by TechTarget).

"Symantec said the total value of the stolen data has risen sharply in recent years as spam gangs and individual phishers sell credit card information in bulk on Web forums and bulletin boards right in the public eye. The market has become so big that phishers have to fight for credibility in a seedy underground where it's common for cybercriminals to phish other phishers."

So, after we sort out the world financial crisis and the fossil fuel crisis and global warming and international terrorism, we will still have these immoral scumbags to deal with? Great!

Sunday, November 02, 2008

Wednesday, October 29, 2008

WARNING: Enom Phishing Scam

WARNING: Enom Phishing Scam Domain Name News: "We have received several reports of phishing scam emails that at first glance appear to be coming from domain name registrar Enom.com. The emails warn of a complaint for invalid whois information and ask the user to login. Of course the link that the email directs you to is not a valid Enom domain name. The site is likely harvesting user names and passwords to access legitimate Enom accounts."

These are very nasty messages--I just got a couple and they make your heart race at first read because you are informed someone has bought your domain. A pox on the perpetrators!

Monday, September 01, 2008

Medical Alert: HIPAA gets six figure teeth

Ten years ago I started to alert my clients to the emergence of privacy as the new "driver" of data security. Eight years ago I started to warn them about the specific implications of the Health Insurance Portability and Accountability Act (HIPAA). In the slide deck that I created for my first HIPAA seminar I made sure my audiences were aware of the penalties built into HIPAA, such as fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."

Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennies have dropped, because HHS, the U.S. Department of Health & Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in this comprehensive posting by Sara Kraus over on the privacy law blog.

Providence Health & Services, a Seattle-based not-for-profit health system, was forced to pay $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a "civil monetary penalty." That three-year plan is like probation and is no cake walk. Failure to comply could result in more penalties and Providence could still face criminal liability.

The immediate trigger for this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information ("ePHI") of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."

So if you are in any way responsible for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up but state notification laws required patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. And that failure cost $100,000.

(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)

Wednesday, August 13, 2008

News Spam Rolls On: First CNN, now MSNBC

The outbreak of spam that pretends to be a news alert from CNN has now morphed into "BREAKING NEWS" from MSNBC, like this message proclaiming that trading in McDonalds has been suspended.

However, the message is not part of a pump-n-dump stock scam, merely a variant of the basic take-me-to-your-Trojan attack. Indeed, another one of these that I received has the strangely amusing headline: "Study reveals bass players 'every bit as dull as golfers.'" What bass playing recipient could resist checking out that story?

This type of attack looks like it will run for some time (I predict Google will be the next patsy). So information security staff might want to send out a generalized alert to employees warning them to

a. disregard [and delete without reading] any news alerts they have not specifically requested,
b. decline to install any new video players.

And so the world grinds on, with each new technology benefit poisoned by selfish, twisted souls. Sigh...

Nasty New Form of Spam: CNN News Alerts

I have received a handful of these in the past few days, messages that look like they could be a CNN news alert that I had signed up for, except I hadn't.

The subject = "Breaking news" and spammers have designed them like this because many of us humans find it hard to resist a breaking news story. This means a lot of people may open these messages before the spam filters and malware detectors are updated and the security staff get out the word to the troops.

The link inside these messages can be quite goofy, like "Titanic sinks again in 2008." But some people will fall for them. And when they click on the story link they will probably find themselves on a web site in Russia or China. They will then get a message saying that, in order to view the video of the news story, they need to download new video player software. A convenient download is provided, but the software it sends you is a Trojan that compromises your system. These messages come hot on the heels of the "Daily Top Ten" from CNN that were very convincingly crafted (including an unsubscribe link that actually appeared to work).

There are only two things that will stem the tide of this garbage:

a. Widespread improvement in the general standards of human behavior.
b. Widespread adoption of new email standards.

Sadly both a and b still appear to be a long way off.

Monday, August 04, 2008

Laptops in Peril at the Airport

My brother, Mike, has been busy this week, responding to questions about the latest Ponemon Institute survey, which suggests a heck of a lot of laptops are separated from their owners at airports. He did more than a dozen radio interviews in one day!

I've worked with Larry Ponemon in the past and he does a pretty mean survey. So if he says 3,800 computers go missing each week from Europe's 24 busiest airports, I'm inclined to believe that's the case. An even more shocking finding is that more than half of these laptops are never retrieved. People traveling with their laptops should take note.

One of the first things I do when I get a new laptop is tape my business card to the bottom of it (taking care not to block any ventilation ports).

Friday, August 01, 2008

Travelers' Laptops May Be Detained At Border

If this wasn't in the Washington Post I would think it was a hoax: Travelers' Laptops May Be Detained At Border. More than anything else, this should awaken those who so far have been complacent to the reality of what our government has been doing to our rights these last 7.5 years.

Thursday, August 30, 2007

Scobbs Blog on Hiatus

There won't be any new posts here for a while, but you can catch the latest news and views at Cobbsblog.com.

Saturday, June 23, 2007

Trust in Banks Declines: UK distrust rises 47% to 71%

Interesting study indicates banks cannot substitute a virtual presence for local branches and a commitment to community.
Nearly three-quarters of UK customers do not trust their retail bank, and the more virtual a bank is, the lower the level of trust, according to a survey by Unisys...When Unisys asked the same questions in 2005 and 2006, 47 per cent of customers indicated that they did not trust their retail bank. This year the figure had risen to 71 per cent....the attributes most cited for eroding trust are 'disrespectful attitudes', 'poor privacy', 'weak IT' (such as websites), 'poor corporate governance' and a 'lack of investment in the local community'.
I'm just speculating here, but I'd say the constant drumbeat of security breaches and phishing scams involving online banking are having an erosive effect on trust.

Tuesday, May 22, 2007

What SMBs Need to Know About Computer Security Threats

I found a handy set of pages by a Victor Ng titled What SMBs Need to Know About Computer Security Threats in a publication called SMBedge which describes itself as "The Pulse of SMBs in Asia Today."

It is basic infosec 101 material that is handy because you can send that link to someone who doesn't know what infosec is--but should--just to get them started. Ng's material is more current than some of the 'intro' articles I had been using for this purpose in the past. You know, when someone says "So, you're a computer security consultant? I got a question. Should I renew that Symantec software that came with the PC I bought last year for inventory? I heard there are zombies out there." What do you tell them? Ask for their email address and send them a link.

Of course, this may be someone to whom you have just paid money for services rendered at the rate of $1 a minute and they are now inviting you to donate about $20 of your time given them a basic education (although they probably won't see it like that). As a CISSP, I always try to strike a balance between politely doing my civic duty and giving them that 10 minute intro and telling them to just go buy a book (valuing my time at $2 per hour minimum).

Usually it takes less than 5 minutes talking to the SMB to figure out if it is in more immediate danger than the rest of us, i.e. doing something really dumb with their systems. If they are, I am obliged, I think, to advise them to call in a professional. If I have the time I might be the professional and do a 10 minute fix for free, but then you start to encounter other issues, like: the problem you are fixing is just the tip of the iceberg; they have no budget; and what about liability if there is no formal contract?

Saturday, May 19, 2007

TJX Discovering Cost of Security Failure

Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: TJX: Data breach damage $25 million and counting.

That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.

TJX executives better hope that they can document the security policies and practices they had in place to prevent the hacking that took place. If a judge deems them to be up to par, they may avoid censure even though they were hacked. An active and well-documented security program is a good defense against charges of negligence or failure to meet the standard of due care.

Friday, May 18, 2007

As Predicted: Lawsuits up the security stakes

As predicted, by myself and numerous other information security experts, lawsuits are becoming an increasingly common response to a security breach. The latest example: The American Federation of Government Employees is suing the Transportation Security Administration after the TSA lost a hard drive containing employment records for some 100,000 individuals, including names, social security numbers, dates of birth, payroll information and bank account routing information.

The drive went missing from the TSA Headquarters Office of Human Capital. The names included various personnel and even U.S. Sky Marshals. The lawsuit is AFGE, et al v. Kip Hawley and TSA (AFGE = American Federation of Government Employees and Kip Hawley is the TSA Administrator). The AFGE claims that by failing to establish safeguards to ensure the security and confidentiality of personnel records, the TSA violated both the Aviation and Transportation Security Act and the Privacy Act of 1974.

The Aviation and Transportation Security Act (ATSA) requires the TSA administrator "to ensure the adequacy of security measures at airports." The 1974 Privacy Act requires every federal agency to have in place security measures to prevent unauthorized release of personal records. Losing a hard drive containing employment records for some 100,000 individuals constitutes unauthorized release. Stay tuned for progress in the suit.

TSA web site dedicated to this incident.

Saturday, May 12, 2007

Thursday, May 10, 2007

Public Wi-Fi Often Wide Open, But Who Cares?

Nice article by David Colker of the LA Times, republished here in the Chicago Tribune: Public Wi-Fi may turn your life into an open notebook. He vividly reminds us that surfing with your notebook at Starbucks can be a less than private experience. There is quite a bit of personal irony in this for me.

Wi-Fi at Starbucks is served by T-Mobile which made a big noise in October of 2004 about offering secure Wi-Fi at all its hot spots: T-Mobile Rolls Out Strong Security at Wi-Fi Hot Spots. I am personally aware of this because back then I was Chief Security Executive at STSN, now iBAHN, which provides Internet service to thousands of hotels, hotel lobbies, restaurants, and conferences around the world. At the time, iBAHN was close to completing its own roll-out of secure Wi-Fi and was under the impression it would be the first such major provider to offer this level of security at all its locations. Naturally, T-Mobile's announcement stung, partly because it garnered headlines while being ambiguous. Consider this "reporting" which is close to the wording of T-Mobile's press release:
T-Mobile is introducing strong, 802.1x-based authentication and encryption across its network of 4,700 hot spots. The move, which appears to be the first use of advanced 802.1x-based security by a national mobile carrier in U.S. hot spots, leverages the existing 802.1x infrastructure used to authenticate GSM (Global System for Mobile Communications)/GPRS (General Packet Radio Service) cell-phone users. "CIOs across the country have been asking for enhanced security, and we're the first U.S. wireless carrier to deliver it."

But T-Mobile was not the first to deliver strong, 802.1x-based authentication and encryption. iBAHN was already doing that, but had not talked about it publicly because the roll-out was not complete. T-Mobile decided to claim the glory by talking about their own roll-out before it was complete. I know because, at the time of the announcement, I was in downtown Chicago and I walked many blocks to test several Starbucks locations to see if 802.1x authentication was indeed available. The results were mixed, some consolation to my boss, Brett Molen, iBAHN's CTO, and CEO David Garrison.

Despite the fact that Brett and David were two of the best bosses I have ever had, I decided to leave iBAHN in 2005 and take a break from the corporate world. For a while I lost track of the secure hotspot debate. But now that I am back "on the road again," so to speak, I have had occasion to try the Wi-Fi at Starbucks in several locations around the world over the last six months and have noticed that the logon has changed considerably. It's a lot less complicated, with a lot less warning about potential security problems, than it was in 2004, and 802.1x-based authentication was apparently not offered.

Which suggests that there is considerable truth to what some of us security experts have been saying ever since computers escaped from Fortress Data Center in the eighties: Unless security is really simple and seamless, users won't use it. About the only exception to this is the user who has been educated about the risks. That is why iBAHN spent a lot of time educating its chosen market place (hotels and conferences) about those risks. And that is why iBAHN makes money selling secure connectivity at a premium.

Monday, May 07, 2007

Spector CNE and HTTP Traffic Cops

Remember when SPECTOR stood for Special Executive for Counter-Intelligence, Revenge and Extortion?** Now comes Spector CNE - one of a group of products I've been sniffing around in response to this question: What's to stop employees from copying and pasting confidential company data into blogs and Google App documents?

I've been putting this question to clients lately and not getting very good answers (where 'good'='good for their information security'). I don't feel comfortable sharing specifics on a public web page, but I think this is a big problem for some big companies. I also think this could become yet another front in the endless arms race between the good guys and the bad guys (where 'bad guys'='everyone from ruthless corporate spies to weak-willed individuals under stress, or merely under-trained.) So, if anyone knows of a good http traffic cop, or any other solution to this problem, I'd love to get your comments on it.

**If you already knew what SPECTOR stood for, then you already know the name of its on-screen nemesis. But do you know the make and model of the weapon said nemesis is brandishing in the famous black tie promotional 'shots' for the second movie in the genre? I will email an electronic copy of my privacy book to the first person who sends the right answer to scobb at scobb dot net.

Monday, April 30, 2007

Image Vulnerability: Is anyone looking at the outbound threat?

Remember last summer when the warnings about a surge in image spam started to appear? (Image spam being defined as unsolicited commercial email in which the message is presented as an image rather than text.) Then we saw spam volume drastically increase towards the end of 2007 with much hand-wringing over the difficulties of detecting image-based spam.

Well, I wonder how many companies have started to worry about the outbound-image threat? A certain percentage of companies do monitor outbound Internet traffic for trade secrets and inappropriate content. Some just monitor email. At least a few monitor web traffic. But I am fairly sure most of this is filtering based on text. Even so, I don't know how many would actually spot an employee typing company secrets into a password-protected blog hosted outside the company.

But what if the employee scans images of confidential company documents and uploads the JPEG files to a blog? Would that trigger a response from information security? Scanning the content of a JPEG for sensitive text is not impossible, but it is certainly processor intensive and in some ways it is not unlike the problem of detecting image-based spam.

Of course, one way of reducing the amount of image-based spam coming into an enterprise is to use the Turntide anti-spam technology that chokes off spam without a filter, instead using a behavior-based approach (now available as the Symantec Mail Security 8100 Series Appliance). Not sure if this would work the other way round. I know there was some discussion of using it to prevent enterprise networks from sending spam. If someone tried to send out 90,000 scanned pages, one after another, as JPEGs, would it show up as an anomaly and trigger some alarms?

BTW, the 90,000 number is not entirely random. In 1992 about twenty cases of confidential documents belonging to General Motors were physically shipped to Volkswagen headquarters in Wolfsburg (many of them allegedly transported aboard a Volkswagen corporate jet, via the Spanish residence of J. Ignacio Lopez de Arriortua, then Vice President at GM in charge of Worldwide Purchasing, later hired by VW). The number of purloined pages was put at 90,000.

BBTW, this piece of infosec trivia was my excuse for featuring Ron Patrick's amazing street legal VW (Beetle) Jet.

Friday, April 20, 2007

White Hat Hacking for Rainy Day Fun: Weak search forms still revealing too much data

What better way to spend a rainy April day than white hat hacking? Experience the thrill of hacking with none of the guilt. I highly recommend this for anyone who has difficulty understanding why hackers do what they do (and you are NEVER going to be a really good information security professional unless you DO understand what hacking is about).

Allow me to swap my white hat for my linguist cap for a moment (B.A. Honours, School of English, University of Leeds--one year behind guitar virtuoso Mark Knopfler but way ahead of the wonderfully talented Corinne Bailey Rae--and would you believe I can't even carry a tune, but I digress). It has to be said that hacking is one of the most hotly contested words of the information age. In justifiable homage to the original good-hearted hackers, many infosec professionals use the qualifier "criminal hackers" to distinguish the bad guys from the good guys (that's gender-neutral colloquial 'guys', by the way). The good guys, who don't break laws, can be referred to as white-hat hackers, the bad guys being black hat. I am actually leaning towards 'bad actors' as a preferred term for the bad guys (with apologies to my thespian readers).

So, one rainy April afternoon I was wearing "my film producer hat" and working the web to promote the film's appearance at two overlapping film festivals, one in Winston-Salem and the other in Columbus, Ohio. Neither the director nor myself could afford to attend these events in person and we were worried that turnout would be low. I decided to surf the web sites of colleges in the target areas and to identify faculty with an academic interest in civil rights history (and thereby interested in the film enough to tell their students about it). In the process I found a classic example of weak web design that was hackable.

After using standard search tools to identify the people I wanted to contact, I looked for their email addresses. Many organizations like schools and hospitals have a directory of staff phone numbers and email addresses. However, to prevent a variety of problems, such as spam, these and other details are not displayed wholesale in a list, but one at a time in response to a name search. In other words, a form on a web page enables users to search a database of people (in infosec terms, this database can be referred to as an asset). The premise is that you have to know the person's name to find their information.

I used this sort of directory to email several professors at several schools. However, I also found something interesting. These forms usually consist of two fields, for Last Name and First Name, together with a Submit button. The way it's supposed to work is that you, perhaps an aspiring Physics major, enter Einstein in one field, Albert in the other, click Submit, and get the phone number and email address for Prof. Einstein. However, such forms can be a pain for users who can't recall the professor's full name, so the form might allow you to enter Einstein for the last name and the letter 'A' for the first name. And herein lies a dilemma that can become a problem: how 'vague' to make the search. For example, if I can enter 'D' in the last name field and 'J' in the first name field, I can find all the Jane and John Does in the database. What you need is a fairly clever set of rules built into the form to control the results of any conceivable form input.

You see, in terms of information security, one can reliably predict that someone (referred to as an agent) will at some point click the Submit button without entering any characters at all in either field. If the result of this action is to reveal all of the records in the database (what we might call a means), one can reliably predict, based on past history, that this method will eventually be used to make a copy of all the records in the database (asset).

Thus, by failing to properly code the handling of form input from this search page, the folks who put up the page have created a vulnerability. This becomes a means of attack and a threat exists if someone figures out how to exploit it to gain unauthorized access to the asset. (This same problem crops up with student directories as well, where you are even less likely to want to grant access to the full list.)

This example nicely displays all of the elements of an information security threat (asset, agent, means). I have seen this type of problem on local government web sites where the effect was to enable the attacker to find all the data required to steal a person's identity, or even find all of the special training taken by former military personnel in the area.

As a white hat hacker it is your responsibility to inform the site manager of the problem. You avoid, as I have here, revealing specifics of the problem (e.g. the address of web site where I found this example). Hopefully, they will correct the problem. As for me, I will admit that, wearing my producer hat, I did use some of the email addresses that I found. I did not spam anyone. I sent them personal notes. And maybe it worked. At the Ohio festival Dare Not Walk Alone won the audience award for best film.