Archive for the ‘Security Curve’ Category
Phone Malware not a Problem
It’s official. The Register confirms what I’ve been saying all along: nobody is actually writing malware for phones. I’ve gone on record calling phone virus scanning a “solution in search of a problem”, and here’s a concurring opinion. A good read.
Ken Lay and Kumar go to White Castle
Have you seen “Harold and Kumar go to White Castle“? It’s a cinematic journey through the American Dream as lived by two guys who reside in New Jersey. After an evening of “sparking up”, the two heroes get the munchies and decide to head to White Castle for some burgers.
What does this have to do with Enron (Ken Lay) and Computer Associates (Sanjay Kumar)? Well, Ken Lay is telling reporters that the fall of Enron made him a “victim”, and Sanjay Kumar has pleaded not guilty.
Massive accounting fraud was occurring at the companies these men helmed as CEO, yet they had *no idea* these misdeeds were going on?
If Ken Lay and Sanjay Kumar did not know about the actions of their respective corporate accounting teams and associated practices – what were they doing as CEO? Perhaps they were driving around, stoned and looking for burgers?
Corporate governance is about taking responsibility.
“Ever to Excel”?
Those are the words printed in Greek on the official Boston College seal. I’m a proud Eagle, BC graduate, and since graduating from BC have tried hard to live up to those words. BC, however, recently failed to live up to them.
Today it was reported that BC’s alumni database was hacked. The Social Security Numbers (SSN) of 137,000 alumni were exposed. BC is recommending that alumni contact their financial services institutions to alert them to the breach.
How’d it happen? According to the published report, the database not only held SSNs that did not need to be stored, it also sat outside the BC firewall. Wow. What security architect approved that?
Educational institutions tend to have fairly open boundaries to support the ethic of academic freedom. But SSNs are credentials that need to be protected. Every organization must assess whether it actually needs to store SSNs; if they are not essential, don’t keep them in the record. It’s time for academia to take note and put the proper controls in place.
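One concrete shape for that assessment, as an added example rather than anything BC or the reporting describes: keep the record without the raw number, and only where SSN-based matching is genuinely required store a keyed token in its place, then scan for stragglers. The sample records, field names and key below are constructed for illustration.

```python
"""Data minimization for an alumni record store (added example, constructed data):
drop raw SSNs, keep a keyed token only where SSN matching is truly needed,
and check for SSN-shaped values that survived the cleanup."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records: hypothetical people and numbers, not real data.
ALUMNI: List[Dict] = [
    {"id": 1001, "name": "A. Eagle", "class_year": 1998,
     "ssn": "123-45-6789", "email": "a.eagle@example.edu"},
    {"id": 1002, "name": "B. Eagle", "class_year": 2001,
     "ssn": "987654321", "email": "b.eagle@example.edu"},
]

# Nine digits with optional hyphens; deliberately broad, so expect some false
# positives (any nine-digit number) and review hits by hand.
SSN_SHAPE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' tokenize identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized SSN.

    A plain hash would not do: there are only about 10^9 possible SSNs, so an
    unkeyed digest can be reversed by simple enumeration. The secret key, kept
    outside the database (KMS/HSM in practice), is what makes a stolen table of
    tokens useless on its own.
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def minimize_record(record: Dict, key: Optional[bytes] = None) -> Dict:
    """Return a copy of the record without the raw SSN.

    With a key, an 'ssn_token' field is kept so the record can still be matched
    by SSN; without one the SSN is simply gone, which is the default to prefer.
    """
    out = {k: v for k, v in record.items() if k != "ssn"}
    if key is not None and "ssn" in record:
        out["ssn_token"] = ssn_token(record["ssn"], key)
    return out


def find_by_ssn(records: List[Dict], ssn: str, key: bytes) -> List[Dict]:
    """Match on the token: the caller supplies the SSN, the store never sees it."""
    wanted = ssn_token(ssn, key)
    return [r for r in records if r.get("ssn_token") == wanted]


def residual_ssn_fields(records: List[Dict]) -> List[Tuple[int, str]]:
    """Check for raw SSNs that survived minimization, e.g. pasted into a notes
    field. Returns (record id, field name) pairs for review."""
    hits = []
    for r in records:
        for field, value in r.items():
            if isinstance(value, str) and SSN_SHAPE.search(value):
                hits.append((r["id"], field))
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; never stored alongside the data
    stored = [minimize_record(r, key) for r in ALUMNI]
    print(stored)
    print(find_by_ssn(stored, "123456789", key))   # record 1001
    print(residual_ssn_fields(ALUMNI))             # both raw-SSN fields flagged
    print(residual_ssn_fields(stored))             # nothing left to find
```

The residual scan is the part worth running against a real export: a database that has been "cleaned" often still carries the number in free-text fields, and the scan is cheap.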
BC – you did not excel for your alumni this week. My alumni wish is that, moving forward, BC takes some of the $441 million USD raised in the “Ever to Excel” capital campaign and spends it on IT controls and risk management. Knowing that my SSN was exposed through BC doesn’t make me a happy alumnus. And if some of the money raised in capital campaigns doesn’t go towards protecting the data of mine that still resides at BC, you can be darned sure I’m not going to be motivated to contribute to future campaigns.
“Ever to Excel” – that includes IT, BC. Take note.
The fallout continues…
Remember the before and after photos on those diet ads on late night TV? Information security has its own “before and after” photos. For example, do you remember when ChoicePoint CISO Richard “Dick” Baich told us that the stolen PII wasn’t that big a deal? Well, that was the candid “before” shot. The “after” photo in our little analogy would of course be the ChoicePoint CEO standing before Congress and apologizing over the tragedy. Like the airbrushing and softening done in the weight loss ad, this apology has been “dressed up” to make the change look dramatic when little or nothing has actually changed. The change exists only in the photos. Is it fair to say this? After all, maybe ChoicePoint really had a change of heart; maybe they were visited by three spirits in the middle of the night and woke up to find there’s still time to reform their terrible ways. Unfortunately, no. To quote the article:
Smith and Sanford said they were opposed to legislation banning the sale of Social Security numbers, arguing that the sale of personal information was important to fight fraud and assist law enforcement in its investigations.
So, they just don’t want to get regulated and they want to keep doing business as usual. Apparently, Smith’s “soul searching” is light on the “soul” and heavy on the “searching” (at least as it pertains to searching for a way to make the attention pass at as little cost as possible). Sickening.
The pain, the pain…
Ugh. Have you all seen this? Usually, I’d say there is no shame in an FS company reporting under CA SB1386 – I say this because I think the difference between the firms that are reporting and the ones that aren’t is the degree to which the security folks know the systems and processes in use by the business (meaning that everyone should report, but some don’t because they are clue-free enough to assume they’ve got it all under control). Seriously; describe to me the difference between a burglar walking off with desktop machines (by precedent an incident requiring disclosure) and one or more brokers/advisors/etc. using their insecure, unprotected, directly-connected-to-the-internet, riddled-with-spyware home machines to store their client lists. Seems to me like it’s the same thing, but what do I know?
Anyway, I guess my point is that I think these CSOs (particularly one very astute Bostonian whom I respect very highly) didn’t say the most important thing: that in the end the business will do what the business does – sometimes you’ll know about it and sometimes you won’t. Be it storing the addresses on tape and losing them (if you’re a bank) or deciding to release patches quarterly (if you’re a vendor – although I think we’re safe for the time being from a vendor doing something *that* obviously unsafe, heh), businesses need to do what enhances profitability.
Anyway, usually I would agree with that, but in this case BOA really needs to get their name out of the press; between the 1.2 million addresses and the poor guy who lost all that money from fraud and BOA won’t give it back, they need to do something. Seems like paying that guy his 90k would have cost them less, right? Oh well, you live and you learn.
Who’s Angry?
ChoicePoint CISO Richard Baich has the following to say about how ChoicePoint inadequately defended our most private credit, medical, insurance, salary, tax and earnings information. Does this make anybody else’s hair stand on end? Check out the choice comments below:
“This is not an information security issue… This type of fraud happens every day.” – Thanks, Rich. Of course, I always suspected that the “stewards” of my semi-personal information (e.g. address and phone number and such) were leaking it out, as Dick here indicates, “every day.” However, I sort of thought that my financial or medical information was between me and only those with a “need to know.” I was wrong – apparently. They see the loss of 145,000 records as “not an information security issue.” I’m curious what type of issue it is – maybe Richard sees it more as a media relations issue? How about a sales issue? “Darn sales department – they are always slacking when it comes to ensuring the security of all that information.” Bah. Wishing it to be somebody else’s problem won’t make it any better.
“I was at RSA among other CISOs when the media frenzy around this kicked in.” Am I misunderstanding, or did he just imply that their process is so hosed up that he (the CISO) didn’t even hear about the pending disclosure until after the media reports? Strange as it sounds, I actually hope their process is that hosed, since the only other alternative is that he did know about it but chose to “otherwise occupy” himself at RSA when they disclosed. (Maybe he was busy indulging in a bit of free cheese danish over at the Verisign-sponsored “CISO refreshment table” – I don’t blame him, the danish are the first to go.)
“What would help (the security) industry is to say that a mislabeling of this event as a hack is killing ChoicePoint.” ??? Hack or fraud. Excuse me, but really – who cares?
“…this has been mislabeled a hack and a security breach. That’s such a negative impression that suggests we failed to provide adequate protection..” Um. Still not following you. Is the argument that losing 145,000 records falls under the heading of “adequate protection”? Or is the argument that it’s not *really* a security breach because nobody h4×0red some server over there? Oh! I have a great rationalization – how about this: it’s not an information security “breach” because all of ChoicePoint’s information security resources were engaged in intense, precision, laser-focused infosec planning activities at the W bar when the fraud/hack took place.
Poor form, ChoicePoint…
What Really Happened to Paris?
There has been a lot of speculation about exactly what happened to Paris’ Sidekick (her little mobile PDA device)… Just in case you haven’t heard, Paris Hilton suffered a very unfortunate breach when the personal data from her Sidekick was exposed to the world.
The question I’ve seen over and over is… how did it happen? Did she have a weak password? Or was there a known exploit? In the absence of further evidence, all we really can do is speculate (although the ’sploit posted on rootsecure looks pretty convincing to this casual observer).
One of the things that I find interesting is how T-Mobile can insinuate that this is somehow Paris’ fault. Lest we forget, one of the parties in this equation has a sordid history of having their private bits exposed over and over again in the public eye… and I don’t mean Paris. For example, remember when that guy had complete run of the T-Mobile network for over a year or when T-Mobile had all that data on secret service agents stolen? Oh yeah, and I almost forgot, remember when T-Mobile wasn’t sure who stole what because they didn’t keep sufficient audit data? Seems to me T-Mobile’s cry of “maybe Paris had a weak password” is looking pretty flimsy in the light of their previous security debacles.
In any event, maybe this will be a good thing for the big pink T. After all, we’ve had device ID capability for quite a while now. Maybe one of these phone companies will wake up and realize that if an account belongs to a Sidekick, access to it through their website should be limited to people with… well, Sidekicks.
DRM is your fluffy friend – Ballmer stakes out MS’ turf
“Sooner or later it had to happen. Microsoft is putting a lot of money into Digital Rights Management, and expects to get a lot more money back out so long as it can persuade consumers that DRM is their fluffy friend, and most certainly not a fiendish plot to allow the music companies to squeeze even more money out of them. This time, the knife was pointing at Steve Ballmer when it stopped spinning, so the prez’s name went onto a DRM apologia sent out as Microsoft’s regular customer information email.”
Yup, the public is starting to twig to the fact that some of the Trusted Computing and NGSCB work over at MS could well mean losing control over the data on their own computers. While most people are against out-and-out piracy (granted, there are plenty who are all for it, but let’s leave them out of the discussion for the nonce), that doesn’t mean they want to lose control of the data they’ve paid for. Most consumers want to be able to reproduce legally purchased music for different form factors (a legally bought CD ripped onto an MP3 player for gym-time listening, for example). Taking that freedom away won’t sit well at all.
I think MS should concentrate on DRM for IP inside enterprises and leave the RIAA and the personal data issue out of it. This article isn’t the first to indicate that a big storm is brewing with the public. MSFT should pay careful attention. When the buyers speak loudly enough, vendors must listen.