Wednesday, January 31, 2007

Harry Potter and the Hacking the 1098

A couple brief notes.
From Pogo Was Right, a link to the Boston Globe op-ed on privacy, security and Harry Potter hackers. The nut of the argument of Mr. Peters, CISSP:

People take to the streets to protest the Patriot Act or the search of phone records even though the payoff may be stopping a terrorist. But the same people freely give their phone number or address to a checkout clerk when the only payoff is an abundance of junk marketing.
I remember hearing a guy named Maple quote an IBM study stating that Americans love their privacy, but will trade it away for a fifty cent off coupon. That was 1998, and I don't think much has changed.

I'm not quite ready to give up on the power of the consumer, but this chart is the most distressing for me. The consumer doesn't matter if the shareholder gets his bit.

And I was flattered that the Periodical of Record for Road Racing in North America picked up my post on the Ducati laptop lost and found. I should let Ducati know that I'd be happy to test the security of the USB Ducati Data Analysis on the 1098S just to make sure it is, you know, compliant with the EU Privacy Directive. Maybe hook it up with some 802.11n and turn the 1098 into the only Desmo driven war driving device.

Tuesday, January 30, 2007

Kim Possible vs. The TSA

or the Mysterious Case of Kim and the Rights of Parking.
Briefly put, a City Council member wants to meet and greet visiting dignitaries at the airport gate, not at baggage claim. The memo that came with her special airport free parking badge (sweet!) appears to confer this privilege. Councilwoman Kim figured (not unreasonably, looking at the memo linked on the Statesman site), that the parking badge was like a home generated Northwest Airlines boarding pass.

But the memo was outdated, and the caprice of the TSA being what it is, the offer of gateside greetings had expired. Kerfuffle (or a dust-up, maybe) ensues. City Manager sorts things out.

Personally, I think free airport parking is a pretty good perk in itself, especially if it's in the covered garage rather than in lot F (also known as Rosanky). And Austin Bergstrom beyond the security checkpoint is not a bad destination, with live music and good bar-b-q. (I've had friends who've had gigs there, but none of the regulars showed up. Go figure.) All reasonable folks know that security should be checked at the gate, so you don't have a race condition between check-in and boarding. Unfortunately, the set of TSA policy makers is not a subset of reasonable folks.

Monday, January 29, 2007

Not All Lost Laptop Stories Are Bad

The lost laptop story has become tiresome. Some individual, proving themselves to be careless, or even just human, loses a laptop with some sort of confidential information. SB1386 has made this the most banal folk tale of the 2000s.

Fortunately, after perusing the results of the MotoGP tests in Jerez, I read the Roadracing World's version of the lost laptop story. Four cats from DC head out early to the Laguna Seca track on the Wednesday before the big MotoGP race. They find a carry-on piece of luggage, which contained a passport, tickets, MotoGP credentials and (yes) a laptop containing precious Ducati Corse data. So, instead of heading over to Repsol Honda, or eBay, these gentlemen returned the baggage to the Corse engineer it belonged to. In return, the Ducati folks treat them like royalty throughout that weekend, and invite them to the season closer at Valencia. Hanging out with umbrella girls, scooter rides with Randy Mamola, asking Garry McCoy where it hurts, watching Nicky Hayden win the championship, all worthy activities paid in gratitude from Ducati.

Admittedly, Ducati Corse is cooler than the Department of Veterans Affairs or Wells Fargo will ever be. But if people knew that they could go on a scooter ride with Randy Mamola if they returned laptops loaded with trade secrets or personally identifiable information, our privacy problems here would soon be over.

Friday, January 26, 2007

Steve McQueen's Credit Card

The Bonhams & Butterfields auction of Steve McQueen's motor related ephemera included his credit card. According to February's Sports Car Market, the unsigned Wells Fargo MasterCharge (exp 07/80) was purchased for $9,945. (Some coverage here of the auction.)

According to this Tao Security link, you can get a better deal on credit cards on IRC.

Thursday, January 25, 2007

Shake Hands With Danger

or the Mysterious Case of the Substitute Teacher and the Depraved Pop Ups. Krebs has the details, more or less. And some comments. Lotsa comments.
I am of several minds on this incident.

The Forensics
Network Performance Daily has a couple of CSI:Connecticut posts about the forensic evidence from folks who have seen it.
The Defense - The few details included don't support forensic discipline. The statement "[d]uring the copy process we received several "Security Alerts!" from our antivirus program" appears to indicate that the forensic data was being copied (not imaged) over to a general purpose computer (that runs antivirus). Generally, forensics is done off an image mounted as read-only. Copied files don't have much in the way of chain of custody, and copying data can change some of its properties.
The Prosecution - This post is just unreadable. I can't tell what's going on, but that the cop may have used a forensic program to examine the data.

I mean, whatever. The forensic evidence doesn't really establish who was at the keyboard when the nasty images came up. Could have been seventh graders, could have been the teacher. The teacher didn't shut off the computer (or even turn off the monitor) when she left the room, though. I mean, in the words of G.O.B. "COME ON!"
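To make the copied-versus-imaged point concrete, here is an added example (not from the posts discussed above, and not anyone's actual forensic tooling). It fingerprints a constructed "evidence" file, copies it the way a drag-and-drop would, and reports which recorded properties no longer match. The file name, contents and timestamp are all constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """Record the content hash plus the metadata an examiner would rely on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def compare(before, after):
    """Return the names of recorded properties that differ between two fingerprints."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    workdir = tempfile.mkdtemp(prefix="evidence-demo-")
    try:
        # Constructed sample "evidence" file, backdated to a constructed incident time.
        original = os.path.join(workdir, "history.dat")
        with open(original, "wb") as f:
            f.write(b"constructed browser-history record\n" * 100)
        incident_time = 1161000000  # constructed timestamp (October 2006)
        os.utime(original, (incident_time, incident_time))
        before = fingerprint(original)

        # Plain copy: content survives, but the copy is stamped with today's time.
        plain = os.path.join(workdir, "plain_copy.dat")
        shutil.copyfile(original, plain)

        # Metadata-preserving copy: better, but still only the live file, not an
        # image of the disk (no deleted files, no unallocated space).
        preserved = os.path.join(workdir, "preserved_copy.dat")
        shutil.copy2(original, preserved)

        return {
            "plain": compare(before, fingerprint(plain)),
            "preserved": compare(before, fingerprint(preserved)),
            "original_untouched": compare(before, fingerprint(original)),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name}: changed properties = {changed or 'none'}")
```

The hash matching on the plain copy is exactly why a hash alone doesn't settle the custody question: the bytes are the same, but the timestamp that says when the file was last written is gone.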

So Shake Hands With Danger
When you log on to the Internet, you shake hands with danger. Computers are dangerous. If you aren't checked out on the equipment, you shouldn't operate it! You could be a danger to yourself and those around you. Don't end up like Three Fingered Joe!

Wednesday, January 24, 2007

There is no physical access control.

I was thinking about the difficulty of accurately testing physical controls and identity today. People let people in areas based on a system of signals that indicate they are safe/authorized: badge, biometric (face, voice), dress (uniform, hard hat, clipboard). Gradations in each of these attributes build to the decision to grant access. I was also thinking about how lousy this system works. Every security consultant brags about how they can get in any building by just looking like they belong there. But how hard can it be?

For example, this disturbing story about a 29 year old sex offender who enrolled in middle school. Horrific, insane, and befuddling. He shows up with a fake birth certificate and some seriously perverted "grandpa" and he's in. So long as he does his homework and shows up for class.

I give up. There is no physical access control. I refuse to believe in it anymore.

Tuesday, January 23, 2007

Buzzword Compliance or Compensating Controls

From the most recent SANS e-mail letter, this article from Computerworld on a pretty minor (all things considered) security incident at a federal retirement fund agency.

The voice of SANS (Pescatore in this case) remarked thusly:

This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats.
Pescatore, duuude. Hate the game, not the playa.

First, I don't think any of those regulations really apply to the TSP, except as perhaps amusing pastimes in the off season.
Secondly, what the hunh??? I really don't get what some users who got their account hijacked through the client side would have to do with a focus on regulations. About a dozen accounts, $35,000 all told. In retirement fund terms, not a whole lot. And they did find out about the incident; it is possible that some account monitoring controls were in place. So maybe the system worked. And cruising around the TSP site, it looks like they are trying to educate their users.

Unfortunately, whatever cred the TSP folks gained is blown in the following quote:

"External penetration testing has demonstrated that our system has not been breached"

Umm... ? I'd like to see the pen-test firm that signed off on that. Maybe next time you should hire some forensic analysts over for a post-incident discussion. They may give you better results.

Just because you don't have heavy super duty NAC/HIDS/NIDS two factor network with buzzwords du jour and a burled walnut interior, doesn't mean that you are so distracted by your BASEL II crossword puzzle that your accounting department doesn't notice some odd ball transfers. It's all about the compensating controls.

Friday, January 19, 2007

Comply, Submit, or Obey?

A post and response from and cogent commentary from Mike Rothman.
My issues are primarily with Eric Ogren who cites "the only two effective regulations."

1. Executive accountability of SOX.
Accountability is a good idea, and formalized some of the accountability that existed de facto. However, it is currently implemented by a legion of auditors with blank checklists seeking billable hours. Accountability could be frightening to the honest CEO, but SOX will just double the thrill factor for the corrupt.

2. SB1386 Disclosure
SB1386 as a shaming device? I believe it was designed to function as a means to protect the consumer. If its objective was to shame the violating corporations in the marketplace, it has failed. I believe there is sufficient evidence that public notification of a privacy breach is not a significant indicator of long term market performance. Other non-security, non-privacy related factors have more influence, and the investing/consuming public has become somewhat inured to notification after 2006's breach-o-palooza notification blizzard. If it was designed to punish corporations, it would have provisions of fines, jail time, drawing and quartering for the execs (not unlike SOX). Market impact is a mild, short term side effect, equivalent to postage and printing notifications.

EO also cites the ineffective enforcement of HIPAA and PCI "regulations." Well, I'll go along with HIPAA, which was a bitter sausage long in the making, shoved in a casing of some of the weakest enforcement mechanisms this side of the FDCPA. I don't understand all the byzantine economics of the health care industry, so I have a hard time imagining an FFIEC corollary that could oversee physicians, dentists, hospitals, clinics and insurance companies.

But PCI compliance brought CardSystems to its knees precisely because it was not a regulation, but a business agreement.

All in all, I have to agree with Rothman. I'll even go beyond that. Compliance is a by-product. If your focus is on protecting the customer's information, compliance will occur. If your focus is on compliance, you will likely waste resources chasing the wrong rabbit down the wrong rabbit hole, and never really achieve your objective. So, what are you trying to do?

Thursday, January 18, 2007

Cooler than an iPhone

Immunity's Silica.

From Immunity's page:

Example Use Cases:

  • Tell SILICA to scan every machine on every wireless network for file shares and download anything of interest to the SILICA device. Then just put it in your suit pocket and walk through your target's office space.
  • Tell SILICA to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port running Immunity CANVAS Professional.
  • Mail SILICA to your target's CEO, then let it turn on and hack anything it can as it sits on their desk.
  • Have SILICA conduct MITM attacks against people on a wireless network.
  • Use SILICA as you would CANVAS on your desktop - just smaller.
  • Very cool.

    Monday, January 15, 2007

    Corporate Information as Reverse Spam

    From the NYT - Firms Fret as Office E-Mail Jumps Security Walls.

    A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

    And it goes on about how the suspender-snapping punch-card set is all wound up because the people they hired are trying to work. And that their remote access solution probably sucks and doesn't meet their needs. You can go out and buy some sort of reverse spam filter that will process all the outbound e-mail for your corporate sensitive words. Once the offender is identified, you can then go mete out punishment. Of course you'll have to be watching for false positives. It's hard enough to create an accurate spam filter with the huge sample of spam processed through it. Can you correctly identify all the corporate Type 1 and Type 2 errors?

    The real answer is in the comment in the last paragraph of the article:

    “We have as high a security standard as any company,” said Ms. Bargero of Sendmail, “and sometimes it is just too difficult to access our e-mail.”

    Bingo. If you design a system that is usable, you might not have this problem.
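For a feel of the Type 1 / Type 2 problem with the "reverse spam filter" described above, here is an added example (not from the article or any vendor's product). It runs a naive watch-word filter over a handful of constructed outbound messages, each labelled by hand as leak or not, and counts the errors. The watch list and messages are made up for the illustration.

```python
import re

# Hypothetical watch list of "corporate sensitive words" (constructed).
WATCH_WORDS = {"confidential", "merger", "salary", "roadmap"}

# Constructed outbound messages: (body, is_actually_a_leak)
SAMPLE_OUTBOUND = [
    ("Attached is the confidential merger term sheet, keep it quiet.", True),
    ("Forwarding Q3 numbers to my webmail so I can finish tonight: rev 4.1M, churn 7%", True),
    ("See attached.", True),
    ("This email and any attachments are confidential. Lunch at noon?", False),
    ("Congrats on the salary bump, drinks on you!", False),
    ("Can you send me the public product roadmap link from the website?", False),
    ("Running late, start the meeting without me.", False),
]


def flags(body, watch_words=WATCH_WORDS):
    """Return the watch words present in a message (whole word, case-insensitive)."""
    tokens = set(re.findall(r"[a-z0-9]+", body.lower()))
    return sorted(tokens & watch_words)


def evaluate(samples, watch_words=WATCH_WORDS):
    """Build the confusion matrix for the filter over hand-labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for body, is_leak in samples:
        flagged = bool(flags(body, watch_words))
        if flagged:
            counts["tp" if is_leak else "fp"] += 1
        else:
            counts["fn" if is_leak else "tn"] += 1
    return counts


def error_rates(counts):
    """Type 1 = innocent mail flagged; Type 2 = leak that sailed through."""
    return {
        "type1_false_positive_rate": counts["fp"] / (counts["fp"] + counts["tn"]),
        "type2_false_negative_rate": counts["fn"] / (counts["fn"] + counts["tp"]),
    }


if __name__ == "__main__":
    c = evaluate(SAMPLE_OUTBOUND)
    print(c)
    print(error_rates(c))
```

On this sample the filter flags three innocent messages (an e-mail footer, a congratulation, a request for a public link) and misses two of the three leaks, which is the punishment-by-keyword problem in miniature.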

    Canadian Breach Notification

    From Emergent Chaos, a link to the paper "Approaches to Breach Notification" from the Canadian Internet Policy and Public Interest Clinic. I've been spending this frosty MLK Day afternoon looking it over. I really dig this approach:

    Generally, the affected organization is in the best position to calculate the associated risks of a breach of its information security and should be entrusted with this determination. However, there should be a requirement that every breach involving defined personal information be reported to the Privacy Commissioner, with full information about the nature and extent, the anticipated risks, mitigation measures, steps taken to notify affected individuals or, where notification is not considered warranted, the justification for not taking this step.
    This seems to be a reasonable approach to prevent blanketing of potential victims with notices of low-risk data loss events. The Commissioner can evaluate the organization's risk assessment to filter for the Excessive Butt Coverage Risk Assessment Methodology. *

    The recommended contents of the notice would help, notably the time and method of the disclosure. I've seen notices with the vague "may have been accessed by unauthorized individuals" which offer the potential victim no real way to assess the damage.

    *EBC-RAM is a Full-Custom Chrome-Plated Methodology with a burled walnut finish (optional). Patent pending, R. Dutcher Stiles, 2007

    Edit to add that Educated Guesswork has a very cogent analysis of the article.

    Wednesday, January 10, 2007

    Finders Keepers

    Corporations lose data in a variety of ways, with impacts to the organization and to the privacy of individuals.

    The view from the advantage of the threat actors becomes a bit clearer when the lost data is identified simply as contraband. Once the information has sloughed off the bonds of the corporation, it has no legitimate purpose*. Analogies to the illicit drug trade are both illustrative and fun.

    Misplacing Your Assets
    The Pawn Shop Lost Laptop with Millions of SSNs = Second Hand Escalade with G Pack of Yellow Tops in Door Panels
    In this instance, the possessor of the item is not aware of its contraband contents. If he does discover the contraband, and he is a good citizen, he destroys it. No one would believe the innocent way he came to possess the contraband, and since he is not in the game, there is no easy way to convert it to cash. The contraband is useless, and the prior owner (Escalade gangster / VA administration) need not be concerned with dilution of market / rampant identity theft. Is there a countermeasure for absent-mindedness?

    Hijacked Ground Stash = 0day Exploit on Corporate Server
    The skilled threat actor knows where the contraband is, steals it, and converts it to cash. Outmoded models of the hacker as the intellectually curious, yet socially maladjusted prankster are fading even from CISSP training manuals. See Krebs and Omar Little for examples. What's the countermeasure? Awareness and solid operational security.

    Insider Fraud
    Shorting the Count = Podslurping**
    With means and opportunity, the insider can palm a few bills, snake a couple vials or pop a portable hard drive into a workstation. The countermeasure is the same: a well enforced security policy. "The count is right" is a street version of a completed GLB questionnaire. Corporations have some advantage over the corner, since the insider motive is dependent on the ability to turn the contraband into cash.

    *Focussed on NPI and trade secrets. Could be that digital entertainment could serve a social purpose, but that would require more twists in my already contorted argument.
    ** I hate this unfashionable term so much, I am compelled to use it.

    Tuesday, January 9, 2007

    Now That's What I Call Fraud By Impersonation! COED EDITION!

    NY Post story on mysterious fraudster coed.

    "All she took was her cat, her toothbrush and her brushes and combs - anything with DNA on it," he said.
    Man, I try to keep my DNA away from my cat.

    From the Chronicle of Higher Ed's news blog.

    (photo courtesy Fritz & Julie Beth )

    Provably Private?

    From the Guardian, I read this curious article on privacy and contextual
    "Linear temporal logic," eh? I wish I could groove to what that means. So I read Wikipedia, then I started researching the folks mentioned in the article, finding the paper mentioned in the Guardian article: Privacy and Contextual Integrity: Framework and Applications.

    Two things I liked, from what I've been able to digest so far (but I'm a lover, not a logician, so I am likely indigesting as well).

    "Unlike a number of prominent normative accounts of privacy, the approach taken here rejects the idea that a simple dichotomy-usually between public and private (sensitive, intimate) information-is sufficient for adjudicating privacy claims. Instead, there is potentially an indefinite variety of types of information that could feature in the informational norms of a given context."

    That sounds right to me, but I'm going to have to read more to make sure I fully understand if the words mean what I think. I also really like the idea of time as a factor to enter into the privacy question.
    I also found figure 4 irresistible and disturbing:
    Irresistible? Because I like the idea of the fistful of regulations and laws boiled down to a set of numbers, letters, (and especially) symbols.

    Disturbing? Because it looks too much like compliance. Wrestling the GLB down to a series of equations is noble and mostly cool. However, if it falls into the wrong hands, it could launch a raft of ill-advised applications that get the auditor's seal of approval, are "provably compliant" and yet don't do much in the way of privacy. (This is a knee-jerk reaction.)

    The paper covers the US privacy law hit parade (COPA, HIPAA, GLBA), but wait! What about everybody's favorite - SB 1386?

    "Finally, our current language faces a limitation common to many policy languages. Consider SB 1386, a California law requiring businesses that inappropriately disclose personal information to notify the subjects of the information. This provision cannot be expressed properly in the language because it takes effect only when an agent violates norms. In our model, agents never violate norms and thus would never be required to notify individuals. However, such notifications are common in California. To express such “defense in depth” provisions, we plan to extend our model to account for agents who occasionally (perhaps unintentionally) violate the norms. We expect this to require modifications to the current logic."


    Monday, January 8, 2007

    Grackles in a Pancake Mine!

    This morning, city officials decided to shut down a significant portion of Austin's central business district due to the discovery of a covey of dead birds.

    Meanwhile, Gotham panics when confronted with a strange pancake smell.

    I'm not going to second guess the response to the pile of avian rats on Congress Ave. Nor will I try to determine which eldritch spell summoned from the Permian Basin was used to extinguish these fowl lives.

    I will however, try to figure out under what circumstances a bunch of
    dead birds would require the closing of a central business district.
    What sort of risk assessment process went on here?

    1. PANDEMIC! O.k., the birds may have had a virulent version of avian
    cedar fever. Some of the carcasses have been sent to our Aggie brethren
    to be tested for bird flu. We'll get the results in a week or so. Then
    we will close Congress Ave. again? If the folks in the hazmat outfits
    scooped up the carcasses, pureed them, placed them in 3 oz bottles and placed them in one quart zip top bags, what is the risk?

    2. NERVE GAS ATTACK! Then these truly were the grackles in the
    coalmine, who gave their lives for us. Only the bad guys released the
    gas at 3:00 am on a Monday morning. He should at least wait until the
    Lege is in session, so as to terminate some Bees as well as birds.

    3. A DISTURBING MESSAGE IS BEING SENT! - Homeland Security necromancers
    find an ancient passage in the code of federal regulations that speaks
    ominously of the scents of phantom flapjacks aligning with the mass
    suicide of capital city trash birds. Maple Alert!

    4. JUST ANOTHER GRACKLE MUNDY - My just-don't-have-to-work day.

    5. YUPPIE TERROR - Rich fella or fellette from out-of-state, encountering the foul stench of grackle fecal splatter, sets out a Williams-Sonoma bowl of hand-tooled Vermont pigeon poison. Problem solved. (A real Austinite, or any grad of University of Texas would use a shotgun, just like the pros.)

    So what did we learn? I'll have to think on that some more.

    photo courtesy of Ikayama

    Friday, January 5, 2007

    Hostage as Asset

    Reading Two Wheels Through Terror by Glen Heggstad.
    A cracking adventure story of
    the author's attempt to ride his KLR 650 from his home in Palm Springs
    to Tierra Del Fuego and back. I'm not yet finished, but have completed
    the chapters that relate his trip from Bogota to Medellin with a side excursion through the countryside courtesy the Ejercito Liberacion
    Nacional, a notorious and merciless Colombian guerilla outfit.

    Heggstad has to make some tough risk assessment decisions during the
    course of the ordeal. Maybe there's a lesson here, maybe not.

    The Risk of Riding from Bogota to Medellin
    Heggstad mentions his inability to get any reliable information on the
    condition of the roads despite talking to locals and reading the papers.
    He saddles up his Kawasaki, and presses on. After the pavement ends, he
    is pulled over at an ELN roadblock and taken hostage.
    The risk issue? Heggstad, by nature of the fact he's riding a
    motorcycle through Colombia, has a healthy appetite for risk. These
    risks he largely mitigates through his personal toughness, experience
    and cunning. He is aware that he is riding into an area of high
    frequency, high impact risk. So he gets pulled over by a couple dozen
    men dressed in black carrying rifles.
    Hostage as Asset
    The more interesting dynamic is between hostage-takers and hostage. As a hostage taker, the hostage is your primary asset. It decreases in worth if damaged beyond repair, or if destroyed. At the same time, the hostage is your principal threat actor. Hostages will make every effort to escape your control.
    As a hostage, your primary asset is the same as your adversary's - your own health and well-being. However, you are primarily focussed on changing your situation, i.e., no longer being a hostage. Heggstad attempts to escape, gain information, and persevere until the opportunity arises for his escape. However, it isn't until he realizes that the primary asset the ELN is willing to protect is in his control that he sabotages his own health and effects his deliverance from his captors.

    There's a privacy corollary here somewhere, where corporations, information brokers, and credit bureaus are information kidnappers, and your personal information is the hostage. You are the asset, and the healthier you are the happier the kidnappers. These institutions are not always working in your best interest. However, there isn't the "sticking a key in your nose until you bleed and enter a hunger strike and you get a mule ride to the Red Cross" sort of way out for the private individual.

    I probably need to think on this more.

    Wednesday, January 3, 2007

    The Lost Wallet vs. The Mugging

    According to the new round of disclosure laws that sprouted up out of state houses in the past couple years, if an outfit loses your data, they ought to let you know. The notice is familiar to just about anyone who either attended an institution of higher education, applied for credit or was issued a Social Security card.

    "Dude -
    We lost your information in a way we may or may not describe to you.
    The Man"

    The Dude reads the letter, cusses, and hopes for the best.
    Of course this doesn't work in the real world. Consider the alternative:
    Dude loans his ATM card to his buddy to grab a sixer and pack of butts at the Sunshine Mart. Bud comes back without card nor highly taxable products. The Dude has some key risk assessment questions to ask, primarily, "Did you lose it, or were you mugged?"

    This question is key, and when extrapolated to the Man's letter, exposes why disclosure laws generally suck in protecting the Dude. The Man isn't required to fess up as to the how and who of the incident, so the Dude can't make an informed decision. Does he call up the bank, cancel the card, bum butts and distill moonshine until the bank gets it all figured out? Or does he ask Bud to go crawl back into the Chevette and dig around between the seats?

    SB1386 and its cousins don't require the Man to give the Dude enough information to make an informed decision. There's a difference between privacy and compliance. Compliance can really suck.

    Initial Post

    The initial post for this blog. A place where I plan on documenting my thoughts on privacy, security, and the world in general.