Wednesday, February 28, 2007

Privacy & Security Sing-a-long: Monster Hospital

(Medical privacy sing-a-long with Metric)

Monster hospital, can you please release me?
You hold my hands down, I've been bad.
You hold my arms down, I've been bad.
I've been bad, I've been bad.

I fought the war but the war won't stop for the love of god.
I fought the war but the war won

(Watch the video)

Monday, February 26, 2007

Impacted Molars: Misguided Ninja Dudes and PCI Awareness

Dark Reading continues its obsession with physical security:
Network dude rassels potential bad guy, followed by a stern warning on what a scary world it is out there, cause physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I wouldn't going to hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.

The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice run down of all the parties involved. His characterization of the consumer is incomplete:

The consumers' concern for nuance extends only to the following extent: "I see a sturdy live oak right over yonder. Let's get us a rope and hang him."
The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.

Photo from Henrier.

Sunday, February 25, 2007

Everyday Privacy and Security: The Drug Store

After a conversation with a friend, I thought I'd cite some examples of how privacy and security impact day-to-day life. Here's the first in the series; though I admit, dissecting the CMEA would take more effort than I have time to fully understand. My ear is still ringing and Battlestar is on in 20 minutes.

The scenario:
Last week I went to see the doctor about my tendinitis and a persistent ringing in my right ear. I rarely go to the doctor, so you must take my word that these were annoying, persistent and painful condititions, resulting in grouchiness, restlessness, nonsensicalitude and Irritable Spouse Syndrome (ISS). I was processed through the HMO machine like a burger at Jack in the Box, with a shot of cortisone in my arm and an Rx for some OTC pseudo-ephedrine.

At Walgreens, I scan the aisles for Sudafed, a rare purchase since I'm not normally an allergy sufferer. I pick up a card for the store-branded Wal-Phed and head over to the pharmacy. The pharmacist asked for my drivers license. I show it to her, figuring it was an age requirement. She asks me to take it out of my wallet. I hand it to her, and she types my information into the cash register. She asks me to sign what looks like a receipt. What for? I'm paying cash. It's the law. It's for the Wal-Phed. So I pay her the $3.50 or so, grab the receipt, my license and leave.

What Just Happened Here:
An ingredient in the Wal-Phed is used to manufacture bathtub methamphetamines (speed/crank). To stem this scourge, the Combat Methamphetamine Epidemic Act (CMEA: part of the USA PATRIOT Act Reauthorization of 2005) placed additional controls on retail sale of ephedrine, pseudoephedrine, and phenylpropanolamine.
Consumers have to show ID and be tracked by retailers so they get just enough to take care of their stuffy nose, but not enough to start up a meth lab. The retailers have to protect the privacy of their congested customers according to the law, thusly:

C) PRIVACY PROTECTIONS.—In order to protect the privacy of individuals who purchase scheduled listed chemical products, the Attorney General shall by regulation establish restrictions on disclosure of information in logbooks under subparagraph (A)(iii). Such regulations shall— ‘‘(i) provide for the disclosure of the information as appropriate to the Attorney General and to State and local law enforcement agencies; and ‘‘(ii) prohibit accessing, using, or sharing information in the logbooks for any purpose other than to ensure compliance with this title or to facilitate a product recall to protect public health and safety.

The Data the Walgreens Now Has On Me:
Well, my name and my Texas Drivers License information (DOB, address, glasses wearer, motorcycle rider). According to the DEA website, I could also show my passport, or, if I were under 18, my report card. They also know that I bought Wal-Phed and paid cash.

What About the Data Now?
Good question. The CMEA states that the retailer has to keep it for 2 years. There is also a raft of conflicting state laws, some requiring the logbooks to be kept electronically. The retailers' association raises concerns regarding HIPAA, tracking consumer behavior (e.g., can Walgreens send me a coupon for Wal-Phed now?) and real-time tracking versus logbook maintenance. Ever since it went behind the counter, pseudoephedrine sales have decreased, so does it really matter anymore?

Everyday Privacy For Me?
Walgreens knows I ride a motorcycle because my ear rings.
This data for a cash transaction will be maintained for two years.
It may or may not be subject to any privacy rules, depending on when/if the DEA writes the regulation.
I may have no recourse if Walgreens decides to use the information in a way to which I haven't consented.
I may have no recourse if Walgreens loses, misplaces, or sells the information to unsavory third parties.

Thursday, February 22, 2007

Tuesday, February 20, 2007

With The AM Radio On

The imperial raftload of opinions on who really is the victim of credit card fraud, stemming from the Boston Globe article on the legislative reactions to the Stop and Shop Skimming Shenanigans, is centered around this quote as much as any:

"If this legislation passes, all retailers, all companies, and all
banks will know they'll be responsible for absorbing every cost
associated with a data breach."
Of course that quote doesn't make a whole lot of sense once you parse it, it just seems to be pluralizing the victims in a bizarre twist on bystanderism, i.e., if were just going to sit around and watch the crime happen, let's all be victims!

Most puzzling to me are the voices of the outraged merchants on the Slashdot thread, sounding too much like a hoodlum's fence pleading ignorance to the cops on the legal state of goods in his possession. The merchants are no doubt getting the shaft in the current credit card fraud scheme. They may not have the financial resources and high powered lobby as the banks and credit card outfits, but the merchants do have the capacity to do more to validate a transaction that to make sure the magnetic strip is functional. Are credit card transactions getting to the point were they need to be validated as vigorously as a personal check. Remember those?

I see a business opportunity here. Heck, I'm in love with the modern world and I'll be out all night.

Sunday, February 18, 2007

No Ethics, No Guild, No Credibility

An article in the hometown press on our great state's efforts to protect its citizens from crooked locksmiths and security guards with misdemeanors.

Like many state licensing agencies, such as those watching over doctors, electricians and architects, the Private Security Bureau checks the criminal backgrounds of applicants. But unlike virtually every other such agency, the bureau doesn't then evaluate whether applicants' past behavior has any relevance to their current work, how long ago the crime occurred or whether they have tried to rehabilitate themselves. Instead, applicants with a record sullied by most crimes above a traffic ticket are automatically rejected.

The result: Locksmiths and other professions regulated by the Private Security Bureau must have cleaner legal backgrounds than child care workers.

I also thought about the numerous unlicensed, unmonitored quasi-professionals that serve the security of consumers, businesses and government in the electronic rather than physical realm. Configuring a server, or setting up a home PC may grant access as lucrative as whatever a locksmith or security guard may obtain. Who configured the server for the accounting firm who does your taxes? Is the guy from Geek Squad who just serviced your computer a part-time carder? (I tried to see if there are any ethical or background requirements to become a member of the Geek Squad, but my mind boggled at their Ranks and Titles page. It's the Masons meets Homeland Security. I'd wager their pee is clear of non-approved substances, though.)

I'm not calling on the State of Texas to regulate this issue, but ethics and compliance with ethics doesn't seem a priority for the ISC2 and the CISSP designation, a point made eloquently elsewhere. I have more thoughts on how the CISSP could be salvaged, but I'll make them later.

photo by Monceau

Friday, February 16, 2007

Too important to be left to the generals

Interesting discussion on the secret language of security.

Which shovetails nicely into a panel discussion I saw yesterday. An assortment of CSOs and a Forrester analyst discussed the future of security. Essentially all the tech stuff is being outsourced, and the head of security is being molded into a Risk Officer. I can infer from this that the tech stuff (firewalls, antivirus, and the three letter acronyms) can scale. But the risk cannot. Risk is corporation's own, to be honed, polished and cherished like a treasured logo that no can quite figure out what it means. Risk is the new black, a point made elsewhere, and with more vigor.

One of the CSOs also mentioned that privacy will be shoved aside as a compliance thing, over with the lawyers. I stifled my desire to spring up and shout "HERESY!" for fear that it would awake my CEU seeking comrades from their deep and well deserved slumber.

Thursday, February 15, 2007

The Plural of Anecdote is Boring

Dark Reading has an article on identifying the insider threat, although it seems to be more focused on how to spot a bad employee. The article, which seems to be anecdote-based information from Rob Enderle and RSnake, lists the top ten warning signs that you may have a bad employee, or, as they term it, an "insider."

Sure, the insider threat may be a subset of the bad employee, but these ten warning signs don't seem to indicate anything else. The IP thief is not the same as the disgruntled vandal is not the same as the black market carder. The article conflates all these threats, and winds up with recommendations so broad as to be meaningless. For example:

  • Excessive absences
Well, this is bad employee behavior. But an employee who is about to leave is no less damaging a threat than an employee who has an ongoing scheme that requires constant maintenance. The classic anti-fraud control of requiring an employee to take vacation seems to run counter to the cited behavior. Is the dude taking extra sick days as dangerous as the dude who routinely funnels dozens of credit card numbers or SSNs to his buddy on CarderPlanet but keeps a low profile?

  • Unusual behavior / Office romance gone bad
Bad stuff, but is there really a high enough incident rate to justify it as a "red flag" for a potential bad guy? If not, this advice seems to confuse as much as clarify.

  • Employee is terminated / Employee resigns
I believe the employee would be participating in the "outsider threat" at that point.

The real meaty threats and red flags associated with them are a bit more nuanced, and have been hashed out in the fraud investigation field for years. Computer crime is just crime. Vandals are vandals. The computer security industry seems to be genuinely befuddled when encountering a threat that doesn't have a 8P8C modular connector jack.

Image from oronzo.

Tuesday, February 13, 2007

Bystanders and Heroes

From the Chronicle of Higher Ed comes this link to The Banality of Heroism. It's worth reading, as are a couple other articles that are part of the Greater Good, which I was heretofore unaware.

Some basic questions in the article (co-authored by one of the researchers behind the Stanford Prison Experiment) can be applied to the corporate realm.

This article on the bystander syndrome is also worth reading. If resistance to the bystander syndrome can be learned, it should be part of training for every auditor.

Monday, February 12, 2007

Privacy raised to level of Terrorism, Drugs

This bit from my hometown paper, written by ace real estate appraiser David Lewis, uses privacy, identity theft and terrorism to support his objection to a law requiring disclosure of the amount of real estate transactions. In some ways,

The proposed law is also dangerous. This is the era of terrorism and identity theft. Even the individual investors who make a $1 million or less on a property sale can become targets.

When these sales prices are reported, the information won't become dusty trivia hidden away in the basement of a rural courthouse. The prices will be on the Internet, easily accessible from anywhere in the world. Texans will be exposed. Should the elderly widow have her real estate wealth advertised to crooks and con artists? If we lift the veil on real estate sales prices, we will open the door of opportunity to the criminal element who will misuse this information. These incidences may be rare, but even one tragic case is too many.

According to Mr. Lewis' byline, he was a founding board member of the Harris County Appraisal District. Check out the website. I remember when they used to have sketches of the houses, they aren't there anymore. According to the website disclaimer:

Texas law prevents us from displaying residential sketches on our website. You can see the sketch or get a copy at HCAD's information center at 13013 NW Freeway.

Although hoisting his argument on the image of an elderly Texas widow being robbed of her ranch then being bombed by terrorists is naked fear mongering, there is some point to be made here. As Texas law has acknowledged, there is different level of privacy between public records available on the Internet, and public records you can only get by waltzing into an office and get face to face with a human, J. J. Gittes style.

Friday, February 9, 2007

I don't give a damn about my bad reputation

No. No. Not me.

I was meditating on reputation risk the other day, and behold, the Daily Dave belches forth the documents I sought. (I remembered something on Emergent Chaos on this topic, but hadn't dug deep enough into their archives.)
The study I remembered and cited by Adam Shostack was "Is There a Cost to Privacy Breachs? An Event Study."

The salient quote:

"[Privacy breach] impact is statistically significant and negative, although it is
Which is supported by anecdote (check out the TJX stock price).

So how do you convince your management to follow privacy principles? Appeal to the better angels of their nature? Start eavesdropping and pretexting them and see how they like it? (HP probably did as much good as the CDT, EFF or ACLU as far as advancing the privacy agenda in Congress).

I'm guessing the shift, as a result of the "privacy fatigue" and the "identity theft fatigue" should be to the high risk transactions, that expose the data's subject to verifiable risks, not just the lost computer tape or missing laptop. But I need data to support that, dagnabit. Else:

An' everyone can say what they wanna say, it never gets better anyway.

Thursday, February 8, 2007

Stupid, powerless, uneducated.

Infoworld on a session at RSA: The Cybercrime Blame Game.
Although a conference center ballroom may not be conducive to rational discourse (see: US Political Party Conventions), this discussion appears a bit over the top:

  • More people complaining about identity theft does not necessarily mean there is more identity theft. I'm sure there was a dramatic increase in complaints about anthrax without a corresponding increase in anthrax attacks. (See the corresponding stat later in the article citing an 11.5% decrease in dollar losses due to identity theft.)
  • FTC Gorman is right: Calling people stupid doesn't solve anything. I've never been a fan of Winkler's ideas nor his rhetorical method.
  • The job of an ISP is to move packets, not to sit in loco parentis for everyone with a broadband connection. (Why was this applauded? Were all the NANOG guys still in Toronto?)
  • What makes an empowered consumer is not education, but power. Give the consumer the right and responsibility to take care of their own data. Not the credit bureau, federal law enforcement, the ISPs or Wal-Mart. The consumer. Build an infrastructure around that idea. The consumer isn't stupid, he just doesn't care and when he does care, he has no standing. Maybe the empowered consumer idea is just too European.

Tuesday, February 6, 2007

Safe Internet Day

I find few concepts as boring as "Safe Internet Day." Except maybe "Is Open Source as Secure as Closed Source?" I mean good grief. If it weren't for my incredibly uncomfortable shoes digging trenches into my Achilles tendon, I would have fallen asleep just thinking about writing the above sentence.

How about a pretty chart and a map with like scans and stuff on it?

Still pretty boring.

To hold off the stultification, I've decided to rename the blog. Also, there are other blogs out there about being alone, or cheese, or being alone with cheese, that I feel would dilute my burgeoning brand. And maybe not everyone gets the Omar reference.

So the new name will be:

"Another Set of Teeth" - from "Teeth" by the Mekons

What, no, not another set of teeth
each crisis bites, but not so deep.
What, no, not another set of teeth
And through the shadows we always creep.
I think "through the shadows we always creep" is part of the CISSP Code of Ethics, but I'd have to look it up.

Monday, February 5, 2007

Testing the User or Phunk'd

The Harvard/MIT study of Bank of America's web site security, including SiteKey system and SSL certificate verification (see New York Times and Slashdot), tackles the problem of real users using real websites to see how they respond to the authentication protocols. The security, for the most part, failed the users, with the researchers citing difficulties in testing the usability of these controls.

Slashdot comments, as expected, complain about the intractability of the Trainables in their charge, diminishing the argument to "Users == Lusers."

I couldn't find a fleshy threat model in the study's methodology. The subjects (recruited from Harvard Yard) were asked to log on to the bank's legitimate website on a university computer under the guise of testing usability. Meanwhile, the researchers played pranks on their browsers, causing it to display incorrect information regarding SiteKey and SSL certificates. It seems to me that the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack. My understanding of published incidents is that phishing generally originates with a convincingly deceptive e-mail containing a link to a phony banking site, or through a keystroke logger. A more interesting question for me would be "Would the users pay more attention to the security clues if they were following an e-mail link?" The common credential collection trojan appears to be outside the scope of the research.

Since Harvard students should probably pride themselves on not being representative of the populace as a whole, I can't see that there's a tremendous amount that can be taken from this research. The approach seems more like an episode of "Punk'd" (even though I've never watched it) or "Candid Camera" (which I have) or the Jim Coyle/Mel Sharpe stuff (which I love, but no link! I'm shocked!). Is there a difference between a drawing a valid audit (or research) conclusion and just giving a Muntz-esque "Ha Ha" followed by a "Stop hitting yourself"?