Wednesday, October 6, 2010

The Professional

An interesting narrative, trapped unfortunately behind a paywall, comes from the Chronicle of Higher Education: "Chapel Hill Researcher Fights Demotion After Security Breach"

A cancer researcher's database potentially gets pwned (two years from incident to discovery), spurring the usual breach notification process.  Her bosses cut the researcher's pay and reduced her status from full professor to associate.  The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted to her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.
"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."
I believe that there is another option.  Some folks in charge of security are not liars, but are incompetent.  And, yes, it is hard to tell them apart.

If it was money that was stolen, and someone said "I have no way of telling if the books were correct.  I trusted the accountant.  He was an experienced bank teller," what would the response be?  Why didn't you hire a forkin' CPA?  CPAs have professional knowledge and ethical obligations, and if they fail to meet them, you can have their license pulled.

Not so with security folks.  Why is it acceptable for others to manhandle your personal, private data more cavalierly than your accounting records?

I'm tempted to start my rant on certification, pseudo-science and "computer forensic professionals," but I'll save it for the next post.


Wednesday, February 24, 2010

Live Twice


Chandler at the New School made me collect, collate and sort my thoughts on the whole recall issue.  Although what follows is more like bend, fold and mutilate.

The greatest risk Toyotas pose to me is that I get drowsy rolling down the highway with nothing more interesting to divert me than a continual rivulet of pale metallic four-door boredom.
Not incongruent to their exterior aesthetics, my personal reaction to the Toyotathon of Death falls in two barrels.
  1. Risk of correctly engineered and manufactured product v. risk of incorrectly engineered and faulty product.   A base assumption in driving a recently produced auto is that, not only will it advance the spark automatically and not require a crank to start, but also that the accelerator will not get stuck open.   If Toyota had labeled one of their transportation appliances with the label “May very rarely yet randomly accelerate,” prudent drivers would familiarize themselves with the emergency stopping procedures.   However, Toyota did not disclose this information until much later, so the information was not available for calculation into a driving risk scenario.  Drivers were operating under a “Toyota quality” assumption.   Would the driver of a Trabant exercise the same risk equation as a Prius or Highlander driver?
  2. The Mediation of the Road.  The current Toyota passenger car philosophy appears to be a closer cousin to Kitchen Aid than TF109.  This transportation appliance paradigm isolates the user (no longer a driver) from the grit, grime and smells of the road, substituting an ego-coddling display of eco-righteousness and pretty maps.  How could the impolite fangs of risk-driven adrenaline ever intrude into the quiet gentle rocking motions of hybrid power in a sarcophagus of LED-illuminated soft plastics? The white-knuckling pilot of the beater Pinto or the hyper-vigilant motorcyclist knows no such peace. They know the road is a dangerous place, and that they are engaged in high-risk behavior.  Unintended acceleration is one of myriad annihilation scenarios coursing ten thousand times a second through their oxygen-deprived neurons.  Driving for them is like conducting transactions on the internet.
Tangentially, yet incongruously, I once had a notion (but with a bit of backing...) that the ultimate design for a website used to conduct high dollar Internet transactions would be modeled after a mid-90s "adult" entertainment website – HTTP Auth pop-up, sloppy HotDog generated HTML, broken icon indicating missing plug-ins, probably registered at .biz, .info, .ru or .cx.  The customers would perceive the risk and exercise due caution, such as verifying the SSL certificate, maybe out-of-band telephone call to the institution, and routine changes of password for every session.  The site could be state of the art secure (y’know, SSL + firewall ), but the appearance of danger and perception of risk would make it Yet Still Even More So.   Of course, the crappiness would have to have a periodic refresh just to keep the users’ adrenaline up.




Toyota photo courtesy Wikimedia Commons.

Wednesday, November 12, 2008

Fiction

From Ed Park's Personal Days:


"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket."

Thursday, January 24, 2008

I got some groceries, some peanut butter


From the maddeningly brilliant book on the Naples System, Gomorrah, a description of security during the Secondigliano War between the Spanish and Di Lauro clans:

I would ride my Vespa through this pall of tension. In Secondigliano I'd be frisked at least ten times a day. If I'd had so much as a Swiss Army knife on me, they would have made me swallow it. First the police would stop me, then the carabinieri, sometimes the financial police as well, and then the Di Lauro and Spanish sentinels. All with the same simple authority, the same mechanical gestures and identical phrases. The law enforcement officers would look at my driver's license, then search me, while the sentinels would search me first, then ask lots of questions, listening for the slightest accent, scanning for lies. During the heat of the conflict the sentinels searched everyone, poked their heads into every car, cataloging your face, checking if you were armed. The motorini would arrive first, piercing your very soul, then the motorcycles, and finally the cars on your tail.
I was struck by the difference in approaches to the basic "airport security problem" between those who were obliged to obey the rule of law, and those who knew an error in their judgment would likely mean their own death.

Photo of the arrest of Cosimo Di Lauro from La Repubblica.

Wednesday, July 4, 2007

The Easy No


From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born out of fear and a poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary and unreasonable, but it is a means to the safety only a well-covered ass provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this are often how security policies end up being implemented, and they are difficult to purge once they become corporate folklore.

The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.

Wednesday, June 27, 2007

Dog of War or McGriff the Crime Dog?


So, soldier or cop? War or Crime? Or both?

I ask this question of myself after reading (and enjoying) Michael C. W. Research's recent posts on security framed in the context of Clausewitz. Thinking it through, though, I began to wonder if war is the context in which information security should frame itself. After all, as an info security practitioner, you are denied both first strike and retaliation with like force. Hampered by a bureaucracy, limited by budget and laden with metrics of questionable value, you perform awareness and outreach to a resistant, often resentful community that harbors potential adversaries. When the adversary attacks, your response is defensive, forensic, and heavily regulated. On initial analysis, it sounds more like a cop than a soldier.

Like Mr. Peterson, I recently finished reading Robb's Brave New War. Robb describes the decline of wars between states or their proxies and the rise of the global guerrilla. The global guerrilla uses system disruption and open source warfare to break down the brittle security systems of organized and highly interdependent states. Mobile and rapidly adapting to changing tactics, this adversary is usually hidden in the state it is trying to hollow out, cooperating with or participating in transnational organized crime. Now that threat sounds more familiar; Robb describes the phishing marketplace as an example of open source warfare.

Is War now Crime? Is the infosec defense model Clear Hold Build or Broken Windows?

Tuesday, June 12, 2007

Vulnerability v. Threat

Jeremiah Grossman's analysis of the MSNBC stock contest cheat.

It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I'm not sure why though.

Monday, June 11, 2007

The Italian Job


An oddball kidnapping heist documented at MCN and Roadracing World illustrates the danger of the insider beyond the pilfered laptop or unexpired system credentials.

Apparently the Alto Evolution World Superbike team "reduced the responsibilities" of Sergio Bertocchi, their erstwhile manager, after the race at Monza a while back.

On the way back to Italy from the most recent race at Silverstone, UK, the Alto truck gets hijacked at a border crossing. According to the Alto Evolution press release:

The driver was kidnapped for more than six hours and the truck diverted. The driver was able to escape in Bruxelles - Belgium, where he alerted the police and confirmed the names of the people of the gang which had kidnapped him and stolen the truck. Amongst the members of the gang have been recognised four people: one of them was Mr. Sergio Bertocchi.
Policemen from Belgium have immediately started investigations and, at the same time, Carabinieri in Italy have been alerted. Investigations have gone on strenuously and with utmost secrecy. On the 6th a van of ours was sent to Trieste to recover other spare parts and accessories still in Trieste's warehouse. On the way back, in the first rest/service area out of Trieste, the same criminals have stolen the van and its content. Unluckily for them, following a great effort of electronic interception and lots of tailing, law-enforcement personnel has had the opportunity to see the criminals in action in first person. Carabinieri have been on the van's tail for a couple of hours and at last they have recovered the vehicle and its content and put them under sequestration.

Meanwhile the subject liable for theft have been blocked.
On Friday the 8th Carabinieri have given us communication that the truck has been found and is now in a safe place in Trieste, again judges have disposed sequestration of the goods.

Although it reads as if they got Alto's rider Muggas to do the translating directly from Italian to Tweed Headsian blindfolded, at first blush it appears to be a story of justice served. The former manager plays the archetypal role of the disgruntled employee who turns against his employer by hacking, vandalizing, stealing office supplies, truck hijacking and/or kidnapping. His fiendish plot is foiled due to surveillance and electronic tracking. Chalk one up to the gallant carabinieri and their high-tech tracking equipment!

An interesting question regarding identity, though. Did former manager Sergio use his identity to gain confidence and access to the truck? That seems an enormously boneheaded maneuver for a hijacker. I've got issues trying to correlate the motivation of the attacker with his techniques.

Maybe it was just a denial of service attack. Check that word "sequestration" in the above quote, on which the Alto Evolution team elaborates:
This, and only this, is the reason for which we will not be able to participate in the race in Misano on the 17th of June.
Not too difficult to imagine Sergio in his Italian jail cell rubbing his hands together, mumbling about how they'll never race in Misano... never in Misano...

Thursday, May 17, 2007

Motoprox


Yesterday I was barreling down the concrete slab choked with tractor-trailers and nitro-burning funny trucks laden with oily 2x4s and spent joint compound jugs, engaging my left brain in random problem solving ("Resolved: The world is as random as it is not.") and engaging my right wrist in focused throttle control on my Triumph Bonneville. I hate that road, a stretch of oversubscribed interstate, and I was on it at an unfamiliar time (around 3:00 pm) and unfamiliar with how the traffic would be flowing. The part of the brain that controls motorcycle function became increasingly engaged.

Fortunately, it didn't come out of nowhere: some set of clues were processed so I was pretty sure the black sedan was going to dart into the part of highway I was occupying. I braked as much as I could, as the pickup behind was riding my exhaust, and I moved as far to the left of the lane as I could. Just as his door was nearing my knee, the driver of the sedan spotted me, and made a panic swerve back to his lane. No harm, no foul, just a cortex soaked in adrenaline. People pay good money for that.

Which led me to my thought. Do near misses count?

The UK Civil Aviation Authority's Airprox Board thinks so. They are dealing with potential accidents, however, with a not unreasonable assumption that neither party wishes a collision. There is no attacker, so it is easier to get both sides of the story, and a clearer, truer account of the incident, and quality information to improve the process. In a security incident, you will rarely get the other side of the story, so the account is skewed to what the defender has observed and the attacker has failed to hide.

The Risk Management and Decision Process Center at the Wharton School has this brief description of its Near Miss Management study.

It may be nothing useful, but I'm wondering how "near miss" security incidents are handled. How are the elements of "luck" and "skill" (i.e., controls, response, etc.) allocated? Since the bullet was dodged, is there an increase in comfort in the level of security, even though it may have just been luck, or the actions of the attacker, that made it a "miss"?

I don't know, but I've been hyperaware of traffic lately, and my head is encased in Shoei and my body in Tourmaster. (And for more on motorisks, see Chandler's post from last September.)


Hot Honda on Duck action courtesy PhillC.

Tuesday, May 8, 2007

SSNS ON THE LOOSE! (Legacy Edition)


I'm trying to understand the newsworthiness of the latest episode of "SSNS On The L0OzE. OMG!!1!!"

Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for 'em. Contractor looks for 'em. Then they find 'em, in the wrong slot. A problem as old as the mainframe.

My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn't state the format of the tapes, but I'm guessing it's EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his "legacy" villainy.)

Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: "If In Doubt ASK.")

What is the solution proposed by the contractor?

The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said.
I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.



Diamonds Are Forever image courtesy Xeni.

Thursday, April 26, 2007

Go Ask Alec Baldwin


SSL apostate Ian G. refers to an article on estimation of loss due to a privacy breach.

I think we are measuring the wrong thing, and operating on these assumptions is dangerous.

From the article, a Forrester analyst says:


"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number."
The $90-$305 range smacks of too much precision and not enough accuracy. Only software project managers can get away with ranges like that. These numbers are more harmful than worthwhile. Most of these factors are not driven by record count (legal fees, stock plummets or lost productivity). Record-specific costs are generally lower (call center and postage, and if you lose enough records, you don't even have to mail notices). So let's just call it BTUs per furlong and call it a day. And I don't think "customer losses" is as important in assessing the risk as "losses to customer."

The next Forrester quote underlines the problem I have with the general corporate thinking about privacy breaches:
"Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."
The reason you could get away with just fixing it and moving on was that the company didn't lose anything it owned. What it lost was owned by its customers. Losing one bit of highly sensitive data about one litigious customer could cause more damage than a dozen laptops filled with the SSNs of 10 million people.

It's the "loss to the customer" that will drive your high dollar PR and legal efforts, which have scale, and can dwarf your call center and postage costs in an afternoon.

I'd like to take the data, rehash it according to type of breach, sensitivity of data and litigiousness of customer. Then I think you'd start on the road to a meaningful metric.

Tuesday, March 6, 2007

It's the Crime, Not the Tool


Tim Wilson at Dark Reading on IT Security: The New Big Brother:

"To identify potential insider threats, IT must monitor end users' behavior by scanning email, tracking network activity, and even watching employees for "trigger" events that might cause disgruntlement. Right now, I'm working on a story about ways corporations might monitor their employees outside the workplace to determine whether their out-of-office conduct might cause data leaks."
This is how the TSA dealt with the "insider threat" (i.e., passengers) on airplanes. Like the TSA, Mr. Wilson's focus appears to be on the tools that commit the crime (box cutters, e-mail, 3 oz. containers of fluid, USB drives) rather than the crime itself. Schneier has harped on this non-stop since 9/11. The proposed regime of surveillance will result in myriad false positives and employees as happy as your average passenger who has to remove his shoes and toss his shampoo and nail clippers into the trash at the security checkpoint.

In addition, what qualifies your IT Security department to be skilled in identifying what is legitimate and what is suspicious? How many eyes does the CEO want looking at legitimate confidential traffic? This filtering and monitoring scheme seems to be increasing risk of exposure rather than decreasing it.

Part of the solution does not involve any IT at all. Supervisors supervise. Their job is to monitor employee activities. Managers should ensure this happens.

Another part is development of an ethical culture within the corporation, where people have a channel to report if someone is acting "hinky." Internal and external auditors and ethics officers play an important role in an ethical environment. All the monitoring software in the world couldn't have prevented Enron, but an internal auditor put a stop to it.

Monday, March 5, 2007

Privacy and Security Lessons from Criminal Enterprises: The Corner & PCI


Either you have heard the stories, or encountered first hand the difficulty in convincing an organization's leaders to take adequate precautions to ensure the privacy of identity-related data, and maintain the integrity, confidentiality and availability of their information assets. Privacy and security have to be marketed to management since privacy and security are "non-functional" without a "ROI." As a last-ditch effort, privacy and security can be pitched as a compliance effort; these activities must be performed to satisfy the requirements of an independent, potentially hostile third party.

Nonetheless, criminal organizations, which by definition care not one whit about compliance, and have a vigorous appreciation of the bottom line, focus significant efforts on the privacy of personal data and the security of transactions and communications. For example, the following story of touts, runners, ground stashes* and the electronic processing of credit cards.

The typical drug transaction occurs thusly:

  • Junkie finds slinger. Junkie's selection may be based on the Slinger's reputation, effectiveness of the Touts, past business practices or location.
  • Slinger takes order, collects cash from Junkie.
  • Slinger signals the order to a Runner.
  • Runner distributes product to Junkie, either from minimum amount on person, or collected from ground stash.
  • Junkie moves on to consume product.
So the slinger is the payment processor, and the merchant is the runner. Both will be held accountable for inventory, and separation of duties not only minimizes the compliance risk (i.e., being observed by law enforcement), but also provides an accounting control. The corner boy who put out the package knows that even if the slinger and the runner collude, the collusion will result in a wrong count at the end of the day.

So what part of this transaction is so hard for folks like TJX to understand? A couple items to consider:
  • Although the merchant may mitigate risk by gaining distance from the transaction (Verified by Visa, PayPal), the merchant is more interested in the customers than the Slinger is in the Junkies. The merchant and the processor want to keep all that secondary data and compile it, and convert it into cash. The Slinger wants only not to get burned by a counterfeit bill.
  • No one is responsible for the "count" on credit card transactions. Unlike the corner, the matching of goods, customer and payment is out of order in electronic commerce, with each party shirking responsibility for the transaction.
  • Each has to deal with impostors, though. The seller of baking soda is the "phisher" of the drug trade.

Next, yelling "5-0" as an intrusion detection mechanism.


*Taken largely from Simon & Burns' terrific book The Corner, or most episodes of Simon's The Wire.

Sunday, February 18, 2007

No Ethics, No Guild, No Credibility


An article in the hometown press on our great state's efforts to protect its citizens from crooked locksmiths and security guards with misdemeanors.

Like many state licensing agencies, such as those watching over doctors, electricians and architects, the Private Security Bureau checks the criminal backgrounds of applicants. But unlike virtually every other such agency, the bureau doesn't then evaluate whether applicants' past behavior has any relevance to their current work, how long ago the crime occurred or whether they have tried to rehabilitate themselves. Instead, applicants with a record sullied by most crimes above a traffic ticket are automatically rejected.

The result: Locksmiths and other professions regulated by the Private Security Bureau must have cleaner legal backgrounds than child care workers.

I also thought about the numerous unlicensed, unmonitored quasi-professionals that serve the security of consumers, businesses and government in the electronic rather than physical realm. Configuring a server, or setting up a home PC may grant access as lucrative as whatever a locksmith or security guard may obtain. Who configured the server for the accounting firm who does your taxes? Is the guy from Geek Squad who just serviced your computer a part-time carder? (I tried to see if there are any ethical or background requirements to become a member of the Geek Squad, but my mind boggled at their Ranks and Titles page. It's the Masons meets Homeland Security. I'd wager their pee is clear of non-approved substances, though.)

I'm not calling on the State of Texas to regulate this issue, but ethics and compliance with ethics doesn't seem a priority for the ISC2 and the CISSP designation, a point made eloquently elsewhere. I have more thoughts on how the CISSP could be salvaged, but I'll make them later.

photo by Monceau

Friday, February 16, 2007

Too important to be left to the generals


Interesting discussion on the secret language of security.

Which dovetails nicely into a panel discussion I saw yesterday. An assortment of CSOs and a Forrester analyst discussed the future of security. Essentially all the tech stuff is being outsourced, and the head of security is being molded into a Risk Officer. I can infer from this that the tech stuff (firewalls, antivirus, and the three-letter acronyms) can scale. But the risk cannot. Risk is the corporation's own, to be honed, polished and cherished like a treasured logo that no one can quite figure out the meaning of. Risk is the new black, a point made elsewhere, and with more vigor.

One of the CSOs also mentioned that privacy will be shoved aside as a compliance thing, over with the lawyers. I stifled my desire to spring up and shout "HERESY!" for fear that it would awake my CEU seeking comrades from their deep and well deserved slumber.


Wednesday, January 24, 2007

There is no physical access control.

I was thinking about the difficulty of accurately testing physical controls and identity today. People let people into areas based on a system of signals that indicate they are safe/authorized: badge, biometric (face, voice), dress (uniform, hard hat, clipboard). Gradations in each of these attributes build to the decision to grant access. I was also thinking about how lousily this system works. Every security consultant brags about how they can get into any building by just looking like they belong there. But how hard can it be?

For example, this disturbing story about a 29-year-old sex offender who enrolled in middle school. Horrific, insane, and befuddling. He shows up with a fake birth certificate and some seriously perverted "grandpa" and he's in. So long as he does his homework and shows up for class.

I give up. There is no physical access control. I refuse to believe in it anymore.

Friday, January 5, 2007

Hostage as Asset


Reading Two Wheels Through Terror by Glen Heggstad. A cracking adventure story of the author's attempt to ride his KLR 650 from his home in Palm Springs to Tierra Del Fuego and back. I'm not yet finished, but have completed the chapters that relate his trip from Bogota to Medellin with a side excursion through the countryside courtesy of the Ejercito Liberacion Nacional, a notorious and merciless Colombian guerilla outfit.

Heggstad has to make some tough risk assessment decisions during the course of the ordeal. Maybe there's a lesson here, maybe not.

The Risk of Riding from Bogota to Medellin
Heggstad mentions his inability to get any reliable information on the condition of the roads despite talking to locals and reading the papers. He saddles up his Kawasaki and presses on. After the pavement ends, he is pulled over at an ELN roadblock and taken hostage.
The risk issue? Heggstad, by the nature of the fact that he's riding a motorcycle through Colombia, has a healthy appetite for risk. These risks he largely mitigates through his personal toughness, experience and cunning. He is aware that he is riding into an area of high-frequency, high-impact risk. So he gets pulled over by a couple dozen men dressed in black carrying rifles.
Hostage as Asset
The more interesting dynamic is between hostage-takers and hostage. As a hostage taker, the hostage is your primary asset. It decreases in worth if damaged beyond repair, or if destroyed. At the same time, the hostage is your principal threat actor. Hostages will make every effort to escape your control.
As a hostage, your primary asset is the same as your adversary's: your own health and well-being. However, you are primarily focused on changing your situation, i.e., no longer being a hostage. Heggstad attempts to escape, gain information, and persevere until the opportunity arises for his escape. It isn't until he realizes that the primary asset the ELN is willing to protect is under his own control that he finds his way out: he sabotages his own health and effects his deliverance from his captors.

There's a privacy corollary here somewhere, where corporations, information brokers, and credit bureaus are information kidnappers, and your personal information is the hostage. You are the asset, and the healthier you are the happier the kidnappers. These institutions are not always working in your best interest. However, there isn't the "stick a key in your nose until you bleed, go on a hunger strike, and get a mule ride to the Red Cross" sort of way out for the private individual.

I probably need to think on this more.

Wednesday, January 3, 2007

Initial Post

The initial post for this blog. A place where I plan on documenting my thoughts on privacy, security, and the world in general.