QOTD - Pescatore on Politicians & Technology

Very rarely do good things happen when technologists try to make public policy *or* when politicians try to dictate technology. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 11 Issue 60

Dr.InfoSec assists with Fayetteville Public Schools ID Theft case

As an information security professional, I always look for ways to assist others with the security and privacy of the data entrusted to them. This post is about exercising such an opportunity and, in a small way, helping make a difference.

On July 29th, as I was following up on a story that flashed across my Twitter stream about 30 certified employees of a school district finding themselves victims of ID theft, I found something that should not have been there.

While looking for more information about the school district, I used a targeted Google search; it was a simple one, looking for pages containing the word 'certified.' While there were many search results, one in particular caught my eye: an Excel spreadsheet that appeared to contain Personally Identifiable Information (PII) including names, addresses, phone numbers, and social security numbers. Worse, it had been indexed by a major search engine, which meant that its contents had been cached for easier viewing, even after the file was removed.

I placed a call to the school district right away and left a voicemail for the CIO. Within 20 minutes someone from the office had called me back. I shared with them what I had found and advised on short-term steps they should take to mitigate the problem.

While it may be tempting to lay blame for failing to properly safeguard sensitive data, this is not the purpose of this blog post. Instead, I wanted to share with the information security community and students that we can make a difference, even outside of business hours. In this case, I helped the school district identify one data leak. Was that spreadsheet the one used by fraudsters? It is simply too early to tell; the investigation is ongoing.

If you see something that is out of place, or poses a potential security/privacy risk, tell someone. It could help prevent 30 more people from becoming victims of ID theft.

Link: School District's Teachers Targeted In Identity Theft Scam | 4029tv.com
Link: Fayetteville Public Schools :: Administration

QOTD - DoD's Lentz on Cyberspace

We have to think of cyberspace as a global common that touches everything we do. Securing the global common is the joint responsibility of everyone. -- Robert F. Lentz, Chief Information Assurance Officer for the U.S. Department of Defense
Src: Better ID assurance is essential for the new online world, DOD deputy secretary says | GCN

QOTD - Merrill on Security, Users, and Campus Sidewalks

Douglas Merrill, former Google VP of Engineering, said, in his opening keynote:
Let users dictate enterprise security needs.
He went on to give an analogy that I am very familiar with, that of campus sidewalks: the planners place sidewalks and grass; students create their own paths through the grass (usually the most direct route); planners have to put roadblocks (chains, planters) to keep students off the grass.

He said, "security companies will change from creating infrastructure boundaries to infrastructure resilience. If we can build security correctly, we make things easier, not harder."

Src: Former Google VP Suggests User-Based Security | The Industry Standard

So you want to be a Chief Risk Officer?

John Ericksen, Chief Operating Risk Officer at PNC, described his responsibilities as having oversight of risks stemming from: operational risk governance, data analysis, external events, strategic risk elements, information security, privacy, business resilience, and financial intelligence.

For the banking sector, John considers the CRO's responsibility to be "to forge a view of these risks that transcends the bank's individual departments to enable quick decisions based on an enterprise-wide view of exposures" and being able "to add the right nuances to the information so you can have a thoughtful conversation about it with other staff."

Ultimately, the CRO must be able to understand data:
how it's collected, its integrity, what it's being used for, its accuracy and making sure the right data management systems and technology are in place to make informed decisions based on portfolio, geographic and customer views.
Src: The New Generals - 08..2009 | Bank Technology News

QOTD - Howard Schmidt on Data & Threats

Data is now the gold, the silver and diamonds of the online world and criminals see it as a low-risk way to steal money without going anywhere near the crime scene.
But even in today's financial climate and increased threat environment, we are better placed than ever before to meet these challenges – as long as we have the resolve to strengthen and invest in security rather than reduce it. -- Prof. Howard A. Schmidt, CEO of the Information Security Forum
Src: 'Crimeware as a service' set to increase over the next two years | SC Magazine UK

QOTD on Cybersecurity Decisions

When you make cybersecurity technology decisions, you want to make them within the context of things like knowing their effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making, and understanding about business models, whether this is consistent with the business model or not. -- Cornell Computer Science Professor Fred Schneider

Src: Producing the New Cybersecurity Pro | GovInfoSecurity.com

How Twitter Wolves Look for Easy Prey

The majority of Twitter users don't mind sharing their tweets (i.e. their Twitter updates) with the rest of the world. After all, sharing one's thoughts and actions is at the core of social networks like Twitter, Facebook, and MySpace.

However, what users often don't realize is that in aggregate, their tweets paint a picture about who they really are. Take for example those who tweet about hating their jobs. Using the search feature in Twitter, it is possible to gather scores of users who have recently tweeted on their negative feelings about work. This information is useful in the hands of someone looking to make contact with an insider, usually for nefarious purposes.

Another aspect of one's public Twitter stream is whether (or in some cases how often) someone has fallen for a scam on Twitter, be it a phishing scam that they simply re-tweeted or a click-jacking attack that suddenly floods one's followers with tens or hundreds of dangerous tweets. Let's explore this item a little further.

Recently, several users fell prey to a scam promising to increase their number of followers. When they clicked on the link promising "tons of followers," users were asked for their username/password. This allowed the scammers to then use that account to spread their message onto more people.

The real danger behind such lapses in judgment (giving another site your Twitter credentials) comes from what it says about the victim. By monitoring patterns of behavior, attackers can zoom in on easy prey who appear to engage in a pattern of risky behavior by clicking dangerous links or providing sensitive information. Worse, if that person is one of your employees, attackers are likely to be able to extract usernames and passwords from the unsuspecting user again. How confident are you that an employee's Twitter password isn't also their password for work email, bank account access, etc.?

QOTD - Graham Cluley on Hackers, Tigers & Zebras

The hackers are targeting the social networks; frankly, hackers go where the users are. It's like tigers finding out where the zebras go to get their drink of water. They're going to chase after them and take advantage of them. -- Graham Cluley, Senior Technology Consultant for Sophos, speaking to SearchSecurity.com's Security Wire Weekly podcast
Src: Defeating hackers is hard (mp3 podcast) or YouTube Video (clip)

QOTD on Compliance

Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation. -- John Pironti, President of IP Architects, speaking at the ISACA International Conference in Los Angeles
The article also reports Pironti as cautioning that a single-minded focus on "security by compliance" will result in more lapses of security as adversaries shift to more effective and damaging attacks.

Src: A Policy Dialogue Platform - Promoting Better Governance | eGov monitor

Primer on Security Metrics and their Pitfalls

A great primer on the utility and pitfalls of security metrics written by Vicente Aceituno:
It is not easy to find metrics for security goals like security, trust and confidence. The main reason is that security goals are “negative deliverables”. The absence of incidents for an extended period of time leads us to think that we are safe. If you live in a town where neither you nor anyone you know has ever been robbed, you feel safe. Incidents prevented can’t be measured in the same way a positive deliverable can, like the temperature of a room.
Src: Security Metrics | Information Security Management Maturity Model Blog

QOTD on Outsourced IT Supply Chain

Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks having national security implications. The incident reports cited in this article further highlight potential risks ranging from logic bombs and self-modifying code, deliberately hidden back-doors to potentially fatal equipment failure and even foreign espionage...
As NIST advises, organizations must add “defense-in-breadth” to their strategy mix. While Defense-in-depth focuses on the operations phase of the systems development lifecycle, defense-in-breadth covers the entire lifecycle.
Src: Trust but verify: Security risks abound in the IT supply chain | GCN.com
Thanks to the CyberWarfare Forum Initiative for bringing this article to my attention.

QOTD on Risk vs Threats

Most security people don't understand risk -- they understand threats. Threats are just one input into the risk equation. Others come from operations, strategy, and marketing. -- John Pironti, President of IP Architects
Src: Security Boosted by Risk Management | ITManagement

QOTD - Gartner on Data Leaks and Pizza

Back in the day, watching the Dominos pizza delivery office closest to the White House in Washington DC was an information leakage path. Social network sites are the same thing - lots of worry in the military about loss of Operations Security because of all the tweeting and Facebook posting going on by active military and their families. -- John Pescatore, Vice President at Gartner, Inc.
Src: SANS NewsBites Vol 11 Num 53

QOTD - Honan on preparing for the breach

We have to accept that at some stage our organizations will suffer a breach. How we react and respond to the breach will make the difference as to whether stakeholders, be they customers or shareholders, will continue to view the organization. This case shows that clear, open and timely communication from senior management is valuable for rebuilding trust. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 49

Like Dominoes - The Anatomy Of The Twitter Attack

How many of our systems are interconnected with other systems that have weaker security? Remember that your ultimate level of security is that of the weakest link. This is a story about an executive, in this case the CEO of Twitter, whose Gmail account gets compromised (domino #1: password reset), which leads to leakage of corporate sensitive information that was stored with Google Docs. The intruder then covered his tracks so that the account owner would not notice (domino #2: reset password back to original by correctly guessing the CEO was using a single password for multiple accounts).

The same warning applies to bank accounts, phone records, insurance contracts, and health records. Any account with sensitive information which uses a weaker account (e.g. most webmail applications) as a backup is likely to be a target of attackers looking for fresh prey and easy access to documents.

Src: The Anatomy Of The Twitter Attack | TechCrunch.com

QOTD - Ranum on the Thrill of Hacking

Hacking systems - the thrill of the illicit, penetration, and the (slight) chance of getting caught - is a very self-reinforcing behavior. It's a paradoxical form of adrenaline addiction: the attacker is hooked on the rush, but sociopathically hides behind the safety of anonymity. It's not hard to see why a lot of hackers find it very hard to quit once they get started. -- Marcus J. Ranum, CSO Tenable Network Security Inc.
Src: SANS NewsBites Vol 11 Num 47

QOTD - Honan from bits and bytes to bullets and bombs

This case [International telecom hacker group busted] highlights the current threat posed by terrorism to computer systems worldwide. It is not to take these systems down but to raise money. The funds generated by compromising bits and bytes go to purchasing bullets and bombs. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 47

QOTD - Pescatore on Lawsuits & Executives

There is always a hope in security circles that threats such as class action lawsuits or 'downstream liability' will cause a light bulb to go off in boards of directors' heads and they will say 'Aha - information security is important, increase the budget, promote the CISO!!' In reality, when boards hear 'liability' they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. -- John Pescatore, Vice President at Gartner Inc., writing about Aetna being named in a class action data breach lawsuit.
Src: SANS Institute - SANS NewsBites Vol 11 Num 46

Information Security: The Good, The Bad and The Ugly

"Why in the hell are you bothering with testing code that is already in production?" was reportedly asked by a CIO, upon learning of newly discovered vulnerabilities in their production system.

This article, written by Kevin G. Coleman, Strategic Advisor with the Technolytics Institute, provides high-level comments on the current state of information security and its relation to cybercrime and management.

Src: Information Security: The Good, The Bad and The Ugly | TMCNet.com

When BIOS updates become malware attacks

You get the call - a computer is acting strange, malware is the likely suspect. After recording appropriate activity logs and ensuring data is safe, you proceed with the disinfection: wipe the OS and reinstall from a clean image.

If you performed the procedure above, your machine may still be infected. The reason? The malware may have rooted itself in the hardware itself, in the BIOS firmware, rather than simply residing on the drive.

This is a fascinating and developing area of active research (both by hackers and security researchers such as those at Core Security) and a story that all information security professionals should be aware of.

Next time a machine is acting strange, wipe the OS and reinstall, but only after you have also flashed the BIOS.

Src: When BIOS updates become malware attacks | SearchSecurity.com

It's the compiler's fault - how good source code becomes a vulnerable implementation

As a faculty member who has taught programming classes for many years, I have stressed the value of writing good code, with the requisite error checks. Some languages like C/C++ need to be compiled, and over the years, compilers have been augmented with the capacity to make "smart" decisions about the source code, usually to improve execution speed or warn of dangerous omissions ("you did remember to initialize that value, right?").

Brad Spengler, a security researcher, has produced an example in which the compiler's "smart" logic actually degrades the overall security of the resulting binary by introducing a vulnerability that until now seemed un-exploitable.

After reading the SANS ISC post below, you might just be right to claim that it was the compiler's fault: "the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code."

As someone who has helped grow generations of students into programmers, I find the suggested fix unacceptable, as it puts the burden on the programmer to know how the compiler will optimize the code. A "smart" compiler should not penalize a programmer for being extra careful with his/her code.

Src: A new fascinating Linux kernel vulnerability | SANS ISC
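The pattern behind the vulnerability the ISC post describes, as an added example (this is not code from the post, from Brad Spengler, or from the Linux kernel): a pointer is read before it is tested for NULL. Because dereferencing NULL is undefined behaviour in C, once the dereference has happened the optimizer is entitled to assume the pointer is non-NULL and delete the test that follows, so the check that is plainly visible in the source is absent from the binary. The struct and function names (device, device_state, poll_unsafe, poll_safe) are hypothetical stand-ins for the kernel objects involved.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical device structures standing in for the kernel objects the
 * post is about (constructed for this example). */
struct device_state { int ready; };
struct device { struct device_state *state; };

enum { POLL_OK = 0, POLL_ERR = -1 };

/* Vulnerable pattern. The load of dev->state happens before the NULL test.
 * Dereferencing NULL is undefined behaviour, so once dev has been
 * dereferenced the compiler may assume dev != NULL and delete the
 * "if (!dev)" branch as unreachable. The programmer's check is gone from
 * the binary even though it is right there in the source. */
int poll_unsafe(struct device *dev)
{
    struct device_state *st = dev->state;   /* dereference first ... */
    if (!dev)                               /* ... check second: may be removed */
        return POLL_ERR;
    return st->ready ? POLL_OK : POLL_ERR;
}

/* Hardened form: every dereference comes after the test that protects it,
 * so there is nothing for the optimizer to "prove" about dev beforehand. */
int poll_safe(struct device *dev)
{
    if (!dev || !dev->state)
        return POLL_ERR;
    return dev->state->ready ? POLL_OK : POLL_ERR;
}

int main(void)
{
    struct device_state st = { 1 };
    struct device dev = { &st };

    printf("poll_safe(&dev)   = %d\n", poll_safe(&dev));
    printf("poll_safe(NULL)   = %d\n", poll_safe(NULL));
    printf("poll_unsafe(&dev) = %d\n", poll_unsafe(&dev));
    /* poll_unsafe(NULL) is deliberately not called: compiled with -O2 the
     * NULL check is typically gone and the call faults on the first load
     * (in kernel context, a NULL dereference is far worse than a crash).
     * GCC's -fno-delete-null-pointer-checks turns that assumption off, but
     * reordering the code as in poll_safe is the real fix. */
    return 0;
}
```

Compile with `gcc -O2 -Wall` to see both functions build without a diagnostic; nothing warns that the check in `poll_unsafe` has been discarded. The defensive rule that survives any optimizer is simply "test before you touch": no field of a pointer is read on any path that precedes the NULL check guarding it.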

QOTD -- Fox on Cyber Warfare and Attribution

War has not changed. The weapons of disruption, corruption, and destruction reflect only the evolution of human creativity and innovation. We must understand the conflicts that drive their use, be they individual, corporate, or international. Without this insight, we are doomed to cyber attrition.
Steven Fox, Principal Consultant & Founder, SecureLexicon.com, writing about Cyber Warfare.

Src: Cyber Warfare and Attribution | CSOOnline Blog

QOTD - PrivacyProf on Data Aggregation

We are more than just the strict sum of a few pieces of information that may point to us.

A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way...

Consider a zip code, first name, and birth year.

If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual. Especially in more sparsely populated geographic locations. So, does this combination of three items, as a group, represent PII?

It often takes just two pieces of information to be able to identify a specific individual. Once identified, finding out more information about that individual is trivial, and the stuff that criminals' dreams are made of.

Rebecca Herold, The Privacy Prof, blogging about the privacy threats of data aggregation, i.e. when it is possible to aggregate individual pieces that are not private to form a picture that can uniquely identify somebody.

Src: What is PII? How About Groups Of Otherwise Non-PII? | Realtime IT Compliance
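The aggregation effect Herold describes can be checked before a data set is released. The following is an added example, not code from her post or from this blog: it computes the k-anonymity of a constructed set of records for any combination of the three columns she names (zip code, first name, birth year). k is the size of the smallest group of records that share the chosen columns; k == 1 means that combination singles out at least one person. The sample data, including the sparsely populated zip code 72958, is constructed for the illustration and the record layout and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One row of a data set that an organization might consider "non-PII". */
struct record {
    const char *zip;
    const char *first_name;
    int birth_year;
};

/* Bit flags selecting which columns form the quasi-identifier. */
enum { USE_ZIP = 1, USE_NAME = 2, USE_YEAR = 4 };

/* Constructed sample: a populous zip where every combination occurs at least
 * twice, and a sparsely populated zip (72958, hypothetical) with four
 * residents who all differ in name or birth year. */
static const struct record SAMPLE[] = {
    { "72701", "Mary", 1971 }, { "72701", "Mary", 1971 },
    { "72701", "Mary", 1985 }, { "72701", "Mary", 1985 },
    { "72701", "John", 1971 }, { "72701", "John", 1971 },
    { "72701", "John", 1985 }, { "72701", "John", 1985 },
    { "72958", "Mary", 1971 }, { "72958", "Mary", 1985 },
    { "72958", "John", 1971 }, { "72958", "John", 1985 },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Do two records fall in the same equivalence class under `cols`? */
static int same_class(const struct record *a, const struct record *b, int cols)
{
    if ((cols & USE_ZIP)  && strcmp(a->zip, b->zip) != 0)               return 0;
    if ((cols & USE_NAME) && strcmp(a->first_name, b->first_name) != 0) return 0;
    if ((cols & USE_YEAR) && a->birth_year != b->birth_year)            return 0;
    return 1;
}

/* Size of the class record i belongs to (including itself). O(n) per call,
 * O(n^2) overall, which is fine for an illustration. */
static size_t class_size(const struct record *recs, size_t n, size_t i, int cols)
{
    size_t count = 0;
    for (size_t j = 0; j < n; j++)
        if (same_class(&recs[i], &recs[j], cols)) count++;
    return count;
}

/* k-anonymity of the data set for the chosen columns: the smallest class.
 * k == 1 means the columns, taken together, single out at least one person. */
int min_group_size(const struct record *recs, size_t n, int cols)
{
    size_t k = n;
    for (size_t i = 0; i < n; i++) {
        size_t c = class_size(recs, n, i, cols);
        if (c < k) k = c;
    }
    return (int)k;
}

/* How many records are alone in their class, i.e. uniquely identifiable. */
int count_singletons(const struct record *recs, size_t n, int cols)
{
    int singles = 0;
    for (size_t i = 0; i < n; i++)
        if (class_size(recs, n, i, cols) == 1) singles++;
    return singles;
}

int main(void)
{
    static const struct { const char *label; int cols; } combos[] = {
        { "zip",               USE_ZIP },
        { "first name",        USE_NAME },
        { "birth year",        USE_YEAR },
        { "zip + first name",  USE_ZIP | USE_NAME },
        { "zip + name + year", USE_ZIP | USE_NAME | USE_YEAR },
    };
    for (size_t i = 0; i < sizeof combos / sizeof combos[0]; i++)
        printf("%-18s k = %d, uniquely identified = %d\n", combos[i].label,
               min_group_size(SAMPLE, SAMPLE_N, combos[i].cols),
               count_singletons(SAMPLE, SAMPLE_N, combos[i].cols));
    return 0;
}
```

On the sample, each column alone leaves every person hidden among at least four others, any two columns leave at least two, and all three together identify each of the four residents of the sparse zip code uniquely, while nobody in the populous zip code is singled out. That is exactly the "especially in more sparsely populated geographic locations" effect, and a release policy can be stated in these terms: publish a combination of columns only if its k stays above an agreed threshold.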

QOTD on CEOs & Cybersecurity

only 3% [of CEOs] cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.
Src: What CEOs Don't Know About Cybersecurity | Forbes.com

NIST Draft Definition of Cloud Computing

Peter Mell, Project Lead for the NIST Cloud Computing group, has released a Draft Working Definition of Cloud Computing:
Definition of Cloud Computing:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models.
Essential Characteristics are listed as: on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service.

Delivery Models are listed as: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Deployment Models can be one of: private cloud, community cloud, public cloud, hybrid cloud.

Src: Cloud Computing | Computer Security Resource Center | Computer Security Division | NIST.gov

QOTD - RSA on Nature of Threats

It is now a common mantra in security that the nature of the threats has changed. Gone are the days of script kiddies looking for fame and notoriety; now enterprises face a very sophisticated worldwide fraud machine run by organized crime; with many players, each having their own niche. This system is very adaptable, changing tactics quickly to outwit any attempt to foil their operations. -- RSA report "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk"
Src: RSA, The Security Division of EMC

QOTD - Garfinkel: Privacy Requires Security, Not Abstinence

When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one. And it is likely that it would cost society far more money to live with poor security than to address it. -- Simson Garfinkel, associate professor at the Naval Postgraduate School in Monterey, CA
Src: Privacy Requires Security, Not Abstinence | MIT Technology Review

Predicting Social Security Numbers from Public Data

we only used publicly available information, and ended up discovering, based on that information, that the randomness [used in assigning SSNs] is effectively so low that the entire 9 digits of an SSN can be predicted with a limited number of attempts. -- Alessandro Acquisti and Ralph Gross of Heinz College, Carnegie Mellon University.
One lesson we can draw is that what was once thought to be secure (or secure enough) no longer is (or is no longer enough). The other lesson is that we need to focus on mitigating the risks created by the types of fraudulent transactions that are often based on easy-to-obtain credentials like SSNs (see Bruce Schneier's article in Forbes).

Src: Predicting Social Security Numbers from Public Data - FAQ

QOTD on Laws & Technology

We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls

QOTD - PrivacyProf on tracking PII

Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.

I have had similar findings in many of the information security assessments that I conducted, in which management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of sensitive data generated and consumed, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.

[Note: emphasis is mine]

Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance

QOTD - Rafal Los' Dose of Security Reality

In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right? --Rafal Los, IT Security Risk Strategist, blogger at http://preachsecurity.blogspot.com/
Src: [RANT] Call Me a Realist | Digital Soapbox - Preaching Security to the Digital Masses

Zero Day Threat, the book

As I wrap up reading Zero Day Threat, written by USAToday's Byron Acohido and Jon Swartz, I wanted to share with you one of the paragraphs that best outlines the current mess of the US (and beyond) financial system. [emphasis is my own]
In the fast emerging cybercrime industry, hackers and scam artists morph and advance magnitudes of order faster than the banking and tech industries have been willing to shore up basic security. From corporate America's point of view, convenience and speed are the drivers of the business models of the new millennium. Security is a perception challenge.
I highly recommend this book to anyone charged with safeguarding data. It will open your eyes to a system of actors (banks, credit bureaus, scammers, drug-addicts, and malware authors) revolving around maximizing profit at the expense of the consumer. The book links the murky world of the "exploiters" with the ingenious capacity for "expediters" to generate new and better malware, while the "enablers" sit mainly idle, unwilling to commit to much-needed enhancements to secure consumers' financial records and credit histories.

As security professionals, we must engage in critical evaluation of the risks to the data we are entrusted with. This book is sure to generate many lively discussions among security pros, and one would hope, executive management, about the nature of the threat, the drivers, and the baseline security that ought to be implemented.

Src: Zero Day Threat official web site
Src: Cybercrime Book Excerpt: 'Zero Day Threat' | Wired.com
Src: You won't guess who's the bad guy of ID theft | USAToday