Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”)

It appeared that no SSNs, account numbers, or other information was stolen. So why is Ameritrade announcing it, and what can information security professionals learn from this?

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.

Second, they’re shaping their customer response. Rather than have customers hear about it from someone in a state with a broad disclosure law and wonder “was I affected, too?”, they’re telling everyone. That allows them to appear proactive and caring, rather than reactive and hiding.

Third, they’ve probably kept costs way down by not paying a law firm to analyze their requirement to disclose under a variety of laws.

Finally, they were smart early, and separated their customer contact data from the deeply sensitive information, which was kept in a different database.

So what can someone who’s just been breached learn from this?

First, segment your data now. It pays off, probably more than a lot of products you might buy.

Second, when you encounter an incident, think about taking control of the situation, rather than letting the situation control you. Spending time planning for a variety of breaches will pay off, both for the companies that are ready, and for the leader who initiated the process.

No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details.
The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.
There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.
“A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business’ database and subsequent fraudulent transactions,” a police spokesman said.
She said the investigation was in its earliest stages and no further information was available.
Roses Only later released a statement saying that it had been recently advised that their computer systems “may have been” compromised through an unauthorised intrusion earlier in the year.
“We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system,” the statement said.

Sydney Morning Herald
(Image grab via Youtube)

Who Likes a Cheater?

If you don’t follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like “Belichick given record fine for video cheating.” (Times Online, UK) That may seem like a lot, until you realize that that’s less than 1% of the fine assessed against the McLaren F1 racing team.

The case broke open in July when a 780-page technical dossier on Ferrari cars was found at the home of McLaren’s chief designer, Mike Coughlan, who later was suspended. Ferrari mechanic Nigel Stepney, who allegedly supplied the documents, was fired.
(Detroit Free Press, “Formula One team McLaren fined $100 million in spying scandal.”)

So why was the fine for the Patriots so low? Apparently that’s the league maximum.

So who likes a cheater? Apparently, the National Football League, which has set its maximum fines low enough that cheating was an irresistible temptation.

We now return to your regularly scheduled security blogging.

Photo: Sabine, “A fine city.”

[Update: My friend Jeff, who is much more into football than I am, asks how the fines compare to team budgets, and points out that this is the stiffest penalty given in NFL history. (“Penalizing the Patriots.”) Proportionally, the McLaren fine seems to be roughly 25% of an F1 budget, assuming that McLaren spends as much as the $400MM that Ferrari spends[1]. The Patriots’ financial penalty is less than 1% of the team’s $100MM share of NFL revenue [2]. It’s not clear to me how to compare a draft pick to points, which are the non-financial aspects of the penalties.

[1] Formula 1: The Business of Money
[2] NFL’s Economic Model Shows Signs of Strain]

Invasion Of The Password Snatchers

As I’ve mentioned in the past, my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of the security awareness program they assembled for National Cyber Security Awareness Month. While posters are hardly the be-all and end-all of awareness programs, these ’50s horror-movie-themed ones are far better than most.

When Hackers Don’t Strike

Today the New York Times asks us: “Who Needs Hackers?” The article itself, which discusses the recent outages at LAX and with Skype, is fairly fluffy, but it has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and risks, and we need to remember that much more often.
Peter “Comp.Risks” Neumann:

We don’t need hackers to break the systems because they’re falling apart by themselves.

Steve Bellovin:

Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways.

and Avi Rubin:

Maybe we have focused too much on hackers and not on the possibility of something going wrong. Sometimes the worst problems happen by accident.

HSPD-12 Does Not Require JPL Background Checks

Adam writes about the brouhaha at NASA over HSPD-12 background checks.

A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs.

In paragraph 3, there is the interesting statement:

The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.

The FOAF was incredulous at the report, because there it is in paragraph three that it’s okay to have different levels of security, and that which was good enough to defend us against the Godless Commies oughta be good enough to defend us against the Godful Beard-Dyers.

Let’s look down a little further. HSPD-12 is short, it’s only eight paragraphs. What’s that in paragraph 6?

(6) This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans.

Which gives the protesters a lot of ammo right there. But wait, there’s more. The HSPD-12 FOAFs say that the hardware JPL has ordered can only support a low-security ID system anyway, not a high-security one, so even if it were reasonable, they can’t implement the high-value security checks anyway. The FOAF gives this site as a reference.

So there you have it, not only abuse at JPL, but waste, too.

The Fight Against HSPD12

There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations.”

From the press release:

The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and scientists on the Mars Exploration Rovers program. All are long term employees of Caltech who have never had to submit to the incredibly intrusive check that the Bush Administration desires. None of the plaintiffs have classified or sensitive positions. Plaintiffs challenge Bush’s decision to require that all JPL employees submit to a “National Agency Check with Inquiries” and sign a broad written waiver, permitting investigators to obtain records from their past employment files, and to question their friends and associates about their emotional health, financial integrity, and general conduct, including whether they’ve ever had sex and, if so, what type.

Or, “the more you tighten your grip, the more national labs will slip through your fingers.”

Pfizer’s little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company.

A Pfizer spokesman called the breaches “three separate and distinct incidences” that bear no relationship to each other.
(Dark Reading, “Pfizer: Strike Three”)

There are several interpretations that spring to mind. The first is that all are related by poor infosec practice at Pfizer. The second is that Pfizer is doing a better job of honest reporting than other organizations.

If you’re a CEO confronted with these losses, your first instinct is going to be to cover up, and to ask what you can do to avoid getting sued. It may make more sense to level with employees, and explain to them what’s going on.

As Rich Mogull points out, “you have to feel for the employees who don’t have much of a choice to go anywhere ‘more’ secure.”

Hard as it is to confront these mistakes, covering them up and being caught is going to be a lot worse.

If only Pfizer made a drug to stiffen backbones.

The analog hole strikes again!

I had occasion to park at a rather large parking garage attached to a rather larger complex of hospitals in downtown Chicago today. The company that runs this garage does something smart — in addition to numbering the floors of the garage and giving them a characteristic color, they also play a well-known musician’s tunes as you wait for the elevator, and have signage regarding that musician prominently displayed. Today, I parked at level 4, can’t recall the color. The artist was Frank Sinatra. The sign showed a drawing of Hoboken’s favorite son in the fifties, and would definitely be memorable. What was even more memorable was the sign underneath the tinny loudspeaker from which one of Francis Albert’s hits came as I waited for the elevator:
“Unauthorized duplication prohibited”.
So much for my plan to stick it to Columbia records.

1.5 billion, and whaddaya get?

I wrote this post sitting on a plane to Montreal. There were all sorts of announcements about how you had to be on international flights thirty minutes before takeoff, to make Congress happy:

Congress mandated that DHS’ Customs and Border Protection (CBP) establish a requirement to receive advance information on international passengers traveling by air prior to their departure, as part of the 2004 Intelligence Reform and Terrorism Prevention Act (IRTPA)… The final APIS predeparture regulation will require air carriers to transmit manifests 30 minutes prior to departure of the aircraft or provide manifest information on passengers as each passenger checks in for the flight, up to the time when aircraft doors are secured. (“DHS Announces Predeparture Screening of International Passengers and First Step Toward Secure Flight”)

I couldn’t help but ask what this costs. It’s 30 minutes per person flying to or from the US. According to the US Department of Transportation “US International Air Passenger and Freight Statistics,” there were 154 million international air passengers in 2006. That’s 154 million people with at least half an hour wasted. That’s 77 million hours. 3.2 million days. That’s 570 years. At minimum wage ($5.85) that’s 450 million bucks in wasted time. I don’t think minimum wage is really the right number to use. Most international flyers are probably at least of average income. Wikipedia claims (“Personal income in the United States“) that’s just under $40,000 per person who’s employed full time. That’s $20 an hour, and at that rate, this policy costs the public $1.5 billion a year.

For that kind of money, maybe TSA could buy faster computers?

With all that time wasted, no wonder Congress is worried about how people behave in airport bathrooms.

First aside: The minimum wage is $5.85. Wow. Set to rise to $7.25 in July 2009. Before taxes, that’s $234 a week, or slightly more than two weeks’ income for the ticket I’m on right now. I had to stop and remember how lucky I am to be in a high-demand industry.

Second aside: all of this ignores that the US is a wealthy country, and some fraction of travelers come from poorer places, where some people live on as little as a dollar or two per day. I think it’s reasonable to assume that the average person traveling by air internationally has enough money to do so.

Photo: Aereoporti: bambini in coda by andrea.lagala.

From the Advances in Aviation Desk
The Beeb reports, “Goats sacrificed to fix Nepal jet,” in which we learn that two goats were slaughtered in sacrifice to the Hindu god of sky protection, Akash Bhairab, in front of a Boeing 757. Airline official Raju KC said to Reuters, “The snag in the plane has now been fixed and the aircraft has resumed its flights.” Local media have blamed an electrical fault, which actually makes sense if you know anything about goats. American Airlines has not responded to inquiries about whether they will be trying this at DFW.

The Consumerist reports, “Southwest Airlines Thinks Your Outfit Is Inappropriate,” in which a 23-year-old Hooters waitress was asked to leave the plane for wearing the outfit shown in the photo here. She had been in Tucson, where the temperatures were 106 degrees, so perhaps wearing a sweater got their goat.