April 9, 2008

41 and counting

(Posted by adam)
Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).
See "More Breach Notification Laws -- 42 States and Counting" at the law blog of Proskauer Rose.

Posted by adam on April 9, 2008 at 7:39 PM in Legal, breach analysis, breaches.

April 1, 2008

Do you feel like we do?

(Posted by cwalsh)

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like "The actual risk is thought to be minimal, since a password is required to log in to the missing computer."

Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, has issued a comment on the topic.

I recently had an idea which I honestly think might be very useful (or pathetically impotent).

I report, you decide.

The idea is simply this:

Creating some sort of on-line document and getting infosec experts/practitioners/luminaries to add their names to it. The document would be akin to an on-line petition, except that it would not be asking for something, it would be stating a position -- as I envision it, it would be a couple of paragraphs, pointing out the technical facts (in lay terms) that "recovery" CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had its loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were not intended to be a defense against a threat which bypasses the operating system completely.

When the press perpetuates the canard (and I am aware of it), I'd dash off a letter to the editor which particularizes things, and which points to this on-line document. Hopefully, this would raise awareness.

My thinking here is that many of us with an infosec and privacy background "get it", but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted without regard to their technical accuracy.

Is this a crazy idea? If so, please comment. If you think it makes sense, comment about that.

If there seems to be solid support, we can work out the details and make it happen.


Posted by cwalsh on April 1, 2008 at 9:31 PM in awareness, breaches.

March 20, 2008

Avoid ID theft: Don't run for President

(Posted by cwalsh)

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama's passport file.

Obama's presidential campaign immediately called for a "complete investigation."

State Department spokesman Tom Casey said the employees had individually looked into Obama's passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.

The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a "high-profile person" are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.

"The State Department has strict policies and controls on access to passport records by government and contract employees," Casey said.

The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, "in order to serve you better", violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton's file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative -- too obvious), but these only work for important people.

Nice.
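As an added example (not code from the post, and not the State Department's system), here is the shape of the detective control the article describes, run over a constructed audit trail: a watchlist rule that fires only when a "high-profile" record is opened, beside an assumed need-to-know rule that checks the same trail for every record. All employee ids, subjects and events are made up.

```python
"""Added example; not the post's code and not the State Department's system.
A small detective control over a constructed passport-file access trail: the
watchlist rule mirrors the monitoring the article describes (an alert only
when a "high-profile" record is opened), and an assumed need-to-know rule
shows the same audit trail checked for every record. All employee ids,
subjects and events are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    day: str
    employee: str
    role: str                 # "contract" or "staff"
    subject: str              # whose passport record was opened
    pledge_ack: bool          # privacy pledge acknowledged before access?
    case_ref: Optional[str]   # service request that justifies the lookup


# Constructed audit trail; the three dates echo the article's timeline.
EVENTS: List[AccessEvent] = [
    AccessEvent("Jan 9",  "c-1041", "contract", "SUBJECT-HP", True,  None),
    AccessEvent("Jan 9",  "s-0007", "staff",    "ORDINARY-1", True,  "SR-77120"),
    AccessEvent("Feb 21", "c-2215", "contract", "SUBJECT-HP", True,  None),
    AccessEvent("Feb 21", "c-2215", "contract", "ORDINARY-2", False, None),
    AccessEvent("Mar 14", "c-3390", "contract", "SUBJECT-HP", True,  None),
    AccessEvent("Mar 14", "s-0007", "staff",    "ORDINARY-3", False, "SR-80011"),
]

WATCHLIST = {"SUBJECT-HP"}   # the "high-profile" records the system watches

Rule = Callable[[AccessEvent], Optional[str]]


def high_profile_rule(ev: AccessEvent) -> Optional[str]:
    """The control the article describes: fire only for watchlisted subjects."""
    if ev.subject in WATCHLIST:
        return f"watchlisted record {ev.subject} opened by {ev.employee}"
    return None


def need_to_know_rule(ev: AccessEvent) -> Optional[str]:
    """Assumed generalisation: every lookup needs a service request and the
    pledge, whoever the subject is. An illustration, not a description of
    what State actually checks."""
    if ev.case_ref is None:
        return f"{ev.employee} opened {ev.subject} with no service request"
    if not ev.pledge_ack:
        return f"{ev.employee} opened {ev.subject} without acknowledging the pledge"
    return None


RULES: Dict[str, Rule] = {
    "high_profile": high_profile_rule,
    "need_to_know": need_to_know_rule,
}


def run_rules(events, rules=RULES) -> List[Tuple[str, AccessEvent, str]]:
    """Evaluate every rule against every event; return (rule, event, message)."""
    alerts = []
    for ev in events:
        for name, rule in rules.items():
            msg = rule(ev)
            if msg:
                alerts.append((name, ev, msg))
    return alerts


def alerts_by_rule(events, rules=RULES) -> Dict[str, int]:
    counts = {name: 0 for name in rules}
    for name, _, _ in run_rules(events, rules):
        counts[name] += 1
    return counts


def subjects_missed_by(rule_name: str, events, rules=RULES) -> List[str]:
    """Subjects flagged by some rule but never by the named one: the records
    a watchlist-only control leaves unwatched."""
    alerts = run_rules(events, rules)
    seen_by_rule = {ev.subject for n, ev, _ in alerts if n == rule_name}
    seen_by_any = {ev.subject for _, ev, _ in alerts}
    return sorted(seen_by_any - seen_by_rule)


if __name__ == "__main__":
    for name, ev, msg in run_rules(EVENTS):
        print(f"{ev.day:>6} [{name}] {msg}")
    print("unwatched by the high-profile rule:",
          subjects_missed_by("high_profile", EVENTS))
```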

Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

"This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama's passport file, for what purpose, and why it took so long for them to reveal this security breach."

One way to learn some of that, as I am sure Mr. Burton's boss knows, is to get a decent national breach notification law.

While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to "incentivize good behavior".

Posted by cwalsh on March 20, 2008 at 11:46 PM in Current Events, Privacy, breaches.

March 14, 2008

More Hardware Security Shown to be Bunk

(Posted by mordaxus)

After showing that "encrypted" disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk:

Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy parties to get around the protection in some products.

Basically, all you have to do is get a low-level USB tool, PLscsi, and have it tell the device to ignore all that security stuff. Yes, I'm over-simplifying, but I'm disgusted. Read the article for details.

Posted by mordaxus on March 14, 2008 at 5:21 PM in Security, breaches.

February 20, 2008

Back in the ring to take another swing

(Posted by cwalsh)

Via Kable's Government Computing, comes news that the British House of Lords "Science and Technology Committee has announced a follow-up inquiry to its 'Personal Internet Security' report".

Chair of the committee Lord Sutherland said: "The committee was disappointed with the government's response to its report. We felt they had failed to address some of our key concerns about people's security on the internet.

"The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders' views on the government's response."

Kable's Government Computing, 2008-02-21

I speak American English, so I may not be up on the nuances, but I think Lord Sutherland is saying that they're going to line up a bunch of experts to say what absolute dolts the government were in ignoring the recommendations put forth by the Committee last year.

Excellent.

Posted by cwalsh on February 20, 2008 at 11:42 PM in breaches, information security.

Here we go...

(Posted by cwalsh)

Experian sues Lifelock.

I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.

I'd like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the 'automated fraud alert' approach. I don't know what ID Analytics has.

Posted by cwalsh on February 20, 2008 at 11:19 PM in Legal, breaches.

January 3, 2008

Citibank limiting ATM withdrawals in NYC?

(Posted by cwalsh)
Title:  Citibank limits ATM cash in city
Author: KERRY BURKE and LARRY McSHANE
Source: DAILY NEWS
Date Published:January 3rd 2008

Excerpt:

The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank's ATM machines in New York have been seriously compromised by fraud. According to media reports, a spokesperson for Citibank has stated that "Though we can't provide details of ongoing security investigations, we are working closely with law enforcement on this matter." Citibank declined to specify the amount of the new withdrawal cap.

For the complete article see: http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html

For more security news visit the FIRST Security News site at:
http://www.first.org/newsroom/globalsecurity
http://www.first.org/newsroom/globalsecurity/rss.xml

(Passed along in case folks haven't heard)

Posted by cwalsh on January 3, 2008 at 10:21 PM in Current Events, breaches.

December 23, 2007

Anarchy in the UK

(Posted by adam)

* Readers are invited to comment on the contrast.

Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.

Posted by adam on December 23, 2007 at 9:30 PM in Current Events, breaches.

November 20, 2007

Breach Disclosure of the Zeroeth Millennium

(Posted by mordaxus)

The BBC reports the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed as foundlings by a she-wolf, Lupa.

The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.

Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.

In related news, two disks in the UK have been lost with the personal details of 25 million Britons including "name, address, date of birth, National Insurance number and, where relevant, bank details." This is everyone in the UK who receives a tax deduction from having children.

Paul Gray of HMRC resigned over the incident (as if that will help). Liberal Democrat Acting Leader Vince Cable clucked: "why does HMRC still use CDs for data transmission in this day and age?", proving that he doesn't read this blog. Mr Cable, as well as Shadow Chancellor George Osborne, predicted the end of the National ID Database as a result of this loss.

Commissioner of Obvious Information, Richard Thomas, said: "this is an extremely serious and disturbing security breach" and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.

Posted by mordaxus on November 20, 2007 at 5:33 PM in breaches.

September 16, 2007

No word on the lupins

(Posted by cwalsh)

NSW Police are investigating the possible compromise of an online florist's database and theft of customers' credit card details.

The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.

There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.

"A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business' database and subsequent fraudulent transactions," a police spokesman said.

She said the investigation was in its earliest stages and no further information was available.

Roses Only later released a statement saying that it had been recently advised that their computer systems "may have been" compromised through an unauthorised intrusion earlier in the year.

"We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system," the statement said.


Sydney Morning Herald

(Image grab via Youtube)

Posted by cwalsh on September 16, 2007 at 7:40 PM in Amusements, breaches.

July 24, 2007

Full Disclosure debate, 2.0

(Posted by cwalsh)

A poor choice of names (I guess "best UNIX editor" was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.

Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals' sensitive personal data at risk.


Posted by cwalsh on July 24, 2007 at 6:39 PM in Current Events, breaches.

July 23, 2007

Canon Says Over 50% of Cameras Repaired in First Three Years

(Posted by mordaxus)

In the Times Online article, "Digital DNA could finger Harry Potter leaker," we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took.

From this, we learn that it was a Canon, likely a Rebel 350D, which means that the perp bought it in the US or Canada. (This doesn't mean that the perp is there, as lots of people buy electronics in the US or Canada.)

However, I blinked when I read something from Vic Solomon, a product intelligence officer at Canon UK:

From what we know, the device is one of the original Rebel cameras, probably a 350D, and given that they've been out for three years, it's likely the owner would have had it cleaned or repaired in that time.

Likely? I take likely to be better than a coin flip -- over 50% chance. I'm a huge fan of Canon cameras, and while I don't yet own a digital SLR (I'm very happy with my SD 700IS), I'd like one, and this makes me wary to hear that it is "likely" that I'll be taking it into the shop in three years. I have a twenty-five-year-old A1 SLR, and it's never been cleaned or repaired. Is Canon's well-deserved reputation for quality a thing of the past?

Or was Mr Solomon merely shooting his mouth off? He also said:

The EXIF data is like the picture's DNA; you can't switch it off. Every image has it. Some software can be used to strip or edit the information, but you can't edit every field.

That's not precisely accurate. EXIF metadata is nothing like DNA. It's metadata rather than code; it's annotations about the picture such as date and time, f-stop, exposure values, orientation of the photo, and of course the serial number of the camera. While photo-editing software often doesn't let you edit it, there are plenty of ways to get rid of it, and I'll bet that very shortly there will be more of them, particularly if they catch the person who did this because of the embedded serial number.
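To make the point concrete, here is an added example (not the post's code, nor Canon's, nor any named tool's): a minimal JPEG segment walker that finds the APP1 "Exif" segment, the container that carries camera fields such as a body serial number, and removes it while leaving the image data untouched. The JPEG bytes are constructed inline; the walker assumes a baseline JPEG whose header segments all carry a length field.

```python
"""Added example; not code from the post, from Canon, or from any named tool.
A minimal JPEG segment walker that locates the APP1 "Exif" segment (the
container that carries camera fields such as a body serial number) and
removes it. Standard library only; the JPEG bytes below are constructed."""
import struct
from typing import Iterator, Tuple

SOI, SOS, EOI = 0xFFD8, 0xFFDA, 0xFFD9
APP0, APP1 = 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each header segment, stopping at SOS.

    start..end spans marker (2 bytes) + length (2 bytes) + payload. Assumes
    a baseline JPEG whose pre-scan segments all carry a length field."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError(f"malformed segment at offset {pos}")
        end = pos + 2 + length
        if end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        if marker == SOS:          # entropy-coded scan data follows; stop here
            return
        pos = end


def is_exif(data: bytes, marker: int, start: int) -> bool:
    """True when this APP1 segment's payload begins with the Exif header."""
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def has_exif(data: bytes) -> bool:
    return any(is_exif(data, m, s) for m, s, _ in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed.

    All other header segments and the scan data are copied byte for byte,
    so the picture itself is unchanged."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in iter_segments(data):
        if not is_exif(data, marker, start):
            out += data[start:end]
        last = end
    out += data[last:]             # scan data and EOI, verbatim
    return bytes(out)


def segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment; the length field counts itself plus payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample, not a real photograph: JFIF APP0, an Exif APP1 whose
# payload embeds a made-up serial string, a minimal SOS header, four bytes
# of fake scan data, and EOI.
FAKE_SERIAL = b"SERIAL:0000000000"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, EXIF_HEADER + b"II*\x00\x08\x00\x00\x00" + FAKE_SERIAL)
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print("exif before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
    print("serial present after strip:", FAKE_SERIAL in cleaned)
```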

Photo courtesy Lone Primate.

Posted by mordaxus on July 23, 2007 at 3:59 PM in Current Events, Security, art, breaches.

July 7, 2007

Electronic data: you can sell it and have it

(Posted by cwalsh)

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident:

So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy's president gets interviewed and says because the data was sold to brokers and direct marketers, the information isn't at risk?!?!?

Now, I trust data brokers and direct marketers as much as anyone, but when information is obtained illegally (as this information is said to have been), what assurance is there that the thief won't sell it to anyone who will pay the price, not just nice people who will pay the price?

It's not like this is some guy fencing a stolen TV set.

Posted by cwalsh on July 7, 2007 at 9:45 PM in breaches.

May 5, 2007

TSA Can't Keep a Secret

(Posted by adam)
Alternate title: "If schadenfreude is wrong, I don't want to be right."

Ryan Singel reports that the "TSA Lost Sensitive Data on 100,000 Employees." This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. You know, for all those people who are too dangerous to travel, but not dangerous enough to arrest.

A hard drive containing sensitive information including social security numbers and bank account information on 100,000 Transportation Security Administration employees has gone missing from its headquarters and the FBI has been notified, according to a 7 p.m. EST [Friday] press release from the agency.

Remember, you have a few days left to stop REAL ID. If you do, the TSA's next lost laptop will contain less data about you.

Posted by adam on May 5, 2007 at 1:33 PM in Air Travel, breaches.

May 1, 2007

Flash Data Breach

(Posted by mordaxus)

The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and "took it home for a 20-minute look-see, then turned it over to authorities."

I have three words of advice: full disk encryption.

Photo courtesy of POONDOG.

Posted by mordaxus on May 1, 2007 at 4:22 PM in breaches.

April 26, 2007

Security Through Stupidity

(Posted by mordaxus)

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.

Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.

I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:

#

which I just stared at for a moment. It didn't even register for a good twenty or thirty seconds before I had the wit to type

ls

and was met with something akin to:

bin   dev  home  mnt  proc  tmp
boot  etc  lib   usr  sbin

and that didn't even register with me until I finally then typed

pwd

and was met with

/

and I made a loud two-word exclamation, of which the former was "oh" and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.

Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn't have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I'm just closing down the ones that don't have services on them anyway. Part of it is also that of the three times I've had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, "I wonder why the SMTP server logs have gotten so big." Fortunately for me, I caught it before the blacklists did.)

I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn't see any sign that anyone was using it for anything. I checked the IDS logs and there was nothing that leapt out at me as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn't been compromised, as the evidence suggested.

With the machine rebuilt, I connected to it directly with telnet and started looking for somewhere to put a password (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and they were full of warnings about how to make sure you did this, set that compiler switch, and if you didn't, things wouldn't work, and you'd get to reflash the box.

This wasn't how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn't been compromised. I convinced myself that this is because the bad guys wouldn't recognize the box as vulnerable.

As I grumbled and thought more about how to lock down the box, something occurred to me -- anyone who wants to own the box has to go to the same trouble to make it a productive member of their botnet community as I do to do the opposite, but they're at a disadvantage because they also have to protect it from me. Since it's easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that it has an open root shell, it's not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proof of the old adage, "In the land of the blind lion, the one-eyed zebra doesn't have to run very fast."

A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.

Posted by mordaxus on April 26, 2007 at 7:35 PM in SysAdmin, breaches, information security.

April 11, 2007

UK Story On Breaches and Silence

(Posted by mordaxus)

IT Week in the UK writes, "Companies keep silent on data breaches."

There are a couple of interesting quotes:

Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.

I raise my eyebrow a bit because of the words "often" and "invariably" appearing together. I side with the reporter on "often" and just don't buy "invariably." Nonetheless, if people believe that telling the police is the same as telling the press, they'll refrain from telling the police.

However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.

I concur, and so the question is how to make sure that the proper notifications happen to the proper people at the proper time. That's why there's no rule set on this. More in another post.

Posted by mordaxus on April 11, 2007 at 3:57 PM in breach analysis, breaches.

March 14, 2007

Mommas, Don't Let Your Babies Grow Up to be County Clerks

(Posted by mordaxus)
At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing.

However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social Security Numbers violated state and Federal law punishable by jail time.

This means that the poor county clerks, who are tasked with redacting records, would be left holding the bag for any screwups. If I were such a clerk, not having some sort of protection would lead to my resignation.

I'm left wondering how we're going to ensure that things get done correctly, but the larger issue is the way the government is reacting. I know that I speak for The President when I say that not everything that's bad and needs to stop has to have jail time and fines on it.

It looks like the pendulum of breach control is swinging a bit wildly in Austin. Just go to SXSW, guys, have a beer, listen to some music, and be stable on this. Thanks for working to get this right.

"Grandma Abilene" courtesy of Curran Andre Hugo.

Posted by mordaxus on March 14, 2007 at 1:01 AM in breach analysis, breaches.

February 10, 2007

Breach irony

(Posted by cwalsh)

According to Courtney Manzel, Counsel - Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY's notification law:


A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It contained password-protected files that included information (i.e., name, date of birth, social security number, salary and whether employee was enrolled in company health plan) about approximately 255 former and current Velocita Wireless employees.

And from the notice sent to affected individuals:

Posted by cwalsh on February 10, 2007 at 6:29 PM in breaches.