Emergent ChaosIn a blog post entitled "Lending Tree A Little Late In Cutting Off Network Access?", I read that in the recent Lending Tree breach:
several former employees may have helped a handful of mortgage lenders gain access to Lending Tree's customer information by sharing confidential passwords with the lenders.
Later, the author describes "an obvious chink in Lending Tree's information security armor", (reprinting a U.S. News quotation from Brian Cleary):
These are former employees—how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination.USNews.com
Finally, he observes that
If you're going to rely primarily on human beings to implement the policies, then you'd better make sure that those human beings are either themselves subject to checks and reviews to make certain that they're following the policies.
All of this is nothing new to EC readers. What surprised me, and what I think is noteworthy here, is that the guy writing this is not some CISSP, CISA, or even CISO. He's the voice behind the Bank Lawyer's Blog, an attorney with banking and other corporate clients.
Not to read too much into this, but when the legal profession starts commenting knowledgeably about access termination policies, there's something interesting afoot.
Bookmark this post:
You see, the CIA apparently uses the less dangerous version of "waterboarding" -- not the Spanish Inquisition method, but the technqiue popularized by the French in Algeria, and by the Khmer Rouge -- involving the placing of a cloth or plastic wrap over or in the person's mouth, and pouring or dripping water onto the person's head. That's the civilized version of waterboarding -- the benign, anodyne, variant of the water treatment, the kind carefully administered by professionals. We would never dream of the barbaric practice of actually forcing the water into the nose and mouth.Go read "The Underdeveloped Jurisprudence of the Forcing/Pouring Distinction" and wonder how the next President is going to avoid prosecution.
Bookmark this post:
Schneier is probably busy at RSA, so I'll handle this one, which comes courtesy of the Manitowoc Herald Times Reporter of April 9:
About 450 employees of Point Beach Nuclear Plant were evacuated Tuesday morning after a convenience store clerk reported a man had asked for directions to Nuclear Road, where the plant is located, and then said he "came to blow up the place," according to a press release from Capt. Robert Kappelman of the Two Rivers Police Department.The Federal Bureau of Investigation, Point Beach Nuclear Plant, the Manitowoc County Sheriff's Department and the Two Rivers Police Department conducted a joint investigation.
Information from the surveillance video at the gas station led authorities to a vehicle parked at the nuclear plant. A 23-year-old man from Hull, Mass., working as a contractor at the plant, had rented the car in Milwaukee.
In an interview with the FBI, the man admitted the conversation took place but said he had stated he "hoped he wouldn't blow up the place" as it was his first day working at the facility. He said he told the clerk "they don't allow (him) to push any buttons, anyway."
His vehicle was searched and no threats were found. No charges are being pursued, according to TR [Two Rivers, Wisconsin] police.
Not as good as the "going to LA to shoot a pilot" non-story, but not bad. Notice the Massachusetts connection. Good thing the guy wasn't working at Pilgrim, 'cause I am sure there were potentially lethal LEDs in that car :^).
Bookmark this post:
Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma)See More Breach Notification Laws -- 42 States and Counting at the law blog of Proskauer Rose.
Bookmark this post:
Thanks to infosec expert (and Indiana resident) Chris Soghoian, and a receptive state legislator who listened to an informed constituent, Indiana now has a much improved breach notification law , closing a loophole we discussed previously.
We've written about expert involvement in crafting improved state laws before, most recently here.
BTW, the loophole Indiana has fixed still has a tenacious grasp on the press. As folks on the Dataloss Mailing List know all too well, nary a week goes by without a reportedreporter dutifully and unquestioningly stating that "risk is said to be small, since the stolen laptop was protected by a password". More on this in a future post.
Bookmark this post:
A year ago, I discussed stupid email disclaimers in, "If I Screw Up, It's Your Fault!" This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his "They Told You Not To Reply."
Krebs tells the story of Chet Faliszek, who owns the domain donotreply.com, which he bought in 2000 as a lark. The interesting situation is that many otherwise sane people will send broadcast messages with a return address that has donotreply.com in it. And of course, people reply. When they reply, he gets the mail.
He gets customer service mail from Charbroil grills; financial service from Capital One and Merrill Lynch; network diagrams and vulnerabity data from Yardville National Bank; faxes from Iraq contractor and former subsidiary of Halliburton, Kellog Brown & Root; and of late very interesting mail from the Department of Homeland Security.
Krebs quotes Faliszek:
"I've had people yell at me, saying these e-mails are marked private and that I shouldn't read them.""They get all frantic like I've done something to them, particularly when you talk to the non-technical people at these companies."
The most delicious emails end up on his blog. He will remove them if you show proof of a donation to an animal protection league or humane society.
Note that if you send your email to Mr Faliszek, it becomes his email. No one suggests that there is anything untoward in owning donotreply.com. No one suggests that the disclaimer has any standing. No one suggests that there is anything wrong with his letting you ransom those emails through good works.
Certainly, it's stupid to use a domain like donotreply.com. It's a legal domain. There are some reserved domain names, and they are documented in RFC 2606. For Heaven's sake, use donotreply@yourdomain! However, it's worse to have the disclaimer. Non-expert, non-technical people might think that it has standing. Note what Mr Faliszek said, that people think that because they're marked private, he shouldn't read what's delivered to his domain. I have every sympathy with these people. They think they're protected, and they're not. Fortunately for us all, Mr Faliszek is a nice guy who loves animals. Take it away, bandleader.
Photo "its just sad" by Quiz....
Bookmark this post:
The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and over extended borrowers.He's right. The players at the heart of identity theft in the U.S. are the credit bureaus. But, what they've done is more than just creating a system which is prone to identity theft. Let's review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates for people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.
The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don't quite say "nice credit score you've got there. Shame if we were to do something to it," but they come close.
Small wonder it’s hard to address the problem.
Rich closes:
I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.
Bookmark this post:
Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper, he argued that banks should publicly disclose identity theft statistics.
From the current paper's abstract:
There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.This is an area fraught with methodological challenges, many of which are due to sparse (or, as I have intimated with regard to ID Analytics for example) proprietary data. Chris' paper simultaneously shows what can be done with what we have, and why we'd be better off if we had more.
Bookmark this post:
Dan Solove has an interesting article up, "Coming Back from the Dead." It's about people who are marked dead by the Social Security Administration and the living hell their lives become:
Dan starts with quotes from the WSMV News story, "Government Still Declares Living Woman Dead"I'd propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there's no end to the complications the situation creates.Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source....
According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.
...
Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.
I've been discussing libel and the credit agencies for years, in posts like "Because That's Where The Money is: Ethan Leib's ID Theft" or " Government Issued Data and Privacy Law." I've yet to hear why libel law isn't a reasonable and easy approach to the problem. As Nick Szabo comments in "The Discovery of Law," "common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence."" I'm not calling for a broad overhaul. I think that a common law approach to libel law would likely address many of our issues with the way data flows between organizations.
Bookmark this post:
Experian sues Lifelock.
I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.
I'd like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the 'automated fraud alert' approach. I don't know what ID Analytics has.
Bookmark this post:
We've made frequent calls here at EC for improved breach breach reporting. In particular, we've said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that legislators and the public can see (without commissioning a study) what the facts are. Additionally, we've mentioned research discussing notification fatigue, and the artful construction of notification letters seemingly designed to discourage both comprehension and action. Finally, we've praised efforts to increase transparency -- in particular New Hampshire's posting of notification letters on a government-administered web site.
In recent days, I was elated to learn of legislative efforts in California and Indiana that together substantially advanced each of these points. In California, Senate Bill 364 was recently voted out of the state senate. This bill requires that breach notification letters be written in plain language, and that they contain:
It also requires that breaches be reported to California's Office of Information
Security and Privacy Protection (where they would be subject to Freedom of Information requests).
In Indiana, House Bill 1197 would require the attorney general to publish notice of a breach of the security of a system on the attorney general's Internet web site, and closes a loophole in Indiana's existing breach law, which currently allows password protection to be sufficient to exempt and incident from disclosure. The new law would only exempt completely encrypted portable devices, with unexposed keys.
Each of these bills is a great thing, and each shows that (despite what cynics like I might say), smart people who are motivated can make a big difference. In California, the smart, motivated people are at the Samuelson Law, Technology & Public Policy Clinic, whose recent research supplied part of the bill's foundation. In Indiana, infosec researcher Chris Soghoian was instrumental in educating his own local legislator, and making several suggestions which found their way into Indiana's bill.
But the story gets more interesting. As Chris documents, the centralized notification portion of the Indiana bill is vigorously opposed by telecom giants AT&T and Verizon, as well as by Microsoft. The last, writes Soghoian, even argued that availability of actual breach letters would make phishers' work easier. Funny that the letters already posted by New Hampshire and others haven't done this. I guess phishers are too busy to write a FOIA letter, too. Note to Microsoft: this information is not secret from bad guys, it is merely hidden from the vast majority of good guys. Thanks for arguing that it should stay that way. Maybe Microsoft's lobbyists should learn about threat modeling.
Lest it be thought that tech industry opposition to democratic transparency is a purely domestic thing, the Information Technology Association of Canada testified in opposition to a Canadian breach law, as reported by Canadian privacy law expert Michael Geist.
Meanwhile, in California, a portion of the bill requiring breach notices to be placed on the web, thereby allowing the interested public to avoid the hassles of writing FOIA letters, has been stricken from the bill, this time for cost reasons.
I'm happy that California takes this issue seriously, and turned to some folks who obviously know their stuff. I guess they are strapped for cash. As for Indiana, and for Canada, it's disheartening to see tech firms argue that technology should not be used to bring relevant information closer to those who want it.
Bookmark this post:
Bookmark this post:
On the beaches of Mexico, they're talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.
First is the price. About €9,000. Second, there's the performance. A complete DES keyspace sweep in a fortnight. That's not bad. If you think about Deep Crack and what you'd expect from normal semiconductor advances.
The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you're clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight's of computing, you can generate any one-time password the real owner can.
Maddeningly, there are other systems based on AES or some other crypto that aren't at all vulnerable to this attack -- because they have better keys. People who are vulnerable to this attack need not be.
Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It's also negligent, when it's so easy to get shot.
Photo courtesy of Imagem Compartilhada.
Bookmark this post:
Hence, we imprison and deport American citizens for immigration violations.
McClatchyThomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia.
Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he's never seen. His jailers shrugged off Warziniack's claims that he was an American citizen, even though they could have retrieved his Minnesota birth certificate in minutes and even though a Colorado court had concluded that he was a U.S. citizen a year before it shipped him to Arizona.
During a deportation hearing Thursday morning, pleas by Warziniack's family and lawyer to release him, as well as a copy of his birth certificate proving his citizenship, did little to deter the government.
"The immigration agents told me they never make mistakes," Warziniack said in a phone interview from jail. "All I know is that somebody dropped the ball."
The story of how immigration officials decided that a small-town drifter with a Southern accent was an illegal Russian immigrant illustrates how the federal government mistakenly detains and sometimes deports American citizens.
The whole article (which is a must read) makes The Trial seem like a due process Shangri-La by comparison.
The title quote, BTW, is from Ernestine Fobbs, whom McClatchy describes as a spokeswoman for "ICE, the federal agency that oversees deportations".
Bookmark this post:
DOYLESTOWN, Pennsylvania (AP) -- A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him. David Binner sent the check after receiving a $5 parking ticket. He calls it "a temporary lapse of judgment." Clerks were offended by the message, and the disorderly conduct charge was filed because the comment was obscene, police Chief James Donnelly said. "He was contrite enough to offer an apology, and I think that satisfies the people who were insulted by it," he said.Associated Press, via CNN So what vulgarity was so "obscene" the police had to step in?
"The F-word isn't what it used to be," attorney [for the check-writer] Keith Williams said. It doesn't have a sexual connotation anymore and so can't be considered obscene, he said.I guess that about says it. Meanwhile, the local police Chief explains that clerks were "insulted" when they saw this naughty, naughty expression while they were being paid from the public purse. As an idealistic youth, I read Cohen v. California. So should the Chief:
The ability of government, consonant with the Constitution, to shut off discourse solely to protect others from hearing it is, in other words, dependent upon a showing that substantial privacy interests are being invaded in an essentially intolerable manner. Any broader view of this authority would effectively empower a majority to silence dissidents simply as a matter of personal predilections.Cohen v. California, 403 U.S. 15 (1971)
Bookmark this post:
Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth Amendment implications of decrypting ciphertext. Remarkably, it arose 200 years ago, in the treason trial of former Vice-President Aaron Burr.
Bookmark this post:
I think you're a smart person who cares about honesty and the rule of law.
I also think your e-mail fundraising campaign is undermining that message by sending what I believe to be deliberately deceptive emails. To be clear, I am not referring to deception in the political message -- spinning words, being loose with the facts, telling only half the story, etc. -- I am referring to emails which show every sign of lying about the intent of the sender and contain a false and misleading message body, in an attempt to deceive the recipient into thinking he has inadvertently been copied on a private message from your campaign manager to Tim Tagaris. The idea, I suppose, is to enhance the perceived veracity of the email's message by depicting it as private. A campaign might lie to the public, but within the family, so to speak, it would be much more honest.
This is a clever hack, and one which might work on some people. In fact, something very similar was done as part of a stock tout scheme. A woman left voicemail messages seeming to be intended for a close friend, explaining that she just got inside info on a company, and that the friend should invest. You don't need to be a United States senator to see that this is both illegal and unethical. In the case of your analogous email, sir, it is certainly the latter. We will see if it is the former when the Federal Election Commission receives the registered letter I will be sending them.
By the way, if you have an honest IT staffer, feel free to have them contact me about getting the actual email. Here is a text rendering of the full header (with my email addresses altered to foil address-harvesting bots), and the misleading and untruthful portion of the message body:
Return-Path: <bounces@bounces.democracyinaction.com> X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on norad.cwalsh.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=ADVANCE_FEE_1,ALL_TRUSTED, BAYES_00,DEAR_FRIEND,HTML_MESSAGE,HTML_TITLE_SUBJ_DIFF, MISSING_SUBJECT autolearn=no version=3.1.6 X-Original-To: resident[-@-]cwalsh.org Delivered-To: cwalsh[-@-]cwalsh.org X-policyd-weight: using cached result; rate: -8.5 Received: from m152.prod.democracyinaction.org (m152.prod.wiredforchange.com [8.15.20.152]) by smtp.cwalsh.org (Postfix) with ESMTP id D4CCCA1341 for <resident[-@-]cwalsh.org>; Fri, 30 Nov 2007 11:38:30 -0600 (CST) Received: from [10.15.20.109] ([10.15.20.109:46923] helo=pidgit.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from <bounces@bounces.democracyinaction.com>) (ecelerity 2.2.1.21 r(19176)) with ESMTP id C8/F2-01963-29A40574; Fri, 30 Nov 2007 12:38:26 -0500 Message-ID: <133294684.281516658@com.comDB.mail.democracyinaction.com> Date: Fri, 30 Nov 2007 12:38:26 -0500 (EST) From: Sheryl Cohen <scohen@chrisdodd.com> Reply-To: scohen@chrisdodd.com To: resident[-@-]cwalsh.org Subject: Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_1562616_10791175.1196444306859" Envelope-From: <bounces@bounces.democracyinaction.com> X_email_KEY: 133294684 ------=_Part_1562616_10791175.1196444306859 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Tim, I made a few small changes to your email draft -- you'll see them in bold below. Would have sent to the entire list, but I could only figure out how to send this test.
Update: I am not the only one who noticed.
Bookmark this post:
In a May, 2006 post entitled Codename: Miranda, I joked about having my gr
