Nuke plant evacuated as misheard new employee remark is reported to authorities as credible threat

Schneier is probably busy at RSA, so I’ll handle this one, which comes courtesy of the Manitowoc Herald Times Reporter of April 9:

About 450 employees of Point Beach Nuclear Plant were evacuated Tuesday morning after a convenience store clerk reported a man had asked for directions to Nuclear Road, where the plant is located, and then said he “came to blow up the place,” according to a press release from Capt. Robert Kappelman of the Two Rivers Police Department.
The Federal Bureau of Investigation, Point Beach Nuclear Plant, the Manitowoc County Sheriff’s Department and the Two Rivers Police Department conducted a joint investigation.
Information from the surveillance video at the gas station led authorities to a vehicle parked at the nuclear plant. A 23-year-old man from Hull, Mass., working as a contractor at the plant, had rented the car in Milwaukee.
In an interview with the FBI, the man admitted the conversation took place but said he had stated he “hoped he wouldn’t blow up the place” as it was his first day working at the facility. He said he told the clerk “they don’t allow (him) to push any buttons, anyway.”
His vehicle was searched and no threats were found. No charges are being pursued, according to TR [Two Rivers, Wisconsin] police.

Not as good as the “going to LA to shoot a pilot” non-story, but not bad. Notice the Massachusetts connection. Good thing the guy wasn’t working at Pilgrim, ’cause I am sure there were potentially lethal LEDs in that car :^).

RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore.

PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and ask me to sing, maybe I will. But then again, maybe I’ll spare all of your ears from that horrid fate.

Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says:

Because of their set-up, Amazon has been taking longer to get a book
available for shipping. As you can see this causes problems when they
list the pub date as being the same date books are available from the
publisher. They have just very recently changed their practices and now
post pub dates on their sites that better reflect when THEY will be
set-up to ship the book to customer. However, they had not put this into
practice when originally setting your book up in their systems hence the
“change in availability” date.

So the pipeline is working, although it didn’t set expectations properly here. Next time, I’ll link to the publisher site, not Amazon.

New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale.

I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two to say that they’d gotten their copies, and so I know that they’re starting to ship. I had a very few copies to hand out at the IAPP meeting recently.

In the deeply ironic department, the second copy ever delivered went to a ChoicePoint employee. (After much consideration, we’ll respect their privacy.) I tried hard to rig the drawing, but Sagi Leizerov, from E&Y, was too good for me, and ensured it was fair.

Anyway, I remain tremendously excited about the launch of the book, and hope to see many of you next Wenesday at 2:30 in the RSA bookstore.

The FDIC’s Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer Intrusion Report.”

One of the great things about having the full report is that we don’t need to rely on Brian to interpret it for us. I love having data, and hate how rare it is for people who work in information security to have anything but summaries.

I found a couple of things interesting. At first they seem un-related:

  • The largest category is mortgage fraud, costing roughly $600MM in the 2nd quarter of 2007, and up 15% from Q1.
  • The second largest is check fraud. Check fraud is up, according to the FDIC (page 9) because the “Check21” program which sends images (rather than physical checks) is not sensitive enough to show watermarks or alteration detection by chemicals in the paper.

Both are really about risk tradeoffs, and it seems that with the rise in employment as a short term deal, the organizations become more focused on the short-term. [Updated: clarified that sentence a little.]

An example is the “zippy” memo, where JPMorgan Chase employees traded information about how to fool the computer into approving loans. (See “How to Get an “Iffy” loan approved at JPM Chase,” or “Chase mortgage memo pushes ‘Cheats & Tricks.’” Chase fired at least one person for distributing it.)

The advice included:

  1. Lump all of an applicant’s compensation as the applicant’s base income, rather than breaking out commissions, bonuses and tips.
  2. Do not disclose use of gifts for down payments.
  3. If all else fails, simply inflate the applicant’s income. “Inch it up $500 to see if you can get the findings you want. Do the same for assets.

Now, any security professional worth their salt can come up, post-facto, with fixes for each of these behaviors that prevent or detect them. But the real problem is that the commission isn’t paid over the life of the loan, it’s paid up front. Of course people are going to find ways to get the loans approved, and not worry about what happens next. Your community banker didn’t actually get bonuses over the life of the loan, but did expect to be with the bank when a problem happened.

As long as (as Martin Wolff says) “no industry has a comparable talent for privatising gains and socialising losses,” we should expect to be unpleasantly surprised by reading about bank fraud. (A bit more context on the Wolff quote can be found in this excerpt.)

94% of Philippine IT Professionals Endorse Breach Disclosure

LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported :”

MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed.

“A surprising 94 percent favored the imposition by law of [an] obligation upon businesses to report [a] breach of security of information systems or theft or personal information,” Claro Parlade, executive director of CPCAP, said in a summary of its survey that was presented to a technical working group created by the Commission on Information and Communications Technology to help Congress draft a data privacy bill.

The survey had a small sample size, but even so. 94%. It’s like a sea change in just three years. How are you using breach data?

Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”.
Such statements are sufficiently numerous that the pre-eminent source of breach data,, have issued a comment the topic.
I recently had an idea which I honestly think might be very useful (or pathetically impotent).
I report, you decide.
The idea is simply this:
Creating some sort of on-line document and getting infosec experts/practitioner/luminaries to add
their names to it. The document would be akin to an on-line petition, except that it would not be asking for something, it would be stating a position — as I envision it would be a couple of paragraphs, pointing out the technical facts (in lay terms) that “recovery” CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had their loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were not intended to be defense against a threat which bypasses the operating system completely.
When the press perpetuates the canard (and I am aware of it), I’d dash off a letter to
the editor which particularizes things, and which points to this on-line
document. Hopefully, this would raise awareness.
My thinking here is that many of us with an infosec and privacy background “get it”, but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted, without regard to their technical accuracy
Is this a crazy idea? If so. please comment. If you think it makes sense, comment about that.
If there seems to be solid support, we can work out the details and make it happen.

I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot!
Follow your spirit; and upon this charge
Cry ‘God for Harry, England, and Saint George!’

So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem to recall Henry talking about the proper ownership of the French Crown and Harfleur, and not breaches. Only because the French crown is long settled, I’d like to follow Dissent and talk about breaches. She’s responding to an article by Scott Berinato, “The United States of TMI.” Both are worth reading. Quoting Dissent:

While their comments are thought-provoking, I don’t agree that learned helplessness is the appropriate paradigm to apply here, although I agree what the individual tells himself or herself upon reading a disclosure is key to how they respond.

Henry spoke to fire his men up for real battle. I think that we, like Henry’s men, are fired up and straining at the start. We’re aware of the danger in front of us, and the power which we have. We have today the ability to follow our spirit. We can agree that “in peace there’s nothing so becomes a man, as modest stillness and humility.” We can also see that our security measures are not working as well as we’d like, and actively engage with the problem.

There are two greyhounds straining. The first is the truth about the state of affairs, and the second is those of us sifting at start of the data, trying to make sense of it.

I don’t believe we must learn helplessness. To the contrary, I believe that we must not. The landscape has changed dramatically since ChoicePoint. Talking about breaches has transformed the landscape, and will do so further. There’s more embarrassment over coverups than over the breaches. Companies have emerged to address consumer and business concerns. We will see more.

So indeed. Once more into the breach, dear friends.