Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.

Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals’ sensitive personal data at risk.

Canon Says Over 50% of Cameras Repaired in First Three Years


In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took.

From this, we lean that it was a Canon, likely a Rebel 350D, which means that the perp bought it in the US or Canada. (This doesn’t mean that the perp is there, as lots of people buy electronics in the US or Canada).

However, I blinked when I read something from Vic Solomon, a product intelligence officer at Canon UK:

From what we know, the device is one of the original Rebel cameras, probably a 350D, and given that they’ve been out for three years, it’s likely the owner would have had it cleaned or repaired in that time.

Likely? I take likely to be better than a coin flip — over 50% chance. I’m a huge fan of Canon cameras, and while I don’t yet own have a digital SLR (I’m very happy with my SD 700IS), I’d like one, and this makes makes me wary to hear that it is “likely” that I’ll be taking it into the shop in three years. I have a twenty-five-year-old A1 SLR, and it’s never been cleaned or repaired. Is Canon’s well-deserved reputation for quality a thing of the past?

Or was Mr Solomon merely shooting his mouth off? He also said:

The EXIF data is like the picture’s DNA; you can’t switch it off. Every image has it. Some software can be used to strip or edit the information, but you can’t edit every field.

That’s not precisely accurate. EXIF metadata is nothing like DNA. It’s metadata rather than code; it’s annotations about the picture such as date and time, f-stop, exposure values, orientation of the photo, and of course the serial number of the camera. While photo-editing software often doesn’t let you edit it, there are plenty of ways to get rid of it, and I’ll bet that very shortly there will be more of them, particularly if they catch the person who did this because of the embedded serial number.

Photo courtesy Lone Primate.

Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident:

So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because the data was sold to brokers and direct marketers, the information isn’t at risk?!?!?

Now, I trust data brokers and direct marketers as much as anyone, but when information is obtained illegally (as this information is said to have been), what assurance is there that the thief won’t sell it to anyone who will pay the price, not just nice people who will pay the price?
It’s not like this is some guy fencing a stolen TV set.

TSA Can’t Keep a Secret

Alternate title: “If schadenfreude is wrong, I don’t want to be right.”

Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. You know, for all those people who are too dangerous to travel, but not dangerous enough to arrest.

A hard drive containing sensitive information including social security numbers and bank account information on 100,000 Transportation Security Administration employees has gone missing from its headquarters and the FBI has been notified, according to a 7 p.m. EST [Friday] press release from the agency.

Remember, you have a few days left to stop REAL ID. If you do, the TSA’s next lost laptop will contain less data about you.

Flash Data Breach


The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and “took it home for a 20-minute look-see, then turned it over to authorities.”

I have three words of advice: full disk encryption.

Photo courtesy of POONDOG.

Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.

Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.

I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:


which I just stared at for a moment. It didn’t even register for a good twenty or thirty seconds before I had the wit to type


and was met with something akin to:

bin   dev  home  mnt  proc  tmp
boot  etc  lib   usr  sbin

and that didn’t even register with me until I finally then typed


and was met with


and I made a loud two-word exclamation, of which the former was “oh” and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.

Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn’t have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I’m just closing down the ones that don’t have services on them anyway. Part of it is also that of the three times I’ve had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, “I wonder why the SMTP server logs have gotten so big.” Fortunately for me, I caught it before the blacklists did.)

I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn’t see what anyone who was now using it for anything. I checked the IDS logs and there was nothing that leapt out at me to as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn’t been compromised, as the evidence suggested.

With the machine rebuilt, I connected to it directly with telnet and started probing around for putting a password (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and it was filled full of warnings about how to make sure you did this, set that compiler switch, and if you didn’t, things wouldn’t work, and you get to reflash the box.

This wasn’t how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn’t been compromised. I convinced myself that this is because the bad guys wouldn’t recognize the box as vulnerable.

As I grumbled and thought more about how to lock down the box and then something occurred to me — anyone who wants to own the box has to go to the same trouble to make it be a productive member of their botnet community as I do to do the opposite, but they’re at a disadvantage because they also have to protect it from me. Since it’s easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that has an open root shell, it’s not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proving old adage, “In the land of the blind lion, the one-eyed zebra doesn’t have to run very fast.”

A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.

UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.”

There are a couple of interesting quotes:

Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.

I raise my eyebrow a bit because of the words “often” and “invariably” appearing together. I side with the reporter on “often” and just don’t buy “invariably.” Nonetheless, if people believe that telling the police is the same as telling the press, they’ll refrain from telling the police.

However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.

I concur, and so the question is how to make sure that the proper notifications happen to the proper people at the proper time. That’s why there’s no rule set on this. More in another post.

Mommas, Don’t Let Your Babies Grow Up to be County Clerks

grandma-abilene.jpgAt first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing.

However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social Security Numbers violated state and Federal law punishable by jail time.

This means that the poor county clerks, who are tasked with redacting records, would be left holding the bag for any screwups. If I were such a clerk, not having some sort of protection would lead to my resignation.

I’m left wondering how we’re going to ensure that things get done correctly, but the larger issue is the way the government is reacting. I know that I speak for The President when I say that not everything that’s bad and needs to stop has to have jail time and fines on it.

It looks like the pendulum of breach control is swinging a bit wildly in Austin. Just go to SXSW, guys, have a beer, listen to some music, and be stable on this. Thanks for working to get this right.

Grandma Abilene” courtesy of Curran Andre Hugo.

Breach irony

According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law:

A laptop computer was stolen from the human resources department of Velocita
Wireless during a rash of office burglaries in the Woodbridqe, New Jersey area.
The laptop computer was one of many items stolen. It contained password-
protected files that included information (i.e.. name, date of birth, social security
number, salary and whether employee was enrolled in company health plan) about
aoproximatelv 255 former and current Velocita Wireless employees.

And from the notice sent to affected individuals:

CIBC, 470,000 Canadians, lost tape

I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that Canadians have SSNs.

Also note that 470,000 Canadians is roughly 1/60th of the population. An equivallent US breach would be 5 million people.

Via Pogo was right.

Credit Card Data Over AOL IM

From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shot which didn’t have a point of sale terminal so the clerk was IMing all credit card data to a friend who had one who would then run the credit card info for him.
[Via NoticeBored]

Information Exposed For 800,000 At UCLA

Apparently it’s Identity Theft Tuesday here on Emergent Chaos.
CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it took so long to be noticed, especially in light of Chancellor Abram’s letter which states:

We have a responsibility to safeguard personal information, an obligation that we take very seriously…I deeply regret any concern or inconvenience this incident may cause you.

It’s a real shame they didn’t have more effective security controls and monitoring systems in place. Maybe then this incident wouldn’t have happened or been detected and stopped much earlier.
[edit: fixed link to article]

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:

  1. Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;

  2. Failing to implement simple, low-cost, and readily available defenses to such attacks;

  3. Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;

  4. Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and

  5. Failing to employ measures to detect unauthorized access to consumers’ credit card information.

Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of enCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered a consent decree with the FTC.

International Breach Notices: The Future Is Unevenly Distributed

So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to Mark Hurd. Using a scandal as a pretext for promotion isn’t going to serve you well. But I digress.)

Organizations around the world are getting ahead of their problems by reporting them to their customers:
KRA computers stolen, which contains the interesting comment “A [Kenya Revenue Authority] official said the computers had crucial data on tax returns and it is likely that the data had no back up.”

On the other side of the world, “Computers with patient data stolen from Nagasaki hospital.”

Both via the Dataloss list.

The butler did it

There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or Scary Movie to succeed.
Anyhoo, I got that same “I know how this is going to end!” feeling when I read the following (via Dataloss):

Matrix Bancorp Inc. disclosed late Friday that it was investigating the
theft of two personal computers from the bank’s downtown branch on Friday,
July 28, one of which contained personal account information on an
undisclosed number of customers.
The bank said in a news release that thieves apparently entered offices in
the company’s headquarters tower at 17th and California streets in Denver
between 1:30 and 2:30 p.m., and removed the laptop computers while
staffers were away from their desks. One computer contains what the bank
called “certain proprietary information regarding Matrix Capital Bank and
some of its customers … ”

Denver Business Journal
But guess what? The folks at the bank proved me wrong, and threw in a plot twist:

The data, the bank said, is fully encrypted and password-protected

The article goes on to say that despite the use of encryption, the bank is still notifying potentially-impacted customers, and is supplying credit-monitoring and fraud detection services via Equifax.