Category Archives: News

Blameshifting is not a good defense strategy

Today, in my newsfeed, two stories about breaches caught my attention.

In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.

In the second story, a South Africa port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.

In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information onto others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.

Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.

On to the South Africa port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, and defense – while challenging – is absolutely possible.

The Breaches Will Continue

As I write this, it’s been one day since news of the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn officially denies that this is a breach, calling it a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

Why wait for a security breach to improve security?

Neiman Marcus is the victim of a security breach. Neiman Marcus provided a statement to journalist Brian Krebs:

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

I want to focus on one of Neiman Marcus’ statements:

We have … taken significant steps to further enhance information security.

Why do companies wait for a disaster to occur before making improvements that could have prevented the incident – saving the organization and its customers untold hours of lost productivity? Had Neiman Marcus taken these steps earlier, the breach might not have occurred. Or so we think.

Why do organizations wait until a security incident occurs before taking more aggressive steps to protect information?

  1. They don’t think it will happen to them. Often, an organization eyes a peer that suffered a breach and thinks, their security and operations are sloppy and they had it coming. But alas, those in an organization who think their security and operations are not sloppy are probably not familiar with their security and operations. In most organizations, security and systems are just barely good enough to get by. That’s human nature.
  2. Security costs too much. To them I say, “If you think prevention is expensive, have you priced incident response lately?”
  3. We’ll fix things later. Sure – only if someone is holding it over your head (like a payment processor pushing a merchant or service provider towards PCI compliance). That particular form of “later” never comes. Kicking the can down the road doesn’t solve the problem.

It is human nature to believe that another’s misfortunes can’t happen to us. Until it does.

Why there will always be security breaches

At the time of this writing, the Target breach is in the news, and the magnitude of the Target breach has jumped from 40 million to as high as 110 million.

More recently, we’re now hearing about a breach of Neiman Marcus.

Of course, another retailer will be the next victim. It is not so important to know who that will be, but why.

Retailers are like herds of gazelles on the African plain, and cybercriminals are the lions who devour them.

As lions stalk their prey, sometimes they choose their victim early and target them. At other times, lions run into the herd and find a target of opportunity: one that is a little slower than the rest, or one that makes a mistake and becomes more vulnerable. The slow, sick ones are easy targets, but the healthy, fatter ones are more rewarding targets.

As long as there are lions and gazelles, there will always be victims.

As long as there are retailers that store, process, or transmit valuable data, there will always be cybercriminals that attempt to steal that data.

TSA learns redaction lesson the hard way…


…and we will all pay for it. Today it has been made public that the TSA’s detailed airport security procedures manual has been posted to the Internet. The TSA was putting out some services to bid, and posted what they believed to be a redacted version of the document. Well, it turns out that the redaction technique they chose was ineffective.

Now that everyone can see TSA’s airport screening procedures in detail, they will have to resort to more pat-downs, wand scans, and body scans. Procedures for identifying CIA, air marshals, and law enforcement personnel may need to change as well.

Some of the details revealed in the procedures include:

  • The size of wires that can pass through magnetometers without setting alarms
  • Procedures used for screening liquids
  • Items that do not require extra screening such as wheelchairs and casts
  • Procedures for verifying the identity of CIA, NSA, air marshals, and other law enforcement personnel

See my earlier posting on redaction here.

Proper redaction of sensitive data in electronic documents is more than just covering up sensitive words and images. Instead, the sensitive information is actually removed from the file and replaced with a solid black box, so that the redacted text or image is not merely hidden “underneath” an overlay. Text that is only overlaid remains in the file and can be recovered by selecting and copying it, or by running any text-extraction tool against the document. I suspect that the TSA merely “covered” sensitive items without actually removing them from the document.
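To make the distinction concrete, here is an added example (not code from the original post) in Python. It builds a minimal single-page PDF from a constructed content stream, “redacts” it two ways, and then runs the kind of text extraction any PDF tool performs. The secret value, the page text and the box coordinates are invented for illustration.

```python
import re

# Constructed sample page: two lines of text, one of which contains a
# hypothetical sensitive value standing in for a screening parameter.
SECRET = "SECRET-1234"
PAGE_TEXT = [
    ("Screening procedure summary", 72, 720),
    (f"Alarm threshold: {SECRET}", 72, 700),
]

def content_stream(lines):
    """Render each (text, x, y) as a PDF text-showing operation (Tj)."""
    ops = [f"BT /F1 12 Tf {x} {y} Td ({text}) Tj ET" for text, x, y in lines]
    return "\n".join(ops).encode()

def cover_redact(stream: bytes) -> bytes:
    """The failed approach: draw a black rectangle over the second line.
    The Tj operator that shows the secret is untouched, so the text is still there."""
    box = b"\n0 g 150 696 120 14 re f"   # fill black, rectangle over the text (made-up coords)
    return stream + box

def true_redact(stream: bytes, secret: str) -> bytes:
    """The correct approach: rewrite the text operator so the secret is gone
    from the file, then draw the box where it used to be."""
    def repl(m):
        shown = m.group(1).decode()
        if secret in shown:
            return b"(" + shown.replace(secret, "[REDACTED]").encode() + b") Tj"
        return m.group(0)
    cleaned = re.sub(rb"\(([^)]*)\) Tj", repl, stream)
    return cleaned + b"\n0 g 150 696 120 14 re f"

def wrap_pdf(stream: bytes) -> bytes:
    """Wrap an uncompressed content stream in a minimal, valid PDF 1.4 file."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length " + str(len(stream)).encode() + b" >>\nstream\n" + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)

def extract_text(pdf: bytes) -> list[str]:
    """Pull every string shown with Tj out of the content streams.
    This is, in effect, what select-all/copy or any extraction tool does."""
    found = []
    for m in re.finditer(rb"\nstream\n(.*?)\nendstream", pdf, re.S):
        found.extend(s.decode() for s in re.findall(rb"\(([^)]*)\) Tj", m.group(1)))
    return found

def secret_recoverable(pdf: bytes, secret: str) -> bool:
    """Verification step a publisher should run before releasing a redacted file."""
    return any(secret in s for s in extract_text(pdf))

if __name__ == "__main__":
    base = content_stream(PAGE_TEXT)
    covered = wrap_pdf(cover_redact(base))
    removed = wrap_pdf(true_redact(base, SECRET))
    print("covered with a black box, secret recoverable:", secret_recoverable(covered, SECRET))
    print("text actually removed, secret recoverable:  ", secret_recoverable(removed, SECRET))
```

The covered version still yields the secret on extraction; only the version whose text operator was rewritten does not. Real documents add complications this toy skips (compressed streams, text split across several operators, scanned images with an OCR layer, metadata, comments and revision history), so use a redaction tool that rewrites the file rather than one that draws on top of it, and verify by extracting text from the result before publishing.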

News stories here:


Yahoo News

Washington Post

New York Times

FBI Mystery Man ID Thief Sentenced


FBI mystery man Scott Andrew Shain was sentenced to 30 months in prison.


Seattle Times

King 5 News

Earlier articles:

FBI Mystery Man Identified

Fake Fingerprints, Multiple Aliases, who is this guy?

U.S. Passport Cards Available

U.S. Passport Card



Actually they have been available for some time. While they are not valid for air travel, they are valid for auto and ship transportation out of and into the U.S.

As a citizen of Washington State, I go to Canada now and then, as well as Mexico, and in the past year have done so by car and by ship. So I’m thinking that this could be useful for me, to be able to carry a “passport” in my wallet.

I’m ordering one and will write about the experience.

Update 5/17/09 – Seattle Times article

Information is available here:

Wikipedia article on U.S. Passport Cards

Washington Times article, opponents fear counterfeiting

Published authors: stop the illegal file sharing hemorrhaging


Recently I was made aware of a file sharing site that reportedly had digital copies of published books, as well as music and other copyright content.  I had a look for myself, and found this to be true.

The site,, has thousands – maybe tens of thousands – of copyrighted books, music, and other content, freely online and available for anyone who wants to browse the site and download content.

Readers: it is illegal to post copyright content in any form online, unless you are the legal owner of the content or have written permission from the owner.  It is against the law.  Do not be deceived by the lure of free content.

Professionals: if you are found to be in possession of illegally copied protected content, you may be in jeopardy of losing your professional licenses or certifications.  You can also be sued by the copyright owner. will remove content on request.  It is necessary to state, in detail, who the owner of each item is, and why it should be removed.  Digital copies of many of my books were on the site, and I filed removal requests for each.  Yes, it was time consuming.  To request illegal content be removed, send an e-mail (with the full URL of the offending item(s)) to, or visit , click on the “Copyrighted Materials” link, and complete the short form there.

The extent of illegal content on is appalling – it is a cesspool of illegal content. A quick search showed that almost one thousand “For Dummies” titles were on the site.

Browsers are compromising our privacy


…and it’s not just Google.  IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first. What’s going on: text you type in the search or URL field is sent to Google, even if you don’t press Send. In other words, if you type in the word “breasts”, and then later decide that you should not be searching on that at work (or wherever you are), it’ll be sent to Google anyway. It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)

ID theft suspects in TJX heist arrested


Newswire stories are carrying a story that describes the arrest of several suspects in countries around the world in what is claimed as the largest ID theft ring in history. This group is accused of possessing over 40 million credit and debit cards, including those in the colossal TJX breach a couple of years ago.

The U.S. Department of Justice claims that some of those arrested are the same persons who broke into TJX’s network.  So this may not merely be a matter of the middlemen being caught, but the actual perpetrators of the TJX break-in.

Stories like this often fade into the background.  Criminal and court proceedings take a very long time and generally do not hold our interest.  Those in my profession (data security) will probably keep a closer eye on this matter than the general public.

Links to news story:

LA Times

CTV News

Bankinfo Security

AP via YouTube:

CISA Forum surpasses 3,000 members


(Seattle, WA) The CISA Forum, founded in 2002 by Peter H. Gregory, CISA, CISSP, has now exceeded 3,000 members.  The Forum continues to grow, with new members being added almost every day.

Created to assist and encourage professionals to pursue a career in data security and IT auditing and to earn the CISA certification, the CISA Forum contains an extensive e-mail archive, as well as collections of useful files and links.  CISA stands for Certified Information Systems Auditor, one of the most sought-after professional certifications in the information security profession.

One of the most important features is the addition of the CISA FAQ, written by Dinesh Bareja.  Gregory announced his vision of the CISA FAQ to Forum members on December 29, 2006, and Bareja took the initiative to create it.  A link to the FAQ is found on the CISA Forum site.

The CISA Forum is located here: .

The CISA certification is owned and managed by the Information Systems Audit and Control Association.  ISACA does not endorse or sponsor the CISA Forum.  Read more about the CISA certification here.

About ISACA.   With more than 65,000 members in more than 140 countries, ISACA ( is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

Microsoft smells the coffee


Maybe it’s because Microsoft is in Starbucks’ back yard – that or they are listening to the many complaints from corporate users who refuse to “upgrade” to Vista and stick with XP instead.

Steve Ballmer, Microsoft CEO, is quoted as saying, “If customer feedback varies, we can always wake up smarter,” referring to the onslaught of publicity that is beginning to make Vista look like a repeat of Windows Millennium Edition – the version of Windows that nobody wanted.

Ballmer insists that Vista is outselling XP. But of course – that’s because Microsoft all but prohibits computer manufacturers from bundling XP on computers, NOT because people want it. It would be like Ford Motor Company saying, “virtually all of our cars are selling with air bags.”

Microsoft is painfully aware that it has painted itself into a very tight corner with Vista. It knows that forcing users into Vista will instead force them to Apple and Linux in droves. Apple had a smashing good quarter – is it any wonder? Vista and other overpriced and underperforming software are making OSX and Linux look highly attractive these days. And Microsoft is too arrogant and proud to admit that it has made a mistake with Vista.

I ran Vista on systems, paid full price for Vista Ultimate last year, and I’ve reverted back to XP. I consider it money down the drain. I’m happy that I’m back on XP, which I consider vastly superior to Vista in nearly every category – at least those categories that count, like usability and performance. And for other categories like security, I consider it equal.

XP or bust

Windows XP


(More new articles – scroll to the bottom)

We run Windows XP on all of our home and work systems (which is almost 1,000 machines).

After mid-2008, we will have NO CHOICE but to purchase Vista when we want to purchase a Microsoft desktop operating system.

I ran Vista Ultimate for 10 months on a daily-use system and was SO FRUSTRATED with it that I switched back to XP Pro. The system runs much better, and all of our forensics software works properly again (most of the forensic tool vendors we work with are NOT producing Vista versions – I wonder why).

After mid-2008, if I’m in a jam, I’m switching to Linux. That is, unless Microsoft continues selling XP or some other decent OS. Vista? No way.

I’m conflicted even saying this. I have written a Vista book, but I still can’t stand the OS.

This reminds me of the Windows ME debacle almost ten years ago. Windows ME was pathetic, and most people skipped it and waited for the next OS, Windows 2000. Vista is the new “ME” – the Windows version that most corporations are turning their back on.

I’m also thinking of purchasing some OEM copies of XP just in case I need it after mid-2008.

If the next version of Windows (that is, the version after Vista) is also a bust, I’ll probably walk away from Microsoft’s products for good. Tens of thousands of you already have.

I believe I’m qualified to state this opinion. I’ve been using DOS and Windows daily since 1986. I also have 20 years’ daily-use experience with UNIX, and several years of experience with other operating systems (RSTS/E, KRONOS, VMS, RT-11, MacOS, and TOPS-10).

For more information:

Sign the “Save XP” petition today

Microsoft responds to “Save XP” petition

XP: Going, Going, Gone? Computerworld Magazine

Their passion is Windows XP

Sears/Kmart loading spyware on computers?


Update: Sears admits to installing spyware, claims it is disclosed in its 54 page privacy statement

A report published yesterday by Ben Edelman, an assistant professor at Harvard Business School, indicates that the retail giant is violating Federal Trade Commission policies in its distribution of ComScore, an application that tracks Web browsing activity. If the allegation is true, this could erupt into another privacy scandal, such as Sony’s loading rootkits on music CDs (story).

Is this another case of technologists doing what they want and not following company policy or the law? Too often, technologists design and build systems to their own specifications without having informed outsiders review those specifications. This could also be a case of poor product data management, if a low-level person sneaked the spyware into the final system image without getting anyone’s approval.

Or was this a brazen and deliberate violation of the law? Time will tell.

News story here.

TSA on Seattle’s Sounder commuter trains

(Seattle – Nov 19, 2007 07:33am) Several uniformed TSA personnel, apparently working in an official capacity, have been seen on the Seattle-area Sounder commuter train this morning.

Update 10:30am: Local radio station KPLU inquired with Sound Transit, who reported that TSA presence is part of a routine “be-seen”-type operation that TSA does with them from time to time. They indicate there’s no particular incident, alert or threat.

TJX breach twice the size of earlier estimates


It initially appeared that the size of the TJX breach was around 48 million credit cards, although the theoretical maximum was as high as 200 million cards. Recently, banks are finding that the TJX breach was more like 94 million cards. That’s nearly one credit card for every household in the U.S.

VISA and MasterCard have lost tremendous sums of money due to this breach alone. Losses are estimated at $1.04 to $1.28 per card, which translates into a total loss as high as $120 million. But the total cost of the incident will be much higher, close to $1 billion, when counting settlements and lost sales as well as the direct losses cited here.

It is common knowledge that the most likely attack vector was insecure wireless networks using the extremely weak WEP protocol. WEP was known to be weak in 2000, and yet six years later TJX (and thousands of other businesses) were relying upon it to protect their networks. That’s about as effective as a sign reading “Please don’t come in” on an unlocked door.

The Canadian government’s privacy commissioner released a report criticizing TJX for its weak security. This report is succinct in its findings, and is good reading if you have not yet read a detailed account of the TJX breach. TJX’s 10-K report is another good source of information.

TJX breach was twice as big as admitted, banks say (The Register)
Banks claim TJX breach twice as bad (ZDNet)

Is your ISP inserting ads in your browser?


Is your ISP inserting ads in your browser?  Possibly.  Some of them do.

What’s going on: some Internet Service Providers passively monitor the HTML flowing through their network to your PC. In a scheme to collect advertising revenue, they intercept the HTML and substitute their own ad content. They do this via a transparent proxy server that watches for opportunities to strip out the advertising content flowing from a web server and insert advertising content that the local ISP has sold.

This means that the advertiser who originally paid for your impressions has had their advertising replaced by another.

Here is an analogy, in case you’re having difficulty following this (and I wouldn’t blame you).

A national billboard company erects a billboard along a busy street and sells the space to a national company, and proceeds to put up an ad for that national company.  The national company pays the billboard company a fee for this service.

Then a local advertising company solicits advertising business, and illicitly replaces the ad on that billboard with one of its own. Neither the national company that paid for the advertising nor the national billboard company is aware of this.

And why is this a security issue?  Because the three principles of security are Confidentiality, Availability, and Integrity.  This gimmickry of replacing ad content violates the integrity of the content that the user requested from the website.

Is your ISP doing this to you?  Go to this website and find out.  It is run by the University of Washington and the International Computer Science Institute, as a public service and an experiment to see how many ISPs are doing this.  They are going to make their results public at the end of their experiment.  If your ISP is inserting ads, please PDF your results and send them to me, so that I can show others what such a result looks like.
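Here is an added example (not code from the original post or from the UW/ICSI experiment) in Python that simulates the substitution a transparent proxy performs on plain-HTTP traffic and shows two ways a receiving end can detect it: comparing a digest of the received page against a reference digest obtained over a path the proxy cannot alter, and diffing the received page against a reference copy to locate exactly what was injected. The HTML, advertiser names and ad text are constructed for illustration.

```python
import difflib
import hashlib
import re

# Constructed sample: the page the web server actually sends, carrying the
# ad unit the site sold to a (hypothetical) national advertiser.
ORIGINAL_HTML = """<html><head><title>News</title></head>
<body><h1>Headline</h1>
<div class="ad" data-advertiser="national-brand">Buy National Brand</div>
<p>Story text.</p></body></html>"""

def transparent_proxy_rewrite(html: str, isp_ad: str) -> str:
    """Simulates the ISP proxy: strip the site's ad unit from the in-flight HTML
    and substitute the ISP's own. The user never sees the original ad."""
    return re.sub(r'<div class="ad"[^>]*>.*?</div>',
                  f'<div class="ad" data-advertiser="local-isp">{isp_ad}</div>',
                  html, count=1, flags=re.S)

def body_digest(html: str) -> str:
    """SHA-256 of the page body as the server produced it."""
    return hashlib.sha256(html.encode()).hexdigest()

def verify_integrity(received_html: str, expected_digest: str) -> bool:
    """Integrity check: only meaningful if expected_digest reached the client over a
    channel the proxy cannot tamper with (hypothetically, a TLS-protected manifest).
    Any in-flight change to the body, ad swap or otherwise, makes this fail."""
    return body_digest(received_html) == expected_digest

def find_foreign_ads(html: str, trusted_advertisers: set[str]) -> list[str]:
    """Cheap heuristic: list ad units attributed to advertisers the site never sold to."""
    return [adv for adv in re.findall(r'data-advertiser="([^"]+)"', html)
            if adv not in trusted_advertisers]

def locate_tampering(reference_html: str, received_html: str) -> list[tuple[str, str]]:
    """Diff a known-good copy against what arrived, returning (change_type, received_fragment)
    for each altered region. This is the evidence to keep when reporting an ISP."""
    ref_lines, got_lines = reference_html.splitlines(), received_html.splitlines()
    matcher = difflib.SequenceMatcher(None, ref_lines, got_lines)
    return [(tag, "\n".join(got_lines[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]

if __name__ == "__main__":
    expected = body_digest(ORIGINAL_HTML)
    received = transparent_proxy_rewrite(ORIGINAL_HTML, "Buy Local Widgets")
    print("integrity intact:", verify_integrity(received, expected))
    print("foreign ad units:", find_foreign_ads(received, {"national-brand"}))
    for change, fragment in locate_tampering(ORIGINAL_HTML, received):
        print(f"{change}: {fragment}")
```

The digest check tells you that the page was altered; the diff tells you where and with what. The practical countermeasure is the one the experiment points toward: a transparent proxy can only rewrite content it can read, so serving pages over HTTPS denies the ISP the opportunity in the first place.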

Most Americans favor increased surveillance

Surveillance cameras


A recent ABC News poll shows that seventy-one percent of Americans are in favor of increased video surveillance in cities as an anti-crime measure.

London’s “Ring of Steel” surveillance system is the model for U.S. cities that are considering similar systems, including New York, Chicago, and Baltimore.

Poll results here:

More articles:

New York City plans “ring of steel”:

Border patrol checking Seattle island ferry runs for dirty bombs:

FBI implanted spyware leads to arrest of bomb threat suspect


The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

My earlier blog entry on whether anti-virus can detect law enforcement-installed malware.

Entire story here:

Most residential locks vulnerable to “lock bumping”


This article includes three videos from local television stations around the U.S.

The vast majority of residential door locks are susceptible to a technique known as lock bumping that can be used to quickly and easily unlock them. The mysterious disappearance of belongings from people’s homes is sometimes explained by this, since lock bumping gets a thief inside a home with no signs of forced entry.

Bump keys

Lock bumping is achieved using a specially cut key called a “bump key”.

Bump Key
a typical bump key

While bump keys open pin-and-tumbler locks that have been in use for over 80 years, the use of bump keys is a recent phenomenon, becoming popular within the past two or three years.

Earlier this year I was in an Infragard meeting that included a demonstration of bump keys. It is scary how easy they are to operate; with a minute of practice I was able to easily open residential locks. This is knowledge that I do not wish to have, but I feel uneasy knowing that common criminals are also learning about this.

Entire sets of bump keys that fit over 90% of residences are easily purchased from online sources, many of which are willing to sell to people who are not locksmiths. How-to videos are also readily available.

Laws still catching up

It is not universally illegal to own bump keys. Criminals may be able to escape prosecution on breaking-and-entering on the “I had a key” defense. When U.S. laws do catch up with this new phenomenon, many thousands of illegal bump key sets will be “out there” and homes will probably be vulnerable for decades to come.

Insurance and law enforcement

The use of bump keys as a means of entering a house is not universally known, which could lead to difficulties when dealing with insurance companies and law enforcement.

If someone robs your house and gained entry using a bump key, you may have trouble making an insurance claim. Insurance companies will suspect insurance fraud if you are trying to make a mysterious disappearance claim where there is no sign of breaking and entering.

Similarly, filing a police report for a bump-key related burglary may be problematic, as the police may wish to see evidence of forced entry.

Bump key countermeasures (things you can do to reduce the risk of bump-key enabled burglaries):

  • Electronic locks
  • Pets (which make noise when visitors approach)
  • Security systems
  • Bump-resistant locksets from Kaba (UK), Medeco, and Schlage Primus

If everyone were to run out and purchase bump-proof locksets or other countermeasures, home burglaries would not stop. Instead, burglars would return to other means of breaking into residences. But I do not feel that people will be running down to their local home improvement stores and locksmiths for new locksets. Not in 2007 anyway.

More information

WMC-TV Memphis, Tennessee, USA news story on lock bumping:

Fox-19 Cincinnati, Ohio, USA news story on lock bumping: