Category Archives: responsibility

In terms of cybersecurity and ransomware, most organizations are anti-vaxxers

Prologue: There are many opinions and points of view with regard to the origin and nature of COVID, the response to the pandemic (or plandemic if you prefer) and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks to my former colleague Jason Popp for coining the phrase that I’m borrowing.

In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”

Brilliant.

I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.

Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).

Ransomware presents several challenges. First, most companies that pay ransoms still don’t get their data back. And, more recently, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has stated that paying ransoms to cybercriminals is a violation of OFAC laws.

The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who know how to fix deficiencies and manage effective security governance, operations and response.

Or, just stop using computers.

Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was unlevel, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I was not looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in the moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Protect your Black Monday shopping with a quick tune-up

I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program running on their computer at all times.

[updated December 1, 2012]
Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware on their computers helped steal valuable information such as credit card numbers, online user IDs and passwords. A few minutes’ work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ . Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

If you are not sure whether your anti-virus software is working (or if your computer even has anti-virus software), you may wish to download and run Microsoft Security Essentials. This is a free anti-virus program from Microsoft. While some professionals may argue that this is not as effective as any of the commercial brands of anti-virus software (Sophos, Symantec, McAfee, Trend Micro, Panda, etc.), it’s better than having nothing at all.

December 1, 2012 Update: Microsoft Security Essentials has lost its certification as an effective anti-virus program. Full test results are available here in an easy-to-read chart. Note the absence of the “AVTest Certified” logo next to Microsoft Security Essentials.

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

Open Networking is a violation of the LinkedIn terms and conditions


It really irks me when I see people on LinkedIn who connect with anyone who is willing to accept a connection.  This is a blatant violation of the intentions – and the terms and conditions – of LinkedIn.

I connect only with people I know. I am VERY hesitant to connect with people who are promiscuous linkers, because I do not have any way to know which people in *their* network are trustworthy.

Today I saw a posting on a LinkedIn group that read,

“Let’s expand our network together. Open Networker Accepting All Invitations.”

I responded,

“In my own opinion this violates the LinkedIn terms and conditions. And I’m surprised to hear this from a CISSP and CISA who is supposed to uphold two different codes of ethics that require honesty in all professional dealings.

In LinkedIn, we are supposed to connect only with people that we *know*, NOT with everyone who will push a button. The LinkedIn Terms and Conditions, section 3, reads:

‘The purpose of LinkedIn is to provide a service to facilitate professional networking among users throughout the world. It is intended that users only connect to other users WHO THEY CURRENTLY KNOW and seek to further develop a professional relationship with those users.’ (emphasis mine)

How can you reconcile your requirement to abide by the LinkedIn terms and conditions, your statement, “Open Network Accepting All Invitations” and your codes of ethics that require you to respect laws, regulations, and rules?

As security professionals, we are supposed to lead by example. Otherwise, how are we supposed to expect others to do so if we PUBLICLY and brazenly violate them ourselves? Doing so compromises our ability to be effective in our professional work.”

The LinkedIn terms and conditions also say:

“Any other use of LinkedIn (such as seeking to connect to someone a user does not know or to use LinkedIn as a means of generating revenue through the sale of contacts or information to others) IS STRICTLY PROHIBITED AND A VIOLATION OF THIS AGREEMENT.”

Can this be any more clear?

Integrity and intellectual property


On some of my mailing lists I have seen messages recently that suggest that persons are willing to send and receive copyright materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyrighted materials such as study guides or study questions, there is a good chance that both the sender and receiver are breaking international copyright laws, which is both a crime and a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity. This will make you ineffective as IT audit professionals and leaders. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

ETrade teaching its customers to respond to phishing scams

ETrade is teaching its users to respond to phishing scams. I am an ETrade customer, and last week they sent me the message below.

ETrade isn’t helping its customers by sending messages like this, because it makes it all the more difficult for customers to distinguish genuine messages from phony ones.

* * *

Thu Mar 13 14:48:00 2008 – Account Service Fee
Dear PETER ,

Account #: XXXX-nnnn

On 03/26/08, your E*TRADE Securities account will be charged a $40 Account Service Fee (ASF) (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXXX).
If your account does not have enough funds to pay for the fee, E*TRADE Securities may sell securities in your account to cover the charge.
If you have questions about your account, call 1-800-ETRADE-1 (1-800-387-2331) or send a secure e-mail through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000). (To call from outside of the U.S., dial +1-678-624-6210).
Learn how to avoid incurring an Account Service Fee (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXX)

Review all the ways you can deposit money (https://us.etrade.com/e/t/estation/help?id=XXXXXXXXXXX)
PLEASE READ THE IMPORTANT DISCLOSURES BELOW
The E*TRADE FINANCIAL family of companies provides financial services that include trading, investing, cash management, and lending.
Securities products and services are offered by E*TRADE Securities LLC, Member FINRA(http://www.finra.org/)/SIPC(http://www.sipc.org/).

(c) 2008 E*TRADE FINANCIAL Corp. All rights reserved. The information contained in this Smart Alert is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=XXXXXXXX). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through the Online Service Center (https://us.etrade.com/e/t/accounts/servicecenterhome).

* * *
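To make the point concrete, here is an added example (mine, not ETrade’s and not from the original post) that extracts every link from the alert above and checks each link’s host against an exact allowlist of the hosts the genuine message uses. It also runs the same check over a constructed copy of the alert whose link hosts have been replaced with a reserved `.invalid` placeholder, to show that the message body is identical in both cases and only the link targets separate the two.

```python
import re
from urllib.parse import urlparse

# Hosts that the genuine E*TRADE Smart Alert quoted above actually links to
# (taken from the message text itself; an exact-match allowlist, not a pattern).
TRUSTED_HOSTS = {"us.etrade.com", "www.finra.org", "www.sipc.org"}

# Matches http/https URLs; stops at whitespace, parentheses, angle brackets and quotes
# so that "(https://host/path)." yields just the URL.
URL_RE = re.compile(r"https?://[^\s()<>\"']+")


def extract_urls(text):
    """Return every URL found in the message body, in order of appearance."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_link(url, trusted=TRUSTED_HOSTS):
    """Classify one link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the host merely *contains* a trusted name, e.g. a trusted
    host name used as the left-hand part of some other domain. A naive check
    such as `"us.etrade.com" in host` would wrongly accept it; exact matching
    against the allowlist does not.
    """
    host = host_of(url)
    if host in trusted:
        return "trusted"
    if any(t in host for t in trusted):
        return "lookalike"
    return "unknown"


def audit_message(text, trusted=TRUSTED_HOSTS):
    """Map each URL in the message to its classification."""
    return {url: classify_link(url, trusted) for url in extract_urls(text)}


def all_links_trusted(text, trusted=TRUSTED_HOSTS):
    """True only when every link in the message points at an allowlisted host."""
    verdicts = audit_message(text, trusted).values()
    return bool(verdicts) and all(v == "trusted" for v in verdicts)


# Excerpt of the genuine alert quoted in the post (the visible text and links).
GENUINE_ALERT = """On 03/26/08, your E*TRADE Securities account will be charged a $40 Account Service Fee (ASF) (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXXX).
If you have questions about your account, call 1-800-ETRADE-1 (1-800-387-2331) or send a secure e-mail through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000).
Securities products and services are offered by E*TRADE Securities LLC, Member FINRA(http://www.finra.org/)/SIPC(http://www.sipc.org/).
"""

# Constructed sample for testing the detector: the same wording, with the
# E*TRADE link hosts swapped for a reserved '.invalid' placeholder domain.
LOOKALIKE_ALERT = GENUINE_ALERT.replace(
    "https://us.etrade.com/", "https://us.etrade.com.example-login.invalid/"
)

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_ALERT), ("constructed", LOOKALIKE_ALERT)):
        print(f"{label}: all links trusted = {all_links_trusted(body)}")
        for url, verdict in audit_message(body).items():
            print(f"  {verdict:9s} {host_of(url)}")
```

The wording and phone number of both messages are the same, which is exactly the author’s complaint: a reader who is trained to act on the text has nothing to go on, so the only reliable signal is where the links actually point.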

What security professionals can learn from Eliot Spitzer


Eliot Spitzer, the [soon-to-be-former] governor of New York State has resigned due to his being involved in a highly publicized sex scandal.

Corporate security professionals, time to sit up and take notice. I’m talking to CISSPs, CISAs, CISMs, and those in positions of ISO, ISSO, CISO, as well as Manager / Director / VP of IT Security.

As I have opined before, we are obliged to lead our organizations by example, in terms of prescribing and demonstrating the desired behavior of employees in the protection of all corporate assets, including information. Leading by example means working transparently, working every hour as though others are watching.

Eliot Spitzer gave in to his carnal desires and indulged in prostitution because he thought that he could keep it hidden. But behavior is like pouring water onto a sponge: for a time the sponge will soak up the water, keeping its presence hidden; eventually, however, the water – like the illicit behavior – will overflow and be impossible to hide. Like a frog in slowly heating water, Gov. Spitzer probably indulged in small ways at first, then proceeded gradually until he was no longer in control of his behavior / addiction.

Security professionals, there are steps that you can take to avoid falling into a trap of undesired behavior:

1. Be accountable. Pick two or more peers with whom you can meet every week to discuss your activities. These individuals must be trustworthy and themselves above reproach.

2. When you feel the tug of undesired behavior, confide in these accountability partners. Then, listen to their advice; if it is sound, heed it.

3. When you partake in undesired behavior, confess it to your accountability partners. Listen to their counsel; if they are loyal and have personal integrity, they will not chastise you for your behavior but instead help you to get back onto the right track.

4. Keep no secrets. Tell your accountability partners everything that you do. Keep nothing back. Share even the deep recesses of your “thought life” – which is the kernel of future behavior.

While it will be convenient to select accountability partners from the workplace, you should not choose your superiors or your staff. Instead I recommend that you choose individuals in your organization who you do not work with routinely or, better yet, choose individuals who do not work in your organization.

You can only be accountable to others when you allow yourself to be accountable to you.

Some principles of behavior:

A. If you were an outsider and would judge or criticize your own behavior, spend more time seriously considering what you are doing, and get yourself onto a path of change.

B. Do not be afraid to ask for help.

C. Learn to forgive yourself for your mistakes.

D. Do not give up.

There is an old saying: “There is no such thing as a complete failure; they can always be used as a bad example.” Gov. Spitzer may be a bad example today, but his example should help others to be introspective and re-examine their own behavior.

Remember the security professional codes of ethics:

(ISC)²
ISACA
ASIS
CTIN
ISSA
GIAC
InfraGard
SANS
NCISS

Other postings:

CIA Triad also the basis for our ethical behavior

A call for character and integrity

Principles that guide the Christian security professional

Personal integrity the keystone in an information security career

Integrity begins within: security pros lead by example (Computerworld)

U.S. state cell phone laws


I ran across a nice web site that lists cell phone laws for all 50 U.S. states. The site is maintained by the Governors’ Highway Safety Association, so I’ll presume that they’ll keep it reasonably up to date. Legislation passed by my state last week is already on the site.

I’ve got my bluetooth headset already, and I use voice-activated dialing or speed dialing to avoid distractions while driving.

http://www.ghsa.org/html/stateinfo/laws/cellphone_laws.html

Americans must take personal responsibility to curb identity theft


I have been thinking a lot about identity theft as I’ve covered the massive TJX security breach this year. I have recently reported that the size of the breach has increased from its original 47 million cards to 94 million cards, which is nearly one card per U.S. household.

The TJX breach certainly is a high-watermark breach, but it’s nowhere near the only one, nor the only big security breach. To get an idea of just how many security breaches there have been and where they have occurred, the Privacy Rights Clearinghouse has chronicled a history of security breaches here.

The credit issuing and reporting system in the U.S. is out of control. Rather, it might be more accurate to say that the credit system has not institutionalized changes to reflect changing risks in the Internet era. The factors that have led to the epidemic of data security breaches include:

  • The proliferation of financial and private information in banking, merchant, service provider, and consumer information systems
  • The exuberance with which creditors grant credit to consumers
  • The lack of controls to ensure that the person requesting credit is actually who they claim to be

If we just sit around and wait for the government to fix this, we’ll all be robbed blind first. We must take some action on our own, now, until the credit system introduces effective controls on its own. I recommend you take these measures to protect yourself.

  1. Set up a fraud alert with one or more of the three credit bureaus (Experian, TransUnion, Equifax). This will alert you to any changes in your credit file.
  2. Examine your credit report carefully at least once per year.
  3. Close credit accounts that you no longer use.
  4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
  5. Reduce or discontinue your use of credit.
  6. Pay cash. Whenever you are paying with a credit or debit card, you are leaving information behind that can be used to commit fraudulent transactions.
  7. Double-lock your banking and credit information in your home and place of business. In other words, put all documents containing private and financial information in a safe or locked room within your home or business.

While it is true that all of these measures take time and money, they take far less of each than the effort required to clear your credit if you fall victim to identity theft.

We have been victims ourselves. My wife’s driver’s license was stolen, and it was subsequently used to write bad checks in her name. My credit card number (and name+billing address) was stolen from employees at a shipping company, and over $2,500 in fraudulent transactions charged against my debit card. Neither resulted in a wide-scale identity theft against us, but they could have had we not taken action quickly.

Don’t wait for someone else to fix this for you.

Annual Report: Center for Information and Cybersecurity for Academic Year 2006-07


Written by Dr. Barbara Endicott-Popovsky, Director

University of Washington Center for Information and Cybersecurity

Overview

This past academic year was pivotal for the Center—a time to look back at our accomplishments and to prepare for taking significant steps forward in 2007-2008.

Last year was marked by two major accomplishments. First, our Center received re-certification from the NSA as a Center of Excellence in Information Assurance Education. To receive this recognition required demonstration that our academic offerings have grown since inception. Our application showed significant progress, and there is even more to come!

The second achievement is personal. I completed my doctoral studies in Computer Science/Computer Security with Dr. Deborah Frincke as major professor. My dissertation: A Methodology for Calibrating Forensic-Ready, Low Layer Network Devices, resulted in 17 publications in national and international venues.

2006-2007 Highlights

During this same period, the Center continued advancing information assurance at the University of Washington, establishing annual venues highlighting the University’s commitment to the field.

  • The Unintended Consequences of the Information Age lecture series—a collaboration among the iSchool, the Law School, CSE, URBP, UWEO, the CISO, UWTV—broadcasts programs of interest to the general public on current information security topics.
  • NWSec Conference at Tacoma—a collaboration among UWIT, the Tacoma student GreyHat organization, CSE, the iSchool, the CISO, local industries in South Sound—provides a venue for student and faculty research, as well as a platform for presentation by national experts.
  • Information Security Compliance and Risk Management Institute (ISC-RMI)—a collaboration among the iSchool, the CIAC, the Shidler Center (Law School), CSE, UWEO, the CISO, Microsoft, Christiansen IT Law—brings together a distinguished faculty that includes information security and privacy professionals, attorneys and compliance professionals from around the country to present and discuss the protection and use of information and computer systems.
  • Annual Northwest Regional Collegiate Cyber Defense Exercise—a collaboration among the iSchool, UWEO, UWIT, the student GreyHat group, the US Military Academy at West Point, Ft. Lewis. This competition challenges college teams of graduate/undergraduate students to manage and protect an existing “commercial” network infrastructure. This year 5 schools participated—the iSchool, UWIT, Highline Community College, University of Alaska Fairbanks.

In addition, many of the Center’s participating departments made significant strides in information assurance research (a selection of publications is enumerated below). This provides an excellent basis for achieving certification as an NSA Center of Excellence in Information Assurance Research (CAE-R), an opportunity offered us by the NSA this month. I’ll be seeking consensus among participating departments before moving forward.

———————————————————————————————————————————————–

2006-2007 CIAC Achievements

Academics

  • Information Assurance and Cybersecurity Certificate

The Information School and UW Educational Outreach graduated its 3rd Cohort (25 students) for the Information Assurance and Cybersecurity Certificate. The 4th Cohort has 34 students—22 non-matriculated and 12 graduate students. Current students will assist in research projects from the ISC-RMI and the New Zealand Honeynet Project.

  • Cyber Attack/Defend Exercises at Ft. Lewis

For the 3rd year running, West Point conducted cyber attack/defend training at Ft. Lewis for iSchool and UWIT students. Several interested universities attended at the Center’s invitation. This year the Center will expand this effort to launch a regional contest to include student teams from local community colleges, University Hawaii Manoa, University of Alaska/Fairbanks, Idaho and Eastern Washington. As plans firm, we will notify interested departments about how students can get involved.

  • Information Assurance Online Course

A course in Information Assurance was designed for online delivery in collaboration with UWEO and the Information School through a grant received from the NSA. It was offered through rolling enrollment beginning in Summer and prepares students to protect their own home networks.

  • Special Topics in Computer Security (CSE)

Tadayoshi Kohno began offering a graduate seminar in Computer Security topics that will be repeated again this year.

  • OWASP Training

The CISO’s office brought OWASP (Open Web Application Security Project) training to campus, opening the opportunity to select students to fill available seats. This program trains staff and students in secure coding practice.

  • Information Assurance Scholarship Program

The IASP (Information Assurance Scholarship Program) admitted the 2nd student from the University of Washington, Ryan Bird, who is finishing his MSIM degree in the Information School. Patrick Tague, our 1st scholarship student, will be going to work with SPAWAR in San Diego upon graduation with his PhD in Electrical Engineering, where he is studying with Radha Poovendran.

This year, the Strategic Planning for Critical Infrastructures master degree program in Urban Planning qualified for scholarships for DOD civilian and military students through an agreement developed with the National Defense University.

Outreach

  • The Unintended Consequences of the Information Age Lecture Series.

1) Lecture 1: Privacy: Reconciling Reality aired over UWTV and the Research Channel during Fall and Winter. Jointly sponsored by the CIAC and the Information School with assistance from PNNL, it is ably moderated by Ed Lazowska and will be scheduled for airing again this year.

2) Lecture 2: At Odds: Victims Rights vs. Free Speech aired over UWTV and the Research Channel during Fall and Winter. Jointly sponsored by the CIAC, the Shidler Center, the Information School, and the Law School, with assistance from PNNL, this second installment in the series was introduced by Rob McKenna, the State’s Attorney General and will be scheduled for airing again this year.

3) Lecture 3: Our Infrastructures: Online and Vulnerable? was edited over the summer and will air this year in 3 segments. Jointly sponsored by INSER, the Master of Science in Strategic Planning for Critical Infrastructure from the Department of Urban Planning, the CIAC, and the Information School with support from T-Mobile, this series provides a compelling case for increased research in cybersecurity as related to critical infrastructure.

4) Winter and Spring, 2 more lectures are planned. Thus far, I’ve received recommendations that include music download impacts, and the challenges of e-voting! I will be seeking more suggestions from other departments for compelling topics!

  • Grey Hat Conferences in Tacoma

Orlando Baiocchi, UWIT, guiding the Tacoma Grey Hat group, held two events last year—The NWSec in Winter and the IP3 security seminar in Spring. They will repeat these events this year.

  • ASTAR Conference

In collaboration with the Law School, the iSchool and the National Resource Judge Program, the CIAC participated in judicial education on digital forensic evidence; 56 judges from the Western region and the Pacific Rim attended.

  • SADFE Conference

Working with Northwest Security Institute (NSI), The Boeing Company and PNNL, the Center supported, and was part of the organizing team, for SADFE (Systematic Approaches to Digital Forensic Engineering) held in Seattle in April 2007. The NSI, a local non-profit organization, promotes and attracts information assurance events to the Seattle area.

  • MOU with University of Hawaii Manoa

This summer, the Center continued to collaborate, under a memorandum of understanding, with the Information and Computer Science Department at the University of Hawaii Manoa, an EPSCoR university. ICS wishes to launch its own Center this year; the CIAC has received funding to assist them in developing curriculum, their NSA-CAE application, and a collaborative research agenda with the University of Washington.

Research

Information Assurance research is being conducted across the university. A sample list of publications in this area is provided below. A researcher was selected from three departments active in the Center—Computer Science and Engineering, Electrical Engineering and the Information School—to demonstrate the depth and breadth of activity at the University.

Computer Science and Engineering: Steve Gribble

1. SpyProxy: Execution-based Detection of Malicious Web Content, by Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy. To appear in the Proceedings of the 16th USENIX Security Symposium (USENIX Security 2007), Boston, MA, August 2007.

2. HomeViews: Peer-to-Peer Middleware for Personal Data Sharing Applications, by Roxana Geambasu, Magdalena Balazinska, Steven D. Gribble, and Henry M. Levy. To appear in the Proceedings of the 2007 SIGMOD International Conference on Management of Data (SIGMOD 2007), Beijing, China, June 2007.

3. Why We Search: Visualizing and Predicting User Behavior, by Eytan Adar, Daniel Weld, Brian Bershad, and Steven Gribble. To appear in the Proceedings of the 16th International World Wide Web Conference (WWW 2007), Banff, Alberta, Canada, May 2007.

4. The Importance of History in a Media Delivery System, by Richard Dunn, Henry Levy, Steven Gribble, and John Zahorjan. Proceedings of the 6th International Workshop on Peer-to-Peer Systems (IPTPS 2007), Bellevue, WA, February 2007.

5. Cutting through the Confusion: A Measurement Study of Homograph Attacks, by Tobias Holgers, David E. Watson, and Steven D. Gribble. Proceedings of the 2006 USENIX Annual Technical Conference (USENIX ’06), Boston, MA, May 2006.

6. A Safety-Oriented Platform for Web Applications, by Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy. Proceedings of the 2006 IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.

7. A Crawler-based Study of Spyware on the Web, by Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS 2006), San Diego, CA, February 2006.

Electrical Engineering: Radha Poovendran

1. Basel Alomair, Loukas Lazos, and Radha Poovendran, Passive Attacks on a Class of Authentication Protocols for RFID, to appear in International Conference on Information Security and Cryptology, 2007.

2. Krishna Sampigethaya, Mingyan Li, Leping Huang and Radha Poovendran, AMOEBA: Robust Location Privacy Scheme for VANET, to appear in IEEE JSAC Special Issue on Vehicular Networks, October 2007.

3. Krishna Sampigethaya, Mingyan Li, Radha Poovendran, Richard Robinson, Linda Bushnell, and Scott Lintelman, Secure Wireless Collection and Distribution of Commercial Airplane Health Data, to appear in AIAA/IEEE Digital Avionics Systems Conference (DASC), 2007.

4. Patrick Tague, Mingyan Li and Radha Poovendran, Probabilistic Mitigation of Control Channel Jamming via Random Key Distribution, to appear in IEEE Annual International Symposium on Personal Indoor and Mobile Radio Communications (PIMRC), 2007.

5. Javier Salido, Loukas Lazos, and Radha Poovendran, Energy and Bandwidth-Efficient Key Distribution in Wireless Ad-Hoc Networks: A Cross-Layer Approach, to appear in IEEE/ACM Transactions on Networking, 2007.

6. Patrick Tague and Radha Poovendran, A Canonical Seed Assignment Model for Key Predistribution in Wireless Sensor Networks, to appear in ACM Transactions on Sensor Networks, 2007.

7. Loukas Lazos, Radha Poovendran, and Jim Ritcey, Probabilistic Detection of Mobile Targets in Heterogeneous Sensor Networks, Proceedings of 6th International Symposium on Information Processing in Sensor Networks (IPSN), April 2007.

8. Mingyan Li, Rainer Falk, Florian Kohlmayer, Andreas Koepf, Radha Poovendran, High-Assurance SDR-based Avionics RFID System, to appear in 2007 SDR Forum Technical Conference, 2007.

9. Richard Robinson, Krishna Sampigethaya, Mingyan Li, Scott Lintelman, Radha Poovendran, David von Oheimb, Secure Network-Enabled Commercial Airplane Operations: IT Support Infrastructure Challenges, to appear in First CEAS European Air and Space Conference Century Perspectives (CEAS), 2007.

10. Richard Robinson, Mingyan Li, Krishna Sampigethaya, Radha Poovendran, Scott Lintelman, David von Oheimb, Jens-Uwe Buer, Impact of Public Key Enabled Applications on the Operation and Maintenance of Commercial Airplanes, to appear in AIAA Aviation Technology, Integration and Operations (ATIO) conference, 2007.

11. Richard Robinson, Mingyan Li, Krishna Sampigethaya, Radha Poovendran, Scott Lintelman, David von Oheimb, Jens-Uwe Buer, Jorge Cuellar, Electronic Distribution of Airplane Software and the Impact of Information Security on Airplane Safety, to appear in International Conference on Computer Safety, Reliability and Security (Safecomp), 2007.

12. Loukas Lazos, Radha Poovendran, and Jim Ritcey, On the Deployment of Heterogeneous Sensor Networks for Detection of Mobile Targets, International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt), April 2007.

13. Mingyan Li, Iordanis Koutsopoulos, and Radha Poovendran, Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks, IEEE INFOCOM, 2007.

14. Richard Robinson, Krishna Sampigethaya, Mingyan Li, Scott Lintelman, Radha Poovendran, David von Oheimb, Challenges for IT Infrastructure Supporting Secure Network-Enabled Commercial Airplane Operations, to appear in American Institute of Aeronautics and Astronautics (AIAA) Infotech@Aerospace conference, 2007.

15. Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks, Radha Poovendran, Cliff Wang, and Sumit Roy (ed.), Advances in Information Security series, Vol. 30, Springer, 2007, ISBN 978-0-387-32721-1.

Information School: Barbara Endicott-Popovsky

1. Taylor, C.A., Endicott-Popovsky, B.E. and Frincke, D.A., Specifying Digital Forensics: Formalizing Forensics Policies, in Proceedings of the Annual Meeting of the Institute for Operations Research and Management Science (INFORMS) Conference 2007, 4-7 November 2007, Seattle, WA, pp. TBD.

2. Endicott-Popovsky, B., Frincke, D., and Taylor, C. (2007), A Theoretical Framework for Organizational Network Forensic Readiness, The Journal of Computers, Issue 3.

3. Endicott-Popovsky, B. and Frincke, D., The Observability Calibration Test Development Framework, in Proceedings from the Eighth IEEE Systems, Man and Cybernetics Information Assurance Workshop, 20-22 June 2007, United States Military Academy, West Point, NY.

4. Seifert, C., Steenson, R., Welch, I., Komisarczuk, P., Endicott-Popovsky, B., Capture: A Tool for Behavioral Analysis of Applications and Documents, in Proceedings of the 7th Digital Forensic Research Workshop, Pittsburgh, PA, 13-15 August 2007.

5. Taylor, C., Endicott-Popovsky, B., and Frincke, D., Specifying Digital Forensics: A Forensics Policy Approach, in Proceedings of the 7th Digital Forensic Research Workshop, Pittsburgh, PA, 13-15 August 2007.

6. Endicott-Popovsky, B.E., Chee, B. and Frincke, D.A. (2007), Calibration Testing of Network Tap Devices, Chapter 3 in Advances in Digital Forensics III, Springer, New York.

7. Endicott-Popovsky, B.E. and Frincke, D.A., Embedding Hercule Poirot in Networks: Addressing Inefficiencies in Digital Forensic Investigations, in Proceedings of the Human Computer Interface (HCI) Conference 2007, Beijing, China, 20-27 July 2007.

8. Endicott-Popovsky, B.E., Fluckiger, J.D. and Frincke, D.A., Establishing Tap Reliability in Expert Witness Testimony: Using Scenarios to Identify Calibration Need, in Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, WA, 10-22 April 2007.

9. Taylor, C., Endicott-Popovsky, B., and Phillips, A., Forensics Education: Assessment and Measures of Excellence, in Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, WA, 10-22 April 2007.

10. Endicott-Popovsky, B.E., Chee, B. and Frincke, D., Role of Calibration as Part of Establishing Foundation for Expert Testimony, in Proceedings of the 3rd Annual IFIP WG 11.9 Conference, January 29-31, Orlando, FL.

11. Erbacher, R., Endicott-Popovsky, B.E., Frincke, D., Challenge Paper: Validation of Forensic Techniques for Criminal Prosecution, in Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, 10-22 April 2007, Seattle, WA, pp. 150-151.

Grants

The CIAC continues to pursue grants through government and corporate sources. This year the Center received a $68,000 NSA grant funding a scholarship student (Ryan Bird–the iSchool/MSIM program) and 2 education projects, with an option for $213,000 for scholarships to DOD students applying through the IASP-DOD program. During 2007-2008 a major fund-raising effort will be launched to sustain and grow the Center.

Personal integrity the keystone in an infosec career


The information security field is experiencing a high rate of growth in virtually every industry in every corner of the world.

More than almost any other profession, information security places high demands for personal integrity on all practitioners, regardless of the specialty practiced. In general, information security professionals act as consultants to many business departments and functions, providing guidance or performing analysis in order to identify and reduce risks. Information security professionals often act as “change agents”, influencing how other employees do whatever it is that they do, but in a way that reduces risk. Here are some examples:

  • Workstation use. If we tell people not to install unsupported programs, then we should not do so either. If we tell people to lock their workstations and take measures to prevent their accidental loss, then we must also take those same precautions.
  • Internet usage. If we tell people not to visit unsafe sites, then we should follow suit. If we tell people not to propagate chain letters, then we should not do so either.
  • Data protection. If we instruct employees to encrypt sensitive data, then we must also encrypt sensitive data.

In short, we lead by example. To be caught doing what we say others should not do will diminish our credibility. Without our credibility, how can we expect others to follow our lead?

Personal integrity spills over into our personal life. Integrity knows no boundaries. If we lie, cheat, and steal outside of work, that taints our judgment and impairs our ability to perform at the level required of us. If we perform to a low standard on or off the job, we will tend to expect less of others, and we’ll be less apt to challenge others on their own actions. That will make us far less effective.

OpenDNS now blocks porn and more


OpenDNS is a useful tool for controlling access to some classes of websites on the Internet. OpenDNS has added a wide range of DNS filtering capabilities to its service.

Sorry, I probably lost most of you with that last statement. Let me explain.

DNS, or Domain Name System, is the Internet’s address book. DNS translates names like www.cnn.com (the hostname part of a web address, an e-mail destination, or any other Internet service) into numeric IP addresses like 64.236.91.22. These IP addresses are what our browsers and e-mail programs actually use to send and receive information. But since names like cnn.com are easier to remember, we use those instead, and DNS does the translation for us without our even having to think of it. That is also what makes DNS a convenient control point: whoever answers your DNS queries decides which names resolve at all.

Now, back to OpenDNS. Among its capabilities:

  • Adding multiple networks, each with its own settings, which include:
    • Six different options for blocking adult-related sites
    • A customizable list of domains to block
    • Blocking of known phishing sites
    • A custom image and/or text to display when a blocked domain is requested
    • Shortcuts (e.g. “mail”) that take you to full domains (e.g. “mail.yahoo.com”)
    • Typo correction (e.g. “my.yhoo.com” takes you to “my.yahoo.com”)
    • Full statistics

I am using OpenDNS on my family’s home network, by configuring our home router. This method may prove useful for families. Configuring the router, and password-protecting the router, will prevent family members from circumventing OpenDNS by twiddling settings on individual PCs. Keep in mind what this does and does not do: it only filters lookups that actually go to OpenDNS, so a machine configured to use a different resolver, or a site reached directly by its IP address, bypasses it. The router password is what makes the control stick.

There’s nothing to download, and it’s free. Just set your PC or (better yet) home router configuration to use the following two IP addresses for DNS: 208.67.222.222 and 208.67.220.220.
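To make the mechanism concrete, here is an added example in Python of how a DNS-based filter of this kind works. It is not OpenDNS’s code and not from the original post: it parses a real DNS query packet, matches the queried name (and any subdomain of it) against a small blocklist, and answers a blocked A query with a synthetic record pointing at a block-page address, which is what produces the “this site is blocked” page. Anything not on the list is returned as None, meaning a real resolver would forward it upstream. The blocklist and the block-page address 192.0.2.1 (a documentation range) are assumptions for the example; OpenDNS uses its own.

```python
import socket
import struct

# Constructed for this example: a hypothetical block-page address (RFC 5737
# TEST-NET-1) and a tiny blocklist. A real service uses its own of both.
BLOCK_PAGE_IP = "192.0.2.1"
BLOCKLIST = ["example.net", "ads.example.org"]


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name at offset; follows compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query (default: type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, qname, qtype, qclass, end_offset) for the first question."""
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, off + 4


def is_blocked(name, blocklist):
    """True if name equals a blocked domain or is a subdomain of one.
    Case-insensitive; a trailing dot is ignored; 'notexample.net' does
    not match 'example.net'."""
    name = name.rstrip(".").lower()
    for blocked in blocklist:
        blocked = blocked.rstrip(".").lower()
        if name == blocked or name.endswith("." + blocked):
            return True
    return False


def filter_query(query, blocklist=BLOCKLIST):
    """Return a synthetic response for a blocked name, or None when the
    query is not blocked and should be forwarded to an upstream resolver."""
    txid, name, qtype, qclass, qend = parse_question(query)
    if not is_blocked(name, blocklist):
        return None
    question = query[12:qend]
    if qtype != 1 or qclass != 1:
        # Blocked, but not an IN A query: reply with an empty answer section
        # rather than a record of the wrong type.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # Answer: pointer to the question name at offset 12, type A, class IN,
    # TTL 60 s, 4 bytes of rdata holding the block-page address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(BLOCK_PAGE_IP)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def answer_ips(response):
    """Extract the IPv4 addresses from a response's answer section."""
    _, _, _, _, off = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    ips = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    for host in ["www.example.net", "example.com", "WWW.ADS.EXAMPLE.ORG."]:
        resp = filter_query(build_query(host))
        print(host, "->", answer_ips(resp) if resp else "forward upstream")
```

Wired to a UDP socket on port 53, `filter_query` would run on every incoming packet and `None` would trigger the forward; the point to notice is that the client gets a perfectly well-formed answer, just not the one the domain owner published. That is also why the control only holds for clients that actually send their queries here.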

Also see my post on ScrubIT.

Retailers not learning from the TJX breach


By George Ou / ZDNet

When I blogged earlier this week about TJX‘s failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn’t already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX’s WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP. I decided to stroll through town and check on some of the largest retail stores in the country to see how they’re doing today. The reason I looked at the large retailers is because they’re the big juicy targets with millions of credit card transactions that the TJX hackers love. What I found was truly disturbing and I’m going to tell you what I found.

Lowes… Sears… J.C. Penney… Macy’s… Best Buy… PetSmart… Office Depot…

Most are doing poorly.

Entire article here:

http://blogs.zdnet.com/Ou/?p=487

For an interesting account of the TJX breach, read their 10-K


TJX, parent corporation of TJ Maxx and notorious for the recent colossal credit card breach of 2006 (we weren’t told until 2007, but I digress), is a U.S. public company. As such, it is required to file an annual report with the SEC called a Form 10-K (the quarterly filing is the 10-Q).

TJX’s 10-K provides a chilling account of the breach, from discovery through disclosure to law enforcement, and finally the public. It details what they know and don’t know.

Here is how the long narrative begins…

COMPUTER INTRUSION

We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data. We do not know who took this action and whether there were one or more intruders involved (we refer to the intruder or intruders collectively as the “Intruder”), or whether there was one continuing intrusion or multiple, separate intrusions (we refer to the intrusion or intrusions collectively as the “Computer Intrusion”). We are engaged in an ongoing investigation of the Computer Intrusion, and the information provided in this Form 10-K is based on the information we have learned in our investigation to the date of this Form 10-K. We do not know what, if any, additional information we will learn in our investigation, but that information could materially add to or change the information provided in this Form 10-K.

…the above contains some of the legalese (the terms “Intruder” and “Computer Intrusion” used throughout the report). The report continues with a description of the discovery…

Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.

On January 13, 2007, we determined that additional customer information had apparently been stolen from our computer systems.

On January 17, 2007, we publicly announced the Computer Intrusion and thereafter we expanded our forensic investigation of the Computer Intrusion.

On February 18, 2007, in the course of our ongoing investigation, we found evidence that the Computer Intrusion may have been initiated earlier than previously reported and that additional customer information potentially had been stolen. On February 21, 2007, we publicly announced additional findings on the timing and scope of the Computer Intrusion.

…so that’s the timeline on the discovery. Their actions in quickly involving law enforcement and the banks at all levels are laudable and appropriate. Then again, they knew that this was a serious situation, and they’d be criticized for a slow response later if they didn’t act quickly.

The report continues by describing the timeline of the intrusions:

Timing of Computer Intrusion. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after December 18, 2006.

…short and to the point.

Next, TJX talks about the systems affected. This is where it gets interesting, because we get the impression that they aren’t really sure which systems were compromised, or from which systems data was stolen:

Systems Affected in the Computer Intrusion. We believe that information was stolen in the Computer Intrusion from a portion of our computer systems in Framingham, MA that processes and stores information related to payment card, check and unreceipted merchandise return transactions for customers of our T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and our Winners and HomeSense stores in Canada (“Framingham system”) and from a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland (“Watford system”). We do not believe that the Computer Intrusion affected the portions of our computer systems handling transactions for customers of Bob’s Stores, or check and merchandise return transactions at T.K. Maxx. We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system, they are separately encrypted in U.S., Puerto Rican and Canadian stores at the PIN pad, and because we do not store PINs on the Watford system. We do not believe that information from transactions using debit cards issued by Canadian banks at Winners and HomeSense that were transacted through the Interac network was compromised. Although we believe that information from transactions at our U.S. stores (other than Bob’s Stores) using Canadian debit cards that were transacted through the NYCE network were processed and stored on the Framingham system, we do not believe the PINs required to use these Canadian debit cards were compromised in the Computer Intrusion. We do not process or store names or addresses on the Framingham system in connection with payment card or check transactions.

…we can speculate on the reasons why TJX doesn’t know which systems were affected. Could it be that the intruder(s) wiped the audit logs, or accessed the data in a way that didn’t show up in the audit logs at all?

There are also some hints that TJX was not following PCI requirements on what cardholder information may be stored and what may not. Note that they say “We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system…” !! It sounds like PIN blocks were being stored on the “Framingham system”, which is a clear violation of PCI requirements. The PIN is sensitive authentication data: a merchant must never retain it after authorization, and encrypting it at the PIN pad first does not change that, since the PCI DSS prohibition covers the encrypted PIN block as well. The same rule applies to full track 2 data and card verification codes.

Next, the report describes the data that was stolen.

Customer Information Believed Stolen. We have sought to identify customer information stolen in the Computer Intrusion. To date, we have been able to identify only some of the information that we believe was stolen. Prior to discovery of the Computer Intrusion, we deleted in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen.

Based on our investigation, we have been able to determine some details about information processed and stored on the Framingham system and the Watford system. Customer names and addresses were not included with the payment card data believed stolen for any period, because we do not process or store that information on the Framingham system or Watford system in connection with payment card transactions. In addition, for transactions after September 2, 2003, we generally no longer stored on our Framingham system the security data included in the magnetic stripe on payment cards required for card present transactions (“track 2” data), because those data generally were masked (meaning permanently deleted and replaced with asterisks). Also, by April 3, 2006, our Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. For transactions after April 7, 2004 our Framingham system also generally began encrypting (meaning substituted characters for the actual characters using an encryption algorithm provided by our software vendor) all payment card and check transaction information. With respect to the Watford system, masking and encryption practices were generally implemented at various points in time for various portions of the payment card data.

Until discovery of the Computer Intrusion, we stored certain customer personal information on our Framingham system that we received in connection with returns of merchandise without receipts and in some check transactions in our U.S., Puerto Rican and Canadian stores (other than Bob’s Stores). In some cases, this personal information included drivers’ license, military and state identification numbers (referred to as “personal ID numbers”), together with related names and addresses, and in some of those cases, we believe those personal ID numbers were the same as the customers’ social security numbers. After April 7, 2004, we generally encrypted this personal information when stored on our Framingham system. We do not process or store information relating to check or merchandise return transactions or customer personal information on the Watford system.

…it is clear that much more than just credit card data was stolen. There were apparently many incidents of other information, including drivers’ license, military and state identification numbers, names and addresses, social security numbers, and perhaps more.

The report continues:

Information Believed Stolen in 2005. As we previously publicly reported, we believe customer data were stolen in September and November 2005 relating to a portion of the payment card transactions made at our stores in the U.S., Puerto Rico and Canada (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during the period from December 31, 2002 through June 28, 2004. We suspect the data believed stolen in 2005 related to somewhere between approximately half to substantially all of the transactions at U.S., Puerto Rican and Canadian stores during the period from December 31, 2002 through June 28, 2004 (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks). The data were included in files routinely created on our Framingham system to store customer data, but the contents of many of the files were deleted in the ordinary course of business prior to discovery of the Computer Intrusion.

…the report then shows a chart that indicates the number of cards compromised. I’ll summarize here:

Payment Card Status at Time of Believed Theft

Transactions from 12/31/02 – 11/23/03

Expired Cards: Track 2 data masked: 5,600,000 cards; All card data in the clear: 25,000,000 cards
Unexpired Cards: Track 2 data masked: 3,800,000 cards; All card data in the clear: 11,200,000 cards

Transactions from 11/24/03 – 6/28/04

Expired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 0 cards
Unexpired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 10 cards

The narrative continues:

Customer names and addresses and, for transactions after September 2, 2003, track 2 data were not included in the payment card information believed stolen in 2005. We do not believe that customer PINs were compromised.

In addition, we believe that personal information provided in connection with a portion of the unreceipted merchandise return transactions at T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and Puerto Rico, primarily during the last four months of 2003 and May and June 2004, was also stolen in 2005. The information we are able to specifically identify was from 2003 and included personal ID numbers, together with the related names and/or addresses, of approximately 451,000 individuals. We are in the process of notifying these individuals directly by letter.

TJX does not know how many records from the 11/24/03 – 6/28/04 transactions were stolen: the files were purged in the ordinary course of business, and without knowing exactly when the thefts took place they cannot tell how many records were still present to be taken.

They began encrypting card data on 4/7/04. Prior to that, according to the report, they either masked card data or stored it all in the clear. Note, too, that the report goes on to say the intruder is believed to have had access to the decryption tool, so the encryption bought less than it appears; only data that was never stored, or was masked (permanently deleted) before storage, was truly out of reach.
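The distinction the 10-K keeps drawing (stored in the clear, masked, encrypted, never stored) is the whole ballgame for a merchant, and both the PIN-storage point above and the masking discussion here come down to one rule: keep only what you need after authorization, and scan for anything else. Here is an added example in Python of both halves; it is not TJX’s code or any PCI tool’s. Given a constructed sample transaction carrying track 2 data, it builds the record a merchant may retain (PAN masked to first six and last four digits, expiry, amount, approval code) and drops the rest, then scans a set of stored records for data that must never be there: fields named for track, PIN or card-verification data, raw track 2 strings, and full PANs left in the clear (identified with a Luhn check, the way data-discovery scanners do it). The track 2 layout, the field names and the test card number are assumptions for the example; it does not cover encrypting the retained record, which is a separate requirement.

```python
import re

# Added example; constructed field names, layouts and sample data.
# Track 2 on the magnetic stripe: ;PAN=YYMM SSS discretionary-data?
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# Candidate PAN: a run of 13-19 digits not bordered by other digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Sensitive authentication data: never stored after authorization, even encrypted.
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin", "pin_block"}


def luhn_ok(digits):
    """Luhn check, used to tell a real PAN from a random digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track2):
    """Split a track 2 string into its fields; raises on malformed input."""
    m = TRACK2_RE.fullmatch(track2)
    if not m:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def mask_pan(pan):
    """Mask a PAN to first six and last four digits (the most PCI DSS allows
    to be shown); very short PANs keep only the last four."""
    if len(pan) <= 10:
        return "*" * (len(pan) - 4) + pan[-4:]
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def to_storable_record(txn):
    """Build the record kept after authorization: masked PAN and expiry taken
    from track 2, plus the non-card fields. Track 2 itself, the service code,
    the discretionary data, any CVV2 and any PIN block are not carried over."""
    fields = parse_track2(txn["track2"])
    return {
        "pan_masked": mask_pan(fields["pan"]),
        "expiry": fields["exp"],
        "amount": txn["amount"],
        "approval_code": txn["approval_code"],
    }


def find_prohibited_data(records):
    """Scan stored records for prohibited field names, raw track 2 strings and
    full PANs that should have been masked. Returns (record_index, field,
    reason) tuples; an empty list means the store is clean."""
    findings = []
    for idx, rec in enumerate(records):
        for key, val in rec.items():
            if key.lower() in PROHIBITED_FIELDS:
                findings.append((idx, key, "prohibited field"))
                continue
            if not isinstance(val, str):
                continue
            if TRACK2_RE.fullmatch(val):
                findings.append((idx, key, "track 2 data"))
                continue
            if any(luhn_ok(m.group()) for m in PAN_CANDIDATE_RE.finditer(val)):
                findings.append((idx, key, "unmasked PAN"))
    return findings


# Constructed sample transaction using a well-known test PAN, not a real card.
SAMPLE_TXN = {
    "track2": ";4111111111111111=27121011234567890?",
    "amount": "19.99",
    "approval_code": "123456",
}

if __name__ == "__main__":
    record = to_storable_record(SAMPLE_TXN)
    print(record)
    # Keeping the raw transaction alongside the clean record is the mistake
    # the scan is there to catch.
    print(find_prohibited_data([record, SAMPLE_TXN]))
```

Run against a real store, the scan would be pointed at exported rows, log files and the “files created in connection with computer systems problems” the 10-K mentions, since those are exactly where full card data tends to linger after the production tables have been cleaned up.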

The report continues by describing data stolen in 2006:

Information Believed Stolen in 2006. As previously publicly reported, we identified a limited number of payment cards as to which transaction information was included in the customer data that we believe were stolen in 2006. This information was contained in two files apparently created in connection with computer systems problems in 2004 and 2006. Through our investigation to date, we have identified the following information with respect to the approximate number of payment cards for which unencrypted information was included in these files:

The report shows another table, a simpler one this time. In 2006, the number of cards that could have been stolen is in the tens of thousands rather than the millions. This suggests to me that TJX was purging transaction data more aggressively and keeping far less card data online than before.

Much more narrative follows:

Customer names and addresses were not included with the payment card information in these files. We do not believe that customer PINs were compromised. Some of the payment card data contained in these files were encrypted; we have not sought to decrypt these data.

In addition, the two files contained the personal ID numbers, together with the related names and/or addresses, of approximately 3,600 individuals, and we sent notice directly to these individuals.

We also have located a third file created in the ordinary course that we believe was stolen by the Intruder in 2006 and that we believe contained customer data. All of the data in this file are encrypted, and we have not sought to decrypt them.

As previously publicly reported, we believe that in 2006 the Intruder may also have stolen from our Framingham system additional payment card, check and unreceipted merchandise return information for transactions made in our stores in the U.S., Canada, and Puerto Rico (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during portions of mid-May through December 18, 2006. Through our investigation, we have identified approximately 100 files that we believe the Intruder, during this period, stole from our Framingham system (the vast majority of which we believe the Intruder created) and that we suspect included customer data. However, due to the technology utilized by the Intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuer’s without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX. The approximately 100 files stolen in 2006 could have included the data that we believe were stolen in 2005, as well as other data relative to some customer transactions from December 31, 2002 through mid-May 2006, although, with respect to transactions after September 2, 2003 generally without track 2 data, and, with respect to transactions after April 7, 2004, generally with all data encrypted.

In addition, as previously publicly reported, we suspect that customer data for payment card transactions at T.K. Maxx stores in the U.K. and Ireland has been stolen. In that regard, we now believe that at least two files of the approximately 100 files identified above that the Intruder stole from the Framingham system in 2006 were created by the Intruder and moved from the Watford system to the Framingham system. We suspect that these files contained payment card transaction data, some or all of which could have been unencrypted and unmasked. However, due to the technology utilized by the Intruder in the Computer Intrusion, we are unable to determine the nature or extent of information included in these files. Further, the technology utilized by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer’s approval process, in which data (including the track 2 data) are transmitted to payment card issuer’s without encryption.

We have provided extensive payment card transaction information to the banks and payment card companies with which we contract as requested by them. While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information. Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings. We also do not know the extent of any fraudulent use of any of the personal information believed stolen. Certain banks have sought, and other banks and payment card companies may seek, either directly against us or through claims against our acquiring banks as to which we may have an indemnity obligation, payment of or reimbursement for fraudulent card charges and operating expenses (such as costs of replacing and/or monitoring payment cards thought by them to have been placed at risk by the Computer Intrusion) that they believe they have incurred by reason of the Computer Intrusion. In addition, payment card companies and associations may seek to impose fines by reason of the Computer Intrusion.

The report, above, mentions several times “the technology utilized by the Intruder” without being more specific. In a 10-K, this terminology is appropriate. For the report to describe what SQL, ODBC, .NET, or command line interface was used to get the data would be far too much detail. Still, my professional curiosity is piqued. What technology *did* the intruder(s) use?

The portion of the 10-K report on the intrusion continues and concludes:

Financial Costs. In the fourth quarter of fiscal 2007, we recorded a pre-tax charge of approximately $5 million, or $.01 per share, for costs incurred through the fourth quarter in connection with the Computer Intrusion, which includes costs incurred to investigate and contain the Computer Intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees. Beyond this charge, we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion. Various litigation has been or may be filed, and various claims have been or may be otherwise asserted, against us and/or our acquiring banks, on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion and other related relief. We intend to defend such litigation and claims vigorously, although we cannot predict the outcome of such litigation and claims. Various governmental entities are investigating the Computer Intrusion, and although we are cooperating in such investigations, we may be subject to fines or other obligations. (See Item 3 with respect to litigation and investigations.) Losses that we may incur as a result of the Computer Intrusion include losses arising out of claims by payment card associations and banks, customers, shareholders, governmental entities and others; technical, legal, computer systems and other expenses; and other potential liabilities, costs and expenses. Such losses could be material to our results of operation and financial condition.

Above, the report mentions costs associated with strengthening computer security and systems. Are these costs associated with bringing systems up to PCI standards, or beyond them? The report is not clear on this point.

Future Actions. We are continuing our forensic investigation of the Computer Intrusion and our ongoing program to strengthen and protect our computer systems. We are continuing to communicate with our customers about the Computer Intrusion. We are continuing to cooperate with law enforcement in its investigation of these crimes and with the payment card companies and associations and our acquiring banks. We are also continuing to cooperate with governmental agencies in their investigations of the Computer Intrusion. We are vigorously defending the litigation and claims asserted against us with respect to the Computer Intrusion.

TJX may suffer more losses over the years and they may be material. Well, that’s a reasonable supposition. The TJX intrusion is a watershed event to be sure, and could result in lawsuits the likes of which we haven’t seen in the past, as well as new legislation related to protection of financial information and remedies for failures.

Update: the intruders probably got in over the store wireless network by cracking WEP, the weak wireless encryption in use at the time. More here.

Practicing safe hex


The phrase “practicing safe hex” is a pun on the more obvious phrase having to do with morality and the avoidance of deadly diseases. The term came up at work one day about ten years ago when one of my engineers, Scott, blurted out the phrase during a conversation about our end users’ propensity to open spam e-mails and visit untoward websites.

Our users knew little about good Internet hygiene, but do today’s users know any better? Barely. They still open spam, they still visit the websites that spam points them to, and people are more gullible than ever when it comes to phishing and pharming.

Awareness training isn’t working, and it has never worked well. Technical controls can’t block all of the noise, nor protect people from themselves. Despite the best intentions, PCs still do their masters’ bidding, even when that means running into trouble in the Internet’s back alleys where the hoodlums hang out and victimize the vulnerable.

Earth day: recycle your old PC


Recycle your old PC and other electronics on Earth Day!

Only ten to fifteen percent of electronics are recycled – meaning 85 to 90 percent of discarded electronics end up in landfills, polluting the environment with toxic metals and other dangerous substances.

Instead of throwing your old PC and other electronics in the trash, recycle them instead.

Read a longer article here.

Here’s how: go to Computer Take Back and find out where to take discarded electronics in your state.

http://www.computertakeback.com/

Would you walk away from your unlocked car?


Today, in a new-employee orientation at a $150M public company, I asked the new employees whether any of them ever walked away from their unlocked car, even in the company parking garage.

None raised their hands.

Okay, I said, what if their car would automatically lock after fifteen minutes? THEN would they walk away from their unlocked car?

Still no hands.

Do you know where I’m going with this?

So if you won’t walk away from your unlocked car, why do you walk away from your unlocked PC every day, especially when locking your PC is just as easy as locking your car (even if you have one of those locking fob devices)?

What are the relative risks between your car being stolen or someone breaking in (or, if it’s unlocked, walking in) to your computer?

If your car is stolen, your insurance will replace it. If there were personal belongings in the car, your homeowner’s or renter’s insurance would replace them. You’d be inconvenienced for a few days while you replaced your car. If you had a garage door transmitter in your car, the thief might try to get into your home, so there’s a possible secondary loss.

If someone breaks into your computer, the intruder may find the passwords to your e-mail, banking, credit, savings, medical plans, and merchants, and would have an easy time committing identity theft against you, which could cost you thousands in legal fees and ruin your credit rating (and your ability to borrow money at competitive rates) for several years. The intruder might also find files about you: correspondence, financial records, bank statements, travel plans, photographs, a history of the websites you’ve visited, and a host of other things about you.

So, c’mon, lock your workstation when you’re away. You have a lot to lose, and it’s easy to protect. Your employer has a lot to lose, too, and you don’t want that loss to originate from your workstation, or do you?

How to lock your Windows workstation:

Method 1: Press Ctrl-Alt-Del, then press ‘K’ (the accelerator for “Lock Computer” in the Windows Security dialog)

Method 2: Press Windows-L (the Windows logo key and L together)

And for the fifteen-minute question: a password-protected screen saver with a short timeout is the car that locks itself. Treat it as a backstop for the times you forget, not as a substitute for locking the workstation when you stand up; fifteen minutes is plenty of time for someone to read your mail.

It’s a very easy habit to get into, at least as easy as locking your car.
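Here is the “car that locks itself” made enforceable, as an added example that is not from the original post. It is PowerShell that audits and, if needed, sets the per-user Group Policy registry values for a password-protected screen saver. The registry path and value names are the ones the “Personalization” policies write; `scrnsave.scr` is the blank screen saver that ships in System32; the 900-second threshold is an assumption taken from the post’s fifteen-minute figure. Run it as the user whose session should auto-lock.

```powershell
# Added example (not from the original post): audit and enforce a
# password-protected screen saver that engages after a fixed idle time.
# Policy key and value names are those written by the Group Policy
# "Personalization" settings; the values there are REG_SZ strings.

$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxIdleSeconds = 900            # assumption: the post's "fifteen minutes"
$ScreenSaverExe = 'scrnsave.scr' # blank screen saver shipped in System32

function Set-AutoLockPolicy {
    param([int]$TimeoutSeconds = $MaxIdleSeconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # A screen saver must be named for "Enable screen saver" to take effect.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value $ScreenSaverExe   -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
}

function Test-AutoLockPolicy {
    # Returns one finding per gap; an empty result means the backstop is in place.
    param([int]$MaxSeconds = $MaxIdleSeconds)
    $findings = @()
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        return @('No screen-saver policy is set; the user can simply turn the lock off.')
    }
    if ([string]::IsNullOrEmpty($p.'SCRNSAVE.EXE')) {
        $findings += 'No screen saver is named, so the "enable" policy has nothing to start.'
    }
    if ($p.ScreenSaveActive -ne '1') {
        $findings += 'Screen saver is not forced on.'
    }
    if ($p.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screen saver does not require a password; it is a curtain, not a lock.'
    }
    $timeout = 0
    if (-not [int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout) -or $timeout -le 0) {
        $findings += 'No timeout is set, so the screen saver never starts on its own.'
    } elseif ($timeout -gt $MaxSeconds) {
        $findings += "Timeout is $timeout seconds, longer than the $MaxSeconds-second limit."
    }
    return $findings
}

function Lock-Workstation {
    # The same call Windows-L makes; useful from scripts and scheduled tasks.
    rundll32.exe user32.dll,LockWorkStation
}

# Usage: report the gaps, close them, and re-check.
$issues = @(Test-AutoLockPolicy)
if ($issues.Count -eq 0) {
    'Auto-lock policy is already in place.'
} else {
    $issues
    Set-AutoLockPolicy
    $remaining = @(Test-AutoLockPolicy)
    if ($remaining.Count -eq 0) { 'Auto-lock policy applied.' } else { $remaining }
}
```

Because these live under the Policies hive, the user cannot undo them from the Screen Saver control panel the way they could with the plain `HKCU:\Control Panel\Desktop` values. On a domain, push the same three settings through Group Policy rather than running this on each machine, and pair them with the machine-wide “Interactive logon: Machine inactivity limit” security option so the lock does not depend on the user’s screen-saver settings at all.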

Another reason I am using WordPress


I was once accused of injecting malicious code into someone’s computer in order to discover the contents of their computer, through some means such as e-mail or a web site. Well, I have not sent that person e-mail in almost two years (and then, only because one was requested), so my web site would be the only other means of injecting malicious code into their computer.

WordPress does not permit its users to include scripts in their web content. For example, were I to write some Javascript into this page, WordPress would automattically filter it out before saving the page. And, were I to create a URL on any of my pages that included a cross-site scripting attack, WordPress would filter that out too. (This is WordPress’s kses filter; on a self-hosted install it applies to accounts that lack the unfiltered_html capability, so an administrator can still post script, but ordinary authors cannot.)

Even when I had complete control over my HTML, I have never knowingly hosted malicious scripts or code. Doing so is a blatant violation of the codes of ethics of the security organizations I am involved with ((ISC)², ISACA, InfraGard).

Marriott Rewards contest mimics phishing scams


Marriott contest asks for name, address, date of birth

Marriott Rewards sent me an e-mail that so closely resembles a phishing scam that, Marriott Rewards member though I am, I refused to act on it.

They are promoting some sort of a sweepstakes, and to enter, I am required to enter my name, full address, and full date of birth (month, day, and year), and (optionally) my phone number.

This is precisely what phishing scams do.

I wrote to Marriott, telling them that this is irresponsible and only serves to confuse private citizens who are already having enough trouble discerning genuine emails from phishing and fraud.

Here is news about a real Marriott scam. And another one.

In 2005, Marriott lost data on over 200,000 customers. Maybe they’re not thinking seriously about security yet. If not, what will it take to wake them up?