Tag Archives: peter h. gregory

Open Networking is a violation of the LinkedIn terms and conditions

It really irks me when I see people on LinkedIn who connect with anyone who is willing to accept a connection.  This is a blatant violation of the intentions – and the terms and conditions – of LinkedIn.

I connect only with people I know. I am VERY hesitant to connect with people who are promiscuous linkers, because I do not have any way to know which people in *their* network are trustworthy.

Today I saw a posting on a LinkedIn group that read,

“Lets expand our network together. Open Networker Accepting All Invitations.”

I responded,

“In my own opinion this violates the LinkedIn terms and conditions. And I’m surprised to hear this from a CISSP and CISA who is supposed to uphold two different codes of ethics that require honesty in all professional dealings.

In LinkedIn, we are supposed to connect only with people that we *know*, NOT with everyone who will push a button. The LinkedIn Terms and Conditions, section 3, reads:

‘The purpose of LinkedIn is to provide a service to facilitate professional networking among users throughout the world. It is intended that users only connect to other users WHO THEY CURRENTLY KNOW and seek to further develop a professional relationship with those users.’ (emphasis mine)

How can you reconcile your requirement to abide by the LinkedIn terms and conditions, your statement, “Open Network Accepting All Invitations” and your codes of ethics that require you to respect laws, regulations, and rules?

As security professionals, we are supposed to lead by example. Otherwise, how are we supposed to expect others to do so if we PUBLICLY and brazenly violate them ourselves. Doing so compromises our ability to be effective in our professional work.”

The LinkedIn terms and conditions also says:

“Any other use of LinkedIn (such as seeking to connect to someone a user does not know or to use LinkedIn as a means of generating revenue through the sale of contacts or information to others) IS STRICTLY PROHIBITED AND A VIOLATION OF THIS AGREEMENT.”

Can this be any more clear?

Stop “clickjacking” with Firefox and NoScript

Clickjacking is one of the newest and most dangerous web browser vulnerabilities discovered to date. Every browser is vulnerable, even those that can defend against the similar Cross Site Request Forgery (CSRF) vulnerability.

Clickjacking can be used to completely control your home PC or your home router, which can lead to a complete compromise of your private information and turn your PC into the latest conscript in a bot army.

How clickjacking works: when you visit a compromised web site, your browser loads an invisible button that hovers below the mouse pointer. Then, when you are on a legitimate site such as online banking or e-mail and click on a link, you’re actually clicking the invisible button placed there by the malicious code. As explained by Jeremiah Grossman, CEO of Whitehat Security:

“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

Here is another example that is described by Robert Hansen, founder of SecTheory LLC:

“Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

In other words, an attacker can do pretty much anything that he or she wants to. He would have the same level of control as if he physically stole your computer.

So, short of turning off your PC, how can you defend against clickjacking?

Firefox and NoScript.  Unless you have been living under a rock, you know about Firefox, the popular browser from Mozilla. NoScript is a popular Firefox add-on that was originally designed to help the user block JavaScript and Flash animation from selected web sites (such as advertising). NoScript, starting in version 1.8.2.1, blocks all clickjacking attacks as well.

Where to get Firefox: go here, to www.getfirefox.com

IE users – take heart: during installation, Firefox can import all of your hard-won and well organized favorites, automatically.

After you have installed Firefox, install NoScript by going here: www.noscript.net

Articles on clickjacking and the Firefox / NoScript defense:

http://www.networkworld.com/news/2008/092608-security-researchers-warn-of-new.html

http://www.networkworld.com/news/2008/100808-firefox-extension-blocks-dangerous-web.html

http://en.wikipedia.org/wiki/Clickjacking

NoScript was one of PC World’s best products of the year, ranked at #52. I have used NoScript for a few years now and really appreciate its ability to block all foreign scripting, allowing only what I want to see.

Clickjacking is not a vulnerability that can be fixed on web sites. This is strictly a browser vulnerability that can only be fixed by fixing the browser itself. Reportedly the major browser makers (Microsoft, Mozilla, and Apple) are working on it. But don’t hold your breath – fixes are not likely to be released soon. Until then, Firefox with NoScript is the only available defense.

Ike: this is no time to think about disaster planning

Hurricane Ike

Thousands of businesses in Texas from Freeport to Houston are wondering, “How are we going to survive Hurricane Ike and continue business operations afterwards?”

If this is the first time this has crossed your mind, there’s precious little you can do now but kiss your systems and hope that they are still running when you see them again.  The storm surge is supposed to exceed 20 feet, which will prove disastrous to many businesses.

But when you get back to the workplace and things are back to normal (which I hope is not too long), start thinking seriously about disaster recovery planning.  A DR project does not have to be expensive or take a lot of resources, and it’s not just for large businesses.  Organizations of every size need a DR plan: the plan may be large and complex in big organizations, but it will be small and manageable and not be expensive to develop.

Hurricane Ike's Path

Where do you begin?  At the beginning, of course, by identifying your most critical business processes, and all of the resources that those processes depend on.  Then you begin to figure out how you will continue those processes if one or more of those critical resources are not available.  The approach is systematic and simple, and repetitive: you go step by step through each process, identifying critical dependencies, figuring out how to mitigate those dependencies if they go “offline” at a critical time.

Order yourself a great book that will get you started.  As one reviewer said, “It would be tempting to make all sorts of snide comments about a Dummies book that wants to take a serious look at disaster recovery of your IT area. But this is a Dummies title that you’ll actually go back to a number of times if you’re responsible for making sure your organization survives a disaster… IT Disaster Recovery Planning for Dummies by Peter Gregory. It’s actually the first book on the subject that I found interesting *and* readable to an average computer professional….” read the rest of this review here and here.

Don’t put this off – but strike while the iron is hot and get a copy of this now.  Don’t wait for the next hurricane to catch you off-guard.

I don’t want to see any business unprepared and fail as a result of a natural disaster.  If it were up to me, disaster preparedness would be required by law, but instead it’s a free choice for most business owners.  I just wish that more would choose the path of preparation and survival, but unfortunately many do not.  I wrote IT Disaster Recovery Planning For Dummies to help more people understand the importance of advance disaster recovery planning and how easy the planning process can be.

IT security spending squeeze? Switch to risk-based spending

Security managers often have a difficult time getting budget money for security controls during times of economic health, but in a downturn that puts financial pressure in some industry sectors, security budgets can literally dry up.  This may be especially true in organizations that were releasing funds for spending on security controls based upon qualitative justification.

If you’re in this situation, maybe it’s time to switch to a risk-based model for making decisions on where to best spend money on security.

This approach requires that an organization adopt a risk management and risk analysis methodology that is used to perform a detailed risk analysis for any given situation.  A risk analysis methodology will enable a security manager to precisely identify threats, vulnerabilities, and risks in specific situations or settings, which can lead to a clearer understanding of specific risks and what can be done to reduce those risks.

In the end, it’s middle or senior management’s job to make spending decisions.  As risk managers, we can help decision-makers to make more informed decisions based upon identified risks and potential remedies to those risks.

Image courtesy Tech Republic

If a decision-maker still says “no”, do not consider this a failure.  It is a risk manager’s job to help management make informed decisions.  As long as the risk manager provides the facts, including the alternatives in a risk situation, then the risk manager has done his or her job.  It is the decision maker’s job to make risk decisions.  Whether we agree with those decisions may be the basis for much professional discussion – if it’s not our decision, it’s not our decision.

The consolation for the risk manager is that risk-based spending at least puts money where it’s needed the most.

Sources for information on risk analysis and risk management:

NIST 800-30, Risk Management Guide for Information Technology Systems
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FRAP (Facilitated Risk Analysis Process)

Does your organization need a disaster recovery plan?

Many businesses, particularly those that have less than one thousand employees, think that disaster recovery planning is something that is too difficult or too expensive to undertake. Another response is that of the avoider: it won’t happen to me. These assumptions have been perpetuated to the detriment of many businesses that unnecessarily failed.

Disasters come in many forms. Most people think of massive earthquakes and hurricanes. However, there are hundreds of disasters that occur on a regular basis, but they’re too localized and small to make the news. And not all disasters are ‘acts of nature’: there are many man-caused disasters that occur on a regular basis that cripple businesses just like acts of nature do.

Disaster Recovery Planning need not be expensive, and most businesses can (and should!) get started right away with even a small amount of planning that could prove highly valuable, in case the unexpected occurs.

Get the book, build the plan!

Fake fingerprints, multiple aliases, in FBI custody; name=??

The FBI has taken a career identity thief into custody in Seattle. Problem is, they have no idea who it is.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

More on this FBI web site (now a dead link)

Update: Six new photos released

Stories:

Seattle Times

KOMO TV Seattle

Seattle Post-Intelligencer

Countermeasures for web application parameter tampering attacks

A parameter tampering attack is a malicious attack on an application where the attacker is manipulating hidden form variables in an attempt to disrupt the application.

Countermeasures for this attack include:

  • Effective input field filtering. Input fields should be filtered to remove all characters that might be a part of an input injection. Which characters are removed will depend upon the types of software used by the application.
  • Application firewall. Network firewalls inspect only the source and destination addresses and the port numbers, but not the contents of network packets. Application firewalls examine the contents of packets and block packets containing input attack code and other unwanted data.
  • Variable integrity checking. If your application uses values in hidden fields to communicate parameters from page to page, you need to consider adding a variable that is a computed hash of the other variables. Make sure your algorithm for hashing your hidden variables is not easily guessed – or consider using encryption in addition to hashing. When each page begins to process its variables, compute the hash again and compare it to the hash value variable. If the values are different, you know that your variables have been tampered with and you can exit gracefully after logging the incident.
  • Application vulnerability scanning. Organizations that develop their own applications for online use should scan those applications for input attack vulnerabilities, in order to identify vulnerabilities prior to their being discovered and exploited by outsiders.

These countermeasures lower the risk of parameter tampering by making the application more robust and/or protected from input attacks.
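The variable integrity check described above, as an added example that is not from the original post: the server signs the hidden fields with a keyed HMAC (so the “hash” cannot be recomputed by someone who does not hold the server’s secret, which is the “not easily guessed” property the post asks for), and the receiving page recomputes and compares it before trusting any value. The field names, the secret and the sample order form are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Server-side secret used to key the HMAC. Constructed for this example; in a
# real deployment it is generated once, kept out of the page and the source
# tree, and never sent to the browser.
SERVER_SECRET = b"example-only-server-secret"

# Hidden fields whose values must survive the round trip to the browser unchanged.
# A fixed order matters: both sides must serialize the same fields the same way.
PROTECTED_FIELDS = ("item_id", "unit_price", "quantity")

# Name of the extra hidden field carrying the integrity value.
SIG_FIELD = "sig"


def _canonical(fields):
    """Serialize the protected fields in a fixed order using URL-encoding, so a
    value containing '&' or '=' cannot be confused with a field boundary and two
    different sets of values can never serialize to the same bytes."""
    ordered = [(name, str(fields[name])) for name in PROTECTED_FIELDS]
    return urlencode(ordered).encode()


def sign_fields(fields):
    """Hex HMAC-SHA256 over the protected hidden fields."""
    return hmac.new(SERVER_SECRET, _canonical(fields), hashlib.sha256).hexdigest()


def build_form(values):
    """Page 1 (server side): the hidden fields the page ships to the browser,
    plus the integrity field. Returns a dict of field name -> value."""
    form = {name: str(values[name]) for name in PROTECTED_FIELDS}
    form[SIG_FIELD] = sign_fields(form)
    return form


def render_hidden_inputs(form):
    """HTML for the hidden inputs (values are trusted server output here; a real
    template engine would HTML-escape them)."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{form[name]}">'
        for name in PROTECTED_FIELDS + (SIG_FIELD,)
    )


def verify_submission(submitted):
    """Page 2 (server side): recompute the HMAC from the submitted hidden fields
    and compare it in constant time. Returns (ok, reason); on failure the caller
    should log the incident and abort rather than process the request."""
    missing = [n for n in PROTECTED_FIELDS + (SIG_FIELD,) if n not in submitted]
    if missing:
        return False, "missing hidden fields: " + ", ".join(missing)
    expected = sign_fields(submitted)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, str(submitted[SIG_FIELD])):
        return False, "hidden field integrity check failed"
    return True, "ok"


def demo():
    """Untampered round trip succeeds; editing a hidden field is detected."""
    original = build_form({"item_id": "A-100", "unit_price": "19.99", "quantity": "1"})
    untouched_ok, _ = verify_submission(dict(original))

    tampered = dict(original)
    tampered["unit_price"] = "0.01"   # price edited in the browser
    tampered_ok, reason = verify_submission(tampered)
    return untouched_ok, tampered_ok, reason


if __name__ == "__main__":
    print(render_hidden_inputs(build_form({"item_id": "A-100", "unit_price": "19.99", "quantity": "1"})))
    print(demo())
```

Logging the failing submission (source address, account, field values) alongside the rejection is what turns this check into a detection signal rather than just a silent refusal.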

Countermeasures for input injection attacks.

CIA Triad also the basis for our ethical behavior

The CIA Triad forms the core principles of information security: confidentiality, integrity, and availability. These principles govern how information and systems should be designed and managed.

The CIA Triad also applies to our professional behavior as information security professionals.

Confidentiality

We are obligated to keep many secrets – corporate secrets, staff secrets, and personal secrets. We must keep this confidential information under wraps and earn the trust of employers, colleagues, and regulators every day.

Integrity

We must act with integrity. We must develop sound policies and uphold them without bias. We must point out errors and misdeeds, dispassionately and objectively, in order to uphold the common good. We must seek out and defend the truth in all situations we find ourselves in.

Availability

Even when we may feel too weary to do so, we should be available for consultation to our employers and our colleagues. There are too few data security professionals, and our counsel is needed often, especially when the advice that is sought has high-value outcomes.

Being available means we must manage our time well, to ensure that we are working on the truly important tasks and not merely the urgent ones. Risk professionals are influencers, and we must be sure to influence outcomes in situations that really matter.

XP or bust

(More new articles – scroll to the bottom)

We run Windows XP on all of our home and work systems (which is almost 1,000 machines).

After mid-2008, we will have NO CHOICE but to purchase Vista when we want to purchase a Microsoft desktop operating system.

I ran Vista Ultimate for 10 months on a daily-use system and was SO FRUSTRATED with it that I switched back to XP Pro. The system runs much better, and all of our forensics software works properly again (most of the forensic tool vendors we work with are NOT producing Vista versions – I wonder why).

After mid-2008, if I’m in a jam, I’m switching to Linux. That is, unless Microsoft continues selling XP or some other decent OS. Vista? No way.

I’m conflicted even saying this. I have written a Vista book, but I still can’t stand the OS.

This reminds me of the Windows ME debacle almost ten years ago. Windows ME was pathetic, and most people skipped it and waited for the next OS, Windows 2000. Vista is the new “ME” – the Windows version that most corporations are turning their back on.

I’m also thinking of purchasing some OEM copies of XP just in case I need it after mid-2008.

If the next version of Windows (that is, the version after Vista) is also a bust, I’ll probably walk away from Microsoft’s products for good. Tens of thousands of you already have.

I believe I’m qualified to state this opinion. I’ve been using DOS and Windows daily since 1986. I also have 20 years’ daily-use experience with UNIX, and several years of experience with other operating systems (RSTS/E, KRONOS, VMS, RT-11, MacOS, and TOPS-10).

For more information:

www.savexp.com

badvista.fsf.org

freesoftwarefreesociety.org

Sign the “Save XP” petition today

Microsoft responds to “Save XP” petition

XP: Going, Going, Gone? Computerworld Magazine

Their passion is Windows XP

Sears admits to loading spyware on computers

Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes the pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this.  Their privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/

Give the gift of safe Internet use this Christmas

Internet use can be far safer for most home computer users through the use of free tools and services that help protect computers from malicious code that can lead to identity theft and fraud. In this article:

  • Free anti-virus
  • Free online virus scan
  • Free DNS filtering
  • Free personal firewall
  • Free rootkit detection
  • Free anti-spyware
  • Free patch updates
  • Free file eraser
  • Free disk encryption
  • Free password storage
  • Free encrypted e-mail
  • Free credit check

All of the tools represent the best of the best – they are all popular and renowned for their quality and effectiveness. If you doubt any of these, google these topics yourself and see where these tools appear in your search results.

Note: I have been using many of these tools for years, and am very happy with them. Data security is my profession; I am paid to know this stuff. Happy Holidays!

Free Anti-Virus

Most users don’t need fee-based anti-virus programs like Norton or McAfee. Instead, consider using AVG anti-virus. It’s free, easy to install and use, and just as effective as the big boys.

AVG from Grisoft: www.grisoft.com (you’ll have to hunt around on their site to find the free version. Keep looking.)

Free Online Virus Scan

Not sure if your installed anti-virus program is finding all the viruses on your computer? Go to one or more of these sites to get a free online scan – like getting a second opinion on the health of your computer.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
Trend Micro: http://housecall.trendmicro.com/
Kaspersky: http://www.kaspersky.com/virusscanner
CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Free DNS Filtering

By configuring your system (or home router) you can make sure that your system won’t be able to visit sites containing unsafe or undesired content.

OpenDNS: www.opendns.com
ScrubIT: www.scrubit.com

Free Personal Firewall

A firewall can block incoming threats like worms and bots that can otherwise harm your system and steal your data. Like the other tools on this page, these two products are both free. Firewalls require a little more knowledge, so you might want to find a power-user friend to help.

Zone Alarm: www.zonelabs.com
Comodo: www.personalfirewall.comodo.com

Free RootKit Detection

Rootkits are a new kind of malware (like viruses etc) that seek to evade detection from regular anti-virus programs. These are free and easy to install and use. More info here.

Panda Anti-Rootkit: www.pandasoftware.com
AVG Anti-Rootkit: www.grisoft.com
Sophos Anti-Rootkit: www.sophos.com
McAfee Rootkit Detective: www.mcafee.com

Free Anti-Spyware

Spyware, adware, and other unwanted software lurk in spam and on websites. Anti-virus stops some, but not all.

Spybot: www.safer-networking.org
Spyware Blaster: www.javacoolsoftware.com
Microsoft Defender: www.microsoft.com

Free software patches

Okay, software patches should be free, and free they are. It is very important to stay up to date with Windows and Office security patches. If you run Windows, get your patches straight from Microsoft. Unless you’re an IT pro, I recommend you set up Automatic Updates so that patches are installed automatically.

Microsoft update: update.microsoft.com (only works with Windows Internet Explorer)
Learn about automatic updates: www.microsoft.com

Free File Eraser

Did you know that “deleting” files on your Windows computer doesn’t really delete the information at all? It’s still there for any clever intruder to find – even after you empty your trash can. This free tool called Eraser safely *wipes* your deleted data so that it cannot be discovered. Read this tip.

Eraser: sourceforge.net/projects/eraser/

Free Disk Encryption

If your laptop (or desktop) computer is stolen, thieves are going to be able to steal all of the data on your hard drive. You can encrypt your hard drive, which will result in thieves being unable to access your data. Read this tip.

TrueCrypt: www.truecrypt.org

Free Password Storage

I have mentioned in the past that you need to be careful how and where you store your passwords. If you store them in your computer, intruders can find and exploit them by logging in to your websites. Please do not use your browser to store passwords! Instead, use one of these two free tools to securely store passwords. More info here.

Password Safe: passwordsafe.sourceforge.net
KeePass: sourceforge.net/projects/keepass/

Free Encrypted Email

If you are sometimes concerned that a third-party may be able to read your e-mail – you’re right and you’re not alone. Sending e-mail is like sending postcards through the mail: others can easily see what you are saying to your friends and colleagues. Hushmail safely encrypts e-mail with world-renowned PGP (and your power-user friends who use PGP can send and receive encrypted mail with you). Best of all, it’s free, like the other tools on this site.

Hushmail: hushmail.com

Free Credit Check

U.S. citizens can get free credit checks once per year. You can get them from all three credit reporting bureaus all at once, or do one every four months, picking a different bureau every time. By monitoring your credit, you are more likely to discover fraudulent use of your identity.

Annualcreditreport.com
Federal Trade Commission information on free credit reports
Equifax
Experian
Transunion

Learn more about computer security

Computer Viruses for Dummies – teaches all the basics, not just about viruses but online Internet use and many tips to stay safe online

Eight ways to leverage LinkedIn for business networking

I have used LinkedIn for over four years. I have long since forgotten who invited me to join it. But I immediately recognized its qualities and have regularly invested time in it ever since.

There are eight ways in which you can utilize LinkedIn to enhance your professional stature:

  1. Import your contacts into LinkedIn. Export your contacts from Outlook, Lotus Notes, Hotmail, wherever, and import them into LinkedIn. Then, LinkedIn will show you which of your contacts are already in LinkedIn. LinkedIn will help you to easily add those persons to your LinkedIn network (note that those people will each need to consent to this – no one can add you to their network without permission).
  2. Search for experts and answers. As you grow your list of LinkedIn contacts, you can leverage your contacts to find experts in any field and answers to many questions. Click on the People tab to find people – by name, location, employer, or key words. Click on the Answers tab to ask questions or review others’ questions and answers.
  3. Search for jobs or consulting gigs. LinkedIn has a powerful job search engine that is linked to other job search services. If you’re in the job market, recruiters can and will find you if you have a rich profile that outlines your entire professional background.
  4. Make your LinkedIn profile publicly visible. Take the time to fill out all of the sections of your LinkedIn profile: your jobs (not just title and company, but your responsibilities and accomplishments), education, professional memberships, and so on. Then configure LinkedIn so that your profile is visible to others who may wish to find you.
  5. Join LinkedIn groups. You will notice that many LinkedIn members are members of professional groups. If any of these groups align with your own interests, send an email to your contact and ask them how they joined the group (LinkedIn groups are not found in a list where you can “join” – invitations are generally private).
  6. Put LinkedIn in your e-mail signature. Put a link or one of the LinkedIn graphics in your e-mail signature. LinkedIn has full instructions on how to do this. Then, people you send mail to will be invited to view your profile and learn more about LinkedIn. Those you send mail to who are already members may ask you to join their list of contacts.
  7. Put LinkedIn in your blog or website. Similarly, you can put a LinkedIn graphic on your website or blog, which tells people you are in LinkedIn and that they can use LinkedIn to find out more about you.
  8. Accept new LinkedIn invites with discretion. When you receive invites from others to join their networks, only accept invites from people you know, or who are recommended by people you know. Your entire network of LinkedIn contacts should be people you know and trust – not just people who invite you to join up. I must, however, confess that out of the ~525 contacts I have on LinkedIn, I have accepted invites from about three or four persons that I don’t specifically know. However, I do have specific reasons for specifically accepting their invites.

CISA exam study guides

There are now several books in print that the CISA (Certified Information Systems Auditor) candidate can use as a study aid for the CISA exam.

CISA Certified Information Systems Auditor All-In-One Study Guide, 3rd ed
by Peter H. Gregory, CISA, CISM, CIPM, CRISC, QSA, CISSP, CCISO

CISA: Certified Information Systems Auditor Study Guide, 2nd edition
by David Cannon

CISA: Certified Information Systems Auditor Study Guide by David L. Cannon, Timothy S. Bergmann, and Brady Pamplin

CISA Exam Cram 2 : Certified Information Systems Auditor by Allen Keele and Keith Mortier

CISA Exam Prep: Certified Information Systems Auditor (ACM Press) by Michael Gregg

IT AUDIT: A Practical Guide To the CISA Exam by Trony Clifton

CISM exam study guides

Most Americans favor increased surveillance

Surveillance cameras

A recent ABC News poll shows that seventy-one percent of Americans are in favor of increased video surveillance in cities as an anti-crime measure.

London’s “Ring of Steel” surveillance system is the model for U.S. cities that are considering similar systems, including New York, Chicago, and Baltimore.

Poll results here:

http://abcnews.go.com/images/US/1041a5Surveillance.pdf

More articles:

http://abcnews.go.com/US/story?id=3422372

New York City plans “ring of steel”:

http://www.newsfactor.com/story.xhtml?story_id=0210025GT3LF

Border patrol checking Seattle island ferry runs for dirty bombs:

http://seattletimes.nwsource.com/html/dannywestneat/2004300343_danny23.html

Most residential locks vulnerable to “lock bumping”

This article includes three videos from local television stations around the U.S.

The vast majority of residential door locks are susceptible to a technique known as lock bumping that can be used to quickly and easily unlock residential door locks. The mysterious disappearance of belongings from people’s homes is sometimes explained by this, since lock bumping gets a thief inside a home with no signs of a forced entry.

Bump keys

Lock bumping is achieved using a specially cut key called a “bump key”.

a typical bump key

While bump keys open pin-and-tumbler locks that have been in use for over 80 years, the use of bump keys is a recent phenomenon, becoming popular within the past two or three years.

Earlier this year I was in an Infragard meeting that included a demonstration of bump keys. It is scary how easy they are to operate; with a minute of practice I was able to easily open residential locks. This is knowledge that I do not wish to have, but I feel uneasy knowing that common criminals are also learning about this.

Entire sets of bump keys that fit over 90% of residences are easily purchased from online sources, many of which are willing to sell to people who are not locksmiths. How-to videos are also readily available.

Laws still catching up

It is not universally illegal to own bump keys. Criminals may be able to escape prosecution on breaking-and-entering on the “I had a key” defense. When U.S. laws do catch up with this new phenomenon, many thousands of illegal bump key sets will be “out there” and homes will probably be vulnerable for decades to come.

Insurance and law enforcement

The use of bump keys as a means of entering a house is not universally known, which could lead to difficulties when dealing with insurance companies and law enforcement.

If someone robs your house and gained entry using a bump key, you may have trouble making an insurance claim. Insurance companies will suspect insurance fraud if you are trying to make a mysterious disappearance claim where there is no sign of breaking and entering.

Similarly, filing a police report for a bump-key related burglary may be problematic, as the police may wish to see evidence of forced entry.

Countermeasures

Bump key countermeasures (things you can do to reduce the risk of bump-key enabled burglaries):

  • Electronic locks
  • Pets (which make noise when visitors approach)
  • Security systems
  • Bump-resistant locksets from Kaba (UK), Medeco, and Schlage Primus

If everyone were to run out and purchase bump-proof locksets or other countermeasures, home burglaries will not stop. Instead, burglars will return to other means for breaking into residences. But, I do not feel that people will be running down to their local home improvement stores and locksmiths for new locksets. Not in 2007 anyway.

More information

http://www.komotv.com/news/8457492.html

http://en.wikipedia.org/wiki/Lock_bumping

WMC-TV Memphis, Tennessee, USA news story on lock bumping:

Fox-19 Cincinnati, Ohio, USA news story on lock bumping:

Use ReadNotify to confirm addressee receipt of e-mail

Whether for simplicity or efficiency, most of the major e-mail services (Yahoo, MSN, Gmail, Hotmail, AOL, etc.) do not support e-mail return receipts. Even when a sender uses a client that does request return receipts, such as Outlook or Thunderbird, many of these services simply ignore the request and never generate or send a receipt.

There is an opportunity to change all that. The tool ReadNotify restores the ability for a sender to know whether a recipient has read an e-mail message. The beauty of it is that it works even with e-mail services that do not support traditional return receipts.

ReadNotify has a 30-day free trial. After that, choose from either the Basic (US$24/yr) or the Premium (US$36/yr) subscription plan.

If you really need to know whether certain e-mails are actually read by their recipients, ReadNotify may be for you.

Certified Return Receipt

A really nice feature available in ReadNotify is digitally signed return receipts. This option will digitally sign your email and insert a timestamp certificate. This certificate irrevocably links the body and headers of an email to the date and time they were dispatched – and may be offered as court admissible evidence if required.
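The mechanism the paragraph above describes, a receipt that binds the exact headers and body of a message to a dispatch time so that neither can be altered afterward, is illustrated below with an added example. This is not ReadNotify's implementation (the page does not describe its internals); the message, the key and the timestamp are constructed, and an HMAC under a key held only by the issuing party stands in for the timestamping authority's digital signature. A real service would use a public-key signature so that third parties can verify the receipt without holding the secret.

```python
"""Model of a signed, timestamped e-mail receipt (added illustration; not
ReadNotify's code). HMAC-SHA256 stands in for the authority's signature."""
import hashlib
import hmac
import json

# Constructed sample message and issuing key (demo values only).
SAMPLE_HEADERS = {
    "From": "alice@example.test",
    "To": "bob@example.test",
    "Subject": "Q3 contract",
    "Date": "Tue, 15 May 2007 09:12:00 -0700",
}
SAMPLE_BODY = "Bob, attached is the signed contract. -- Alice\n"
AUTHORITY_KEY = b"constructed-demo-key-not-for-real-use"


def canonicalize(headers: dict, body: str) -> bytes:
    """Deterministic byte form of the message: header names lower-cased and
    sorted, values trimmed, CRLF line endings, body after a blank line.
    Issuer and verifier must canonicalize identically or digests differ."""
    lines = [f"{k.lower()}:{v.strip()}"
             for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())]
    crlf_body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return ("\r\n".join(lines) + "\r\n\r\n" + crlf_body).encode("utf-8")


def _token(digest: str, dispatched_at: str) -> bytes:
    # The MAC covers both the message digest and the timestamp, so the
    # timestamp cannot be moved to a different message or a different time.
    return json.dumps({"digest": digest, "dispatched_at": dispatched_at},
                      sort_keys=True).encode("utf-8")


def issue_receipt(key: bytes, headers: dict, body: str, dispatched_at: str) -> dict:
    """Issued at dispatch time by the party holding the key."""
    digest = hashlib.sha256(canonicalize(headers, body)).hexdigest()
    mac = hmac.new(key, _token(digest, dispatched_at), hashlib.sha256).hexdigest()
    return {"digest": digest, "dispatched_at": dispatched_at, "mac": mac}


def verify_receipt(key: bytes, headers: dict, body: str, receipt: dict) -> bool:
    """Recompute digest and MAC; any change to headers, body or timestamp fails."""
    digest = hashlib.sha256(canonicalize(headers, body)).hexdigest()
    if not hmac.compare_digest(digest, receipt["digest"]):
        return False
    expected = hmac.new(key, _token(receipt["digest"], receipt["dispatched_at"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])


def demo() -> tuple:
    """Returns (genuine verifies, altered body verifies, altered time verifies)."""
    receipt = issue_receipt(AUTHORITY_KEY, SAMPLE_HEADERS, SAMPLE_BODY,
                            "2007-05-15T16:12:00Z")
    genuine = verify_receipt(AUTHORITY_KEY, SAMPLE_HEADERS, SAMPLE_BODY, receipt)
    altered_body = verify_receipt(AUTHORITY_KEY, SAMPLE_HEADERS,
                                  SAMPLE_BODY + "P.S. the price is now $9,000\n", receipt)
    backdated = verify_receipt(AUTHORITY_KEY, SAMPLE_HEADERS, SAMPLE_BODY,
                               dict(receipt, dispatched_at="2007-05-14T16:12:00Z"))
    return genuine, altered_body, backdated


if __name__ == "__main__":
    print(demo())  # genuine receipt verifies; tampered body or timestamp does not
```

The point of hashing a canonical form rather than the raw message is that mail systems legitimately rewrite whitespace, header order and line endings in transit; the receipt should survive those changes while still failing on any change to the content or the claimed dispatch time.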

Other Features

ReadNotify supports several other features, including Ensured (the message is stored on ReadNotify servers until the recipient reads it), Retractable (the body of the message can be retracted), Self Destruct (the message can be destroyed before the recipient reads it), Block Print (prevents the recipient from printing – well, it slows them down anyway), Invisible (the recipient will not be aware of your tracking), and more.

Caution: ReadNotify was apparently used to track e-mails in the HP e-mail scandal. Seek legal advice if you are unsure whether your use of ReadNotify is legal.

Block porn and phishing with ScrubIT filtered DNS

A very easy and effective way to block phishing, porn, and other unwanted content is to use a DNS service that blocks address resolution for these sites.

Sorry, I probably lost most of you with that last statement. Let me explain.

DNS, or Domain Name System, is the Internet’s address book. DNS translates web addresses (also e-mail destinations and addresses for other purposes) like http://www.cnn.com into cryptic IP addresses like 64.236.91.22. These IP addresses are what our browsers and e-mail programs actually use to send and receive information. But since names like cnn.com are easier to remember, we use those instead, and DNS does the translation for us without our even having to think of it.

Instead of using your ISP’s DNS, consider using ScrubIT, a reliable DNS provider that “filters” unwanted sites like porn and phishing, so that any wayward click in a spam or phishing e-mail takes you to a page that says your access has been blocked.

ScrubIT is free, and it takes only a couple of minutes to set up. If you have several computers and a home router, you can configure your home router to use ScrubIT, which will automatically protect all computers in the home. Similarly, enterprises can use ScrubIT as one means of blocking access to porn and phishing.

Simply configure these two addresses as your DNS servers and you’re set: 67.138.54.100 and 207.225.209.66.
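To make the idea of “blocking address resolution” concrete, here is an added toy model of a filtering resolver. It is not ScrubIT’s software, and the blocklist, upstream answers and block-page address below are constructed; the one real address is the 64.236.91.22 quoted earlier in the post. The detail worth seeing is the matching rule: a blocked domain must cover its whole subtree (www.phish-example.test) without catching unrelated names that merely end in the same characters (notphish-example.test), so matching is done on label boundaries rather than by string suffix.

```python
"""Toy filtering DNS resolver (added illustration, not ScrubIT's code).
All names and addresses except 64.236.91.22 are constructed."""
from typing import Optional

# Constructed blocklist: apex domains whose entire subtree is blocked.
BLOCKED_DOMAINS = {"phish-example.test", "adult-example.test"}

# Constructed stand-in for what an unfiltered upstream resolver would answer.
UPSTREAM = {
    "www.cnn.com": "64.236.91.22",               # address quoted in the post
    "www.phish-example.test": "192.0.2.10",
    "login.bank.phish-example.test": "192.0.2.11",
    "notphish-example.test": "192.0.2.12",
}

# Address of the "your access has been blocked" page (constructed).
BLOCK_PAGE = "192.0.2.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(name: str) -> bool:
    """Match on label boundaries: 'phish-example.test' covers
    'www.phish-example.test' but not 'notphish-example.test'."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def resolve(name: str) -> Optional[str]:
    """Filtered resolution: blocked names get the block page, everything else
    is passed to the (simulated) upstream; unknown names return None (NXDOMAIN)."""
    name = normalize(name)
    if is_blocked(name):
        return BLOCK_PAGE
    return UPSTREAM.get(name)


if __name__ == "__main__":
    for q in ["www.cnn.com", "WWW.Phish-Example.test.",
              "login.bank.phish-example.test", "notphish-example.test",
              "nonexistent.test"]:
        print(f"{q:32} -> {resolve(q)}")
```

A filter of this kind only sees requests that go through DNS, which is one reason the defense-in-depth advice below matters: it is a cheap first layer, not a complete control.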

Visit ScrubIT here: http://www.scrubit.com/

You should not rely upon ScrubIT alone to protect yourself from unwanted events. Practice a defense-in-depth strategy to protect your systems and your information from unauthorized access, disclosure, and harm.

Also see my post on OpenDNS.

TJX intrusion was a WEP (WiFi) hack

A Wall St Journal article published today details the probable cause of the TJX credit card scandal I have commented on before. Today’s article confirms my suspicions: the perpetrators probably broke into TJX’s network in 2005 by hacking into a retail store’s WiFi network that was protected with WEP, a wireless protocol shown in 2001 to be too weak for commercial use. TJX was slow to adopt the newer WPA protocol (which I have urged people to switch to), much to its detriment, as we now know.

As many as 200 MILLION cards may have been taken by the data thieves. Because the intruders left few tracks, and due to IT processes in place at the time, no one will ever know just how many cards were stolen. But so far it looks like 47.5 million is the minimum, and somewhere around 200 million is the theoretical maximum.

For an interesting account of the TJX breach, read their 10-K

TJX, parent corporation of TJ Maxx and notorious for the recent colossal credit card breach of 2006 (we weren’t told until 2007, but I digress), is a U.S. public company. As such, they are required to file a quarterly report to the SEC called a 10-K.

TJX’s 10-K provides a chilling account of the breach, from discovery through disclosure to law enforcement, and finally the public. It details what they know and don’t know.

Here is how the long narrative begins…

COMPUTER INTRUSION

We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data. We do not know who took this action and whether there were one or more intruders involved (we refer to the intruder or intruders collectively as the “Intruder”), or whether there was one continuing intrusion or multiple, separate intrusions (we refer to the intrusion or intrusions collectively as the “Computer Intrusion”). We are engaged in an ongoing investigation of the Computer Intrusion, and the information provided in this Form 10-K is based on the information we have learned in our investigation to the date of this Form 10-K. We do not know what, if any, additional information we will learn in our investigation, but that information could materially add to or change the information provided in this Form 10-K.

…the above contains some of the legalese (the terms “Intruder” and “Computer Intrusion” used throughout the report). The report continues with a description of the discovery…

Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.

On January 13, 2007, we determined that additional customer information had apparently been stolen from our computer systems.

On January 17, 2007, we publicly announced the Computer Intrusion and thereafter we expanded our forensic investigation of the Computer Intrusion.

On February 18, 2007, in the course of our ongoing investigation, we found evidence that the Computer Intrusion may have been initiated earlier than previously reported and that additional customer information potentially had been stolen. On February 21, 2007, we publicly announced additional findings on the timing and scope of the Computer Intrusion.

…so that’s the timeline of the discovery. Their actions in quickly involving law enforcement and the banks at all levels are laudable and appropriate. Then again, they knew this was a serious situation, and they would have been criticized later for a slow response if they had not acted quickly.

The report continues by describing the timeline of the intrusions:

Timing of Computer Intrusion. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after December 18, 2006.

…short and to the point.

Next, TJX talks about the systems affected. This is where it gets interesting, because we get the impression that they aren’t really sure which systems were compromised, or from which systems data was stolen:

Systems Affected in the Computer Intrusion. We believe that information was stolen in the Computer Intrusion from a portion of our computer systems in Framingham, MA that processes and stores information related to payment card, check and unreceipted merchandise return transactions for customers of our T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and our Winners and HomeSense stores in Canada (“Framingham system”) and from a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland (“Watford system”). We do not believe that the Computer Intrusion affected the portions of our computer systems handling transactions for customers of Bob’s Stores, or check and merchandise return transactions at T.K. Maxx. We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system, they are separately encrypted in U.S., Puerto Rican and Canadian stores at the PIN pad, and because we do not store PINs on the Watford system. We do not believe that information from transactions using debit cards issued by Canadian banks at Winners and HomeSense that were transacted through the Interac network was compromised. Although we believe that information from transactions at our U.S. stores (other than Bob’s Stores) using Canadian debit cards that were transacted through the NYCE network were processed and stored on the Framingham system, we do not believe the PINs required to use these Canadian debit cards were compromised in the Computer Intrusion. We do not process or store names or addresses on the Framingham system in connection with payment card or check transactions.

…we can speculate on the reasons why TJX doesn’t know which systems were affected. Could it be that the intruder(s) washed the audit logs, or accessed the data in a way that didn’t show up on audit logs?

There are also hints that TJX was not following PCI requirements regarding what information may and may not be stored. Note where they say “We do not believe that customer personal identification numbers (PINs) were compromised, because, before storage on the Framingham system…”! It sounds like they were storing PINs on the “Framingham system,” which is clearly a violation of PCI requirements: PINs must never be stored on a merchant system.

Next, the report describes the data that was stolen.

Customer Information Believed Stolen. We have sought to identify customer information stolen in the Computer Intrusion. To date, we have been able to identify only some of the information that we believe was stolen. Prior to discovery of the Computer Intrusion, we deleted in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006. Given the scale and geographic scope of our business and computer systems and the time frames involved in the Computer Intrusion, our investigation has required a substantial period of time to date and is not completed. We are continuing to try to identify information stolen in the Computer Intrusion through our investigation, but, other than the information provided below, we believe that we may never be able to identify much of the information believed stolen.

Based on our investigation, we have been able to determine some details about information processed and stored on the Framingham system and the Watford system. Customer names and addresses were not included with the payment card data believed stolen for any period, because we do not process or store that information on the Framingham system or Watford system in connection with payment card transactions. In addition, for transactions after September 2, 2003, we generally no longer stored on our Framingham system the security data included in the magnetic stripe on payment cards required for card present transactions (“track 2” data), because those data generally were masked (meaning permanently deleted and replaced with asterisks). Also, by April 3, 2006, our Framingham system generally also masked payment card PINs, some other portions of payment card transaction information, and some portions of check transaction information. For transactions after April 7, 2004 our Framingham system also generally began encrypting (meaning substituted characters for the actual characters using an encryption algorithm provided by our software vendor) all payment card and check transaction information. With respect to the Watford system, masking and encryption practices were generally implemented at various points in time for various portions of the payment card data.

Until discovery of the Computer Intrusion, we stored certain customer personal information on our Framingham system that we received in connection with returns of merchandise without receipts and in some check transactions in our U.S., Puerto Rican and Canadian stores (other than Bob’s Stores). In some cases, this personal information included drivers’ license, military and state identification numbers (referred to as “personal ID numbers”), together with related names and addresses, and in some of those cases, we believe those personal ID numbers were the same as the customers’ social security numbers. After April 7, 2004, we generally encrypted this personal information when stored on our Framingham system. We do not process or store information relating to check or merchandise return transactions or customer personal information on the Watford system.

…it is clear that much more than just credit card data was stolen. There were apparently many incidents of other information, including drivers’ license, military and state identification numbers, names and addresses, social security numbers, and perhaps more.

The report continues:

Information Believed Stolen in 2005. As we previously publicly reported, we believe customer data were stolen in September and November 2005 relating to a portion of the payment card transactions made at our stores in the U.S., Puerto Rico and Canada (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during the period from December 31, 2002 through June 28, 2004. We suspect the data believed stolen in 2005 related to somewhere between approximately half to substantially all of the transactions at U.S., Puerto Rican and Canadian stores during the period from December 31, 2002 through June 28, 2004 (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks). The data were included in files routinely created on our Framingham system to store customer data, but the contents of many of the files were deleted in the ordinary course of business prior to discovery of the Computer Intrusion.

…the report then shows a chart indicating the number of cards compromised. I’ll summarize it here:

Payment Card Status at Time of Believed Theft

Transactions from 12/31/02 – 11/23/03

Expired Cards: Track 2 data masked: 5,600,000 cards; All card data in the clear: 25,000,000 cards
Unexpired Cards: Track 2 data masked: 3,800,000 cards; All card data in the clear: 11,200,000 cards

Transactions from 11/24/03 – 6/28/04

Expired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 0 cards
Unexpired Cards: Track 2 data masked: unknown quantity; All card data in the clear: 10 cards

The narrative continues:

Customer names and addresses and, for transactions after September 2, 2003, track 2 data were not included in the payment card information believed stolen in 2005. We do not believe that customer PINs were compromised.

In addition, we believe that personal information provided in connection with a portion of the unreceipted merchandise return transactions at T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and Puerto Rico, primarily during the last four months of 2003 and May and June 2004, was also stolen in 2005. The information we are able to specifically identify was from 2003 and included personal ID numbers, together with the related names and/or addresses, of approximately 451,000 individuals. We are in the process of notifying these individuals directly by letter.

TJX does not know how many records were stolen from 11/24/03 – 6/28/04: it regularly purges data, and because it does not know when the specific thefts took place, it cannot tell how many records were taken.

They began encrypting card data on 4/7/04. Prior to that, according to the report, they either masked card data, or stored it all in the clear.
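The 10-K draws a distinction worth making concrete: “masked” track 2 data was permanently replaced with asterisks, whereas “encrypted” data is recoverable by anyone holding the decryption tool (which, as the report later admits, the intruder had). The added example below shows what masking at the point of storage looks like, and ties in the PIN point made earlier: nothing from the discretionary portion of the track, and no PIN, ever reaches the stored record. This is illustration code, not TJX’s or any vendor’s implementation; the track layout is the ISO/IEC 7813 track 2 format, the card number is the widely published 4111 1111 1111 1111 test PAN, and the rest of the sample track is constructed.

```python
"""Masking track 2 data before storage (added illustration; not TJX's code).
Sample track is constructed around the public 4111111111111111 test PAN."""
import re
from dataclasses import dataclass

# ;PAN=YYMM SSS discretionary?  (ISO/IEC 7813 track 2, separators ';' '=' '?')
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})(?P<discretionary>\d*)\?$"
)
SAMPLE_TRACK2 = ";4111111111111111=0812101123456789?"  # constructed


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str   # issuer data such as PVV/CVV; must never be stored


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a track 2 record")
    return Track2(**m.groupdict())


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: catches a mis-swiped or corrupted PAN before it is masked."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last digits with asterisks. Unlike encryption, the
    original digits cannot be recovered from the result by anyone."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def storage_record(raw_track2: str) -> dict:
    """The only fields retained after authorization: a masked PAN and the
    expiry date. The full track, the discretionary data (card verification
    values) and any PIN are dropped entirely, never encrypted and kept."""
    t = parse_track2(raw_track2)
    if not luhn_valid(t.pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan_masked": mask_pan(t.pan), "expiry": t.expiry}


if __name__ == "__main__":
    print(storage_record(SAMPLE_TRACK2))  # {'pan_masked': '************1111', 'expiry': '0812'}
```

Had the Framingham system stored records of this shape from the start, the 2005 theft of files covering 2002–2004 transactions would have yielded no usable card data; the 10-K's own figures show that masking was only introduced for transactions after September 2, 2003, and encryption only after April 7, 2004.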

The report continues by describing data stolen in 2006:

Information Believed Stolen in 2006. As previously publicly reported, we identified a limited number of payment cards as to which transaction information was included in the customer data that we believe were stolen in 2006. This information was contained in two files apparently created in connection with computer systems problems in 2004 and 2006. Through our investigation to date, we have identified the following information with respect to the approximate number of payment cards for which unencrypted information was included in these files:

The report shows another table, a simpler one this time. In 2006, the number of cards that could have been stolen is in the tens of thousands rather than in the millions. This suggests to me that TJX was more aggressively purging transaction data and keeping far less card data online than before.

Much more narrative follows:

Customer names and addresses were not included with the payment card information in these files. We do not believe that customer PINs were compromised. Some of the payment card data contained in these files were encrypted; we have not sought to decrypt these data.

In addition, the two files contained the personal ID numbers, together with the related names and/or addresses, of approximately 3,600 individuals, and we sent notice directly to these individuals.

We also have located a third file created in the ordinary course that we believe was stolen by the Intruder in 2006 and that we believe contained customer data. All of the data in this file are encrypted, and we have not sought to decrypt them.

As previously publicly reported, we believe that in 2006 the Intruder may also have stolen from our Framingham system additional payment card, check and unreceipted merchandise return information for transactions made in our stores in the U.S., Canada, and Puerto Rico (excluding transactions at Bob’s Stores and transactions made at Winners and HomeSense through the Interac network with debit cards issued by Canadian banks) during portions of mid-May through December 18, 2006. Through our investigation, we have identified approximately 100 files that we believe the Intruder, during this period, stole from our Framingham system (the vast majority of which we believe the Intruder created) and that we suspect included customer data. However, due to the technology utilized by the Intruder, we are unable to determine the nature or extent of information included in these files. Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuer’s without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX. The approximately 100 files stolen in 2006 could have included the data that we believe were stolen in 2005, as well as other data relative to some customer transactions from December 31, 2002 through mid-May 2006, although, with respect to transactions after September 2, 2003 generally without track 2 data, and, with respect to transactions after April 7, 2004, generally with all data encrypted.

In addition, as previously publicly reported, we suspect that customer data for payment card transactions at T.K. Maxx stores in the U.K. and Ireland has been stolen. In that regard, we now believe that at least two files of the approximately 100 files identified above that the Intruder stole from the Framingham system in 2006 were created by the Intruder and moved from the Watford system to the Framingham system. We suspect that these files contained payment card transaction data, some or all of which could have been unencrypted and unmasked. However, due to the technology utilized by the Intruder in the Computer Intrusion, we are unable to determine the nature or extent of information included in these files. Further, the technology utilized by the Intruder in the Computer Intrusion during 2006 on the Watford system could also have enabled the Intruder to steal payment card data from the Watford system during the payment card issuer’s approval process, in which data (including the track 2 data) are transmitted to payment card issuer’s without encryption.

We have provided extensive payment card transaction information to the banks and payment card companies with which we contract as requested by them. While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information. Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings. We also do not know the extent of any fraudulent use of any of the personal information believed stolen. Certain banks have sought, and other banks and payment card companies may seek, either directly against us or through claims against our acquiring banks as to which we may have an indemnity obligation, payment of or reimbursement for fraudulent card charges and operating expenses (such as costs of replacing and/or monitoring payment cards thought by them to have been placed at risk by the Computer Intrusion) that they believe they have incurred by reason of the Computer Intrusion. In addition, payment card companies and associations may seek to impose fines by reason of the Computer Intrusion.

The report, above, mentions several times “the technology utilized by the Intruder” without being more specific. In a 10-K, this terminology is appropriate. For the report to describe what SQL, ODBC, .NET, or command line interface was used to get the data would be far too much detail. Still, my professional curiosity is piqued. What technology *did* the intruder(s) use?

The portion of the 10-K report on the intrusion continues and concludes:

Financial Costs. In the fourth quarter of fiscal 2007, we recorded a pre-tax charge of approximately $5 million, or $.01 per share, for costs incurred through the fourth quarter in connection with the Computer Intrusion, which includes costs incurred to investigate and contain the Computer Intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees. Beyond this charge, we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion. Various litigation has been or may be filed, and various claims have been or may be otherwise asserted, against us and/or our acquiring banks, on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion and other related relief. We intend to defend such litigation and claims vigorously, although we cannot predict the outcome of such litigation and claims. Various governmental entities are investigating the Computer Intrusion, and although we are cooperating in such investigations, we may be subject to fines or other obligations. (See Item 3 with respect to litigation and investigations.) Losses that we may incur as a result of the Computer Intrusion include losses arising out of claims by payment card associations and banks, customers, shareholders, governmental entities and others; technical, legal, computer systems and other expenses; and other potential liabilities, costs and expenses. Such losses could be material to our results of operation and financial condition.

Above, the report mentions costs associated with strengthening computer security and systems. Are these costs associated with bringing systems up to PCI standards, or beyond them? The report is not clear on this point.

Future Actions. We are continuing our forensic investigation of the Computer Intrusion and our ongoing program to strengthen and protect our computer systems. We are continuing to communicate with our customers about the Computer Intrusion. We are continuing to cooperate with law enforcement in its investigation of these crimes and with the payment card companies and associations and our acquiring banks. We are also continuing to cooperate with governmental agencies in their investigations of the Computer Intrusion. We are vigorously defending the litigation and claims asserted against us with respect to the Computer Intrusion.

TJX may suffer more losses over the years and they may be material. Well, that’s a reasonable supposition. The TJX intrusion is a watershed event to be sure, and could result in lawsuits the likes of which we haven’t seen in the past, as well as new legislation related to protection of financial information and remedies for failures.

Update: intruders probably broke in through WiFi by breaking WEP. More here.

Free online CISSP training course

SearchSecurity, one of several TechTarget properties, has developed 10 free online CISSP training lessons, available here:

http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1050517,00.html