[SecurityRatty] tag: animal

They give you love unconditionally, give it back!

Tue, 26 Aug 2008 11:00:08 +0000

Just a lil blurb for this great volunteer organization that gets animals that are doomed to die from shelters and finds them homes.

clipped from www.petfinder.com

Trails of Happy Tails

Trails of Happy Tails is a 501c3 non-profit animal rescue organization strictly ran by volunteers. We mainly rescue dogs and cats from the Merced County Animal Shelter. We work with many different rescue groups throughout the state, placing thousands of abandoned, neglected, and unwanted animals. We’ve reduced the euthanasia rate from 70% to 35%.

Straight Talking Warren Buffett

Mon, 25 Aug 2008 08:45:00 +0000

For those who did not hear Warren Buffett being interviewed last Friday morning on CNBC, he did not beat about the bush when talking about the former Presidential hopeful, John Edwards.

Mr. Buffett came straight out and accused Mr. Edwards of soliciting and taking money by deceitful means during his unsuccessful Presidential bid earlier this year. According to Mr. Buffett, John Edwards knew back then that it was only a matter of time before the media uncovered the story of his mistress and alleged love-child.

Unfortunately, this did not stop him from asking suporters to fund his campaign. Had people knew about the extra-marital affair, they most likely would not have sent in their hard earned dollars as there was no chance that he could continue in the race once the damning news broke. Mr. Buffett suggested that Edwards should cut back on a few of those expensive haircuts and return those fifty and one hundred dollar donations that came in from ordinary hard working followers.

This sentiment rings true for my industry. At our training courses, we focus on Ethics at the beginning of the course and it runs throughout the training. Nobody is saying that we are not human and we do not make mistakes - we all do, but covering up the truth to further your own selfish goals is a practice that would probably even disgust the animal Kingdom - except the reptiles possibly.

Thank you Mr. Buffett for being so frank and forthright in this era of sterile political correctness. This is why I enjoy working with successful business people and despise the empty promises and double-talking of policticians, to whatever party they belong. To those of you in the security world, again I implore you to never forget that your word is your bond and at the end of the day, your reputation will live on after you are long gone.

Links for 2008-07-23 [del.icio.us]

Wed, 23 Jul 2008 20:00:00 +0000

Social Networking: When It All Goes Horribly Wrong

Tue, 01 Jul 2008 15:33:10 +0000

Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.

Link here.

Why you dont like to voluntarily buy security solutions - and how to get around the issue

Sun, 15 Jun 2008 23:28:06 +0000

Bruce Schneier’s recent explanation in a CIO article of psycho-economic experiments regarding how we handle simple security investment makes us all look pretty silly (click HERE). With images that bring to mind Jack Black playing the part of a doomed jungle animal or primitive “homo securosis” (in my mind’s eye, anyway), he recalls Kahneman and [...]

If they are so harmful, why are they added?

Thu, 05 Jun 2008 10:44:01 +0000

Im sorry, couldnt resist this post.
Is it in the best interest of big business to kill us off?
Or in the big scheme of profit vs consumer, maybe it does not matter.

clipped from health.msn.com

12 Food Additives to Avoid

Whoever coined the term “food additives” had it all wrong. Including something new in a food doesn’t always add up to more, at least when it comes to your health. Many studies that test the safety of additives are based on animal trials. It is difficult to deduce whether the results of an animal study equate to human health, though many of these studies show that the additives could be cancer-causing. Here, 12 additives to subtract from your diet.

Wee-Fi: Caribou Roams Free; OK Wi-Fi Network A-OK

Wed, 04 Jun 2008 16:54:42 +0000

Caribou goes free: Caribou, like its totem animal, has spent a while roaming and grazing. It started with SBC FreedomLink (now AT&T Wi-Fi), moved to Wandering Wi-Fi, and then, sticking with that firm, has opted to drop the free-with-an-order or modest fee service. It's now all free.

Nintendo DS lost free McDonald's-Fi last year: Not with a blam blam, but with a whimper, did the Wi-Fi-enabled game player's two-year deal with Wayport expire. The Web site Knowzy revealed the agreement ended in Nov. 2007, and notes that because the DS lacks a Web browser, it's essentially unusable at public hotspots.

Oklahoma City has 555 sq mi network: Fortunately, not 666 sq mi down there near the Bible Belt. The municipal network has 150 applications available on it, and uses Tropos gear. The network covers 95 percent of the city's core area, with the whole network having 100-percent dedication to city workers and public safety purposes. This includes real-time video from 300 cameras. Tropos says 150 applications are available over the network. The network cost a tiny amount, just $5m, relative to the high cost of public access Wi-Fi. These sorts of networks are far easier to build. Funding came from city funds designated for capital improvement and public safety. The real question, of course, is whether savings in efficiency--and lives saved, even--can be measured over time.

Jericho Forum and the Collaboration Oriented Architecture (COA) position paper

Fri, 09 May 2008 10:16:55 +0000

Blogger: Dan Blum

After discussing the concept of collaboration oriented architecture (COA) for some time, Jericho Forum released its COA position paper last month at the RSA and Infosecurity Europe conferences. The paper is now posted at http://www.opengroup.org/jericho/COA_v1.0.pdf.

For those who may be unfamiliar with Jericho Forum, it started as a user forum for discussing the problem of deperimeterization, wherein centralized firewalls become less effective as the mainstay of corporate security due to mobility, partnering, outsourcing, telecommuting and all those good things that happen as organizations become more geographically distributed and virtual.

The COA paper focuses on the need for business processes to operate across and between multiple organizations, potentially over untrusted networks such as the Internet. Users and endpoints must securely interact with services and applications controlled by multiple security domains.

The COA position paper builds on the Jericho Forum commandments, which are published at http://www.opengroup.org/jericho/commandments_v1.2.pdf. When reading the commandments, by the way, I find it helps to ignore the explanatory paragraphs, and just focus on the 11 statements of principle. This gets me away from nitpicking the explanations to death and into a state where I just accept them as a very good list of principles for operating securely over open networks.

The COA position paper spends much of its space describing the need for secure, open collaboration as well as principles, processes, standards and frameworks through which the collaboration might be achieved. Most of this doesn’t convey much new information to persons who already grasp the notion of deperimeterization and understand that security is about people, process and technology. But there were some really interesting bits in the section Recommended Solution/Response:

"The COA framework generalizes conventional architectures as follows. It provides:

increased emphasis on the requirements listed under ‘principles’ below. These are traditionally only seen as external or ‘boundary’ interface concerns in enterprise architectures.
a user repository (keyed on people identifiers) is generalized into a contract repository (keyed on relationship, or obligation identifiers). A contract repository records agreements, and the obligations and capabilities that ensue from them.
an accounting log (keyed on system events) is generalized into a reputation repository (keyed on business events). A reputation repository records user actions and compares them to applicable contracts, and, depending on whether or not the actions are in accordance with the contract, upgrades or downgrades a reputation.

The architecture formed by combining SOA (Service Oriented Architecture) with available security protocols (SAML or other XML) is insufficient to support COA. The following elements are also valuable: [Here, I shorten and paraphrase the list of bullet points]

attribute brokers
access brokers
contract brokers
policy language (like XACML 3.0)
performance manager (builds audit logs and reputation systems)”

I wish that the COA position paper had spent more space discussing some of its recommended solutions. The notion of a reputation system (not just a repository) is something we’re hearing more and more about. There is also a growing awareness of the importance of intermediaries, or brokers, that can fairly represent the interests of multiple parties. Perhaps we’ll see this covered in some future Jericho Forum work.

PS: The last bit of COA, in the conclusion, was quite entertaining: “A fundamental shift in thinking is required to implement a COA, moving from the thinking of a hedgehog, an animal that rolls into a tight ball at any sign of threat, to that of a Strawberry Plant, which puts all its key genetic material securely on its outside, as well as sending out suckers to extend the plant’s domain

Jericho Forum and the Collaboration Oriented Architecture (COA) position paper

Fri, 09 May 2008 10:16:55 +0000

Blogger: Dan Blum

The COA position paper spends much of its space describing the need for secure, open collaboration as well as principles, processes, standards and frameworks through which the collaboration might be achieved. Most of this doesn???t convey much new information to persons who already grasp the notion of deperimeterization and understand that security is about people, process and technology. But there were some really interesting bits in the section Recommended Solution/Response:

"The COA framework generalizes conventional architectures as follows. It provides:

increased emphasis on the requirements listed under ???principles??? below. These are traditionally only seen as external or ???boundary??? interface concerns in enterprise architectures.
a user repository (keyed on people identifiers) is generalized into a contract repository (keyed on relationship, or obligation identifiers). A contract repository records agreements, and the obligations and capabilities that ensue from them.
an accounting log (keyed on system events) is generalized into a reputation repository (keyed on business events). A reputation repository records user actions and compares them to applicable contracts, and, depending on whether or not the actions are in accordance with the contract, upgrades or downgrades a reputation.

attribute brokers
access brokers
contract brokers
policy language (like XACML 3.0)
performance manager (builds audit logs and reputation systems)???

I wish that the COA position paper had spent more space discussing some of its recommended solutions. The notion of a reputation system (not just a repository) is something we???re hearing more and more about. There is also a growing awareness of the importance of intermediaries, or brokers, that can fairly represent the interests of multiple parties. Perhaps we???ll see this covered in some future Jericho Forum work.

PS: The last bit of COA, in the conclusion, was quite entertaining: ???A fundamental shift in thinking is required to implement a COA, moving from the thinking of a hedgehog, an animal that rolls into a tight ball at any sign of threat, to that of a Strawberry Plant, which puts all its key genetic material securely on its outside, as well as sending out suckers to extend the plant???s domain

700,000 records on stolen CCB server

Tue, 22 Apr 2008 10:57:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/18/08

Organization:
Numerous*

*See Commentary section for list of businesses

Contractor/Consultant/Branch:
Central Collection Bureau ("CCB")

Victims:
Individuals who were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Number Affected:
~700,000

Types of Data:
"personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes"

Breach Description:
"Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana. This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes."

Reference URL:
Central Collection Bureau
Chicago Sun-Times (Associated Press)
NBC Channel 13 Eyewitness News

Report Credit:
Central Collection Bureau

Response:
From the online sources cited above:

SECURITY BREACH NOTIFICATION ALERT:
CENTRAL COLLECTION BUREAU
Dated April 18, 2008

Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana.

This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes.

These individuals were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Approximately 700,000 files may have been breached.

The businesses that engaged CCB for debt collection during that period of time are listed below.

Please note that only a very small percentage of the individuals who were patients or customers of the businesses below—i.e., those who ultimately were referred for debt collection—would have their personal information included in the CCB database.

Some of the information might be outdated. St. Vincent Health System said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old.
[Evan] This was a question that my colleagues and I were debating about this breach. 700,000 records seems like an awful lot of "active" collection accounts. CCB would need quite a few collection agents to service this many accounts, if in fact they were all active. I think we can assume that only a fraction of the 700,000 records were actually "active" and CCB did not effectively destroy information that they no longer needed to keep.

Other patients and customers of those companies are not affected by this breach.

The theft occurred on Friday, March 21, 2008, at CCB's location in Indianapolis.

On that date, thieves broke into the company's offices and stole 8 computers, as well as one of its servers (databases).

The server was password protected and protected by three locked doors. The 8 computers did not contain personal information.

The information was protected by two passwords but was not encrypted, Klene said.

"Our server was password protected. We have obviously spoken to some IT people who feel that a good computer hacker could get through those passwords," he said.
[Evan] It doesn't even take a "good computer hacker" to get through the passwords.

CCB promptly contacted the police and is working with the Indiana Attorney General's office.

The company also promptly installed additional locks, a security system, and a motion detection system to help minimize the risk of any further unauthorized access to its information.
[Evan] These will help with physical security. Full-disk encryption and a effective data retention policy wouldn't hurt for logical security, eh? Us information security guys would refer to multiple defensive layers as "defense in depth". Brilliant!

CCB apologizes to its clients and all Indiana residents affected by this incident.

"We're obviously heartsick about this," said Chet Klene, Central Collection Bureau president. "We've been in business since 1972, and nothing like this has ever happened before."
[Evan] I don't doubt that CCB is "heartsick" by this incident. I feel bad for them and the fact that they probably did not know any better. Maybe this is partly a failure on the part of the information security profession as a whole.

While the company has no information suggesting that the breach occurred for purposes of identity theft, it nevertheless has contacted the three national credit bureaus to place a fraud alert.

Please go to the CCB website at www.ccbinc.net, call CCB at 317-887-5165 or 1-800-878-5165 or email CCB at theft@ccbinc.net for more information

Commentary:
Clients of CCB with information on the stolen server include:

Academy Animal Hospital, Advanced Interventional Pain, Advanced Physical Therapy, Alternative Care Experience, Anderson General Surgery, Andrew Dick MD, Anesthesia, Aqua Systems, Associated Billing, "Barbara Sturm, MD", Brad Sammons DDS, Brien Grow DO, Buchanan Counseling Services, Campion Barrow & Assoc., Cardiothoracis Surgeons, Cardiovascular Diagnostic Services, Carl Foster MD, Caryn Guba DDS, Center For Orthopaedic Surgery, Central Indiana Phys Medicine & Rehab, Charles Howe Professional Medical Corp, Charles Kelley III DPM, Charles Kerkhove Jr DDS, Charles Tomich DDS, Chiropractic Thereputics, Citizens Gas & Coke, City of Franklin Ambulance, Clarian Radiology, Clinical Laboratory Physicians, Comdent, Comprecare, Culligan Water Conditioning, Cummins Behavioral Health System, D.E. Kelley DDS, Daniel Feeny MD, David Pennington III MD, David Shaw MD, David Szentes MD, Denture By Design, Dermatopathology Lab, Diagnostic Medicine, Dunlap Urgent Care, Edward J Diekhoff MD, Emily Cline MD, Emergency Medical Group Physicians, Forest Creek Family Dental, Friendly Village of Indy, Gary Hunt DDS, Gary Taylor DDS, Generations In Dentistry, George Small Jr MD, Gial Anesthesiology Service, Grandmas House Child Care, Greg Hardin MD, Hamilton Anesthesia Group, Hearing Center, Henderson Drugs & Home Health, House of Kids, Howard Alig MD, Howard Regional Health System, Indiana Radiology Partners, Indiana Spine Group, Indiana General Surgery, Indiana Medical Network, Indpls Neurosurgical Group, Internal Medicine Plus, JCB Anesthesia & Pain Mgt, Jeffrey Stevens DPM, Jennifer Siegel DDS, JMH Health Affiliates, John Jackson DC, John Norris MD, Johnson Co Anesthesia, Johnson County REMC, Johnson Memorial Hospital, Joseph Meek DDS, Julie Chao MD, Kenny Stall MD, Kerry Mays MD, Kevin Macadaeg MD, Khalil Wakim MD, Kidd Pediatrics, Knowledge Learning Corp, Koehring & Sons, Kokomo Sports Center, Larry Buckel MD, Laura Steiner MD, Laura Stitle MD, Laurette Robey MD, Laverne Tubergen MD, Lawrence Falender DDS, Library Park Immediate Care, Lora Overton DO, Madison Anesthesia Group, Madison Avenue Flower Shop, Mark Ellis DDS, Mark Kahn DDS, Mark Ogle MD, Mark Yamanaka MD, Martinsville Dental Center, Memory Maker Studios, Mere Image Sportswear, Meridian Veterinary Clinic, Methodist Arthritis Physicians, Methodist Medical Group, Michael Arnold DDS, Michael Cozzi MD, Michael Harper, Midamerica Surgery Center, Milto Cleaners, Mitchell Foster MD, Muncie Cataract & Laser Center, Nancy Zinni MD, Northside Surgical Specialists, Northside Anesthesia Services, Northwest Medical Pain Control, Nufinity, Orthopaedic Supplies Inc., Panchapakesan Harlan MD, Paul Batties MD, Paul Johnson DDS, Paul Johnson DDS, Paul Strange MD, Philip Borders MD, Pioneer Anesthesia Consultanta, PT Buntin MD, R.D. McQuiston MD, Rebecca De La Rosa DDS, Richard Herd Jr DDS, Rick Stephens Builder, Riley Bennett & Egloff LLP, Robert Smith MD, Robert's Salon & Day Spa, Ronald Wines DDS, RW Armstrong, Sandhya Nanda MD, Sarah Akard DDS, Scot Hagadorn MD, South Emerson Anesthesia Assoc., South Emerson Pain Management, South Emerson Surgery Center, Southeast Family Physicians, Southside Animal Hospital, Southside Family Medical Group, Southside Pediatrics, St. Vincent Health and related entities, Stephen Stitle MD, Stephen Szynal DO, Stonehedge Apartments, Stop 11 Animal Hospital, Sun Medical, Surgical Associates of Madison Co, Susan Wagner DDS, Thomas Eads MD, Thomas Ferrara MD, Tim Schafer DDS, University Family Physicians, University Pediatric Associates, University Surgeons, USF Inc, Valle Vista Guidance Center, Valle Vista Hospital, Walker Family Dentistry, Wells & Marvel PC

Past Breaches:
Unknown