[SecurityRatty] tag: col

You want the truth, you can't handle the truth!

Thu, 10 Jul 2008 18:50:16 +0000

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco???s network admission control, circa Dec ???03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard???s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can???t take the analyst out of the man), takes exception to Hoff???s ???whining??? (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong. Great Richard you try to prove them wrong, when because of what they report you don???t have a market, can???t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

???Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.???

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth. Richard the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can???t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help ???clean the sand??? out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don???t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard. Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that). Richard we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one Richard. Just as you are out of touch in missing Hoff???s point in his article.

As to Hoff???s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to ???learn??? from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live???pet??? customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy. But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

You want the truth, you can't handle the truth!

Thu, 10 Jul 2008 18:35:46 +0000

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong. Great Richard you try to prove them wrong, when because of what they report you don’t have a market, can’t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth. Richard the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

As to Hoff’s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live“pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy. But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

Sometimes danger lurks right under our nose.

Thu, 05 Jun 2008 18:23:00 +0000

When Executive Protecion Specialists think and speak about "Threat Assessment", they are usually focusing on a known or suspected danger that may prove life-threatening. Sometimes, that danger may already have made itself at home and is silently destroying lives and eating away at victims like a cancerous growth.

One such story was highlighted by the "Washington Post Magazine" on May 25th, 2008. It involved a young girl who had been molested and raped by her own father. A man who was something of a hero to many. A man who had walked side by side with Dr. martin Luther king and who was only a few feet away from the Civil Rights leader when he was assasinated. That man is James Bevel.

I had the pleasure of listening to Col. Dave Grossman speaking at UCLA last April. He was eloquent in his description of how young lives are taken and families estroyed by School killings. He also spoke about those who prey on the less suspecting. He equated it to the Wolves hunting down and eating sheep. Mr. Bevel appears to be one of those parasitic wolves.

For years he raped his little daughter, telling her it was something of an "experiment". In his mind, he didn't think that it mattered. His unfathomable belief (and apparently remains the same until this day) is that all women are prostitutes until they reach a certain age, when sex is set aside for procreation. This beleif allowed him to allegedly rape his eight year old daughter on many occassions.

His daughter, Aaralyn Mills, finally found the courage to step foward and contact the Police in 2005. She assisted the Leesburg authorities to tape record her conversation with her father. In that conversation, James Bevel admitted raoping his daughter and that it was part of a scientific process. Unfortunately, her mother, like many other mothers, did not want or couldn't face the truth. This gave the big, bad wolf all the space he needed to desecrate the little sheep.

Sadly, men like this are living throughout our communities. they come in all shapes, sizes nd colors. Some are Doctors, Community leaders, Priests, Police Officers, Electricians and Preachers. If you have been entrusted with the job of protecting an innocent lamb, be a strong and fearful sheepdog and protect your flock, with your very life if need be. Be brave like Aaralyn Mills. She stepped forward at this time in her life because her father who has many children with many different women has now a young daughter and her half-siter is afraid that he will rape her too.

Walter Reed Army Medical Center breach through P2P

Tue, 03 Jun 2008 05:14:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
United States Army

Contractor/Consultant/Branch:
Walter Reed Army Medical Center ("WRAMC")

Victims:
"Military Health System beneficiaries" or patients

Number Affected:
~1,000

Types of Data:
"Names, Social Security numbers, birth dates and other information"

Breach Description:
"WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army."

Reference URL:
Walter Reed Army Medical Center News
Associated Press
WISH TV Channel 8 News

Report Credit:
Walter Reed Army Medical Center

Response:
From the online sources cited above:

WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army.

Names, Social Security numbers, birth dates and other information was released, hospital officials said Monday.
[Evan] This information belongs mostly to military personnel that were patients of WRAMC. The victims are the people that defend this country. Grrr.

The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said.

Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.
[Evan] There is more insight into the cause of the breach below. Keep reading.

Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised.

Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise.

The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.

the company was working for another client, found the file and contacted Walter Reed.

The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out, beginning Monday.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records."
[Evan] Obviously easier said than done.

Walter Reed plans to offer free credit protective services to patients whose information was revealed.

The hospital also has set up a hot line for people to call to see if their information was disclosed (1-877-854-8542, ext. 9).

The Health Insurance Portability and Accountability Act of 1996 protects patients from unauthorized release of their health records. The Walter Reed Army Medical Center has a robust information assurance program that meets all program standards and requirements. The compromised data file did not include protected health information such as medical records, diagnosis or prognosis for patients.

Message to "Team WRAMC" from COL Patty Horoho:
I want to ensure that each of you have an understanding of what may be in the papers regarding possible disclosure of personal data. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. The information did NOT contain any protected health information such as medical records, diagnosis or prognosis for patients. The individuals impacted have been identified and we are taking a proactive approach to contact them to assist in providing fraud protection services. Below is the media release we sent out will provide more details. A 24/7 hotline has been established in the Combined Operations Center, 202-782-8333 or 877-854-8542 ext 9 and a info site on the web page is also being created.

I need everyone to ensure that they are not loading or down loading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared.

Commentary:
So the cause of this breach was an unauthorized installation and configuration of a Peer to Peer (P2P) program. My concerns about this revolve around the ability to install the application and the inability of WRAMC personnel to block and/or detect the network traffic.

The installation of computer programs on a computer usually require elevated privileges such as administrative access. Are users of WRAMC information resources also administrators of their systems? If so, this is generally not a good idea.

P2P programs such as BitTorrent, Morpheus, Lime Wire, etc. are dependent upon a network to work, thus the "Peer to Peer". Most, if not all P2P network traffic is easy to block and/or detect with any combination of filtering, network access control and intrusion detection or prevention. Are these technologies not in use at WRAMC?

Lastly, what is WRAMC policy with respect to acceptable use and network access? There is no mention in the news reports.

Past Breaches:
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

Parents can't afford to let their guard down when it comes to their children's safety

Fri, 23 May 2008 00:35:00 +0000

I was very fortunate last night to have been able to attend a presentation in Richmond by the well known Criminal and Behavioral Profiler, Dr. Clinton Van Zandt.
Dr. Van Zandt adressed a dinner which was organized by the Private Investigators Association of Virgina. Attendees were kept spell bound by inside sories involving the Jon Bennet Ramsey murder, The Unibomber, The Beltway Snipers and more.

Last month I was also fortunate to have been able to hear Col. Dave Grossman speak eloquently and passionately about the tragic school shootings in which he has been called in to assist educators and parents understand. One thing is clear from listening to both men, parents need to be ever mindful of the fact that they are their children's protectors. They are the sheepdogs, ever on the lookout for marauding wolves.

If you are a parent, or an educator or a security professional, I strongly urge you to read up on the teachings of these learned men and jump at the opportunity to hear them live if at all possible. I personally guarantee you that you will not be disappointed.

Marines Land in Afghanistan -- with Biometrics

Thu, 22 May 2008 18:30:00 +0000

A year ago this June, Taliban fighters streamed into the remote town of Chora in southern Afghanistan expecting an easy victory over impoverished villagers. Instead, they met heavy resistance from scores of uniformed Afghan men.

Those so-called Afghan National Auxiliary Police (ANAP), all formerly in the service of local warlords, had received two months of training by Dutch and American soldiers and were now the first line of defense against the Taliban.

Arming tribesmen was a risky idea. True, this sort of tribal initiative had been effective in Iraq. But NATO commanders feared that Afghan loyalties to their warlords ran too deep. NATO was “arming people who were not necessarily in line with the [Afghan] government,” U.S. Brig. Gen. Robert Cone told Wired.com.

So, last month, NATO fired the auxiliary cops and scrapped the tribal strategy, leaving gaping holes in Afghanistan's defenses. The fix? Marines, of course, armed with fingerprint pads, iris scanners and electronic databases.

With these biometric tools, the Marines are planning to recruit new cops who have no ties to tribal warlords. “We know there are some shadow police and some militia-type police,” Lt. Col. Ray Hall, the Marine commander, said. “Once we go through the vetting process, we'll have everybody screened … so that problem should go away.”

That means scanning every new recruit's unique iris “eye prints,” logging their thumb prints and feeding it all into a growing, but still very spotty, national database linked to criminal and intelligence records. If a cop has any known warlord ties, he's disqualified from serving.

CIA teams used FBI biometrics while hunting for known Al Qaeda operatives in Afghanistan in 2001, and since then, the military has gathered data on almost every Afghan it comes in regular contact with.

There's one more problem. Not all the military databases can talk to one another. “We haven't standardized,” said Larry Schneider, a Northrop Grumman VP who last year was working on collapsing many biometrics systems into just one.

Until everyone is looking at the same data, seditious Afghan cops will probably keep falling through the cracks.

NSA Attacks West Point! Relax, It's a Cyberwar Game

Fri, 09 May 2008 21:00:00 +0000

Five hours into their assault on West Point, the hackers got serious.

The SQL [structured query language] inserts that came earlier were just pablum intended to lull the Army cadets into a false sense of security. But then the bad guys unleashed a stealthy kernel-level rootkit that burrowed into one workstation, started scraping data and "calling home."

It was a highly sophisticated attack, but this time the bad guys were really good guys in wolves' clothing.

For four days in late April, the National Security Agency -- the nation's most secretive repository of spooks, snoops and electronic eavesdroppers -- directed coordinated assaults on custom-built networks at seven of the nation's military academies, including West Point, the Army university 50 miles north of New York City.

It was all part of the seventh annual Cyber Defense Exercise, a training event for future military IT specialists. The exercise offered a rare window into the NSA's toolkit for infiltrating, corrupting or destroying computer networks.

The 34 Army cadets comprising the West Point IT team operated in a different kind of battlefield, but their combat skills and instincts need to be every bit as sharp. Like George Washington said: "There is nothing so likely to produce peace as to be well prepared to meet the enemy."

The SQL injections, targeting their Fedora Core 8 Web server, were a piece of cake for these IT combatants. Each injection tried to smuggle malicious code inside the seemingly harmless language used by the network’s MySQL software. The cadets handily defended with open source Apache web server modules, plus some manual tweaking of the SQL database to "avoid any surprises," in the words of Lt Col. Joe Adams, a West Point instructor who helped coach the team.

But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home" the cadets launched Sysinternal's security software to find the hijacker, then they manually scoured the workstation to find the unwelcome executable file.

Then they terminated it. With extreme prejudice.

"This was probably the most challenging part of the exercise, since it required them to use some advanced techniques to find the rootkit," Adams says. And rooting it out helped boost the West Point team to the top of the pile when, in the aftermath of the exercise, the referees rated all the universities' network defenses.

For the second year in a row, the Army placed first over the Navy, Air Force, Coast Guard and others, winning geek bragging rights and the privilege of holding onto a gaudy, 60-pound brass trophy festooned with bald eagles and American flags. Adams credits the team’s thorough preparation and their excellent teamwork despite the round-the-clock schedule.

At the network control room on the second floor of West Point’s 200-year-old engineering building (which once was an indoor horse corral and still smells like it in some remote corners, according to one instructor), the IT team set up cots and, just for the hell of it, camouflaged netting. They worked in shifts, with one team member always monitoring incoming and outgoing traffic. He or she would alert other cadets -- "router guys" -- to block any suspicious addresses. Meanwhile, off-shift cadets would make food and coffee runs to keep everyone fueled up and alert. Together, the team was "faster than anyone else," Adams says.

But the way the cadets designed their network was a big factor in their victory, too. The NSA dictated some terms: All networks had to be capable of e-mail, chat and other services and had to be up and running at all times despite any attacks or defensive measures. Beyond that, the teams were free to come up with their own designs.

West Point's took three weeks to build. The cadets settled on a fairly standard Linux and FreeBSD-based network with advanced routing techniques for steering incoming traffic in directions of the IT team's choosing.

The choices in software tools for responding to any attack really boiled down to "automatic" versus "custom," says Eric Dean, a civilian programmer and instructor. He adds that while automatic tools that do most of their own work are certainly easier, custom tools that allow more manual tweaking are more effective. "I expect one of the 'lessons learned' will be the use of custom tools instead of automatics."

Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones.

"One of the challenges was when they see a scan, deciding if this is it, or if it’s a cover," says Dean. Spotting "cover" attacks meant thinking like the NSA -- something Dean says the cadets did quite well. "I was surprised at their creativity."

Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network.

And despite the relative sophistication of the NSA's assaults, the agency told Wired.com that it had tailored its attacks to be just "a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones."

In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.

From warzones to strip clubs, the truth comes out for a former First Lady and a Pastor.

Sun, 30 Mar 2008 16:57:00 +0000

Last week in the Washington Post, "The Fact Checker" awarded former first lady, Hillary Clinton, four "Pinocchios" (real whoppers)for claiming to have come under sniper fire during a photo op. in Bosnia. On Thursday, Michael Dobbs once again awarded Senator Clinton another "poker" of Pinocchios.

This time she took heat for claiming that her trip to Bosnia was the first visit to a "war zone" by a first lady since World War II. Her claim is considered completly inaccurate, since Pat Nixon made a trip to Saigon in July 1969. At the time, South Vietnam was an actual, not a "potential" war zone in the aftermath of the 1968 Tet offensive.

The article also made mention of Barbara Bush's visit to Saudi Arabia in 1990, two months before the Persian Gulf war began. Speaking about Senator Clinton's claim that her aircraft made a tactical landing back in 1996, the pilot of the aircraft had a different memory. Retired Air Force Col. William Changose said that it was not true that they took evasive measures to avoid sniper fire. The Colonel went on to say that: "not only were there no bullets flying, there wasn't even a bumblebee flying around".

It seems that Senator Clinton is not the only one in the public eye to suffer from Pinocchioitis. Apparently the Police in Riverside, Ohio found a Pastor who had gone missing from his home in western New York, since Wednesday the 26th of March, after telling his wife that he was going to Best Buy to have his computer fixed. Officers found the Pastor at a strip club called the "K.C. Lounge", partying like a New York Govenor.

We often hear people in the media complaining about the negative effects that Rap music has on our youth. One wonders why we are now not hearing more complaining about the so-called role models getting caught with their pants down, so to speak. At least with the likes of rappers and other "bad boy" entertainers, what you see, is what you get. It's little wonder that so many people are comfortable telling lies during interviews and embellishing resumes in order to get hired and get ahead.

When I was going to school, the "dog ate my homework" excuse was used but not believed. Also, it tended to get used by children who had not yet reached their teens. I think that even children of that age these days will be able to see through these poorly constructed falsehoods that our "role models" would have us believe.

Unbelievable.

Oliver North ridicules Spitzer, calls on IT to hire war vets

Mon, 10 Mar 2008 21:00:00 +0000

ORLANDO -- At a security conference in Orlando Tuesday, Col. Oliver North mocked the plight of New York Gov. Eliot Spitzer, caught up in a prostitution-ring scandal that may end his political career.

It may be fashionable in Paris, but will lipstick and high heels keep Qaddafi Safe?

Mon, 24 Dec 2007 13:58:00 +0000

News reports were buzzing after Libya's controversial leader, Col. Qaddafi visited Paris. Most focused on the extravagance of the trip. Many appeared mesmerized by his all-female protective detail.

While we are used to seeing females as part of protective details, especially where female principals and children are involved, there is something that does not appear right about the Libyan leader's detail. There seems to be too much emphasis being placed on their looks and style. Afterall, it is quite difficult to imagine an attack scenario on a Principal being handled professionally by a security detail where everyone is wearing high heels and smiling at the cameras.

At the risk of sounding sexist or demeaning to women, these Libyan bodyguards look more like flight attendants than any kind of presidential Secret Service type of unit. While a strong case can be made that these women are helping to promote women's rights in the Islamic world, one wonders if they offer the kind of serious protection needed by a country leader.

This is even more relevant in today's climate with reports that Al Quaeda consider Qaddafi as an enemy of Islam for having "sold out" to the West. No doubt, his cruising around Paris with French President, Nicolas Sarkozy will not help his cause back at home.