[SecurityRatty] tag: dennis

Speaking of Security Podcast #123

Sun, 28 Sep 2008 20:00:00 +0000

Click to Download/Listen (07:03)

Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.

Show 029 - An Interview with Dennis Fisher

Mon, 18 Aug 2008 11:05:01 +0000

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

Vulnerability in SNMP 3

Wed, 11 Jun 2008 03:17:05 +0000

Dennis Fisher blogs over at SearchSecurity.com about a new critical flaw found in SNMPv3. I have blogged before how some NAC vendors that utilize SNMP have tried to fool unknowing sys admins that SNMP stands for security network management protocol, instead of simple NMP.

The SNMP zealots have always tried to counter the SNMP is not secure arguments by pointing to v3 as very security method and now this flaw is found. How many more will be found? In any event glad they found and fixed this. Now if they could just find someone using SNMPv3 it would be great!

Way to go Dennis!

Sun, 25 May 2008 10:56:04 +0000

A story with a good ending. So many Vets dont get what they deserve form us.

clipped from www.steamboatpilot.com

Country, community, commencement

Craig — The year was 1964, and Dennis Collins, a wild, 17-year-old Moffat County High School junior, had a family tradition to follow and a country to protect.

Collins, 60, joins more than 150 high school seniors in donning cap and gown and receiving their high school diplomas during commencement services in the MCHS gymnasium.

Stolen SunGard laptop affects at least 10 post-secondary schools

Mon, 21 Apr 2008 10:49:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College

Contractor/Consultant/Branch:
SunGard Higher Education*

*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.

SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!

Victims:
Students and a limited number of employees

Number Affected:
Unknown, but at least 23702

Types of Data:
Personal information including names, Social Security numbers and financial aid information

Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."

Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport

Report Credit:
SunGard Higher Education

Response:
From the online sources cited above:

A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.

Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.

The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. Operating system passwords (especially Windows) can be bypassed in a matter of seconds. This is a poor attempt to minimize the incident.

The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", it would have (in conjunction with other controls) reduced the risk of exposure to a level that is acceptable to many organizations (mine included).

All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.

The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.

could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.

could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.

Social Security numbers of about 16,000 current and former Buffalo State College students

affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.

We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that often times computer equipment is stolen for the hardware value, but how do we know? I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.

The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.

Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.

"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."

"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,

A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.

A help desk has been established with a toll-free number, (866) 520-2408, to respond to questions from affected individuals.

Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity. One year is very limited for information that has a much longer lifespan.

Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.

Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?

"You’d think it would be somewhat secure," Bissell said of his personal information.

He plans to closely monitor his bank statements and account activity following the announcement.

Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.

"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.

"I could wind up with bad credit when I’m on a good roll."

Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?

Nuts.

Past Breaches:
Unknown

Welcome to Microsoft Dennis Groves

Wed, 16 Apr 2008 10:29:13 +0000

I have been waiting to send this email since January; welcome to Microsoft Dennis Groves. Dennis will be a Technical Product Manager for the Connected Information Security Framework (more on that as promised next week). Dennis started OWASP with me back in the day and we have been trying to find a way to work [...]

Captching

Fri, 22 Feb 2008 20:21:27 +0000

Dennis Groves just sent me this, made me chuckle. Earlier this year an XSS Worm contest was going on. A few people got passionate about the ethics but essentially everyone watched on to an anticipated dull outcome. I wonder wether a competition to share exploit code to generate the most ridiculous words on a Public [...]

Malicious Advertising (Malvertising) Increasing

Wed, 20 Feb 2008 19:33:33 +0000

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious flash advertisements that were, and still participate in the rogue ads attacks :

01. quinquecahue.com (190.15.64.190)
quinquecahue.com/swf/gnida.swf?campaign=tautonymus
quinquecahue.com/swf/gnida.swf?campaign=atliverish
quinquecahue.com/statsg.php?campaign=meatrichia

quinquecahue.com/swf/gnida.swf?campaign=atticismus

02. akamahi.net (190.15.64.185)
akamahi.net/swf/gnida.swf?cam
akamahi.net/swf/gnida.swf?campaign=innational
akamahi.net/swf/gnida.swf?campaign=annalistno
akamahi.net/statsg.php?u=1199891594&campaign=annalistno

03. thetechnorati.com (190.15.64.191)
thetechnorati.com/swf/gnida.swf?campaign=ofcavalier
thetechnorati.com/swf/gnida.swf?campaign=whoduniton
thetechnorati.com/statsg.php?u=1198689218

04. vozemiliogaranon.com (190.15.64.192)
vozemiliogaranon.com/statss.php?campaign=zoolatrymy
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy
vozemiliogaranon.com/statss.php?campaign=revenantan

05. newbieadguide.com (190.15.64.188)
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=2rapid1y
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=germanit
newbieadguide.com/swf/gnida.swf?campaign=ta5temix
newbieadguide.com/swf/gnida.swf?campaign=c0pperin
newbieadguide.com/swf/gnida.swf?campaign=remain0r
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof
newbieadguide.com/swf/gnida.swf?campaign=m9in9re9

06. traffalo.com (84.243.252.94)
traffalo.com/swf/gnida.swf?campaign=atekistics
traffalo.com/swf/gnida.swf?campaign=byagnostic
traffalo.com/statsg.php?u=1201711626

traffalo.com/statsg.php?u=1202224809

07. burnads.com (84.243.252.85)
burnads.com/swf/gnida.swf?campaign=1akeweak
burnads.com/swf/gnida.swf?campaign=flatfootup

08. v0zemili0garan0n.com
v0zemili0garan0n.com/statsg.php?u=1199391035

09. adtraff.com (84.243.252.84)
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe

adtraff.com/swf/gnida.swf?campaign=forcejoe

adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=weightt0

10. mysurvey4u.com (194.110.67.22)
mysurvey4u.com/swf/gnida.swf?campaign=rubberu5

mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe

11. traveltray.com (194.110.67.23)
traveltray.com/swf/gnida.swf?campaign=pavoninean

12. tds.promoplexer.com (217.20.175.39)
tds.promoplexer.com/statsg.php
adtds2.promoplexer.com/in.cgi?2

Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :

aboutstat.com
newstat.net
officialstat.com
stathisranch.net

station-appraisals.net

Contact details of the fake new media advertising agencies :

- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210

- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"
mysurvey4u.com

- AdTraff - "Leader enterprise in Online Marketing"

Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70

Detection rate :

gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc

The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.

Checklists -The Preserve of the Intelligent

Sun, 17 Feb 2008 04:51:11 +0000

As the New Yorker says “If something so simple can transform intensive care, what else can it do?”. Dennis Groves sent me this article a week ago and I read it twice. Each time I couldn’t stop myself thinking about how many people in the information security industry shun checklists and considering why this is. [...]

Theft from vendor affects Modesto City Schools employees

Tue, 12 Feb 2008 12:03:09 +0000

Technorati Tag: Security Breach

Date Reported:
2/11/08

Organization:
Modesto City Schools

Contractor/Consultant/Branch:
Systematic Automation Inc.

Victims:
School district employees

Number Affected:
3,500

Types of Data:
Names, addresses, birth dates and Social Security numbers

Breach Description:
A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California. Systematic Automation Inc. prints annual benefits summaries for employees.

Reference URL:
The Modesto Bee online story
KCRA Channel 3 News story
ABC News Channel 10 story

Report Credit:
KCRA Channel 3 News

Response:
From the online sources cited above:

All 3,500 employees were affected by the breach, which happened after a computer drive with names, addresses, birth dates and Social Security numbers was stolen from a Southern California data processing firm in Fullerton.

Systematic Automation Inc., prints benefits information for employees including health benefits for the district.

The hard drive and three monitors were stolen at 4:30 a.m. in a "window smash" burglary, said Sgt. Linda King with the Fullerton Police Department.

An e-mail was sent out to all affected employees.

Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format.
[Evan] Good and bad. Good that the school district encrypted the information before sending it out. Bad that the school either did not communicate it's security expectations well or enforce them through regular audits of vendors.

"We want to do the accountable thing, which is to let everyone know so they can take their own steps to protect themselves," Modesto City Schools Superintendent Arturo Flores said.

Director of Business Services Dennis Snelling said no cases of identity theft connected with the data breach have been reported.

"We’re keeping an eye out," Snelling said. "We want our people to be able to protect themselves."

Snelling said other agencies had their data compromised in the theft, but he did not have details.
[Evan] Not cool.

Snelling sent a memo by e-mail and hard copy on paper just before 2 p.m. to warn employees and provide information about how to monitor for fraud.

District officials said they plan to look into the security practices of each agency to which that receives employee information is sent.
[Evan] Excellent addition to their practices. Vendors and contractors are extensions of the organization.

"We’d certainly be taking that up with Systematic Automation," he said. Employees with concerns can contact Louise Baker, supervisor of payroll and benefits, at 576-4192.

Victim Reaction:
"There are a lot of very unhappy people," said Ray Duran, vice president of the Modesto Teachers Association. "I just hate to think all my stuff is out there. We know these things happen. We just hope the district will find a way to remedy the problem."
[Evan] Unfortunately, there is little remedy for exposed information. Once information has been exposed, it stays exposed.

Sonoma Elementary teacher Judy Pierce said she was pleased at how quickly the district notified district employees and provided steps to help prevent identity theft.

"I think all of us hope in our lifetime we won’t be faced with these issues," Pierce said. "But (the district) gave us an entire two pages of steps of who to go to, who to contact. It made it very, very easy for us to follow through on it."

Commentary:
I am actually impressed with how well the school responded to this breach. It appears that they notified employees in a timely manner. The school also appears to know a thing or two about information security as demonstrated by encrypting the data and now recognizing the importance of evaluating vendor security practices.

Past Breaches:
Unknown