<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: dodge]]></title>
    <link>http://securityratty.com/tag/dodge</link>
    <description></description>
    <pubDate>Thu, 27 Dec 2007 10:42:18 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[VCs Choosing How to Invest]]></title>
      <link>http://securityratty.com/article/c4d8ac0dd426afdf9ac1d38d36dad4e8</link>
      <guid>http://securityratty.com/article/c4d8ac0dd426afdf9ac1d38d36dad4e8</guid>
      <description><![CDATA[Don Dodge has a series going on about VCs and why startups fail, and he says VCs say no to startups 99% of the time, yet still choose failing companies 33% of the time or so. Interestingly he compares...]]></description>
      <content:encoded><![CDATA[<p>Don Dodge has a series going on about VCs and why startups fail, and he says VCs say no to startups 99% of the time, yet still choose failing companies 33% of the time or so. Interestingly he <a rel="nofollow" target="_blank" href="http://dondodge.typepad.com/the_next_big_thing/2008/08/why-vcs-say-no-99-of-the-time.html">compares</a> the selection process to the way investors choose their stocks &#8211;</p>
<blockquote><p>I would guess that every one of you reading this blog has a stock portfolio with 5 to 10 individual stocks or mutual funds. There are more than 5,000 publicly listed companies to choose from, and another 5,000 mutual funds. But, out of 10,000 possible companies you chose 10 to invest in. Why? Why did you reject the other 9,990 companies? Obviously there are more than 10 good companies to invest in. Other investors chose to invest their money in the other 9,990 companies&#8230;why not you?</p></blockquote>
<p>I suppose the difference must be that many investors aren&#8217;t actively involved in their investments (maybe entrepreneurs are more so, since they have to know a certain investment space quite well)&#8230;</p>
<p>It sounds to me a lot like the editorial selection process for book manuscripts, articles, and so forth &#8212; editors receive a ton of submissions and they have to be choosy. Sometimes they don&#8217;t pick winners; sometimes they pick losers. More importantly, each has a personal style, opinions, and preferences, and they are trying to appeal to a certain audience. It&#8217;s interesting to think that VCs are similar, but it makes sense: the end question of &#8220;What will be successful?&#8221; really depends on the consumer base and industry, and VCs are just people who probably know and prefer to interact with a certain type of consumer base or audience.</p>]]></content:encoded>
      <pubDate>Mon, 04 Aug 2008 06:23:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/investors chose">investors chose</category>
      <category domain="http://securityratty.com/tag/chose">chose</category>
      <category domain="http://securityratty.com/tag/investors">investors</category>
      <category domain="http://securityratty.com/tag/editorial selection process">editorial selection process</category>
      <category domain="http://securityratty.com/tag/investors choose">investors choose</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/selection process">selection process</category>
      <category domain="http://securityratty.com/tag/choose">choose</category>
      <category domain="http://securityratty.com/tag/mutual funds">mutual funds</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/355545351/">VCs Choosing How to Invest</source>
    </item>
    <item>
      <title><![CDATA[We should all be this bad - Microsoft is dead, long live Microsoft!]]></title>
      <link>http://securityratty.com/article/ad83513676ccf299126b10f556d6b99e</link>
      <guid>http://securityratty.com/article/ad83513676ccf299126b10f556d6b99e</guid>
      <description><![CDATA[I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug. Google is going to usher in a...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug.&nbsp; Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.&nbsp; Don Dodge had a <a href="http://dondodge.typepad.com/the_next_big_thing/2008/07/microsoft-revenues-top-60-billion---up-9b-over-last-year.html">good article up the other day</a> about Microsoft’s recent end of FY numbers.&nbsp; The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!&nbsp; They dropped 17.6 billion (again with a b) to the bottom line.&nbsp; To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.&nbsp; Microsoft grew 9 billion in revenue last year.&nbsp; That is, they grew organically more than a whole Yahoo.&nbsp; You can check out Don’s article for more financial facts and figures.</p>

<p>I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down?&nbsp; If you were a betting person, would you be betting against this monster?&nbsp; I would not be.&nbsp; Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft, try to put some of these numbers in perspective.</p></div>
]]></content:encoded>
      <pubDate>Wed, 23 Jul 2008 20:57:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/kill microsoft">kill microsoft</category>
      <category domain="http://securityratty.com/tag/revenue">revenue</category>
      <category domain="http://securityratty.com/tag/gross revenue">gross revenue</category>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/yahoo">yahoo</category>
      <category domain="http://securityratty.com/tag/net centric">net centric</category>
      <category domain="http://securityratty.com/tag/article">article</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/07/we-should-all-b.html">We should all be this bad - Microsoft is dead, long live Microsoft!</source>
    </item>
    <item>
      <title><![CDATA[We should all be this bad - Microsoft is dead, long live Microsoft!]]></title>
      <link>http://securityratty.com/article/302c83cf612d5a4d4cae54bf106c3b8a</link>
      <guid>http://securityratty.com/article/302c83cf612d5a4d4cae54bf106c3b8a</guid>
      <description><![CDATA[I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug. Google is going to usher in a new...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug.&nbsp; Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.&nbsp; Don Dodge had a <a href="http://dondodge.typepad.com/the_next_big_thing/2008/07/microsoft-revenues-top-60-billion---up-9b-over-last-year.html">good article up the other day</a> about Microsoft’s recent end of FY numbers.&nbsp; The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!&nbsp; They dropped 17.6 billion (again with a b) to the bottom line.&nbsp; To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.&nbsp; Microsoft grew 9 billion in revenue last year.&nbsp; That is, they grew organically more than a whole Yahoo.&nbsp; You can check out Don’s article for more financial facts and figures.</p>

<p>I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down?&nbsp; If you were a betting person, would you be betting against this monster?&nbsp; I would not be.&nbsp; Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft, try to put some of these numbers in perspective.</p></div>

]]></content:encoded>
      <pubDate>Wed, 23 Jul 2008 19:57:20 +0000</pubDate>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/revenue">revenue</category>
      <category domain="http://securityratty.com/tag/gross revenue">gross revenue</category>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/kill microsoft">kill microsoft</category>
      <category domain="http://securityratty.com/tag/article">article</category>
      <category domain="http://securityratty.com/tag/dons article">dons article</category>
      <category domain="http://securityratty.com/tag/microsofts recent">microsofts recent</category>
      <category domain="http://securityratty.com/tag/microsofts">microsofts</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/344249153/we-should-all-b.html">We should all be this bad - Microsoft is dead, long live Microsoft!</source>
    </item>
    <item>
      <title><![CDATA[Fort Lewis soldiers exposed by laptop theft]]></title>
      <link>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</link>
      <guid>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested

Organization
United States Army
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usarmy.jpg" width="88" align="right" height="119"><font size="2"><b>Date Reported: </b><br>7/9/08 (UPDATED 7/11/08 - </font><a href="http://www.theolympian.com/377/story/504243.html">Laptop with information about soldier found; Lacey teen arrested</a>)<br><font size="2"><br><b>Organization: </b><br><a href="http://www.army.mil/">United States Army</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.lewis.army.mil/index.asp">Fort Lewis</a>*<br><font size="1"><br>*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West).&nbsp; Fort Lewis has more than 25,000 soldiers and civilian workers, source: <a href="http://www.lewis.army.mil/about-ft-lewis.asp">About Fort Lewis</a> </font><br><br><span style="font-weight: bold;">Victims:</span><br>Soldiers<br><br><span style="font-weight: bold;">Number Affected:</span><br>~800 - 900<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.king5.com/localnews/stories/NW_070808WAB_soldiers_ID_theft_KC.3e0bcdc6.html">KING Channel 5 News</a> <br><a href="http://www.thenewstribune.com/news/local/story/409911.html">Tacoma News</a> <br><br><span style="font-weight: bold;">Report 
Credit:</span><br>Elisa Hahn, KING Channel 5 News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.<br><br>In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3<br><span style="font-style: italic;">[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one.&nbsp; Moving the mobile device outside of a controlled area is strike two.&nbsp; Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.</span><br><br>He reported them stolen about 10 a.m. on July 4.<br><span style="font-style: italic;">[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.</span><br><br>A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.<br><br>the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. 
They’ll get follow-up letters.<br><br>Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.<br><br>Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.<br><br>They’re also supposed to be password-protected and personal information is supposed to be encrypted<br><br>The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.<br><br>"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.<br><br>"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."<br><br>there was no classified, secret or top-secret information on the laptop and the hard drive.<br><br>Caruso said the employee was working on a project regarding a particular unit at a location other than his office.<br><br>She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.<br><span style="font-style: italic;">[Evan] It is probably inappropriate to speculate, but you know we will anyway.&nbsp; My guess is that there is another person looking for a job in the Olympia, Washington area.</span><br><br>Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements<br><br><span style="font-weight: bold;">Commentary:</span><br>When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me.&nbsp; These men and women give everything to 
protect us.&nbsp; Without them I wouldn't be able to write this, and without them you wouldn't be able to read it. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>United States Army:<br>June, 2008 - <a href="http://breachblog.com/2008/06/03/walterreed.aspx">Walter Reed Army Medical Center breach through P2P</a> <br>April, 2008 - <a href="http://breachblog.com/2008/04/13/usaasc.aspx%20">Excel Spreadsheet on the web exposes Army officers and civilians</a> <br><br></font><br>
]]></content:encoded>
      <pubDate>Fri, 11 Jul 2008 09:44:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fort lewis soldiers">fort lewis soldiers</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/fort lewis">fort lewis</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/lacey police officials">lacey police officials</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/army">army</category>
      <category domain="http://securityratty.com/tag/army standards">army standards</category>
      <source url="http://breachblog.com/2008/07/11/usarmy.aspx">Fort Lewis soldiers exposed by laptop theft</source>
    </item>
    <item>
      <title><![CDATA[Cloud computing - I want my cake and eat it too]]></title>
      <link>http://securityratty.com/article/08cf5b6a5664248521e1cb7dde8a58c7</link>
      <guid>http://securityratty.com/article/08cf5b6a5664248521e1cb7dde8a58c7</guid>
      <description><![CDATA[It's easy to dismiss Don Dodge's asking &quot; Do you really want your data in the cloud &quot; as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and...]]></description>
      <content:encoded><![CDATA[<p>It's easy to dismiss Don Dodge's asking "<a href="http://dondodge.typepad.com/the_next_big_thing/2008/06/amazon-twitter-disqus-down-do-you-really-want-your-data-in-the-cloud.html">Do you really want your data in the cloud</a>" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability. <br><br>Don has a point: even though net access and SaaS services are much more mature than they were in the past, there are always times when they do not work. For that matter, cell phones, BlackBerries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it when it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even then, problems accessing data on a disk, an application not behaving, or security problems could leave you just as frustrated on your non-networked device as Amazon or Twitter being down does now.<br><br>Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to realize the dreams many had of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and offline on my computer, then sync up later. Ultimately, when it comes to cloud versus local computing, I want my cake and eat it too.</p>
]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 18:20:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cloud">cloud</category>
      <category domain="http://securityratty.com/tag/net">net</category>
      <category domain="http://securityratty.com/tag/net terminals">net terminals</category>
      <category domain="http://securityratty.com/tag/net access">net access</category>
      <category domain="http://securityratty.com/tag/cloud versus local">cloud versus local</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/model">model</category>
      <category domain="http://securityratty.com/tag/personal computer">personal computer</category>
      <category domain="http://securityratty.com/tag/applications">applications</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/307722334/cloud-computing.html">Cloud computing - I want my cake and eat it too</source>
    </item>
    <item>
      <title><![CDATA[LPL Financial reports eighteen compromised logons]]></title>
      <link>http://securityratty.com/article/cacd9aa988fd370cb50e60d379a7975a</link>
      <guid>http://securityratty.com/article/cacd9aa988fd370cb50e60d379a7975a</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/6/08

Organization
LPL Financial

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
10,219

Types of Data
names, addresses, phone...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/lpl.jpg" align="right" height="60" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.lpl.com/">LPL Financial</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>10,219<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, phone numbers, account numbers, Social Security numbers, and dates of birth"<br><br><span style="font-weight: bold;">Breach Description:</span><br>LPL Financial recently notified the Maryland State Attorney General of a breach in which "hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL")."&nbsp; The "hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-152079.pdf">Maryland State Attorney General breach notification</a>&nbsp; <br><br><span style="font-weight: bold;">Report Credit:</span><br>Maryland State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We write to advise you of incidents in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL").<br><span style="font-style: italic;">[Evan] How does a "hacker" compromise usernames and passwords of eighteen people working for the same company?&nbsp; Compromised logon server, spear phishing, malware?</span><br><br>To our knowledge, the hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny 
stocks.<br><br>Attempted transactions were intercepted and either rejected or reversed.<br><br>No losses were passed on to customers<br><br>Hackers compromised the logon passwords of fourteen financial advisors and four assistants in branch offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months.<br><br>These incidents affected approximately 10,219 individuals<br><br>The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.<br><span style="font-style: italic;">[Evan] I don't know the architecture of LPL's network or other infrastructure components, but I question why customers or financial advisors need access to Social Security numbers as part of a trading system.&nbsp; I know that LPL needs to store Social Security numbers for tax and other reporting purposes, but financial advisors, traders and customers don't need access to them.</span><br><br>At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach<br><br>We also are unaware of any personal instance of identity theft related to these incidents.<br><br>LPL learned of the first incident on July 16, 2007 and took the following actions: (1) notified law enforcement; (2) notified our primary regulator, the Financial Industry Regulatory Authority; (3) investigated the situation; (4) determined what information had been compromised; and (5) notified and offered solutions to the affected individuals.<br><br>LPL has taken several important steps to improve its level of data security and compliance<br><br>LPL has increased the profile of data security issues within the company at all levels, up to and including senior management.<br><br>In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at 
LPL.<br><span style="font-style: italic;">[Evan] This is the first breach notification that I have read that included this type of information.&nbsp; I don't know Mr. Loewenthal (which doesn't say too much), but I do know that he is stepping into a pressure situation.</span><br><br>Mr. Loewenthal has extensive experience in the area of data protection.&nbsp; As a member of senior management, he reports directly to the Chief Risk Officer of LPL.<br><span style="font-style: italic;">[Evan] I like when I read about information security personnel occupying "senior management" positions.&nbsp; Effective information security management needs to be as "senior" as possible in order to effect change in the organization.&nbsp; Information security governance is NOT an IT issue, but an organizational issue.&nbsp; There need to be more good CISOs and CSOs.</span><br><br>In addition, LPL has developed a new, comprehensive information privacy and security program with new policies and procedures that were implemented in April 2008.<br><br>In August 2007, LPL engaged the services of Kroll Inc. ("Kroll"), a risk consulting company, to provide various services<br><br>In addition, LPL has commenced a project to enhance security on its advisor facing trading and operations systems in September 2007 and expects the project to complete in December 2008.<br><span style="font-style: italic;">[Evan] Details are not available, but I would be interested in knowing more.&nbsp; Maybe removal of SSNs from the advisor facing trading systems and two-factor authentication are part of the mix.</span><br><br>Finally, LPL recently engaged the services of Edwards Angell Palmer &amp; Dodge LLP to advise Mr. 
Loewenthal and LPL's in-house counsel as needed on information privacy and security issues.<br><br>LPL Financial is providing affected individuals with credit protection services from Kroll, Inc.<br><br>If you have any questions or feel you have an identity theft issue, please call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.<br><br>If you want to talk to someone at LPL Financial to clarify or discuss the contents of this letter, please call us 1-800-558-7567, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.<br><br>We apologize for any inconvenience or concern this situation may cause.<br><br>We at LPL Financial believe it is important for you to be fully informed of any potential risk resulting from this incident.<br><br>We remain committed to maintaining customer privacy as a key priority and will continue to take the needed steps to protect your information.<br><br><span style="font-weight: bold;">Commentary:</span><br>What makes this breach so interesting to me is the fact that there were at least 18 points of attack.&nbsp; I don't get the feeling that this was some sophisticated high-tech "hack" of LPL Financial's systems.&nbsp; It is much easier to craft an email or call someone and convince them to give you their login information.&nbsp; <br><br>Good luck Mr. Loewenthal, I'm sure you'll do fine! <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 20 May 2008 04:56:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lpl financial">lpl financial</category>
      <category domain="http://securityratty.com/tag/lpl">lpl</category>
      <category domain="http://securityratty.com/tag/lpl financial recently">lpl financial recently</category>
      <category domain="http://securityratty.com/tag/lpl recently">lpl recently</category>
      <category domain="http://securityratty.com/tag/login information">login information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security governance">information security governance</category>
      <category domain="http://securityratty.com/tag/information privacy">information privacy</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://breachblog.com/2008/05/20/lpl.aspx">LPL Financial reports eighteen compromised logons</source>
    </item>
    <item>
      <title><![CDATA[Are your digital devices Certified Pre-0wned?]]></title>
      <link>http://securityratty.com/article/95751c95a8406869ae2dbe324ea5e7cd</link>
      <guid>http://securityratty.com/article/95751c95a8406869ae2dbe324ea5e7cd</guid>
      <description><![CDATA[I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the band and pontificate with no holds barred about...]]></description>
      <content:encoded><![CDATA[<p>I took part in the <a href="http://www.sourceboston.com/blog/?p=27">L0pht Reunion Panel</a> at the <a href="http://www.sourceboston.com/">Source Boston</a> conference in Cambridge, MA last Friday.  It was a lot of fun to get back together with the &#8220;band&#8221; and pontificate with no holds barred about the latest security threats, just <a href="http://www.nytimes.com/library/magazine/home/19991003mag-hackers.html">like we did in the old days</a>.</p>
<p>One of the questions asked of the panel by moderator <a href="http://mffitzgerald.com/">Michael Fitzgerald</a> (who did a kick-ass job) was, &#8220;What scares you the most these days?&#8221; My answer was the proliferation of inexpensive digital devices made in China that we plug into our computers.  The malware problem is getting tricky to dodge.  First you <a href="http://en.wikipedia.org/wiki/Melissa_(computer_worm)">couldn&#8217;t open email attachments</a> you weren&#8217;t expecting. Then you had to worry about <a href="http://news.bbc.co.uk/2/hi/technology/6645895.stm">surfing even trusted websites</a> with JavaScript turned on, even with the latest patched browsers. Now you have to worry about <a href="http://news.yahoo.com/s/ap/20080314/ap_on_hi_te/factory_installed_viruses">plugging in the shiny new digital toy</a> you got as a gift. Perhaps it&#8217;s a digital picture frame, digital camera, music player or silly programmable gizmo. Welcome to the age of factory-installed malware &#8211; the age of devices coming <em>Certified Pre-0wned</em>.</p>
<p>The Associated Press <a href="http://news.yahoo.com/s/ap/20080314/ap_on_hi_te/factory_installed_viruses">writes</a>:</p>
<blockquote><p>Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.</p>
<p>In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.</p></blockquote>
<p>We all know malware is starting to fly under the radar of black list style detection.  Low volume malware is flooding the AV labs&#8217; capability to build detection for it. The digital picture frame sold at Sam&#8217;s club was infected with previously unknown malware that stole passwords and turned off AV software.</p>
<p>An additional threat that has been reported is devices have been found infecting the flash memory cards that are often inserted to upload photos.  <a href="http://isc.sans.org/diary.html?storyid=3995">From SANS</a>:</p>
<blockquote><p>“Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus.”</p></blockquote>
<p>We are back to the days of the floppy or &#8220;sneaker net&#8221; attack vector. Do you know who has touched your SD card or USB drive? Don&#8217;t use it in public.  Don&#8217;t share it with multiple machines. Dan Geer told me he once tossed a USB drive into an audience with the slides for a presentation he just delivered on it.  About 10 people passed it around and copied off the slides.  It came back with a virus on it.  And this was at a security conference.</p>
]]></content:encoded>
      <pubDate>Mon, 17 Mar 2008 13:11:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/low volume malware">low volume malware</category>
      <category domain="http://securityratty.com/tag/drive">drive</category>
      <category domain="http://securityratty.com/tag/tech devices">tech devices</category>
      <category domain="http://securityratty.com/tag/usb drive">usb drive</category>
      <category domain="http://securityratty.com/tag/previously unknown malware">previously unknown malware</category>
      <category domain="http://securityratty.com/tag/digital picture frame">digital picture frame</category>
      <category domain="http://securityratty.com/tag/inexpensive digital devices">inexpensive digital devices</category>
      <source url="http://www.veracode.com/blog/?p=82">Are your digital devices Certified Pre-0wned?</source>
    </item>
    <item>
      <title><![CDATA[Off the wire: Pump-and-dump scam spam switches on video]]></title>
      <link>http://securityratty.com/article/79bfec94f5c24d2c39221b3451ad855a</link>
      <guid>http://securityratty.com/article/79bfec94f5c24d2c39221b3451ad855a</guid>
      <description><![CDATA[Uses video clips to shill stock and dodge antispam...]]></description>
      <content:encoded><![CDATA[Uses video clips to shill stock and dodge antispam defenses.]]></content:encoded>
      <pubDate>Thu, 27 Dec 2007 10:42:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dodge antispam defenses">dodge antispam defenses</category>
      <category domain="http://securityratty.com/tag/shill stock">shill stock</category>
      <category domain="http://securityratty.com/tag/video clips">video clips</category>
      <source url="http://feeds.feedburner.com/~r/HelpNetSecurity/~3/207000658/news.php">Off the wire: Pump-and-dump scam spam switches on video</source>
    </item>
  </channel>
</rss>
