[SecurityRatty] tag: eds

All Quiet on the CA Front

Wed, 01 Oct 2008 11:31:54 +0000

If you’ve read the blog, you know that we follow the Perils of CA with much amusement. Honestly, you couldn’t make up the stuff that Sanjay Kumar et al were and apparently are still making headlines with “35-day months”, accusations that founder Charles Wang knew and was part of the whole mess, a former US senator involved too, Sanjay’s unbelievable $1 billion in restitution…and the list goes on. (img from NYTimes.com)

But I am reminded that it’s not just the titillating stuff that’s of interest. CA is still one of the Big 4 and up until a couple of years ago making headlines with some major and strategic purchases in our space – such as buying Concord for its e-Health software in 2005 and Wily Technology in 2006.

I recently ran across a 451 Group report, “CA: ghosts of deals past” by Brenon Daly (if you haven’t read one of his takes on the M&A market, you don’t know what you’re missing) that showed quantitatively just how much the acquisitions had slowed down.

2003 – 4

2004 – 3

2005 – 6

2006 – 6

2007 – 0

2008 – 0 (so far)

Two or three years ago (I still have the slide in our presentations), it seemed like you couldn’t go a month or two without hearing about the latest acquisition by the Big 4 – to either fill gaps in their monolithic portfolios or take out a growing threat, which had built some good technology. This should sound very familiar to anyone (like me) who rubbed up against WorldCom. Growth (in revenue and technology) by acquisition. Buy your own revenue and don’t worry about the niggling details like integration.

But we’ve certainly seen the acquisition trend slow across the board. HP, after its mega-purchase of Mercury Interactive in 2005 for $4.5 billion, for example, went relatively silent on the acquisition front in our space. Perhaps, as it turns out, because they were too busy preparing for the even bigger purchase of EDS for $13.9 billion (and the layoffs, 24,600 and counting, which in this worsening economy are probably just starting).

HP Hires 140,000 to Get Rid of Your Job

Wed, 27 Aug 2008 09:47:57 +0000

HP completed its $13.25 billion acquisition of EDS today.

Can HP-EDS put its money where its mouth is? EDS profit margin, pre-acquisition, was under 6%. The former EDS CEO, now heading the combined outsourcing unit, expects to leverage HP automation tools to cut costs and improve that margin.

But Rod Bourgeois, an analyst at Sanford Bernstein says, “It’s not like HP has automation tools that weren’t at EDS’s disposal before.”

But this brings up a good point. EDS and 140,000 new bodies notwithstanding, HP seems to be positioning itself to do a big automation push in the marketplace.

Of course this makes sense – we’ve talked before about what a critical role automation is going to have in managing the rapidly evolving “dynamic” data center. Technologies like virtualization and cloud computing needs are pushing out the limits of real-time resources management in the data center; management tools must perform faster, integrate with more solutions across the spectrum of IT infrastructure and be smart enough to do much of this on their own.

MSSP and NAC - true love or lust?

Thu, 22 May 2008 06:51:56 +0000

A recent edition to the Security Bloggers Network (over 50,000 combined subscribers strong now!) is Grant Hartline, CTO of Mirage Networks, Mirage blog. Mirage is a competitor of StillSecure in the NAC marketplace, sometimes (actually we don't run into them very often) but I was happy to see them join the SBN. I have certainly taken shots at them in the past and am glad they are using the blogging medium to put their own point of view out there. Networks like the SBN are strongest when multiple and different points of view are represented. Anyway, Grant has been blogging up a bit over there with some good stuff, especially about post-connect, NAP, Interop and Joel Snyder. Grant's most recent article is called MSSP and NAC - True Love.

For the most part I agree with Grant that NAC is a natural for the managed services space. However, I think for the MSSP (managed security services provider) market specifically it may be beyond their current offering levels. Most MSSP offerings today are focused at the perimeter. They have grown from managed firewall to managed IDS/IPS, managed anti-spam and managed content filtering. Now managed UTM is all the rage. However, all of these technologies are perimeter based. If I am not mistaken Mirage's early experience offering a managed service was with AT&T offering it as a behavior based type of intrusion prevention and worm detection. I think moving into the internal network with a more traditional NAC offering might beyond the current scope of most pure MSSPs. However, managed service providers who are already providing desktop management and full network management like an EDS, IBM or HP are indeed natural candidates to provide a managed NAC service. I think we will be seeing much more of managed NAC from these type of providers in the future, but it will be a while until the pureplay MSSPs have managed NAC.

Links List 5.16.08

Fri, 16 May 2008 14:01:19 +0000

Interoperability continues to be an issue for Microsoft, as they face another complaint in Europe. I seem to remember big signs in the Microsoft booth touting “interoperability” at Interop…it makes us all smile.

Denise Dubie of Network World shares her top 3 reasons to get excited about management technology, particularly network and systems management. She discusses that innovative technologies often require superior management to meet high demands, as well as the benefits of saved time, reduced costs, and streamlined applications.

An Infoworld blog cites some very interesting numbers around the needs driving green computing. Datacenters total estimated energy bill will be $11.5billion in 2010, up 34% from 2007. This reflects a 16% increase in installed server base – wonder how much this projection takes virtualization adoption into account?

Dave’s friend and network security e-pundit, Alan Shimmel writes about his un-interoperability experience at Interop this year. As part of InteropNet, the multi-vendor project all about interoperability, we of course had a different opinion. Different perspectives are a good thing.

HP announced its intention to buy EDS this week for $13.9 billion. There was a lot of talk about HP positioning itself better to take on IBM in the technology services space, but more interesting to us was what such a deal means to Microsoft. Given the combined Microsoft-buying/bought power of HP and EDS, will the new HP have the power to push Microsoft around?

ShareThis

TOP 10 - HP-EDS buy, Icahn strikes again, China quakes

Thu, 15 May 2008 20:00:00 +0000

This was a big IT news week, with the massive earthquake in China on Monday showing once again the role that the Internet plays in connecting us all, in good times and bad, and the importance of telecommunication, particularly for rural areas. HP opened the week with word that it is buying EDS. And the Microsoft-Yahoo saga was back in headlines, thanks to investor Carl Icahn, who hasn't enjoyed a good proxy fight lately and so decided to try to shake up Yahoo's board.

HP buying EDS- Offensive to IBM or defensive to Indian firms?

Mon, 12 May 2008 16:40:45 +0000

Saw the big news today about HP maybe buying EDS in a deal rumored to be in the 12 to 13 billion dollar range. That is a fat 35%+ premium over what it was trading at before rumors of the deal were announced. Most of the commentary I have seen positions this deal as HP making a move to better compete with IBM. While I agree that is certainly an angle to this deal, I think another important angle is keeping HP ahead of the pack of large Indian services firms that have been expanding world-wide over the last few years. In the global marketplace for IT services and consulting, HP and IBM may be the American based entries in a world-wide competition with Infosys, Tata, and other firms from India, China and the rest of the world.. For this reason I think it is a good move by HP to shore up a solid second place behind IBM.

I should mention that at StillSecure we partner with both companies and I have had a chance to work with both of them. EDS is certainly not the powerhouse it was 10 years ago, let alone in the Ross Perot/GM heyday. Like any company that size it is hard to make rapid change with the amount of inertia built into the system. However, they have been in turn around mode for several years and perhaps HP can make this buy with EDS on the way up. One thing for sure is Mark Hurd, HP CEO is remaking this company in his own wishes if not image. So far everything he has touched there has turned out well, so lets see what he can do with EDS's 2.8% average year to year growth. He will have to do better for this deal to be considered a success.

TRICARE breach affects 4,700 households

Thu, 20 Dec 2007 09:15:59 +0000

Technorati Tag: Security Breach

Date Reported:
12/07/07

Organization:
TRICARE

Contractor/Consultant/Branch:
TRICARE Area Office Europe (TAO-Europe)
Department of Defense TRICARE Management Activity (TMA)
Electronic Data Systems (EDS)

Victims:
TRICARE beneficiaries located in Europe between the years 2004 and 2007

Number Affected:
4,700 households

Types of Data:
Full or partial Social Security Numbers, and for one or more members of the affected household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TMA

Breach Description:
On November 7th, 2007 Electronic Data Systems (EDS) reported to TRICARE that they had discovered a potential compromise of sensitive personally identifiable information belonging to beneficiaries located in Europe. EDS is an IT contractor for TRICARE and "had not appropriately secured a part of the system" they support.

Reference URL:
TRICARE TMA Website Announcement
Air Force Times Story

Report Credit:
TRICARE

Response:
From the online sources cited above:

A potential compromise of personally identifiable information belonging to approximately 4,700 TRICARE beneficiaries located in Europe occurred recently due to a problem with a claims Web site managed by Electronic Data Systems (EDS).

The incident was reported to TRICARE on November 7, 2007. The information that was potentially compromised, however, existed between the years 2004 and 2007.

The compromised information may include your full or partial Social Security Number, and for one or more members of your household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TRICARE Management Activity.

Although the assessment yields that external entities did in fact, access the system for purposes that do not appear malicious, at this time we have no indication that any of your personal information has been misused.
[Evan] This statement is a little confusing to me. Are the "external entities" authorized or not? If they were not authorized to use the system, and they had in fact accessed the system, then I would say that the access was probably malicious in nature.

It is possible that an unauthorized person could have accessed your personal information, but the Department of Defense is taking proactive steps to keep you informed.
[Evan] I don't like the word "proactive" when using it in reference to a reaction. The notification is a reaction to a lack of proactivity. You dig?

Those who may have been potentially affected by this compromise will receive a notification letter

The data was held on a Web application server that allowed external entities an unauthorized level of access without going through the required authentication process if the Web address was known.

That situation has since been remedied.

Practices such as Public Key Infrastructure (PKI) requirements and authentication verification cookies have fixed all known vulnerabilities associated with this incident. In addition, the CMS application has since been taken off-line. EDS has completed the forensics analysis of the server and is performing a by-line code review to ensure there are no further critical vulnerabilities present in the code.
[Evan] Should EDS be the ones conducting the vulnerability assessment and code review? If it were me, I would feel more comfortable with a third-party review.

EDS is offering beneficiaries put at risk a free, one-year subscription to a credit monitoring and protection service.

Additionally, those affected will receive up to $20,000 identity theft protection coverage with no deductible as it relates to this matter.

Affected beneficiaries with questions or concerns may contact the EDS Incident Response Center at 1-800-556-3195.

Those located outside the United States must dial the country’s AT&T USADirect access number first.

Commentary:
I am trying to determine with some certainty what led to this breach.
Was it poorly written code? (check out OWASP)
Was it a mis-configuration of the web server?
Was encryption not required, i.e. a user could use http or https to access the application?
Was it a combination of factors? I will assume it was a combination of factors.

On the one hand, I commend EDS for disclosing the breach to TRICARE, but on the other hand I am concerned about how long this problem may have gone un-noticed. Web applications acquiring, processing, accessing, storing or interacting with sensitive information in any manner require regular security reviews commensurate with the risk to the such information (unauthorized disclosure, alteration or destruction). This seems to be a case where you have an IT contractor in charge of design, implementation and maintenance of an application (typically with functionality as a driving factor) but also in charge of maintaining it's security. Information security really is a "stand-alone" function that should not be lumped into the same IT contract and warrants a "stand-alone" contract with a company that specializes in information security. My $.02.

Past Breaches:
Unknown

Security Consultant Hacks: Size Matters

Thu, 20 Dec 2007 02:16:07 +0000

This is part of my occasional series on security consultants and how best to employ them.

Security consulting operations come in the standard small, medium and large sizes. Small shops are less than 30 consultants, medium 31-200, large 201+.

Small shops: Sometimes known as boutique firms or lifestyle firms (since the people that run them take jobs when they want and only when they want) can be excellent resources within their specialities. Typically these are 1-5 person shops that are fairly niche focused, maybe they specialize in Web Application Security, secure development, or PCI audits.

Advantages: If you are using them in an engagement that is their speciality you are going to get a lot of bang for your buck. Prices are generally in line with normally hourly rates but try to get them to make a fixed cost bid. Most of the smaller shops are terrible at estimating and you have a lot of leeway once you get them in to push a little scope creep on them, all within reason of course. Don’t forget these people have to eat and they might not have another gig lined up after yours.

Disadvantages: Scheduling and resources. Small shops can easily get stretched. They can generally only handle 1 or 2 engagements at the same time. If they are a lifestyle shop they like to take long vacations. If you need a time sensitive service, like incident response or forensics, it might be better to go with a larger shop or at least have a backup plan if your small shop is not available.

Medium Shops: In my opinion the medium shops are the best balance between flexibility, resources and mailability. They typically employ at least 3-4 people for any given service they are offering so you get some decent coverage. Quality stays fairly high top to bottom. They will employ junior people but they are not likely to send them out solo.

Advantages: Good flexibility, reasonable prices and good access to people resources.

Disadvantages: Increasingly are becoming part of traditional VAR shops so they might be prone to push product on you. Can still run into resource issues if something big comes. Also are prone to the bait-and-switch where they pitch the rockstar and the new kid shows up to do the actual work.

Large Shops: Have hundreds if not thousands of consultants and a bill rate to match. Incredible appetite for large and lengthy engagements. I did time at EDS and let me tell you they are pretty evil, at least when I worked there. We would get a long term contract, then hire the cheapest talent we could find. They would then proceed to screw things up and cause other problems and we would then point out that fixing those problems was outside the scope of the contract! Cha-ching!

Advantages: No one gets fired for going with IBM, EDS or PWC. You will have a lot of people show up day 1.

Disadvantages: Masters of the bait-and-switch, the business model they run practically make it a requirement. Not usually the home of subject matter experts. All those people that show up day 1 need a place to sit.

Who are you favorite security consultants and why?

Consultants

When Do You Need Consultants?
This is part one of a continuing series about how to use information security consultants effectivel...
Is Your Security Consultant Hacking You?
I am surprised I didn't think of this! :-) This security consultant was not satisfied with a high bi...
Alumnus hacks Texas A&M system
My dad is a Aggie, sorry to see his school can't secure their systems. If anyone is from Texas they ...
Hackers Buy Ads to Install Malware
My Review of Tiger Team

Post from: Grumpy Security Guy

Security Consultant Hacks: Size Matters

Show 005 - An Interview with Ed Felten

Mon, 28 Aug 2006 14:05:36 +0000

The fifth edition of the Silver Bullet Security Podcast features Ed Felten, Professor of Computer Science and Public Affairs at Princeton University and the Director of the Center for Information Technology Policy. Gary and Ed take a look at Ed’s predictions for 2006 and how he’s faring so far and then discuss Ed’s relationship with his former adversaries. They also talk about how to discuss difficult technology issues with lawmakers and the importance of public policy and the law to computer scientists. Ed also outlines the challenges of raising a bright 11-year-old.