<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: excessive]]></title>
    <link>http://securityratty.com/tag/excessive</link>
    <description></description>
    <pubDate>Wed, 16 Jan 2008 09:21:41 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Social media challenges reside with users, not technology]]></title>
      <link>http://securityratty.com/article/3b3b1a8060c6c6b45ab883d05aaf9933</link>
      <guid>http://securityratty.com/article/3b3b1a8060c6c6b45ab883d05aaf9933</guid>
      <description><![CDATA[Strict network policing will not solve productivity problems stemming from excessive social media use, and the tactic could backfire. IT managers should embrace social media in the enterprise and...]]></description>
      <content:encoded><![CDATA[<i>Strict network policing will not solve productivity problems stemming from excessive social media use, and the tactic could backfire. IT managers should embrace social media in the enterprise and create best practice guidelines for employee usage.</i>]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 08:04:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/excessive social media">excessive social media</category>
      <category domain="http://securityratty.com/tag/embrace social media">embrace social media</category>
      <category domain="http://securityratty.com/tag/practice guidelines">practice guidelines</category>
      <category domain="http://securityratty.com/tag/employee usage">employee usage</category>
      <category domain="http://securityratty.com/tag/solve productivity">solve productivity</category>
      <category domain="http://securityratty.com/tag/strict network">strict network</category>
      <category domain="http://securityratty.com/tag/enterprise">enterprise</category>
      <category domain="http://securityratty.com/tag/backfire">backfire</category>
      <category domain="http://securityratty.com/tag/managers">managers</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/331858343/0,294698,sid186_gci1320732,00.html">Social media challenges reside with users, not technology</source>
    </item>
    <item>
      <title><![CDATA[I'm Getting Annoyed With A Vendor]]></title>
      <link>http://securityratty.com/article/a9a96ab6f079363083e9411f065109c6</link>
      <guid>http://securityratty.com/article/a9a96ab6f079363083e9411f065109c6</guid>
      <description><![CDATA[So, I discovered a vulnerability in a vendor's software which I reported to them on January 18, 2008, to which they responded the same day.
All well and good.
Yes, it's that blasted disclosure discussion...]]></description>
      <content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/06/annoyed.jpg" alt="annoyed" title="annoyed" width="400" height="433" /></center></p>
<p>So, I discovered a vulnerability in a vendor&#8217;s software which I reported to them on January 18, 2008, to which they responded the same day. </p>
<p>All well and good. </p>
<p>Yes, it&#8217;s that blasted disclosure discussion again. Now, of the vendors I have dealt with up until now (save one other), the turnaround time has been phenomenal. They have all been easy to work with, and I was more than willing to accommodate their timelines so that they could get their products fixed up. </p>
<p>No problem. </p>
<p>Well, I got this email from them today. Let&#8217;s call them vendor &#8220;X&#8221;. In response to my email checking in about our previously agreed-upon June release,</p>
<blockquote><p>The update from the dev team is that they now expect that we will have all updates for impacted products available in <b>November</b>.  It turns out that we will have to update all supported products which use [the software in question], and that the fix will need to be localized for our international customers. </p></blockquote>
<p>I should point out that they indicated that they would have to fix the international versions of said software when they wrote me back in January. </p>
<p>I have to say my good will is sparse at the moment. </p>
<p>Granted, this will affect a wide array of their products, but November? Am I being too harsh? I&#8217;m wondering whether or not to post it anyway. Not a path that I would normally consider, as I like to try and play nice, but almost a year to fix the problem seems rather excessive. </p>
<p>What would you do?</p>

]]></content:encoded>
      <pubDate>Tue, 10 Jun 2008 21:45:36 +0000</pubDate>
      <category domain="http://securityratty.com/tag/products">products</category>
      <category domain="http://securityratty.com/tag/vendors software">vendors software</category>
      <category domain="http://securityratty.com/tag/products fixed">products fixed</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/fix">fix</category>
      <category domain="http://securityratty.com/tag/vendors">vendors</category>
      <category domain="http://securityratty.com/tag/dev team">dev team</category>
      <category domain="http://securityratty.com/tag/email">email</category>
      <category domain="http://securityratty.com/tag/international versions">international versions</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/309256744/">I'm Getting Annoyed With A Vendor</source>
    </item>
    <item>
      <title><![CDATA[US-CERT Gets New Boss]]></title>
      <link>http://securityratty.com/article/fc21582fda40a09366fbd1d233df9548</link>
      <guid>http://securityratty.com/article/fc21582fda40a09366fbd1d233df9548</guid>
      <description><![CDATA[Former DOJ staffer Mischel Kwon to head up the US-CERT.
From Network World:
The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).
Mischel...]]></description>
      <content:encoded><![CDATA[<p>Former DOJ staffer Mischel Kwon to head up the US-CERT.</p>
<p>From Network World:</p>
<blockquote><p>The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).</p>
<p>Mischel Kwon will start as director of US-CERT on June 24, a DHS spokeswoman said Thursday. She is presently acting deputy director of IT security and the chief IT security technologist at the U.S. Department of Justice. She is also an adjunct professor at The George Washington University, where she runs the school&#8217;s Cyber Defense Lab.</p>
<p>She replaces Cheri McGuire, who left in March, and will report to Cornelius Tate, director of the DHS&#8217;s National Cyber Security Division. </p></blockquote>
<p>Deducting 10 points for excessive use of the word &#8220;cyber&#8221;.</p>
<p><a href="http://www.networkworld.com/news/2008/060508-doj-staffer-tapped-to-head.html">Article Link</a></p>

]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 22:51:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/us-cert">us-cert</category>
      <category domain="http://securityratty.com/tag/security technologist">security technologist</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/deputy director">deputy director</category>
      <category domain="http://securityratty.com/tag/director">director</category>
      <category domain="http://securityratty.com/tag/homeland security">homeland security</category>
      <category domain="http://securityratty.com/tag/george washington university">george washington university</category>
      <category domain="http://securityratty.com/tag/replaces cheri mcguire">replaces cheri mcguire</category>
      <category domain="http://securityratty.com/tag/department">department</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/305759280/">US-CERT Gets New Boss</source>
    </item>
    <item>
      <title><![CDATA[More on Airplane Seat Cameras]]></title>
      <link>http://securityratty.com/article/e0723b8d6baae3aba87cf9848c5f94d7</link>
      <guid>http://securityratty.com/article/e0723b8d6baae3aba87cf9848c5f94d7</guid>
      <description><![CDATA[I already blogged this once: an airplane-seat camera system that tries to detect terrorists before they leap up and do whatever they were planning on doing. Amazingly enough, the EU is "testing"...]]></description>
      <content:encoded><![CDATA[<p>I <a href="http://www.schneier.com/blog/archives/2007/02/the_doghouse_on.html">already blogged this once</a>: an airplane-seat camera system that tries to detect terrorists before they leap up and do whatever they were planning on doing.  Amazingly enough, the EU is "<a href="http://www.reghardware.co.uk/2008/05/31/airliner_security_safee/">testing</a>" this system:</p>

<blockquote><p>Each camera tracks passengers' facial expressions, with the footage then analysed by software to detect developing terrorist activity or potential air rage. Six wide-angle cameras are also positioned to monitor the plane’s aisles, presumably to catch anyone standing by the cockpit door with a suspiciously crusty bread roll.</p>

<p>But since people never sit still on planes, the software's also designed so that footage from multiple cameras can be analysed. So, if one person continually walks from his seat to the bathroom, then several cameras can be used to track his facial movements.</p>

<p>The software watches for all sorts of other terrorist-like activities too, including running in the cabin, someone nervously touching their face or excessive sweating. An innocent nose scratch won't see the F16s scrambled, but a combination of several threat indicators could trigger a red alert.</p></blockquote>

<p>This pegs the stupid meter.  All it will do is false alarm.  No one has any idea what sorts of facial characteristics are unique to terrorists.  And how in the world are they "testing" this system without any real terrorists?  In any case, what happens when the alarm goes off?  How exactly is a ten-second warning going to save people?</p>

<p>Sure, you can invent a terrorist tactic where a system like this, assuming it actually works, saves people -- but that's the very invention of a <a href="http://www.schneier.com/essay-087.html">movie-plot threat</a>.  How about we spend this money on something that's effective in more than just a few carefully chosen scenarios?</p>]]></content:encoded>
      <pubDate>Wed, 04 Jun 2008 08:05:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cameras">cameras</category>
      <category domain="http://securityratty.com/tag/seat">seat</category>
      <category domain="http://securityratty.com/tag/airplane-seat camera system">airplane-seat camera system</category>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/detect">detect</category>
      <category domain="http://securityratty.com/tag/detect terrorists">detect terrorists</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/terrorists">terrorists</category>
      <category domain="http://securityratty.com/tag/saves people">saves people</category>
      <source url="http://www.schneier.com/blog/archives/2008/06/more_on_airplan.html">More on Airplane Seat Cameras</source>
    </item>
    <item>
      <title><![CDATA[Report: Government's Cyber-Security Plan Is Riddled With New Spying Programs]]></title>
      <link>http://securityratty.com/article/39d41ee48cb6523b49d02c00b6638efb</link>
      <guid>http://securityratty.com/article/39d41ee48cb6523b49d02c00b6638efb</guid>
      <description><![CDATA[Major parts of the government's proposed $17 billion computer-security plan are actually spying programs, according to a Senate committee's budget report. The committee also faulted the plan for...]]></description>
      <content:encoded><![CDATA[Major parts of the government's proposed $17 billion computer-security plan are actually spying programs, according to a Senate committee's budget report. The committee also faulted the plan for excessive secrecy around privacy and civil liberties issues and for funding experimental and possibly illegal technologies.]]></content:encoded>
      <pubDate>Thu, 15 May 2008 15:30:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/plan">plan</category>
      <category domain="http://securityratty.com/tag/possibly illegal technologies">possibly illegal technologies</category>
      <category domain="http://securityratty.com/tag/civil liberties issues">civil liberties issues</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/committee">committee</category>
      <category domain="http://securityratty.com/tag/excessive secrecy">excessive secrecy</category>
      <category domain="http://securityratty.com/tag/budget report">budget report</category>
      <category domain="http://securityratty.com/tag/programs">programs</category>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/291156026/senate-report-g.html">Report: Government's Cyber-Security Plan Is Riddled With New Spying Programs</source>
    </item>
    <item>
      <title><![CDATA[UBS Explains Risk Management Gone Wrong]]></title>
      <link>http://securityratty.com/article/5c387c88d006f42d6098649cbbd6f869</link>
      <guid>http://securityratty.com/article/5c387c88d006f42d6098649cbbd6f869</guid>
      <description><![CDATA[Big news in risk management this week as UBS released a report to shareholders describing the situation that has led to roughly $37 billion in write-downs so far related to the company's subprime...]]></description>
      <content:encoded><![CDATA[<p>Big news in risk management this week as UBS released a report to shareholders describing the situation that has led to roughly $37 billion in write-downs so far related to the company's subprime exposures (see articles in <a href="http://www.reuters.com/article/telecomm/idUSL2141872120080422">Reuters</a>, <a href="http://www.forbes.com/markets/2008/04/21/ubs-shareholder-report-markets-equity-cx_vr_0421markets23.html">Forbes</a>, the <a href="http://online.wsj.com/article/SB120894128753637907.html?mod=googlenews_wsj">Wall Street Journal</a>, and <a href="http://www.businessweek.com/ap/financialnews/D906CUPG0.htm">BusinessWeek</a>).</p>

<p>Overarching causes described in the report are not surprising: control failures, an overly aggressive focus on short-term growth, and excessive risk taking are among the high-level issues addressed. Also in the report, however, are scores of more detailed explanations of control failures in more than 20 different categories. Specific problems on the list include:</p>

<ul>
<li>Gaps in risk management expertise</li>
<li>Failure to respond to wider industry concerns</li>
<li>Lack of comprehensive subprime risk assessment</li>
<li>Complex and incomplete risk reporting</li>
<li>Inadequate systems (related to infrastructure investment)</li>
<li>Lack of strategic coordination</li>
<li>Asymmetric risk/reward compensation</li>
</ul>

<p>The list goes on, providing a substantial study guide for risk managers and auditors on problems to avoid. And because of the unfortunately massive losses due to these failures, the report also offers a bit of cost justification support for your new, broad risk management initiatives.</p>]]></content:encoded>
      <pubDate>Wed, 23 Apr 2008 12:49:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/risk management expertise">risk management expertise</category>
      <category domain="http://securityratty.com/tag/control failures">control failures</category>
      <category domain="http://securityratty.com/tag/failures">failures</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/wider industry concerns">wider industry concerns</category>
      <category domain="http://securityratty.com/tag/cost justification support">cost justification support</category>
      <category domain="http://securityratty.com/tag/list include">list include</category>
      <category domain="http://securityratty.com/tag/wall street journal">wall street journal</category>
      <source url="http://blogs.forrester.com/srm/2008/04/ubs-explains-ri.html">UBS Explains Risk Management Gone Wrong</source>
    </item>
    <item>
      <title><![CDATA[Bruce Schneier's Security Matters: The Myth of the 'Transparent Society']]></title>
      <link>http://securityratty.com/article/2a56a15254262bbc9980a3c39b049890</link>
      <guid>http://securityratty.com/article/2a56a15254262bbc9980a3c39b049890</guid>
      <description><![CDATA[Can you neutralize the harm caused by excessive government surveillance just by watching the watchers? No,...]]></description>
      <content:encoded><![CDATA[Can you neutralize the harm caused by excessive government surveillance just by watching the watchers? No, actually.]]></content:encoded>
      <pubDate>Wed, 05 Mar 2008 23:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/excessive government surveillance">excessive government surveillance</category>
      <category domain="http://securityratty.com/tag/watchers">watchers</category>
      <category domain="http://securityratty.com/tag/harm">harm</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/246489754/click.phdo">Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'</source>
    </item>
    <item>
      <title><![CDATA[So much to read, so little time - Top Information Security Risks for 2008]]></title>
      <link>http://securityratty.com/article/d3f2421a5c1b733911c3d86def239adf</link>
      <guid>http://securityratty.com/article/d3f2421a5c1b733911c3d86def239adf</guid>
      <description><![CDATA[Now this is impressive! It's going to take a while to read the supporting reference documents, but this summary is gold and from my perspective a must read for IT Risk Management.

In the primary...]]></description>
      <content:encoded><![CDATA[Now this is impressive!  It's going to take a while to read the supporting reference documents, but this summary is gold and from my perspective a must read for IT Risk Management.<br /><br />In the primary summary document, "<a href="http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf">Top Information Security Risks for 2008</a>", we get an impressive laundry list of threats &amp; vulnerabilities, their impacts, the risk and the controls.  Page 5 talks of specific risks, some of which can be addressed with various technical control products on the market, for example #2 - Information Leakage.  If you want to get down and dirty understanding these products, spend some time with Rich over at securosis, specifically his blog entries and the summary which formed this <a href="http://securosis.com/publications/DLP-Whitepaper.pdf">white paper around understanding &amp; selecting DLP solutions</a>.<br /><br />This section also highlights non-technical controls, audits, etc. in #5:  "poor information security studies, risk assessments, projects/assignments and/or staffing/organization, causing failed, wasted, excessive or otherwise inadequate controls and practices selection, implementation, performance measurement, monitoring and/or auditing." Wow, that's a mouthful! But this is exactly what IT GRC is all about.  Through using these software platforms you can evolve from poor, ad-hoc attempts at mitigating this risk while ensuring your enterprise takes a comprehensive, top-down look at any and all potential risks and assesses their potential impact.<br /><br />If you then go down to #1 in the controls section of the document you will see what in my eyes is basically an advertisement for an IT GRC solution and the process around deploying it: "investment in a good and systematic ISMS (Information Security Management System) incorporating high quality information assurance processes..."<br /><br />A key statement back in #5 of the risks that I was surprised to see was the calling out of "excessive" controls.  This is something we at Securityworks (especially Bryan) are passionate about.  Some vendors in the IT GRC space believe in throwing the entire "book of controls" at it and you will be fine; we believe it's about making sure you have quality controls in place, not simply quantity.  Bryan has <a href="http://www.security-works.com/blog/2007_09_01_archive.html">talked about this previously</a>.]]></content:encoded>
      <pubDate>Wed, 16 Jan 2008 10:32:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/controls">controls</category>
      <category domain="http://securityratty.com/tag/highlights non-technical controls">highlights non-technical controls</category>
      <category domain="http://securityratty.com/tag/risks">risks</category>
      <category domain="http://securityratty.com/tag/section">section</category>
      <category domain="http://securityratty.com/tag/controls section">controls section</category>
      <category domain="http://securityratty.com/tag/quality controls">quality controls</category>
      <category domain="http://securityratty.com/tag/document">document</category>
      <category domain="http://securityratty.com/tag/primary summary document">primary summary document</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <source url="http://feeds.feedburner.com/~r/PracticalRiskManagement/~3/217672461/so-much-to-read-so-little-time-top.html">So much to read, so little time - Top Information Security Risks for 2008</source>
    </item>
    <item>
      <title><![CDATA[Corporate Spying]]></title>
      <link>http://securityratty.com/article/fffd982506785741927a8421e5348055</link>
      <guid>http://securityratty.com/article/fffd982506785741927a8421e5348055</guid>
      <description><![CDATA[This is a good article on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to...]]></description>
      <content:encoded><![CDATA[<p>This is a <a href="http://www.ciozone.com/index.php/Management/Wal-Mart-Spying-Good-Bad-Or-Just-The-Wave-Of-The-Futureu.html">good article</a> on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to protect themselves from "global threats."</p>

<blockquote><p>"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people," Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. "There have been changes in leadership, and we have strengthened our practices and protocols in this area," Clark said.</p>

<p>[...]</p>

<p>At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart's analytical security research center, provided a rare glimpse into the company's monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: "A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday," Harrison said.</p>

<p>To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. "If you try to buy more than three cell phones at one time, it will be tracked," he reportedly told the audience.</p>

<p>[...]</p>

<p>Gabbard, the Wal-Mart employee fired for recording reporters' phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.</p>

<p>The Oakley software is so sophisticated it can allow administrators to visually see what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.</p></blockquote>

<p>And <a href="http://www.portfolio.com/news-markets/international-news/portfolio/2007/12/17/Ex-Spies-Corporate-Work">this article</a> talks about ex-CIA agents working for corporations:</p>

<blockquote>The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

<p>These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting -- obtaining information by pretending to be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.</p>

<p>[...]</p>

<p>Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.'s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.</p>

<p>[...]</p>

<p>Most of the ex-agents' activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists. In an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn't forbid assuming a false identity to get other information -- an area that ex-spies exploit.</p>

<p>Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using "data haunts," extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who set up shop offshore so that they could tap into telephone calls -- a practice prohibited by federal law -- outside U.S. jurisdiction. "They call themselves the bad boys in the Bahamas," he said.</p>

<p>Even some of the legal methods are controversial within the industry. Certain old-school firms won't stoop to dumpster diving or stealing garbage -- which is usually legal as long as the trash is on a curb or other public property -- because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target -- something that is illegal in most cases.</p>

<p>[...]</p>

<p>Current and former employees said Diligence's ex-spies also held classes in using false identities to obtain confidential information. Ex-employees said it wasn't unusual for an investigator to have five or six cell phones, each representing a different identity, on his or her desk. And while ex-C.I.A. and former MI5 agents were old hands at such deception, the new initiates sometimes got confused and answered a phone with the wrong name.</p></blockquote>

<p>All interesting. It seems that corporate espionage has gone mainstream, and the debate is more about how and when.</p>

<p>On a related note, this paragraph disturbed me:</p>

<blockquote>On occasion, Diligence investigators were dispatched to collect garbage from a target's home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.</blockquote>

<p>It's public authority being used for private interests. We see it a lot -- off-duty police officers guarding private businesses, for example -- and it erodes public trust of authority. In the case above, I'm not even sure it's legal.</p>]]></content:encoded>
      <pubDate>Wed, 16 Jan 2008 09:21:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/agents">agents</category>
      <category domain="http://securityratty.com/tag/intelligence agents">intelligence agents</category>
      <category domain="http://securityratty.com/tag/wal-mart">wal-mart</category>
      <category domain="http://securityratty.com/tag/off-duty police officers">off-duty police officers</category>
      <category domain="http://securityratty.com/tag/officers">officers</category>
      <category domain="http://securityratty.com/tag/wal-mart employee fired">wal-mart employee fired</category>
      <category domain="http://securityratty.com/tag/cell-phone calls">cell-phone calls</category>
      <category domain="http://securityratty.com/tag/phone calls">phone calls</category>
      <category domain="http://securityratty.com/tag/obtain">obtain</category>
      <source url="http://www.schneier.com/blog/archives/2008/01/corporate_spyin.html">Corporate Spying</source>
    </item>
  </channel>
</rss>
