[SecurityRatty] tag: federal

40% of surfers don't bother with browser security updates

Wed, 02 Jul 2008 18:30:21 +0000

A new collaborative study between Google, IBM, and the Swiss Federal Institute of Technology suggests that users are slower to move between product updates than they should be—especially those using Internet Explorer. The researchers believe that browsers could learn from the food industry, of all things.

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

ACLU, EFF sue US gov't over mobile phone tracking

Tue, 01 Jul 2008 20:00:00 +0000

The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are asking a federal court to order the U.S. Department of Justice to turn over records about the agency's tracking of mobile phone users.

BurnLounge promoter settles FTC complaint

Mon, 30 Jun 2008 20:00:00 +0000

A promoter of a digital music service accused by the U.S. Federal Trade Commission of running an illegal pyramid scheme has settled the agency's complaints and will pay a fine of US$20,000, the FTC announced Tuesday.

William Jackson on FISMA: It Works, Maybe

Mon, 30 Jun 2008 17:03:54 +0000

Article from William Jackson in Government Computer News: Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks. Having said that, let’s look at some of Mr Jackson’s points:

NIST Special Publications: They’re good. They’re free. The only problem is that they’re burying us in them. And oh yeah, SP 800-53A is finally final.
Security and Vendors/Contractors: It’s much harder than you might think. If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”. In the meantime, check out what I’ve said so far about outsourcing.
Documentation and Paperwork: Sadly, this is a fact of life for the Government. The primary problem is the layers of oversight that the system owner and ISSO have. When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument. My personal theory is that the reason is insistence on compliance instead of risk management.
Revising FISMA: I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

Bookmark to:

Times Up IPv6 OMB Mandate

Mon, 30 Jun 2008 15:27:18 +0000

Three years ago, the OMB set a June 2008 deadline “by which all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with this infrastructure.”

Agencies are supposed to demonstrate that they can:

Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN.
Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers.
Transmit IPv6 traffic from the LAN, through the core (WAN), to another LAN (or another node on the same LAN).

(Source: OMB IPv6 FAQs)

One year ago, the OMB reviewed the Enterprise Architecture Assessment Framework results and found that six of the twenty-four agencies were on track to achieve the June deadline. Two months ago, there was a good article by Carolyn Marsan Duffy about the status of compliance. Take a look at this article because it seemed like there was a lot of backpedaling going on about meeting the date – using phrases like “we don’t like the term mandate” and “more of a recommendation than a mandate.” At the time, only three agencies were in compliance.

Duffy just wrote an updated article, “Feds say they have aced IPv6 deadline”, and suddenly two months later, all lights seem green. As of June 24, ten of the twenty-four agencies sent emails to the OMB stating that “they have successfully transmitted IPv6 packets”. Fourteen still need to report in, but none have asked for an extension. And all of it was done through the regular tech refresh budget over the past three years. So if this is true, kudos to the feds!

Right around the time of the first not-so-rosy article, we ran a survey at FOSE, the big federal government IT show. We asked attendees if their agencies would be ready by the deadline:

33% said they would be ready
6% said they were already there
33% said they would NOT be ready
About a quarter didn’t know

What was really interesting is that we asked this same question in 2007, and the audience was equally split (yes/no) on whether or not their agencies would meet the mandate – 1 in 5 (2007) instead of 1 in 3 (2008).

So what can explain these numbers? Surprisingly, out of the attendees we talked to, only 65% of them said that IPv6 is important to their operations, making it second to last on the list of IT priorities covered by the survey. Maybe the answer lies in the relative “unimportance” of the milestone – that just the network backbones (and the routers supporting them) be capable of passing IPv6 packets. The true test for government IT workers will be when actual IPv6 applications must be supported which will impact networks, systems, application and monitoring tools throughout the government.

So was this a nice checklist item for the Bush administration? This initial deadline is the only one for IPv6 mandates from the current OMB incarnation. Actually running IPv6 applications, that’s a whole ‘nother story, apparently for a new administration.

ShareThis

Teenage creator of Nugache worm reaches plea agreement

Mon, 30 Jun 2008 09:00:00 +0000

The teenage creator of a botnet that used a clever worm to infect PCs and then steal users' personal data has agreed to a plea deal with federal prosecutors.

Creator of Nugache worm reaches plea agreement

Sun, 29 Jun 2008 20:00:00 +0000

The teenage creator of a botnet who used a clever worm to infect PCs and then steal users' personal data has agreed to a plea deal with federal prosecutors in California.

Feds Ready for IPv6 D-Day

Fri, 27 Jun 2008 02:53:53 +0000

In August 2005 the White House issued a policy "... directing all Federal government agencies to transition their network backbones to the next generation of the Internet Protocol Version 6 (IPv6), by June 30, 2008." That would be this Tuesday. The requirements in that directive were not especially difficult, and it appears that it will be met. Agencies are not required to move their traffic to IPv6 at this stage, just to demonstrate that they can properly handle IPv6 traffic on their backbones. So it's more an issue for routers than for servers, for example. There are no requirements in place for further adoption of IPv6. Such requirements and such adoption are inevitable for the next administration though, as the depletion of the IPv4 address pool is scheduled to happen on its watch.

Civilians Ask Whats With All the Privacy Act Kerfluffle?

Thu, 26 Jun 2008 17:51:41 +0000

And by “kerfluffle”, I mean these articles:

GAO Privacy Report
Technology Liberation Front
Center for Democracy and Technology
And how about an analysis of the Privacy Act from DOJ for background reasons?

Well, let’s talk about how privacy and the Government works with Uncle Rybolov (please hold the references to Old Weird Uncle Harold until we’re through with today’s lesson please).

We have a law, the Privacy Act of 1974. Think about it, what significant privacy-wrenching activities happened just a couple of years prior? Can we say “Watergate Scandal“? Can we say “Church Committee“? Suffice it to say, the early 1970s was an era filled with privacy issues and is where most of our privacy policy and law comes from. Remember this for later: this was the 1970’s!

Each of the various sections of the Privacy Act deals with a particular data type. For instance, Title 13 refers to data collected by the Census Bureau when they’ll go count everybody in 2010.

The Privacy Act talks about the stuff that everybody in the Government needs to know about: how you’re going to jail if you disclose this information to a third party. For those of you who have ever been in the military or had to fill out a government form that required your social security number, the light in the back of your head should be going off right now because they all have the warnings about disclosure.

Remember to respect the privacy of the beach huts and chairs photo by Joe Shlabotnik

When it comes to IT security, the Privacy Act works like this:

You realize a need to collect PII on individuals.
You do a privacy impact assessment to determine if you can legally collect this data and what the implications of collecting the data are.
You build rules about what you can do normally with the data once you have collected it. This is called the “routine use”.
You write a report on how, why, and about whom you’re collecting this information. This is known as the “System of Record Notice”.
You file this report with the Federal Register to notify the public.
This IT system becomes the authoritative source of that information.

IE, no secret dossiers on the public. We’ll suspend our disbelief in FISA for a minute, this conversation is about non-intelligence data collection.

Now the problem with all this is that if you stop and think about it, I was 1 year old when the Privacy Act was signed. Our technology for information sharing has gone above and beyond that. We can exchange data much much much more quickly than the Privacy Act originally intended. As a result, we have PII everywhere. Most of the PII is needed to provide services to the citizens, except that it’s a royal PITA to protect it all, and that’s the lesson of the past 2 years in Government data breaches.

Problems with the Privacy Act:

The SORN is hard to read and is not easy to find.
Privacy Act data given to contractors or “business partners” (aka, state and local government or NGOs) does not have the same amount of oversight as it does in the Government.
Data given to the Government by a third-party is not susceptible to the Privacy Act because the Government did not collect it. Wow, lots of room for abuse–waterboarding-esque abuse.
Privacy Act procedures were written for mainframes. Mainframes have been replaced with clusters of servers. It’s easy to add a new server to this setup. Yes, this is a feature.
If you build a new system with the same data types and routine uses as an already existing SORN, you can “piggyback” on that existing SORN.
It’s very easy to use the data in a way that isn’t on your “routine use” statement, thus breaking the entire privacy system.

Obviously, at this point, you should have gotten the hint that maybe we need to revise the Privacy Act. I think GAO and OMB would agree with you here.

So, what alternatives do we have to the existing system?

Make blanket data types and do a PIA and SORN on them regardless of where that data lies.
Bend the Paperwork Reduction act and OMB guidance so that we don’t collect as much information.
Make the Privacy Act more specific on what should be in SORN, PIA, and routine use statements.

To be honest, it seems like most of this is already in place, it just needs to get tuned a little bit so we’re doing the right things. Once again, the scale of the Government’s IT infrastructure is keeping us from doing the right thing: there isn’t enough time in the day to do PIAs on a per-server basis or to keep track of every little bit of data. You have to automate our privacy efforts in some fashion.

And this is why, dear readers, I think the Government needs DLP solutions more than the private sector does. Too bad the DLP vendors are stuck on credit cards and social security numbers.

Bookmark to: