[SecurityRatty] tag: grave

We should all be this bad - Microsoft is dead, long live Microsoft!

Wed, 23 Jul 2008 20:57:02 +0000

I have written before about what a joke I think it is when people write that Microsoft???s best days are behind it and that their corporate grave is already being dug. Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure. Don Dodge had a good article up the other day about Microsoft???s recent end of FY numbers. The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before! They dropped 17.6 billion (again with a b) to the bottom line. To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year. Microsoft grew 9 billion in revenue last year. That is they grew organically more than a whole Yahoo. You can check out Don???s article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down? If you were a betting person, would you be betting against this monster? I would not be. Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in prospective.

We should all be this bad - Microsoft is dead, long live Microsoft!

Wed, 23 Jul 2008 19:57:20 +0000

I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug. Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure. Don Dodge had a good article up the other day about Microsoft’s recent end of FY numbers. The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before! They dropped 17.6 billion (again with a b) to the bottom line. To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year. Microsoft grew 9 billion in revenue last year. That is they grew organically more than a whole Yahoo. You can check out Don’s article for more financial facts and figures.

Another brick in the wall to limit blogging

Tue, 17 Jun 2008 20:36:22 +0000

First it was the EU looking at passing a law that would require bloggers to disclose their identity and affiliation. Now the AP is looking to enforce a new license that would require payments when a blogger puts an excerpt from an AP article in their blog. My friend Kevin McLaughlin blogged on this over at Channel Web blog today. Basically the AP says that if you excerpt more than 5 words you need to start paying them fees. Kevin reached out to me and I gave him my views on this one.

I think that it is a really short sighted move by the AP. First of all it shows they really don't understand blogging. Blogging is about taking an idea which often comes from another source and putting the bloggers own spin and ideas behind it. In this way topics are built on one blog at a time with each blogger adding a bit more to the conversation. Each additional blog on topic enriches those blogs and articles that preceded it. As I said in the Channel Web article, it is like a jazz musician playing a riff on top of a line already laid down.

In real terms blogging on the AP content will only generate more views and interest in the AP content. AP is just a dinosaur with this type of view and will soon go the way of dinosaurs if they try to enforce this. In the meantime bloggers can talk about an AP article, but don't link to it and don't excerpt from it. I suspect that the next thing is we will have a replay of the inbound links litigation we had 8 years ago. In the meantime blogging will continue to march on with AP or not.

Another brick in the wall to limit blogging

Tue, 17 Jun 2008 19:43:03 +0000

Teen bomb maker stopped in his tracks in South Carolina.

Thu, 24 Apr 2008 22:58:00 +0000

The parents of Ryan Schallenberger undoubtedly saved a lot of lives when they turned in their son as a potential bomber. Authorities said he had all the components he needed to make several deadly bombs.

Ryan Schallenberger had used E-Bay to order 20lbs of ammonium nitrate from a supplier in Kentucky. The teen has been described as being "mad at the whole world". In a search of the family home, Law Enforcement officers discovered hate filled writings in which he praised the Columbine killers.

Having just returned from a Threat Assessment workshop at UCLA put on by Gavin De Becker Associates, I was able to identify many of the same characteristics that we looked at when examining other teenage killers who have wreaked havoc in schools across the U.S. Teens like this tend to have a "chip on their shoulder" and feel like they need to cause grave damage in order to "get even" or "teach people a lesson". Unfortunately, the "copy cat" phenomenon is a common denominator and these troubled teens seem to look up to those who have killed previously.

We all have a part to play in keeping schools safe. More parents need to emulate the Schallenbergers, who were willing to turn their own son in, knowing that he will most likely be locked away for a very long time thereby ensuring the safety of others. Class mates who hear rumors need to alert guidance counsellors and teachers and not be so quick to dismiss their fears and concerns. We need to get rid of any feelings that might suggest:"this could never happen at our school".

It is a sad fact that this terrible trend looks set to continue and violent behavior is capable of happening in any school where adequate security precautions are not taken. Whether it is from television, video games, broken homes or any other contributing factor, our youth are being exposed to higher and more toxic levels of violence every day. Perhaps we can do a better job at home and help to nip this evil trend in the bud before our classrooms begin to resemble battlefields.

Irish jobs site compromised and personal information accessed

Mon, 31 Mar 2008 06:13:21 +0000

Technorati Tag: Security Breach

Date Reported:
3/27/08

Organization:
Jobs.ie

Contractor/Consultant/Branch:
None

Victims:
Job seekers and applicants

Number Affected:
Unknown

Types of Data:
Information contained on CVs (or resumes) often times including names, addresses, email addresses, phone numbers, job histories and other personal information.

Breach Description:
"A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database."

Reference URL:
Jobs.ie Important Notice
SiliconRepublic
The Irish Times
ElectricNews.net Ltd.

Report Credit:
Jobs.ie

Response:
From the online sources cited above:

A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database.
[Evan] Hacked?

It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.
[Evan] How do you suppose that the "hackers" came into the possession of a log-in and password? Did they get it from a stolen laptop or other piece of equipment? Did they get it from someone's Post-It note? Did they socially engineer a legitimate user? Let's suppose that the "hackers" obtained the log-in through social engineering, or a social engineering type of attack. When most people think of a "hack" they think of some sophisticated and sleuthy high-tech intrusion. Although these "hacks" do exist, this is not how most criminals access confidential information without authorization. Many intrusions take place through relatively easy exploits such as convincing someone to give you their password (i.e. social engineering, phishing, etc.).

Several CVs were downloaded before Jobs.ie was alerted. While the company has not yet given exact figures on the number of its members who had private data stolen, it says an investigation is now under way
[Evan] Social engineering attacks are typically very difficult to prevent AND detect. Monitoring "legitimate" username and password access to data and looking for patterns of possible abuse is a sophisticated science and the amount of collected information can be enormous. It is usually easy to detect common network and host-based technical attacks because the patterns of traffic and commands differ from what would be considered "normal". Social engineering attacks can and often do go unnoticed.

Most of the stolen information relates to archive CVs rather than those of people now looking for jobs.

All site members whose CV was downloaded illegally were contacted immediately by Jobs.ie and alerted to the hacking
[Evan] Kudos to Jobs.ie for doing the right thing. Immediate notification is excellent.

The email stated: "Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again."

The email, signed by Huw Taylor, general manager of Jobs.ie, goes on to warn those whose personal data has been compromised to "exercise extra caution while conducting online activity".

It warns users of the possibility of being contacted by someone claiming to be a reputable company and asking for personal details or banking information.

Brian Honan of online security consultancy BH Consulting says on his firm’s official blog that there are no mandatory breach disclosure laws in Ireland and that Jobs.ie should be "commended for coming clean about the incident" and doing so within 24 hours of the breach.
[Evan] I agree with Brian.

Contrary to media reports, the DPC told ENN that, as of Monday morning, it had yet to be formally contacted in relation to the matter. The DPC said that the nature of the potential data lost was a cause for concern.

An IT professional who’s CV was one of those downloaded from Jobs.ie told siliconrepublic.com: "The worst that could happen is identity theft. It depends how much information you have on your CV too, some people are really foolish and put on PPS numbers and all sorts. Stealing CVs can be really handy for guessing or resetting peoples passwords."
[Evan] I wonder if this is a misquote. "The worst that could happen is identity theft."

Because most people would include an email address and mobile phone number on their CV, he said that as well as phishing or identity theft, there was also a risk of spamming.

Anthony Gibbons, another affected Jobs.ie member, said to siliconrepublic.com: "This is far more significant than the loss of encrypted personal data from the blood services."

"The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning."

"Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank,"

Victims of the security breach who contacted The Irish Times said they had "grave concerns" in relation to their exposure to identity theft.

A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email info@jobs.ie

Commentary:
It is unlikely that a criminal could use the information obtained in this attack for identity theft, directly. The information could be used to glean further information from the victims, which in turn could lead to identity theft. The criminals gained information that wasn't meant for general public consumption. If I were a victim, I would be much more vigilant and on alert.

Past Breaches:
"Jobs.ie, one of the State's largest recruitment sites, said it had never before had such a breach."

Voting For Transparent Communication

Fri, 28 Mar 2008 12:03:00 +0000

Adam Shostack here. We think of the SDL as a cradle-to-grave process, where we build security into the product from conception until the end of support. One part of that process that doesn't get much attention on this blog is how we engage with vulnerability reports. We work very closely with the Microsoft Security Response Center (MSRC) and the Microsoft team in charge of relationships with security researchers to better understand what issues are turning up in our products and what researchers are doing with them. The relationships aren't always perfect, but we work very hard to ensure open channels for dialogue. We do this because at the end of the day, we would like to improve computer security, and researchers share that goal.

Even when researchers such as Ed Felten send us potential vulnerability notices a week before releasing them to the public http://blogs.msdn.com/si_team/archive/2008/02/25/protecting-bitLocker-from-cold-attacks-and-other-threats.aspx, we like to talk to them on two important levels. The first is technical: what did they find, and can they help us reproduce it? The second is logistical: what's their timeline for disclosing a vulnerability, and how can we all work together to release guidance or protection for customers? Ideally, we do that in concert with the researchers and thank them for their responsible disclosure. For this issue, it didn't work out that way, mainly because the story broke as we were analyzing the report.

While these conversations aren't always comfortable, we've learned it's much better to have them on a technical level than on a legal level. They're also better on a person-to-person level, rather than being mediated by attorneys. http://feeds.freedom-to-tinker.com/~r/freedom-to-tinker/~3/253302555/. Research into security issues helps us improve our products. Collaborating around that research, and doing so in a civil and mutually respectful way, is even better. That's why we invite folks like H.D. Moore to our BlueHat conference. We recognize that MetaSploit is both valuable and also worry about how it might be used, but we're all better off when we talk to each other. We create the foundations for trust.

One of the things I found fascinating in reading the California and Ohio voting system reviews was the lack of mention of this tension. (I didn't read all the reports-did I miss this somewhere?) I think a key recommendation to the states should include a more transparent process for review, better reporting of issues and better vendor responses to issues when they're reported. What's better? That's for the community to figure out. We can't dictate it, it has to involve give and take over a series of conversations about what's important and why.

When we look at voting systems http://blogs.msdn.com/sdl/archive/2008/02/04/more-trustworthy-election-systems-via-sdl.aspx , we think about trustworthiness not only in terms of the technology, but in terms of the cradle-to-grave processes. As citizens, we would feel more trust in our voting systems if we knew the people creating them took that same approach.

This is not a bodyguard - this is a walking lawsuit.

Mon, 17 Mar 2008 23:52:00 +0000

If you are like me and you view the latest "bodyguard gone wild" video, you can't help but wonder, how many millions of dollars will this uncontrollable violent outburst cost Nicole Kidman.

As someone who not only hires personal protection agents, but who also trains them, I can tell you that Ms. Kidman would be far better off looking after herself than being "protected" by this unprofessional hothead. Not only did her security person make a grave mistake by assaulting and battering the photographer in question, but he left her totally unprotected when he jumped out of the vehicle in a rage.

What would he have done if this were a trap? If someone wished to harm Ms. Kidman, or kidnap her, they could have staged this. The 'photographer' could have merely been bait used to lure her security and trick him into leaving his vehicle. Being unproteced, another bad guy could have easily harmed her at that stage.

I do not know where celebrities hire amateurs like this. I could refer them to dozens of professional security firms who highly value their professional reputations and who would never dream of hiring an incompetent like this. I would like to think that poor judgement is confined to Hollywood celebrities, but I know that is not the case.

Sometime people hire a "friend of a friend" who used to be in the army, or who used to be a night club bouncer. Those hires are always a mistake. The have LIABILITY written all over them. Whenever you hire someone to work for you, stop and think what might happen if they are not who or what they claim to be.

What happens if they use drugs and have an accident while driving your company vehicle? What happens if they have a temper problem like Ms. Kidman's employee? I think you already know the answer and it isn't pretty.

Do yourself a big favor and always do your due diligence. Or you could always hire an expensive law firm. Lawyers have to eat too, I suppose.

The North Koreans are not our friends...

Sun, 10 Feb 2008 10:36:20 +0000

The government of North Korea will not rest until the Korean peninsula--and the Chosun people--are reunited under Pyongyang rule. Any American or South Korean government official who believes otherwise is putting his or her country at grave risk.

Five-year-old wanders into bank branch after-hours

Wed, 06 Feb 2008 07:24:03 +0000

Technorati Tag: Security Breach

Date Reported:
2/6/08

Organization:
HSBC Group (UK)

Contractor/Consultant/Branch:
Market Place, Easingwold

Victims:
Potentially customers, but no confirmed loss or theft occurred

Number Affected:
Unknown

Types of Data:
Potentially customer banking records

Breach Description:
The HSBC branch in Easingwold was found unlocked during non-business hours on Saturday, February 2nd. A five-year-old boy wandered into the bank while his father was using the cash machine. The bank was closed and unattended since 4:30 the previous day and no alarms were sounded.

Reference URL:
The Northern Echo online story
The Press online story

Report Credit:
The Northern Echo

Response:
From the online sources cited above:

Little Oliver was at the HSBC with mum, Alison, and dad Daniel, when the family visited the cash machine at Easingwold, North Yorkshire, on Saturday afternoon.

Mrs Pettigrew said: "We usually go into the bank and so Oliver just pushed the door and wandered in.

"I was at the cash machine and it was Oliver's dad who started saying, 'where's Oliver? where's Oliver?' "Then Oliver appeared again. He and his dad ended up wandering around the place, which was totally deserted. There were computers everywhere and there was no alarms sounding.

The HSBC tried to downplay the breach saying the emergency services would have been summoned automatically if someone stepped inside.
[Evan] This did not appear to have happened. According to the news story, emergency services were not even aware of this physical breach until notified by the Pettigrews.

However North Yorkshire Police have confirmed that the only call received was from Daniel Pettigrew.

The bank had been closed for business at 4.30pm on Friday and Oliver opened the door at lunchtime on Saturday.

A spokeswoman for the bank said there had been a malfunction with the catch on the door.
[Evan] A malfunction is not an acceptable reason for a breach. System malfunctions need to be taken into account when designing secure systems (physical and technical), especially at a bank.

"When I realised the bank was empty and the service times said Monday to Friday I phoned 999."

He and Oliver also walked right up to the door of the vault where money is kept.
[Evan] It is important to note that they walked up to the door, not THROUGH the door. This would be a more sensational story if the vault were open too.

There were computers and walkie talkies lying around in there. Anyone could have stolen them.

"The hard drives were in there too. In the current climate it makes you wonder if anyone could have got the database with bank customers' details on it.
[Evan] There is chatter that HSBC employs centralized and secure data storage, meaning that there should be no sensitive information on the client computers. This may be true, but often there is much more information on these computers than people realize. I would guess that there is also a substantial amount of sensitive paperwork in the branch.

The Pettigrews stood guard at the bank until police officers arrived.

A spokesman for HSBC, which made profits of about £11bn in 2006, said there was no danger to bank customers.
[Evan] Not so. There WAS a danger to bank customers. It may not exist in this instance anymore, but the danger was there.

She said: "Basically, what happened was there was a malfunction with the door catch. Once the door was pushed open it would have alerted the police anyway.
[Evan] This was obviously not so. Malfunctions must be detected at the time of the occurrence.

She said: "There would have been no danger to customers in terms of cash or information being stolen. Obviously we don't want security issues but sometimes these things happen."
[Evan] Again, I disagree.

From Simon Davies, director of Privacy International:

"extraordinary state of affairs" which could have exposed thousands of customers to a "grave risk"

"I cannot believe that a bank would not have procedures in place to make sure all exits are sealed at close of business."

"This is a situation I have never encountered before. It is a failure on multiple levels, on the human level and on the technical level and what it does is expose thousands of customers to a grave risk."

"It could be that the computers are part of a central control system and are password protected and contain no information locally, in which case you don't have the same level of threat."

"But if they are just password protected then someone could have gained access to the whole central resource of data."

Commentary:
I added this breach to The Breach Blog because the potential for lost data confidentiality and intergrity was real and present. There appear to have been no customer-related victims, which is a very good thing. HSBC and/or their security team should have detected the door malfunction well before a five-year-old did.

How many times have we used a cash machine at the bank after-hours? Most of us just assume that the bank doors would be locked. Even if the door were unlocked, most of us would assume that alarms would go off as soon as I opened it.

I don't suggest that you drive from bank to bank looking for unlocked doors because this might get you in a lot of trouble.

Past Breaches:
Unknown