<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: guns]]></title>
    <link>http://securityratty.com/tag/guns</link>
    <description></description>
    <pubDate>Wed, 23 Apr 2008 11:03:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.]]></title>
      <link>http://securityratty.com/article/e47ddb39bd9befd964ed4262d0b883f6</link>
      <guid>http://securityratty.com/article/e47ddb39bd9befd964ed4262d0b883f6</guid>
      <description><![CDATA[This article in yesterday's &quot;Washington Post&quot; was sickening to read but hardly comes as a surprise

It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S....]]></description>
      <content:encoded><![CDATA[This article in yesterday's <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/22/AR2008092202053.html">"Washington Post"</a> was sickening to read but hardly comes as a surprise.<br /><span id="fullpost"><br />It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S. contractors.  The investigator who testified as to the waste and theft was fearful for his life as 32 of his fellow investigative co-workers have been killed.  <br /></span><br />One scheme involved officials from the Iraqi Defense Ministry setting up a front company that received $1.7 Billion in U.S. funds to buy guns, armoured vehicles and other equipment.  Only a small percentage was ever purchased and in one case, they had bullet-proof vests delivered that were defective and useless.<br /><br />In another case involving Iraqis and U.S. contractors, $24.4 million was spent on an electricity project that "only existed on paper".  The worst part was that money sent to the Defense Ministry was discovered to have been diverted to Al-Qaeda and found its way to bank accounts in Jordan and other places.<br /><br />Let us hope the Government spends the proposed $700 Billion bail out funds in a more responsible and accountable manner.]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 00:03:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/billion">billion</category>
      <category domain="http://securityratty.com/tag/iraqi defense ministry">iraqi defense ministry</category>
      <category domain="http://securityratty.com/tag/defense ministry">defense ministry</category>
      <category domain="http://securityratty.com/tag/iraqi government officials">iraqi government officials</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/billion bail">billion bail</category>
      <category domain="http://securityratty.com/tag/fellow investigative co-workers">fellow investigative co-workers</category>
      <category domain="http://securityratty.com/tag/funds">funds</category>
      <category domain="http://securityratty.com/tag/front company">front company</category>
      <source url="http://www.thebulletproofblog.com/2008/09/13-billion-of-us-taxpayers-money-was.html">$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.</source>
    </item>
    <item>
      <title><![CDATA[The Two Classes of Airport Contraband]]></title>
      <link>http://securityratty.com/article/9add41f24cfea6a99d21547a04d8fdaf</link>
      <guid>http://securityratty.com/article/9add41f24cfea6a99d21547a04d8fdaf</guid>
      <description><![CDATA[Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been...]]></description>
      <content:encoded><![CDATA[<p>Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.</p>

<p>There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.</p>

<p>Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.</p>

<p>This is why articles about how screeners don't catch <a href="http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html">every</a> -- or even <a href="http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tests/">a</a> <a href="http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find-guns-bombs/">majority</a> -- of guns and bombs that <a href="http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_weapons_tests/">go through the checkpoints</a> don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.</p>

<p>Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.</p>

<p>The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.</p>

<p>To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.</p>
]]></content:encoded>
      <pubDate>Tue, 23 Sep 2008 01:47:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/airport security checkpoints">airport security checkpoints</category>
      <category domain="http://securityratty.com/tag/checkpoints">checkpoints</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/security screeners">security screeners</category>
      <category domain="http://securityratty.com/tag/liquid">liquid</category>
      <category domain="http://securityratty.com/tag/london liquid bombers">london liquid bombers</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <category domain="http://securityratty.com/tag/plot">plot</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/the_two_classes.html">The Two Classes of Airport Contraband</source>
    </item>
    <item>
      <title><![CDATA[Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful]]></title>
      <link>http://securityratty.com/article/9b6db0f25f815641ea3655ef3cb29af5</link>
      <guid>http://securityratty.com/article/9b6db0f25f815641ea3655ef3cb29af5</guid>
      <description><![CDATA[Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been...]]></description>
      <content:encoded><![CDATA[<p>
Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.
</p><p>
There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.
</p><p>
Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.
</p><p>
This is why articles about how screeners don't catch <a href="http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html">every</a> -- or even <a href="http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tests/">a</a> <a href="http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find-guns-bombs/">majority</a> -- of guns and bombs that <a href="http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_weapons_tests/">go through the checkpoints</a> don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.
</p><p>
Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.
</p><p>
The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.
</p><p>
To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.
</p>
<p>
---
</p>
<p><cite>Bruce Schneier is chief security technology officer of BT. His new book is </cite>Schneier on Security<cite>.</cite>

</p><br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Thu, 18 Sep 2008 14:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security screeners">security screeners</category>
      <category domain="http://securityratty.com/tag/airport security checkpoints">airport security checkpoints</category>
      <category domain="http://securityratty.com/tag/checkpoints">checkpoints</category>
      <category domain="http://securityratty.com/tag/airport security">airport security</category>
      <category domain="http://securityratty.com/tag/screeners">screeners</category>
      <category domain="http://securityratty.com/tag/liquid">liquid</category>
      <category domain="http://securityratty.com/tag/london liquid bombers">london liquid bombers</category>
      <category domain="http://securityratty.com/tag/airport screeners">airport screeners</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/396484061/securitymatters_0918">Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful</source>
    </item>
    <item>
      <title><![CDATA[For Some, Stealing IDs Means More Than Fast Cash]]></title>
      <link>http://securityratty.com/article/fa339ae0069b559c084077a74a78ce7a</link>
      <guid>http://securityratty.com/article/fa339ae0069b559c084077a74a78ce7a</guid>
      <description><![CDATA[Over a hundred people in the last few years have been charged with stealing IDs of dead people, in order to evade the law for various reasons something that could probably be avoided with better...]]></description>
      <content:encoded><![CDATA[<p>Over a hundred people in the last few years have been charged with stealing IDs of dead people, in order to evade the law for various reasons &#8212; something that could probably be avoided with better computerized ID systems. Granted a hundred out of how many billion in the States is not that many people, however other reasons for ID theft are sometimes overlooked when we talk about scams. Here are some of the details:</p>
<blockquote><p>Several of the defendants have been convicted of stealing dead people&#8217;s identities to cover up their status as illegal immigrants, military deserters or convicted drunken drivers, federal officials said.</p>
<p>Between July 2005 and August of this year, 112 people were charged in federal court as part of the investigation, which federal officials called &#8220;Operation Deathmatch.&#8221; Authorities seized $650,000 in cash, a Mercedes-Benz, three guns and more than 80 of the fraudulent passports.</p></blockquote>
<p>For more case studies, read the article in the <a rel="nofollow" target="_blank" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/09/17/BAVV12VO5L.DTL&amp;feed=rss.bayarea">SF Gate</a> (online version of the Chronicle).</p>]]></content:encoded>
      <pubDate>Thu, 18 Sep 2008 07:54:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dead people">dead people</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/federal officials">federal officials</category>
      <category domain="http://securityratty.com/tag/dead peoples identities">dead peoples identities</category>
      <category domain="http://securityratty.com/tag/operation deathmatch">operation deathmatch</category>
      <category domain="http://securityratty.com/tag/military deserters">military deserters</category>
      <category domain="http://securityratty.com/tag/ids">ids</category>
      <category domain="http://securityratty.com/tag/reasons">reasons</category>
      <category domain="http://securityratty.com/tag/illegal immigrants">illegal immigrants</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/396532338/">For Some, Stealing IDs Means More Than Fast Cash</source>
    </item>
    <item>
      <title><![CDATA[Movie Plot Threats in The Guardian ]]></title>
      <link>http://securityratty.com/article/44fad18176882cd40d3a3632e2971eda</link>
      <guid>http://securityratty.com/article/44fad18176882cd40d3a3632e2971eda</guid>
      <description><![CDATA[We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with...]]></description>
      <content:encoded><![CDATA[<p>We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats. Before long, we're envisioning an entire movie plot, without Bruce Willis saving the day. And we're scared.</p>

<p>It's not just terrorism; it's any rare risk in the news. The big fear in Canada right now, following a particularly gruesome incident, is random decapitations on intercity buses. In the US, fears of school shootings are much greater than the actual risks. In the UK, it's child predators. And people all over the world mistakenly fear flying more than driving. But the very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that it's no longer news - car crashes, domestic violence - that we should worry. But that's not the way people think.</p>

<p>Psychologically, this makes sense. We are a species of storytellers. We have good imaginations and we respond more emotionally to stories than to data. We also judge the probability of something by how easy it is to imagine, so stories that are in the news feel more probable - and ominous - than stories that are not. As a result, we overreact to the rare risks we hear stories about, and fear specific plots more than general threats.</p>

<p>The problem with building security around specific targets and tactics is that it's only effective if we happen to guess the plot correctly. If we spend billions defending the Underground and terrorists bomb a school instead, we've wasted our money. If we focus on the World Cup and terrorists attack Wimbledon, we've wasted our money.</p>

<p>It's this fetish-like focus on tactics that results in the security follies at airports. We ban guns and knives, and terrorists use box-cutters. We take away box-cutters and corkscrews, so they put explosives in their shoes. We screen shoes, so they use liquids. We take away liquids, and they're going to do something else. Or they'll ignore airplanes entirely and attack a school, church, theatre, stadium, shopping mall, airport terminal outside the security area, or any of the other places where people pack together tightly.</p>

<p>These are stupid games, so let's stop playing. Some high-profile targets deserve special attention and some tactics are worse than others. Airplanes are particularly important targets because they are national symbols and because a small bomb can kill everyone aboard. Seats of government are also symbolic, and therefore attractive, targets. But targets and tactics are interchangeable.</p>

<p>The following three things are true about terrorism. One, the number of potential terrorist targets is infinite. Two, the odds of the terrorists going after any one target is zero. And three, the cost to the terrorist of switching targets is zero.</p>

<p>We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn't require us to guess. We need to focus resources on intelligence and investigation: identifying terrorists, cutting off their funding and stopping them regardless of what their plans are. We need to focus resources on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy.</p>

<p>In 2006, UK police arrested the liquid bombers not through diligent airport security, but through intelligence and investigation. It didn't matter what the bombers' target was. It didn't matter what their tactic was. They would have been arrested regardless. That's smart security. Now we confiscate liquids at airports, just in case another group happens to attack the exact same target in exactly the same way. That's just illogical.</p>

<p>This essay <a href="http://www.guardian.co.uk/technology/2008/sep/04/terrorism.terrorismandtravel">originally appeared</a> in <i>The Guardian</i>.  Nothing I haven't already said elsewhere.</p>
]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 01:56:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/terrorists bomb">terrorists bomb</category>
      <category domain="http://securityratty.com/tag/bomb">bomb</category>
      <category domain="http://securityratty.com/tag/threats">threats</category>
      <category domain="http://securityratty.com/tag/terrorists">terrorists</category>
      <category domain="http://securityratty.com/tag/terrorists attack wimbledon">terrorists attack wimbledon</category>
      <category domain="http://securityratty.com/tag/specific targets">specific targets</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/targets">targets</category>
      <category domain="http://securityratty.com/tag/security follies">security follies</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/movie_plot_thre_2.html">Movie Plot Threats in The Guardian </source>
    </item>
    <item>
      <title><![CDATA[As They Say: When in Rome, Do as the Romans.]]></title>
      <link>http://securityratty.com/article/624f835f95a4530197ae74e67f88feb4</link>
      <guid>http://securityratty.com/article/624f835f95a4530197ae74e67f88feb4</guid>
      <description><![CDATA[Recently I had a nice conversation with the head of Asia-Pacific of an international company about how to succeed in Thailand. I explained how businesses in Thailand do not respond well to companies...]]></description>
      <content:encoded><![CDATA[<p>Recently I had a nice conversation with the head of Asia-Pacific of an international company about how to succeed in Thailand.   I explained how businesses in Thailand do not respond well to companies that come to Thailand with no experience, track record or support infrastructure here in the Kingdom.  I also explained how Thailand has a strong cultural tradition around &#8220;the teacher culture,&#8221; where teachers are considered much higher than mere consultants and integrators.</p>
<p>The conversation went well, I thought, until I received a call from another person in the company who proceeded to tell me how to do business in Thailand and how to determine the target market, and how to set up sales.   Now mind you, I had already explained that there would be no immediate sales opportunities for a few years, realistically, and that this was a long term initiative, designed around a solid education and training program - build infrastructure first.  From a strong education and training program, the market would become clear.</p>
<p>This is such a simple win-win-win situation, but companies do not seem to understand it.  They just want to exploit every contact, event situation, for a quarterly sell.   Why not take the long view as well, since it does not cost you any money?</p>
<p>The guy on the other end of the phone would have nothing to do with our way of thinking in Thailand.  He seemed to be pushing to ensure pre-sales contact immediately.   Instead of supporting us, he wanted to manage us from overseas!!  We asked for support to build their brand, what they seemed to offer was management by proxy!</p>
<p>Folks, this will not work in Thailand (or most Asia countries).</p>
<p>If you want to tap into the fast growing Asia market, leave behind your aggressive New York or Silicon Valley sales guns and forceful presale tactics, where you are content to find an opening, exploit it, make a sale, and report the sale on your quarterly report.  You can get aggressive when you have built a sustainable infrastructure.   The same is true in Japan, not only Thailand.</p>
<p>In Asia, do as the Asians.  In Rome, do as the Romans.  In Thailand, do as the Thais.  In Japan, do as the Japanese.</p>
<p>It is easy to make money in Thailand (and other Asia countries) if you follow their way of business.   Educate, teach, build a workforce, build a sustainable infrastructure on the ground, and then sell, sell, sell.</p>
<p>Granted, many companies do not have  resources to do this overseas.  In that case, enable your partners to do it and let them build the business; don&#8217;t manage them, support them.</p>
]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 06:19:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/asia">asia</category>
      <category domain="http://securityratty.com/tag/asia market">asia market</category>
      <category domain="http://securityratty.com/tag/thailand">thailand</category>
      <category domain="http://securityratty.com/tag/support">support</category>
      <category domain="http://securityratty.com/tag/support infrastructure">support infrastructure</category>
      <category domain="http://securityratty.com/tag/infrastructure">infrastructure</category>
      <category domain="http://securityratty.com/tag/asia countries">asia countries</category>
      <category domain="http://securityratty.com/tag/market">market</category>
      <category domain="http://securityratty.com/tag/sustainable infrastructure">sustainable infrastructure</category>
      <source url="http://www.thecepblog.com/2008/08/07/as-they-say-when-in-rome-do-as-the-romans/">As They Say: When in Rome, Do as the Romans.</source>
    </item>
    <item>
      <title><![CDATA[Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings]]></title>
      <link>http://securityratty.com/article/ea68adf4b019a71c0112661ffc8d8bf1</link>
      <guid>http://securityratty.com/article/ea68adf4b019a71c0112661ffc8d8bf1</guid>
      <description><![CDATA[It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more...]]></description>
      <content:encoded><![CDATA[<a href="http://bp2.blogger.com/_wICHhTiQmrA/SI3DACirIII/AAAAAAAAB-M/mbToBJwm1uU/s1600-h/storm_pharma.png" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SI3DACirIII/AAAAAAAAB-M/YWIdXnUoPoU/s200-R/storm_pharma.png" style="border: 0pt none ;" /></a>It used to be the case that a botnet would be used for a single purpose: spamming, phishing, or malware spreading. At a later stage, the steady supply of malware-infected hosts allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - <a href="http://ddanchev.blogspot.com/2008/06/underground-multitasking-in-action.html">today's underground multitasking</a> improving the monetization of what used to be commodity goods and services.<br />
<br />
Today, a botnet will not only be <a href="http://ddanchev.blogspot.com/2008/02/inside-botnets-phishing-activities.html">sending out phishing emails</a> and automatically <a href="http://blogs.zdnet.com/security/?p=1122">SQL injecting vulnerable sites across the web</a>, but also providing <a href="http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html">fast-flux infrastructure to money mule recruitment services</a>, all of this for the sake of optimizing the efficiency provided by the botnet in general. This <a href="http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html">optimization makes it possible for a single botnet to be partitioned</a> and access to it <a href="http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html">sold and resold so many times</a> that it would be hard to keep track of all the malicious activities it participates in. Cybercrime on multiple fronts using a single botnet is only starting to take place as a concept.<br />
<br />
That's the case with Stormy Wormy, according to IronPort whose "<a href="http://www.darkreading.com/document.asp?doc_id=156139&amp;WT.svl=news1_1">Researchers Link Storm Botnet to Illegal Pharmaceutical Sales</a>" : <br />
<br />
"<i>Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. <b>But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now</b>," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year.</i>"<br />
<br />
Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.<br />
<br />
<a href="http://www.ironport.com/malwaretrends/">The Storm Worm-ers themselves aren't sending out pharma spam</a>, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "<a href="http://ddanchev.blogspot.com/2008/05/storm-worm-hosting-pharmaceutical-scams.html">Storm Worm Hosting Pharmaceutical Scams</a>". What's in it for the scammers? Income based on a revenue-sharing affiliate program, <a href="http://ddanchev.blogspot.com/2007/10/incentives-model-for-pharmaceutical.html">a pharmacy affiliate program</a> has been around for several years :<br />
<br />
"<i>This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services</i>" <br />
<br />
What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers, whose job today is more campaign-rotation related in order to ensure new bots are added; what's coming out of Storm Worm is coming from those <a href="http://it.slashdot.org/article.pl?sid=07/10/16/155209">using the access they've purchased to a part of the botnet</a>.<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2008/05/storm-worm-hosting-pharmaceutical-scams.html">Storm Worm Hosting Pharmaceutical Scams</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/all-you-need-is-storm-worms-love.html">All You Need is Storm Worm's Love</a><br />
<a href="http://ddanchev.blogspot.com/2007/01/social-engineering-and-malware.html">Social Engineering and Malware</a><br />
<a href="http://ddanchev.blogspot.com/2007/02/storm-worm-switching-propagation.html">Storm Worm Switching Propagation Vectors</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/storm-worms-use-of-dropped-domains.html">Storm Worm's use of Dropped Domains</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/offensive-storm-worm-obfuscation.html">Offensive Storm Worm Obfuscation</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html">Storm Worm's Fast Flux Networks</a><br />
<a href="http://ddanchev.blogspot.com/2008/01/storm-worms-st-valentine-campaign.html">Storm Worm's St. Valentine Campaign</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/storm-worms-ddos-attitude.html">Storm Worm's DDoS Attitude</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/riders-on-storm-worm.html">Riders on the Storm Worm</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/storm-worm-malware-back-in-game.html">The Storm Worm Malware Back in the Game</a><div class="feedflare">
<a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=TUN7jJ"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=TUN7jJ" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=QEqwBJ"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=QEqwBJ" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=FeC9Rj"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=FeC9Rj" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=b6c7oj"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=b6c7oj" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=iJ3LCJ"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=iJ3LCJ" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=zhsGWJ"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=zhsGWJ" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?a=HuQaxj"><img src="http://feeds.feedburner.com/~f/DanchoDanchevOnSecurityAndNewMedia?i=HuQaxj" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~4/349239892" height="1" width="1"/>]]></content:encoded>
      <pubDate>Mon, 28 Jul 2008 23:29:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/storm worm">storm worm</category>
      <category domain="http://securityratty.com/tag/storm worm malware">storm worm malware</category>
      <category domain="http://securityratty.com/tag/storm">storm</category>
      <category domain="http://securityratty.com/tag/hardcore storm worm-ers">hardcore storm worm-ers</category>
      <category domain="http://securityratty.com/tag/storm worm-ers">storm worm-ers</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/botnet">botnet</category>
      <category domain="http://securityratty.com/tag/botnet masters">botnet masters</category>
      <category domain="http://securityratty.com/tag/botnet spam">botnet spam</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/349239892/over-80-percent-of-storm-worm-spam-sent.html">Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings</source>
    </item>
    <item>
      <title><![CDATA[D.C. Gun Ban Lifted - Thank You Supreme Court!]]></title>
      <link>http://securityratty.com/article/48afb26967b2d6b434e3ae9982c4b02e</link>
      <guid>http://securityratty.com/article/48afb26967b2d6b434e3ae9982c4b02e</guid>
      <description><![CDATA[The news came like music to my ears (and to hundreds of thousands of other ears across the country, I dare say). Law abiding citizens in the District of Columbia would be allowed to protect their...]]></description>
      <content:encoded><![CDATA[The news came like music to my ears (and to hundreds of thousands of other ears across the country, I dare say).  Law abiding citizens in the District of Columbia would be allowed to protect their homes and families. <br />
<span id="fullpost"><br />
The vote was not unanimous by any means - the historical decision was arrived at by a 5 to 4 vote to remove the ban prohibiting District residents from obtaining handguns.  In a WTOP radio interview today, the NRA lobby spokesman, Chris Cox, spoke about the need for cities such as Chicago and San Francisco to fight to have their Second Amendment rights re-instated.  <br />
<br />
Mr. Cox also gave notice to D.C. Mayor Fenty that he would have to honor the Supreme Court's decision, even though it is well known that the Mayor is a fierce opponent of allowing law abiding citizens to protect themselves and their loved ones with the aid of a firearm.  Mayor Fenty was later quoted as saying: "More guns will mean more crimes".<br />
<br />
Apparently the Mayor's flawed and, at this stage, thread-bare reasoning did not influence the majority of Supreme Court Justices.  I would dearly love to be able to ask the Mayor this one question: how has the ban on handguns, which has been in effect in the District of Columbia for the past 32 years, helped to cut down on violent crime involving the use of ILLEGAL firearms?  I am sure that I am not the only one who has heard D.C. referred to as "The murder Capital of the World".  Are drive-bys, and drug/gang related homicides ever committed by a law abiding citizen?  How could having a firearm in one's home lead to more crime?<br />
<br />
I put it to you Mr. Mayor, that the exact opposite would/will happen.  All of those two-bit gun wielding punks on your streets who think they are big and bad because they have a "piece" jammed in their waist bands will think twice before burglarizing the home of a law abiding citizen who just might be pointing the noisy end of a 45 pistol at them.  It is a well known fact that D.C. and Maryland criminals are very reluctant to break into a Virginia home as they know that Virginians have easy access to weapons.  <br />
<br />
Of course this latest ruling does not in any way mean that we'll all be walking around downtown with concealed firearms.  Far from it, I am sure.  Justice Scalia pointed out that restrictions will still be in place.  As it should be.  Law abiding citizens do not want to see convicted Felons carrying guns nor should those suffering from mental disorders or with a history of violent domestic abuse be allowed to access guns.  Similar to what we have in Virginia, it is realistic to expect that guns will be banned from Government buildings and schools.<br />
<br />
As the owner of a security firm who protects clients from harm and as someone allowed to carry concealed in Virginia and Maryland, I would hope that those of us who are properly licensed and insured in the District will be able to carry concealed there.  I wouldn't even mind if the Mayor acted like a proper politician and found a way to tax us for the privilege.  <br />
<br />
He can even insist that all future gun holders undergo a mandated safety course.  Being a certified security training school, we're ready to get on board with the training program today!                           <br />
</span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 22:23:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mayor">mayor</category>
      <category domain="http://securityratty.com/tag/mayor fenty">mayor fenty</category>
      <category domain="http://securityratty.com/tag/supreme court">supreme court</category>
      <category domain="http://securityratty.com/tag/virginia home">virginia home</category>
      <category domain="http://securityratty.com/tag/virginia">virginia</category>
      <category domain="http://securityratty.com/tag/mayor acted">mayor acted</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/law">law</category>
      <category domain="http://securityratty.com/tag/guns">guns</category>
      <source url="http://www.thebulletproofblog.com/2008/06/dc-gun-ban-lifted-thank-you-supreme.html">D.C. Gun Ban Lifted - Thank You Supreme Court!</source>
    </item>
    <item>
      <title><![CDATA[Oklahoma State University Parking Services server is compromised]]></title>
      <link>http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517</link>
      <guid>http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/14/08

Organization
Oklahoma State University (&quot;OSU

Contractor/Consultant/Branch
OSU Parking &amp; Transit Services

Victims
OSU faculty, staff and...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/okstate.jpg" align="right" height="127" width="198"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/14/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://osu.okstate.edu/">Oklahoma State University ("OSU")</a>&nbsp; <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.parking.okstate.edu/">OSU Parking &amp; Transit Services</a> <br><br><span style="font-weight: bold;">Victims:</span><br>OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008<br><br><span style="font-weight: bold;">Number Affected:</span><br>as many as 70,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. 
The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://idalert.okstate.edu/incident_00003.html">Oklahoma State University Alert</a> <br><a href="http://www.koco.com/news/16267153/detail.html">KOCO Channel 5 News</a> <br><a href="http://ocolly.com/2008/05/15/student-faculty-and-staff-info-exposed-in-osu-parking-server-breach/">The Daily O'Collegian</a> <br><a href="http://newsok.com/osu-admits-computer-security-breach/article/3243594/?tm=1210801442">The Oklahoman</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Oklahoma State University<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.<br><br>Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. 
The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.<br><span style="font-style: italic;">[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for?&nbsp; Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?</span><br><br>Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.<br><br>The confidential information has been removed from the database.<br><br>The illegal access was limited to the parking and transit server.<br><br>As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.<br><span style="font-style: italic;">[Evan] I wonder if I am getting this right.&nbsp; Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol?&nbsp; That's not cool.&nbsp; A database server storing confidential information should not be accessible from the internet directly through a firewall. 
It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs.&nbsp; All this for parking?&nbsp; Ugh.</span><br><br>OSU contacted and worked with federal law enforcement authorities.<br><br>After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.<br><span style="font-style: italic;">[Evan] I wonder what evidence they looked for and how they went about gathering it.</span><br><br>We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.<br><br>OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.<br><span style="font-style: italic;">[Evan] Yeah!&nbsp; Review your bills (pay them occasionally) and financial transactions carefully.&nbsp; But wait, you do this already?&nbsp; Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.</span><br style="font-style: italic;"><br>OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. 
We regret the circumstances and concern this situation has caused."<br><span style="font-style: italic;">[Evan] This is my favorite statement from this story!&nbsp; What do you suppose his stance was prior to being notified of the breach?&nbsp; </span><br><br><span style="font-style: italic;">In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management.&nbsp; You have the organizations that just don't get it and don't really care or know that they don't get it.&nbsp; These organizations lose information over and over and dangerously continue to operate in a business as usual manner. </span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;">Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &amp;$#^!&nbsp; They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either).&nbsp; </span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;">Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem.&nbsp; These companies may seek guidance and consultation in the effort to build a comprehensive information security program.&nbsp; These programs should be built around business objectives and sound risk management.&nbsp; </span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;">Lastly, there are the companies that were proactive and built a sound information security program because it was good business.&nbsp; These organizations didn't need an adverse event or breach before taking action.&nbsp; These organizations don't panic when an adverse event occurs.&nbsp; They know that eventually an adverse event will occur and they will be prepared when it does.</span><br 
style="font-style: italic;"><br>The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.<br><span style="font-style: italic;">[Evan] Wow.&nbsp; The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?!&nbsp; That is way, way, way too long for a compromised server to go unnoticed.&nbsp; We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.</span><br><br>The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.<br><span style="font-style: italic;">[Evan] It's a very good idea to not collect private information if it is not required.&nbsp; It's too bad that it took a breach for this to happen.&nbsp; Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack.&nbsp; Maybe the IT Data Center has better firewalls or something <img src="http://breachblog.com/emoticons/smile.png" border="0" />.&nbsp; I like the "full review".&nbsp; This should be done no less than annually.</span><br><br>The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.<br><br>Q. How will I know if any of my personal information was used by someone else? <br>A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. 
If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.<br><span style="font-style: italic;">[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have <span style="font-weight: bold;">already</span> become an identity-theft victim.&nbsp; I'm not saying whether this is likely, or not.</span><br><br>Q. Why did you have my personal information? <br>A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.<br><span style="font-style: italic;">[Evan] Great question!&nbsp; Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>This breach torques me a little, in case you didn't pick up on that from the comments above.&nbsp; I made plenty.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
<script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/15/okstate.aspx" type="text/javascript" charset="utf-8"></script>]]></content:encoded>
      <pubDate>Thu, 15 May 2008 11:08:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/server administrators">server administrators</category>
      <category domain="http://securityratty.com/tag/server immediately">server immediately</category>
      <category domain="http://securityratty.com/tag/server prior">server prior</category>
      <category domain="http://securityratty.com/tag/database server">database server</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <source url="http://breachblog.com/2008/05/15/okstate.aspx">Oklahoma State University Parking Services server is compromised</source>
    </item>
    <item>
      <title><![CDATA[Fidel Castro exports his criminals, but we give guns to ours.]]></title>
      <link>http://securityratty.com/article/d32019abac1369ff4eb7f17218634ca4</link>
      <guid>http://securityratty.com/article/d32019abac1369ff4eb7f17218634ca4</guid>
      <description><![CDATA[I was shocked to hear the news on CBS yesterday that the Army and Marine Corps are allowing convicted Felons to join their ranks. Are recruiters that desperate or just plain lazy

The newscaster said...]]></description>
      <content:encoded><![CDATA[I was shocked to hear the news on CBS yesterday that the Army and Marine Corps are allowing convicted Felons to join their ranks.  Are recruiters that desperate or just plain lazy?<br /><span id="fullpost"><br />The newscaster said that the Army and Marine Corps are going to open their doors to Felons who have been convicted of Robbery, Burglary, sex offenses and making terroristic threats.  What can they be thinking?  Have the lunatics started running the asylum?  <br /><br />These are some of the worst offenses on the books.  I could somewhat understand if they said: "we are going to make allowances for those who have been convicted of multiple DUI/DWIs and as a result, have been declared felons".  This new policy sounds like a plot taken straight out of Hollywood...."The Dirty Dozen" springs to mind.   <br /></span><br />One would think that the military upper echelon have enough on their plate every time a story breaks about a young girl being raped in Iraq or Japan by U.S. military personnel.  One can only imagine the future problems that will arise when they willingly open their doors to convicted child molesters, rapists, robbers, burglars and terrorist sympathisers/radicals.<br /><br />The Navy and Air Force should be congratulated on failing to stoop so low.  
I hope they resist the temptation to put the same uniforms that have been worn so proudly in the past by decent human beings on those who should be wearing prison jump suits.<br /><br />Maybe if the Government paid soldiers a decent salary, which is to say, much more than the $3,000 per month that they now get to put their lives in harm's way instead of giving it to Government contracting companies who charge the Government as much as $250,000 per year per contractor AND many times overcharge and over-bill the very same Government who are willing to pay a king's ransom in the first place.]]></content:encoded>
      <pubDate>Wed, 23 Apr 2008 11:03:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/marine corps">marine corps</category>
      <category domain="http://securityratty.com/tag/prison jump suits">prison jump suits</category>
      <category domain="http://securityratty.com/tag/felons">felons</category>
      <category domain="http://securityratty.com/tag/military upper echelon">military upper echelon</category>
      <category domain="http://securityratty.com/tag/worst offenses">worst offenses</category>
      <category domain="http://securityratty.com/tag/doors">doors</category>
      <category domain="http://securityratty.com/tag/story breaks">story breaks</category>
      <category domain="http://securityratty.com/tag/decent salary">decent salary</category>
      <source url="http://www.thebulletproofblog.com/2008/04/fidel-exports-his-criminals-but-we-give.html">Fidel Castro exports his criminals, but we give guns to ours.</source>
    </item>
  </channel>
</rss>
