[SecurityRatty] tag: hired

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Log Management - Day 1

Mon, 28 Jul 2008 07:03:00 +0000

Inspired by this and this here (and this too). It started from Jeremiah saying this:

“You’re hired on at a new company placed in charge of securing their online business (websites). You know next to nothing about the technical details of the infrastructure other than they have no existing web/software security program and a significant portion of the organizations revenues are generated through their websites.

What is the very first thing do on day 1?”

At about the same time, I saw a message posted to one of the mailing lists where the poster wondered: "I’ve been asked to look into finding a replacement to our current log management/auditing system. This is a field I haven’t even come close to touching before, and really don’t know the ideal things to look for (or ignore), etc. I’ve been searching through SANS site as well as googling, and I’m not coming up with a lot of great starter information. " And then he asks "Where should I start?"

This is indeed a really good question! Let's rephrase the above for the case of logging:

"You’re hired on at a new company placed in charge of TAKING CONTROL OVER THE LOGS. You know next to nothing about the technical details of the infrastructure other than they have no existing LOG MANAGEMENT process and tools... What is the very first thing do on day 1?”

So the "Day 1" of log management project. What's up?!

The very first thought that should cross you mind before you even do whatever first thing you wanted to do is "WHY?" (don't people hate those 'Why?" questions - focusing on "What?" or "How?" is soooooooo much easier....)

"Log management" is a solution, not a problem. What is your problem that you now have a mandate to solve?

Logs don't just drop on people :-) Well, not often.

What is it that motivated your boss (or his boss, or whoever) to decide to "address this", to "take control over logs?" Was it a new compliance mandate, PCI perhaps? Was it a recent incident where investigation hit the wall due to utter lack of logs? Was it a new corporation-wide IT efficiency improvement project? Was it a lawsuit where an e-discovery request was not satisfied and thus fine was levied? Was it a hot IT project that is impossible to complete without having a tool to analyze logs?

This "need" is very important since logging is a huge realm and not focusing on the need is akin to starting a journey into a hostile wilderness without a map - in other words, it might be fun for a while, but it can end badly :-)

Next, what do you actually do first? Figure out what logs are needed for this effort and what systems produce them (and who "owns" them!) Analyzing SAP logs for J-SOX is a VERY different effort from analyzing Cisco ASA logs for network troubleshooting.

Only at this point you can start thinking about "tools:" parsers, logs, databases, reports, alerts, indexing and other technical thingies as well as capacity planning, scalability, etc. This is the stage where you learn the lingo and learn to cut through marketing messaging to get to the actual tool capabilities.

So, remember: given mandate to "tame the logging monster", think "WHY?" first!

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

P2P-related breach affects high-profile clients from Wagner Resource Group

Mon, 14 Jul 2008 13:08:21 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
Wagner Resource Group

Contractor/Consultant/Branch:
None

Victims:
Clients*

*Most notably Supreme Court Justice Stephen G. Breyer, which has been well publicized.

Number Affected:
~2,000

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer."

Reference URL:
SecurityFix
Washington Post
United Press International
NBC Universal, Inc

Report Credit:
Brian Krebs, Washington Post

Response:
From the online sources cited above:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer
[Evan] P2P file sharing and other client software use can pose a very significant risk in most companies. It is typically an easy risk to address however. A mixture of any one or more of the following controls can help to mitigate the risk; information security training and awareness, egress traffic monitoring and filtering, intrusion detection/prevention, and hardened workstations (i.e. removal of administrative access) to name a few.

In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
[Evan] This is a common oversight. LimeWire and other P2P file sharing applications are wonderful tools for doing what they are designed to do. Before allowing their use (or any other software), an organization must evaluate the risks in doing so. If you intend to use or allow the use of LimeWire in your organization, understand how the software works and how it is configured. During the install you will be prompted for the "Save Folder and Shared Folders". Be careful what you choose, and be careful about what information you put in these locations in the future. Most organizations that are aware of risks just choose not to allow P2P use.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
[Evan] The high-profile nature of this breach is what has grabbed headlines all last week.

Of the 2,000 records from Wagner Resource Group that were found online, 700 included Social Security numbers, names and birth dates, while other records included only one or two of those details.

The breach was not discovered for nearly six months.
[Evan] This is another danger posed by information leaked through P2P. Once information has leaked, how does an organization detect that it has been leaked? There is no longer any control.

A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
[Evan] I wonder why the reader did not notify the authorities and/or Wagner at the time of its discovery. Maybe he/she did. I don't know.

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare.

About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
[Evan] Really?! I would have not guessed that the percentage would be so high. Interesting.

"We've seen a lot of instances where a company will be working on a product that's not even released yet, and the diagrams for that product are already out on the Net," Boback said.
[Evan] Very good point. It isn't just personally identifiable information that is leaked, there are plenty of instances where intellectual property (IP) is exposed. I have read estimates that as much as 80% or organizational assets globally are intangible (information, knowledge, etc.).

"This case is unique because of the high profile of the targets. The individuals on this list are at a very high risk, almost imminent, of identity theft."

Tiversa officials found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.

"To me, this was devastating," said Phylyp Wagner, founder of the investment firm. "I didn't even know what peer-to-peer was. I do now."
[Evan] This is a big problem! Corporate leaders must be made aware of the risks surrounding the information for which they are ultimately responsible for.

Wagner said his company has contracted with FirstAdvantage of Poway, Calif., which last week sent out letters notifying affected clients of the breach and offering each six months of free credit-report monitoring.

He emphasized that the peer-to-peer disclosure never endangered his clients' financial records, which are stored by a separate company.
[Evan] Maybe not their financial records, but it did affect some people's financial status (at least temporarily).

But that may be small consolation to several lawyers on the list who said they recently experienced unexplained financial activity.

"This may explain why two weeks ago I got a $9,000 cellphone bill from AT&T," said Steven Agresta, a partner with the law firm Alston & Bird.

Someone had opened a phone account using his date of birth and Social Security number, but with a different address.

this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P.

He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts.

Commentary:
This certainly isn't the first time we have read about P2P file sharing network exposures. If your organization can find a way to use the technology without posing an unacceptable risk, then fine. If not, then don't allow the technology to be used. Seems pretty plain and simple.

There is much work to be done. At Wagner and elsewhere.

Past Breaches:
Unknown

Work-place violence kills many U.S. workers every year.

Sat, 12 Jul 2008 14:28:00 +0000

Our company is hired regularly to make sure that fired employees do not come back to work and kill a supervisor or fellow colleagues.

When people hear that Corporations hire bodyguards to work in their Corporations pending and following company terminations they are surprised. This surprises me. Every year, workplace violence makes the "top ten" list of serious concerns facing U.S. businesses.

Yesterday, on WTOP radio station I heard the phrase; "Desk Rage" for the first time. Unfortunately it is very appropriate. Some people have very bad tempers and an argument or decision at work can lead to them getting a weapon and committing homicide. This was evidenced a couple of weeks ago in Kentucky when five factory workers were killed by an employee who had been slightly reprimanded.

Employers do have a responsibility to ensure a safe work place environment. That is the reason companies hire us. If we are called in and are onsite when a violent worker returns intent on hurting people, we will be the ones to stop him or her from committing the act.

Fellow workers should report incidents involving any type of inappropriate behavior, especially instances where people are likely to get hurt, or worse. Very rarely does an employee just go ballistic or "postal" for no reason. The most common cause of work place homicides are domestic situations. An employee with a dangerous spouse/significant other who has just been arrested on domestic violence charges or has been served with a protective should be brought to a supervisor's attention immediately.

With so much rage in schools, on the road and in the home, the Police have their hands full just reacting to situations where many times the SWAT team will be called in. Private security companies are a great resource to the business community as Police do not have the resources to sit for days and wait to see if something will happen.

Be part of the solution. Report all potentially dangerous situations in the workplace to a supervisor.

SMS death threat scam arrives down under

Fri, 11 Jul 2008 20:00:00 +0000

A text message scam purporting to be from a hired hitman is reportedly duping Australians into sending thousands of dollars to the scammers to "buy" a stay of...

ConSentry CEO talks up security issues

Sun, 06 Jul 2008 20:00:00 +0000

Network-access-control start-up ConSentry Networks has filled its long-vacant CEO position with Joe Golden, a partner in Accel Partners, a ConSentry investor. Golden was a partner in Accel Partners' London venture-capital office from 2001 until ConSentry hired him; before that he was Cisco's managing director of business development and strategic alliances for Europe, Middle East and Africa. With NAC in flux and with some start-ups having failed, Golden spoke with Network World Senior Editor Tim Greene about ConSentry, its strategy and the future of NAC.

Data Breach At Benefits Company Affects Google Employees

Fri, 04 Jul 2008 00:53:03 +0000

Google employees hired before 2006 have been warned to watch out for possible attempts to steal their identities. InformationWeek reports that in a letter last month, Google attorney Lewis A. Segall alerted New Hampshire Attorney General Kelly A. Ayotte that computers had been stolen from Colt Express Outsourcing Services, a third-party employee benefits administrator for Google [...]

Attention - Lawyers and Private Investigators!

Tue, 24 Jun 2008 21:18:00 +0000

Lawyers are always in need of process servers to serve civil papers. More often than not, they use the services of a Private Investigator or process service company.

If the P.I. or process server is credible and ethical, there should not be a problem. If on the other hand, the server "claims" to have served the paper, charges the Law Firm for services rendered but does not actually effect the necessary service, it could be the makings of a significant lawsuit. This is what happened in Massachusetts.

The plaintiff in that casewas awarded $3,000,000.00 when the State Court ruled that the Bermuda businessman, Donald P.Lines, had not been served by the company hired to effect the service, Boston based "Stokes & Levin". It later transpired that the company had used pre-fabricated stamps of the signature of a process server who no longer worked for the company. It did not enhance the image of the Securities and Exchange Commission either as the SEC were the ones who hired "Stokes & Levin".

I have heard stories of one elderly P.I. in Virginia who gets confused when he serves civil papers and sometimes puts the same time on two different papers even when they are served 20 miles or more apart. Yet, he continues to get requests for service from lawyers that he has known a while. I hope this story serves as a reminder to him and those who hire him that you stand to lose a lot if you don't get it right - both in reputation and finacial terms. There's no shame in hanging up the gun belt when the sun starts to set on your career. It's always better to go out a winner than a defendant.

The Arizona Office of the Auditor General finds plenty of holes

Mon, 23 Jun 2008 08:28:27 +0000

Technorati Tag: Security Breach

Date Reported:
6/19/08

Organization:
The Arizona Board of Regents

Contractor/Consultant/Branch:
Arizona State University
University of Arizona
Northern Arizona University

Victims:
Students, faculty and staff

Number Affected:
"more than 10,000"

Types of Data:
Names, Social Security numbers, student identification numbers, addresses, phone numbers, e-mail addresses and user accounts

Breach Description:
"The Office of the Auditor General has conducted a performance audit of information technology security at Arizona State University (ASU), the University of Arizona (UA), and Northern Arizona University (NAU) pursuant to Arizona Revised Statutes (A.R.S.) §41-2958." "ASU’s, UA’s, and NAU's Web-based applications are vulnerable. Auditors were able to gain unauthorized access to sensitive information, such as social security numbers, and could have modified or deleted important university information."

Reference URL:
Arizona Office of the Auditor General's report titled "Arizona’s Universities—Information Technology Security"
The Arizona Daily Star

Report Credit:
Arizona Office of the Auditor General

Response:
From the online sources cited above:

The Office of the Auditor General has conducted a performance audit of information technology security at Arizona State University (ASU), the University of Arizona (UA), and Northern Arizona University (NAU) pursuant to Arizona Revised Statutes (A.R.S.)
§41-2958.

Information technology (IT) security practices are important for Arizona's universities to protect large amounts of sensitive and confidential information that are stored on their computer systems, including information for more than 122,000 students and nearly 25,000 faculty and staff.

Universities in general are attractive targets for computer hackers because universities traditionally have a strong culture of academic freedom that values open access to information and a free exchange of ideas.

University IT security problems are occurring more often through weaknesses in computer programs called Web-based applications.

The Arizona universities combined use at least 205 significant Web-based applications for educational and administrative purposes, such as curriculum and course management, documenting personal information for admissions and financial aid, and processing financial, payroll, and other transactions, such as purchasing parking permits.

ASU’s, UA’s, and NAU's Web-based applications are vulnerable.

Auditors were able to gain unauthorized access to sensitive information, such as social security numbers, and could have modified or deleted important university information.

Auditors were able to gain this access by exploiting some critical and commonly found weaknesses that exist in many of the universities' Web-based applications.

Security weaknesses in one Web-based application allowed auditors to access a database and obtain more than 10,000 records with names and social security numbers.

Auditors also obtained other records that contained student identification numbers, addresses, phone numbers, and e-mail addresses.

Auditors also had the ability to modify and delete this information.

In two other applications, auditors were able to exploit a security weakness that would have allowed them to take over a large number of user accounts, including accounts with high-level access.

In many applications, auditors discovered a security flaw that would allow an attacker to take over user accounts and install malicious software.

Auditors did not attempt to identify every flaw that may exist because the testing was designed to determine what the impact could be if certain identified vulnerabilities were successfully exploited.

To better protect the information processed through their Web-based applications,
ASU, UA, and NAU need to:

Conduct regular security assessments of Web-based applications. The universities first need to determine how many Web-based applications they have and then make provisions to regularly update their lists of applications. They then need to develop and implement procedures for regularly conducting security reviews of their critical Web-based applications.

[Evan] Even though it seems like it’s the same story in company after company, I am still amazed by how many organizations don't know what or how many applications that have (not to mention servers, clients, routers, switches, wireless access points, etc.)! Its pretty hard to secure something if you don't know it exists, and just because you don't know it exists does not mean you are not responsible for it.

Develop a university-wide policy and associated procedures for updating Web servers, which are computers that host Web-based applications. Software vulnerabilities are constantly being discovered and publicized, and the universities need to develop or enhance: (1) procedures for identifying vulnerabilities relevant to their Web servers, (2) a timeline for reacting to notifications of newly discovered Web server vulnerabilities, and (3) a process for determining whether to apply a software update, establish another control to address the Web server vulnerability, or accept the risk of not updating the software.
Ensure that security is built into the process for developing Web-based applications. According to ASU, UA, and NAU officials, none of them have university-wide security standards for developing applications. According to an IT best practice, building security into the development process is more cost-effective and secure than applying it afterwards.
Provide training to application developers so that they are aware of common Web-based application vulnerabilities and methodologies that can be used to avoid them. None of the universities have a training program that is mandatory for all users and geared toward an individual's role within the university.

All three Arizona universities have taken some key steps toward developing an overall
IT security approach; however, additional work is needed.

Creating information security staffs--Over the past few years, ASU, UA, and NAU have established and filled information security officer (ISO) positions and made these ISOs responsible for information security efforts university-wide. Until the ISOs were hired, the universities have not had any staff whose sole responsibility included directing and coordinating all aspects of information security across the university.
[Evan] Typically, this position is more effective if it reports directly to an executive such as CEO, President, etc. Information security is not an IT problem, and often times there is a conflict of interest if an ISO reports up through the IT organization.

Developing information security programs--The universities are at varying stages in developing formal programs to guide their information security efforts, but none have yet developed all the standards or procedures needed to support a complete information security program. The universities are in the beginning stages of implementing their information security programs, in part because the ISO positions are relatively new.

[Evan] The report goes on to address specific findings and recommendations for all three of the schools. In my opinion, the report is very well-written and definitely worth your reading time!

Commentary:
I didn't provide much commentary on the Auditor General's report because it really speaks for itself. It was a good read (for a security guy anyway). Kudos to the Arizona legislature for funding the audit, Kudos to the Auditor General on the findings, the report, and the excellent recommendations, and Kudos to the schools for their agreements and plans for improvement. I feel a little giddy and I'm not really sure why.

Is anyone planning to notify the people whose information was found to be vulnerable to attack and exploit? I would be surprised if the auditors were the first to find these chinks in the armor.

I highly recommend reading the report.

Past Breaches:
Unknown