<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: lacey]]></title>
    <link>http://securityratty.com/tag/lacey</link>
    <description></description>
    <pubDate>Thu, 03 Jan 2008 21:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Fort Lewis soldiers exposed by laptop theft]]></title>
      <link>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</link>
      <guid>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested

Organization
United States Army
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usarmy.jpg" width="88" align="right" height="119"><font size="2"><b>Date Reported: </b><br>7/9/08 (UPDATED 7/11/08 - </font><a href="http://www.theolympian.com/377/story/504243.html">Laptop with information about soldier found; Lacey teen arrested</a>)<br><font size="2"><br><b>Organization: </b><br><a href="http://www.army.mil/">United States Army</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.lewis.army.mil/index.asp">Fort Lewis</a>*<br><font size="1"><br>*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West).&nbsp; Fort Lewis has more than 25,000 soldiers and civilian workers, source: <a href="http://www.lewis.army.mil/about-ft-lewis.asp">About Fort Lewis</a> </font><br><br><span style="font-weight: bold;">Victims:</span><br>Soldiers<br><br><span style="font-weight: bold;">Number Affected:</span><br>~800 - 900<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.king5.com/localnews/stories/NW_070808WAB_soldiers_ID_theft_KC.3e0bcdc6.html">KING Channel 5 News</a> <br><a href="http://www.thenewstribune.com/news/local/story/409911.html">Tacoma News</a> <br><br><span style="font-weight: bold;">Report 
Credit:</span><br>Elisa Hahn, KING Channel 5 News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.<br><br>In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3<br><span style="font-style: italic;">[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one.&nbsp; Moving the mobile device outside of a controlled area is strike two.&nbsp; Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.</span><br><br>He reported them stolen about 10 a.m. on July 4.<br><span style="font-style: italic;">[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.</span><br><br>A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.<br><br>the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. 
They’ll get follow-up letters.<br><br>Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.<br><br>Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.<br><br>They’re also supposed to be password-protected and personal information is supposed to be encrypted<br><br>The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.<br><br>"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.<br><br>"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."<br><br>there was no classified, secret or top-secret information on the laptop and the hard drive.<br><br>Caruso said the employee was working on a project regarding a particular unit at a location other than his office.<br><br>She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.<br><span style="font-style: italic;">[Evan] It is probably inappropriate to speculate, but you know we will anyway.&nbsp; My guess is that there is another person looking for a job in the Olympia, Washington area.</span><br><br>Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements<br><br><span style="font-weight: bold;">Commentary:</span><br>When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me.&nbsp; These men and women give everything to 
protect us.&nbsp; Without them I wouldn't be able to write this, and without them you wouldn't be able to read it. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>United States Army:<br>June, 2008 - <a href="http://breachblog.com/2008/06/03/walterreed.aspx">Walter Reed Army Medical Center breach through P2P</a> <br>April, 2008 - <a href="http://breachblog.com/2008/04/13/usaasc.aspx%20">Excel Spreadsheet on the web exposes Army officers and civilians</a> <br><br></font><br>
]]></content:encoded>
      <pubDate>Fri, 11 Jul 2008 09:44:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fort lewis soldiers">fort lewis soldiers</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/fort lewis">fort lewis</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/lacey police officials">lacey police officials</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/army">army</category>
      <category domain="http://securityratty.com/tag/army standards">army standards</category>
      <source url="http://breachblog.com/2008/07/11/usarmy.aspx">Fort Lewis soldiers exposed by laptop theft</source>
    </item>
    <item>
      <title><![CDATA[We can't write secure code]]></title>
      <link>http://securityratty.com/article/79c47a2e1084bd1deba73b2fa9ab33e1</link>
      <guid>http://securityratty.com/article/79c47a2e1084bd1deba73b2fa9ab33e1</guid>
      <description><![CDATA[David Lacey makes the important point that writing secure software is &quot;not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the...]]></description>
      <content:encoded><![CDATA[
      <a href="http://www.computerweekly.com/blogs/david_lacey">David Lacey</a> makes the important point that writing secure software is "not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process." It's a subject I've been harping on about for some time, with many references to excellent resources such as <a href="http://www.owasp.org">OWASP</a>, and great leaders on the subject such as <a href="http://securitybuddha.com">Mark Curphey</a>.

Over the last few years I've heard many solutions proposed to fix the problem of insecure software, ranging from sacking the developers to improving the software development lifecycle so that security requirements are stated from the outset and followed through into production and beyond. The evidence is that none of it works. OK, the folk at <a href="http://www.microsoft.com/mscorp/twc/security/default.mspx">Microsoft</a>, for example, will say that security is now embedded in their culture, and they've certainly generated a nice new stream of revenue for themselves out of all the books, tools and journals on the subject. But they are still releasing security patches with a frequency and schedule that I wish the rail company I use each day could achieve with their trains. And other vendors are coming up with clangers at an alarming rate. For example, this <a href="http://secunia.com/advisories/29843/">latest one</a> from leading CMS vendor RedDot. An SQL Injection vulnerability in an enterprise level CMS system - what were they playing at with their quality control?!

So, here's the thing. We can't write secure code. It's true. Can you show me any decent commercial, consumer focused product (that people actually want to use - not just techies who haven't seen daylight in 12 years and live on a diet of digestive biscuits) that is secure from the off as soon as it's exposed to the Internet and where 12 months later it hasn't required a patch of some sort? Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the <a href="https://www.pcisecuritystandards.org/">PCI standards</a> and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

I'm not knocking OWASP et al. It's the first resource I recommend developers go to and will remain so. Just that the business expects more functionality, cheaper costs, more complexity, better performance, and a more rapid deployment for its products. Chucking in security with all that lot is like rubbing your belly and patting your head at the same time, while riding a motorbike. So, let's make it easy on ourselves. Application firewalls! 
      
   ]]></content:encoded>
      <pubDate>Fri, 16 May 2008 03:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/secure">secure</category>
      <category domain="http://securityratty.com/tag/code secure">code secure</category>
      <category domain="http://securityratty.com/tag/secure code">secure code</category>
      <category domain="http://securityratty.com/tag/secure software">secure software</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security holes">security holes</category>
      <category domain="http://securityratty.com/tag/security requirements">security requirements</category>
      <category domain="http://securityratty.com/tag/security patches">security patches</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html">We can't write secure code</source>
    </item>
    <item>
      <title><![CDATA[Infosec Europe]]></title>
      <link>http://securityratty.com/article/46b5afc201cb0fae76eec90375b8d310</link>
      <guid>http://securityratty.com/article/46b5afc201cb0fae76eec90375b8d310</guid>
      <description><![CDATA[Only a week to go until this years Infosec Europe at Olympia. The program this year looks, in my opinion, to be the best yet including input from some well known industry names such as Bruce Schneier,...]]></description>
      <content:encoded><![CDATA[
      Only a week to go until this year's <a href="http://www.infosec.co.uk/">Infosec Europe</a> at Olympia. The program this year looks, in my opinion, to be the best yet, including input from some well known industry names such as Bruce Schneier and Alan Paller, as well as my fellow bloggers David Lacey ("Locking Down Social Networking Vulnerabilities" on the 22nd) and Philip Virgo ("Why Do We Need an E-Crime Unit?" on the 23rd).

I'll be participating in the "The Mock trial of A.N.Corporate" on the 24th in the Interactive Theatre, where, according to the blurb "The excitement of a real courtroom is brought to Olympia, when a mock trial is conducted where various members of a corporation (It Manager, CISO, CIO and CEO) are put in the dock, and questioned by the defence and prosecution." It should be fun!

There are some exciting <a href="http://www.infosec.co.uk/page.cfm/Action=ShowCategory/CatPageID=7">new exhibitors </a>on the list for this year including <a href="http://www.behaviosec.se/">Behaviosec </a>whose product "Behavio identifies unauthorized users within seconds by detecting anomalies in keyboard and mouse behavior."

I'm looking forward to seeing you there. 

      
   ]]></content:encoded>
      <pubDate>Tue, 15 Apr 2008 03:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/infosec europe">infosec europe</category>
      <category domain="http://securityratty.com/tag/mock trial">mock trial</category>
      <category domain="http://securityratty.com/tag/bruce schneier">bruce schneier</category>
      <category domain="http://securityratty.com/tag/industry names">industry names</category>
      <category domain="http://securityratty.com/tag/real courtroom">real courtroom</category>
      <category domain="http://securityratty.com/tag/interactive theatre">interactive theatre</category>
      <category domain="http://securityratty.com/tag/e-crime unit">e-crime unit</category>
      <category domain="http://securityratty.com/tag/behavio identifies">behavio identifies</category>
      <category domain="http://securityratty.com/tag/olympia">olympia</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/04/infosec-europe.html">Infosec Europe</source>
    </item>
    <item>
      <title><![CDATA[Network IPS Systems - still worth buying?]]></title>
      <link>http://securityratty.com/article/cda0828ab342bef8b0fad504fd1e044c</link>
      <guid>http://securityratty.com/article/cda0828ab342bef8b0fad504fd1e044c</guid>
      <description><![CDATA[I was involved in an interesting debate a couple of nights ago about the relative merits or otherwise of IPS. It's a subject I've talked about a couple of times before on this blog ( for instance here...]]></description>
      <content:encoded><![CDATA[
      I was involved in an interesting debate a couple of nights ago about the relative merits or otherwise of IPS. It's a subject I've talked about a couple of times before on this blog (for instance <a href="http://www.computerweekly.com/blogs/stuart_king/2007/10/roi-of-ips.html">here</a>, talking about the ROI of an IPS device, and <a href="http://www.computerweekly.com/blogs/stuart_king/2007/10/to-buy-or-not-to-buy-what-is-t.html">here</a>, where the decision about whether or not to purchase an IPS device is debated). The general consensus around the table was that IPS is prone to false positives, difficult to monitor, and adds too much latency to network traffic.

The question of latency can certainly be a problem for an organisation reliant on transaction speed - take share trading for instance. Within my own industry a few false positives and the odd extra millisecond on a transaction will not make a whole lot of difference however, I'm beginning to lean towards the view that network IPS might have had its day.

David Lacey's <a href="http://www.computerweekly.com/blogs/david_lacey/">blog</a> today makes the point that "nine out of ten security managers still prefer to monitor rather than block." That's a fine strategy if you have the organic resource (i.e. a person) to do the monitoring. In some businesses I've visited over the years, the monitoring habit had worn off and IDS logs were only being reviewed at fixed times. That's hardly the way to get benefit out of the investment. One of the supposed benefits of IPS is its alleged pro-activeness in blocking attacks. I've heard this called into question in some instances.

So, what is the best way forward? Innovative products such as the <a href="www.secerno.com">Secerno </a>solution mentioned by David seem like a good idea. More generally, as we de-perimeterise, we need solutions closer to where the important assets are and more tailored to protect them. Host-based IPS systems that reliably block attacks are a good approach. Web application firewalls another.

There is a certain comfort level that's difficult to shake off in having the network IPS - so, it'll still be around for a while mitigating a bit of the risk, but I'm becoming less certain about exactly how much.
      
   ]]></content:encoded>
      <pubDate>Wed, 19 Mar 2008 03:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ips">ips</category>
      <category domain="http://securityratty.com/tag/ips systems">ips systems</category>
      <category domain="http://securityratty.com/tag/network ips">network ips</category>
      <category domain="http://securityratty.com/tag/ips device">ips device</category>
      <category domain="http://securityratty.com/tag/reliably block attacks">reliably block attacks</category>
      <category domain="http://securityratty.com/tag/block">block</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/false positives">false positives</category>
      <category domain="http://securityratty.com/tag/transaction speed">transaction speed</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/03/i-was-involved-in-an.html">Network IPS Systems - still worth buying?</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-01-03 [del.icio.us]]]></title>
      <link>http://securityratty.com/article/c536f55c7e134d18b2a78ccd27df76ba</link>
      <guid>http://securityratty.com/article/c536f55c7e134d18b2a78ccd27df76ba</guid>
      <description><![CDATA[Report Card: 2007 Incite #1 - Get with the Program | Security Incite: Analysis on Information Security
SANS Technology Institute: Stephen Northcutt's favorite Security Predictions for 2008
Financial...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://securityincite.com/blog/mike-rothman/report-card-2007-incite-1-get-with-the-program">Report Card: 2007 Incite #1 - Get with the Program | Security Incite: Analysis on Information Security</a></li>
<li><a href="http://www.sans.edu/resources/musings/2008_predictions.php">SANS Technology Institute: Stephen Northcutt's favorite Security Predictions for 2008</a></li>
<li><a href="https://financialcryptography.com/mt/archives/000989.html">Financial Cryptography: 2008 -- The Year of the Raven!</a></li>
<li><a href="http://www.computerweekly.com/blogs/david_lacey/2007/12/security-forecasts-for-2008-1.html">Security Forecasts for 2008 (David Lacey's IT Security Blog)</a></li>
<li><a href="http://www.andrewhay.ca/archives/219">www.andrewhay.ca &raquo; Andrew Hay&rsquo;s Predictions for 2008</a></li>
<li><a href="http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1287637,00.html">Security's crystal ball for 2008</a></li>
</ul>]]></content:encoded>
      <pubDate>Thu, 03 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/security forecasts">security forecasts</category>
      <category domain="http://securityratty.com/tag/security blog">security blog</category>
      <category domain="http://securityratty.com/tag/favorite security predictions">favorite security predictions</category>
      <category domain="http://securityratty.com/tag/security incite">security incite</category>
      <category domain="http://securityratty.com/tag/incite">incite</category>
      <category domain="http://securityratty.com/tag/sans technology institute">sans technology institute</category>
      <category domain="http://securityratty.com/tag/andrew hays predictions">andrew hays predictions</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/210936976/anton18">Links for 2008-01-03 [del.icio.us]</source>
    </item>
  </channel>
</rss>
