[SecurityRatty] tag: lawyers

Automation Gone Wrong

Wed, 10 Sep 2008 17:00:04 +0000

We’ve talked about the changing nature of the data center and the critical role that even more automation – from virtual machine movement to runbook tools to auto-remediation and more – will have in trying to manage data center operations in real-time. But it’s always a balancing act. How “smart” can automated processes really be? What really should be automated versus requiring some level of human scrutiny and decision-making?

Well here’s a story where the tradeoff for speed and efficiency caused a massive stock dump erroneously.

Apparently, many traders use automation software that trolls the Web for news stories and then, depending on what it finds, executes stock trades automatically. It was United Airline’s bad luck that an old article about its 2002 bankruptcy-court filing showed up on Google’s news service and somehow made it to the list of most popular stories. In one of a series of mistakes here, the story had no date on it – which means Google’s algorithm for assessing popularity didn’t have a way to exclude it as an “old” story – OR (because there are conflicting accounts) the South Florida Sun-Sentinel actually put “today’s” date on the page that the story appeared on. This got picked up by the Income Security Advisors newsletter and sent over to Bloomberg News as a one-line brief. Plus there’s the inevitable conspiracy theory that people manipulated the web traffic for this story to adversely affect UAL. Regardless, on Monday afternoon, the stock plunged 76% in less than a day.

But the real problem here is the growing use of automated programs to trigger stock trades without any human interaction – instead based on news headlines and earnings data. According to the Wall Street Journal, these automated programs were responsible for a very surprising 25% of NYSE trades in the last week of August.

I’m sure we’ll hear more as the lawyers are now involved trying to figure out who should get the blame.

Mythbusters Episode on RFID Security Nixed

Wed, 10 Sep 2008 10:34:45 +0000

Seems that the idea was killed by lawyers under pressure from the credit card industry. Or maybe not; the person who started this rumor has retracted his comments. Or maybe those same lawyers made him retract his comments.

Don't they know that security by gag order never works, except temporarily?

Memo to the President

Tue, 12 Aug 2008 02:36:31 +0000

Obama has a cyber security plan.

It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.

One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.

You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.

Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.

Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.

Oh, and get rid of those post-9/11 restrictions on student visas that are causing (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.

Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

This essay originally appeared on Wired.com.

Memo to Next President: How to Get Cyber Security Right

Thu, 07 Aug 2008 11:45:00 +0000

Obama has a cyber security plan.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating (.pdf) how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Think "liability" if you want to stay out of trouble.

Sun, 03 Aug 2008 21:12:00 +0000

I speak a lot about liability, but not everyone gets it.

I have seen medical doctors, dentists, business people of all walks of life and lawyers (it is surprising how many lawyers disregard liability)pay little attention to potential lawsuits. The latest category to leave themselves open, have been auctioneers.

The current foreclosure crisis has meant that many properties are being auctioned off. We have been providing security officers at some of the properties in order to make sure that people do not try to steal or commit vandalism when viewing the houses. There was an incident recently in which a bidder decided to withdraw his offer after his bid became the winning bid. He probaly got cold feet.

While he should not have reneged on his offer to buy the property, it was a civil matter best left to civil remedy. Unfortunately, the auctioneers involved decided to take the law into their own hands and would not let the man leave the property. The man became anxious and informed them that he was having difficulty breathing and needed to go to his car for his asthma medication.

Was this true? Maybe, maybe not - but would it be wise to gamble with a person's health when you already had their personal details and you could easily have obtained his vehicle registration if he decided to leave?
Thankfully, our security officer knew better that to get involved with blocking the man's way. The auctioneers stood in front of his vehicle and yelled at him. Eventually the man drove off.

If you represent a financial institution, a law firm or an auctioneering firm, you need to think twice before you act inappropriately. I have no doubt that had that man had a serious attack and if he died as a result, his next of kin would have sued for umpteen millions. When it comes to situations like this, you need to think rationally and realize what is involved. What was the worse thing that could have happened when the person decided to renege on his offer?

Apparently, he would have signed forms and the like and most probably he could be sued civilly for not fulfilling his obligations after delivering the winning bid. At the end of the day, the note holder would be in a strong position. Even if the person had given false information and could not be subsequently located, all they had to do was to put the property back on the market. What could that have cost, a couple of thousand in extra advertising and the like? That would have been much better than having to pay the next of kin many millions - not to mention the bad publicity.

We talk a lot about liability because it is a very real threat. Think "threat mitigation". Those who do not, may pay a very high price.

(Not Really) Stateful IT-GRC Inspecting Threat Management At Gigabit Speeds

Tue, 22 Jul 2008 10:41:00 +0000

A friend of the blog recently pointed me to an article that used the term:

“PCI Risk Management”

Now usually when I see a term like this, I can only imagine that such things are the byproduct of rapidly decaying brain cells. In my mind I imagine there’s a conference room somewhere with some marketing types all hopped up on the vapors from industrial solvents spewing terms like “protectivity” or “advanced adaptive deep packet inspection” into the ether with all the acumen of an intoxicated long-horned bovine.

BUT

I thought about this, and it’s really not a bad idea - depending on how you define it. Now I just couldn’t make the effort to read how the author used the term (I have a short pain threshold), but here’s my thoughts on what PCI Risk Management should be. If we define Risk as the probable frequency and probable magnitude of future loss.

Then managing the risk inherent in PCI DSS compliance could mean:

1.) The expected frequency of being out of compliance and how much that will cost us.

Because let’s face it - being in or out of PCI compliance is still a subjective judgment. First, we have what our ever-qualified assessor says. But in the case of an incident, it’s really someone else who has the final say in whether or not we were “compliant” at the time of incident. So we can only know for certain if we’re in compliance after the fact - i.e. after there’s an incident. So if we cannot really “know” if we’re compliant - we have a probability problem to solve! Sounds like “risk” or “secure” doesn’t it?

So we could view the PCI as a threat community to deal with. This gives us the first angle of what we could call PCIRM (this sort of term begs to be it’s own acronym, doesn’t it?) - the simple creation of a probability statement that says there is some belief that we could be found out of compliance - regardless of our efforts - and the calculation of what the impact would be to our organization (like defending frivolous 90 bajillion $ law suits from tiny financial institutions whose lawyers smell blood in the water). Note that you may or may not want to add the value of the money and time spent on PCI compliance into your loss magnitude calculations. It’s a sunk cost at that point.

However, there’s another side of the coin. We can find out the risk of being out of compliance, but is there risk in being *in* compliance? I think there is. So our second aspect of PCI Risk Management might be:

2.) The expected frequency of being in compliance and how much that will cost us.

An alternate view of how we could view the Payment Card Industry as a threat community would involve trying to figure out the probable frequency with which they will make onerous demands of our security budget, and the impact of those demands.

Now note that we would have a “secondary risk” to measure here. I’m thinking that it’s not improbable that our PCI efforts may not be the most efficient use of or time and money. So if we’re spending money on what PCI says we must, and neglecting areas of our IRM landscape that would actually reduce organizational risk more than those PCI efforts - then PCI compliance is costing us some real value by reducing our capability to manage real risk. However, and it’s quite a long tail event but, imagine that we’re unlucky and an incident happens! This incident may become, in no small probability, the byproduct of PCI requirements. Being diligent in risk management, we might want to study this likelihood, too.

So there you have it. In both cases PCI Risk Management involves looking at the Payment Card Industry as a threat community, and determining the probable impact of having to deal with PCI DSS.

Now if you’ll excuse me, I have a white paper to write and I’m fresh out of acetone-based paint remover.

POST SCRIPT

I should make it clear that Risk Management should (and is) obviously being performed by those with PCI concerns. PCI, if you will, is simply a sort of ISMS. And the development of an ISMS can assist IT management with the process of developing metrics and analysis concerning the organizations capability to manage risk. There’s nothing wrong with PCI in this regard.

But I figured I should make the effort to read what the author was advocating, and the document this “PCI Risk Management” term was drawn from was really a set of “best practices” for PCI and “best practices” above and beyond what PCI requires. This is not risk management (and no, adding “risk assessment” - in quotes because the author is really referring to vulnerability management - to the list of best practices doesn’t make it risk management, either). It is more witch-doctory.

P2P-related breach affects high-profile clients from Wagner Resource Group

Mon, 14 Jul 2008 13:08:21 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
Wagner Resource Group

Contractor/Consultant/Branch:
None

Victims:
Clients*

*Most notably Supreme Court Justice Stephen G. Breyer, which has been well publicized.

Number Affected:
~2,000

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer."

Reference URL:
SecurityFix
Washington Post
United Press International
NBC Universal, Inc

Report Credit:
Brian Krebs, Washington Post

Response:
From the online sources cited above:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer
[Evan] P2P file sharing and other client software use can pose a very significant risk in most companies. It is typically an easy risk to address however. A mixture of any one or more of the following controls can help to mitigate the risk; information security training and awareness, egress traffic monitoring and filtering, intrusion detection/prevention, and hardened workstations (i.e. removal of administrative access) to name a few.

In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
[Evan] This is a common oversight. LimeWire and other P2P file sharing applications are wonderful tools for doing what they are designed to do. Before allowing their use (or any other software), an organization must evaluate the risks in doing so. If you intend to use or allow the use of LimeWire in your organization, understand how the software works and how it is configured. During the install you will be prompted for the "Save Folder and Shared Folders". Be careful what you choose, and be careful about what information you put in these locations in the future. Most organizations that are aware of risks just choose not to allow P2P use.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
[Evan] The high-profile nature of this breach is what has grabbed headlines all last week.

Of the 2,000 records from Wagner Resource Group that were found online, 700 included Social Security numbers, names and birth dates, while other records included only one or two of those details.

The breach was not discovered for nearly six months.
[Evan] This is another danger posed by information leaked through P2P. Once information has leaked, how does an organization detect that it has been leaked? There is no longer any control.

A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
[Evan] I wonder why the reader did not notify the authorities and/or Wagner at the time of its discovery. Maybe he/she did. I don't know.

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare.

About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
[Evan] Really?! I would have not guessed that the percentage would be so high. Interesting.

"We've seen a lot of instances where a company will be working on a product that's not even released yet, and the diagrams for that product are already out on the Net," Boback said.
[Evan] Very good point. It isn't just personally identifiable information that is leaked, there are plenty of instances where intellectual property (IP) is exposed. I have read estimates that as much as 80% or organizational assets globally are intangible (information, knowledge, etc.).

"This case is unique because of the high profile of the targets. The individuals on this list are at a very high risk, almost imminent, of identity theft."

Tiversa officials found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.

"To me, this was devastating," said Phylyp Wagner, founder of the investment firm. "I didn't even know what peer-to-peer was. I do now."
[Evan] This is a big problem! Corporate leaders must be made aware of the risks surrounding the information for which they are ultimately responsible for.

Wagner said his company has contracted with FirstAdvantage of Poway, Calif., which last week sent out letters notifying affected clients of the breach and offering each six months of free credit-report monitoring.

He emphasized that the peer-to-peer disclosure never endangered his clients' financial records, which are stored by a separate company.
[Evan] Maybe not their financial records, but it did affect some people's financial status (at least temporarily).

But that may be small consolation to several lawyers on the list who said they recently experienced unexplained financial activity.

"This may explain why two weeks ago I got a $9,000 cellphone bill from AT&T," said Steven Agresta, a partner with the law firm Alston & Bird.

Someone had opened a phone account using his date of birth and Social Security number, but with a different address.

this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P.

He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts.

Commentary:
This certainly isn't the first time we have read about P2P file sharing network exposures. If your organization can find a way to use the technology without posing an unacceptable risk, then fine. If not, then don't allow the technology to be used. Seems pretty plain and simple.

There is much work to be done. At Wagner and elsewhere.

Past Breaches:
Unknown

Even the Rich and Famous pay the price for being Dishonest and Unethical

Sun, 29 Jun 2008 12:05:00 +0000

All of our courses - in the U.S. and over seas, begin with the same message - ETHICS is the keystone of our profession and our success. It's a shame that famed litigator - Richard "Dickie" Scruggs forgot that lesson.

In yesterday's Washington Post, the headline reads; "Famed Litigator Gets 5-Year Term for Conspiracy to bribe Judge". For those who are not familiar with him, Scruggs became one of the wealthiest and most famous lawyers in the country by taking on tobacco, insurance and asbestos companies.

What did he do? Well, for starters (and what they were able to prove), he attempted to bribe Lafayette County Circuit Court Judge Henry Lackey by offering him $50,000.00. U.S. District Judge Neal Biggers Jr., called Scruggs' conduct "reprehensible" and told him that he picked the wrong Judge to bribe. In addition to the 5 year jail term, he was fined $250,000.00 and lost his law license.

You really got to love it when Justice is rightfully served. Unfortunately, it makes me wonder how many more sleazy lawyers around the country and unethical Judges are not getting reported and prosecuted. It is a little too hard to believe that Scruggs is the only dirt-bag in the legal profession. We welcome the message it sends out; "nobody is above the law".

Like most, if not all common criminals, Richerd Scruggs became greedy. In 1990, Scruggs became famous for suing tobacco companies and winning lawsuits that resulted in a $206 BILLION dollar settlement. If his take of that was just 10%, he walked away with a cool $20.6 Billion dollars. A film was even made about the case - "The Insider" starred Al Pacino and Russell Crowe.

A decade later he is trying to bribe a Judge with $50,000? I would say it was a combination of greed and power going to his head. Maybe that is why the "Post" reported that he nearly fainted and swayed from side to side when the Judge scolded him. He had to sit down before the sentence was read out. He must have believed that he was untouchable.

It's just a shame that he wasn't touched with a heavier sentence. A twenty year sentence would have sent out an even more powerful message. Still and all, the idea of wearing a prison jumpsuit and eating balogna sandwiches is probably like a life sentence to someone who believed themselves to be above the law.

The article claims that many high profile friends petitioned Judge Biggers for leniency when sentencing Scruggs. He's lucky I am not the warden at his jail. I think he would be a perfect candidate for the toilet cleaning squad.

Attention - Lawyers and Private Investigators!

Tue, 24 Jun 2008 21:18:00 +0000

Lawyers are always in need of process servers to serve civil papers. More often than not, they use the services of a Private Investigator or process service company.

If the P.I. or process server is credible and ethical, there should not be a problem. If on the other hand, the server "claims" to have served the paper, charges the Law Firm for services rendered but does not actually effect the necessary service, it could be the makings of a significant lawsuit. This is what happened in Massachusetts.

The plaintiff in that casewas awarded $3,000,000.00 when the State Court ruled that the Bermuda businessman, Donald P.Lines, had not been served by the company hired to effect the service, Boston based "Stokes & Levin". It later transpired that the company had used pre-fabricated stamps of the signature of a process server who no longer worked for the company. It did not enhance the image of the Securities and Exchange Commission either as the SEC were the ones who hired "Stokes & Levin".

I have heard stories of one elderly P.I. in Virginia who gets confused when he serves civil papers and sometimes puts the same time on two different papers even when they are served 20 miles or more apart. Yet, he continues to get requests for service from lawyers that he has known a while. I hope this story serves as a reminder to him and those who hire him that you stand to lose a lot if you don't get it right - both in reputation and finacial terms. There's no shame in hanging up the gun belt when the sun starts to set on your career. It's always better to go out a winner than a defendant.

Data leaks out . . . and lawyers rake it in

Wed, 18 Jun 2008 20:00:00 +0000

What made the Ameritrade data breach particularly memorable was not that 6.3 million customers had their personal info compromised and inboxes stuff with spam as a result. No, what made it memorable was that the company had received multiple warnings from IT professionals over more than a year that its database had been compromised -- yet took no action before the bits hit the fan last fall.