[SecurityRatty] tag: license

A thin line between blog theft and promotion - another opinion

Thu, 03 Jul 2008 18:24:36 +0000

Rich Mogull has been writing a bit about his disagreement with a the SecurityRatty site posting his content (original posts here and here). These posts have set off a rash of comments and other articles on both sides of this issue. Finally Rich wrote his defining post on this topic here. Rich's position is that he owns his words. Ratty took them without his permission, ads nothing to the conversation or commentary at all and actually hosts the content rather than just linking to it. Now for those who don't know, SecurityRatty is a site allegedly owned and operated by some Russian CISSP dude. Basically, they claim they are an RSS aggregator and they just republish blog posts in their entirety. A couple of things to note though:

1. SecurityRatty does not usually add any content of their own or edit the posts in any way
2. They link back to the blogs or articles which are aggregated
3. They do appear to sell some advertising on the site
4. You can search their aggregated content on their site
5. At least recently they are removing content and feeds from their site if you request it.
6. They did not ask anyones permission that I know of before posting content

OK, now that the groundwork is laid, let me give my Shimel view on this. I disagree with Rich. Hey it is a big world and I think there is room for a dissenting opinion here. The reasons I disagree with Rich are:

1. Though Ratty plainly posts up others content, he does not hold it out as his own. He plainly gives credit to those who actually created the words and in fact links back to their sites.
2. Rich is publishing his data under a creative commons license, I am not sure if the meager ad on Ratty would qualify this as a commercial site.
3. Rich distinguishes what Ratty does from Google and other search engines (who clearly profit from Rich's content) by the fact that they just point to it. Not all together true. They also keep a cached copy of the content that you can go to as well.
4. The fact is that I have a tough time seeing any harm to Rich here. In fact if Ratty were not pointing back to Rich's site, if he did not make it as easy to see that it is just an aggregate feed or if Ratty were adding his own comments and not clearly delineating his from Rich's, I would feel differently. Some of this is directly in contrast to Rich who says that if Ratty did add his own views to Rich's, that would make it right by him.
5. Finally, I would go even further than Rich not being harmed by Ratty. I think Rich actually benefits from Ratty. It is yet another outlet for Rich's content and though not everyone reading it at Ratty may go back to Rich's site, they do know it is him and can go back easily. In fact if Rich did advertise at his site, I could understand him losing hits at his site. Otherwise if Ratty just pointed back, one could say the more hits Ratty generates, it could cost Rich more money. Much like people who link to graphics hosted elsewhere.

So, Rich I see that Ratty has stopped aggregating your content so that should be enough of a victory for you. In the long run though I think it is a Pyrrhic victory and you would have been better off with Ratty publicizing your words.

Even the Rich and Famous pay the price for being Dishonest and Unethical

Sun, 29 Jun 2008 12:05:00 +0000

All of our courses - in the U.S. and over seas, begin with the same message - ETHICS is the keystone of our profession and our success. It's a shame that famed litigator - Richard "Dickie" Scruggs forgot that lesson.

In yesterday's Washington Post, the headline reads; "Famed Litigator Gets 5-Year Term for Conspiracy to bribe Judge". For those who are not familiar with him, Scruggs became one of the wealthiest and most famous lawyers in the country by taking on tobacco, insurance and asbestos companies.

What did he do? Well, for starters (and what they were able to prove), he attempted to bribe Lafayette County Circuit Court Judge Henry Lackey by offering him $50,000.00. U.S. District Judge Neal Biggers Jr., called Scruggs' conduct "reprehensible" and told him that he picked the wrong Judge to bribe. In addition to the 5 year jail term, he was fined $250,000.00 and lost his law license.

You really got to love it when Justice is rightfully served. Unfortunately, it makes me wonder how many more sleazy lawyers around the country and unethical Judges are not getting reported and prosecuted. It is a little too hard to believe that Scruggs is the only dirt-bag in the legal profession. We welcome the message it sends out; "nobody is above the law".

Like most, if not all common criminals, Richerd Scruggs became greedy. In 1990, Scruggs became famous for suing tobacco companies and winning lawsuits that resulted in a $206 BILLION dollar settlement. If his take of that was just 10%, he walked away with a cool $20.6 Billion dollars. A film was even made about the case - "The Insider" starred Al Pacino and Russell Crowe.

A decade later he is trying to bribe a Judge with $50,000? I would say it was a combination of greed and power going to his head. Maybe that is why the "Post" reported that he nearly fainted and swayed from side to side when the Judge scolded him. He had to sit down before the sentence was read out. He must have believed that he was untouchable.

It's just a shame that he wasn't touched with a heavier sentence. A twenty year sentence would have sent out an even more powerful message. Still and all, the idea of wearing a prison jumpsuit and eating balogna sandwiches is probably like a life sentence to someone who believed themselves to be above the law.

The article claims that many high profile friends petitioned Judge Biggers for leniency when sentencing Scruggs. He's lucky I am not the warden at his jail. I think he would be a perfect candidate for the toilet cleaning squad.

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

Petroleum Wholesale charged with exposing customers

Sun, 22 Jun 2008 17:58:23 +0000

Technorati Tag: Security Breach

Date Reported:
6/19/08

Organization:
Petroleum Wholesale, L. P.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information"

Breach Description:
”HOUSTON -- Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, was charged by the Texas Attorney General of improperly disposing of customer records"

Reference URL:
The Pasadena Citizen
KHOU-TV Channel 11 News
Convenience Store News

Report Credit:
The Pasadena Citizen

Response:
From the online sources cited above:

HOUSTON - Texas Attorney General Greg Abbott today charged Houston-based Petroleum Wholesale, L.P., which operates Sunmart Travel Centers & Convenience Stores in 10 states, for exposing its customers to identity theft.

According to the state's enforcement action, Petroleum Wholesale improperly discarded customer records containing sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information.

"This defendant is charged with failing to protect its customers' sensitive information," Attorney General Abbott said.

"With more than 20,000 Texas victims each year, identity theft remains one of the nation's fastest-growing crimes. The Office of the Attorney General will continue working to protect Texans from identity theft."

Investigators with the Office of the Attorney General (OAG) discovered that the company improperly discarded hundreds of customer records in a publicly-accessible trash container outside its former headquarters.
[Evan] According to information posted on the Petroleum Wholesale web site, "Petroleum Wholesale services more than 350 retail locations throughout ten states." This breach has the potential to affect many, many people.

According to investigators, the records included sales receipts with customers' names and full credit or debit card numbers with expiration dates.

The records also included returned checks, along with forms listing customers' names, banking routing numbers, driver's license and Social Security numbers.

The defendant is charged with violating the 2005 Identity Theft Enforcement and Protection Act, which requires the safeguarding and proper destruction of clients' sensitive personal information.

State law establishes penalties of up to $50,000 per violation of the Act.
[Evan] This could add up quick. What's a better business decision, a few hundred bucks for a cross-cut shredder and accompanying procedures, or fifty grand per incident? Although, I am not sure that a shredder and procedures are not all that is needed in Petroleum Wholesale's information security program (assuming one exists).

The OAG also charged the company with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information.

The law provides for civil penalties of up to $500 for each abandoned record.

For more information about preventing identity theft, contact the Office of the Attorney General at (800) 252-8011 or visit the agency's Web site at www.texasattorneygeneral.gov.

style="font-weight: bold;">Commentary:
One question that isn't clear from the news reports is whether or not this was a common practice at Petroleum Wholesale. Organizations should take heed of this case. I think actions taken by Mr. Abbott and other State Attorney Generals will only become more frequent.

I look forward to more information in the future about this case.

Past Breaches:
Unknown

Another brick in the wall to limit blogging

Tue, 17 Jun 2008 20:36:22 +0000

First it was the EU looking at passing a law that would require bloggers to disclose their identity and affiliation. Now the AP is looking to enforce a new license that would require payments when a blogger puts an excerpt from an AP article in their blog. My friend Kevin McLaughlin blogged on this over at Channel Web blog today. Basically the AP says that if you excerpt more than 5 words you need to start paying them fees. Kevin reached out to me and I gave him my views on this one.

I think that it is a really short sighted move by the AP. First of all it shows they really don't understand blogging. Blogging is about taking an idea which often comes from another source and putting the bloggers own spin and ideas behind it. In this way topics are built on one blog at a time with each blogger adding a bit more to the conversation. Each additional blog on topic enriches those blogs and articles that preceded it. As I said in the Channel Web article, it is like a jazz musician playing a riff on top of a line already laid down.

In real terms blogging on the AP content will only generate more views and interest in the AP content. AP is just a dinosaur with this type of view and will soon go the way of dinosaurs if they try to enforce this. In the meantime bloggers can talk about an AP article, but don't link to it and don't excerpt from it. I suspect that the next thing is we will have a replay of the inbound links litigation we had 8 years ago. In the meantime blogging will continue to march on with AP or not.

Another brick in the wall to limit blogging

Tue, 17 Jun 2008 19:43:03 +0000

Loving customers frustrate security firms too

Fri, 13 Jun 2008 15:45:37 +0000

Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:

1. Making renewals a manual process with those annoying phone trees. I agree, when I hear the press 1 for this and press 2 for this, my blood starts to boil. There is no reason that this just can't be built into the product to renew over the web. Security or no, any software vendor not doing it this is just plain crazy.

2. Calling into a company with a sales inquiry and the sales guy never calls back. This one just kills me. When doing due diligence on potential acquisitions at a prior company I would call in or email with a sales inquiry and wait to see how long it would take for them to get back to me. It was a good indication of how well the sales organization and company functioned.

3. Killing the deal with one sided, overly legal and burdensome terms. Another one that I battle all the time. The CFO has to be able to recognize revenue so needs specific T&Cs. The lawyers want to protect the vendor against all eventualities and is doing his job. You want to make as few warranties and representations as possible to limit your liability. The result, the customer gets one sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a lot at some of the ones with software you have bought. It may surprise you.

But in my best Fox News voice, lets be fair and balanced. So in that vein, let me give you 3 specific examples of how loving customers frustrate security firms:

1. The guys who picked the product leave and the new guy comes in and doesn't have a clue. This happens all the time, especially in the government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in this category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.

2. Buying the product and than "other priorities" delay implementation. A surefire recipe for shelfware. When I see this happening I tell our folks better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice to have, rather than a must have, that drove the sale. Now sure, one can say that what does the vendor care, the customer paid. If he doesn't use it, less support costs. But you don't get renewals, you don't get upsells or referrals without customers using product.

3. Using the product in unintended ways. Another favorite heartburn of mine. Customers figure just because the application runs Linux underneath, why can"t I run (You Name It). We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems we all due to the all of the other software that he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole another story supporting software that you have written.

So Roger, yes the customer is always right and security vendors have to get their act together if they want to survive, let alone compete in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.

Personal information found in Boca Raton dumpsters

Tue, 10 Jun 2008 06:24:10 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
Wheeler's Moving Company

Contractor/Consultant/Branch:
None

Victims:
Employees, job applicants and customers

Number Affected:
Unknown

Types of Data:
"files containing driver's licenses, social security numbers, telephone numbers, addresses and birth dates"

Breach Description:
"BOCA RATON, FL (Fox29) - Piles and piles of personal files with tax information, social security numbers and license numbers, were found in a Boca Raton dumpster. These dumpsters are located between a set of warehouses here on Northwest First Avenue."

Reference URL:
WFLX Fox 29 News
WPEC Channel 12 News

Report Credit:
Chuck Weber, WFLX Fox 29 News

Response:
From the online sources cited above:

BOCA RATON, FL (Fox29) - Piles and piles of personal files with tax information, social security numbers and license numbers, were found in a Boca Raton dumpster.

Dumpsters on Northwest 1st Avenue Boca Raton were found full of files and paperwork with personal information - names, addresses, drivers licenses and some social security numbers - all out in the open for the taking.
[Evan] I think we would be surprised at how common it is for organizations to throw confidential information in the garbage (instead of shredding). Unauthorized disclosure of confidential information including personal information, trade secrets, intellectual property, draft press releases, etc. can be very damaging.

The dumped personal records inside, apparently belonged to Wheeler's Moving Company.

containing information on employees or job applicants, and some customers

Some files even dated back as far as 20 years or more.

After contacting the Wheeler's Moving Company, they claimed to have moved out of Boca Raton and into Jupiter about a year ago and they had no idea this had happened.

Building owner Charles Wheeler, former owner of the moving company, says, "In my heart I don't think it's going to be a problem. And I didn't realize until I heard from you guys that there was something sensitive in there. And it should have never been thrown out."

Wheeler says he didn't think any sensitive documents were still inside.
[Evan] A complete lack of awareness. Business owners and leaders (everyone really) need to be more aware of the security implications involving the information they create, collect, use, store, and discard. Thieves are.

Police received a call Monday, and were able to clean up a majority of this dumpster.

There are currently some remnants of the files out there, but officials are doing their best to protect the people on these files so their identities are not stolen and get these files and papers shredded properly.

all the documents have since been shredded.

Wheeler says from now on, he will shred all unneeded documents.

Victim Reaction:
"I'm taken aback; I really almost shaking. The fact that records could be around for all these years,"

"It shouldn't have been available to anybody, but nobody has done anything."

"It's very frightening to think of that it was available, and that it could have happened,"

Commentary:
I feel bad for small business owners that aren't aware of or properly trained in risk management and information security. It's easy to be angry with them, but too many of them just don't know any better.

Obviously, I feel bad for the victims too.

Past Breaches:
Unknown

Know the Difference Between a NAC Client and a 1X Supplicant

Thu, 05 Jun 2008 13:01:00 +0000

Now that we’ve started implementing NAC solutions with 802.1X, we (as an industry) have muddied the lines between the two technologies and even the software involved.

Understanding the difference between a NAC Client and an 802.1X Supplicant can save you much time, confusion and - yes - MONEY.

How does it save money? I figured most of you would glob on to that one first- hang on, I’ll get to it in a minute ;).

NAC Clients. Most network-based NAC vendors, such as Cisco, Juniper, StillSecure and ProCurve have some type of NAC Client or Endpoint Integrity Agent provided as part of their NAC solution. The NAC Client is a software agent that sits on the endpoint and collects statement of health or posture of the endpoint and communicates that back to whatever NAC controller you’re using. (Most of these guys offer some type of agent-less or transient-agent posture checking too, but this doesn’t apply here.)

The NAC Client may also provide additional security functions such as host enforcement or it may serve as an encryption termination point for IPSec tunnels created between the endpoint and a firewall, for example. I’m sure we’ll be seeing more and more bells and whistles added to the NAC Clients as time goes by.

802.1X Supplicant. An 802.1X supplicant is a different creature all together. First of all, it’s worth noting a supplicant can exist as a piece of software on an endpoint, or as part of an infrastructure device, including switches, APs and even printers. On an infrastructure device, the built-in supplicant lets us do things like authenticate switches to one another for maintaining integrity of network devices and prevent rogues from joining the network.

If the supplicant is on a PC or laptop, it may be built in to the operating system, or provided as a 3rd party software. The supplicant is what communicates through the switches to the RADIUS server for authentication and ‘speaks EAP’. EAP, the Extensible Authentication Protocol, is what makes 1X. Generally a supplicant’s only function in life is to speak EAP and get the device authenticated to the network.

What you may see from some vendors, such as Juniper, is an integrated NAC Client with a built-in Supplicant. Juniper’s Odyssey Client bundles both functions in to 1 agent.

Okay, so back to the money… Understanding what does what, and what comes from where is helpful when we start talking dollars. In many cases you’ll end up paying separately for the NAC Client licenses and the Supplicant licenses. You won’t have to pay for both if…

If the NAC Client and Supplicant are bundled
If you’re using the Supplicant integrated with the OS or
If you’re using an open source Supplicant
If you’re not 802.1X with your NAC, and of course
If you’re not using NAC on top of 802.1X

Some vendors may offer a pricing advantage depending on what you’re planning to do. We started with two main Supplicants a few years ago- Meetinghouse’s Aegis and Funk’s Odyssey Access Client. What happened to those guys? Cisco bought Meetinghouse and now offers the Aegis client as an option with their solution and Juniper bought Funk and integrated the Odyssey Access Client directly into their endpoint integrity agent. Most likely they want to try and recoup some of the money from those acquisitions, so what that means for you is that you will likely pay money for products containing those technologies.

On the other hand, some of the home-grown technology from the NAC side may lessen the budget burden. Cisco’s endpoint integrity agent is actually included with their NAC solution, so they don’t charge any per-seat fee (unless you add 802.1X). Juniper’s is integrated, so you’re getting both functions regardless. You can probably spot companies that OEM another solution or another client if they charge for the NAC Client license… that’s not definite, but a good rule of thumb.

From a deployment perspective an bundled agent (NAC + 1X) is nice, since it means you only need to download 1 piece of ‘thing’ onto the endpoint. From a budget persepctive it can be good or bad- it really depends on how many licenses you need and how willing your vendor is to work with you on price.

# # #

Starbucks, AT&T Brick Loyalty Card Service Launch

Tue, 03 Jun 2008 09:34:56 +0000

Starbucks, AT&T biff day one of the card loyalty program: After several hours of occasional attempts to register my Starbucks Card (actually, two) with the company for free Wi-Fi and other rewards, seeing "Service Unavailable," long delays, errors, and a general failure to accept my card--now there's a message. "Due to overwhelming interest in Card Rewards we are currently experiencing difficulty accessing Starbucks Cards accounts. We are working to fix the problem and ask that you please try again later."

The Card Rewards program allows anyone with a Starbucks Card to register it with Starbucks for freebies, including Wi-Fi. There's an interesting choice (when it worked) where you can select whether to have freebies like free exotic milk options or brewed coffee refills by themselves or with Wi-Fi on top. If you choose Wi-Fi, you're redirected to SBC servers (for nostalgia's sake), at which point everything seems to fall apart.

Trying two separate cards, I was unable to set up an account and get the cards to take. The errors weren't clearly spelled out. Clearly, the system was neither designed to handle demand, nor designed to fail gracefully, blocking users until capacity was available.

For loyal Starbucks patrons, this doesn't come across very well at all.

[Photo by Matt Davis. Used under Creative Commons license.]