<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: minnesota]]></title>
    <link>http://securityratty.com/tag/minnesota</link>
    <description></description>
    <pubDate>Wed, 12 Mar 2008 06:49:36 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Minnesota woman fined $222,000 for music piracy gets new trial]]></title>
      <link>http://securityratty.com/article/b09b4ef38f104787606aae6eac832354</link>
      <guid>http://securityratty.com/article/b09b4ef38f104787606aae6eac832354</guid>
      <description><![CDATA[A federal judge has overturned a jury verdict that ordered a Minnesota woman to pay $222,000 to various record companies for illegally copying and distributing 24...]]></description>
      <content:encoded><![CDATA[A federal judge has overturned a jury verdict that ordered a Minnesota woman to pay $222,000 to various record companies for illegally copying and distributing 24 songs.]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 00:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/minnesota woman">minnesota woman</category>
      <category domain="http://securityratty.com/tag/record companies">record companies</category>
      <category domain="http://securityratty.com/tag/jury verdict">jury verdict</category>
      <category domain="http://securityratty.com/tag/federal judge">federal judge</category>
      <category domain="http://securityratty.com/tag/songs">songs</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=e3cdb851c1352e4f7c3de7013df13de1">Minnesota woman fined $222,000 for music piracy gets new trial</source>
    </item>
    <item>
      <title><![CDATA[Metro Round-Up: Phila., Minneapolis, St. Louis Park (Minn.), Texas, Foster City (Calif.), Naperville (Ill.), Chehalis and Centralia (Wash.), Cambria C]]></title>
      <link>http://securityratty.com/article/ba9fa39ee95e3dd8fdd6d81a86d5370d</link>
      <guid>http://securityratty.com/article/ba9fa39ee95e3dd8fdd6d81a86d5370d</guid>
      <description><![CDATA[Philadelphia may find operator for Wi-Fi network: The AP reports that the City of Brotherly Love's Wi-Fi network isn't yet down, or down for the count. While it's scheduled to be flipped off tomorrow...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://www.forbes.com/feeds/ap/2008/06/11/ap5104811.html"><strong>Philadelphia may find operator for Wi-Fi network:</strong></a> The AP reports that the City of Brotherly Love's Wi-Fi network isn't yet down, or down for the count. While it's scheduled to be flipped off tomorrow (you can read whatever you like into the phrase "flipped off"), the city is talking to a party it won't disclose about the network's future. EarthLink sued Phila. in May to be able to remove its equipment and cap its liabilities. The city's wireless non-profit arm, Wireless Philadelphia, has made noises about what EarthLink's true liability could be; the non-profit has borne some of the electrical cost, and might be seeking to have that repaid on top of penalties and other expenses.</p>

<p><a href="http://www.startribune.com/business/19726749.html?location_refer=Homepage"><strong>Minneapolis suffers the heartbreak of leafage:</strong></a> Leaves are popping in Minneapolis, and Star-Tribune columnist Steve Alexander writes that residents are seeing some Wi-Fi reception problems on that city's Wi-Fi network. This is the only big-city network that can be currently described as "successful," even though its long-term success has to be proven out. The firm responsible, USI Wireless, told Alexander they're working on adjusting about 5 percent of antennas to cope with the pesky greenery.</p>

<p><a href="http://www.startribune.com/local/west/19745504.html?location_refer=Style%20+%20People"><strong>St. Louis Park sues ARINC over Wi-Fi network:</strong></a> The Minnesota town says the network never worked, and had earlier discussed a lawsuit. The city wants the value of the contract ($1.7m) plus a very modest amount in damages and fees ($50,000). The city plans to start removing gear if ARINC doesn't sometime in June. But they have to deal with 490 poles erected to hold the nodes and solar-charging gear--sunk into concrete. More recent testing showed that the network worked well in some areas, but the majority of the network did not, according to the Star Tribune.</p>

<p><a href="http://telecompetitor.com/node/671"><strong>Verizon builds out fiber in AT&T territory:</strong></a> Interesting sign of competition in otherwise monopoly-per-provider-type world. Verizon is using AT&T's hard-won statewide video franchising rules in Texas to build competitive fiber in Dallas suburbs. They're apparently not bringing telecom; they're acting like a cable TV firm with data. Verizon owns chunks of territory all over due to it encompassing GTE in a deal years ago. GTE serves suburbs west of Portland, Ore., and east of Seattle, for instance, while Qwest serves most of the rest of each state.</p>

<p><a href="http://sanmateodailynews.com/article/2008-6-7-fc-metrofi"><strong>Foster City Wi-Fi dies on June 20:</strong></a> MetroFi is unlighting its cities, and Foster City opted not to spend the nearly $200,000 asking price MetroFi put on its equipment. MetroFi might still find a buyer, but June 20 is the network's current final day. Naperville, Ill., <a href="http://www.suburbanchicagonews.com/napervillesun/news/998667,6_1_NA11_WIFI_S1.article"><strong>also expects a June 20 shutdown</strong></a>. They, too, were offered the network hardware for 200 grand.</p>

<p><a href="http://www.chronline.com/story.php?subaction=showfull&id=1213119382&archive=&start_from=&ucat=1"><strong>Chehalis lights up:</strong></a> A small city in southern Washington votes to put in Wi-Fi hotzones. The cost is about $53,000 and annual fees $15,000. Funds will come from existing tax and grant sources. The city chose to install service to make sure they're not missing a checkbox on the amenities list for visitors and businesses rather than for a particular, measurable goal.</p>

<p><a href="http://www.chronline.com/story.php?subaction=showfull&id=1213205136&archive=&start_from=&ucat=1"><strong>Nearby Centralia pulls its Wi-Fi:</strong></a> A pilot project in the larger city of Centralia, Wash., a bit north of Chehalis, is shut down when poles used to mount Wi-Fi radios are removed as electrical wires are buried. (The reporter here confuses broadband over powerlines (BPL) with broadband wireless.) The system might be restarted later.</p>

<p><a href="http://www.muniwireless.com/2008/06/10/guest-commentary-how-a-pennsylvania-county-paved-the-way-to-muni-broadband-success/"><strong>Craig Settles writes up Pennsylvania's Cambria County wireless success:</strong></a> This is a network built for particular municipal purposes, part of Settles's long-time drumbeat about having applications first and then networks built for those networks second. He notes that Cambria built a 700 sq mi network that sounds nearly cost neutral through efficiency and cost conservation--it's cheaper to get much more service with this network than it was for a smaller array of services with incumbent-provided networks. </p>

<p><a href="http://www.scsun-news.com/news/ci_9545465"><strong>Santa Fe residents oppose Wi-Fi in the library on health grounds:</strong></a> You know what I have to say about how provable this has turned out to be in clinical studies. I am, however, as always, concerned about these people's health, even if I don't believe that Wi-Fi (or EMF) causes their problems. The group opposed to library-Fi is citing the ADA in this case, uniquely I believe. Six libraries suggested that EMF triggers seizures in epileptics, something I've never heard cited before; maybe CRTs (flickering), but EMF? Wired is substantially less kind than I am, pointing out that EMF other than Wi-Fi produces <a href="http://blog.wired.com/gadgets/2008/06/santa-fe-whiner.html"><strong>vastly higher signal strength</strong></a>. (They're sort of ignoring signal strength at a given point where an individual stands in relation to a transmitter, however.)</p>]]></content:encoded>
      <pubDate>Wed, 11 Jun 2008 10:33:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/big-city network">big-city network</category>
      <category domain="http://securityratty.com/tag/residents oppose wi-fi">residents oppose wi-fi</category>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/mount wi-fi radios">mount wi-fi radios</category>
      <category domain="http://securityratty.com/tag/wi-fi hotzones">wi-fi hotzones</category>
      <category domain="http://securityratty.com/tag/wi-fi network">wi-fi network</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network hardware">network hardware</category>
      <source url="http://wifinetnews.com/archives/008353.html">Metro Round-Up: Phila., Minneapolis, St. Louis Park (Minn.), Texas, Foster City (Calif.), Naperville (Ill.), Chehalis and Centralia (Wash.), Cambria C</source>
    </item>
    <item>
      <title><![CDATA[Minnesota Town Tells Google Maps: Keep out - We Mean It!]]></title>
      <link>http://securityratty.com/article/2a860d31cd79c01c9cff559d4af3e221</link>
      <guid>http://securityratty.com/article/2a860d31cd79c01c9cff559d4af3e221</guid>
      <description><![CDATA[The St. Paul suburb with private roads may be the first U.S. city to ask that street images be removed. The city of 4,500 residents has demanded that Google Maps remove images of North Oaks homes from...]]></description>
      <content:encoded><![CDATA[The St. Paul suburb with private roads may be the first U.S. city to ask that street images be removed. The city of 4,500 residents has demanded that Google Maps remove images of North Oaks homes from the website's Street View feature, where any Internet user can glimpse a home from the nearest road.]]></content:encoded>
      <pubDate>Sun, 01 Jun 2008 06:49:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/north oaks homes">north oaks homes</category>
      <category domain="http://securityratty.com/tag/street view feature">street view feature</category>
      <category domain="http://securityratty.com/tag/street images">street images</category>
      <category domain="http://securityratty.com/tag/paul suburb">paul suburb</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/internet user">internet user</category>
      <category domain="http://securityratty.com/tag/website">website</category>
      <category domain="http://securityratty.com/tag/glimpse">glimpse</category>
      <category domain="http://securityratty.com/tag/roads">roads</category>
      <source url="http://digg.com/security/Minnesota_Town_Tells_Google_Maps_Keep_out_We_Mean_It">Minnesota Town Tells Google Maps: Keep out - We Mean It!</source>
    </item>
    <item>
      <title><![CDATA[Building a Security Architecture Blueprint]]></title>
      <link>http://securityratty.com/article/be8541e9d7982385a4bdcad21f1d0184</link>
      <guid>http://securityratty.com/article/be8541e9d7982385a4bdcad21f1d0184</guid>
      <description><![CDATA[This week I spoke at the Secure 360 conference on Building A Security Architecture Blueprint ( slides ). My thesis is that information is a strategic enterprise asset (in many cases it *is* the...]]></description>
      <content:encoded><![CDATA[<p>This week I spoke at the Secure 360 conference on Building A Security Architecture Blueprint (<a href="http://arctecgroup.net/pdf/Sec360ArchBlueprint.pdf">slides</a>). My thesis is that information is a strategic enterprise asset (in many cases it *is* the business), yet the typical enterprise approach to securing the information or even risk management, is rarely strategic. Last year, I wrote a <a href="http://arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf">Security Architecture Blueprint paper</a> to describe one framework for putting a strategic context around an information security program. The main idea is that instead of starting with security goals (cue the ritual CIA invocation), we start with considering security in the context of the stakeholders - business, development, operations, customers, and so on.</p>

<p>You can then use the framework to assign priorities and phasing for Information Security actions. So instead of letting the random auditor and their ever-present checklist that the final four assigns you drive your program, use a framework that incorporates the business and its goals. A number of people commented on my post on <a href="http://1raindrop.typepad.com/1_raindrop/2008/05/grc---to-be-or.html">GRC</a> -</p>

<p><a href="http://securosis.com/2008/05/13/grc-is-dead/">Rich Mogull</a></p>

<blockquote>Much of what we call GRC should really be features of your ERP and accounting software.
...
It’s an additional, very highly priced, reporting layer.
...A GRC tool provides almost no value at the business unit level, <em>since it doesn’t help them get their day to day jobs done.</em> </blockquote>

<p><a href="http://securityincite.com/TDI-2008-05-12#TBP2">Mike Rothman</a> succinctly gets to the point with a one liner I am sure will become part of my repertoire:</p>

<blockquote>It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind.
</blockquote>

<p><br />
So my GRC post seemed to tap into a fair amount of GRC blogohostility, fair enough, but the main point is not slamming GRC, just the overfocus on GRC and substituting misdirected marketecture for real world architecture. <a href="http://rationalsecurity.typepad.com/blog/2008/05/asset-focused-n.html">Hoff</a> got to the heart of the point of what I was saying - it's about assets

<blockquote>As I think about it, I'm not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem.  I see internal audit driving the adoption which given today's pressures (especially in public companies) would first start in establishing gaps against regulatory compliance.

<p>If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level and one that is not compliance-driven but rather built upon a business and asset-driven approach</p></blockquote>

<p>So I submit that you should not start with a compliance checklist, but instead build a <a href="http://1raindrop.typepad.com/1_raindrop/2007/05/security_archit.html">security architecture blueprint</a> that captures your stakeholders' goals. Assess this against your policy and standards, and your security architecture capabilities. Out of this come risk management decisions. And off we go into actually building and operating something - hopefully making some profits along the way.</p>

<p>So build blueprints, minimize time spent doing checkbox Olympics. The blueprint I worked on is just a generic framework, you may have a different one. I know that the one that I designed is in use in many organizations and in each case I know of it has been tailored to local purposes. So it's a beginning not an end, but those two things are more related than you think as <a href="http://en.wikipedia.org/wiki/T._S._Eliot">someone from the financial services industry</a> once said</p>

<blockquote>
In my beginning is my end
...
in my end is my beginning
</blockquote>

<p>Where you start your security architecture and design matters, and directly affects where you end up.</p>

<p>Anyway, the conference was a lot of fun, I rarely get to do conferences in MN. I got to meet <a href="http://chuvakin.blogspot.com/">Anton Chuvakin</a> for the first time, and went to the presentation on the local <a href="http://www.owasp.org/index.php/Minneapolis_St_Paul">OWASP Minnesota</a> chapter - Robert Sullivan, Joe Teff and Kuai Hinojosa did a great job doing an overview of what OWASP is all about, demoing WebGoat and so on.</p>]]></content:encoded>
      <pubDate>Fri, 16 May 2008 05:26:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security architecture">security architecture</category>
      <category domain="http://securityratty.com/tag/security architecture blueprint">security architecture blueprint</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security architecture capabilities">security architecture capabilities</category>
      <category domain="http://securityratty.com/tag/blueprint">blueprint</category>
      <category domain="http://securityratty.com/tag/information security program">information security program</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/post">post</category>
      <category domain="http://securityratty.com/tag/grc post">grc post</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/05/building-a-se-1.html">Building a Security Architecture Blueprint</source>
    </item>
    <item>
      <title><![CDATA[If You See Someone Using Wi-Fi to View Illegal Images, Call the Police]]></title>
      <link>http://securityratty.com/article/8e4200b4d63b7b4965a6cc7fb946c18d</link>
      <guid>http://securityratty.com/article/8e4200b4d63b7b4965a6cc7fb946c18d</guid>
      <description><![CDATA[This child-porn-over-Wi-Fi story baffles me from two fronts: From Minnesota, a person (I use the term lightly) in a town north of Saint Paul and east of Minneapolis decided to use free Wi-Fi at a Dunn...]]></description>
      <content:encoded><![CDATA[<p><strong><a href="http://www.startribune.com/local/east/17932219.html">This child-porn-over-Wi-Fi story baffles me from two fronts:</a></strong> From Minnesota, a person (I use the term lightly) in a town north of Saint Paul and east of Minneapolis decided to use free Wi-Fi at a Dunn Brothers coffeeshop to view child pornography. He apparently sat or crouched in an alley or hallway between the cafe and another business.</p>

<p>Here's what mystifies me. First, someone from the business he's crouching near spots him viewing the porn, and instead of calling 911, reports him to the cafe's manager. Then, the cafe manager shoos the guy away instead of calling the police. Only when the man returns three weeks later does the manager call police. </p>

<p>If you ever see someone viewing images of clearly underage individuals engaged in sexual acts or having those acts performed on them, you call the police. There are times when it's unclear whether the images are against the rules of an orderly society in which we protect its weakest members, but I believe with most of this category of pornography, there is a bright line. There's not much subtle child porn, from the reports issued by the police.</p>

<p>The broader issue of whether one should ever look at images of consenting, legal age participants in naked gymnastics in public places is also pretty clear (no).</p>]]></content:encoded>
      <pubDate>Sat, 19 Apr 2008 05:36:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/call">call</category>
      <category domain="http://securityratty.com/tag/cafe manager shoos">cafe manager shoos</category>
      <category domain="http://securityratty.com/tag/manager">manager</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/manager call police">manager call police</category>
      <category domain="http://securityratty.com/tag/images">images</category>
      <category domain="http://securityratty.com/tag/cafe">cafe</category>
      <category domain="http://securityratty.com/tag/view child pornography">view child pornography</category>
      <category domain="http://securityratty.com/tag/subtle child porn">subtle child porn</category>
      <source url="http://wifinetnews.com/archives/008281.html">If You See Someone Using Wi-Fi to View Illegal Images, Call the Police</source>
    </item>
    <item>
      <title><![CDATA[Mobile Post: Speeds Thrills in Minnesota]]></title>
      <link>http://securityratty.com/article/f2adccc3e1c9b535b8aa53d12db6d344</link>
      <guid>http://securityratty.com/article/f2adccc3e1c9b535b8aa53d12db6d344</guid>
      <description><![CDATA[In Minnesota, St. Paul and Minneapolis may stand as poster children for two trends in broadband: On your left, Comcast offers 50 Mbps/5 Mbps in the home; on your right, a working urban Wi-Fi...]]></description>
      <content:encoded><![CDATA[<p><b>In Minnesota, St. Paul and Minneapolis may stand as poster children for two trends in broadband:</b> On your left, Comcast offers 50 Mbps/5 Mbps in the home; on your right, a working urban Wi-Fi network.</p>]]></content:encoded>
      <pubDate>Thu, 03 Apr 2008 10:53:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/urban wi-fi network">urban wi-fi network</category>
      <category domain="http://securityratty.com/tag/minnesota">minnesota</category>
      <category domain="http://securityratty.com/tag/mbps5 mbps">mbps5 mbps</category>
      <category domain="http://securityratty.com/tag/comcast offers">comcast offers</category>
      <category domain="http://securityratty.com/tag/stand">stand</category>
      <category domain="http://securityratty.com/tag/broadband">broadband</category>
      <category domain="http://securityratty.com/tag/minneapolis">minneapolis</category>
      <category domain="http://securityratty.com/tag/trends">trends</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <source url="http://wifinetnews.com/archives/008255.html">Mobile Post: Speeds Thrills in Minnesota</source>
    </item>
    <item>
      <title><![CDATA[Minneapolis Gets a Workout]]></title>
      <link>http://securityratty.com/article/7d13f5b043152be3e5ee3967da121971</link>
      <guid>http://securityratty.com/article/7d13f5b043152be3e5ee3967da121971</guid>
      <description><![CDATA[My pal Julio Ojeda-Zapata walks around Minneapolis, and is relatively pleased with its network: Julio writes for the St. Paul Pioneer Press, the twin city to Minneapolis, and one that hasn't yet...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" hspace="5" height="80" width="80" border="0" /><strong><a href="http://www.twincities.com/ci_8723709">My pal Julio Ojeda-Zapata walks around Minneapolis, and is relatively pleased with its network:</a></strong> Julio writes for the St. Paul Pioneer Press, the twin city to Minneapolis, and one that hasn't yet engaged in what was an explosion of requests for Wi-Fi networks by cities. He had a rocky start, unable to even get a splash screen, but ultimately was able to pay for a 24-hour pass ($10), and had consistent service on a laptop, albeit at half the 1 Mbps rate he was paying for. He couldn't get an iPod touch (Apple's iPhone without the phone Wi-Fi iPod) to work well on the network indoors, but had better luck outside.</p>

<p>The same day Julio's article appeared, his colleague Leslie Brooks Suzukamo <strong><a href="http://www.twincities.com/ci_8722271">filed an article about the challenges of leaves</a></strong>, something that's a big issue in Minneapolis, covered with the leafy menaces: 200,000 of the suckers that Gipper said caused pollution (as an allergy sufferer, I agree with him). Trees leaf out and reduce signal propagation, and that's something that US Internet Wireless has had to deal with. They upped their density of nodes from 26 to 42, which appears to be about the norm for both starting and ending points in muni network planning.</p>

<p>This article goes into a little more depth about the problems with dead areas due to absent or problematic utility poles (it's always about the poles). USIW plans to install some of its own poles to fill in those areas. </p>

<p>Nearby, Steve Alexander notes a pioneering wireless network at the University of Minnesota has become obsolete. The U of M is <strong><a href="http://www.startribune.com/business/17070581.html">replacing its 7-year-old 802.11b network with an 802.11n system</a></strong>. As is true in most older networks, they've got a melange of gear that's a headache to keep running and in sync. They'll spend $3.5m to cover about 40 percent of the campus with N, replacing a current similar coverage area. They may expand the network and add VoIP in the future.</p>

<p>The university and USIW are discussing interconnecting their networks for roaming.</p>]]></content:encoded>
      <pubDate>Sat, 29 Mar 2008 14:19:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network indoors">network indoors</category>
      <category domain="http://securityratty.com/tag/minneapolis">minneapolis</category>
      <category domain="http://securityratty.com/tag/wireless network">wireless network</category>
      <category domain="http://securityratty.com/tag/poles">poles</category>
      <category domain="http://securityratty.com/tag/problematic utility poles">problematic utility poles</category>
      <category domain="http://securityratty.com/tag/11b network">11b network</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/wi-fi networks">wi-fi networks</category>
      <source url="http://wifinetnews.com/archives/008242.html">Minneapolis Gets a Workout</source>
    </item>
    <item>
      <title><![CDATA[Art and science: Bruce Schneier shares security ideas at museum]]></title>
      <link>http://securityratty.com/article/cc32117f82b714895615cee1ad42171a</link>
      <guid>http://securityratty.com/article/cc32117f82b714895615cee1ad42171a</guid>
      <description><![CDATA[Bruce Schneier shared his ideas about the psychology of security, and the need for thinking sensibly about security, in his hometown Wednesday night when he gave a lecture at the Weisman Art Museum on...]]></description>
      <content:encoded><![CDATA[Bruce Schneier shared his ideas about the psychology of security, and the need for thinking sensibly about security, in his hometown Wednesday night when he gave a lecture at the Weisman Art Museum on the campus of the University of Minnesota.]]></content:encoded>
      <pubDate>Thu, 27 Mar 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bruce schneier">bruce schneier</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/hometown wednesday night">hometown wednesday night</category>
      <category domain="http://securityratty.com/tag/weisman art museum">weisman art museum</category>
      <category domain="http://securityratty.com/tag/ideas">ideas</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/minnesota">minnesota</category>
      <category domain="http://securityratty.com/tag/lecture">lecture</category>
      <category domain="http://securityratty.com/tag/sensibly">sensibly</category>
      <source url="http://www.networkworld.com/news/2008/032808-schneier.html?fsrc=rss-security">Art and science: Bruce Schneier shares security ideas at museum</source>
    </item>
    <item>
      <title><![CDATA[Visa and Mastercard warn of breach at "major retailer"]]></title>
      <link>http://securityratty.com/article/5c269d25b7779cbedb25695fe68fb0be</link>
      <guid>http://securityratty.com/article/5c269d25b7779cbedb25695fe68fb0be</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/17/08

Organization
unnamed &quot;major retailer

Update pending as details become available

Contractor/Consultant/Branch
Unknown

Victims
consumers in...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/mba.jpg" align="right" height="36" width="203"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/17/08<br><br><span style="font-weight: bold;">Organization: </span><br>unnamed "major retailer"*<br><br><font size="1">*Update pending as details become available</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unknown<br><br><span style="font-weight: bold;">Victims:</span><br>"consumers in Massachusetts and northern New England states"<br><br><span style="font-weight: bold;">Number Affected:</span><br>"MBA estimates that hundreds of thousands"**<br><br><font size="1">**MBA is the <a href="http://www.massbankers.com">Massachusetts Bankers Association</a> which represents approximately 200 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>Credit card information<br><br><span style="font-weight: bold;">Breach Description:</span><br>"BOSTON, March 17, 2008 – The Massachusetts Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="https://www.massbankers.org/pdfs/DataBreachNR.pdf">Massachusetts Bankers Association press release</a> <br><a href="http://money.cnn.com/2008/03/17/news/companies/Retail_breach.ap/index.htm?section=money_latest">CNN Money</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Massachusetts Bankers Association<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>MASSACHUSETTS BANKERS ASSOCIATION ALERTS CONSUMERS ABOUT ANOTHER RETAIL DATA BREACH<br><br>BOSTON, March 17, 2008 – The Massachusetts 
Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”<br><span style="font-style: italic;">[Evan] Who the "major retailer" is could be anyone's guess.</span><br><br>The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and it is urging consumers to monitor their accounts.<br><span style="font-style: italic;">[Evan] Ugh.&nbsp; A "major breach" at a "major retailer", which will probably lead to a "major lawsuit" from which lawyers will make "major money".</span><br><br>The retailer has not been named by the card companies and the bankers association wants customers to know that this was not a problem caused by banks.<br><br>The data breach is reported to have occurred between Dec. 7, 2007 and March 10, 2008.<br><span style="font-style: italic;">[Evan] Holy cow that's a long time!&nbsp; The breach itself took place for three months and took that long to detect?&nbsp; Assuming the "major retailer" report is true, just think about how many credit card transactions must have taken place.&nbsp; Chances are good that the retailer never noticed the breach and only became aware after a slew of fraudulent charges were reported by consumers.</span><br><br>The MBA said that each bank that received an alert from the card companies will make its own decision whether or not to issue new cards or to monitor the accounts for the time being. In either case, customers need not worry and can protect themselves by monitoring their accounts.<br><span style="font-style: italic;">[Evan] Customers will still worry.</span><br><br>“With lack of specificity at this point, or even when the name of the retailer becomes public, customers do not need to call their bank,” said Forte (Daniel J. 
Forte, president and CEO of the MBA)<br><span style="font-style: italic;">[Evan] Customers will still call their bank</span><br><br>“If cards are to be replaced, consumers will be notified by their bank. In the event that fraud does occur due to a data breach, even though our banks did not cause this breach, the banks will hold each customer harmless, refunding any lost money.”<br><br>Visa and MasterCard, according to their own policy, have not released the name of the company responsible for the data breach, reporting to the affected banks only that it was “a major retailer.”<br><br>The MBA has been in discussions with the card companies as well as pursuing legislative remedies that would change card company rules and require release of the name of the offending retailer, as well as place liability for the costs associated with a breach with the retailer.<br><span style="font-style: italic;">[Evan] Seems to me that a law like this passed last year in Minnesota.</span><br><br>“Releasing the name of the retailer would make all of our lives easier and safer,” said Forte. “Customers who didn’t shop there would be put at ease, and banks could do more efficient investigations to better protect customers. It is an important issue and one that we are vigorously pursuing.”<br><span style="font-style: italic;">[Evan] Absolutely!&nbsp; I completely agree with Mr. 
Forte.&nbsp; I do not understand how disclosing the retailer would affect a criminal investigation, and I disagree with Visa's and MasterCard's crock policy that serves no interest to the consumer.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>This will be "major news" when the retailer becomes known.&nbsp; It is not even known whether this breach affects only Massachusetts and New England consumers.&nbsp; MBA did the prudent thing by issuing a press release.&nbsp; Stay tuned.<br><br>I am interested in reading more details.&nbsp; From an information security perspective, I probably won't like what I read. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br>
]]></content:encoded>
      <pubDate>Mon, 17 Mar 2008 12:27:42 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/retail data breach">retail data breach</category>
      <category domain="http://securityratty.com/tag/major retailer">major retailer</category>
      <category domain="http://securityratty.com/tag/retailer">retailer</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/major breach">major breach</category>
      <category domain="http://securityratty.com/tag/data breach">data breach</category>
      <source url="http://breachblog.com/2008/03/17/mba.aspx">Visa and Mastercard warn of breach at "major retailer"</source>
    </item>
    <item>
      <title><![CDATA[More High Profile Sites IFRAME Injected]]></title>
      <link>http://securityratty.com/article/97c88216eb87a2fbc044f1786b1d6ce8</link>
      <guid>http://securityratty.com/article/97c88216eb87a2fbc044f1786b1d6ce8</guid>
      <description><![CDATA[The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the...]]></description>
      <content:encoded><![CDATA[<a href="http://bp1.blogger.com/_wICHhTiQmrA/R9fVaE-0GFI/AAAAAAAABdo/lBbPf6NfozM/s1600-h/iframe_injection_CSO.jpg"><img id="BLOGGER_PHOTO_ID_5176840940676192338" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp1.blogger.com/_wICHhTiQmrA/R9fVaE-0GFI/AAAAAAAABdo/lBbPf6NfozM/s200/iframe_injection_CSO.jpg" border="0" /></a>The <a href="http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html">ongoing monitoring</a> of this <a href="http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html">campaign reveals</a> that <a href="http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html">the group</a> is continuing <a href="http://ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.html">to expand</a> the campaign, <a href="http://ddanchev.blogspot.com/2008/03/injecting-iframes-by-abusing-input.html">introducing over</a> a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case <strong>radt.info</strong>, where a new malware variant of Zlob is attempting to install through an ActiveX object. 
These are the high-profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFRAME-injected pages within their search engines:<br /><div><br />NCSU Libraries - <span style="font-weight: bold;">lib.ncsu.edu</span> - 372,000 pages<br />FullDownloads.us - <span style="font-weight: bold;">fulldownloads.us</span> - 13,000 pages<br />Central Statistics Office Ireland - <span style="font-weight: bold;">cso.ie</span> - 10,300 pages<br />DBLife Frontpage - <span style="font-weight: bold;">dblife.cs.wisc.edu</span> - 1,130 pages<br />School of Mathematics and Statistics - <span style="font-weight: bold;">www-history.mcs.st-andrews.ac.uk</span> - 1,040 pages<br />eHawaii Portal - <span style="font-weight: bold;">ehawaii.gov</span> - 992 pages<br />The World Clock - <span style="font-weight: bold;">timeanddate.com</span> - 944 pages<br />Boise State University - <span style="font-weight: bold;">boisestate.edu</span> - 471 pages<br />The U.S. Administration on Aging (AoA) - <span style="font-weight: bold;">aoa.gov</span> - 425 pages<br />Gustavus Adolphus College - <span style="font-weight: bold;">gustavus.edu</span> - 312 pages<br />Internet Archive - <span style="font-weight: bold;">archive.org</span> - 261 pages<br />Stanford Business School Alumni Association - <span style="font-weight: bold;">gsbapps.stanford.edu</span> - 157 pages<br />BushTorrent - <span style="font-weight: bold;">bushtorrent.com</span> - 147 pages<br />ChildCareExchange - <span style="font-weight: bold;">ccie.com</span> - 131 pages<br />The University of Vermont - <span style="font-weight: bold;">uvm.edu</span> - 120 pages<br />Hippodrome State Theatre - Gainesville, FL - <span style="font-weight: bold;">thehipp.org</span> - 112 pages<br />Minnesota State University Mankato - <span style="font-weight: bold;">mnsu.edu</span> - 94 pages<br />The California Majority Report - <span style="font-weight: bold;">camajorityreport.com</span> - 16 pages<br />Medicare.gov 
- <span style="font-weight: bold;">medicare.gov</span> - 12 pages<br />USAMRIID - <span style="font-weight: bold;">usamriid.army.mil</span> - 3 pages<br /><br /><a href="http://bp2.blogger.com/_wICHhTiQmrA/R9fZaU-0GGI/AAAAAAAABdw/gAd8mQtOdtM/s1600-h/iframe_injection_ncsu.jpg"><img id="BLOGGER_PHOTO_ID_5176845343017670754" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp2.blogger.com/_wICHhTiQmrA/R9fZaU-0GGI/AAAAAAAABdw/gAd8mQtOdtM/s200/iframe_injection_ncsu.jpg" border="0" /></a>This sample of the newly introduced .info domains resides on the same netblock as the previous ones - <strong>75.125.181.0/255</strong> - a KISS strategy making it easier to respond to this incident. Best of all, they further expand the campaign since they're injected in plain text, next to JavaScript-obfuscated, this time embedded, malware.<br /><br /><div> </div><br /><div>Each of these is loading a secondary domain, which is then taking us to two more before finally reaching the Zlob variant. In this case it's <strong>radt.info </strong><strong style="font-weight: normal;">(75.125.208.243)</strong> with several campaigns currently up and running, pointing to the same fake codec. The sample redirects upon visiting these are as follows:<br /></div><div> </div><strong><br />seivomerutam.info/Free-Paris-Hilton-Nude-Pics/<br /></strong><strong>seivomerutam.info/spam/</strong><br /><div> </div><br />all of which ultimately redirect to:<br /><div> </div><strong><br />porn-popular.com</strong> (64.28.185.78), where the Zlob variant, in the form of a fake codec, is downloaded from <strong>democodec.com/download/ democodec1292.exe</strong> (64.28.184.168) via an ActiveX object.<br /><br /><div> </div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wICHhTiQmrA/R9fem0-0GHI/AAAAAAAABd4/HHD-sHBpx_k/s1600-h/iframe_input_validation_active_X.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wICHhTiQmrA/R9fem0-0GHI/AAAAAAAABd4/HHD-sHBpx_k/s200/iframe_input_validation_active_X.jpg" alt="" id="BLOGGER_PHOTO_ID_5176851055324174450" border="0" /></a><strong>Scanner results</strong> : 22% Scanner(8/36) found malware!<br /><div>File Name : democodec1292.exe</div><strong>File Size</strong> : 74823 byte<br /><div><strong>MD5</strong> : 30965fdbd893990dd24abda2285d9edc</div><strong>SHA1</strong> : 53eacbb9cdf42394bd455d9bd2275f05730332f7<br /><div>Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx</div><br /><div> </div>It gets even 
more interesting as according to <a href="http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651">Computer Associates</a> :<br /><div> </div><br /><div>"<em>This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. <span style="font-weight: bold;">This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121.</span> If you use a static IP address, CA AntiSpyware will set your DNS server to 198.6.1.1 to prevent your DNS queries from continuing to go through the rogue DNS servers. Please change your DNS server to the DNS server provided by your IP or Network Administrator.</em>"</div><div> </div><br /><div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wICHhTiQmrA/R9ffVU-0GII/AAAAAAAABeA/Ghf8PbhPtqI/s1600-h/zlob_variant_codec_IFRAME.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_wICHhTiQmrA/R9ffVU-0GII/AAAAAAAABeA/Ghf8PbhPtqI/s200/zlob_variant_codec_IFRAME.jpg" alt="" id="BLOGGER_PHOTO_ID_5176851854188091522" border="0" /></a>What this means is that <a href="http://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html">known Russian Business Network netblocks</a> are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large-scale pharming attack by infecting the weakest link, the end user, from the perspective of using rogue DNS servers, a much more effective but noisy approach.</div><br /><div> </div>To sum up - it's a mess that I'll continue trying to structure, and it's a single group exploiting input validation capability within the sites' search engines we're talking about. 
This segmented targeting of sites with high page ranks, combined with their persistence, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites acting as the redirectors to the malware locations.</div>]]></content:encoded>
      <pubDate>Wed, 12 Mar 2008 06:49:36 +0000</pubDate>
      <category domain="http://securityratty.com/tag/info">info</category>
      <category domain="http://securityratty.com/tag/info txmwxb">info txmwxb</category>
      <category domain="http://securityratty.com/tag/info kbsxet">info kbsxet</category>
      <category domain="http://securityratty.com/tag/info bhrsaa">info bhrsaa</category>
      <category domain="http://securityratty.com/tag/info sezejc">info sezejc</category>
      <category domain="http://securityratty.com/tag/info cgjttz">info cgjttz</category>
      <category domain="http://securityratty.com/tag/info wmtwes">info wmtwes</category>
      <category domain="http://securityratty.com/tag/info cqqxkh">info cqqxkh</category>
      <category domain="http://securityratty.com/tag/info qwhhxq">info qwhhxq</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/250167533/more-high-profile-sites-iframe-injected.html">More High Profile Sites IFRAME Injected</source>
    </item>
  </channel>
</rss>
