[SecurityRatty] tag: orlando

Speaking of Security Podcast #129

Sun, 16 Nov 2008 21:00:00 +0000

Click to Download/Listen (07:52)

This week's Speaking of Security podcast features an on-the-scene report from the Gartner Identity and Access Management Summit, one of the key shows on the security event calendar. The Summit was held last week in Orlando, Florida.

North America Recap

Thu, 09 Oct 2008 20:00:00 +0000

I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.

"Catch Me, Yes YOU Can": Realized Threats at the Corner Store

Thu, 09 Oct 2008 20:00:00 +0000

just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.

Florida's Agency for Health Care Administration reports a breach

Wed, 09 Jul 2008 07:15:38 +0000

Technorati Tag: Security Breach

Date Reported:
7/7/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Health Care Administration

Victims:
registered organ donors

Number Affected:
"about 55,000"

Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."

Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel

Report Credit:
Sarasota Herald-Tribune

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

"We stopped all access to the database, identified the flaws and corrected them."
[Evan] This breach makes me wonder a couple of things. Is information security testing part of the development lifecycle and change control? I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.

The database includes donors' names, addresses, birth dates and driver license numbers.

The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose? A Code flaw, an administrative/process flaw, a configuration flaw?

AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging? Logging of the systems, processes, and people accessing confidential information is a must. Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).

The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean? It could mean that a flaw was detected on June 20, but could have been in existence for longer. It could mean that a vulnerability was actually exploited on June 20. I guess it really depends on your definition. I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.

"If you have not received a letter our logs note that your information was not affected by this security flaw."

A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call 866 757 0677. This number is open Monday through Friday from 8AM to 7PM Eastern.

Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".

Commentary:
Ugh! I am left with too many questions about this breach. On the surface, this breach doesn't look all that significant unless of course, you are a victim. When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA. With less detail, it is easier to imagine.

Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops

Security Thoughts from TechEd 2008

Thu, 26 Jun 2008 11:07:00 +0000

Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented at TechEd 2008 in Orlando the week of June 2^nd.

First up is Laura.

I have been a Security Program Manager for the last 3 years, working as a security advisor for a variety of products across Microsoft and the last seven months as a member of the SDL policy team.

It's been a few years since I've been to TechEd, and this was my first time attending as a member of the security team. TechEd is now a two week conference, with one week dedicated to developers and the other to IT professionals. I think that breaking down the conference into a Developer week and an ITPro week was a good idea, and it allowed us to have good conversations with people who wanted more information about the SDL. I did two main things at TechEd:, I presented on threat modeling, and I spent a lot of time talking to customers at the SDL booth. At the SDL booth, we heard questions ranging from "What does the SDL stand for?" to "Our Web site was hacked; how do I stop it from happening again?" It was encouraging hearing people interested to hear more specifics about how we implement the SDL at Microsoft, and thinking through how they can apply it in their own companies. My understanding from other TechEd veterans in our booth is that interest in the SDL seemed higher, which is great.

During my Threat Modeling session, , most of the feedback and follow-up questions were similar to the ones in the booth: how to expand the threat modeling processes to their own companies, and how to get started.

My typical response to both questions is to start small and do what makes sense for your organization. At Microsoft, for example, when we introduce new SDL requirements, we usually start with a few teams so we can refine the requirement and supporting tools before expanding the requirements to a broader group. Similarly, while we have a core set of requirements that all teams have to meet, there are other requirements that are specific to a platform, scenario, or functionality. For example, there are some requirements that make sense for desktop-oriented products, but do not make sense for mobile devices. You may very likely have to make changes to our policies to make them relevant to your organization, your scenarios, and functionality.

Now over to Michael.

Hi, Michael here.

One of the joys of presenting at TechEd each year is hearing from real people about the issues they face using our products in the real world; rarely are the issues pure philosophical security geekness. This year I gave two talks and one "chalk talk." The talks were "Top Ten Strategies
To Secure Your Code" and "How To Review Your Code
and Test For Security Bugs", and the chalk talk, which was a lot of fun, was simply answering numerous developer questions.

It's interesting to gauge overall security awareness from our customers, and there is no doubt that over the years, the level of security knowledge and maturity has risen. I think it's possible to evaluate overall security maturity by the questions posed. Some years ago, security was never really a topic of discussion other than those that relate to security technologies, such as how to use and manage X.509 certificates. About four years ago the tide really changed and people started asking more questions about "secure" application deployment and management, and developers wanted to learn more about securing their code; especially C and C++ code. Even then there was still a reliance on exterior defenses like firewalls. All too often I would hear people claim that they don't need to focus on securing their apps because a firewall was in the way. Heck, David and I documented this excuse in the original version of Writing Secure Code (Appendix D, "Lame Excuses We've Heard, #6, ‘We're Secure-we use a Firewall'") way back in 2002.

Fast forward to 2008.

Things have obviously changed. I don't know if finally the security message is getting through because many people asked me highly specific questions about securing their apps and how best to use the defenses we offer in Windows Vista and Windows Server 2008.

I still hear the firewall excuse a little, but not too much!

Perhaps the most telling trend I saw this year was a great deal of interest in the SDL. Not cursory, "that looks interesting" interest, but, "how can I implement this in my company" interest. After answering specific questions, I pointed most folks to Jeremy's "Crawling Toward SDL" post on the subject.

In my opinion, getting to a point where you want to change your development process shows you really understand there's an issue that needs fixing.

And that's goodness.

Fake Porn Sites Serving Malware

Wed, 25 Jun 2008 08:16:20 +0000

Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5¶meter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219
about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219
porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219

Associated fake porn sites :

pornbrake .com
sexnitro .net
brakesex .net
pornnitro .net
adultbookings .com
qazsex .com
lightporn .net
delfiporn .net
pornqaz .com
megazporn .com
uinsex .com
xerosex .com
serviceporn .com
aboutadultsex .com
superliveporn .com
bestpriceporn .com
contactporn .net
relatedporn .com
landporno .com
adultsper .com
plus-porn .com
adultstarworld .com
cutadult .com
moviexxxhotel .com
porno-go .com
pornxxxfilm .com
porn-sea .com
review-sex .com
sureadult .com
browseadult .com
network-adult .com
timeadult .com
virtual-sexy .net
funxxxporn .com
loweradult .com
adultfilmsite .com
xxxallvideo .com
custom-sex .com
gallerypictures .net
usaadultvideo .com
adultmovieplus .com
porn-cruise .com
clubxxxvideo .com
mitadult .com
galleryalbum .net
xxxteenfilm .com
hardcorevideosite .com
helpadult .com
portaladult .net
service-sex .com
driveadult .com
access-porno .com
time-sex .com
plus-adult .com
worldadultvideo .com
key-adult .com
estatesex .com
superadultfriend .com
superporncity .com
zero-porno .com
scanadult .com
adultsexpro .com
adultzoneworld .com
porntimeguide .com
usbestporn .com
adulttow .com
look-porn .com
galleryclick .net
micro-sex .com
estatesex .com
try-sex .com
0bucksforpornmovie .com
gays-video-xxx .com
hackthegrid .com
savetop .info
vidsplanet .net
freexxxhere .com
gestkoeporno .com
tv-adult .info
gays-adult-video .com
matures-video .com
analcekc .com
tabletskard .in
molodiedevki .com
dom-porno .com
pornoaziatki .com
latinosvideo .com
geiporno .com
sweetfreeporn .com

If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

University of Florida student information online for years

Thu, 12 Jun 2008 06:41:30 +0000

Technorati Tag: Security Breach

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been". The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low". As I understand, the server was publicly accessible, presumably via the internet. If so, was the site indexed by search engines like Google, Yahoo, and Microsoft? It is much easier to find information through a search index because folder structure is much less relevant. The fact that this information was available for 3-5 years adds to the risk too. I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation. Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations). Information security personnel (or admins) should be empowered to reconstruct events.

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately. Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well
[Evan] I have so many questions and arguments. Were the students aware of the risks? If not, then there is probably an information security training and awareness problem. Why was it necessary to include Social Security numbers in the records? Why were the seemingly untrained students allowed to post the information without being stopped or detected? I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised". If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised".

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years. Bad all around.

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online

The best way to get customer service? Blog or Twit them

Sat, 24 May 2008 03:44:15 +0000

I was reading an article in the Orlando Sentinel newspaper this morning (I know who reads newspapers anymore), about how so many companies are tracking unhappy customers by monitoring blogs and even twitter messages. It reminded me of a story that Chris Hoff had a while back about Southwest Airlines monitoring his Twitter message

The story in the Sentinel had two opposite corporate views on this. One was Comcast who quickly turned a negative blog post and experience into a positive one by reaching out to the customer and fixing their problem. The customer than ran an updated blog post to commend Comcast. Much the same way Hoff did in his post on Southwest. The polar opposite of this was Spirit Airlines, whose spokesperson according to the article said, "she wasn't concerned and that Spirit doesn't let blog posts affect its policies and procedures." Well a year later that article is still the number 3 search result on Google if you pull up Spirit Airlines. It has over a 1000 comments with many people saying they didn't fly Spirit as a result. I wonder if Spirit Airlines still feels the same way about not listening to blogs?

The article mentions a few other companies that monitor blogs and twitter and message boards. It also mentions a web site called getsatisfaction.com where over 3000 companies monitor to help consumers iron out customer service issues.

They always said the pen was mightier than the sword. In todays world maybe the keyboard is too.

Long holiday weekend

Fri, 23 May 2008 03:47:30 +0000

I am really looking forward to a long holiday weekend with the family. We are driving up to Orlando to stop in Disney World and SeaWorld. Going to check out the new water park they opened there called Aquatica. It has water rides unlike any we have ever seen. A day there and two days at Disney should have the kids in a great mood. Lets see what kind of mood it leaves me in. Waiting on long lines in the sweltering heat is not a lot of fun, plus I can only imagine what it is going to cost to fill up the gas tank to drive up there!

Anyway, won't be much blogging going on this weekend.

I'm the security guy. I used to have a security guy, but he died. Now I'm the security guy

Tue, 22 Apr 2008 20:47:27 +0000

While attending the SANS event in Orlando this week I had a chance to meet a fellow who works at a company that is a StillSecure customer. I had never met this particular guy before, so I asked him how long he had been working in security at the company. The answer I got reminded me of an old quote from the move "The Producers" -

-Who d'ya want? -I beg your pardon? -Who d'ya want? Nobody gets in the building unless I know who they want. I'm the concierge. My husband used to be the concierge, but he's dead. Now I'm the concierge.

This guy had worked at the company for a number of years in the network department. They had a "guy who did the security". He is the one that bought the StillSecure product. Evidently a while back the security guy left the company. It is not clear whether he quit or was asked to leave, but the bottom line is they had no security guy. Instead of hiring another security guy, they made this poor SOB the security guy. He inherited a bunch of security products including our own and a bunch of "open source stuff". This guy didn't even know where to begin.

After floundering around for a while, he made a smart move and signed up for some security training from SANS and is just beginning to realize how much he doesn't know. But it will still be some time before he is in a position to handle the security at his company, that by the way has SOX issues to deal with. I suggested that perhaps he look into some MSSP service to help him out. I am going to try and help this fellow out as much as I can, but he has a tall order.

How many others are out there in the same boat? How many people have had the security role thrust on them, without the training or expertise to make it happen. The greatest tools in the world, won't make up for this lack of skills and experience. Is it any wonder that we have a breach a day announced and our security seems to be in such disarray? We should let security be handled by security professionals or else we deserve what we get!