<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: oversee]]></title>
    <link>http://securityratty.com/tag/oversee</link>
    <description></description>
    <pubDate>Wed, 26 Dec 2007 13:14:25 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Colorado Division of Motor Vehicles cited in audit report]]></title>
      <link>http://securityratty.com/article/dbed3997c39ebff2c2a793a72849fb6e</link>
      <guid>http://securityratty.com/article/dbed3997c39ebff2c2a793a72849fb6e</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/9/08

Organization
State of Colorado

Contractor/Consultant/Branch
Department of Revenue
Division of Motor Vehicles

Victims
Residents

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/coloradodmv.jpg" width="200" align="right" height="101"><font size="2"><strong>Date Reported: </strong><br>7/9/08<br><br><strong>Organization: </strong><br><a href="http://www.colorado.gov/">State of Colorado</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.revenue.state.co.us/main/home.asp">Department of Revenue</a> <br><a href="http://www.revenue.state.co.us/mv_dir/home.asp">Division of Motor Vehicles</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Residents<br><br><span style="font-weight: bold;">Number Affected:</span><br>~3,400,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, dates of birth and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://origin.denverpost.com/headlines/ci_9822063">The Denver Post</a> <br><a href="http://www.leg.state.co.us/OSA/coauditor1.nsf/All/2732807492E26F3387257464005FCB5D/$FILE/1912%20DriverLicense%20Perf%20May%202008.pdf">Report of The State Auditor, Driver's License and Identification (ID) Card Security</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Jessica Fender, The Denver Post - Brought to the attention of The Breach Blog by an informed reader.<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.<br><br>The DMV regularly sends large 
batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.<br><em>[Evan] The audit report is <a href="http://www.leg.state.co.us/OSA/coauditor1.nsf/All/2732807492E26F3387257464005FCB5D/$FILE/1912%20DriverLicense%20Perf%20May%202008.pdf">here</a>.</em><br><br>At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure<br><br>Revenue Department leaders who oversee the division say they are working to hire internal watchdogs and build up their technological defenses.<br><span style="font-style: italic;">[Evan] This is putting the cart before the horse.&nbsp; After reading some of the audit results it is clear to me that there is no information security strategy, no effective information security management, and no formal information security program.&nbsp; These administrative issues need to be addressed well before "technological defenses" should be.&nbsp; Addressing "technological defenses" first is often times wasteful and disjointed.</span><br><br>But the state, facing a budget shortfall, will have no additional money in the foreseeable future for new computer systems.<br><span style="font-style: italic;">[Evan] Then get creative!&nbsp; No or little money is a poor excuse for not doing the right thing.&nbsp; Many times, we find that an organization actually saves money through effective information security management.&nbsp; Fix the administrative issues and formalize the information security program first.&nbsp; I don't know much about the Colorado state government, but I do know that other state governments are wasteful and disorganized.&nbsp; Information security, when aligned with organizational goals and objectives (not IT) can help organize and cut waste.</span><br><br>Cyber security alone is a $1.5 million problem that will be tough to solve, said Roxy Huber, 
Revenue Department executive director.<br><span style="font-style: italic;">[Evan] I wonder where the $1.5 million dollar figure comes from.&nbsp; We can secure a heckuva lot of infrastructure (and information) with that kind of money.&nbsp; I get a kick out of "Cyber security".</span><br><br>"To tell you that I'm going to have the tools to do what I need to do, I don't know where they're going to come from," Huber said. "But we will continue to do the best with the tools that we have."<br><span style="font-style: italic;">[Evan] Where do I start with this comment?&nbsp; The first tool to use is the one between your ears.</span><br><br>Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.<br><span style="font-style: italic;">[Evan] This should tell you something!&nbsp; It is even more troubling if your own state government contributes to the problem.</span><br><br>On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007<br><br>Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," <br><span style="font-style: italic;">[Evan] Yeah, ya think?</span><br><br>No one person is responsible for security<br><span style="font-style: italic;">[Evan] Or is it no one is responsible for security?</span><br><br>High turnover - 60 percent of entry-level workers leave during their first year - and low, $26,280-a-year starting salaries make fraud more attractive and management more difficult, DMV officials said.<br><span style="font-style: italic;">[Evan] This is another problem that contributes significantly to the risk.</span><br><br>While employees have been caught issuing hundreds of fraudulent licenses, there are no known instances of identity theft or information security breaches, said Department of Revenue spokesman Mark Couch.<br><span style="font-style: italic;">[Evan] Come on.&nbsp; Not that we 
know of anyway.&nbsp; Don't you think that the risk is much higher if a person has already demonstrated that he/she is willing to step over the line?</span><br><br>"It's not like we have a completely defenseless system," Couch said. The audit "says that we need to take more steps."<br><span style="font-style: italic;">[Evan] Not completely defenseless, but like protecting a bicycle with a rope.</span><br><br>"Without the appropriate resources, there's no way we can hold you accountable for doing some of the things you're expected to do," said Sen. Nancy Spence, R-Centennial.<br><span style="font-style: italic;">[Evan] This kind of talk does not help the cause and does little to serve constituents.&nbsp; I am not close to this issue, but so many of the things I have read about this breach point to mismanagement more than a lack of appropriate resources.</span><br><br>Some problems already have been fixed.<br><br>The 33 former employees with database access immediately had their passwords deactivated once auditors identified them, and the DMV now compiles monthly lists of departed workers to prevent future lapses<br><br>The division has a long-standing policy of redacting the last four digits of Social Security numbers before they're transmitted, and the division plans to encrypt all transmitted information by June 2009. 
<br><span style="font-style: italic;">[Evan] What?&nbsp; A year?&nbsp; This exposure is now public knowledge and will continue for a year?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Due to the fact that I was a little more critical in my comments above, I should express that these are my opinions and beliefs based on my experiences and knowledge.&nbsp; Take the comments for what they are worth.<br><br>It seems like there is a lot of work that needs to be done at the Colorado Department of Revenue and Division of Motor Vehicles.&nbsp; The work must start at the top.&nbsp; Somebody needs to step up and fill the role as the "person responsible for security". <br><br><span style="font-weight: bold;">Past Breaches:</span><br><span style="font-weight: bold;">State of Colorado:</span><br>April, 2008 - <a href="http://breachblog.com/2008/04/30/collegeinvest.aspx">CollegeInvest external hard drive goes missing </a><br></font><br><br>
]]></content:encoded>
      <pubDate>Fri, 11 Jul 2008 05:18:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information security breaches">information security breaches</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/information security strategy">information security strategy</category>
      <category domain="http://securityratty.com/tag/information security program">information security program</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/cyber security">cyber security</category>
      <source url="http://breachblog.com/2008/07/11/coloradodmv.aspx">Colorado Division of Motor Vehicles cited in audit report</source>
    </item>
    <item>
      <title><![CDATA[NSA Monitoring U.S. Government Internet Traffic]]></title>
      <link>http://securityratty.com/article/4c99e3c25ea9be5bac7d3e8f5f29e803</link>
      <guid>http://securityratty.com/article/4c99e3c25ea9be5bac7d3e8f5f29e803</guid>
      <description><![CDATA[I have mixed feelings about this, but in general I think it is a good idea: President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to...]]></description>
      <content:encoded><![CDATA[<p>I have mixed feelings about <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html">this</a>, but in general I think it is a good idea:</p>

<blockquote><p>President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems.</p>

<p>The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored.</p>

<p>[...]</p>

<p>The classified joint directive, signed Jan. 8 and called the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, has not been previously disclosed. Plans to expand the NSA's role in cyber-security were reported in the Baltimore Sun in September.</p>

<p>According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget.</p>

<p>[...]</p>

<p>Under the initiative, the NSA, CIA and the FBI's Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said.</p>

<p>The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry's, sources said.</p>

<p>Also, as part of its attempt to defend government computer systems, the Department of Homeland Security will collect and monitor data on intrusions, deploy technologies for preventing attacks and encrypt data. It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks.</p></blockquote>

<p>My concern is that the NSA is doing the monitoring.  I simply don't like them monitoring domestic traffic, even domestic government traffic.</p>]]></content:encoded>
      <pubDate>Mon, 04 Feb 2008 03:30:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/nsa">nsa</category>
      <category domain="http://securityratty.com/tag/detect attacks">detect attacks</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/domestic government traffic">domestic government traffic</category>
      <category domain="http://securityratty.com/tag/plan attacks">plan attacks</category>
      <category domain="http://securityratty.com/tag/white house officials">white house officials</category>
      <category domain="http://securityratty.com/tag/white house">white house</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://www.schneier.com/blog/archives/2008/02/nsa_monitoring.html">NSA Monitoring U.S. Government Internet Traffic</source>
    </item>
    <item>
      <title><![CDATA[Who says Politics doesn't pay and why can't I find clients with pockets this deep?]]></title>
      <link>http://securityratty.com/article/72ce20f130c78da874e849da0a3491a9</link>
      <guid>http://securityratty.com/article/72ce20f130c78da874e849da0a3491a9</guid>
      <description><![CDATA[I have never drunk the political Kool-Aid. I have little faith in big party politics. Give me an independent politician who does not have to toe a party line and I'll show you a politician who has half...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_1UFxC-OgSnA/R5UUuLmhiBI/AAAAAAAAADc/ODAIe-i9zzE/s1600-h/Fotolia_3032426_S.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_1UFxC-OgSnA/R5UUuLmhiBI/AAAAAAAAADc/ODAIe-i9zzE/s320/Fotolia_3032426_S.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5158051731843680274" /></a><br />I have never drunk the political Kool-Aid.  I have little faith in big party politics.  Give me an independent politician who does not have to toe a party line and I'll show you a politician who has half a chance of being a decent advocate of the people.<br /><span id="fullpost"><br />I think one of the greatest wrongs that politicians commit is in their thinking of voters as idiots.  I use the Washington Post article of 1/17/08 as a prime example.  Staff writer Carrie Johnson writes in the Business section that GAO investigators will look into "NO-BID Contracts" irregularities involving the Justice Department.<br /><br />This all came about when a firm led by the former Attorney General, John D. Ashcroft, drew attention for receiving lucrative (more like outrageous) contracts to oversee companies accused of fraud and other wrongdoings.  One firm in particular, Zimmer (famous for their "Zimmer Frames"), agreed to pay Mr. Ashcroft's firm between $28 and $52 million dollars to resolve kickback allegations.<br /><br />Two questions spring to mind: 1) How much was the original "kickback" amount when they can now afford to pay out $28,000,000.00 to $52,000,000.00? and 2) Does the receiving of (as much as) $52 million dollars by a former high ranking politician from a company with its back up against a wall not sound like a "kickback" in and of itself?<br /><br />What does Mr. Ashcroft's firm deliver as a result of this outlandish payment?  Well, as a "monitor", they will make sure that Zimmer stops making illicit payments to doctors for using Zimmer products.
There's got to be more than that, surely?  Kind of.  Ashcroft said that he has already made several trips to Indiana to "understand Zimmer's troubles."  Several trips to Indiana for $52 million dollars?  Did they buy their own luxury jet just for those trips?<br /><br />Private investigation firms all across America conduct similar services on a daily basis, only for a mere fraction of what Zimmer has paid to this former Government official.  As a private security business owner I can attest to the fact that a typical investigation company would be delighted and thrilled to receive 2% - 3% of this amount and in so doing would employ highly skilled investigators with backgrounds and certifications such as Certified Fraud Examiner in the FBI, United Nations and other Govt. and corporate investigative agencies.<br /><br />You can be sure that Mr. Ashcroft is not the only former government official riding the gravy train.  The article states that several other former government officials with ties to the Bush administration have been awarded similar contracts since 2001.<br /><br /></span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 18:10:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/zimmer">zimmer</category>
      <category domain="http://securityratty.com/tag/zimmer products">zimmer products</category>
      <category domain="http://securityratty.com/tag/zimmer frames">zimmer frames</category>
      <category domain="http://securityratty.com/tag/million dollars">million dollars</category>
      <category domain="http://securityratty.com/tag/firm">firm</category>
      <category domain="http://securityratty.com/tag/firm deliver">firm deliver</category>
      <category domain="http://securityratty.com/tag/zimmer stops">zimmer stops</category>
      <category domain="http://securityratty.com/tag/resolve kickback allegations">resolve kickback allegations</category>
      <category domain="http://securityratty.com/tag/contracts">contracts</category>
      <source url="http://www.thebulletproofblog.com/2008/01/who-says-politics-doesnt-pay-and-why.html">Who says Politics doesn't pay and why can't I find clients with pockets this deep?</source>
    </item>
    <item>
      <title><![CDATA[House committee issues report and finds fault with TSA web site]]></title>
      <link>http://securityratty.com/article/1365ead8771d4a0c8ff5da4a55363ea2</link>
      <guid>http://securityratty.com/article/1365ead8771d4a0c8ff5da4a55363ea2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
1/13/08

Organization
U.S. Government

Contractor/Consultant/Branch
Transportation Security Administration (TSA)
Desyne Web Services

Victims
Certain...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tsa.jpg" align="right" height="68" width="198"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>1/13/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.usa.gov/" target="_blank"> U.S. Government</a><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.tsa.gov/" target="_blank"> Transportation Security Administration (TSA)</a><br><a href="http://www.desyne.com/" target="_blank"> Desyne Web Services</a><br><br><span style="font-weight: bold;">Victims:</span><br>Certain people that used the TSA traveler redress website between October 6, 2006 and February 13, 2007.<br><br><span style="font-weight: bold;">Number Affected:</span><br>"thousands"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Name, Social Security number, birth date, birth place, sex, height, weight, hair color, eye color, address, and home and work telephone number.<br><br><span style="font-weight: bold;">Breach Description:</span><br>According to the January, 2008 United States House of Representatives Committee on Oversight and Government Reform report titled <span style="font-style: italic;">INFORMATION SECURITY BREACH AT TSA: THE TRAVELER REDRESS WEBSITE</span>;<br>"In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. 
These deficiencies exposed thousands of American travelers to potential identity theft."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://oversight.house.gov/documents/20080111092648.pdf" target="_blank"> The official Committee on Oversight and Government Reform report</a> <br><a href="http://www2.csoonline.com/blog_view.html?CID=33452" target="_blank"> The CSO Online Story</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The United States House of Representatives Committee on Oversight and Government Reform, and special credit to Chris "Boarding Pass Hacker" Soghoian.<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information.<br><em>[Evan] For those who don't know, Henry Waxman represents the 30th District of California in the House.</em><br><br>As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight. <br><br>The report finds: <br></font><br><ul><li><font size="2">TSA awarded the website contract without competition.</font> </li></ul><br>TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. 
According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”<br><br><ul><li>The TSA official in charge of the project was a former employee of the contractor.&nbsp;&nbsp;&nbsp;&nbsp; </li></ul><br>The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.<br><br><ul><li>TSA did not detect the website’s security weaknesses for months.&nbsp;&nbsp;&nbsp;&nbsp; </li></ul><br>The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.<br><br><ul><li>TSA did not provide sufficient oversight of the website and the contractor.&nbsp;&nbsp;&nbsp;&nbsp; </li></ul><br>The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.” <br><font size="2"><br>Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. 
TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a government-wide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA. <br><br>After conducting a detailed security accreditation review of the traveler redress website, TSA’s Chief Information Security Officer (CISO) granted the website a 12-month “Authority to Operate” in September 2006. The CISO did not detect a number of glaring security problems affecting the website when it went live on October 6, 2006.<br><span style="font-style: italic;">[Evan] The TSA CISO is </span><a style="font-style: italic;" href="http://www.publicsectorinstitute.net/ELetters/EGovernment/v5n2/CyberArticles.lsp#Trust" target="_blank"> Patti Titus</a><span style="font-style: italic;">.&nbsp; I don't know how these security issues could have been missed!</span><br><br>The security vulnerabilities of the website included the following: <br></font><ul><li><font size="2">The Site Was Not Hosted on a Government Domain.</font></li></ul><font size="2">Instead of being hosted on a government web domain (e.g., “tsa.gov”), the redress system was hosted on a commercial domain operated by the contractor (http://rms.desyne.com). When they left the government domain, visitors to the redress management site lost any assurance they were visiting a legitimate government website.<br><br></font><ul><li><font size="2">The Home Page Was Not Encrypted</font></li></ul><font size="2">The website home page did not have an encrypted “secure socket layer” (SSL) with an “https” protocol identifier. As a result, every time travelers visited the site to check on the status of their applications, the control numbers they entered to access their files were vulnerable to theft. 
Once they obtained these numbers, attackers would have access to travelers’ personal information.<br><br></font><ul><li><font size="2">The Submission Page Was Not Encrypted</font></li></ul><font size="2">One of the site’s links that allowed travelers to submit personal information was also unsecured. Although travelers could access an encrypted page to submit personal information, a link reading “file your application online” transferred users to an unsecured site. Travelers submitting their name, address, Social Security numbers, eye color, place of birth, and other sensitive personal information through this link had no protection from attack<br><br></font><ul><li><font size="2">Encrypted Pages Were Not Properly Certified</font></li></ul><font size="2">Although other web pages within the site were SSL-protected, they were not properly certified. Under standard web security practices, operators of SSL-protected websites obtain third-party certifications to assure users that an outside party has approved the web site’s security measures. Instead of the proper third-party certification, the site had only an expired certification that Desyne itself had generated.<br><br><span style="font-weight: bold;">Chris Soghoian's Comments:</span><br>"the appearance of the site was so poor that he first suspected it was a “phishing” site"<br><br>"Incredible that they would take the site live using a self-signed certificate. It shows major incompetence (elementary oversight should have caught this) and at Desyne, Inc. Someone is either too stupid or too cheap to purchase a real SSL certificate before putting up a site that asks for personal data. This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues."<br><br>After Mr. Soghoian posted his analysis of the security vulnerabilities affecting the traveler redress website, TSA moved quickly to transfer the site to a more secure Department of Homeland Security domain. 
<br><br>TSA also contacted the individuals who had submitted their personal information through the unsecured “file your application online” link to inform them that they were at a heightened risk of identity theft.<br><br>To date, TSA has awarded Desyne almost $500,000 worth of no-bid contracts to provide web services to TSA and DHS<br><span style="font-style: italic;">[Evan] $500,000!?&nbsp; As a taxpayer, I am miffed.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>The investigation and report by the House Committee on Oversight and Government Reform is excellent.&nbsp; A very good read.<br><br>Interesting, from the <a href="http://www.tsa.gov/research/privacy/faqs.shtm" target="_blank"> TSA Privacy FAQs</a>:<br><span style="font-weight: bold;">Question</span>: How can TSA ensure the security of personal information it collects?<br><br><span style="font-weight: bold;">Answer</span>: TSA takes a number of steps to ensure the security of personal information it collects about individuals.&nbsp; TSA’s Office of Privacy Policy &amp; Compliance collaborates with the Chief Information Security Office (CISO) to work with program offices during the design and implementation of systems to ensure compliance with the Federal Information Security Management Act (FISMA) and the Privacy Act, 5 U.S.C. §552a.&nbsp; In addition to design and implementation standards, the CISO ensures that the systems are secured against unauthorized use through the use of a layered, defense-in-depth security approach involving procedural and information security safeguards as mandated by FISMA following National Institute of Standards and Technology (NIST) guidance.<br><br>Am I missing something? <br><br><span style="font-weight: bold;">Past Breaches:</span><br>October, 2007 - <a href="http://breachblog.com/2007/10/18/tsa.aspx" target="_blank"> Stolen laptops contained sensitive TSA information</a></font><br><br>
]]></content:encoded>
      <pubDate>Tue, 15 Jan 2008 06:35:53 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tsa">tsa</category>
      <category domain="http://securityratty.com/tag/website">website</category>
      <category domain="http://securityratty.com/tag/website contract">website contract</category>
      <category domain="http://securityratty.com/tag/traveler redress website">traveler redress website</category>
      <category domain="http://securityratty.com/tag/tsa moved quickly">tsa moved quickly</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/information security breach">information security breach</category>
      <category domain="http://securityratty.com/tag/security vulnerabilities">security vulnerabilities</category>
      <category domain="http://securityratty.com/tag/multiple security vulnerabilities">multiple security vulnerabilities</category>
      <source url="http://breachblog.com/2008/01/15/tsa2.aspx">House committee issues report and finds fault with TSA web site</source>
    </item>
    <item>
      <title><![CDATA[Risky by association]]></title>
      <link>http://securityratty.com/article/aa23c1fb2c5a1e123395dd987271457a</link>
      <guid>http://securityratty.com/article/aa23c1fb2c5a1e123395dd987271457a</guid>
      <description><![CDATA[The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story. In this case, it was...]]></description>
      <content:encoded><![CDATA[<p class="MsoNormal" style="MARGIN: 0in 0in 0pt">The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story. In this case, it was the World Business Council for Sustainable Development’s article calling out Mattel’s <a href="http://www.wbcsd.org/plugins/DocSearch/details.asp?type=DocDet&amp;ObjectId=Mjc4NjA">“Epiphany at Christmas”</a>.</p>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt">The revelation: “If it's got your company's name on it, it's your problem.”</p>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt">At least, that’s according to the expert interviewed about taking responsibility when things go poorly. In reality, however, Mattel has received praise in the past for its <a href="http://www.thecro.com/node/454">responsible supply chain management</a> — this is not an epiphany.</p>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt">Still, the company is taking steps to demonstrate its ongoing commitment with a new quality checking system and a responsibility organization to oversee product quality, labor standards, and sustainability... moves that CEO Robert Eckert calls “evolutionary, not revolutionary.”</p>

<p class="MsoNormal" style="MARGIN: 0in 0in 1.5pt; mso-outline-level: 3">But the lesson is a good one. It’s not just about managing outsourcers... it’s making sure they manage their outsourcers, and so on down the complex chain. Whether it’s product safety, social responsibility, or information security issues, supply chain management is getting more in-depth, and necessarily so, as the number and potential impact of risks increase. For more on risk management with supply chain partners, check out <a href="http://www.forrester.com/Research/Document/0,7211,41884,00.html">Best Practices: Successfully Managing Security And Risk In A Global Supply Chain.</a></p>]]></content:encoded>
      <pubDate>Wed, 26 Dec 2007 13:14:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/responsibility">responsibility</category>
      <category domain="http://securityratty.com/tag/responsibility organization">responsibility organization</category>
      <category domain="http://securityratty.com/tag/oversee product quality">oversee product quality</category>
      <category domain="http://securityratty.com/tag/information security issues">information security issues</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/quality">quality</category>
      <category domain="http://securityratty.com/tag/supply chain partners">supply chain partners</category>
      <category domain="http://securityratty.com/tag/social responsibility">social responsibility</category>
      <category domain="http://securityratty.com/tag/epiphany">epiphany</category>
      <source url="http://blogs.forrester.com/srm/2007/12/risky-by-associ.html">Risky by association</source>
    </item>
  </channel>
</rss>
