[SecurityRatty] tag: reactionary

Schneier for TSA Administrator

Tue, 18 Nov 2008 10:46:24 +0000

It's been suggested. For the record, I don't want the job.

Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine.
[...]

And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed not to make us safer, but to make us feel safer by making it increasingly inconvenient to fly. TSA's approach to security is too reactionary -- too set on preventing attacks and attempted attacks that have already happened. And please, whatever you do, resist the temptation to let TSA workers unionize. Security from terror attacks should be a federal jobs program. You need the authority to fire underperforming screeners quickly and effortlessly. Three game-changing possibilities to head up TSA: security guru Bruce Schneier, Cato Institute security and technology scholar Jim Harper, or Ohio State University's John Mueller.

Although I'd be happy to see either Jim or John with it.

I don't want it because it's too narrow. I think the right thing for the government to do is to give the TSA a lot less money. I'd rather they defend against the broad threat of terrorism than focus on the narrow threat of airplane terrorism, and I'd rather they defend against the myriad of threats that face our society than focus on the singular threat of terrorism. But the head of the TSA can't have those opinions; he has to take the money he's given and perform the specific function he's assigned to perform. Not very much fun, really.

But I'd be happy to advise whoever Obama choses to head the TSA.

The job of the nation's CTO would be more interesting, but I don't think I want it, either. (Have you seen the screening process?)

Lost Bank of Ireland laptops affect roughly 10,000 customers

Tue, 22 Apr 2008 05:35:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/22/08

Organization:
Bank of Ireland

Contractor/Consultant/Branch:
Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght, and Montrose

Victims:
"customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:

Drogheda
Dunleer
Bagnelstown
Court Place Carlow
Stephens Green
Tallaght
Montrose"

Number Affected:
~10,000

Types of Data:
"names, addresses, bank account details and medical histories"

Breach Description:
"DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday."

Reference URL:
Bank of Ireland
The Associate Press via International Herald Tribune
Agence France-Presse via Inquirer.net

Report Credit:
Data Protection Commissioner, Billy Hawkes

Response:
From the online sources cited above:

DUBLIN, Ireland: Four laptops containing the personal details of 10,000 Bank of Ireland customers have been stolen, the bank confirmed Monday.

Ireland's second-largest bank made the admission after the chief regulator, Data Protection Commissioner Billy Hawkes, told Irish broadcasters RTE he had been informed of the lost customers' data only last Friday.

Bank of Ireland said the four laptops disappeared between June and October 2007 and contained the names, addresses, bank account details and medical histories of about 10,000 holders of the bank's life insurance policies.

Commenting on the delay in reporting the thefts to the regulatory authorities, managing director Brian Forester said internal procedures had not been followed.
[Evan] Policies and "internal procedures" aren't worth squat if they aren't communicated to all affected persons AND enforced.

"Unfortunately in this situation the procedures were not properly adhered to. The thefts, while they were reported to the Gardai [police], the situation wasn't escalated to the level of management it should have been, through a human error," he said.
[Evan] Yes, human error indeed. Humans run the bank, humans run the information security program (assuming one exists), and humans collect, create, store, access, distribute and destroy confidential information. This was more like "humans error", meaning more than one.

The bank said it had found "no evidence of fraudulent or suspicious activity on any of these accounts."

The four laptops all disappeared in Ireland, at least one of them from a bank worker's home.

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:

Drogheda
Dunleer
Bagnelstown
Court Place Carlow
Stephens Green
Tallaght
Montrose

Anybody who is not a customer of these branches is not affected by this incident.

The customers' personal data was not encrypted to prevent easy access.
[Evan] Should we be surprised?

The bank said it was beginning to encrypt customers' data on its remaining 5,000 laptops
[Evan] Reactionary information security is ineffective. Organizations working with confidential information need to be proactive in risk management and information security in order to be effective. Let's think this through for a second or two. Here we have a bank (or a bank-owned entity) that has many highly confidential records. The bank employs ~5,000 laptop computers and encourages a mobile workforce. Do you think that there is a good (more than 50/50) chance that some of the laptops may be used to work with highly confidential information? Do you think there is a good chance that one of these laptops may be lost or stolen? Obviously the answer to both questions is "yes". Why then are these laptops not adequately protected? Is this another "human error"?

had yet to inform any of the 10,000 customers that their personal details had been compromised.

Bank of Ireland will be writing to these customers in the coming days.

a help-line has been set up to handle any customer queries 1850 365 365 and select the Bank of Ireland Life option

This customer help-line will be open from 9.00am to 6.00pm Monday to Friday.

Bank of Ireland apologises to customers and is committed to moving as quickly as possible to allay the concerns of affected customers.

Ireland's Data Protection Commissioner Billy Hawkes said his office was investigating what he described as "serious" security lapses.
[Evan] Of course my purview is very limited, but I tend to agree that there are some serious information security gaps at The Bank of Ireland.

Commentary:
Baffling is the first word that comes to mind. Poorly protected confidential information and a poor incident response.

Past Breaches:
Unknown

Comparing Cybersecurity to Early 1800s Security on the High Seas

Wed, 16 Apr 2008 10:27:30 +0000

This article in CSO compares modern cybersecurity to open seas piracy in the early 1800s. After a bit of history, the article talks about current events:

In modern times, the nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas--the cyber seas. The Internet has the potential to significantly impact the United States' position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier.

This should be a surprise to no one.

What to do?

With that goal in mind, let us consider how the United States could take a Jeffersonian approach to the cyber threats faced by our economy. The first step would be for the United States to develop a consistent policy that articulates America's commitment to assuring the free navigation of the "cyber seas." Perhaps most critical to the success of that policy will be a future president's support for efforts that translate rhetoric to actions--developing initiatives to thwart cyber criminals, protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens' constitutional rights. Clearly articulated policy and consistent actions will assure a stable and predictable environment where electronic commerce can thrive, continuing to drive U.S. economic growth and avoiding the possibility of the U.S. becoming a cyber-colony subject to the whims of organized criminal efforts on the Internet.

I am reminded of comments comparing modern terrorism with piracy on the high seas.

Patrick Smith on Aviation Security

Fri, 11 Jan 2008 10:47:35 +0000

Excellent essay from The New York Times:

In the end, I'm not sure which is more troubling, the inanity of the existing regulations, or the average American's acceptance of them and willingness to be humiliated. These wasteful and tedious protocols have solidified into what appears to be indefinite policy, with little or no opposition. There ought to be a tide of protest rising up against this mania. Where is it? At its loudest, the voice of the traveling public is one of grumbled resignation. The op-ed pages are silent, the pundits have nothing meaningful to say.
The airlines, for their part, are in something of a bind. The willingness of our carriers to allow flying to become an increasingly unpleasant experience suggests a business sense of masochistic capitulation. On the other hand, imagine the outrage among security zealots should airlines be caught lobbying for what is perceived to be a dangerous abrogation of security and responsibility -- even if it's not. Carriers caught plenty of flack, almost all of it unfair, in the aftermath of September 11th. Understandably, they no longer want that liability.

As for Americans themselves, I suppose that it's less than realistic to expect street protests or airport sit-ins from citizen fliers, and maybe we shouldn't expect too much from a press and media that have had no trouble letting countless other injustices slip to the wayside. And rather than rethink our policies, the best we've come up with is a way to skirt them -- for a fee, naturally -- via schemes like Registered Traveler. Americans can now pay to have their personal information put on file just to avoid the hassle of airport security. As cynical as George Orwell ever was, I doubt he imagined the idea of citizens offering up money for their own subjugation.

How we got to this point is an interesting study in reactionary politics, fear-mongering and a disconcerting willingness of the American public to accept almost anything in the name of "security." Conned and frightened, our nation demands not actual security, but security spectacle. And although a reasonable percentage of passengers, along with most security experts, would concur such theater serves no useful purpose, there has been surprisingly little outrage. In that regard, maybe we've gotten exactly the system we deserve.

Stolen laptops affect 337,000 Davidson County voters

Sat, 29 Dec 2007 08:30:26 +0000

Technorati Tag: Security Breach

Date Reported:
12/28/07

Organization:
Davidson County Election Commission*

*Davidson County, Tennessee has an estimated population of 607,413. The county seat is Nashville.

Contractor/Consultant/Branch:
None

Victims:
Registered Davidson County voters

Number Affected:
337,000

Types of Data:
Names, Social Security numbers, addresses and telephone numbers.

Breach Description:
A pair of laptop computers containing sensitive personal information belonging to 337,000 registered Davidson County, Tennessee voters was stolen from the Davidson County Election Commission office during the Christmas break.

Reference URL:
WTVF News Channel 5 Story
WKRN Channel 2 News Story
Nashville Business Journal

Report Credit:
News Channel 5

Response:
From the online sources cited above:

A break-in at the Davidson County Election Office at 800 Second Ave. has jeopardized a large number of voters' personal data, according to Ray Barrett, election administrator.

It looks as though they used a rock to break their way in.
[Evan] A rock is all it took. There is no mention of any alarm system and it appears that nobody noticed until they came back to the office.

taken were two Dell Latitude laptops containing information of 337,000 registered Davidson County voters

"As we look deeper into determining the extent of loss that occurred during the holiday break-in, we now know that full social security numbers were included on the voter files contained on one or more of the stolen computers." said Ray Barrett.

"Initially, we thought that the only information was the same that the public can purchase when putting together mailing lists, we now know that was incorrect."

The Election Commission says it will formally notify the public by mail that their full Social Security numbers may be available to outside parties and is asking voters monitor their financial and personal accounts for any suspicious activity.

Barrett says he has asked Metro's information technology department to make immediate changes to safeguard against any future security problems.
[Evan] I wonder what these people will come up with. Not only "immediate changes", but also effective changes. There are likely numerous changes that could be suggested. It all starts with policy.

The Election Commission says it does not anticipate that the theft will cause any problems in the upcoming Tennessee presidential primary.

Commentary:
This is an example of typical reactionary information security. "Immediate changes" are made after the significant loss of confidential information. I assume that there is not a well written or communicated information security policy at Davidson County. If there is, it is obviously not well enforced or supported by procedural, administrative, or technical controls.

Why are the offices not physically secure? If a rock is all that is needed to break-in and go undetected for x number of days, then the offices were not physically secure.

Why is confidential information stored on mobile devices (laptop in this instance)? Confidential information should be stored, whenever possible in a secure (physically and logically), centralized location.

Why are mobile devices that access, process, store, create, or transmit confidential data not encrypted? This is a point that I have been trying to drill home for years. Some people get it, some people fear it, and some people are oblivious. The sad thing is that consumers don't know which category the organization is in. Until consumers demand more, business as usual.

Past Breaches:
Unknown

Halvar Flake Denied Entry to U.S. for Black Hat

Sun, 29 Jul 2007 08:39:01 +0000

Respected security researcher Halvar Flake has been denied entry to the United States for his presentation at Black Hat. It's all over some stupid technicality of the contract with Black Hat being with him personally and not his company. In the process of interrogating him over it the DHS actually asked why the training he's doing couldn't be performed by an American citizen. I'm speechless. Flake will now need to get a Business visa from the U.S. embassy, a process that can take a long time. Without going into specifics, this isn't the only story I've heard lately about the DHS stifling computer security research. Flake's problems seem to be the reactionary stupidity of some officials on the ground, whereas the others I've heard of were more political. In either event, the result is government at its worst.