<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: rear]]></title>
    <link>http://securityratty.com/tag/rear</link>
    <description></description>
    <pubDate>Fri, 27 Jul 2007 03:00:39 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Chairman Tata Surprised by Tricky Terrorists]]></title>
      <link>http://securityratty.com/article/7b4520b092d5aedad18be187c5cd3069</link>
      <guid>http://securityratty.com/article/7b4520b092d5aedad18be187c5cd3069</guid>
      <description><![CDATA[Chairman Ratan Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the...]]></description>
      <content:encoded><![CDATA[Chairman Ratan Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN.  I would imagine that the Tata Group's PR people and General Counsel are scrambling at the moment trying to do as much damage control as possible. <br /><span id="fullpost"><br />The sad part of this unfolding story is the feeling one gets that the terrible loss of life at the hotel might have been prevented, or at least mitigated, had proper security measures been implemented and had the security that was in place prior to the attack not been removed.  <br /></span><br />One eyewitness who stayed at the hotel a week before the terrorist assault spoke about metal detectors and baggage being checked.  The same witness then went on to say that those security measures had been removed within the last week, allowing people to enter without being checked.<br /><br />The most surprising news to surface must be the Chairman's comments regarding the terrible event. Unbelievably, he actually said: "They knew what they were doing and they did not go through the front.  All of our arrangements were on the front entrance".<br /><br />Who is Tata's security advisor, a kitchen worker?  Actually, he might have been better off if that were the case since the terrorists entered the hotel through the rear kitchen door.  ANNOUNCEMENT TO ALL CHAIRMEN AND CEOs: Terrorists are Tricky.  That is their job.  They are watching your businesses and will do the opposite of what you expect.  <br /><br />In the case of the TAJ HOTEL, you made it easy for them.  Did nobody in Mumbai ever stop to think that a bad person can go through the back door?  
It is one thing for a cafe in a pedestrian area to be attacked as anyone can walk right by or walk through the front and open fire, but how can a major landmark that attracts Western visitors drop their security measures AFTER they have received terrorist alert warnings that the hotel may be the target of terrorist attacks?  <br /><br />I don't know if it was the case with the Taj Hotel, but cutting corners where security is concerned is commonplace in corporate culture.  Security is often seen as a necessary evil and usually the first department to experience budgetary cutbacks.  It is very difficult to convince some clients that nothing happening is really a good thing and that cutting out security may open the door to evil.<br /><br />This appears to have been the case with the Taj.  There is no doubt that the terrorists had conducted hundreds of hours of surveillance in and around Mumbai.  Was it a coincidence that the attack occurred the week after security measures had been removed?  What might have been the result if security had remained tight (if you could call watching the front entrance and disregarding the back as "tight security")?  Maybe the terrorists would have held back another month or two...maybe in that time they would have been detected...<br /><br />One thing is for certain, places like the Taj Hotel have to get serious about security.  Mr. Tata's claim that "If I look at what we had...it could not have stopped what took place" must be replaced by more progressive, proactive thinking.  If the Tata Group had spent an adequate amount of funding on ensuring that a strict security policy was in force - if only for the period in question - then they might not now be facing a 5 Billion Rupee reconstruction bill.  Who knows how high the civil suits against the Taj will run when compensation and punitive costs are calculated.
<br /><br />Kudos though to Chairman Tata for at least recognizing that the Indian authorities may not be able to handle the situation on their own.  "These attacks underscore the need for Law Enforcement to seek outside expertise for training, equipment and strategic operations", he said.<br /><br />We agree Mr. Tata.  We also hope that you will recognize the need for the Tata Group to seek similar outside expertise to assist you with your security planning and training.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Sun, 30 Nov 2008 22:29:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security measures">security measures</category>
      <category domain="http://securityratty.com/tag/proper security measures">proper security measures</category>
      <category domain="http://securityratty.com/tag/tata">tata</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security advisor">security advisor</category>
      <category domain="http://securityratty.com/tag/chairman tata">chairman tata</category>
      <category domain="http://securityratty.com/tag/chairman rata tata">chairman rata tata</category>
      <category domain="http://securityratty.com/tag/taj">taj</category>
      <category domain="http://securityratty.com/tag/taj hotel">taj hotel</category>
      <source url="http://www.thebulletproofblog.com/2008/11/chairman-tata-surprised-by-tricky.html">Chairman Tata Surprised by Tricky Terrorists</source>
    </item>
    <item>
      <title><![CDATA[Beware! $4 + a gallon is bringing out the thieves in our communities.]]></title>
      <link>http://securityratty.com/article/8bb1d3fd37e477eb37712dc88f797683</link>
      <guid>http://securityratty.com/article/8bb1d3fd37e477eb37712dc88f797683</guid>
      <description><![CDATA[We recently alerted our readers to watch out for copper piping, wiring and even art pieces that were being stolen by thieves looking to cash in on the rising price of copper. It was only a matter of...]]></description>
      <content:encoded><![CDATA[We recently alerted our readers to watch out for copper piping, wiring and even art pieces that were being stolen by thieves looking to cash in on the rising price of copper.  It was only a matter of time before the same thing happened to the fuel tanks on our vehicles.  <br /><br />Neil Cavuto ran a story on Fox's "Cavuto World" today about thieves who are even going so far as to drill into tanks in an effort to steal a vehicle's fuel. Gasoline, diesel and even greasy cooking oil are being stolen.  That's right - cooking oil. <br /><br />I first heard that old cooking oil could be used to run a car from my brother in Northern Ireland about four or five years ago.  There was very little start-up cost involved and being the owner of a restaurant, he had a ready supply of used oil.  He told me that at that time, people were converting their vehicles to run on the oil and were going around gathering up used oil from restaurants.  The owners of these establishments were thrilled since they previously had to pay to have the old oil removed.<br /><br />Apparently this recycling of cooking oil has become so popular that restaurants are now selling it - last I heard for about $1.50 a gallon.  Thieves have discovered its worth and are now draining the oil tanks located at the rear of restaurants.  The report went on to say that SUVs are especially being targeted as their size gives the thieves plenty of good cover.  The fact that their tanks are larger and contain more fuel is an added advantage for them.<br /><br />What can you do?  For starters, if your fuel cap is not lockable, replace it with one that can be locked.  If at all possible, keep your vehicle in a locked garage.  If that is not an option, park it in a well-lit area. 
Unfortunately, the higher the prices go at the pump, the more prevalent fuel thefts will become.]]></content:encoded>
      <pubDate>Sat, 31 May 2008 00:53:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/oil">oil</category>
      <category domain="http://securityratty.com/tag/oil tanks">oil tanks</category>
      <category domain="http://securityratty.com/tag/thieves">thieves</category>
      <category domain="http://securityratty.com/tag/fuel">fuel</category>
      <category domain="http://securityratty.com/tag/fuel cap">fuel cap</category>
      <category domain="http://securityratty.com/tag/tanks">tanks</category>
      <category domain="http://securityratty.com/tag/fuel tanks">fuel tanks</category>
      <category domain="http://securityratty.com/tag/fuel thefts">fuel thefts</category>
      <category domain="http://securityratty.com/tag/thieves plenty">thieves plenty</category>
      <source url="http://www.thebulletproofblog.com/2008/05/beware-4-gallon-is-bringing-out-thieves.html">Beware! $4 + a gallon is bringing out the thieves in our communities.</source>
    </item>
    <item>
      <title><![CDATA[BSDNews.com is hacked and user information is exposed]]></title>
      <link>http://securityratty.com/article/f933fe4ac705793824eb3c93ab71171c</link>
      <guid>http://securityratty.com/article/f933fe4ac705793824eb3c93ab71171c</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/24/08 (This report was postponed for 24 hours to allow for the site administrator to respond and notify affected people

Organization
Daemon News

At...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/BSDNews.jpg" align="right" height="76" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/24/08 (This report was postponed for 24 hours to allow for the site administrator to respond and notify affected people)<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.daemonnews.org">Daemon News</a>* <br><br><font size="1">*At the time of this writing, the Daemon News web site was not available.</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.bsdnews.com">BSDNews.com</a>** <br><br><font size="1">**At the time of this writing, the BSDNews.com web site was not available.</font><br><br><span style="font-weight: bold;">Victims:</span><br>BSDNews.com members<br><br><span style="font-weight: bold;">Number Affected:</span><br>5498<br><br><span style="font-weight: bold;">Types of Data:</span><br>Username, password, email address, and in some cases real names<br><br><span style="font-weight: bold;">Breach Description:</span><br>It appears that the BSDNews.com web site may have been compromised through an exploit of a file named "bottom.php3", which was used by the site.&nbsp; The attacker was able to access and download user account information.&nbsp; As of the time of this writing, BSDNews.com is offline.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.golden-warez.com/forum/viewtopic.php?p=391&amp;hilit=5498">Golden-Warez</a> <br><a href="http://indounderground.org/?p=55">Indonesia Underground Blog</a> <br><a href="http://www.elwood.net">Jim O'Gorman's Site</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>Brought to the attention of The Breach Blog by <a href="http://www.elwood.net">Jim O'Gorman</a> <br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br><img 
src="http://images.quickblogcast.com/95781-88451/bsdnewshack.jpg" border="0" width="600"><br><br>"Hi all, maybe some of you, saw that bsdnews.com is/was offline.<br><br>I hacked their database, with an exploit found by myself. <br>I tried to submit to milw0rm, but they dont accept exploits of .php3 .<br><br>bottom.php3 , this file was vulnerability.<br><br>LOL, ok.. But i have their user database.<br>I dont want to waste my time to check the hole thing..<br><br>first word is username, second word is password, third word is email adress. B<br>By some lines the password,email is NULL.<br><br>Do what you want to do with it..<br>Please, if u think i didnt hacked it, search forums/google , you dont find anything<br><br>THIS IS MY FIRST RELEASE HERE!<br><br>i kept everything as i got it&nbsp; so there can be info what is usefull<br><br>uploaded at my host"<i><br>[Evan] There is a link in this Golden-Warez post that leads to a compressed (.rar) file.&nbsp; In the RAR there are two text files that each contain ~1000 records.&nbsp; I don't generally suggest that people make it a habit to go to warez sites and download files.&nbsp; If you are going to anyway, then don't claim that I told you to.</i><br><br><img src="http://images.quickblogcast.com/95781-88451/bsdindonesia.jpg" border="0" width="403"><br><br><span style="font-weight: bold;">Commentary:</span><br>OK.&nbsp; Some of you may be asking the question, so what?&nbsp; The "hacker" only compromised usernames, email addresses and passwords allowing access to BSDNews.com, which doesn't store financial, health, or other personal information, right?&nbsp; Well, kind of.&nbsp; The problem is the fact that a password is itself confidential personal information.&nbsp; According to some estimates, as many as 70% of people use the same or similar password for access to multiple or all sites that they use.&nbsp; Take PayPal for instance.&nbsp; This breach compromised email addresses and passwords.&nbsp; If a person uses the same 
password at PayPal as they do at BSDNews.com, then a bad guy can easily access the PayPal account of the victim and wreak all kinds of havoc.&nbsp; This is the issue.&nbsp; Out of a claimed 5498 accounts, don't you think that there is a good chance that something like this will be the case with at least a few?<br><br>A couple of suggestions.&nbsp; If you are one of the people that uses a single (or similar) password to access multiple online accounts, change this habit.&nbsp; Use a different password for each account, especially the accounts that are sensitive like online banking, PayPal, etc.&nbsp; If managing all of these passwords becomes a pain in the rear, then use a password management program such as <a href="http://passwordsafe.sourceforge.net/">Password Safe</a> (Thank You Bruce Schneier) or <a href="http://www.roboform.com/">RoboForm</a>.&nbsp; If you happen to be one of the many victims of this breach, change your passwords now and be aware.<br><br>Jim O'Gorman sent multiple emails to the site administrator(s) at BSDNews.com urging them to do the right thing and notify all affected persons.&nbsp; It appears that this has not happened yet.&nbsp; Jim shared the multiple emails back and forth between him and the site administrator(s).&nbsp; We still have not seen an actual notification.&nbsp; A special thanks to Jim for his awareness and diligent work to get a resolution! <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 25 Apr 2008 04:10:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bsdnews">bsdnews</category>
      <category domain="http://securityratty.com/tag/password">password</category>
      <category domain="http://securityratty.com/tag/password management program">password management program</category>
      <category domain="http://securityratty.com/tag/site administrator">site administrator</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/password safe">password safe</category>
      <category domain="http://securityratty.com/tag/similar password">similar password</category>
      <category domain="http://securityratty.com/tag/similar">similar</category>
      <category domain="http://securityratty.com/tag/email">email</category>
      <source url="http://breachblog.com/2008/04/25/bsdnews.aspx">BSDNews.com is hacked and user information is exposed</source>
    </item>
    <item>
      <title><![CDATA[Overestimating Threats Against Children]]></title>
      <link>http://securityratty.com/article/1e066e0d1ba135d3a1c23ef42d97cbd4</link>
      <guid>http://securityratty.com/article/1e066e0d1ba135d3a1c23ef42d97cbd4</guid>
      <description><![CDATA[This is a great essay by a mom who let her 9-year-old son ride the New York City subway alone: No, I did not give him a cell phone. Didn't want to lose it. And no, I didn't trail him, like a mommy...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.nysun.com/editorials/why-i-let-my-9-year-old-ride-subway-alone">This</a> is a great essay by a mom who let her 9-year-old son ride the New York City subway alone:</p>

<blockquote>No, I did not give him a cell phone. Didn't want to lose it. And no, I didn't trail him, like a mommy private eye. I trusted him to figure out that he should take the Lexington Avenue subway down, and the 34th Street crosstown bus home. If he couldn't do that, I trusted him to ask a stranger. And then I even trusted that stranger not to think, "Gee, I was about to catch my train home, but now I think I'll abduct this adorable child instead."

<p>Long story short: My son got home, ecstatic with independence.</p>

<p>Long story longer, and analyzed, to boot: Half the people I've told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It's not. It's debilitating -- for us and for them.</blockquote></p>

<p>It's amazing how our fears blind us.  The mother and son appeared on <i>The Today Show</i>, where they both <a href="http://www.msnbc.msn.com/id/23935873/">continued to explain</a> why it wasn't an unreasonable thing to do:</p>

<blockquote>And that was Skenazy's point in her column: The era is long past when Times Square was a fetid sump and taking a walk in Central Park after dark was tantamount to committing suicide. Recent federal statistics show New York to be one of the safest cities in the nation -- right up there with Provo, Utah, in fact.

<p>"Times are back to 1963," Skenazy said. "It's safe. It's a great time to be a kid in the city."</p>

<p>The problem is that people read about children who are abducted and murdered and fear takes over, she said. And she doesn't think fear should rule our lives.</blockquote></p>

<p>Of course, <i>The Today Show</i> interviewer didn't get it:</p>

<blockquote>Dr. Ruth Peters, a parenting expert and TODAY Show contributor, agreed that children should be allowed independent experiences, but felt there are better -- and safer -- ways to have them than the one Skenazy chose.

<p>"I'm not so much concerned that he's going to be abducted, but there's a lot of people who would rough him up," she said. "There's some bullies and things like that. He could have gotten the same experience in a safer manner."</p>

<p>"It's safe to go on the subway," Skenazy replied. "It's safe to be a kid. It's safe to ride your bike on the streets. We're like brainwashed because of all the stories we hear that it isn't safe. But those are the exceptions. That's why they make it to the news. This is like, 'Boy boils egg.' He did something that any 9-year-old could do."</blockquote></p>

<p>Here's an <a href="http://www.wnyc.org/shows/bl/episodes/2008/04/02/segments/96153">audio interview</a> with Skenazy.</p>

<p>I am reminded of <a href="http://img.dailymail.co.uk/i/pix/2007/06_02/playgraphicDM1406_736x800.jpg">this great graphic</a> depicting childhood independence diminishing over four generations.</p>]]></content:encoded>
      <pubDate>Thu, 10 Apr 2008 09:00:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/subway">subway</category>
      <category domain="http://securityratty.com/tag/lexington avenue subway">lexington avenue subway</category>
      <category domain="http://securityratty.com/tag/york city subway">york city subway</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/skenazy">skenazy</category>
      <category domain="http://securityratty.com/tag/skenazy chose">skenazy chose</category>
      <category domain="http://securityratty.com/tag/safe">safe</category>
      <category domain="http://securityratty.com/tag/york">york</category>
      <category domain="http://securityratty.com/tag/9-year-old">9-year-old</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/overestimating.html">Overestimating Threats Against Children</source>
    </item>
    <item>
      <title><![CDATA[Do not dismiss the dangers of being stalked]]></title>
      <link>http://securityratty.com/article/9cc7f9cc43d39bbab3cabca5c34f8758</link>
      <guid>http://securityratty.com/article/9cc7f9cc43d39bbab3cabca5c34f8758</guid>
      <description><![CDATA[Q: My friend told me that she is being stalked. I am very worried for her safety. Are stalkers dangerous or just a nuisance


A: You are right to be concerned for your friends safety. Stalkers are...]]></description>
      <content:encoded><![CDATA[Q:  My friend told me that she is being stalked.  I am very worried for her safety.  Are stalkers dangerous or just a nuisance?<br /><br /><span id="fullpost"><br />A:   You are right to be concerned for your friend’s safety.  Stalkers are people with serious mental disorders.  The ones we tend to hear about most often are the cases involving celebrities.  We all know what happened when John Lennon’s stalker followed him home and the ex-Beatle did not have any security around him.   I have dealt with many cases and most people would be horrified to discover the thoughts that go through a stalker’s mind.  <br /><br />For instance, we were protecting a television personality some time ago who was being stalked by a person from out of State.  The stalker “knew” our client from having seen her on television.  However, in his mind, they were involved in a “relationship”.  He would write to her work telling her that other television presenters were talking “in code” about our client and him on the air.<br /><br />Our client became so frightened that she was afraid to go outside of her door.  The stalker became more and more irrational and added to her state of fear when he declared that he knew she was sending him special messages by the color of clothes she wore when she appeared on television.  <br /><br />In that particular case, the stalker’s identity was known, as was the fact that he had previous convictions in his own State for a similar offence.  It took several months, but eventually he was picked up by the Police on a warrant.  The only way that the victim could go about her life was to have bodyguards protecting her 24 hours a day.  
Without that protection, she would have been looking over her shoulder everywhere she went and not only would it have made her job as a reporter extremely difficult, it would have hindered her ability to enjoy life.<br /><br />I often advise clients to have the stalker’s handwriting examined and evaluated by a handwriting expert.  On another case, the stalker had sent one of my clients several letters that had been computer generated but he had handwritten her address on the envelopes.  I took the envelopes to a highly regarded handwriting expert for subsequent examination. <br /><br />The expert’s evaluation was quite alarming.  The stalker knew where our client lived, since he probably followed her on many occasions as he also knew her work address.  Apparently he knew she was married and that is where it became very disturbing.  The expert was able to tell that the stalker became angry when he wrote about our client’s husband in the letter.  <br /><br />When he mentioned her husband and even when he wrote her surname (which was her husband’s name and became her married name) on the envelope, he applied more pressure to the pen as the ink was darker.  That was a telltale sign of his anger.  When I asked the expert if his handwriting gave away any clues to the stalker’s ability to harm our client or her husband, I was told that he was capable of inflicting physical harm, especially against the husband.  The handwriting expert believed that if he did become physical that his preferred method of attack would be up close, most likely with a knife.<br /><br />The Police will usually get involved and assist as much as possible to find a stalker and arrest them, albeit temporarily.  Unfortunately, stalking is only a misdemeanor offence so even if a victim is successful in having a stalker arrested, they will most likely be out on bail in a short time.  
The best result will be if the authorities can have the person medically examined to determine if they are a real threat.  <br /><br />Those victims who can have their own security will obviously be in the safest position since the Police do not have the manpower to sit outside of a victim’s home at night and accompany them throughout the routine of their daily life.  For those who cannot have their own private security, they should become extra observant as they go about their business and vary their routine.  <br /><br />They should pay attention to their rear-view mirror for anyone following behind their vehicle, make notes of vehicle tag numbers and description of suspicious persons.  Dead bolts and an alarm system should be installed in the home.  You should consider the use of discreet surveillance cameras.  <br /><br />Above all else, do not take chances.  You will not know this person and therefore, you do not know what they are capable of doing.  If at all possible, avoid traveling alone and always let people know your times of departure and estimated time of arrival.  Listen to your inner feelings.  If you feel something is not right, there is a good chance that it is not.<br /><br /><br /></span>]]></content:encoded>
      <pubDate>Mon, 25 Feb 2008 13:48:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stalkers mind">stalkers mind</category>
      <category domain="http://securityratty.com/tag/mind">mind</category>
      <category domain="http://securityratty.com/tag/stalkers">stalkers</category>
      <category domain="http://securityratty.com/tag/stalker">stalker</category>
      <category domain="http://securityratty.com/tag/john lennons stalker">john lennons stalker</category>
      <category domain="http://securityratty.com/tag/clients husband">clients husband</category>
      <category domain="http://securityratty.com/tag/stalkers dangerous">stalkers dangerous</category>
      <category domain="http://securityratty.com/tag/clients">clients</category>
      <category domain="http://securityratty.com/tag/stalkers ability">stalkers ability</category>
      <source url="http://www.thebulletproofblog.com/2008/02/do-not-dismiss-dangers-of-being-stalked.html">Do not dismiss the dangers of being stalked</source>
    </item>
    <item>
      <title><![CDATA[Orthogonal Blogging at the SOA Horse Races]]></title>
      <link>http://securityratty.com/article/5302183c71c1ba64fd2ab1adcaee4c7f</link>
      <guid>http://securityratty.com/article/5302183c71c1ba64fd2ab1adcaee4c7f</guid>
      <description><![CDATA[Dear friend Opher Etzion responds to my post Betting on the SOA Horse with a discussion on how SOA, EDA and CEP are technically orthogonal, concluding
Event Processing can have different interactions...]]></description>
      <content:encoded><![CDATA[<div class='snap_preview'><br /><p>Dear friend <a href="http://epthinking.blogspot.com/2008/01/on-trifecta-and-event-processing.html" target="_blank">Opher Etzion responds</a> to my post <a href="http://thecepblog.com/2008/01/05/betting-on-the-soa-horse/" rel="bookmark" title="Betting on the SOA Horse">Betting on the SOA Horse</a> with a discussion on how SOA, EDA and CEP are technically orthogonal, concluding:</p>
<blockquote><p><i>&#8220;Event Processing can have different interactions with SOA, and when IBM&#8217;s announcements in this area will be available you&#8217;ll realize that there are different entry points. Event processing can also work in legacy and non-SOA environment.&#8221; </i></p></blockquote>
<p>Richard Veryard, who also kindly reads my blog (and Opher&#8217;s blog) replies with <a href="http://rvsoapbox.blogspot.com/2008/01/technological-perfecta.html" target="_blank">Technological Perfecta</a> where he opines,</p>
<blockquote><p><i> &#8220;I think there are some mutual dependencies between these technologies, but they are what I call soft dependencies.&#8221;</i></p></blockquote>
<p>Opher, Richard, you guys are technically right, but you are blogging orthogonally to the message in <a href="http://thecepblog.com/2008/01/05/betting-on-the-soa-horse/" rel="bookmark" title="Betting on the SOA Horse">Betting on the SOA Horse</a>.</p>
<p>First of all, my post was not a technical discussion; it was a discussion about business, marketing, timing, positioning and the software industry in general.   Therefore, it is a bit humorously orthogonal to reply to a marketing metaphor about investments, competition, software positioning and horse racing with architectural posts about technology and how they are related or interdependent.</p>
<p>In a nutshell, here is why&#8230;.</p>
<p>Candidly speaking, despite what many analysts want you to believe, end users rarely build &#8220;SOAs&#8221;, &#8220;EDAs&#8221; or &#8220;CEPs&#8221;.    End users have IT budgets to solve business problems with the most cost-effective technology they can find; and they do not care (if they have a clue) what cute three-letter acronyms have been created by analysts to describe momentum in the software market.   Sorry, it is true really.</p>
<p>For example, I remember when I was in Tokyo where the very capable and conservatively risk-averse Japanese executives told me time and time again, <i>&#8220;We don&#8217;t care about SOA we simply want to integrate our systems.&#8221; </i>  They were quick to remind me, <i>&#8220;You guys in America must realize we don&#8217;t care what the western analysts, supported by software companies, say.  They have a conflict-of-interest anyway and they are not end users.  What we care about are mature technologies with solid reference clients and proven implementations.&#8221;</i></p>
<p>By the way, this is one reason I admire Japanese business so much.   They are not impressed with handwaving hyperbole.   They just want to see results.  In other words,   <i>&#8220;Prove it, don&#8217;t just say it.&#8221;</i>   The devil is in the details, as they say.  The Japanese are highly skillful at cutting through the smoke-and-mirrors.   I think this is one reason the Japanese are among the leaders in so many industry sectors, but that is a blog story for another day.</p>
<p>To this point, if you are in front of customers and you are pushing SOA because your software company has &#8220;bet the farm&#8221; on positioning themselves as an SOA company, you are making a mistake.  Three letter acronyms  and technology jargon do not solve business problems.  In fact, for the most part, they are a red-herring.  The same is true of EDA and CEP.  This was the main message in my post <a href="http://thecepblog.com/2008/01/05/betting-on-the-soa-horse/" rel="bookmark" title="Betting on the SOA Horse">Betting on the SOA Horse</a>.</p>
<p>How do I make such a statement?</p>
<p>Because for over 20 years I have worked as a consultant working on the opposite side of the table of hungry software vendors who come into our house (organization) tossing out buzzwords, acronyms, and jargon.   My job was solving real business problems, not selling software.   We used to wonder when all the scrabble and babble the software companies were tossing at us was going to turn into a business language that solves real business problems easily, rapidly and economically.   That day never came.</p>
<p>Then, I made a conscious decision to take a break from a long career of consulting to get an insider&#8217;s perspective on, and perhaps even transform, the software industry.   This experience, working for a software company, was an eye-opener, and one I am most likely not to repeat.   I have never been interested in selling software.   I am interested in real business solutions.</p>
<p>Candidly speaking again, many software companies tend to live in &#8220;La La Land&#8221;.</p>
<p>They create go-to-market strategies based on jargon, buzzwords and three letter acronyms that have very little to do with understanding their customer&#8217;s business problems, risks, and culture.      They spin and position and reposition in a land of smoke-and-mirrors happy to sell you a gold disk of <i>&#8220;the-answers-to-all-your-problems.&#8221;</i>   They leave you the gold disk, and your business problem, as they drive away, looking at you in the rear view mirror as they count the revenue from their victorious campaign.</p>
<p>These same companies bet on jargon like SOA, EDA, CEP, BAM  and they hedge their bets with different combinations of the above, the theme of my post <a href="http://thecepblog.com/2008/01/05/betting-on-the-soa-horse/" rel="bookmark" title="Betting on the SOA Horse">Betting on the SOA Horse</a>, which was not a technology  nor architectural discussion, in any way.</p>
<p>Is it any real wonder why SOA has become, for the most part, complex, vendor-driven jargon barely making a dent in the real-world, whereas social-networking and other grass-roots user-driven technologies, most without trendy three letter acronyms, have left SOA in the dust for the past few years?</p>
</div>]]></content:encoded>
      <pubDate>Sun, 20 Jan 2008 03:30:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/real">real</category>
      <category domain="http://securityratty.com/tag/real-world">real-world</category>
      <category domain="http://securityratty.com/tag/real business solutions">real business solutions</category>
      <category domain="http://securityratty.com/tag/soa">soa</category>
      <category domain="http://securityratty.com/tag/soa horse">soa horse</category>
      <category domain="http://securityratty.com/tag/real business">real business</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/software companies">software companies</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://thecepblog.com/2008/01/20/orthogonal-blogging-at-the-horse-races/">Orthogonal Blogging at the SOA Horse Races</source>
    </item>
    <item>
      <title><![CDATA[Hacking Polish Trams]]></title>
      <link>http://securityratty.com/article/8deeacdd1f20189010294d40b0ece1a5</link>
      <guid>http://securityratty.com/article/8deeacdd1f20189010294d40b0ece1a5</guid>
      <description><![CDATA[A 14-year-old built a modified TV remote control to switch trains on tracks in the Polish city of Lodz: Transport command and control systems are commonly designed by engineers with little exposure...]]></description>
      <content:encoded><![CDATA[<p>A 14-year-old built a modified TV remote control to <a href="http://www.theregister.co.uk/2008/01/11/tram_hack/">switch trains</a> on tracks in the Polish city of Lodz:</p>

<blockquote>Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener.

<p>Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference.</p></blockquote>

<p>Here's <a href="http://www.cs.columbia.edu/~smb/blog/2008-01/2008-01-11.html">Steve Bellovin</a>:</p>

<blockquote>The device is described in the <a href="http://www.telegraph.co.uk/news/main.jhtml;jsessionid=Y5X3DLZOSFSAPQFIQMFSFFOAVCBQ0IV0?xml=/news/2008/01/11/wschool111.xml">original article</a> as a modified TV remote control. Presumably, this means that the points are normally controlled by IR signals; what he did was learn the coding and perhaps the light frequency and amplitude needed. This makes a lot of sense; it lets tram drivers control where their trains go, rather than relying on an automated system or some such. Indeed, the article notes "a city tram driver tried to steer his vehicle to the right, but found himself helpless to stop it swerving to the left instead."</blockquote>

<p>The lesson here is that security by obscurity, combined with physical security of the equipment, wasn't enough.  This kid jumped whatever fences there were, and reverse-engineered the IR control protocol.  Then he was able to play "trains" with real trains.</p>]]></content:encoded>
      <pubDate>Thu, 17 Jan 2008 12:43:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/city tram driver">city tram driver</category>
      <category domain="http://securityratty.com/tag/driver">driver</category>
      <category domain="http://securityratty.com/tag/tram">tram</category>
      <category domain="http://securityratty.com/tag/tram drivers control">tram drivers control</category>
      <category domain="http://securityratty.com/tag/tv remote control">tv remote control</category>
      <category domain="http://securityratty.com/tag/trains">trains</category>
      <category domain="http://securityratty.com/tag/real trains">real trains</category>
      <category domain="http://securityratty.com/tag/tram network">tram network</category>
      <category domain="http://securityratty.com/tag/physical security">physical security</category>
      <source url="http://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html">Hacking Polish Trams</source>
    </item>
    <item>
      <title><![CDATA[XBOX 360 Dies Again]]></title>
      <link>http://securityratty.com/article/27831fd69b501d7980b53718f0d5545c</link>
      <guid>http://securityratty.com/article/27831fd69b501d7980b53718f0d5545c</guid>
      <description><![CDATA[Two days ago my XBOX 360 quit working after a few minutes of play and started blinking red. I checked out the error message online and it seems to be a simple overheating issue. I contacted Microsoft,...]]></description>
      <content:encoded><![CDATA[<p>Two days ago my XBOX 360 quit working after a few minutes of play and started blinking red. I checked out the error message online and it seems to be a simple overheating issue. I contacted Microsoft, and they agreed to fix the console (only 6 months old), but said that it would take 3 to 5 days to send me a box to ship it to them in, and then another 4 to 8 weeks for them to fix it and send it back.</p>
<p>I thought about it for a minute, and decided I would rather buy a new one than sit around and wait on them for two months. First though, I looked around online for a fix and saw that quite a few people were having the same problem. Everyone had an opinion on what the problem was and what to do about it, so I decided to do a couple of things: replace the thermal compound on the CPU and GPU and extend the fan shroud over the GPU using cardboard from a cereal box wrapped in aluminum foil and attached to the existing fan shroud.</p>
<p>That fix worked like a champ until today, when the rear fan on the GPU completely died. I don&#8217;t know if it started to fail 2 days ago and finally quit, or if the fan controller is cutting the fan off intermittently. I have a plan to fix it either way though. I ordered a replacement <a href="http://secure.llamma.com/catalog/product_info.php?products_id=716">Talismoon fan from llama.com</a> and found a spot on the board to solder it to, which will circumvent the variable speed fan controller.</p>
<p>The replacement fans are supposedly quieter, but they will be moving from a 5V variable speed controller to a 12V power source. I hope it ends up with about the same noise profile, but at least I&#8217;ll have a functioning XBOX when Halo 3 is released in a few weeks.</p>
]]></content:encoded>
      <pubDate>Sun, 26 Aug 2007 17:57:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fan shroud">fan shroud</category>
      <category domain="http://securityratty.com/tag/fan">fan</category>
      <category domain="http://securityratty.com/tag/rear fan">rear fan</category>
      <category domain="http://securityratty.com/tag/replacement talismoon fan">replacement talismoon fan</category>
      <category domain="http://securityratty.com/tag/days ago">days ago</category>
      <category domain="http://securityratty.com/tag/fix">fix</category>
      <category domain="http://securityratty.com/tag/days">days</category>
      <category domain="http://securityratty.com/tag/xbox">xbox</category>
      <category domain="http://securityratty.com/tag/gpu">gpu</category>
      <source url="http://marvets.com/blog/archive/2007/08/26/4290.aspx">XBOX 360 Dies Again</source>
    </item>
    <item>
      <title><![CDATA[Security Incident Strikes and You are on the Hot Seat..]]></title>
      <link>http://securityratty.com/article/cb6f209b2e4828c29e1531ef51b8fd48</link>
      <guid>http://securityratty.com/article/cb6f209b2e4828c29e1531ef51b8fd48</guid>
      <description><![CDATA[At the risk of sounding like a preacher, I would like to share this short story. Many of us ACT only when bad news hits the roof, and at that point we don't ACT pragmatically since we did not plan for...]]></description>
      <content:encoded><![CDATA[<p>At the risk of sounding like a preacher, I would like to share this short story. Many of us ACT only when bad news hits the roof, and at that point we don’t ACT pragmatically since we did not plan for it! We recently attended a friend’s daughter’s birthday party. Before heading to the party, I printed out the driving directions from the Internet. I hit the freeway heading south, and when the exit arrived I found that the exit ramp was closed for repairs. Using common sense, I traveled further south and took another exit to head north on the same freeway; the exit arrived, but this was blocked too! We did not know how to get to the party and the cake cutting time was approaching. What are my plans for this incident? Luckily I had an AAA map in my glove compartment and I found our way right on time for the cake cutting. In future, I decided, wherever I go I have to carry maps or buy a GPS or, as a last option, ask around.</p>
<p align="center"><img src="http://ravichar.blogharbor.com/hotseat.jpg"></p>
<p>Security incidents are sometimes a blessing in disguise. They compel you to act. There is a tendency among upper management to blame the security team for security incidents. Knee-jerk reactions such as the CIO firing the CSO or the CSO firing the security team members should be avoided. The facts around the event should be enumerated and the incident should be dealt with pragmatically [refer to <a href="http://www.pragmaticcso.com/">Pragmatic CSO</a>: Step #8 Contain the Problem]. Security incidents are “breakdowns”. When there is a nasty security incident, here are some facts:</p>
<ol>
<li>There is a business cost associated with the incident.</li>
<li>There is a vulnerability that has been exploited by a threat agent.</li>
<li>The vulnerability could be:
<ul>
<li>Unknown</li>
<li>Known but accepted</li>
<li>Known but ignored</li></ul></li>
<li>The incident needs to be handled with due care.</li>
<li>Either you have a well defined incident handling plan or you are shooting from the hip [remember <a href="http://www.pragmaticcso.com/">P-CSO The Incident Playbook</a>].</li></ol>
<p><strong>Scenario 1:</strong> The vulnerability that resulted in the incident was known and was accepted. Remediation: <u>Deal with the incident</u> and then revisit the rationale for why it was accepted in the first place. This highlights the importance of documentation such as a business risk acceptance form; this will help to cover your rear during security incidents. Make sure to get a business risk acceptance form signed by the business owner. For example, a business owner signs a business risk acceptance form if there is no budget to mitigate the vulnerability.</p>
<p><strong>Scenario 2:</strong> The vulnerability that resulted in the incident was unknown. Remediation: <u>Deal with the incident</u> and create a mitigation plan for this newly known vulnerability going forward.</p>
<p><strong>Scenario 3:</strong> The vulnerability that resulted in the incident was ignored. Remediation: Deal with the incident and revisit why the vulnerability was ignored in the first place. You may end up deciding not to ignore this vulnerability.</p>
<p>In all the above scenarios you have to deal with the security incident, which emphasizes the importance of a sound incident handling plan. Putting together an incident handling plan is fairly simple. Document what you need to do and whom to escalate to, then communicate the incident management plan to the relevant actors and stick to the plan when an incident does happen.</p>
<p>Here is a simple example of what needs to be done for an earthquake incident:</p>
<ul>
<li>Identify a structurally safe place inside the home to take shelter, or identify an open safe place near your house where you can rush</li>
<li>Decide on a family meeting place, where all family members get together</li>
<li>Enough food for a week</li>
<li>Two dozen water bottles etc...</li></ul>]]></content:encoded>
      <pubDate>Fri, 27 Jul 2007 03:00:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/incident">incident</category>
      <category domain="http://securityratty.com/tag/security incident">security incident</category>
      <category domain="http://securityratty.com/tag/incident playbook">incident playbook</category>
      <category domain="http://securityratty.com/tag/incident management plan">incident management plan</category>
      <category domain="http://securityratty.com/tag/earthquake incident">earthquake incident</category>
      <category domain="http://securityratty.com/tag/sound incident">sound incident</category>
      <category domain="http://securityratty.com/tag/security incidents">security incidents</category>
      <category domain="http://securityratty.com/tag/nasty security incidents">nasty security incidents</category>
      <category domain="http://securityratty.com/tag/plan">plan</category>
      <source url="http://ravichar.blogharbor.com/blog/_archives/2007/7/27/3123217.html">Security Incident Strikes and You are on the Hot Seat..</source>
    </item>
  </channel>
</rss>
