[SecurityRatty] tag: russ

Chertoff Misleads on Laptop Searches, Feingold Charges

Thu, 07 Aug 2008 16:46:19 +0000

In an interview with Wired.com, Homeland Security Chief Michael Chertoff blatantly mischaracterized when border agents can search Americans' laptops, Sen. Russ Feingold charges. The Wisconsin Democrat says Congress needs to step in to protect Americans from intrusive searches of their electronics.

NSA Forms

Wed, 06 Aug 2008 03:26:34 +0000

They're all here:

Via a Freedom of Information Act request (which involved paying $700 and waiting almost 4 years), The Memory Hole has obtained blank copies of most forms used by the National Security Agency.

Most are not very interesting, but I agree with Russ Kick:

They range from the exotic to the pedestrian, but even the most prosaic form shines some light into the workings of No Such Agency.

'I have a lost laptop horror story for you'

Mon, 30 Jun 2008 20:00:00 +0000

The devil of identity theft is in the details: Russ Jones tells a tale of woe that isn't particularly dramatic -- or rare -- and yet it's exactly the kind of story that worries me enough to ignore my better judgment and buy identity-theft protection from my insurance provider.

PC Universe is shrinking thanks to McAfee Secure's cluelessness

Fri, 27 Jun 2008 06:11:00 +0000

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from the this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee
2) XSS Deface
3) Cookie
If you rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.

del.icio.us | digg

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

McAfee is NOT McAfee Secure

Tue, 13 May 2008 05:39:00 +0000

A challenge was put forth on Zero Day, and it has been answered.
Apparently, McAfee doesn't care about XSS on their own sites either.
I'll let the video speak for itself.
For the love of all thing good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.
Sincerely,
Russ McRee

del.icio.us | digg

An Open Letter to Ken Leonard, CEO, ScanAlert

Fri, 25 Jan 2008 10:45:00 +0000

Dear Mr. Leonard,

As well you are aware; the Hacker Safe brand has long been viewed by those in the information security field with varying levels of skepticism, if not vehement disdain. As there are a plethora of blogs, articles, and exposed vulnerabilities available for you to review, I will not waste your time with excerpts validating our position. Suffice it say, the community at large shares certain doubt about the service offering ScanAlert arrogantly calls Hacker Safe.
It is our view that this is a marketing position only. Nothing, I repeat, nothing, is truly "hacker safe". You claim that websites are free of vulnerabilities when they are clearly not. This is disingenuous and is at the root of what angers information security professionals. If a site is vulnerable while under the auspicious care of ScanAlert's Hacker Safe program should it not lose its Hacker Safe credential until such a time as the vulnerability is remediated? If I take this down to a fundamentally simple premise, saying a site is Hacker Safe while vulnerable to SQL injection, XSS, CSRF, etc. is, in essence, a misrepresentation. If a consumer commits a transaction on a site that is vulnerable, are they not at risk due to vulnerabilities your service claims to scan for? While we understand that you are in the business of growing revenue by indicating websites as “hacker safe”, we believe you are also beholden to the consumers using those sites.
We ask of you this: if a site is found to be vulnerable during your scans, or as reported by third parties, then enforce the findings and suspend their certification. Strive to improve your scan engine where possible. It is your responsibility to NOT label a site “Hacker Safe” when it is not. Then, at least, you are telling the truth, and a consumer can make an informed choice as to how confident they feel about the site's security practices.
There are, at the time of this writing, sites still vulnerable to XSS, yet branded Hacker Safe, that were identified as vulnerable MORE THAN A YEAR AGO. These sites should not be reported as Hacker Safe, period.
Please don't insult us with more of Joseph Pierini’s pearls of wisdom like “XSS vulnerabilities aren't material to a site's certification”. Adopting a view like this is ridiculous and blatantly ignorant given the risks to consumers. You scan for XSS and clearly denote it in your How We Scan section. Therefore, if a site is vulnerable to XSS it is not “Hacker Safe”.
This is far from the first round, credit sla.ckers.org with driving this point home in 2006, only to be shrugged off by Pierini then too. I think there may be a job opening for him over at Zango. Perhaps he could change his mantra from “XSS is not our problem” to “We don’t make spyware.”
What about the PCI argument? If a site is vulnerable to XSS, it’s simply not compliant. See this post for details. It all adds up to consumers at risk. ScanAlert should remember, above all, that safety for the consumer is paramount. Why not live up to your marketing hype and offer a service that truly, honestly, and with integrity, lives up to even a fraction of its namesake.
"What gets us into trouble is not what we don't know. It's what we know for sure that just ain't so. - Mark Twain"

Sincerely,

Russ McRee

Those information security professionals wishing to lend your name to this plea, please add your name as a comment.

del.icio.us | digg

The Naval Surface Warfare Center warns employees

Wed, 16 Jan 2008 06:51:41 +0000

Technorati Tag: Security Breach

Date Reported:
1/11/08

Organization:
United States Navy

Contractor/Consultant/Branch:
Naval Surface Warfare Center Dahlgren Division (NSWCDD)*

*Dahlgren is a weapons-system research and test center for the Navy. About 2,800 civilian federal workers and another 3,000 civilian contractors work at the base on the Potomac River.

Victims:
"current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994"

Number Affected:
10,000**

**"Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected", Source: www.inrich.com/cva/ric/news.apx.-content-articles-RTD-2008-01-15-0194.html

style="font-weight: bold;">Types of Data:
Names, Social Security numbers, dates of birth, job titles, salary and employment information

Breach Description:
Officials at the Naval Surface Warfare Center Dahlgren Division were made aware of a breach involving personal information belonging to current and former employees after a criminal attempted to purchase a big-screen television at a Sears store in Pennsylvania using the stolen information. One of the four suspects arrested in the attempted theft had two pages of a NSWCDD 1994 report in their possession that contained names, Social Security numbers, birth dates, job titles, salary and employment information.

Reference URL:
Official NSWCDD Press Release Online
Times-Dispatch News Story

Report Credit:
The Naval Surface Warfare Center Dahlgren Division

Response:
From the online sources cited above:

The Naval Surface Warfare Center Dahlgren Division is contacting all current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994, to warn of potential identity theft and to urge them to contact their creditor bureaus in the wake of a reported attempt to illegally obtain a credit card using an employee’s personal information.

NSWCDD officials were notified on Jan. 8 that four individuals had been arrested in Bensalem Township, Pa., on Jan. 5, 2008, for attempted identity fraud.

police in Bensalem Township, Pa., outside Philadelphia, informed a Dahlgren employee that someone was about to use his credit card to buy a big-screen TV at Sears.
[Evan] It adds a level of concern when it is known that the information is being actively used to commit fraud. It took awareness and good work to catch the four suspects in the identity fraud case.

They had in their possession two pages of a hard copy report dated July 7, 1994, containing personally identifiable information (PII) – names, social security numbers and dates of birth – of nearly 100 individuals with the last name beginning with “B.”

The employees could have been assigned to work within NSWCDD, at one of the following: Naval Facilities Command (NAVFAC), NSWC Dahlgren, NSWC White Oak, Md., NSWC Panama City, Fla., Joint Warfare Analysis Center (JWAC), Naval Space Command and the Aegis Training and Readiness Center (ATRC) or any of their detachments.

Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected.

A call center has been established at 1-800-352-7967, Monday through Friday from 8 a.m. until 4 p.m., to answer employees’ questions and provide additional guidance on reporting and protecting against potential identity theft.

Current or former Navy civilian employees who have experienced recent identity fraud are urged to call this number as well as notify their local authorities.

Current employees were notified of the incident on Jan. 10 through an All Hands e-mail and urged to take action to safeguard their identity. The message is currently posted to the NSWCDD internal website.

At this time, NSWCDD has no information as to how the individual(s) came to be in possession of this hard copy report. The compromise of personal identity was immediately reported to all appropriate law enforcement authorities and is currently under Secret Service investigation.
[Evan] Hopefully it will be found that one of the four individuals stole the information themselves. If the information were bought from "the stolen information black market" (yes, it exists), then this could get worse before it gets better.

It is unknown whether any additional pages of the report have been compromised. Therefore, all persons employed by NSWCDD or a tenant command on or before July 7, 1994, are advised to take action to protect against any potential identity theft.

Recommended actions endorsed by the Federal Trade Commission (FTC) are available at:
www.ftc.gov/bcp/edu/microsites/idtheft/
href="http://www.usdoj.gov/criminal/fraud/websites/idtheft.html" target="_blank"> www.usdoj.gov/criminal/fraud/websites/idtheft.html
href="http://www.ssa.gov/pubs/idtheft.htm" target="_blank"> www.ssa.gov/pubs/idtheft.htm

NSWCDD follows the Department of the Navy’s policy for disposing of documents containing privacy act data. NSWCDD disposal processes are in place for rendering Personally Identifiable Information (PII) unrecognizable or beyond reconstruction. Documents containing PII are shredded when no longer needed.
[Evan] I imagine that the Department of the Navy's data disposal policy is well-written. Following policy approval comes training, awareness and enforcement.

NSWCDD and the Department of Navy take this incident very seriously. Current policies and practices will be reviewed to determine if any changes are necessary to preclude a similar occurrence in the future.

Commentary:
This is an interesting story. I can't recall a time when an identity fraudster was caught with pages of stolen information in their possession. I have many unanswered questions about this breach.

Overall, I like the NSWCDD's response to the breach. The response pointed out one very important facet of information security, data destruction. I am currently writing a Data Destruction and Re-Use Standard for a company I work for.

From the Introduction section of the standard:

The purpose of the %Company% Data Destruction and Re-Use Standard document is to describe the requirements surrounding the authorized destruction of %Company% data. This document details the specific settings necessary to conform to SP1. Data Classification Policy, which is in turn part of the greater %Company% Corporate Information Security Policy.

Past Breaches:
Unknown