[SecurityRatty] tag: scores

Links List 10.17.08

Fri, 17 Oct 2008 23:26:41 +0000

Novell announced this week its intent to purchase Managed Objects. We really didn’t see this coming. Novell? Can’t quite figure out the master plan here. I mean, they said they’d acquire PlateSpin back in February which made a lot of sense for bridging the gap of physical to virtual and building out a management portfolio beyond ZENworks Orchestrator. But Managed Objects? CMDBs? In this economy? We have to think back to the survey [link to survey post] we just did at Interop NY and the low scores – on importance and actual deployments – that CMDBs got. When it comes to tightening the belt, CMDBs kinda fell off the list. We’ll be looking forward to future announcements to see how this plays out.

Martin MC Brown at ComputerWorld has a great post on capacity planning and cloud computing. He discusses a new book “The Art of Capacity Planning”. The problem with the current model of data center management is that often a large number of machines may sit relatively idle while waiting for the traffic spike that causes them to be used. This is a problem because it’s simply a waste of time and resources on a whole number of levels. Enter the cloud – or at least the “hope of cloud computing”.

Numbers – what do they really mean? IDC released a statement with a whole bunch of them from their “Worldwide Quarterly Server Virtualization Tracker”. The most interesting stat: x86 Virtualization License Market Standings. VMware owns 44% of the market, but Microsoft, in its first quarter of general availability for Microsoft Hyper-V (plus Virtual Server 2005), has 23% of the market of new shipments.

Microsoft patches affect scores of systems

Mon, 08 Sep 2008 20:00:00 +0000

Microsoft Tuesday released four critical patches targeting vulnerabilities mostly in Windows-based server and client operating systems.

Is Your Firewall a High Risk Entity

Fri, 15 Aug 2008 11:15:57 +0000

Not trying to be overly snarky here, but I was reviewing some GRC product literature recently. And there was a screenshot of an application window showing how the software helps identify “high risk entities”. And in the screenshot, there were 5 of these entities listed, each with corresponding risk ratings (High/Medium/Low) and scores (really just non-measurement ordinal numbers). The screenshot showed that the riskiest entity of the five shown was a Checkpoint Firewall-an assertion backed up by the non-measurement “Risk Score”. The lowest risk scores were shared by a nameless Web Application and an entity called “Oracle App”.

My friend, I’m going to give you a hint. If your firewall is “high risk” and your actual business applications are “low risk” - you might be doing it wrong.

Williamson County Schools learns of breach reported nine months ago

Sat, 12 Jul 2008 20:12:01 +0000

Technorati Tag: Security Breach

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidently posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen? If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding. Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools, Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement. Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information. Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist, Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber? This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment? Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information.", said Sharber
[Evan] The Liberty Coalition went public with this breach in October, 2007. I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches. I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing.", said Sharber

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company". Of course FRSecure would be glad to help. I promise to keep the plugs to a minimum .

Commentary:
OK. We all know that a breach affecting kids is especially bad. We all know that we are all human and all humans make mistakes. I presume that there are a number of risky information security behaviors at Williamson County Schools. This risky behavior just so happened to expose personal information online. What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role. I appreciate the motives of Aaron Titus and the Liberty Coalition. He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about). My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people. What drew my attention to his report was not the breach itself, but the way in which it he proceeded to report it. Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007 which is more than 9 months before the victims were ever made aware! According to the Liberty Coalition press release; "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals." It would have been nice if the victims were notified prior to a public press release. I wonder why Mr. Nugent's relationship with the school district wasn't known earlier. I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

The fact that some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

Ousted Air Force Secretary Looks Back in Cyber

Thu, 19 Jun 2008 02:06:00 +0000

Recently ousted Air Force Secretary Michael Wynne looks back on some of his achievements -- and settles some old scores. Noah Shachtman reports from the Air Force's Cyber Symposium.

Is security marketing worth the paper it is written on? Who can you believe?

Wed, 18 Jun 2008 14:29:01 +0000

So it looks my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product. I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want. BTW, on a comment to that one, Greg Ness writes a very insightful piece that I want to paste in here:

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors, But my God does anyone tell the truth anymore? Funny thing is it is the usual suspects up to their same old, same old fudging their numbers.

So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on and customers who are swamped with slick sales people. What can we do as an industry to bring sanity to all of this? Am interested in what your take on all of this? Is security marketing worth the paper it is written on anymore?

Is security marketing worth the paper it is written on? Who can you believe?

Wed, 18 Jun 2008 13:43:21 +0000

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Demos from my TechEd talks

Wed, 04 Jun 2008 09:10:00 +0000

To those who came to my talks at TechEd 2008 Developers, thank you! Be sure to fill out an evaluation before you leave; scores matter a lot to the conference organizers, so let them know what you thought.

Here is the code from my ADFS talk.

Here is the code from my Understanding Claims talk.

Enjoy!

Demos from my TechEd talks

Wed, 04 Jun 2008 09:10:00 +0000

Here is the code from my ADFS talk.

Here is the code from my Understanding Claims talk.

Enjoy!

Demos from my TechEd talks

Wed, 04 Jun 2008 03:10:00 +0000

Here is the code from my ADFS talk.

Here is the code from my Understanding Claims talk.

Enjoy!