[SecurityRatty] tag: sean

NFL Players and Senseless Violence

Tue, 16 Sep 2008 18:58:00 +0000

Scott Brown writes about the dangers that well known NFL players face on a regular basis. For some, it has even led to their untimely deaths.

Interestingly, many players seem reluctant to hire professional security agents. There is a fear that it will make them seem "self important" and may arouse "indignation". Is it just me or does this strike anybody else as a stupid reason to forego concerns and plans to safeguard one's own personal safety?

Does anybody think any less of a country's President because he/she is flanked by highly trained personal protection specialists? Of course not. Why? Because history has proven to us that there are disturbed individuals in society who would kill a well known person/celebrity just for their 15 minutes of fame.

Why then should an NFL player not be entitled to have a security person(s) looking out for them? I am fairly sure that the family of Sean Taylor wishes that he had employed personal security and that they had confronted those criminals who broke into his house rather than Mr. Taylor.

There is no shame in taking precautions. Ask any security consultant for their opinion on whether a person is better off saying; "I wished I had..." or saying; "I am going to, just in case".

Consider of all of the wonderful music John Lennon could have produced these past years had he employed a Personal Protection Agent to watch his back and protect him from the lunatics of this world. Artists like Lennon and world class athletes need to be protected so that they can continue to entertain us and thrill us with the gifts that they have been given. They deserve our support, not our indignation.

Canadian farmer personal information on stolen CCGA laptop

Sun, 08 Jun 2008 15:32:52 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Canadian Canola Growers Association (CCGA)

Victims:
Farmers

Number Affected:
~32,000

Types of Data:
"social insurance numbers, bank account numbers and other data"

Breach Description:
"OTTAWA, June 5 (UPI) -- Prairie farmers in Canada are upset the federal government waited two months to tell them a laptop computer containing their personal data was missing."

Reference URL:
Winnipeg Free Press
CBC News
United Press International

Report Credit:
Lindsay Wiebe, Winnipeg Free Press

Response:
From the online sources cited above:

About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen.

The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance.
[Evan] No offense to programmers, but in my experience the ways they use information can be some of the most dangerous threats to information security. There is no reason for a programmer to EVER have access to confidential production information. Programmers should only be permitted to work with scrubbed information in a test and/or development environment.

CCGA general manager Rick White described the theft as a classic "smash and grab."
[Evan] Also classic as in another organization that either does not know how or is unwilling to properly secure confidential information.

The laptop has the bank account numbers and social insurance numbers of farmers who applied for Agriculture Canada's advance payments program, which is administered by the CCGA on behalf of the federal government.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them

The federal department has sent letters out to all farmers affected by the theft.

The letter said the laptop was stolen from an undisclosed, remote location in Manitoba.

"We treat this very seriously," White said. "This is an unfortunate incident, a very low-risk one."
[Evan] Mr. White is probably not well versed in risk analysis. Or incident response for that matter.

the strict security measures being used on the laptop reduce the chances of information being misused, White said.
[Evan] Like what?

"There was a very strong password protection on it, [and] there was a biometric fingerprint reader on it," he said. "That would prohibit anyone other than the user or the person with the password to access the data on the laptop."
[Evan] These are "strict security measures"? My emphatic answer is NO! These "strict security measures" are easily bypassed.

but the data was not encrypted
[Evan] The missing piece of the puzzle. Why go through all of the (self-proclaimed) "strict security measures" and not employ encryption. What you get with full-disk encryption is pre-boot authentication and this defeats the boot to CD attack.

Agriculture Canada spokesman Sean Malone said there were security features on the laptop, but a sophisticated hacker could likely bypass them.
[Evan] No sophistication required. A novice could figure it out with Google, a CD, and 15 minutes.

So far, there have been no reports of identity theft among the farmers, the report said.

Pitblado LLP privacy lawyer Brian Bowman said the CCGA and agriculture department deserve credit for notifying people of the breach -- a move not required by Manitoba law.
[Evan] Just because CCGA is not required by law, doesn't mean that they deserve any credit for notification. The information belongs to the victims not CCGA, and as owners of the information don't you think they should be informed of an incident that has the potential affect them personally?

Victim Reaction:
"If they're devilish enough to steal a computer, maybe they're devilish enough to do something with the information,"

"What frustrates me is that they've treated this like it's no skin off their back,"

"They've known this since then and they're only getting the letters out now?"

"I don't want to find out a mortgage has been taken out on our farm."

Commentary:
It is bad enough for an organization to lose confidential information on a poorly protected laptop, but what makes this more troubling is the apparent fact that they still view the practice that led to the breach as a low risk. Clueless and sad.

Past Breaches:
Government of Canada:
December, 2007 - Passport Canada web site suffers serious breach
November, 2007 - Service Canada stolen laptop affects more than 1,600

A breach that hits home with 2008 presidential candidates

Sat, 22 Mar 2008 10:16:50 +0000

Technorati Tag: Security Breach

Date Reported:
3/20/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of State
Stanley, Inc.
The Analysis Corporation

Victims:
United States passport applicants

Number Affected:
Unknown*

*Prominent political figures such as Barack Obama, Hillary Clinton and John McCain were all affected. It is expected and assumed that there are more affected individuals, but due to the sensational nature of events, the full extent of the breach is not known.

Types of Data:
"It is not clear whether the employees saw anything other than the basic personal data such as name, citizenship, age, Social Security number and place of birth, which is required when a person fills out a passport application."

Breach Description:
"The passport files of all three major presidential candidates were breached by unauthorized searches by four employees, the State Department said yesterday, prompting apologies from Secretary of State Condoleezza Rice, outrage from the candidates and calls by lawmakers for further probes."

Reference URL:
MSNBC News Story
Associated Press Story
Stanley, Inc. Official Company Statement
Statement from The Analysis Corporation

Report Credit:
Associated Press, posted to The Breach Blog through the kind urging of an informed reader

Response:
From the online sources cited above:

State Department employees snooped through the passport files of three presidential candidates — Sens. Barack Obama, Hillary Rodham Clinton and John McCain — and the department's inspector general is investigating.
[Evan] The Inspector General job is still vacant. Would you want this job? If so, you may have to call them. I don't see a job description or a posting on Monster.com.

State Department spokesman Sean McCormack said the violations of McCain and Clinton's passport files were not discovered until Friday, after officials were made aware of the unauthorized access of Obama's records and a separate search was conducted.
[Evan] Are we safe to assume that the unauthorized access to McCain and Clinton's passport files would have gone unnoticed without the discovery of the Obama access?

The incidents raise questions as to whether the information was accessed for political purposes and why two contractors involved in the Obama search were dismissed before investigators had a chance to interview them.

McCormack said one of the individuals who accessed Obama's files also reviewed McCain's file earlier this year. This contract employee has been reprimanded, but not fired. The individual no longer has access to passport records, he said.

"I can assure you that person's going to be at the top of the list of the inspector general when they talk to people, and we are currently reviewing our (disciplinary) options with respect to that person," McCormack said.

Secretary of State Condoleezza Rice spoke with all three candicates on Friday and expressed her regrets.

After speaking with Obama, Rice told reporters: "I told him that I was sorry, and I told him that I myself would be very disturbed."

"None of us wants to have a circumstance in which any American's passport file is looked at in an unauthorized way," said Secretary of State Condoleezza Rice as she offered apologies to the candidates.

The State Department said the Justice Department would be monitoring the probe in case it needs to get involved.

In Clinton's case, an individual last summer accessed her file as part of a training session involving another State Department worker. McCormack said the one-time violation was immediately recognized and the person was admonished.
[Evan] As part of a training session? What the….? Is it common practice to train employees/contractors with live confidential information? Bad.

Obama's records were accessed without permission on three separate occasions — Jan. 9, Feb. 21 and as recently as last week, on March 14.

McCain, who was in Paris on Friday, said any breach of passport privacy deserves an apology and a full investigation.
"The United States of America values everyone's privacy and corrective action should be taken," he said.
[Evan] Yes, especially when it is your own privacy!

Aside from the file, the information could allow critics to dig deeper into the candidates' private lives. While the file includes date and place of birth, address at time of application and the countries the person has traveled to, the most important detail would be their Social Security number, which can be used to pull credit reports and other personal information.

The violations were detected by internal State Department computer checks because certain records, including those of high-profile people, are "flagged" with a computer tag that tips off supervisors when someone tries to view the records without a proper reason.
[Evan] Excellent. It is good practice to log access attempts (successful and not) to confidential information. Of course you need to identify confidential information and classify it first, which is a huge challenge in a vast majority of companies. I think the government does a pretty good job of data classification however.

Former Independent Counsel Joseph diGenova said the firings of the contract employees will make the investigation more difficult because the inspector general can't compel them to talk.
[Evan] We have ways of making you talk! Seriously though. With all the resources at the disposal of the United States government, do you really think that officials won't be able to conduct a thorough investigation? Whether they will or not, or whether any details become public is another story.

Two companies that provide workers for the State Department say they fired or otherwise punished those who improperly accessed the passport records of the three major presidential candidates.

Stanley Inc., based in Arlington, Va., and The Analysis Corp., or TAC, of McLean, Va., said Friday that their employees' actions were unauthorized and not consistent with company policies.

Just this week, Stanley won a five-year, $570 million government contract extension to support passport services.

"When you have not just one but a series of attempts to tap into people's personal records, that's a problem not just for me but for how our government functions," Obama told reporters while campaigning in Portland, Ore. "I expect a full and thorough investigation. It should be done in conjunction with those congressional committees that have oversight function so it's not simply an internal matter."

From the Stanley, Inc. Official Company Statement:
Stanley manages more than 1,800 personnel including subcontractor personnel nationwide on contracts
assisting Department of State and other contract employees with production of over 18 million passports
annually.
[Evan] 18,000,000+ passports annually! We already know that there are trust issues with these four (both Stanley and TAC) contractors, does the potential exist for a breach of 18,000,000 records? Is the risk significant?

Prior to employment, Stanley and its subcontractor candidates undergo several background checks, including security and credit checks. Candidates are also subjected to a Government-sponsored background check. In addition, candidates receive training on the Privacy Act and are required to sign a Privacy Act acknowledgement prior to starting employment. This acknowledgement, among other items, indicates that any employee who knowingly obtains access to information under false pretense is subject to immediate dismissal and both civil and criminal prosecution.
[Evan] Obviously, some people don't care.

While this is a rare occurrence, we regret the unauthorized access of any individual's private information. Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama’s passport files. In each of these instances the employee was terminated the day the unauthorized search occurred.

At this time we are unaware of the involvement of any Stanley or subcontractor employees in the unauthorized searches of Senator John McCain’s or Senator Hillary Clinton’s passport files.

From the "Statement from The Analysis Corporation":
Late this morning, representatives of the Department of State informed The Analysis Corporation (TAC) for the first time that one of the individuals who had been detected inappropriately accessing passport files of prominent political figures was a TAC employee. The individual was working on contract at the Department of State.

This individual's actions were taken without the knowledge or direction of anyone at TAC and are wholly inconsistent with our professional and ethical standards.
[Evan] Classic attempt by the company to separate themselves from the incident in question. I hope that this is an obvious statement.

TAC has an exemplary record of supporting the Department of State and other elements of the U.S. Government for close to two decades. We are fully cooperating with the Department of State in its investigation. Specifically, we have honored the Department's request to delay taking any administrative action related to the employment of the individual in order to give the Department's Office of the Inspector General the opportunity to conduct its investigation.

We deeply regret that the incident occurred and believe it is an isolated incident.
[Evan] What are the chances of four contractors from two independent contracting companies accessing confidential information while on contract at the same organization? Isolated? Maybe, maybe not.

Commentary:
Well, now information security (and privacy) hits home with some very powerful people. This will almost certainly spur changes. More so than when "commoners" were the ones affected.

I am concerned that these series of reported incidents are part of a bigger problem at the Department of State. It's probably unlikely that someone is going steal Barack Obama's identity (do you think he will get the standard one year of free identity theft protection? [heh]). Employees and the risks involved with their identity and access management are some of the most challenging issues to deal with as an information security professional. Employees need a certain amount of access in order to perform tasks, but how do you detect when an employee decides to use their "legitimate" access for purposes outside of the scope of their duties? You maybe able to detect when they "do" abuse access rights, but how could you detect when they "decide" to?

Past Breaches:
Unknown

Competitors OEM'ing the same product

Tue, 11 Mar 2008 08:17:25 +0000

Read an interesting article by Sean Michael Kerner today in eSecurityplanet.com. Sean talks about the fact that both Juniper and Nortel are both OEM'ing the Q1's Radar product to help them compete against Cisco's MARS solution. Of course Juniper and Nortel compete against each other and the logical question is how can they compete against each other with both offering an OEM of the same product. I thought the answer by both the Juniper and Nortel folks were great and shows the strength of an OEM strategy, much like we have pursued here at StillSecure.

Sean says that technology vendors who need to fill a need in their product line can build, buy or partner to fill that need. It is right on. But as Sanjay Kapoor at Juniper points out, Juniper takes the Q1 product as a starting point and builds functionality on top of that. Nortel's Shmulik Nehama makes another point about competitors OEM'ng the same product when he says, "... this validates our choice of technology and choice of partner". A great point. If one of your competitors have vetted the solution and picked it over the competition, there is probably a good reason they did so. If your own analysis shows that this solution is superior, you should not "settle" for second best because a competitor is using it as well. I think you look at how you can add value over and above the base solution. If you are going to compete with Cisco, you are going to need the best product you can have. Not choosing the best product because someone else has is just not a smart move!

At StillSecure we have OEM partners in the same situation and they have arrived at the same conclusion. Of course we have had some folks who did not OEM our solutions because of this, but at the end of the day, they wind up with a solution that is at best second rate. Moral of the story, pick the best product you can.

Competitors OEM'ing the same product

Tue, 11 Mar 2008 07:17:25 +0000

Speaking of Security Podcast #91

Sun, 27 Jan 2008 21:00:00 +0000

Click here to download/listen (07:55).

Speaking of Security Blogger Sean Kline talks with Paul Joyal about his top 5 intriguing ideas for authentication for 2008.

Speaking of Security Podcast #70

Sun, 29 Jul 2007 20:00:00 +0000

Click here to listen/download (10:15).

October's RSA Conference Europe promises to be bigger and better than ever! In this podcast we talk with two of the conference's movers and shakers from RSA's U.K. headquarters. And we also welcome our newest Speaking of Security Blogger, Sean Kline, and learn some of his thoughts for the RSA blog and what security topics he plans to tackle.

Speaking of Security Podcast #52

Sun, 04 Mar 2007 21:00:00 +0000

Click here to listen/download (10:59).

This week we speak with Larry Hamid, CTO, MXI Security, about how their USB portable security devices are used for strong authentication, as a biometric device, to carry digital identities, and more. Also on the podcast is Sean Kline, Director of Product Management for RSA, who talks to us about the upcoming Daylight Savings Time (DST) change and how it effects IT professionals, home PC users, and RSA customers.