[SecurityRatty] tag: senator

Telecom Amnesty Foes Lobby Obama Using Obama Tech

Mon, 30 Jun 2008 17:52:00 +0000

Left-leaning opponents of amnesty for telecoms sued for helping the government warrantlessly spy on Americans are turning to Senator Barack Obama's own Web 2.0 tools to lobby him to oppose a pending bill. They wonder if the new participatory politics he's relied on to secure the Democratic nomination can sway him back to his original opposition to the spying bill, or if old-style politics will rule the day.

I feel even more safer, dont you?

Fri, 20 Jun 2008 14:46:59 +0000

Just more laws to make us safer?
Sad.

clipped from www.freedomworks.org

Senate Housing Bill Requires eBay, Amazon, Google, and All Credit Card Companies to Report Transactions to the Government

Broad, invasive provision touches nearly every aspect of American commerce.

Washington, DC -?
Hidden deep in Senator Christopher Dodd’s 630-page Senate housing legislation is a sweeping provision that affects the privacy and operation of nearly all of America’s small businesses. The provision, which was added by the bill’s managers without debate this week, would require the nation’s payment systems to track, aggregate, and report information on nearly every electronic transaction to the federal government.

Senator: US gov't needs to better protect personal data

Tue, 17 Jun 2008 20:00:00 +0000

Updates to a 34-year-old privacy law are needed to better protect personal information held by the U.S. government, some privacy experts said Wednesday.

Ted Kennedy: a lifetime of achievement, regrets of a world that could have been

Tue, 20 May 2008 20:04:43 +0000

I usually stay away from politics on my blog. As I have said before, it is my blog and I can write what I want, but politics usually is just to controversial for me to write on. Upon hearing the terrible news about Ted Kennedy's malignant brain tumor, I was moved to write something, than thought twice about it and thought yet again. However, Ted Kennedy and his life and times has been such an influence and part of my life, that I am compelled to write. So on this night where it appears that an African-American has won a majority of the pledged delegates of the Democratic Party, while running against a woman, I think it only fitting to remember Ted Kennedy. I do not mean this as a eulogy or obituary and in fact hope against all that I have read and heard that a miracle will grant him many more years of serving in the Senate. But it seems Teddy has a tough road ahead and this is as good as a time as any to speak out.

One of my earliest memories of current events was when Ted's brother John was assassinated. I was a little boy playing catch with my Dad when my Mom came to the door and called us in because something terrible had happened. I didn't really understand, but my parents told me that the President (who I had seen with VP Johnson drive by in a motorcade months before) had been shot. I don't remember a lot more of the details, but do remember Oswald getting shot and some pictures of the funeral. The mind of a young boy is quickly filled with other things though and I moved on past that horrific November day.

Next when I was a bit older, the crazy year of '68 was upon us. I was still fairly young, but I remember riots in the cities, pictures on the news of the war and Bobby Kennedy, the Senator from NY running for President when President Johnson said he would not run. Martin Luther King was shot and killed and so was Bobby shortly after. By now I was old enough to realize the tragedy of these killings. I remember hearing Teddy's eulogy of Bobby and thinking what a terrible thing to have happened to this family, losing two of their sons like this.

For me it was the start of a life long interest in all things Kennedy. I read many books about all of the Kennedy's and lamented what could have been if not for the bullets that killed first John and than Bobby. A key part of my core political beliefs was that if John Kennedy would have served out his first term and been re-elected, how different the world would have been. If Bobby Kennedy had been elected President instead of Nixon, what would the world look like now? There was always a sense that Teddy, the baby Kennedy brother would rise up and take the mantle and place that seemed to belong to this family. He would restore Camelot. Alas it was not to be. His time just never came. Though he ran a noble race, Chappaquiddick haunted and doomed his candidacy. After that Teddy was the patron of a family that just seemed unable to escape tragedy. One mishap after another befell this family that had been previously granted so much good fortune. It truly did seem as if they were cursed. Teddy himself had his ups and downs with drinking and divorce and the health of his children. Though he asked us to never let the dream die, the legacy of Camelot did seem to pass on.

Through it all Ted Kennedy continued to do good work for this country in the Senate. Looking back Teddy's legislative record has probably had more of an influence on this country than either of his brothers had. His name is attached to many of the greatest laws passed over the last 40 years. Teddy was also a great orator. Many say that his finest speech was as the keynote speaker at the 1980 Democratic Convention, when he mounted his challenge to a sitting President Carter. But for me Teddy's finest moment was in delivering the eulogy for his brother Bobby. The "some man ask why, Bobby dreamed of what could be and asked why not" speech never ceases to move me. I include this You Tube as a tribute to Ted Kennedy and all that he and his brothers meant to me along with my prayers for a recovery from this terrible condition.

Latest linking of Senator Obama to a '70's terrorist may damage his reputation.

Sun, 11 May 2008 20:12:00 +0000

We all know how important it is to have a good reputation and the price we pay when it becomes damaged. The latest reports linking Senator Obama with the 70's radical, William Ayers, can not help him in his nomination bid.

William "Billy" Ayers was a member of the '70's domestic terrorist group: Weather Underground Organization (WUO). WUO were opposed to the Vietnam war and pledged to bomb the Capitol, The Pentagon and Police Stations after issuing a "declaration of a state of war" against the United States Government in 1970.

These days, Ayers is a professor at UIC. Apparently, Ayers and the Senator have served jointly on various Boards and have appeared on discussion panels together. Most likely Senator Obama failed to do the proper due diligence on his co-host and was unaware of his terrorist affiliations and involvement. Unfortunately for the Senator, many voters may not be so forgiving, especially when they realize that Ayers has recently made comments to the effect that he does not regret planting bombs and thinks he did not do enough. He even went so far as to state that he can not entirely dismiss the idea of planting a bomb today.

Last week during training of an Executive Protection class in Baltimore, I spoke about the need to keep an open mind when it comes to terrorism and to realize that terrorists come in all shapes, sizes and colors. I even discussed domestic terrorism and drew their attention to the Weather Underground. We should remember that terrorists will not always arrive looking as they do in television footage.

For instance, Timothy McVeigh could walk down any street in the U.S. prior to the bombing in Oklahoma and not one single person would ever have suspected him of being a home-grown terrorist. Everything (and everybody) is not always what it seems.

Senator: Let's Spend $1B to monitor P2P for illegal files

Thu, 17 Apr 2008 18:50:01 +0000

A prominent Senate Democrat on Wednesday said federal and local police should use custom software to monitor peer-to-peer networks for illegal activity, and wants to spend $1 billion in tax dollars to make that happen.

From warzones to strip clubs, the truth comes out for a former First Lady and a Pastor.

Sun, 30 Mar 2008 16:57:00 +0000

Last week in the Washington Post, "The Fact Checker" awarded former first lady, Hillary Clinton, four "Pinocchios" (real whoppers)for claiming to have come under sniper fire during a photo op. in Bosnia. On Thursday, Michael Dobbs once again awarded Senator Clinton another "poker" of Pinocchios.

This time she took heat for claiming that her trip to Bosnia was the first visit to a "war zone" by a first lady since World War II. Her claim is considered completly inaccurate, since Pat Nixon made a trip to Saigon in July 1969. At the time, South Vietnam was an actual, not a "potential" war zone in the aftermath of the 1968 Tet offensive.

The article also made mention of Barbara Bush's visit to Saudi Arabia in 1990, two months before the Persian Gulf war began. Speaking about Senator Clinton's claim that her aircraft made a tactical landing back in 1996, the pilot of the aircraft had a different memory. Retired Air Force Col. William Changose said that it was not true that they took evasive measures to avoid sniper fire. The Colonel went on to say that: "not only were there no bullets flying, there wasn't even a bumblebee flying around".

It seems that Senator Clinton is not the only one in the public eye to suffer from Pinocchioitis. Apparently the Police in Riverside, Ohio found a Pastor who had gone missing from his home in western New York, since Wednesday the 26th of March, after telling his wife that he was going to Best Buy to have his computer fixed. Officers found the Pastor at a strip club called the "K.C. Lounge", partying like a New York Govenor.

We often hear people in the media complaining about the negative effects that Rap music has on our youth. One wonders why we are now not hearing more complaining about the so-called role models getting caught with their pants down, so to speak. At least with the likes of rappers and other "bad boy" entertainers, what you see, is what you get. It's little wonder that so many people are comfortable telling lies during interviews and embellishing resumes in order to get hired and get ahead.

When I was going to school, the "dog ate my homework" excuse was used but not believed. Also, it tended to get used by children who had not yet reached their teens. I think that even children of that age these days will be able to see through these poorly constructed falsehoods that our "role models" would have us believe.

Unbelievable.

If politicians can imagine sniper fire, don't be surprised what people can imagine on their resumes.

Tue, 25 Mar 2008 23:09:00 +0000

Why is it that so many people these days are mis-speaking and mis-remembering? Shortly after Hillary Clinton's animated version of coming under sniper fire in Bosnia, she now tells us she "mis-spoke".

I first read about this story in last Saturday's Washington Post, in an article written by Michael Dobbs. Mr. Dobbs, who visited the Tuzla air base in Bosnia, much earlier than Senator Clinton, spoke of the risk being minimal, particularly at a heavily fortified U.S. air base like Tuzla.

The report went on to say that instead of the former first lady having to run with her head down, dodging sniper fire, the party was greeted by smiling U.S. and Bosnian officals. The paper even carried a picture of Mrs. Clinton bending down to kiss a local girl.

Mr. Dobbs concludes by saying that Clinton's tale of sniper fire is simply not credible, as photographs and video taken at the time told a very different story. Senator Clinton's story was then awarded with "Four Pinocchios", signifying a "real whopper".

As someone who spent many years in the former Yugoslavia during the war, I can attest to the fact that you know when you are coming under sniper or mortar fire, there is nothing to imagine. One thing you wouldn't do, is to stand around taking photographs for the press. I am sure that there were plenty of people around the country last week who believed Senator Clinton - she certainly seemed very credible the way she recalled the dangerous event. Now she just looks like another used car salesman who got caught turning back the clock on a used car to hide its true miles.

Like I tell clients all the time, do not be in a hurry to judge a book by its cover. Just because someone appears to have a fantastic resume, does not mean that everything in that resume is true. Around 40% of all resumes contain lies or "miswritings" as they are probably being called now.

If a former First Lady (and one who is looking to be the country's first female President at that) can tell a "real whopper", expect it from anyone. Remember, paper has never been known to refuse ink.

A breach that hits home with 2008 presidential candidates

Sat, 22 Mar 2008 10:16:50 +0000

Technorati Tag: Security Breach

Date Reported:
3/20/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of State
Stanley, Inc.
The Analysis Corporation

Victims:
United States passport applicants

Number Affected:
Unknown*

*Prominent political figures such as Barack Obama, Hillary Clinton and John McCain were all affected. It is expected and assumed that there are more affected individuals, but due to the sensational nature of events, the full extent of the breach is not known.

Types of Data:
"It is not clear whether the employees saw anything other than the basic personal data such as name, citizenship, age, Social Security number and place of birth, which is required when a person fills out a passport application."

Breach Description:
"The passport files of all three major presidential candidates were breached by unauthorized searches by four employees, the State Department said yesterday, prompting apologies from Secretary of State Condoleezza Rice, outrage from the candidates and calls by lawmakers for further probes."

Reference URL:
MSNBC News Story
Associated Press Story
Stanley, Inc. Official Company Statement
Statement from The Analysis Corporation

Report Credit:
Associated Press, posted to The Breach Blog through the kind urging of an informed reader

Response:
From the online sources cited above:

State Department employees snooped through the passport files of three presidential candidates — Sens. Barack Obama, Hillary Rodham Clinton and John McCain — and the department's inspector general is investigating.
[Evan] The Inspector General job is still vacant. Would you want this job? If so, you may have to call them. I don't see a job description or a posting on Monster.com.

State Department spokesman Sean McCormack said the violations of McCain and Clinton's passport files were not discovered until Friday, after officials were made aware of the unauthorized access of Obama's records and a separate search was conducted.
[Evan] Are we safe to assume that the unauthorized access to McCain and Clinton's passport files would have gone unnoticed without the discovery of the Obama access?

The incidents raise questions as to whether the information was accessed for political purposes and why two contractors involved in the Obama search were dismissed before investigators had a chance to interview them.

McCormack said one of the individuals who accessed Obama's files also reviewed McCain's file earlier this year. This contract employee has been reprimanded, but not fired. The individual no longer has access to passport records, he said.

"I can assure you that person's going to be at the top of the list of the inspector general when they talk to people, and we are currently reviewing our (disciplinary) options with respect to that person," McCormack said.

Secretary of State Condoleezza Rice spoke with all three candicates on Friday and expressed her regrets.

After speaking with Obama, Rice told reporters: "I told him that I was sorry, and I told him that I myself would be very disturbed."

"None of us wants to have a circumstance in which any American's passport file is looked at in an unauthorized way," said Secretary of State Condoleezza Rice as she offered apologies to the candidates.

The State Department said the Justice Department would be monitoring the probe in case it needs to get involved.

In Clinton's case, an individual last summer accessed her file as part of a training session involving another State Department worker. McCormack said the one-time violation was immediately recognized and the person was admonished.
[Evan] As part of a training session? What the….? Is it common practice to train employees/contractors with live confidential information? Bad.

Obama's records were accessed without permission on three separate occasions — Jan. 9, Feb. 21 and as recently as last week, on March 14.

McCain, who was in Paris on Friday, said any breach of passport privacy deserves an apology and a full investigation.
"The United States of America values everyone's privacy and corrective action should be taken," he said.
[Evan] Yes, especially when it is your own privacy!

Aside from the file, the information could allow critics to dig deeper into the candidates' private lives. While the file includes date and place of birth, address at time of application and the countries the person has traveled to, the most important detail would be their Social Security number, which can be used to pull credit reports and other personal information.

The violations were detected by internal State Department computer checks because certain records, including those of high-profile people, are "flagged" with a computer tag that tips off supervisors when someone tries to view the records without a proper reason.
[Evan] Excellent. It is good practice to log access attempts (successful and not) to confidential information. Of course you need to identify confidential information and classify it first, which is a huge challenge in a vast majority of companies. I think the government does a pretty good job of data classification however.

Former Independent Counsel Joseph diGenova said the firings of the contract employees will make the investigation more difficult because the inspector general can't compel them to talk.
[Evan] We have ways of making you talk! Seriously though. With all the resources at the disposal of the United States government, do you really think that officials won't be able to conduct a thorough investigation? Whether they will or not, or whether any details become public is another story.

Two companies that provide workers for the State Department say they fired or otherwise punished those who improperly accessed the passport records of the three major presidential candidates.

Stanley Inc., based in Arlington, Va., and The Analysis Corp., or TAC, of McLean, Va., said Friday that their employees' actions were unauthorized and not consistent with company policies.

Just this week, Stanley won a five-year, $570 million government contract extension to support passport services.

"When you have not just one but a series of attempts to tap into people's personal records, that's a problem not just for me but for how our government functions," Obama told reporters while campaigning in Portland, Ore. "I expect a full and thorough investigation. It should be done in conjunction with those congressional committees that have oversight function so it's not simply an internal matter."

From the Stanley, Inc. Official Company Statement:
Stanley manages more than 1,800 personnel including subcontractor personnel nationwide on contracts
assisting Department of State and other contract employees with production of over 18 million passports
annually.
[Evan] 18,000,000+ passports annually! We already know that there are trust issues with these four (both Stanley and TAC) contractors, does the potential exist for a breach of 18,000,000 records? Is the risk significant?

Prior to employment, Stanley and its subcontractor candidates undergo several background checks, including security and credit checks. Candidates are also subjected to a Government-sponsored background check. In addition, candidates receive training on the Privacy Act and are required to sign a Privacy Act acknowledgement prior to starting employment. This acknowledgement, among other items, indicates that any employee who knowingly obtains access to information under false pretense is subject to immediate dismissal and both civil and criminal prosecution.
[Evan] Obviously, some people don't care.

While this is a rare occurrence, we regret the unauthorized access of any individual's private information. Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama’s passport files. In each of these instances the employee was terminated the day the unauthorized search occurred.

At this time we are unaware of the involvement of any Stanley or subcontractor employees in the unauthorized searches of Senator John McCain’s or Senator Hillary Clinton’s passport files.

From the "Statement from The Analysis Corporation":
Late this morning, representatives of the Department of State informed The Analysis Corporation (TAC) for the first time that one of the individuals who had been detected inappropriately accessing passport files of prominent political figures was a TAC employee. The individual was working on contract at the Department of State.

This individual's actions were taken without the knowledge or direction of anyone at TAC and are wholly inconsistent with our professional and ethical standards.
[Evan] Classic attempt by the company to separate themselves from the incident in question. I hope that this is an obvious statement.

TAC has an exemplary record of supporting the Department of State and other elements of the U.S. Government for close to two decades. We are fully cooperating with the Department of State in its investigation. Specifically, we have honored the Department's request to delay taking any administrative action related to the employment of the individual in order to give the Department's Office of the Inspector General the opportunity to conduct its investigation.

We deeply regret that the incident occurred and believe it is an isolated incident.
[Evan] What are the chances of four contractors from two independent contracting companies accessing confidential information while on contract at the same organization? Isolated? Maybe, maybe not.

Commentary:
Well, now information security (and privacy) hits home with some very powerful people. This will almost certainly spur changes. More so than when "commoners" were the ones affected.

I am concerned that these series of reported incidents are part of a bigger problem at the Department of State. It's probably unlikely that someone is going steal Barack Obama's identity (do you think he will get the standard one year of free identity theft protection? [heh]). Employees and the risks involved with their identity and access management are some of the most challenging issues to deal with as an information security professional. Employees need a certain amount of access in order to perform tasks, but how do you detect when an employee decides to use their "legitimate" access for purposes outside of the scope of their duties? You maybe able to detect when they "do" abuse access rights, but how could you detect when they "decide" to?

Past Breaches:
Unknown

Oak Ridge National Laboratory visitor information exposed

Tue, 11 Dec 2007 10:45:21 +0000

Technorati Tag: Security Breach

Date Reported:
12/3/07

Organization:
UT-Battelle, LLC

Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*

*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory. ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source State Science and Technology Institute

Victims:
"visitors to the lab between 1990 and 2004"

Number Affected:
"about 12,000"

Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.

Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software consisting of keyloggers and other malicious software through a targeted phishing attack ("spear phishing"). The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14 year period.

Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page

Report Credit:
Oak Ridge National Laboratory

Response:
From the official breach notification site and sources cited above:

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.

"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason

The attack comprised approximately 1,100 targeted phishing attempts.

The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

"No classified information was lost"

"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."

Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.

"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure! Although we all need to be compliant, this doesn't mean that efforts should stop at that. Do you want to trust the security of your information to a Senator or other lawmaker?

"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false," - Application Security Vice President of Marketing and Strategy Ted Julian

"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."

it's likely that employee training about phishing attempts will be given renewed emphasis in the future in order to attempt to close down this particular avenue of data theft.

"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues," "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason

The lab has sent letters to about 12,000 potential victims.

"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason

Commentary:
Scary! Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government. I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory. IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.

Think about this for a minute. If I were going to attack a system in the United States without getting caught. Why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities? In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence. Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need? Highly unlikely. If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably orginated by one of the more educated "phishing gangs".

I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian in the fact that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness. People will be people, no matter what.

Final note, I am curious why ORNL needs to store Social Security numbers in the first place.

Past Breaches:
Unknown