[SecurityRatty] tag: stanley

Foundry Networks - Brocade's 3 billion dollar baby

Mon, 21 Jul 2008 20:03:53 +0000

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash. Actually the deal is valued at about 2.8 billion. However, Foundry has about 800 million or so in cash and liquid assets. So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash. That works out to about 2.7 billion. Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half. Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price. Pretty sweet!

The real question is what does Brocade do with this. With all of that debt, do they have what it takes to go on and take on Cisco now? The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market. What about the 7 dwarfs who currently compete in this market. Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves. They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link? Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants? I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.

Foundry Networks - Brocade's 3 billion dollar baby

Mon, 21 Jul 2008 19:04:10 +0000

Why even having health insurance is not enough anymore

Sun, 04 May 2008 11:13:07 +0000

Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security. I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care. Rising premiums, covering less procedures and care and charging more for prescriptions and medical care combine to put the bite on everyone. From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September. It was ambulatory surgery where she went in the morning and went home that afternoon/evening. Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k! When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could. I than had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation. We pay a good chunk of our employees insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger. Plus the insurance company covers less and less. This squeeze is frankly baffling. How can you pay more and get less.

3. I had a dental implant a few months back. Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it. My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area. So I had to an extra $600 dollars out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist. This one is perhaps the worst of all and really gets my goat. My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practices in orthodontics is to put braces on now in a phase 1 and than if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lesson the severity of what he would need later. OK, great lets do it, right? Wrong! Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600. That leaves a balance of $2400 that I have to pay. However, if I do it without insurance he would charge me $2400 and than I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket. What is wrong with that picture. Whether I have insurance or not, it still costs me $2400! This is fundamentally what is wrong with our health care system. The dentist is willing to accept $2400. He should take the $1200 from my insurance and I should pay him another $1200. Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plan are the answer either. Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what the do and what it is worth, not how to maximize what the insurance company pays and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.

Breach affects "ever student enrolled at Joliet West High School"

Thu, 10 Apr 2008 07:06:34 +0000

Technorati Tag: Security Breach

Date Reported:
4/10/08

Organization:
Joliet Township High Schools District 204

Contractor/Consultant/Branch:
Joliet West High School

Victims:
Students

Number Affected:
"every student enrolled at Joliet West High School"*

*According to the Joliet West High School Report Card there were 2,584 students enrolled in 2007

Types of Data:
Names and Social Security numbers

Breach Description:
"JOLIET -- Police say a student using a school computer last month was able to access personal information about every student enrolled at Joliet West High School."

Reference URL:
The Herald News

Report Credit:
Brian Stanley, The Herald News

Response:
From the online source cited above:

JOLIET -- Police say a student using a school computer last month was able to access personal information about every student enrolled at Joliet West High School.

The student allegedly downloaded a list of names and Social Security numbers to his iPod on March 7, according to reports.

Police Chief Fred Hayes said the school learned George C. Janecek, 18, had gotten the information after he showed it to other students who notified a teacher that day.

"Apparently, Janecek, who is in the school's ROTC program, has authorized access to a computer at the school to work on the ROTC Web site," said Hayes. "But he does not have authorized access to student data."
[Evan] I wonder. I doubt that Mr. Janacek circumvented (or some people call it "hacked") the systems to access the information. He may not have had explicit access, meaning nobody told him specifically that he is authorized to access the personal information, but I am guessing that he was "authorized", meaning that his user account was allowed access (due to process deficiencies, poor information security governance, whatever).

The school conducted an internal investigation which concluded March 13 when they notified Joliet police of the breach.

"We conducted an investigation that day and arrested Janecek on a misdemeanor charge of computer tampering," Hayes said.

Police seized the computer and iPod he reportedly used.

"Our investigation determined none of the data was used or disseminated," Hayes said.
[Evan] Really? How would the school's investigation determine this? Admittedly I have never forensically examined an iPod before, but I wonder how you could determine that the information was not transferred or disseminated elsewhere. Mr. Janacek must have been pretty proud of his conquest if he was bragging about it to other students.

School district spokeswoman Kristine Schlismann said the issue is a police matter.
[Evan] The singular issue in dealing with Mr. Janecek and his actions may be a police matter, but the school district should not discount the other issues that may exist around their information security program (if it exists).

"Investigators have assured us that there is no reason to believe that any accessed information was communicated to third parties," she said. "In compliance with the Illinois Personal Information Protection Act, a letter will be sent to any person whose personal information may have been obtained."

Commentary:
I assume that there are many many schools across the nation that do not adequately secure personal information. I am surprised that we don't hear about more breaches like this one. Assuming that they do occur, may be the schools are not even aware.

Past Breaches:
Unknown

A breach that hits home with 2008 presidential candidates

Sat, 22 Mar 2008 10:16:50 +0000

Technorati Tag: Security Breach

Date Reported:
3/20/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of State
Stanley, Inc.
The Analysis Corporation

Victims:
United States passport applicants

Number Affected:
Unknown*

*Prominent political figures such as Barack Obama, Hillary Clinton and John McCain were all affected. It is expected and assumed that there are more affected individuals, but due to the sensational nature of events, the full extent of the breach is not known.

Types of Data:
"It is not clear whether the employees saw anything other than the basic personal data such as name, citizenship, age, Social Security number and place of birth, which is required when a person fills out a passport application."

Breach Description:
"The passport files of all three major presidential candidates were breached by unauthorized searches by four employees, the State Department said yesterday, prompting apologies from Secretary of State Condoleezza Rice, outrage from the candidates and calls by lawmakers for further probes."

Reference URL:
MSNBC News Story
Associated Press Story
Stanley, Inc. Official Company Statement
Statement from The Analysis Corporation

Report Credit:
Associated Press, posted to The Breach Blog through the kind urging of an informed reader

Response:
From the online sources cited above:

State Department employees snooped through the passport files of three presidential candidates — Sens. Barack Obama, Hillary Rodham Clinton and John McCain — and the department's inspector general is investigating.
[Evan] The Inspector General job is still vacant. Would you want this job? If so, you may have to call them. I don't see a job description or a posting on Monster.com.

State Department spokesman Sean McCormack said the violations of McCain and Clinton's passport files were not discovered until Friday, after officials were made aware of the unauthorized access of Obama's records and a separate search was conducted.
[Evan] Are we safe to assume that the unauthorized access to McCain and Clinton's passport files would have gone unnoticed without the discovery of the Obama access?

The incidents raise questions as to whether the information was accessed for political purposes and why two contractors involved in the Obama search were dismissed before investigators had a chance to interview them.

McCormack said one of the individuals who accessed Obama's files also reviewed McCain's file earlier this year. This contract employee has been reprimanded, but not fired. The individual no longer has access to passport records, he said.

"I can assure you that person's going to be at the top of the list of the inspector general when they talk to people, and we are currently reviewing our (disciplinary) options with respect to that person," McCormack said.

Secretary of State Condoleezza Rice spoke with all three candicates on Friday and expressed her regrets.

After speaking with Obama, Rice told reporters: "I told him that I was sorry, and I told him that I myself would be very disturbed."

"None of us wants to have a circumstance in which any American's passport file is looked at in an unauthorized way," said Secretary of State Condoleezza Rice as she offered apologies to the candidates.

The State Department said the Justice Department would be monitoring the probe in case it needs to get involved.

In Clinton's case, an individual last summer accessed her file as part of a training session involving another State Department worker. McCormack said the one-time violation was immediately recognized and the person was admonished.
[Evan] As part of a training session? What the….? Is it common practice to train employees/contractors with live confidential information? Bad.

Obama's records were accessed without permission on three separate occasions — Jan. 9, Feb. 21 and as recently as last week, on March 14.

McCain, who was in Paris on Friday, said any breach of passport privacy deserves an apology and a full investigation.
"The United States of America values everyone's privacy and corrective action should be taken," he said.
[Evan] Yes, especially when it is your own privacy!

Aside from the file, the information could allow critics to dig deeper into the candidates' private lives. While the file includes date and place of birth, address at time of application and the countries the person has traveled to, the most important detail would be their Social Security number, which can be used to pull credit reports and other personal information.

The violations were detected by internal State Department computer checks because certain records, including those of high-profile people, are "flagged" with a computer tag that tips off supervisors when someone tries to view the records without a proper reason.
[Evan] Excellent. It is good practice to log access attempts (successful and not) to confidential information. Of course you need to identify confidential information and classify it first, which is a huge challenge in a vast majority of companies. I think the government does a pretty good job of data classification however.

Former Independent Counsel Joseph diGenova said the firings of the contract employees will make the investigation more difficult because the inspector general can't compel them to talk.
[Evan] We have ways of making you talk! Seriously though. With all the resources at the disposal of the United States government, do you really think that officials won't be able to conduct a thorough investigation? Whether they will or not, or whether any details become public is another story.

Two companies that provide workers for the State Department say they fired or otherwise punished those who improperly accessed the passport records of the three major presidential candidates.

Stanley Inc., based in Arlington, Va., and The Analysis Corp., or TAC, of McLean, Va., said Friday that their employees' actions were unauthorized and not consistent with company policies.

Just this week, Stanley won a five-year, $570 million government contract extension to support passport services.

"When you have not just one but a series of attempts to tap into people's personal records, that's a problem not just for me but for how our government functions," Obama told reporters while campaigning in Portland, Ore. "I expect a full and thorough investigation. It should be done in conjunction with those congressional committees that have oversight function so it's not simply an internal matter."

From the Stanley, Inc. Official Company Statement:
Stanley manages more than 1,800 personnel including subcontractor personnel nationwide on contracts
assisting Department of State and other contract employees with production of over 18 million passports
annually.
[Evan] 18,000,000+ passports annually! We already know that there are trust issues with these four (both Stanley and TAC) contractors, does the potential exist for a breach of 18,000,000 records? Is the risk significant?

Prior to employment, Stanley and its subcontractor candidates undergo several background checks, including security and credit checks. Candidates are also subjected to a Government-sponsored background check. In addition, candidates receive training on the Privacy Act and are required to sign a Privacy Act acknowledgement prior to starting employment. This acknowledgement, among other items, indicates that any employee who knowingly obtains access to information under false pretense is subject to immediate dismissal and both civil and criminal prosecution.
[Evan] Obviously, some people don't care.

While this is a rare occurrence, we regret the unauthorized access of any individual's private information. Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama’s passport files. In each of these instances the employee was terminated the day the unauthorized search occurred.

At this time we are unaware of the involvement of any Stanley or subcontractor employees in the unauthorized searches of Senator John McCain’s or Senator Hillary Clinton’s passport files.

From the "Statement from The Analysis Corporation":
Late this morning, representatives of the Department of State informed The Analysis Corporation (TAC) for the first time that one of the individuals who had been detected inappropriately accessing passport files of prominent political figures was a TAC employee. The individual was working on contract at the Department of State.

This individual's actions were taken without the knowledge or direction of anyone at TAC and are wholly inconsistent with our professional and ethical standards.
[Evan] Classic attempt by the company to separate themselves from the incident in question. I hope that this is an obvious statement.

TAC has an exemplary record of supporting the Department of State and other elements of the U.S. Government for close to two decades. We are fully cooperating with the Department of State in its investigation. Specifically, we have honored the Department's request to delay taking any administrative action related to the employment of the individual in order to give the Department's Office of the Inspector General the opportunity to conduct its investigation.

We deeply regret that the incident occurred and believe it is an isolated incident.
[Evan] What are the chances of four contractors from two independent contracting companies accessing confidential information while on contract at the same organization? Isolated? Maybe, maybe not.

Commentary:
Well, now information security (and privacy) hits home with some very powerful people. This will almost certainly spur changes. More so than when "commoners" were the ones affected.

I am concerned that these series of reported incidents are part of a bigger problem at the Department of State. It's probably unlikely that someone is going steal Barack Obama's identity (do you think he will get the standard one year of free identity theft protection? [heh]). Employees and the risks involved with their identity and access management are some of the most challenging issues to deal with as an information security professional. Employees need a certain amount of access in order to perform tasks, but how do you detect when an employee decides to use their "legitimate" access for purposes outside of the scope of their duties? You maybe able to detect when they "do" abuse access rights, but how could you detect when they "decide" to?

Past Breaches:
Unknown

Nevada Department of Public Safety applicants exposed

Fri, 07 Mar 2008 07:20:48 +0000

Technorati Tag: Security Breach

Date Reported:
3/4/08

Organization:
State of Nevada

Contractor/Consultant/Branch:
Nevada Department of Public Safety
Crown, Stanley and Silverman

Victims:
Job applicants

Number Affected:
~300

Types of Data:
Names, addresses, Social Security numbers, and other personal information required for thorough background checks.

Breach Description:
"A private firm working for the Nevada Department of Public Safety has lost personal information provided by 109 individuals seeking jobs with the agency."

Reference URL:
KTVN Channel 2 News
Las Vegas Review-Journal
The Houston Chronicle

Report Credit:
KTVN Channel 2 News

Response:
From the online sources cited above:

Crown, Stanley and Silverman (CSS), a company contracted by The Nevada Department of Public Safety (DPS), has lost personal background information on 109 people.

CSS was conducting background checks on applicants for DPS positions.
[Evan] Crown, Stanley and Silverman does not appear to have a web site, but their Reno business license information can be found here.

The information was stored on a portable computer memory device (thumb drive) that was owned by an employee of CSS.

The DPS is in the process of notifying the 109 applicants that personal information about them, including their social security numbers, addresses and background check information about them has been lost.

The DPS has ordered CSS to cease all background check activities and to return all files to DPS.

The DPS has suspended the use of outside vendors for background checks while a review of processes and procedures is conducted.
[Evan] This seems like a prudent decision.

There is currently no indication the data that was lost has been used for any unlawful purpose.

From the Crown, Stanley and Silverman statement:
The drive contained unencrypted personal information of approximately 300 individuals.
[Evan] The Nevada DPS reports 109 people and Crown, Stanley and Silverman reports 300. Are there actually 300 affected individuals related to Nevada DPS, or was Crown Stanley and Silverman not segmenting client data on separate devices and another organization involved?

"We deeply regret this incident," said Gina Crown, President of the firm.

"Crown, Stanley and Silverman is deeply committed to protecting the privacy and security of all the personal information that is entrusted to us by our clients and generated in the course of our investigations. We are currently reviewing all of our security processes, and we are strengthening our processes to help ensure that this incident will not reoccur," she said.
[Evan] Much of Crown, Stanley and Silverman's work is with sensitive personal information. Using confidential information provides much of the basis of their company.

Commentary:
Crown, Stanley and Silverman is a security investigative services company. It seems like many of these companies are staffed by ex-law enforcement personnel, and I wonder how many of them have ever received formal information security training.

Obviously (maybe not so much), using thumb drives for the storage and transportation of confidential personal information is discouraged in many circumstances. IF the business benefit provided by using thumb drives is too great, then at least use encryption to reduce the risk of exposure.

Past Breaches:
November, 2007 - 470 missing CDs with State of Nevada payroll information

Are fund managers really overcompensated?

Fri, 11 Aug 2006 03:55:00 +0000

CFA Magazine recently published an interview with Barton Biggs in its July-August 2006 Issue. Mr. Biggs has been with Morgan Stanley for 30 years acting as chief global strategist and is well respected by Wall Street. In 2003, He retired from Morgan Stanley to form Traxis Partners (hedge fund) with colleagues. In the interview, the following quote struck me the most...

"The hedge fund is another way for people to run money. It happens to be a way in which there are high fees charged. Eventually, the sheer size of the money going into hedge funds and the number of hedge funds that exist are going to inevitably result in a decline in hedge fund fees. In fact, my guess is that compensation across the investment management business is beginning a secular decline. It's the most overcompensated business in the world. Never have so many been paid so much for adding so little. It's an evolutionary process."

I am aware that competition forces fees in a downward trend and compensation will surely follow. But I still don't see the evidence of this happening at the moment based on the postings I see in jobs boards and the number of fresh grads wanting to go into the business (because it pays well).

I think it's all a matter of supply and demand. As more and more fund managers are needed, it becomes more difficult to get really good managers. The lack of supply raises the price for talents. The lack of supply also forces some funds to employ sub-standard managers (whether intentional or not) which results into Mr. Biggs observation of so little value added.

Some articles about Barton Biggs:
Morgan Stanley
Turtle Trader
Weeden & Co.

Tags: finance investing hedge funds CFA