<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: tape]]></title>
    <link>http://securityratty.com/tag/tape</link>
    <description></description>
    <pubDate>Thu, 17 Jul 2008 19:35:59 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[What would you do if you knew the Air Marshal on your plane was smuggling Drugs?]]></title>
      <link>http://securityratty.com/article/6902b40b209c72e9190f6544d2968f20</link>
      <guid>http://securityratty.com/article/6902b40b209c72e9190f6544d2968f20</guid>
      <description><![CDATA[According to a recent USA TODAY article, Federal Air Marshals have been convicted of smuggling drugs, molesting children, abducting a female escort during a layover in Washington D.C., hiring a hitman...]]></description>
      <content:encoded><![CDATA[According to a recent USA TODAY article, Federal Air Marshals have been convicted of smuggling drugs, molesting children, abducting a female escort during a layover in Washington D.C., hiring a hitman to kill a spouse and many other criminal acts. <br /><span id="fullpost"><br />The ex-Air Marshal who was convicted of smuggling drugs apparently used his position to work with a drug dealer to carry cocaine and drug money with him on flights around the country.  He was caught on tape telling an informant that he was "the man with the Golden Badge".<br /></span><br />We should remember though, that with a current force of between 3,000 - 4,000 (exact numbers are confidential), there are bound to be a few bad apples in the bunch - that is the way in every profession.  <br /><br />What makes it much more alarming when we talk about Air Marshals gone bad is the fact that at 30,000 feet in the air - their authority is absolute.  The last thing a passenger in a plane needs to be concerned about is the very person on the plane whose job it is to protect the passengers.<br /><br />The Marshal's decision making skills should be beyond reproach.  If their judgement is clouded over however, due to experimenting with the cocaine they are smuggling, the consequences could prove fatal.<br /><br />Perhaps the fact that prior to 2001, the Air Marshal service had an annual budget of $4.4 million and 33 agents which exploded to $786 million and between 3,000 to 4,000 agents today might have something to do with undesirables falling through the cracks.<br /><br />Not that rapid hiring needs are an excuse for allowing criminal behavior to go unnoticed.  The office of Inspector General or Internal Affairs needs to get actively involved and properly supervise the agency so that rogue Marshals are not allowed to remain in the service.]]></content:encoded>
      <pubDate>Sat, 15 Nov 2008 20:34:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/air">air</category>
      <category domain="http://securityratty.com/tag/air marshals">air marshals</category>
      <category domain="http://securityratty.com/tag/federal air marshals">federal air marshals</category>
      <category domain="http://securityratty.com/tag/marshal">marshal</category>
      <category domain="http://securityratty.com/tag/air marshal service">air marshal service</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/drugs">drugs</category>
      <category domain="http://securityratty.com/tag/ex-air marshal">ex-air marshal</category>
      <category domain="http://securityratty.com/tag/plane">plane</category>
      <source url="http://www.thebulletproofblog.com/2008/11/what-would-you-do-if-you-knew-air.html">What would you do if you knew the Air Marshal on your plane was smuggling Drugs?</source>
    </item>
    <item>
      <title><![CDATA[How IT Helped Catch the Jewelry Thief]]></title>
      <link>http://securityratty.com/article/2661a868b920f794abd44736f49e39cb</link>
      <guid>http://securityratty.com/article/2661a868b920f794abd44736f49e39cb</guid>
      <description><![CDATA[It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the...]]></description>
      <content:encoded><![CDATA[It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it.]]></content:encoded>
      <pubDate>Tue, 11 Nov 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/surveillance tape">surveillance tape</category>
      <category domain="http://securityratty.com/tag/tape">tape</category>
      <category domain="http://securityratty.com/tag/bad guys">bad guys</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/review">review</category>
      <category domain="http://securityratty.com/tag/clues">clues</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/thieves">thieves</category>
      <category domain="http://securityratty.com/tag/robbery">robbery</category>
      <source url="http://www.networkworld.com/news/2008/111208-how-it-helped-catch-the.html?fsrc=rss-security">How IT Helped Catch the Jewelry Thief</source>
    </item>
    <item>
      <title><![CDATA[A New Way to Back Up Digital Files on paper]]></title>
      <link>http://securityratty.com/article/f29b43ae964909cbeacf815e65f8018e</link>
      <guid>http://securityratty.com/article/f29b43ae964909cbeacf815e65f8018e</guid>
      <description><![CDATA[This is pretty funny - a free open source application where you can back up your data by printing it, on paper, in a bar code format. A friend of mine says he tried it and that it even works -
PaperBack is...]]></description>
      <content:encoded><![CDATA[<p>This is pretty funny &#8212; a free open source application where you can back up your data by printing it, on paper, in a bar code format. A friend of mine says he tried it and that it even works &#8211;</p>
<blockquote><p>PaperBack is a free application that allows you to back up your precious files on the ordinary paper in the form of the oversized bitmaps. If you have a good laser printer with the 600 dpi resolution, you can save up to 500,000 bytes of uncompressed data on the single A4/Letter sheet. Integrated packer allows for much better data density - up to 3,000,000+ (three megabytes) of C code per page.</p>
<p>You may ask - why? Why, for heaven&#8217;s sake, do I need to make paper backups, if there are so many alternative possibilities like CD-R&#8217;s, DVD±R&#8217;s, memory sticks, flash cards, hard disks, streamer tapes, ZIP drives, network storages, magnetooptical cartridges, and even 8-inch double-sided floppy disks formatted for DEC PDP-11? (I still have some). The answer is simple: you don&#8217;t. However, by looking on CD or magnetic tape, you are not able to tell whether your data is readable or not. You must insert your medium into the drive (if you have one!) and try to read it.</p>
<p>Paper is different. Do you remember the punched cards? EBCDIC and all this stuff. For years, cards were the main storage medium for the source code. I agree that 100K+ programs were&#8230; unhandly, but hey, only real programmers dared to write applications of this size. And used cards were good as notepads, too. Punched tapes were also common. And even the most weird codings, like CDC or EBCDIC, were readable by humans (I mean, by real programmers).</p></blockquote>
<p>Read the <a rel="nofollow" target="_blank" href="http://www.ollydbg.de/Paperbak/index.html">whole thing here.<br />
</a></p>]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 04:28:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/paper">paper</category>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/source code">source code</category>
      <category domain="http://securityratty.com/tag/paper backups">paper backups</category>
      <category domain="http://securityratty.com/tag/real programmers dared">real programmers dared</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data density">data density</category>
      <category domain="http://securityratty.com/tag/real programmers">real programmers</category>
      <category domain="http://securityratty.com/tag/flash cards">flash cards</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/383345885/">A New Way to Back Up Digital Files on paper</source>
    </item>
    <item>
      <title><![CDATA[Don't Panic]]></title>
      <link>http://securityratty.com/article/171b434e504b03e183525367f4118cdd</link>
      <guid>http://securityratty.com/article/171b434e504b03e183525367f4118cdd</guid>
      <description><![CDATA[Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some...]]></description>
      <content:encoded><![CDATA[
        Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.<br /><br />In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/mixtape1.html" onclick="window.open('http://blog.spywareguide.com/images/mixtape1.html','popup','width=895,height=493,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/mixtape1-thumb-395x217.gif" alt="mixtape1.gif" class="mt-image-none" style="" height="217" width="395" /></a></span><br /><br /></div><br />As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. 
Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the <a href="http://www.spywarewarrior.com/rogue_anti-spyware.htm">Rogue Antispyware list</a>, some of them not on the list but known to be of little worth to the end-user.<br /><br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/mixtape2.html" onclick="window.open('http://blog.spywareguide.com/images/mixtape2.html','popup','width=757,height=457,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://blog.spywareguide.com/images/mixtape2-thumb-357x215.gif" alt="mixtape2.gif" class="mt-image-none" style="" height="215" width="357" /></a></span><br /> </div><div><br />In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with <a href="http://adblockplus.org/en/">Adblock Plus</a>, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.<br /><br />Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that <i>do</i> resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manager to close your browser session.<br /></div>
        
    ]]></content:encoded>
      <pubDate>Fri, 29 Aug 2008 13:03:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mediafire link">mediafire link</category>
      <category domain="http://securityratty.com/tag/link">link</category>
      <category domain="http://securityratty.com/tag/browser">browser</category>
      <category domain="http://securityratty.com/tag/mediafire">mediafire</category>
      <category domain="http://securityratty.com/tag/browser session">browser session</category>
      <category domain="http://securityratty.com/tag/rap mix-tape supposedly">rap mix-tape supposedly</category>
      <category domain="http://securityratty.com/tag/mix-tape">mix-tape</category>
      <category domain="http://securityratty.com/tag/mediafire logo">mediafire logo</category>
      <category domain="http://securityratty.com/tag/browser compatible">browser compatible</category>
      <source url="http://blog.spywareguide.com/2008/08/dont-panic.html">Don't Panic</source>
    </item>
    <item>
      <title><![CDATA[IBM Raises The Stakes In Business and IT Continuity Services]]></title>
      <link>http://securityratty.com/article/a92cdf5dd8f2018462a4657fa7e717b8</link>
      <guid>http://securityratty.com/article/a92cdf5dd8f2018462a4657fa7e717b8</guid>
      <description><![CDATA[IBM announced today that it was spending US$300 million to build out 13 data centers in 10 countries in 2008 - IBM refers to these sites as &quot;Business Resilience service delivery centers&quot;. These...]]></description>
      <content:encoded><![CDATA[<p><img title="Stephanie Balaouras" alt="Stephanie Balaouras" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Stephanie-Balaouras.gif" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></p>

<p><a href="http://www-03.ibm.com/press/us/en/pressrelease/24957.wss">IBM announced today that it was spending US$300 million to build out 13 data centers in 10 countries in 2008 - IBM refers to these sites as &quot;Business Resilience service delivery centers&quot;.</a> These centers will certainly help IBM deliver more of its traditional IT recovery services, but they will also support the next generation of IT continuity services - repeatable, scalable, productized services such as online backup and virtual recovery.&nbsp; These types of services don't require massive capital investment in an inventory of heterogeneous server and storage platforms; instead, the service provider can focus its efforts on building a scalable pool of virtualized servers and shared storage built with industry standard components.</p>

<p><a href="http://www.forrester.com/go?docid=42947">Online backup is an important service because it provides an affordable information protection service for small and medium businesses, and it's even useful for enterprises as a means to back up PCs corporate-wide as well as small servers at remote locations.</a> In addition to the $300 million that IBM is spending on its new resiliency centers, late in 2008, it acquired <a href="http://blogs.forrester.com/it_infrastructure/2007/12/online-backup-m.html">Arsenal Digital Solutions</a>, one of the major players in online backup. </p>

<p>In addition to online backup, recovery services using software-based replication to a cloud infrastructure will also open up new opportunities. These services will provide a much better recovery time and recovery point than tape-based services but won't cost nearly as much as custom services based on storage-based replication and dedicated hardware. The cost of those custom services is more than most small and medium, and even some large, enterprises can or are willing to pay. SunGard was the first to announce such a productized service; <a href="http://blogs.forrester.com/srm/2008/08/traditional-dis.html">Forrester expects all the traditional DR service providers to bring similar offerings to market over time.</a></p>

<p>These cloud-based service offerings are important for several other reasons: first, they could help stem the tide of enterprises who are so fed up with the traditional disaster recovery services model that they take DR back in house; second, they could convince more medium-size businesses that they can afford more advanced IT continuity solutions; and lastly, they will help protect the providers' market against new competitors who can simply partner with cloud providers such as Amazon S3 and Google to offer similar services.</p>

<p>IBM is not only using its expansion and acquisitions to stay competitive; it's also hoping that customers will recognize the value of IBM expertise, process and best practices in BC. </p>

<p>What do you think? Are the reputation and expertise of BC and IT Continuity service providers like IBM and SunGard critical in your decision-making, or can new players enter the market? Do these lower-cost services that offer better RTO and RPO renew your interest in service providers, or do you still plan to keep DR in-house?</p>

<p>I welcome your thoughts.</p>]]></content:encoded>
      <pubDate>Fri, 22 Aug 2008 11:38:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/recovery">recovery</category>
      <category domain="http://securityratty.com/tag/recovery services">recovery services</category>
      <category domain="http://securityratty.com/tag/continuity services">continuity services</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/ibm">ibm</category>
      <category domain="http://securityratty.com/tag/service provider">service provider</category>
      <category domain="http://securityratty.com/tag/service offerings">service offerings</category>
      <category domain="http://securityratty.com/tag/cost">cost</category>
      <source url="http://blogs.forrester.com/srm/2008/08/ibm-raises-the.html">IBM Raises The Stakes In Business and IT Continuity Services</source>
    </item>
    <item>
      <title><![CDATA[Traditional Disaster Recovery Services Are Dead]]></title>
      <link>http://securityratty.com/article/91a8e062482df48ac9d61748458d67d9</link>
      <guid>http://securityratty.com/article/91a8e062482df48ac9d61748458d67d9</guid>
      <description><![CDATA[If you still subscribe to fixed site recovery services using shared IT infrastructure from the likes of HP, IBM BCRS, or SunGard, among others, you will quickly become a dinosaur in the next 1 to 2...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Stephanie Balaouras" alt="Stephanie Balaouras" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Stephanie-Balaouras.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>

<p><span style="font-size: 10pt; font-family: Arial;">If you still subscribe to fixed site recovery services using shared IT infrastructure from the likes of HP, IBM BCRS, or SunGard, among others, you will quickly become a dinosaur in the next 1 to 2 years. </span></p>

<p><span style="font-size: 10pt; font-family: Arial;">These types of shared infrastructure services involve lengthy restores from tape and a recovery time objective of 72 hours, at best. Plus, you'll be lucky if you recover at all because chances are, you've had trouble scheduling a test with your service provider and it's been a LONG time since the last one, if indeed you’ve ever tested. </span></p>

<p><span style="font-size: 10pt; font-family: Arial;"><a href="http://www.forrester.com/go?docid=46270">72-hour recovery just doesn't cut it anymore</a>. And frankly, understanding your provider's oversubscription ratio to shared infrastructure to determine the risk of multiple invocations, or attempting to negotiate exclusion zones and availability guarantees, is a time suck. Most companies are either taking DR back in-house or, if they still rely on a DR service provider, they are using dedicated infrastructure.</span></p>

<p><span style="font-size: 10pt; font-family: Arial;">A dedicated infrastructure is attractive as it enables replication to improve recovery objectives. But it’s expensive, and puts advanced IT recovery out of the reach of many companies who can't measure downtime in millions of dollars.</span></p>



<p><span style="font-size: 10pt; font-family: Arial;">But there are new services on the horizon that will make advanced IT recovery affordable for the masses. This month SunGard announced the availability of its new Virtual Server Replication Service. As I discussed in my most recent <a href="http://www.forrester.com/go?docid=44878">Forrester Wave™ of DR Service Providers</a> and <a href="http://www.forrester.com/go?docid=42944">other reports</a>, server virtualization is transforming IT recovery. With replication to a virtualized server infrastructure and shared storage infrastructure, customers can enjoy improved recovery-time and recovery-point objectives without the cost of dedicated and custom IT recovery solutions from the DR services provider. SunGard is the first DR service provider to productize these virtual services. I expect other DR service providers to follow suit. <br /></span></p>

<p><span style="font-size: 10pt; font-family: Arial;">So, the next time your contract is up for renewal, you need to completely rethink your approach to IT recovery. Get off tape and move to these new virtual services. It will improve your recovery capabilities and you don't have to worry about the oversubscription issue with shared virtual infrastructure -- the DR provider can manage capacity much more easily in this environment. In fact, SunGard is offering an RTO SLA of 6 hours as part of the offering. To my knowledge, this is the first time a DR service provider is offering this as part of a standard contract. I'm looking forward to the day when vendors will offer most services with transparent, subscription-based pricing, and standard contract terms that don't take a team of procurement professionals to negotiate.</span></p>]]></content:encoded>
      <pubDate>Wed, 06 Aug 2008 13:06:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/recovery">recovery</category>
      <category domain="http://securityratty.com/tag/recovery time objective">recovery time objective</category>
      <category domain="http://securityratty.com/tag/recovery-time">recovery-time</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/recovery affordable">recovery affordable</category>
      <category domain="http://securityratty.com/tag/recovery capabilities">recovery capabilities</category>
      <category domain="http://securityratty.com/tag/recovery solutions">recovery solutions</category>
      <category domain="http://securityratty.com/tag/provider">provider</category>
      <category domain="http://securityratty.com/tag/recovery-point objectives">recovery-point objectives</category>
      <source url="http://blogs.forrester.com/srm/2008/08/traditional-dis.html">Traditional Disaster Recovery Services Are Dead</source>
    </item>
    <item>
      <title><![CDATA[Stolen tape puts Bristol-Myers employee data at risk]]></title>
      <link>http://securityratty.com/article/2d32a1f13716753f4c91322fa8204ecb</link>
      <guid>http://securityratty.com/article/2d32a1f13716753f4c91322fa8204ecb</guid>
      <description><![CDATA[Bristol-Myers Squibb confirmed that a backup tape containing personal information on employees, former employees and their families was stolen last month from a third-party transport...]]></description>
      <content:encoded><![CDATA[Bristol-Myers Squibb confirmed that a backup tape containing personal information on employees, former employees and their families was stolen last month from a third-party transport vehicle.
]]></content:encoded>
      <pubDate>Tue, 22 Jul 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/third-party transport vehicle">third-party transport vehicle</category>
      <category domain="http://securityratty.com/tag/employees">employees</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/backup tape">backup tape</category>
      <category domain="http://securityratty.com/tag/bristol-myers squibb">bristol-myers squibb</category>
      <category domain="http://securityratty.com/tag/month">month</category>
      <category domain="http://securityratty.com/tag/families">families</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/342950935/article.do">Stolen tape puts Bristol-Myers employee data at risk</source>
    </item>
    <item>
      <title><![CDATA[Stolen tape puts Bristol-Myers employee data at risk]]></title>
      <link>http://securityratty.com/article/6a4a4f19d77711407bab858843676e0c</link>
      <guid>http://securityratty.com/article/6a4a4f19d77711407bab858843676e0c</guid>
      <description><![CDATA[Bristol-Myers Squibb Co. officials last week confirmed that a non-encrypted backup tape containing the personal data of current and former-employees and their dependents was stolen June 4 from a...]]></description>
      <content:encoded><![CDATA[Bristol-Myers Squibb Co. officials last week confirmed that a non-encrypted backup tape containing the personal data of current and former-employees and their dependents was stolen June 4 from a delivery truck carrying the device.]]></content:encoded>
      <pubDate>Mon, 21 Jul 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal data">personal data</category>
      <category domain="http://securityratty.com/tag/bristol-myers squibb">bristol-myers squibb</category>
      <category domain="http://securityratty.com/tag/delivery truck">delivery truck</category>
      <category domain="http://securityratty.com/tag/backup tape">backup tape</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <category domain="http://securityratty.com/tag/dependents">dependents</category>
      <category domain="http://securityratty.com/tag/device">device</category>
      <category domain="http://securityratty.com/tag/june">june</category>
      <source url="http://www.networkworld.com/news/2008/072208-stolen-tape-puts-bristol-myers-employee.html?fsrc=rss-security">Stolen tape puts Bristol-Myers employee data at risk</source>
    </item>
    <item>
      <title><![CDATA[Backup tape is stolen from Bristol-Myers Squibb]]></title>
      <link>http://securityratty.com/article/911478f22f756b8e8513c59d7f720d18</link>
      <guid>http://securityratty.com/article/911478f22f756b8e8513c59d7f720d18</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/17/08

Organization
Bristol-Myers Squibb Co. (&quot;BMS

Contractor/Consultant/Branch
Unknown

Victims
Current and former employees and some dependants
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/bms.jpg" width="198" align="right" height="160"><font size="2"><b>Date Reported: </b><br>7/17/08<br><br><b>Organization: </b><br><a href="http://www.bms.com/landing/data/index.html">Bristol-Myers Squibb Co. ("BMS")</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unknown<br><br><span style="font-weight: bold;">Victims:</span><br>Current and former employees and some dependants<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown*<br><br><font size="1">*Bristol-Myers Squibb had "about 42,000 employees as of Dec. 31, the last date for which work force figures were available in regulatory filings.", Source: <a href="http://money.cnn.com/news/newsfeeds/articles/djf500/200807171514DOWJONESDJONLINE000844_FORTUNE5.htm">CNN Money</a></font> <br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances bank account information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage.&nbsp; Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.pharmalot.com/wp-content/uploads/2008/07/bms_letter.pdf">Pharmalot (copy of notification letter)</a> <br><a href="http://www.pharmalot.com/2008/07/bristol-myers-security-breach-hits-untold-thousands/">Pharmalot</a> <br><a href="http://money.cnn.com/news/newsfeeds/articles/djf500/200807171514DOWJONESDJONLINE000844_FORTUNE5.htm">CNNMoney</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Ed Silverman, 
Pharmalot<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>The drugmaker sent letters over the past week saying a data tape containing reams of personal information was stolen several weeks ago<br><br>On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage. <br><span style="font-style: italic;">[Evan] This statement prompted me to list the contractor as "unknown" instead of "none".&nbsp; I presume that the data tape was being transported by a third-party vendor when it was stolen.&nbsp; I am looking for more information on this.</span><br><br>Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees, such as name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances, bank account information.<br><span style="font-style: italic;">[Evan] Ugh, this looks like very sensitive HR and benefits data.</span><br><br>The names, addresses, and Social Security numbers of some employee dependents also were included on the tape.<br><br>an untold number of current and former employees - and their dependents - could be affected<br><br>BMS has initiated an investigation of this incident.<br><br>To date, BMS has no reason to believe that any of your personal information has been inappropriately accessed from the data tape by an unauthorized party, or that any identity theft, fraud or misuse of your personal information has occurred.<br><span style="font-style: italic;">[Evan] I agree with most of this statement except for the "misuse" part.&nbsp; There may be no evidence of misuse post stolen tape, but there may be an argument for misuse by BMS themselves.&nbsp; BMS is the data custodian in this scenario, not the data owner.&nbsp; If a data 
custodian does not care for the owner's information in a manner that is expected or communicated, does it constitute misuse?</span><br><br>In addition, there is no evidence that the data tape or the information contained on it was the target of the theft.<br><span style="font-style: italic;">[Evan] I am interested in knowing more about who was transporting the tape and whether or not other items were taken.</span><br><br>As a precaution, to help you detect any possible misuse of your data, BMS has arranged for you to enroll in credit monitoring for one full year, at no cost to you.<br><span style="font-style: italic;">[Evan] There is that "misuse" mention again.&nbsp; One year of free credit monitoring does nothing to protect a victim against fraud that occurs after one year, supposing the victim does not renew at his/her own expense.&nbsp; I wonder how many people renew on average.</span><br><br>If you have any questions, you may call the dedicated Privacy Help Line at 1-877-214-0689.&nbsp; Our representatives will be available to assist you Monday through Friday, between 8 a.m. and 5 p.m. ET.<br><br>the drugmaker is issuing this statement: "Bristol-Myers Squibb regrets that this incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape. We are committed to protecting the privacy and security of employee and dependent information. 
Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."<br><br>Protecting the privacy and security of your information is extremely important to us.<br><br>In this regard, BMS wishes to reiterate that it does not have any evidence indicating that your personal information has been misused.<br><span style="font-style: italic;">[Evan] Another "misuse" mention.</span><br><br>the company is taking appropriate remedial steps, including enhancing security protocols regarding the handling of personal information and our back-up data tapes.<br><span style="font-style: italic;">[Evan] Like what? Encryption maybe?</span><br><br>On behalf of BMS, I apologize for any inconvenience or concern that this matter may cause for you.<br><br><span style="font-weight: bold;">Commentary:</span><br>I couldn't find any mention about encryption or whether or not police were called.&nbsp; You would think that a large, well-respected company like Bristol-Myers Squibb encrypts confidential data on tape, right? <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font><br>
]]></content:encoded>
      <pubDate>Fri, 18 Jul 2008 07:26:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tape">tape</category>
      <category domain="http://securityratty.com/tag/back-up data tape">back-up data tape</category>
      <category domain="http://securityratty.com/tag/data tape">data tape</category>
      <category domain="http://securityratty.com/tag/owner">owner</category>
      <category domain="http://securityratty.com/tag/data owner">data owner</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/bristol-myers squibb">bristol-myers squibb</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <source url="http://breachblog.com/2008/07/18/bms.aspx">Backup tape is stolen from Bristol-Myers Squibb</source>
    </item>
    <item>
      <title><![CDATA[Backup Tape With Private Details Stolen From Greensboro Gynecology Associates]]></title>
      <link>http://securityratty.com/article/7ae3b6b68e5e21daa4a091e5ff7a6fbd</link>
      <guid>http://securityratty.com/article/7ae3b6b68e5e21daa4a091e5ff7a6fbd</guid>
      <description><![CDATA[Patients at a Greensboro doctors office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients,...]]></description>
      <content:encoded><![CDATA[Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren&#8217;t postmarked [...]]]></content:encoded>
      <pubDate>Thu, 17 Jul 2008 19:35:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/greensboro gynecology">greensboro gynecology</category>
      <category domain="http://securityratty.com/tag/backup tape">backup tape</category>
      <category domain="http://securityratty.com/tag/greensboro doctors office">greensboro doctors office</category>
      <category domain="http://securityratty.com/tag/computer database">computer database</category>
      <category domain="http://securityratty.com/tag/letter">letter</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/patients">patients</category>
      <category domain="http://securityratty.com/tag/letters">letters</category>
      <source url="http://cyberinsecure.com/backup-tape-with-private-details-stolen-from-greensboro-gynecology-associates/">Backup Tape With Private Details Stolen From Greensboro Gynecology Associates</source>
    </item>
  </channel>
</rss>
