[SecurityRatty] tag: taxpayers

$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.

Thu, 25 Sep 2008 00:03:00 +0000

This article in yesterday's "Washington Post" was sickening to read but hardly comes as a surprise.

It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S. contractors. The investigator who testified as to the waste and theft was fearful of his life as 32 of his fellow investigative co-workers have been killed.

One scheme involved officials from the Iraqi Defense Ministry setting up a front company that received $1.7 Billion in U.S. funds to buy guns, armoured vehicles and other equipment. Only a small percentage was ever purchased and in one case, they had bullet-proof vests delivered that were defective and useless.

In another case involving Iraqis and U.S. contractors, $24.4 million was spent on an electricity project that "only existed on paper". The worst part was that money sent to the Defense Ministry was discovered to have been diverted to Al-Qaeda and found its way to bank accounts in Jordan and other places.

Let us hope the Government spends the proposed $700 Billion bail out funds in a more responsible and accountable manner.

Please dont do this at work

Wed, 17 Sep 2008 20:10:58 +0000

These can get around so fast that you may not be protected, even if you just updated.
Think before you click and dont go to nasty places.
Doug says so!

clipped from www.computerworld.com

Trojan horse captured data on 2,300 Oregon taxpayers from infected gov’t PC

The Trojan horse was of such a new variety that the agency’s antivirus software, which is updated every two hours for security reasons, had not yet been updated to protect against it, Hardin said. The agency reported the malware’s strain to the antivirus vendors, who then updated their software.

Cost/Benefit of Terrorism Security

Fri, 12 Sep 2008 02:32:33 +0000

"The terrifying cost of feeling safer," from the Sydney Morning Herald:

Sandler and his colleagues conducted an analysis of the costs and benefits of five different approaches to combating terrorism. I must warn you that, because of the dearth of information, this study is even more reliant on assumptions than usual. Even so, in three cases the cost of the action so far exceeds the benefits that doubts about the reliability of the estimates recede.
Because the loss of life is so low, they measure the benefits of successful counter-terrorism measures in terms of loss of gross domestic product avoided. Trouble is, terrorism does little to disrupt economic growth, as even September 11 demonstrated.

Using the case of the US, Sandler estimates that simply continuing the present measures involves costs exceeding benefits by a factor of at least 10. Adopting additional defensive measures (such as stepping up security at valuable targets) would, at best, entail costs 3.5 times the benefits. Taking more pro-active measures (such as invading Afghanistan) would have costs at least eight times the benefits.

According to Sandler, only greater international co-operation, or adopting more sensitive foreign policies to project a more positive image abroad, could produce benefits greater than their (minimal) costs.

What's that? You don't care what it costs because no one can put a value on saving a human life? Heard of opportunity cost? Taxpayers' money we waste on excessive counter-terrorism measures is money we can't spend reducing the gap between white and indigenous health -- or, if that doesn't appeal, on buying Olympic medals.

Admins , Good Guys or "I am NOT an Idiot!"

Tue, 29 Jul 2008 11:19:00 +0000

This is a follow-up to this ("On Doomsaying (Terry Childs case)") and this ("So ... Am I? Maybe I Am!"), both related to Terry Child case, as well as a response to this post by Paul Venezia ("The anti-admin stance and the Childs case").

First, let me disclose something - my frantic efforts with the Paint allow me to proudly proclaim: I am a certified, trusted "Good Guy":

Good guys, let me tell you, do not need any controls placed on them; they are "trusted." Don't you have to trust somebody? Why not trust a sysadmin, for example?

So, what about controls? Ah, glad that you asked! "Controls" are for the bad guys; they are in place to prevent the bad guys from doing "an unspeakable evil" (tm) :-) on you. On the other hand, good guys are doing "the right thing" every time - why monitor them? It goes without saying that nobody ever moves between these groups, especially, not from "good guys" to "bad guys."

As I am rambling about this, many of my security-minded readers are wondering "what is Anton up to? Isn't it kind of OBVIOUS that controls are for everybody?" Controls know no good/bad! For example, a network control, say a NIPS, will block malicious web access due to a typo in a URL (by - gasp! - a good guy) or due to determined malicious hacking.

I think a few of my readers have watched one too many "Batman" movies and have acquired the dark side of the "IT hero" mentality." How about getting an "IT employee" mentality? If your boss is an idiot (and Terry's managers definitely seem pretty far gone in that direction...), than your "heroic duty" is to let them impale themselves on a sword of their idiocy, not to commit crimes (even if cybercrimes) to prevent that idiocy. Really, go find another job if you do not like the environment; good admins are needed in many places. For example, if your boss insists on posting all VPN passwords for all users publicly out of his sheer and unfathomable stupidity, it is your duty to tell him that it is "a very bad idea" - and not to change all passwords and not let him see it. "Doing you job" despite your boss and despite the law just doesn't work...

In other words, I want a banker making policy decisions at a bank, not a sysadmin. If a banker makes a wrong decision, his will suffer. If he is an idiot, he will most likely make the wrong decision. However, it is NOT the admin's decision to make - he does not "own" the business. BTW, the fact that it is a city, not a bank, and it is taxpayer funded, does not change it.

Am I "anti-admin" for saying that admins should not run the business? Am I "anti-admin" for saying controls (at least logging/auditing) on administrator activities are needed? You call it "anti-admin", I call it common sense!! Pray tell me, what makes admins float above accountability, control and IT governance?

Please also read what Randy Smith said about this issue; a lot of good thoughts that I agree with.

Now I would like to respond to specific comments from my readers:

"What rankles your readers is how blithely you imply this problem has a simple or effective solution. It doesn't, all the processes or tools you advocate can do is speed up the time it takes to detect the lock-out, but not actually prevent it - i.e. they are ineffective at tackling the primary problem."

That is correct; the rogue admin problem has NO simple solution. You might prevent some (few, really) things, you might log some of them and then figure what happened, but there is no simple solution (it goes without saying that "just trust them" is NOT a solution...)

"We all know companies run without sane risk management all the time and are rarely held accountable in America. What makes you think anyone is "screwed"?"

Well, this is a good point; maybe I let my idealistic side take over. But, come on, just the fact that bad IT governance is somewhat common, doesn't make it right!

"Now ask yourself who is "screwed" by one person at a small company having all access and no accountability on a network. That's how I run my home network. Big deal."

Nobody is. I addressed it here. The risk is acceptable for smaller environments, usually. I don't have an overseeing body set up to control my home passwords :-)

"You seem to forget that sometimes the management just has to trust somebody. "

Addressed above.

"Chuvakin, you're a tool. Given the recent idiocy of the releasing of the VPN names and codes, it obviously shows that any sort of detest that Childs had against his superiors at the city were justified."

The fact that his bosses are idiots (which seems fairly well established!) does not make him right!

Bad boss + admin out of control =/= right :-)

"This is not a private organization. His superiors don't own the company and are NOT entitled to the data. We are, the taxpayers. And as a California taxpayer I fully support someone with the paranoia and technical skill of Terry Childs over a group of bureaucrats who release secure information to the public."

Properly evaluating this statement requires a law degree. Thus, no comment. Bureaucrats suck, but rogue admins are not a solution to that. Really!

"The guy was doing his job and doing it incredibly well, and keeping it out of the hands of those who, given their most recent choices, would bring potential disaster to the city."

He was NOT, unless crime is part of his job :-) Also, see comments on "IT heroes" above. If your boss is an idiot AND you don't like it, quit.

"Anton Chuvakin seems to think that all admins should be kept underneath management's boot at all times. [...] Managers can't and don't understand what we do, and thus eventually come to the conclusion that we can't be trusted with our own knowledge. [...] Perhaps it's human nature to fear what you don't know or understand -- and that's why management can develop a fear of their own employees."

You say 'fear of employees', I say "insider risk management." You say "trust employees", I say "trust but [be able to] verify (=log)"

"his blog leads the casual reader to infer that their businesses are in danger of being hijacked by disgruntled Sys Admins and that isn’t the case." (from here)

Eh, not all businesses, but some businesses - definitely (hmm, see Terry Childs story or other published insider attack cases, all the way back to Omega Engineering case and maybe all the way back to ancient history)

"I despise people like Terry Childs, but despise Chicken Little’s like Anton Chuvakin even more." (from here)

You say I am 'chicken little', I say "if your boss ignores insider risk management, he is stupid and deserves his business to fail." I also add "if you think admins are 'above the law', you have a good chance of 'turning rogue' yourself AND then ending in jail."

Finally, this and my other posts about the case are inspired by on the media reporting; I possess no "insider knowledge" on this case whatsoever.

Possibly related posts:

Confidential Connecticut Department of Labor mailing is missing

Tue, 10 Jun 2008 08:00:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
State of Connecticut

Contractor/Consultant/Branch:
Connecticut Department of Labor

Victims:
Customers

Number Affected:
2,160

Types of Data:
"personal information, including name, address and Social Security number"

Breach Description:
"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."

Reference URL:
Connecticut Department of Labor
Associated Press via The Hartford Courant
Newsday

Report Credit:
Connecticut Department of Labor

Response:
From the online sources cited above:

WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.

the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully destroyed

Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21

we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised

The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.

Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.
[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?

we do not believe information on these letters will be used in a manner that will compromise the security of these residents

we have arranged for two years of free preventative services through the Debix Identity Protection Network
[Evan] Two years is much better that the semi-standard one year given by many organizations. Government breaches tick me off a little more than most. One reason is the fact that taxpayers get to foot the bill.

We sincerely regret any inconvenience or concern that has been caused by this situation

the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system

Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.
[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information. Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers. I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary. I don't think that federal law requires that these mailings include Social Security numbers.

Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.

Commentary:
If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.

Information security personnel don't currently review mailed information prior to release in the companies I consult for. This breach gets me thinking about a potential risk that I may have missed in my assessments.

Past Breaches:
September, 2007 - Stolen laptop contains names and allegations in state DCF cases
August, 2007 - State of Connecticut Stolen Laptop

Teen Hacks PA School Computer, Gets Tax Info

Tue, 03 Jun 2008 06:23:32 +0000

A 15 year old student managed to hack into a school computer in Pennsylvania. He got his hands on 2005 tax return information for 41,000 which sent a town meeting for a loop.

From DailyLocal dot com:

Borough police arrested a 15-year-old Downingtown West High School freshman on May 21 and charged him with theft by unlawful taking or disposition, computer theft, unlawful duplication and computer trespass.

District administrators learned about the intrusion on May 9, when a student told Downingtown West’s principal that another student might have personal information, Griffin said. But 71 school employees did not learn their 2005 W-2 forms were copied until May 16, and Griffin said this was because district officials had to first perform “due diligence.”

According to police, the data files contained more than 41,000 adult taxpayers’ names and personal information, including Social Security numbers, and more than 15,000 students’ names and personal information. The school district sent out letters to 16,595 residences about the incident.

Eldredge said he received the school district’s letter but believes it’s a dead issue.

“For me, I’m comfortable that nothing was done with the information,” Eldredge said.

But, not everyone felt the same.

“I have a tremendous objection to anyone but the county having this information,” West Bradford resident Susan Singer said. And if there are instances of identity theft, “I will be more than outraged,” she said.

ID theft can scare the best of us at the worst of times.

Article Link

15-year-old "hacks" Downingtown Area School District

Sun, 18 May 2008 17:54:02 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Downingtown Area School District

Contractor/Consultant/Branch:
None

Victims:
Staff members and county taxpayers

Number Affected:
"71 teachers" and "several thousand tax payers"

Types of Data:
W-2 forms, Social Security numbers, and home addresses

Breach Description:
"DOWNINGTOWN, Pa. (CBS 3) ? Authorities are investigating the theft of personal information from a computer in a Chester County school district. Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9."

Reference URL:
CBS Channel 3 News
The Philadelphia Inquirer

Report Credit:
CBS Channel 3 News

Response:
From the online sources cited above:

DOWNINGTOWN, Pa. (CBS 3) ? Authorities are investigating the theft of personal information from a computer in a Chester County school district.

Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9.
[Evan] I hope school district officials are embarrassed. Do you think that this kid used exceptional skill? I would guess that the school information was a pretty easy target.

Numerous files containing the personal information of 70 staff members and several thousand tax payers were apparently copied and distributed to other students.
[Evan] The information was "distributed to other students"? Ouch. Why does the school possess personal information belonging to several thousand tax payers?

The files apparently contained salary information and social security numbers.

Police said the students involved in the incident have been identified and the data was safely recovered.
[Evan] Were all copies of the data safely recovered? How would you be certain? Once information has been compromised, how do you un-compromise it? I don't think you can.

The district is working to determine how far the breach reached and secure their network from future abuse.
[Evan] People like to put information security into a nice little package. You can't. It's more than that, and the solutions to the school district's information security problems are more than determining the extent of this breach and securing their network.

Officials believe the student was just attempting to see if he could infiltrate the network, not identity theft.
[Evan] This may or may not be true, but what about the other students that received copies?

As a precaution, all staff members were notified of the incident and told to check their personal data.

"We are still early in the investigation and cannot provide further details," Lt. Steven J. Plaugher of the Downingtown Police Department said in a statement last night. "No arrests have been made at this time."

"We just determined a week ago what happened," said Patricia McGlone, spokeswoman for the district. "The school board will go forward with a disciplinary hearing, which will be separate from the police investigation."

It is unclear if the student will face charges.

The incident marks the second time private information has been obtained by a student at the school. Officials said a student was charged after hacking the system in December 2007.
[Evan] This should be a sign, eh? Two incidents in six months. Do you suppose the district determined "how far the breach reached and secure their network from future abuse" in that case too?

Commentary:
This breach reminds of the "Students breach Williamsville Central School District security" posting we made on April 15th. I think these two cases are very similar. School districts across the country seem to collect and poorly protect unnecessary personal information.

Past Breaches:
Unknown

Five IRS employees charged with snooping at tax records

Sat, 17 May 2008 20:00:00 +0000

Five federal workers at an Internal Revenue Service office in California have been charged with computer fraud for illegally accessing the confidential records of taxpayers.

Five IRS employees charged with snooping at tax records

Fri, 16 May 2008 09:00:00 +0000

Five employees in a California office of the Internal Revenue service have been charged with illegally accessing files of taxpayers.

[SecurityRatty] tag: taxpayers

$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.

Please dont do this at work

Cost/Benefit of Terrorism Security

Admins , Good Guys or "I am NOT an Idiot!"

Confidential Connecticut Department of Labor mailing is missing

Teen Hacks PA School Computer, Gets Tax Info

15-year-old "hacks" Downingtown Area School District

Five IRS employees charged with snooping at tax records

Five IRS employees charged with snooping at tax records

Blogroll Web vulnerabilities this week