[SecurityRatty] tag: teeth

Tech tricks and treats of 2008

Tue, 28 Oct 2008 21:00:00 +0000

Growing up, you probably loved Halloween: Dressing up as your favorite superhero or princess, telling ghost stories, eating so much candy that your mom warned you your teeth were going to fall out. Of course, there was the trick side of the equation--the eggs you'd see slimed across some streets the morning after or the paper in someone's front-yard tree. Aahh, those were the days.

Feds finally put teeth into HIPAA enforcement

Mon, 08 Sep 2008 01:39:29 +0000

The federal government has signed a stringent settlement deal — the first of its kind — with a health care provider over 'possible violations' of HIPAA's data security rules.

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Government Sent Home with a C on FISMA Report Card

Tue, 05 Aug 2008 09:43:51 +0000

Too bad there is no Kaplan Test Prep equivalent for FISMA.

For the third year in a row, the government’s overall FISMA grade improved. But don’t get too excited; the grade only improved from a C- to a C this year. (And D+ in 2005).

But there’s a lot to hide in an “average grade”. Turns out that the reality is a split between overachievers and underachievers.

The agencies/departments with a grade of A-, A or A+:

Department of Justice
US AID
EPA
NSF
SSA
HUD
OPM (I would hope so)

And, sadly the ones that got an F:

Department of the Interior
Department of Treasury
Nuclear Regulatory Commission
Department of Veterans Affairs
Department of Agriculture

FISMA (Federal Information Security Management Act) became a federal law back in 2002 as part of the E-Government Act. Six years later, there has been improvement, but there’s still clearly a long way to go.

So what’s the disconnect? Speaking from a vendor perspective, we’ve had first-hand experience with the lack of actionable, concrete guidelines around FISMA – for processes, monitoring and check-list assessment items. We even contacted NIST directly to get more guidance on how their very broad guidelines should be translated to actual features and reporting in something like our monitoring solution. The end goal, after all, is to help our government customers not only meet the FISMA requirements but also to be seen/assessed as meeting those requirements. As we do for other compliance/governance requirements like Sarbanes-Oxley, the more that EM7 can automate and report on, the better.

But that leads to the second issue here. How accurate is the FISMA scorecard? SC Magazine writes, “Many have seen organizations get an A when they believe they should have received an F, and vice versa” and some experts “blame this on the lack of a standardized evaluation, as well as censorship among auditors.” There’s talk about language ambiguities and opinions that the scorecard is not “one size fits all” – that small agencies face different IT security challenges than the big guys.

So what’s right about FISMA? We can point to a heightened awareness about the importance of security and the “security picture” in each federal agency. Certainly, from our own survey at FOSE, we saw the difference just from last year to this one:

91% surveyed said FISMA was important (up from 66% last year)
Over 50% had solutions installed to help with FISMA (up from only 14% last year)

Based on these numbers, we’re not surprised to see the FISMA average grade go up, but we expected it to be even higher. So what will it take to get the government on the honor roll? From Rep. Tom Davis, “We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don’t measure up…We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box.”

ShareThis

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:58:50 +0000

One of the things that I have always not understood about HIPAA is what teeth do these regulations have and who is going to enforce them. There are plenty of firms willing to take your money and rubber stamp you HIPAA compliant, but who is going to say your not HIPAA compliant and why should you care. Finally reading this article in Security Bytes it looks like the federal government has stepped up to enforce HIPAA and have put some bite behind the bark. Providence Health in Seattle was fined 100k by US Department of Heath and Human Services for losing data containing patients information.

I say good for the HHS! A few well publicized fines where people had to pay real money will go further in getting people to take HIPAA seriously than all of the other dog barking and warnings that have taken place to date. The same goes for other regulations and statues on compliance as well. Lets hear about some financial sanctions or penalties around PCI and you will see a drastic rise in compliance there as well. Rules and regulations without enforcement serve no purpose at all and hurt more than they help.

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:01:24 +0000

Do we need a farm system in the security industry?

Mon, 21 Jul 2008 12:17:30 +0000

Just read a good article by Lisa Vaas on Computerworld titles "When security staffers fail up". The article talks about some of the challenges that are faced by companies trying to provide proper security. While one of the issues is "bundled badness" which I will talk about later, the bigger problem that Lisa writes about is the profile of our security administrators. It is a familiar story I am afraid. Security people don't do a good job of "humanizing" themselves. Their peers don't understand what they are trying to accomplish and too often we speak in geek terms and try to dictate how people conduct business. As a result we are the "people in the way".

The next thing Lisa hits on is the obsession with certifications. Too many people think having a CISSP is the be all and end all of security. First of all, you can't hire enough of them and many of them don't have the practical business experience to take it to the next level. Than there is the security "prima donna". They just think they are smarter than everyone else and too many tasks are below them as to elementary. We have all met these types before as well.

Quickly on the "bundled badness" thing. Lisa rightfully points out that in spite of Mike Rothman's feelings to the contrary, though CIO and CFO types like to buy the bundle and get the jack of all trades suite cheaper than buying best of breeds individually, at the end of the day it is hurting our security. If you are really serious about securing the environment there is a world of difference between buying the bundle of goodness versus best in class tools.

Ultimately though, what are we to do about getting better security pros in the workplace? Do we need to change the certification process? Should companies have a different profile of who they hire for security positions. Do we need to develop some sort of farm system where security pros can cut their teeth and learn their craft, like the guilds and apprentices of yesteryear? The construction industry used to work like that. Maybe we should consider it too?

OWASP Talk Q&A Notes

Fri, 11 Jul 2008 11:36:26 +0000

On Monday I did a talk on Web Services security at the MSP OWASP. The talk was ok, but not as good as at RSA because I Brian Chess did a better job with some of the stories than me. What was really good though was a number of questions and answers afterwards.

One person asked the old chestnut - "do we need to care about web services security if we are inside the firewall?" Now, I have heard this question many, many times in different ways, and this time my brain just shorted out, I basically said that I am not sure what difference it really makes. You don't get security from a firewall, you may get the ability to fire someone if they do something bad, but in most companies there is no "wall" and there sure isn't any "fire", at most they are speed bumps. I am *not* saying to remove them, they are part and parcel of how you operate a network but they are not really providing any additional security. Network firewalls are thought of as a security tools because they began as a security innovation and they are paid for out of the security budget.

Robert Garigue said several years ago that network firewalls are part of network hygiene like brushing your teeth. Information security should not have to help people brush their teeth, and instead should operate like a dentist helping groups work more complex and risky issues. I have advised CISOs at several companies to off load the network firewall jockeys out of infosec and into network groups. Sometimes they listen. If so, the infosec group can focus on other issues instead of managing a Visio-driven "security" device.

Why Visio? Well, the main security property from a firewall is the scary flames and brick wall on Visio. And how do you know whether or not to open up a port? You just open the org chart (in Visio) and find the level of the person who is requesting the port be opened. If VP Then Yes. Is this security? Hardly.

So one last time - Web Services are used to provide access to your main systems (which live on mainframes, big RDBMS, SAP, ERP, CRM, and so on) these are the keys to the kingdom, and lots of apps need them. The whole point of Web Services is to make it easier to talk to them. So "inside" or "outside" the firewall, do you need to care about authentication, authorization, and auditing on the systems that run your entire business???

Another interesting question from the Q & A from Jon Passki was on XML Security Gateways. We talked a fair bit about their utility in solving the aforementioned authentication, authorization, and auditing problems. I pulled up Vordel's gateway and showed how to build security workflows to deploy security as a service. Jon asked could I ever imagine a Web services security architecture without a gateway? I said I think that they are not always the starting point but mid to long term they are definitely in basically any effective security architecture I can think of. Having a place to deploy, manage, and enforce policy that is separate the code solves a lot of real world problems. People are hung up on thinking about Web services programming like it has to be Web app programming (this happens in REST a lot), but there is another school of successful web apps, arguably the most successful, and its called email.

Email app architecture looks nothing like web app design. You wouldn't read every email sent to your address would you? Of course not, it goes through spam filters, virus checkers and so on. Further its a message oriented paradigm, and you know that unless its signed/encrypted with PGP/GPG security is suspect at best. So yeah, I think gateways are an hugely important part of a Web Services security architecture.

Finally, I can also not imagine going live when you are supporting multiple protocols and token types without a good testing strategy. Mark O'Neill recently blogged something I recommend to all my clients - namely make sure you have security specific test cases, test harnesses and testing tools, like for example Vordel's Soapbox.

Security Briefing: June 17th

Tue, 17 Jun 2008 07:33:11 +0000

Sleep deprivation, caffeine overload and documentation. How long till I start hallucinating? Stay tuned.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Router-hacking Trojans spotted | Web User News
The ’secret’: Banks are freaked out by security | ZDNet
Malware not man blamed in child abuse download case | The Regsiter
Security Bonuses for Vista Programmers | eWeek
PCI DSS: Section 6.6 gets teeth – finally
IM Security’s Three Kings | CSO Online
Victim of its own success | BBC News
Dacre promises new look at rules on hacking by journalists Guardian

Tags: News, Daily Links, Security Blog, Information Security, Security News

On braces, baseball and Fathers Day

Sat, 14 Jun 2008 17:05:00 +0000

Image via Wikipedia

So it is quite an exciting Fathers Day weekend here at the Shimel house. On Friday my oldest son Landon, 8, had braces put on his top teeth. I know that 8 is early for braces, but evidently today they do this as a "Phase 1", so that hopefully he won't need them as long later on. Seeing my little boy come out of the room with braces was quite a sight. Unlike the trauma that kids had about braces when I was younger, he thought it was awesome. The picture to the left are not his braces. Landon's are black and gold, Steeler braces. In 6 weeks they will change them to Yankee blue and white. Braces have certainly come a long way since I was a kid. But my son Landon has come a long way too. Looking at him with his braces and talking to the office staff I realized that the little, fuzzy red headed baby we brought home from the hospital almost 9 years ago now has grown into quite a boy. Where is the little toddler that I would toss a sponge ball to underhand and tell him to use two hands to catch? Could this kid with the catchers mitt catching everything I throw at him and firing it back to me be that baby?

Saturday is a day filled with both boys. I am taking Landon and Bradley to breakfast and than off to Baseball City to practice our hitting and pitching. Then Bradley has a birthday party he is invited to and Landon and I will go swimming.

Sunday Landon has a travel baseball team game at 10am. Landon was selected for the team because of the great season he had in Little League and is now in tournaments for the next few weeks. Than we are all going to visit my Uncle and Aunt for Fathers Day at the house near the water with a pool.

I could not think of a better way to spend my Fathers Day weekend. My mother-in-law always used to say that she was the richest woman in the world because of the treasure that were her children. When I was younger I laughed but would have taken the cash. As I have grown older and have had a chance to watch my boys grow up and have come to understand what it truly is to be a Father, I know that she was right. There is nothing like the love of a child and watching, helping and sharing in their adventure that is life.

To all of you celebrating Fathers Day this year whether as a Dad with your own kids or with your own Dad, congratulations and savor every minute of it. Happy Fathers Day!