First Android phone revealed by T-Mobile, Google: The first smartphone based on the Google-sponsored, Open Handset Alliance-backed Android platform was announced by T-Mobile today. The G1 will cost $180 in the U.S., has a slide-out keyboard, and has Wi-Fi, Bluetooth, and GPS built in. The phone should start shipping 22-Oct-2008 in the U.S. and November in the UK. The monthly American fee will be $25 to $35 for data on top of a two-year voice plan commitment.

Soldiers at Joint Base Balad get Wi-Fi network: 20,000 American soldiers at this base in Iraq can now use a secure mesh Wi-Fi network for personal access. The description of how the network can self-heal is perhaps particularly apt in a country torn by insurgency.

The interesting thing to me is the big question of certifying companies v/s individuals.  I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.

This is the problem with certification and accreditation services as I see it today:

• Security staffing shortage means lower priority:  If you are an agency CISO and have 2 skilled people, where are you going to put them?  Odds are, architecture, engineering, or some other high-payoff activity, meaning that C&A services are candidates for entry-level security staff.
• Centralized v/s project-specific funding:  Some agencies have a “stable” of C&A staff, if it’s done wrong, you end up with standardization and complete compliance but not real risk management.  The opposite of this is where all the C&A activities are done on a per-project basis and huge repetition of effort ensues.  Basic management technique is to blend the 2 approaches.
• Crossover of personnel from “risk-avoidance” cultures:  Taking people from compliance-centric roles such as legal and accounting and putting them into a risk-based culture is a sure recipe for failure, overspending, and frustration.
• Accreditation is somewhat broken:  Not a new concept–teaching business owners about IT security risk is always hard to do, even more so when they have to sign off on the risk.
• C&A services are a commodity market:  I covered this last week.  This is pivotal, remember it for later.
• Misinformation abounds:  Because the NIST Risk Management Framework evolves so rapidly, what’s valid today is not the same that will be valid in 2 years.

So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like.  NIST has 3 viable options:

• Use Existing Certs: Require basic certification levels for role descriptions.  DoD 8570.1M follows this approach.  Individual-level certification would be CAP, CISSP, CG.*, CISA, etc.  The company-level certification would be something like ITIL or CMMI.
• Second-Party Credentialing:  The industry creates a new certification program to satisfy NIST’s need without any input from NIST.  Part of this has already happened with some of the certifications like CAP.
• NIST-Sponsored Certification:  NIST becomes the “owner” of the certification and commissions organizations to test each other.

Now just like DoD 8570.1M, I’m torn on this issue.  On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard.  On the other hand, introducing scarcity means that there will be even less people available to do the job.  But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely:  costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.

Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people.  Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need.  Alas, that’s a future blog post….

However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify?  I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone.  =)

Bookmark to:

Yes, transparent government is a pretty good goal.  I think the authors of Freedom to Tinker have forgotten that not all Government data is fit for public consumption.  The problem is one of sanitization:  how do you clean all of the PII out of data before you release it to the public?  Not only that, but because of the size of the data sets, most likely you need an automated method to sanitize it.  I think that because of the sanitization factor that the Government would not gain that much efficiency by outsourcing the data presentation to others.

As with all things in security, this is nothing new.  There’s a little-known project (First Rule of “Fight Club” being what it is…) known as Radiant Mercury that does exactly this with classified data.  You can check out the basic concept in quasi-official presentations here (.pdf caveat) and here.

If we were going to make all this data available, we would need an unclassified version of Radiant Mercury to filter out all the PII and “Sensitive but Unclassified” bits.

Now as far as letting second parties build interfaces into the raw data, I’m torn on it.  On one hand, private industry can provide access to data “Now at Web 2.0 Speeds!” but on the other hand, then the Government loses control over the presentation and, by extension, accountability for the content.

Bookmark to:

Date Reported:
2/22/08

Organization:
LGT Group - The Wealth and Asset Management Group of the Princely House of Liechtenstein
English Version
German Version
French Version
Italian Version

Contractor/Consultant/Branch:
LGT Treuhand AG
(LGT Trust Ltd in English)

Victims:
Clients of LGT Trust (prior to 2002)

Number Affected:
~1,400*

*there may be an additional 4,527 beneficiaries affected.

Types of Data:
Confidential bank account information.

Breach Description:
Confidential customer information was stolen from LGT Trust in 2002 by a former employee of the company.  As a result of this breach, Heinrich Kieber was convicted of "serious fraud, dangerous threats, unlawful compulsion, and suppression of documents."  Now it appears that German authorities paid Mr. Kieber "as much as 5 million euros ($7.4 million)" for information about German account holders for the purpose of investigating tax evaders.  Other countries that are interested in the information allegedly stolen by Mr. Kieber include the United Kingdom (U.K.), the United States (U.S.), Australia and others.  Mr. Kieber now has a new identity (possibly as part of the arrangement with Germany) and his whereabouts are unknown.

Reference URL:
LGT Group Media Communique dated 2/24/08
[Evan] Highly recommended interesting read
The Australian online news story
Bloomberg.com online news story
MarketWatch online news story

Report Credit:
Chad Thomas, Bloomberg.com

Response:
From the online sources cited above:

For LGT Group, all the facts now point - despite contradictory statements form sources said to be close to the German intelligence service - to the fact that the data material illegally disclosed to the German authorities is limited, in as far as LGT is concerned, to the client data stolen from LGT Treuhand in 2002.

Even though other rumors have been circulated about the occurrences, LGT Group is assuming on the basis of numerous indications that the person, who illegally passed the data on to the German intelligence service, is the same former employee of LGT Treuhand who stole the data in 2002.

Apparently, the stolen data material has also been illegally disclosed, directly or indirectly, to other authorities.  According to reports in the media, the previously convicted offender was paid a sum of several millions for the information and was provided with a new identity.

this is a possibility that law firms were interposed as intermediaries.  LGT will now re-register its report of a criminal offence committed by a person unknown directly against the convicted data thief.

approximately 1,400 client relationships with LGT Treuhand, which were established before the end of 2002.  The largest proportion, about 600 clients, are resident in Germany.  The figure circulated in the media of 4,527 sets of data represents the number of beneficiaries of all the foundations

it has become increasingly clear that the so-called "informant" of the BND German intelligence service is indeed the same convicted data thief who illegally disclosed the client data in 2002

Acting on the information, German authorities raided the home of one of the country's most high-profile executives, the chief executive of Deutsche Post AG, alleging he evaded paying about E1 million in taxes.

The government, which paid as much as 5 million euros ($7.4 million) for information on German account holders in Liechtenstein on a disk provided by an informant to the Federal Intelligence Service, or BND, will share this information with other countries, the finance ministry said today.
[Evan] You mean to tell me that its possible (and acceptable) to steal confidential corporate information and sell it for big bucks?  German authorities paid over $12,000 per record (7,400,000/600)!  The question is, is this an informant or a data thief cashing in?

U.K. tax collectors, after initially turning up their nose at an informant's offer to sell them confidential data from a Liechtenstein bank, have now paid up and have information on about 100 wealthy British subjects

they were persuaded to pay the informant around 100,000 pounds only after Berlin tax officials launched in recent weeks a high-profile crackdown on Germans with money said to be stowed away in Liechtenstein
[Evan] The UK got a deal.  They only paid ~$2,000 per record.

Australian authorities have been given details of Australian clients of Liechtensteinische Landesbank (LL, according to reports in the Wall Street Journal and Guardian newspapers.

"The Australian Tax Office does not pay for information about tax schemes," an ATO spokeswoman said. "Nonetheless, we have a good flow of information from people concerned about fairness and equity in the tax system."
[Evan] The best deal of all.  Australia got the stolen information for free!

The former employee, who was convicted of the data theft, is a Liechtenstein citizen named Heinrich Kieber (HK).

He was active from October 1999 as an external employee of an IT-company, and from April 2001 to November 2002 as an employee of LGT Treuhand.  At the time of his recruitment and during his employment with LGT Treuhand, he had not been previously convicted of a crime.  However, as would become known later, an arrest warrant had been issued against HK, which was not accessible for examination during the standard checks carried out on new employees.

This arrest warrant was linked to a real estate deal in Spain in 1996, which HK had allegedly financed with uncovered checks, and was issued by the Spanish criminal prosecution authorities in 1997, firstly at national and subsequently at international level.

It has been reported that he (Heinrich Kieber)  has been given a new identity and is living in Australia.

Commentary:
This is a very intriguing story and one that will take a while to shake out.  I am a little torn by the series of events, and struggle with the ethics of it all.  I don't think Heinrich Kieber is any kind of hero by any means.  I think he is a common thief that just received a huge payday.

A couple of questions to think about:

• Do you think Heinrich Kieber is lucky criminal, or do you think he is an honest "informant" and "whistleblower"? 
  
• If he were truly an honest guy, why would he shop the confidential information around like he did and not give it freely?
• Do you think this story will encourage other insiders to follow suit?