<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: treat]]></title>
    <link>http://securityratty.com/tag/treat</link>
    <description></description>
    <pubDate>Thu, 19 Jun 2008 06:38:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Gartner Event Processing Summit (and EPTS Meeting), Sept 2008]]></title>
      <link>http://securityratty.com/article/d942f118e90958175378be5d866f230c</link>
      <guid>http://securityratty.com/article/d942f118e90958175378be5d866f230c</guid>
      <description><![CDATA[Many folks have been sending me email, inquiring if I will be attending the Gartner Event Processing Summit, September 15-16 or the 4th Event Processing Symposium, September 17-19, 2008 (the EPTS...]]></description>
      <content:encoded><![CDATA[<p style="text-align: left;">Many folks have been sending me email, inquiring if I will be attending the <a href="http://www.gartner.com/it/page.jsp?id=616710" target="_blank">Gartner Event Processing Summit, September 15-16</a> or the <a href="http://complexevents.com/?p=405 ">4th Event Processing Symposium, September 17-19, 2008</a> (the EPTS meeting).    I regret not attending either event this year and will miss getting together with everyone.  In addition, I would like to thank Opher and the EPTS team for inviting me.</p>
<p>As we get closer to the conference dates, I wish that I had made plans to fly back to the US to meet everyone.    However, I have been cutting back on public speaking, taking a break since May.  In addition, Gartner did not ask me to speak at their Event Processing Summit this year, I assume because they did not want to pay airfare for my flight from Thailand to the US.    Also, Gartner always likes to fill their conference speaking slots with as many <a href="http://www.gartner.com/it/content/616700/616710/ep_agenda.pdf" target="_blank">Gartner speakers</a> as they can, unless you are a paid sponsor; and I noticed a number of Gartner employees speaking in multiple slots.</p>
<blockquote><p><em>(Editorial Note) Then again, maybe I complained too much about the lack of organization and conference problems when I was invited to be a Gartner keynote speaker last time - reservations not made properly, problems with the guest speaker registration list at sign-in, rooms shifted without notifying the speakers and panelists. Admittedly, I was not happy with the conference organizers at the last get together. This was my fault, as I am accustomed to better conference execution and am probably too &#8220;picky&#8221; about details these days - my bad. Anyway, the Gartner organizers apologized numerous times, saying they had too many conferences going on at the same time and not enough people to cover them all.</em></p></blockquote>
<p>One of the problems with spending so much time in Asia, especially in Thailand, is that guest speakers are really treated as VIPs.  There are usually special comfy couches set up for the speakers and the conference staff really treat you very nice, taking care of you every step of the way.   In fact, there is an entire very nice culture around how guest speakers are treated in Thailand.   Often, they pin flowers on the VIP speakers and take your photos like you are a star.    Very nice culture.</p>
<p>I absolutely look forward to speaking on event processing or CEP at a future venue and meeting everyone face-to-face instead of over the net.  My sincere and deepest apologies for not attending either the Gartner or the EPTS event this year.   </p>
<p>PS:  If you take up a collection and send me a RT business class air ticket, I might change my mind <img src='http://www.thecepblog.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /></p>
]]></content:encoded>
      <pubDate>Sat, 30 Aug 2008 08:57:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/event">event</category>
      <category domain="http://securityratty.com/tag/gartner event">gartner event</category>
      <category domain="http://securityratty.com/tag/gartner">gartner</category>
      <category domain="http://securityratty.com/tag/epts">epts</category>
      <category domain="http://securityratty.com/tag/guest speakers">guest speakers</category>
      <category domain="http://securityratty.com/tag/speakers">speakers</category>
      <category domain="http://securityratty.com/tag/gartner keynote speaker">gartner keynote speaker</category>
      <category domain="http://securityratty.com/tag/gartner employees">gartner employees</category>
      <category domain="http://securityratty.com/tag/conference">conference</category>
      <source url="http://www.thecepblog.com/2008/08/30/gartner-event-processing-symposium-and-epts-meeting-sept-2008/">Gartner Event Processing Summit (and EPTS Meeting), Sept 2008</source>
    </item>
    <item>
      <title><![CDATA[TSA Proud of Confiscating Non-Dangerous Item]]></title>
      <link>http://securityratty.com/article/2ac972a60a8f85c89cf2811a0ab19899</link>
      <guid>http://securityratty.com/article/2ac972a60a8f85c89cf2811a0ab19899</guid>
      <description><![CDATA[This is just sad. The TSA confiscated a battery pack not because it's dangerous, but because other passengers might think it's dangerous. And they're proud of the fact. &quot;We must treat every suspicious...]]></description>
      <content:encoded><![CDATA[<p>This is just sad.  The TSA <a href="http://www.tsa.gov/press/happenings/scot_peele.shtm">confiscated</a> a battery pack not because it's dangerous, but because other passengers might <i>think</i> it's dangerous.  And they're proud of the fact.</p>

<blockquote>"We must treat every suspicious item the same and utilize the tools we have available to make a final determination," said Federal Security Director David Wynn. "Procedures are in place for a reason and this is a clear indication our workforce is doing a great job."</blockquote>

<p>My guess is that if Kip Hawley were allowed to comment on my blog, he would say something like this: "It's not just bombs that are prohibited; it's things that look like bombs.  This looks enough like a bomb to fool the other passengers, and that in itself is a threat."</p>

<p>Okay, that's fair.  But the average person doesn't know what a bomb looks like; all he knows is what he sees on television and the movies.  And this rule means that all homemade electronics are confiscated, because anything homemade with wires can look like a bomb to someone who doesn't know better.  The rule just doesn't work.</p>

<p>And in today's passengers-fight-back world, do you think anyone is going to successfully do anything with a fake bomb?</p>]]></content:encoded>
      <pubDate>Wed, 30 Jul 2008 02:11:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fake bomb">fake bomb</category>
      <category domain="http://securityratty.com/tag/bomb">bomb</category>
      <category domain="http://securityratty.com/tag/dangerous">dangerous</category>
      <category domain="http://securityratty.com/tag/homemade">homemade</category>
      <category domain="http://securityratty.com/tag/homemade electronics">homemade electronics</category>
      <category domain="http://securityratty.com/tag/tsa">tsa</category>
      <category domain="http://securityratty.com/tag/suspicious item">suspicious item</category>
      <category domain="http://securityratty.com/tag/battery pack">battery pack</category>
      <category domain="http://securityratty.com/tag/passengers">passengers</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/tsa_proud_of_co.html">TSA Proud of Confiscating Non-Dangerous Item</source>
    </item>
    <item>
      <title><![CDATA[Things that happen in China when nobody is watching]]></title>
      <link>http://securityratty.com/article/c56b2c98388f10a613baa9f9ace01efa</link>
      <guid>http://securityratty.com/article/c56b2c98388f10a613baa9f9ace01efa</guid>
      <description><![CDATA[Here is another reason to pay attention for your own safety when you visit China - especially during the Olympics

The BBC World News ran a story yesterday of a local Beijing woman whose house was...]]></description>
      <content:encoded><![CDATA[Here is another reason to pay attention for your own safety when you visit China - especially during the Olympics.<br /><br /><span id="fullpost">The BBC World News ran a story yesterday of a local Beijing woman whose house was about to be torn down, leaving her homeless.  Why was her home being demolished?  The Government had decided that her house would not look nice enough to the foreign visitors coming to Beijing for the summer Olympics.  They planned to plant flowers in the spot where her home stood.<br /><br /></span>Apparently, the authorities knew that the woman was not going to willingly accept this obvious abuse of power.  A couple of Police vans watched the house from about a block away.  Then the cameras left after interviewing the woman.  When the television cameras came back the next day, the house was gone and so was the woman.  The house had been torn down in the middle of the night when there were no witnesses.  Nobody could say what happened to her as the flower planters went about the task of digging flower beds.<br /><br />The BBC had obtained similar footage that had been covertly recorded earlier at another house.  In this instance, a couple of the homeowners tried to resist the authorities tearing down their house.  The camera graphically recorded two men who attempted to protest on the roof of their humble abode.  A couple of "heavies" pulverised the seated men with vicious blows and kicks.  One poor man was kicked full-force in the face and head several times.  The camera shot him being taken away by ambulance and his whole face was swollen and lacerated.  It seems that the Chinese Government are very serious when it comes to planting flowers.  They certainly appear to have a higher regard for flowers than they do for human rights.<br /><br />Our advice to you if you are visiting Beijing this summer - don't pick the flowers.  I have seen how they treat people when they think nobody is watching.  
It isn't pretty.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Sat, 19 Jul 2008 14:33:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/house">house</category>
      <category domain="http://securityratty.com/tag/flowers">flowers</category>
      <category domain="http://securityratty.com/tag/plant flowers">plant flowers</category>
      <category domain="http://securityratty.com/tag/bbc">bbc</category>
      <category domain="http://securityratty.com/tag/summer olympics">summer olympics</category>
      <category domain="http://securityratty.com/tag/summer">summer</category>
      <category domain="http://securityratty.com/tag/bbc world news">bbc world news</category>
      <category domain="http://securityratty.com/tag/woman">woman</category>
      <category domain="http://securityratty.com/tag/olympics">olympics</category>
      <source url="http://www.thebulletproofblog.com/2008/07/things-that-happen-in-china-when-nodoby.html">Things that happen in China when nobody is watching</source>
    </item>
    <item>
      <title><![CDATA[Arnon Rotem-Gal-Oz on SOA Security]]></title>
      <link>http://securityratty.com/article/75344fddc00a8df3f17a15b008ddae69</link>
      <guid>http://securityratty.com/article/75344fddc00a8df3f17a15b008ddae69</guid>
      <description><![CDATA[Arnon cites his paper which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4, &quot;the network is secure&quot;. These are common mistakes people make when...]]></description>
      <content:encoded><![CDATA[<p>Arnon cites his paper which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4, "the network is secure". These are common mistakes people make when building distributed apps. Arnon <a href="http://www.rgoarchitects.com/nblog/2008/07/12/SOASecurityReminder.aspx">blogged</a> this:</p><br><div><span style="line-height: normal; "><blockquote><p>In my opinion, assuming the network is secure for an SOA is not only naïve but negligence pure and simple. The whole premise of moving an organization to SOA is connectedness and integration. So, unless your SOA will fail it will be connected to other systems. Whether you are building RESTful systems, WS-* SOAs, EDAs or any combination of these architectural styles, if you won’t treat the services boundary as a border and secure it – you will be sorry…</p><p>Security in SOA should be considered at the "grand-scheme" level with issues like authentication, authorization but also at the single service level, looking at issues like DDOS, SQL injection, elevation of privilege and what not. A trivial thing like exposing a transaction beyond service boundaries can translate to an attacker denying services in your system simply by locking out your database. Again, this is just a simple example.</p><p>The other thing about Security is that you have to consider it early. Patching security "later on" can have devastating effects on a system's capabilities esp. in areas related to performance. I have seen even military systems that had to go through serious rework, just because Security was added as an afterthought instead of handled early on.</p></blockquote>This is a great way to think about the problem, and as Arnon says it's not just an issue with SOA security, it's </span>a pervasive issue. 
If you think REST+SSL is a security architecture then you should consider what threats you are choosing *not* to deal with.</div><br><div>Also, Arnon articulated what I call the gateway vulnerability problem. SOA, Web services, REST et al are fundamentally gateway, interoperability focused technologies. And they are for the most part, great at providing simplified access to back end systems. The problem is that your mainframe, ERP, CRM, et al were never designed for anything remotely resembling an Internet threat model. So you just provided a gateway to a system that from a security standpoint is underpowered. The gateway is not the problem but what lies behind it.</div><br><div>In school they called marijuana a gateway drug because it led to heroin usage; in web services security, if you put a Web service in front of your back end, creating a vulnerable gateway to that which runs your business, then your sys admin may wind up doing heroin.</div>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 09:40:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/soa">soa</category>
      <category domain="http://securityratty.com/tag/soa security">soa security</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/web services security">web services security</category>
      <category domain="http://securityratty.com/tag/web services">web services</category>
      <category domain="http://securityratty.com/tag/security standpoint">security standpoint</category>
      <category domain="http://securityratty.com/tag/arnon">arnon</category>
      <category domain="http://securityratty.com/tag/gateway">gateway</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/arnon-rotem-gal-oz-on-soa-security.html">Arnon Rotem-Gal-Oz on SOA Security</source>
    </item>
    <item>
      <title><![CDATA[Chinese Cyber Attacks]]></title>
      <link>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</link>
      <guid>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</guid>
      <description><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot...]]></description>
      <content:encoded><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot more complicated.

There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time.

These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.

And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites.

This is not to say that the Chinese military ignores the hacker groups within their country. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. They probably buy stolen intelligence from these hackers. They probably recruit for their own organizations from this self-selecting pool of experienced hacking experts. They certainly learn from the hackers.

And some of the hackers are good. Over the years, they have become more sophisticated in both tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.

And they discover their own vulnerabilities. Earlier this year, one security company noticed a unique attack against a pro-Tibet organization. That same attack was also used two weeks earlier against a large multinational defense contractor.

They also hoard vulnerabilities. During the 1999 conflict over the two-states theory, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat.

If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions.

In this regard, they're more like a non-state actor.

So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.


This essay <a href="http://dsc.discovery.com/technology/my-take/computer-hackers-china.html">originally appeared</a> on the Discovery Channel website.]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 03:08:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese">chinese</category>
      <category domain="http://securityratty.com/tag/chinese military ignores">chinese military ignores</category>
      <category domain="http://securityratty.com/tag/chinese military">chinese military</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/chinese government">chinese government</category>
      <category domain="http://securityratty.com/tag/military">military</category>
      <category domain="http://securityratty.com/tag/hacker tools">hacker tools</category>
      <category domain="http://securityratty.com/tag/hackers">hackers</category>
      <category domain="http://securityratty.com/tag/anti-chinese forces">anti-chinese forces</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/chinese_cyber_a.html">Chinese Cyber Attacks</source>
    </item>
    <item>
      <title><![CDATA[In the eyes of the Media and the Net, you're already guilty]]></title>
      <link>http://securityratty.com/article/5071266ef0ce0d7d90dc33b11f33c9b5</link>
      <guid>http://securityratty.com/article/5071266ef0ce0d7d90dc33b11f33c9b5</guid>
      <description><![CDATA[For modern pundits, &quot;presumed guilty&quot; has more entertainment value than &quot;presumed innocent&quot;. In newspapers, on television and radio, and now on the Internet, pundits and politicians treat accusations...]]></description>
      <content:encoded><![CDATA[For modern pundits, "presumed guilty" has more entertainment value than "presumed innocent". In newspapers, on television and radio, and now on the Internet, pundits and politicians treat accusations as truth and make sweeping declarations of guilt, shattering lives without waiting for the legal system.]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 15:10:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/politicians treat accusations">politicians treat accusations</category>
      <category domain="http://securityratty.com/tag/modern pundits">modern pundits</category>
      <category domain="http://securityratty.com/tag/pundits">pundits</category>
      <category domain="http://securityratty.com/tag/legal system">legal system</category>
      <category domain="http://securityratty.com/tag/guilty">guilty</category>
      <category domain="http://securityratty.com/tag/internet">internet</category>
      <category domain="http://securityratty.com/tag/television">television</category>
      <category domain="http://securityratty.com/tag/newspapers">newspapers</category>
      <category domain="http://securityratty.com/tag/entertainment">entertainment</category>
      <source url="http://digg.com/security/In_the_eyes_of_the_Media_and_the_Net_you_re_already_guilty">In the eyes of the Media and the Net, you're already guilty</source>
    </item>
    <item>
      <title><![CDATA[How personal information wound up at the side of the road is a mystery]]></title>
      <link>http://securityratty.com/article/42893bd55f98a595373bc046f7b93a94</link>
      <guid>http://securityratty.com/article/42893bd55f98a595373bc046f7b93a94</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/10/08

Organization
Liberty Furniture

a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County&quot;,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/liberty.jpg" width="200" align="right" height="150"><font size="2"><b>Date Reported: </b><br>7/10/08<br><br><b>Organization: </b><br>Liberty Furniture*<br><br><font size="1">*"a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County", Mississippi.&nbsp; According to the report, Liberty Furniture may have gone out of business more than 20 years ago.</font><br><br><b>Contractor/Consultant/Branch:</b><br>Unknown<br><br><b>Victims:</b><br>Former employees<br><br><b>Number Affected:</b><br>"hundreds, maybe even thousands of people"<br><br><b>Types of Data:</b><br>Personal information including W-2 forms and tax forms containing names, addresses, and Social Security numbers<br><br><b>Breach Description:</b><br>"Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road."<br><br><b>Reference URL:</b><br><a href="http://www.myeyewitnessnews.com/news/local/story.aspx?content_id=1601248c-3496-44ad-a2a3-053a779e9edf">Eyewitness News Everywhere</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Kevin Holmes, Eyewitness News Everywhere<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road.<br><span style="font-style: italic;">[Evan] For those readers who may be unsure where this "Mid-South" is located, in this case it is Mississippi.</span><br><br>We even found W-2 forms, tax forms with people's names, addresses and social security numbers.<br><br>Investigators in Tate County are trying to figure out how the papers got there.<br><br>Larry Davis made the discovery.<br><br>He says he was driving into town when he came across thousands of forms.<br><br>"That's just uncalled for...you are entrusting these 
people with a lot of information that could ruin you very quickly, but yet they treat it like it's trash," said Davis.<br><span style="font-style: italic;">[Evan] I think most people share Mr. Davis' feelings.&nbsp; It is puzzling.&nbsp; What was the person who dumped the information on the side of the road thinking, supposing the person was thinking and supposing the information was dumped and not lost (i.e. fell off a truck).</span><br><br>Financial records, shipping order forms, and W-2's of former employees<br><br>"Stupidity on the person that threw it out on the road.&nbsp; The people who disposed of these, there should be some legal action against them, but to me that's mismanagement," said Davis.<br><span style="font-style: italic;">[Evan] Again, I think many people share the same feelings as Mr. Davis.</span><br><br>Many of the records are from Liberty Furniture, a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County<br><br>"They're all from North Carolina, how did they get here?&nbsp; This is Mississippi.&nbsp; We got some strong wind, but they ain't that strong," says Davis. <br><br>Even Cromcraft employees were shocked when we brought this to their attention. <br><br>Most of the W-2's are from the late 1970's and early 80's.<br><span style="font-style: italic;">[Evan] Wow!&nbsp; These W-2's are 20-30+ years old?!</span><br><br>We're told Liberty Furniture went out of business more than twenty years ago.<br><br>Larry Davis' daughter Susan Herron said, "This could be someone's grandparents on fixed income, now their social security number is floating around somewhere and it's awful, people need to be more careful."<br><br>Eyewitness News Everywhere caught up with one of the former employees whose personal information was exposed. 
<br><br>"My initial feeling was a very sinking, horrified, scared, feeling....You feel vulnerable and hope your social security number hasn't fallen into the wrong hands.&nbsp; So I have to be diligent in checking my credit report," said the employee.<br><span style="font-style: italic;">[Evan] It is interesting to read how a person feels when they learn that their personal information has been compromised.&nbsp; I feel bad for these people.&nbsp; This employee doesn't need to feel "horrified and scared", but he/she does nonetheless, and it's all due to negligence.&nbsp; This is just one reason why information security is so personal to me.</span><br><br>Other former Liberty Furniture employees tell Eyewitness News Everywhere they will be doing the same thing - checking their credit report.<br><br>Eyewitness News Everywhere will keep those forms in a secure place until we hand them over to the proper authorities.<br><br><span style="font-weight: bold;">Commentary:</span><br>There is a lot of mystery surrounding this breach.&nbsp; How did the information get there?&nbsp; Why was the information still kept?&nbsp; Who was in possession of the information before it was found on the side of the road?&nbsp; Why wasn't the information already destroyed if the company who was responsible for it is no longer in business?<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font><br><br>
]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 06:50:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/road">road</category>
      <category domain="http://securityratty.com/tag/personal">personal</category>
      <category domain="http://securityratty.com/tag/w-2 forms">w-2 forms</category>
      <category domain="http://securityratty.com/tag/liberty furniture employees">liberty furniture employees</category>
      <category domain="http://securityratty.com/tag/w-2">w-2</category>
      <category domain="http://securityratty.com/tag/eyewitness news">eyewitness news</category>
      <category domain="http://securityratty.com/tag/liberty furniture">liberty furniture</category>
      <source url="http://breachblog.com/2008/07/10/liberty.aspx">How personal information wound up at the side of the road is a mystery</source>
    </item>
    <item>
      <title><![CDATA[Mission Statement for Federation]]></title>
      <link>http://securityratty.com/article/9794bcabb05d5a9a4ad01ef54236e5df</link>
      <guid>http://securityratty.com/article/9794bcabb05d5a9a4ad01ef54236e5df</guid>
      <description><![CDATA[Bruce Sterling (11/20/2001):
You know what I want? I don't want a National ID Card. I want a Global Coalition Visa



Like it or not, we've got a huge global diaspora now. It is a fact of life. Nations...]]></description>
      <content:encoded><![CDATA[<p style="font-size: small; font-style: normal; font-weight: normal; line-height: 24px; "><a href="http://www.viridiandesign.org/notes/251-300/00283_geeks_and_spooks.html">Bruce Sterling</a> (11/20/2001):</p><blockquote><p>You know what I want? I don&#39;t want a National ID Card. I want a Global Coalition Visa.</p></blockquote><blockquote><p>Like it or not, we&#39;ve got a huge global diaspora now. It is a fact of life. Nations with stupid and corrupt politics have seen their clever people brain-drained away, to places where the cops don&#39;t shake you down twice a day. And jet-setters go everywhere. And properly so. If you&#39;re in a true global society, then you spend a lot of your time among aliens. Quite often you are the alien. You might notice that even Al Qaeda is a genuinely multinational group. They gravitated to wicked, lawless places like Sudan, Chechnya and Afghanistan, where the locals shoot you if you ask for a badge.</p></blockquote><blockquote><p>But what about all us bright, shiny, world-trading jet setters, huh? There are thirty percent fewer Yankees in Europe this Christmas, and that is bad. Let me pose the problem this way. If I am going into a Japanese restaurant in Japan, I would rather like to be able to haul out some gizmo and flash it at my fellow civilians, and have these kindly people understand with a high degree of likelihood that I am not a mass murderer. On the contrary, I am quite civilized, and I should be brought a beer immediately.</p></blockquote><blockquote><p>A platinum VISA card and a five-hundred-dollar suit will almost do that, but those are too easy to forge and steal, plus they are not very democratic. The UN should get together on this. We should have a high level summit about digital hardware support for the crippled tourist economy. Fear and ill treatment shut down tourism faster than anything short of open warfare. That is bad for all of us. Killing off tourism harms our civilization and impoverishes our cultures. People in civilized states shouldn&#39;t routinely treat one another as criminal suspects. I don&#39;t want to get done-over for three hours every time I get off a plane in London. When I go to London, I go with empty suitcases. I don&#39;t plan to stay, but I am better news for the London economy than a lot of the people who live there.</p></blockquote><blockquote><p>They should know all that&#0160;<span style="font-weight: bold; ">before</span>&#0160;I get off the plane. My arrival is excellent news for Britain, so I should be treated that way. If this is a new kind of war, I don&#39;t want to be the evil guy hunkered down in the bunker; I want to fly with the boys from Air Assault. I want one of those handy crypto-style Friend-or-Foe IDs.</p></blockquote><blockquote><p>These people who normally meet me whenever I am an alien, they don&#39;t need to know my nationality, my home address or my shoe size. They just need to know that, despite being alien, I&#39;m sort-of okay.</p></blockquote><blockquote><p>I want a democratic, citizen-to-citizen device that will bridge those social barriers and language barriers. I think we could invent devices and means of verification that would strengthen the global social fabric that terrorism wants to rip. It wouldn&#39;t be easy or simple, but it&#39;s not beyond our ingenuity. Our social capital sustains all civilized societies, and it is all about trust. <span style="font-weight: bold;">So let&#39;s invent new methods of trust.</span></p></blockquote><p>I added bold to the last sentence because I think this is the mission statement for building out federation systems.</p>]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 06:35:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/clever people brain-">clever people brain-</category>
      <category domain="http://securityratty.com/tag/kindly people">kindly people</category>
      <category domain="http://securityratty.com/tag/platinum visa card">platinum visa card</category>
      <category domain="http://securityratty.com/tag/london">london</category>
      <category domain="http://securityratty.com/tag/mission statement">mission statement</category>
      <category domain="http://securityratty.com/tag/london economy">london economy</category>
      <category domain="http://securityratty.com/tag/card">card</category>
      <category domain="http://securityratty.com/tag/true global society">true global society</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/06/mission-statement-for-federation.html">Mission Statement for Federation</source>
    </item>
    <item>
      <title><![CDATA[So, CAN We Have DLP?]]></title>
      <link>http://securityratty.com/article/55f6fc8e7adf0a9b91953af0b69289cf</link>
      <guid>http://securityratty.com/article/55f6fc8e7adf0a9b91953af0b69289cf</guid>
      <description><![CDATA[Can we have DLP - data leak prevention?
Well, can we have IDS? How about IPS? Can we really &quot;prevent intrusions?&quot; Can we really &quot;control access to our networks?&quot;
The answer to &quot;can we have DLP?&quot; is...]]></description>
      <content:encoded><![CDATA[<p>Can we have <a href="http://chuvakin.blogspot.com/2008/05/in-passing-on-dlp.html">DLP</a> - data leak prevention?</p> <p>Well, can we have IDS? How about IPS? Can we really "prevent intrusions?" Can we really "control access to our networks?"</p> <p>The answer to "can we have DLP?" is actually pretty simple: if you think "DLP = box that prevents all data leaks" (and you also think that deploying IPS will "prevent intrusions"), then we can't. Forget it.</p> <p>But blame the idiots who called it "leak <strong>prevention</strong>" - if you think that "DLP will prevent all leaks" - sorry, but you are one of them! :-) If you treat "L" not as "leak" but as "loss" and hope that "DLP will prevent all data loss, whether intentional or not," you are an even BIGGER one.</p> <p>So rambling about <a href="http://www.networkworld.com/community/node/28864">"Can DLP Really Stop All Leaks"</a> is pretty silly. No, it can't. Pondering "<a href="http://www.computerweekly.com/blogs/stuart_king/2008/06/is-data-loss-prevention-really.html">Is DLP Possible</a>" is just as silly. No, complete prevention of all leaks is impossible, with OR without DLP technology. <a href="http://securityincite.com/TDI-2008-06-17#TSN1">Go read Mike R instead</a> :-)</p> <p>Why do seemingly smart people behave in such a childish manner? I dunno. Scratch all that. Instead ask:</p> <p><strong>Are today's <a href="http://www.nextiernetworks.com/">cutting-edge DLP technologies</a> USEFUL?</strong></p> <p>And the answer is "<strong>Hell yeah!</strong>"</p> <p>If you see how much "fun" sensitive content goes over email (corp and personal web-based), gets uploaded to forums, channeled over IM file transfers, FTP'ed somewhere, you'd scream for one of these boxes. Accidental leaks, email address typos, non-malicious leaks, blatant disregard of security policy for the sake of "productivity", even phishing, "wholesale data theft" and amateur "employee hackers" probably account for 10x (100x?) more damage (in direct losses, brand damage, embarrassment and - yes! - non-compliance fines AND loss frequency) than "uber-hackers" (who might indeed go thru your DLP box like a hot knife thru butter.) And if <a href="http://www.nextiernetworks.com/">an advanced DLP box</a> does one day stop some determined insider theft, that's just icing on the cake.</p> <p>That is why <a href="http://www.securosis.com">smart people</a> don't call it "DLP" - they call it "content monitoring and filtering." This sounds much less sexy, but much more useful. The boxes that will show up on your doorstep will still have "DLP" labels, but what they will do for you is really content monitoring and filtering. And even though it will not stop all data theft, a DLP box will likely prove useful more than once...</p> <p>Finally, all rants about any preventative AND monitoring technologies should really end the same: <strong>go refresh your incident response plans.</strong></p> <p><strong>Possibly related posts:</strong></p> <ul> <li><a href="http://chuvakin.blogspot.com/2008/05/in-passing-on-dlp.html">"In Passing on DLP"</a></li></ul> <div class="wlWriterSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:b2cc045f-700a-482b-a6ec-0cf1615903c3" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px">Technorati tags: <a href="http://technorati.com/tags/DLP" rel="tag">DLP</a>, <a href="http://technorati.com/tags/security" rel="tag">security</a>, <a href="http://technorati.com/tags/data%20loss" rel="tag">data loss</a>, <a href="http://technorati.com/tags/data%20theft" rel="tag">data theft</a>, <a href="http://technorati.com/tags/data%20protection" rel="tag">data protection</a></div> <div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Fri, 20 Jun 2008 12:59:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dlp">dlp</category>
      <category domain="http://securityratty.com/tag/cutting-edge dlp technologies">cutting-edge dlp technologies</category>
      <category domain="http://securityratty.com/tag/dlp technology">dlp technology</category>
      <category domain="http://securityratty.com/tag/dlp box">dlp box</category>
      <category domain="http://securityratty.com/tag/leak prevention">leak prevention</category>
      <category domain="http://securityratty.com/tag/leak">leak</category>
      <category domain="http://securityratty.com/tag/non-malicious leaks">non-malicious leaks</category>
      <category domain="http://securityratty.com/tag/leaks">leaks</category>
      <category domain="http://securityratty.com/tag/loss">loss</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/316563485/so-can-we-have-dlp.html">So, CAN We Have DLP?</source>
    </item>
    <item>
      <title><![CDATA[.. and now - PIN stealing..]]></title>
      <link>http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb</link>
      <guid>http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb</guid>
      <description><![CDATA[Once the bad guys figured out how easy it was to sniff unencrypted ATM and card authorization traffic to steal track data, and after making a killing with stolen card numbers, they began setting their...]]></description>
      <content:encoded><![CDATA[Once the bad guys figured out how easy it was to sniff unencrypted ATM and card authorization traffic to steal track data, and after making a killing with stolen card numbers, they began setting their sights on bank PINs. PINs - thanks to ANSI's TG3 - are encrypted with a half-decent algorithm (and they are looking to strengthen that even more now), which means that sniffing the traffic will only give you an encrypted number - something which would require a decryption key to recover. A number of security controls - requiring dual control and split knowledge for key components, strict physical security requirements and Tamper Resistant Security Modules - help in securing the keys. Assuming one cannot gain access to the encryption keys, this leaves only two scenarios for an attacker to gain access to the unencrypted PINs:<br />1. Before the PIN is encrypted by the Tamper Resistant Security Module (an ATM in the case of bank customers). Most criminals have been using fake PIN pads and a number of techniques like jamming cards etc. to steal PINs, blissfully unaware that they are on camera most of the time. Nice video <a href="http://www.youtube.com/watch?v=9mi4kB15wMY">here</a>.<br /><br />2. After the PIN reaches the issuer and is decrypted. This is the scarier situation - as the attacker would have access to a database of unencrypted PIN numbers / PIN offsets coming in from all around the globe. PCI supposedly <a href="http://pcianswers.com/2007/08/31/issuer-pci-requirements/">requires</a> that issuers be compliant and not store unencrypted PANs or PINs - but no validation is required (unless they are a VisaNet processor).<br /><br />Well - Kevin Poulsen at Wired <a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html">wrote today</a> about how an alleged ATM crime spree has been blamed on a Citibank hack. Though Citibank has denied the hack as the cause of the fraudulent withdrawals - all signs seem to point towards it so far.<br />(This definitely is not new - while testing an issuer's security I'd stumbled upon ATM log entry files - complete with PAN, PIN, full name, address, zip code and ATM location - back in the day when RFP had just released <a href="http://www.wiretrip.net/rfp/">whisker</a>.)<br /><br />This is probably just the beginning of a new wave. Issuers really need to pull up their socks and begin to treat cardmember data with the same respect that PCI Co is requiring merchants and processors to do - and while I'm wishing for horses - can ANSI or someone start working on some standards for requiring all track data to be encrypted in transit?]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 06:38:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pin">pin</category>
      <category domain="http://securityratty.com/tag/pin reaches">pin reaches</category>
      <category domain="http://securityratty.com/tag/pin offsets">pin offsets</category>
      <category domain="http://securityratty.com/tag/fake pin pads">fake pin pads</category>
      <category domain="http://securityratty.com/tag/atm location">atm location</category>
      <category domain="http://securityratty.com/tag/atm">atm</category>
      <category domain="http://securityratty.com/tag/bank pins">bank pins</category>
      <category domain="http://securityratty.com/tag/atm crime spree">atm crime spree</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <source url="http://securitycoin.blogspot.com/2008/06/and-now-pin-stealing.html">.. and now - PIN stealing..</source>
    </item>
  </channel>
</rss>
