[SecurityRatty] tag: utmost

Urgent Message

Wed, 17 Sep 2008 15:57:30 +0000

Good Day To You My Friend.
It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to share with you. I got your reference in my search for someone who suits my proposed business relationship.
I am 54 years old and happily married with children, and I have an obscured business suggestion for you. I will need you to assist me in executing a business project from Hong Kong to your country. It involves the transfer of a large sum of money. Everything concerning this transaction shall be legally done without hitch. Please endeavor to observe utmost discretion in all matters concerning this issue.
Once the funds have been successfully transferred into your account, we shall share in the ratio to be agreed by both of us.
I will prefer you reach me on my private email address below (xxxxxxxxx@yahoo.com.hk) and finally after that I shall furnish you with more information's about this operation. Should you be interested, please forward the following to me urgently:
1. Full names
2. Occupation
3. Private phone number
4. Current contact address
Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture. Although nothing ventured is nothing gained.
Your earliest response to this letter will be appreciated.
Kind Regards,
Ben S. Bernanke

The Importance of Trust

Tue, 16 Sep 2008 15:46:00 +0000

As an instructor and trainer, I am constantly reinforcing the importance of living by one's word.

Integrity, Honor, Loyalty - all of these fine characteristics are the building blocks upon which reputations are raised. It is of the utmost importance in any walk of life to "live by your word", but in the security profession - especially where the protecting of life is concerned, it is everything.

I attended National Stadium last night and watched the Washington Nationals beat the New York Mets. I was fortunate to have been invited to enjoy the game from the president's box. During the pre-dinner networking, I ran into a business owner whom I had met a few years previously. He had been introduced to me at that time as his business involved him being around some area celebrity sporting stars.

Being interested in a chance to possibly offer executive protection services to these stars, I arranged to meet with this business owner to discuss how we might be able to assist one another. I remember it was during the winter and the roads were a little suspect in places as I drove the 25-30 miles to be closer to his location.

I arrived a little early, as is my custom and waited for him to arrive. It became clear after about an hour that he was experiencing some difficulty or had some other reason for being so late. I left a few voice mails and called it quits after around 90 minutes. He never returned any of my calls but when I reached him about a week later he admitted that something else had come up. Unfortunately, he did not think it worth his while to let me know this with a phone call.

So, here I am last night and this same person is introduced to me once again. Maybe he didn't remember back three years ago because he started to tell me about some connection that he knew that may be a "good fit" for my company. His small talk fell on deaf ears. He had already lost all credibility with me and eventhough I have not thought about it once in the inetrvening years, as soon as I saw him it came back as clear as day.

In his book; "The Speed of Trust", the author Stephen M.R. Covey sums it up best - "keeping commitments is based on the principles of integrity, performance, courage and humility. It is the perfect balance of character and competence. Particularly, it involves integrity (character) and your ability to do what you say you are going to do (competence)."

New Weblog - Its Gonna Be Good: Risktical.Com

Fri, 01 Aug 2008 07:51:03 +0000

From Chris Hayes at http://risktical.com/.

I have the utmost respect for Chris as a risk analyst. He’s big in (started?) the Columbus OWASP chapter (and I have to admit to not getting to a meeting yet because I’m a slacker), works, lives and breathes Information Risk, and if you want a pragmatic, practical view of risk within the context of a sophisticated IRM program, his blog is something you’ll want to read.

Also, he’s into the cello. Which is cool.

Collaboration in the Cloud, Virtual Worlds and the Hacker Mindset

Thu, 17 Jul 2008 11:51:24 +0000

Collaboration in the Cloud

Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers. Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”. One major focus area is Virtual Worlds.

Teleporting Virgins

The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds. The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.

At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended. Today just login and teleport are supported. No stealing those trade secret “assets” yet ;-).

Linden Labs speaks to this issue:

Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.

With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here. I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out. “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.

Threat Profiling Second Life

Getting back to reality, people are already exploring Virtual World security. Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.

He covers:

In-game cheating
Identity theft
Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)

For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).

Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.

In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.

Security Function as a Business Enabler

Fri, 27 Jun 2008 16:50:00 +0000

In one of my earlier blog posts I branded Information Security function (as part of IT) as an overhead of an overhead. It is utmost important for security manager to run the security function in a way that it enables the business.

The various components (sub functions) of security organization should align with the business objectives of the IT and the whole organization. There needs to be a cohesive security strategy in order to align the various comoponents. One good way of understanding the business objective is why is the business parting with money for deploying a specific security component. Why is business giving me money for Compliance? Why is business giving me money to implement IDP? Constitutive questions such as these will help you to understand the fundamental concerns for the business and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each every units of your business complaint with certain standards/legal regulations and so on would be a tall order. First define the scope, draw a circle around the units that need to be compliant, then come up with a strategy to make it compliant by formulating your objective - derived from the business objective of why the business gave you money.

Any security implementation effort should have a well defined focus (scope), business objective and strategy to bind the various components cohesively that aligns with the ultimate business objective. By this business will view security organization with dignity else security organization will end up being a spoke in the wheel of business.

In the past, I was involved in discussion about the ROI of information security and security is insurance and so on. After eating the forbidden apple from the tree of paradise, I realize security has neither ROI nor akin to insurance. Information security is way of doing business with due care. Security is way of enhancing the trust of a business among customers and thus enhancing the identity (or brand image of the company). Few years down the line people won't even question why you do security, it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore right?

If components of security function is not cohesively aligned with business objective it is spoke in the wheel of business else it is a brand enhancer of business.

The power of communication.

Fri, 13 Jun 2008 13:24:00 +0000

I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood.When I was working for the United Nations in different countries around the world, I would often be told by other UN staff that they were surprised that they could actually understand what I was saying. Apparently, they had met other Irish and could only understand a few words here and there. That was easy for me to understand. As the Deputy and later Chief of the United Nation's Special Investigation Unit, it was of the utmost importance that people could understand me. Imagine questioning a person who was facing deportation back to their country for an alleged crime. It would be unfair to them if I didn't make my self understood, even if it meant that I had to slow down my fast Irish speech and leave out the Irish slang words (that very few people around the world can ever understand).

I was in Dublin last weekend, passing through on my way to the Middle East. The big topic was the Irish referendum on the Lisbon treaty. It seems that the country was fairly evenly divided by those who were; voting yes, voting no, did not know. I wasn't that terribly sure what it was all about so I asked my sister and her husband. They had to admit that the whole thing was rather unclear and that the Politicians didn't do a great job of explaining. Then I met up with my brother. He too was not 100% about the importance of a "yes" or "no" vote. I got the impression that Ireland might lose their National identity if they voted "yes", so I left thinking that "no" was the way to go.

Apparently the rest of Ireland thought so too, as I am sitting in my hotel room in Dubai listening to the BBC and Sky news talking about the after effects of Ireland's rejection of the Lisbon treaty. That got me thinking. The only time we really ever had any problems with a client involved communicating, or a lapse on somebody's part. It is amazing how large the repercussions can be when you are talking about a whole country. Next time you are involved in a negotiation, remember the Lisbon treaty and make sure you know what is at stake. You could be avoiding a costly mistake.

MetriCon 3.0

Fri, 13 Jun 2008 03:27:39 +0000

MetriCon 3.0 — Third Workshop on Security Metrics

Tuesday,29 July 2008, San Jose, California

___________________________________________________________________

8:45am:Welcome words / housekeeping details - Dan Geer

Four grouped sessions to follow; each has three at-most-20 minute presentations of

ideas followed by 30 minutes of reaction from discussants and general interaction

with all MetriCon attendees.

Breaks are short as is life.

Lunch, which is in-room, is long enough but no longer.

Dinner,which is in-room, is as long as people want though there is nothing "to do"

that is more important than making the very utmost of the day and thus keeping at it

until late.

Any and all electronic materials that presenters or attendees wish to provide will be

available online at the meeting and a digest account of all that transpires will be made

available to all (and eventually published).

There is both a lot to cover and the time to do it.

___________________________________________________________________

9:00am-10:30am - Models proposed and derived

•Thomas Heyman & Christophe Huygens : "Using Model Checkers to Elicit Security

Metrics"

•Adam O’Donnell : "Games, Metrics, and Emergent Threats"

•Fred Cohen : "Bringing Clarity to Security Decision Making Using Qualitative

Metrics in 2 Dimensions"

Discussants:Lloyd Ellam & Elizabeth Nichols

___________________________________________________________________

10:30am-10:45am break

___________________________________________________________________

10:45am-12:15pm - Tools and their application

•Yolanta Beresnevichiene : "Metrics Driving Security Analytics"

•Alain Mayer : "Security Risk Metrics: The View From the Trenches"

•Amrit Williams : "How to Define and Implement Operationally Actionable Security

Metrics"

Discussants:Gunnar Peterson & AndrewJaquith

___________________________________________________________________

12:15pm-1:30pm - In-room lunch, the final 30 minutes jointly from

•Jennifer Bayuk : "Comparing Metrics Designed for Risk-Management with Metrics

Designed for Security"

Discussant:Bryan Ware

___________________________________________________________________

1:30pm-3:00pm - Scoring results and methods

•James Walden : "Code Complexity and Static Analysis"

•Karen Scarfone : "Evidence-Based, Good Enough, & Open"

•Arshad Noor : "Identity Protection Factor"

Discussants:Fred Cohen & Dan Conway

___________________________________________________________________

3:15pm-4:45pm Enterprise plans and lessons learned

•Caroline Wong : "eBay’sMetrics Program"

•Clint Kreitner : "CIS’ Metrics Program"

•Kevin Peuhkurinen : "Great-West’s Metrics Program"

Discussants:Christine Whalley&Dan Geer

___________________________________________________________________

5:00pm-5:45pm - Perimeters arethe simplest possible thing to measure, right?

•Sandeep Bhatt : "Metrics-Based Firewall Management"

•Avishai Wool : "Firewall Configuration Errors Revisited"

Discussant:Bob Blakley

___________________________________________________________________

5:45pm-whenever:Minimalist closing remarks - Dan Geer

Drinks & dinner in room, and whatever happens next — which it is hoped includes

lessons learned, volunteers for further episodes of MetriCon, ideas on howwecan

best further support ourselves jointly,etc. Perhaps we will have someone stand up

and lead such a discussion; consider that part of the program still fluid.

Breach at UCSF gets leadership response

Sat, 31 May 2008 06:34:08 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] Its good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected. Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007. It seems likely that the unusual traffic may have started on or about December 2, 2007. Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation. January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh. If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised. The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great! I just want to point out that the word "undertaken" is past tense. Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

this event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent! This demonstrates good organizational leadership, of which information security is integral. It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top. Hopefully the momentum will continue. All organizations, non-profits and profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach

Discover the Secret to Secure Remote Access: GoToMyPC Corporate Security White Paper

Fri, 30 May 2008 09:00:00 +0000

(Source: Citrix) Protecting the integrity of the corporate network and the privacy of sensitive data is of utmost concern to any organization. That's why security should be top priority when extending remote access to mobile employees. Download the Security White Paper to learn how Citrix® GoToMyPC® Corporate provides industry-leading security, end-point management and centralized control.

Two stolen Saks Incorporated laptops contained sensitive information

Sun, 11 May 2008 17:28:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/30/08

Organization:
Saks Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown*

*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire

Types of Data:
Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.

Breach Description:
"In mid-April 2008, Saks learned that four company laptops were stolen. Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In mid-April 2008, Saks learned that four company laptops were stolen. Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.

Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data.
[Evan] Thank God for that!

Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.
[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops. Password-protected laptops are little more than nothing to stop someone for accessing the information.

We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.

Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).
[Evan] I think laptop thefts and losses are more typical that network, website or database breaches.

The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.

Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.

Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.

Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. ET on Monday though Saturday through our dedicated toll-free information helpline at 1-888-724-2455.

We deeply regret any inconvenience or concern that this matter may cause you.

Commentary:
The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Office of Saks Incorporated. I respect Mr. Sadove for addressing this situation in person (so to speak). It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible.

Past Breaches:
Unknown