I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus than in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives.

During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment...]]> Mon, 06 Oct 2008 20:00:00 +0000 two-day agenda day uks police forces information secure police officers volatile environment virtual security focus lines Perimeter-centric Regulations in an Information-centric World http://securityratty.com/article/14b20bc109726f2d895ba34188e3ede3 http://securityratty.com/article/14b20bc109726f2d895ba34188e3ede3 iang surveyed the events that conspired to our present ever mounting economic problems. Interestingly enough Charlie Munger identified much the same themes (not all the particulars) way back in Wesco Financial's 1990 letter

Granting the presence of perverse incentives, what are the operating mechanics that cause widespread bad loans (where the higher interest rates do not adequately cover increased risk of loss) under our present system? After all, the bad lending, while it has a surface plausibility to bankers under cost pressure, is, by definition, not rational, at least for the lending banks and the wider civilization. How then does bad lending occur so often? 

It occurs (partly) because there are predictable irrationalities among people as social animals. It is now pretty clear (in experimental social psychology) that people on the horns of a dilemma, which is where our system has placed our bankers, are extra likely to react unwisely to the example of other peoples' conduct, now widely called "social proof". So, once some banker has apparently (but not really) solved his cost-pressure problem by unwise lending, a considerable amount of imitative "crowd folly", relying on the "social proof", is the natural consequence. Additional massive irrational lending is caused by "reinforcement" of foolish behavior, caused by unwise accounting convention in a manner discussed later in this letter. It is hard to be wise when the messages which drive you are wrong messages provided by a mal-designed system. 

In chemistry, if you mix items that explode in combination, you always get in trouble until you learn not to allow the mixture. So also, in the American banking system.

So Munger identified this volatile combination about 17 years ago at least. In the same letter Warren Buffett added:

A few small sections of Mr. Munger's letter have been excluded: When Berkshire's report exceeds 72 pages, we have problems in binding it. Because of this limitation, either Charlie's letter or mine had to be cut and I decided a coin flip was appropriate. In fact - as things turned out - I finally decided nine flips were appropriate. -- W.E.B.

Only thing I would (and did) add to iang's post is that historically speaking when things are looking bad is when deals are found. Jason Zweig (channeling Ben Graham)

"Could things possibly get worse? I don't know, but I am an optimist -- so I certainly hope things do get worse. Nothing else should satisfy an intelligent investor."

It is possible to introduce chemical or biological agents directly into external air-intakes or internal air-circulation systems. Unless the building has carbon filters (or the equivalent), volatile chemical agents would not be stopped and would enter the building untenanted.

[...]

Other scenarios involve the use of helicopters equipped with agricultural spraying equipment to discharge large chemical or biological contaminant clouds near external or roof-mounted air intakes or ventilators.

[...]

Terrorists have considered producing a radiological dispersal device (RDD) by burning or exploding a source or sources containing radioactive material. If large quantities of easily dispersed radioactive material were released or exploded near an HVAC intake or circulation system, it is possible that targeted individuals could suffer some adverse health effects.

I'm sure glad my government is working on this stuff.

Today Allan Pomerantz at the InfoSec blog takes a look at how the sub-prime crisis in particular might be affecting security at financial institutions —

In order to help restore their balance sheets, these institutions are announcing extensive expense reductions, particularly layoffs. Of course, the details of these cutbacks are not announced, so the result of this situation on their information security cannot be known. However, there are three results that are quite feasible in this situation.

* First, the staff reductions likely include security personnel.
* Second, the capital spending reductions may include security infrastructure.
* Third, and perhaps most important, the number of “insiders” (i.e., employees and contractors) who have a motivation to cause harm to their employers will probably increase.

This could be a volatile mix.

He also offers a couple suggestions. Go read the full post to learn more.

So my next iteration of fun reading on security, logging and other topics.

1. 0x000000 blog has a neat post on security, word definition and all. It reminds us that "security is forever" since it is about people, not broken technologies. A quote: "And so we will never able to secure other people, they have to secure them self. And we know that they can't." Same blog also have a fun (but a little bizarre with a little 80s feel) interview with Richard Stallman.
2. Along the same line, discussion about security industry longevity is here at Gunnar Peterson's blog: specifically, he debates Mike R's semi-humorous prediction that in 2012 there will be 0 "security professionals." Indeed, secure networks + secure OS + secure apps < security.
3. Also a very fun read comes from DarkReading: "7 dirty secrets of the security industry." Example quotes: "The goal of the security vendor is not to secure, it's to make money" , "Security vendors want businesses to buy what they sell, so they push specific products to block specific threats "; it also discusses another facet of compliance vs security.
4. Fun - and as usual heated - debates about the "AV is dead" and "anti-anti-virus revolt" happen here. Is blacklisting  AV dead now? More dead than before? :-) Or just "limited",  but still very useful? BTW, Matasano opines on the subject here as well, calling it not a revolution, but a protest.
5. The next  Carnival of the Security Catalyst Community - April 22, 2008; as always fun. Next carnival Apr 29 is here and the last (so far) one is here.
6. Really good look at logging for developers is here. "all too often logging gets treated as optional and not necessary. In this column we will cover the essentials of logging []for developers!] from a security perspective"
7. Latest stolen account prices are posted here by AVERT Labs guys. Account with $16,000 goes for about 700 euros (!) Also, Finjan reminds us that top corporations are all owned.
8. ISP data retention rears its (ugly?) head again. Good business for LogLogic or privacy nightmare?
9. A fun read from Tizor Blog: "How did the TJX data breach happen? Part 1: Anatomy" A must read, with diagrams, etc. "After breaching the TJX wireless system, the attacker was able to gain administrative privileges to the RTS servers located at the TJX corporate headquarters in Framingham, MA."
10. A very good read from Greg Shipley: "Risk Management: Do It Now, Do It Right." A lot of interesting bits about CSOs, security technologies evolution, etc. "The journey continues. We invested hundreds of millions of dollars in intrusion-detection systems without a solid understanding of their relative effectiveness and total cost of ownership. The IDS craze led to reinvestments in intrusion-prevention systems that even today are only partially enabled, and PKI is still a bad word in many IT circles. There's no shortage of disappointments on other product fronts."
11. "Data Classification Is Dead?"  Rich Mogul explains why data classification by the owners is never going to fly... "Enterprise content is just too volatile for static tags to really represent its value. Even those of you in defense/intelligence don’t *really* do granular data classification. " This is a good reminder to shoe that just spout the propaganda "first, need to classify data." Can you hope to do "DLP" without it? Also, read this one from Rich as well: not only you can't classify, you often don't know who owns what.
12. Hot, hot, hot! "Snake Bytes " on DarkReading. "We are all in the business of stopping just enough crime to keep us in business." Wow! Definitely a must read.
13. Marcus Ranum on logging in Start Trek (read the whole thread): "What do you expect from a starship that runs on Windows-24k? Microsoft added support for syslog in 2348 - citing customer demand - but still
    has no Enterprise-class log architecture." :-)
14. Piece on PCI and log management where a vendor makes an idiotic faux pas by saying that "less than 1% logs are of interest." In reality, all (OK, most) logs are of interest under the right circumstances. And we almost never know which ones we'd need.
15. A fun blurb from a lawyer on PCI. Good conclusion too: "Regardless, now is the time for merchants to begin engaging their legal teams to address PCI compliance, and opening the lines of communication between the lawyers and security pros." He also fights the checkbox mentality by saying that  "merchants should not view their internal security personnel or QSAs as “rubber stamps” of PCI compliance." I am happy to see this lawyer basically say that if you ignore PCI, your ass is  0wned :-)

On that happy note - see you next time! :-)

From: XXXXX
To: mike_rothman@XXXXXX
Subject: RE: Att.
Date: Thu, 7 Feb 2008 22:36:52 +0100


Dear mr Rothman,

I do not know you either, so I will send you some pictures of my estate in Germany, you can look at it at google earth from above. Sended you the adress before.

XXXXXX
Barendorf
Germany

#############

My age is 50, married with a German Lady, having two Sons.


Further, I 'am not interested in the company you are working for, only how to get the money to Germany. BUSINESS ! ! !

Now it's your turn.


Sincerely

XXXXXXXXXXX

---

From: mike_rothman@XXXXXX
To: XXXXXXXXX
Subject: Att.
Date: Thu, 7 Feb 2008 21:25:38 +0100

Att. XXXXX,
I received your quick response to my proposal. To formally introduce my self to you, I am an old top banker and have worked with Scottish Investment Trust for so many as one of their fund manager. I am an international staff, presently in Scotland office.
Scottish Investment Company is registered in Scotland number 1651. I started work with SIT 2004 and I am responsible for the European Jurisdiction Equity. I was with Abbey National Asset mangers before I moved to SIT, and a member of CFA institute.
I graduated from University of Dundee and Edinburgh where I got my BSc and MBA in civil engineering respectively.
First, I believe it is necessary for me to express my profound gratitude to you for even responding to my email with interest. I am obliged to you for your gracious concern and I hope your assistance is really genuine, although through your email I would know if I could count on you at least to an extent.
I sincerely, appreciate your interest to assist me in this project. I need a reliable foreigner who would be of assistance to me in order to have the funds transferred.
However, I would like to be convinced of your willingness, commitment and most of all your trustworthiness to execute this deal with me. I certainly cannot compromise any of these virtues, you know what I mean, and I have my principles.
Without doubt, you will eventually earn the benefits or our partnership if we are able to work things out and have the funds relocated within couple of weeks or thereabout and thereafter disbursed to your other respective accounts.
Indeed, it is necessary for me to be certain of the person to whom I will be entrusting this deal, my trust will definitely not be given out lightly, I need to be fully convinced that you are a matured person with some integrity, we should at least have respect for each other, this I would say is very essential.

Scottish Investment Trust (SIT) was founded in 1887; The Scottish Investment Trust (SIT) today is one of the world’s oldest and largest independent, self-managed investment trusts with assets of over £45 billion at 30 September 2007.
We have been working to provide solid returns for investors for over 115 years - through a number of bull and bear markets and the most volatile conditions. Our approach has generated real long term growth in both capital and income.
When you invest in SIT you are buying shares in a company that invests in the stocks and shares of companies on the world's major stockmarkets. Your investment has the potential to grow both through incomes from dividends and through capital growth from increases in share price.
SIT has a diversified equity portfolio and invests in a broad spread of international equities. Although there is always an element of risk involved in any stockmarket investment, we aim to lower this by spreading investment over numerous companies and sectors around the world, while actively searching for opportunities to benefit our investors and maximise returns.
We aim to provide steady growth in both capital and income, whilst prudently spreading investment risk. We consider these to be the key requirements for anyone seeking a solid core holding for their investment planning.

However, in my First Email Proposal to you, I stated that the said funds came out as a result of the following:
""I handle all our Investor's Direct Capital Funds and secretly extract 1.3% Excess Maximum Return Capital Profit (EMRCP) per annum on each of the Investor's Magellan Capital Funds.
As an expert, I have made over £27.4m from the Investor's EMRCP and hereby looking
for someone to trust who will stand as an Investor to receive the funds as Annual Investment Proceeds from Scottish Magellan Capital Funds.

EXPLANATION: I have more than 158 Corporate Investors attached to my PORTFOLIO who’s Capital Investment Funds are been managed and administered by me alone.
This Capital Investment Funds has a value of US$5.4Billion FIXED. The $5.4billion is been used for trading in Stock Market, Crude Oil and Lending with Profit Returns.
Every Year, each Corporate Investor is expected to receive 20% interest from his total Investment Capital Funds which is paid to the Investor annually as their Excess Maximum Return Capital Profit (EMRCP). However, I made average of 21.3% from the Investor's Investment Capital Funds annually, which have exceeded our targeted 20% of Total Investment Capital Funds. On this note, I retained the extra 1.3% from the 21.3% as my personal profits for managing the Capital Investment which is this £27.4m. On the other hands, I cannot claim this funds without presenting someone to stand as an Investor otherwise our Establishment will convert the funds into the Company's Treasury. This is why I came to you for the deal to take place.
DURATION: If you are very serious as I am, we will have this transaction concluded with 25 Banking days from the date of start.
However, for such a business of lofty magnitude, I think the most important thing is for us to build a strong association between each other so that I can be able to trust you because I have been betrayed by so many people even by my co workers that I have now decided to play my cards very close to my chest. I will like this deal to be secret and confidential. No third party. Just between you and me. Do not discuss it with any Scottish Investment staff to avoid jeopardizing my work and position.

Before we go into this deal, I will like to know about you.
Following this mail, send me your telephone number so I can call you to discuss on the modalities of the transaction. You may as well call me on my number +4XXXX so that we can discuss on the modalities of the transaction.
Sincerely
Mike Rothman

---

From: XXXX
To: mike_rothman@XXXXX
Subject:
Date: Thu, 7 Feb 2008 13:09:36 +0100



Dear mr. Rothman,

I'am a businessman, Dutch, living and working in Germany have several companies.

off course I'am interested for the 30%.

When this is phishing I'am not interested and can you better try to find someone else.
I will not pay any money for taxes, transport, lawyers, barristers or others.


Sincerely


XXXXXXX

1. The complicated story - The scammer uses a fairly complicated story, which would really require an investment professional to figure out whether it's kosher or not. But all that complicated vernacular contributes to building a credible front in the form of the Scottish Investment Trust, which is a global and well known investment house.
   
   
2. The request for "confidentiality" - The fact that this guy is claiming that he's got some additional funds because he "out-performed" sound like a hoax to me. Also the fact that he's requested confidentiality, even from other SIT personnel means this is a ruse.
   
   
3. The fact that he needs a "foreigner" to place the money - Again, this just sounds funky. If he outperformed the expectation, I'm sure he'd be due a nice bonus from SIT. Not an illicit $35 million dollar payout that he needs to get out of the country.
   
   
4. Other inconsistencies - You can't see the domain (I removed it), but it's a public email service in Australia. Yet the phone number he provided (I removed that also) is in the UK. These are inconsistencies that you need to catch.