[SecurityRatty] tag: weekly

Links for 2008-09-10 [del.icio.us]

Wed, 10 Sep 2008 20:00:00 +0000

Paul Melson's Blog: ArcSight User Conference 2008
* Logger 3.0 has adopted a more-ESM-like boolean filter interface. Big improvement over the chained-regex search in 2.5 and earlier. * Demo of Logger 3.0 shows that searches of data (no details on data set) are roughly 80x faster than a similar sized search on 2.5. (The claim is 100x faster, but I counted. Still, that's a significant improvement.) * Hugh has hinted that the slick, high-performance append-only storage stuff that Logger has is going to be integrated into ESM is some release beyond 4.5. That could mean the end of the Oracle / PartitionArchiver storage model.
Splunk Tames the Chaos Brought on by Virtualization : VMblog.com - Virtualization Technology News and Information for Everyone
Existing system management tools were not designed to handle the dynamic nature of virtualization. The Splunk for VMWare Management application includes a VMWare API for data input, over 25 pre-defined searches, alerts, and reports and dashboards specifically designed to monitor key metrics for the VMWare Virtual Infrastructure.
Dorian Software BLOG: Why Your HR Department Will Love Windows Vista, Even If Your IT Department Doesn't.
Event ID 4802 tracks whenever the screensaver is invoked after a group policy-determined idle time. Event ID 4803 tracks whenever the screensaver is dismissed by the logged-on user.
Moderately Idiotic Competitor
But the clever inside criminal is taking all the payroll data from the system that is either off the network or is temporarily down. When the machine comes back up, there is no record of the intrusion and the traditional "inside out" log management system tells the user there is no problem.
Last In - First Out: Presumed Hostile - Your Application is Out to Get You
Help - Eclipse SDK - Working with the Log4J Logging sample
Cartoon 2 from The Data Governance Institute ROI
Eccentric Engineer » Blog Archive » Conf Call Hem and Haw
It’s just a damned centralized-logging platform. Unix sysadmins have been doing those for years. This stuff is about as basic as tying your shoes. All this fluff seems like overkill…but it’s IT…and we have policies.
(ISC)2 Blog: Security metrics: more is not better
Are you Owned? | Roer.Com Information Security Blog
# list of all your profiles online, with your log in. # list of all your IM/e-mail and other communication tools, with log in # list of other sites/tools that requires you to log on. # The lists above should also include each sites URL or contact information for changing passwords, or in worst case shutting them down. # a friends-list who you trust, and who are willing to help you get back your own life online. The purpose is to have them help you rebuild your internet presence. Make sure you agree some way for them to be certain that they are communicating with you, and not someone else.
Industry View: Web Application Security Today - Are We All Insane? - CSO Online - Security and Risk
The problem has gotten so bad that industry sources say most websites hosting malware have been hacked, Google says 1.3 percent of their search queries return malicious content, and Vint Cerf (father of the Internet) approximates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus/spyware is not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best-practices" despite their ineffectiveness.
TaoSecurity: Schneier Agrees: Security ROI is "Mostly Bunk"

Silicon Valley's Wi-Fi Situation

Wed, 09 Jul 2008 06:11:40 +0000

The Palo Alto Weekly exhaustively examines its city's and Silicon Valley's state of public Wi-Fi: The paper looks at the failures of various networks around the valley, the current state of Wi-Fi plans, and how a non-profit, WiFi101, is building (with a grant) a new effort that could be a model for how to offer free service for those without Internet access.

The Weekly also mentions Palo Alto considering fiber to the home, which the city incorrectly calls "Fiber to the Premise" (not "premises") in their request for proposal. Palo Alto installed an early city-owned fiber ring in the mid-1990s. That 40-mi. ring cost just $1.9m (in 1996 dollars) to build. The new effort would be entirely funded by partners, who would receive certain assets and contracts to anchor the project.

Microsoft To Deliver Office Hotfixes in Scheduled Cumulative Updates

Tue, 01 Jul 2008 13:34:40 +0000

Microsoft has announced, in the Office Sustained Engineering blog, that they will be moving away from the current weekly schedule for the release of Office hotfixes. Instead, every 2 months a cumulative update will be released. The first such update will appear in August, 2008. The blog announcing the development does not go deeply into the reasons for the change, other than to say that "[t]he primary goal is to deliver high quality fixes in a predictable timeframe." It's also possible that, being more cumulative than individual hotfixes, the new updates will keep configurations more consist ant, and therefore testing easier. On the other hand, the blog says that, even though the updates will come in a package with multiple updates, "...[c]ustomers accepting hotfixes will not be required to install anything more than they install today in order to take advantage of a cumulative update." So that sounds like you can pick and choose hotfixes to install from the package. Customers will also still be able to demand "Critical on-demand (COD) hotfixes." These are for emergencies only, and presumably they are rare. The new approach will not change the schedule or contents of public updates, including service packs and security updates.

Microsoft to Deliver Office Hotfixes in Scheduled Cumulative Updates

Tue, 01 Jul 2008 13:34:40 +0000

Microsoft has announced in the Office Sustained Engineering blog that it will be moving away from the current weekly schedule for the release of Office hotfixes. Instead, every two months a cumulative update will be released. The first such update will appear in August 2008. The blog announcing the development does not go deeply into the reasons for the change, other than to say, "The primary goal is to deliver high-quality fixes in a predictable time frame." It's also possible that, being more cumulative than individual hotfixes, the new updates will keep configurations more consistent, and therefore make testing easier. On the other hand, the blog says, even though the updates will come in a package with multiple updates, "Customers accepting hotfixes will not be required to install anything more than they install today in order to take advantage of a cumulative update." So that sounds like you can pick and choose hotfixes to install from the package. Customers will also still be able to demand "Critical on-demand (COD) hotfixes." These are for emergencies only, and presumably they are rare. The new approach will not change the schedule or contents of public updates, including service packs and security updates.

The hidden gas tax

Fri, 27 Jun 2008 09:02:43 +0000

We all hate paying $75 dollars or more every time we fill up our gas tanks. When we see gas and oil prices hitting new highs (it seems to happen every day) we grimace and think about how much this is going to cost us as part of our weekly gas bills. We get even more upset when the utility bills come and we see our summer time electric bills going through the roof because of fuel surcharges.

What about the price of food and other goods? Have you noticed how much they are going up? Bananas were 49 cents a pound and are now 69 cents a pound. That is a huge increase. Our government says core inflation is not going up outside of energy costs and I am not sure I believe that. We are seeing huge increases in rice, wheat and other staples. But gas prices are a hidden tax on our economy across the board.

Have a look at the UPS receipt for a package that was shipped out to me. From a base price of about $22.00, fuel surcharges add another 10 dollars to the bill. That is almost a 50% tax for fuel! Add 50% to the cost of everything you buy and it is easy to see how this energy crisis is pushing us all to the breaking point.

We need a "send a man to the moon" effort to break free of oil and move to clean renewable, cheap energy now!

The hidden gas tax

Fri, 27 Jun 2008 08:02:59 +0000

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08

Mon, 23 Jun 2008 04:11:34 +0000

Technorati Tag: Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen, Wired.com, 6/18/08

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

Security firm finds server with health-care data
By Jeremy Kirk, NetworkWorld, 6/18/08

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Bank scam spreads as institutions look for possible source of breach
By Leanne Tokars, WSBT Channel 22 News, 6/18/08

SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.

Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.

[Evan] This story is related to the "1st Source Bank reissues all debit cards in response to breach" posting on 5/30/08. Another supporting story; Fraudulent ATM transactions overseas could be tied to Indiana bank breach This is a winding storyline.

Parents livid over database putting student profiles, pictures online
By Mohit Joshi, Top News, 6/16/08

Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.

OneSchool, will provide each and every detail of the state's 480,000 public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.

[Evan] I think I’d be livid too. Are parents given the opportunity to opt out, without penalty or lost opportunities? "According to Education Minister Rod Welford, if the parents refuse to give their consent to their child being profiled, they could also be denied access to public education."

Blears PC loss - officials blamed
BBC News, 6/17/08

Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged.

The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data.

Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.

The computer contained a combination of constituency and government information relating to defence and extremism.

[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations. Mr. Housden claims that the files were "not secret". They certainly weren’t public, were they?

Personal details of thousands of patients stolen from hospital in new security blunder
By James Tozer, The Daily Mail, 6/18/08

Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday.

In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines.

It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London.

[Evan] This is six stolen laptops in one month, and the four breaches in one year?! The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth". Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."

To Readers: I am testing this weekly "Other noteworthy breaches" post. I am using this first one to gauge interest and decide if it is something we should continue. Please feel free to comment.

Security Briefing: June 13th

Fri, 13 Jun 2008 13:38:29 +0000

Friday the 13th.

Well, it was apparently worse than I thought at Infosecurity Canada. I spoke with eight people that attended and all of them gave it a unanimous thumbs down. Too bad. I guess if they were better organized it wouldn’t have sucked that badly.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news… (better late than never)

Ameritrade Settling Hacking Lawsuit | Wired
McKinnon’s last ditch appeal to be heard by Lords | Heise Security
Third time’s the charm? RIAA tries end run around old case | Ars Technica
AG creates Cyber Crimes Unit division: Conway hopes to target Internet predators | Medical Leader News
Outsourcing contracts must offer personal data security | Computer Weekly
Windows Inspection Tool Set Helps You Troubleshoot Your System | AppScout
Web Application Security: Don’t Bolt It On; Build It In | IT Business Net
Opinion: Breach laws fail to protect anyone | InterGovWorld
Hacking: A story untold | Burlington Free Press

Tags: News, Daily Links, Security Blog, Information Security, Security News

Severance and personal details of GlaxoSmithKline employees exposed

Fri, 13 Jun 2008 09:10:18 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
GlaxoSmithKline

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
"more than 500"

Types of Data:
"names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts"

Breach Description:
"GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site."

Reference URL:
North West Evening Mail
Fleetwood Weekly News

Report Credit:
North West Evening Mail

Response:
From the online sources cited above:

GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site.

The emails contained information such as names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts, of more than 500 employees.
[Evan] Have you ever received or sent an email to an entire group of people on accident? It is embarrassing. Add to fact that 500+ of your co-workers were just put at risk of identity theft, and now how do you feel. Chances are greater if you use mail client programs that automatically guess the recipient after only typing a few letters. I wonder if this email was sent by a person or programmatically.

A reliable source, who wishes to remain anonymous, says GSK staff from across south and west Cumbria are up in arms.

They fear the information has been sent out to all 110,000 employees in the UK and US.
[Evan] Glaxo officials claim that this was not the case.

And some feel they could become victims of identity theft by cash-strapped workers facing redundancy.

The mails sent out all with attachments on the intranet

When they were opened up they gave details of all 540 or so workers. It had such details as their names, address, position and if they had put in for redundancy what figures they could expect.
[Evan] Wow! The redunancy (or severance) payout information adds a twist to this breach. Not only can the personal information be used for identity theft, but a person getting a larger payout can be targeted specifically. Bad.

For instance one of the bosses is getting £200,000 redundancy and then a £40,000 a year pension.
[Evan] That's a helluva payout. That's almost $400,000 and $80,000 US.

A few days after this happened a letter saying sorry was sent out to all employees.
[Evan] "Sorry" reminds me of what my children say to me when they do something they shouldn't have done.

GSK has apologised to staff, saying it regrets the incident and has made steps to make sure the breach is never repeated.
[Evan] How will GSK ensure that this breach is never repeated?

The firm claims only Ulverston workers had access to the information.

Ulverston site director Richard Pamenter say in the letter to Glaxo employees, obtained by The Evening Mail:

"I wanted to make sure you were made aware that information has been inadvertently released on both the GSK e-mail and intranet systems, which if used inappropriately, could permit access to certain personal information for staff.

"If any of these documents are used inappropriately, this could allow access to information on individuals’ date of birth, job grade, National Insurance number and home address.

"Additionally, for some staff, information on pensions, quotes and redundancy payments could be accessed. We have removed the information source from the intranet and are currently progressing the removal of documents and relevant attachments from the company email.

"We very much regret this incident has occurred and I would like to apologise unreservedly for any embarrassment or inconvenience caused."

Commentary:
This breach was not widely covered in the press and the information we know is very limited. I'm going to presume that this breach was the result of an employee mistake.

Past Breaches:
Unknown