[SecurityRatty] tag: william

File Sharing Program Exposes Prince William County Public School Private Records

Mon, 01 Sep 2008 18:13:58 +0000

Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer. It was determined that a school-based employee, while working on school business from home on [...]

MBTA Hack shows security hasnt improved in 10 years

Mon, 25 Aug 2008 16:46:11 +0000

One of my old L0pht collegues, Peiter “Mudge” Zatko, is featured in Mass High Tech today in an article titled Bay State hackers find security holes in defibrillators, RFID.

Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven’t changed since the 90’s when the L0pht worked to change the mindset of security:

Don’t trust vendor claims around security
Attacks aren’t “theoretical”
Security by obscurity is no security

The L0pht worked as an independent security research think tank. For us it was non-profit side job researching and publishing vulnerabilities in software and hardware. We did it for our love of technology and published what we found out because purchasers and users of the vulnerable systems deserve to know.

It’s 10 years later and the situation hasn’t improved much. Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today. But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light. They are being found by hobbyists, students, and IT people working in their spare time. How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing?

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part time IT work. Security testing needs to become a formal part of the process of purchasing and fielding digital systems. Our lives are starting to depend on it.

Coming Soon to a Movie Plot Near You

Thu, 31 Jul 2008 17:10:38 +0000

The problem with most video surveillance is that it is not actively monitored. It is recorded so that events can be reconstructed at a later date. While this may prove to be an effective deterrent in many situations, this does limit the effectiveness (and the cost of operation) of the surveillance system.

Of course, a major problem with that approach is that the “persons of interest” are long gone by the time the video shows that “yep, you can defiantly see some guy cutting off that lock and stealing that…”.

Another problem is that unless the equipment is being checked on a regular basis, it may be defeated (or just broken) for a long time before any problems are identified.

In the photo to the right, a NYC artist William Lamson, has created an interesting photo of hacking (or blocking) a security camera with a helium balloon. This is such a simple and inexpensive attack on the video surveillance camera that I am shocked I haven’t seen this before. I am also certain that the appearance of this in a TV or movie plot is imminent. It would have been pretty simple to use two balloons to block the camera without providing the nice tether to “fix” the problem.

Digital photography is a hobby of mine, and I have a mild obsession for photographing physical security faux pas (which to date has not resulted in any ‘Imperial Entanglements’ ). So I am going to use Mr. Lamson’s photo to kick off a new category (and series) on Art of Information Security, called “Security faux pas” - stay tuned…

Cheers, Erik

Coming Soon to a Movie Plot Near You…

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

William Jackson on FISMA: It Works, Maybe

Mon, 30 Jun 2008 17:03:54 +0000

Article from William Jackson in Government Computer News: Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks. Having said that, let’s look at some of Mr Jackson’s points:

NIST Special Publications: They’re good. They’re free. The only problem is that they’re burying us in them. And oh yeah, SP 800-53A is finally final.
Security and Vendors/Contractors: It’s much harder than you might think. If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”. In the meantime, check out what I’ve said so far about outsourcing.
Documentation and Paperwork: Sadly, this is a fact of life for the Government. The primary problem is the layers of oversight that the system owner and ISSO have. When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument. My personal theory is that the reason is insistence on compliance instead of risk management.
Revising FISMA: I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

Bookmark to:

Past, Present and Future Security Initiatives on Exhibit at Microsoft TechEd

Thu, 19 Jun 2008 12:58:11 +0000

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: “The future is here, it’s just unevenly distributed.”

At Microsoft’s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it’s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

Past, Present and Future Security Initiatives on Exhibit at Microsoft TechEd

Thu, 19 Jun 2008 12:58:11 +0000

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: ???The future is here, it???s just unevenly distributed.???

At Microsoft???s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it???s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Spray-On Explosive Detector

Wed, 28 May 2008 08:40:49 +0000

Interesting:

William Trogler and his team at the University of California, San Diego, made a silafluorene-fluorene copolymer to identify nitrogen-containing explosives. It is the first of its kind to act as a switchable sensor with picogram (10-15g) detection limits, and is reported in the Royal Society of Chemistry's Journal of Materials Chemistry.
Trogler's polymer can detect explosives at much lower levels than existing systems because it detects particles instead of explosive vapours. In the team's new method one simply sprays the polymer solution over the test area, let it dry, and shine UV light on it. Spots of explosive quench the fluorescent polymer and turn blue....

Did the Rent-a-Center manager knowingly expose personal information?

Mon, 12 May 2008 11:05:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?! What the *&^# kind of manager would knowingly put his/her customers at risk? I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this. It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be? This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working? Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days. Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

Latest linking of Senator Obama to a '70's terrorist may damage his reputation.

Sun, 11 May 2008 20:12:00 +0000

We all know how important it is to have a good reputation and the price we pay when it becomes damaged. The latest reports linking Senator Obama with the 70's radical, William Ayers, can not help him in his nomination bid.

William "Billy" Ayers was a member of the '70's domestic terrorist group: Weather Underground Organization (WUO). WUO were opposed to the Vietnam war and pledged to bomb the Capitol, The Pentagon and Police Stations after issuing a "declaration of a state of war" against the United States Government in 1970.

These days, Ayers is a professor at UIC. Apparently, Ayers and the Senator have served jointly on various Boards and have appeared on discussion panels together. Most likely Senator Obama failed to do the proper due diligence on his co-host and was unaware of his terrorist affiliations and involvement. Unfortunately for the Senator, many voters may not be so forgiving, especially when they realize that Ayers has recently made comments to the effect that he does not regret planting bombs and thinks he did not do enough. He even went so far as to state that he can not entirely dismiss the idea of planting a bomb today.

Last week during training of an Executive Protection class in Baltimore, I spoke about the need to keep an open mind when it comes to terrorism and to realize that terrorists come in all shapes, sizes and colors. I even discussed domestic terrorism and drew their attention to the Weather Underground. We should remember that terrorists will not always arrive looking as they do in television footage.

For instance, Timothy McVeigh could walk down any street in the U.S. prior to the bombing in Oklahoma and not one single person would ever have suspected him of being a home-grown terrorist. Everything (and everybody) is not always what it seems.