[SecurityRatty] tag: wraps

Rifling through my DEMO notebook

Sun, 14 Sep 2008 20:00:00 +0000

Seen and heard last week at Network World's DEMOfall 08 in San Diego: When RealNetworks took the wraps off new DVD-to-PC copying software, one major selling point was that users now can sleep soundly knowing for the first time that their homemade copies of commercial movies are perfectly legal.

Feds Charge 11 in Breaches at TJ Maxx, OfficeMax, DSW, Others

Tue, 05 Aug 2008 15:12:00 +0000

A Secret Service investigation wraps up every major retail network breach in the last five years.

Details of DNS Flaw Leaked; Exploit Expected by End of Today

Tue, 22 Jul 2008 17:15:06 +0000

The details of a critical vulnerability in a core internet infrastructure have leaked onto the web, despite efforts to keep the information under wraps. The security researcher who found the hole the the Domain Name System is now urging everyone to fix the vulnerability before it's too late.

DNS hole prompts synchronized patching effort by IT vendors

Tue, 08 Jul 2008 09:00:00 +0000

A cache poisoning flaw that was discovered earlier this year in the Domain Name System protocol was kept under wraps while a group of vendors worked in tandem to develop software patches.

Metro Round-Up: Aurora (Ill.), Bay Area (Calif.), Santa Fe Says Yes-Fi

Thu, 12 Jun 2008 06:13:56 +0000

As networks go dark, so, too, do governmental network advocates: I haven't tracked the political fortunes of elected and appointed officials who pinned their star to Wi-Fi's glow, but I have to imagine both those that have suffered removal from office or who have remained in position are infinitely less likely to push plans in the near future that have any parallels with the plans that stalled.

Aurora, Ill., joins MetroFi cities turning down gear deal: Aurora, the city of light, the first electrified streetlit city in the U.S., opts to not buy the MetroFi gear. Along with all of MetroFi's other networks (excluding Riverside, Calif., operated with AT&T), June 20 will likely be the last day of service. About 160 of 600 to 900 nodes were installed in Aurora.

San Francisco paper wraps up MetroFi's shutdowns in their area: Ryan Kim writes in the SF Chronicle about the many networks being shut down by MetroFi around the bay. Santa Clara and San Jose are still looking at MetroFi's equipment offer. Neither city has complete coverage; Santa Clara is focused on some residential portions, and San Jose has some downtown service. Kim brings up the spectre of twice or three times dead Ricochet.

Santa Fe bypasses Wi-Fi health concerns: The city council voted unanimously to approve Wi-Fi service in libraries and city-owned buildings. This odd paragraph appears in the AP story: "Julie Tambourine, an advocate for the disabled and homeless, said after Wednesday's meeting that the legal analysis was flawed, because it didn't take into account those with diabetes, seizure disorders, respiratory ailments and other conditions that can be adversely affected by microwave radiation." It's unfortunate the writer didn't get a medical research in any of those areas to discuss that. I have never heard the strongest advocates of the view that EMF causes health issues mention any of those conditions.

Top 5: Why Customers Consider NAC

Sat, 31 May 2008 18:10:33 +0000

On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC.

At each of these opportunities, I like to ask ‘Why are you considering NAC?”

Here’s my Top 5 of Why Customers Consider NAC (or think they want NAC). This is not based on any other organization’s research or polls, nor is it based on analyst analysis. It’s not based on forethought or musings of an ‘expert’. It’s just my personal experience from my daily interactions.

#1: Endpoint Compliance
I put this one first, because I think it’s the most-hyped and possibly least significant. I know, that’s harsh, especially when endpoint compliance seems to be the big bat NAC carries around. Truth be told, it’s more of an ‘icing on the cake’ for the people I talk to. Until the auto-remediation features are a little more mature, the idea of checking for much beyond presence of anti-virus and possibly patches is unattractive. Frankly, endpoint compliance for LAN-based devices can be a Charlie Foxtrot except under the most ideal circumstances. There are many large organizations and DoD groups that need endpoint compliance, and that’s a primary driver for them. For the rest, one of the other reasons below is a primary compelling feature and endpoint checking is just another knob they can play with.

The lack of fervent interest in endpoint checking is why I had to disagree so strongly with Stiennon’s when he advises in his NWW article “Don’t even bother investing in NAC”. The entire premise of his issues with NAC center around various endpoing checking. (You can check out Shimel’s response too Stiennon’s blog here.)

#2: Guest Access
Believe it or not, the most frequent response I get for “why are you considering NAC” is “guest access”. Guest access seems to be a thorn in every organization’s side. It’s a simple problem with impossibly complex solutions… or so they think. For years, we’ve been provisioning safe and secure guest access for customers with the use of clean and simple protocol-less VLANs and so, I know that about 82% of the time, there are much simpler ways to offer guest access than by rolling out a full NAC implementation. If guest access is your primary and only goal with a NAC solution, there’s probably a better, faster and less expensive solution. If money and time are no object, then NAC can be a good way to get from point A to B and give you a few fun technical trinkets to play with.

#3: Edge Port Security
After guest access, the next thing I hear most is interest in adding edge port security with a 802.1X NAC solution. (We call this Layer 2 NAC.) I tend to think for the time being, this is NAC’s sweet spot. Note I said ‘for the time being’, I think this may change in the next 18-24 months. But for now, the ability to lock down edge ports and secure switch-to-switch links is an extremely attractive feature. Outside of the 802.1X protocol, there aren’t really any other ways to skin this cat. I know what you’re thinking… you don’t have to do NAC to use 802.1X… and that’s certainly true, but for a network of any size, NAC makes an 802.1X implementation easier to manage and monitor centrally and gives you more of that NAC icing we all love.

When the 802.1X-REV comes out (probably early 2009) I think you’ll see organizations that have previously blown off 1X seriously considering it for all the added security and multi-user support it will bring to the table.

#4: User & Resource Accounting
Unless you have a 3rd party solution or want to dig through mounds of RADIUS syslogs, you probably don’t have a good way to account for user authentication and accountability of resource access throughout the network. Most vendors’ NAC solutions already have pretty good logging and reporting features built in today. Depending on the solution and integration of other devices, you may even get detailed accounts of which user viewed exactly what, when and from where. This is a great selling point to organizations that are trying to follow strict regulations for accountability of financial or extremely sensitive resources. The standards bodies (IEEE, TNC framework and IETF) are coming out with more and more ways to leverage 3rd party security devices within NAC. The IF-MAP is a great example and we’ll be seeing more I’m sure.

#5: Dynamic VLAN Assignment
Lastly, but not least, I hear a lot of customers that are looking for a good way to dynamically provision attributes, such as VLAN assignment and QoS to users or devices. It makes switch configuration and management much simpler, and eliminates the need to assign port-based VLANs. The ability to leverage your existing user directory and define both broad and very granular attributes is certainly a draw, and NAC is a great way to offer that.

That wraps up my Top 5. Of course, there are plenty more drivers, both business-based or technology-based, but these are the 5 I hear most.

# # #

Wee-Fi: Fon Founder Profiled; Creative No-Fi; Inspiair Physics-Fi; Foster City-Fi

Tue, 27 May 2008 09:17:25 +0000

Profile of Fon founder and his plans for future in the New York Times: The head Fonero, Martin Varsavsky, gets a write-up from a confab he put together and hosted at his vacation home on Menorca. Varsavsky is nothing but interesting, something I've heard from everyone who has met or had business dealings with him, and this article partly details his upstart challenge and the shifting focus at Fon. I've been saying for a long time that Fon locations may be numerous and require no coordination for their growth, but only locations convenient to frequent use would have a real impact, such as in retail locations. John Markoff notes that Fon has simplified its roaming model--non-Foneros pay, Foneros don't--and that Varsavsky is now focused on bigger wins, like Fon's Time-Warmer and BT deals. Markoff also gets the detail that Fon is losing €500,000 a month down from €1m per month. Varsavsky is interested in WiMax to supplement Wi-Fi, but I can't see any model in which the frequencies useful for WiMax will be widely available enough for this kind of roaming system.

Creative drops Wi-Fi music player: The formerly leading portable music player firm, before Apple and Microsoft entered the biz, confirmed a report that the Zen Share existed, but that the company chose to drop that Wi-Fi-enabled player. An under-wraps player may appear in about two months that could include Wi-Fi--the name Zen X-Fi could be revealing or not, as X-Fi is an audio-processing technology.

Inspiair's physics-defying technology sold, relabeled Max-Fi: I express my doubts about the combination of marketing promises, including area covered, low latency, and speed, and the collision of those promises with the laws of physics as well as regulatory issues. The lack of sales, noted in the article, tends to confirm my opinion, which is precisely what happened with Vivato after early positive response led to devices being built that couldn't meet the mark. Current claims are 30 sq km with 14 access points for outdoor coverage at the port of Antwerp, a network that's in a test. I wrote about Inspiair back in 2006.

Foster City, Calif., turns down MetroFi equipment offer: The city decided against paying $200,000 for MetroFi's gear, which serves about 1,500 people a month, partly because yearly operations would top $125,000.

Cyber Espionage

Mon, 28 Apr 2008 02:45:35 +0000

Interesting investigative article from Business Week on Chinese cyber espionage against the U.S. government, and the government's reaction.

When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

It can only help for the U.S. government to get its own cybersecurity house in order.

On the road again

Tue, 25 Mar 2008 15:14:06 +0000

This week I'm in Moscow. British Airways just about managed to get me here and maintain the 100% lateness record on flights I've taken in the last six months. Todays' escapades were either (according to ground staff) because of the late arrival of the previous flight and the crew being out of hours or (according to captain of the aircraft that eventually got airbourne nearly three hours late) because the first aircraft wasn't fit to fly. The purpose of my visit here is to review the information security side of things of our Russian office. I've got a well rehearsed process that covers everything from the server room to the filing cabinets. An on-site visit usually reveals issues that would otherwise remain under wraps but it's important to show support and offer constructive guidance rather than criticism. The wrong approach can result in being ring-fenced and subsequently not receiving any information at all. Most of all though, I'm looking forward to some good local hospitality and the opportunity to finally do some face-to-face networking with the people over here. До скорого!

Oldham Primary Care Trust NHS loses two data sticks

Fri, 11 Jan 2008 14:15:40 +0000

Technorati Tag: Security Breach

Date Reported:
1/11/08

Organization:
Oldham Primary Care Trust NHS (PCT)

Contractor/Consultant/Branch:
None

Victims:
PCT "clients"

Number Affected:
148

Types of Data:
"The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth."*

*I'm not sure if this means that copies of assessments AND names, addresses and dates of birth OR just names, addresses and dates of birth.

Breach Description:
The Oldham Primary Care Trust NHS has issued a press release announcing the loss of two "data sticks" containing personal information belonging to clients that had contact with the organization's continuing care service. A total of 148 clients were affected by the breach.

Reference URL:
The Oldham Primary Care Trust NHS Press Release
Manchester Evening News Story

Report Credit:
Oldham Primary Care Trust NHS

Response:
From the online sources cited above:

A breach of information security has taken place. Two data sticks containing information relating to 148 clients who have been in contact with the PCT’s continuing care service have been reported missing.

This should never have happened.
[Evan] Got that right.

All the individuals affected have been identified. Our first priority has been to try to contact all 148 individuals, or their representatives, personally. We have made personal contact with 145, and offered to visit them. We are waiting for three to get back to us after several attempts to contact them.

We have followed up the contacts in writing with our sincere apologies, and have set up a
dedicated freephone information line for those who may have further questions.

The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth. It did not contain financial information.
[Evan] It's a little unclear to me what this means exactly.

There is no risk at all to anyone’s future care.

A formal internal investigation has been launched.

The PCT takes patient confidentiality extremely seriously and has taken immediate action to prevent any further similar incidents. All data sticks containing ‘personal’ information have been recalled, and a full and thorough review of current processes and procedures is now underway.

Gail Richards, Oldham PCT chief executive, said: “We are deeply sorry – this should never have happened. We have launched a full and thorough investigation, and are reviewing our current policies relating to data storage.
[Evan] It's always a good sign when a "chief executive" comments on security. I have said this before, but it shows that they understand their information security role and that the buck stops with them.

“While we believe the data sticks have been lost, we have reported the incident to the police in order to get the best advice possible. We have no reason at all to believe the information has been accessed by anyone else.”

To make sure this cannot happen again, the PCT:

Is undertaking a full audit of how removable media is used across the PCT
Has recalled all data sticks and pen drives which contain ‘personal’ data
Nearly completed recalling all data sticks and pen drives in order to reissue encrypted devices to staff alongside a new procedure for their use
Has reminded all staff formally of existing policies and procedures
Is urgently developing updated guidance for staff around information security

[Evan] These steps will go a long way towards preventing an similar occurrence. This is sound information security judgment, in my opinion.

Anyone with concerns should contact the PCT’s information line on freephone 0800 144 4304. The line is open from 8.30am8pm MonFri and 10am4pm SatSun.

Commentary:
Overall, this has to be one of the best responses I have seen in some time from an organization that experienced a breach of personal information. The response is open, thorough and honest. After reading the press release, I am clear about what happened and what Oldham Primary Care Trust ("PCT") plans to do about it. Too many times, organizations attempt to keep a breach under wraps. PCT prominently displays the information on their web site home page.

The breach happens. The organization comes to terms with the fact that a breach occurred. The organization reaches out to everyone affected with an honest explanation and sincere apology. The organization issues a press release to announce what took place and what it intends to do about it. The organization saves face and keeps a certain amount of trust in the process. I am impressed with how PCT has responded to this breach.

Past Breaches:
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay