Thursday, May 25, 2006

Security Issue?

I have been staying at the Marriott Long Wharf the past couple of nights, and I have forgotten to grab my room key more in the past two days than in the past 5 years combined. I am at a conference, up at dawn and out past dark, so I guess I'm a little tired. Anyway, I went down to get another key wearing my conference badge with my name on it, and instead of asking me for my license, they merely looked at my badge, 'knew' who I was, and gave me another key.

Now if I were a diabolical person, and a competitor happened to be here and had left their badge in one of the sessions, I could easily have pulled the same thing - masqueraded as them - gotten a new room key (credential), gone into their room with a thumb drive, copied everything, and depending on my mood, deleted everything or not.

So to all you travelers out there - beware of the old-fashioned masquerading of your identity.

Wednesday, May 24, 2006

Stupid Wins Every Time

So I am at Courion's Converge this week, and we were having some fun discussions last night related to the veterans' data being stolen, and the premise was that Stupid Wins Every Time.

No matter what we do to prevent bad things from happening, stupidity will somehow make it so every time, and never in the way that was logical or well thought out. It's like Homer Simpson vs. the NSA. Homer will win. Always. We're human and we can't help it.

Monday, May 22, 2006

Ouch!! I Bet No One Saw This Coming!

Boy, with all of the technology out there and a good solid upbringing about what is right and wrong, people still do stupid stuff, and we still can't protect us from ourselves.

I want to be the guy that sells Maxtor or Seagate on automatic hard drive encryption when you boot down...

Personal data of 26.5M veterans stolen

By Hope Yen, Associated Press Writer | May 22, 2006

WASHINGTON --Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data -- or even know they have it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave pending a review.

"We have a full-scale investigation," said Nicholson, who said the FBI, local law enforcement and the VA inspector general were investigating. "I want to emphasize, there was no medical records of any veteran and no financial information of any veteran that's been compromised."

"We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident," he said in a conference call with reporters.

The theft of stolen information comes as the department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans. Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.

On Monday, the VA said it was in the process of notifying members of Congress and the individual veterans about the burglary, setting up a call center and Web site if veterans believe their information has been misused.

It also is stepping up its review of procedures for the use of personal data for many of its employees who telecommute as well as others who must sign disclosure forms showing they are aware of federal privacy laws and the consequences if they're violated.

Nicholson declined to comment on the specifics of the incident, which involved a career employee who had taken the information home to suburban Maryland -- on disks, according to congressional sources who were briefed on the incident -- to work on a department project.

The residential community had been a target of a series of burglaries and the employee was victimized earlier this month, according to the FBI in Baltimore, which was investigating the incident.

The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information was included in the veterans' discharge summary that goes into a government database.

Wednesday, May 17, 2006

Infragard, FFIEC Solutions, Oh My!!!

I was at the NYC Infragard meeting yesterday, where the discussion was all about the FFIEC Guidance that was put out in October of 2005, what it really means, and some solutions that had been implemented or were under consideration. I learned a ton while I was there, and it was worth the time. Plus I met some great FBI agents and NYPD guys, as well as other business leaders who were in attendance.

Some of the things I learned while there:

1. The FFIEC guidance is guidance. It is NOT a mandate and is ENTIRELY dependent on a risk assessment.

2. The risk assessment must be completed, along with a deployed solution, by 12/31.

3. The American Banking Association is recommending that their members implement compartmentalized access (zoning) for employees, service providers, and contractors.

4. Service providers (xSPs) will be under heavier scrutiny, but the banks are ULTIMATELY responsible for implementing something based on their risk assessment.

5. TNT will be considered a 2nd factor (something you have/machine ID), along with username & password.

6. Section 326 of the Patriot Act comes into play.

7. Applications/areas/systems covered: Internet banking, loan origination apps, accounting apps, call centers, and telephone banking.

The guidance supposedly has to do with protecting the identity of customers and covering banks for high-risk transactions (high risk being defined as anything to do with money transfer, so basically everything). But I couldn't help but think that at the end of the day it is another example of a governing body of a collection of institutions trying to protect us from ourselves.

There were some interesting data points that I learned as well.

70% of identity theft is non-electronic and paper-based (dumpster diving).

Phishing and pharming will continue to grow for a few reasons - it's lucrative for the bad guys, people are suckers, and more people continue to increase their online activity. It's a numbers game, basically. More people going online means more targets, and more chances of catching someone off guard, or someone who has no clue what the internet or email is beyond penis enlargement offers and GEICO ads and popups.

The most interesting thing that I came out of the meeting with was this:


By that I mean there is so much focus on customer protection from the internet, when we all should be worrying about the disgruntled guy inside the bank (or Mumbai call center) with access to every piece of financial information of every customer that could be stolen in a single 8 hour shift.

If you are a 'Black ID' merchant or bad guy, then you want access to the most information with the least amount of effort. You will get this from the inside far easier than from the outside. At $2 per ID, getting 500,000 IDs downloaded and burned onto a DVD in 8 hours is not unlikely, and guess what - that employee/contractor is gone with a cool million, and can move to North Korea, publish and sell his memoirs online, and make even more.

In the immortal words of Gordon Gekko - 'This is your wake up call, pal. Now get to work'...

Monday, May 15, 2006

Cyber Consequences Unit's Top Threat Checklist

The U.S. government and industry face many cyberthreats that, until now, have not received adequate attention, according to a new checklist outlining the threats.

“We’re talking about vulnerabilities where we can calculate the effects, and the effects are considerable,” said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit.

The unit’s Cybersecurity Checklist looks at potential avenues for real-world cyberattacks and recommends ways to thwart them. Borg presented a draft version of the list at the GovSec conference in Washington, D.C. DHS has not yet approved the draft.

The list includes 478 questions relating to cybersecurity attacks in 16 attack venues in six areas of vulnerability:

* Hardware: Physical equipment, physical environment and physical byproducts.

* Software access: Identity authentication, application privileges, input validation and appropriate behavior patterns.

* Network: Permanent connections, intermittent connections and network maintenance.

* Automation: Remote sensors and control systems and backup procedures.

* Human operator: Security training and accountability.

* Software supply: Internal policies for software development and policies for dealing with vendors.

The list contains recent content that reflects how the cybersecurity environment has changed in the past several years, Borg said. It uses a simpler framework than many similar checklists and is more self-consistent and easy to use, he said.

The checklist provides more specific guidance for industry and recognizes economic realities, Borg said. It also includes asterisked items that are necessary but difficult and expensive to implement, he said.

If the list is going to be used as a standard, it’s a practical necessity to let companies off the hook for the asterisked items, Borg said. “We don’t have the services and products to deal with them,” he said.

The unit analyzed each of the 16 critical infrastructure sectors, Borg said. Many sectors say they follow international security standards but still have gaping security vulnerabilities, he said.

“They follow all the procedures, they do all the checklists, but they have the open fields of Belgium to drive tanks through next to their beautiful, secure systems,” Borg said.

Borg referred to the Maginot Line that the French built along the border with Germany to prevent attack before World War II, but that the Germans circumvented by heading north through Belgium and Holland.

A gigantic area of vulnerability is the intersection of physical and cybersecurity, Borg said. People in each field don’t understand how physical security can cause cybersecurity breaches and vice versa, he said.

Another is inserting malware that causes normal business processes to occur in inappropriate or wrong ways, such as causing a valve at a chemical plant to open at the wrong time, Borg said.

One of the biggest security holes in networks is extra connections added for the convenience of senior users without attention to security or proper documentation, Borg said. "It's a very bad, scary one," he said.

Copies of the checklist are available by request at

Wednesday, May 10, 2006

Identity, SPIT & VOMIT

So I am at an ISSA event and we were discussing VOIP as the Wild West and a pretty fragmented space. As I look at the maturity model of the Internet vs. VOIP, I see many similarities:

1. What is it?
2. Why should I use it?
3. This is great!
4. Did we just open Pandora's box? Again?
5. How do we control/secure it?
6. What's SPAM?
7. Why are there so many bad guys out there?

These are a few discussion points off the top of my head. Since this blog focuses on identity management, let me take you down a specific path -

How do we apply identity to devices in such a way that we know that a call is originating from a corporate owned device?

How do we know that the origin and destination numbers are who they say they are?

Is that even important?

I see the VOIP space as having to grapple with all of the same issues, and then some (political) on top of this. Think about it - voice architects, voice infrastructure, and voice support are under fire. Mix in the fragmentation of the VOIP market: do you look at VOIP or not? Who does what now - IT folks or voice folks? How do you work that out? It'll be the North vs. the South again. Think vendors do a lot of finger pointing when the sh*t hits the fan? Try getting these camps together...

If yes, then what? How do you remove as much risk as possible surrounding all of the stuff we worry about in the network/data world, like man in the middle, replay, SPIT (Spam over Internet Telephony) and VOMIT (Very Often Misconfigured Internet Telephony)?

mark.macauley AT