Friday, March 30, 2007

IdentityStuff Facts & Metrics

I was recently catching up on doing some analytics on my blog and looking at visits and referrers, etc. and I thought I would share some data for those of you who emailed me asking - Who reads this stuff anyway?

My privacy policy is simple - I look at high-level visit data. I couldn't care less who you are, or who you work for. I want to know if the blog is being read, and whether or not my views are adding value to our industry. The data also points to the dominance of Google: search referrals account for 90% of the traffic.

There are 37-112 pageviews per day

75% are returning, 25% are new on average

Keywords that drive traffic - USB Hacks, Virtualization, TJX, Machine Identity in that order

Visitors this week are from the US (65%), Canada (7%), UK (6%), Denmark (8%), Italy (2%), Australia (1%), France (1%). Historically over the past year, 75% of visitors are from the US

Top referring sites (400 Total Sites):
9 of the top 10 are Google (Search, Search UK, etc.)
#7 of the top 10 is Oracle

Most popular time of day readers visit: 2-3PM EST (GMT-5)

The Hits Just Keep on Coming...

The data on the TJX breach keeps trickling out and this breach of 45.7M records is now the new poster child for a Big Breach. Some things that I find interesting:

- It continues to point to an inside job

- They made arrests, but it's the equivalent of arresting the people who bought a pair of stolen shoes from an employee out of their trunk in the back of a Marshall's

- TJX seems to follow the paradigm of the US Drug Policy by going after the small fry, or at least that is the conclusion I draw based on the information released

- At 47.5M records multiplied by $182/record the costs stand (ballpark) at $4.3B, a full ONE THIRD of their Market Capitalization!!!! Put that in your spreadsheet and crunch it...

- I still want to know what the impact is on their financials, whether or not someone may be held accountable because of Sarbanes-Oxley, and how Identity Theft will factor into SOX at the end of this

I will continue to harp on the importance of Machine Identity as long as the inside jobs continue to happen. If you can reduce the access not only by user but by machine, why wouldn't you do that? It is one of the easiest and cost-effective threat vector reductions an organization can deploy.

Is it perfect? No, but damn it, it's the equivalent of having the DNA of the suspect(s) at the crime scene.

Friday, March 23, 2007

TJX Update - reported by The Boston Globe

I wonder where this is going to lead...

Six people arrested in Florida this week are suspected of using credit-card data stolen from retailer TJX Cos. to buy computers, televisions, and other electronics, Gainesville police said.
The Florida Department of Law Enforcement said the six individuals apparently used stolen credit-card data to purchase large quantities of gift cards from retailers including Wal-Mart Stores and its Sam's Club unit.

They then used the gift cards to buy electronics, but store employees grew suspicious and contacted police. During the investigation, officials learned the source of the data was from a computer breach first reported by Framingham retailer TJX in December, Gainesville police said today.

The losses to Wal-Mart and the banks that issued the real credit cards totaled more than $8 million. A spokeswoman for TJX, which runs more than 2,500 stores including T.J. Maxx, Marshalls, and HomeGoods, would not confirm that the data involved in the Florida case stemmed from the breach. But she said the company continues to cooperate with law-enforcement authorities.

TJX believes hackers broke into the company’s computer system in 2005 and stole millions of customer credit- and debit-data and some license numbers dating back to 2003. Customers across the country have reported fraudulent use in what could be one of the biggest losses of consumer data to date. TJX faces numerous lawsuits from individuals and banks that accuse the company of failing to adequately safeguard private data and of delaying disclosure of the breach.
(By Ross Kerber, Globe staff)

Thursday, March 15, 2007


I was thinking about multi factor authentication (see previous blog on the topic) and what else does adding factors to the authentication mix get us (besides closer to a DNA match of who we do business with)?

It got me thinking about Federation and trying to extend a different model of authentication and access to different users, different machines, different physical access levels, different logical (network) access for a single user type in multiple environs.

One thought I had was that interchangeability of factors lets me set up anything from zero to very stringent access control policies for virtually any environ. The POA (Point of Authentication) is the gatekeeper, the devices in the network are the cops/enforcers, and whether you are a user or a machine, what the gatekeeper knows and shares with the cop governs where you go and what you do. There is also the O factor (Omnipotent) of full auditability, so that if the gatekeeper is at lunch and the cop forgets TCP/IP for a second, everything is still logged in the event things get really interesting.

Business case examples:

I work for the FBI. I spend time at NSA, CIA, DEA, and State Police. We all use multiple databases that share subsets of information and disinformation. I have two 'badges'. One is my badge that I wear on my belt loop with a lanyard attached that has some/all pertinent information about who I am and my clearance level. In essence, where I can go in the physical world.

Then I have a laptop or PDA with a biometric scanner that can embed the biometric data, User ID/Password data, and a unique machine ID for my network access wherever I am.

That's a lot of factors, and gives me a lot of flexibility about how I manage who gets access to what, while keeping key data sets separate (somewhat) by using card and machine.
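To make the gatekeeper / cop / audit split above concrete, and the earlier point about reducing access by machine as well as by user, here is an added example of my own. It is not code from the original post or from any agency or vendor. It is a toy Point of Authentication that turns the presented factors, including a registered machine identity, into an assurance level, applies a per-environment policy, and writes an audit record on every decision, including when the enforcement point is unreachable. The user and machine IDs, device key, factor weights, environment names and policies are all constructed assumptions.

```python
"""Toy Point of Authentication (gatekeeper) with machine identity and audit.

Constructed example: user IDs, machine IDs, device keys, factor weights and
environment policies are all made up for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Assurance(IntEnum):
    NONE = 0
    LOW = 1      # a single factor, e.g. password only
    MEDIUM = 2   # two or more factors
    HIGH = 3     # biometric + badge + registered machine


@dataclass
class Request:
    user_id: str
    environ: str
    password_ok: bool = False
    badge_ok: bool = False
    biometric_ok: bool = False
    machine_id: Optional[str] = None
    machine_key: Optional[bytes] = None   # secret the device proves it holds


# Constructed machine registry: machine ID -> SHA-256 of its device key.
KNOWN_MACHINES: Dict[str, str] = {
    "laptop-0042": hashlib.sha256(b"constructed-device-key-0042").hexdigest(),
}

# Constructed per-environment policy: minimum assurance, and whether the
# request must also come from a registered machine.
POLICIES: Dict[str, Dict] = {
    "lobby":         {"min": Assurance.NONE,   "known_machine": False},
    "case_db_read":  {"min": Assurance.MEDIUM, "known_machine": True},
    "case_db_write": {"min": Assurance.HIGH,   "known_machine": True},
}

AUDIT_LOG: List[Dict] = []   # the "O factor": every decision is recorded


def machine_is_known(req: Request) -> bool:
    """Machine factor: the device must present the key registered for its ID."""
    if req.machine_id is None or req.machine_key is None:
        return False
    expected = KNOWN_MACHINES.get(req.machine_id)
    if expected is None:
        return False
    presented = hashlib.sha256(req.machine_key).hexdigest()
    return hmac.compare_digest(presented, expected)   # constant-time compare


def assurance_level(req: Request) -> Assurance:
    """Interchangeable factors: the count and mix decide the level."""
    machine_ok = machine_is_known(req)
    if req.biometric_ok and req.badge_ok and machine_ok:
        return Assurance.HIGH
    factors = sum([req.password_ok, req.badge_ok, req.biometric_ok, machine_ok])
    if factors >= 2:
        return Assurance.MEDIUM
    if factors == 1:
        return Assurance.LOW
    return Assurance.NONE


def decide(req: Request, enforcer_online: bool = True) -> str:
    """Gatekeeper decision for one environment; always leaves an audit record."""
    policy = POLICIES[req.environ]
    level = assurance_level(req)
    machine_ok = machine_is_known(req)
    if level < policy["min"] or (policy["known_machine"] and not machine_ok):
        verdict = "DENY"
    elif not enforcer_online:
        # The "cop forgot TCP/IP": fail closed rather than open, but still log.
        verdict = "FAIL_CLOSED"
    else:
        verdict = "ALLOW"
    AUDIT_LOG.append({
        "user": req.user_id, "machine": req.machine_id, "environ": req.environ,
        "level": level.name, "machine_known": machine_ok,
        "enforcer_online": enforcer_online, "verdict": verdict,
    })
    return verdict


if __name__ == "__main__":
    key = b"constructed-device-key-0042"
    full = Request("agent17", "case_db_write", password_ok=True, badge_ok=True,
                   biometric_ok=True, machine_id="laptop-0042", machine_key=key)
    print(decide(full))                                                  # ALLOW
    print(decide(Request("agent17", "case_db_read", password_ok=True)))  # DENY
    print(len(AUDIT_LOG), "audit records")
```

The point of the `known_machine` flag is the one made above: a password plus a badge is still denied on the case database if the request does not arrive from a registered device, so an insider who has the right credentials but is on the wrong box is stopped and, either way, the attempt is in the audit log.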


Friday, March 09, 2007

I smell an acquisition if it works...

I just saw this announcement from Secude & Siemens and it is one of the first announcements I've seen in a while that is focused on extending Identity and Access Management for SAP. It's no Thor/Octet String/Oracle play, but it gets SAP in the game:

End to end technology partnership for identity and access management with emphasis on SAP integration
Posted on 09 March 2007.

SECUDE and Siemens have agreed to enter into a partnership which combines the partners’ know-how into a complementary and collaborative strategy.

The alignment of resources creates significant benefits for both partners and presents a win-win situation for SAP and their customers. The intention is to capitalize on each other's complementary technologies and coordinate marketing and sales efforts on a global scale to service and support the market more efficiently and effectively. “The driver for this partnership is that the whole is more than the sum of its parts”, states Doris Hermann, VP and General Manager Security and Identity management, Siemens AG.

Siemens has successfully marketed and sold security solutions on a global scale. These solutions include an Identity and Access Management suite based on the Siemens DirX product family providing a standard-compliant, extremely reliable, scalable and highly-performing platform as well as certified and secure smart cards solutions.

SECUDE is an established leader in key and access management for over a decade with a suite of products on the same platform including Single Sign On, Key and Token Management, and managed encryption of files, folders, mail and various storage devices. SECUDE has been a strong IT-Security partner of SAP for 10 years and is a leading provider of key and access management technologies for SEAGATE encrypted disk drives.

Monday, March 05, 2007

Wireless Broadcast of Identity Information

I found the charger to my old handheld marine radio this past weekend, plugged it in and charged it up. I then did some channel surfing to see what I could pick up. I was pretty astonished when I hit the police channel.

I heard full names, license numbers, license plates, rap sheet info, etc.

It got me thinking that what if I wanted to write down some of that information, Google some people, get additional information, would it be enough to create a new identity or steal theirs? Which one would I choose? Surely not the one with the guy who had 3 priors for driving to endanger, working on his fourth, with no license but to a guy driving a Porsche with a clean record from CT, now that could be fun.

I have several friends in Law Enforcement and I intend to ask them about this issue - are they contributing to the release and possible theft of personal information? Granted it's public information (criminal records) but is it readily available to most of us? What could be done with it? They probably have to wait until someone does something with the information to commit a crime before they act.

I suspect it's a case of balancing good vs evil - so be careful where you get pulled over...


Friday, March 02, 2007

The Land of Opportunity - Reason #243

So I was in Maine recently in a vehicle that was allegedly due for an inspection, and was subsequently pulled over by a very cordial police officer in Biddeford. He wrote up a ticket, and I waited the requisite number of days to go online and settle up and/or contest the charges.

I went to the PayTixx website and punched in the requisite (public) information about my ticket. I then went to pay said fine, and just happened to notice that there is NO encryption/SSL on the site where I need to enter my PRIVATE information like credit card number, etc. etc., as evidenced by no padlock on the browser I was using. I used another browser (older) to rule out an obvious technical glitch. Nada. Zip. No Padlock. No Security.

There is however a nice little graphic with the logo and a little padlock, allegedly ensuring that the site is secure. Hmmmm, I must be on the insecure page. This logo links me to a page with details about the Transaction Security Policy (Full text at the end of the posting).

So the State has a policy, a nice custom branded security looking logo with a link to the site, yet absolutely no validation from the technology they allegedly use to validate to me, the private information holder, that the site is in fact secure and using at least the 128-bit encryption they claim.

I'm no White Hat, Grey Hat, or Black Hat, but I do know a few and I have to say that there is a potential GOLDMINE here that is being funded by the taxpayers of Maine, for personal information of alleged drivers of different infraction types - speeders, uninspected motorists, suspended licensees, etc. etc. being poached and sold. Perhaps that is why CSC got thrown out of the State IT projects they were working on.

Don't tell me the State of Maine, or any other State, can't afford better (ANY) security these days. Please DO tell me that the States will not contribute to identity theft any more than they already do. This is ridiculous.

By the way - it is also NOT PCI compliant. Big Ding from Visa and Mastercard, folks. They could fine you TODAY, and suspend your right to take these cards as payments - in fact if they did, they would ensure my security and privacy today.

I will again urge that Mark Kemmerle, Donna Grant, or Matt Dunlap please return the calls I have made into your office. I am more than willing and able to help improve the *real* security - and now, it's personal on why you need it.
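The check done by eye above (look for the padlock, try a second browser) can be scripted so it is not missed. What follows is an added example of my own, not code from the post, from PayTixx or from the State of Maine; the page URL, the HTML and the list of sensitive field-name hints are constructed. It flags any form that collects card or identity data when either the page carrying the form or the form's resolved submit URL is plain HTTP, and it gives no credit at all to a padlock image on the page.

```python
"""Checker for payment forms that would submit sensitive data without TLS.

Added example: the page URL, HTML and field names are constructed; they are
not the PayTixx site or Maine's actual pages.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest card or identity data (constructed list).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "ssn",
                   "account", "routing", "password")


class FormScanner(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field_name: str) -> bool:
    return any(hint in field_name for hint in SENSITIVE_HINTS)


def find_insecure_forms(page_url: str, html: str) -> List[Dict]:
    """Return forms that collect sensitive fields but involve plain HTTP.

    A form is flagged if the page carrying it was not served over https
    (the form could be rewritten in transit before the user sees it) or if
    the form's resolved submit URL is not https (the data itself travels in
    the clear). A padlock *graphic* on the page counts for nothing.
    """
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    page_https = urlsplit(page_url).scheme == "https"
    for form in scanner.forms:
        sensitive = [f for f in form["fields"] if is_sensitive(f)]
        if not sensitive:
            continue
        target = urljoin(page_url, form["action"])   # "" resolves to the page itself
        reasons = []
        if not page_https:
            reasons.append("page_not_https")
        if urlsplit(target).scheme != "https":
            reasons.append("action_not_https")
        if reasons:
            findings.append({"action": target, "fields": sensitive, "reasons": reasons})
    return findings


# Constructed sample page modelled on the situation in the post: a padlock
# logo image, a card-entry form, and an unrelated search form.
SAMPLE_PAGE = """
<html><body>
<img src="secure-logo.png" alt="padlock logo">
<form method="post" action="/pay/submit">
  <input name="citation_number">
  <input name="CardNumber">
  <input name="cvv">
  <input type="submit" value="Pay">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""
PLAIN_URL = "http://tickets.example.invalid/pay"     # constructed
SECURE_URL = "https://tickets.example.invalid/pay"   # constructed


if __name__ == "__main__":
    for url in (PLAIN_URL, SECURE_URL):
        print(url, "->", find_insecure_forms(url, SAMPLE_PAGE))
```

Pointed at the HTML of a real payment page together with the URL it was fetched from, the same function reports the card form with both reasons when the page is served over HTTP, and nothing when page and action are both HTTPS. Whether the server really negotiates the 128-bit cipher the policy text promises is a separate check on the TLS handshake, not on the page markup.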

Maine's Transaction Security Policy

Maine state government and InforME take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private and secure. Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information.
Sensitive information passed in online transactions such as social security numbers, banking information, and personal data is confidential. Please refer to our privacy policy for details about the collection of information from visitors to state websites.

Whenever you see this icon on a Maine state government online service, you can rest assured that the following safeguards and security criteria are in place:

- Transactions involving sensitive information occur on a secure server. You can look for the "lock" symbol at the bottom of your browser window to verify that you are on a secure server.

- Our secure socket layer (SSL) software uses state-of-the-art 128-bit encryption to ensure that your personal and financial information cannot be intercepted during transmission to our server.

- All information requests pass through hardware and software security firewalls.

- Communication between InforME servers/systems and State databases is passed via a secure private network.

- Encrypted personal information includes credit card numbers as well as social security numbers and banking information.