<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-14589955</id><updated>2011-12-13T11:11:14.235-05:00</updated><category term='TJX'/><category term='hannaford'/><category term='preventing a breach'/><category term='PCI'/><category term='SMB'/><category term='bailout money'/><category term='IdM'/><category term='Red Sox'/><category term='compliance'/><category term='Privacy'/><category term='Palin'/><category term='financial fraud'/><category term='World Series 2007'/><category term='Data Breach'/><category term='hacked email'/><category term='Yahoo'/><category term='identity theft'/><category term='Identity Management'/><category term='Audit'/><category term='Catalyst'/><category term='Entitlements'/><title type='text'>IdentityStuff</title><subtitle type='html'>Identity Management Blog - Mark MacAuley discusses things Identity Management related. 
Identity Management Implementations, Identity Management Support, Sun (Waveset) Identity Manager, Novell Identity Management, IBM (Tivoli) Identity Management, Trusted Network Technologies, etc.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default?start-index=101&amp;max-results=100'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>170</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-14589955.post-5883126859922208094</id><published>2009-12-31T09:18:00.002-05:00</published><updated>2009-12-31T09:27:46.917-05:00</updated><title type='text'>Backstopp  - The Morning After Pill for Identity Management?</title><content type='html'>It has been a while since I have posted anything as I do not have the time (nor do I get paid) to look at what happens in the Identity Management space like I used to. That said, I still believe that it is the concrete in any infosec organization, technology stack, or IT organization.&lt;br /&gt;&lt;br /&gt;I ran across a company that has what I thought was a crucial - as in I hope you don't need it but if you did you'll be glad you have it - piece of the puzzle oft ignored. 
I call it the morning after pill for data.&lt;br /&gt;&lt;br /&gt;It destroys data after you lose control, possession, or ownership of it. Someone steals your laptop, you get to wipe it the next time it boots up. An employee quits while in possession of key data and you wipe their machine and the data in it from your company HQ.&lt;br /&gt;&lt;br /&gt;Anyway, it answers the 'so what' question simply, effectively and inexpensively.&lt;br /&gt;&lt;br /&gt;http://www.backstoppusa.com&lt;br /&gt;&lt;br /&gt;Check it out...</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/5883126859922208094/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=5883126859922208094&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5883126859922208094'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5883126859922208094'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/12/backstopp-morning-after-pill-for.html' title='Backstopp  - The Morning After Pill for Identity Management?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8692731376802052840</id><published>2009-08-03T10:58:00.001-04:00</published><updated>2009-08-03T10:58:59.751-04:00</updated><title type='text'>Nice</title><content type='html'>http://www.theregister.co.uk/2009/07/29/kaminsky_hacked/&lt;br /&gt;&lt;br /&gt;The hackers get hacked...&lt;br /&gt;&lt;br /&gt;On the eve of the Black Hat security conference, malicious hackers posted a 29,000-line file detailing embarrassing attacks that took complete control of servers and websites run by several high-profile security researchers, including Dan Kaminsky and Kevin Mitnick.&lt;br /&gt;&lt;br /&gt;The file posted on security mailing lists claimed to have obtained more than four years' worth of data from Kaminsky, and as 
proof, it offered a smattering of emails, instant messages, and other communications that laid out sensitive research work and intimate personal conversations. It also revealed multiple passwords Kaminsky used and back-end configurations for Kaminsky's website, which was yanked offline Tuesday afternoon and remained down at time of writing almost 24 hours later.&lt;br /&gt;&lt;br /&gt;The data also documented attacks on the website of security expert Kevin Mitnick, who confirmed to The Register that his website was breached after hackers gained unfettered root access to machines used by his webhost. The 1MB text file capped weeks of hacks on several other security researchers, including penetration testing firm Matasano. The breaches highlight the often-overlooked reality that even seasoned security professionals are vulnerable to attacks that can expose sensitive business secrets.&lt;br /&gt;&lt;br /&gt;"It's the illusion of invulnerability," said Mitnick, who said he purposely kept sensitive data off the servers that ran his website. "I was actually surprised that the other people would keep their email and work data on an internet-facing host. It appeared the boxes were actively used for work."&lt;br /&gt;&lt;br /&gt;The breaches also raise the possibility that previously unpublished research about critical security vulnerabilities may have leaked into the public domain. Among the data published Tuesday was a Perl script exploiting Kaminsky's DNS cache poisoning bug. It also aired bash scripts showing security professional Jay Beale, who had an account set up on Kaminsky's server, performing nmap scans on a variety of domain names and IP addresses (presumably belonging to clients).&lt;br /&gt;&lt;br /&gt;Kaminsky wasn't available for comment at time of writing. He scheduled a press conference for Wednesday evening. On his Twitter page, he wrote: "Messy, but heh. 
Walk onto a battlefield, you might get shot."&lt;br /&gt;&lt;br /&gt;The attacks are reminiscent of ones that hit security researchers last year. In all of them, the attackers appear more interested in personally embarrassing the researchers and damaging their business reputations than in exposing vulnerabilities so they can be fixed.&lt;br /&gt;&lt;br /&gt;So far, it's unclear how the attacks were carried out. Freelance reporter Robert Lemos, whose website was compromised Tuesday evening, said a vulnerability in blogging software WordPress is the most likely explanation. Security researchers gathered at Black Hat have revived rumors that there's a zero-day vulnerability that's being exploited in SSH applications, but so far, there is no evidence to support the suspicions.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8692731376802052840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8692731376802052840&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8692731376802052840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8692731376802052840'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/08/nice.html' title='Nice'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4917966137020178935</id><published>2009-04-10T09:43:00.001-04:00</published><updated>2010-01-12T05:41:50.512-05:00</updated><title type='text'>Don' Mess with Texas, unless you are the FBI...</title><content type='html'>&lt;div&gt;More on the raid of the Core IP Networks data center. &lt;a href="http://blog.wired.com/27bstroke6/2009/04/company-caught.html"&gt;Story from the Wired Blog&lt;/a&gt;.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;I sincerely hope that the new CIO in the Obama Administration invests heavily in training. Specifically about why what the FBI did was not based on probable cause, as the judge ruled, but a legal-system-sponsored 'smash and grab'. 
A few metaphors come to mind:&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Special Agent ____________, a high school buddy of yours told me you smoked marijuana in high school and kept your stash in a Box of Cheerios. We looked into it and you bought Cheerios last week. We have a warrant to seize your entire house and its contents. We just want to make sure your high school buddy was on the up and up and that you don't have a stash. There's a Motel 6 down the street you can stay at with your family - but be careful, the Latin Kings are set up in there...&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;I will contact my &lt;a href="http://www.infragard.org/"&gt;Infragard&lt;/a&gt; officers to volunteer to train Special Agents on the basics of the internet and data center business.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Here is the Rest of the Story...&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;A company whose servers were seized in a recent FBI raid on Texas data centers applied for a temporary restraining order to force the bureau to return its servers, but was denied by a U.S. district court last week.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;The company, &lt;a href="http://www.liquidmotors.com/"&gt;Liquid Motors&lt;/a&gt;, provides inventory management and marketing services to national automobile dealers, such as AutoNation. 
It was one of about 50 companies put out of business last week when the FBI seized the servers at Core IP Networks, one of two &lt;a href="http://blog.wired.com/27bstroke6/2009/04/data-centers-ra.html"&gt;data centers and co-location facilities raided by the FBI&lt;/a&gt;'s Dallas office in the last month in an investigation into VoIP fraud.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;Although Liquid Motors was not a target of the investigation, the FBI took all of the company's servers and backup tapes in the raid.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;"As a result, Liquid Motors, Inc. has been put out of business and is in breach of its contracts with automobile dealers throughout the country," the &lt;a href="http://blog.wired.com/27bstroke6/files/Liquid_Motors_v_Lynd.pdf"&gt;company wrote in its application for the restraining order&lt;/a&gt; (.pdf). "Those automobile dealerships ... may hold Liquid Motors responsible for all of their lost business, and may terminate their contracts with Liquid Motors, causing permanent and irreparable harm ... for which there is no adequate remedy at law."&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;The company noted that it maintained duplicate servers to prevent outages and housed those servers in a building "on a five power grid with a generator that can last for thirty days."&lt;br /&gt;Only "a bomb to the building" or, as it happens, an FBI raid, could cause the servers to go down, the company stated.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;The U.S. District Court for the Northern District of Texas &lt;a href="http://blog.wired.com/27bstroke6/files/liquid_motors_v_lynd_tro_judge_ruling.pdf"&gt;denied the request&lt;/a&gt; (.pdf), however, after holding an ex parte discussion with FBI Special Agent Allyn Lynd, who led the raid. 
Lynd told the court that the owner of the co-location facility was being investigated for fraud and that even though Liquid Motors was not part of the investigation, its equipment might have been used to facilitate fraud by others. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;font color="#ff0000" size="4"&gt;The court found that the FBI had probable cause for seizing the equipment.&lt;/font&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;The FBI told the court it would work over the weekend to create mirror images of the data from Liquid Motors' servers and provide it to the company by Monday of this week. In order to do so, the FBI asked the company to provide the agency with blank hard drives for copying the data.&lt;br /&gt;Mark Burack, executive vice president for Liquid Motors, said his company did get its data back after supplying the FBI with hard drives, but that the company had to buy all new servers to restore its business.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;"We had to replace everything," he said, noting that they won't know how much the raid cost them financially for a while. He said the company has more than 750 customers who were affected by the raid, and that they're working on restoring service to those customers.&lt;br /&gt;When asked if his company planned to pursue legal action further he replied, "I don't know. There are a lot of lawyers involved. We're backed by some very large investors so we just defer everything to them."&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;He added that he respects the job the FBI does.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;"Catching bad guys is important," he said. "We support them and we know they have a tough job. And sometimes innocent people get hurt."&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4917966137020178935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4917966137020178935&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4917966137020178935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4917966137020178935'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/04/don-mess-with-texas-unless-you-are-fbi.html' title='Don&apos; Mess with Texas, unless you are the FBI...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-202268543929947444</id><published>2009-04-08T09:46:00.002-04:00</published><updated>2009-04-08T09:58:43.244-04:00</updated><title type='text'>Scary Stuff...</title><content type='html'>The full text of this story can be viewed &lt;a href="http://blog.wired.com/27bstroke6/2009/04/data-centers-ra.html"&gt;HERE&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have to say as a member of Infragard, a 15 year veteran of the hosting and colocation business from tech support to Security, and as an employee of a colocation company, that this is an appalling story.&lt;br /&gt;&lt;br /&gt;I will call it now - this case will go to the Supreme Court so that there is a clear delineation between a business and its customers and a clear message 
sent to federal agencies about what is and is not ok. Just because the servers in a facility were all interconnected does not mean they were all illegally operating. Interstate Highway 10 connects Florida to Texas but does that mean that Law Enforcement has jurisdiction to impound every car on the road because someone in Little Rock who used to live in Texas said that there was a light blue speeding vehicle on I-10?&lt;br /&gt;&lt;br /&gt;I liken this story to an arms dealer working out of a hotel, and the FBI seizing the entire property and everything on it - from the extra towels, to the law-abiding guests' personal property, to the rental car companies' vehicles, because someone who got kicked out of the hotel for destroying property said there was an arms dealer in room 201. Like they would know.&lt;br /&gt;&lt;br /&gt;Thank God they got the kids' iPods and video game consoles though. I wouldn't want those playlists falling into the wrong hands or toddlers playing Grand Theft Auto. That would be a travesty.&lt;br /&gt;&lt;br /&gt;Here is a quick snippet:&lt;br /&gt;&lt;br /&gt;The FBI on Tuesday defended its raids on at least two data centers in Texas, in which agents carted out equipment and disrupted service to hundreds of businesses.&lt;br /&gt;&lt;br /&gt;The raids were part of an investigation prompted by complaints from AT&amp;amp;T and Verizon about unpaid bills allegedly owed by some data center customers, according to court records. One data center owner charges that the telecoms are using the FBI to collect debts that should be resolved in civil court. But on Tuesday, an FBI spokesman disputed that charge. "We wouldn’t be looking at it if it was a civil matter," says Mark White, spokesman for the FBI's Dallas office. 
"And a judge wouldn’t sign a federal search warrant if there wasn’t probable cause to believe that a fraud took place and that the equipment we asked to seize had evidence pertaining to the criminal violation."&lt;br /&gt;&lt;br /&gt;According to the owner of one co-location facility, Crydon Technology, which was raided on March 12, FBI agents seized about 220 servers belonging to him and his customers, as well as routers, switches, cabinets for storing servers and even power strips.&lt;br /&gt;&lt;br /&gt;Authorities also raided his home, where they seized eight iPods, some belonging to his three children, five XBoxes, a PlayStation3 system and a Wii gaming console, among other equipment. Agents also seized about $200,000 from the owner's business accounts, $1,000 from his teenage daughter's account and more than $10,000 in a personal bank account belonging to the elderly mother of his former comptroller.&lt;br /&gt;&lt;br /&gt;Mike Faulkner, owner of Crydon, says the seizure has resulted in him losing millions of dollars in revenue. It's also put many of his customers out of business or at risk of closure.&lt;br /&gt;&lt;br /&gt;The raids are the result of complaints filed by AT&amp;amp;T and Verizon about small VoIP service providers whom the telecoms say owe them money for connectivity services. But instead of focusing the raid on those companies, Faulkner and others say the FBI vacuumed up equipment and data belonging to hundreds of unrelated businesses.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/202268543929947444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=202268543929947444&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/202268543929947444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/202268543929947444'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/04/scary-stuff.html' title='Scary Stuff...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8766186446292171882</id><published>2009-04-02T08:42:00.002-04:00</published><updated>2009-04-02T08:47:24.344-04:00</updated><title type='text'>What ever happened to Sky Marshalls?</title><content type='html'>I was in JFK yesterday and I was the number 2 person on the plane and it made me think back to when Sky Marshalls were #1 or #2. I haven't seen one in a while.&lt;br /&gt;&lt;br /&gt;Before someone writes the comment 'That's the point', they were not too hard to spot - short cut hair, intimidating, trying to look like a regular passenger, always first or second on the plane, and they never sat in exit rows or 1st class.&lt;br /&gt;&lt;br /&gt;Do I see a VH1 'Where are they now' segment?&lt;br /&gt;&lt;br /&gt;Or a Government version of 'Where are they now?' on C-SPAN? 
There's an idea to liven up C-SPAN - a reality show besides watching politicians filibuster, or watching Pelosi whine about needing a bigger plane.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8766186446292171882/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8766186446292171882&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8766186446292171882'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8766186446292171882'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/04/what-ever-happened-to-sky-marshalls.html' title='What ever happened to Sky Marshalls?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3109888061928482964</id><published>2009-02-19T12:53:00.002-05:00</published><updated>2009-02-19T13:06:20.379-05:00</updated><title type='text'>Facebook or Facebalk?</title><content type='html'>I have not had the time to comment on the absurdity of the Facebook 'We own your ass even if it's not yours and will do what we want with it when we see fit' privacy policy. 
I was also a bit disappointed that by the time I was able to comment the overwhelming voice of the users won out and relieved Facebook came to their senses.&lt;br /&gt;&lt;br /&gt;Having been a member of the &lt;a href="http://www.privacyassociation.org"&gt;IAPP (International Association of Privacy Professionals)&lt;/a&gt; and seeing the balancing act that companies go through to write a solid one, I can't help but wonder if Facebook will get a free membership out of this so that they can figure it out. &lt;br /&gt;&lt;br /&gt;It was also interesting that no one freaked out when AOL and Yahoo changed their privacy policies - although their changes had a lot less potential harm embedded - and I have to wonder why Facebook and not AOL or Yahoo?&lt;br /&gt;&lt;br /&gt;Better designed offering?&lt;br /&gt;More Users?&lt;br /&gt;Different demographics?&lt;br /&gt;The ability to instantly share your views with friends of friend's friends&lt;br /&gt;The absurdity of it?&lt;br /&gt;&lt;br /&gt;I hope my old friends at the &lt;a href="http://cyber.law.harvard.edu/"&gt;Berkman Center at Harvard Law School &lt;/a&gt;keep on teaching law students about this kind of stuff so that students of theirs never write drivel like that policy again.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3109888061928482964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3109888061928482964&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3109888061928482964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3109888061928482964'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/02/facebook-or-facebalk.html' title='Facebook or Facebalk?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2521732538664972789</id><published>2009-02-03T10:27:00.000-05:00</published><updated>2009-02-03T10:28:33.643-05:00</updated><title type='text'>Well Coordinated ATM hack nets $9M</title><content type='html'>My &lt;a href="http://www.foxnews.com/story/0,2933,487184,00.html"&gt;Source&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from bank customers — and they could strike again, according to an investigation by FOX 5 TV in New York.&lt;br /&gt;&lt;br /&gt;Customers' personal information might also have been compromised in what federal agents are calling one of the most well-coordinated such schemes they've seen, MyFOXNY.com reported.&lt;br /&gt;&lt;br /&gt;The 
FBI uncovered the plot and is investigating. The hackers are still at large and could orchestrate another attack.&lt;br /&gt;&lt;br /&gt;In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8.&lt;br /&gt;&lt;br /&gt;Part of the heist was caught on security camera images obtained by the TV station. The photos show people known as "cashers" — low-level participants in the plot who used bogus ATM cards with stolen information — at the machines.&lt;br /&gt;&lt;br /&gt;The scheme works as follows: Plotters hacked into a computer system for a company called RBS WorldPay, which allows employers to transfer workers' pay directly to a payroll card. The scam artists were then able to infiltrate the system and steal personal data needed to make duplicate ATM cards.&lt;br /&gt;&lt;br /&gt;"We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told FOX 5. "We've never seen one this well coordinated."&lt;br /&gt;&lt;br /&gt;The FBI has no suspects and has made no arrests thus far.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2521732538664972789?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2521732538664972789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2521732538664972789&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2521732538664972789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2521732538664972789'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/02/well-coordinated-atm-hack-nets-9m.html' title='Well Coordinated ATM hack nets $9M'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2433413958167313008</id><published>2009-02-02T12:25:00.001-05:00</published><updated>2009-02-02T12:26:43.038-05:00</updated><title type='text'>Peanut Butter Recall Products List</title><content type='html'>This is my first PSA of the year&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.foxnews.com/projects/pdf/PeanutButterProducts2009.pdf"&gt;recalled peanut butter products list &lt;/a&gt;as of 2/2&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2433413958167313008?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2433413958167313008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2433413958167313008&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2433413958167313008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2433413958167313008'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/02/peanut-butter-recall-products-list.html' title='Peanut Butter Recall Products List'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2048928048116642253</id><published>2009-01-30T08:41:00.002-05:00</published><updated>2009-01-30T09:00:56.072-05:00</updated><title type='text'>Got love the logic bomb...</title><content type='html'>http://www.datacenterknowledge.com/archives/2009/01/30/disaster-averted-at-fannie-mae-data-center/&lt;br /&gt;&lt;br /&gt;I caught this as I was catching up on some Tweets. 
Here is the &lt;a href="http://i.zdnet.com/blogs/fmncomplaint.pdf"&gt;link to the affidavit&lt;/a&gt; from the investigation.&lt;br /&gt;&lt;br /&gt;A snippet from the article:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company’s monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes. “This would also destroy the backup software of the servers making the restoration of data more difficult because new operating systems would have to be installed on all servers before any restoration could begin,” wrote (FBI agent Jessica) Nye. As a final measure, the logic bomb would have powered off the servers.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Surprising to me was that there was anyone left at Fannie Mae except disgruntled employees. Well at least employees not shacking up with Barney Frank.&lt;br /&gt;&lt;br /&gt;What I am least surprised about is that it was an insider. Proactive monitoring, and more importantly well thought out access control policy and enforcement, make or break you. David Rowe and Matt Flynn at &lt;a href="http://www.netvision.com"&gt;Netvision&lt;/a&gt; should be banging the drum loudly on this one.&lt;br /&gt;&lt;br /&gt;Has anyone out there in the Identisphere deployed a solution whereby the access control is system centric the more critical the system is? I still see a lot of user centric stuff, but since humans are humans and you never know when someone will get disgruntled - should there be more attention paid to systems centric solutions the more valuable the asset?&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2048928048116642253?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2048928048116642253/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2048928048116642253&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2048928048116642253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2048928048116642253'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2009/01/got-love-logic-bomb.html' title='Got love the logic bomb...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-9180539918775866047</id><published>2008-12-30T10:12:00.002-05:00</published><updated>2008-12-30T10:47:37.102-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='bailout money'/><category scheme='http://www.blogger.com/atom/ns#' term='financial fraud'/><title type='text'>Where is MY money?</title><content type='html'>I have been catching up on a few news items - and I needed a break from my expense reports. 
&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.freep.com/article/20081230/OPINION01/812300351"&gt;news item &lt;/a&gt;that just floored me was the one about US Banks not telling &lt;a href="http://www.cnn.com/2008/US/12/22/bailout.accountability/index.html"&gt;where the public bailout funds are going&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Wait a minute - WTF???? I just spent an hour tediously combing through receipts to justify where my money was spent on behalf of my employer and the banking bozos don't need to do that with my money?&lt;br /&gt;&lt;br /&gt;Hmmm. For a sector that is so concerned with &lt;a href="http://www.gao.gov/"&gt;transparency, auditability, justification, and bean counting &lt;/a&gt;- it doesn't mean sh*t. These execs just used my money and they won't tell me what for, nor will the Government that lent it to them and is charged with protecting my interests.&lt;br /&gt;&lt;br /&gt;I am thinking that this country is now pedal to the metal on self-destruction. &lt;br /&gt;&lt;br /&gt;The government takes my money. Then lends it to institutions that claim to not have any, and then expects nothing in return. I don't get it.&lt;br /&gt;&lt;br /&gt;Could you imagine if we &lt;a href="http://www.irs.gov/compliance/index.html"&gt;stopped paying taxes&lt;/a&gt;? Put on our W-4 that we have 35 dependents, and refused (or chose not) to justify them? Told the government that I choose not to pay taxes since they cannot tell me where the money is going nor prove that they are acting in my best interests? Hah. Good one.&lt;br /&gt;&lt;br /&gt;The US Government just gave Billions of money to their Junkie sibling. Textbook enabling behavior in a breathtaking systemic fashion. And the spin merchants tell us that the world economy will collapse. &lt;br /&gt;&lt;br /&gt;No it won't - it will have one hell of a correction, but it won't collapse. 
People will freak out, get the fear out of their systems and then get back to work building stuff, trading stuff, figuring it all out. &lt;br /&gt;&lt;br /&gt;Where is &lt;a href="http://www.house.gov/frank/"&gt;Barney Frank &lt;/a&gt;- the chief architect in this fine mess? Nice oversight. Barney Rubble would do a better job. Can we impeach this knucklehead?&lt;br /&gt;&lt;br /&gt;It would seem that those of us who are in this segment of IT - Identity/Security/Audit have more work to do. Systemic work. Trust but verify work. The kind of work that we are capable of - providing proof that what the US Government did was idiotic, and what the financial institutions are doing is criminal.&lt;br /&gt;&lt;br /&gt;And don't think that some of us can't prove it. &lt;br /&gt;&lt;br /&gt;I think there is an unprecedented opportunity out there for the identity thieves and hackers, the black hats with an ax to grind - embarrassment at unprecedented levels within the global financial institutions and government(s). If money has little value, the currency of information just shot up like a &lt;a href="http://www.youtube.com/watch?v=hKoB0MHVBvM"&gt;2 liter of Diet Coke with a fistful of Mentos in it&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Being able to prove what these companies themselves are 'choosing' not to - That they have taken what is ours (money) and they will have to account for it - or it will be done for them by the very people they took it from.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-9180539918775866047?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/9180539918775866047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=9180539918775866047&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/9180539918775866047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/9180539918775866047'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/12/where-is-my-money.html' title='Where is MY money?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-5440809509141506818</id><published>2008-12-11T09:01:00.000-05:00</published><updated>2008-12-11T09:02:44.483-05:00</updated><title type='text'>A Billion - Defined</title><content type='html'>This has little if anything to do with identity, however this email really blew my mind and I felt compelled to post it. Enjoy...&lt;br /&gt;&lt;br /&gt;How many zeros in a billion? This is too true to be funny.&lt;br /&gt;&lt;br /&gt;The next time you hear a politician use the word 'billion' in a casual manner, think about whether you want the 'politicians' spending YOUR tax money.&lt;br /&gt;&lt;br /&gt;A billion is a difficult number to comprehend, but one advertising agency did a good job of putting that figure into some perspective.&lt;br /&gt;&lt;br /&gt;A. 
A billion seconds ago it was 1959.&lt;br /&gt;&lt;br /&gt;B. A billion minutes ago Jesus was alive.&lt;br /&gt;&lt;br /&gt;C. A billion hours ago our ancestors were living in the Stone Age.&lt;br /&gt;&lt;br /&gt;D. A billion days ago no-one walked on the earth.&lt;br /&gt;&lt;br /&gt;E. A billion dollars ago was only 8 hours and 20 minutes, at the rate our government is spending it. &lt;br /&gt;&lt;br /&gt;While this thought is still fresh in our brain, let's take a look at New Orleans ...&lt;br /&gt;It's amazing what you can learn with some simple division.&lt;br /&gt;&lt;br /&gt;Louisiana Senator, Mary Landrieu (D) is asking Congress for&lt;br /&gt;250 BILLION DOLLARS to rebuild New Orleans. Interesting number... what does it mean? &lt;br /&gt;&lt;br /&gt;A.&lt;br /&gt;Well... if you are one of the 484,674 residents of New Orleans&lt;br /&gt;(every man, woman, and child)&lt;br /&gt;you each get $516,528.&lt;br /&gt;&lt;br /&gt;B.&lt;br /&gt;Or... if you have one of the 188,251 homes in&lt;br /&gt;New Orleans, your home gets $1,329,787.&lt;br /&gt;&lt;br /&gt;C.&lt;br /&gt;Or... if you are a family of four...&lt;br /&gt;your family gets $2,066,012.&lt;br /&gt;&lt;br /&gt;Washington, D.C. - HELLO! 
&lt;br /&gt;Are all your calculators broken??&lt;br /&gt;&lt;br /&gt;Accounts Receivable Tax&lt;br /&gt;Building Permit Tax&lt;br /&gt;CDL License Tax&lt;br /&gt;Cigarette Tax&lt;br /&gt;Corporate Income Tax&lt;br /&gt;Dog License Tax&lt;br /&gt;Federal Income Tax&lt;br /&gt;Federal Unemployment Tax (FUTA)&lt;br /&gt;Fishing License Tax&lt;br /&gt;Food License Tax&lt;br /&gt;Fuel Permit Tax&lt;br /&gt;Gasoline Tax&lt;br /&gt;Hunting License Tax&lt;br /&gt;Inheritance Tax&lt;br /&gt;Inventory Tax&lt;br /&gt;IRS Interest Charges (tax on top of tax)&lt;br /&gt;IRS Penalties (tax on top of tax)&lt;br /&gt;Liquor Tax&lt;br /&gt;Luxury Tax&lt;br /&gt;Marriage License Tax&lt;br /&gt;Medicare Tax&lt;br /&gt;Property Tax&lt;br /&gt;Real Estate Tax&lt;br /&gt;Service charge taxes&lt;br /&gt;Social Security Tax&lt;br /&gt;Road Usage Tax (Truckers)&lt;br /&gt;Sales Taxes&lt;br /&gt;Recreational Vehicle Tax&lt;br /&gt;School Tax&lt;br /&gt;State Income Tax&lt;br /&gt;State Unemployment Tax (SUTA)&lt;br /&gt;Telephone Federal Excise Tax&lt;br /&gt;Telephone Federal Universal &lt;br /&gt;Service Fee Tax&lt;br /&gt;Telephone Federal, State and Local Surcharge Tax&lt;br /&gt;Telephone Minimum Usage Surcharge Tax&lt;br /&gt;Telephone Recurring and Non-recurring Charges Tax&lt;br /&gt;Telephone State and Local Tax&lt;br /&gt;Telephone Usage Charge Tax&lt;br /&gt;Utility Tax&lt;br /&gt;Vehicle License Registration Tax&lt;br /&gt;Vehicle Sales Tax&lt;br /&gt;Watercraft Registration Tax&lt;br /&gt;Well Permit Tax&lt;br /&gt;Workers Compensation Tax&lt;br /&gt;&lt;br /&gt;STILL THINK THIS IS FUNNY?&lt;br /&gt;&lt;br /&gt;Not one of these taxes existed 100 years ago...&lt;br /&gt;and our nation was the most prosperous in the world.&lt;br /&gt;&lt;br /&gt;We had absolutely no national debt....&lt;br /&gt;We had the largest middle class in the world...&lt;br /&gt;and Mom stayed home to raise the kids.&lt;br /&gt;&lt;br /&gt;What happened?&lt;br /&gt;Can you spell 'politicians!' 
&lt;br /&gt;And I still have to&lt;br /&gt;press '1'&lt;br /&gt;for English.&lt;br /&gt;&lt;br /&gt;What happened?????&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/5440809509141506818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=5440809509141506818&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5440809509141506818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5440809509141506818'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/12/billion-defined.html' title='A Billion - Defined'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4756718447103826306</id><published>2008-12-05T09:32:00.002-05:00</published><updated>2008-12-05T09:41:35.735-05:00</updated><title type='text'>Did they find the Holy Grail?</title><content type='html'>A friend of mine had contacted me a few days ago and given me a heads up on what NetVision was up to. As a follower of the blog, he knew that I had been banging the drum about Audit as a Service, and SaaS-ing the identity space.&lt;br /&gt;&lt;br /&gt;What NetVision seems to have done is to automate, using best practices, the cost of an audit and/or auditing at least on the inside of your company your identity based controls. Imagine, a way to have data collected, in a standardized way, without it going through layers of interpretation. 
Sounds like the dog is back wagging the tail.&lt;br /&gt;&lt;br /&gt;Netvision says it's delivered on an appliance. I wonder if a Virtual Appliance is too far behind, as that would give us a very portable, standardized, low maintenance option to further mitigate audit costs, and proactively address significant risks.&lt;br /&gt;&lt;br /&gt;If anyone tries it let me know. I will post feedback and change names to protect the innocent.&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://www.netvision.com"&gt;Netvision's&lt;/a&gt; site:&lt;br /&gt;&lt;br /&gt;SIMON is built on a platform that has been refined over the past decade merging proven technology with unparalleled expertise. It combines the ability to filter for relevant results with real-time monitoring, from-the-source data collection, and a powerful reporting engine. SIMON extracts and aggregates information from core network directories and file systems by monitoring user accounts, access rights, administrative changes, and user activity. The result is a flexible, hassle-free platform that delivers the exact answers you want. &lt;br /&gt;&lt;br /&gt;"What we've done" explains NetVision CEO, David Rowe, &lt;strong&gt;"is remove the obstacles and pre-requisites to establishing an effective best-practice audit." &lt;/strong&gt;The SIMON service includes all required hardware, software, installation, configuration, and maintenance. In addition, SIMON delivers years of knowledge and best-practices in the form of pre-configured templates, policies, and reports. &lt;br /&gt;&lt;br /&gt;With SIMON, NetVision continues to provide value around core network operating system directories and related file systems from Microsoft™ and Novell™. NetVision's Matt Flynn adds "These platforms are the launch pad into the network. They provide initial authentication, file and print services, and are often used to grant access to applications across the network such as web portals, VPNs, and identity &amp; access management systems." 
&lt;br /&gt;&lt;br /&gt;"Our goal", according to Flynn, "was to create a solution that behaves like a member of the team. If some high risk activity takes place, SIMON will be watching and will let you know." SIMON's ability to translate technical jargon into non-technical reporting creates actionable intelligence for personnel across the organization. NetVision customer Steven Piubeni, Assistant VP, Information Systems at United Bank, confirms that at his bank, "NetVision actually eliminated the need to hire another employee."&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4756718447103826306?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4756718447103826306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4756718447103826306&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4756718447103826306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4756718447103826306'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/12/did-they-find-holy-grail.html' title='Did they find the Holy Grail?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-7114371540100272640</id><published>2008-11-17T13:42:00.002-05:00</published><updated>2008-11-17T13:53:32.418-05:00</updated><title type='text'>Identity in the Cloud - the next new thing?</title><content type='html'>I have been spending more time out talking with customers and prospects lately about all sorts of stuff. It seems as the economy slows down and belts tighten, the smart companies talk about what's next that they need to understand, and probably deal with. One of the hot topics I've noticed is the push to enter the cloud computing fray. 
Once that decision is made, it's like the early internet all over again - how do we implement secure controls for our users, admins, etc.?&lt;br /&gt;&lt;br /&gt;In other words, if we push ahead into the Cloud, how do we maintain the same level of security we have taken ___ years to get to now?&lt;br /&gt;&lt;br /&gt;The issue with Web 2.0 apps, cloud computing, etc. is that layers and functionality get extracted from one another so that they may run, interconnect, and be used independently. Awesome idea. I get it.&lt;br /&gt;&lt;br /&gt;The issue is that as all these separate components become virtualized or cloudy, how do I maintain a secure environment? Federation is great, but what if there are a multitude of Federation solutions that need to be cobbled together? Where does that happen? Can it?&lt;br /&gt;&lt;br /&gt;If I log into my Gmail account, and then buy something on eBay, use PayPal to pay for it, and want to store it on iTunes or Amazon (or both), how is my identity protected? How do they know it's me, and how am I sure that it's truly me and not (in my case) the actor from UK with the same last name?&lt;br /&gt;&lt;br /&gt;I know that we'll figure it out, it's just the next iteration of Identity as I see it. A new paradigm in computing driving a new paradigm in user management, authentication, and trust.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/7114371540100272640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=7114371540100272640&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7114371540100272640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7114371540100272640'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/11/identity-in-cloud-next-new-thing.html' title='Identity in the Cloud - the next new thing?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6442053793005058761</id><published>2008-09-23T19:39:00.004-04:00</published><updated>2008-09-23T19:50:19.364-04:00</updated><title type='text'>Constant Vigilance</title><content type='html'>I was at the NY Metro meeting of Infragard, an organization I have been a member of in Boston and NYC for a few years. The speakers are excellent, the vendors who present stay on topic not on their brand, and it is a great place to network, and for me personally a great place to reaffirm that we live in the best country in the world and it deserves to be protected.&lt;br /&gt;&lt;br /&gt;The focus of today's presentations could be summed up in the title of this post. 
We heard about the attacks in Georgia and did not know that there was a cyber attack that came from Russia at the same time mortars were being shot - a proverbial double whammy. The most interesting thing to me was that the folks who coordinated the cyber attack didn't have to recruit a bot army or drones. Russian people gladly volunteered their computing horsepower to fuel the cyber attack.&lt;br /&gt;&lt;br /&gt;Another key point was made on how the perimeter is secure and porous and without easily defined and consumed policies - the threat vectors increase, not decrease. With the proliferation of social networking sites that distribute malware that is virtually undetectable by a lay person, the threat vectors have also been on the rise. Cyber crime has also become more profitable than drug trafficking.&lt;br /&gt;&lt;br /&gt;Today's presentations reaffirmed my long held belief that the bad guys are far better at sharing information than the good guys and that needs to change. I am happy to play a minuscule role in getting the word out and to remind us all to maintain constant vigilance out there.&lt;br /&gt;&lt;br /&gt;Live from New York...&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6442053793005058761?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6442053793005058761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6442053793005058761&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6442053793005058761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6442053793005058761'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/constant-vigilence.html' title='Constant Vigilence'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3307994335403431290</id><published>2008-09-19T08:24:00.002-04:00</published><updated>2008-09-19T08:33:39.660-04:00</updated><title type='text'>The Palin Hack Details</title><content type='html'>I was glad to see &lt;a href="http://news.bbc.co.uk/2/hi/technology/7624809.stm"&gt;the BBC &lt;/a&gt;this morning had some coverage that those of us in the industry can sink our teeth into...&lt;br /&gt;&lt;br /&gt;So my synopsis is that they used the password reset function to change the password at Yahoo. 
They gathered info from wikis and, I'm sure, &lt;a href="http://www.google.com"&gt;Googled &lt;/a&gt;a bunch of stuff to piece together enough of the info that Yahoo would or could ask for to perform a reset.&lt;br /&gt;&lt;br /&gt;Then they used the &lt;a href="http://www.ctunnel.com/"&gt;CTunnel proxy service &lt;/a&gt;to obscure where they came in from, thinking they had covered their tracks. Then, in a breathtaking 'dumb criminals' move, they posted screenshots with the URL from the origination point displayed clearly (PrtScn brings down Palin hackers). I wonder if these guys had ever done a B&amp;E at a liquor store and left their &lt;a href="http://www.mapquest.com"&gt;Mapquest&lt;/a&gt; directions on the counter to let the cops know their start and end points. &lt;br /&gt;&lt;br /&gt;The article snippet:&lt;br /&gt;&lt;br /&gt;The attackers broke into Mrs Palin's gov.palin@yahoo.com e-mail account. This account and another, gov.sarah@yahoo.com, owned by Mrs Palin have now been deleted. &lt;br /&gt;&lt;br /&gt;The FBI and the US Secret Service have now begun a formal investigation into the attack and who may have been behind it. &lt;br /&gt;&lt;br /&gt;The hackers used the CTunnel proxy service which routes web browsing through an intermediary to obscure where the attackers were based. &lt;br /&gt;&lt;br /&gt;However, the screenshots for the attack reveal the original web address used by the proxy which may help investigators track down the miscreants. &lt;br /&gt;&lt;br /&gt;It has been reported that records from the CTunnel proxy service are being sought by the FBI. &lt;br /&gt;&lt;br /&gt;The attack on the e-mail account comes as questions are being asked about whether Mrs Palin used her personal e-mail accounts to carry out state business. &lt;br /&gt;&lt;br /&gt;US law states that all e-mails relating to the official business of government must be archived and not destroyed. However, it does allow for personal e-mails to be deleted. 
&lt;br /&gt;&lt;br /&gt;Mrs Palin is being investigated in Alaska for alleged abuse of power while governor of the state.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3307994335403431290?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3307994335403431290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3307994335403431290&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3307994335403431290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3307994335403431290'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/palin-hack-details.html' title='The Palin Hack Details'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6998904230673178156</id><published>2008-09-17T21:00:00.004-04:00</published><updated>2008-09-18T12:46:53.966-04:00</updated><title type='text'>It's a Countrywide Issue...</title><content type='html'>I was catching up on some reading and happened across the latest breach story that happened at Countrywide. I read the story at the &lt;a href="http://www.boston.com/business/articles/2008/09/18/countrywide_data_breachs_reach_expands_exponentially/"&gt;Boston Globe&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It wasn't an outsider but an insider who harvested the data and sold it. Why, in this day and age, do companies still think it's cheaper to have a breach than to prevent one?
I will have to ping Larry at the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;to see what the cost per record is up to. I'm sure David Rowe over at &lt;a href="http://www.netvision.com"&gt;Netvision&lt;/a&gt; is shaking his head as well. We have had several cups of coffee talking about the Insider threat for a couple of years.&lt;br /&gt;&lt;br /&gt;The story...&lt;br /&gt;&lt;br /&gt;More than 45,000 Massachusetts consumers may have had personal information stolen in the security breach at Countrywide Financial Corp., according to the company.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt;Countrywide alleged that a former employee sold personal information of 2.2 million customers, including Social Security numbers and mortgage loan numbers, to a third party. Two arrests have been made.&lt;br /&gt;&lt;br /&gt;The number of affected consumers in Massachusetts is far greater than initially thought. On Aug. 1, in a letter to Daniel Crane, director of the state Office of Consumer Affairs and Business Regulation, Countrywide said it mailed notification letters to "three affected Massachusetts consumers."&lt;br /&gt;&lt;br /&gt;On Sept. 10, the California mortgage lender sent a second letter, saying that "as a result of the ongoing investigation," Countrywide had identified 45,283 at-risk consumers in Massachusetts. State law requires agencies that store consumers' personal information to issue notifications of security breaches "as soon as practicable and without unreasonable delay."&lt;br /&gt;&lt;br /&gt;According to FBI reports, Countrywide fired the accused employee, Rene Rebollo Jr., in July. Rebollo allegedly confessed to downloading 20,000 data files per week for two years, and said he earned as much as $70,000 from the sale of the data. Wahid Siddiqi is being charged for allegedly purchasing the information.&lt;br /&gt;&lt;br /&gt;Both men were arrested in August, a month before the breach was made public. 
Both pleaded not guilty.&lt;br /&gt;&lt;br /&gt;In its letters to state officials, Countrywide said on June 11 the US Attorney's Office requested it delay notifying consumers. "It's an ongoing investigation with the FBI and we are being very, very careful as not to jeopardize it," Countrywide spokeswoman Susan Martin said.&lt;br /&gt;&lt;br /&gt;Massachusetts Attorney General Martha Coakley declined to say whether the state was conducting its own investigation. "This is different than any other breaches in that there was no negligence on the part of the company," Coakley said yesterday. "This was intentional, and the information was sold to outside parties."&lt;br /&gt;&lt;br /&gt;Countrywide is offering two years of credit monitoring to affected customers. But Wendy Thomas of Peabody questions if Countrywide notified at-risk customers in a timely fashion. Her husband learned last week his personal data could have been stolen and sold. "I felt like we were left out here in the wind."&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6998904230673178156?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6998904230673178156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6998904230673178156&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6998904230673178156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6998904230673178156'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/its-countrywide-issue.html' title='It&apos;s a Countrywide Issue...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2810915797905476407</id><published>2008-09-17T21:00:00.003-04:00</published><updated>2008-09-17T21:16:42.934-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked email'/><category scheme='http://www.blogger.com/atom/ns#' term='Yahoo'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Palin'/><title type='text'>Palin's accounts hacked</title><content type='html'>I was watching the news and saw a report about Palin's Yahoo account being hacked and her personal information (photos, cell phone numbers of family - minors no less) posted, and emails accessed.&lt;br /&gt;&lt;br /&gt;The &lt;a 
href="http://voices.washingtonpost.com/the-trail/2008/09/17/palins_yahoo_account_hacked.html"&gt;story that I read first &lt;/a&gt;was geared towards activist Andrée McLeod and his lawyer Donald C. Mitchell up in arms about the Governor running state business out of an unsecure and unencrypted email account:&lt;br /&gt;&lt;br /&gt;&lt;snip&gt;&lt;br /&gt;Palin has come under fire in recent days for her use of personal e-mail accounts to conduct state business. An Alaska activist has filed a Freedom of Information Act request seeking disclosure of e-mails from another Yahoo! account that Palin used, gov.sarah@yahoo.com.&lt;br /&gt;&lt;br /&gt;That account appears to have been linked to the one that was hacked.&lt;br /&gt;&lt;br /&gt;Both accounts appear to have been deactivated. E-mails sent to them Wednesday afternoon were returned as undeliverable.&lt;br /&gt;&lt;br /&gt;Andrée McLeod, the activist who filed the FOIA request, said Wednesday evening that Palin should have known better than to conduct state business using an unsecured e-mail account.&lt;br /&gt;"If this woman is so careless as to conduct state business on a private e-mail account that has been hacked into, what in the world is she going to do when she has access to information that is vital to our national security interests?" she asked.&lt;br /&gt;&lt;br /&gt;McLeod's Anchorage attorney, Donald C. Mitchell, said Palin refused to comply with a public records request in June to divulge 1,100 e-mails sent to and from her personal accounts, citing executive privilege.&lt;br /&gt;&lt;br /&gt;"There's a reason the governor should be using her own official e-mail channels, because of security and encryption," the attorney said. 
"She's running state business out of Yahoo?"&lt;br /&gt;&lt;br /&gt;&lt;/snip&gt;&lt;br /&gt;&lt;br /&gt;What is interesting is that his lawyer wasn't worried about the FBI, FCC, Alaska, and local officials digging so far into his and his client's pasts that they will no doubt uncover that what they did was illegal, broke a number of laws and that the Governor's family was messed with, including a minor.&lt;br /&gt;&lt;br /&gt;Since there was so much state business being conducted with her Yahoo account, why wasn't that posted up for perusal? This guy (and other militant Yahoos) would break into a bank and take a quarter, and justify their actions because he only took a quarter. It's the same as going to a peaceful rally with a Molotov cocktail - irony at its best.&lt;br /&gt;&lt;br /&gt;Thank you activists for once again proving we have no privacy, that Change means you don't get to get away with this kind of stuff, and time will tell if he lands a bunk in a federal country club prison or a 'pound me in the ass prison'.&lt;br /&gt;&lt;br /&gt;Anyone know if the State of Alaska or Yahoo has better security and/or encryption? Any vendor want to propose a bake off?&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2810915797905476407?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2810915797905476407/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2810915797905476407&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2810915797905476407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2810915797905476407'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/palins-accounts-hacked.html' title='Palin&apos;s accounts hacked'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3027041889710132339</id><published>2008-09-15T06:51:00.002-04:00</published><updated>2008-09-15T06:57:21.561-04:00</updated><title type='text'>This Country is in a World of Hurt</title><content type='html'>I was up at 3 am and the news coverage was still in full swing. All I could think of is that this country is in a world of hurt. Watching Lehman employees pack up their offices and carry a box out the front door was just awful. And the awfulness has yet to see an end.&lt;br /&gt;&lt;br /&gt;Couple that with the folks in Houston riding out Ike and now facing the aftermath - it was not a great morning to be watching the news so early.&lt;br /&gt;&lt;br /&gt;I am bewildered and angry that the financial markets melted down. 
Sarbanes-Oxley, regulations up the wazoo, and compliance with the law were pitched as a way to stop the meltdowns, and yet here we are. When did we all become Bud Fox? Or did we?&lt;br /&gt;&lt;br /&gt;Hang in there.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3027041889710132339?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3027041889710132339/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3027041889710132339&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3027041889710132339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3027041889710132339'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/this-country-is-in-world-of-hurt.html' title='This Country is in a World of Hurt'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-739319438020744795</id><published>2008-09-08T10:03:00.002-04:00</published><updated>2008-09-08T10:07:16.114-04:00</updated><title type='text'>Props to T-Mobile</title><content type='html'>I just had to write about the superb customer service I received from T-Mobile last week.&lt;br /&gt;&lt;br /&gt;I was having an issue getting my Blackberry email to work. I logged a ticket after a day without email (blessing and a curse). Two days later I called back to check status and had to escalate. I had a feeling it was a provisioning problem - it was - and they resolved it by the end of the business day Friday. 
Well done T-Mobile!&lt;br /&gt;&lt;br /&gt;I don't know what they use for provisioning but it was fast to solve the problem once correctly identified (took two minutes).&lt;br /&gt;&lt;br /&gt;mark&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-739319438020744795?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/739319438020744795/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=739319438020744795&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/739319438020744795'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/739319438020744795'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/09/props-to-t-mobile.html' title='Props to T-Mobile'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6872373865724032690</id><published>2008-07-31T18:12:00.002-04:00</published><updated>2008-07-31T18:16:23.474-04:00</updated><title type='text'>I am a Free Agent</title><content type='html'>To my friends and identitystuff community at large, I have parted ways with my now former employer, and will look for my next new gig as I enjoy what's left of summer. My email will stay the same - identitystuff@gmail.com and I hope to be able to write more often. Peace. Out.&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6872373865724032690?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6872373865724032690/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6872373865724032690&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6872373865724032690'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6872373865724032690'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/07/i-am-free-agent.html' title='I am a Free Agent'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-9091706128173802099</id><published>2008-07-17T20:22:00.002-04:00</published><updated>2008-07-17T20:25:03.731-04:00</updated><title type='text'>Gotta love this...</title><content type='html'>The simplicity and maliciousness of this one are pretty incredible... Those of you worried about the perimeter may need to spend more time looking inside...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NEWTON, Mass.--(BUSINESS WIRE)--Cyber-Ark, the privileged identity management specialists, says that the ongoing FiberWAN network lockout situation in San Francisco - where a network administrator has changed system passwords and is refusing to hand them over to administrators - could have been avoided if managers had operated a high-security approach to master passwords. 
&lt;br /&gt;&lt;br /&gt;“This is yet another example of the power privileged identities, such as administrative passwords have and the havoc they can cause in the wrong hands,” said Adam Bosnian, a vice president at Cyber-Ark. “Hackers, or rogue employees such as this case, are savvier on how to create the most damage with the least effort these days, and the use of admin passwords does just that. Unfortunately, the San Francisco department left themselves wide-open by not taking their privileged identity management seriously.” &lt;br /&gt;&lt;br /&gt;The San Francisco Chronicle reported Monday that Terry Childs, a discontent computer network administrator for the Department of Technology, tampered with the FiberWAN, which contains the San Francisco’s sensitive data, and created an administrative password that provided him access to the network. Childs refuses to give the elusive password to authorities, even after his arrest. &lt;br /&gt;&lt;br /&gt;The city is estimating that this issue will cost millions in repairs. Though the network is running, there is still no way for IT administrators to access it. &lt;br /&gt;&lt;br /&gt;“It is critical to take a more proactive approach to secure company back doors,” Bosnian adds, “Companies install complex systems for personal passwords and overlook the more numerous privileged passwords and identities that provide even more system access. These security breakdowns will continue to occur until these keys to the kingdom are securely centralized and managed.” &lt;br /&gt;&lt;br /&gt;The San Francisco crisis follows numerous scandals within the last year such as the TJX disaster where millions of users’ data was compromised due to a breach involving administrative passwords.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-9091706128173802099?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/9091706128173802099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=9091706128173802099&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/9091706128173802099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/9091706128173802099'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/07/gotta-love-this.html' title='Gotta love this...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-65549255525794745</id><published>2008-07-02T08:47:00.002-04:00</published><updated>2008-07-02T08:59:52.302-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>IDaas is Garnering more discussion...</title><content type='html'>My buddy &lt;a href="http://360tek.blogspot.com/2008/06/saas-ish-identity-management.html"&gt;Matt Flynn &lt;/a&gt;and &lt;a href="http://idm-thoughtplace.blogspot.com/2008/06/why-not-saas.html"&gt;Matt Pollicove &lt;/a&gt;were exploring the topic of IdM as a Service which we had been discussing back in &lt;a href="http://identitystuff.blogspot.com/2008/02/caas-compliance-as-service.html"&gt;this post &lt;/a&gt;a while 
back...&lt;br /&gt;&lt;br /&gt;While at Burton Group's Catalyst this year I had the chance to speak to some folks about this topic and the mindshare was very clear - automate everything you possibly can and use IdM to do it.&lt;br /&gt;&lt;br /&gt;IdM products have matured to the point where they can log and gather thousands of events that feed reports that drive compliance (or non-compliance). The gotchas as I see them are these:&lt;br /&gt;&lt;br /&gt;IdM is positioned horizontally and cuts across audit, security, and business process (operations), so it can become a political hot potato quickly.&lt;br /&gt;&lt;br /&gt;Organizations capture a ton of data today; separating the wheat from the chaff is what makes the data useful, and this is a subjective art project that masquerades as science a lot of the time. I'd be curious to see if data mining would and/or could do the same as IdM in reverse - look at raw data of what happened to build a better workflow based on actual events vs. what we think happened.&lt;br /&gt;&lt;br /&gt;Bottom line is the bottom line. Automation helps us get smarter, behave more efficiently and lower costs while improving the service to the business cash registers. &lt;br /&gt;&lt;br /&gt;Right?&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-65549255525794745?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/65549255525794745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=65549255525794745&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/65549255525794745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/65549255525794745'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/07/idaas-is-garnering-more-discussion.html' title='IDaas is Garnering more discussion...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6553166313959264906</id><published>2008-06-13T20:36:00.003-04:00</published><updated>2008-06-13T20:53:50.256-04:00</updated><title type='text'>The Yankees suck in a whole new way...</title><content type='html'>I had to share the following experience from my travels this week, because it goes to show that while we think we are secure we're not, and a good impersonation can get you places and a horrible one will get you close enough to touch Derek Jeter, A-Rod, Posada, and Mo Rivera. &lt;br /&gt;&lt;br /&gt;I was at a partner event in NYC Monday that was taking place at Yankees Stadium where it was 100+ degrees on the field that day. I got to the stadium early and was told my ticket would be next to the press area so I went to find it. 
I hiked around for a bit until I came to a barricaded area and stopped to see where I was and why it was barricaded. I couldn't figure it out, but I did see the big PRESS awning in back and so I walked around the barricade past two cops and over towards the press area. &lt;br /&gt;&lt;br /&gt;I asked how I get my ticket, is there a list, etc. etc. and they said stay put so I hung out and watched the police mill around, the Yankees personnel get ready and the press people with legitimate credentials stroll by. &lt;br /&gt;&lt;br /&gt;After a bit I noticed a parking area where a nice car had just gone in and I watched as it parked and the driver got out - it was Posada. He walked right by me 10 feet away. It was starting to register that they had the area barricaded because this was where the players came in. Nobody said boo, nobody asked me anything and I was chatting up cops, EMTs, the works.&lt;br /&gt;&lt;br /&gt;Next player to walk by me - Rivera - who incidentally gave up the game-losing run that day - then Jeter, then A-Rod, then Abreu. All within 10-20 feet nodded their heads to a guy standing there with a shirt with a company logo on it, and a computer bag.&lt;br /&gt;&lt;br /&gt;My point to all of this - that the cops and presence of no less than 100 people there to keep idiots like me out did not. My identity was assumed to be the press because I was carrying my Vignette bag (which must have been the dead giveaway) and had a golf shirt on with a logo on it (second clue). 
If our IT assets were this loose we'd be in even worse shape.&lt;br /&gt;&lt;br /&gt;My second point is that the Yankees suck in a whole new way for me - their identity management and controls...&lt;br /&gt;&lt;br /&gt;For those of you going to Catalyst, look for the guy in the kilt and the Red Sox hat and we can exchange barbs about the Yankees and my beloved Red Sox at the opening reception.&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6553166313959264906/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6553166313959264906&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6553166313959264906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6553166313959264906'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/06/yankees-suck-in-whole-new-way.html' title='The Yankees suck in a whole new way...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-7649520858338472467</id><published>2008-04-07T13:37:00.002-04:00</published><updated>2008-04-07T13:47:11.076-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='hannaford'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Ira Winkler says 'No' to Hannaford Inside Job</title><content type='html'>&lt;a href="http://www.rsaconference.com/security_topics/hackers_and_threats/blog_ira_winkler.aspx?blogId=14317"&gt;Ira Winkler has refuted my comments&lt;/a&gt; about Hannaford being an inside job:&lt;br /&gt;&lt;br /&gt;&lt;snip from his article&gt;&lt;br /&gt;I can tell you first hand that a breach of that scope is very 
“relatively” easy to commit when there is a motivated attacker with the time available. Again, I have broke into many of the top companies in the world, always having tremendous success in relatively short periods of time. &lt;br /&gt;&lt;/snip&gt;&lt;br /&gt;&lt;br /&gt;Ira, what have you seen in terms of those companies who have submitted their PCI audit reports? Are they easier to break in? Harder? I am curious if the PCI spec has helped or not. I have to believe that by its nature it has helped make systems more secure and harder to break into.&lt;br /&gt;&lt;br /&gt;&lt;snip from his article&gt;&lt;br /&gt;With regard to many servers being compromised, it sounds like the experts have not heard about automated attack tools. Nor have they considered that servers are generally installed identically throughout an organization, and that if you can compromise one of those systems, you can compromise many. Similarly given that there tends to be password reuse, if you compromise the password on one server, you have compromised many servers. Similarly, if there are trust relationships between the systems, the compromise of one system actually compromises many systems.&lt;br /&gt;&lt;/snip&gt;&lt;br /&gt;&lt;br /&gt;I have seen, played with, and heard of automated attack tools - it's what the script kiddies and lazy grey or black hats use to accelerate the desired results. You can buy a great set on eBay now, and of course IRC is the Devil's playground, but I digress...&lt;br /&gt;&lt;br /&gt;The PCI spec which Hannaford said it had met is designed to take care of the low hanging fruit of a breach. 
Passwords, the lack of consistent, measured, or documented processes, and poor encryption are all targets the PCI spec is designed to mitigate, to keep us lazy wannabe hackers out of systems.&lt;br /&gt;&lt;br /&gt;Take a look at &lt;a href="http://pcistuff.blogspot.com"&gt;my other blog for more info on PCI...&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-7649520858338472467?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/7649520858338472467/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=7649520858338472467&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7649520858338472467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7649520858338472467'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/04/ira-winkler-says-no-to-hannaford-inside.html' title='Ira Winkler says &apos;No&apos; to Hannaford Inside Job'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8481965548601551632</id><published>2008-04-02T10:06:00.003-04:00</published><updated>2008-04-02T10:08:03.422-04:00</updated><title type='text'>Hannaford CEO Ron Hodge - Class Act</title><content type='html'>I just caught wind of the latest from Hannaford, and I hope Ron Hodge starts a trend amongst CEO's - accepting responsibility and dealing with a breach head on.&lt;br /&gt;&lt;br /&gt;Nice work Mr. Hodge!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hannaford Bros. CEO offers apology online, in leaflets &lt;br /&gt;&lt;br /&gt;Hannaford Bros. supermarket shoppers are getting an apology in their shopping bags for a security breach that was disclosed two weeks ago. 
Chief executive Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help guard against any further attacks. He says the company is also considering, on a case-by-case basis, the out-of-pocket expenses faced by customers who had to cancel their cards. (AP)&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8481965548601551632?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8481965548601551632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8481965548601551632&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8481965548601551632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8481965548601551632'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/04/hannaford-ceo-ron-hodge-class-act.html' title='Hannaford CEO Ron Hodge - Class Act'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1874366845787058854</id><published>2008-03-28T09:29:00.002-04:00</published><updated>2008-03-28T09:45:59.042-04:00</updated><title type='text'>More on Hannaford...</title><content type='html'>So they uncovered some more data on the Breach at Hannaford this week and it was reported that software was installed on every server in their 300 stores, and that they weren't sure how the software was installed. &lt;br /&gt;&lt;br /&gt;Let me give you my top 3 guesses:&lt;br /&gt;&lt;br /&gt;1. An insider &lt;br /&gt;2. An Insider&lt;br /&gt;3. an insider&lt;br /&gt;&lt;br /&gt;It was also reported that the software was installed at the point of sale to capture the swipes and the information. 
It was also reported that Hannaford did not store the credit card data.&lt;br /&gt;&lt;br /&gt;If they had truly met the PCI standard then the entire chain would have been encrypted and the endpoints would be locked down, and this wouldn't have happened. If retailers do not work with their vendors that make up the processing chain then this kind of thing will continue to happen.&lt;br /&gt;&lt;br /&gt;I can point fingers at the PCI spec, at Hannaford, at the manufacturer of systems, but the bottom line is there is one person at Hannaford whose responsibility it is for this - the CEO. This is his puppy and if his puppy is running around crapping in the neighbors' yards, biting kids, etc., just because he didn't see it happen doesn't mean you don't put a leash on the dog. Common sense dictates that.&lt;br /&gt;&lt;br /&gt;Had their authentication and identity audit practices been regularly tested and reviewed, after the second install of software had taken place or after they realized that 1 person accessed 1,000 servers and 300 endpoints, that they were an admin based in Scarborough, and they had given themselves root access on New Year's Eve, well, hopefully you get the idea. This is common sense to most of us with or without lots of letters after our names a la CISSP, CISA, CISM, etc.&lt;br /&gt;&lt;br /&gt;When all is said and done, this will be the work of an insider. 
Who it was is less interesting than why they did it.&lt;br /&gt;&lt;br /&gt;Here is a reprint of the article in the &lt;a href="http://www.boston.com"&gt;Boston Globe&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.&lt;br /&gt;&lt;br /&gt;The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.&lt;br /&gt;&lt;br /&gt;Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1874366845787058854?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1874366845787058854/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1874366845787058854&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1874366845787058854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1874366845787058854'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/03/more-on-hannaford.html' title='More on Hannaford...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4351434161914221250</id><published>2008-03-24T10:54:00.003-04:00</published><updated>2008-03-24T11:01:55.494-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='hannaford'/><title type='text'>Hannaford Supermarkets - Welcome to the Club</title><content type='html'>So this one hits close to home for me since I frequent Hannaford Brothers 2-3 times per week. It also hits even further close to home because I have contacted their CIO, CFO, and several folks in their IT group offering help for the past two years. &lt;br /&gt;&lt;br /&gt;Why? 
&lt;br /&gt;&lt;br /&gt;It is in my best interest to protect my information with the companies I do business with and especially those companies in my backyard. I have done the same for Tiffany, LL Bean, and a dozen more online and brick and mortar retailers too. &lt;br /&gt;&lt;br /&gt;Why?&lt;br /&gt;&lt;br /&gt;Mathematically speaking, every US Citizen's identity has been compromised. &lt;br /&gt;&lt;br /&gt;So to the Management at Hannaford - &lt;br /&gt;&lt;br /&gt;(Mr. Ron Hodge) here is my list of people that I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:&lt;br /&gt;&lt;br /&gt;Bill Homa - CIO&lt;br /&gt;Jeff Reeder - CFO&lt;br /&gt;Kevin Carleton - Director of Retail Operations&lt;br /&gt;Tricia Gilbert - IS Auditor&lt;br /&gt;John McFarland - Enterprise Systems Team Lead&lt;br /&gt;&lt;br /&gt;Add to this list past folks who either had the sense to leave before the doo doo hit the fan, or to bail before they were called out by someone in the industry like me:&lt;br /&gt;&lt;br /&gt;Paul Fritzson - CFO&lt;br /&gt;David Fournier - IT Security Specialist&lt;br /&gt;&lt;br /&gt;If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from Lifelock to see if the 1800 cases of fraud reported thus far will soon include me.&lt;br /&gt;&lt;br /&gt;Oh, and an official welcome to the Level 1 PCI Club because of the breach. Hannaford was already there handling more than 6M transactions, (wonder when they filed) and now this breach ensures some new expenses every quarter that will be passed onto consumers and tourists in a few weeks...&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4351434161914221250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4351434161914221250&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4351434161914221250'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4351434161914221250'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/03/hannaford-supermarkets-welcome-to-club.html' title='Hannaford Supermarkets - Welcome to the Club'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1362456892770710962</id><published>2008-03-13T09:29:00.002-04:00</published><updated>2008-03-13T09:44:55.340-04:00</updated><title type='text'>Would the real Identity of Kristen (Spitzer's girl) Please Stand up</title><content type='html'>I was wondering how long it was going to take for people to figure out who Kristen was - you know - the woman who Elliot Spitzer was hooking up with.&lt;br /&gt;&lt;br /&gt;I can only imagine the frenzy the folks at TMZ must have had or the gossip hounds in NYC and DC doing everything they can to track this woman down. There were some things I couldn't help thinking about after the news broke -&lt;br /&gt;&lt;br /&gt;1. 
The fact that somewhat skilled, unlicensed people with internet access can find out the identity of 'Kristen' and a large portion of the US freaks out over wiretapping. I say pick your poison. Having tens of thousands of Paparazzi digging is probably twice what the NSA has at any given time. &lt;br /&gt;&lt;br /&gt;2. Maybe the Paparazzi need to be exploited for our national security gains - whatever that might mean.&lt;br /&gt;&lt;br /&gt;3. This is a hell of a way for a singer to jump start her career. I think American Idol just Jumped the Shark. Yes - you heard it here first. Now we need the William Hong of the Prostitute-Politician connection to emerge. 'She bang, She Bang!' I still love that guy.&lt;br /&gt;&lt;br /&gt;4. I wonder if Kristen has LifeLock or other Identity Theft prevention services on her accounts.&lt;br /&gt;&lt;br /&gt;5. What was Spitzer thinking? Granted his choice was 1000% better than Hugh Grant's but still... I would put Mrs. Spitzer in the MILF category.&lt;br /&gt;&lt;br /&gt;Here concludes my coverage of this incident. We're human, we screw up, and some of us do it in breathtaking ways. What do you think about a Giuliani/Mrs. Spitzer ticket? &lt;br /&gt;&lt;br /&gt;OK. I'll crawl back under my rock now... Get back to work!&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1362456892770710962?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1362456892770710962/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1362456892770710962&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1362456892770710962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1362456892770710962'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/03/would-real-identity-of-kristen-spitzers.html' title='Would the real Identity of Kristen (Spitzer&apos;s girl) Please Stand up'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8645855621685304500</id><published>2008-02-16T23:09:00.002-05:00</published><updated>2008-02-16T23:16:12.252-05:00</updated><title type='text'>Compliance as a Service Round 2</title><content type='html'>I just took a wander over to my buddy &lt;a href="http://www.tuesdaynight.org/2008/02/15/why-compliance-cannot-be-delivered-as-a-service.html"&gt;Ian Glazer's site &lt;/a&gt;as he has posted a retort to my compliance as a service rant.&lt;br /&gt;&lt;br /&gt;I have offered one back, and of course 30 seconds after I hit submit, I realized I forgot something, a distinction that is key. 
Compliance is a state of okay-ness delivered through transparency (documented okay-ness) and determined by a set of standards generally developed by people with less expertise than those who must accept and implement the standards. &lt;br /&gt;&lt;br /&gt;***&lt;br /&gt;&lt;br /&gt;Ian, I always love mixing it up with you.&lt;br /&gt;&lt;br /&gt;I will respectfully argue that compliance is not about people other than the operational change a person must execute to be compliant. I will also argue that because people are involved, the more risk is present to not be in compliance.&lt;br /&gt;&lt;br /&gt;Compliance in its purest form is group behavior modification that comes about by one’s behavior (’One’ referring to a company/organization/person) being made transparent and available for scrutiny. It is designed to make us honest, keep us honest, and provide a set of rules we all need to play by. In a way it’s a lot like art - people will interpret the same painting, sculpture, etc. different ways.&lt;br /&gt;&lt;br /&gt;That is why the less we involve people in compliance the less margin for misinterpretation can exist and the better off we can be.&lt;br /&gt;&lt;br /&gt;Compliance is 100% cost at the end of the day, and companies who have figured out that it is in their best interest to automate every process to be compliant, and automate the measuring of that process, and communicate that the right process exists, will be followed, and if it’s not, people all over the company will know, and know quickly.&lt;br /&gt;&lt;br /&gt;It is different lenses looking at the same thing…&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8645855621685304500?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8645855621685304500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8645855621685304500&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8645855621685304500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8645855621685304500'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/02/compliance-as-service-round-2.html' title='Compliance as a Service Round 2'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2047872284886922224</id><published>2008-02-06T10:36:00.000-05:00</published><updated>2008-02-06T10:40:41.560-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><title type='text'>CaaS - Compliance as a Service</title><content type='html'>Compliance as a Service – The new frontier&lt;br /&gt;&lt;br /&gt;I was stuck in Chicago the past two days thanks to mother nature, and I got to see parts of Michigan I had never seen (Saginaw), care of United Airlines. This meant I had lots of time to think about what ifs. 
The big idea I thought about was something I had blogged about a while back – Compliance as a Service.&lt;br /&gt;&lt;br /&gt;There is one absolute truth about compliance that is not open to interpretation –&lt;br /&gt;&lt;br /&gt;The costs of Compliance are 100% costs to a business&lt;br /&gt;&lt;br /&gt;What does a company get out of compliance that helps drive sales and generate revenue?&lt;br /&gt;&lt;br /&gt;Is compliance merely insurance designed to keep us humans honest and ensure that we do what we say we do, and that there is a safety on the Howitzer?&lt;br /&gt;&lt;br /&gt;I will say that the intent of compliance is good – increase transparency within an organization, set standards for what the transparency level needs to be and make sure that a few bad apples are known about as early as possible before they bring down entire companies. &lt;br /&gt;&lt;br /&gt;What I don’t like about compliance is that the guidelines, for the most part, are open to interpretation. It’s what happens when people with little operational knowledge (lawyers and politicians) come up with ways to insert operational best practices into a system they know nothing about. It’s like me trying to improve on the intent of communism – in theory it’ll work. In reality it’s a cluster-f*** waiting to happen.&lt;br /&gt;&lt;br /&gt;So what are alternative solutions to this spend? Reduce costs. Period. The interpretation will be there, however in what I have lived through personally in the compliance realm (HIPAA, SOX, PCI) I have come to believe one thing above all else – do something. If the guidelines are open to interpretation, interpret them in a way that gives you and your auditors a defensible position and monitor and improve the processes to reduce costs.&lt;br /&gt;&lt;br /&gt;The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency. 
If the candidates out on the campaign trail do away with SOX, that would also be a great way to lower cost...&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2047872284886922224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2047872284886922224&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2047872284886922224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2047872284886922224'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/02/caas-compliance-as-service.html' title='CaaS - Compliance as a Service'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3136985707673708807</id><published>2008-01-18T09:36:00.000-05:00</published><updated>2008-01-18T10:07:22.819-05:00</updated><title type='text'>Ready for Spring Training?</title><content type='html'>Those of you who know me and have chatted with me between March and October know that I am a huge fan of baseball. 
And a die hard 3rd generation Red Sox Fan, and four generations of MacAuleys have seen the Boston Red Sox Win the World Series twice.&lt;br /&gt;&lt;br /&gt;Last night I was at the Boston Baseball Writers Association dinner in Boston to do some networking, see who won the awards this year, and of course to see which players showed up and what they were really like.&lt;br /&gt;&lt;br /&gt;I arrived early, and promptly changed into my kilt which I wear to such affairs that are dressy/black tie. I don't own a suit. Well, one that fits anymore anyway...&lt;br /&gt;&lt;br /&gt;In the lobby of the hotel, Tina Cervasio was providing some live shots from the event. She's even taller than she looks on TV.&lt;br /&gt;&lt;br /&gt;As we went downstairs, I ran into some Board Members of the BoSox club who were just fantastic guys, and ended up sitting at their table. I checked out some auction items, pressed the flesh with several folks and listened to the stories from the Championship Season.&lt;br /&gt;&lt;br /&gt;Then the guy with the World Series Trophy walks by, and puts it on a table where we could take pictures. Glad I brought my camera so I could get my picture taken with the trophy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_b7vaXgPAx8U/R5C_y8B6fiI/AAAAAAAAAAc/6xZBmzKJtgM/s1600-h/Trophy.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_b7vaXgPAx8U/R5C_y8B6fiI/AAAAAAAAAAc/6xZBmzKJtgM/s320/Trophy.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5156832455167737378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I then helped some other folks operate their cameras, snapped a few pix, and then headed up to the VIP room where you get to interact with players past and present and hang out. On my way in, Jim Rice walks past me close enough to rub shoulders and he looks down and asks - 'You got anything on under that thing?'. 
Those are fighting words to some of Celtic descent, but I looked at him and said if you were a little cuter, I'd let you find out. Laughter ensued. Great moment.&lt;br /&gt;&lt;br /&gt;I ran into a bunch of people, only some of whom I was able to get pictures with.&lt;br /&gt;&lt;br /&gt;Don Orsillo is a class act and the emcee for the event. He rocks, and I think I need to start a fan club for him and Rem Dog, so next season when we're in the playoffs Orsillo and Jerry Remy get to call the games instead of Joe Buck. Orsillo makes Joe Buck sound like Donald Duck in my opinion. Hey, Joe Duck, that's got a nice ring to it. Anyway, Don was gracious as could be.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_b7vaXgPAx8U/R5DABcB6fjI/AAAAAAAAAAk/YP1_3DR-RzY/s1600-h/Orsillo.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_b7vaXgPAx8U/R5DABcB6fjI/AAAAAAAAAAk/YP1_3DR-RzY/s320/Orsillo.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5156832704275840562" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I worked the room and ran into Theo Epstein who was hanging out with Mark Shapiro (pronounced Sha PY ro) the GM from the Indians who was a stand-up guy as well. Theo was gracious enough to snap a picture with me, but his condition was 'so long as I didn't stand on my head', quite the negotiator that Theo. He got Mike Lowell back for three more years and got me to not stand on my head. 
He's smooth.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_b7vaXgPAx8U/R5DAT8B6fkI/AAAAAAAAAAs/d1MMdxLEFHY/s1600-h/Theo.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_b7vaXgPAx8U/R5DAT8B6fkI/AAAAAAAAAAs/d1MMdxLEFHY/s320/Theo.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5156833022103420482" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I also saw Jon Lester, who I just think is a fantastic pitcher, had a hell of a year last year, and he signed a baseball card and was very humble and gracious about it as well. Class act.&lt;br /&gt;&lt;br /&gt;Buchholz was a bit standoffish and wasn't signing anything, but I chalk it up to being a bit overwhelmed which I determined from his deer-in-the-headlights look most of the night.&lt;br /&gt;&lt;br /&gt;After we were done with the VIP room we settled into dinner and listened to the speeches, and watched the awards. Mike Lowell, dude, you're as good a guy as I've ever seen in the game of baseball. Dustin Pedroia, don't let anyone on or off the field make you feel small. You're a Giant in my book.&lt;br /&gt;&lt;br /&gt;In fact the entire Red Sox organization from the top down is a class act. Players talked about it, a ticket taker I spoke to said it, virtually everyone that is part of the Red Sox organization said it - The Boston Red Sox are Champions and the classiest champions in Baseball.&lt;br /&gt;&lt;br /&gt;All in all quite a night.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3136985707673708807?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3136985707673708807/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3136985707673708807&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3136985707673708807'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3136985707673708807'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/01/ready-for-spring-training.html' title='Ready for Spring Training?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_b7vaXgPAx8U/R5C_y8B6fiI/AAAAAAAAAAc/6xZBmzKJtgM/s72-c/Trophy.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-331522261203000534</id><published>2008-01-15T08:33:00.000-05:00</published><updated>2008-01-15T08:44:55.787-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Novell's Endpoint Solution</title><content type='html'>&lt;a href="http://www.novell.com"&gt;Novell &lt;/a&gt;announced the availability of ZENworks(R) Endpoint Security Management with expanded encryption functionality and local 
language support. This policy-based security solution offers improved encryption for personal data management, removable storage and white-listed devices, as well as increased security for fixed disks.&lt;br /&gt;&lt;br /&gt;This is a great differentiator IMHO in the identity space. Back in the day, it was all about directory consolidation, adapters/APIs, and authoritative sources. All of these were server-based, centralized (OK, mostly centralized) applications using IdM to provision and deprovision people.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tuesdaynight.org"&gt;Ian Glazer&lt;/a&gt; and I worked for a company that was focused on tying endpoint identity and machine identity into a comprehensive endpoint to network and application layer identity based system. I still feel that the endpoints are always a bigger concern, especially with the well-documented tales of people picking up thumb drives in parking lots loaded with password sniffers and other programs to thwart security that can unnerve risk management and certainly do not help justify continued funding of IdM projects.&lt;br /&gt;&lt;br /&gt;If I look at this conceptually, I could see a VERY solid solution combining Novell's ZENworks Endpoint Security Management offering with &lt;a href="http://www.netvision.com"&gt;NetVision's&lt;/a&gt; offerings designed to police the IdM environment so that you truly have an end-to-end solution covering endpoints (machines/peripherals), people, and a monitoring solution to keep everyone honest and embed transparency into Identity Management.&lt;br /&gt;&lt;br /&gt;Let's see how things play out...&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-331522261203000534?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/331522261203000534/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=331522261203000534&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/331522261203000534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/331522261203000534'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/01/novells-endpoint-solution.html' title='Novell&apos;s Endpoint Solution'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4545240671921443171</id><published>2008-01-04T13:03:00.001-05:00</published><updated>2008-01-04T13:04:15.836-05:00</updated><title type='text'>For Those About To Geek...</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_b7vaXgPAx8U/R351BsB6fhI/AAAAAAAAAAU/hYL6EqqYDZE/s1600-h/dilbert-on-net.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_b7vaXgPAx8U/R351BsB6fhI/AAAAAAAAAAU/hYL6EqqYDZE/s320/dilbert-on-net.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5151683695617932818" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4545240671921443171?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4545240671921443171/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4545240671921443171&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4545240671921443171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4545240671921443171'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2008/01/for-those-about-to-geek.html' title='For Those About To Geek...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_b7vaXgPAx8U/R351BsB6fhI/AAAAAAAAAAU/hYL6EqqYDZE/s72-c/dilbert-on-net.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3840225826025090260</id><published>2007-12-21T09:14:00.000-05:00</published><updated>2007-12-21T09:16:25.224-05:00</updated><title type='text'>ID Theft - Apathetic complacence, or the cost of doing business?</title><content type='html'>I just read this article in the Boston Globe this morning, and a smirk crossed my face in that it proves a widely held theory I share with my friends in this space that Identity Theft and a massive breach is simply the cost of doing business. Unbelievable. 
&lt;br /&gt;&lt;br /&gt;Or is it?&lt;br /&gt;&lt;br /&gt;With services out there like &lt;a href="http://www.lifelock.com"&gt;Lifelock&lt;/a&gt; and the fact that the company who f'ed up is covering the cost of monitoring, what's $100/year for their services, or free for monitoring? You'll save at least that much shopping at TJX companies or the mom and pop shop with no overhead, and no security in place... Right?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.boston.com/business/articles/2007/12/21/for_tjx_a_store_of_consumer_loyalty/"&gt;The Boston Globe Article&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Consumers don't stay angry in the face of a good deal.&lt;br /&gt;&lt;br /&gt;That's a lesson emerging from the data breach at TJX Cos., the Framingham retailer that a year ago discovered an intrusion into its computer security that compromised as many as 100 million payment-card accounts. While the episode led to lawsuits from banks and many complaints, sales at TJX stores such as TJ Maxx and Marshalls have risen steadily this year.&lt;br /&gt;&lt;br /&gt;Customers like Florida businesswoman Hanna Lipman help explain why. In April, Visa canceled one of Lipman's credit cards, saying it was compromised in the breach. By then, she had stopped going to the TJ Maxx store in Boca Raton.&lt;br /&gt;&lt;br /&gt;But now, Lipman said, she is back to spending about $100 a month at the store, on pocketbooks and other items. She expects TJX will be extra-cautious about protecting her information.&lt;br /&gt;&lt;br /&gt;"They got nailed from so many banks, I have to believe whatever can be done they have done," Lipman said.&lt;br /&gt;&lt;br /&gt;Another customer whose card was canceled, Phil Dunkelberger, said he still shops at a TJ Maxx store in California, but pays by cash or check to reduce his risk of data theft. 
"I think they're much safer than other vendors who haven't had a breach and gone through the pain," he said.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3840225826025090260?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3840225826025090260/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3840225826025090260&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3840225826025090260'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3840225826025090260'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/12/id-theft-apathetic-complacence-or-cost.html' title='ID Theft - Apathetic complacence, or the cost of doing business?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8036616277649425883</id><published>2007-12-11T10:46:00.001-05:00</published><updated>2007-12-11T10:52:33.635-05:00</updated><title type='text'>This just in - Lobsterman gets into identity theft</title><content type='html'>This story is from my neck of the woods. Fishing in the winter does strange things to people...&lt;br /&gt;&lt;br /&gt;Apparently the LobsterMAN used a WOMAN'S credit card to buy a ton of toiletries, cigars, some shoes, and a latte. Is this the latest breakdown of our Identity systems? I think not. It just goes to show you that a Lobsterman can be a woman in the real world now and not just online... Having a girly name like Evgeny helps though... 
And the shoes and a latte are just further gender blending cover ups... Let's see those receipts. Any mascara on there? Us Magazine or InStyle? Lip gloss?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PORTSMOUTH — A lobsterman with no permanent address and a criminal history, including a prison sentence for armed robbery, used a city woman's credit card to go on a three-hour, six-store shopping spree, even stopping to buy coffee with the stolen card, said police.&lt;br /&gt;&lt;br /&gt;Charged with a felony count of fraudulent use of a credit card and two misdemeanor charges of receiving stolen property, Evgeny Healy, 22, was arraigned in Portsmouth District Court on Monday and ordered held on $3,500 cash-only bail.&lt;br /&gt;&lt;br /&gt;According to an affidavit by Officer Andre Wassouf, Healy was arrested following a "lengthy investigation" into the Nov. 18 crimes.&lt;br /&gt;&lt;br /&gt;Wassouf's report to the court says that on that date Healy first used the stolen Bank of America card at a Mobil gas station, where he charged $100 worth of merchandise at 9:02 a.m. At 9:20 a.m., he used the card at the Breaking New Grounds coffee shop for a $5.25 purchase, then went to a CVS drug store and charged $245 worth of goods at 10:37 a.m.&lt;br /&gt;&lt;br /&gt;By 10:49 a.m., he moved onto a Rite Aid drug store and charged $266 worth of items and at 11:39 a.m. 
he charged $280 worth of goods at the Federal Cigar store, according to Wassouf.&lt;br /&gt;&lt;br /&gt;The shopping trip ceased, said police, at 12:13 p.m., when Healy charged $190 worth of goods at a shoe store.&lt;br /&gt;&lt;br /&gt;According to court records, Wassouf interviewed employees at all of the stores and reviewed video surveillance images from the pair of pharmacies, all leading to a warrant for Healy's arrest.&lt;br /&gt;&lt;br /&gt;Brought to the district court in the custody of local police, Healy entered not-guilty pleas and denied the charges.&lt;br /&gt;&lt;br /&gt;"I know there's cameras in all those stores," he said. "It's not me."&lt;br /&gt;&lt;br /&gt;Judge Sawako Gardner noted Healy's criminal history as including the armed robbery conviction, in addition to past guilty findings for theft, being a fugitive from justice, shoplifting, breach of bail conditions and criminal threatening.&lt;br /&gt;&lt;br /&gt;Healy is scheduled to return to the district court on Dec. 18 for a probable-cause hearing and has applied for a public defender. He provided the court with an address of 53 Dover Ave., Hampton, saying he moved there a few weeks ago.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8036616277649425883?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8036616277649425883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8036616277649425883&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8036616277649425883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8036616277649425883'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/12/this-just-in-lobsterman-gets-into.html' title='This just in - Lobsterman gets into identity theft'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8077813443677943392</id><published>2007-12-11T10:39:00.000-05:00</published><updated>2007-12-11T10:42:58.511-05:00</updated><title type='text'>2007 - The year the Identity Shine Came Off my Apple</title><content type='html'>2007 – Identity in Review&lt;br /&gt;&lt;br /&gt;It’s been a while since I’ve posted, and there is a specific reason for it. I’m over Identity Management as I know/knew it. I still follow Identity Theft stuff, have my alerts set up so I get a dump of 20-30 articles and blog updates every morning in my inbox. Bottom line is Identity Management, at least for me is not new and shiny anymore. 
I feel some level of sadness about it because I truly believe that Identity Management's evolution was a necessary and exciting thing to have happen in computing.&lt;br /&gt;&lt;br /&gt;I have sent my playbook out to over 150 people around the world. The furthest away were folks in South Africa, and the Ukraine this year. I have seen an uptick in my PCI Playbook requests as well over the last few months. Deadlines and the threat of fines create urgency, I guess.&lt;br /&gt;&lt;br /&gt;So why is the shine off the apple for me so soon? I guess I am waiting for the maturation of IdM to become a service, and its solutions and processes to be cannibalized as quickly as possible and extract all cost from the business end of provisioning. That’s what happens as IT Markets (driven by application adoption) mature. &lt;br /&gt;&lt;br /&gt;Look at email, security, applications at the desktop. As these market segments have matured new pricing models emerged a la Software as a Service. Companies want to pay for the functionality and the inherent benefits of it, not the license cost, or the license management, or the ongoing maintenance fees. In talking to a recent customer a decision was made to stay on Exchange 2003 because the company didn’t feel like paying millions for an upgrade in functionality that was the equivalent of paying $10M for the highlighter function in Microsoft Word. But they still want email, and they want to reduce costs.&lt;br /&gt;&lt;br /&gt;So as I look at 2007 for Identity Management I see the maturation of products, the maturation of the marketplace (acquisitions galore), some nice news stories led by the TJX breach and subsequent fines to them and Fifth Third Bank and some successful implementations.&lt;br /&gt;&lt;br /&gt;Where do I think the action is in 2008? Software as a Service. Stay tuned for my next post where I’ll get into that in some depth. 
I will also start to explore some other topics like component based computing (remember Grid?), Virtualization and how it's a 'Green' play, and where there is tremendous growth in 2008-2009.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8077813443677943392?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8077813443677943392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8077813443677943392&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8077813443677943392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8077813443677943392'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/12/2007-year-identity-shine-came-off-my.html' title='2007 - The year the Identity Shine Came Off my Apple'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-103827976892152595</id><published>2007-10-29T09:21:00.000-04:00</published><updated>2007-10-29T09:34:46.054-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Red Sox'/><category scheme='http://www.blogger.com/atom/ns#' term='World Series 2007'/><title type='text'>Four Generations of MacAuley Clan See Red Sox Win World Series</title><content type='html'>Here is another bit of trivia for all you Identitystuff fans out there - Four generations of my family have been alive to see the Red Sox win the World Series twice in their lifetimes.&lt;br /&gt;&lt;br /&gt;My grandmother, Mary, who passed away in 2005 days after meeting my 3 week old daughter for the first time was born the same year as Fenway 
Park - 1912. She saw the last World Series win of the Red Sox (prior to the 2004 win) in 1918, and was alive and well, and wide awake in Maine at the end of the winning game in 2004. &lt;br /&gt;&lt;br /&gt;My dad and my uncle were the second generation to see them win twice, as did my son and I (who was born February 2004 and was wearing Red Sox stuff in her first days of life) in 2004 and 2007 respectively.&lt;br /&gt;&lt;br /&gt;Four generations, two World Series, one team - &lt;a href="http://boston.redsox.mlb.com/index.jsp?c_id=bos"&gt;The Boston Red Sox&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Just for the record, it has also been four generations who believe that the Yankees Suck...&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-103827976892152595?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/103827976892152595/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=103827976892152595&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/103827976892152595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/103827976892152595'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/10/four-generations-of-macauley-clan-see.html' title='Four Generations of MacAuley Clan See Red Sox Win World Series'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2323392837785178632</id><published>2007-10-22T09:23:00.000-04:00</published><updated>2007-10-22T09:31:23.841-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Red Sox'/><category scheme='http://www.blogger.com/atom/ns#' term='World Series 2007'/><title type='text'>The Identity of a Nation...</title><content type='html'>Those of you who know me, know how much of a Boston Red Sox fan I am. I watch over 100 games in the regular season, and have seen all the games in the post season thus far. Last night's win to send the Red Sox to the World Series was awesome. 
It was 11:54 PM with Papelbon on the mound and shutting down the Tribe, with some help from Coco Crisp slamming into the same wall Johnny Damon did to make the game ending catch.&lt;br /&gt;&lt;br /&gt;So to those of us who are part of the Red Sox Nation, we don't need identity cards, biometrics, or poorly designed provisioning processes to help us define who we are. We know. And we know we actually have a shot at taking the World Series this year. &lt;br /&gt;&lt;br /&gt;I am proud to say that if the Red Sox pull it out, there will be 4 generations of Red Sox fans who have seen them win twice (my Grandmother, who passed away after the 04 win and meeting her great grand-daughter, my dad and uncle, me, and my son) in their lifetime. The profoundness of that statement has me reaching for a box of Kleenex. &lt;br /&gt;&lt;br /&gt;GO SOX!!!!!!!&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;PARAM NAME="MSGTEXT" VALUE="http://www.prognosisx.com/infosyssec/announce.txt"&gt;
&lt;PARAM NAME="BGCOLOR" VALUE="#F4F2F0"&gt;
&lt;PARAM NAME="FGCOLOR" VALUE="#000000"&gt;
&lt;PARAM NAME="HREFCOLOR" VALUE="#0000FF"&gt;
&lt;PARAM NAME="LINKCOLOR" VALUE="#FF0000"&gt;
&lt;PARAM NAME="FONTNAME" VALUE="Dialog"&gt;
&lt;PARAM NAME="FONTSIZE" VALUE="10"&gt;
&lt;PARAM NAME="SPEED" VALUE="30"&gt;
&lt;PARAM NAME="WAITTEXT" VALUE="YES"&gt;
&lt;PARAM NAME="PAUSE" VALUE="5500"&gt; 
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2323392837785178632?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2323392837785178632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2323392837785178632&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2323392837785178632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2323392837785178632'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/10/identity-of-nation.html' title='The Identity of a Nation...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3060589444178568745</id><published>2007-10-15T14:11:00.000-04:00</published><updated>2007-10-15T14:12:49.621-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Identity Management as a Service</title><content type='html'>Having been in both the IdM space and the services world for some time, a convergence of discussion topics happened this past week via email when I was thinking about IdM as a service and asking myself, why doesn't somebody do this for a living? &lt;br /&gt;&lt;br /&gt;Someone sent me an email asking if I knew of anyone doing this and it got me into a what-if thought parade… What if IdM could be offered as a service? 
Would it be an elephant or a dumptruck?&lt;br /&gt;&lt;br /&gt;My thoughts:&lt;br /&gt;&lt;br /&gt;The service’s value would really be in BPR (Business Process Reengineering) since we are talking about streamlining the process by which access to assets is given.&lt;br /&gt;&lt;br /&gt;The first part of the service would be a BPR Mapping session – map out what it is you want a process to look like. NOT what the process is and NOT what one group thinks it is (a really cool project with a lot of buzz). Lay out the best possible process. Period.&lt;br /&gt;&lt;br /&gt;Then what? &lt;br /&gt;&lt;br /&gt;Then you have to look at ways of validating identity. What parts are manual (Are you who you say you are at the other end of the phone)? What parts are automatic (LDAP?)? &lt;br /&gt;&lt;br /&gt;Identify what people need access to by macro groups. Is this enough?&lt;br /&gt;&lt;br /&gt;Identify what people need access to in micro groups. Is this enough?&lt;br /&gt;&lt;br /&gt;Identify the small group of users (Roots) who get access to a lot of stuff, or the keys to the kingdom.&lt;br /&gt;&lt;br /&gt;Install software solution(s) to manage and enforce what you’ve identified.&lt;br /&gt;&lt;br /&gt;Then identify how to un-engineer the process. Does it work? How quickly?&lt;br /&gt;&lt;br /&gt;Continually audit to determine how well it works or doesn’t work.&lt;br /&gt;&lt;br /&gt;What’s your service offering? An elephant or a dumptruck?&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3060589444178568745?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3060589444178568745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3060589444178568745&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3060589444178568745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3060589444178568745'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/10/identity-management-as-service.html' title='Identity Management as a Service'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6521987136851570598</id><published>2007-09-07T10:23:00.001-04:00</published><updated>2007-09-07T10:23:49.886-04:00</updated><title type='text'>I'll Just eMule you my identity attributes...</title><content type='html'>ID theft updated for the 21st century&lt;br /&gt;Man accused of exploiting peer-to-peer software&lt;br /&gt;By PAUL SHUKOVSKY&lt;br /&gt;P-I REPORTER&lt;br /&gt;&lt;br /&gt;Federal agents and prosecutors sounded a warning Thursday to the millions of people who use peer-to-peer software for downloading music or video files: "You are handing criminals the keys to your computer."&lt;br /&gt;&lt;br /&gt;The warning came after the arrest of a Seattle man Wednesday on charges that he trolled through the vast peer-to-peer networks, 
downloading peoples' tax returns, student aid applications and credit card numbers instead of music. &lt;br /&gt;&lt;br /&gt;The feds accuse Gregory Kopiloff, 35, of using the information to steal people's identities, then buying tens of thousands of dollars in such electronics as laptops, iPods and cell phones that he sold for "50 cents on the dollars."&lt;br /&gt;&lt;br /&gt;Kopiloff is believed to be the first person in the nation to be arrested for using peer-to-peer software for the purposes of identity theft.&lt;br /&gt;&lt;br /&gt;Despite what prosecutors describe as a lucrative enterprise, a U.S. magistrate judge Thursday assigned the oddly cheerful-appearing Kopiloff a federal public defender -- a right reserved to indigent defendants. According to Secret Service and Seattle police investigators, Kopiloff gambled away his ill-gotten gains. &lt;br /&gt;&lt;br /&gt;When arrested near his publicly subsidized apartment in the Denny Triangle-Cascade neighborhood, Kopiloff told investigators he was "relieved," as he knew this day was coming.&lt;br /&gt;&lt;br /&gt;Although Kopiloff's motive is as old as the crime of larceny, he "is a poster child of a 21st-century theft," said Assistant U.S. Attorney Kathryn Warma. The former Dumpster diver "has adapted as technology has adapted," she said.&lt;br /&gt;&lt;br /&gt;In peer-to-peer file sharing, people download software allowing them to connect to networks such as LimeWire, Kazaa, Soulseek, eMule and Morpheus, which gives them access to every other laptop or PC that is part of those networks. When people log in to these networks, they type in a search term for the music they want, such as Bright Eyes or Madonna. &lt;br /&gt;&lt;br /&gt;But instead of typing in Madonna, Kopiloff would type in tax return or credit report, authorities said.&lt;br /&gt;&lt;br /&gt;Robert Boback, an industry expert on peer-to-peer risk management who participated in a news conference at the U.S. 
Attorney's Office on Thursday, characterized what Kopiloff is accused of doing as a harbinger, calling it a "new age of crime." People engaged in peer-to-peer file sharing "don't realize what they are sharing is their entire hard drive."&lt;br /&gt;&lt;br /&gt;To give an idea of the potential scope of the problem, Boback said about 966 million peer-to-peer searches are done every day around the world. In research done by his company during the two weeks beginning Aug. 16, there were almost 800,000 suspicious peer-to-peer search terms involving credit cards, credit reports, tax returns, bank accounts, medical insurance and passwords.&lt;br /&gt;&lt;br /&gt;"This is the new world of identity theft," he said. "There are tens of thousands of individuals making a living doing this kind of work." &lt;br /&gt;&lt;br /&gt;He likened peer-to-peer file sharing with a computer containing sensitive financial data to "putting meat into a school of piranha."&lt;br /&gt;&lt;br /&gt;Boback said there are no good fixes in place to solve the problem. And he recommended that the best protection is to use two computers, one to store financial and other sensitive records and another to conduct peer-to-peer file sharing. Boback warned parents to find out whether their children are engaged in file sharing without their knowledge.&lt;br /&gt;&lt;br /&gt;Cybersecurity expert Howard Schmidt, a former chief of security for Microsoft Corp. 
and eBay, said many people who use file-sharing software such as LimeWire unwittingly expose themselves to identity thieves by accidentally allowing others access to their hard drives, not just folders that hold the music or videos they hope to exchange.&lt;br /&gt;&lt;br /&gt;Schmidt, who also served as a cybersecurity adviser to the White House after the 9/11 attacks, pointed out that most file-sharing programs could be configured so they share only files kept in a single file or group of files.&lt;br /&gt;&lt;br /&gt;Schmidt also suggested computer owners consider encrypting sensitive documents. He said several companies offer consumer-friendly encryption software, which also comes loaded on some new computers.&lt;br /&gt;&lt;br /&gt;Schmidt said the full extent of the problem isn't clear.&lt;br /&gt;&lt;br /&gt;"There's a perspective that a number of the data breaches in recent years may have been related to this," he said. "But the fact that they got it from peer-to-peer is not always known."&lt;br /&gt;&lt;br /&gt;Kopiloff was charged Thursday in a four-count indictment with mail fraud, accessing a protected computer without permission and two counts of aggravated identity theft. &lt;br /&gt;&lt;br /&gt;Mail fraud carries the toughest maximum sentence, 20 years in a federal prison. &lt;br /&gt;&lt;br /&gt;Kopiloff is being held pending court appearances Monday.&lt;br /&gt;&lt;br /&gt;P-I reporter Levi Pulkkinen and online producer Brian Chin contributed to this report. P-I reporter Paul Shukovsky can be reached at 206-448-8072 or paulshukovsky@seattlepi.com.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6521987136851570598?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6521987136851570598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6521987136851570598&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6521987136851570598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6521987136851570598'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/09/ill-just-emule-you-my-identity.html' title='I&apos;ll Just eMule you my identity attributes...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3691522697997508436</id><published>2007-08-27T08:58:00.000-04:00</published><updated>2007-08-27T09:01:26.491-04:00</updated><title type='text'>A Monster Paradigm Shift</title><content type='html'>With all of the work I am doing related to &lt;a href="http://pcistuff.blogspot.com"&gt;PCI Compliance &lt;/a&gt;right now, I found the coverage on the Trojan at Monster very interesting for a couple of reasons:&lt;br /&gt;&lt;br /&gt;The type of information it was designed to capture&lt;br /&gt;The possible reasons behind it&lt;br /&gt;And will we be seeing more of this activity?&lt;br /&gt;&lt;br /&gt;The PCI-DSS is designed to enable best practices around data security for customer data. 
What I found interesting about the Monster incident was that the Trojan was designed to get key pieces of data from a group of people likely to provide it, since who is going to lie about where they live if they are looking for a job? Clever.&lt;br /&gt;&lt;br /&gt;I can understand why criminals (or clever idiot savants) would do this – it’s public information for the most part – or you can get it through public records (tedious but not impossible) – and while it is not the coveted SSN, through social engineering one could probably open up a line of credit someplace without giving the SSN up at all.&lt;br /&gt;&lt;br /&gt;This got me wondering whether this type of thing would occur on a larger scale, and where the juicy targets are. If retailers are going to be more difficult to hack because of implementing PCI-compliant systems, then where is the low-hanging fruit that will give the clever criminals license to steal?&lt;br /&gt;&lt;br /&gt;Job Boards&lt;br /&gt;Public records/town offices of wealthy towns&lt;br /&gt;Non-profits&lt;br /&gt;&lt;br /&gt;What happens when a 3rd party violates your privacy policy?&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3691522697997508436?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3691522697997508436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3691522697997508436&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3691522697997508436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3691522697997508436'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/08/monster-paradigm-shift.html' title='A Monster Paradigm Shift'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-7220361326819477935</id><published>2007-08-09T14:11:00.001-04:00</published><updated>2007-08-09T14:12:08.977-04:00</updated><title type='text'>Dilbert's ID Theft</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_b7vaXgPAx8U/RrtY7zP5VqI/AAAAAAAAAAM/TBABQLT3jJE/s1600-h/dilbert-id-theft.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_b7vaXgPAx8U/RrtY7zP5VqI/AAAAAAAAAAM/TBABQLT3jJE/s320/dilbert-id-theft.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5096765187692254882" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-7220361326819477935?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/7220361326819477935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=7220361326819477935&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7220361326819477935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7220361326819477935'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/08/dilberts-id-theft.html' title='Dilbert&apos;s ID Theft'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_b7vaXgPAx8U/RrtY7zP5VqI/AAAAAAAAAAM/TBABQLT3jJE/s72-c/dilbert-id-theft.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-599163529926273076</id><published>2007-08-06T06:52:00.000-04:00</published><updated>2007-08-06T07:11:26.371-04:00</updated><title type='text'>What happens in Vegas...</title><content type='html'>I was in Las Vegas last week for Sun Microsystems Sales kickoff and MAN what a pain in the ass it was to get out there. I'm grounding myself for at least two weeks - flying at the end of the month is more hassle than it's worth. My flight was canceled twice, then I find a deal on a last minute ticket, as in my travel agent says 'How close to the airport are you?' 
I connect in Detroit and then wind up in Minneapolis for an unscheduled plane change for an hour and a half. I did finally get into Las Vegas after being up for 24 hours. &lt;br /&gt;&lt;br /&gt;I have to give a shout out to the Palms hotel. Nice place. My room even had a dance floor and stripper pole in it, complete with strobe lights and the whole 9 yards. Too bad I was too tired to soak it all in.&lt;br /&gt;&lt;br /&gt;So as I was checking in, I noticed that there were all these really tall guys there too, like NBA tall guys, and I noticed that when they checked in they all used a false name (duh). It got me thinking about a conversation I had with Ian Glazer maybe a year ago, about managing identity and what role dis-information plays in our identity. The thought popped into my head again when I saw No Way Out for the 87th time, and how over a period of years you could really craft a persona and migrate it to a full blown identity in short order through social engineering, working the system, and not a lot of effort.&lt;br /&gt;&lt;br /&gt;So let's say I wanted to become someone else, how hard would it be? Especially if over a period of years I had built up a cadre of professional credentials that I exploited to assume a new identity. I think the issue in actually doing this lies with the processes, and the lack of challenges built into the processes that govern the establishment of identity. I heard the Brad Paisley song the other day, Online, where a short fat guy who lives with his mom is someone completely different online. &lt;br /&gt;&lt;br /&gt;I have blogged about this before - that we need a Federated Trust of some sort that vets identities, however I am not sure it could work. Take the Bourne Identity (or any other movie that flashes a dozen passports from a dozen different countries) or Bourne Ultimatum, and look at the processes that were exploited to create an identity that is maintained. 
Then look at all of the interconnected systems that maintain that identity or those identities without challenge. &lt;br /&gt;&lt;br /&gt;I think there is a thesis in here somewhere for someone who wanted to create a few new identities and study how to do it and point out the importance of disinformation and its effect on identity in general. It seems the more we wish to be secure and identifiable, the more we realize what a difficult task that is.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-599163529926273076?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/599163529926273076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=599163529926273076&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/599163529926273076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/599163529926273076'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/08/what-happens-in-vegas.html' title='What happens in Vegas...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-7899304982250500154</id><published>2007-07-27T12:42:00.000-04:00</published><updated>2007-07-27T12:52:27.827-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Catalyst'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Entitlements'/><title type='text'>Who Entitled Me Anyway?</title><content type='html'>So I got to thinking this morning as I was out catching a few waves before work, that with all the buzz and thought going into entitlements I had to wonder - how did things get so f)*&amp;^(^% up in the first place?&lt;br /&gt;&lt;br /&gt;I got to thinking back over the years and how it all starts with onboarding. Remember onboarding? 
That was the pain in the ass du jour a few years ago with identity management since it was crucial for provisioning - a big topic 2 years ago at Catalyst in San Diego. So I determined that it all goes back to HR. And perhaps Dogbert is the wizard of it all, but I digress...&lt;br /&gt;&lt;br /&gt;If we think about roles and entitlements, I would think that there would have been more backlash in HR groups since they are the ones who ultimately control creation of an identity within a company. At least I hope we don't fill out all of that paperwork for a self-service app...&lt;br /&gt;&lt;br /&gt;So I got to wondering, what could Oracle and SAP bring to the table around getting off on the right foot to pre-build roles into their applications that automatically take care of provisioning and, to a certain extent, entitlements? &lt;br /&gt;&lt;br /&gt;I have to believe it would simplify some things, especially new deployments, and it's not like they haven't been doing this for 20 years and have no idea what to do or where to start. Granted, every company has its own set of roles, which drive the entitlements, so if we address it at the source, wouldn't that help?&lt;br /&gt;&lt;br /&gt;Identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-7899304982250500154?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/7899304982250500154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=7899304982250500154&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7899304982250500154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7899304982250500154'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/07/who-entitled-me-anyway.html' title='Who Entitled Me Anyway?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6613710030603921053</id><published>2007-07-19T09:33:00.000-04:00</published><updated>2007-07-19T09:37:09.212-04:00</updated><title type='text'>It’s all about the process, but WHY?</title><content type='html'>I have been up and down the East Coast this week meeting with different companies and beating my ‘It’s about the process’ drum. One question that got me thinking was – &lt;em&gt;why?&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;I have been noticing the shifting sands of Identity for several years now and have had the opportunity to speak with organizations, and ultimately people, who sell identity management solutions, deploy identity management solutions, and manage and support identity management solutions. 
There are several things that are very apparent to me, and continue to be reinforced:&lt;br /&gt;&lt;br /&gt;1. Compliance is the biggest reason people evaluate Identity management solutions. I believe this stems from (poorly written) legislation that is designed to mandate that organizations have a level of transparency and a level of knowledge about what is really going on inside the systems that run their business. It is no longer acceptable to say ‘I didn’t know about that’. It’s also where the budgets are since management wants to stay out of the papers and out of jail.&lt;br /&gt;&lt;br /&gt;2. Convergence of Identity, Privacy, and Security means that there are now impacts beyond each silo that must be considered when evaluating a solution. What are the ripple effects beyond my group/team/business unit? Add in trying to implement a federation model/framework and the waters get muddier.&lt;br /&gt;&lt;br /&gt;3. The number of people who have the expertise and experience of both the business drivers and technology implementations is &lt;strong&gt;small&lt;/strong&gt;. Identity management is not a technology project. When I got into the space and started to position solutions at companies, it was a technology project buy. Now that companies have started to realize that the Identity Management products out there all do 80-90% of the same thing, it has become less about the technology and more about supporting the business process and enabling transparency in a way that business folks can understand (that’s why I believe dashboards have become the must-have thing).&lt;br /&gt;&lt;br /&gt;4. Support, Maintenance, and Servicing. I also see that companies are starting to understand that an implementation is not the event it once was but the beginning of a business process reengineering effort, and that once the technology is implemented, there is a substantial effort and commitment to care for and feed this new system and the processes it is designed to support. 
&lt;br /&gt; &lt;br /&gt;5. I believe that companies - to varying degrees – will start to look at transition processes to offload the ongoing maintenance and management of these systems to service providers who will retain the expertise of both the business and technology components. This means that there is an opportunity for companies to build out teams to do the support, and, more importantly, quarterly business reviews with their clients to ensure things are running smoothly.&lt;br /&gt;&lt;br /&gt;It’s About the Process, Folks, and having continuous feedback and ongoing strategy evaluation means that you will get better at defining the processes that will foster transparency and improve how security and privacy are maintained to help your business.&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6613710030603921053?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6613710030603921053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6613710030603921053&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6613710030603921053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6613710030603921053'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/07/its-all-about-process-but-why.html' title='It’s all about the process, but WHY?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4603750969441167220</id><published>2007-07-12T15:44:00.000-04:00</published><updated>2007-07-12T15:46:07.115-04:00</updated><title type='text'>Tom Bergeron Sighting</title><content type='html'>Tom Bergeron From WHEB in NH, Funniest Home Videos, and Dancing with the Stars is hanging at Starbucks in Portsmouth NH. Not with me per se, but hanging...&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4603750969441167220?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4603750969441167220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4603750969441167220&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4603750969441167220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4603750969441167220'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/07/tom-bergeron-sighting.html' title='Tom Bergeron Sighting'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3961124003755063505</id><published>2007-07-12T15:38:00.000-04:00</published><updated>2007-07-12T15:44:29.004-04:00</updated><title type='text'>Look what I found... Shiny new tool for the Beancounters?</title><content type='html'>I just had lunch with the CEO of VKernel, and we originally met to discuss some other things, and he told me about VKernel. 
Having worked with large companies, this is going to be a nice app to have in the IT Operations arsenal.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.vkernel.com"&gt;V-Kernel&lt;/a&gt; adds functionality not available in Virtual Center such as Chargeback, Top down reporting on Resources used by multiple VMs to support Business Services, and Storage usage reporting.&lt;br /&gt;&lt;br /&gt;In just a few minutes, with these Reports, you can:&lt;br /&gt;&lt;br /&gt;Find out how much CPU, Memory, Network, and Storage each VM is consuming.&lt;br /&gt;&lt;br /&gt;Understand Total Resource consumption by groups of VMs that support business applications such as EMAIL, CRM, and others. &lt;br /&gt;&lt;br /&gt;Generate Chargeback reports that are based on actual consumption of resources in your environment. &lt;br /&gt;&lt;br /&gt;V-Kernel is a Virtual Appliance. It does not require installation or extensive configuration. Simply drop this appliance into one of your ESX servers and specify which servers you want to report on. That's it!&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3961124003755063505?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3961124003755063505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3961124003755063505&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3961124003755063505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3961124003755063505'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/07/look-what-i-found-shiny-new-tool-for.html' title='Look what I found... Shiny new tool for the Beancounters?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-5783569118428032622</id><published>2007-07-02T16:29:00.000-04:00</published><updated>2007-07-02T16:32:41.316-04:00</updated><title type='text'>Great blog entry - Flying without ID</title><content type='html'>http://www.thetraveljunkie.ca/articles.php?articleid=146&lt;br /&gt;&lt;br /&gt;That is the link that outlines a traveler's experience of NOT producing any ID. In light of the Glasgow bombing, I thought this was interesting.&lt;br /&gt;&lt;br /&gt;I will also point out that the Jersey Barriers at the airport stopped the SUV. Now that either means dumb terrorists or kick ass concrete.
Or they weren't used to driving on the wrong side of the road...&lt;br /&gt;&lt;br /&gt;Either way I hope &lt;a href="http://www.macaulay.org"&gt;my clansmen&lt;/a&gt; keep up their vigilance.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-5783569118428032622?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/5783569118428032622/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=5783569118428032622&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5783569118428032622'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5783569118428032622'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/07/great-blog-entry-flying-without-id.html' title='Great blog entry - Flying without ID'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-858858990135276182</id><published>2007-06-25T15:16:00.000-04:00</published><updated>2007-06-25T15:20:18.113-04:00</updated><title type='text'>Fries or Baked potato? I think I'll have the Bruschetta</title><content type='html'>I recently had two discussions with two very different organizations about identity management. One was a global wired/wireless telecom provider and the other was a State government. &lt;br /&gt;&lt;br /&gt;Ice cream and dump trucks from a similarity perspective, but my answer to them was the same – it’s all about the process. What was the question? 
It was:&lt;br /&gt;&lt;br /&gt;Should we use Sun Identity Manager or IBM’s Tivoli Identity Manager?&lt;br /&gt;&lt;br /&gt;Why was my answer the same for both organizations? Because one of the two most important parts of an IdM deployment – the business process that will be enabled by the technology – directly impacts the ultimate success of a project.&lt;br /&gt;&lt;br /&gt;Do you *really* think it matters what product you use? They both do the same thing at the end of the day, and it *really* doesn’t matter what product you use. Maybe if you spend $100M with IBM every year you’ll get a better price, but functionally they are basically the same. &lt;br /&gt;&lt;br /&gt;They are the same in another way too – if you screw up figuring out the business process and focus on the as-is process and implement how things work today, then you will have a broken business process enabled by a shiny new piece of expensive software that may impress your peers, but will give your CFO heartburn, and let’s face it – that’s not good.&lt;br /&gt;&lt;br /&gt;Spend your money on someone who understands process and will help you defend it, vs. someone who can tell you how different the feature sets are.&lt;br /&gt;&lt;br /&gt;So if I should be asked again – what would you use - _______________ Identity management Solution or _____________________ identity management solution? My answer will be the same – how well is your process defined?&lt;br /&gt;&lt;br /&gt;Extra credit - Anyone care to venture what the other most important part of an identity implementation is? Answer in my next blog entry…&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-858858990135276182?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/858858990135276182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=858858990135276182&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/858858990135276182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/858858990135276182'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/06/fries-or-baked-potato-i-think-ill-have.html' title='Fries or Baked potato? I think I&apos;ll have the Bruschetta'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1064484823971667221</id><published>2007-06-21T13:51:00.000-04:00</published><updated>2007-06-21T14:05:48.510-04:00</updated><title type='text'>Cataclysmic Catalyst</title><content type='html'>cat·a·clysm (kāt'ə-klĭz'əm)&lt;br /&gt;n.&lt;br /&gt;A violent upheaval that causes great destruction or brings about a fundamental change. &lt;br /&gt;A violent and sudden change in the earth's crust. &lt;br /&gt;A devastating flood&lt;br /&gt;&lt;br /&gt;I munged Catalyst and Cataclysm in a discussion with a friend of mine, and as it turns out the two are not unrelated. Catalyst has nothing to do with the earth's crust directly, however being in San Francisco it is tangentially related.
Fundamental change? Check. A Flood? Of people? Check.&lt;br /&gt;&lt;br /&gt;Yes I'll be there, and I am pulling together some friends to catch up in between meetings with customers in the East Bay. I will not be wearing my kilt this year (a travesty for the ladies who count on seeing my revered kneecaps, and the scar I got at Dunvegan Castle on the Isle of Skye I know) but I will be there nonetheless.&lt;br /&gt;&lt;br /&gt;I happened to catch &lt;a href="http://www.tuesdaynight.org/2007/06/07/in-need-of-a-new-watering-hole.html#comment-4799"&gt;Ian Glazer's post&lt;/a&gt; about needing a new watering hole in San Francisco and there are a few I would recommend, however none of them are where the majority of the hotels are:&lt;br /&gt;&lt;br /&gt;Vesuvio at 255 Columbus Ave. Kerouac used to hang here. 'Nuff said.&lt;br /&gt;&lt;br /&gt;The Carnelian Room - Hands down the best views in the city. It's at the top of the Bank of America building 555 California Street. I was at the post IPO party of ATG there with guys (at the time) worth more than John Hancock. Literally.&lt;br /&gt;&lt;br /&gt;Ace Wasabi's in the Marina. Great Sushi, hip crowd, and sake. Opens at 6 pm&lt;br /&gt;&lt;br /&gt;&lt;a href="http://maps.google.com/maps?ie=UTF-8&amp;oe=UTF-8&amp;q=the+grove&amp;near=San+Francisco,+CA&amp;fb=1&amp;latlng=37800297,-122440327,13663066991973666463&amp;dtab=2&amp;reviews=1&amp;oi=more_rev&amp;sa=X&amp;ei=Tr16RoqQJZ-WrQKplbikBA&amp;action=open"&gt;The Grove in the Marina &lt;/a&gt;is a fantastic place to people watch and you can't go wrong with the oatmeal for brunch.&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1064484823971667221?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1064484823971667221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1064484823971667221&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1064484823971667221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1064484823971667221'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/06/cataclysmic-catalyst.html' title='Cataclysmic Catalyst'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4737013068975016634</id><published>2007-06-18T09:03:00.000-04:00</published><updated>2007-06-18T09:06:13.365-04:00</updated><title type='text'>State of Ohio Identity Whoops!</title><content type='html'>I can't help but wonder what will happen to pensions. I know that the SSN's of folks have a value of $2-5 but what if you were able to get to the state pension systems? 
There would be a field day in there, especially with the folks who have given 19 years of service, those would likely be some good checks up for grabs...&lt;br /&gt;&lt;br /&gt;I wonder where the intern is headed next...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said.&lt;br /&gt;&lt;br /&gt;An additional review of data revealed that the storage device also held information on 53,797 participants enrolled in the state’s pharmacy benefits management program, as well as names and Social Security numbers of about 75,532 dependents, the governor’s office confirmed Saturday. Strickland has asked Ohio Inspector General Tom Charles to investigate.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4737013068975016634?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4737013068975016634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4737013068975016634&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4737013068975016634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4737013068975016634'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/06/state-of-ohio-identity-whoops.html' title='State of Ohio Identity Whoops!'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6119347226591449345</id><published>2007-06-08T09:14:00.000-04:00</published><updated>2007-06-08T09:23:37.624-04:00</updated><title type='text'>BlackDog Project = Echo Identity Systems</title><content type='html'>I had &lt;a href="http://identitystuff.blogspot.com/2006/09/my-new-toy-black-dog.html"&gt;posted last year &lt;/a&gt;that I had bought a BlackDog as my latest and greatest toy, which was a linux box with a biometric scanner built in that plugs into a USB port on your notebook and uses the computer display and keyboard and USB power. 
I still don't have any idea what to do with it, but someone figured out how to use it for an Identity Application - &lt;a href="http://www.echoidentity.com/"&gt;Echo Identity Systems &lt;/a&gt;in Salt Lake.&lt;br /&gt;&lt;br /&gt;There is no news and it looks like they bought the assets of Project Black Dog and turned it into an identity play by using the Linux server as an identity server, and the built in biometrics as one of the factors for authentication. These guys may be fun to watch...&lt;br /&gt;&lt;br /&gt;From their page:&lt;br /&gt;&lt;br /&gt;The Echo iD3 Ultra-Mobile Server is a self-contained mobile computer that contains its own processor, memory, and storage. This allows the Echo iD3 to interact with the host PC as a peer or server instead of as a peripheral. &lt;br /&gt;&lt;br /&gt;The Echo iD1200 Management Router extends data, applications, and services to enterprise end users via a secured computer like the Echo iD3, in a managed and secure fashion. Deployed at the edge of the enterprise network and easily integrated with existing IT infrastructure, the Echo iD1200 Management Router provisions applications and establishes authorization for Echo iD3 users. &lt;br /&gt;Users employ an Echo iD3 Ultra-Mobile Server connected to any computer in any location to safely access the applications, resources, and data they need.&lt;br /&gt;Administrators control thousands of iD3s from the iD1200 Management Router.&lt;br /&gt;Financial concerns are alleviated with a drop-in system that significantly reduces IT support costs.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. iD1200 Management Router. Activates Echo iD3 devices, updates software applications that run on the iD3 Ultra-Mobile Servers, and provides access to corporate applications and resources. Also instantly disables or deactivates Echo iD3 Ultra-Mobile Servers, immediately rendering them unable to access enterprise resources through the VPN tunnel.&lt;br /&gt;&lt;br /&gt;2. The Administration Console.
Used to access the iD1200 Administration web application. &lt;br /&gt;&lt;br /&gt;3. (Optional) Application Servers. The servers with enterprise applications available to which the Echo iD3 connects. These application servers can be Citrix, RDP, Web, or other types.&lt;br /&gt;&lt;br /&gt;4. (Optional) The LDAP Server. The server that provides directory services to the Echo iD1200 Management Router. &lt;br /&gt;&lt;br /&gt;5. The Host Computer. Provides keyboard, mouse, monitor, and Internet connection for the connected iD3.&lt;br /&gt;&lt;br /&gt;Together, the Echo iD3 Ultra-Mobile Server and the Echo iD1200 Management Router address what is likely the single biggest security issue facing enterprises today -- the use of unidirectional trust models. Users no longer have to navigate multiple layers of security, presenting credentials at each level. They are also completely confident they are accessing the proper enterprise resources. Administrators are likewise confident that only authenticated users can access backend resources. This bidirectional trust model is in place even while using untrusted resources such as PCs, even those compromised with malware. &lt;br /&gt;&lt;br /&gt;Typical Use&lt;br /&gt;&lt;br /&gt;1. The user connects the iD3 to the USB port of a host PC and authenticates on the iD3 using the built-in biometric scanner. When connected to the host PC, the iD3 uses the host's keyboard, mouse, monitor, and Internet connection to provide a familiar and rich user interface.&lt;br /&gt;&lt;br /&gt;2. The iD3 and iD1200 work together to automatically establish a VPN connection, providing a secure, encrypted data tunnel.&lt;br /&gt;&lt;br /&gt;3. While connected to the host PC, the iD3 user accesses all their applications, resources, and data - both local and remote. Access to these applications, resources, and data is controlled by the profile established on the iD1200 for the user. 
To help ensure security and maintain the integrity of the iD3 Ultra-Mobile Server and its association with the enterprise network, the iD3 user cannot download applications, files, or malware, even by accident.&lt;br /&gt;&lt;br /&gt;4. As necessary, administrators automatically update iD3 applications and configurations and can instantly change or deny access to any or all enterprise resources.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6119347226591449345?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6119347226591449345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6119347226591449345&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6119347226591449345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6119347226591449345'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/06/blackdog-project-echo-identity-systems.html' title='BlackDog Project = Echo Identity Systems'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-7115040297038287512</id><published>2007-06-05T15:53:00.000-04:00</published><updated>2007-06-05T16:01:25.738-04:00</updated><title type='text'>SafeTspace - Variation on a Theme</title><content type='html'>I got a notice in my Google Alerts today about this company, SafeTspace, that was an offshoot for &lt;a href="http://identitystuff.blogspot.com/2005/08/federated-reserve.html"&gt;a post I did a while ago&lt;/a&gt;- back in August of 2005 actually - where I talked about this very kind of model. 
Don't worry SafeTSpace, I'm not going to go &lt;a href="http://identitystuff.blogspot.com/2007/02/hey-look-this-guy-created-identity.html"&gt;all William Reid on your ass&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It does however validate a theory, and one that I saw coming with HSPD-12 which is - there is no better way to manage identity than to have a human involved at some level. &lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;br /&gt;aka Mark Mac Auley&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-7115040297038287512?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/7115040297038287512/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=7115040297038287512&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7115040297038287512'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/7115040297038287512'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/06/safetspace-variation-on-theme.html' title='SafeTspace - Variation on a Theme'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3064512346199623786</id><published>2007-05-30T20:19:00.000-04:00</published><updated>2007-05-30T20:27:54.198-04:00</updated><title type='text'>Identity(ie) Fair(e)</title><content type='html'>I just saw &lt;a href="http://www.networkworld.com/newsletters/dir/2007/0528id2.html"&gt;Dave Kearns' post &lt;/a&gt;about pulling together an Identity Fair of sorts and I think it's a great idea.&lt;br /&gt;&lt;br /&gt;The biggest issue (as it usually is) is to find the funding. Keeping it vendor agnostic without tapping into marketing budgets of vendors would be difficult.
Could we pool all of our Starwood points to get some space someplace like Phoenix in August, or Portland Maine in January?&lt;br /&gt;&lt;br /&gt;A steering committee should be assembled to investigate. Maybe a university to secure space given that this could be the academic Mindmeld of Identity, or the Identity Stew.&lt;br /&gt;&lt;br /&gt;It bears further investigation... And a solid sponsorship model. I'd throw some points at it...&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3064512346199623786/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3064512346199623786&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3064512346199623786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3064512346199623786'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/identityie-faire.html' title='Identity(ie) Fair(e)'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6903162869813714711</id><published>2007-05-30T20:08:00.000-04:00</published><updated>2007-06-05T15:53:34.809-04:00</updated><title type='text'>Shouts out to my IdM crew</title><content type='html'>It's been a while since I have blogged about my discussions with other folks and I wanted to give a shout out to and a note of thanks to a few folks who I have dined with and talked to from the far reaches of the identity sphere:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.oracle.com/talkingidentity/"&gt;Nishant Kaushik&lt;/a&gt; at Oracle. 
Lunch at Olives was fantastic; the food rivaled the discussion.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sailpoint.com"&gt;Mark McClain at Sailpoint&lt;/a&gt; - I think you have something special going on there.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.plantiga.com"&gt;Quin Sandler&lt;/a&gt; - Interesting addition to the vectors of Identity, our conversation got me thinking.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jacksonshaw.blogspot.com/"&gt;Jackson Shaw&lt;/a&gt; - I hope we get to meet and share a fantastic meal somewhere.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://h20325.www2.hp.com/blogs/mcm"&gt;Marco&lt;/a&gt; at HP - Keep on researching, it helps us all&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.sun.com/identity/"&gt;Mark Dixon &lt;/a&gt;- always a pleasure to exchange thoughts with you&lt;br /&gt;&lt;br /&gt;and Ian Glazer at &lt;a href="http://www.approva.net"&gt;Approva&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This space has good people in it and I'm happy being a minuscule part of it...&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6903162869813714711/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6903162869813714711&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6903162869813714711'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6903162869813714711'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/shouts-out-to-my-idm-crew.html' title='Shouts out to my IdM crew'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8578501435183543988</id><published>2007-05-30T20:03:00.000-04:00</published><updated>2007-05-30T20:08:09.236-04:00</updated><title type='text'>But I'm Entitled to my Entitlements</title><content type='html'>I was reading an &lt;a href="http://www.infoworld.com/article/07/05/29/moes-securent_1.html"&gt;article in InfoWorld about Securent &lt;/a&gt;and their ability to manage entitlements and my first reaction was – isn’t that what identity management is designed to do – govern and audit access to applications?&lt;br /&gt;&lt;br /&gt;It also got me thinking about the power of &lt;a href="http://www.trustednetworktech.com"&gt;Trusted Network Technologies' &lt;/a&gt;solution and some research being done by &lt;a href="http://www.hp.com"&gt;HP&lt;/a&gt; in the 
UK around network layer identity and access control and the value of machine identity in the AMIMA space (Access Management Identity Management Applications - it's my acronym).&lt;br /&gt;&lt;br /&gt;I will say up front that I have never worked with &lt;a href="http://www.securent.com"&gt;Securent’s &lt;/a&gt;product so I am not going to go down that road but stay at 10,000 feet for now. The way the article reads, Securent has laid claim to adding to the SSO functionality and bridging into access management and entitling (enabling) access to applications. It makes me wonder – is Securent saying that other IDM solutions are great for managing the workflow of onboarding but little else, and that SSO is where the rubber meets the road?&lt;br /&gt;&lt;br /&gt;Back in the old days, IDM was designed to manage this process and access issue and its popularity swelled, and I saw more projects get wrapped around the axle with entitlements. In my experience, entitlements are phase two of an IdM initiative; the first step is getting the process right. If you nail your process, the technology matters much less.&lt;br /&gt;&lt;br /&gt;When I joined TNT a few years ago (I have since &lt;a href="http://www.navisite.com"&gt;moved on&lt;/a&gt;) I saw something completely unique, and their patents guarantee that they will be unique for the foreseeable future. In essence it adds identity to the network layer, which usurps all of the application layer issues that people seem to run into. 
It combines access control with identity management of people, and adds another variable (factor) of access control by binding a unique machine ID created from a unique hash of serial numbers (not MAC addresses), so you are your machine.&lt;br /&gt;&lt;br /&gt;The management of a powerful system like this means that you have tamed the identity beast in many respects by having users and machines as the variables that govern access down to the port level and control any and all connections to ANY application or server up the stack. You log in once from your machine and your access to and visibility of the applications and infrastructure are handled in the network – where most hacking starts and where risk is often overlooked.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://h20325.www2.hp.com/blogs/mcm"&gt;HP research &lt;/a&gt;is looking at the notion of machine identity; however, to do it right and not get stuck in the wrong layer, it has to occur in the network, since connections to any server or application start in the network layer.&lt;br /&gt;&lt;br /&gt;The dependency in this model? A clean, or clean enough, directory to use as the jumping-off point. Until the authoritative source(s) are clean and managed well, the AMIMA dog won’t hunt.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8578501435183543988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8578501435183543988&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8578501435183543988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8578501435183543988'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/but-im-entitled-to-my-entitlements.html' title='But I&apos;m Entitled to my Entitlements'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-237585427730666530</id><published>2007-05-22T15:46:00.000-04:00</published><updated>2007-05-22T15:52:18.800-04:00</updated><title type='text'>TJX - Where it all started...</title><content type='html'>I was catching up on my reading and came across an article at SC Magazine by Dan Kaplan about where the TJX breach all started... Wain Kellum, CEO at my former employer &lt;a href="http://www.trustednetworktech.com"&gt;Trusted Network Technologies&lt;/a&gt;, was quoted. 
If you're looking to prevent this, take a look at &lt;a href="http://www.wifi-owl.com/"&gt;Wi-fi Owl&lt;/a&gt;; it is designed to catch this type of thing before you make the papers.&lt;br /&gt;&lt;br /&gt;You can get what sounds like the antenna they used at &lt;a href="http://www.cantenna.com/"&gt;Cantenna.com &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#000000;"&gt;Dan Kaplan May 4 2007 17:00&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The suspects who lifted the personal data of 45.7 million customers from TJX's processing systems hatched their elaborate plan some two years ago at a Marshalls outlet in Minnesota, where they used simple technology to tap into the store's wireless connection, The Wall Street Journal reported today.&lt;br /&gt;&lt;br /&gt;According to the story, citing investigators, the intruders, from the parking lot, used a "telescope-shaped antenna" and a laptop to decode data that was moving among the Marshalls store’s scanning devices, cash registers and PCs, which were using wireless LAN connectivity.&lt;br /&gt;&lt;br /&gt;What the intruders either learned or physically planted that day helped them later &lt;a href="http://scmagazine.com/us/news/article/647277/457-million-victim-tjx-companies-breach-lead-federal-notification-law/"&gt;hack into TJX’s main database&lt;/a&gt;, where they quietly pilfered data for two years and ended up executing the largest &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=data+breach&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;data breach&lt;/a&gt; in the nation’s history.&lt;br /&gt;&lt;br /&gt;Investigators told the newspaper that the St. Paul, Minn. 
Marshalls location was running a wireless network protected by the weak &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Wired+Equivalent+Privacy&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Wired Equivalent Privacy&lt;/a&gt; (WEP) industry standards, which have since been superseded by the more robust &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Wi-Fi+Protected+Access+&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Wi-Fi Protected Access&lt;/a&gt; (WPA) guidelines.&lt;br /&gt;&lt;br /&gt;TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.&lt;br /&gt;&lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Gartner&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Gartner&lt;/a&gt; Vice President and Senior Fellow John Pescatore told SCMagazine.com today that the replacement standards - required under the &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Payment+Card+Industry&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Payment Card Industry&lt;/a&gt; mandates - are much more secure than WEP, which was "riddled with holes," he said.&lt;br /&gt;&lt;br /&gt;"The &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=encryption&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;encryption&lt;/a&gt; to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than (no security at all). 
This is something I would have thought an audit would've caught."&lt;br /&gt;&lt;br /&gt;According to the newspaper, the hackers used an antenna, a common tool used to retrieve a wireless signal from a distance, Pescatore said.&lt;br /&gt;&lt;br /&gt;He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Windows+XP&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Windows XP&lt;/a&gt; and it tells you what access points it can hear. It doesn't take any special equipment."&lt;br /&gt;The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.&lt;br /&gt;&lt;br /&gt;"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. 
"You're on their network."&lt;br /&gt;&lt;br /&gt;The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Trusted+Network+Technologies&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Trusted Network Technologies&lt;/a&gt;, told SCMagazine.com today.&lt;br /&gt;&lt;br /&gt;He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.&lt;br /&gt;"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.&lt;br /&gt;&lt;br /&gt;A TJX spokeswoman could not be reached for comment today.&lt;br /&gt;&lt;br /&gt;Since the breach, the &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=Federal+Trade+Commission+&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;Federal Trade Commission&lt;/a&gt; has launched &lt;a href="http://scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&amp;cx=013960771559195911098%3Arrfphnimnm4&amp;amp;q=FTC+and+TJX&amp;sa=Search&amp;amp;cof=FORID%3A11"&gt;an investigation&lt;/a&gt;, and three New England banking associations &lt;a href="http://scmagazine.com/us/news/article/653034/banks-file-suit-against-tjx-breach-costs"&gt;filed a lawsuit&lt;/a&gt; seeking to recoup costs associated with fraudulent purchases.&lt;br /&gt;&lt;br /&gt;However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/237585427730666530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=237585427730666530&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/237585427730666530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/237585427730666530'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/tjx-where-it-all-started.html' title='TJX - Where it all started...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2564311277466131121</id><published>2007-05-15T08:34:00.000-04:00</published><updated>2007-05-15T08:42:21.773-04:00</updated><title type='text'>Compliance as a driver for LBO's and going private</title><content type='html'>I was at another of my favorite haunts in Manhattan last night - St. Andrews Restaurant, eating my haggis (yes, really), and wound up chatting with a guy and his wife for a couple of hours. He works for HSBC and they just moved here from London. With the news about Daimler selling to Cerberus, I asked him about the driving factors for companies going private. 
One of the first things he said was - compliance costs.&lt;br /&gt;&lt;br /&gt;In the Identity world I couldn't help but wonder if companies are questioning whether it is really worth what we spend, since there are no definitive answers about what is right and what is not. Based on my observations from the trenches, so long as companies are working on compliance, aka have a budget and consultants helping them, then they are ok, at least with Sarbanes-Oxley. I ask - to what end?&lt;br /&gt;&lt;br /&gt;It is like owning a boat - it's a big hole in the water you throw lots of money into. Compliance is the new QE 2 in this metaphor.&lt;br /&gt;&lt;br /&gt;If anyone out there has any additional insight as to whether or not our discussion has any merit, please let me know. It seems some companies would rather put the compliance dollars into running a tighter ship their way, not by loosely defined laws cooked up by legislators.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2564311277466131121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2564311277466131121&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2564311277466131121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2564311277466131121'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/compliance-as-driver-for-lbos-and-going.html' title='Compliance as a driver for LBO&apos;s and going private'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8373614067191875145</id><published>2007-05-15T08:28:00.000-04:00</published><updated>2007-05-15T08:34:28.812-04:00</updated><title type='text'>The end of an era...</title><content type='html'>One of my favorite restaurants in North America has closed - Ollies Noodle Shop - in Manhattan.&lt;br /&gt;&lt;br /&gt;I went there for lunch yesterday, braving the tourists in Times Square, only to find a demolition company's truck parked out front and dusty windows telling me they had moved. 
I felt like Ralph Wiggum after Lisa Simpson told him she didn't like him and Bart caught the exact moment his heart broke on film...&lt;br /&gt;&lt;br /&gt;I trudged another 6 or 7 blocks to their new location and it was not Ollies, in any way, shape or form. They tried to go upscale, and cut 3/4 of their menu items - of course the only two dishes I have ever eaten there - and it wasn't that good at all.&lt;br /&gt;&lt;br /&gt;I rolled back to my hotel several blocks north lamenting the end of an era. Bummer.&lt;br /&gt;&lt;br /&gt;If anyone has any favorite picks for great Chinese in Midtown, send them over...&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8373614067191875145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8373614067191875145&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8373614067191875145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8373614067191875145'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/end-of-era.html' title='The end of an era...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8683882855974806186</id><published>2007-05-14T06:36:00.000-04:00</published><updated>2007-05-14T06:42:27.455-04:00</updated><title type='text'>Too good to be true?</title><content type='html'>A buddy of mine told me about this site and so I had to check it out. It is a site devoted to a free 60-day Proof of Concept for Single Sign On (SSO); there are other options for IAM Pilots, licenses, etc. Turns out Grady used to work for me in a previous life so I will tell you that this offer is NOT too good to be true. Grady is a stand-up guy.&lt;br /&gt;&lt;br /&gt;Long story short here folks - Worth looking into if you are trying to get a project funded. 
I have yet to see something like this that is a low risk way of helping to decide if you should invest a bunch of time or money into a project.&lt;br /&gt;&lt;br /&gt;I'm in Manhattan this week, so if there is anyone in the blogosphere who wants to talk shop, reach out and let's get caffeinated...&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8683882855974806186/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8683882855974806186&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8683882855974806186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8683882855974806186'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/too-good-to-be-true.html' title='Too good to be true?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6859934211410229132</id><published>2007-05-11T13:36:00.000-04:00</published><updated>2007-05-11T13:56:01.378-04:00</updated><title type='text'>It's all about the (business) process folks...</title><content type='html'>I cannot and will not ever say this enough. If you want a copy of my &lt;a href="http://identityplaybook.blogspot.com/"&gt;identity playbook &lt;/a&gt;so at least you understand this, let me know.&lt;br /&gt;&lt;br /&gt;I spoke to a non-US Government Agency yesterday about their Identity Management initiative. Turns out they are hung up on an architecture. Why? Because there is no identifiable (or identified) business process for them to build for. 
The business users are saying - 'Just buy a tool and it'll take care of it, that's what their workflows are for'. Those of us who do this for a living are probably smirking or laughing out loud at the comment. Typical, but one of the leading causes of unsuccessful projects.&lt;br /&gt;&lt;br /&gt;- Roles don't matter in the absence of a process&lt;br /&gt;- Entitlements don't matter in the absence of process&lt;br /&gt;- Ultimate success depends explicitly on process&lt;br /&gt;&lt;br /&gt;When I say process - this is what I mean:&lt;br /&gt;&lt;br /&gt;When a process is defined from the onboarding of an employee, certain simple truths and processes are born. Identities are created, HR data is populated, and provisioning happens. The simple truth is that there are components of that Identity (email address and phone number for example) that everyone has. Period. So at the macro level the process is: when a user is created, they get an email address and a phone number. It is the blood type and sex at birth (as a metaphor).&lt;br /&gt;&lt;br /&gt;What this baby will grow into is a process, whether we're talking human or IdM, which is why process is so important. Looking at the simple process and simple truths of WHERE YOU WANT TO BE/GET TO is paramount.&lt;br /&gt;&lt;br /&gt;I will meet with these folks on my next trip in country and see if I can help, even if it's to explain to the business folks that them saying 'Just buy the tool' is the wrong way to figure out a process.&lt;br /&gt;&lt;br /&gt;In fact I may have to go to &lt;a href="http://www.homedepot.com"&gt;Home Depot &lt;/a&gt;and get a tool, any tool, and walk it and say 'that'll fix your IdM problem' to drive the point home...&lt;div class="blogger-post-footer"&gt;
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6859934211410229132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6859934211410229132&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6859934211410229132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6859934211410229132'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/its-all-about-business-process-folks.html' title='It&apos;s all about the (business) process folks...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3571756477321241132</id><published>2007-05-08T10:12:00.000-04:00</published><updated>2007-05-08T10:17:05.995-04:00</updated><title type='text'>Social Engineering for Seniors' ID Theft</title><content type='html'>I laughed out loud to the point of a coughing fit when I saw this story on &lt;a href="http://www.foxnews.com/story/0,2933,270600,00.html"&gt;Fox News&lt;/a&gt;. Definitely low tech identity theft. And here I would have thought going through her purse was pretty easy. Seriously though, did they get the one smoking the crack correct?&lt;br /&gt;&lt;br /&gt;NEW PORT RICHEY, Fla. 
—  A woman forced an 83-year-old housemate to smoke crack cocaine so she could steal personal information to get a credit card and run up more than $3,000 in charges, authorities said.&lt;br /&gt;Pasco County sheriff's investigators accused Theresa M. Stanley-Morgan, 41, of getting the older woman to smoke the drug at least twice to make it easier to exploit her financially.&lt;br /&gt;&lt;br /&gt;Stanley-Morgan was arrested April 28. She admitted to investigators that she used Shirley Hathaway's name, birth date and Social Security number to open the account, a sheriff's report said.&lt;br /&gt;&lt;br /&gt;Hathaway and a witness told investigators that Stanley-Morgan forced Hathaway to smoke a lit crack pipe, the report said.&lt;br /&gt;&lt;br /&gt;Stanley-Morgan was in jail Monday on $23,000 bail, charged with criminal use of personal identification, use of another person's ID without permission and retail theft, according to jail records. Records did not indicate if she had a lawyer.&lt;br /&gt;&lt;br /&gt;The sheriff's office said more charges were pending and asked the court not to reduce her bail.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3571756477321241132?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3571756477321241132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3571756477321241132&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3571756477321241132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3571756477321241132'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/social-engineering-for-seniors-id-theft.html' title='Social Engineering for Seniors&apos; ID Theft'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1897708824208313192</id><published>2007-05-04T09:28:00.000-04:00</published><updated>2007-05-04T09:52:52.645-04:00</updated><title type='text'>Getting the cart back behind the horse</title><content type='html'>I had several fantastic discussions with some old and new friends in the identity space yesterday, to discuss some exciting new approaches out there, and also to see how things were going in the trenches. The common theme was that people are getting the cart back behind the horse.&lt;br /&gt;&lt;br /&gt;One of my first calls was with a fellow Red Sox fan and IdM project leader at a large beverage company who was a year into an implementation. 
The feedback we exchanged was that things were going very well now, especially since the client understood what they bought, why they bought it and why things needed to happen in a certain way and in certain phases. There were also very defined criteria for each phase that ensured the next phase would not be started without a hood check on the phase that was wrapping up and sign off that the criteria had been met, that they were as correct at the end of the phase as when it was started, and whether anything needed to be accounted for or changed in the criteria going forward.&lt;br /&gt;&lt;br /&gt;This spoke to my long held belief that where you want to end up is FAR more important than where you start. Adding checks and balances keeps things transparent and prevents politics or gee whiz ideas from polluting the project in each phase. The cart is behind the horse, and focusing on the process has yielded measurable success. Glad to hear it.&lt;br /&gt;&lt;br /&gt;One of my other conversations later in the day was with &lt;a href="http://www.sailpoint.com"&gt;Sailpoint's CEO Mark McClain&lt;/a&gt;. While we had never met until yesterday, we knew a lot of the same folks in the business and it was another great discussion and fun to remember when provisioning was something you did to prepare a boat for a weekend trip.&lt;br /&gt;&lt;br /&gt;The take away I had from the discussion was that Sailpoint was addressing a very key issue in the IdM world in my sole opinion, which was tying the metrics of a project to business process, and providing metrics at the outset and during the entire business operation of mitigating risk and determining where a company needs to focus and why. 
In essence I see their solution as the check and balance for the business folks in an organization to understand - through ongoing measurement of technology and process - what was yielding the desired successes and why, and ultimately how big their bonus might be by turning data into information that will drive the right process for project execution and ultimately reduced risk for an organization.&lt;br /&gt;&lt;br /&gt;I also spoke to the founder of a company still in stealth mode that is putting the polish on their organization. I chair their Strategic Advisory Board, and some exciting - and common sense - approaches are afoot with these folks to extract all of the value of the Right Process.  I will be blogging more about this when they launch.&lt;br /&gt;&lt;br /&gt;Have a great weekend, and it is amazing to see the Boston Red Sox leading the AL East, crushing the Yankees out of the gate, and Beckett pitching like we know he can. The Curse does indeed feel reversed at this point in the season...&lt;br /&gt;&lt;br /&gt;identitystuff @gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1897708824208313192?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1897708824208313192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1897708824208313192&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1897708824208313192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1897708824208313192'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/05/getting-cart-back-behind-horse.html' title='Getting the cart back behind the horse'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-658507506360486948</id><published>2007-04-26T15:35:00.000-04:00</published><updated>2007-04-26T15:42:23.797-04:00</updated><title type='text'>Thanks to Dave Kearns...</title><content type='html'>I was dubbed 'super salesman' by &lt;a href="http://www.networkworld.com/newsletters/dir/2007/0423id2.html?page=1"&gt;Dave Kearns in his recent blog&lt;/a&gt;, and I do appreciate the title. Especially given the reputation of the person bestowing it. 
Dave is smarter, better looking, and I hold him in the highest levels of respect.&lt;br /&gt;&lt;br /&gt;I try my best to talk of reality from experience vs. just selling stuff and place a high value on asking the right questions, listening, and having the stones to tell people when they are about to replicate any past fiasco I may have lived through to tell about, and why they shouldn't go down that path. Most take it with a grain of salt and a cup of vinegar...&lt;br /&gt;&lt;br /&gt;Thanks again Dave!&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-658507506360486948?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/658507506360486948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=658507506360486948&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/658507506360486948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/658507506360486948'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/thanks-to-dave-kearns.html' title='Thanks to Dave Kearns...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8961210226044978153</id><published>2007-04-19T08:44:00.000-04:00</published><updated>2007-04-19T08:51:58.647-04:00</updated><title type='text'>Who knew it was this easy?</title><content type='html'>A Babe and a Hershey Bar and the World is Yours...&lt;br /&gt;&lt;br /&gt;Two thirds of workers reveal passwords for chocolate and a pretty smile&lt;br /&gt;&lt;br /&gt;17/04/2007 A survey by Infosecurity Europe of 300 office workers and IT professionals has found that 64% were prepared to give their passwords in exchange for a bar of chocolate and a smile.&lt;br /&gt;&lt;br /&gt;The survey also found that 67% thought that someone else in their organisation knew their CEO’s password with the most likely candidate being the secretary or PA. 
The survey was carried out to find out how easy it was to extract people's work passwords using social engineering techniques with literally just the offer of a chocolate bar for taking part in a survey.&lt;br /&gt;&lt;br /&gt;The survey was carried out amongst commuters in London Stations and also at an IT exhibition full of computer professionals just to see how much more security savvy they were compared with the average worker. The survey found that it took a little more probing and a bit more coercion than the average office worker, but even the IT professional eventually succumbed to the questions of the attractive researcher who still managed to extract their passwords in exchange for a smile and a chocolate bar!&lt;br /&gt;&lt;br /&gt;The researchers asked the delegates if they knew what the most common password is and then asked them what their password was. Only 22% of IT professionals revealed their password at this point compared to 40% of commuters. If at first they refused to give their password, the researchers would then ask if it was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of their child or team. By using this technique, a further 42% of IT professionals and 22% of commuters then inadvertently revealed their password. This then took the total number of people who revealed their password to 64% overall for both groups.&lt;br /&gt;&lt;br /&gt;What many of the IT professionals failed to realise is that the researchers, who conducted the survey at the IT exhibition, had also read their names and organisation from their delegate badge as well! The survey found that 20% of organisations no longer use passwords, with 5% using biometric technology and tokens for identity and access management and a further 15% using tokens. 
The average number of passwords used at work was 5 per person, with some using as many as 20.&lt;br /&gt;&lt;br /&gt;The frequency of changing passwords was 71% monthly, 10% rarely and 20% never as they used biometrics and tokens instead. Some of the IT professionals said that the real issue was not user passwords but the passwords on servers or buried in applications which were never changed as the consequence of changing them on the overall company IT system was unknown and there was a fear that if they were changed a critical part of the system could crash. Some other IT experts said that they often come across servers on which the administrator password was left blank.&lt;br /&gt;&lt;br /&gt;When asked if they knew any of their colleagues' passwords, 29% admitted that they did. A person should never need to give their password to someone claiming to be from the IT department but 39% said that they would give their password to someone who called them from the IT department. They would not be quite so trusting if asked by their boss as only 32% said they would be prepared to give their password if asked.&lt;br /&gt;&lt;br /&gt;When asked about confidential information two thirds said that they would look at a file containing everyone’s salary details if they were sent it by mistake and 20% said they would pass it on to colleagues. A third said that they would keep it confidential, with many of them also saying that their IT systems tracked everything they looked at and if they passed this type of information on to anyone it would mean instant dismissal. When asked if they would take any contacts or competitive information with them when they left their jobs, 58% said that they would.&lt;br /&gt;&lt;br /&gt;One senior sales manager said, “I left my job last week and took my whole pipeline with me.” Just under half of people used the same password they used for their corporate access for all their personal web accounts such as online banking, retailing, and email. 
When asked if they felt safe using online banking half said that they did but only a fifth said they felt safe using online retailing but this figure rose to 52% if the retail site was a well known reputable one.&lt;br /&gt;&lt;br /&gt;Sam Jeffers, Event Manager for Infosecurity Europe 2007 the number one event dedicated to information security which takes place at Olympia, London from 24th to 26th April 2007 said, “This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security. What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk.&lt;br /&gt;&lt;br /&gt;It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network.&lt;br /&gt;&lt;br /&gt;The free education programme at Infosecurity Europe covers all the key issues of keeping information secure and there is a keynote dedicated to Identity Management”. At Infosecurity Europe 2007 Lord Erroll will lead a panel debate on Identity Management examining how to pick the right tools for the job. 
The panellists will include Toby Stevens, Vice Chairman, BCS Security Forum, Andy Kellett, Senior Research Analyst, Butler Group and Maury Shenk, Partner, Steptoe and Johnson LLP and Head of European Legal Programme SANS.&lt;br /&gt;&lt;br /&gt;The keynote, which is free to attend for Infosecurity Europe visitors, takes place at 3:15 pm on Tuesday 24th April 2007. Andy Kellett, Senior Research Analyst, Butler Group commented on the issue of Identity and Access Management (IandAM) “Today, if there is one justified criticism of the IandAM sector, it is that the complete service-delivery model is too complex for most organisations to handle from a standing start. End-to-end projects that have been put forward to deal with all IandAM control issues have often proved to be unrealistic, and indeed, for some, far too difficult to achieve.&lt;br /&gt;&lt;br /&gt;Whereas organisations that have taken a more structured and prioritised approach to the IandAM service delivery model, have and do achieve better results in the long run.” Infosecurity Europe is the number one event dedicated to information security. With over 300 exhibitors, the event is the most comprehensive showcase for the most diverse range of new and innovative products and services from the World’s top information security experts and vendors. The event enables security professionals and business managers to establish a commercial justification for information security, refine their security policies and select the most appropriate solutions to support their security strategy in order to safeguard their company’s reputation and assets.&lt;br /&gt;&lt;br /&gt;Over 11,000 visitors are expected to attend this year’s event with many travelling from overseas to participate in the FREE education programme that addresses both strategic and technical issues drawing on the skills and experience of senior end users, technical experts and real world case studies. 
Infosecurity Europe takes place at the Grand Hall, Olympia, London from 24th to 26th April 2007.&lt;br /&gt;&lt;br /&gt;&lt;a class="body" href="http://www.infosec.co.uk/" target="_blank"&gt;www.infosec.co.uk&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8961210226044978153?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8961210226044978153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8961210226044978153&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8961210226044978153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8961210226044978153'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/who-knew-it-was-this-easy.html' title='Who knew it was this easy?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1518566765050159936</id><published>2007-04-17T10:37:00.000-04:00</published><updated>2007-04-17T10:51:44.949-04:00</updated><title type='text'>Disaster (Recovery) on my mind...</title><content type='html'>Given the weather we've had in the Northeast the past few days, I think the issue of Disaster Recovery (DR) is on more minds than a few weeks ago. It also got me thinking as to why DR and Identity Management are linked.&lt;br /&gt;&lt;br /&gt;Specifically, governing access to the DR site, data, and infrastructure to be able to recover whatever was lost or went down. Granted the time frames are short, but a few hours to an insider is all that is needed to create some back doors in all of the mayhem and leave things exposed with little or no audit trail. 
I equate it to remembering to grab the last several years of tax returns on your way out of your house that is engulfed in flames or a tidal surge. Stuff happens and in the midst of the stress of survival (personal or business) we focus on the most important things and we don't sweat the little stuff (and by the way it's all little stuff).&lt;br /&gt;&lt;br /&gt;So having identity based access controls in place long before a disaster happens is key because:&lt;br /&gt;&lt;br /&gt;1. The controls are in place long before they need to be&lt;br /&gt;2. You don't need to think through the process (technical and business) while things are going wrong and the world is screaming at you for everything STAT from email to pictures of the CxO's vacation&lt;br /&gt;3. You are certain that only those people AND machines who should have access will have access and there is an audit trail to capture all activity&lt;br /&gt;&lt;br /&gt;Long story short, get a solid DR provider, implement an Identity Based Access Control solution as part of the environment, and if you're going to nickel and dime on the cost, take the budget and use it for job placement services for you and your team. We all know there is never money to fund a 'what if', but we all find money when the doo doo hits the fan.&lt;br /&gt;&lt;br /&gt;It's a lot better to have access to an entire hospital after an unplanned loss of limb than to realize you only have band aids to stop the bleeding.&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1518566765050159936?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1518566765050159936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1518566765050159936&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1518566765050159936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1518566765050159936'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/disaster-recovery-on-my-mind.html' title='Disaster (Recovery) on my mind...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4674324757648418538</id><published>2007-04-16T15:16:00.000-04:00</published><updated>2007-04-16T15:23:33.256-04:00</updated><title type='text'>Is the Sun Setting on IdM</title><content type='html'>I got a call from an old friend in India today and we were talking about the state of IdM on a global scale and since he travels every week around the APAC region, I wanted to see what his candid feedback was. In short:&lt;br /&gt;&lt;br /&gt;'Sun is on its way out in over 12 accounts that I know of, being replaced by IBM and Oracle. 
Their projects are really going horribly.'&lt;br /&gt;&lt;br /&gt;I asked him why and he replied:&lt;br /&gt;&lt;br /&gt;'Because everyone looks at IdM as a technology project, not a business project and people just want to hook up connectors and think they're done'.&lt;br /&gt;&lt;br /&gt;This confirms my position of 2 years that I learned with working on several projects at GE a few years ago - if you focus on the process you want and use the technology to enable that process, you'll do very well. Treat IdM like rolling out a new piece of technology and you would be better off donating the millions to charity.&lt;br /&gt;&lt;br /&gt;I am sorry to hear that Sun is sucking wind right now. I always thought it was a decent product. I do not think it was sold correctly most of the time, and it took me 7 projects to figure out the right way to implement it, but I got there.&lt;br /&gt;&lt;br /&gt;identitystuff@ gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4674324757648418538?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4674324757648418538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4674324757648418538&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4674324757648418538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4674324757648418538'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/is-sun-setting-on-idm.html' title='Is the Sun Setting on IdM'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6440382904594389404</id><published>2007-04-11T14:08:00.000-04:00</published><updated>2007-04-11T14:10:42.985-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management'/><category scheme='http://www.blogger.com/atom/ns#' term='SMB'/><title type='text'>SMB is in the air…</title><content type='html'>I had dinner last night with the CEO of a company I sit on the advisory board for and we were discussing Identity for the SMB space. Then I wake up this morning, and happen upon &lt;a href="http://blogs.oracle.com/talkingidentity/2007/04/09"&gt;Nishant’s blog &lt;/a&gt;(he’s a smart guy at Oracle) who was blogging about… Identity for the SMB space. 
Long story short, it is what I have been thinking about the past couple of weeks, and I thought I would share my experience in the SMB space and where I think software vendors could do well…&lt;br /&gt;&lt;br /&gt;I view the SMB space as companies with &lt;$1B in revenue, with a few hundred to several thousand employees. These companies want what the Fortune 10 want, without the price tag and without the associated overhead of Day 2 issues – Training, support, and management of infrastructure and applications. They also want most of the configuration and/or customization to be baked into the offering.&lt;br /&gt;&lt;br /&gt;Nishant solicited some feedback, so I’ll put it up here and send it to him in an email:&lt;br /&gt;&lt;br /&gt;Where I think companies will be successful in rolling out identity management solutions will be related to how many best practices are baked into the offering. I also strongly believe that mid-market companies will want to eat the identity elephant in bites, that is to say to roll things out in phases for a fixed cost. They will also likely want to host some or all of their identity/access management solutions with a hosting company such as NaviSite, who can offer the infrastructure (ping, power, pipe) as well as the expertise to manage a deployment and in many cases provide the implementation services as well. 
They will also want to outsource the care and feeding (patches, OS, DB, capacity management, backups, etc) of their environment since they want to spend as little time as possible managing infrastructure.&lt;br /&gt;&lt;br /&gt;Where I see &lt;a href="http://www.oracle.com"&gt;Oracle&lt;/a&gt;, &lt;a href="http://www.sun.com"&gt;Sun&lt;/a&gt;, &lt;a href="http://www.ibm.com"&gt;IBM&lt;/a&gt; and others having the best reach in this market is in offering Identity solutions that are useful (processes and configuration thought out and included), managed by others (outsourced), and at a price point that is calculated per user, and spread out monthly so the infrastructure is not an asset to be depreciated, but a service that is an expense. This gives the SMB companies solid functionality, intrinsic value beyond the feature set, and a way to enable trust inside and outside their companies.&lt;br /&gt;&lt;br /&gt; identitystuff@gmail&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6440382904594389404?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6440382904594389404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6440382904594389404&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6440382904594389404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6440382904594389404'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/smb-is-in-air.html' title='SMB is in the air…'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-649255865039354622</id><published>2007-04-02T21:18:00.000-04:00</published><updated>2007-04-02T21:20:28.191-04:00</updated><title type='text'>Are you making a Cookie or a Meatloaf?</title><content type='html'>As I was driving to meet a prospective client today, a thought popped into my head about the unanticipated issues that may arise and why. And then it hit me – IdM is a chance to correct a lot of business processes that were developed by humans, and by association there are people to blame (theoretically) on why things have become so complex, and it is our job as professionals to help clean up the broken glass at the very least, or perform a process detox for our organizations. Where did the trouble start? What contributes to the confusion? 
In the words of the Talking Heads – How did I get here?&lt;br /&gt;&lt;br /&gt;So I have blogged about roles, I have blogged about products, and I have blogged about process, I have put my old high level playbook out there, and I have blogged about other identity related drivel and I never stopped to think about how people may have come to the point that they stumble across my blog and start asking questions about identity management. So I thought I would share a few insights:&lt;br /&gt;&lt;br /&gt;Where you are doesn’t matter.&lt;br /&gt;Where you want to get to does&lt;br /&gt;How you got to where you are doesn’t matter&lt;br /&gt;How you get to where you need to be does&lt;br /&gt;Knowing that difference is the only difference that will matter&lt;br /&gt;&lt;br /&gt;How can I say this? Having helped provision over 1M users and spending WAY too much time on the where my clients were at piece, I can say this with a lot of scars to show for it.&lt;br /&gt;&lt;br /&gt;Where was I successful? When I focused only on where my clients needed to get to and focused them and my project teams on the best way to get there.&lt;br /&gt;&lt;br /&gt;Let me put it another way – it’s the equivalent of me sitting down with a baker who has called me in to taste a cookie that tastes like crap and they can’t understand why. It’s a complex recipe, lots of ingredients that have been added over the years to make this fantastic cookie and it has crossed the chasm and has gone from cookie to meatloaf. For the record I hate meatloaf (food not the singer), love cookies.&lt;br /&gt;&lt;br /&gt;If I was after billable hours, I would review the entire recipe, examine the ingredients, check the measuring cups and spoons, etc. etc. I’m not after extraneous billable hours (or at least I shouldn’t be as a trusted advisor), so in today’s world I would ask, what kind of cookie do you want to make? 
And then we’d make it with a simpler recipe and one that wasn’t so complex that what started out a cookie has now become meatloaf.&lt;br /&gt;&lt;br /&gt;What are the flour, sugar and eggs of IdM?&lt;br /&gt;&lt;br /&gt;A single Authoritative source&lt;br /&gt;A well defined to-be process&lt;br /&gt;A team of people that may not have baked before but clearly understand what a kitchen is and know that hamburger doesn’t make a good cookie. Ever.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/649255865039354622/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=649255865039354622&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/649255865039354622'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/649255865039354622'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/04/are-you-making-cookie-or-meatloaf.html' title='Are you making a Cookie or a Meatloaf?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8320819475125293228</id><published>2007-03-30T11:52:00.000-04:00</published><updated>2007-03-30T12:15:02.565-04:00</updated><title type='text'>IdentityStuff Facts &amp; Metrics</title><content type='html'>I was recently catching up on doing some analytics on my blog and looking at visits and referrers, etc. and I thought I would share some data for those of you who emailed me asking - Who reads this stuff anyway?&lt;br /&gt;&lt;br /&gt;My privacy policy is simple - I look at high level visit data. I could care less who you are, or who you work for. I want to know if the blog is being read, and whether or not my views are adding value to our industry.
It also points to the domination of &lt;a href="http://www.google.com"&gt;Google&lt;/a&gt; for search&lt;br /&gt;&lt;br /&gt;Google.com refers 90% of the traffic&lt;br /&gt;&lt;br /&gt;There are 37-112 pageviews per day&lt;br /&gt;&lt;br /&gt;75% are returning, 25% are new on average&lt;br /&gt;&lt;br /&gt;Keywords that drive traffic - USB Hacks, Virtualization, TJX, Machine Identity in that order&lt;br /&gt;&lt;br /&gt;Visitors this week are from the US (65%), Canada (7%), UK (6%), Denmark (8%), Italy (2%), Australia (1%), France (1%). Historically over the past year, 75% of visitors are from the US&lt;br /&gt;&lt;br /&gt;Top referring sites (400 Total Sites):&lt;br /&gt;9 of the top 10 are Google (Search, Search UK, etc.)&lt;br /&gt;#7  of the top 10 is &lt;a href="http://blogs.oracle.com/identitycorner/"&gt;Oracle&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most popular time of day readers visit: 2-3PM EST /-5GMT</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8320819475125293228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8320819475125293228&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8320819475125293228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8320819475125293228'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/identitystuff-facts-metrics.html' title='IdentityStuff Facts &amp; Metrics'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3277462230484759515</id><published>2007-03-30T11:32:00.000-04:00</published><updated>2007-03-30T11:45:17.918-04:00</updated><title type='text'>The Hits Just Keep on Coming...</title><content type='html'>The data on the TJX breach keeps trickling out and this breach of 45.7M records is now the new poster child for a Big Breach.
Some things that I find interesting:&lt;br /&gt;&lt;br /&gt;- It continues to point to an inside job&lt;br /&gt;&lt;br /&gt;- They made arrests, but it's the equivalent of arresting the people who bought a pair of stolen shoes from an employee out of their trunk in the back of a Marshall's&lt;br /&gt;&lt;br /&gt;- TJX seems to follow the paradigm of the US Drug Policy by going after the small fry, or at least that is what conclusion I draw based on the information released&lt;br /&gt;&lt;br /&gt;- At 47.5M records multiplied by $182/record the costs stand (ballpark) at $4.3B a full ONE THIRD of their Market Capitalization!!!! Put that in your spreadsheet and crunch it...&lt;br /&gt;&lt;br /&gt;- I still want to know what the impact is of their financials, and whether or not because of Sarbanes-Oxley, someone may be held accountable, and how Identity Theft will factor into SOX at the end of this&lt;br /&gt;&lt;br /&gt;I will continue to harp on the importance of Machine Identity as long as the inside jobs continue to happen. If you can reduce the access not only by user but by machine, why wouldn't you do that? It is one of the easiest and cost-effective threat vector reductions an organization can deploy.&lt;br /&gt;&lt;br /&gt;Is it perfect? No, but damn it, it's the equivalent of having the DNA of the suspect(s) at the crime scene.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3277462230484759515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3277462230484759515&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3277462230484759515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3277462230484759515'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/hits-just-keep-on-coming.html' title='The Hits Just Keep on Coming...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8680609830470554311</id><published>2007-03-23T14:10:00.000-04:00</published><updated>2007-03-23T14:12:04.569-04:00</updated><title type='text'>TJX Update - reported by The Boston Globe</title><content type='html'>I wonder where this is going to lead...&lt;br /&gt;&lt;br /&gt;***&lt;br /&gt;Six people arrested in Florida this week are suspected of using credit-card data stolen from retailer &lt;a href="http://boston.stockgroup.com/sn_overview.asp?ticker=TJX"&gt;TJX Cos.&lt;/a&gt; to buy computers, televisions, and other electronics, Gainesville police said.&lt;br /&gt;The Florida Department of Law Enforcement said the six individuals apparently used stolen credit-card data to purchase large quantities of gift cards from retailers including Wal-Mart
Stores and its Sam's Club unit.&lt;br /&gt;&lt;br /&gt;They then used the gift cards to buy electronics, but store employees grew suspicious and contacted police. During the investigation, officials learned the source of the data was from a computer breach first reported by Framingham retailer TJX in December, Gainesville police said today.&lt;br /&gt;&lt;br /&gt;The losses to Wal-Mart and the banks that issued the real credit cards totaled more than $8 million. A spokeswoman for TJX, which runs more than 2,500 stores including T.J. Maxx, Marshalls, and HomeGoods, would not confirm that the data involved in the Florida case stemmed from the breach. But she said the company continues to cooperate with law-enforcement authorities.&lt;br /&gt;&lt;br /&gt;TJX believes hackers broke into the company’s computer system in 2005 and stole millions of customer credit- and debit-data and some license numbers dating back to 2003. Customers across the country have reported fraudulent use in what could be one of the biggest losses of consumer data to date. TJX faces numerous lawsuits from individuals and banks that accuse the company of failing to adequately safeguard private data and of delaying disclosure of the breach.&lt;br /&gt;(By Ross Kerber, Globe staff)</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8680609830470554311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8680609830470554311&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8680609830470554311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8680609830470554311'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/tjx-update-reported-by-boston-globe.html' title='TJX Update - reported by The Boston Globe'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6798567178945055072</id><published>2007-03-15T20:40:00.000-04:00</published><updated>2007-03-15T20:53:45.708-04:00</updated><title type='text'>Factors=Options?</title><content type='html'>I was thinking about multi factor authentication (see previous blog on the topic) and what else does adding factors to the authentication mix get us (besides closer to a DNA match of who we do business with)?&lt;br /&gt;&lt;br /&gt;It got me thinking about Federation and trying to extend a different model of authentication and access to different users, different machines, different physical access levels, different logical (network) access for a single user type in multiple environs.&lt;br /&gt;&lt;br /&gt;One thought I had was that
interchangeability of factors lets me set up zero stringent to very stringent access control policies for virtually any environ. The POA (Point of Authentication) is the gatekeeper, the devices in the network are the cops/enforcers, and whether you are a user or machine what the gatekeeper knows and shares with the cop governs where you go and what you do. There is also the O factor (Omnipotent) of full auditability so if the gatekeeper is at lunch and cop forgets TCP/IP for a second, that everything is still logged in the event things get really interesting.&lt;br /&gt;&lt;br /&gt;Business case examples:&lt;br /&gt;&lt;br /&gt;I work for the FBI. I spend time at NSA, CIA, DEA, and State Police. We all use multiple databases that share subsets of information and disinformation. I have two 'badges'. One is my badge that I wear on my beltloop with a lanyard attached that has some/all pertinent information about who I am and my clearance level. In essence where I can go in the physical world.&lt;br /&gt;&lt;br /&gt;Then I have a laptop or pda with a biometric scanner that can embed the biometric data, User ID/Password data, and a unique machine ID for my network access wherever I am.&lt;br /&gt;&lt;br /&gt;That's a lot of factors, and gives me a lot of flexibility about how I manage who gets access to what, while keeping key data sets separate (somewhat) by using card and machine.&lt;br /&gt;&lt;br /&gt;Thoughts?&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6798567178945055072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6798567178945055072&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6798567178945055072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6798567178945055072'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/factorsoptions.html' title='Factors=Options?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3492729082680614192</id><published>2007-03-09T09:05:00.000-05:00</published><updated>2007-03-09T09:09:05.589-05:00</updated><title type='text'>I smell an acquisition if it works...</title><content type='html'>I just saw this announcement from Secude &amp; Siemens and it is one of the first announcements I've seen in a while that is focused on extending Identity and Access Management for SAP.
It's no Thor/Octet String/Oracle play, but it gets SAP in the game:&lt;br /&gt;&lt;br /&gt;End to end technology partnership for identity and access management with emphasis on SAP integration&lt;br /&gt;Posted on 09 March 2007.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.secude.com/" target="_blank"&gt;SECUDE&lt;/a&gt; and Siemens have agreed to enter into a partnership which combines the partners’ know-how into a complementary and collaborative strategy.&lt;br /&gt;&lt;br /&gt;The alignment of resources creates significant benefits for both partners and presents a win-win situation for SAP and their customers. The intention is to capitalize on each other's complementary technologies and coordinate marketing and sales efforts on a global scale to service and support the market more efficiently and effectively. “The driver for this partnership is that the whole is more than the sum of its parts”, states Doris Hermann, VP and General Manager Security and Identity management, Siemens AG.&lt;br /&gt;&lt;br /&gt;Siemens has successfully marketed and sold security solutions on a global scale. These solutions include an Identity and Access Management suite based on the Siemens DirX product family providing a standard-compliant, extremely reliable, scalable and highly-performing platform as well as certified and secure smart cards solutions.&lt;br /&gt;&lt;br /&gt;SECUDE is an established leader in key and access management for over a decade with a suite of products on the same platform including Single Sign On, Key and Token Management, and managed encryption of files, folders, mail and various storage devices. SECUDE has been a strong IT-Security partner of SAP for 10 years and is a leading provider of key and access management technologies for SEAGATE encrypted disk drives.</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3492729082680614192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3492729082680614192&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3492729082680614192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3492729082680614192'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/i-smell-acquisition-if-it-works.html' title='I smell an acquisition if it works...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-5677451149971637740</id><published>2007-03-05T11:24:00.000-05:00</published><updated>2007-03-05T11:32:52.000-05:00</updated><title type='text'>Wireless Broadcast of Identity Information</title><content type='html'>I found the charger to my old handheld Marine radio this past weekend, plugged it in and charged it up. I then did some channel surfing to see what I could pick up. I was pretty astonished when I hit the police channel.&lt;br /&gt;&lt;br /&gt;I heard full names, license numbers, license plates, rap sheet info, etc.&lt;br /&gt;&lt;br /&gt;It got me thinking that what if I wanted to write down some of that information, Google some people, get additional information, would it be enough to create a new identity or steal theirs?
Which one would I choose? Surely not the one with the guy who had 3 priors for driving to endanger, working on his fourth, with no license but to a guy driving a Porsche with a clean record from CT, now that could be fun.&lt;br /&gt;&lt;br /&gt;I have several friends in Law Enforcement and I intend to ask them about this issue - are they contributing to the release and possible theft of personal information? Granted it's public information (criminal records) but is it readily available to most of us? What could be done with it? They probably have to wait until someone does something with the information to commit a crime before they act.&lt;br /&gt;&lt;br /&gt;I suspect it's a case of balancing good vs evil - so be careful where you get pulled over...&lt;br /&gt;&lt;br /&gt;Mark</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/5677451149971637740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=5677451149971637740&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5677451149971637740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/5677451149971637740'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/wireless-broadcast-of-identity.html' title='Wireless Broadcast of Identity Information'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-2004596061736826626</id><published>2007-03-02T11:09:00.000-05:00</published><updated>2007-03-02T11:36:30.102-05:00</updated><title type='text'>The Land of Opportunity - Reason #243</title><content type='html'>So I was in Maine recently in a vehicle that was allegedly due for an inspection, and was subsequently pulled over by a very cordial police officer in Biddeford. He wrote up a ticket, and I waited the requisite number of days to go online and settle up and/or contest the charges.&lt;br /&gt;&lt;br /&gt;I went to the &lt;a href="http://www.paytixx.com"&gt;PayTixx website &lt;/a&gt;and punch in the requisite (public) information about &lt;a href="https://www.informe.org/cgi-bin/paytixx/paytixx.pl"&gt;my ticket&lt;/a&gt;.
I then go to pay said fine, and just happen to notice that there is NO encryption/SSL on the site where I need to enter my PRIVATE information like credit card number, etc. etc. as evidenced by no padlock on the browser I was using. I used another browser (older) to rule out an obvious technical glitch. Nada. Zip. No Padlock. No Security.&lt;br /&gt;&lt;br /&gt;There is however a nice little graphic with the Maine.gov logo and a little padlock, allegedly ensuring that the site is secure. Hmmmm, I must be on the insecure page. This logo links me to &lt;a href="http://www.maine.gov/portal/policies/security.html"&gt;a page &lt;/a&gt;with details about the &lt;a href="http://www.maine.gov/portal/policies/security.html"&gt;Transaction Security Policy &lt;/a&gt;(Full text at the end of the posting).&lt;br /&gt;&lt;br /&gt;So the State has a policy, a nice custom branded security looking logo with a link to the site, yet absolutely no validation from the technology they allegedly use to validate to me, the private information holder, that the site is in fact secure and using at least the 128-bit encryption they claim.&lt;br /&gt;&lt;br /&gt;I'm no White Hat, Grey Hat, or Black Hat, but I do know a few and I have to say that there is a potential GOLDMINE here that is being funded by the taxpayers of Maine, for personal information of alleged drivers of different infraction types - speeders, uninspected motorists, suspended licensees, etc. etc. being poached and sold. Perhaps that is why CSC got thrown out of the State IT projects they were working on.&lt;br /&gt;&lt;br /&gt;Don't tell me the State of Maine, or any other State can't afford better (ANY) security these days. Please DO tell me that the States will not contribute to identity theft any more than they do. This is ridiculous.&lt;br /&gt;&lt;br /&gt;By the way - it is also NOT PCI compliant. Big Ding from Visa and Mastercard, folks.
They could fine you TODAY, and suspend your right to take these cards as payments - in fact if they did, they would ensure the security and privacy of me today.&lt;br /&gt;&lt;br /&gt;I will again urge that &lt;a href="http://www.maine.gov/sos/"&gt;Mark Kemmerle, Donna Grant, or Matt Dunlap &lt;/a&gt;please return the calls I have made into your office. I am more than willing and able to help improve the *real* security - and now, it's personal on why you need it.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Maine's Transaction Security Policy&lt;br /&gt;&lt;br /&gt;Maine state government and InforME take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private and secure. Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information.&lt;br /&gt;Sensitive information passed in online transactions such as social security numbers, banking information, and personal data is confidential. Please refer to our &lt;a href="http://www.maine.gov/portal/policies/privacy.html"&gt;privacy policy&lt;/a&gt; for details about the collection of information from visitors to state websites.&lt;br /&gt;&lt;br /&gt;Whenever you see this icon on a Maine state government online service, you can rest assured that the following safeguards and security criteria are in place:&lt;br /&gt;Transactions involving sensitive information occur on a secure server.
You can look for the "lock" symbol at the bottom of your browser window to verify that you are on a secure server.&lt;br /&gt;Our secure socket layer (SSL) software uses state-of-the-art 128-bit encryption to ensure that your personal and financial information cannot be intercepted during transmission to our server.&lt;br /&gt;All information requests pass through hardware and software security firewalls.&lt;br /&gt;&lt;br /&gt;Communication between InforME servers/systems and State databases is passed via a secure private network.&lt;br /&gt;&lt;br /&gt;Encrypted personal information includes credit card numbers as well as social security numbers and banking information.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;PARAM NAME="MSGTEXT" VALUE="http://www.prognosisx.com/infosyssec/announce.txt"&gt;
&lt;PARAM NAME="BGCOLOR" VALUE="#F4F2F0"&gt;
&lt;PARAM NAME="FGCOLOR" VALUE="#000000"&gt;
&lt;PARAM NAME="HREFCOLOR" VALUE="#0000FF"&gt;
&lt;PARAM NAME="LINKCOLOR" VALUE="#FF0000"&gt;
&lt;PARAM NAME="FONTNAME" VALUE="Dialog"&gt;
&lt;PARAM NAME="FONTSIZE" VALUE="10"&gt;
&lt;PARAM NAME="SPEED" VALUE="30"&gt;
&lt;PARAM NAME="WAITTEXT" VALUE="YES"&gt;
&lt;PARAM NAME="PAUSE" VALUE="5500"&gt; 
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-2004596061736826626?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/2004596061736826626/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=2004596061736826626&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2004596061736826626'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/2004596061736826626'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/03/land-of-opportunity-reason-243.html' title='The Land of Opportunity - Reason #243'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3127567853711166182</id><published>2007-02-27T16:38:00.000-05:00</published><updated>2007-02-27T16:55:30.902-05:00</updated><title type='text'>Hey look, this guy created Identity.</title><content type='html'>Yes, I am being smug about this. I used to work for &lt;a href="http://www.atg.com"&gt;ATG &lt;/a&gt;and we got sued by &lt;a href="http://www.broadvision.com"&gt;Broadvision &lt;/a&gt;because Broadvision had a patent that basically said Broadvision invented E Commerce so they had a right to sue anyone in the eCommerce space. So they went after ATG, their chief competitor (who was kicking the crap out of them in the marketplace BTW) and ATG is still in business, Broadvision went public, went private. 
Broadvision also sold their name to &lt;a href="http://www.bv.com"&gt;Black &amp; Veatch (bv.com)&lt;/a&gt; so my guess is that ATG has done a little better.&lt;br /&gt;&lt;br /&gt;Anyway, this guy Reid is seeking unspecified damages (a.k.a. whatever he can get) and I also noticed that he is not going after companies worth less than several billion. Guess he owes a lawyer friend or two a favor. Best of luck Mr. Reid.&lt;br /&gt;&lt;br /&gt;Note to developers - study &lt;a href="http://www.patentstorm.us/patents/6131120-claims.html"&gt;the patent&lt;/a&gt;, find the loophole, and write an alternative application that AD users can port over to quickly. You'll make more than Reid...&lt;br /&gt;&lt;br /&gt;Looking at the patent, it's pretty broad, and the Patent keeps referring to a 'Master Directory' which in practical terms doesn't exist. Is it the HR database, AD, LDAP? It doesn't mention access to files/content explicitly which is why people connect to the network to begin with, right?&lt;br /&gt;&lt;br /&gt;Check out the Sept 29, 2006 post at my pal &lt;a href="http://blogs.sun.com/IdentityCrisis/"&gt;Sean O Neill's blog &lt;/a&gt;about this very topic. This guy's legal team has its work cut out for it...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.informationweek.com/news/showArticle.jhtml;jsessionid=1RUAGNLANJMWKQSNDLRCKHSCJUNN2JVN?articleID=197009007"&gt;http://www.informationweek.com/news/showArticle.jhtml;jsessionid=1RUAGNLANJMWKQSNDLRCKHSCJUNN2JVN?articleID=197009007&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A former IBM scientist claims that the network identity-management systems used by corporate giants Charles Schwab, General Motors, and Halliburton violate a seven-year old patent he holds. 
The inventor also claims that Microsoft's &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Active%20Directory&amp;x=&amp;amp;y="&gt;Active Directory&lt;/a&gt; technology infringes on his intellectual property.&lt;br /&gt;&lt;br /&gt;In court papers filed in the U.S. District Court for Eastern Texas, William Reid claims that the network ID management systems used by the defendants violate &lt;a href="http://www.patentstorm.us/patents/6131120-claims.html"&gt;U.S. patent 6,131,120&lt;/a&gt;, which Reid owns and which describes an "Enterprise Network Management Directory Containing Network Addresses Of Users And Devices."&lt;br /&gt;&lt;br /&gt;"Microsoft has been and continues to infringe directly and indirectly on one or more claims of the [patent]," according to Reid's suit, which was originally filed in 2005. A so-called Markman hearing, during which a judge will rule on the meaning of terms used in the complaint, is scheduled for May.&lt;br /&gt;&lt;br /&gt;Virtually all corporations use such systems to authenticate and verify the identity of individuals logging onto their &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=computer&amp;x=&amp;amp;y="&gt;computer&lt;/a&gt; networks.&lt;br /&gt;&lt;br /&gt;In his suit, Reid claims that Halliburton's use of Microsoft's Active Directory technology to create its ID management system violates the patent. Reid further claims that Active Directory itself, as well as Microsoft products that embed the technology, including Windows 2000 Server and &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Windows&amp;x=&amp;amp;y="&gt;Windows&lt;/a&gt; Server 2003, violate his patent.&lt;br /&gt;&lt;br /&gt;In court filings, Microsoft, GM, Schwab, and Halliburton all deny violating Reid's patent. Halliburton, however, has asked Microsoft for indemnification should it lose the case. "Microsoft stands behind its technology. 
As such, Halliburton has tendered an indemnity demand to Microsoft if Halliburton is found to infringe in this case," Microsoft says in a related filing.&lt;br /&gt;In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference. "They made presentations and distributed material that described their architectures," says Reid.&lt;br /&gt;&lt;br /&gt;Word of the suit marks the latest in a series of legal headaches for Microsoft. On Monday, &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=197008630"&gt;it emerged&lt;/a&gt; that the company is being sued over its use of the Office Live name for a suite of online business productivity tools. Last week, Microsoft was &lt;a href="http://www.informationweek.com/windows/showArticle.jhtml?articleID=197008214"&gt;ordered to pay&lt;/a&gt; Alcatel-Lucent $1.5 billion for violating patents related to the &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=MP3&amp;x=&amp;amp;y="&gt;MP3&lt;/a&gt; music format.&lt;br /&gt;&lt;br /&gt;Reid is seeking unspecified damages.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3127567853711166182?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3127567853711166182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3127567853711166182&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3127567853711166182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3127567853711166182'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/02/hey-look-this-guy-created-identity.html' title='Hey look, this guy created Identity.'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-8713921971868762569</id><published>2007-02-26T10:08:00.000-05:00</published><updated>2007-02-26T10:14:39.925-05:00</updated><title type='text'>Two Factor Authentication - Squared</title><content type='html'>I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unauthorized users getting an IP address and subsequently getting on their network, and their customer's network. I showed them how the solution worked in 15 minutes and was done with that part of the discussion. 
We just showed a viable alternative to 802.1x - both in implementation time (2 hours of set up, 15 minute demonstration) and cost (a fraction of the $$$ of the solutions I know about).&lt;br /&gt;&lt;br /&gt;The next part of the discussion was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough?&lt;br /&gt;&lt;br /&gt;We were able to figure out that the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.&lt;br /&gt;&lt;br /&gt;Long story short - four factor authentication. Two factor authentication, squared, or 2F2.&lt;br /&gt;&lt;br /&gt;Here is how it works:&lt;br /&gt;&lt;br /&gt;I identify the user in two ways - PIV Card (something they have), and Login credentials (PAC &amp; LAC Controls)&lt;br /&gt;&lt;br /&gt;I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange. Unalterable, proven, and deployed in hours.&lt;br /&gt;&lt;br /&gt;Why does this matter?&lt;br /&gt;&lt;br /&gt;Audit - Be able to see every network layer event, by who, from what machine, in real time and know that the data is irrefutable and will hold up in court vs. a spoofable MAC address/IP address.&lt;br /&gt;&lt;br /&gt;Control - Make policy based access decisions based on some combination of 4 different attributes providing the ultimate in flexibility and rollout options.&lt;br /&gt;&lt;br /&gt;For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). 
Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.&lt;br /&gt;&lt;br /&gt;At the macro level - You have just scoped down your threat vector area to only those you know and trust, be they machines or people.&lt;br /&gt;&lt;br /&gt;Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-8713921971868762569?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/8713921971868762569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=8713921971868762569&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8713921971868762569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/8713921971868762569'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/02/two-factor-authentication-squared.html' title='Two Factor Authentication - Squared'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1919621711545004146</id><published>2007-02-21T06:48:00.000-05:00</published><updated>2007-02-21T07:04:13.065-05:00</updated><title type='text'>Machine Identity</title><content type='html'>There have been quite a number of searches in the past 90 days about machine identity that have hit this blog looking for information. 
A lot of interest from the EU in particular, although I have not been able to pinpoint if it's because the usual ways of ID-ing machines (MAC and/or IP address) are not as absolute as they once were, if it's related to the privacy laws that are different in the EU than they are in the US, or if it is something else altogether.&lt;br /&gt;&lt;br /&gt;What I do know is that a MAC address and/or an IP address are not as reliable in the forensic world. It used to be that Law Enforcement could get an affidavit by producing a MAC and/or IP address from a suspect and get a warrant right away. Things are different with the ability to spoof these two components of Identity with &lt;a href="http://www.programurl.com/software/spoofing.htm"&gt;easily available software &lt;/a&gt;since the reliability is in question and the irrefutability is not what it was.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.trustednetworktech.com"&gt;Trusted Network Technologies &lt;/a&gt;has come up with a unique and patented way to ID a machine based on hardware components and the associated serial numbers and embed that information in TCP packets. In short - it's the new irrefutable machine identity. Your company may have 5,000 Dell laptops, but each one has a unique hardware profile, that when captured and embedded into the packet creates a unique identifier based on that build. Totally unique, totally provable. 
It's a logical badge for the network that complements the physical ones we're all familiar with.&lt;br /&gt;&lt;br /&gt;Why this may emerge as the new Identity attribute most important to companies, law enforcement, and others is that it provides a layer of &lt;a href="http://www.privacyassociation.org"&gt;privacy&lt;/a&gt; - you are your machine, not who you say you or your machine is, and you can govern access control by those inside and outside your organization based on this attribute and add user identity information to the mix and extend what you have.&lt;br /&gt;&lt;br /&gt;With all of the talk about NAC and keeping unhealthy machines off the network I believe it is crucial to establish that irrefutable identity of the machine so that you know what that machine is, can quickly find out who is using it, and whether or not to allow that user and/or their machine anywhere near your network. It's a nice way to keep things open and secure at the same time whether you're human or hardware...&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1919621711545004146?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1919621711545004146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1919621711545004146&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1919621711545004146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1919621711545004146'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/02/machine-identity.html' title='Machine Identity'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-6364531860957131209</id><published>2007-02-07T11:04:00.000-05:00</published><updated>2007-02-07T11:05:29.387-05:00</updated><title type='text'>FBI Cyber Attack data - Interesting stuff</title><content type='html'>&lt;a title="http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm" href="http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm"&gt;http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Among the key findings:&lt;br /&gt;§  Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.&lt;br /&gt;&lt;br /&gt;§  Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. 
More than one in five organizations said they experienced port scans and network or data sabotage.&lt;br /&gt;&lt;br /&gt;§  Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.&lt;br /&gt;&lt;br /&gt;§  Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.&lt;br /&gt;&lt;br /&gt;§  Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.&lt;br /&gt;&lt;br /&gt;§  Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response.&lt;br /&gt;&lt;br /&gt;And 81% said they'd report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of &lt;a title="http://www.fbi.gov/page2/dec04/infragard121404.htm" href="http://www.fbi.gov/page2/dec04/infragard121404.htm"&gt;InfraGard&lt;/a&gt;, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-6364531860957131209?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/6364531860957131209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=6364531860957131209&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6364531860957131209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/6364531860957131209'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/02/fbi-cyber-attack-data-interesting-stuff.html' title='FBI Cyber Attack data - Interesting stuff'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-834392414827911757</id><published>2007-02-07T09:00:00.000-05:00</published><updated>2007-02-07T09:39:16.191-05:00</updated><title type='text'>Accountability and Identity</title><content type='html'>I can't help but think that holding companies' management, and their boards, personally accountable for customer data theft is a good idea and may actually speed up the adoption of better security.&lt;br /&gt;&lt;br /&gt;I would love to see what TJX spent on Christmas decorations, Christmas parties and coffee the past 2 years and compare that with what they spent on security infrastructure. If they spent less on the security portion of their business they deserved to be hacked. 
By the way, that goes for any company who is placed in a position of customers sharing data and their trust with them.&lt;br /&gt;&lt;br /&gt;So how does this stuff stop happening? PCI DSS is one initiative from the card companies, but I believe until there is personal accountability in these breaches at the Management or Board level, this will continue to happen. Did we learn nothing about SOX (Sarbanes Oxley) and compliance? The teeth in that is Management goes to jail - or put another way - accountability.&lt;br /&gt;&lt;br /&gt;How about legislation for increased corporate accountability vs. legislation about data breaches and consumer protection? Companies who are more secure will get more business, be trusted more, have a better brand, and continue to grow. Those who don't figure it out, or see the benefit to maintaining trust with your customers, lose.&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-834392414827911757?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/834392414827911757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=834392414827911757&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/834392414827911757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/834392414827911757'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/02/accountability-and-identity.html' title='Accountability and Identity'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3064953507735879011</id><published>2007-01-30T06:27:00.000-05:00</published><updated>2007-01-30T06:38:38.590-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>TJX - They claim they closed the barn door...</title><content type='html'>I am at Logan Airport and I just heard CNN report that the CEO of TJX issued a statement that said that TJX waited to report the breach to better contain it.&lt;br /&gt;&lt;br /&gt;That is the equivalent of saying 'The barn is secure, we have closed the barn door and put on new locks and hinges... 
The horses, however, are out of the barn.'&lt;br /&gt;&lt;br /&gt;This breach, the first one of the year, is a testament to what not to do. The good guys and the victims of data theft need to share information better than the hackers. Does TJX really think that this is the end of it? Do they actually believe that they contained and solved the problem?&lt;br /&gt;&lt;br /&gt;In the world of Google, ask.com and other search engines, mass storage, etc. public is forever. Think about spam for a moment. The first time I published my email address back in 1994, I started receiving unsolicited email within a day. I still get it at an email address that is 13 years old that I do not use, and have not used to receive legitimate mail since 1996.&lt;br /&gt;&lt;br /&gt;My point? Once there is a leak and the info is out - it's forever (relatively speaking).&lt;br /&gt;&lt;br /&gt;With all of the technology that's out there it is incomprehensible that companies cannot justify spending money on security. From General Clarke, Cyber terrorism expert, 'If your company spends more money on coffee than on security - you deserved to be hacked and by the way - you will be.'&lt;br /&gt;&lt;br /&gt;The other thing I cannot comprehend is when a company says that spending thousands of dollars on security is too much money - they always find a way to spend millions on clean up.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3064953507735879011?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3064953507735879011/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3064953507735879011&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3064953507735879011'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3064953507735879011'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/tjx-they-claim-they-closed-barn-door.html' title='TJX - They claim they closed the barn door...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1390494577708818534</id><published>2007-01-26T09:15:00.000-05:00</published><updated>2007-01-26T09:19:36.297-05:00</updated><title type='text'>Another TJX Gem...</title><content type='html'>I was doing some further investigation last night and &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9008783&amp;amp;source=rss_news50"&gt;an article in Computerworld&lt;/a&gt; covered it:&lt;br /&gt;&lt;br /&gt;The breach occurred as far back as mid-May 2006 but was discovered only in mid-December, said company spokeswoman Debra McConnell. 
The original statement from Framingham, Mass.-based TJX announcing the data compromise last week mentioned only the discovery of the breach in December and made no reference to when the breach actually happened.&lt;br /&gt;&lt;br /&gt;Whoever the IT staff and the IDS and IPS vendors are, they might be hoping that they are NEVER identified. Seven months of free rein on a network of that size with so much data unprotected?&lt;br /&gt;&lt;br /&gt;Yahtzee!!!!&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1390494577708818534?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1390494577708818534/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1390494577708818534&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1390494577708818534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1390494577708818534'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/another-tjx-gem.html' title='Another TJX Gem...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-1070496897932111934</id><published>2007-01-26T09:05:00.000-05:00</published><updated>2007-01-26T09:15:38.030-05:00</updated><title type='text'>TJX Ripples Go Global</title><content type='html'>I just read a &lt;a href="http://www.storefrontbacktalk.com/securityfraud/the-tjx-damage-info-continues-to-trickle-out/"&gt;new piece of news &lt;/a&gt;regarding TJX from &lt;again&gt; the Massachusetts Bankers Association saying that there has been reported fraudulent activity in Florida, Georgia, and Louisiana AND in Hong Kong &amp; Sweden.&lt;br /&gt;&lt;br /&gt;There is absolutely no excuse for an industry group to be providing more information than the company whose records were breached. 
The silence from TJX has been deafening and the lack of information (including expressing concern for those affected) is simply breathtaking.&lt;br /&gt;&lt;br /&gt;I hope that all of the colleges in New England use this case as the poster child case for what not to do in the event of a breach, what TO do to eradicate any sense of trust within the company itself or its customers, and to the lawyers who are likely in the midst of the train wreck trying to manage through this - chalk this one up to the WHAT NOT TO DO IN THE EVENT OF A BREACH file.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-1070496897932111934?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/1070496897932111934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=1070496897932111934&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1070496897932111934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/1070496897932111934'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/tjx-ripples-go-global.html' title='TJX Ripples Go Global'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4301613846287141354</id><published>2007-01-25T14:59:00.000-05:00</published><updated>2007-01-25T15:03:10.058-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>TJX Breach Count at 200,000 or $36.4M</title><content type='html'>I was exchanging email with Jenn Abelson at the &lt;a href="http://www.boston.com"&gt;Boston Globe &lt;/a&gt;the past couple of days, as she is running point on the story. It was reported by her today that the tally stands at 200,000 card numbers. 
You know what the real story is:&lt;br /&gt;&lt;br /&gt;This number was reported by Massachusetts Community Banks, NOT TJX!!!!&lt;br /&gt;&lt;br /&gt;So watch this record number rise. And the associated costs.&lt;br /&gt;&lt;br /&gt;By the way, the numbers computed by Dr. Larry Ponemon at the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;bring the cost of this breach to $36.4M to date. These are only the numbers that BANKS were able to figure out, not TJX or their contractors brought in to do the cleanup.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4301613846287141354?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4301613846287141354/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4301613846287141354&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4301613846287141354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4301613846287141354'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/tjx-breach-count-at-200000-or-364m.html' title='TJX Breach Count at 200,000 or $36.4M'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-3612543798230194414</id><published>2007-01-24T17:12:00.000-05:00</published><updated>2007-01-24T17:14:23.962-05:00</updated><title type='text'>Virtualization – Virtual Security nightmare?</title><content type='html'>I keep hearing and reading about server virtualization, server consolidation, maximizing server resources, blah blah blah. 
The point of it is – I have a bunch of servers, that I paid for, not doing anything, so if I consolidate the underused servers onto a better or more efficiently used server I will save money in maintenance, capital costs, and power, A/C and all of the other data center costs.&lt;br /&gt;&lt;br /&gt;The issue I see that drains the blood from every CIO’s face I’ve had the pleasure of discussing this with is – how are you going to manage access and secure all of those apps on the same server now? Identity management apps? VLANs? SSO? I thought you were trying to be more efficient...&lt;br /&gt;&lt;br /&gt;There is a better way. Here is what you do…&lt;br /&gt;&lt;br /&gt;For 1,000 users, it will cost you about $100/user, which is less than the $182 per record it will cost you in a breach.&lt;br /&gt;&lt;br /&gt;You install some software, two appliances, highly available and redundant in front of these virtualized efficiently humming boxes, and control who can SEE and who has access to each application based on who they are, what machine they’re using, and whether or not they’re at Starbucks, a hotel, or on your LAN.&lt;br /&gt;&lt;br /&gt;Every user, every machine. Installed in 4 hours, policies set, audited and deployed in less than a week.&lt;br /&gt;&lt;br /&gt;For about $100/user. No changes to your directory, no changes to your infrastructure, maintaining access control by app even when consolidated. Think I’m full of it?&lt;br /&gt;&lt;br /&gt;&lt;clint&gt;&lt;br /&gt;&lt;br /&gt;You gotta ask yourself – in all this worrying about virtualization what did I do to my security program – did I cover myself? Well? Did I?&lt;br /&gt;&lt;br /&gt;I have you covered - identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-3612543798230194414?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/3612543798230194414/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=3612543798230194414&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3612543798230194414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/3612543798230194414'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/virtualization-virtual-security.html' title='Virtualization – Virtual Security nightmare?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-4141694821149592592</id><published>2007-01-18T13:38:00.000-05:00</published><updated>2007-01-18T13:51:28.247-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='preventing a breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>TJX - The latest</title><content type='html'>Ok, Folks... I thought my &lt;a href="http://identitystuff.blogspot.com/2006/12/break-in-at-naval-war-college.html"&gt;open challenge to the US Navy &lt;/a&gt;at the end of last year would be enough for someone to email me and tell me I was full of crap, or the other more fun option - prove that you can do what you say. 
So here goes folks:&lt;br /&gt;&lt;br /&gt;I double-dare any company who has had a breach to email me and challenge me to prove how I can stop future breaches from happening, shut off access to garbage (kits, scripts, and such) that was left behind, and at the end of a two-week period be able to tell you who from what machine connected to what application and when they did it down to the sub-second in real time. When I say 'From what machine' I mean &lt;em&gt;the&lt;/em&gt; machine they used, not the MAC address or IP address.&lt;br /&gt;&lt;br /&gt;In one day I will show you the top IP addresses connected to from your network, whether it is World of Warcraft, or the World of Network Security. I will then, with the same piece of technology, allow you to set a policy that that can't happen anymore. For that user. For that machine. For that user at that machine. For that user at that machine while on the LAN.&lt;br /&gt;&lt;br /&gt;Don't believe me? Email me at &lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt; and I'll prove it in 2 weeks or less. If it doesn't work, I take it back. If it works as advertised you pay me.&lt;br /&gt;&lt;br /&gt;Folks, it's cheaper and less embarrassing to talk to me than to the press, Wall Street, and your bosses who all won't tolerate the bad news nearly as well as I will.&lt;br /&gt;&lt;br /&gt;Go ahead, I double dare you. You'll feel like Neo after he took the red pill... 'Remember, all I am offering is the truth and nothing more...'&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-4141694821149592592?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/4141694821149592592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=4141694821149592592&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4141694821149592592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/4141694821149592592'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/tjx-latest.html' title='TJX - The latest'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116886991494189826</id><published>2007-01-15T09:02:00.000-05:00</published><updated>2007-01-15T09:05:14.956-05:00</updated><title type='text'>Simplicity - overlooked or over rated?</title><content type='html'>I was catching up on my reading this weekend and the global message that continues to resonate is that we have forgotten simplicity when trying to address complex business issues. It’s as if we need to be as or more complex with our solution to the problem than the problem itself.&lt;br /&gt;&lt;br /&gt;Case in point… I was reading &lt;a href="http://www.scmagazine.com"&gt;SC Magazine &lt;/a&gt;and the For/Against column was discussing database security – 'The best approach to database security is monitoring traffic before it enters the database.' 
I have two issues with this:&lt;br /&gt;&lt;br /&gt;1. Whoever crafted the question missed the point, IMHO. What does ‘monitoring’ have to do with security, and with actually preventing the unauthorized access to begin with, which is what you want? The relative uselessness of monitoring as compared to actually PREVENTING access should be pretty obvious. When you can monitor the unauthorized activity, alert appropriate teams, and prevent access – now that’s useful. The ‘Against’ guy alluded to it (Dr. Murray Mazer from &lt;a href="http://www.lumigent.com"&gt;Lumigent&lt;/a&gt;).&lt;br /&gt;2. Let’s keep it simple. The ‘For’ guy (Gautam Vij from &lt;a href="http://www.symantec.com"&gt;Symantec&lt;/a&gt;) had a credibility issue from the get-go, working for a security vendor with 1200+ SKUs for their products. Note to Symantec – hire an offshore firm to tackle the integration problem, or get a new marketing and product management team to come up with more integrated offerings a la &lt;a href="http://www.acura.com"&gt;Acura&lt;/a&gt;. They had one option with the 2006 TSX – Nav system or not. Simple works. Simple sells.&lt;br /&gt;&lt;br /&gt;The other thing I couldn't help but think about was a conversation I had with a colleague about how convoluted and complex IDM has become. Why? The companies that I work with today are trying to solve the same problem the companies 5 years ago were trying to solve – managing users better post authentication and automating workflows. I still need to think through what happened but I believe that it’s akin to how IDM vendors got into their space – the directory was being asked to do things it was never intended to do, and they were propagating, proprietary, and proving to be a bear to implement. Is Identity Management at the application layer headed down the same road? &lt;br /&gt;&lt;br /&gt;What happens when you add machine identity to the mix so that companies identify machines and maintain privacy at the same time? 
&lt;a href="http://www.trustednetworktech.com"&gt;Look here for a possible solution&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;identitystuff@ gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116886991494189826?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116886991494189826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116886991494189826&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116886991494189826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116886991494189826'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2007/01/simplicity-overlooked-or-over-rated.html' title='Simplicity - overlooked or over rated?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116723569084070861</id><published>2006-12-27T11:02:00.000-05:00</published><updated>2006-12-27T11:09:00.773-05:00</updated><title type='text'>2006 - Year in Review</title><content type='html'>Year in Review&lt;br /&gt;&lt;br /&gt;2006 is drawing to a close, and not to be outdone by my peers I thought I would highlight some of the things I thought were important this year in the industry:&lt;br /&gt;&lt;br /&gt;1. My &lt;a href="http://identitystuff.blogspot.com/2006/12/break-in-at-naval-war-college.html"&gt;open challenge to the Navy &lt;/a&gt;to get their networks under control. &lt;br /&gt;&lt;br /&gt;The Naval War College had to shut down their network for 2 weeks after they were hacked. 
If this was a business, taps would have been playing by now. &lt;br /&gt;&lt;br /&gt;No one has accepted the challenge.&lt;br /&gt;&lt;br /&gt;I met with the Navy and their integrator SAIC earlier this year to discuss Identity Management and protecting the Navy from unwanted visitors, and this still happened. Are my expectations too high? I think not. When there is a piece of technology that can be installed in a day, that can keep hackers out by controlling the dial tone of the line they use to hack you, there is no excuse. NONE.&lt;br /&gt;&lt;br /&gt;2. Convergence of Identity, Privacy, and Security.&lt;br /&gt;&lt;br /&gt;This was very obvious in the reported number of breaches and legislation this year.&lt;br /&gt;&lt;br /&gt;We passed the 100,000,000 identities breached mark. This means that 1 in 2 Americans have had their data accessed and possibly sold and used. I wonder if this can be used to our advantage come tax time.&lt;br /&gt;&lt;br /&gt;3. The costs of breaches are going up, yet breaches are still happening at an unprecedented clip&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute &lt;/a&gt;tallied up the cost of a breach per record and it was pegged out at $182 of tangible costs to a company. &lt;br /&gt;&lt;br /&gt;4. Patty Dunn and the &lt;a href="http://www.hp.com"&gt;HP&lt;/a&gt; debacle.&lt;br /&gt;&lt;br /&gt;I wonder if the tell-all book or miniseries will be the first to market. Maybe a soap opera?&lt;br /&gt;&lt;br /&gt;5. 
Let’s not forget those who won’t be down for breakfast:&lt;br /&gt;&lt;br /&gt;Ken Lay, James Brown, James Kim, Gerald Ford, Dana Reeve, Joe Barbera, Peter Boyle, Bo Schembechler, Jack Palance, Ed Bradley, Red Auerbach, Cory Lidle, Byron Nelson, Ann Richards, Steve Irwin, Bruno Kirby, Mike Douglas, Robert Brooks, Syd Barrett, Aaron Spelling, Patsy Ramsey, Vince Welnick, Paul Gleason, Don Knotts, Earl Woods, Louis Rukeyser, Caspar Weinberger, Slobodan Milosevic, Kirby Puckett, Peter Benchley, Coretta Scott King, Chris Penn, and Lou Rawls.&lt;br /&gt;&lt;br /&gt;My predictions for 2007&lt;br /&gt;&lt;br /&gt;1. Identity Management at the Network Layer will gather more steam since &lt;a href="http://identitystuff.blogspot.com/2006/08/identity-trifecta.html"&gt;Identity and Security&lt;/a&gt; will continue their convergence.&lt;br /&gt;&lt;br /&gt;2. Machine Identity will be a bigger issue than it was in 2006, especially with all the talk of NAC and Endpoint Control&lt;br /&gt;&lt;br /&gt;3. We will hit the *reported* 200,000,000 records breached by August because the bad guys are better at sharing information on how to do a breach than the good guys are at preventing one. &lt;br /&gt;&lt;br /&gt;identitystuff @ gmail.com&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116723569084070861?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116723569084070861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116723569084070861&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116723569084070861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116723569084070861'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/2006-year-in-review.html' title='2006 - Year in Review'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116620259307962937</id><published>2006-12-15T11:53:00.000-05:00</published><updated>2006-12-15T12:09:53.243-05:00</updated><title type='text'>Machine Identity</title><content type='html'>I recently received an email from across the pond in the UK from a gentleman who has read my &lt;a href="http://www.issa.org/current-ij-toc.html"&gt;ISSA Journal article discussing Machine Identity&lt;/a&gt;. He was looking for more resources and research on the concept of Identity of Machines being important as is the identity of a user which got me thinking about how the current state of Identity Management has been focused very heavily on users, single/multi factor identification, Directories, user provisioning/deprovisioning workflows, etc. 
&lt;br /&gt;&lt;br /&gt;Since bots are a really intriguing (to me) and harmful problem for a lot of network owners, it got me thinking about the importance of managing machine identity, and wondering why there is so little information and focus out there.&lt;br /&gt;&lt;br /&gt;Is it too Skynet/Cyberdyne? &lt;br /&gt;The Rise of the Machines? &lt;br /&gt;Is this the beginning of it all? &lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;br /&gt;&lt;br /&gt;This from &lt;a href="http://en.wikipedia.org/wiki/Skynet"&gt;This Wiki Site &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In Terminator 3, the Judgment Day described in the first movie has been altered and postponed by ten years. In contrast to Terminator 2, it is implied that humans are ignorant of Skynet's sentience, which attacked humanity without any provocation whatsoever. The events of Judgment Day were ultimately not prevented, merely postponed. Ten years after the events of Terminator 2, Skynet was created as a United States Air Force project, a distributed computer network designed to create new military vehicles and make strategic decisions as well as protect their computer systems from virus attacks. One such virus had infected their defense computers, crippling them all. Under pressure, the Air Force attempted to use Skynet to remove the virus, not realizing that Skynet was sentient and had created the virus in order to manipulate humanity into giving it control over the world's computers. Skynet was initially thought to be capable of being shut down if only someone could reach its system core, but ultimately it was discovered that the Skynet was nothing more than software that ran by spreading throughout the world's computer networks and was incapable of being disabled from a central point. Judgment Day occurred, but John Connor survived. 
It is suggested that future events unfolded as they were supposed to.&lt;br /&gt;&lt;br /&gt;Skynet gained access to several autonomous military drones (such as the T-1 in Terminator 3), using them to round up survivors, who were forced to build automatic factories and robots that were better at construction than the military robots. Skynet then killed these human slaves, and using the infrastructure they had been forced to start, rapidly designed newer and better machines until it controlled an extremely advanced empire centered on a city-state located in the state of Colorado in the United States, known as Sector Zero on Earth by 2029, at the Cheyenne Mountain complex, presumably the precise former location of NORAD.&lt;div class="blogger-post-footer"&gt;
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116620259307962937?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116620259307962937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116620259307962937&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116620259307962937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116620259307962937'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/machine-identity.html' title='Machine Identity'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116545687382125392</id><published>2006-12-06T20:55:00.000-05:00</published><updated>2006-12-06T21:01:13.833-05:00</updated><title type='text'>James Kim, Rest in Peace</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/x/blogger/6383/194/1600/107392/white%20rose.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://photos1.blogger.com/x/blogger/6383/194/320/923275/white%20rose.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I just heard the news about James Kim's body being found. 
I cannot express the profound sadness I feel for his wife and their two daughters.&lt;br /&gt;&lt;br /&gt;Maybe it's being a dad myself, I don't know, but I understand at a core level the decision he made to strike out to help his family, and I also believe he knew the consequences, good and bad, before he said goodbye.&lt;br /&gt;&lt;br /&gt;Now his family must say goodbye again.  Rest in Peace James.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116545687382125392?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116545687382125392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116545687382125392&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116545687382125392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116545687382125392'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/james-kim-rest-in-peace.html' title='James Kim, Rest in Peace'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116542236276185609</id><published>2006-12-06T11:22:00.000-05:00</published><updated>2006-12-14T20:46:21.466-05:00</updated><title type='text'>US Cyber Security Checklist - 2007 Final Draft</title><content type='html'>&lt;a href="http://www.cccure.org/Documents/cybersecurity/US-CCU_Cyber-Security_Check_List_2007.pdf"&gt;http://www.cccure.org/Documents/cybersecurity/US-CCU_Cyber-Security_Check_List_2007.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here it is folks!!&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116542236276185609?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116542236276185609/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116542236276185609&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116542236276185609'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116542236276185609'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/us-cyber-security-checklist-2007-final.html' title='US Cyber Security Checklist - 2007 Final Draft'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116541601410902036</id><published>2006-12-06T09:24:00.000-05:00</published><updated>2006-12-06T09:40:14.286-05:00</updated><title type='text'>Break in at The Naval War College</title><content type='html'>This story is from the Associated Press, and my jaw hung open on this one for two reasons:&lt;br /&gt;&lt;br /&gt;1. An ENTIRE network being shut down for two weeks is usually enough to bury a business&lt;br /&gt;2. 
Having met with the Navy a few times this year and explaining HOW I can prevent this thing from happening (not just arm waving and saying that I could help, while being elusive), I guess the word didn't get out.&lt;br /&gt;&lt;br /&gt;So if there is anyone from the Navy or the War College who reads the blogosphere - email me ASAP. For the sake of review, here is exactly how I will solve this problem:&lt;br /&gt;&lt;br /&gt;1. Deploy 2-6 appliances to audit the entire network. These will be set up in 1 day, and will give you a baseline of what IS happening, not what you think is happening on your network.&lt;br /&gt;&lt;br /&gt;2. I will deploy software to a handful of machines (&amp;lt;100) that will configure policies that will be enforced on the appliances to keep any more new hackers (and anyone else for that matter) from getting into the network so it can be rebuilt quickly and sterilized.&lt;br /&gt;&lt;br /&gt;3. I will deploy software to the machines of the rest of the staff, admin, and other users who you want on your network. They will have the equivalent of a badge for your network.&lt;br /&gt;&lt;br /&gt;4. I will set and audit the access policy to make sure it is correct, while still allowing ONLY those users who have the software installed and keeping unsavory folks out (and logging who they are).&lt;br /&gt;&lt;br /&gt;5. I will then enable the enforcement of the policies so that no one who is not an identified user or identified machine gets on the network, or critical segments of it, including hackers who may have left rootkits, malware, or other nastiness on the network to compromise its integrity, and the integrity of the United States Navy and the Department of Defense.&lt;br /&gt;&lt;br /&gt;I will get this done by the end of the year if I am contacted by the end of the week.&lt;br /&gt;&lt;br /&gt;Any Questions? 
email me - &lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt; or you can find out who I am through the FBI Infragard program as well.&lt;br /&gt;&lt;br /&gt;Mark&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cnn.com/2006/TECH/internet/12/05/hackers.war.college.ap/index.html"&gt;http://www.cnn.com/2006/TECH/internet/12/05/hackers.war.college.ap/index.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;PROVIDENCE, Rhode Island (AP) -- Hackers attacked the computer network at the Naval War College in Newport, taking down the school's network for more than two weeks, including some e-mail services and the college's Web site.&lt;br /&gt;The Navy Cyber Defense Operations Command in Norfolk, Virginia, detected the intrusion around November 16 and took the system offline, spokesman Lt. Cmdr. Doug Gabos said. He said the unclassified network was used by students.&lt;br /&gt;Military spokesmen would not give an estimate on when the school's Web site, www.nwc.navy.mil, will be back up.&lt;br /&gt;The Naval War College bills itself as the Navy's leading center of strategic thought and national security policy.&lt;br /&gt;Investigators were trying to determine the extent of the intrusion, Gabos said. They planned to upgrade firewalls and make other unspecified improvements.&lt;br /&gt;"Once that is complete, the network will be restored," Gabos said.&lt;br /&gt;Gabos would not comment on who is suspected of attacking the network.&lt;br /&gt;School spokeswoman Karen Sellers said e-mail worked on campus, but people could not send or receive messages from off-campus.&lt;br /&gt;"It's certainly inconvenient," she said. "But we all understand the importance of network security and we're patiently waiting."&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116541601410902036?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116541601410902036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116541601410902036&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116541601410902036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116541601410902036'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/break-in-at-naval-war-college.html' title='Break in at The Naval War College'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116526202452882509</id><published>2006-12-04T14:50:00.001-05:00</published><updated>2006-12-04T14:53:44.540-05:00</updated><title type='text'>Year End Poll</title><content type='html'>I won't call this an annual holiday tradition since I didn't do it last year, but I wanted to get a poll out there to see what others think, and give us all a chance to be visionary.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.polldaddy.com/poll.asp?p=13662"&gt;View Poll&lt;/a&gt;&lt;noscript&gt;&lt;/noscript&gt;&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116526202452882509?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116526202452882509/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116526202452882509&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116526202452882509'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116526202452882509'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/year-end-poll_04.html' title='Year End Poll'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116526195590951176</id><published>2006-12-04T14:50:00.000-05:00</published><updated>2006-12-04T14:52:35.920-05:00</updated><title type='text'>Year End Poll</title><content type='html'>I won't call this an annual holiday tradition since I didn't do it last year, but I wanted to get a poll out there to see what others think, and give us all a chance to be visionary.&lt;br /&gt;&lt;br /&gt;&lt;script language="javascript" src="http://www.polldaddy.com/p/13662.js"&gt; &lt;/script&gt; &lt;noscript&gt; &lt;a href ="http://www.polldaddy.com/poll.asp?p=13662"&gt;Take Our Poll&lt;/a&gt; &lt;/noscript&gt;&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116526195590951176?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116526195590951176/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116526195590951176&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116526195590951176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116526195590951176'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/12/year-end-poll.html' title='Year End Poll'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116490115498086230</id><published>2006-11-30T10:32:00.000-05:00</published><updated>2006-11-30T10:39:15.003-05:00</updated><title type='text'>Response to a Digital ID World Blog</title><content type='html'>&lt;a href="http://blogs.zdnet.com/digitalID/wp-trackback.php?p=75"&gt;http://blogs.zdnet.com/digitalID/wp-trackback.php?p=75&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Take a look at the blog, the 1 comment that is up there (mine is awaiting approval by Eric), and here is the comment and my response:&lt;br /&gt;&lt;br /&gt;"... So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. 
It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc.&lt;br /&gt;&lt;br /&gt;It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack!!) They are finally "treating the network layer in the same way that one would treat the application layer"? Maybe in five years, vendors will start treating the application layer the same way (just more efficient) that they treat the network (and host/OS) layer.&lt;br /&gt;&lt;br /&gt;Posted by: douglen@..."&lt;br /&gt;&lt;br /&gt;RESPONSE:&lt;br /&gt;&lt;br /&gt;I beg to differ strongly on this one.&lt;br /&gt;&lt;br /&gt;Just so we're clear about why I can say what I'm about to say... I have run over a dozen initiatives that have provisioned/deprovisioned over 1M users at the application layer. I have worked with IBM, Novell, and Sun's products, and left a VP level job to join TNT for exactly the reason/point you seem to miss. I have published two articles in the ISSA Journal about this as well. My blog is at &lt;a href="http://identitystuff.blogspot.com/" target="_blank"&gt;http://identitystuff.blogspot.com&lt;/a&gt; should you care to follow along.&lt;br /&gt;&lt;br /&gt;Your point: So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack!!)&lt;br /&gt;&lt;br /&gt;My point: Identity at the network layer means that identity is carried from perimeter to port, so you've encompassed identity in the network, infrastructure, AND application layer WITH the associated entitlements in a single piece of technology. Add to the visibility of who from what machine went to (or tried to go to) an application that ultimately drives who can see and access the right apps is invaluable.&lt;br /&gt;&lt;br /&gt;The other benefit to identity in the network is that once I have deprovisioned the user from the directory, guess what? They can't get on my network at all, they can't login to HR systems from the laptop they still have, and every account they ever set up known or unknown is rendered useless. How's that for workflow?&lt;br /&gt;&lt;br /&gt;So I will point out that identity in the network is exactly where things are headed, and need to be. TNT (yes I work for them &lt;a href="http://www.trustednetworktech.com/" target="_blank"&gt;http://www.trustednetworktech.com&lt;/a&gt;) gives DNA to identity which is as close to true identity as we can get right now...&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116490115498086230?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116490115498086230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116490115498086230&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116490115498086230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116490115498086230'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/11/response-to-digital-id-world-blog.html' title='Response to a Digital ID World Blog'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116472179659126799</id><published>2006-11-28T08:45:00.000-05:00</published><updated>2006-11-28T08:49:56.616-05:00</updated><title type='text'>ISSA Journal Article</title><content type='html'>A second article I had submitted earlier this year is in the November issue of the &lt;a href="http://www.issa.org"&gt;ISSA Journal&lt;/a&gt;. You can get a copy of the article &lt;a href="http://senduit.com/e6af3c"&gt;HERE&lt;/a&gt;. In it I discuss the importance of identity as it relates to machine identity. 
Since there is no AD or LDAP for machines, and they can inflict damage with or without a user using bots and other malware, it's something to look at.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116472179659126799?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116472179659126799/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116472179659126799&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116472179659126799'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116472179659126799'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/11/issa-journal-article.html' title='ISSA Journal Article'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116378882071166928</id><published>2006-11-17T13:37:00.000-05:00</published><updated>2006-11-17T13:40:20.723-05:00</updated><title type='text'>Just launched PCISTUFF</title><content type='html'>In an effort to keep things focused, I have started another blog, &lt;a href="http://pcistuff.blogspot.com"&gt;PCISTUFF,&lt;/a&gt; where I'll be going through the PCI requirements, PCI Solutions, and ideally creating a space where PCI expertise will be shared.&lt;br /&gt;&lt;br /&gt;Have a great Weekend and a fabulous Thanksgiving.&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116378882071166928?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116378882071166928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116378882071166928&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116378882071166928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116378882071166928'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/11/just-launched-pcistuff.html' title='Just launched PCISTUFF'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116360795510207523</id><published>2006-11-15T11:08:00.000-05:00</published><updated>2006-11-15T11:25:55.933-05:00</updated><title type='text'>Identity 2.x = Good vs. Evil?</title><content type='html'>I was at an ISSA meeting yesterday in Minneapolis and the presentations I saw were all about identity. Identity of threats, identity of solutions, and identity. It also got me thinking about whether or not there are more players in the Identity Management space than we realize.&lt;br /&gt;&lt;br /&gt;Bots, worms, viruses all have an identity. They (for the most part) are designed to negatively impact the proper operation of technology. Whether it's driven by ego, monetary gain, or revenge, they are out there and growing. 
To me the identity of these programs is the equivalent of identifying whether or not we're a girl or a boy, since you are typically one or the other (there are exceptions to both). The identity is typically that they are bad, not good.&lt;br /&gt;&lt;br /&gt;The solutions that are designed to identify, detect, deter, and destroy are in most cases considered the 'good' since the good takes care of the bad a la Star Wars, Mission Impossible, or James Bond. This is their identity.&lt;br /&gt;&lt;br /&gt;So does that mean that the companies deploying anti-virus, firewalls, IDS, IPS, etc. are an extension of identity - its soul (Good or Evil) and that by extension they are in essence in the Identity Management space as well? The next layer of Identity Management being the physical establishment of the 3-D world's identity of people and machines. I'll have to noodle this around some more...&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116360795510207523?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116360795510207523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116360795510207523&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116360795510207523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116360795510207523'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/11/identity-2x-good-vs-evil.html' title='Identity 2.x = Good vs. Evil?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14589955.post-116283022065520846</id><published>2006-11-06T10:57:00.000-05:00</published><updated>2006-11-06T11:23:40.820-05:00</updated><title type='text'>PCI Compliance and Identity</title><content type='html'>I don't know if it's just that time of the year when retailers large and small are gearing up for Black Friday, or if it is something else, but PCI Compliance is on the minds of many and I felt compelled to blog about the discussions I've had with several organizations from School Districts to large privately held Level 1 companies lately, and why identity is at the center of it all.&lt;br /&gt;&lt;br /&gt;Oh, and I'll also fill you in on a way for PCI Level 3 organizations to implement a solution for $100,000 which is the proposed amount of a fine if you are 
found non-compliant.&lt;br /&gt;&lt;br /&gt;Identity is at the center of PCI because it requires organizations to restrict access of identified and authorized employees to getting at the identity information of customers.&lt;br /&gt;&lt;br /&gt;The conversations I have had the past few weeks have been interesting. It turns out that one level 3 organization I spoke to has been trying for 2 years to come up with something that will get them compliant. Not because they wanted to, but because &lt;strong&gt;their bank&lt;/strong&gt; wanted them to prove compliance. Interesting that banks are moving risk back to the customers, at least the little ones.&lt;br /&gt;&lt;br /&gt;The other conversation I had was with a diversified company in the midwest that stores and uses a ton of information related to PCI, and their customers were the ones asking for proof that they were PCI compliant, or at least had protections in place at the same level or better than what the customer had. It was interesting because it seemed to me that their customer was trying to assess and mitigate risk and enforce policy and standards inside and outside their 4 walls, which is a HUGE issue for companies today, PCI compliance or not.&lt;br /&gt;&lt;br /&gt;Anyway, take a look &lt;a href="http://www.sharebig.com/d/sdybyczrp/0DIBzcj454F357F04/PCI.ppt.htm"&gt;HERE&lt;/a&gt; and you will be able to &lt;a href="http://www.sharebig.com/d/sdybyczrp/0DIBzcj454F357F04/PCI.ppt.htm"&gt;download the PCI specification and bullet by bullet how TNT can help you satisfy 60% of the requirements in less than a week.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;identitystuff @ gmail.com&lt;div class="blogger-post-footer"&gt;&lt;applet codebase="http://www.prognosisx.com/infosyssec/" CODE="yavs.class" WIDTH=170 HEIGHT=200&gt;
&lt;/APPLET&gt; 
&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14589955-116283022065520846?l=identitystuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identitystuff.blogspot.com/feeds/116283022065520846/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14589955&amp;postID=116283022065520846&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116283022065520846'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14589955/posts/default/116283022065520846'/><link rel='alternate' type='text/html' href='http://identitystuff.blogspot.com/2006/11/pci-compliance-and-identity.html' title='PCI Compliance and Identity'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry></feed>
