Monthly Archives: March 2007

30% of Bank Firewalls Misconfigured

This is from Sourcemedia’s Financial IT Security Intelligencer:

During a year’s worth of bank and credit union security audits, audit firm Redspin found that 30 percent of firewall configurations evaluated violated the institution’s own security policy. Not surprisingly, Redspin offers a tool that can detect and remedy these inadvertent holes. The company pins the industry-wide problem on the fact that most IT administrators have wide-ranging responsibilities rather than network engineering focus. To highlight the issue, the vendor is offering free use of an online version of its analysis tool for the next 90 days, available at

Here’s Redspin’s PR. I don’t have any way to verify this report, but it’s also about what I would expect. Administrators are too busy cleaning the CEO’s laptop of its latest viruses to ensure their firewalls work.
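The audit finding above is about firewall rule sets that contradict the institution’s own written policy. As an added illustration of that kind of check (example code written for this post, not Redspin’s tool, and using a constructed rule syntax, constructed policy constants such as CORP_NETS and DMZ, and constructed sample rules), the following compares each allow rule against three policy statements and reports the rules that violate them:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy for the example (assumption, not from any real institution):
#  1. Management ports (SSH, RDP) may be reached only from the corporate LAN.
#  2. Sources outside the corporate LAN may reach only the DMZ.
#  3. Every allow rule must name an explicit destination port.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ = ipaddress.ip_network("192.0.2.0/24")
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None means any port


def parse_rule(line: str) -> Rule:
    """Parse the constructed format:
    '<allow|deny> <proto> from <src_cidr> to <dst_cidr> [port <n>]'."""
    t = line.split()
    if len(t) not in (6, 8) or t[2] != "from" or t[4] != "to":
        raise ValueError(f"malformed rule: {line!r}")
    port = int(t[7]) if len(t) == 8 and t[6] == "port" else None
    return Rule(t[0].lower(), t[1].lower(),
                ipaddress.ip_network(t[3], strict=False),
                ipaddress.ip_network(t[5], strict=False), port)


def violations(rule: Rule) -> List[str]:
    """Return the policy statements a single rule breaks (empty if compliant)."""
    if rule.action != "allow":
        return []  # deny rules cannot widen exposure
    reasons = []
    src_internal = any(rule.src.subnet_of(n) for n in CORP_NETS)
    if rule.port is None:
        reasons.append("allows any port; policy requires an explicit port")
    elif rule.port in ADMIN_PORTS and not src_internal:
        reasons.append(f"management port {rule.port} reachable from outside the corporate LAN")
    if not src_internal and not rule.dst.subnet_of(DMZ):
        reasons.append("external source may reach a non-DMZ host")
    return reasons


def audit(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (rule line, reasons) for every rule that violates the policy."""
    findings = []
    for line in lines:
        reasons = violations(parse_rule(line))
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample rule set; the last two allow rules are the misconfigurations.
SAMPLE_RULES = [
    "allow tcp from 0.0.0.0/0 to 192.0.2.0/24 port 443",
    "allow tcp from 0.0.0.0/0 to 192.0.2.0/24 port 80",
    "allow tcp from 10.0.0.0/8 to 10.20.0.0/16 port 22",
    "allow tcp from 0.0.0.0/0 to 10.20.5.7/32 port 3389",
    "allow any from 203.0.113.0/24 to 10.0.0.0/8",
    "deny any from 0.0.0.0/0 to 10.0.0.0/8",
]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_RULES):
        print(line)
        for r in reasons:
            print("   -", r)
```

The point of encoding the policy as code rather than prose is that the comparison can be rerun after every change, which is exactly the step an overloaded administrator is unlikely to do by hand.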


Postmodern Identity

Gunnar Peterson compiles some realizations by several people that there is no such thing as a unique identity, and people ought to get over that idea and think in terms of attributes. He concludes with:
Hunter S. Thompson said “buy the ticket, take the ride.” But don’t conflate yourself the ticket and the ride.

Openly IDentify your attributes with Open ID, 1 Raindrop, Gunnar Peterson, 15 March 2007

Don’t confuse the map for the territory; there may be multiple maps, and none of them completely describe the territory. Don’t confuse the sign with the signifier or the signified. Etc.

Information security needs to work itself forward historically from logical positivism at least to semiotics and postmodernism. Understanding what we don’t know and stopping pretending that there is such a thing as an absolute identifier would be good risk management.


SSN: Identifier or Authenticator?

Spire Security Viewpoint lists some salient points about social security numbers (SSNs), among them this one:
There are over 150,000 people (my estimate) with “defendable” access to your SSN right now. They aren’t secret.

SSNs Re-Re-Re-Revisited, 8 March 2007

And you’re ten times more likely, he says, to be victimized with identity fraud by one of these authorized people than by somebody else. His main point is that the problem with SSNs is not their use as identifiers but rather their use as authenticators. After all, if everybody knew SSNs as readily as names, credit card companies and the like would have to stop using them as authenticators. Then they’d have to use something better for authentication. That would be better risk management.
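The identifier-versus-authenticator distinction is easier to see in code than in prose. Below is an added example (written for this post, not from Spire Security; the account record, the name, the SSN 123-45-6789 and the passphrase are all constructed) that implements both patterns side by side: the legacy one, where the SSN is the proof of identity, and the sound one, where the SSN only selects the record and a separate per-account secret is the proof.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for real deployments


def _verifier(passphrase: str, salt: bytes) -> bytes:
    """Salted, slow hash of the account's real authenticator."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def make_account(name: str, ssn: str, passphrase: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "ssn": ssn, "salt": salt,
            "verifier": _verifier(passphrase, salt)}


# Constructed directory keyed by SSN: the SSN is the lookup key, nothing more.
ACCOUNTS = {
    a["ssn"]: a
    for a in [make_account("Alice Example", "123-45-6789", "correct horse battery staple")]
}


def lookup(ssn: str) -> Optional[dict]:
    """Identifier use: the SSN picks the record. Knowing it proves nothing."""
    return ACCOUNTS.get(ssn)


def authenticate_legacy(name: str, ssn: str) -> bool:
    """The pattern the post criticises: the SSN is treated as a secret,
    so everyone with legitimate access to it (the 150,000 in the quote)
    can pass this check."""
    acct = next((a for a in ACCOUNTS.values() if a["name"] == name), None)
    return acct is not None and hmac.compare_digest(acct["ssn"], ssn)


def authenticate(ssn: str, passphrase: str) -> Optional[dict]:
    """Sound pattern: SSN selects the account, a separate secret proves it.
    Returns the account on success, None otherwise."""
    acct = lookup(ssn)
    if acct is None:
        return None
    if hmac.compare_digest(acct["verifier"], _verifier(passphrase, acct["salt"])):
        return acct
    return None


if __name__ == "__main__":
    # Someone who knows only the SSN: passes the legacy check, fails the sound one.
    print("legacy check with SSN only:", authenticate_legacy("Alice Example", "123-45-6789"))
    print("sound check with SSN only: ", authenticate("123-45-6789", "123-45-6789"))
    print("sound check with secret:   ", authenticate("123-45-6789", "correct horse battery staple") is not None)
```

Once the SSN is demoted to an identifier, publishing it as widely as a name costs the account holder nothing, which is the outcome the post argues for.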


Dating Risk

Chandler Howell writes about a fiancé who wasn’t happy about his fiancée requiring him to undergo a background check before dating:
I’ll bet he wasn’t, given that in the United States, the SSN is still the golden key to access someone’s potential lines of credit. Someone has probably already figured out that they can use a demand for this information as the source of inputs to commit full-fledged identity fraud. It’s an emotionally loaded demand, so it will probably work. Then, the scammer can break off the relationship for something that was allegedly found in the check. It’s the worst security of all: Insecurity in the name of security.

Beware the Dating Security Complex, by Chandler Howell, Not Bad For a Cubicle, March 9th, 2007

I bet it’s already worked. How long before some dating service that does background checks and reveals them to members before dating gets sued bigtime?


Narrowly Focused Anti-Terrorism

Bruce Schneier says he’s tired of headlines like one that says a new autopilot will prevent any more 9/11s, and says:

Why are people so narrowly focused? The goal isn’t to protect against another 9/11. The goal is to protect against another horrific terrorist incident.

Making Another 9/11 Impossible, Bruce Schneier, Schneier on Security, March 15, 2007

Why? Because 66-74% of the U.S. population have detail-oriented personalities, good at seeing details, not good at seeing the big picture. Other populations probably aren’t much different.


Reputation Management

In the previous post I mentioned reputation systems. The flip side of that is reputation management, so that companies can react to reputation systems and proactively manage their own reputations. It turns out that Harold Burson, “the century’s most influential PR figure”, and Jon Harmon are thinking along similar lines:
The key is in reputation management. When company leaders come to understand that reputation is the company’s most valuable asset, they will increasingly value those who can actively and successfully manage reputation.

Reputational momentum defines the art of the possible of nearly every other goal of the business or organization – sales, profits, retention, recruitment or fund-raising. If your reputation is on the rise, achieving your other goals is so much easier. Conversely, a poorly managed crisis leading to a significant drop in reputation can capsize even the company’s most valiant efforts to achieve its other goals.

An Open Letter to Harold Burson: Reputation Management Fulfills PR’s Highest Calling, Jon Harmon, Force for Good, 15 March 2007

Harmon’s specific suggestion has to do with a chief-level PR officer, with potential for being on CEO track. On the one hand, every profession seems to want this. On the other hand, after the big reputation botches at Intel and HP it’s hard to argue that corporations could use reputation advice at the highest levels, preferably before they shoot themselves in the foot. So a PR consigliere sounds good to me.


ID Theft Virus Map

Brian Krebs has used Google Maps to plot the locations of victims of identity theft:
I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Tracking the Password Thieves, Brian Krebs, Security Fix,

He didn’t have to look up the locations of the victims to map them; the virus had already done that for him, sometimes accurately, sometimes not. The virus cared because banks flag transactions that are from unexpected geographical locations.

Super-Cat Fear?

Warren Buffett notes that neither he nor anyone else knows whether the many big hurricanes of 2004 and 2005 were an aberration or the beginning of a trend, but super catastrophe bonds are the likely insurance response.
Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities. Appropriate prices don’t guarantee profits in any given year, but inappropriate prices most certainly guarantee eventual losses. Rates have recently fallen because a flood of capital has entered the super-cat field. We have therefore sharply reduced our wind exposures. Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.

To the Shareholders of Berkshire Hathaway Inc, Warren Buffett, Annual Report, Berkshire Hathaway, 28 Feb 2007

So the current super-cat market is unsure because a lot of capital has entered, yet not as many events happened last year as expected.


PS: Seen in Warren Buffett on Risk Management, Gunnar Peterson, 1 Raindrop, 2 March 2007.

Malamud Concludes

Carl Malamud has not only started archiving and indexing Congressional committee hearings, he’s spent two years studying the problem of using the Internet to make Congress accessible, and has concluded:
By the end of the 110th Congress, the U.S. House of Representatives could achieve the goal of providing broadcast-quality video of all hearings and the floor for download on the Internet.

Report to Congress, Carl Malamud to Nancy Pelosi, Speaker of the House, 13 March 2007

Sounds doable to me. See his report for copious details.