Monthly Archives: July 2007

Do Mess With Texas


Steven Peisner heard about a new Texas requirement to shred documents with identifying information, and tried getting into the TX Attorney General website with bogus information:

To his surprise, Peisner was allowed to proceed (without giving the three-digit security code on the back of his credit card, no less), and within moments he had access to the site’s database. For $1 per search, he ran searches on several common last names including “Campbell,” “Smith” and “Jones,” as well as “Greg Abbott,” the attorney general.

I.D.-Theft Watchdog Finds the State of Texas is Wide Open for I.D. Thieves, by Melissa Lafsky, Freakonomics blog, 12 Jul 2007 01:59 pm

He told Abbott about this, yet when he tried it again later, logging in with the name “Ima IDThief”, it worked just like before.

The scary part is that Texas is probably no better or worse than any other state or company about this sort of thing.

-jsq

Negligence and Breaches

Banks, shops and government departments have exposed thousands in Britain to the risk of fraud through “horrifying” breaches of data protection laws, a watchdog said on Wednesday.

In his annual report, Information Commissioner Richard Thomas, whose office enforces the Data Protection Act, said firms must do more to secure people’s private details.

“The roll-call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said in the report.

Privacy watchdog warns of “horrifying” breaches, The Scotsman, Reuters, 11 July 2007

He’s not talking terrorism, so we can hope this is not just more FUD.

Security Executive

Well, this should seem obvious:

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business.

Whose Line Is It Anyway? Arthur, Emergent Chaos, 10 July 2007

Let’s go a bit farther:

Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: "Risk Decision Making: Whose call is it?" There he shares his thoughts on how to decide whether the Information Security team should be making information risk decisions for a company or whether that should come from upper management.

I would claim that this shouldn’t be an either/or question: it’s a both/and.


Connectivity: Engulf or Participate?

Can’t pass up an article with “Peril” in its title:

“I don’t think it’s a good thing, because it’s a threat to our culture,” said Tsereptse, who carries a bow and arrow with him at all times as a symbol of his position.

Some of the tribe’s younger members have been trying to convince Tsereptse that computers will have the exact opposite effect — that they can be tools to record and preserve Xavante folklore and traditions, and to disseminate them all over the world.

Awaiting Internet Access, Remote Brazilian Tribes Debate Its Promise, Peril, by Monte Reel, Washington Post Foreign Service, Friday, July 6, 2007; Page A08

These are members of the Xavante tribe in Mato Grosso state in Brazil. They don’t have electricity yet, but they’ve decided to get Internet access. Why?

Vulnerability Auction

Here’s a thought: pay security researchers, and get the pay from a variety of sources:

According to Herman Zampariolo, CEO of WSLabi, “We decided to set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report them to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.”

Finally a Marketplace Site for Security Research, WabiSabiLabi, Tuesday, 03 July 2007

It’s not clear to me that they would be "forced" to sell them to cyber-criminals, but this should give them incentive not to. And WSLabi first verifies who the researcher is and replicates the exploit independently before packing and marketing it, thus reducing chances of fraud or mistaken identification.


Punching Hornets

What do science fiction writer William Gibson, global guerrilla theorist John Robb, libertarian Republican presidential candidate Ron Paul, and the late historian David Halberstam agree about?

Still, it is hard for me to believe that anyone who knew anything about Vietnam, or for that matter the Algerian war, which directly followed Indochina for the French, couldn’t see that going into Iraq was, in effect, punching our fist into the largest hornet’s nest in the world.

The Late Halberstam’s Final Verdict on Bush: “He’s No Truman”, by Adam Howard, alternet.org, 5:38 AM on July 5, 2007.

One could add Napoleon in Russia and the British in America. Funny how fighting in Russia in the winter wasn’t like Italy in the summer.

Fidelity Horse Already Out of Barn

Maybe breach discovery is catching on:

“This significant security breach at a Fidelity National Information Services, Inc. subsidiary – compromising 2.3 million consumers – demands answers and actions to protect citizens from identity theft. My office is aggressively pursuing additional information from Fidelity, and will ensure the company adheres to Connecticut law requiring prompt notification to consumers whose personal private information may have been compromised.

“As a first step in our investigation, we are contacting the company to seek information, including the scope and magnitude of the security breach, consumer notification measures and remedies that may be implemented.”

Connecticut Attorney General’s Statement On Fidelity Security Breach Involving 2.3 Million Consumers, by admin, 4 July 2007

Amusingly enough, the CT Att. Gen.’s own web pages say: “The site is currently unavailable. Please visit us again later.”

Laugh in the Face

Bruce Schneier reviews a paper that explains why terrorism doesn’t work. Examining 28 foreign terrorist organizations (so designated by the U.S. State Department), the author notes:

First, the groups accomplished their forty-two policy objectives only 7 percent of the time. Second, although the groups achieved certain types of policy objectives more than others, the key variable for terrorist success was a tactical one: target selection. Groups whose attacks on civilian targets outnumbered attacks on military targets systematically failed to achieve their policy objectives, regardless of their nature.

Why Terrorism Does Not Work, by Max Abrahms, MIT Press Journals, 2006

Why?

Terrorist Special Olympics

Bruce should go into standup:

First London and then Glasgow. Who are these idiots? Is there a Special Olympics for terrorists going on in the UK this week?

Terrorist Special Olympics in the UK, Bruce Schneier, Schneier on Security, 2 July 2007

Only it’s apparently not just in the U.K., considering the lame excuses for terrorists that DHS has dug up. Anyway, laughing at them seems more appropriate than fearing them.

-jsq

Conglomerates’ End

Previously I’ve mentioned that the era of blockbusters is over. Maybe there’s a corollary:

Is the heyday of media and entertainment conglomerates behind us?

A panel of industry analysts and bankers discussed this and other deal making questions as part of a PricewaterhouseCoopers event here Tuesday, with several of them arguing that conglomeratization has no real benefits, especially in the digital age.

“Consolidation in the old media world destroys value,” said Laura Martin, founder and CEO of Media Metrics LLC. “They are buying stuff (and audiences) because they don’t know what else to do.”

Media conglomerates in the past, panel says, by Georg Szalai, Hollywood Reporter, 27 June 2007

Sounds like they’re scared of the long tail and are trying to buy it up to co-opt it. Hm, why does that remind me of telephone companies?