Category Archives: Compliance

Phishing Verified

Or is it really phishing when the victim first broadcasts his bank account details?

Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:

“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”

At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.

-jsq

PS: Seen on BoingBoing.

Hammers to be Outlawed in UK

What can you expect when public, press, and government think “hacker” means criminal?

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

A revamp of the UK’s outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called “hacker tools” draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

UK gov sets rules for hacker tool ban: Consultants in frame? Definitely Maybe, by John Leyden, The Guardian, published Wednesday 2nd January 2008 15:54 GMT

How long will it be before a simple traceroute gets you not only disconnected from your ISP but also clapped in jail for “hacking”?

It gets better:

Better Products Bootstrap

Gunnar notes the formation of a software vendor security best practices consortium and asks:

Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I’m a bit jaded on “best practices” due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would include having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvement.

-jsq

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?


FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

Q&A: Federal info security isn’t just about FISMA compliance, auditor says. Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan, Computerworld, June 14, 2007

Sounds like they haven’t implemented numerous simple security measures that were known before FISMA, they don’t have processes to do so, and they don’t adequately report what they’re doing, even with FISMA. What to do?


Real ID? No, Say DHS’s Advisors

The U.S. Government is proposing to implement a national identification scheme, yet the department that is supposed to implement it can’t get its own advisors to agree:

The Department of Homeland Security’s outside privacy advisors explicitly refused to bless proposed federal rules to standardize states’ driver’s licenses Monday, saying the Department’s proposed rules for standardized driver’s licenses — known as Real IDs — do not adequately address concerns about privacy, price, information security, redress, “mission creep”, and national security protections.

Homeland Security’s Own Privacy Panel Declines to Endorse License Rules, Ryan Singel, Threat Level, Wired Blog Network, 7 May 2007

The committee says REAL ID is not “workable” or “appropriate”.

This doesn’t mean DHS won’t implement REAL ID, however, with its approx. $21 billion cost to taxpayers and greatly increased paperwork required of all citizens, increased likelihood of identity theft, not to mention the obvious surveillance state implications.

Today, 8 May 2007, until 5PM EST, is the last chance to comment to DHS about REAL ID.

-jsq

Should a Breach be Unreported if It Wasn’t Really Lost?

Adam has some ruminations on what should happen when a data loss has been reported, and it turns out the data wasn’t really lost (the tape was found, the laptop was in the closet, etc.). While I can understand the temptation to strike out that entry in wherever it was logged, I think it’s important to keep both the original report and a new report of the data being found. Why don’t we see statistics on data that wasn’t really lost, anyway? Is it because lost data is almost never found? Or just nobody thought to compile such statistics?

-jsq

SOX Redux

What do U.S. Treasury Secretary Henry Paulson and Barney Frank, D-Mass., the incoming chair of the House Financial Services Committee, agree on?

U.S. Treasury Secretary Henry Paulson said the implementation of Sarbanes-Oxley corporate-governance regulations may pose a risk to the U.S. economy, advocating changes that fall short of introducing legislative adjustments.

"While necessary," the Sarbanes-Oxley accounting rules "are being implemented in a way that may be creating unnecessary costs and introducing new risks to our economy," Paulson, former head of Goldman Sachs Group Inc., said in a speech Monday to the Economic Club of New York.

Share sales have declined since the introduction of the law in 2002, and a "significant" amount of the time and cost taken complying with Sarbanes-Oxley might better have been spent creating jobs and rewarding shareholders, Paulson said.

Sarbanes-Oxley costs of compliance may threaten economy, official says, Bloomberg News, 11/21/2006

Paulson seems to be speaking in a great many euphemisms.
