June 18, 2009

I see you’re gangsta – tattoos, biometrics, and the police

A gangster's main method of creativity and self-expression is becoming increasingly detrimental to their freedom.

Law enforcement agencies have long used any means of verifiable markings to link a suspect to eyewitness accounts of crimes. As a fairly permanent and distinct marker in identifying an individual, tattoos have been an invaluable tool in pursuing “persons of interest” over the years.


Now, science has brought us a tool that makes the process of searching through databases of thousands of tattoos to find that special someone much easier and quicker.

Enter Tattoo-ID.

Anil Jain and Jung-Eun Lee of Michigan State University’s Department of Computer Science and Engineering have developed a new methodology for categorizing and identifying scars, marks, and tattoos (SMTs). They have labeled the new process Tattoo-ID and believe that it will help law enforcement agencies more accurately and quickly link an SMT with the individual they are interested in.

Currently, law enforcement agencies use the standards for SMT classification stated in ANSI/NIST-ITL 1-2007, which, according to Mr. Jain and Mr. Lee, are subjective, time-consuming, and not scalable to meet the rapid growth in tattoo design.

With Tattoo-ID, the researchers believe their method can meet the needs of SMT identification as the needs of law enforcement grow.

Our approach is one of content-based image retrieval using features (e.g., color, shape, and texture), instead of labels or keywords, to compute the similarity between two images.

Currently, the program correctly identifies 835 out of 1,000 query images on the first attempt, against a database of 64,000.

Although blurred images and low quality image sources create lower success rates, Mr. Jain and Mr. Lee feel that by tweaking their current process and with the addition of new algorithms in their software, the tool will be able to resolve a larger number of SMTs quicker and more accurately, with even larger image databases.

Michael Mongold

June 10, 2009

Lxlabs head commits suicide

Sadly, the CTO and founder of Lxlabs was discovered dead in his home in Bangalore Monday morning, from an apparent suicide. As reported in The Times of India, K T Ligesh, 32, was found by a friend, hanging in his room.

As I discussed yesterday, up to 100,000 websites had been erased due to a vulnerability in Lxlabs’ software at webhost provider, VAServ.

According to various reports, Mr. Ligesh was deeply agitated over recently losing a project to another company, as well as living with the loss of both his sister and mother a few years ago to suicide by hanging.

Despite what other contributing factors may be at play in Mr. Ligesh’s decision to take his own life, it cannot be clearer that the actions of the hackers that attacked VAServ’s websites played a significant role in this tragedy.

I assume the criminals that infiltrated VAServ’s infrastructure and destroyed the efforts of so many; that created so much anxiety and distress and then caused untold financial damages – that they never really MEANT for someone to die either directly or indirectly from their actions. But it doesn’t really matter; the results of unintended consequences are always just as bad as the results of those that are intended. They are still a product of someone’s actions or inactions and they are still responsible (if even just partially).

Unfortunately, knowing how often hackers are brought to justice, we can also assume that this wrong will never be righted. RIP K T Ligesh

June 09, 2009

Webhost hacked – VM vulnerability blamed

According to The Register, a hacker attacked a webhosting company’s virtual server infrastructure on Sunday and erased up to 100,000 sites.

Vaserv.com was hit by a calculated attack on its virtualization application which left roughly half of Vaserv’s customers without a website.

Rus Foster, a director at Vaserv, stated that LXLabs’ HyperVM had been compromised via a zero-day exploit. They are currently trying to reach LXLabs to find a solution.

Visiting Vaserv’s website shows an organization in full triage/crisis mode.

At the time of this writing, Vaserv’s site is just a text document showing the status of their server recovery progress (or lack thereof).


Pretty tough times as an administrator (both for a system and web admin).

A very thin but important silver lining is the encryption Vaserv implemented that allowed them to keep the actual data from being usable by the hacker(s).

Ultimately, this shows me two things:

1) How organizations’ reliance on VMs has created a keystone in the arch where a hacker can pinpoint their attacks to reach maximum destructiveness. If a hacker wants to access data for the sake of profit, they go after the database. Alternatively, if they want to go for destructiveness, they can vector in on the VM infrastructure.

VMs are a business reality for large organizations which must rely on fewer physical machines that hold far more virtual servers running many more services. Ultimately this allows enterprises to leverage their rack space more efficiently, but creates a more appealing and concentrated target for people bent on mayhem. Thus, as this VM-reality matures in the TecSec community, the strength and security of the VM infrastructure itself becomes exponentially more important.

In the past, we’ve had to worry about the OS and the applications within it but now we must be concerned with the layer that manages the operating systems themselves. No doubt all webhosting companies are going to re-evaluate their VM security posture as news of this spreads. As for the TecSec community at large, we will need to pay closer attention to what risks VMs pose from motivated individuals.

and 2) How incredibly malicious hackers can be. At one time, there was the idea that someone would deface a site to make a statement or to show a webmaster his site was vulnerable. Wiping out 100,000 websites, however, is beyond explanation.

Michael Mongold

June 08, 2009

Virginia Patients at Risk


Known: a hacker gained access to the Virginia Prescription Monitoring Program and then asked for a ransom of $10 million. According to The Virginian-Pilot, the following is also known:

The database contains records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse, such as OxyContin, Vicodin and Xanax.

The records include patients' name, address and date of birth, the name and quantity of the drug prescribed, and identifying numbers for the doctor and pharmacist.

What is unknown is whether the hacker gained access to the customers’ Social Security numbers, which were stored alongside many of the customers’ pharmacy records. Throw in the 1,400 or so doctors and pharmacists who entered their Social Security numbers and you have the potential for a real mess.

Also unknown is whether the database was encrypted. The hacker stated that he had copied the database and deleted the commonwealth’s backups of the database, although Virginia claims to still have access to its backups.

One thing is for certain, some administrator is hating their life right now while they have to explain why 530,000 patients must now watch their credit report and bank accounts more diligently than ever.

Finally, there is the irony where the Roanoke Times reports that:

…lawmakers were told that the VDHP ranked in the top 5 percent of state agencies in an audit of information security.

Not the most confidence-inspiring statement the state could make.

Databases are ultimately one of the great prizes for hackers. In one fell swoop they can acquire more data than if they stole 100,000 laptops. This is an excellent example why database security and encryption should be paramount for any organization that stores sensitive information. Way to learn one the hard way, Virginia.

Michael Mongold

Security enhancement for iPhone = Find My iPhone

For those who have been pushing their company to adopt the iPhone as a business device, at least now you can present the security argument as a little stronger.


A few minutes ago, Apple unveiled at WWDC a remote wipe feature through its new “Find My iPhone” application.

In addition to allowing you to remotely erase your iPhone (something available on other devices for some time now), you can also view where your iPhone is on a map, make your iPhone beep so that you can locate it (even if it is in ‘silent mode’), AND display a message to the person who stole (er, found) your phone. Perhaps something like “I know you have my iPhone, I know where you’re at – I’m coming to get it”.

The catch? You must subscribe to Apple’s MobileMe service to have access to the “Find My iPhone” features. Still, for companies who have potentially sensitive data stored on their iPhones, this becomes a no-brainer.

Michael Mongold

Worst ISP in the US = Pricewert

Well, that’s according to the FTC who shut their connectivity off late last week. And if their claims are accurate, I believe they have a pretty good case for giving Pricewert the title.


According to the FTC’s press release, Pricewert (AKA 3FN, APS Telecom, among others) knowingly hosted child pornography, malware, and spam servers which were responsible for depositing trojan horses, viruses, spyware, phishing attacks, botnet C&C servers, as well as numerous additional web sites with illegal material on them.

If you have ever wondered why a website can exist that can do so much damage or why spam servers can clog your e-mail with so much time/money wasting data or where the truly bad/sick people on the web go for their disease, this is it.

The claim states that by ignoring security groups’ notices to disconnect the offending sites and by frequently changing the source IP address of the servers, Pricewert was able to provide criminals a safe haven on the web.

If the allegations are true, let’s hope that the government doesn’t wait so long next time to find organizations like this on the web and shut down this conduit of crime and filth.

Michael Mongold

June 04, 2009

Smart Cards are not rocket science

NASA may have to reissue more than 70,000 smart cards that have been provided to NASA employees over the past three years due to security concerns.


Prior to the Homeland Security Presidential Directive 12 (HSPD-12) mandate for a Personal Identity Verification (PIV) card, NASA was in the process of deploying their own common badging and access control system (CBACS) - as were a number of other agencies. However, according to a report filed by NASA’s Inspector General, they did not follow federal guidelines for ensuring the proper transition and oversight from their own card implementation to the new PIV standards.

Although the Inspector General’s office did not find that any cards had been distributed to individuals with inappropriate access, it leaves the door open for that possibility.

At the heart of the issue is this:

“While NASA properly assessed the PIV card issuer for satisfaction of Federal requirements at both organization and facility levels, found deficiencies, and developed a corrective action plan in accordance with Federal guidance, the Agency did not monitor corrective actions to ensure that identified deficiencies were corrected nor initiate timely reassessment. If the reassessment of the PIV card issuer reveals that significant deficiencies continue to exist and those deficiencies affect the integrity of the PIV cards, NASA could be required to discontinue PIV card issuer operations and reissue its PIV cards, which we estimate could cost a minimum of $1 million.”

Ouch. And the audit did not even include the Jet Propulsion Laboratory due to its own PIV issues.

Ultimately, if the Inspector General’s office is able to confirm that the credential provider’s failings persisted after NASA’s knowledge of them AND if it resulted in any inappropriate issuance – 98% of NASA’s employees will have to undergo the badging process again.

For the Inspector General’s full report, click here

Michael Mongold

Congress set to impose biometric competition in airports

If it isn’t broke, don’t fix it – even if it could possibly save money. That’s what the airports are saying to Congress now that legislation is before the House to revamp the biometric technology selection process at airports around the country. I feel for the airports, since they seem to have a system in place that they like and, on the face of it, is relatively inexpensive. However, I’m sure there are a number of access solution providers that are eager to take a stab at winning the business. Here’s the whole story… {via Washington Technology}

June 03, 2009

Clean Security Bill of Health?

What if a doctor told you that you had a clean bill of health, only to find that he missed a dangerous growth which later caused significant damage because it was not treated earlier?

This is basically the gist of a lawsuit that Merrick Bank has brought against Savvis in a federal complaint.

The short-term effects of this lawsuit will no doubt include a chilling effect on the compliance-service industry as they recognize their own vulnerability in signing off on an audit.

It has always been critical that if you are giving someone a stamp of approval, that they truly meet the standard that has been defined. It’s important that your beef has been properly approved by the USDA and it’s important that your compliance with a security standard (Visa’s Cardholder Information Security Program or CISP, in this case) has been thoroughly vetted and approved.

No doubt, there have been security “stamps of approval” that have been given out to organizations in the past that might not have been deserving, and we’ll never hear about them. And this might not be one of those times, since we’ll have to wait until Savvis has had an opportunity to defend itself and we hear the ruling by the court. However, it was inevitable that we would see a lawsuit like this occur at some point.

If you tell me, or rather, guarantee me that I am compliant with a regulation or meet a certain standard or criteria and then I am fined a significant amount of money ($16 million in this case) because I am not, you can rest assured I will come to you for some answers and some compensation.

What can be done to avoid this? This certainly invokes a number of questions. After all, companies are paying these auditors to ensure they can bypass this whole mess. Ultimately, it will require more transparency of the actions performed by the auditing organization and the certifications of each individual auditor. If an auditor has passed a certification and his actions (or inactions) lead to a failure like this, should his certification be revoked? For my two cents, I believe this moves us a step closer to requiring a license-like structure for data security auditors that could have a better mechanism for granting and revoking its credentials. Ultimately, passing a test and receiving a certificate carries limited, if any, accountability on an individual level.

However, the question that will be addressed first is what culpability an auditing organization has when damages occur to a customer they have certified as compliant. For this, we will have to stay tuned to how the court rules. One thing we know for sure, companies that perform audits will take another look at how their contracts are worded and review carefully how they perform their contracts.

 

Michael Mongold

June 26, 2007

VA vs USB

This is a little stale but I wanted to talk about it anyway. With their latest actions, I believe the Department of Veterans Affairs is quickly becoming the poster child for reformed data loss victims.

(important to note that, in this case, the data was eventually recovered)

The VA announced a few weeks ago that they have purchased 25,000 USB drives with built-in encryption from Kanguru.

The built-in AES-256 encryption will help ensure that only authorized users can gain access to the USB drive and will prevent another major meltdown if one is lost or stolen.

Also, it should be noted that Kanguru says that they can prevent users from attaching the devices to the network based on a device identification number.

I believe that this is a great step but one that must be accompanied by some level of control. I have stated in this blog a number of times that a policy without the means to enforce it is just window dressing.

So, kudos to the VA on a positive step and showing corporate America the direction to move in. Just make sure that you keep the momentum going and block access to the unauthorized USB devices out there.

Michael Mongold

June 25, 2007

Shameless Self-Promotion

Since I only do this blog for my own narcissistic pleasure, won't you please go to Austin's "Best of" poll and vote for me as the best blogger? Many humble thanks, my friends!

 

http://www.austinchronicle.com/feedback/bestof/07/

 

Michael Mongold

Quicken backdoor outed...

A Russian firm, ElcomSoft, is now selling a password recovery tool that helps you gain access to Quicken, Quicken Lawyer, and QuickBooks for only $99 for a commercial license.

ElcomSoft gained access to files encrypted by Quicken's software by discovering a backdoor that Quicken had placed in their software for password recovery scenarios.

ElcomSoft discovered that Quicken had implemented a 512-bit RSA key. After factoring the key, ElcomSoft promptly moved forward with a solution that can instantly remove the passwords protecting Quicken files.

The result is, if placed in the wrong hands, this product could potentially open a number of customers to the exposure of very sensitive data to competitors and the public, alike.

Quicken has responded that they take this threat seriously and are working on resolving the issue.

Until they have provided a work around for the backdoor, make sure you keep a tight hold on any Quicken documents.

Michael Mongold

June 21, 2007

Senforce integrates encryption into NAC

Senforce announced on Monday that they will incorporate data encryption into their NAC offering.

Back in March, I suggested that a natural evolution of encryption and NAC would eventually bring the two together. Kind of like chocolate and peanut butter.

Now, Senforce is making a play in that direction.

I'll spare you the trauma of reading their press release. Suffice it to say that after they finish huffing about how they are the leader and all that (you know, the usual press release BS), they eventually say a little bit about how they are planning to prevent "thumbsucking", a term that they are a little overly proud of creating.

(Thumbsucking refers to data that is "sucked" off of corporate devices and onto USB drives. The term "slurping" has been around longer and refers to programs that automatically search for certain file types on a hard drive and pull them over to an iPod or other removable device when it attaches to the computer.)

So, verbiage aside, I am glad to see someone pick up this angle of data security. Right now, everyone I speak to is concerned about USB proliferation in the workplace. For organizations that have sensitive data (i.e. everyone), this is a critical issue.

The beauty of NAC is that it can easily incorporate new technologies and flash points into controllable security policies as they arise. This kind of flexibility and control are what is required as data security evolves.

I always tell organizations that without NAC, your security policies have no teeth. Policies are basically words on a paper with no means of observing or enforcing behaviour. NAC gives you the ability to change all of that.

Quite honestly, I'm not sure how CEOs/CFOs/CIOs/CISOs can sleep at night - with all of the current regulatory constraints that are flying around, not knowing what is on the network, and then not having the ability to do anything about what is on your network, even if you did know.

Hmmm - guess I should be glad I'm not in that position.

So, while I can't recommend Senforce's offering yet since I haven't had a chance to play with it, I will say that I like the thought they have put into the features listed and look forward to seeing more of it (and the offerings from other NAC vendors) in the future.

Michael Mongold

June 20, 2007

Government buys encryption

Can I get an "Amen?" The General Services Administration just announced that they have selected 10 data encryption companies to "guard sensitive, unclassified data that reside on laptops, mobile computing gadgets and thumb drives."

The ten companies are:

  • Mobile Armor's Data Armor
  • Safeboot's SafeBoot Device Encryption
  • Information Security's Secret Agent
  • SafeNet's SafeNet ProtectDrive
  • Encryption Solution's SkyLOCK At-Rest
  • Spyrus' Talisman/DS Data Security Suite
  • WinMagic's SecureDoc
  • CREDANT's CREDANTMobile Guardian
  • GuardianEdge's Data Protection Platform

It is an interesting line-up of encryption vendors with some of the usual suspects included and then a few that made it from out of left field and then a few notables that were left off.

Of the surprises on the list:

  • Information Security
    • A small player who caters to the federal space
  • Encryption Solution
    • Finding information on this company was like pulling teeth. Not much of a presence in the market. However, with government contracts, it's always fun to see who has been doing the most lobbying

 

Of the surprises OFF the list:

  • Utimaco
    • With about a quarter of all of the encryption licenses in the world, their absence is definitely noteworthy. Perhaps because they're German?
  • Pointsec
    • The other 800 pound gorilla in the encryption market. Recent purchase by Checkpoint should have made them more palatable to the government, but I guess they're still too Swedish.

It was good to see WinMagic make the list. They're a good group of guys and I'm sure they worked hard to get this deal.

It appears that GuardianEdge may be back in the good graces of the government after winning and then losing the VA deal. Word is that they are having a lot of problems financially, so we'll have to see if this keeps them afloat for a while longer.

Also, good to see Mobile Armor. I have been hearing a lot of good things about their software and look forward to getting my hands on some of it soon.

To put things into perspective, the deal is worth at least $79 million over the next five years.

On top of all of the government agencies that can get in on this deal, state and local governments can get the same pricing through the winning vendors for their various organizations. This represents a tremendous opportunity for local and state authorities to provide encryption for their users' data at greatly reduced costs.

So if you are a local or state agency, jump on this deal because it is unlikely you will find better pricing on your own.

Michael Mongold

June 19, 2007

Ohio mess could have been prevented...

This may be hard to believe, but experts are saying that IF the data stolen from Ohio had been encrypted, it would have prevented the worries they are going through now.

Uh, yea. No kidding. Oh, well. More fodder for the bloggers and newsies to write about. There certainly seems to be no shortage of it.

The plus side of this is that these big, very public losses are helping divert attention from the smaller losses that are occurring everyday. So, if your company has any data theft that it needs to report, try to time it around another data theft that is a lot larger. Most likely the news outlets will only run one story on data theft that day and choose to run the other company's screw up. Bonus points if you report this late on a Friday.

I should be a political spin-meister.

Of note is Gov. Strickland's stance that Ohio "maybe should have considered encrypting the data". Regardless, he believes the data is still safe because it should be difficult to use the data on the hard drive.

I hope the Ohio voting populace feels better about their tech-savvy governor telling us how it is.

Perhaps the car that the data was stored in maybe should have been harder to break into as well.

Michael Mongold

June 18, 2007

Find the Phish

My fiancee forwarded an e-mail she received today from a bank that she does not use. The e-mail stated that the bank had locked her online access and needed some information from her.

Here is the gist of it:

"Dear customer,

Your access to Online Services has been suspended. Due to a miss-match access code between your Site key information. To enable you continue accessing your online account it will only take you few minutes to re-activate your account. Click on the link below and you will be taken straight to where you can activate your account."

It goes on to provide a link to the bank, which if investigated shows that it actually points to a link at MISIONCRISTIANAELIMHN.com. Performing a quick check at dnsstuff.com shows that it is registered to Solucion Logica in San Pedro Sula, Cortez, Honduras with Julius Barber as the technical contact. Continuing along this path, I visited Solucion Logica's website at www.slogica.net and found that they are currently having problems with their mail because one of their servers is being used for Spam.

Of course, they say that they are investigating who the culprit is and once that account has been discovered, it will be suspended. Also you are welcome to call 9982-8141 if you have any questions, but you better be fluent in Spanish.

I guess where I'm going with this is the fact that this should not be happening. Organizations which allow people to spam from their servers should be held liable for any damage that it does. And let's face it, this is not just spam but an attempt to illegally gain someone's banking information.

No less than an outright attempt to steal money from someone and it should not be tolerated.

I am a strong proponent of what the Electronic Frontier Foundation represents and I believe an open Internet allows for the most advances. However, allowing people to attempt such flagrant scams should not be tolerated. And yes, there are other things that occur over the Internet that are even more disturbing, but our law enforcement personnel are already pursuing those individuals.

I guess I find it hard to believe that in this day and age, someone can feel so brazen as to attempt something like a phishing scam and not be concerned about the repercussions.

Let us hope that someone will put into effect a mechanism to block those that attempt scams such as these.

Here's a thought: If a government body ran a DDOS, after judicial approval similar to a wiretap proceeding, against one of these creeps, it would force ISPs to be much more diligent about the junk they allow through their networks.

Of course, the ISP would need to be given prior knowledge and a chance to work the issue out themselves, but at least we would have some recourse.

Right now, we place the burden of self-protection solely on the end user, which sounds like money to a phisher.

What do you think?

Michael Mongold

June 15, 2007

Ohio State Employees Show It All

An employee for the state of Ohio lost a CD containing the Social Security numbers and "other" personal information for ALL 64,000 Ohio state employees.

Now Governor Ted Strickland has stepped in and issued an executive order to change the way data is handled.

I did a quick search to look at who had picked up this release. It was on the top of MSNBC's website under the heading "Also Making Headlines". ABC, the Boston Herald, Baltimore Sun, Forbes, Houston Chronicle, and over 130 other news outlets decided that this was important enough to announce. Not the kind of headlines you want to make.

So please take a moment and visit this site. It is the Governor's office's announcement and a copy of his executive order. I believe they are handling this very well and I completely approve of the steps they are taking and the immediacy they are giving this issue.

Among the steps, is a change in their completely BONE-HEAD methodology of storing this data off-site. That alone should get someone fired. Storing this kind of information at some employee's apartment? Are you kidding me? Folks, if any of you are doing this then count yourself lucky that you are still employed and hire someone today that can securely and legitimately store the data.

Next, the assessment is so important. They need to know what data is important to secure and what data is not. They need to ensure that every point where the data is handled is handled properly.

Lastly, the push to have this occur within seventy-five days is extremely aggressive for any government body so I'll cut them some slack on the timeframe. 

Also, I like the fact that they have setup a website so the state employees can have a place to get the latest info on the breach.

Of course, credit monitoring (and the costs associated with that) is de rigueur at this point.

It is unfortunate that the disc (or device depending on where you get your information) was "contained on a specialized medium" and that "it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so."

I say unfortunate because it doesn't really mean squat in this situation. They are still being run through the wringer because they can't say authoritatively that the disc is encrypted and completely worthless to anyone that doesn't have the key.

So take a good look at how Ohio is addressing this problem. They are doing a great job of trying to clean up a mess they could have prevented in the first place.

In fact, I would just keep this site handy in case you don't have your own ducks in a row. Ohio might become a good template for your company. And on that sarcastic note, I sincerely wish you a fun and safe weekend!

Michael Mongold

June 13, 2007

When Richard Clarke Speaks...

...I hope that your ears perk up. Mr. Clarke has been in the tempest of security on many levels over the past few years. His experience working with four different presidents and the inner machinations of the federal intelligence network has given him an authoritative perspective from which to view the legitimate threats that organized and motivated individuals can present to all organizations.

Now Richard Clarke has come forward to push something near and dear to my heart: data encryption.

You can read the article for yourself but I have to point out this one comment by Mr. Clarke:

 

"It's about what you don't know, or what you don't see or can't prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn't in front of you doesn't mean it's not a problem."

 

That pretty well sums it up. People are losing data on a scale that they don't even understand. Criminal organizations are discovering this at an alarming rate. Malice follows the path of least resistance to the greatest payoff.

Once organizations take this more seriously, the criminal components of our society (both one-offs and organized) will move along to an easier prey.

It is unreasonable to expect this to go away until it becomes unprofitable for them. Thus, as more organizations push for higher standards of data protection, it will force those seeking the information illegally to look at an increasingly smaller subset of companies and institutions that do not have adequate data protection deployed. Additionally, those performing these invasions will hone their techniques to further perfect their processes.

The end result: The longer you wait, the more likelihood you have of being exposed.

Here's a little formula (let's call it Mongold's Formula of Data Vulnerability for narcissistic reasons) that I threw together to help represent this:

 

P = (Gb - Ga) * Ch+1 * t

 

P = Probability that an incident will occur

t = Time

Ga = The organizations that are increasing their security

Gb = The organizations that are not increasing their security

C = Criminal attempts

h = multiplier representing criminal learning curve

 

Thus, the longer you wait to protect your sensitive data, the fewer organizations will be standing with you and the more criminal attempts (increasingly successful thanks to the attackers' experience) will be launched against you over time, which adds up to a much greater probability that you will be successfully attacked.

Yeah, that's oversimplified, but it hopefully helps explain why every organization should have a certain sense of urgency.

You don't want to be one of the last targets in the shooting gallery.

Michael Mongold

June 12, 2007

So long and thanks for all the fish!

Checkpoint performed some research that shows when most people leave a company, they take some amount of company data with them.

This seems to be fairly intuitive. I am sure that a number of people will forward contacts that they want to stay in touch with or maybe examples of their work for their next position. And I suppose, some would take data for malicious intent as well.

But as the one who has been tasked with ensuring that the integrity of the data within your organization is kept intact, how do you ensure that people leaving your company leave the sensitive data behind?

Well, quite honestly, that's not an easy task. Without some form of certificate-based access that allows for centralized access and permissions to documents, there are few ways to expire that information once it leaves the confines of your network.

There are a few software packages that can allow you to wipe a document after a certain period of time, and then there are also the programs that require the documents to connect to a centralized location to ensure the person attempting access is allowed. But no organizations that I am familiar with are deploying anything like this on a grand scale.

The problem always starts with identifying the data that needs to be protected. This must be the first step on the road to securing sensitive data. If you do not know what to protect, then you are wasting cycles on data that might not need protecting and possibly missing the data that does need securing.

Once you feel comfortable with what you know and don't know, then you can proceed to defining access roles and implementing control mechanisms.
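To make the "identify the data first" step concrete, here is an added example (my own illustration for this post, not Checkpoint's or any product's code) of the simplest form of that identification: a scanner that looks for the identifiers that would matter if they walked out the door on a thumb drive. The patterns, the handling labels and the sample documents are all assumptions I constructed for the illustration; the card number is the industry's standard test value and the routing number is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Finding is one category of sensitive data located in a document.
type Finding struct {
	Kind  string
	Count int
}

// Patterns are deliberately narrow. A production scanner adds context checks
// to keep false positives down; the routing-number pattern shows the
// label-required approach and the card pattern shows checksum validation.
var (
	ssnRe     = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe    = regexp.MustCompile(`\b(?:\d[ -]?){15}\d\b`)
	routingRe = regexp.MustCompile(`(?i)routing(?:\s*(?:number|no\.?|#))?[:\s]+\d{9}\b`)
	emailRe   = regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)
)

// LuhnValid reports whether the digits in s pass the Luhn checksum used by
// payment card numbers; spaces and dashes are ignored.
func LuhnValid(s string) bool {
	sum, n := 0, 0
	double := false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		n++
	}
	return n >= 13 && sum%10 == 0
}

// Scan returns the kinds of sensitive data found in text, sorted by kind.
// A 16-digit run that fails the Luhn check (a PO number, say) is not a card.
func Scan(text string) []Finding {
	counts := map[string]int{
		"ssn":     len(ssnRe.FindAllString(text, -1)),
		"routing": len(routingRe.FindAllString(text, -1)),
		"email":   len(emailRe.FindAllString(text, -1)),
	}
	for _, m := range cardRe.FindAllString(text, -1) {
		if LuhnValid(m) {
			counts["card"]++
		}
	}
	var out []Finding
	for k, v := range counts {
		if v > 0 {
			out = append(out, Finding{k, v})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind < out[j].Kind })
	return out
}

// Label maps findings to a handling class: identifiers that enable fraud make
// a document RESTRICTED, contact details alone make it INTERNAL.
func Label(findings []Finding) string {
	for _, f := range findings {
		switch f.Kind {
		case "ssn", "card", "routing":
			return "RESTRICTED"
		}
	}
	if len(findings) > 0 {
		return "INTERNAL"
	}
	return "PUBLIC"
}

// SampleDocs are constructed inputs: the SSN and card number are standard
// example/test values and the routing number is a placeholder, not real data.
var SampleDocs = []string{
	"Payroll export: Jane Doe, SSN 123-45-6789, routing number: 123456789, card 4111 1111 1111 1111, jane.doe@example.com",
	"Meeting notes: ask bob@example.com about the projector order, PO 1234 5678 9012 3456.",
	"Lunch menu: tacos on Tuesday.",
}

func main() {
	for _, d := range SampleDocs {
		f := Scan(d)
		fmt.Printf("%-10s %v\n", Label(f), f)
	}
}
```

Run against the three constructed documents, the payroll export comes back RESTRICTED, the meeting notes INTERNAL (the PO number looks like a card but fails the checksum) and the lunch menu PUBLIC, which is exactly the inventory you need before you can decide which access roles and controls apply to each.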

This is where things tie back into where I began.

This study by Checkpoint was performed to sell Pointsec's Device Protector which allows organizations to define which USB devices are allowed to connect to corporate assets and how data is allowed to be transferred between the two.

This is important because users have always taken data with them when they've left their company.

What may have been just some notepad with a few bits of information jotted down on them thirty years ago can now be a million files on an eight gigabyte hard drive in someone's pocket.

The potential for problems dwarfs the past possibilities. (that's an alliteration, folks)

WinMagic, Utimaco, and Guardian Edge, to name a few, also manufacture products similar to Device Protector to help organizations rein in USB access.

 All of these manufacturers know that there is a need for their products and that it's only a matter of time before every organization comes to that same conclusion.

Michael Mongold

June 07, 2007

The times they are a-changin'

Today, we are at a point in the technological evolution of encryption that is unparalleled. In the past, encryption was relegated to only government or military organizations due to the cost and expertise involved in the encryption/decryption process. However, now we are seeing the most advanced encryption technology available being used by consumers on a global scale.

This could not have come at a better time.

Nowhere in our past has so much information been so readily available to all who would look for it. And now it is becoming apparent that in a number of circumstances data is too readily available, and the controls around it do not go far enough to ensure that proper authorization is given before access is permitted. The pendulum has swung to the other side, and organizations find themselves scrambling to rein in the generous amounts of access that once existed.

As different organizations have responded to the clamor of their personnel for more access to more data, more of the time, the checks and balances responsible for ensuring that prudent measures are in place for these actions have become skewed.

Enter mass data encryption.

It has now become a race by organizations to collectively attempt to plug the multitude of vectors for data loss that have sprung up due to all of this unfettered access that has been permitted. Daily we see the reports in blogs, online articles, newspapers, and even the evening news, where this organization or that organization has lost thousands or millions of pieces of their customers' data. The ensuing fallout results in financial loss, name-brand disintegration, and loss of personnel. Additional measures by our state and federal governments are ensuring stiffer penalties in the future for organizations who fail to protect the data of their customers and users.

However, encryption can provide a means to stem the flow of data exiting these organizations. Simply by deploying full disk encryption, a wide swath of potential data loss can be prevented, rapidly and with little or no interference to your current business processes. Additional measures to shore up the protection of removable media devices, e-mail, tape backup storage, network shares, and individual files and folders can allow any organization the ability to rest easier at night.

Taken as a holistic approach, users can have access to data when and where they want without compromising the integrity of an organization's security policies. Through a phased approach of technology and education, each organization can ensure that it is giving its customers an adequate level of protection against the accidental or malicious misuse of their data.

Michael Mongold

 

May 10, 2007

Insult to injury

Ah, the poor, often maligned TSA. It really hurts that they lost a laptop containing the names, Social Security numbers, birth dates, bank accounts, and routing data of 100,000 of their past and present employees. Now, they are being sued by their employee union for being lax on security.

It's never a good sign when a government organization that has the word Security in it is being sued by its own employees for a LACK of security. That is just not very reassuring. But, hey, at least they caught the fact that I had a button fly on my last trip to SF. Just kidding, Kip! I'm probably already going to be audited for my comments on the IRS, I don't want to make my traveling any more convoluted than it is.

So, back to the lawsuit: The American Federation of Government Employees' national president, John Gage, stated today that the TSA's "reckless behavior is clearly in violation of the law."

Besides facing a lawsuit (only one so far) and looking incompetent, the TSA is paying Identity Force to monitor their employees' credit for one year and provide up to $25,000 in identity theft insurance.

However, the union is looking for a little more love.

They are seeking to force the TSA to comply with the 2001 Aviation and Transportation Act and the 1974 Privacy Act. Also, they want the TSA "to grant administrative leave to transportation security screeners requesting leave in order to protect against or correct identity theft or financial disruption caused by this data security incident."

Also, they want their credit monitored for the next five years, plus pay for any damages that result from the theft, plus pay each employee who was adversely affected by the theft the amount of $1000 (potentially $100,000,000.00 if you're keeping track), plus all legal fees.

Ouch!

This is, of course, in addition to the fact that we have the Secret Service and the FBI spinning cycles trying to hunt down this laptop, which, had it been encrypted, would not even have had to be reported. Of course, the FBI does not have a good record of finding laptops, so don't get your hopes up that this one is going to make it back.

The only good thing about the TSA's actions is that they reported it the day after they lost it instead of weeks or months later.

Oh well. The future of the encryption industry looks good...

Thanks, Kip!

One last thought: if you're keeping track of the letters that are sent out to people when an organization loses their data - please add this to your rapidly growing collection.

Michael Mongold

May 09, 2007

The most dangerous device

Thumb drives have been listed as the top security concern in a recent poll of 370 IT professionals. And for good reason: if your organization fails to frisk and search every person who enters and leaves your buildings for removable media, you may be exposing yourself to a large data loss in the near future.

Of course, a trade-off must be made between what is an acceptable level of intrusion into your employees' personal space and the amount of risk you are willing to assume.

Some employers would have a difficult time keeping their positions filled if they burdened their employees with complex and aggressive physical security measures, while other organizations, such as Sandia National Labs or the National Security Agency, come with certain expectations that security is going to be taken to another level.

Regardless, some measures to address this issue must be taken.

According to the market research conducted by Centennial Software (bias alert - they manufacture a solution to the problem - of course), 80% of the respondents do not "have effective measures in place to combat the unauthorized use of portable devices." The report continues by saying that 8.6% of the organizations polled have completely banned the use of portable devices, which makes me extremely curious how they have achieved this total ban, but that was apparently not documented.

Plus, it should be noted that the responses were pulled from IT managers while they were attending a technology-security-oriented conference, so the posture of these organizations may be slightly skewed from the norm.

The most important component of this article is the fact that IT managers are becoming aware of the dangers these little devices can present.

USB devices represent so much convenience that it has been easy to ignore the perils they can provide.

It is important to look at this as a bi-directional danger. It is not just the fact that someone could suck 80 GB of data off of a hard drive, but the fact that someone could place any number of malicious programs and/or code onto a network from within the organization.

And where there is a problem, there's a buck to be made.

As a result, there are a number of manufacturers that are beating a path to help organizations protect themselves. See Utimaco, Pointsec, Guardian Edge, Centennial, SafeBoot, and SecureWave among others...

So, the software you decide upon should provide the following functionality:

  • Block unwanted devices
  • Encrypt data written to USB devices
  • Allow data to be shared on authorized devices by authorized users

Also, remember that, unlike whole disk encryption which does not need to be intrusive into your end user's experience, device control requires policies to be created and the enforcement of those policies - which may rub some of your sensitive customers the wrong way.
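As an added illustration of the three requirements in that list (this is example code I wrote for the post, not Device Protector or any other vendor's implementation), here is the decision logic an endpoint agent would apply when a USB device is attached, together with the audit line it would send to the central log. The vendor/product IDs, group names and host names are constructed placeholders, and `EncryptedVolume` is an assumed signal from the agent that the device was mounted through its encrypting driver.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the endpoint agent does when a removable device is attached.
type Action int

const (
	Block     Action = iota // device is not mounted at all
	ReadOnly                // files may be read, nothing written
	ReadWrite               // writes allowed, and only through the encrypted volume
)

func (a Action) String() string {
	return [...]string{"BLOCK", "READ_ONLY", "READ_WRITE"}[a]
}

// DeviceID identifies a specific piece of hardware. A Serial of "*" in an
// allow-list entry matches any unit of that vendor/product.
type DeviceID struct {
	VendorID, ProductID uint16
	Serial              string
}

// AllowEntry is one approved device and the groups permitted to write to it.
type AllowEntry struct {
	DeviceID
	WriterGroups []string
}

// Policy is the organization-wide device-control rule set.
type Policy struct {
	Allowed []AllowEntry
	// UnlistedReadOnly lets unknown devices be read but never written;
	// false blocks them outright.
	UnlistedReadOnly bool
}

// Attach describes an attachment event reported by the endpoint agent.
type Attach struct {
	Host, User      string
	Groups          []string
	Device          DeviceID
	EncryptedVolume bool // agent mounted the device through its encrypting driver (assumed signal)
}

type Decision struct {
	Action Action
	Reason string
}

func (p Policy) find(d DeviceID) (AllowEntry, bool) {
	for _, e := range p.Allowed {
		if e.VendorID == d.VendorID && e.ProductID == d.ProductID &&
			(e.Serial == "*" || e.Serial == d.Serial) {
			return e, true
		}
	}
	return AllowEntry{}, false
}

func inAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// Evaluate applies the three requirements in order: unwanted devices are
// blocked, only authorized users may write, and writes go only to an
// encrypted volume. The least permissive answer wins.
func (p Policy) Evaluate(a Attach) Decision {
	entry, ok := p.find(a.Device)
	if !ok {
		if p.UnlistedReadOnly {
			return Decision{ReadOnly, "device not on allow-list"}
		}
		return Decision{Block, "device not on allow-list"}
	}
	if !inAny(a.Groups, entry.WriterGroups) {
		return Decision{ReadOnly, "user not in a writer group for this device"}
	}
	if !a.EncryptedVolume {
		return Decision{ReadOnly, "writes permitted only through the encrypted volume"}
	}
	return Decision{ReadWrite, "approved device, authorized user, encrypted volume"}
}

// AuditLine renders the decision for the central log; every attachment is
// recorded whether it was allowed or not.
func AuditLine(ts time.Time, a Attach, d Decision) string {
	return fmt.Sprintf("%s host=%s user=%s dev=%04x:%04x serial=%s action=%s reason=%q",
		ts.UTC().Format(time.RFC3339), a.Host, a.User,
		a.Device.VendorID, a.Device.ProductID, a.Device.Serial, d.Action, d.Reason)
}

// ExamplePolicy is constructed; the vendor/product IDs are placeholders.
var ExamplePolicy = Policy{
	Allowed: []AllowEntry{
		{DeviceID{0x1234, 0x0001, "*"}, []string{"field-sales", "it-ops"}},
		{DeviceID{0x1234, 0x0002, "SN-TEST-0042"}, []string{"finance"}},
	},
}

func main() {
	events := []Attach{
		{"lt-017", "alice", []string{"field-sales"}, DeviceID{0x1234, 0x0001, "SN-A1"}, true},
		{"lt-017", "alice", []string{"field-sales"}, DeviceID{0x1234, 0x0001, "SN-A1"}, false},
		{"lt-022", "bob", []string{"marketing"}, DeviceID{0x1234, 0x0002, "SN-TEST-0042"}, true},
		{"lt-022", "bob", []string{"marketing"}, DeviceID{0xbeef, 0x9999, "SN-X"}, true},
	}
	for _, e := range events {
		fmt.Println(AuditLine(time.Now(), e, ExamplePolicy.Evaluate(e)))
	}
}
```

The ordering of the checks is the design point: a device that is not on the list never gets as far as a user check, and an approved device in an authorized user's hands still cannot take plaintext, because the write path exists only through the encrypted volume. That is also why the policy needs an owner; the allow-list and the writer groups are exactly the things your more sensitive customers will be asking to change.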

See? Now doesn't that sound simple?

Michael Mongold

May 08, 2007

The Universal Adoption of Encryption

The magnanimous Nigel Dessau, SVP at Sun, has decided that the world of encryption would be a better place if everyone just agreed to get along. And to show his sincerity, Sun is giving away their Key Management System! Well, technically they are just opening up their APIs so you can connect your encryption product into their KMS, but it's a start.

IEEE has been working a number of years on a standard for key management identified as IEEE-P1619. P1619.0 refers to a disk storage standard, P1619.1 identifies a tape storage standard, and P1619.2 addresses wide-block encryption standardization for disk drives.

These are, of course, important steps.

Encryption will eventually be a ubiquitous technology requiring a heterogeneous environment which will allow all of the different players to work together. We are rapidly approaching an encryption cloud that will encompass all devices and protect any and all sensitive data.

This results in one of two scenarios:

We purchase everything from one vendor and pray that they have a solution that encompasses all of our needs.

or

We purchase the best of breed products from different manufacturers and pray they all work together.

The first option does not scale.

The second option pushes us towards an open standard that allows us to have one Key Management System that is able to store and share our keys for tape backups, full disk encryption, network share encryption, removable media encryption, CD-RW/DVD-RW encryption, etc.

This is the path we are most likely to prosper along.

No organization will be able to provide you the best solution for such a disparate group of technologies. Key management is inevitable, thus consolidation and standardization is the best solution.

So, while Sun may or may not see much movement towards their KMS and regardless of their motivation, their efforts are noteworthy.

Over the next twelve months, I look forward to other organizations stepping forward and showing us who the true leaders in encryption are going to be in the universal adoption of encryption.

Michael Mongold

May 07, 2007

TSA Security - Not So Much

Our government certainly knows how to set an example for its citizens. Ok, maybe more as an example of what not to do, but I'm trying to put a positive spin on this somehow.

It appears that the friskers have lost a laptop containing "personal, payroll, and bank information of 100,000 current and former workers" of the TSA.

 Can I get a "D'oh!"?

The laptop contains "employee names, Social Security numbers, birth dates, and bank account and routing information".

Obviously, the FBI is not going to be of much help since they lose nearly three laptops a month themselves (a few years ago they lost nearly eleven a month!). Actually, the FBI may need to look at the TSA as an example because at least the TSA knows what was on the laptops they lost. (Of course, I am not sure how confident we can be in the TSA's mea culpa at this point) 

Funny, er, scary sidenote: One of the laptops lost in the Boston area included software for creating FBI identification badges.

And if we look to the Internal Revenue Service to help us identify a government organization to help shine a light on the protection of sensitive data, they will need to direct us elsewhere because they are certainly in no position to assist us.

Of course, I have examples of many many more government agencies that have been caught bumbling their (our) sensitive data. But, to what effect?

The problem is not so much that these agencies are losing laptops; the problem is that they are losing laptops that contain unencrypted sensitive data.

Smart? Prudent? Responsible? Not so much.

Michael Mongold

May 04, 2007

Crossroads / HP Encrypts!

HP Encrypts!

First, let me give a big "Kudos!" to our friends at HP. It is good to see another computer manufacturer "get" the importance of hard drive encryption. Also, congrats to SafeBoot for getting in there and making the deal happen. I know from first hand experience that can be an extremely tough battle to wage.

According to the information I've seen, it looks like they are pushing PBA, which I feel is not worth the inconvenience. Kind of like the whole TPM integration, but that's just me.

Regardless, I think it's a great step for HP and their customers. Hopefully we will see others follow Lenovo's and HP's lead...

---------------------------------------------

Crossroads

Last week I had the opportunity to discuss tape backup encryption with a local Austin company, Crossroads. I was very impressed with their line of products and how solid their presentation was. I specifically liked their agnostic approach to encrypting whatever tape backup system a company may be using.

I am a big fan of solutions that leave you the flexibility to work with a variety of vendors so you can ensure you are maximizing the performance you get for your dollar. I look forward to learning more about their product line in the coming weeks.

Tape encryption is another piece of the "encryption cloud" that organizations need to ensure their data is protected.

That's all for now. Everyone put your laptops down for a little while, get outside and enjoy your weekend!

Michael Mongold

May 01, 2007

GSM Encryption

There have been some high profile cases of eavesdropping or wiretapping involving cellular phones in Italy recently. While this hasn't quite exploded onto the US scene yet, it isn't much of a stretch to envision some organization that would go to those lengths (think Wal-Mart or HP's little faux pas).

Of course, I mention this because there is a solution that is available to help head this off before it even becomes an issue.

Cryptophone makes a device that can encrypt all GSM traffic to and from the phone. I suspect that over the next couple years you will be hearing more about this technology and the exploitation of it.

It goes without saying that any method of communication that conveys data that is considered sensitive or personal in nature, can and will be exploited. It is only a matter of time...

Michael Mongold

April 27, 2007

Study shows weak encryption adoption

Generally, when I see a study come out that is performed by some group or institute for a player in the field that is being surveyed, I am often skeptical of the results. It is just hard for me to see the propriety in it.

However, in a recent study by the Ponemon Institute performed for PGP, I found myself shaking my head in disbelief for another reason: There is no way that nine percent of companies have a comprehensive encryption scheme.

I would say one in one thousand would be an exaggeration.

I must assume that the responding organizations' concept of a comprehensive encryption scheme and mine are far different. I believe that if you looked solely at whole disk encryption on laptops we would still be at a one in one hundred ratio. Once you figure in the other places that sensitive data can reside in an organization, I believe you will find that the ratio starts to really stretch out.

That's not to say that many organizations are not pursuing a larger role for the encryption of their data. I spoke with approximately fifty IT managers at an information management consortium meeting yesterday that had excellent questions and seemed to understand the necessity for the technology.

But ultimately it comes down to money, resources, political will, and urgency. The agenda for most organizations (from a security perspective) is dictated by perceived need or threat and the cost of action/inaction.

If you remember back to your economics class when your professor discussed the idea of an opportunity cost, it becomes directly relatable to security in a very quantifiable way. The necessity of urgency can easily be demonstrated on a daily basis by the number of organizations that lose data and spend more money on investigating the loss, damage control with their customers, and then performing some emergency encryption in an attempt to save face - when all they had to do was encrypt the data ahead of time and save themselves all of that drama (and possibly their jobs).

Make sure the people that own the pocketbooks of your company/agency understand the economics of data loss. If they believe you can afford to wait on data encryption, get them to put it in writing...

Michael Mongold

April 25, 2007

Encryption Cloud

I have been speaking to some of my clients over the past few weeks about an "encryption cloud". It is the idea that there are many different ways that data can escape from an organization and to protect that data requires a larger approach than just whole disk encryption.

Right now, many companies and agencies are just trying to get a handle on all of the laptops they have that leave the relative safety of their offices every day. This is a great first step and one that should not be procrastinated on. However, any security policy is only as good as its weakest link. Unencrypted PDAs, CD-RWs/DVD-RWs, thumb drives, iPods, P2P software, etc. represent paths along which large amounts of sensitive data can quickly appear in the wrong hands.

That is why you see different encryption manufacturers producing a wider variety of solutions to try and stem all of the leakage points. Secure E-mail, encrypted network shares, tape and database encryption are all areas that must be included in a comprehensive encryption solution. Data at rest and data in transit must have a way to be centrally managed to provide for the ease of use and management while always providing the most security.

Pretty soon a cloud of encrypted traffic within your network appears and extends out to encompass mobile devices taken to clients' sites or users' homes.
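Both the single Key Management System described in the "Universal Adoption of Encryption" post above and the centrally managed encryption cloud described here come down to one design: a master key that wraps per-consumer data keys, so tape, disk and share agents all fetch their keys from one place without any of them being able to read another's. The Go program below is an added example of that hierarchy (my code, not Sun's KMS, IEEE P1619 or any vendor's product); the consumer names, the key sizes and the use of AES-256-GCM for wrapping are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// wrapped is a data-encryption key (DEK) held only encrypted under the KMS
// master key (KEK). The consumer name is bound in as AAD, so a key issued to
// the tape system cannot be handed out to the file-share agent.
type wrapped struct {
	consumer  string
	nonce, ct []byte
}

// KMS is a minimal central key store serving heterogeneous consumers.
type KMS struct {
	kek  []byte
	keys map[string]wrapped
}

func NewKMS() *KMS { return &KMS{kek: randomBytes(32), keys: map[string]wrapped{}} }

// randomBytes panics on failure: a key store without entropy must not continue.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key is generated here, so this is a programming error
	}
	g, _ := cipher.NewGCM(block) // only fails for a non-16-byte block size
	return g
}

// Seal encrypts pt under key with aad bound to the ciphertext; the KMS uses it
// to wrap DEKs and consumers use the same primitive on their own data.
func Seal(key, pt, aad []byte) (nonce, ct []byte) {
	g := aead(key)
	nonce = randomBytes(g.NonceSize())
	return nonce, g.Seal(nil, nonce, pt, aad)
}

// Open reverses Seal and fails if key, nonce, ciphertext or aad differ.
func Open(key, nonce, ct, aad []byte) ([]byte, error) {
	return aead(key).Open(nil, nonce, ct, aad)
}

// CreateKey issues a fresh DEK to consumer and returns its id and plaintext.
func (k *KMS) CreateKey(consumer string) (id string, dek []byte) {
	dek = randomBytes(32)
	nonce, ct := Seal(k.kek, dek, []byte(consumer))
	id = hex.EncodeToString(randomBytes(8))
	k.keys[id] = wrapped{consumer, nonce, ct}
	return id, dek
}

// GetKey unwraps a DEK for the consumer it was issued to; any other caller
// fails the GCM tag check and gets nothing.
func (k *KMS) GetKey(id, consumer string) ([]byte, error) {
	w, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %s", id)
	}
	dek, err := Open(k.kek, w.nonce, w.ct, []byte(consumer))
	if err != nil {
		return nil, fmt.Errorf("key %s was not issued to %q", id, consumer)
	}
	return dek, nil
}

// RotateMasterKey re-wraps every DEK under a new KEK. No tape, disk or share
// has to be re-encrypted, which is the point of the hierarchy.
func (k *KMS) RotateMasterKey() error {
	newKEK := randomBytes(32)
	for id, w := range k.keys {
		dek, err := Open(k.kek, w.nonce, w.ct, []byte(w.consumer))
		if err != nil {
			return err
		}
		nonce, ct := Seal(newKEK, dek, []byte(w.consumer))
		k.keys[id] = wrapped{w.consumer, nonce, ct}
	}
	k.kek = newKEK
	return nil
}

func main() {
	kms := NewKMS()
	id, dek := kms.CreateKey("tape")
	nonce, ct := Seal(dek, []byte("backup set 17"), []byte(id)) // key id travels as AAD
	_, err := kms.GetKey(id, "share")
	fmt.Println("share agent asking for the tape key:", err)
	_ = kms.RotateMasterKey()
	dek2, _ := kms.GetKey(id, "tape")
	pt, _ := Open(dek2, nonce, ct, []byte(id))
	fmt.Printf("after KEK rotation the tape still reads %q\n", pt)
}
```

Binding the consumer name as associated data is what keeps the tape system from ever receiving a file-share key, and rotating the master key re-wraps the data keys without touching a single tape or disk sector. In a real deployment the master key lives in an HSM and the wrapped keys in a replicated store, which is exactly the piece an open key-management standard has to define so that products from different vendors can share it.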

Encrypting data is not hard to justify if you ask the right people. And I am not talking about people within the encryption industry. I am speaking of organizations like Neiman Marcus who just announced they "lost" the names, addresses, Social Security numbers, birth dates, and salaries of over 160,000 current and former employees. Of course, the sad part of this is that it wasn't really Neiman Marcus that lost their entire staffing history but a pension-benefits consulting firm that NM had hired. The contractor's guidelines require them to encrypt their information but strangely, they cannot confirm if the data was encrypted or not (Ahem, whole disk encryption would have not made that an issue).

Be sure to read the whole article and be glad it's not your organization that they are talking about. :)

Michael Mongold

April 20, 2007

Cancer patients' data stolen...

Thieves have no conscience and this is definite proof of that. I believe it also shines a light on the fact that we have a tendency to minimize the risk of having unencrypted devices that may not seem so portable. What is more likely to have sensitive data on it? A laptop or a server? The answer will typically be a server. Of course a laptop has a higher likelihood of being lost or stolen, but those are usually more a crime of opportunity whereas someone that steals a server is out to perform some serious damage.

I believe that you need to prioritize your devices by sensitivity of data and probability of loss. If you weigh both elements you might find that certain segments of your mobile workforce AND certain segments of your desktops/servers need to be addressed first.

If you have groups within your organization that are at an elevated level of exposure or have information that is significantly more sensitive then consider deploying a solution that addresses those groups first from a panoptic approach. That may mean that you focus on a specific group within your organization or a subset of devices and perform whole disk encryption, PDA encryption, USB/CD-RW/DVD-RW restrictions, and removable media encryption within just that group.

Additionally, adding to that mix a network access solution that ensures there is no P2P software to siphon data off of the device can provide some additional assurance.

Finally, a quick thanks to the organizations that I spoke with this week in Detroit. It is always interesting to see how universal the needs are of those I speak with.

Ultimately, everyone is faced with the same obstacles and hurdles both internally and externally. The positive side of that is that there are mature products and processes that can be implemented to clear those hurdles.

Michael Mongold

April 12, 2007

Encrypted world

I initially wanted to write today's blog about Disk Encryption and Pre-Boot Authentication but quickly realized that I would never get it published today due to my preparations to be in Galveston this weekend and Detroit all of next week. So, I will just hit on a point that is beginning to ring louder and louder for many organizations. All information is becoming electronic. Yeah, everyone knows that. However, it's not just that more devices are now mobile and have the capability of carrying more information, but it is also the fact that more information now resides in an electronic format than ever before. As Richard Moulds points out in his article today, everything from gambling machines to new projectors in movie theaters deal only with digital information.

What's the security spin? Before we started storing all of our documentation in digital media, someone needed physical access to the information in order to acquire it. I couldn't steal a document off of your desk at your job in Chicago unless I was in Chicago and was able to get into your office. Now we live in a world where we have more means of accessing more data.

That is a pretty good thing unless you are worried about a global catastrophe wiping out most of the knowledge accumulated in the last thirty years. Of course, the most likely source of problems associated with this migration from physical information is the same as its greatest benefit: its accessibility.

Granted, we may not care that our personal information is so readily available as our society evolves. Once we are able to make some form of biometric authentication ubiquitous throughout our work and personal life, perhaps we will feel more comfortable that anyone accessing our data will have the proper authority to do so. Then again, we may feel even more exposed than ever before.

The main point that I want to make here is: we will have more data available to more people than ever before and that without encryption we will have less control than at any point in history. Organizations that have sensitive data that they need to protect will have to rely more and more on technology security and the people behind it, as analog information slowly fades away.

Michael Mongold
