Thursday, May 15. 2008
One thing that all of us forget is some of the basics in security. The following article is a survey RSA performed in 2007 which asked security-related questions about user activities. I found the numbers somewhat amusing, and they validated my own thinking in terms of where efforts need to be focused. I thought it was interesting that Government employees seem to be more on top of security (at least physical security) than the corporate world.
Read the article here
Tuesday, May 13. 2008
Is "Intrusion Tolerance" replacing "Intrusion Detection and Prevention"? I doubt it.
Reading an article on DarkReading today about a new project started by "Aron Sood" that he's dubbed "Intrusion Tolerance". Basically the approach is simple: his idea is to take a "clean" copy of a web, DNS or other server and rotate it into first position on the DMZ at a regular interval, roughly every minute. He commented that this would lower the window of opportunity for a system to become breached and limit the data loss exposure.
In my humble opinion, Intrusion Detection and Prevention is not going away any time soon, and here's why:
1. Web servers don't normally store sensitive data these days (application databases do).
2. This does nothing to prevent a zero-day application exploit via the exposed web server.
3. Infecting a system only takes moments, so even a second of exposure can lead to a breach. Case in point: place an unpatched Windows XP system on the internet for about 10 minutes and whammo, you'll have several worms infecting your machine in that timeframe.
Summary: Although this technology helps aid us security folks in our endeavour, it's by no means a panacea. Honestly, this is only one small component that can be added to your overall security strategy, not something you can deploy and then call it a day. Don't drop your Firewall, Intrusion Detection and Prevention and other compliance technologies on account of someone saying they will "limit" your data loss. I'll be keeping an eye on this technology as it has some promise if combined with the right complementary technologies. We'll see.
Read the article here
Read about SCIT - Self Cleansing Intrusion Tolerance here
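To put a number on point 3 above, here is a small timeline model of the rotation scheme. It is an added example written for this post, not code from the original post or from the SCIT project, and it makes one assumption: an exploit attempt that lands while the exposed server is clean compromises it immediately, and the server stays compromised until the next swap. The attack times and rotation interval are constructed inputs.

```python
import random


def rotation_times(rotation_s, horizon_s):
    """Seconds at which a clean copy is rotated into the exposed slot."""
    t, out = rotation_s, []
    while t < horizon_s:
        out.append(t)
        t += rotation_s
    return out


def simulate_rotation(rotation_s, attack_times, horizon_s):
    """Deterministic timeline: the exposed server is swapped for a clean copy
    every rotation_s seconds; an exploit attempt at time t compromises it
    immediately if it is clean, and it stays compromised until the next swap.
    Returns the number of distinct compromises and the fraction of the
    horizon during which the exposed server was compromised."""
    events = [(t, 1, "attack") for t in attack_times if 0 <= t < horizon_s]
    events += [(t, 0, "rotate") for t in rotation_times(rotation_s, horizon_s)]
    events.append((horizon_s, 0, "end"))
    events.sort()  # a rotation sorts before an attack landing at the same instant
    compromised_since = None
    compromised_s = 0.0
    breaches = 0
    for t, _, kind in events:
        if kind in ("rotate", "end"):
            if compromised_since is not None:
                compromised_s += t - compromised_since
                compromised_since = None
        elif compromised_since is None:  # attack against a clean server
            compromised_since = t
            breaches += 1
    return {"breaches": breaches,
            "compromised_fraction": compromised_s / horizon_s}


def simulate_random_attacks(rotation_s, mean_gap_s, horizon_s, seed=0):
    """Same model with exploit attempts arriving as a seeded Poisson process
    (exponentially distributed gaps with mean mean_gap_s seconds)."""
    rng = random.Random(seed)
    t, times = 0.0, []
    while True:
        t += rng.expovariate(1.0 / mean_gap_s)
        if t >= horizon_s:
            break
        times.append(t)
    return simulate_rotation(rotation_s, times, horizon_s)


if __name__ == "__main__":
    # Constructed input: three exploit attempts against a server rotated every 60 s.
    print(simulate_rotation(60, [5, 70, 130], 180))
    # Worm-style pressure: an attempt every 10 s on average, for one hour.
    print(simulate_random_attacks(60, 10, 3600))
```

With attempts arriving every 10 seconds on average, the model spends roughly five sixths of each minute compromised: rotation bounds how long any single compromise persists, but it does not stop the next one, which is exactly why the detection and prevention layers still have to be there.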
Thursday, May 8. 2008
I hate to say it, but it bothers me when people send the wrong message to the public regarding identity theft. Simply having someone's name, address and phone number is not enough to perform identity theft. I believe the media has a tendency to embellish the idea of stealing someone's information and then having free rein to charge it up on the person's credit, as this article suggests. The article says the data can be used for phishing, which is accurate and can help someone perform such an attack, but the data in question that has been so-called "leaked" is public data, with the possible exception of the email address. Just trying to keep us all honest.
Friday, May 2. 2008
I was just reading an article on the Riverside court; essentially anything disclosed in a court case is considered a matter of public record in California courts. So it's important that people know that what they disclose to courts gets input into imaging software or databases and sometimes (like this case) can be viewed online. My suggestion to the public is to ensure that your documents obfuscate certain personal information that could be misused when obtained. I also would encourage local officials to pass legislation to bar courts from posting documents containing PII onto the internet. It's bad enough that we have a PII problem on systems within corporations, but having the court disclose it is a breach that should be treated the same way as a corporate breach. Of course, this makes too much sense for regulators.
Thursday, April 24. 2008
Main Entry: ¹trust
- Pronunciation: \ˈtrəst\
- Function: noun
- Etymology: Middle English, probably of Scandinavian origin; akin to Old Norse traust trust; akin to Old English trēowe faithful — more at true
- Date: 13th century
1 a: assured reliance on the character, ability, strength, or truth of someone or something
  b: one in which confidence is placed
2 a: dependence on something future or contingent : hope
  b: reliance on future payment for property (as merchandise) delivered : credit <bought furniture on trust>
3 a: a property interest held by one person for the benefit of another
  b: a combination of firms or corporations formed by a legal agreement; especially : one that reduces or threatens to reduce competition
4 archaic : trustworthiness
5 a (1): a charge or duty imposed in faith or confidence or as a condition of some relationship (2): something committed or entrusted to one to be used or cared for in the interest of another
  b: responsible charge or office
  c: care, custody <the child committed to her trust>
Monday, April 7. 2008
I was cruising different ways to invest and I came across some statistics for a service that I use to lend people money. The statistics show the different job categories, the amount lent to each category and the percentage of late payments in each. The thing that I found interesting is that Clergy and Lawyers were the least likely to be late on loans. The stats are taken from prosper.com, a P2P lending service. It then occurred to me... is it possible to tell how trustworthy a person is by the way that they pay their bills? I mean, isn't a loan a promise to repay a debt? So if we were to expand this somewhat to trust, is it such a stretch? I'm sure some would disagree, but it's interesting nonetheless. Check the following stats and draw your own conclusions.
Well, I knew it was coming, but now it has come and we're entering a new phase of accountability at the consumer endpoint. Now consumers in the UK are being held accountable for having properly updated AV, firewalls and anti-spyware... What a concept! I'm assuming this will soon be coming to the USA. I'm fairly certain that any lawsuit involving an end consumer would already be defensible this way in the USA, but I'm not a lawyer. I'm also not sure if any bank wants this type of PR yet, but we'll see. Check the article here
I'm not sure if everyone is aware of this, but in January, SB1386 was extended so that a breach of medical information or medical insurance information requires notification. A copy of the law is located here. Coupled with the other notification laws, doing business in California means that businesses must be more responsible than ever, a requirement that should have existed for years in my opinion.
An interesting survey of 18 dentists was conducted to assess compliance with HIPAA. The Health Insurance Portability and Accountability Act of 1996 defines some of the protections necessary for patient confidentiality and privacy. The dentists were given 10 compliance questions by Darrell Pruitt D.D.S.
Quote:
"The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample."
Read the article here
Wednesday, March 26. 2008
We're on the cusp of a new generation of document distribution systems utilizing central storage, and there are some interesting security questions that will need to be answered in order for the transition to occur. Essentially, document management systems are nearly integrated with the client endpoint. There are several technologies converging that will change the face of how data is managed today: "data leak/loss prevention (DLP)" and "digital rights management (DRM)". These two technologies will eventually be coupled together to form an elastic band around documents travelling throughout corporate or personal networks. Data will eventually be controlled centrally no matter where it resides, so that management of said data will be easier and more structured.
The latest idea I had was for a "stateful data object architecture" (SDOA). Once the DLP and DRM convergence occurs, the next challenge is to ensure that only "one" copy of the data exists in any given environment. This would reduce overall storage requirements and ensure that an organization's data is not duplicated or outdated, which in essence is what causes inefficiencies throughout the organic nature of human social groups. My best guess at this time is that one of the "content management system (CMS)" vendors will introduce an architecture that enables distribution of "copies" of documents or artifacts; when that artifact is changed in the central repository, the endpoints will automatically be aware of the document version change and will then prompt the user to accept the "updated" document onto their system.
This presents some interesting security questions on how to authenticate and encrypt the documents in transit so that one can "trust" the centralized document repository, in order to properly ensure that the document was not modified in storage or "spoofed" by a third party. To that end, I leave it to you the reader to decide where it will go from here, but for me, I'm intrigued by where we are going and what lies ahead in the "stateful data object architecture (SDOA)".
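One way an endpoint could answer the two questions above (is this the repository's document, and is my copy current?) is for the repository to hand out a small signed manifest alongside each document. The following is an added example for this post, not code from any CMS vendor; it assumes a shared secret between repository and endpoint and uses an HMAC in place of the public-key signature a real deployment would use, and the document bytes and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption: a secret shared by the repository and its endpoints (constructed value;
# a production design would use a public-key signature so endpoints hold no secret).
REPO_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    """Fixed serialization so repository and endpoint authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_manifest(key: bytes, name: str, version: int, content: bytes) -> dict:
    """Repository side: bind name, version and content hash under an HMAC tag."""
    body = {"name": name, "version": version, "sha256": sha256_hex(content)}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def check_document(key: bytes, manifest: dict, content: bytes, local_version: int) -> str:
    """Endpoint side: verify the manifest before trusting anything in it, then
    verify the bytes against it, then compare versions with the local copy."""
    body = {k: manifest[k] for k in ("name", "version", "sha256")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return "bad-signature"       # spoofed or altered manifest: ignore it entirely
    if sha256_hex(content) != manifest["sha256"]:
        return "tampered"            # document modified in storage or in transit
    if manifest["version"] > local_version:
        return "update-available"    # prompt the user to accept the new version
    if manifest["version"] < local_version:
        return "stale"               # repository is behind the endpoint; investigate
    return "current"


if __name__ == "__main__":
    document = b"Q2 planning memo, revision two"   # constructed sample content
    manifest = issue_manifest(REPO_KEY, "plan.txt", 2, document)
    print(check_document(REPO_KEY, manifest, document, 1))        # update-available
    print(check_document(REPO_KEY, manifest, document + b"!", 1)) # tampered
```

The order of the checks matters: the tag is verified first so that a forged manifest cannot trick the endpoint into accepting a "new version", and the hash comparison happens before any version logic so that a modified document is rejected rather than installed.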
Again, I invented it and released it to you, so no l0zers can claim it now. Enjoy!
Tuesday, March 25. 2008
I just came up with a cool idea. It could be possible to utilize Google Hot Trends to trade stocks: take the data into a database, create dynamic signatures around the data and its contents within the news, merge it with the price data fed in from the market, and then automatically trade stocks based on the result. You could technically auto-trade based on Google Hot Trends data to make money from the p-waves of human news interest. Wow. Sorry for going off the topic of security, but I wanted to say something about my idea. Remember, I invented it, so no l0zers trying to take props for it.
A recent attack on a man shows how a malicious posting can use social engineering to trick people into taking property from innocent victims. Apparently a posting on craigslist told people that they could come by, grab the man's property and haul it away. Amazingly, people believed it, and when the man was on his way home he discovered people taking stuff from his home. It just blows me away that people would use this old technique again and again to destroy each other's lives. To whoever posted the entry and did this to the man: shame on you. Read the article
Wednesday, March 19. 2008
Why doesn't the Social Security office issue "credit card"-like cards that use the existing ATM/credit networks to "authenticate" the users of the "Social Security Card"? Essentially, this would allow people to pick a "PIN" code in order to process a verification of the social security number and "authenticate" an individual during credit issuance, in the case of a bank. In the case of "instant" credit issuance, a credit-issuing bank could be registered with the social security system and present "pre-authorization" requests; the user would then have to "authenticate" to the social security service's website using their own account and password to "permit" the request, and enter their PIN to complete the transaction.
This would eliminate fraud across the board when it comes to identity theft, and it would not be that difficult to do. This could be an "optional" service that a person could "opt" into in order to protect their social security account; this way the old system could remain in place and functioning.
Just my two cents. Don't you think it's a good idea?
The proposed rule, specifically called "Part 248 - Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information", if accepted directly affects financial institutions in the following main ways:
- Includes new standards which relate to data security breaches
- Changes the scope of safeguards and data disposal
- Requires written policies for their safeguards and data disposal processes
- Requires audit of their safeguards and processes
- Proposes modification of the opt-in/opt-out provision of the GLBA
Check the actual document here
Comment on the law here
Wednesday, March 12. 2008
There's been some recent discussion on using Diceware as a way to pick passwords. One thing I noted from the website was that they said the following:
-- Start Quote --
- Easy to learn and use
- Very secure
- Totally prescriptive - we tell you exactly what to do at each step of the process
- Transparent - there are no "trust me"s
- Free - there is no computer software or hardware required, just the Diceware list and some ordinary dice
-- End Quote --
My thoughts:
1. It's not easy to use.
2. It's no more secure than many other methods for selecting passwords if you correctly enforce "alphanumeric, upper/lower case, length and non-alphanumeric" requirements.
3. The step-by-step process is slow and cumbersome (plus I'd have to run to a store to get the dice).
4. My brain is free and requires me to drive nowhere... plus, doesn't gas cost like 50% more than last year to go buy the dice?
While I agree that using this method is a nice random way to generate passwords, it's not all that practical for the common user to implement, nor would they really be that interested in the long, drawn-out practice of using this method. In my past blogs, I've written a bit about password selection. Presumably the best way to pick passwords with some randomness that are still memorable for a user is to pick a phrase that they like, select the first letter of each word in the phrase, then add an upper- and lower-case character along with a non-alphabetic character, and keep the phrase to at least 10 words. What many of us as security professionals forget is the KISS methodology (Keep It Simple, Stupid).
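For readers who want to see what the Diceware step actually computes, here is the roll-to-word lookup and the strength arithmetic behind both approaches discussed above. This is an added example, not code from the Diceware site or from this blog; it substitutes the operating system's random number generator (Python's `secrets` module) for physical dice, and the word list is a constructed stand-in of the same size as the real Diceware list (6^5 = 7776 entries), not the real list.

```python
import math
import secrets
import string

DICE_PER_WORD = 5
# Constructed stand-in for the Diceware list: same size (7776 words), placeholder words.
WORDLIST = [f"word{i:04d}" for i in range(6 ** DICE_PER_WORD)]


def roll_to_index(roll: str) -> int:
    """Map five dice digits (each 1..6) to a list index 0..7775: the roll is a
    base-6 number with the first die most significant, exactly as the Diceware
    list is ordered ("11111" -> 0, "66666" -> 7775)."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"a Diceware roll is {DICE_PER_WORD} digits in 1..6, got {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(n_dice: int = DICE_PER_WORD) -> str:
    """Simulated dice from a cryptographic RNG; stands in for the physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(n_words: int, wordlist=WORDLIST) -> list:
    return [wordlist[roll_to_index(roll_dice())] for _ in range(n_words)]


def diceware_entropy_bits(n_words: int, wordlist=WORDLIST) -> float:
    """Each word is an independent uniform pick, so entropy is n * log2(list size)."""
    return n_words * math.log2(len(wordlist))


def charset_entropy_bits(password: str) -> float:
    """Naive strength estimate used by most complexity rules: length * log2(size of
    the character classes present). It is an upper bound that assumes every
    character was chosen uniformly; a password built from the first letters of
    a phrase has structure (English letter frequencies), so it holds less."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    print(" ".join(diceware_passphrase(6)), round(diceware_entropy_bits(6), 1))
    # Constructed first-letters password from a 10-word phrase plus added characters.
    print(round(charset_entropy_bits("Tbontbtitq1!"), 1))
```

Six Diceware words come to about 77.5 bits; a 12-character password using all four character classes scores about 78.7 bits under the naive estimator, which is why the two look comparable on paper, with the caveat in the comment that the character-class figure is an upper bound.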
Legal Disclaimer
The opinions expressed here on this blog are those of the author or authors and do not necessarily reflect the positions or opinions of the author's employer or any other organization. The opinions expressed here on this blog do not represent official statements of any kind and may not be used for republication as opinions of any organization with the exception of being represented as the original author's opinion. By posting you agree to be solely responsible for the content of all information you contribute, link to, or upload and release Lawrence A Pingree from any liability. You also grant Lawrence A Pingree irrevocable, royalty-free right to use and exercise all copyright, publicity, and moral rights with respect to any original content you provide. All comments are moderated and appear as soon as they are approved.