Enabling Secure Business Operations

Passwords, redux.

I received the following email on Monday morning:

You don’t know me.  I’m nobody.  My name is Steve.  I came across a database dump from Gawker.com earlier this evening.  It’s making its rounds around the internet.  Besides just the code dump from gawker.com among other sites, it also contains email addresses and passwords for over 1.3 million accounts.  I’m sending this email to the 200,000 or so people whose passwords were included, in plain text, in this archive.  I have your password.  However, I have 0 interest in it.  Obviously I’m anonymous so how can you trust me – you can’t.  But trust me, if I had interest in your password, I wouldn’t be emailing you saying I have it. That’s just dumb.  The reason I’m telling you this is because people all over the world, who aren’t like me, who won’t notify you, have it.  They will use and abuse it.  Change your gawker.com credentials. Now.  MORE IMPORTANTLY, change passwords on other sites you visit that use the same one as your gawker.com/lifehacker.com/gizmodo.com login.

Well, it was believable enough… then, I read an article on Forbes and knew it wasn’t a scam. Argh. To their credit, Gawker has some informative posts on their breach and how to audit and update passwords.

As background: I use a password manager to manage my passwords, and it helps me use secure passwords wherever possible. However, I have a number of passwords which predate my use of a password manager, and for many sites I used the same password. Yes, it’s a bad security practice that we’ve talked about before, and even XKCD has weighed in.  The use of this same password didn’t bother me – it was my password for using on sites that I considered “low impact”. In other words, I didn’t feel like it was a big deal if that password was compromised.

Receiving that email, along with a notification from Google that my account had been locked out, was a wakeup call. Suddenly, it became a big deal to me.

So, I spent this evening going through my password manager’s records. I have 507 saved passwords.  I had nearly 150 with the same password.  I changed every one of them to a randomly generated password.  It took me over three hours to go through that process.  A tremendous hassle. Let me suggest from experience: change those passwords you use on many sites.  If you try to do them all at the same time, it will be a tiring and painful process.
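Going through 507 records by hand is the painful part. The audit itself can be scripted against a password manager export. The following is an added example, not code from the original post: it assumes a generic CSV export with `title,url,username,password` columns (real managers use their own column names) and a constructed sample with deliberately fake passwords. It groups logins by password, lists the other sites that share the password saved for a breached site (the logins to rotate first after a notice like the one above), and orders the whole rotation so the most widely shared passwords go first.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager export in a generic
# "title,url,username,password" layout (an assumption; real managers
# use their own column names). Passwords here are deliberately fake.
SAMPLE_EXPORT = """title,url,username,password
Gawker,https://gawker.com,reader@example.com,summer2008
Lifehacker,https://lifehacker.com,reader@example.com,summer2008
Bank,https://bank.example,reader,xV7$kq2!Lm9#pR
Forum,https://forum.example,reader,summer2008
Webmail,https://mail.example,reader@example.com,correct-horse-battery
"""


def load_entries(export_text):
    """Parse the CSV export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(export_text)))


def _group_key(password):
    # Group by a digest rather than the plaintext so the report itself
    # never carries the passwords. This is a local grouping key only,
    # not a storage scheme; it is discarded along with the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_report(entries):
    """Return {digest: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for entry in entries:
        groups[_group_key(entry["password"])].append(entry["title"])
    return {key: sorted(sites) for key, sites in groups.items() if len(sites) > 1}


def sites_sharing_password(entries, breached_site):
    """List the other sites whose saved password matches the one saved for
    breached_site, i.e. the logins to rotate first after a breach notice."""
    by_title = {entry["title"]: entry for entry in entries}
    if breached_site not in by_title:
        raise KeyError(f"no saved login for {breached_site}")
    target = _group_key(by_title[breached_site]["password"])
    return sorted(
        entry["title"]
        for entry in entries
        if entry["title"] != breached_site and _group_key(entry["password"]) == target
    )


def rotation_plan(entries):
    """Order sites so the most widely shared passwords are changed first."""
    report = reuse_report(entries)
    ordered = sorted(report.values(), key=len, reverse=True)
    return [site for group in ordered for site in group]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("Also using the Gawker password:", sites_sharing_password(entries, "Gawker"))
    print("Rotate in this order:", rotation_plan(entries))
```

Run it against a real export only on the machine where the export lives, and delete the export file afterwards; the report is meant to be read locally, never mailed around.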


Responsibility Management

A number of our employees are currently spending a fairly large amount of their time helping a customer with a task.  In a perfect world, this task would be completely unnecessary.  Suffice it to say that there is some maintenance that must be performed on a number of systems before the year is out, and they are having trouble getting responses from the system administrators who are responsible for the systems.

When we perform assessments, we often ask our customers about whether they have a configuration management database (CMDB) or something similar.  While CMDB systems may be useful for performing a physical inventory of your systems, that isn’t the real benefit. The real power of a CMDB comes in being able to track the current configuration, status, health, usage, and ownership of every system in the organization.  Let’s say a new patch is released; an up-to-date CMDB can help you understand what systems the patch applies to, whether they need to be patched and/or need prerequisite requirements fulfilled, what applications should be tested before and after the patch, and who the administrator(s) and owner(s) of the system are.

In this particular case, while there is a CMDB, it doesn’t do a good job of tracking the administrators and owners of their systems.  We are experiencing a huge gap in responsibility management.  While we may know of a system which needs maintenance, we don’t know who is responsible for its maintenance, and who is responsible for the information and applications which may be affected by the maintenance on that system.  In this organization, they are typically different people from different parts of the organization, who may not have even met.

Without understanding who is responsible for the system, the applications running on it, and the information stored within it, you are setting yourself up for problems. Well, you’re at least setting yourself up for many frantic emails and phone calls as deadlines draw near.
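What a responsibility-aware CMDB record needs to carry, and the query that would have answered the question in this case, can be shown in a few lines. The following is an added example, not code from the original post or from any CMDB product: the record fields and the inventory are constructed for illustration. Given a maintenance task scoped by operating system, it lists the affected systems, the people who must be contacted (administrators for the change, owners because their applications need testing before and after), and the systems for which nobody is on record for one of those roles.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class CmdbRecord:
    """One system as a responsibility-aware CMDB would track it. The field
    names are assumptions for this example, not a particular product's schema."""
    hostname: str
    os: str
    applications: List[str]
    admin: Optional[str]   # who maintains the system itself
    owner: Optional[str]   # who is accountable for the data and applications on it


# Constructed inventory. Two records show the gap described above:
# one system with no recorded administrator, one with no recorded owner.
INVENTORY = [
    CmdbRecord("db01", "ExampleOS 9", ["payroll"], "alice", "finance-dir"),
    CmdbRecord("web02", "ExampleOS 9", ["intranet"], None, "comms-dir"),
    CmdbRecord("app03", "ExampleOS 9", ["ticketing"], "bob", None),
    CmdbRecord("fs04", "ExampleOS 10", ["fileshare"], "carol", "ops-dir"),
]


def affected_systems(inventory: List[CmdbRecord], os_name: str) -> List[CmdbRecord]:
    """Systems the maintenance applies to, selected by operating system."""
    return [rec for rec in inventory if rec.os == os_name]


def responsibility_gaps(inventory: List[CmdbRecord], os_name: str) -> Dict[str, List[str]]:
    """Map hostname -> roles nobody is recorded for, over affected systems only."""
    gaps = {}
    for rec in affected_systems(inventory, os_name):
        missing = [role for role in ("admin", "owner") if getattr(rec, role) is None]
        if missing:
            gaps[rec.hostname] = missing
    return gaps


def maintenance_contacts(inventory: List[CmdbRecord], os_name: str) -> Set[str]:
    """Everyone who must be told before the work starts."""
    people = set()
    for rec in affected_systems(inventory, os_name):
        for person in (rec.admin, rec.owner):
            if person:
                people.add(person)
    return people


if __name__ == "__main__":
    target = "ExampleOS 9"
    print("Affected:", [rec.hostname for rec in affected_systems(INVENTORY, target)])
    print("Notify:", sorted(maintenance_contacts(INVENTORY, target)))
    print("Nobody on record:", responsibility_gaps(INVENTORY, target))
```

The point of the `responsibility_gaps` query is that it can be run the day the maintenance is announced rather than the week before the deadline; an empty result is the precondition for scheduling the work at all.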


What We’ve Got Here is a Failure to Communicate

Today is the day before Thanksgiving in the U.S., otherwise known as the busiest travel day of the year.  It is also the date of National Opt-Out Day, an effort to raise awareness of the TSA’s use of “strip search scanners” and “enhanced pat-downs”.  While I’m sure most folks would prefer not to be irradiated, seen naked, and/or groped, they will willingly do it because (a) they want to get to their destination with a minimum of hassle, and (b) everyone else is doing it.

Robert Graham decided to address this topic and to do so he wanted to take some photos of his TSA checkpoint for his blog.  Photography is, by the way, completely allowable under TSA regulations. Unfortunately, due to the fear and concern raised by potential protesters and this opt-out day brouhaha, the TSA employees overreacted and detained Mr. Graham for 30 minutes trying to decide what to do with him.

Many folks will point to quotes from the interaction such as “Not all parts of the government are accountable to the public, especially the TSA” and think that the TSA is out to get us all, strip all our liberties and freedoms away and be accountable to nobody.  While this is a good sensationalistic view and will draw a certain type of reader, I don’t think it accurately reflects the real problem here.

The TSA really is just trying to keep us safe when traveling.  That’s their mission. They are trying to do their job.  Mind you, I disagree with many of their methods because they are ineffective and uncreative.  The TSA’s security mechanisms are focused almost entirely on solving the last security breach, not preventing the next one. That’s a topic for another post.

The TSA’s largest failure is one of communication with their officers. The TSA agents at Mr. Graham’s airport should have known that taking photos was allowable.  Matt Kernan’s post about avoiding scanners upon re-entering the US, and how many different phone calls and individuals had to be involved, demonstrates that communication and cooperation are limited at best.  All this behavior and the resulting blog posts and press articles are exactly why a vocal minority of folks is now dead-set against the TSA, organizing protests, and being labeled as domestic extremists.

I hope the TSA learns from these misadventures and improves its communication before everyone’s view of it becomes unfavorable.  As I said before, I believe TSA is really trying to do its job, but to do that job they must walk a fine line.


Health Information Insecurity

A colleague lent me his most recent copy of IEEE’s Computer magazine.  Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read).  Some possible benefits of their proposed approach were listed, including:

  • Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
  • Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
  • Share similar and alternative protocols and their analyses across many medical facilities and individual providers…

Anyone want to guess what’s completely missing from their approach?  You guessed it, any mention of security.  The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal health information must be protected.  Even without HIPAA, it would just make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health information.

The only mention of keeping information safe in the article is the fact that there is a division of data between the protocol, protocol modifications, and actual patient data – but it is very difficult to draw such bright, clear lines around medical records and information.  How can you be sure the protocol modification a doctor submits won’t include information on the patient he tried it on?  Without even mentioning or considering the need for the protection of privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice.  Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase.  As Kenneth van Wyk and Mark Graff put it in their book Secure Coding: Principles and Practices,

As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.

By publishing an 8-page article in a respected technical journal without any mention of the need for security controls in such a system, the authors of this article have once again helped me with my job security.  It is still difficult for me to foresee the day when security and risk management training programs won’t be necessary, and we won’t need an information security industry.


LIGATT honestly and truly scares me

If you haven’t already heard about LIGATT security, you need to.  I won’t do them a favor of linking to them from this blog post, but I would like to provide some information about why I’m afraid of them.  No, it’s not because they have the world’s #1 hacker.

There is a lot of terrific information about the company, its misdeeds and wrongdoings on attrition.org’s Charlatan page for Gregory Evans, the LIGATT founder and CEO.  Convicted of wire fraud in the beginning of last decade, Mr. Evans made good upon his release from prison by… marketing a caller ID spoofing service starting two days after the US House of Representatives made caller ID spoofing illegal.

Another fantastic resource is the book review issued today by Ben Rothke on Gregory Evans’ book How To Become The Worlds No. 1 Hacker.  In the review, Rothke explains:

In short, this is merely a work of cut and paste.  In the parts of the book where the author attempts to write original text, it’s ripe with various errors.  I could list many such errors, but why bother… But the real offense is the author’s blatant use of unattributed sources.  I am not talking about a paragraph here or there, it is about wholesale plagiarism, often taking the form of an entire chapter.

So what scares me about them?  No, it’s not that they have the “#1 hacker for hire”.  I’m more scared of my own employees than this joker. It’s because they are a marketing machine that is escaping the ire of the media.  In fact, they’re getting fluff pieces on Fox News and publicizing frightening commercials, taking out full page ads in hakin9 magazine, talking on radio stations, and issuing press releases and ALL CAPS tweets regularly. There’s even a movement to get LIGATT profiled on Oprah.

They proclaim on their front page “LIGATT Security is a leader in cyber security.” If anyone treats and respects this company as a “leader” it will put the community of hard working information security professionals many steps behind.  Organizations like this give the whole security community a bad rap.


Macs are more secure, right?

For starters, let me just say that I personally have three Mac systems and three Windows systems I interact with on a regular basis.  I’m writing this blog post from a Macbook Pro.  However, there is a wide and growing misconception about the security of Mac systems vs. the security of Windows systems.  I just came across the following post in PC Magazine’s Security Watch blog, and there is a lot of good information in there; specifically the following quote which I want to share:

In the abstract, Macs are every bit as vulnerable as Windows systems, perhaps more so. But in the real world Mac malware is so rare that it actually makes news. Hundreds of Windows trojans like OpinionSpy come out every day. Mac users are generally “irresponsible” about such things, but for now they can afford to be.

My neighbor mentioned the other day that she got a Mac and loved it because (a) it was easier to use, and (b) it was more secure. Point (a) can be argued both ways; some things are easier to do on Windows and some are easier on Mac… but point (b) is something that troubles me.  The lack of publicized vulnerabilities and attacks does not mean more security.  Joe User wasn’t concerned about the advanced persistent threat before Google released information about the Aurora attacks.

The bottom line I try to keep telling people: there is more malware written for Windows because that is where the market share is; the attackers are going after the largest market out there.  As that market dries up they will focus their efforts on OSX, and when that happens, beware.  Mac users, don’t be too comfortable.  Get an anti-malware product. Turn on your firewall. Turn on FileVault. Disable automatic logon. Don’t make yourself the easy target when the bad guys turn their attention to Macs.


Obscurity Still Isn’t Security

Today Slashdot ran a story about an Australian transportation plan that a newspaper reported before its official release. The transport minister said accessing the information was akin to the newspaper trying to “pick the lock off a secure office and take highly confidential documents”.  What was the brilliant security plan that was supposed to be protecting this information?  It was all stored at an unpublished URL with no access control or authentication in place.

We in the security industry call this “security by obscurity”.  And it is not security at all.


Google Buzz, Privacy, and You

An uproar was recently started in reference to some privacy concerns about the new release from Google, Google Buzz. One of the first to sound the alarm was a blogger who was quite explicit about disliking some of its default options (and by explicit I mean “NSFW language” explicit, the post is here) which prompted some quick changes from Google.  In order to start using Buzz, you have to create/modify your Google public profile which will appear next to all of your activity in the Buzz feed.  By default, the public profile would display all those you follow. Chances are you’ve followed everyone in your contact list, so you just made your whole contact list public.  Now in the new behavior:

A box titled “How do you want to appear to others” will now include a check-box that says “Show the list of people I’m following and the list of people following me on my public profile.” To hide your followers, click the box, or click the “View and edit the people you follow” to customize your account.

The interesting thing here to me is that Buzz is essentially a service like Facebook or Twitter, designed to let other folks know what you are up to.  The fact that there is a privacy uproar around it is somewhat amusing, because it is designed to provide the opposite of privacy – to provide your followers information about what you are doing.  If you don’t want to share this information, don’t use Google Buzz!

I’ll enlist a famous quote from Scott McNealy, then CEO of Sun Microsystems: “You have zero privacy anyway. Get over it.”

It is amusing to me what people – especially young people – are willing to post online.  As a child, my parents once told me that once you say something you can’t take it back.  In today’s Internet-connected age, this holds true and is even more significant: once you say something online, hundreds if not thousands of people will see it instantly, and potentially billions of people will be able to track it down in archives, Google searches, the wayback machine, or in countless other ways.  Be careful what you share online.  Be careful what you say.  It might–probably will–come back to haunt you.


It’s time to move past IE6, isn’t it?

We have recently taken a look at Internet Explorer 6 (IE6) to try and help convince a customer of ours to stop deploying it on workstations.  IE6 still holds about 33% of the browser market share, but Microsoft stopped mainstream support for it in April of 2009.  IE6 runs ActiveX controls at the same privilege as the browser, which is the same privilege as the user – typically administrator level.  And according to Secunia there are 23 known unpatched vulnerabilities in IE6 – including one which has been around since 2003.

And in a timely post from Brian Krebs on his new site krebsonsecurity.com, there’s a very simple way to crash IE6.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):  ms-its:%F0:

So, what are we missing? Are there any other reasons I can throw at this customer to put IE6 out to pasture? Let me know in the comments.


The cost of a compromised record

According to a new article on TechTarget, a study by the Ponemon Institute has revealed the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at http://www.encryptionreports.com/ after giving away some personal details.

The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of the breach by establishing a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms and new investments made in technology and employee education.

In our down economy, it is interesting that the cost of data breaches has been rising for five years running.  If I were cynical, I might suggest that one of the reasons for the constantly increasing costs in this study is the partnership with PGP, who sells products designed to protect you in the case of a lost laptop or storage device.

That said, I’m not even sure that those items above can accurately represent the cost of data breaches, especially in certain environments.  The loss or damage of reputation caused by a data breach can be so devastating that the monetary cost can’t even be calculated.  If you don’t know what I’m talking about, what is the first thing that comes to your mind when I mention Heartland Payment Systems, TJX, or the Department of Veterans Affairs?  These organizations have suffered tremendously because of wide (and widely publicized) data breaches.  Imagine the firestorm of criticism if some of the most trusted companies were to suffer data breaches along the lines of Heartland’s.

In addition to the loss of reputation, what are other costs of data breaches that the Ponemon study doesn’t reveal? Let us know in the comments.
