Enabling Secure Business Operations

Passwords… again…

This article from the Seattle Times starts off like this:

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert Mueller.

I’m not sure everyone is aware of how easy it is to use Rainbow Tables against Windows networks. Ophcrack 2 is a quite speedy implementation that uses Rainbow Tables to quickly crack Windows network passwords. Try it against your network; you might be surprised.

Yawn… yet another argument against passwords and for the use of stronger authentication mechanisms.


NIH FCU ID theft

NIH Federal Credit Union is the most recent identity theft case – except this time, nothing was stolen and nothing was broken into. The CU isn’t acknowledging that it’s an inside job, but really, what else could it be?

I have a friend who went to GWU and so has an account there. He hadn’t heard anything about it when I called him last night to tell him. Now, according to the press report, only those who are already victims of identity theft will get a credit report and a year of monitoring service. I find that amusing, as when laptops were stolen or lost and people may or may not have been affected, these groups were offering monitoring service. Now we have a case where they know people have been affected, and they’re not offering the monitoring service.

My friend is calling them up soon to talk to them about it, I’ll let you know what comes of it.


OMB Requires Laptop Security

Stung by recent laptop losses, thefts, and disclosures of private information, the OMB has issued guidelines for Federal employee laptop security, as the Washington Post is reporting. You can read the OMB memo as well. Unfortunately, the OMB is (in my opinion) unnecessarily rushing things by giving agencies 45 days to comply. In my experience, rushed implementations lead to:

  • Users unhappy with another barrier to their work
  • Vendors forcing sales at risk of non-compliance
  • Laptops which you think are secure really aren’t
  • Data loss when recovery procedures aren’t well thought out

We’ll see how this one plays out… I expect there are more losses and problems ahead for the Federal Government.


Social Engineering strikes again

I can’t say that I haven’t participated in something like this before, because I have. Social Engineering is still the easiest way to get into a system.

In this case, users found random USB tokens and plugged them into their computers. I’ve seen the same thing happen with CDs, DVDs, and floppies. It’s the same “hack”, different media.

The problem administrators have is that the more security they pile on (i.e., disabling all USB ports), the more inconvenienced users are, and the more they complain that they can’t get their job done.


Funny Story

Forwarded to me in an email, and worth sharing. The full story is on ComputerWorld’s Shark Tank, but here’s a synopsis:

Setting up 150 user accounts seemed like a simple enough job to keep a non-technical intern busy. The intern is instructed to create passwords that consist of a word from the dictionary, followed by two or three digits.

Rather than creating passwords like ‘book345’ or ‘house57,’ he instead found a list of the 200 most commonly misspelled words to generate the passwords… As expected, we fielded numerous support calls from users trying to enter passwords such as ‘accommodate85’ and ‘asphyxiate33.’


Protecting Private Information

In the article Invasion of the Computer Snatchers, the Washington Post author conducts an interview with a person who controls a botnet, with the understanding that his identity would be protected. A Slashdot commenter found that the metadata of the picture taken of the individual contained the location where the photo was taken: Roland, Oklahoma, a town of less than 3000 people. Figure less than 1500 males, and significantly fewer in the age group depicted in the article… This guy is probably in trouble.

One has to wonder how many times newspapers and news organizations make simple slip-ups such as this. Granted, I have no sympathy for someone who is making a profit off a botnet, but the news media’s trustworthiness related to privacy just took a hit.
(via an old Metafilter post)
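As an added example that is not part of the original post, here is a small Python JPEG segment walker that reports and strips the Exif (APP1), other APPn and comment segments that carry this kind of metadata, so a photo can be checked and cleaned before publication. The sample JPEG bytes are constructed for the demonstration, not a real photograph.

```python
# Added example (not from the original post): detect and strip metadata segments
# (Exif/APP1, other APPn, COM) from a JPEG before publishing it.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}  # APP1..APP15 and COM (APP0/JFIF stays)

def iter_segments(data):
    """Yield (marker, raw_segment_bytes); the SOS entry carries the rest of the file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:   # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, data[pos:]    # entropy-coded scan data follows; keep verbatim
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def find_metadata(data):
    """Return [(marker, identifier)] for each metadata-carrying segment, in file order."""
    found = []
    for marker, seg in iter_segments(data):
        if marker in METADATA_MARKERS:
            ident = b"COM" if marker == 0xFE else seg[4:seg.find(b"\x00", 4)]
            found.append((marker, ident.decode("ascii", "replace")))
    return found

def strip_metadata(data):
    """Return a copy of the JPEG with APP1..APP15 and COM segments removed."""
    return b"".join(seg for marker, seg in iter_segments(data) if marker not in METADATA_MARKERS)

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, an Exif APP1 segment, a quantisation table, SOS + scan data, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE1, b"Exif\x00\x00II*\x00" + b"\x00" * 8)
               + _segment(0xDB, b"\x00" + b"\x01" * 64)
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\x56" + b"\xff\xd9")

if __name__ == "__main__":
    print(find_metadata(SAMPLE_JPEG))                   # [(225, 'Exif')]
    print(find_metadata(strip_metadata(SAMPLE_JPEG)))   # []
```

Run the walker over every image before it goes to a CMS or wire service; a non-empty result from find_metadata is the signal that a human review or a strip is required.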


Protecting against well-meaning users

There is a post at IT Conversations with Alan Cox’s presentation from the 2005 European Open Source Convention, entitled Computer Security – The Next 50 Years. It’s a 20-minute talk available to stream or download as an MP3, and Alan brings up some interesting points. I’ve transcribed his introduction below.

If we’re going to talk about security, we need to talk about the threat. What is the biggest threat out there? Well, as far as we can tell—I can tell at least—in the longer term, the nightmare security risk is the employee, or the person using the computer system. They’re really inconvenient things. You can’t formally verify people—it just doesn’t work. They operate inside of your security system, in most cases, so they can actually do their job. They work for you, and worse than that, they mean well. If they were malicious, you could get rid of them. If they mean well, they’re harder to deal with. So, a lot of security in the future has to be around stopping people who mean well, doing things they shouldn’t.

This was linked on Slashdot this morning and some good discussions followed.


Biometrics

…are bound to lead to interesting behavior, including this Jamaican man who replaced his fingerprints with skin from his feet in an attempt to defeat the US-Visit program. I often joke about how painful revocations can be in a biometric system, but this takes the cake!


Fear of Secure Email

This article typifies the feelings of many when it comes to email.

Outside of fictional characters in Cryptonomicon, I’m not aware of anyone else using encrypted email and digital signatures. (Anyone using cryptographic e-mail is in the minority and the exception to the rule.)

I don’t have the time, patience or desire to venture down the path of buying certificates and keys and configuring them on all six of the machines I work from on any given day. This is a non-starter. No one uses this feature. Thus, my point: Email is not secure.

Secure email does not have to be hard, and it does not have to be scary. It starts with protecting your SMTP, POP, and IMAP connections by running them over SSL. Many organizations we work with have their own PKI—using digitally signed and encrypted email with a managed PKI in place is very easy. Others utilize PGP or equivalent technologies. At Gemini, we encrypt all email sent internally using S/MIME.

I agree that people should be aware of the potential insecurities around email—most people consider that email is inherently secure and is sent directly from the sender to the recipient. (Neither is true.) I don’t agree that we need to be afraid of implementing solutions. One does not have to be a fictional character to take privacy seriously enough to make email more secure.
