June 29th, 2006
NIH Federal Credit Union is the most recent problem with identity theft – except this time, nothing was stolen, nothing was broken into. The CU isn’t acknowledging that it’s an inside job, but really, what else could it be?
I have a friend who went to GWU and so has an account there. He hadn’t heard anything about it when I called him last night to tell him. Now, according to the press report, only those who are already victims of identity theft will get a credit report and a year of monitoring service. I find that amusing, as when laptops were stolen or lost and people may or may not have been affected, these groups were offering monitoring service. Now we have a case where they know people have been affected, and they’re not offering the monitoring service.
My friend is calling them up soon to talk to them about it; I’ll let you know what comes of it.
Posted in users by Laura Raderman | No Comments »
June 29th, 2006
Stung by recent laptop losses, thefts, and disclosures of private information, the federal government has issued OMB guidelines for federal employee laptop security, as the Washington Post is reporting. You can read the OMB memo as well. Unfortunately, the OMB is (in my opinion) unnecessarily rushing things by giving agencies 45 days to comply. In my experience, rushed implementations lead to:
- Users unhappy with another barrier to their work
- Vendors forcing sales at risk of non-compliance
- Laptops which you think are secure really aren’t
- Data loss when recovery procedures aren’t well thought out
We’ll see how this one plays out… I expect there are more losses and problems ahead for the Federal Government.
Posted in users by Peter Hesse | 1 Comment »
June 22nd, 2006
According to this InfoWorld article, researchers have disclosed that they were able to compromise a laptop through a buggy wireless card driver.
“You don’t have to necessarily be connected for these device driver flaws to come into play,” [Jon] Ellch [a student at the U.S. Naval postgraduate school in Monterey, California] said. “Just because your wireless card is on and looking for a network could be enough.”
Personally, I’m surprised this hasn’t happened earlier. It gives you a good reason to leave that wireless radio turned off when you don’t need it.
Posted in hardware by Peter Hesse | No Comments »
June 16th, 2006
Fraudsters have taken advantage of a weakness in PayPal’s application to insert some XSS which ends up feeding your credit card number to their site. Surprisingly, it was first caught by Netcraft’s anti-phishing toolbar rather than by security experts. The full story is on Netcraft’s site.
Posted in software by Peter Hesse | No Comments »
June 14th, 2006
In fact, that may be the reason why it seems as though privacy is sacred across the pond, and up for grabs in the States.
Nearly 40 U.S. states now require public notification of security breaches, while EU member states have only started to consider this requirement.
This means that Europe could be experiencing just as many breaches as the U.S., but several factors make it more likely that U.S. breaches will be publicized. Indeed, 94% of the EU companies surveyed by Ponemon/White & Case reported that they had experienced a breach in the past three years, compared with 86% for the U.S. sample.
Within the past year we’ve heard many horror stories here in the US about how our personal information is being stolen, sold, and passed around to anyone who wants it. A stolen laptop in Maryland, a data breach at UC Berkeley, and don’t forget about ChoicePoint... the list goes on.
Mix all of this with news about military USB tokens being sold in Afghan markets and NSA wiretapping, and it seems as though none of our information is safe in the US while our European counterparts are immune to this sort of thing.
Here’s an article examining why this seems to be the case, but might not be after all.
Perhaps some of you have encountered this perception when dealing with European companies from the US, or hold it yourselves. It’s best to examine our perceptions from time to time, even if we decide not to tell anybody.
Posted in Uncategorized by Anil Polat | No Comments »
June 12th, 2006
About a month or so ago, I posted this about the Authenex A-Key hardware token.
A small update: the A-Key has been FIPS 140-2 Level 3 validated, putting it in a select group of hardware tokens to be awarded this government rating.
The full article can be found here.
Posted in Uncategorized by Anil Polat | No Comments »
June 8th, 2006
I can’t say that I haven’t participated in something like this before, because I have. Social engineering is still the easiest way to get into a system.
In this case, users found random USB tokens and plugged them into their computers. I’ve seen the same thing happen with CDs, DVDs, and floppies. It’s the same “hack”, different media.
The problem administrators have is that the more security they pile on (i.e., disabling all USB ports), the more inconvenienced users are, and the more they complain that they can’t get their job done.
Posted in users by Laura Raderman | 1 Comment »
June 6th, 2006
Microsoft has recently announced pricing and licensing details for their OneCare Live service. Question: will users really pay the company that gave them an operating system susceptible to viruses, spyware, and malware an additional $50/year?
Posted in vendors by Peter Hesse | No Comments »
June 1st, 2006
As reported in eWeek, Vista Beta 2 includes Address Space Layout Randomization, or ASLR.
[Michael Howard, Sr. Security Program Manager at Microsoft] said the job of ASLR is to move function entry points around in memory so they are in unpredictable locations. In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a one-in-256 chance of getting the address right.
It’s a little something which might thwart malware attempting to exploit buffer overflows. It will probably help. I hope it doesn’t introduce some sort of bug, though. Imagine if your program crashed unexpectedly one out of every 256 times it ran.
Then again, how different is that from what I deal with today?
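A worked model of the one-in-256 figure quoted above, added here as an example and not taken from the post, eWeek, or Microsoft. It assumes the load address is re-chosen on every process start and that each wrong guess crashes the process (both are modelling assumptions), then compares the exact geometric-distribution numbers with a seeded simulation.

```python
import random
from fractions import Fraction

SLOTS = 256  # number of possible load addresses quoted for Vista Beta 2


def first_try_probability(slots=SLOTS):
    """Chance that one hardcoded address matches the randomized location."""
    return Fraction(1, slots)


def success_within(attempts, slots=SLOTS):
    """Probability that a fixed-address exploit works within `attempts` runs,
    assuming the address is re-randomized after every crash."""
    return 1 - Fraction(slots - 1, slots) ** attempts


def expected_crashes_before_success(slots=SLOTS):
    """Mean number of failed (crashing) attempts before the first hit.
    Geometric distribution with p = 1/slots has mean (1 - p) / p = slots - 1.
    Each of those failures is a process crash a defender can see in crash
    telemetry, which is why ASLR also acts as a noisy early-warning signal."""
    return slots - 1


def simulate(trials, slots=SLOTS, seed=1):
    """Monte Carlo cross-check: average failed attempts per successful trial.
    The RNG is seeded so the result is reproducible (constructed data)."""
    rng = random.Random(seed)
    total_failures = 0
    for _ in range(trials):
        guess = rng.randrange(slots)             # attacker's hardcoded guess
        while rng.randrange(slots) != guess:     # each load picks a new slot
            total_failures += 1
    return total_failures / trials


if __name__ == "__main__":
    print("first try:", first_try_probability())
    print("within 256 attempts:", float(success_within(256)))
    print("expected crashes:", expected_crashes_before_success())
    print("simulated crashes:", simulate(2000))
```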
Posted in software by Peter Hesse | No Comments »