Archive for May, 2006

May 22 2006

What was he doing with 26 million records on his laptop?

Published under Government, PCI

What legitimate reason could anyone have for leaving 26 MILLION records on their laptop?  What was this person doing?  Why would you take a database this size home with you?

I’m a veteran, and even though I got out of the Army over 17 years ago, there’s a chance that my records were amongst those stolen.  I’d like to know exactly why this VA employee thought that taking home a database of this size would be an acceptable business practice.  What’s it going to take to drive it home to these people that this data is valuable and should be treated as such?  The article says that this was not authorized, but there weren’t the technical safeguards in place to prevent it, which means the VA wasn’t taking the situation seriously enough.


One response so far

May 22 2006

Dennis really has been listening.

Published under General

My friend Dennis McDonald has not only been listening to me, he’s internalized the conversation.  Over the weekend he saw and understood the problem with a bad process around the physical security at the National Institutes of Health when he went to drop off a friend.

We’re part of a day and age where security is becoming more important than privacy or freedom of speech.  The problem is, we’re not getting real security, we’re getting a poor illusion of it.  Dennis’ experience with NIH is a perfect example of this.  The process doesn’t work, either because it’s being poorly implemented (didn’t check under the hood, used the equipment improperly) or because the security measures aren’t appropriate to the situation.  Once Dennis was inside the firewall, er, I mean fence, there was apparently little or no monitoring of where he went.  And there was no egress filtering to make sure he left the site.

This strikes me as a security process that was implemented so that management can say they have security measures.  They don’t necessarily have to be effective, they just have to be in place.  Unluckily, this use of security measures is all too common on the network as well as in the real world.


No responses yet

May 22 2006

Getting hammered by comment spam today

Published under Site Configuration

I’m not sure why, but I’m getting hammered by comment spam today.  Normally I might get a hundred a day, most of which are caught by my filters.  I’m trying to keep up with spam, but it’s hard to do when I’m supposed to be working.  :-)


No responses yet

May 19 2006

Mass Defacement by Turkish hacker

Published under Hacking

If the numbers at Zone-H are to be believed, a Turkish hacker called Iskorptix has defaced over 38,000 web sites in the last day or so.  And the number is apparently still rising.  From what I can see of the statistics, all of the sites appear to be Windows 2003 servers.  I wonder if this is a 0-day vulnerability or a known vulnerability that hasn’t been patched.


No responses yet

May 19 2006

Is your resume in this listing?

Published under Privacy

Have you ever put your resume online?  I used to have mine on the site, but when I moved to a new server earlier this year I decided not to move my resume over, and now I’m glad I didn’t.  My friend, Dennis McDonald, just sent me a link to a page that’s nothing more than a series of links to people’s online resumes.  Some 65,000 online resumes!  This was probably fairly trivial to program, and it illustrates why you probably don’t want to place your resume on a web site.  The amount of personal information on each one of these resumes is probably enough for someone malicious to do a lot of damage, if not to your bank account then possibly to your reputation.  Be careful what you disclose online.

Note to self: It helps if you actually put the hyperlinks in the posting.


No responses yet

May 19 2006

Gartner podcast on the PCI standards

Published under PCI, Podcast

I found an interesting podcast by Gartner on the Payment Card Industry (PCI) Data Security Standards.  The fact that I found most interesting was that only 17% of the approximately 280 Level 1 merchants are fully PCI compliant.  This percentage doesn’t surprise me at all, but it did surprise me that Avivah Litan was quoting Visa as the source of this statistic. 

I’m not the biggest fan of Gartner because they often inflate issues to make them more sensational (Can you say “IDS is dead”?).  There was none of that in this podcast.  If they keep up this level of podcasting, I may have to start listening on a regular basis.


One response so far

May 18 2006

My ugly mug

Published under Site Configuration

[Photo: My ugly mug, originally uploaded by mmckeay.]

I’m playing with my phone and Flickr just to see if I can send from my phone to Flickr to the blog. Typing on the phone is painfully slow so I won’t be doing it very often.


No responses yet

May 18 2006

What’s wrong with the NSA collecting records? It’s a human rights violation, that’s what

Published under Government, Privacy

I don’t have a lot of time to go into this, so it’s a good thing Bruce Schneier has done the heavy lifting for me.  Michael Farnum, as well as a lot of other people, don’t see what’s wrong with the NSA and the government monitoring our phone calls.  “If you’re not doing anything wrong, who cares if they monitor your conversations?” is the common phrase.  Well, Bruce goes into what’s wrong, and it boils down to the expectation of privacy being a basic human right, along with free speech and freedom from wrongful imprisonment.   The government has no right to my phone records unless they have a reasonable assurance that I’ve done something wrong.  And no, just calling Iraq or Iran is not ‘reasonable assurance’. 

I’ve said it before and I’ll say it again:  We’ve lost more of our constitutional rights in the last 5 years than we had in the previous 50.  This has got to stop.


No responses yet

May 17 2006

4-5 Gigs per second of traffic sent against UltraDNS

Published under Hacking

According to Brian Krebs at the Washington Post, Blue Security is being kicked in the teeth just for fun after having thrown in the towel in its fight against spammers.   The DDoS attack isn’t actually directed against the Blue Security site, it’s being targeted at their DNS provider UltraDNS.  The spammers are using a DNS reflection attack to get legitimate DNS servers to flood the UltraDNS servers with requests at a rate of 4-5 gigabits per SECOND.  As Brian says, I don’t think there’s more than one or two sites on the whole Internet that might be able to still provide service through an attack like this.  Every client of UltraDNS is being affected by this attack.

I can barely begin to imagine what it’s like to be the subject of an attack of this magnitude, and I have no idea how anyone could plan for dealing with it.  It’s not like UltraDNS can have their service provider temporarily stop DNS traffic to their site.  And most of the traffic is coming from legitimate, if poorly configured, DNS servers, so they can’t block specific sites from making DNS requests.  UltraDNS is supposed to be one of the experts in this field, but I don’t think even they were ready for the ferocity of this attack.
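The "poorly configured" servers in the post are the reflectors: a resolver that answers recursive queries for anyone can be made to send its (large) answers at whatever address the attacker forges as the query source. An operator of such a resolver can see this happening in the query log. The script below is an added example, not code from the original post or from UltraDNS, Blue Security or anyone mentioned in it. It parses constructed BIND-style query-log lines (the format and the RFC 5737 documentation addresses are assumptions for the example) and flags a source that sends a burst of identical, amplification-friendly queries (ANY, TXT, DNSKEY, RRSIG) from a single fixed port, the pattern that a spoofed reflection flood leaves behind; the thresholds are illustrative, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the constructed BIND-style query-log lines used below; the trailing
# "+ (server-ip)" part of each line is not needed and is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Query types whose answers are far larger than the question, so a reflection
# flood favours them to amplify the traffic that reaches the spoofed source.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample input (assumption): addresses come from RFC 5737 ranges.
VICTIM = "203.0.113.7"  # the forged source address, i.e. the flood's real target
BENIGN_LINES = [
    "17-May-2006 10:00:00.010 client 192.0.2.20#41523: query: www.example.com IN A + (198.51.100.5)",
    "17-May-2006 10:00:00.250 client 192.0.2.20#50311: query: mail.example.com IN MX + (198.51.100.5)",
    "17-May-2006 10:00:01.100 client 192.0.2.21#38877: query: example.org IN AAAA + (198.51.100.5)",
]
# Thirty identical ANY queries within one second, all "from" the victim on port 53.
FLOOD_LINES = [
    f"17-May-2006 10:00:00.{i * 30:03d} client {VICTIM}#53: query: example.net IN ANY + (198.51.100.5)"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + FLOOD_LINES)


def parse_line(line):
    """Return a dict for a recognised query-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
    }


def analyze(log_text, per_second_threshold=20):
    """Summarise each source's behaviour and mark sources that look like reflection targets."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in sorted(by_ip.items()):
        # Peak query rate: bucket by whole second and take the busiest bucket.
        per_second = defaultdict(int)
        for r in recs:
            per_second[r["ts"].replace(microsecond=0)] += 1
        peak = max(per_second.values())
        amp_share = sum(r["qtype"] in AMPLIFYING_QTYPES for r in recs) / len(recs)
        distinct_qnames = len({r["qname"] for r in recs})
        distinct_ports = len({r["port"] for r in recs})
        # A real client spreads queries over names and random source ports;
        # a spoofed flood repeats one amplifying query at high rate.
        suspicious = (
            peak >= per_second_threshold and amp_share >= 0.8 and distinct_qnames <= 2
        )
        findings.append({
            "ip": ip, "queries": len(recs), "peak_per_second": peak,
            "amplifying_share": round(amp_share, 2), "distinct_qnames": distinct_qnames,
            "distinct_ports": distinct_ports, "suspicious": suspicious,
        })
    return findings


def suspected_reflection_sources(log_text, per_second_threshold=20):
    """Sorted list of source addresses whose traffic matches the reflection pattern."""
    return sorted(f["ip"] for f in analyze(log_text, per_second_threshold) if f["suspicious"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print("suspected reflection targets:", suspected_reflection_sources(SAMPLE_LOG))
```

Note what the flagged address means: it is the spoofed victim, not the attacker, which is exactly the point the post makes about UltraDNS being unable to block "sources". Dropping its queries only finishes the attacker's job for them. The useful response on the reflector side is to stop being a reflector: answer recursive queries only for your own clients and rate-limit the responses you send to any single destination.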


No responses yet

May 17 2006

PCI standards getting an update … or is it a downgrade?

Published under PCI

According to ZDNet, Visa and Master Card are issuing an update to the Payment Card Industry (PCI) Data Security Standards later this year.   I’m trying to find more details on the exact nature of the changes, but if this article is correct, I’m not going to be happy with the update.  On the good side, the standards are going to start requiring testing at the application layer to make sure the applications used by merchants are secure.  On the bad side, and it’s a biggy, the standards are going to reduce the requirements for encryption of all sensitive data. 

Encryption is being cited as being too difficult for merchants to implement, especially for smaller merchants using older systems.  I’m sorry, but I just can’t accept that as a viable justification for putting customer information at risk.  Encryption is meant to be the last line of defense for customer data, not only from the bad guys outside your network but also the bad guys inside your network.  End to end encryption of credit card data has probably been the single biggest strength of the PCI standards and I’m very nervous that Visa and Mastercard are thinking about loosening these standards.

I feel for merchants who have to pay the expense of upgrading their systems to include database and network encryption.  But I believe it’s part of the cost of doing business and absolutely necessary.  The cost of encryption pales in comparison to the cost of customer data being compromised and the hit your company’s credibility will take.  I haven’t seen the new requirements Visa and Mastercard are proposing but I hope they aren’t weakening the encryption requirements as much as the ZDNet article makes it sound.

Thanks to Leo Laporte for bringing this to my attention

Additional notes: I found a new PCI resource in the comments on the article, the PCI Auditor Community site. This is a forum aimed specifically at, of all things, PCI Auditors. It’s managed by Dave Shackleford and Mike Dahn, who do a lot of PCI QDSP training.


6 responses so far
