I’ll have to show my friend John this one and hope he doesn’t bring the Google car back around for a more in-depth picture-taking experience. Of course, the post linking to pictures of John with the Googlemobile was one of those I lost, so here are the pictures (1, 2, 3). If this doesn’t make you think twice about your privacy, nothing will.
Rich and I were joined by a pair of special guests tonight, Marcin Wielgoszewski and Andre Gironda from the ts/sci security blog. The story goes something like this: Andre and Marcin plied Rich with beer after the last SunSec meeting until he agreed to let them on the podcast. In any case, Marcin and Andre bring a level of web application security knowledge we don’t often have on the podcast. They’ll be giving a talk at Shmoocon called Path X: Explosive Security Tools using XPath. Good luck guys, I just wish I could be there (with a couple of shmooballs).
One of the basic tenets I’ve been living with for a while is if it’s online, it’s public. I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site. Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times. Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 Gb file.
One of the things I find mildly surprising is that the creator of the file, DMaul, says he hasn’t found any photos that were “obviously illegal”. I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site. The good news is that even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it. Someone might index the files and place them in an online database though, which would make things interesting again.
The average end user thinks their information is safe with their social media company, if they think about it at all. But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon. This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.
Jeff Jones has just released a PDF, Windows Vista One Year Vulnerability Report. I’m still digging into the report, but I like how he’s shown a side-by-side comparison between the number of vulnerabilities XP had at one year versus the number Vista has had at one year. A number that would be more revealing, but that we’re not going to see, would be the number of open, unpatched vulnerabilities in each system today. That would tell us a lot more about how secure we are, which is what we really want to know. I think Jeff does a very good job of comparing apples to apples in the report, but it doesn’t do much to prove that as of today, Windows Vista is the most secure OS available.
I’m still not upgrading to Vista until I can make sure the 64-bit drivers exist for all of my hardware. Even if Vista is as secure as Jeff asserts, it’s not enough to make the upgrade worthwhile to me.
Rich and I are up to our usual patter on the show tonight. We talked about some of the security news and a concern of my own, credit prevention. A listener, Roman, sent in a request for some career guidance, something Rich and I were only able to scratch the surface of. We’re asking other listeners and readers to leave comments in the show notes with their own suggestions for his career growth.
They’ve reached a pair of milestones over at Tenable. Ron Gula posted the Tenable blog’s 200th post this morning. When you’re posting high quality, technical posts like he does, 200 is quite a lot of writing. Additionally, Tenable has released their 30,000th plugin for Nessus. Ron’s the first to admit that the number of signatures or plugins isn’t a good measure of a security program, but it’s still a major milestone.
Congratulations, Ron. I’m looking forward to the next 200. See you at RSA in April.
Here are a few stories that caught my attention in the last 48 hours.
Hackers cut cities’ power – So much for the invulnerability of the SCADA systems. If it can happen in other countries, it can happen in the US. There might be a bit more effort involved, but it can happen. Chris was nice enough not to include a direct “I told you so”, but he’s obviously pleased to be proven right. Why did I ever think our SCADA network would be any more secure than the rest of the Internet?
Cyber unit pivotal in solving crime online and off – I haven’t listened to this yet, but it’s the first of a four-part series on cybercrime. This could be another tool to use in your own company’s awareness plan. NPR usually does a pretty good job of passing along information without dumbing it down too much.
Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data. And more importantly, he actually knows the names of the players, something I’m terrible at remembering.
NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSNs, which don’t have an expiration date and can be set aside for a year or two and used to commit identity fraud when no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard. I’d like to see if anyone has done an academic survey of the difference in the level of identity theft between populations that have been victims of a breach and the general population, specifically over the long term.
It’s becoming more obvious to me that despite many companies’ best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places where my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.
Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.
I’d say this looks like another case of a box falling off the back of a truck somewhere: Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers. There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted. We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them. We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape? It could add up to quite a number when all is said and done.
A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up. Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data. I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefully. In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything.
I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement. They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions. Even most of the people who have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data. If someone knows of a statistically significant way the credit card companies can track the effects of this breach, I’d like to hear about it.
We’d never have heard about this before California’s SB1386 and the other state laws that have followed. And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved. We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.