Jan 30 2008
I’ll have to show my friend John this one and hope he doesn’t bring the Google car back around for a more in depth picture taking experience. Of course, the post linking to pictures of John with the Googlemobile was one of those I lost , so here are the pictures (1, 2, 3). If this doesn’t make you think twice about your privacy, nothing will.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Jan 29 2008
Rich and I were joined by a pair of special guests tonight, Marcin Wielgoszewski and Andre Gironda from the ts/sci security blog. The story goes something like this: Andre and Marcin plied Rich with beer after the last SunSec meeting until he agreed to let them on the podcast. In any case, Marcin and Andre bring a level of web application security knowledge we don’t often have on the podcast. They’ll be giving a talk at Shmoocon called Path X: Explosive Security Tools using XPath. Good luck guys, I just wish I could be there (with a couple shmooballs)
Show Notes:
Network Security Podcast, Episode 92, January 29, 2008
Time: 35:48
Jan 24 2008
One of the basic tenets I’ve been living with for a while is if it’s online, it’s public. I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site. Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times. Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 Gb file.
One of the things I find mildly surprising is that creator of the file, DMaul, says he hasn’t found any photos that we’re “obviously illegal”. I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site. The good news is even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it. Someone might index the files and place them in an online database though, which would make things interesting again.
The average end user thinks their information is safe with their social media company, if they think about it at all. But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon. This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.
Jan 23 2008
Jeff Jones has just released a pdf, Windows Vista One Year Vulnerability Report. I’m still digging into the report, but I like how he’s shown a side by side comparison between the number of vulnerabilities XP had at one year versus the number Vista has had at one year. A number that would be more revealing, but that we’re not going to see, would be the number of open, unpatched vulnerabilities in each system today. That would tell us a lot more about how secure we are, which is really what we really want to know. I think Jeff does a very good job of comparing apples to apples in the report, but it doesn’t do much to prove that as of today, Windows Vista is the most secure OS available.
I’m still not upgrading to Vista until I can make sure the 64-bit drivers exist for all of my hardware. Even if Vista is as secure as Jeff asserts, it’s not enough to make the upgrade worthwhile to me.
Jan 22 2008
Rich and I are up to our usual patter on the show tonight. We talked about some of the security news and a concern of my own, credit prevention. A listener, Roman, sent in a request for some career guidance, something Rich and I were only able to scratch the surface of. We’re asking other listeners and readers to leave comments in the show notes with their own suggestions for his career growth.
Network Security Podcast, Episode 91, January 22, 2008
Time: 40:30
Jan 22 2008
They’ve reached a pair of milestones over at Tenable. Ron Gula posted the Tenable blog’s 200th post this morning. When you’re posting high quality, technical posts like he does, 200 is quite a lot of writing. Additionally, Tenable has released their 30,000th plugin for Nessus. Ron’s the first to admit that the number of signatures or plugins isn’t a good measure of a security program, but it’s still a major milestone.
Congratulations, Ron. I’m looking forward to the next 200. See you at RSA in April.
Jan 20 2008
Here’s a few stories that caught my attention in the last 48 hours.
Jan 19 2008
Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data. And more importantly, he actually knows the names of the players, something I’m terrible at remembering.
NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSN’s, which don’t have a expiration date, can be set aside for a year or two and used to commit identity fraud when no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard. I’d like to see if anyone has done an academic survey of the difference in level of identity theft in populations that have been victims of a breach and the general population, specifically over the long term.
It’s becoming more obvious to me that despite many companies best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places that my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.
Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.
Technorati Tags: security, McKeay, JC Penney, identity theft
Jan 18 2008
I don’t know if this is fact or fiction, but haven’t we all wanted to sick some hacker’s mother on him? “Wait until your father get’s home!”
Jan 18 2008
I’d say this looks like another case of a box falling of the back of a truck somewhere: Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers. There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted. We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them. We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape? It could add up to be quite a number when all is said and done.
A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up. Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data. I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefuly. In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything.
I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement. They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions. Even most of the people that have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data. If someone knows of a statistically significant way the credit card companies can track the affects of this breach, I’d like to hear about it.
We’d never have heard about this before California’s SB1386 and the other state laws that have followed. And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved. We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.
Technorati Tags: security, McKeay, Iron Mountain, backup, tape
