Archive for April, 2006

Computers…Armed and Dangerous

Wednesday, April 12th, 2006

Interesting report…my thoughts follow the story…

"Internet hunting ban

The Kentucky Legislature on Tuesday voted to outlaw the practice of using the Internet to fire remote-controlled rifles at live animals.  A spokeswoman for Governor Ernie Fletcher said the governor intends to sign the bill banning internet hunting.  No such facilities exist in the state, but all Kentuckians would be banned from hunting on such sites, even if the target is in another state or country. At least 10 other states have passed similar measures.  State Representative Robin Webb, a Democrat who sponsored the bill, said she considers internet hunting unsportsmanlike.  The flurry stems from a Texas website that let users fire at animals from the privacy of their homes. At the urging of sportsmen’s groups, Texas banned such operations last year."

Holy cow!  Or, considering I live in the country in Iowa and know the capabilities of largely city-living "hunters" coming out to the country to hunt with no knowledge of animals outside of a zoo, I should say HOLEy Cow!  I never even thought about this possibility before; using the Internet in conjunction with a webcam to fire a rifle or shotgun. 

And, yes, it certainly is unsportsmanlike.  Beyond that, it is just downright dangerous.  I’ve seen many people new to nature (putting it kindly) shoot at cats mistaking them for rabbits and shoot at cows and horses that they only had a glimpse of through the woods or grass thinking they were deer.  And then of course there are those who are trigger happy and will shoot at anything that moves.  Can you imagine how many accidental shootings could possibly occur if all it took was the press of a computer key from miles away to fire a gun (yes, I thought of several snide remarks about Cheney, but I’ve suppressed them.), not to mention potential premeditated shootings.

Now I don’t know what is involved with these Internet hunting "sites", and you may wonder what the heck this has to do with information security or privacy.  However, as I read this I thought of how this kind of gun-firing surveillance setup merges technology more and more into the physical world, creating new privacy concerns and physical safety concerns at the same time.  Shooting a gun through the use of a webcam placed who-knows-where on private property (I get MANY hunters wanting to hunt on my private land…which I don’t allow), where the cams could see people within their own homes and on their own property, really does present a privacy and safety risk to those people, to the many children that play outside, and to the pets and livestock on the property, just to name a few.

Guns in the hands of firearms-ignorant people are dangerous…guns under the control of whoever happens to remotely pull the trigger, accidentally or on purpose, from miles away, relying on the fuzzy images they see through a cam, are very, very, very dangerous…and a very real privacy concern to boot.

In case you’re curious, at least 10 states (Delaware, Hawaii, Maine, Michigan, Minnesota, North Carolina, South Carolina, Vermont, Kentucky and Wisconsin) and possibly up to 12, ban Internet hunting, and a federal bill, H.R. 1558, prohibits "certain computer-assisted remote hunting, and for other purposes."  Here is an excerpt from that short bill:

"(a) PROHIBITION.—Whoever, using any instrumentality of interstate or foreign commerce, knowingly makes available a computer-assisted remote hunt shall be fined under this title or imprisoned not more than 5 years, or both.
(b) EXCEPTION.—Providing an instrumentality of commerce, such as equipment or access to the Internet, is not a violation of this section unless the provider intends the use of the equipment or access for a computer-assisted remote hunt.
(c) CONSTRUCTION WITH OTHER LAW.—Nothing in this section limits the power of State and local authorities to enact laws or regulations concerning computer-assisted remote hunting facilities.
(d) DEFINITIONS.—In this section—
(1) the term ‘computer-assisted remote hunt’ means any use of a computer or any other device, equipment, or software, to allow a person remotely to control the aiming and discharge of a weapon so as to kill or injure an animal while not in the physical presence of the targeted animal; and
(2) the term ‘instrumentality of interstate commerce’ means any written, wire, radio, television, or other form of communication in, or using a facility of, interstate commerce."

Well…does that give you the warm fuzzies…?  Seems to only apply to using Internet hunting capabilities across state lines.

Maybe I’m making a mountain out of a mole-hill, but such a scenario that merges privacy, safety, surveillance, and gunfire, sure seems like a frightening possibility down the road if we are not already at the crossroads…

Destroy or Encrypt the Data Remotely from Stolen and Lost Computers…as Long as the Bad Guys Don’t Get Wise…

Tuesday, April 11th, 2006

Today there were several news reports about a new service "that makes it possible to encrypt or delete data even after a laptop has gone missing."  This sounds great!

Let’s read on…

"The new Everdream "Theft Recovery Managed Service" allows organizations to retain control over lost or stolen PCs and laptops, the Fremont, Calif., company said in a statement. The service also can assist law enforcement with the tracking, locating and recovery of computers, the company said.

When a missing PC is connected to the Internet, it automatically contacts Everdream. This triggers encryption or deletion of data on the computer, based on the customer’s setting, Everdream said.

At the same time, information on the Internet connection used by the lost computer is stored. This can help locate and recover the PC, Everdream said. The service won’t work, however, if the computer’s hard disk has been formatted, because the Everdream software resides on the hard disk, an Everdream representative said."

I’m really interested to see what type of configuration possibilities this "service" has available. 

The weakness in this system is, "The service won’t work, however, if the computer’s hard disk has been formatted, because the Everdream software resides on the hard disk."

Well, of course you can’t wish for technology miracles, and technology certainly has its weaknesses.  However, if the bad folks with their hands on stolen or lost computers know about this, it is likely they will first copy all the data, and not the Everdream software, onto a separate storage device and then reformat the hard drive, thus getting all that valuable data.  Of course, if the bad guys don’t keep up on this news, they will probably not know to do this, will they?  🙂

Sounds like a nice mobile computing device security possibility, though…worth looking into…

Example of the Insider Threat: An Insider Information Leak in the Honolulu FBI Office

Monday, April 10th, 2006

Wayne Sumida brought this story to my attention…thanks Wayne!

The Honolulu Advertiser reported on Saturday a case of a trusted FBI employee leaking sensitive information to drug traffickers.  This is a good example of the need for organizations to implement practices to help ensure trusted insiders can still be trusted.  In this case a secretary with the FBI had authorized access to the same information to which the FBI agents had access.  She apparently subsequently gave this confidential information to her husband, who then passed it on to members of a drug ring.

This illustrates one of the many ways in which trusted insiders can present huge risks to confidential and sensitive information, and supports the findings of the annual CERT/Secret Service insider threat study.

When you have trusted insiders with access to sensitive information, seriously consider doing the following, in addition to your other precautions, to help address the accompanying risks:

  • Give individuals access to only the information they need to perform their job responsibilities.
  • Establish formal grievance procedures and additional forums for employees to voice concerns about work practices; dissatisfied employees are the most likely to compromise security.
  • Train management, and really all personnel, how to identify red flags associated with personnel who experience negative work-related events.
  • Provide ongoing awareness messages to personnel about the need to protect the sensitive information to which they have access, and remind them of the possible sanctions for information leaks.
  • Provide ongoing targeted training and awareness for personnel with access to sensitive information.
  • Perform regular background, criminal and credit checks on personnel with access to particularly sensitive information.
  • Implement access logs to keep track of the individuals accessing sensitive information, and when they are accessing it.
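The first and last items above (need-to-know access and access logging) only pay off if someone actually reviews the logs against who is supposed to see what. The following is an added example, not from the original post or from the FBI case, showing how such a review could work: it checks a constructed access log for a case-file system against a constructed need-to-know map and flags the pattern the story describes, clerical staff opening investigative records. All users, roles, categories and log lines are made up for illustration.

```python
# Added example: review a sensitive-record access log against a need-to-know
# map. Roles, users, categories and log lines are all constructed.
from collections import defaultdict
from datetime import datetime

# Constructed need-to-know map: which record categories each role may open.
ROLE_SCOPE = {
    "agent": {"narcotics", "fraud"},
    "secretary": {"admin"},      # clerical staff need no case files
    "analyst": {"fraud"},
}
USER_ROLE = {"agent01": "agent", "sec02": "secretary", "an03": "analyst"}

# Constructed log lines: timestamp,user,action,category,record_id
SAMPLE_LOG = """\
2006-04-07T09:12:00,agent01,read,narcotics,C-1001
2006-04-07T09:15:00,sec02,read,admin,A-22
2006-04-07T22:41:00,sec02,read,narcotics,C-1001
2006-04-07T22:42:00,sec02,read,narcotics,C-1002
2006-04-07T22:44:00,sec02,export,narcotics,C-1003
2006-04-08T10:03:00,an03,read,fraud,F-77
"""

def parse_log(text):
    """Parse the comma-separated lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, record = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "category": category, "record": record})
    return rows

def review_access(rows, office_hours=(7, 19), export_actions=("export",)):
    """Return (user, reason, record) findings for three checks: access outside
    the role's need-to-know scope, access outside office hours, and export
    of a sensitive record. Unknown users get an empty scope, so every
    record they touch is flagged."""
    findings = []
    for r in rows:
        scope = ROLE_SCOPE.get(USER_ROLE.get(r["user"]), set())
        if r["category"] not in scope:
            findings.append((r["user"], "outside need-to-know", r["record"]))
        if not office_hours[0] <= r["ts"].hour < office_hours[1]:
            findings.append((r["user"], "off-hours access", r["record"]))
        if r["action"] in export_actions:
            findings.append((r["user"], "export of sensitive record", r["record"]))
    return findings

def users_to_review(findings, threshold=2):
    """Users with at least `threshold` findings, for management follow-up."""
    counts = defaultdict(int)
    for user, _, _ in findings:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed log only the secretary account trips the checks; an agent reading a narcotics file during office hours produces no finding, which is the point of scoping the alerting to need-to-know rather than to "sensitive" alone.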

Of course, some people with trusted access will do bad things regardless.  However, being vigilant in your information security and awareness efforts will help to reduce the likelihood of such incidents.

iPod Accomplice for Stolen Credit Card Numbers in San Francisco

Saturday, April 8th, 2006

I read with interest the story published yesterday about the San Francisco man arrested "on 53 felony counts of fraud and forgery for stealing hundreds of credit card numbers, many of which he stored on an iPod."

"Lee had been staying for months at first-class hotels on Nob Hill, using stolen identities and credit cards, The San Francisco Chronicle reported. Lee was arrested outside the Grosvernor Suites hotel after signing a receipt for the delivery of computers he ordered using the name of a San Francisco attorney whose wallet was reported stolen from his Mercedes a few days earlier.  A subsequent search of Lee’s hotel room turned up a list of more than 500 names and credit card numbers, police said.  Among the names were Nancy Pelosi, the House Democratic leader in Congress, and LaRae Quy, spokeswoman for the FBI’s San Francisco office."

I love my iPod…I’m trying to figure out the possible scenarios for how the information could have most easily been stored on the iPod…and the other scenarios in which the data could have been first input to his computer and then transferred to the iPod…very easy but very slow if he input the numbers one at a time from stolen wallets and purses.  A good possibility is that he was able to connect to a network and copy the data from an inadequately secured folder or file on the network…

This recalls the iPod slurping discussed a few weeks ago and how easily a software tool created by Abe Usher could be used to copy, quite quickly, files from a network if an iPod is attached to the network.

Perhaps Lee was actually able to connect to networks with his iPod and use this tool, or something similar?  Perhaps the hotel’s network?  Perhaps through a wireless AP?

Health Information Privacy and Security Week: April 9 – 15; Memories of Seinfeld

Friday, April 7th, 2006

Next week is Health Information Privacy and Security Week, sponsored by the American Health Information Management Association (AHIMA).

Through this week AHIMA is encouraging each person to keep his or her own personal health record (PHR) to "help reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency." I think this is a good idea, but I know that I have not been able to collect all the information each of my healthcare providers has about me and my children, so being able to maintain my own PHR would be quite a challenge.

Even though HIPAA provides folks in the U.S. with the opportunity to view their own PHI, much medical information within patient records falls outside the HIPAA requirements, and healthcare providers often do not want to provide all details to patients, for various reasons.  Remember that episode of Seinfeld where Elaine reads her chart in the doctor’s office, the doctor is upset when she confronts her about it and tells her she shouldn’t be reading her chart?  This reminds me of that episode…there is likely significant information within patient records that most people never know about.

I think raising awareness of health information privacy and security is a great idea, and the other four topics this week highlights are also worth noting.  All five topics, as outlined by AHIMA, are the following:

  1. "Each of your healthcare providers compiles a separate medical record on you. This means your complete history probably cannot be found in any one place. By keeping your own personal health record (PHR), you can provide your doctors with valuable information that can improve the quality of care you receive. A PHR can help reduce or eliminate duplicate tests and allow you to receive faster, safer treatment and care in an emergency.
  2. Federal laws are in place to protect the privacy and give you access rights to your health information. Under the Health Insurance Portability and Accountability Act (HIPAA), you can view, request changes to, and obtain copies of health information documents collected and kept about you.
  3. Your information can only be seen by those who need it in order to provide your treatment, to facilitate payment for healthcare services, and to make sure quality care is being received. Your information may also be used for research and as a legal document in cases where evidence of care is needed. Anyone else who wants to use it for any other purpose needs your permission first.
  4. The healthcare industry and the federal government are working to improve healthcare through the use of information technology. This is done through the use of electronic health records (EHR) and a secure system that would allow EHRs to be shared across healthcare systems and providers to allow you greater access to your health information.  Currently most healthcare providers still manage medical records in a paper format.
  5. At healthcare organizations across the nation, health information management professionals are working to maintain your health record. These professionals are responsible for ensuring your health record is accurate, complete, confidential, and available when you, your doctor, and other healthcare professionals need access to the information."

Good, Free Information Security Materials from the USPS

Friday, April 7th, 2006

Bob Johnston provided a great pointer on the CISSPforum mailing list to good, free information security resources from the United States Postal Service: 7 free fraud and information security awareness DVDs.  Thank you for the heads-up, Bob!

The free awareness DVDs include:

  1. All the King’s Men: Picking Up the Pieces. This DVD is about fraud schemes and how to avoid becoming a victim, and how to recover from fraud.
  2. Nowhere to Run: Cross-Border Fraud. This film illustrates how U.S. Postal Inspectors created task forces with Canadian law enforcement partners to stop "long distance" scams through long distance calls and the Internet.
  3. Web of Deceit: Internet Fraud. This DVD tells the story of a scammer who uses the Internet to victimize unsuspecting consumers around the world until he gets caught in his own web of deceit.
  4. Long Shot: Foreign Lottery Scams. This free DVD tells the story of a foreign lottery fraud victim and the con artist behind the scam.
  5. Work-at-Home Scams: They Just Don’t Pay.  This film tells the story of a new type of work-at-home scam and how a mother gets caught up in it.
  6. Identity Crisis: Protect Your Identity. This DVD tells the story of a couple whose credit is ruined and of the criminals who defrauded them.
  7. Delivering Justice: Dialing for Dollars. This DVD tells the story of a phone investment "opportunity" scam and the lives that are ruined by these criminals.

Huge Police Oops in Australia

Wednesday, April 5th, 2006

A database with around 800 people’s email addresses and corresponding passwords was accidentally posted to the Internet by the NSW police in Australia.  Besides demonstrating how the actions of individuals affect information security, the passwords posted also show that more education is necessary to help people choose strong passwords…even if the password file had not been posted, it’s likely many of these could have easily been discovered with a password cracker, or guessed by someone who knows the corresponding people.  And…why weren’t the passwords encrypted in storage…?
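As an added illustration of the two points above (this is example code, not anything from the post or from the NSW police system): what the leaked table would have looked like had the passwords been stored as salted, iterated hashes rather than in the clear, together with a minimal strength check that rejects the short, common, or email-derived passwords a cracker or an acquaintance would guess first. The iteration count and the common-password shortlist are assumptions.

```python
# Added example: salted PBKDF2 password storage plus a basic strength check.
# ITERATIONS and COMMON are assumptions; sample inputs are constructed.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: cost tuned for current hardware

def store_password(password, salt=None):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt per user means identical passwords produce
    different records, so a leaked table cannot be attacked in bulk with
    one precomputed list."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """True if password matches the stored record; compares in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed shortlist

def is_weak(password, email=""):
    """Reject passwords that are short, on the common list, or built from the
    local part of the user's own email address."""
    local_part = email.split("@")[0].lower()
    p = password.lower()
    return (len(password) < 10 or p in COMMON
            or (len(local_part) >= 4 and local_part in p))

if __name__ == "__main__":
    rec = store_password("correct horse battery")
    print(rec)                                  # what a leaked row would show
    print(verify_password("correct horse battery", rec))
    print(is_weak("jsmith2006", "jsmith@example.gov"))
```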

Vermont Incident Demonstrates Many Security Snafus

Monday, April 3rd, 2006

Here’s a Vermont incident reported yesterday that includes many compliance and information privacy and security topics…

  • Theft of a laptop from car
  • Reasons why large databases of personal information should not be stored on mobile computing devices
  • Unauthorized disclosure of personal information
  • The need to report breaches of personal data quickly
  • The ease with which emails can be spoofed
  • The need to encrypt confidential information in storage as well as in transit

This incident really did cover almost the gamut of security gone wrong.

Another Email Oops…

Sunday, April 2nd, 2006

Last Thursday it was reported that the Social Security numbers of the 1,250 teachers and school administrators in the Connecticut Technical High School System were mistakenly sent via e-mail to staff.

"The e-mail was sent to the system’s 17 principals…to inform them about a coming workshop.  The file with the Social Security numbers was attached to the e-mail by mistake".

"At least one principal…then forwarded the e-mail to 77 staff members without opening the attachment containing the Social Security numbers."

A few important lessons here…

  • Humans are the weakest link in the information security chain…train them well…often…and in many ways.  Mistakes will still happen, but individuals will be more alert with good education by your organization.
  • You may be tired of hearing me beat the encryption drum…but the beat goes on…if the file had been strongly encrypted, the data would have been unreadable by the recipients (at least those without the decryption key…which you would hope would be virtually all of them), making this a non-incident.  Encrypt confidential data not only in motion, but also at rest.
  • Confidential data in unstructured forms is highly vulnerable to being compromised.
  • Once you send an email, you might as well consider it has been sent out into the wild…depending upon the email system and features used, you typically have no control over where the email is forwarded to; in this instance at least 94 people now have the SSNs of 1,250 people…and if any of them have also forwarded the email…the possibilities are exponential.

Georgia on my Security Mind…

Saturday, April 1st, 2006

Another incident with hacking in Georgia…this time at Shorter College.  It would be a good exercise to look at the reasons why universities seem to be more susceptible to computer incidents, and think about how to address those vulnerabilities.  Of course their environment is typically much more open than other types of organizations…but would still be a good exercise…
