The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

June 25th, 2006

Irony

Headline: FTC attorney’s laptops stolen
http://www.presstelegram.com/business/ci_3969575

The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

Can you spell “Irony”?
This goes a bit beyond the bare-faced incompetence that we’ve grown used to
and come to treat as the new security baseline at the government.

And here’s another chunk of Irony:

Many of the people whose data were compromised were being investigated for possible fraud and
identity theft, said Joel Winston, associate director of the FTC’s Division of Privacy and Identity Theft Protection.

But what caught my attention in this article was the following:

On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

During the House hearing Thursday, Mike Cook, a co-founder of a company specializing in data breaches, said identity-theft victims typically don’t become aware they’ve been hurt until six months after their data was stolen, when creditors come calling for money owed.

At that point, it’s likely the thieves will have moved on having made just a few purchases so they don’t attract notice and started using another victim’s information.

As a result, a credit monitoring service would raise a red flag after it was too late, Cook said.

So what’s the real use of this credit monitoring that the companies are
handing out in the aftermath of privacy failures if it’s not going to protect
you? “Oh, you’ve had your bank account emptied, your house sold, and your
wife has received a divorce notice. And by the way, your credit is non-existent,
but that may be due to computer hackers….”


Do you want the truth, or a well-designed machination brought
into existence solely for the stroking of your ego?
– Empty on alt.goth

June 23rd, 2006

Microsoft’s strategic insecurity

Bruce Schneier pointed to this in his blog this week:
http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

ZDNet has a discussion about the ethics of such ‘hacking’. If Microsoft sells the XBox cheap so as to generate game revenue is it fair to deny them that by hacking the XBox to run Linux?

This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how not to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes.

To me, this is a good example of FMEA - Failure Mode Effect Analysis. And all my regular readers will know that this is one of my pet subjects :-)

Perhaps the most interesting follow-up is a comment about the limited liability that the manufacturers insist on slapping on their products which prompted someone to write:

I bought it, so if I want to use it as a boat anchor, it’s not their business. If I use it as a shooting target, it’s not their business.
If I use it as a chair, it’s not their business. If I do something stupid with it and get hurt, it’s also not their business.

Indeed.

Regular readers will also know my attitude towards the “Oh you weren’t supposed to do that” style of security - aka “You must be this tall to attack the castle” or the pole in the front garden for the housebreaker to run into.

Why do some people consider me cynical?
Oh, right - we’re all bozos on this bus in the security
business, we’re “paid to be paranoid”.

Perhaps the DMCA and Britain’s new anti-hacking law will expand to cover the use of screwdrivers and soldering irons by other than licenced professionals. You think that’s a joke? In Quebec it’s illegal for a householder (i.e. someone not licenced) to do any electrical work other than changing a light bulb. No doubt this is justified as a “safety regulation”.

June 22nd, 2006

Side by side news

I found this:- http://www.gcn.com/print/25_16/41041-1.html

The Agriculture Department’s wireless policy, updated in April through a series of departmental notices, comprises everything from architectural requirements to acquisition guidance. Unlike the Defense Department’s most recent wireless memorandum, USDA’s policy covers technologies such as Bluetooth and infrared communications, which the department tightly restricts, requiring that Bluetooth and infrared be used only between government-owned devices or within secure government facilities. These technologies also can only be used with strict security measures turned on, including Encryption Mode 3, use of temporary personal identification numbers and more. It’s a very detailed policy.

Good, I thought.
But then I found this as well, which puts it in a different light:
http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html

A hacker broke into the Agriculture Department’s computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday. The break-in happened during the first weekend in June, the department said.

Ah. So they had secured the WiFi but not the hardware … or something.

June 12th, 2006

Europe must be crazy

http://www.csoonline.com/caveat/060606.html?source=csoupdate

Maybe they know something we don’t?

Maybe they do have good security, but they are doing what we say security should be, and that is being unobtrusive as far as the user is concerned.

Maybe there are hidden fiber optic cameras everywhere and those ‘tourists’ and ‘tour guides’ will casually ask someone aside and …. “poof!” There goes another terrorist.

Now that strikes me as an interesting idea.
If the terrorist organizations find their people are mysteriously disappearing with no publicity, no evidence, no trail, it might make them a bit worried.

But it does raise some questions about the kind of society that would act that way.
But then who am I to talk? I grew up in one of the ultimate police states - the UK of the 60s/70s, where the police had no need to carry guns.

June 12th, 2006

Encrypted USB flash drives

http://blogs.zdnet.com/hardware/?p=14&tag=nl.e539
Yea, right.
Fine for the monoculture, but what about us types for whom MS-Windows is not the ne-plus-ultra, not the first choice?

Oh, I can use Linux-specific tools to protect the USB drive, but that doesn’t play well when I use them to move between Linux and Windows, and certainly doesn’t ‘automount’.

Suggestions?
