Security's Everyman

Thursday, August 31, 2006

Messed up privacy

Maybe I'm missing something here. I did some searching to find out more but wasn't very successful. InformationWeek had an article yesterday by K.C. Jones:
Fidelity Bank Fined $50 million
Apparently the state of Florida (probably all states) makes a lot of money from the sale of personally identifiable information. This in itself seems wrong to me. Part of the job of government is to protect the citizens not make money off of their information.

In 1994 Congress passed the Driver's Privacy Protection Act, which is supposed to protect us from this very thing. Here is the first portion of the act:

"In General -- Except as provided in subsection (b), a State department of motor vehicles, and any officer, employee, or contractor, thereof, shall not knowingly disclose or otherwise make available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record."

I'm not going to print "subsection (b)"; you can read it here.

What I want to know is this: if it's illegal for Fidelity to buy the data, why isn't it illegal for the State of Florida to sell the information? They didn't sell it directly to Fidelity; there was a middle man involved. He bought it from the state for Fidelity. So Fidelity gets fined and the rest of those involved make money. All off you and me.

I don't have the answer to this. It just seems to me that in today's world of identity theft being rampant that we have to do more to protect our personally identifiable data. It shouldn't be for sale to the highest bidder by those who are entrusted to protect us.

Wednesday, August 30, 2006

Where do I start?

It's days like this that make me wish that I didn't have a "real" job and could just read and write on all that is going on. Before I get started I'd like to say thanks to Martin Mckeay for mentioning my blog on both his latest podcast and his blog. I listen to him every week and think that he has a great show and insights into what's going on in security.

Let's see.... there is the AT&T hack,
the issue with Java updates leaving vulnerabilities on your system,
stupid (let me rephrase that) careless people selling things with personal info still on them,
DRM erasing software,
I'm still shaking my head over the Fidelity Bank fine.
I'll have more on these later but for now read them and see what you think.

Am I the only one who sees something wrong with this?

Bank to Pay $50 million for Buying Personal Data

This link is to an article on informationweek.com by K.C. Jones. It's pretty interesting and raises some questions about privacy and punishment. Take a look at it and let me know what you think. I'll write more later, but I want to have all of my facts before I say more.

Tuesday, August 29, 2006

Small Shop Blues

One of the disadvantages to working in a small IT dept is that you don't have many people to bounce ideas off of or to learn new things from. Of course I have friends who work in IT that I call on if necessary, but you hate to call and say "Let me run this by you" or "Do you know how to do ..." That's fine from time to time, but it can get old. Kinda like when the relatives call: you know they have a computer question. One of the things that I have found that really helps me is to listen to podcasts, read blogs, and spend lots of time reading web sites, RSS feeds, and tech publications. I also try to communicate via email with some of the people who do blogs, podcasts and such. These things may not be as good or convenient as having several good techies on the same team with you, but you would be surprised at how much you can learn.

Lessons learned

I work in a small shop where often we have to pull double duty. One of the things that we have not been diligent with is keeping up with inventory in our offices. We have 13 offices and often when something breaks it is replaced without the inventory list being updated. You can imagine how this can cause problems when trying to troubleshoot a problem remotely or when something like the Dell battery recall comes up. This battery recall really hit me hard. About a month prior to the recall becoming a big news story I received either an email or a letter from Dell telling me that they were recalling some batteries. So I called in all of our laptops (about 20) and checked the batteries against the list on the battery recall website. Luckily none of my batteries were affected (unless you think about how nice it would be to get new batteries for those already out of warranty). Then when this hit the news the list of affected batteries had doubled, so I had to have all of the batteries rechecked against the expanded list. What was the lesson learned? I should have recorded the battery serial numbers so I wouldn't have to touch every laptop a second time. I'm also making sure that we get an updated (and keep it that way) inventory in our branch offices.
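The lesson above is that a recall check is a lookup against records you already hold, not a trip to every laptop. The following is an added example (not the author's code or any Dell tooling) of an inventory kept as a CSV with the battery serial recorded next to the laptop, so that a recall list, and later an expanded one, can be checked without touching hardware. The inventory rows, the recall serials and the column names are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The battery_serial column is the field the
# post wishes had been recorded; last_verified is when someone last laid
# hands on the machine and confirmed the record.
INVENTORY_CSV = """asset_tag,office,model,laptop_serial,battery_serial,last_verified
LT-001,Main,Latitude D610,ABC1234,KR-12345,2006-08-01
LT-002,Branch 3,Latitude D610,ABC1235,KR-12399,2006-08-01
LT-003,Branch 7,Inspiron 6000,XYZ7781,KR-55510,2006-07-15
LT-004,Branch 7,Inspiron 6000,XYZ7782,KR-55522,2006-07-15
LT-005,Main,Latitude D810,DEF0099,,2006-08-01
"""

# Constructed recall notices: the first list, then the expanded one that
# arrived once the story hit the news. Serials are invented placeholders.
RECALL_LIST_V1 = {"KR-12399"}
RECALL_LIST_V2 = RECALL_LIST_V1 | {"KR-55510", "KR-99999"}


def parse_inventory(csv_text):
    """Read the inventory CSV into a list of row dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [dict(row) for row in reader]


def find_recalled(inventory, recalled_serials):
    """Asset tags whose recorded battery serial appears on a recall list.

    Re-running this with an expanded list is a lookup, not a site visit.
    """
    return sorted(
        row["asset_tag"]
        for row in inventory
        if row["battery_serial"] and row["battery_serial"] in recalled_serials
    )


def find_unrecorded(inventory):
    """Assets with no battery serial on file: the only ones that still need
    a hands-on check, because the inventory cannot answer for them."""
    return sorted(row["asset_tag"] for row in inventory if not row["battery_serial"])


def find_stale(inventory, as_of, max_age_days):
    """Assets whose record has not been verified within max_age_days.

    A replaced battery or laptop that never made it into the list shows up
    here, which is the branch-office problem the post describes.
    """
    stale = []
    for row in inventory:
        verified = date.fromisoformat(row["last_verified"])
        if (as_of - verified).days > max_age_days:
            stale.append(row["asset_tag"])
    return sorted(stale)


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_CSV)
    print("first notice :", find_recalled(inv, RECALL_LIST_V1))
    print("expanded list:", find_recalled(inv, RECALL_LIST_V2))
    print("need a visit :", find_unrecorded(inv))
    print("stale records:", find_stale(inv, date(2006, 8, 31), 30))
```

The point of `find_unrecorded` and `find_stale` is that the inventory is only as good as its last verification; the recall check is cheap precisely because those two lists are kept short.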

Busy

It's been a whole week since my last post. Time gets away from you. I've got projects running out my ears. We've got several big things going on at work that will radically change our network and how we do things. I can't go into much detail here but as I can I'll update from time to time.

Tuesday, August 22, 2006

Losing Your Identity

Identity theft has been around for a long time and it's not going anywhere anytime soon. It's all over the news and for those of us in the Security Profession it's obviously a hot topic. I don't know anyone who has ever been hit real hard by it but I have been a victim at least twice in my life. Once was several years ago when MasterCard called me to notify me of some "suspicious" activity on my card. There had been about $900 worth of calls to 1-900 Phone Sex numbers made in the previous 2 days. Luckily I was able to prove that it wasn't me and they even caught the guy because his number showed up on the charges. The other time was a "mistake" at least that's what my dad told me. We both have the same name, at least part of it. His middle name is the same as my first name and it is the name that he goes by (I go by a nickname). One day a Credit Card offer came in the mail to his house but in my name. He wasn't paying close attention and applied for the card and got it. Doesn't make me feel very good about the security measures that a card company takes to ensure that the person getting the card is actually the person he claims to be. I got off easy both times. I didn't have to pay for any of the phone sex calls (I promise I didn't make them) and my dad was always on time with payments and actually helped my credit a little I guess.

The reason I'm writing this is because in the last week at least 2 guys at the office have had their cards used fraudulently. All of this has yet to be played out, but one could possibly be out about $300 and the other almost $1000. They both also know someone else who has been hit in the last week or so. As of yet they don't know how their credit card numbers, or their friends', were compromised, but it leads me to be diligent about keeping a close eye on my statements and encouraging everyone else to do the same.

Thursday, August 17, 2006

Ubuntu

I said I was going to do it and I did. I built an Ubuntu Linux box yesterday. It's not my first, but each time I build one it gets put aside for other projects that are more pressing. I know that as a Security Professional I should be very familiar with Linux already, but now there are too many good tools that have been ported to Windows and it hasn't been necessary. This time I really plan on learning Linux and implementing it in my job. There are several tools out that don't have a Windows counterpart that I've been wanting to try and now I will. I'll write about my experiences as I go through this learning process. It will be a process, that much I know for a fact. I decided on Ubuntu because I had several people tell me that it was the most user friendly for those who have been stuck in the Windows world for years. So far it's going OK. I haven't done much yet outside of getting it up and running and checking out some of the features. If anyone has any hints or tips that will be helpful I'd love to hear them.

Tuesday, August 15, 2006

Jumping the gun

We all do it. I did it with my second blog post. That was when I said that I was going to replace my home locksets with ones made by Abloy. I talked to my locksmith and he said that there were much better locks on the market that were cheaper, and since I do a lot of business with him at work he is getting them for me at cost. But that's not the point. The point is that I read something that worried me and I saw a couple of people's answers and assumed that was the correct one. I know better than that, but..........

This holds true in the world of networking and security also. We see a threat and often jump the gun when it comes to deploying the best measure or fix. We either spend too much money and violate the cost/benefit principle, apply the wrong countermeasure or fix because we didn't truly understand the problem, or we do something that gives the impression that we are doing something when in reality we are just covering ourselves and trying to make ourselves look good.

Kind of like Homeland Security here in the US and their counterparts in the UK. After they foiled the plot to blow up airplanes they banned all of these substances and various items. Then they eased off on the restrictions after a few days. Don't think that I'm saying that they should either stick to their guns or not have been so rash. They did the right thing under the current circumstances. The problem is that they are being reactionary, or more likely they are doing what they think will make us feel better. Don't get me wrong, it's important for us to "feel better" when it comes to national security, but we need REAL safeguards in place, not just something to make us feel better for the moment. Real policies and procedures that will make a difference and make us safer are what we need.

We need to keep this in mind in regards to IT security also. We need to do all we can to ensure that REAL policies and procedures are in place to adequately protect what we have been entrusted with. As security professionals our job isn't to make ourselves look good or make our users feel better for the moment. We have to stay on top of our game to keep up with, if not ahead of, the bad guys.

Friday, August 11, 2006

Microsoft Woes

It seems that Microsoft never learns from its mistakes. Just when you think that maybe they are getting their act together something else happens to blacken their eye. I have yet to do any testing on Vista on my own and after all I have read I don't think that I want to. Other than marketing hype I can't think of one really good thing that I have read about it. It's supposed to be their most secure OS ever (we've heard that before) and yet all I have read is about its security flaws and blue screens. I guess staying in Blue Screen would keep it secure. :)

There is also talk that the IP stack is brand new, which means untested and ripe for the picking. They had just recently gotten the one they had in pretty good shape and now they change. I just don't understand how they have gotten to be the dominant OS in the market. I guess if Security had been as "popular" in the days of 3.x and 95 then Windows would probably have died a hard death.

I also read today that they have something called PatchGuard in Vista that is supposed to keep any software but Microsoft’s from hooking into the kernel. Sounds like a great thing until you realize that a lot of 3rd party software such as AV, Firewalls, and such need to do just this to be effective. Does that mean that we will have to rely on Microsoft to provide these services also? I hope not.

I've never spent much time in the world of Linux but it’s looking more and more inviting all the time. Maybe I'll actually build that Suse box I've been thinking about.

Thursday, August 10, 2006

Are they ever going to learn?

Once again there is another laptop stolen with Personally Identifiable Information, and once again it is a government agency that has lost the data. What is it going to take for people, especially our Federal Government, to get serious about security? I know that information is out there and easily available to those who really want to find it, but why must we help them out? This is getting way out of hand.

I don't know who had the laptop, if they had permission to have the data on it, or why they didn't have it with them or safely locked up. The government has to get serious about this. I hate for anyone to lose their job, but until we really crack down hard this will continue to happen. There is NO reason for information to be on an unsecured device especially if the device is designed to be portable.

What needs to happen to prevent this from continuing? There needs to be an immediate lockdown on all portable devices until they can be adequately secured.
1. Password protect the BIOS and the hard drive.
2. Encrypt the drive or at least the data.
3. Require strong authentication, preferably two-factor.
4. Audit the data that is on these devices to ensure that the person has a need to know and the proper authorization to have the data.
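The four items above are a checklist, and a checklist is easiest to enforce when it is evaluated mechanically against the device inventory rather than remembered. What follows is an added example (not the author's code or any agency's tooling) that applies those four controls to a constructed set of device records and reports, per portable device, which controls are missing and therefore whether it should be locked down. The record fields (`bios_password`, `drive_password`, `disk_encrypted`, `auth`, `data_on_device`, `user_authorized_for`) are assumptions made for the illustration; a real inventory would populate them from whatever asset system is in use.

```python
# Constructed device records. Sets of dataset names stand in for whatever
# classification scheme an organisation actually uses.
DEVICES = [
    {"asset_tag": "LT-001", "portable": True,
     "bios_password": True, "drive_password": True, "disk_encrypted": True,
     "auth": "two-factor",
     "data_on_device": {"loan-apps"}, "user_authorized_for": {"loan-apps"}},
    {"asset_tag": "LT-002", "portable": True,
     "bios_password": False, "drive_password": False, "disk_encrypted": False,
     "auth": "password",
     "data_on_device": {"customer-pii"}, "user_authorized_for": set()},
    {"asset_tag": "LT-003", "portable": True,
     "bios_password": True, "drive_password": True, "disk_encrypted": True,
     "auth": "two-factor",
     "data_on_device": {"loan-apps", "customer-pii"},
     "user_authorized_for": {"loan-apps"}},
    # A desktop in a locked office is out of scope for the portable lockdown.
    {"asset_tag": "WS-010", "portable": False,
     "bios_password": False, "drive_password": False, "disk_encrypted": False,
     "auth": "password",
     "data_on_device": {"customer-pii"}, "user_authorized_for": {"customer-pii"}},
]

# The four controls from the post, each as (name, predicate over a record).
# The need-to-know control passes only when every dataset present on the
# device is one the assigned user is authorised to hold.
REQUIRED_CONTROLS = [
    ("bios_and_drive_password",
     lambda d: d["bios_password"] and d["drive_password"]),
    ("encryption", lambda d: d["disk_encrypted"]),
    ("strong_auth", lambda d: d["auth"] == "two-factor"),
    ("need_to_know", lambda d: d["data_on_device"] <= d["user_authorized_for"]),
]


def missing_controls(device):
    """Names of the required controls this device does not satisfy."""
    return [name for name, passes in REQUIRED_CONTROLS if not passes(device)]


def unauthorized_data(device):
    """Datasets on the device that the assigned user has no authorisation for.

    This is the finding an auditor would act on under control 4.
    """
    return sorted(device["data_on_device"] - device["user_authorized_for"])


def must_lock_down(device):
    """A portable device stays locked down until every control is in place."""
    return device["portable"] and bool(missing_controls(device))


def lockdown_report(devices):
    """Map each portable asset tag to the controls it is missing.

    Non-portable devices are excluded; an empty list means cleared to carry data.
    """
    return {d["asset_tag"]: missing_controls(d) for d in devices if d["portable"]}


if __name__ == "__main__":
    for tag, missing in lockdown_report(DEVICES).items():
        status = "LOCK DOWN" if missing else "cleared"
        print(f"{tag}: {status} {missing}")
```

Note that LT-003 has every technical control in place and still fails: the audit in control 4 catches data the user was never authorised to carry, which is exactly the case a BIOS password and encryption do nothing about.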

Is this a lot of work? Of course it is, but this is happening way too often and something has to be done about it. It needs to be done quickly and it needs to be done right. As for those whose carelessness causes the problem, maybe they need to be in positions where their carelessness will only cause a few patties to be burned and not a few families.

Wednesday, August 09, 2006

Bump Key

I was just checking out some of the latest on some other IT blog sites and ran across this. http://www.youtube.com/watch?v=7Uv45y6vkcQ

It's called Bump Keying, and it shows how simple it can be to use a special key, which supposedly is easy to obtain, to unlock most any lock, even those that are supposed to be high security locks. Pretty scary.

This may not seem like an IT issue, but if you are charged with physical security then it becomes an IT issue. Not to mention securing your home. There are several posts that mention an Abloy lock that is immune to Bump Keying. I'm going to get one.

Introduction

Hi, I'm Andy, ITGuy. I'm a networking and security professional. I've been in the business for about 10 years now and have decided that I want to start blogging and see how it goes.

As I said I've been in IT for almost 10 years and most all of it has been in the financial sector. I took a short break for a year and went to work for a small consulting firm. I quickly decided to return to the world of financial IT. I still do consulting on the side, but I didn't like doing it for a living.

I'm in my second life as an IT geek. I started out in Youth Ministry and decided to change paths around the time I turned 30. It's hard being 30 and not knowing what you want to do when you grow up. I actually stumbled into IT by accident. Once I got here I knew where I wanted to be though.

I'm currently studying to take the CISSP exam. If life ever slows down enough for me to take the test. I had originally planned on taking it in May and now it looks like November, if I'm lucky.

That's enough about me for now. This is just a starting place. I'll move on from here to things that will hopefully be more interesting and will keep you coming back to see what I have to say about Networking and Security.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.