This stock is da bomb!

OK.
So while researching the stock tout scam noted in another post, I came across a blog which discussed a similar mechanism, but one using text messages. An obvious variant, but the part I absolutely adored was when they linked to this August 31, 2007 article from MaineToday.com (emphases added to save your time):

An abbreviated text message on a state mail-delivery truck driver’s official unlisted cell phone had police scrambling for several hours this morning.
Maine Capitol Security Chief Russell Gauvin said the driver received a text message that read “Stcks poised to explode, ticker FDKE, Fred.”
Gauvin said the driver brought the phone to his Capitol Security office in the state’s Cross Office Building just west of the Statehouse.
Gauvin alerted the state Computer Crimes Task Force, which determined after several hours and a subpoena to U.S. Cellular that the message was an advertising message referring to stock trading, not an explosive.
Gauvin said he seized the phone from the driver and kept it for investigation, but he said when the driver returned to his office at the Muskie Federal Building, postal officials there decided to isolate the truck and have it searched with the assistance of an Augusta Police Department bomb-sniffing dog and State Police.
A portion of the Muskie building’s parking was closed off as a precaution until the search was completed.

What is it with New England and this stuff? I thought they were all stoic realists up there. If the guy’s phone had an LED, they’d have probably called in NASA to shoot it into the sun.

Open Letter to Chris Dodd

Dear Chris:

I think you’re a smart person who cares about honesty and the rule of law.

I also think your e-mail fundraising campaign is undermining that message by sending what I believe to be deliberately deceptive emails. To be clear, I am not referring to deception in the political message — spinning words, being loose with the facts, telling only half the story, etc. — I am referring to emails which show every sign of lying about the intent of the sender and contain a false and misleading message body, in an attempt to deceive the recipient into thinking he has inadvertently been copied on a private message from your campaign manager to Tim Tagaris. The idea, I suppose, is to enhance the perceived veracity of the email’s message by depicting it as private. A campaign might lie to the public, but within the family, so to speak, it would be much more honest.

This is a clever hack, and one which might work on some people. In fact, something very similar was done as part of a stock tout scheme. A woman left voicemail messages seeming to be intended for a close friend, explaining that she just got inside info on a company, and that the friend should invest. You don’t need to be a United States senator to see that this is both illegal and unethical. In the case of your analogous email, sir, it is certainly the latter. We will see if it is the former when the Federal Election Commission receives the registered letter I will be sending them.

By the way, if you have an honest IT staffer, feel free to have them contact me about getting the actual email. Here is a text rendering of the full header (with my email addresses altered to foil address-harvesting bots), and the misleading and untruthful portion of the message body:

Return-Path: <bounces@bounces.democracyinaction.com>
X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on norad.cwalsh.org
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=5.0 tests=ADVANCE_FEE_1,ALL_TRUSTED,
BAYES_00,DEAR_FRIEND,HTML_MESSAGE,HTML_TITLE_SUBJ_DIFF,
MISSING_SUBJECT autolearn=no version=3.1.6
X-Original-To: resident[-@-]cwalsh.org
Delivered-To: cwalsh[-@-]cwalsh.org
X-policyd-weight: using cached result; rate: -8.5
Received: from m152.prod.democracyinaction.org (m152.prod.wiredforchange.com [8.15.20.152])
by smtp.cwalsh.org (Postfix) with ESMTP id D4CCCA1341
for <resident[-@-]cwalsh.org>; Fri, 30 Nov 2007 11:38:30 -0600 (CST)
Received: from [10.15.20.109] ([10.15.20.109:46923] helo=pidgit.mcl.wiredforchange.com)
by mailer.mcl.wiredforchange.com (envelope-from <bounces@bounces.democracyinaction.com>)
(ecelerity 2.2.1.21 r(19176)) with ESMTP
id C8/F2-01963-29A40574; Fri, 30 Nov 2007 12:38:26 -0500
Message-ID: <133294684.281516658@com.comDB.mail.democracyinaction.com>
Date: Fri, 30 Nov 2007 12:38:26 -0500 (EST)
From: Sheryl Cohen <scohen@chrisdodd.com>
Reply-To: scohen@chrisdodd.com
To: resident[-@-]cwalsh.org
Subject:
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_1562616_10791175.1196444306859"
Envelope-From: <bounces@bounces.democracyinaction.com>
X_email_KEY: 133294684
------=_Part_1562616_10791175.1196444306859
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Tim,
I made a few small changes to your email draft -- you'll see them in bold below.
Would have sent to the entire list, but I could only figure out how to send this test.
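A small header-forensics script, added here as an example (it is not from the post, the campaign, or its mail vendor), that parses the header block quoted above and reports the mismatches an abuse analyst checks first: the From: domain against the envelope sender, the Received: chain origin-first with claimed name versus reverse DNS, the empty Subject, and a salutation that names someone other than the recipient. The message text is reproduced from the post with the author's "[-@-]" obfuscation restored; the two-label "organisational domain" shortcut is an assumption that holds for .com/.org but not for country-code second-level domains.

```python
"""Dissect the raw headers quoted above.

Added example, not code from the original post: it restores the author's
"[-@-]" obfuscation, walks the Received: chain origin-first, and flags what
separates "who the message says it is from" from "who handed it to the
receiving MTA".
"""
import email
import re
from email.utils import parseaddr

# Excerpt reproduced from the post (constructed test input; the SpamAssassin
# and policyd lines are omitted because they play no part in the analysis).
RAW_MESSAGE = """\
Return-Path: <bounces@bounces.democracyinaction.com>
Received: from m152.prod.democracyinaction.org (m152.prod.wiredforchange.com [8.15.20.152])
\tby smtp.cwalsh.org (Postfix) with ESMTP id D4CCCA1341
\tfor <resident[-@-]cwalsh.org>; Fri, 30 Nov 2007 11:38:30 -0600 (CST)
Received: from [10.15.20.109] ([10.15.20.109:46923] helo=pidgit.mcl.wiredforchange.com)
\tby mailer.mcl.wiredforchange.com (envelope-from <bounces@bounces.democracyinaction.com>)
\t(ecelerity 2.2.1.21 r(19176)) with ESMTP
\tid C8/F2-01963-29A40574; Fri, 30 Nov 2007 12:38:26 -0500
Message-ID: <133294684.281516658@com.comDB.mail.democracyinaction.com>
Date: Fri, 30 Nov 2007 12:38:26 -0500 (EST)
From: Sheryl Cohen <scohen@chrisdodd.com>
Reply-To: scohen@chrisdodd.com
To: resident[-@-]cwalsh.org
Subject:
Content-Type: text/plain; charset="iso-8859-1"

Tim,
I made a few small changes to your email draft -- you'll see them in bold below.
Would have sent to the entire list, but I could only figure out how to send this test.
"""

IP_LITERAL = re.compile(r"\[?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\]?")


def org_domain(host):
    """Last two labels of a hostname. Assumption: fine for .com/.org,
    wrong for ccSLDs such as .co.uk (use a public-suffix list for those)."""
    labels = host.lower().strip("[]").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Organisational domain of the address in a From:/Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return org_domain(addr.rpartition("@")[2])


def parse_received(value):
    """Extract the hosts named in one Received: header (unfolded first)."""
    text = " ".join(value.split())

    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    return {
        "from": grab(r"^from\s+(\S+)"),        # what the sending host claimed
        "rdns": grab(r"\(([\w.-]+)\s+\[\d"),   # what the receiving MTA resolved
        "helo": grab(r"helo=([^\s)]+)"),
        "by":   grab(r"\bby\s+(\S+)"),         # the MTA that wrote this header
    }


def analyze(raw):
    msg = email.message_from_string(raw.replace("[-@-]", "@"))
    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("Return-Path"))
    # Each MTA prepends its Received: line, so reversing yields origin-first order.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    relay_domains = {
        org_domain(h) for hop in hops for h in hop.values()
        if h and not IP_LITERAL.fullmatch(h)
    }

    findings = []
    if from_domain != envelope_domain:
        findings.append(f"header From domain {from_domain} differs from envelope sender {envelope_domain}")
    if from_domain not in relay_domains:
        findings.append(f"From domain {from_domain} appears nowhere in the relay chain {sorted(relay_domains)}")
    if "Subject" in msg and not msg["Subject"].strip():
        findings.append("Subject header present but empty")
    salutation = re.match(r"\s*([A-Z][a-z]+),", msg.get_payload())
    to_local = parseaddr(msg.get("To", ""))[1].partition("@")[0]
    if salutation and salutation.group(1).lower() != to_local.lower():
        findings.append(f"body greets '{salutation.group(1)}' but To: is {to_local}@...")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop}")
    print(*result["findings"], sep="\n")
```

On this message the script reports that the From: domain (chrisdodd.com) never appears in the relay chain, which runs entirely through democracyinaction.org and wiredforchange.com hosts, that the envelope sender is a bounces address at a different organisation, that Subject: is empty, and that the body greets "Tim" while To: is the author's address. None of that is proof of intent on its own; it is the evidence a complaint to a mail provider or regulator would attach.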

Update: I am not the only one who noticed.

Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:”

“What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” – The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ian, you’re too kind. It’s not a fairy-tale view, it’s contempt for the public, and a belief that they can be spun into believing anything.

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains:

In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).

A presentation by Morrison & Foerster, “Data Security and Incident Notification: The Impact of Foreign Law” tells us:

You may have obligations under Japanese privacy law if:

  • You are affiliated with a Japanese company or institution.
  • You use or have access to employee or student information maintained in Japan.
  • A Japanese institution with which you are involved, for example, in a study-abroad program enters into a contract with you, according to which you assume privacy obligations under Japanese law.

To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?

There’s got to be an IT secret handshake

authentication-web-page.jpg

I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go.

The problem I have today is that I can browse the net completely. But I can’t do anything else. No email, no vpn, no ping, no traceroute, no nothing. If I telnet to a useful port on my own servers, I get a syn/ack/syn and no flow.

My hypothesis is that whatever does a redirect on port 80 to get you to the authentication web page is broken.

I’ve talked to first-line tech support at the provider who let it slip that he thinks it’s in the firewall at the hotel. This is consistent with my evidence. However, he won’t let me talk to anyone who actually knows what “ping” is. I have talked to someone at my front desk, who has talked to the local IT person, and we’ve had mediated back-and-forths.

If I could actually talk to someone who knows what a web redirect is or even what a “port” is, I could let them know. If I knew the URL of the authentication page, I could tell them the problem. The local IT guy is presently talking to the ISP, but I told the gal at the desk that I’m an IT person, too, and if their IT guy will call me, then I will help explain the problem.

As a matter of fact, while writing this, I just connected to an https url, which redirected me to the authentication page, and now everything is working. This is how you’re reading this today. So I know what their problem is and can tell them how to fix it. They just have to know that I know, and that I’m not a mere luser.
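The “syn/ack/syn and no flow” symptom above is worth being able to name precisely, because it tells you what kind of device is in the path. A SYN that a firewall simply drops never completes the handshake; here the handshake completes and then nothing moves, which means something inline (a gateway holding unauthenticated sessions) answered the SYN itself. The following script is an added example, not from the original post: diagnose_tcp() classifies a port from the client’s side, and demo() reproduces the cases that can be shown offline with throwaway loopback listeners. Those listeners are stand-ins, not a model of the hotel’s firewall or portal.

```python
"""Classify a TCP port from the client's side.

Added example, not from the original post. diagnose_tcp() separates the
cases a captive-portal or firewall diagnosis turns on; demo() reproduces
the ones that can be shown offline with throwaway loopback listeners
(stand-ins for the hotel gateway, not a model of it).
"""
import socket
import threading
import time


def diagnose_tcp(host, port, timeout=3.0, probe=b""):
    """Return (verdict, data) for one connection attempt.

    refused              RST on connect: nothing listening, or a rejecting firewall
    filtered             SYN unanswered within timeout: silently dropped
    unreachable          routing/ICMP error before any handshake
    closed-after-connect handshake done, peer closed without sending anything
    connected-silent     handshake done, no bytes within timeout: an inline
                         device accepted the session but passes nothing
    banner               bytes arrived; the caller decides whether they came
                         from the real service or from something in the path
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:                   # e.g. b"GET / HTTP/1.0\r\n\r\n" on port 80
                s.sendall(probe)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "connected-silent", b""
            return ("banner", data) if data else ("closed-after-connect", b"")
    except ConnectionRefusedError:
        return "refused", b""
    except socket.timeout:
        return "filtered", b""
    except OSError:
        return "unreachable", b""


def _listener(handler):
    """Loopback listener for the demo: accept one connection, run handler(conn)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=0.3):
    """Constructed reproduction of three cases on 127.0.0.1."""
    silent = _listener(lambda c: time.sleep(timeout * 3))      # accepts, says nothing
    chatty = _listener(lambda c: c.sendall(b"220 ready\r\n"))  # a real service
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead = tmp.getsockname()[1]   # a port nobody listens on once tmp is closed
    tmp.close()
    return {
        "silent": diagnose_tcp("127.0.0.1", silent, timeout)[0],
        "chatty": diagnose_tcp("127.0.0.1", chatty, timeout)[0],
        "dead": diagnose_tcp("127.0.0.1", dead, timeout)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>6}: {verdict}")
```

Against a real network, run diagnose_tcp() with a probe against a port on a host you control and compare the verdict before and after visiting the portal page: “connected-silent” that turns into “banner” after authentication is the signature of an inline gate, while “filtered” that never changes points at a plain firewall rule. The “filtered” case is not reproduced in demo() because a dropped SYN cannot be staged on loopback.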

We need an IT secret handshake. Perhaps Randall Munroe can help. Remember those old stories about the Freemasons in some pickle or another who suddenly showed the handshake? We need one.

Update: The gal at the front desk has called back. The ISP and the local IT people have decided this is actually my problem. However, she also says that another guest has this problem. I explained this as much as I could to her, and told her to tell the other guest to go to an SSL web page to fix it.

Photo courtesy of photos.tjweb and selected because it matched a search for “authentication web page”

Banksy Would Be Proud

untergunther-frame.jpg
In a feat that would make Banksy proud, members of Untergunther, whom the Guardian calls “cultural guerrillas”, restored the antique clock at the Panthéon. They spent about a year, beginning in September 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork, which had been abandoned in the 1960s. They were never discovered despite having tapped into the electrical and network systems.

Getting into the building was the easiest part, according to Klausmann. The squad allowed themselves to be locked into the Panthéon one night, and then identified a side entrance near some stairs leading up to their future hiding place. “Opening a lock is the easiest thing for a clockmaker,” said Klausmann. From then on, they sneaked in day or night under the unsuspecting noses of the Panthéon’s officials.

Their presence only became known when they revealed themselves so the curators would know to wind the clock. This is far from the first project Untergunther has undertaken.

Klausmann and his crew are connoisseurs of the Parisian underworld. Since the 1990s they have restored crypts, staged readings and plays in monuments at night, and organised rock concerts in quarries. The network was unknown to the authorities until 2004, when the police discovered an underground cinema, complete with bar and restaurant, under the Seine. They have tried to track them down ever since.

So keep an eye on the news, you never know where they’ll pop up next.

Is 2,100 breaches of security a lot?

forest-sky.jpg

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors:

THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone.

And 41 laptops – many containing sensitive financial details relating to members of the public – were stolen from employees at HM Revenue and Customs (HMRC) over the last 12 months, demolishing any notion that the loss of two computer discs containing the details of child benefit claimants was a “one-off” error.

There’s a scene in one of the Star Trek movies that’s stuck with me. Captain Kirk is walking around San Francisco and needs some cash. He goes into a pawn shop to sell his glasses, and the guy offers him a hundred bucks. Kirk looks at him and says “Is that a lot?” He doesn’t have the context to understand the number that he’s been given.

When I hear that HMRC has had 2,100 breaches reported, I’m forced to ask, “is that a lot?”

To put the number in context, we need three things:

  • What is a breach? Does it include, for example, leaving your screen unlocked when you go to the restroom? We can’t understand what 2,100 breaches mean without knowing what is being counted.
  • How big is the department? If it’s 10 people, that’s roughly a breach per employee per business day; if it’s 2,100 people, it’s a breach per employee per year. (As an indicator, page 7 of the HMRC 2007 departmental report indicates that their IT department supports 110,000 workstations and 120,000 mailboxes.) So it seems that they’re at about one “breach” per 50 employees per year.
  • How does this compare to other organizations? Do other departments of Her Majesty’s government breach at the same rate? At first glance HMRC’s rate seems lower than the one-per-hour figure reported for the US Government, but 2,100 breaches a year works out to about one per hour of each business day. So does HMRC leak at the same rate as the whole of the US government, or are we seeing different definitions of a breach?

This is clearly a bad breach, a meaningful one for the UK, and it will influence what emerges from the many discussions around breaches, breach disclosure and computer security.

To me the most important lesson is that we’re unable to say if this is one of the worst breaches, or simply one of many bad ones. Like Captain Kirk, we don’t have the context to understand the number.

Credits: Yorkshire Post story via Pogo Was Right. Image: “Forest and Sky,” showing comet Holmes shining a bit more brightly than the many stars. Photo by Vincent Jacques, via Astronomy Picture of the Day, and begging the question: is this a comet, or a star?

HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007.

Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to
“Her Majesty's Audit Office – Child Benefits Section” and marked
“Sensitive HM Government Information – DO NOT LOSE – ENSURE THESE DISKS DO NOT FALL INTO THE HANDS OF THE CRIMINAL FRATERNITY”
They were obviously surplus to requirements.
I haven’t read the data myself. The database appears to have approximately 25 million records in it, but is password protected, so it is impossible to read it and it’s definitely impossible to extract any bank account data from it.

El Reg has it all.

A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:”

Alistair Darling has apologised for the “extremely serious failure”, which has exposed all Child Benefit recipients to the threat of identity fraud.

and the Times Online’s “Moment’s blunder puts half the country at risk.”

In June, 2007, I wrote “It’s not all about ‘identity theft’,” and if you’ll indulge me, I’d like to repeat myself:

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

The issue here is not ID theft risk. The data in the CDs don’t lead to that. The issue is a massive breach of public trust by Her Majesty’s government, and over that, people are rightly outraged.

[Update: I may have spoken too soon on the question of “can this data lead to ID theft in the UK.” See the comments.]

Breach Disclosure of the Zeroeth Millennium

romulus-and-remus.jpg

The BBC reports that the legendary cave where Romulus and Remus, the founders of Rome, were nursed as foundlings by the she-wolf Lupa has been located.

The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.

Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.

In related news, two disks have been lost in the UK with the personal details of 25 million Britons including “name, address, date of birth, National Insurance number and, where relevant, bank details.” That is every family in the UK that claims Child Benefit.

HMRC chairman Paul Gray resigned over the incident (as if that will help). Liberal Democrat Acting Leader Vince Cable clucked: “why does HMRC still use CDs for data transmission in this day and age?”, proving that he doesn’t read this blog. Mr Cable, as well as Shadow Chancellor George Osborne, predicted the end of the National ID Database as a result of this loss.

Commissioner of Obvious Information, Richard Thomas, said: “this is an extremely serious and disturbing security breach” and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.
