Archive for March, 2005

And they think I don’t give because I’m cheap…

Thursday, March 17th, 2005

The personal details of over 100,000 Boston College alumni were exposed on a compromised server.

College representatives said Thursday that the school was the target of a virus attack on a computer housed in a campus calling center used by students to solicit donations from alumni. According to Boston College spokesman Jack Dunn, the machine in question is managed by a third-party IT service, which the school has chosen not to publicly identify.

Dunn said the company noticed a spike in the computer’s activity during a routine maintenance operation and discovered a virus on the device that was attempting to use the database to launch attacks on other systems. The machine was then taken offline and examined in order to determine the extent of the attack.

No other computers were found to be affected by the virus, he said.

Although the investigation bore no evidence that hackers may have accessed alumni information stored on the database, which included individuals’ Social Security numbers and other personal details, the school decided to inform all the people whose records may have been compromised.

Dunn said the college will also purge individuals’ Social Security numbers from all of its records in the future.

I didn’t go to Boston College, but I’d guess that my alma mater’s alumni database isn’t much better. They haven’t sent me any beg-mail in a few years, though, so maybe they finally gave up and purged me…yeah right. Data is forever, unless it’s something you actually meant to keep.

DRM in the developing world

Thursday, March 17th, 2005

I just got around to reading the latest EFF Paper on DRM in the Developing World and found it made some excellent points. KasLog has already weighed in with some worthy observations on it:

First, I don’t think there is anything inherently wrong with DRM, if that’s what consumers really want. However, it seems obvious that only a very small minority of those consumers actually understand the bargain they are buying into. From the ITU paper:

‘New “renewable” DRM systems can be used to take away features that consumers paid for when they bought their devices, and even to undo consumers’ efforts to install after-market improvements to their own technology.’

How many iTunes users would have second thoughts if they truly understood what they are buying? In particular, the limited shelf life of their tunes might give them pause. How long will it take for a lot of people to discover that one too many hard disk crashes, software upgrades and whatnot has turned hundreds or even thousands of dollars worth of music into nothing but wasted disk space, unplayable and utterly useless?

Today, just to prove the Good Guys right, Apple decided to live up to everyone’s low expectations of what DRM is really intended for, namely preventing people from using as they saw fit something (digital music) that they thought they had purchased.

Assume for a minute I’m evaluating various options for getting my music into a portable format (i.e. so I can listen to it on my laptop or an iPod, etc.). I have three possible solutions to the problem:

But are you safer than you were before?

Wednesday, March 16th, 2005

Bruce Schneier has weighed in on The Failure of Two-Factor Authentication. I have a ton of respect for Schneier–he produces some of the better thinking about risk and security out there. I’ve learned tons from his writings on the subject.

Today, though, I have to take exception with his position.

At ChoicePoint, the point is on their heads, pt. 4

Monday, March 14th, 2005

Over at EmergentChaos, Adam Shostack has posted some thoughts on, “Privacy and Background Checks” in response to a comment he received:

In a comment, Axinar writes:
Is it reasonable for an employer to know whether or not a potential employee has a history of violence or theft? Well, probably. And with our liability situation the way it is, generally any company with deep pockets is virtually REQUIRED to run background checks because if an employee “goes postal” and discovery reveals that person has a previous background of violence that the company could have found out but didn’t, that company can be sued out of existence.

This tension is challenging. The quality of records maintained is low. We know that people have been denied jobs because of bad records. At the same time, as an employer, I’m concerned about doing the right thing for my employees and for my shareholders.

I’m going to go a step further and put my own analysis of what this means. Background checks are a Risk Management mechanism. In the scenario outlined above, the employer is managing the threat of a “dangerous” employee making it through the screening process by conducting a background check.

Ready, Fire, Aim!

Saturday, March 12th, 2005

We’ve had two Instant Messenger worms in the past month that forced us to shut down our Official IM servers (Microsoft Exchange Instant Messenger).

What has been the response to these incidents, other than more aggressive patching? A campaign to ban Unapproved IM clients–the ones that haven’t been affected by a worm (or any worm outbreak of note since I’ve been here). Go figure.

#2: It’s the risk, stupid!

Friday, March 11th, 2005

When I looked for the tag “Security” over at Technorati, 1,902 posts from 417 blogs matched this tag. When I looked for the tag “Risk Management,” only 33 posts from 8 blogs matched (the tag “Risk” by itself produces a bunch of board-game fans).

I think this merits some consideration, since it says to me that the vast majority of thinking about “security” is occurring in a vacuum. People who talk about “upgrading from IDS to IPS” may be trying to secure their networks, but they’re not managing risk. And if they’re not managing risk, then they’re just playing with geek toys. The fact that it might make the environment safer is just a lucky side-effect.

The standard defense is, “Because it’s more secure!” I know since I’ve used it myself. Occasionally it was because I knew that the person with whom I was having the discussion couldn’t or wouldn’t understand my reasoning or there was a lot of technical nuance involved, but sometimes because I just “felt” that something was right, even if I couldn’t justify it.

In the modern corporate world, however, feeling that something will make a difference is not enough–it’s enough to serve as a starting point to real Risk Analysis, but it’s not a justification in and of itself. Somewhere, a security vendor’s salesperson is taking me off their Christmas card lists right now, but that’s the price I pay for speaking the truth ;-), which is, More security is not necessarily better.

At ChoicePoint, the point is on their heads, pt. 3

Wednesday, March 9th, 2005

The news about ChoicePoint just keeps getting worse and worse (This is becoming my standard ChoicePoint introduction).

As Bruce Schneier says, “I have no idea why ChoicePoint has decided to tape a huge ‘Please Regulate My Industry’ sign to its back, but it’s increasingly obvious that it has.”

ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it’s not doing any work to determine if more than 145,000 customers were affected — or if any customers before July 1, 2003 were affected — because there’s no law compelling it to do so.

That sounds a lot like what I said a few days ago:

[ChoicePoint CISO Richard] Baich goes on to explain that, much in the tradition of laws against things like Getting Caught Stealing, “We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this.”

So is it just me, or does this not ring quite true? Back in 2002, when it was just The Right Thing, they didn’t feel the need to disclose it to anyone. It’s only when The Right Thing became The Law that they actually did it.

Do these guys truly believe that just because it’s not illegal, it’s right? Not that I had them before, but I’m definitely not getting Warm Fuzzies about the whole Personal Data Aggregation industry now.

ChoicePoint: The man behind the mess

Wednesday, March 9th, 2005

Here is a profile of Richard Baich, CISO of ChoicePoint.

Baich completed an MBA at UMUC in 2003 and a master’s degree in financial management, also from UMUC, four years earlier.

Baich also holds a bachelor’s degree from the United States Naval Academy.

Before becoming the chief information security officer at ChoicePoint, Baich served as cryptology officer at the National Security Agency and as the information security consultant and special assistant to the deputy director for the National Infrastructure Protection Center of the FBI.

Richard Baich may hold the title, but he seems to have confused the role of the CEO (Maximize revenue/protect the revenue stream, shareholder value, etc.) with the role of the CISO (To cost-effectively manage risks and protect the assets of the corporation–be it money in the bank, computers in the office, or data in the database). He should know better.

ChoicePoint’s statements as this incident has unfolded demonstrate that their first loyalty is to their revenue stream (“No Choicepoint customer information was involved.”). They consistently ignored or underestimated the risks to the asset (the data) to protect the revenue, going back at least four years. That makes it effectively corporate practice.

Of course, the real irony will probably come after they’re sued out of business and someone buys one of their servers at auction with a ton of Personal Data still on it.

Brute force can be beautiful to behold

Wednesday, March 9th, 2005

I love this essay on the construction and cracking of safes by Tim Hunkin.

At first glance a modern safe does look totally impregnable. The two locks, (one key and one combination) do not themselves open the door, they merely release the elaborate bolt mechanism. This pushes 50mm steel bolts out in all directions, securing every side of the safe door, even the hinge side. It is no use chopping the hinges off a safe, the bolts will still hold it as firmly shut as ever. If it looks virtually impossible to get in through the door, getting in through the walls or the back is no easier. They are about four inches thick, an inner and outer skin of steel, with the cavity between filled with extra strong concrete. The enormous weight of a safe makes it very difficult for thieves to carry it off, whole – it also makes the door very dangerous. Its extreme weight gives it such momentum when closing that it becomes a guillotine, chopping any fingers caught between door and frame.

I trip across a link to it every so often and even though I know I’ve read it before, I still read it again.

Call ‘em “Access Control Devices,” please

Tuesday, March 8th, 2005

Richard Bejtlich has made an excellent observation over on TaoSecurity about the recent changes with Snort, the excellent open-source Intrusion Detection System (IDS).

I believe Marty and crew are being pushed by market forces to adopt the IPS [Intrusion Prevention System] stance. This is a shame, as we all know an “IPS” is a layer 7 firewall that inverts the access control best practice of “allow some, deny everything else.” (In other words, an IPS performs a “deny some, allow everything else” function.) I absolutely detest the IPS label and wish access control devices were simply identified as such, and not confused with audit devices (e.g., IDSs).

While the move from IDS to IPS is blandly considered by many to be an evolutionary change, it absolutely is not, any more than replacing logging servers with firewalls would be. Yes, there is significant overlap in how IDS and IPS work (both rely primarily on signatures and both log their actions), but that is where the conceptual similarity ends. By the same logic, I could argue that there is no difference between IDS and anti-virus software, since they both use signatures and log their actions, too. The difference that matters is the one Bejtlich names: an IDS is an audit device that passes everything and records what it recognises, while an IPS is an access control device whose policy is “deny what I recognise, allow everything else.” Anything the signatures don’t recognise, including a slightly reworked version of a known attack, goes straight through.
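To make the distinction concrete, here is an added example (my own toy code, not anything from Bejtlich, Snort, or the post above). The same five constructed request lines are run through three filters: an audit-only “IDS” that passes everything and logs hits, an “IPS” that drops signature hits and passes the rest, and a positive-model “firewall” that passes only request shapes enumerated in an allow-list. The single signature, the allow-list policy, the addresses and the request lines are all made up for the example; the interesting packet is the one that spells `cmd.exe` as `cmd%2Eexe`, which no longer matches the signature.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed packet: source address, destination port, and, for this
    toy, the first line of an HTTP request as the payload."""
    src: str
    dst_port: int
    payload: str


# Constructed signature in the spirit of a classic IDS rule for the IIS
# directory-traversal worms of the period: "cmd.exe" in a GET request URI.
SIGNATURES = {
    "cmd.exe in HTTP URI": re.compile(r"^GET /[^ ]*cmd\.exe", re.IGNORECASE),
}

# Constructed positive-security policy for the "firewall" mode: the
# (port, method, path) triples the application is known to serve.
# Anything not listed here is denied, so nothing needs to be "recognised".
ALLOW = {(80, "GET", "/index.html"), (80, "POST", "/login")}

# Same attack as the signature targets, with the dot URL-encoded so the
# regex no longer matches. Constructed for the example.
EVASION = Packet("198.51.100.9", 80,
                 "GET /scripts/../../winnt/system32/cmd%2Eexe?/c+dir HTTP/1.0")

# Constructed sample traffic: two legitimate requests, the signature-matching
# attack, its evading variant, and a legitimate-looking request to an
# unexpected port.
SAMPLE = [
    Packet("10.0.0.5", 80, "GET /index.html HTTP/1.0"),
    Packet("10.0.0.7", 80, "POST /login HTTP/1.0"),
    Packet("198.51.100.9", 80,
           "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    EVASION,
    Packet("203.0.113.4", 8080, "GET /index.html HTTP/1.0"),
]


def match_signature(p):
    """Return the name of the first signature the payload matches, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(p.payload):
            return name
    return None


def ids(packets):
    """Audit device: every packet passes; hits are recorded as alerts."""
    alerts = [(p.src, match_signature(p)) for p in packets if match_signature(p)]
    return list(packets), alerts


def ips(packets):
    """Deny-some/allow-everything-else: drop on a signature hit, pass the rest."""
    passed, dropped = [], []
    for p in packets:
        (dropped if match_signature(p) else passed).append(p)
    return passed, dropped


def firewall(packets):
    """Allow-some/deny-everything-else: pass only traffic the policy enumerates.
    A real positive-model filter would canonicalise the path first; exact
    matching is enough here because anything unlisted is denied anyway."""
    passed, dropped = [], []
    for p in packets:
        parts = p.payload.split(" ")
        if len(parts) < 2:  # not even a parseable request line: unknown, so denied
            dropped.append(p)
            continue
        method, path = parts[0], parts[1].split("?", 1)[0]
        (passed if (p.dst_port, method, path) in ALLOW else dropped).append(p)
    return passed, dropped


def summarize(packets):
    """Counts per mode: (passed, alerts) for IDS, (passed, dropped) for the rest."""
    p, a = ids(packets)
    q, d = ips(packets)
    r, e = firewall(packets)
    return {"ids": (len(p), len(a)), "ips": (len(q), len(d)), "firewall": (len(r), len(e))}


if __name__ == "__main__":
    for mode, (passed, other) in summarize(SAMPLE).items():
        print(f"{mode:8s} passed={passed} alerted_or_dropped={other}")
    print("evasion packet passed by IPS:     ", EVASION in ips(SAMPLE)[0])
    print("evasion packet passed by firewall:", EVASION in firewall(SAMPLE)[0])
```

Run it and the IDS passes all five packets and raises one alert; the IPS drops exactly the one packet its signature recognises and passes the other four, the `cmd%2Eexe` variant and the request on port 8080 included; the allow-list firewall passes two and drops three. That gap between the IPS and the firewall on traffic the signatures never saw is the whole point of calling the IPS an access control device with a default-allow policy rather than an “upgraded” IDS.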

Remember Bejtlich’s thinking next time someone talks about “upgrading” from IDS to IPS.