Archive for 'Security'

Norm Coleman - Pwned!

It looks like Norm Coleman may have a new challenge: violating state laws related to breach notifications. Politico is reporting that his web site exposed credit card details, and he hasn’t notified the people whose financial information was exposed. While the breach happened back in January, it wasn’t until this past Wednesday that the campaign issued a statement on the matter, and only after lists of the donors (and their information) were made available online.

Wired is running an outstanding story about the 2003 Antwerp diamond heist. The story provides a lot of information about how the heist itself was carried out, from the high tech reconnaissance that was conducted with a stealthy camera, to the blindingly low-tech of using a plexiglass shield to hide a heat signature. My favorite was spraying the heat and motion detector in the vault with hairspray to temporarily blind it.

Like most criminals, they got sloppy. They dumped incriminating garbage in property abutting a highway. Unluckily for them, the property owner was one who would routinely call police whenever he found stray signs of people on his property. It’s no surprise that four days after one of the largest diamond robberies in history, police were very interested in trash that included envelopes from the Antwerp diamond center. There were also receipts for equipment used during the robbery, including the name of one of the robbers.

The thing I find most surprising is that someone implicated in a 20 to 100 million dollar (depending upon whose figures you use) theft only spent six years in prison. Each individual share is believed to have been at least three million dollars. That’s about $1370 per day in jail. How many people would spend six years in prison in exchange for three million dollars?

Within the security world, caller ID is widely known to be broken. It should never be used as an authenticator, because the information it carries is trivially easy to spoof. Whether you’re using it to call your friends (and make it appear as their boss’ phone), or you’re using it to call the police, making them believe there’s a hostage situation at someone’s home, people place way too much faith in caller ID.

While not the first such service, 123Spoof looks to be making it the easiest to use, for Blackberry users anyway. Their service, an application that integrates with the Blackberry address book, will allow people to call anyone with forged caller ID information, has many international access numbers to use, and even has a voice changer available as an option. While currently free, the only cost to users is listening to a ten second advertisement before their call is connected.

Although most use of this service is likely to be harmless pranks between friends, providers recognize the very real possibility that their services will be used maliciously, and have created an opt-out registry to allow people to block their numbers from receiving spoofed calls.

Apology after prisoners’ health info goes missing - Lancashire Evening Post.

So, is it not secure to encrypt stuff and leave the password attached to the encrypted item? This security stuff is soooo hard! Good thing prisoners are kept busy and don’t have lots of time on their hands to file frivolous lawsuits, let alone real ones with legitimate complaints.

Proper vulnerability analysis is critical to delivering secure software. It is equally important if you find yourself in the middle of a major motion picture too. Consider the following:

  • If you only had one single vulnerability, wouldn’t you commit pretty much any and all resources you had available toward ensuring that said vulnerability was impossible to exploit? Sauron let his top soldiers, the Nazgul, run all over Middle Earth, getting involved in what amounted to turf battles. A smarter strategy would have been to completely fortify Mount Doom, and THEN start worrying about taking over the rest of Middle Earth. Having a firewall is not sufficient. You need to record and monitor activities at both the perimeter of a network and close to its most-valuable assets.
  • If you have an application that hosts valuable data from an attacker’s perspective, you need to ensure that all inputs are validated and appropriately sanitized. The most comprehensive physical security out there can be rendered irrelevant by failing to perform validation on even one input. You need look no further than “Snatch” and its diamond heist as proof of this. Criminals, posing as buyers, bypass the security by posing as expected input and are not screened completely.
  • Sandboxes, whether for virtual servers or VMs for code, need to be completely isolated from the host operating system. If someone can leave the sandbox and touch the underlying host, it is possible for the host to be compromised. In “The Matrix”, Neo broke out of the sandbox, rooted the host, and then corrupted the processes running in the sandbox.
  • If you must have a trusted subsystem that is allowed to perform low-level actions against high-value assets in an unauthenticated manner, then you need to make sure that authentication and authorization to your trusted subsystem is extremely strong. Having an authorized process share its authorization token with a malicious process will allow the malicious process to access the assets. In “Brazil”, Minister Helpmann shares his password with Sam, who then uses it to access the master systems and “delete” all records of the existence of an individual.
  • When mapping out the security roles in an application, always consider following the principle of least privilege. If a user doesn’t need access to an action or asset to perform their authorized duties, they shouldn’t be allowed access. If a system is improperly modeled, and a user can access low-level or administrative functionality, it can be used to exploit an application. In Star Trek’s “Best of Both Worlds”, Data issued the “Sleep” command to all members of the collective, forcing them to go to sleep. Clearly, this command should only have been made available to a small set of super-users or administrators.
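Two of the points above, validating every input and granting each action only to the roles that need it, are easy to state and easy to get subtly wrong. The following is an added example (not code from the original post) of a small command dispatcher that does both: every action declares an allow-list of roles and the exact shape of its argument, and anything not explicitly listed is denied. The “Sleep” command from the Star Trek example is modelled as an admin-only action. The role names, action names and the Principal class are assumptions made for this example.

```python
"""
Added example: deny-by-default authorization plus allow-list input validation
in one small dispatcher. Names (roles, actions, Principal) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller and the roles it has been granted."""
    name: str
    roles: frozenset


# Least privilege: each action lists the roles allowed to invoke it.
# An action absent from this table cannot be invoked by anyone.
PERMISSIONS = {
    "view_record": frozenset({"user", "admin"}),
    "sleep_all":   frozenset({"admin"}),   # the "Sleep" command: admins only
}

# Input validation: each action declares the exact shape of its argument.
# Anything that does not match the pattern is rejected before a handler runs.
ARG_PATTERNS = {
    "view_record": re.compile(r"[A-Za-z0-9_-]{1,32}"),  # a record id
    "sleep_all":   re.compile(r"now|graceful"),          # a shutdown mode
}


class AuthorizationError(PermissionError):
    pass


class ValidationError(ValueError):
    pass


def authorize(principal: Principal, action: str) -> None:
    """Raise unless the principal holds at least one role allowed for action."""
    allowed = PERMISSIONS.get(action)
    if allowed is None or not (principal.roles & allowed):
        raise AuthorizationError(f"{principal.name} may not perform {action!r}")


def validate(action: str, arg: str) -> str:
    """Raise unless arg matches the allow-list pattern declared for action."""
    pattern = ARG_PATTERNS.get(action)
    if pattern is None or not isinstance(arg, str) or not pattern.fullmatch(arg):
        raise ValidationError(f"invalid argument for {action!r}")
    return arg


def dispatch(principal: Principal, action: str, arg: str) -> str:
    """Authorize, then validate, then run the handler for a single request."""
    authorize(principal, action)     # unknown or unpermitted action: denied
    validate(action, arg)            # malformed argument: rejected
    handlers = {
        "view_record": lambda a: f"record {a} for {principal.name}",
        "sleep_all":   lambda a: f"collective sleeping ({a})",
    }
    return handlers[action](arg)


def run_demo() -> list:
    """Constructed sample requests; returns one outcome string per request."""
    data = Principal("data", frozenset({"admin"}))
    drone = Principal("drone", frozenset({"user"}))
    requests = [
        (data, "sleep_all", "now"),            # admin issuing the sleep command
        (drone, "sleep_all", "now"),           # ordinary user: denied
        (drone, "view_record", "rec-42"),      # valid, permitted
        (data, "view_record", "42; rm -rf /"), # malformed id: rejected
        (data, "purge_all", "x"),              # action not in the table: denied
    ]
    outcomes = []
    for principal, action, arg in requests:
        try:
            outcomes.append("ok: " + dispatch(principal, action, arg))
        except (AuthorizationError, ValidationError) as exc:
            outcomes.append(f"{type(exc).__name__}: {exc}")
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Authorization runs before validation so that an unpermitted caller learns nothing about what a well-formed argument looks like, and the permission table is consulted with `.get()` so that a typo in an action name fails closed rather than open.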

In response to November 2007’s loss of some seven million individuals’ banking information, Top Gear host Jeremy Clarkson wrote

“Back in November, the Government lost two computer discs containing half the population’s bank details,” he said. “Everyone worked themselves into a right old lather about the mistake but I argued we should all calm down because the details in question are to be found on every cheque we hand out every day to every Tom, Dick and cash and carry.”

Jeremy then proceeded to publish his banking details, as well as information about the car he drives and where to find his address. In a thoroughly unsurprising turn of events, he found himself the victim of identity theft, donating £500 through a non-signature debit to the British Diabetic Association.

Now, with the pain of identity theft having been personalized, he has changed his tune.

“Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”

I presented a few days ago at Cleveland’s Information Security Summit. My topic was originally to be about Threat Modeling, using a system-centric approach to analyzing the threats, assets, and vulnerabilities of an application. Because there was another session being presented on threat modeling, I wanted to offer something unique. To that end, I reworked the presentation to include a section about the Security Development Lifecycle and how threat modeling fits within it.

While the slide deck won’t give you all the information from the session, it will provide you with the highlights. The PDF version can be found here.

Remember the prescreening program that frequent fliers could subject themselves to, which would allow them to breeze through airport checkpoints? It turns out the data for some 33,000 travelers may have been exposed after a laptop was misplaced at San Francisco’s airport.

The thing is, the laptop was lost, and subsequently found, in the same locked room in which it had been left. They are now claiming, contrary to initial reports, that the data is secured by two levels of password protection. Now, if those levels are a BIOS password and a Windows login, then yes, it is protected by two layers of protection, both of which are easily circumvented.