June 9th, 2006
According to a recent article, an unclassified computer belonging to the DOE was hacked in September of 2005, and had a file containing names, social security numbers, and security clearances for 1500 employees stolen. Frighteningly, senior management was only made aware of this two days ago, or nearly nine months after the fact.
What separates this incident from most data disclosures is that the article makes this out to be a TARGETED theft of data, rather than randomly stealing hardware that happens to contain sensitive data. In this case, the data was the target.
Posted in Interesting Stuff, Privacy | No Comments »
June 7th, 2006
Personal information, including social security numbers, was stolen last month from the home of a VA official. Some 2.2 million people, including up to 80% of current active military personnel, are affected. The breakdown is 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members. The information includes names, dates of birth, and social security numbers.
One day, increasingly soon given the current rate of egregious data disclosures, anyone handling sensitive or confidential information will be required by law to encrypt it and protect it. Already, HIPAA and the Gramm-Leach-Bliley Act place these requirements on entities that handle medical or financial information. While these are good ideas, they’re simply the first steps toward comprehensive protection for everyone’s private information.
Particularly worrisome about this loss is the fact that while senior VA officials were aware of the loss within hours, it wasn’t until nearly TWO WEEKS later that the VA secretary was notified. According to the Washington Post article covering the data loss, the analyst whose laptop and hard drive were taken from his home had been bringing the data home for at least three years.
Posted in Interesting Stuff, Privacy | No Comments »
June 2nd, 2006
Ye Olde Register is reporting that Ernst & Young has followed up its February loss of four laptops with losing only one, but this one happened to contain information about nearly a quarter of a million of Hotels.com’s customers. From a joint letter by E&Y and Hotels.com to its customers:
“Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004.
“This information may have included your name, address and some credit or debit card information you provided at that time.”
Maybe I should have given my itinerary to a globetrotting garden gnome instead… If you’re interested, Ernst & Young does offer an IT Security and Risk Management practice. I have to wonder though, if they’ve ever heard the phrase, “Eat your own dog food.”
Posted in Interesting Stuff, Privacy | No Comments »
June 2nd, 2006
Bruce Schneier has recently written an interesting piece in his blog about Caller ID. In it, he writes about an AP article that details the failings of Caller ID. He asks a VERY good question. Namely,
Q: What’s worse than a bad authentication system?
A: A bad authentication system that people have learned to trust.
This is why any system that will be used for authentication must be built to be secure from the start, and the more widely it will be used, the more important that becomes.
The article goes through real-life examples of forged caller ID information, including a congressman who was targeted by having his phone number spoofed in the caller ID, a SWAT team operation in response to a call from a spoofed phone number, breaking into voicemail boxes that automatically authenticate based on the caller ID, and even how caller ID spoofing played a role in the 2004 “hack” of Paris Hilton’s cell phone.
More interestingly, the article touches on how the last scenario, an example of “pretexting”, is a textbook example of social engineering. With the caller appearing to be the legitimate user, the target is lulled into a lowered sense of security. It’s been used to obtain all sorts of information, but most recently, has come under fire as shady operators make pretext calls to wireless carriers to obtain copies of cell phone bills, including calls placed and received.
Posted in Interesting Stuff, Technical | No Comments »
May 31st, 2006
I’m conducting an experiment. I’m going to throw an email address out there, sparchive@valuableonline.info, and see how long it takes for spiders to pick it up and start spamming it. The email will be funnelled into an auto-posting blog, allowing it to be easily searched and reported on. To further the fun, comments may even be allowed unmoderated, which will let us analyze multiple spam vectors.
Why do this, you might ask? Simply put, I’ve been exceptionally careful with my email addresses. Using a service like Sneakemail religiously, I have absolutely no sense of what most folks go through with spam. I get maybe one or two a week. With Sneakemail, as soon as an address is compromised (i.e., starts being spammed), you turn it off or apply filters or grey-listing (which causes the first transmission to bounce, but if the sender is a real relay, they will try again). Now I’ll actually have an understanding of what people go through dealing with spam.
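To make the grey-listing behaviour mentioned above concrete, here is an added illustration of the decision logic a greylisting mail filter applies; it is not the author’s code nor Sneakemail’s, and the timing constants, the (client IP, sender, recipient) triplet key and the sample delivery attempts are my own assumptions.

```python
"""Greylisting decision logic (added example, not from the post).

Assumed policy: the first delivery attempt for an unseen triplet
(client IP, envelope sender, envelope recipient) gets an SMTP 451
temporary failure. A real mail relay queues the message and retries;
a retry after MIN_DELAY seconds is accepted and the triplet is then
whitelisted for WHITELIST_TTL seconds. Fire-and-forget spam engines
rarely retry, so their triplets simply expire after UNSEEN_TTL seconds.
"""
from typing import Dict, Optional, Tuple

MIN_DELAY = 300                  # assumed: retry sooner than this is deferred
UNSEEN_TTL = 4 * 3600            # assumed: forget triplets that never retry
WHITELIST_TTL = 36 * 24 * 3600   # assumed: remember a proven sender this long

Triplet = Tuple[str, str, str]


class Greylist:
    def __init__(self) -> None:
        # triplet -> (first_seen, passed_at); passed_at is None until accepted
        self.entries: Dict[Triplet, Tuple[float, Optional[float]]] = {}

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> Tuple[int, str]:
        """Return the SMTP (code, text) to answer a delivery attempt at `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        defer = (451, "4.7.1 Greylisted, please try again later")
        if key not in self.entries:
            self.entries[key] = (now, None)          # first sight: defer
            return defer
        first_seen, passed_at = self.entries[key]
        if passed_at is not None:
            if now - passed_at <= WHITELIST_TTL:
                self.entries[key] = (first_seen, now)  # refresh whitelist
                return 250, "OK"
            self.entries[key] = (now, None)          # whitelist lapsed: restart
            return defer
        if now - first_seen > UNSEEN_TTL:
            self.entries[key] = (now, None)          # stale entry: restart
            return defer
        if now - first_seen < MIN_DELAY:
            return defer                             # retried too fast
        self.entries[key] = (first_seen, now)        # real relay retried: accept
        return 250, "OK"


def simulate(attempts) -> list:
    """Feed constructed (time, ip, sender, rcpt) attempts; return SMTP codes."""
    g = Greylist()
    return [g.check(ip, s, r, t)[0] for t, ip, s, r in attempts]


# Constructed sample: a legitimate relay retrying after 10 minutes, and a
# spam engine that retries once after 55 seconds and then gives up.
SAMPLE = [
    (0, "203.0.113.5", "alice@example.net", "sparchive@valuableonline.info"),
    (600, "203.0.113.5", "alice@example.net", "sparchive@valuableonline.info"),
    (5, "198.51.100.9", "bulk@example.org", "sparchive@valuableonline.info"),
    (60, "198.51.100.9", "bulk@example.org", "sparchive@valuableonline.info"),
]
```

Running `simulate(SAMPLE)` yields one 451 followed by a 250 for the patient relay, and two 451s for the spam engine that never waits out the delay.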
Posted in Interesting Stuff | No Comments »
May 26th, 2006
A Pennsylvania junior high student has been suspended for sharing drugs. In this case, it was a stimulant called caffeine. Quoth the school district superintendent, “As a parent, would you want your child to be able to get that type of product?” Quite frankly, yes, I would. Considering everything else they can get, I don’t think sharing a piece of gum should merit a three day suspension.
Amy Palermo, the superintendent, said the gum is “a stimulant that has no other redeeming quality.” Clearly, she didn’t check out the Jolt Gum web site, where they wax poetic about how minty it is. If alert students with fresh breath aren’t something teachers want, is that a school where we want to send our kids?
Posted in Interesting Stuff | No Comments »
May 24th, 2006
If you’ve never heard of Dave Farber, you owe it to yourself to check out his Interesting People (IP) mailing list. Dave covers a broad range of technology topics, many focused on personal liberties in the digital world. While most days you’ll get no more than five messages, on busy days, you can get up to four times that. It’s post-only, though he can and does forward on some of the more interesting, insightful, and substantive replies he receives.
Posted in Interesting Stuff | No Comments »
May 23rd, 2006
Given all the freely-available web services out there, it’s fairly easy to build a custom search engine. Combining the services of Google, Yahoo, eBay, Amazon, and MSN, you can build a dynamic directory script that is easily monetized and is very search engine friendly. It pulls together MSN search results, Google and Yahoo keyword suggestions, Google AdSense ads, and eBay and Amazon search results, all combined in a couple of PHP pages that are easily customized and even more easily installed.
Posted in Products | No Comments »
January 14th, 2006
I’ve been playing with two pieces of hardware recently. One is the Linksys NSLU2. This device runs the Intel XScale processor with BusyBox Linux. Off the shelf, it’s a way of turning your USB disks into NAS. With custom firmware, you can run pretty much whatever you want on it. Imagine one box running your file shares, caching proxy, and web server, all for under $100.
Posted in Technical | No Comments »
November 14th, 2005
If you live in Illinois, it may soon become illegal to own a magnetic stripe reader, if this bill is passed into law, as reported by Bruce Schneier.
Clearly, if we outlaw n, we won’t have to think about the fallout of n because no one will have n. It worked for alcohol, didn’t it?
Posted in The Law | No Comments »