
Archive for July, 2011

Malware Detection: The Case for a New Approach

If you have seen the fairly recent NSSLabs evaluation of endpoint protection software, you, like me, have probably been somewhat discouraged. NSSLabs infected systems with multitudes of viruses and other types of malware to determine the degree to which endpoint software packages can detect and remedy infections. Not many vendors’ software tools fared well, and a number of widely purchased tools performed downright deplorably.

Read more…


More Electronic Voting System-related Woes

The stakes are high: if someone subverts voting systems, or if voting systems fail to produce valid results for some other reason, democracy itself is at risk, because free voting is the foundation of a democratic society. A large proportion of the US public still remembers the voting system problems in Florida and Ohio in the 2004 Presidential election, which may very well have resulted in victory for a candidate who may not have been the bona fide winner.

Read more…


A Big Kudo for NIST

I just went back and looked over all the blog postings I have written over the years, only to discover that I never wrote even one about the National Institute of Standards and Technology (NIST). I admit that I have some biases about NIST, and that they are all positive. When the DOE CIAC incident response team that I started and managed was a fledgling entity, no US government agency or group stood behind CIAC more than NIST did. The major players there with whom I dealt at that time included Lynn McNulty, Stu Katze, Denny Steinauer, Marianne Swanson, John Wack and Lisa Carnahan. Afterwards, retired Air Force officer Tim Grance came on the scene, and he added a special dimension of leadership.


Internet-wide Network Access Control: Are You Serious, Scott?

In a recent posting, Microsoft VP of Trustworthy Computing Scott Charney raised more than just a few eyebrows by proposing that only PCs with a “clean bill of health” should be able to connect to the Internet. The security condition of each PC should, according to Charney, be evaluated, and if the PC passes a health check, it should be issued a certificate attesting to its good security condition. The health check should, according to Charney, include determining whether or not the PC is up to date with respect to patches and whether or not it is infected with malware. Unpatched and/or infected PCs should be automatically patched and/or disinfected; if this proves unsuccessful, Charney says, these machines should be quarantined such that they could not connect to the Internet.

Read more…


SANS INCIDENT RESPONSE MANAGEMENT COURSE OCT 14-15, 2011

DR. GENE SCHULTZ WILL TEACH A NEW SANS INCIDENT RESPONSE MANAGEMENT COURSE OCT. 14-15 IN BALTIMORE

Dr. Gene Schultz, Emagined Security’s Chief Technology Officer, will be teaching a new SANS course, Incident Response Management, October 14 – 15 in Baltimore, Maryland. If you are an incident response or information security manager, or are involved in closely related functions such as business continuity or disaster recovery management or IT audit, there is a good chance that this course is for you! Its course content is as follows:

Read more…


The Morgan Stanley Data Breach Smear

News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog post and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers’ information. This is followed by carefully worded statements from “spokesmen” for both the company and the other parties to the debacle; in this case the other party was the New York State Department of Taxation and Finance. Then dozens of news outlets pile on without doing any digging whatsoever to confirm the facts.

Morgan Stanley claims to have information or evidence showing that a package it sent to the New York State Department of Taxation and Finance arrived at its destination “intact.” How it knows this has not been discussed publicly. Regardless, the CDs are now unaccounted for. The Department of Taxation and Finance stated, according to the website credit.com, “if Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened.” This implies that Morgan Stanley followed poor practices in securing the data it sent. But later in the same article it is revealed that “while the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software ‘was not fully implemented until after the request for annual data was sent.’ ” [emphasis is mine] These statements are attributed to New York Department of Taxation and Finance spokesperson Susan Burns. In fairness, credit.com did not use quotation marks around the “if Morgan Stanley had bothered…” comment, so that bit of editorial confusion may have been cooked up by credit.com to spice up its story.

In general, when private companies send data to the state, they are compelled to do so. The format, the timing, and the security (or lack thereof) are all part of the state’s command to send data. For example, if the data were to be encrypted, then a scheme for protecting the keys and for transmitting them to the recipient for decryption would have to be agreed upon. This is explicitly true for, say, AES-256 encryption using WinZip or another encrypting program, where the key must be conveyed separately from the media; it is implicitly true for TLS, where the key exchange is built into the encrypted channel over the Internet. Either way, the state makes the rules. If Morgan Stanley used, say, Microsoft Office Excel password protection to secure the data, that was most likely because that is what the New York State Department of Taxation and Finance insisted upon. This is probably why the commentary coming from New York State has been relatively mild and has not unequivocally pointed the finger of blame at Morgan Stanley. After all, it appears that at least some of the data sent to the NY State Department of Taxation and Finance has not been secured according to NY statute for at least five years. Probably budgetary pressures.
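To make the “agreed upon scheme” above concrete, here is an added example of what a sender and a receiving agency would have to settle on before encrypted media can work: an authenticated cipher (AES-256-GCM), a key-derivation function and iteration count, a way to bind the disc to the specific delivery, and a passphrase that is exchanged out of band and never written to the disc. This is illustration code written for this page, not code from the original post, from Morgan Stanley, or from New York State. The delivery label, the passphrase, the iteration count and the sample records are all hypothetical or constructed; the PBKDF2 routine is written inline so the program needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // per-file random salt, stored in the clear on the disc
	nonceLen  = 12      // standard GCM nonce size
	keyLen    = 32      // AES-256
	pbkdfIter = 100_000 // hypothetical; both parties must agree on this value
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so the example needs only
// the standard library. Check any KDF you actually ship against published vectors.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < dkLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_j = PRF(P, U_{j-1}); T ^= U_j
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// keyedGCM derives the AES-256 key from the out-of-band passphrase and this file's salt.
func keyedGCM(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, pbkdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file for shipment on physical media. The passphrase never
// travels with the disc; the label is authenticated (not encrypted) so a disc
// cannot be passed off as a different delivery. Layout: salt | nonce | ct || tag.
func Seal(passphrase, label, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := keyedGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(append(out, salt...), nonce...)
	return aead.Seal(out, nonce, plaintext, label), nil
}

// Open reverses Seal and fails closed: a wrong passphrase, a wrong label or a
// single flipped byte all yield an error, never silently corrupted plaintext.
func Open(passphrase, label, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short to be a sealed file")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := keyedGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase, wrong label, or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample records and hypothetical names; nothing here is real data.
	records := []byte("taxpayer_id,name,amount\n000-00-0001,Example A,1200.00\n")
	label := []byte("ANNUAL-DATA-2011 sender=MS receiver=NYDTF")
	passphrase := []byte("exchanged-by-phone-not-on-the-disc")

	blob, err := Seal(passphrase, label, records)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(records), len(blob))
	blob[len(blob)-1] ^= 0x01 // one byte altered in transit
	_, err = Open(passphrase, label, blob)
	fmt.Println("after tampering:", err)
}
```

The point of the design is that every element the text calls “agreed upon” is visible in the code: the receiver needs the same KDF, iteration count, label and passphrase, and nothing on the disc helps an interceptor who lacks the passphrase. Authenticated encryption also answers the “arrived intact” question directly: if Open succeeds, the contents are exactly what was sealed. A fresh random salt per file is why a random 12-byte nonce is acceptable here; reusing a fixed key across many files would call for a nonce-management policy as well.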

In this case the law in question is the New York Information Security Breach and Notification Act (ISBNA). It appears that both Morgan Stanley and the New York State Department of Taxation and Finance are in fact covered by the ISBNA, which was originally enacted in late 2005. However, upon review of New York State Technology Law Section 208 (the part of the ISBNA that pertains to state agencies), it appears that what happened to the CDs from Morgan Stanley was not, in the eyes of New York State, a “data breach”. Here is the definition of “breach of the security of the system” contained in State Technology Law Section 208: “Breach of the security system means an ‘unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.’ ” So the breach was not a breach, and it appears that Morgan Stanley and, reluctantly, the New York State Department of Taxation and Finance have decided to notify taxpayers in New York out of an abundance of caution. Please note that no one is congratulating Morgan Stanley for taking the high road in its ongoing compliance with New York State law. It didn’t have to notify its customers, but it chose to anyway.

The moral of this sad story is that when it comes to suspected data breaches, companies are damned if they do and damned if they don’t. A company like Morgan Stanley, which has excellent technology infrastructure and a reasonably good track record when it comes to protecting information, will be tarred with the same brush used on companies like Sony and others who arguably turned a blind eye to the protection of information in their care. You have a good reputation until you don’t. The moment your good reputation expires is chosen by people you have never met, who have only sketchy access to the facts and who then twist those facts to their own advantage. Welcome to data breach notification, United States style.

[Author’s Note: I have no inside information concerning this incident and have not included any proprietary information in this blog.]


The Changing Nature of Incident Response: Part 4

I last wrote about the first bona fide global emergency that response teams faced. The good news is that the worm that triggered this emergency eventually died out; its duration was slightly less than three weeks. Far more dramatic events started occurring around ten months later, however. People at a number of Department of Energy (DOE) sites, as well as elsewhere, started reporting suspicious events in their computer systems. Commonality in these events started pointing to a single origin. For example, some individuals reported finding that the password files on their Unix systems contained an unexplained entry with a blank account name and password. Others reported that new accounts named “rgb” or something similar started to show up on VMS systems. When it was possible to trace the origination of attacks, many of them appeared to originate from the Netherlands.

Read more…