Archive for the ‘Security’ Category

Now we’re afraid of T-shirts

August 30, 2006 11 comments

This is a poor example for a free people to set to the oppressive nations of the world:

Mr Jarrar’s black cotton T-shirt bore the slogan “We will not be silent” in both Arabic and English. 

He said he had cleared security at John F Kennedy airport for a flight back to his home in California when he was approached by two men who wanted to check his ID and boarding pass. Mr Jarrar said he was told a number of passengers had complained about his T-shirt – apparently concerned at what the Arabic phrase meant – and asked him to remove it.

He refused, arguing that the slogan was not offensive and citing his constitutional rights to free expression.

Mr Jarrar later told a New York radio station: “I grew up and spent all my life living under authoritarian regimes and I know that these things happen. But I’m shocked that they happened to me here, in the US.”

After a difficult exchange with airline staff, Mr Jarrar was persuaded to wear another T-shirt bought for him at the airport shop.
- BBC News: Arabic T-shirt sparks airport row

We’re not ANY safer with people like that minding the store.  How did forcing Mr. Jarrar to change his T-shirt make anyone safer?

The terrorists have us jumping at our own shadows.  At an architect wearing a T-shirt with Arabic letters on it.  We’re jumping at the sight of cold cream.  They must be laughing at us.

Grow up, everyone.


Categories: Geeky, Security

Not reassuring

August 12, 2006 2 comments

So I’m at Wal-Mart a few minutes ago, self-checking out my groceries and the machine reboots in mid-checkout:

Windows is shutting down

I went to the next checkout lane and it worked fine.  But as I swiped my AmEx, I thought: “Man, I hope their patches are up-to-date…”

Categories: Geeky, Security

Microsoft annoyances of the day

July 20, 2006 1 comment

If someone sent you an email with an attached PowerPoint presentation containing “18 humorous slides about love between men and women”, naturally you’d assume it was the new PowerPoint virus and you wouldn’t open it.  But apparently some people still have not heard about email attachments and viruses.  Incredible!  It’s a keystroke logger, so it’s particularly dangerous.

Oh, and if you didn’t hate Microsoft’s talking paperclip enough, ‘Clippy’ has a security hole, too.

Categories: Geeky, Security

Patch your Windows today

June 13, 2006 Comments off

Microsoft is releasing a bunch of patches for Windows XP today – you should (shudder) start up Internet Explorer and click on Tools and Windows Update.  (At other times, use a real browser like Firefox or Opera.)  While you’re at it, make sure your system is set to download system updates automatically, using the link that will appear on the Microsoft Windows Update page.

You may have to do this several times if the ‘Windows Genuine Advantage’ patch loads first.  This is Microsoft’s way of making sure there will be literally millions of unpatched Windows computers out there, cranking out viruses and spam. 

Yes, it is annoying, but that is the price for using a Windows computer.  You Macintosh and Linux users don’t get off scot-free, though.  There are at least five percent as many viruses and known attacks you have to contend with, so get out there and patch your machines too, damn it!

Categories: Geeky, Security

Asking for a feature in Vista

June 6, 2006 3 comments

Hey Microsoft!  As long as you’re making your latest imitation of the Macintosh new operating system “Vista” all pretty and positively bulging with advanced (and probably unnecessary) features, here’s one I’d like to see:

After Vista is installed, and starts up for the first time, it shouldn’t connect to any address except Windows Update until the installing technician opens it to other addresses. 

This would eliminate the ‘race against time’ that newly built machines go through in getting their first batch ‘o’ patches.  As it stands now, new Windows installs are often compromised before 45 patches can be downloaded and installed. 

Categories: Geeky, Security

This time, the laptop was full of your credit card numbers

June 5, 2006 2 comments

How big of a ‘clue-by-four’ does corporate (and government) America have to be hit by… before they ‘get it’?

“A seemingly random theft has led to another potential breach of personal data—this time name, address and credit card information from Hotels.com customers.

A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on Hotels.com customers.

Hotels.com was notified of the theft of the laptop, which contained data for about 243,000 customers…”
- ZDnet: Laptop theft exposes Hotels.com data

Imagine you are an auditor, a consultant, a data employee, whatever, and you have a laptop full of data.  If the data gets out, there will be serious economic consequences for your company and disastrous consequences for the individuals whose data it is.

Because you work in both the IT and financial industries, you know about Bank of America, University of California, the Veterans Administration, and literally dozens of other cases where sensitive/disastrous data is compromised by carrying on portable media or devices.  Pop quiz, hotshot: what do you do?

a:  Nothing, and just hope it ‘won’t happen to you’?
b:  Encrypt the data, or get it off the laptop entirely and use a secure VPN to access it? 

What’s it going to take?

Categories: Geeky, Security

26 million veterans harmed by VA carelessness

May 29, 2006 5 comments

After soldiers serve our country at the risk of their lives, setting high the limits of human courage and devotion, our Veterans Administration does what, in reward?

Thief Steals 26.5 Million Veterans’ Identities… an information technology worker at the VA Administration took a laptop home, containing the personal records of 26 million discharged veterans.  This information includes Social Security numbers and dates of birth, just what’s needed for identity theft.  It’s really, really bad, especially that someone broke into the guy’s house and stole the laptop…

It’s especially egregious that the VA kept it a secret for 19 days afterward, since the best defense against identity theft is if the potential victim takes action to monitor their accounts and put a fraud watch on their credit activity. 

I have written before about this kind of carelessness and what kind of havoc it can wreak on the lives of people who entrust companies with their data.  There are a few simple rules – the most important being, datasets like that should never be on a laptop in the first place (it wasn’t even encrypted!).  If it absolutely must be accessed from offsite, an SSL VPN is called for.  And if, on review, there is NO OTHER WAY to proceed than by carrying the dataset on a portable device, strong encryption is called for.

This was not exactly a fluke – the worker had been doing the same thing for years, apparently with the knowledge of his superiors (who are now backpedaling furiously).  The Veterans Administration has also received warnings about this very problem, and apparently ignored them.

What does it take for institutions to at least act as if they care?  Practically every institutional disaster in history has followed some variation of “Don’t worry, it’ll be fine” and even punishing those who say otherwise.

How about: “Pretend this is YOUR data and you could have your financial identity stolen.”  What should happen to the guy who took home the laptop?  His supervisor?  The group that wrote the VA’s data security regulations?

And to the veterans, especially the 26 million whose data was stolen, thank you.  You deserve so much better than what you get, seemingly every time you turn around.

Photo of 3 American flags hanging from giant cranes on I-74 between Bloomington and Urbana, Illinois, this afternoon.

Categories: Geeky, Security

And these are the guys in charge of our defense

May 10, 2006 5 comments

“My intention was never to disrupt security. The fact that I logged on with no password showed there was no security to begin with.”
- UK Hacker Gary McKinnon, who faces decades of imprisonment and millions in fines for hacking Pentagon computers [BBC]

Mr. McKinnon explained that he was looking for ‘suppressed UFO technology’ that he is sure is being hidden in Pentagon computers. 

Categories: Geeky, Security

“Depending on the social controls that are applied…”

April 22, 2006 Comments off

If you really dig technology history, you’d probably enjoy The Story Of Standards, by John Perry.  He tells an engaging history of how all the industrial standards that support our technical culture came into existence – at least up until 1955, when the book was published.  In the last chapter, as tech writers are wont to do, he made some wild guesses about the future.  In the chapter “Machines with memories”, he wrote:

Science fiction writers have portrayed the mechanized society as wholly regimented and standardized.  Some of the men who best know what computers can do are equally pessimistic and with better reason.  Most of us are uneasy about invasions of privacy: wire-tapping, interception of mail, questioning of neighbors, and other techniques of the investigator.  We are made uncomfortable by the knowledge that our dossiers are kept in official and semi-official places, where information, accurate or otherwise, is accumulated.

Computers could well be used as super-investigators, keeping on tap a permanent record of almost anything we say or do within the field of perception of any computer or its auxiliaries.  From schools, courts, license bureaus, credit agencies, employers, hotels, department stores, bureaus of taxation, newspapers, organization files, voting lists, and hundreds of other sources, a dossier could be compiled by pushing a few buttons…

This won’t happen in five years, though some of the essential pieces of the picture are rapidly becoming quite real.  It may never happen but it could.  Of course the machines won’t be to blame.

Of themselves the computers will only do what they’re told to do.  The point is, however, that they are enormously powerful information processors.  Like all instruments of power, how they are used depends on what social controls are applied.  Thus far man’s record of devising and using social controls of such magnitude is rather spotty.
- John Perry, The Story Of Standards (Funk & Wagnalls Co., 1955), p. 249

OK, he could spot the dystopian possibilities, but… debit cards!

You seldom have to write a check, and you seldom need cash.  Slipping your plate into a slot at any store, restaurant, or ticket office makes the purchase and transfers the money automatically.  If you travel on expense account, you carry a second plate, which will charge to your employer’s account only the kind of expenses he authorizes…

…and optical data storage, online libraries, the ascendancy of the computer to primacy as a communications device and lots, lots more.  Not too shabby.

By the way, according to Harper’s Index, the state of Minnesota sells its drivers’ license database to just about any company with $1,500.  Last year, 800 companies purchased the database.

Categories: Geeky, Security

Will someone PLEASE explain to me…

March 27, 2006 3 comments

Fidelity Investments says they’ve lost a laptop containing customer information, including “names, addresses, Social Security numbers, and more—on as many as 196,000 Hewlett-Packard employees who have Fidelity retirement accounts”.

Their explanation is that they only allow information like that on laptops when it is needed for “client meetings”.

Horse-pucky.

There is no excuse for that kind of information ever being on a laptop.  You wanna tell me Fidelity never heard of encrypted VPN channels to web applications?  There should be no locally cached data sets.

We all know the persistence of data on hard drives.  What’s their procedure for deleting the data after the meetings?  To do it right, you need to use a shredding application.  Do all their field reps know how to do that?  And DO they do it?

I wouldn’t be torqued about this except it happens all the time with the companies that hold our ‘identity-theftable’ data in their systems.  At least the law now makes it harder for them to sweep the loss or breach under the rug; they have to notify the affected individuals and do a bunch of remediation, but lots of people can slip through the cracks.

This was first identified as a problem years ago.  It took an act of Congress to get the companies to do anything at all, but I still read about large-scale incidents on a weekly basis.  Will someone please explain to me WHY THIS IS STILL HAPPENING?

Idiots.

Categories: Geeky, Security