TSA knows what you read


Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore’s choice of reading material, and worry over the number of small flashlights he’d packed for the trip.

The breadth of the information obtained by the Gilmore-funded Identity Project (using a Privacy Act request) shows the government’s screening program at the border is actually a “surveillance dragnet,” according to the group’s spokesman Bill Scannell.

“There is so much sensitive information in the documents that it is clear that Homeland Security is not playing straight with the American people,” Scannell said. (Wired News, “U.S. Airport Screeners Are Watching What You Read.”)

In related lying news, last week it came out that Director of National Intelligence McConnell lied to the Senate about wiretaps.

If this were a political blog, we’d analyze the trend. Since we’re all about information security (and pirates), I’ll just say that in an environment where the security measures are unclear and scary, you can expect users to behave in strange ways.

Free, as in milk

What the hell are the idiots at Facebook thinking?
If there’s anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is “obscene”, which is what the morons at Facebook have done, as reported (for example) by the Toronto Star.
Attention Facebook idiots:
“Obscene” is a legal term. If your lawyers tell you that something like this is obscene, you need lawyers who didn’t go to the Springfield Upstairs School of Law. It sure as hell looks like it has redeeming social value to me.
Much is being made about the hypocrisy of Facebook allowing umpteen pro-anorexia groups, when anorexia is itself demonstrably damaging to women and when such web content (according to recently-published research) is as well. I think this is a foolish argument.
Facebook’s position isn’t wrong because it does more harm than good, or because it is inconsistent. It is bad because being able to advocate controversial things is an essential element of freedom.

Those scurvy dogs!


The scurvy dogs at TD Ameritrade may have tricked us!

Well, maybe. The comments on “Analyzing the TD Ameritrade Disclosure” and articles like “Lawsuit Raises Questions on TD Ameritrade Breach” and “Ameritrade Customers’ contact information hacked” have been forcing me to re-think my position on the subject. But less importantly, today is International Talk Like a Pirate Day! We at Emergent Chaos love pirates far more than we love ninjas. No one has any fun on talk like a ninja day.

We celebrated in 2005 by reminding you that more pirates, less global warming.

We stand by that a lot more than we stand by me Ameritrade post. If there be any justice, I’d be scraping the bottom o’ barnacles. But there’s no justice this side of the Atlantic, thanks be.

Image plundered from amphion27.

Motley Fool on SAIC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing their data, and in some cases using it in actual identity theft schemes, SAIC’s warning of “risk for potential compromise” sounds pretty tame. Still, the company has hired Marsh & McLennan (NYSE: MMC) subsidiary Kroll to help patch its security, and it would take at least $7 million to $9 million in charges in its second fiscal quarter to fix the breach.

What management does:
That won’t do any good for the trend of declining gross, operating, and net margins at SAIC. But to put things in perspective, the midpoint of the range SAIC posited, $8 million, represents just one-tenth of one percent of the firm’s cost of goods sold over the last 12 months. For a company this big, the financial cost of the breach isn’t a tragedy, folks. It’s a rounding error. (Motley Fool, “Foolish Forecast: SAIC’s Chance to Shine“)

I’ve been predicting this sort of response from the market for a long time. It’s nice to see it arrive at a respected consumer-oriented site.


Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach.
According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to Fedspending.org) in the VA case, this sort of approach would almost certainly be much less costly than services like Equifax’s CreditWatch, which are often offered to those whose information has been revealed by a breach.
I think what we’re seeing here is the leading edge of a trend. Firms are applying (what they think is a) risk-based approach to determining what level of post-breach response they provide (if any) to individuals whose information is involved. This is similar to the risk-based notification triggers which some think wise. I would look for more of this: as firms become more knowledgeable about their options, they will become more discriminating in their responses.

Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”)

It appeared that no SSNs, account numbers, or other information was stolen. So why is Ameritrade announcing it, and what can information security professionals learn from this?

First, it appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.

Second, they’re shaping their customer response. Rather than have customers hear about this from someone in a state with a broad disclosure law, and worry “was I affected, too?”, they’re telling everyone. That allows them to appear proactive and caring, rather than reactive and hiding.

Third, they’ve probably kept costs way down by not paying a law firm to analyze their requirement to disclose under a variety of laws.

Finally, they were smart early, and separated their customer data from the deeply sensitive stuff which was in a different database.

So what can someone who’s just been breached learn from this?

First, segment your data now. It pays off, probably more than a lot of products you might buy.

Second, when you encounter an incident, think about taking control of the situation, rather than letting the situation control you. Spending time planning for a variety of breaches will pay off, both for the companies that are ready, and for the leader who initiated the process.
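The “segment your data” lesson, shown as a small worked example. This is added code, not Ameritrade’s design or anything from the post: it builds an unsegmented customer table beside a segmented pair of stores (contact data in one, SSNs and account numbers in another, linked only by an opaque customer id), gives the customer-facing lookup a handle to the contact store only, and then assesses what a full dump of each store would expose. The customer records, column names and the two-tier “response_tier” rule are all constructed for the example.

```python
import sqlite3

# Constructed sample records for this example; none of these values come from the post.
CUSTOMERS = [
    ("c-1001", "Ada Example", "ada@example.com", "000-00-0001", "ACCT-0001"),
    ("c-1002", "Bob Example", "bob@example.com", "000-00-0002", "ACCT-0002"),
]

# Columns whose exposure turns a contact-list leak into an identity/account risk (assumed list).
SENSITIVE_COLUMNS = {"ssn", "account_no"}


def build_unsegmented_store():
    """One table holds everything: a dump of this store exposes every column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (customer_id TEXT PRIMARY KEY, name TEXT, "
        "email TEXT, ssn TEXT, account_no TEXT)"
    )
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return db


def build_segmented_stores():
    """Contact data and sensitive identifiers live in separate stores, joined only by customer_id."""
    contact = sqlite3.connect(":memory:")
    contact.execute("CREATE TABLE contacts (customer_id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    contact.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)", [(c[0], c[1], c[2]) for c in CUSTOMERS]
    )

    sensitive = sqlite3.connect(":memory:")
    sensitive.execute("CREATE TABLE identity (customer_id TEXT PRIMARY KEY, ssn TEXT, account_no TEXT)")
    sensitive.executemany(
        "INSERT INTO identity VALUES (?, ?, ?)", [(c[0], c[3], c[4]) for c in CUSTOMERS]
    )
    return contact, sensitive


def lookup_contact(contact_db, customer_id):
    """The customer-facing component (mailings, support) only ever holds the contact store handle."""
    row = contact_db.execute(
        "SELECT name, email FROM contacts WHERE customer_id = ?", (customer_id,)
    ).fetchone()
    return None if row is None else {"name": row[0], "email": row[1]}


def columns_in_store(db):
    """Every column of every table in a store: what a full dump of that store would reveal."""
    cols = set()
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols.update(row[1] for row in db.execute(f"PRAGMA table_info({table})"))
    return cols


def breach_scope(db):
    """Blast radius of a compromised store: which columns leak, and which of them are sensitive."""
    exposed = columns_in_store(db)
    hit = sorted(exposed & SENSITIVE_COLUMNS)
    return {
        "exposed_columns": sorted(exposed),
        "sensitive_exposed": hit,
        # Simplified two-tier rule assumed for this example, not any statute or company policy.
        "response_tier": "identity exposed" if hit else "contact data only",
    }


if __name__ == "__main__":
    contact, sensitive = build_segmented_stores()
    print("web lookup:", lookup_contact(contact, "c-1001"))
    print("unsegmented store breached:", breach_scope(build_unsegmented_store()))
    print("contact store breached:    ", breach_scope(contact))
    print("identity store breached:   ", breach_scope(sensitive))
```

The point of the example is the last three lines of output: losing the contact store alone leaves the response at “contact data only”, which is the position the post describes Ameritrade being in, while the unsegmented design would have put SSNs and account numbers in the same dump.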

No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details.
The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.
There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.
“A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business’ database and subsequent fraudulent transactions,” a police spokesman said.
She said the investigation was in its earliest stages and no further information was available.
Roses Only later released a statement saying that it had been recently advised that their computer systems “may have been” compromised through an unauthorised intrusion earlier in the year.
“We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system,” the statement said.

Sydney Morning Herald
(Image grab via Youtube)

Who Likes a Cheater?

If you don’t follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like “Belichick given record fine for video cheating.” (Times Online, UK) That may seem like a lot, until you realize that it’s less than 1% of the fine assessed against the McLaren F1 racing team.

The case broke open in July when a 780-page technical dossier on Ferrari cars was found at the home of McLaren’s chief designer, Mike Coughlan, who later was suspended. Ferrari mechanic Nigel Stepney, who allegedly supplied the documents, was fired.
(Detroit Free Press, “Formula One team McLaren fined $100 million in spying scandal.”)

So why was the fine for the Patriots so low? Apparently that’s the league maximum.

So who likes a cheater? Apparently, the National Football League, which has set its maximum fines low enough that cheating was an irresistible temptation.

We now return to your regularly scheduled security blogging.

Photo: Sabine, “A fine city.”

[Update: My friend Jeff, who is much more into football than I am, asks how the fines are proportioned to team budgets, and points out that this is the stiffest penalty given in NFL history. (“Penalizing the Patriots.”) Proportionally, the McLaren fine seems to be roughly 25% of an F1 budget, assuming that McLaren spends as much as the $400MM that Ferrari spends[1]. The Patriots’ financial penalty is less than 1% of the team’s $100MM share of NFL revenue [2]. It’s not clear to me how to compare a draft pick to points, which are the non-financial aspects of the penalties.

[1] Formula 1: The Business of Money
[2] NFL’s Economic Model Shows Signs of Strain]

Invasion Of The Password Snatchers

As I’ve mentioned in the past, my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of the security awareness program they assembled for National Cyber Security Awareness Month. While posters are hardly the be-all and end-all of awareness programs, these ’50s horror movie-themed ones are far better than most.

When Hackers Don’t Strike

Today the New York Times asks us: “Who Needs Hackers?” The article itself, which discusses the recent outages at LAX and with Skype, is fairly fluffy, but it has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and risks, and we need to remember that much more often.
Peter “Comp.Risks” Neumann:

We don’t need hackers to break the systems because they’re falling apart by themselves.

Steve Bellovin:

Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways.

and Avi Rubin:

Maybe we have focused too much on hackers and not on the possibility of something going wrong. Sometimes the worst problems happen by accident.