The RDV Group InfoSec Blog

Wednesday, April 26, 2006

House Passes Bill To Protect Phone Numbers

In the "this is really needed and I'm surprised they're actually doing something about it" department, the National Journal describes a new House bill to restrict those web sites that buy and sell personal phone information: "... The House yesterday passed a bill designed to protect the privacy of telephone numbers. The measure, H.R. 4709, would make it illegal for online brokers to buy and sell individuals' monthly phone records. It would empower both the FCC and FTC to enforce new rules banning 'pretexting,' the practice of obtaining customers' personal information under false pretenses."

An interesting feature of the history of this bill is that the legislation was introduced early this year after publicity generated by a blogger, John Aravosis of Americablog: " ... After he read an article about the issue, he decided to make cell-phone privacy a pet cause. Aravosis first bought his own records to prove a point, then he bought the records of someone who mattered: 2004 Democratic presidential candidate Wesley Clark. That ploy generated lots of publicity and jumpstarted the issue in Congress."

Here's a tip of the hat to the on-going, often losing, battle for personal privacy. And a great reminder of the power of the Internet!

Campaign Leaks Social Security Numbers

I'm constantly amazed at how poorly privacy is protected by those who have access to personal information. Add this to the continuing litany of lost social security numbers. WBNS channel 10 from Ohio says that "... Millions of Social Security numbers are now in the hands of people who aren't supposed to have them...The private records were mistakenly released by the Secretary of State's office."

"Voter lists are crucial to political parties. They give campaign workers an efficient way to target potential supporters. The lists usually consist of the names of registered voters, their addresses, their party affiliation, and whether that person voted in the last election. Social security numbers aren't supposed to be revealed. But they have been because of a mistake by Secretary of State Ken Blackwell's campaign."

And it's not the first time: "... This is the second time this year private information has been compromised by Mr. Blackwell's office. In March, a link on the Secretary of State's website revealed hundreds of Social Security numbers listed on public documents."

Funny thing, Blackwell handily won his GOP primary for governor this week. Well, maybe not so funny...

I recently gave testimony ...

... to the Westchester County Board of Legislators about the proposed "Public Internet Protection Act," which promotes wireless security in public places like hotels and cafes. While it's obviously not a complete solution, it's a good first step in helping protect data on the wired LAN.

CNN posted a good AP article about the act, "N.Y. county mandates wireless security."

An interesting nugget from the piece is this: "Norman Jacknis, the county's chief information officer, said that when the law was being considered officials detected 248 wireless networks during a 20-minute drive through downtown White Plains. Nearly half had no visible security."

These are not uncommon stats for wireless nets. It's important for all wireless users, especially businesses using wireless routers, to be aware of the threats and vulnerabilities to private data.

There are several good books out about Wi-Fi security, and one of them is my book: "Wireless Security Essentials."

Safe computing!

Monday, April 24, 2006

Sorry For Being So Behind ...

... in my posting. Ron Krutz and I are just finishing up our CISSP Prep Guide, 3rd Edition (which is going to be a MONSTER book!). I did a long article for State Tech Magazine on Instant Message hacking (it'll be a couple of months before it's published), and I've been finalizing other book proposals and working on our information systems security training products.

I promise that I have several posts in the works that will get up this week. April has been a busy month for hacking!

Saturday, April 08, 2006

Workers accused of fudging '04 recount

I occasionally post pieces about voting irregularities and issues with verified voting, because I feel that it's one of the biggest challenges we face as a democracy today. Avi Rubin has done a lot of good work in this area and has testified frequently before congressional panels about electronic voting problems. With many states rushing to implement HAVA requirements, reliable, verifiable, open-sourced and transparent voting systems are sorely needed.

So my interest was piqued when I read this item in the Cleveland Plain Dealer. A special prosecutor has charged that Cuyahoga County, Ohio, election workers secretly skirted rules designed to make sure all votes were counted correctly immediately following the 2004 presidential election, in order to prevent a recount from automatically kicking in.

At this time there isn't any proof that they were trying to sway the election one way or another, but rather were trying to save money: " ... While there is no evidence of vote fraud, the prosecutor said their efforts were aimed at avoiding an expensive - and very public - hand recount of all votes cast. Three top county elections officials have been indicted, and Erie County Prosecutor Kevin Baxter says more indictments are possible."

Evidently they were supposed to take a random sampling of 3% of the ballots and compare with the related machine totals: " ... If the hand and machine counts match, the other 97 percent of the votes are recounted by machine. If the numbers don't match, workers repeat the effort. If they still don't match exactly, the workers must complete the recount by hand, a tedious process that could take weeks and cost hundreds of thousands of dollars."

But they prepared the sample ahead of time, by opening ballots and eliminating any that didn't match the machine, to prevent a manual hand recount: " ... Kathleen Dreamer, manager of the board's ballot department, Rosie Grier, assistant manager, and Jacqueline Maiden, Elections Division director and its third-highest-ranking employee, have been charged with misdemeanor and felony counts of failing to follow the state elections law. A May 8 trial date has been set."

It's going to be interesting to see what happens, and if this leads to bigger fish.
Wednesday, April 05, 2006

Phisher Kings Court Your Trust

Brian Grow has another piece in Business Week that's worth a look. This is a fairly extensive article that quotes a lot of sources and makes some good points. He references some of the busier worms, like Bagle, and some of the newer, less well-known Trojans, like Hearse: "... The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates."

There isn't a lot new and earth-shaking in the article, but he does hit the major point: although more users are getting savvy to the basic email schemes, dollar losses are increasing as fraudsters get more sophisticated and mercenary: "... A 2005 survey by Gartner found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web still rose from $690 million in 2004 to $1.5 billion last year."

I tried to make the same point on Business Week TV on April 02: phishers have progressed from badly spelled emails to well-funded criminal enterprises, sometimes even operating with the blessing of their governments.

Sunday, April 02, 2006

My Appearance on Business Week TV Today

Brian Grow's piece about the rootkit Hearse was the lead story, and they used about 20 seconds of my comments. You can stream the video at the Business Week Weekend TV site here.

One issue I have with these pieces is that they always explain the nuts and bolts of what's happening very well, but never get into real info you can use to combat the threat.

For example, when Brian was asked what a regular person can do about protecting themselves from these threats, he said "Be more vigilant."

Sounds like a Homeland Security recommendation, maybe we should duct tape our computer...