Archive for April 2008

CNN, Chinese Hackers and a Poor Pennsylvania Web Site

Over the past week there has been much talk by a group of Chinese hackers about attacking CNN web sites as part of a protest of what the group claims has been anti-China news coverage by CNN. The Dark Visitor site (where I personally became aware of this whole incident) has done a great job of covering the whole saga.

After calling off the attack once the attack details became public, it seems that the group decided to go through with the attack after all. Offering words of encouragement and automated tools for those without the technical skills for manual attacks, the group launched an attack that appeared to be successful. Even now sites like sports.si.cnn.com remain offline, causing individuals to boast about the success of the attack on sites such as Twitter.

Yet, there is one small problem. The site attacked, the “Sports Network” is not part of the CNN/SI family of sites. Instead the Sports Network is a privately held Pennsylvania company that has been taken offline by these attacks. As of this writing the web site for the Sports Network still displays a note about the attack and that the Sports Network is working to get everything back up and running.

This was an odd story to watch unfold and I wish the best of luck to the staff over at the Sports Network in getting everything back online and avoiding future attacks.

Why I Love The Internet, Reason #2

Why I love the Internet, Reason #2:

You Never Know What You Will Find

The ability to follow your train of thought on the Internet is amazing. I can, and often do, jump from topic to topic to topic as different web sites trigger different memories. During these journeys, I often run across some amazing stuff that without the Internet I would never have found. I had one of these journeys as recently as last night.

For some odd reason I started thinking about Dungeons and Dragons and wanted to find some fan fiction I remember reading years and years ago. Yep, you read that right. I played D&D, I have read fan fiction, and I did indeed spend my Friday night alone, searching for D&D fan fiction online. Hello, my name is Adam and I am a geek.

Anyway, this D&D fan fiction quest led to me trying to remember the names of the different AD&D realms I used to play (Dragonlance, Forgotten Realms and Dark Sun for anyone interested). Remembering the different realms had me looking up all of the fantasy authors I used to love reading, such as Weis and Hickman (I was a super fanboy not only of the Dragonlance Chronicles but also of the Rose of the Prophet, Darksword and Death Gate Cycle series) as well as Ed Greenwood.

Then I came across “What It’s Like to Play D&D” by Roger M. Wilcox and I was again reminded of why I love the Internet. This essay is quite funny and I urge anyone who still plays or used to play some D&D to go read it.

The ability to go from looking up information on Forgotten Realms fan fiction, to reminiscing about some great books I’ve read, to discovering a humorous essay on D&D in an easy, smooth manner is another reason that I love the Internet.

Trust But Verify

Oh, the many ways that organizational information can be lost. Insiders, outsiders, mistakes, malicious actions, theft, loss, the list seems to go on and on. Yet, one area that tends to be overlooked quite often is contracted third parties. However, as several colleges and universities have found out recently, third-party actions can have serious consequences for the campus community.

What am I talking about? Well, thus far in April several institutions have had confidential information lost and/or stolen from a trusted third-party. The University of Miami notified 47,000 patients after backup tapes were stolen from an off-site storage company. Northwest Missouri State University, Buffalo State College and four Connecticut State University System campuses have had to alert 1,100, 16,000 and 3,400 students respectively after a laptop belonging to a vendor was stolen.

As shown above, as well as at the end of a previous post, third-party loss of college/university information is not unknown within higher education. As more and more educational institutions reach out to third-party companies for support and development, more internal information will be traveling outside of the institution’s control. Colleges and universities should start looking at ways to control this risk by placing control requirements into vendor agreements.

Some of the controls that should be considered are time limits on how long the information can be stored by the vendor, limitations on how many vendor employees can access the data and/or how many copies of the data can exist, as well as controls on data protection such as requiring encryption on portable equipment. One of my personal favorites is to ask vendors for a copy of their internal security control procedures/policies, as well as asking which employee (at the vendor) is responsible for the safety and security of the information they are requesting.

We need to stop blindly trusting our vendors and make sure that they have controls in place to properly handle an incident and minimize the effects of a data breach/loss/theft when it occurs. After all, it is not a question of if but when such an event will happen to your institution.

A Light At The End Of The Tunnel?

Reading this blog one might get the impression that I do not hold educational institutions in high regard with respect to information security. However, nothing could be further from the truth. The reason I write about higher education on this site and track security incidents over at ESI is that I believe that these efforts (mostly ESI) will help educational institutions. I have dedicated most of my professional life to working in higher education and I want nothing more than to see this industry succeed.

This desire to see the industry succeed is why I am excited to see the manner in which Ohio University is handling the aftermath of the university’s breach back in 2006. Instead of remaining silent about this unfortunate incident, Ohio University is speaking out about what happened and what the university has learned from the incident. In a recent article in the Chronicle Of Higher Education (subscription required), Ohio University president Roderick McDavis describes the incident from the inside.

This is a great article and hopefully those reading this have access to the Chronicle. If not, The Athens Messenger has an overview of the article, but I feel it misses several key points. These key points include that “We don’t think” is not a good enough answer when determining if systems are at risk, that the university IT department (like many college/university IT departments) “was significantly understaffed and that its future performance was not sustainable without further investment”, and that the outsourcing the university was doing was not a good option for the future.

However, I will say that the overview does capture the best point of the article: “Share information openly - both positive and negative.” Perhaps there is a light at the end of the tunnel after all.

Want to hear more about the Ohio University incident? Ohio University will be talking about this incident at the upcoming EDUCAUSE Security Professionals Conference during a preconference seminar titled “The Lifecycle of a Security Breach”. If you are going to the conference but not attending the preconference events, you can still learn about the breach at the “Keeping the Skillet Hot: Managing Security Between the Breaches” session, where I have the pleasure of being on a panel with Matthew Dalton of Ohio University and Jack McCoy of the University of Colorado System.

We Need A Better Solution

Anyone that has attended a security training at my organization knows that I hate passwords. Why, you might ask? It is simple. Passwords are a pain! Just take a look at my daily password entry:

  • Password #1: Log into my personal laptop in the morning
  • Password #2: Log into personal e-mail account
  • Password #3: Log into ESI web site, check logs/stats and update if needed
  • Password #4: Log into AdamOn, check logs/stats and update if needed
  • Password #5: Log into FeedBurner and check stats
  • Password #6: Log into work computer
  • Password #7: Log into work e-mail
  • Password #8: Open encrypted disk at work

Yup, that’s right, I type in 8 different passwords before 8am in the morning! Is it any wonder I hate passwords? Oh, and each of these passwords is different than the others. This is a typical morning for me and does not include signing into other services such as IM or Twitter or any of my servers. (Doing so can add up to 5 more unique passwords to my daily log on procedures.)

Each day I face a growing contempt for these passwords. They are in my way, preventing me from doing my job in the most efficient manner possible. It is no wonder that people write down passwords, use similar or the same passwords over and over again, and use applications to store passwords. Passwords just suck!

It might sound strange to some people that a security professional doesn’t like passwords, but I am not alone. Dr. M.E. Kabay, CTO of the School of Graduate Studies at Norwich University and Program Director for the university’s Masters of Science in Information Assurance, has an excellent set of articles over at Network World about passwords.

The bottom line is that we need a better solution.

Getting Excited About Technology

It’s no secret that I love technology. Yet, this obsession has lessened over the past few years. For some reason I just couldn’t make myself get excited over minor improvements in power consumption or the inevitable increase in processing power. This has all changed, however, thanks to a couple of new pieces of technology that are in the pipeline.

What are these wondrous creations that have me all atwitter?

The first is OCZ’s Neural Impulse Actuator. The ability to control my computer using only my brain, eyes and facial muscles? Hell yes! Even if the NIA only works half as well as advertised I’m going to be picking one up.

The second piece of technology that has reduced me to fanboy mentality is Brother Industries’ Head-mountable Retinal Scanning Technology. I have been a fan of head-mounted displays for years and I can barely contain my joy over the possibility of using this product.

I can’t wait to pick up either of these devices and give them a whirl.

‘Tis A Sad, Sad Day

Update: Looks like this was a belated April Fools joke and I fell for it. Great job! Now excuse me while I wipe the egg off my face…

Today is a solemn and sad day over at AdamDodge.com. Attrition.org announced today that it is no longer going to be updating the DLDOS site or the DLDOS feed. I completely understand the reasoning behind this move. I have noticed for a while now certain for-profit outfits using the ESI feed for their services, so I can only imagine the type of outright theft and plagiarism that sites like Attrition.org and PogoWasRight.org deal with. (Dissent over at PogoWasRight.org has a great post up about this whole situation.)

One of the first decisions I made with ESI was to ensure that I not only gave credit to the news source where I pulled the Abstract, but that I also gave a nod to the site where I found the news story. If I found it on my own, I list ESI as the source. However, if I find it on a site like Attrition.org or PogoWasRight.org I make damn sure I give them the credit. I run a breach disclosure web site so I understand how much time it takes to find and catalog these incidents.

The fact that companies and organizations out there feel the need to steal and repackage work done by others without attributing credit is a despicable practice, and I urge anyone that uses such a service to reconsider the fact that you are paying for content that A) is being delivered through unethical and possibly illegal means and B) is most likely available from the original source for free.

I too understand the pressure to ensure that posts are mistake free. I have made a number of mistakes on ESI and I always feel horrible when I discover them. I always make sure to update the story not only to correct the mistake but also to point out that I did make a mistake. Given the lack of ethics displayed by the vultures that rip my content without permission and/or attribution, I often worry that they never bother to correct these mistakes. So for everyone using these services who is not worried about ethics or the fact that they are paying for content that is freely available elsewhere, consider the fact that you may be paying for information that is not correct.

I want to thank Attrition.org for the hard work in running this amazing resource. I know that I for one will greatly miss the DLDOS.

A Blow To My Ego

Symantec’s Global Internet Security Threat Report was released recently. Can anyone guess what sector represented the “highest number of known data breaches that could lead to identity theft”? (If you’ve already seen the report, Shhhhh!)

With 24% of the total for the second half of 2007 (drum roll, please) Education topped the list! The good news: 24% is down from the “30% of the total” Education received in the previous report. The bad news: Education was the top ranked sector then as well.

Given that ESI has seen an increase in breaches thus far in 2008 (a trend mirrored industry-wide according to the Identity Theft Resource Center), it appears that Education will unfortunately top the next Global Internet Security Threat Report as well.

However, this is not the biggest news from the report. With the average identity netting criminals $1-$15, apparently I’m not even worth as much as the pizza I ordered for dinner the other night!

How Insider Threat Is Born

The LA Times has a great article on the recent UCLA medical records breach. In the article, the woman accused of illegally accessing over 61 medical records, Lawanda Jackson, gives a reason for her snooping. What was the reasoning behind Lawanda Jackson’s actions? Was it a diabolical plot to destroy the place where Jackson has worked for over 30 years? Nope. Was Jackson just looking to score some quick cash selling dirt on celebrities? While claims have been made, there is no proof of this (plus almost half of the records Jackson accessed did not belong to celebrities).

What possible reason could Jackson have had then, if it wasn’t malicious intent?!? Simple: Jackson was prompted by nothing more than curiosity. According to statements made to the LA Times, Jackson would see a news story and wonder if the people involved came to the UCLA medical center. To quote Jackson from the story, “There was no intent to do anything bad.” Welcome to how insider threat is born.

Insiders are not always angry or disgruntled employees seeking to get even with their employer. Nor are insiders money-grabbing opportunists looking to make a quick buck at the expense of their employer. Instead, most insiders are individuals that generally enjoy what they do and where they do it. Above all, insiders are human.

Why does the fact that employees are human matter when it comes to insiders and the threat they pose to information security? It is important to always understand that your employees (i.e. insiders) are people and as such have all the failings of people. Some are lazy, some are manipulative, some are mean while others are nice. Above all, many are curious.

This curiosity can easily lead to security incidents if the organization does not take the necessary steps to restrict access. It is no longer enough for information security professionals to protect our organizations’ infrastructure from external attackers; we need to start thinking about how to protect our organizations’ data from unauthorized access or disclosure by our own employees.

I’m Taking My Ball and Going Home!

It seems that Hannaford supermarket has pulled all of its advertising off at least one television station, claiming the reporting on the recent security breach has been too “aggressive”. Attempts by the television station to get more information from Hannaford have gone unanswered, according to the article. (Please note that I have not seen any of the reporting, so I am going off the cuff here.)

This seems to be an odd move. Now, Hannaford has every right to choose where it advertises its stores, but it seems a bit odd that they would pull advertising simply because they were unhappy with news coverage. Apparently there are no factual errors in the television station’s reports of the incident. It simply seems that Hannaford is hurt by the “aggressive” reporting.

Why is this odd, you ask? This move by Hannaford smacks of an attempt to control the news stories reported about the company. While this may not be the reason the advertisements were pulled, it certainly looks like that.

Is this really a possible perception the company wants the public to have following the recent breach?