An Information Security Place

Commentary on the State of Information Security

Archive for the 'Data theft' Category...

Filed under Business of Security, Crime, Data theft, Rant, Security

The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes. Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.

I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about issues similar to this about governments and publishing SSNs online here and here). Here's some of the opening paragraph:

Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.

And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years. But why can't we catch up?

Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast. Cars were invented, there was the first crash, and then we started figuring out that we needed to have some kind of traffic control. It may have been a while before it was worth a crap, but we caught up relatively quickly. Then there were airplanes. The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.

Honestly, I don't know how quickly people started figuring out that these types of things needed to be regulated. Likely it was all about risk, since there weren't a lot of planes or cars around when they were first invented, so not a lot of safety was needed yet. But we got smart eventually. Consider this quote:

It’s like trying to predict back in 1910 the impact of the automobile on society - the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993

The move to adopt the Internet and the rush to make it better and faster just came too quickly. Just like the Wright Brothers probably didn't imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a worldwide public network that had to contend with a bunch of thugs trying to steal everyone's information. They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn't get a date.

But it became so much more, so much more quickly than anyone imagined. And it pervaded everything. And now it is a struggle to catch up, because the people who are really trying to fix the problems are often contending with the bad guys and with the people who look like they are doing something but are really just riding the gravy train that the security issues have created (I have been guilty of that, and still am in many people's eyes, since I sell security services and products).

So how do we fix this stuff? Well, short of bombing us all back to the Bronze Age ("Stone Age" is so overused, and bronze is shinier), I really don't know. There are theories abounding. Some people say we need to go back to the people and get them to buy in to doing things right. Some people say we need to leave them out of the equation and just implement technology. Others say we should just start over from scratch and build in security from the ground up. There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet. But it all keeps coming back to one thing: we're still insecure.

What I don't understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do. Is it simply a numbers game? Do they have that many more people looking than we do? Do they have a much more lucrative job than we do, so they are better motivated? Is it because the countries in which many bad guys reside don't give a crap, or just don't have the resources to catch them? All of the above? What else?

How do we get ahead of this? How can we put the same amount of resources into this to find the vulnerabilities before the bad guys? People have tried to create communities and projects where they pay for vulnerabilities. But there's no guarantee that they are the only ones getting the results of that research.

You know what? I don't see an end to this. I think there is really no way to fix it. This simply is a human problem. There have always been bad people, and there always will be. And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes. There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic). All this talk about "security should have been built in" is just a pipe dream. Security Nirvana is not possible. There will always be mistakes. Every time we come up with something new, someone figures out how to break it. And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.

I just don't see another way. Yes, there can be some model changes when it comes to how stuff is sold and what really works, and other things can be factored in to make change happen on a substantial level. But this is really what we have to work from. I know there is a lot of room for discussion here, and I welcome it. Please help me see this differently. But for right now, this is how I see it. I am not being cynical. I am not quitting on security. I just think it is going to be a protracted battle that will require dedication and persistence.

Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008

Filed under Data theft, Security, Stolen computer

From SANS NewsBites Volume 9 Number 8. This goes to prove that data theft was probably the biggest issue of 2006 and will keep on being big in 2007.

Crazy stuff.

TOP OF THE NEWS
–Former Michigan County Treasurer Allegedly Embezzled State Funds to Pay Nigerian 419 Scammers
(25, 24 & 17 January 2007)
Former Alcona County (Michigan) Treasurer Thomas Katona has been arraigned on nine felony counts of embezzlement and one felony count of forgery for allegedly embezzling state funds to the tune of US $1.2 million; some of the money was allegedly sent to 419 fraudsters in Nigeria. Authorities became aware of the situation when a local bank alerted them to unauthorized wire transfers Katona had directed. Bank officials had cautioned Katona on several occasions that he was falling for a scam, but he ignored their warnings. Katona also allegedly lost more than US $72,000 of his own money in the scam.
http://www.theregister.co.uk/2007/01/25/treasurer_accused/print.html
http://www.informationweek.com/showArticle.jhtml;jsessionid=UKVFNGXFCRYXIQSNDLPCKH0CJUNN2JVN?articleID=197000242
http://www.michigan.gov/ag/0,1607,7-164-34739_34811-160250–,00.html
[Editor's Note (Schultz): It is hard to understand how someone who ostensibly is an otherwise intelligent, responsible person could allegedly have fallen for such a scam in such a big way. This shows that despite the fact that 419 scams have lost much of their lustre, they nevertheless still pose a high level of risk.
(Liston): The common misconception is that 419 scams (and their ilk) are aimed at unintelligent victims. Mr. Katona, no doubt, saw the prospect of the 419 "windfall" as a way to cover up his alleged embezzlement, and let greed and desperation overwhelm common sense. Remember: scams are aimed at other human weaknesses -- not "stupidity."
(Grefer): FTC and State Department web sites provide additional guidance at:
http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm
http://www.state.gov/www/regions/africa/naffpub.pdf
(Shpantzer): These scams are profitable http://www.theregister.co.uk/2007/01/02/money_launderer_caught/ and have resulted in domestic violence http://www.theregister.co.uk/2006/07/20/419_shooting/ and kidnappings/ransom/killings of those who travel to Nigeria to close 'deals' with the scammers.]

–Class Action Suit Filed Against Chicago Board of Elections for Data Exposure
(23 January 2007)
A class-action lawsuit has been filed against the Chicago Board of Elections for sending out more than 100 CDs with sensitive, personally identifiable voter information to city aldermen and ward committeemen.
“The suit … alleges the board violated the Illinois Personal Information Protection Act” and seeks unspecified compensation for all Chicago voters whose Social Security numbers (SSNs) were compromised.
Other data on the CDs include dates of birth, addresses and phone numbers. The board is making efforts to get the disks back, but a board spokesperson maintains there have been no reports of associated identity fraud since the disks were sent out more than three years ago. The board is required by law to notify voters about the incident, but it plans to make the notification through advertising rather than by contacting each voter individually. The Personal Information Protection Act allows for this sort of notification; see Section 10 (c).
http://www.suntimes.com/news/politics/224519,CST-NWS-data23.article
Text of Illinois Personal Information Protection Act:
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036&print=true
[Editor's Note (Liston): It is interesting to see the government's response to its own error and contrast that with what we can only assume would've been the reaction if this had been a private firm's mistake.
(Shpantzer): This mirrors this week's leak investigation of the entire Israeli population data being given to the political parties in Israel, per Israeli law, facilitating democracy and election fairness. Where else is this happening, and what's being done about this unintended consequence?]

–Data Stolen from TJX Has Been Used to Commit Fraud
(25 & 24 January 2007)
The Massachusetts Bankers Association says customer data stolen in the TJX computer intrusion have been used in fraudulent activity. Close to 60 banks in Massachusetts have been contacted by credit and debit card companies regarding fraudulent activity on compromised debit and credit cards. Banks in other states, including Vermont, Wisconsin and New Mexico, have reported issuing new cards. Canadian cardholders have been hit by fraud as well.
http://www.forbes.com/feeds/ap/2007/01/24/ap3359602.html
http://www.forbes.com/feeds/ap/2007/01/24/ap3357843.html
http://www.freenewmexican.com/news/55831.html
http://www.theglobeandmail.com/servlet/story/LAC.20070125.WINNERS25/TPStory/National
http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20070124/APC03/701240643/1888/APCbusiness

–Delay In Reporting Xerox Laptop Loss Leads To Damage To Employees
(22 January 2007)
A laptop computer stolen from a Xerox human resources manager’s car in August 2006 holds information belonging to an unknown number of Xerox employees; nearly 300 employees received letters notifying them of the theft four months after the fact. Some of the employees had experienced credit problems in the interim; for instance, one individual said several cell phone accounts were opened in his name in the fall of 2006.
A spokesperson defended the company’s decision to delay notification, saying they wanted to determine whether any personal information was on the computer.
http://www.kgw.com/news-local/stories/kgw_012207_news_xerox_theft.cde8339.html

Vet

Posted by Michael Farnum on Friday, January 26th, 2007