Pretexting

I have seen “pretexting” in the news far too much without commenting on it.

What is pretexting? According to Wikipedia it is “the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone”.

So, in other words, it’s a specific type of social engineering. Or as I like to call it: fraud.

Let’s not beat around the bush on this one. If you contact a company and pretend to be me in order to get information about me, or acquire a service or funds that you are not entitled to, you are committing fraud (and I will beat you down).

Having been the victim of both identity and credit theft, I take privacy very seriously. And yet even a thorough understanding of privacy and paranoia is still not enough.

The first time it happened someone forged my signature (convincingly too) to have all of my mail forwarded to Texas. The motivation on this one is still unclear, but it took the post office months to straighten my mail out.

The second time I was a victim of credit card “double-swipe”. While at a gas station in Ontario, CA someone swiped my debit card through a modified card reader. This reader recorded the information stored on the strip on the back of my card. They also recorded my CVV (the 3 digit code on the back of the card) and used the information to print a new magnetic strip and clone my debit card. It was used for ‘card in hand’ transactions in Toronto.

Neither of these events could have been prevented… by me. However, with proper legislation our government could force private industry to implement effective safeguards against these sorts of attacks. Unfortunately, until these safeguards are mandated or they become cost effective, they will never happen, and we as consumers will continue to suffer.

A prime example of this country moving in the wrong direction is the recent HP verdict. The top levels of the company condoned (nay, encouraged) pretexting and got off with no jail time.

And now we are seeing pretexting causing issues with Xbox Live.

We have to be clear with lawmakers that we will no longer sit by and let our personal data be stolen and sold.

Until we can convince lawmakers that this sort of thing will not be tolerated, all we can do is learn how to protect ourselves and support organizations that are trying to make things right.

Electronic Privacy Information Center (EPIC)
Identity Theft Resource Center
Privacy Rights Clearinghouse
Privacy Laws by State (source: Epic.org)

Technician Error Costs Taxpayers $200,000 and Illustrates Lack of Procedures

I just read an article that illustrates how basic planning and proper implementation of procedures could have saved us taxpayers $200,000.

Source: CNN

A computer technician reformatting a disk drive at the Alaska Department of Revenue. While doing routine maintenance work, the technician accidentally deleted applicant information for an oil-funded account — one of Alaska residents’ biggest perks — and mistakenly reformatted the backup drive, as well.

There was still hope, until the department discovered its third line of defense had failed: backup tapes were unreadable.

“Nobody panicked, but we instantly went into planning for the worst-case scenario,” said Permanent Fund Dividend Division Director Amy Skow. The computer foul-up last July would end up costing the department more than $200,000.

Now, you may ask: “How could this have been avoided?”

The answers are simple: “separation of privileges” and “regular backup validation”.

In this article it was mentioned that the data contained on the drive was for “an account worth $38 billion”. So for data that important and that valuable, why do they only have one backup tape? And if they do only have one backup tape, why wasn’t it validated?

“Separation of privileges” is a security concept that you often see demonstrated in movies when a government is about to launch a rocket into space or a nuke. Either two people have two separate keys to launch, or one person has a key and another a secret code. This is a valuable security concept because it ensures that no single person is responsible for the launch of a nuke.

In this case the technician (most likely ex-technician by now) should have only had file system permissions to either the data drive or the backup drive, but not both.
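The “regular backup validation” half of the answer, as an added example (not from the CNN story): a backup only counts once a restore has been proven to work. make_backup records a checksum manifest of the source tree, and verify_backup restores the archive into scratch space and checks every file against that manifest, which is the test that would have exposed an unreadable tape before it was needed. The functions are hypothetical and assume GNU tar and coreutils sha256sum, and file names without whitespace.

```shell
#!/bin/sh
# make_backup SRC_DIR ARCHIVE: tar SRC_DIR into ARCHIVE and write ARCHIVE.manifest
# (sha256 of every file, recorded at backup time so a restore can be checked later).
make_backup() {
    src=$1
    archive=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.manifest"
    tar -C "$src" -cf "$archive" .
}

# verify_backup ARCHIVE: exit 0 only if ARCHIVE extracts and every file listed in
# ARCHIVE.manifest restores with its recorded checksum; exit 1 otherwise
# (unreadable archive, missing file, or changed content).
# Run it under an account that can read the backup media but has no write access
# to the live data, i.e. the separation of privileges argued for above.
verify_backup() {
    archive=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c --quiet "$archive.manifest" ) >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Constructed demo data: a few "applicant" records, backed up and then verified.
demo() {
    work=$(mktemp -d)
    mkdir "$work/data"
    printf 'applicant 1\n' > "$work/data/a.txt"
    printf 'applicant 2\n' > "$work/data/b.txt"
    make_backup "$work/data" "$work/backup.tar"
    if verify_backup "$work/backup.tar"; then
        echo "backup verified: restore matches manifest"
    else
        echo "backup FAILED verification"
    fi
    rm -rf "$work"
}
demo
```

Scheduling verify_backup after every backup run (and alerting on a non-zero exit) turns “we have a tape” into “we have a restore”.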

I thought the U.S. government invented these concepts?  Why is it that they don’t follow them?

I Got a New Job!

I finally decided that it was time to move on to a job in which all I do is information security. Yesterday I accepted an offer with another department on campus and will be starting in this new role April 16th.

Because MSU uses union titles that don’t describe the specific role, it is difficult to say for certain what my real title would be. Having closely read the job posting and compared it to other postings on job boards and to what I know of InfoSec careers, I would describe it as “Information Security Analyst”.

It will be refreshing to get away from certain aspects of my current job: specifically support. I’m done crawling under people’s desks, thank you.

The best part of this move is that I will be able to devote all of my attention and research to InfoSec.

The whole “job search” process was interesting this time around. I interviewed at MANY different places, for all sorts of security related positions. I turned down a number of offers and had some exciting and interesting opportunities.

The two positions I narrowed it down to are the one I accepted (obviously) and a permanent position as an “Information Assurance Analyst” doing contract work for the Department of Defense. I would have had secret and IT-1 security clearance. It sounded exciting, but I decided that MSU was the best fit.

MSU is a 13-minute commute as opposed to an hour for the DoD, and I can pursue a college degree here at MSU.

Texas County Clerks Want to be Above the Law on Data Privacy

In case you haven’t been following security and privacy related news, last week Texas Attorney General Greg Abbott ruled that exposing SSNs in public documents violates state and federal laws.

To me, this is common sense and good news for the common good of everyone in Texas. Why would you want anyone printing your social security number in a public document? It makes no sense and is outright dangerous.

Now we have this little gem (source: computerworld.com)

The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents “in the ordinary course of business.” […] The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid.

This sounds like a group of people so set in their ways and so fearful of change that they are unwilling (or too lazy?) to change operating procedure to comply with the law and serve the good of the general public.

I’m appalled that the Texas county clerks would ask legislators to exempt them from this law and I am even more disgusted with the fact that the legislators are considering it.

Apparently even the privacy concerns are bigger in Texas.

ColdFusion MX 7 2007 DST Update Instructions on Linux

What I have dubbed Y2k7DST went off (almost) without a hitch. All the hundreds of patched machines seemed to roll over properly… for the most part.

The one thing that completely slipped my mind was ColdFusion. Maybe because I haven’t coded in it in so long or maybe it was because I assumed it got its time hooks from the OS.

In any case, ColdFusion MX 7 needs to have the JVM updated to accommodate the new (<sarcasm> and infinitely wise </sarcasm>) daylight saving time change.

The ‘details’ of this update can be found in Adobe TechNote: d2ab4470

The install instructions are a bit scattered so, because I’m such a nice guy, I have summarized them here for the lazy or uninitiated. These instructions are only what you need to get CFMX7 updated. Because of this you should read the accompanying instructions so you know what you are doing. And as always I take no responsibility if anything mucks up during this process.

ColdFusion MX 7 2007 DST Update Instructions for Linux:

1. SSH to your web server and pull up a root shell or sudo all of the following.
2. Download the TZupdater from java.sun.com
3. Create an account and log in, or use bugmenot.com to get the file.
4. Because the sunsite uses a special download application, you need to download the patch to your local workstation and scp/ftp the file to your server.
5. Change to the directory you downloaded the tzupdater-1.1.0-2007c.zip to.
6. unzip tzupdater-1.1.0-2007c.zip; cd tzupdater-1.1.0-2007c
7. /opt/coldfusionmx7/bin/coldfusion stop
8. /opt/coldfusionmx7/runtime/jre/bin/java -jar tzupdater.jar -u
9. /opt/coldfusionmx7/bin/coldfusion start

That should be it. Test it to be sure it worked.
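A way to make “test it to be sure it worked” meaningful, as an added example that is not part of the TechNote or the steps above: the 2007 US change moved DST from first-Sunday-in-April..last-Sunday-in-October to second-Sunday-in-March..first-Sunday-in-November, so a before/after check of the JVM (or anything else that keeps its own time zone rules) should use a date on which the two rule sets disagree. These hypothetical functions compute those dates for a given year; they assume whole-day granularity and ignore the 02:00 transition hour itself.

```shell
#!/bin/sh
# day_of_week YEAR MONTH DAY -> 0=Sunday .. 6=Saturday (Zeller's congruence, Gregorian)
day_of_week() {
    zy=$1; zm=$2; zd=$3
    if [ "$zm" -lt 3 ]; then zm=$((zm + 12)); zy=$((zy - 1)); fi   # Jan/Feb count as 13/14 of prior year
    zk=$((zy % 100)); zj=$((zy / 100))
    zh=$(( (zd + (13 * (zm + 1)) / 5 + zk + zk / 4 + zj / 4 + 5 * zj) % 7 ))
    echo $(( (zh + 6) % 7 ))    # Zeller numbers 0=Saturday; shift so 0=Sunday
}

# nth_sunday YEAR MONTH N -> day of month of the N-th Sunday
nth_sunday() {
    first=$(day_of_week "$1" "$2" 1)
    echo $(( 1 + (7 - first) % 7 + 7 * ($3 - 1) ))
}

# last_sunday YEAR MONTH DAYS_IN_MONTH -> day of month of the last Sunday
last_sunday() {
    echo $(( $3 - $(day_of_week "$1" "$2" "$3") ))
}

# in_dst RULE YEAR MONTH DAY -> exit 0 if the date lies inside DST under RULE (old|new).
# Dates are compared as MMDD integers; the end date itself is standard time.
in_dst() {
    if [ "$1" = new ]; then
        start=$((300 + $(nth_sunday "$2" 3 2))); end=$((1100 + $(nth_sunday "$2" 11 1)))
    else
        start=$((400 + $(nth_sunday "$2" 4 1))); end=$((1000 + $(last_sunday "$2" 10 31)))
    fi
    day=$(( $3 * 100 + $4 ))
    [ "$day" -ge "$start" ] && [ "$day" -lt "$end" ]
}

# rules_disagree YEAR MONTH DAY -> exit 0 on a date where an unpatched JVM reports the
# wrong offset, i.e. a date worth using for the before/after test.
rules_disagree() {
    if in_dst old "$@"; then o=1; else o=0; fi
    if in_dst new "$@"; then n=1; else n=0; fi
    [ "$o" -ne "$n" ]
}

# Print the 2007 windows in which the old and new rules disagree (end dates exclusive).
y=2007
printf 'spring: %d-03-%02d .. %d-04-%02d (exclusive)\n' "$y" "$(nth_sunday "$y" 3 2)" "$y" "$(nth_sunday "$y" 4 1)"
printf 'fall:   %d-10-%02d .. %d-11-%02d (exclusive)\n' "$y" "$(last_sunday "$y" 10 31)" "$y" "$(nth_sunday "$y" 11 1)"
```

Ask the patched JVM (or a ColdFusion page) for the offset on a date inside one of the printed windows; an answer of standard time there means the update did not take.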

Sun Offers Fixes for Solaris Telnet Worm

The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning of a worm that exploits a vulnerability in the Sun Solaris telnet daemon. The flaw could be exploited to gain unauthorized access to a host using the service. Sun Microsystems has made available a patch and a workaround for the flaw, as well as an inoculation script to disable the telnet daemon and repair changes the worm has made.

Internet Storm Center (published far earlier than most other major organizations): http://isc.sans.org/diary.html?storyid=2316

I would add to this that simply using telnet is a vulnerability, and the patch (which has been available for years) is called SSH.

Stop using telnet! It floors me how often I go to configure a hardware firewall to find that telnet is left open or is the only remote shell available. Stop it!