Technician Error Costs Taxpayers $200,000 and Illustrates Lack of Procedures

I just read an article that illustrates how basic planning and proper implementation of procedures could have saved us taxpayers $200,000.

Source: CNN

A computer technician was reformatting a disk drive at the Alaska Department of Revenue. While doing routine maintenance work, the technician accidentally deleted applicant information for an oil-funded account — one of Alaska residents’ biggest perks — and mistakenly reformatted the backup drive, as well.

There was still hope, until the department discovered its third line of defense had failed: backup tapes were unreadable.

“Nobody panicked, but we instantly went into planning for the worst-case scenario,” said Permanent Fund Dividend Division Director Amy Skow. The computer foul-up last July would end up costing the department more than $200,000.

Now, you may ask: “How could this have been avoided?”

The answers are simple: “separation of privileges” and “regular backup validation”.

In this article it was mentioned that the data contained on the drive was for “an account worth $38 billion”. So for data that is that important and that valuable, why do they only have one backup tape? And if they do only have one backup tape, why wasn’t it validated?

“Separation of privileges” is a security concept that you often see demonstrated in movies when a government is about to launch a rocket into space or a nuke. Either two people have two separate keys to launch, or one person has a key and another a secret code. This is a valuable security concept because it ensures that no single person is responsible for the launch of a nuke.

In this case the technician (most likely ex-technician by now) should have only had file system permissions to either the data drive or the backup drive, but not both.
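The “regular backup validation” half of the answer can be scripted. What follows is an added example, not from the CNN article or from the original post: a routine a cron job could run after every backup that checks the archive against the checksum recorded when it was made, performs a trial restore into a scratch directory, and compares the restored tree with the source. A backup that cannot be restored (the “unreadable tapes” case above) fails the trial restore. Paths, names and the sample data are assumptions; it needs tar, diff and GNU coreutils sha256sum. The separation-of-privileges half is a matter of file system permissions and is not covered here.

```shell
#!/bin/sh
# Added example (not from the post): validate a backup by checksum and trial restore.
set -u

# Make the backup: $1 = source directory, $2 = archive path.
# Records a SHA-256 of the archive in "$2.sha256" for later validation.
make_backup() {
    tar -cf "$2" -C "$1" . || return 1
    sha256sum < "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Validate the backup: $1 = source directory, $2 = archive path.
# Returns 0 only if the archive is present, matches its checksum, restores
# without error and the restored files equal the source byte for byte.
validate_backup() {
    src=$1; archive=$2
    [ -s "$archive" ] || { echo "FAIL: $archive missing or empty"; return 1; }
    want=$(cat "$archive.sha256" 2>/dev/null) || want=""
    have=$(sha256sum < "$archive" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ] || { echo "FAIL: checksum mismatch for $archive"; return 1; }
    # A backup that cannot be restored is not a backup: restore into scratch space.
    scratch=$(mktemp -d) || return 1
    if tar -xf "$archive" -C "$scratch" 2>/dev/null && diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        echo "OK: $archive restores cleanly"
        return 0
    fi
    rm -rf "$scratch"
    echo "FAIL: $archive is unreadable or restores different data"
    return 1
}

# Demo 1: a healthy backup of a constructed data set validates (returns 0).
demo_good_backup() {
    work=$(mktemp -d) || return 1
    mkdir "$work/data" && echo "applicant 1" > "$work/data/a.txt" && echo "applicant 2" > "$work/data/b.txt"
    make_backup "$work/data" "$work/backup.tar" && validate_backup "$work/data" "$work/backup.tar"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Demo 2: an archive damaged after the checksum was taken is rejected.
# Returns 0 when the damage is detected (validation fails), 1 otherwise.
demo_damage_detected() {
    work=$(mktemp -d) || return 1
    mkdir "$work/data" && echo "applicant 1" > "$work/data/a.txt"
    make_backup "$work/data" "$work/backup.tar" || { rm -rf "$work"; return 1; }
    # Overwrite part of the first tar header, simulating a bad block on the tape.
    printf 'XXXXXXXXXXXXXXXX' | dd of="$work/backup.tar" bs=1 seek=100 conv=notrunc 2>/dev/null
    if validate_backup "$work/data" "$work/backup.tar"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"; return 0
}
```

For a real schedule, call make_backup from the backup job and validate_backup from a separate job that runs under an account with read-only access to the archive, so the process that validates the backup cannot also destroy it.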

I thought the U.S. government invented these concepts?  Why is it that they don’t follow them?

I Got a New Job!

I finally decided that it was time to move on to a job, in which all I do is information security. Yesterday I accepted an offer with another department on campus and will be starting in this new role April 16th.

Because MSU uses union titles that don’t describe the specific role, it is difficult to say for certain what my real title would be. Having closely read the job posting, comparing it to other postings on job boards and what I know of InfoSec careers, I would describe it as “Information Security Analyst”.

It will be refreshing to get away from certain aspects of my current job: specifically support. I’m done crawling under people’s desks, thank you.

The best part of this move is that I will be able to devote all of my attention and research to InfoSec.

The whole “job search” process was interesting this time around. I interviewed at MANY different places, for all sorts of security related positions. I turned down a number of offers and had some exciting and interesting opportunities.

The two positions I narrowed it down to are the one I accepted (obviously) and a permanent position as an “Information Assurance Analyst” doing contract work for the Department of Defense. I would have had secret and IT-1 security clearance. It sounded exciting, but I decided that MSU was the best fit.

MSU is a 13-minute commute as opposed to an hour for the DoD, and I can pursue a college degree here at MSU.

Texas County Clerks Want to be Above the Law on Data Privacy

In case you haven’t been following security and privacy related news, last week Texas Attorney General Greg Abbott ruled that exposing SSNs in public documents violates state and federal laws.

To me, this is common sense and good news for the common good of everyone in Texas. Why would you want anyone printing your social security number in a public document? It makes no sense and is outright dangerous.

Now we have this little gem (source: computerworld.com)

The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents “in the ordinary course of business.” […] The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid.

This sounds like a group of people so set in their ways and fearful of change that they are unwilling (or too lazy?) to change operating procedure to comply with the law and the good of the general public.

I’m appalled that the Texas county clerks would ask legislators to exempt them from this law and I am even more disgusted with the fact that the legislators are considering it.

Apparently even the privacy concerns are bigger in Texas.

ColdFusion MX 7 2007 DST Update Instructions on Linux

What I have dubbed Y2k7DST went off (almost) without a hitch. All the hundreds of patched machines seemed to roll over properly… for the most part.

The one thing that completely slipped my mind was ColdFusion. Maybe because I haven’t coded in it in so long or maybe it was because I assumed it got its time hooks from the OS.

In any case, ColdFusion MX 7 needs to have the JVM updated to accommodate the new (<sarcasm> and infinitely wise </sarcasm>) daylight savings time change.

The ‘details’ of this update can be found in Adobe TechNote: d2ab4470

The install instructions are a bit scattered so, because I’m such a nice guy, I have summarized them here for the lazy or uninitiated. These instructions are only what you need to get CFMX7 updated. Because of this you should read the accompanying instructions so you know what you are doing. And as always I take no responsibility if anything mucks up during this process.

ColdFusion MX 7 2007 DST Update Instructions for Linux:

1. SSH to your web server and pull up a root shell or sudo all of the following.
2. Download the TZupdater from java.sun.com
3. Create an account, login or use bugmenot.com to get the file.
4. Because the sunsite uses a special download application, you need to download the patch to your local workstation and scp/ftp the file to your server.
5. Change to the directory you downloaded the tzupdater-1.1.0-2007c.zip to.
6. unzip tzupdater-1.1.0-2007c.zip; cd tzupdater-1.1.0-2007c
7. /opt/coldfusionmx7/bin/coldfusion stop
8. /opt/coldfusionmx7/runtime/jre/bin/java -jar tzupdater.jar -u
9. /opt/coldfusionmx7/bin/coldfusion start

That should be it. Test it to be sure it worked.
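Steps 5 through 9, plus the “test it to be sure” step, as a script with the checks I would want before touching a production JRE. This is an added example, not from the Adobe TechNote or from the original post. The /opt/coldfusionmx7 path and the zip name come from the steps above; the line format of tzupdater’s -V output (“JRE time zone data version: tzdata2007c”) is an assumption about version 1.1.0, so adjust the pattern in jre_tzdata_ok if your copy prints something different.

```shell
#!/bin/sh
# Added example (not from the TechNote): steps 5-9 of the CFMX7 DST update with checks.
set -u

CF_HOME="${CF_HOME:-/opt/coldfusionmx7}"
TZ_ZIP="${TZ_ZIP:-tzupdater-1.1.0-2007c.zip}"

# Directory the zip unpacks into: the archive name without its ".zip" suffix.
tz_dir_from_zip() {
    printf '%s\n' "${1%.zip}"
}

# tzdata version carried by the zip, taken from its name
# ("tzupdater-1.1.0-2007c.zip" -> "2007c").
tzdata_from_zip() {
    d=$(tz_dir_from_zip "$1")
    printf '%s\n' "${d##*-}"
}

# Does the "-V" output of tzupdater say the JRE now carries the wanted data?
# $1 = captured output of "java -jar tzupdater.jar -V", $2 = wanted version.
# Assumed line shape: "JRE time zone data version: tzdata2007c".
jre_tzdata_ok() {
    printf '%s\n' "$1" | grep -q "^JRE time zone data version: tzdata$2"
}

# Preconditions: root shell (step 1), CF install present, zip in cwd (step 5).
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (or via sudo)"; return 1; }
    [ -x "$CF_HOME/bin/coldfusion" ] || { echo "no ColdFusion at $CF_HOME"; return 1; }
    [ -x "$CF_HOME/runtime/jre/bin/java" ] || { echo "no bundled JRE under $CF_HOME"; return 1; }
    [ -f "$TZ_ZIP" ] || { echo "$TZ_ZIP not found in $(pwd)"; return 1; }
}

# Steps 6-9: unpack, stop CF (the JRE's files must not be in use while
# tzupdater rewrites them), update, start CF again, then verify.
apply_update() {
    dir=$(tz_dir_from_zip "$TZ_ZIP")
    want=$(tzdata_from_zip "$TZ_ZIP")
    java="$CF_HOME/runtime/jre/bin/java"
    unzip -oq "$TZ_ZIP" || return 1
    "$CF_HOME/bin/coldfusion" stop || return 1
    if ( cd "$dir" && "$java" -jar tzupdater.jar -u ); then rc=0; else rc=$?; fi
    out=$("$java" -jar "$dir/tzupdater.jar" -V 2>&1 || true)
    "$CF_HOME/bin/coldfusion" start || return 1   # bring CF back whatever happened
    [ "$rc" -eq 0 ] || { echo "tzupdater -u failed (exit $rc)"; return 1; }
    jre_tzdata_ok "$out" "$want" || { echo "JRE still reports old tzdata:"; echo "$out"; return 1; }
    echo "JRE time zone data updated to tzdata$want"
}

# Only run the procedure when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight && apply_update
fi
```

Run it as root from the directory holding the zip with the --run argument. Note that the ColdFusion service is restarted even if tzupdater fails, so a failed update leaves you where you started rather than with the site down.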

Sun Offers Fixes for Solaris Telnet Worm

The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning of a worm that exploits a vulnerability in the Sun Solaris telnet daemon. The flaw could be exploited to gain unauthorized access to a host using the service. Sun Microsystems has made available a patch and a workaround for the flaw, as well as an inoculation script to disable the telnet daemon and repair changes the worm has made.

Internet Storm Center (published far earlier than most other major organizations): http://isc.sans.org/diary.html?storyid=2316

I would have to add to this that simply using telnet is a vulnerability, and the patch (which has been available for years) is called SSH.

Stop using telnet! It floors me how often I go to configure a hardware firewall to find that telnet is left open or is the only remote shell available. Stop it!
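A quick way to catch the “telnet left open” case on your own hosts is to audit the listening sockets. The following is an added example, not from the ISC diary or from the original post: it reads the output of ss -ltn (or netstat -tln), flags a telnet listener on tcp/23, and checks that sshd is on tcp/22 to take its place. The socket listing embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): audit a socket listing for telnet and SSH listeners.

# Print the listening TCP ports found in ss/netstat output, one per line.
# Handles the Local Address forms both tools print ("0.0.0.0:23", "*:22",
# ":::23", "[::]:22"); header lines are skipped.
listening_ports() {
    awk '$1 == "LISTEN" || $1 ~ /^tcp/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break }
    }' | sort -un
}

# Audit stdin (a socket listing). Returns 0 when no telnet listener is found,
# 1 when tcp/23 is open; prints findings either way.
telnet_audit() {
    ports=$(listening_ports)
    status=0
    if printf '%s\n' "$ports" | grep -qx 23; then
        echo "FINDING: telnet (tcp/23) is listening; logins cross the wire in cleartext, retire it"
        status=1
    fi
    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "OK: sshd (tcp/22) is listening; use it instead of telnet"
    else
        echo "WARN: no sshd on tcp/22; enable SSH before you disable telnet or you lock yourself out"
    fi
    return $status
}

# Constructed sample in "ss -ltn" format: SSH and telnet both open.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Run the audit on the sample. Live use: ss -ltn | telnet_audit
demo() {
    printf '%s\n' "$SAMPLE_SS" | telnet_audit
}
```

Because it only reads the socket table, the same check works on a hardware firewall or switch once you have pulled the listing off it; the exit status makes it easy to drop into a monitoring job.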

The 10 Most Hilarious Terms in Information Security

1. Salami attack

What’s it mean?
A salami attack is a series of minor data-security attacks that together result in a larger attack. For example, a fraud activity in a bank where an employee steals a small amount of funds from several accounts can be considered a salami attack. (source: wikipedia)
Why is it so hilarious?
Think SuperMan or Office Space. Now say “Salami attack” aloud and try not to snicker. See, I told you it was funny.

2. Cyberwoozle

What’s it mean?
This refers to the practice of siphoning data from users’ PCs as they surf the ‘net. (source: itsecurity.com)
Why is it so hilarious?
As best as I can remember a woozle is a weasel like creature that was friends with the heffalumps and arch enemy to Winnie the Pooh in the 80’s cartoon series. But this one would be upgraded with mechanized parts. Hence the ‘cyber’ prefix.

3. Smurf Attack

What’s it mean?
The Smurf attack works by spoofing the target address and sending a ping to the broadcast address for a remote network, which results in a large amount of ping replies being sent to the target. (source: sans.org)
Why is it so hilarious?
Call me a child of the 80’s, but this is one attack that I have a hard time taking seriously simply because of its name. It always conjures up images of Gargamel and Smurfette.

4. Sheep Dip

What’s it mean?
A computer that is isolated from a business core network used to screen incoming digital devices. They will often contain multiple malware scanners and egress packet detection. (source: wikipedia)
Why is it so hilarious?
Just picture it in literal terms and try not to laugh. In my head I always see a sheep being lowered into a vat of… something… by a crane with a leather strap holding the sheep up. That’s funny stuff.

5. Oinkmaster

What’s it mean?
A script that will help you update and manage your Snort rules. (source: Oinkmaster site)
Why is it so hilarious?
For starters it has the word oink in it. Call me juvenile, but that’s funny. If you compound oink (the sound a pig makes) with a mastery of it, that’s just downright hilarious.

6. chaffing and winnowing

What’s it mean?
Chaffing and winnowing are dual components of a privacy-enhancement scheme that does not require encryption. The technique consists of adding false packets to a message at the source (sender end of the circuit), and then removing the false packets at the destination (receiver end). The false packets obscure the intended message and render the transmission unintelligible to anyone except authorized recipients. (source: searchsecurity.com)
Why is it so hilarious?
Not a single term, but rather a strange situation in which two terms are tied to a single concept, and both of them are downright hilarious. Chaffing on its own means “To make fun of in a good-natured way; tease.” Good-natured teasing is humor based and… I’m grasping at straws here… besides, it sounds funny.

7. Port Swigger/Burp Suite

What’s it mean?
Burp suite is an integrated platform for attacking web applications (source: portswigger.net)
Why is it so hilarious?
Now this is a project that doesn’t take itself too seriously. It was previously known as Port Swigger, which, I guess, means to rapidly drink a port (or data from a port), and I’m sure Burp needs no explanation.

8. Diffie-Hellman

What’s it mean?
A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography. (source: sans.org)
Why is it so hilarious?
I’d like to immediately apologize to Whitfield and Martin for making light of their last names, but when you combine them it just sounds silly. This is another one that has to be said aloud to be appreciated. Hearing it conjures images of rotten mayonnaise. Maybe I’m just warped.

9. Fuzzing

What’s it mean?
The use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities. Also see “regression testing”. (source: sans.org)
Why is it so hilarious?
Think puppies and kittens with their tickly softness.

10. Honeymonkey

What’s it mean?
Automated system simulating a user browsing websites. The system is typically configured to detect web sites which exploit vulnerabilities in the browser. Also known as Honey Client. (source: sans.org)
Why is it so hilarious?
Monkeys are, by default, funny. They do human things, make funny faces and fling poo. Cover them in honey and you have a sure-fire recipe for hilarity. Try it, you won’t be disappointed.

MacBook Pro Networking Issue

Today while working feverishly I have had my MBP shut down 3 times for no apparent reason. The power adapter is plugged in and I am using the wired ethernet.

The shutdowns occurred when I had wandered away from the machine for a few minutes and was not actively using it. I have no sleep mode set to kick in when the power is plugged in, and the last time it happened was during a 3 minute phone call (I checked my phone to be certain).

About an hour later I lost network connectivity altogether. I checked ipconfig and it was reporting I had a 169.* ethernet address. This is the default when it can’t contact a DHCP server. After renewing my DHCP lease a few times I gave up and rebooted. This did the trick.

On digging through the logs I see this…

kernel[0]: ar5212GetPendingInterrupts: fatal error, ISR_RAC=0x8402c ISR_S2_S=0x10000
kernel[0]: AppleYukon: error – Uncorrectable PCI Express error

Has anyone else experienced this?

I found a couple hits on google but nothing with a definitive resolution.

f00

[Photo: f00 looking out our living room window]

Oh man, she did it again. Every time the Humane Society or Mid-Michigan Cat Rescue have kitties up for adoption at a pet supply store Missy ends up talking me into adopting one.

The last time this happened we got our fuzzy little assassin, Ninja. This time we got a beautiful orange (buff) tiger kitty. I named him f00.

He is adapting to his new environment fairly well. He has thoroughly investigated every room in the house and hasn’t hidden yet. The others still hiss and growl whenever he is around, but they will warm up to him eventually.