Friday, December 7, 2007

Why I Won't Join Facebook

I call it Sneakcon; they call it Beacon. Not much difference there when you find out that websites affiliated with FB were sending your information to your friends on FB despite your having LOGGED out of their site.

How did they figure this out? Well, simple: network monitoring via Wireshark (I saw it on the blog of the original CA researcher who found this activity).

The idea behind Beacon was to send out info on your online habits to your friends on the site. However, soon people started complaining that the surprise element behind their surprise gifts was ruined because the intended recipient got to know of the purchase. Well, that's fine, and you can turn it off, but not even when you're logged off?? Whoa - that's a serious breach of trust in my opinion.

As a reference, see this:
http://www.cio-today.com/story.xhtml?story_id=010000ZKE6WS

So, they track non-users as well - except that they discard the data if it does not include an FB cookie saying it's an FB user - and then even if you are an FB user and even if you'd opted out of the 44 websites that work with FB, your info will STILL be sent, except they won't process it (because you'd opted out). I don't think this is a good idea. It doesn't matter whether you throw away the information or not: if I'm not an FB user you have NO RIGHT to my data. And who's to say the data is REALLY being thrown out? Who audits that?

You should know that you have to opt out ONE BY ONE - not from all of the sites simultaneously. It couldn't be more painful than that. And considering how popular the site is, what if hundreds of companies choose to join the program? You'd have to constantly change your preferences to avoid opting in. It should be the reverse - unless you chose to opt in, nothing about you should be known to anyone.

This is why they are in very serious need of a customer privacy advocate, someone who can dispassionately identify such issues and guide the misguided person that chose to implement it so that people don't start abandoning the site or decide against joining it.

I'm quite sure that many people have decided not to join FB after this fiasco. I know I won't.

Be safe!

Wednesday, November 28, 2007

Don't Go Looking for Trouble...

http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

I thought it was a minimal but visually arresting article - enough information to make sure you don't stumble into the dark areas of the web - or at least know what to look for.

By seeding all sorts of sites (blogs/trackbacks/comments) with their infernal site links they try to fool search engines into listing their URL at the top, or at least at the middle of the search results. Unwary users will no doubt not bother to CHECK the URL before clicking it, and what happens next should not be surprising: a whole lot of popups for installing malware/rootkits/password stealers, and of course, the maddening ads.

Here's my suggestion:
When you search for anything, first make sure you check the URL to see if it's a nonsensical mix of meaningless words. If yes then stay away.
You could also try searching your favorite sites first (such as GPSPassion/Poi-Factory for GPS stuff; ExpertsExchange for technical questions; dpreview for camera questions etc). You get the idea.

Be safe!

Saturday, November 24, 2007

Why Deja Vu May Not be a Good Thing

...in the case of Britain's worst security breach ever -- the loss of 2 CDs containing details of nearly every child in the UK and the bank details of every family.

Somehow it seems astoundingly asinine that a junior-level official would be first permitted charge of this information and then scapegoated when something went wrong. Well, not much of a new thing there, but the really sad part is that a report had warned the govt of improper protocols and the implications of not following proper rules just a few months ago.

You can read about the shamefulness of it here: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms425.xml

Why am I not surprised that most of the core recommendations are completely based on common sense, and that they are not that difficult to follow? I have repeated myself a few times on this blog concerning the same security steps to be taken to protect sensitive information.

How does one combat such breaches? How does one prevent occurrences of such mishaps? Unless those that are involved learn a very harsh lesson it's going to be difficult to expect much by the way of data protection. The other thing is for the masses to wake up to what is essentially the pillaging of the bits and bytes that constitute their lives, and do something about it. Quickly. Very quickly.

You can refer to my previous posts for my thoughts on this disturbingly frequent issue.

Be safe!

Saturday, November 17, 2007

Two Articles to Read on Data Breach

http://www.wane.com/Global/story.asp?S=7370654&nav=menu32_2_11

and then

http://ap.google.com/article/ALeqM5gqGfy6HNMsTyAGUesRe43dQCGsDgD8SV20PO2

And you'll get an idea of how much money is at stake for institutions and companies that deal in (and store) personal data, especially sensitive data.

Be safe!

Monday, November 12, 2007

TOR!

In a somewhat scary 4-page article ( http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html) the author describes how easy, VERY EASY, it is to monitor sensitive, so-called anonymous electronic conversations that were previously thought to be on secure ground - traveling over the "TOR" network.

The use of TOR (http://www.torproject.org), an open source project, helps mask the origin of a user who wants to surf or send/receive data anonymously. However, the most obvious vulnerability of this software - that the endpoint (exit node) of the traffic can be monitored and plaintext, unencrypted data can be easily captured there - was and is not very well understood by users.

The only solution is to use SSL (HTTPS) or end-to-end authentication and encryption (GPG etc.).

Who uses TOR? Lots of people: (apparently) the intelligence community, human rights activists in nations with a less-than-impressive human rights credentials, embassy employees, those that hold sensitive jobs, and, of course, people that want to see (ahem!) objectionable content while hiding behind mangled ones and zeroes.

Further, more than half the people that use it have it misconfigured, which can lead to some undesirable results. In any case, the point is that any software is only as good as its end-user's understanding of it.

It's not the fault of the software that users/promoters allegedly overestimated its value (esp. in terms of anonymity) - as the article says. I looked at TOR out of curiosity back in 2004/5, and found it incredibly slow, so I lost interest. But I do remember thinking this could be a pretty interesting tool for those that want the claws of the Web away from their private data.

Be safe!

Wednesday, October 31, 2007

Worm in the Apple

That a 'progressive' techie company with an admittedly geeky CEO will not protect its customers' best interests and privacy is indeed lamentable. Apple will not accept cash or even its own gift cards for the purchase of an iPhone. I know there are companies that will restrict the number of items sold to an individual buyer - that's fine, you want everyone to get a chance to buy the product - but explicitly forbidding cash and gift card transactions for a particular product is not only very unusual but very shortsighted as well. Let's hope they change their minds and do their part in protecting privacy (each cash-paying customer = one less credit card record to worry about!)
Be safe (and pay cash for the Zune!)
Just kidding, of course :-)

Friday, October 19, 2007

Counter to Intelligence

A top US counterintelligence executive says (http://www.cnn.com/2007/US/10/19/cyber.threats/index.html) that US networks are far too easy to hack into, and that nearly 140 intelligence agencies are trying to get in illegally.

First of all, how do they KNOW it's exactly 140? Maybe it's just the top 5 trying 28 different ways; possible, isn't it?

Top 5 in my opinion? China, Iran, Pakistan, Saudi Arabia, Venezuela.

My wild guesses, needless to say. Most probably I'm wrong, or most probably I'm right. NSA is not talking.

Humor aside, the threat is very real - and not just to the US, of course. The UK has also been reeling under similar threats. I blogged earlier about how China was using its extramilitary agency to do its dirty work. Conveniently, you can then deny any responsibility for a 'renegade' organization's crazy plans. Too convenient.

What are the chances, and what would be the impact/result, of such an action taking an evil course, where the motive is not just to break in and snoop around a little but actually DO something?

Before we get into that, let's see what the current setup is.

a. Security awareness is pathetically low. People can be 'social-engineered' - if you have to Google the term to find out what it means, you're vulnerable already.

b. Security implementation is even worse; people pay very little attention (and respect) to physical security. If you have a sensitive server you want to lock it down OS-wise and physically as well, so nobody can just push a button or disconnect cables.

c. Knowledge of key security concepts is woefully lacking. Most people wouldn't be able to tell you what encryption means (technical answers only).

d. Attitudes are also a problem -- people don't seem to appreciate what it means to be secure and what could happen in a non-secure environment in case of a threat. Further, they tend to treat security as an inconvenience rather than a safety measure (think seat belts in the 60s).

I'd like to stop here with the first part, and proceed to what connectivity means.

Connectivity means you place a call from your cell and turn on your microwave. It means watching a program recorded on a SlingBox-like machine, from across the world. It means paying your local Texas utility bills from Nigeria. It means logging in to work from an airplane. It also means the ability to get into someone else's computer without their permission. And do it anonymously, leaving no traces or leaving confusing, contradictory traffic patterns.

Therefore, when hackers penetrate a network and get into a sensitive machine they have the ability to shut down the entire water supply of, say, LA. They have the ability to shut down entire grids and freeze a country to death in the winter or boil a country alive in the summer. In essence, connectivity is a fantastic enabler of technology-based synergy, and it's also a huge liability when it comes to destructive ideas.

Like a row of dominoes, it's possible to take over all the computers of a company by logging on to the weakest one and going from there. As they say, a chain is only as strong...

What is the current threat level? Answer: VERY high.

Being ultra-secretive by nature, unnamed govt organizations that don't have an abbreviation or an address, whose budgets are unlimited and whose oversight is minimal or nonexistent, but whose responsibility it is to protect the nation's security interests - may not always come clean.

A simple conjecture on my part with no facts: if they bet on security via obfuscation, everyone is in deep trouble. Security gets stronger by spreading knowledge of its existence and not by hiding it.

Consider an example: there are 2 houses, one with an electrified fence that says so boldly outside, and one with an ordinary fence that says "Beware of dog."

Honestly, which one would you pick if you were up to no good? I'd pick the one that says "Beware" because while I don't know what kind of a dog it is, it's a living thing, and all living things are mortal and also vulnerable to temptations of many kinds.

I'd avoid the electrified fence because while it's a known entity, it's also obviously dangerous. There are people that might say - you can cut off the power to the fence but you never know what the dog can do. However, which is easier: hunting for an electrical connection to mess with, or throwing a bone in the direction of the threat?

Anyway, I don't want to extend the example too much, but you get the idea.

In encryption technology, the key is the key and not the algorithm. The algorithm is public but the key is private, much like every home has a lock that is visible to the world but only the owner has the key to it. Therefore, security by obfuscation is a patently insane way to think about protection and safety.

What should the government do?

a. Hire the best security experts - with the highest clearances - and let them run amok. Get them to hack into whatever system they want (read-only activities, please) and document all moves. Identify with their help the best way to stop such threats.

b. Hire white-hat hackers to do the same job in the most unorthodox ways possible - including social engineering - and again identify weak spots and fix them ASAP.

c. Institute STRONG security measures throughout: no USB drives, no portable drives, no cameras, no cell phones, no pagers, no electronic equipment at all in sensitive zones.

d. Implement signal jamming - so that cell phones do not work inside and also no signal (such as keyboard/console emissions) leaves the perimeter.

e. Strong physical controls - use of biometric authentication methods for all systems.

f. Auditing at every level for every phase of the working of the organization.

g. Strong firewalls and private VPNs with absolutely no access to the Internet at any time.

h. Logging of all incoming and outgoing packets for disassembly and analysis later on.

i. Forbid the idea of the remote office (no 'working from home' business).

j. No laptops - and if any are issued, with self-destructing and beaconing software, with AES 256 or higher (it's the govt - they're bound to have the best already, unreleased) encryption.

k. All desktops completely encrypted; all internal network communication also encrypted.

l. Use of client certificates to be enforced.

m. Multifactor authentication at remote sites also - syncing with the mothership for every change within a few seconds for maximum protection

n. Logging of all login/logout/download activities and cross-check immediately with employee if they are indeed performing this operation

o. Quadruple existing security budget, hire the best and pay them very well

p. Bonus based not just on performance but security proficiency and level of the department

q. Continual training on the latest threats, hacking methods, and countermeasures

r. Punish any lapse immediately, with severity going up exponentially with each recurring lapse (first probation, second suspension, third termination)

s. Reward good security practices by recognizing the person, and publicize as much as possible

t. Random deep-dive audits

u. Keep all software patched (incl and esp OS), and ban all external, uncertified software (glue up the CDROM, USB, and floppy drives if they exist)

v. Keep a record of all software deployments and have a plan B and a plan C in case deployment fails or a problem is found and so on.

I really doubt that foreign agencies will stop trying, and I really doubt the US is keeping quiet, either. I'm sure it's checking out the checkers as soon as it detects any penetration attempt and maybe does so even proactively.

Ultimately, security is not just about installing the latest patches or using the latest encryption techniques (like Quantum encryption methods used in Sweden for voting integrity), but it's about a mindset; it's an attitude that asks fearlessly, "What's the risk in doing this and how can it be done in a more secure way"?

Be safe!

Wednesday, October 10, 2007

TxDOT's Dumb Move

Spying on Motorists?
http://www.khou.com/topstories/stories/khou071010_jj_txdothiddencameras.158456566.html

It is one thing to send out surveys based on rough demographics, but it's totally another to send out surveys based on SPYING on your movements; and then have the gall to ask why you were where you were, and what your ultimate destination was.

In an ill-conceived move, TxDOT spied on motorists by taking pictures of their license plates, then mailed out surveys asking the recipients about their trip. Who cleared this idiotic project, which cost nearly $800K?

Apparently this has been going on for some time in other states; I wonder why nobody said anything. There is no information on what they'd do with the data (other than "plan" for the future in terms of highway construction and traffic patterns). How long is this data going to be stored, who will have access to it, and most importantly, what ELSE are they planning on doing with it (in the future)?

Is this information subject to discovery in case of a lawsuit against one of the travelers? What liability does TxDOT expose itself - and the travelers - to in implementing such projects?

It's obviously not sufficient that Houston has a ton of red-light cameras, cameras on streets, in malls - well, everywhere, but this particular move is more Orwellian than anything else I've heard. In my opinion this is a serious breach of privacy, even though the cars were traversing public streets. How many people do you identify based on their license plates? Either you know them or you don't.

Figuring out people's identities based on their license plates, then sending them surveys asking them about their travel that day: this constitutes nothing but a blatant disregard for privacy and security of an individual's lifestyle and movements within the country.

I strongly feel they should immediately stop any current project and scrap all future ones, destroy all data obtained via stealthy photography (The cameras were hidden inside orange drums!) and surveys, and finally APOLOGIZE to everyone that was affected.

I am not saying that the govt should stop surveying people for information on how best to plan future highways, but the methods can be easily much more civilized and respectful than the one being used right now.

Be safe!

McAfee to Acquire SafeBoot

In a perfect fit, McAfee has announced its intent to acquire SafeBoot. SafeBoot provides encryption technologies that apply to end-users. Using this software, enterprises can mandate that all files/folders be encrypted on all machines, including fileservers.

As the risk of data loss via theft grows higher by the day (driven by the reduction in the size of computing leading to ultra-high mobility but in a highly insecure environment more than anything else), it's becoming more and more urgent for companies handling sensitive data to protect the users whose data it holds.

As the many headlines scream about how large companies are getting clumsier with their data, a movement among both users as well as the govt policy makers is gaining ground to punish such companies whenever they lose data on account of insufficient security, negligence, internal fraud, lack of audit control etc.

One other motivator for organizations to implement data encryption on all machines is that even in case of data loss, a disclosure to the effect is not needed as long as the data was encrypted. This can help them save face while they try to track the miscreants.

There are many companies offering solutions for disk encryption (including Microsoft, of course), but the differentiator will be not only cost but also ease of use. The harder a piece of software is to use, the more likely it'll become shelfware.

McAfee has a great advantage here - its products are transparent to its users, and a deployment of its encryption solution could be made easily painless using its ePolicyOrchestrator software.
Overall, this is a very good purchase because the market for such solutions is not only nascent and growing, but the growth is expected to surge as more and more companies decide to go for data protection on all of their systems - both mobile (laptops, PDAs, mobile phones etc) as well as stationary (desktops, fileservers, storage systems, database servers etc).

Be safe!

Monday, October 8, 2007

Google and DoubleClick

In a very interesting article, Jeffrey Chester (http://www.alternet.org/story/64214/?page=1) goes over how Google's well-publicized intent to buy DoubleClick could have serious ramifications for an individual's privacy, especially if that individual uses the web a lot: from random surfing to online shopping to playing online games to using sites such as Facebook/MySpace etc.

Consolidation: Impact on News Coverage
-------------------------------------------

Mr. Chester raises the specter of a few large conglomerates controlling not just 'benign' online content (such as 'fun, entertainment' sites) but also the 'serious' sites, such as those that deliver the news. That ideally should concern everyone - not just netizens - because online news in the near future will overtake physical media (such as newspapers, magazines) as the most common/popular way of getting to know what's going on around the world.

It's certainly not unusual for news channels to have a specific philosophy (politically), and the way they portray world events very strongly suggests that partisanship overrides any semblance of the truth. When such media are not large or do not have high penetration levels, they are usually ignored. However, it's when they become pervasive (via ownership of multiple channels) or become the only entities that have the breadth to cover large areas that they start to raise alarms. Unfortunately, by that time it'd be too late to do anything about it. Media behemoths could simply crowd out the smaller, independent channels using money power, advertising prowess, political connections, and lobbying for favorable laws (lobbying costs huge sums of money, something which smaller channels do not have).

Data Aggregation: Impact on Privacy
-----------------------------------------
The thought that a computer somewhere knows your 'secrets' and is quite capable of creating a psychological profile based simply on your mouse clicks and the places you visit on the web should be unnerving, but it's not to most people that use the web. And why would that be?
Simple: Lack of knowledge, education, and curiosity about how things work. As long as you're fed your daily fix of the news (Infotainment, really; when did you last see hard news on TV?), you're happy and satisfied. Why unnecessarily take the trouble to figure out WHY you read WHAT you read!

Imagine if your neighbor came to know your deepest, darkest secrets; even what you think about or are capable of thinking about (Minority Report, anyone?) - would that be a source of unease/concern to you? It should be if it's not already. Now imagine if millions of computers (and very likely thousands of people) know about what you clicked, your intent in doing so, and maybe even what you'd do next - and why. Again, something to worry about when you can't sleep at night.

Combine Google's power of serving advertising to nearly all (including physical) media with its knowledge (thanks to DoubleClick) of your exact behavior when you are online. If you cannot see what's coming, you need a stinging splash of cold water on your face.

The next step, in my opinion, will be the creation of something like a 'life-model' - a model that constitutes EVERYTHING that is you, for EVERYONE on this planet, and this model will keep growing in intelligence and get closer to the real you with every click of your mouse and every tap of your keyboard. By now the reference to 'Big Brother' is redundant. Google is already on your computer via its toolbar and search utility, and it's also in your office via its web-based productivity software. It knows about your pictures - via Picasa, about your outpourings on any and all topics - via Blogger, your search patterns - via its all-powerful search engine...and so on.

This information is WAY more than enough to construct a halfway-decent model of you (powered by a well-populated database, which GOOG already has, and data mining software, which is not rocket science). So, as it stands today, GOOG knows more about you than anyone else (assuming you use Google services frequently), and DoubleClick is going to help it connect the dots where the data is patchy or missing. Of course, this is not to say that other companies do not have the dirt on you -- they do. Any search engine website that you use is perfectly capable of storing such information on you forever.

I am not one for conspiracy theories, but recent developments involving large companies (such as News Corp's acquisition of MySpace, the rumored - potential - investment in FaceBook by MS, rapid buyouts by GOOG of various tech companies, YAHOO's purchase of Zimbra, MSNBC's purchase of NewsVine etc etc etc) have me thinking about the eventual direction of everything that makes up the Web, the most visible part of the Internet.

Yes, it's true that smaller companies will either go under or get bought, and that as large companies become slower at innovating as time goes on, they must purchase new technology outright, mainly from small companies, since those are much more nimble and not restricted by any shareholder or investor pressures.

This wave of consolidation, fueled by - among other factors - a most favorable market where:

* interest rates were/are low,
* intense competition raged (and still rages) to capture eyeballs and dollars,
* money velocity was high,
* shareholders didn't care as long as their holdings appreciated,
* governments have been revolving doors for bureaucrats-turned-lobbyists,
* apathy and lack of concern by the general masses reigned supreme,
* lawmakers, some of whom in my personal opinion may not be very tech-savvy, create unsound tech-related laws that affect us profoundly,
* lawmakers, some of whom in my personal opinion are beholden to corporate interests, do right by them and hurt the general public,
* and, the leaps in technological accomplishments far outstrip any little jumps in laws serving to keep their uses legal and legitimate

will change the direction of how we view the world, and how the world will view itself - and maybe how the world will develop, too.

My first concern (as is the author's) is not only that the pipeline of news will be controlled by a handful of corporate monsters dedicated to making profits and keeping investors sated, but also the idea that the news can also be easily MANIPULATED by the same guys. If you have but one source, how will you verify what you see?

In the ancient Indian Scriptures - the Vedas - it's said that doubts should be/can be cleared via either your Guru (the spiritual master), a Sadhu (a learned person who's not your Spiritual Master), or the ultimate authority - the Scriptures themselves. That way a doubting mind can make sure it's free of all doubts when/before it learns something new.

In these times, the ultimate authority is missing, and the rest don't even matter since they're tainted by their bias and assorted illicit relationships. Where's a truth-seeking person to go!

My second concern stems from the privacy aspect. SO MUCH information in SO VERY FEW hands is a great cause for worry. As the cliche goes - Power corrupts...It's not that these data brokers and analysts WILL misuse the data (of course, they easily could) but that hackers and criminals will truly rejoice: it'd be like a pack of bank robbers in an unguarded bank. I am not saying that these monstrosities will leave their data unprotected, but that the temptation is extremely high to hit once, hit hard, and spirit away as many GBs of data as possible. Needless to say, every record that's stolen could cause a new case of identity theft, blackmail, or worse crimes.

More likely than not, the threat will come from insiders rather than complete strangers. Therefore, extremely strict rules and policies should be enforced when it comes to handling sensitive information, and very severe penalties should be levied both by the company on the employee and by the govt on the company.

My appeal to the government would be that they should step in, investigate ALL such deals (targeting any one company for political reasons would be most deplorable), and evaluate:
* the types of data being collected,
* the big picture when all data are combined,
* and finally the impact on users if such data were stolen.

Further, there's a desperate need for stronger consumer protection laws against misuse and abuse of such sensitive information both by the holders of the data as well as by hackers.
I'd urge the government to institute a technically adept panel (with no members having any vested interest in seeing results go a specific way) to research the data aggregation and advertising industry, and recommend reforms and strategies to protect users from this stealthy onslaught of the information merchants.

Be safe!

Friday, October 5, 2007

DomainKeys

Recent news has YAHOO and eBay (among many others, I'm sure) announcing that they will now use DomainKeys to counter phishing and other such scams.

DomainKeys, a technology developed by YAHOO, is based on PKI. When a mail server implements DK technology, all of its validated outgoing messages are signed with the private key of a public-private keypair, and the public key is published in the domain's DNS.

The receiver, if DK-aware, will check the DNS, extract the public key and then validate the message as genuinely coming from the sender. If the keys do not match or if the DNS does not have the keys, then the message can be dropped. Combined with whitelists, and maybe other technologies such as SPF, CSV etc., it will be possible to cut spam.

It is always possible that spammers will sign their messages using DK, but then they cannot hide themselves and can be easily traced. On the other hand if they do not sign their message then it's likely their messages can be dropped (assuming all mailservers/ISPs go to DK eventually).

DK is backward compatible, so it won't break existing systems. One other thing that DK ensures - other than non-repudiation - is integrity. That's because the message body is signed, and if the receiver detects that the message has changed (by comparing the hash *of* the message to the hash *in* the message header) it can flag/drop it.

There are some concerns with DK -- it won't stop SPAM, it will simply help in determining the sender of the SPAM. Secondly, it can be exploited for message replay abuse: a validly signed message can be re-sent by someone else, and that can damage the reputation of a valid sender. That's where technologies such as SPF can help.
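The sign-on-send / look-up-and-verify flow described above, reduced to its essentials, as an added example (not Yahoo's DomainKeys code, and not the real wire format): the "DNS" is an in-memory map standing in for the TXT record, only the body is signed (real DK also covers headers and canonicalizes the body), and the domain name and message text are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Verdict is what a DK-aware receiving server decides about one message.
type Verdict string

const (
	Pass     Verdict = "pass"     // signature valid and body unchanged
	Fail     Verdict = "fail"     // key found, but signature or body hash does not match
	NoKey    Verdict = "no-key"   // sending domain publishes no key in DNS
	Unsigned Verdict = "unsigned" // message carries no signature at all
)

// Message is a simplified mail: only the fields this check needs (constructed).
type Message struct {
	From      string // sending domain, e.g. "example.test" (hypothetical)
	Body      string
	Signature string // base64 RSA signature over SHA-256(body); empty if unsigned
}

// dnsKeys stands in for the DNS TXT records real DomainKeys uses; it is a stub
// so the example runs offline.
var dnsKeys = map[string]*rsa.PublicKey{}

// NewKey generates the sending domain's keypair (2048-bit RSA, chosen for the demo).
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Publish places a domain's public key where receivers will look it up.
func Publish(domain string, pub *rsa.PublicKey) {
	dnsKeys[domain] = pub
}

// bodyHash is the hash the sender signs and the receiver recomputes.
// Trimming trailing whitespace is a minimal stand-in for DK body canonicalization.
func bodyHash(body string) []byte {
	h := sha256.Sum256([]byte(strings.TrimRight(body, " \r\n\t")))
	return h[:]
}

// Sign is the outgoing-server side: sign the body hash with the private key.
func Sign(priv *rsa.PrivateKey, from, body string) (Message, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, bodyHash(body))
	if err != nil {
		return Message{}, err
	}
	return Message{From: from, Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify is the receiving side: fetch the sender's key from "DNS", recompute the
// body hash and check the signature. A changed body or a domain with no key fails.
func Verify(m Message) Verdict {
	if m.Signature == "" {
		return Unsigned
	}
	pub, ok := dnsKeys[m.From]
	if !ok {
		return NoKey
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return Fail
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, bodyHash(m.Body), sig); err != nil {
		return Fail
	}
	return Pass
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	Publish("example.test", &priv.PublicKey)

	msg, err := Sign(priv, "example.test", "Your order has shipped.\r\n")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:  ", Verify(msg))

	tampered := msg // same signature, body altered in transit
	tampered.Body = "Your order has shipped. Log in here to confirm your card.\r\n"
	fmt.Println("tampered: ", Verify(tampered))

	spoofed := msg // signature copied, but the claimed domain has no DNS key
	spoofed.From = "no-such-sender.test"
	fmt.Println("spoofed:  ", Verify(spoofed))

	fmt.Println("unsigned: ", Verify(Message{From: "example.test", Body: "hello"}))
}
```

Note that the replay concern from the paragraph above is visible here too: the genuine message verifies as `pass` no matter who re-sends it, which is why the post points to SPF as a complement.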

In any case, this is a good beginning and much more publicity is needed for this nearly 3-year-old technology.

Be safe!

Monday, October 1, 2007

GAP in Data; New Algorithm to Keep 'em Guessing...

Two things caught my eye(s) today.

a. News that a third-party vendor of GAP had a laptop stolen; it contained personal details of almost 800,000 job applicants. No, my fingers did not hit too many zeroes. Really: 800,000.
Read it here: http://deseretnews.com/article/1,5143,695214147,00.html

Further, to make things worse, the data were not encrypted - contrary to the contract. Yes, good old plaintext so that even a 5-year-old can learn the numbers from 1 thru 800,000. There's that pesky number again!

Not sure how many times I've noted on this blog about the importance of encrypting disk drives, but I'm sure unless there's mass action against careless and negligent data owners not much will come out of any amount of outrage.

b. LAX is utilizing a thesis by a USC Ph.D. student Praveen Paruchuri to randomize vehicle inspection schedules and locations.
http://www.latimes.com/technology/la-me-airport1oct01,1,5185510.story?coll=la-headlines-technology

The thesis studied the impact of random police patrol schedules on home burglaries, and similar logic is being put to use to contain/check terrorism. The idea is that terrorists will have no dependable or predictable way of knowing when the next check will occur, or more importantly, where it will occur. Definitely one way to keep them guessing, but without human intelligence, all of this can easily come to nought.

It is my strong opinion that no technology or innovation can replace simple, direct human intelligence (or 'humint'). If you have ever read up on how Israel guards her airports, one thing you'll note is that the commandos are also expert psychologists, trained very highly in the art of reading posture, body language, gait, eye movements etc. Essentially the human element is brought in a frank manner, and any suspect is sure to know he's being watched. That'll only make him/her more self-conscious, rendering the task of catching them easier. Needless to say, Israel also supposedly deploys a lot of 'regular-looking' experts so they can observe people more inconspicuously. Easier looking at a person than the business end of a machine gun, no?

Needless to say, nobody's belittling the fantastic effort from this student, but one should also get priorities right in terms of what works (well). People affect people more than technology can ever hope.
Example -- What would a hypothetical terrorist be more wary of and seek to avoid: a strict-looking police officer or a camera that reads faces and does biometric analysis? No question - both are terribly important in these times and are quite indispensable in preventing 9/11s, but then each has its own place, and say what you will - the flesh-and-blood person in uniform is infinitely more unnerving than a whirring lens.

Be safe!

Friday, September 21, 2007

More on eVoting (DRE Machines)

I just finished reading a document written by one Daniel Castro at ITIF (http://www.innovationpolicy.org/), a think-tank. When you hear the phrase "think-tank" two questions should spring to mind before you can trust whatever the organization has put out:
a. Who's behind it?
b. What's their agenda?

In this case, ITIF seems to be very industry-friendly sometimes (http://www.itif.org/index.php?id=76) and somewhat neutral or even unfavorable at other times (http://www.itif.org/index.php?id=56).

Read through the website to get a flavor of what they do and what they're about. It does appear they are non-partisan to some extent, but it's going to be hard to guess without knowing who funds them.

This particular post deals with a 'paper' written by Daniel Castro about the use of paper audits during voting (on DRE machines, or Direct Recording Electronic machines). Curiously, he seems very much against it.

A good section of the document deals with the problems of paper ballots (when he should be discussing problems with paper audits). The document lists a couple of DRE concepts that could be applied for audit purposes, but somehow seems dead set against a paper printout.

One argument is that it'd be less secure. In my opinion, NOT having a receipt would be totally insecure. Would you like to do without your bank statement? Would you like to blindly deposit and spend money not knowing what's going on? I thought so.

Much the same way, a voter MUST know if his vote was recorded (he may not know if it was tallied, but the document has a section that deals with it quite well) and he must be able to store that receipt for reference.

The author also seems against disclosure of source code, arguing (disingenuously) that not only the system's code but also any third-party software code as well as OS code would have to be distributed. I've read about many issues relating to Diebold's source code for one of their systems (http://avirubin.com/vote/analysis/index.html) so the author's argument is dangerous in that sense.

Some redeeming features of the article:
a. It does seek some sort of auditing
b. It proposes interesting new concepts to deal with eVoting issues (mainly tallying and verification)
c. It advocates a favorable outlook to companies that disclose their source code

However, the way the paper tackles (condescendingly) those that are FOR a paper audit is childish, amateurish, and completely runs against what the tone of such a paper should be (at least a little scholarly, IMHO).

Overall, I'd simply ignore this document (See this: http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070920005900&newsLang=en) -- especially because of this (extract from the above link):

About the Election Technology Council (www.electiontech.org)
The Election Technology Council (ETC) consists of companies that offer voting system technology hardware products, software and services to support the electoral process. The ETC represents manufacturers of the voting equipment used by over 90% of the population in the United States. These companies have organized as an industry trade association to work together to address common issues facing the industry. Membership in the ETC is open to any company in the election systems marketplace. Current members of the Election Technology Council include Election Systems & Software, Hart InterCivic, Premier Election Solutions and Sequoia Voting Systems.

Also, see my post here:
http://threeheadeddog.blogspot.com/2007/07/review-of-electronic-voting-systems.html

My view is this: People DESERVE to
  • have a record of whom they voted for (verification/validation of vote)
  • know their vote counted (verification/validation of local tally)
  • feel satisfied that the total vote count reflects their decision/will with 100% accuracy (verification/validation of overall tally)

You can ensure the first by giving a paper copy of their vote (can be/should be anonymized - should have no tracking or identifiable information).

You can ensure the second by having a release of the total count from each machine for each county, along with audit verification by a third party - not the govt, not the officers of the electoral system, not a private company. How about the UN? :-)

You can ensure the third by repeating the above for the entire system (here the author introduces the use(fulness) of homomorphic cryptography - a good idea, I think, with the use of, ironically enough, paper)
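The homomorphic tallying idea mentioned here, as an added example (mine, not from Castro's paper): ballots are encrypted with the Paillier cryptosystem, whose ciphertexts can be multiplied to obtain an encryption of the sum, so the tallying authority decrypts only the total and never an individual vote. The two primes are small fixed demo values chosen here for reproducibility; real keys use primes of roughly 1024 bits each:

```python
import math
import secrets

# Constructed demo key (not from the paper): fixed primes so the run is reproducible.
P = 1_000_000_007
Q = 998_244_353
N = P * Q                  # public modulus
N2 = N * N
G = N + 1                  # standard generator choice for Paillier
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1), private

def _L(u: int) -> int:
    return (u - 1) // N

MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)                 # private decryption constant

def encrypt(vote: int, n: int = N) -> int:
    """Paillier encryption of one ballot (0 = no, 1 = yes) under public key (n, n+1).
    A fresh random r makes two encryptions of the same vote look unrelated."""
    if vote not in (0, 1):
        raise ValueError("a ballot encodes exactly one of 0 or 1")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, vote, n2) * pow(r, n, n2)) % n2

def decrypt(c: int) -> int:
    """Private-key decryption; only the tallying authority holds LAMBDA and MU."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N

def homomorphic_tally(ciphertexts) -> int:
    """Multiply the ciphertexts: the product decrypts to the SUM of the plaintext votes,
    so whoever computes this learns nothing about any single ballot."""
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % N2
    return acc

def run_election(votes) -> int:
    ballots = [encrypt(v) for v in votes]   # each voter encrypts locally
    sealed = homomorphic_tally(ballots)     # anyone (observers included) can compute this
    return decrypt(sealed)                  # only the authority can open the total
```

run_election([1, 0, 1, 1, 0]) returns 3. What this scheme does not give you is the audit trail the rest of the post argues for: a voter still needs evidence that their ciphertext is the one that entered the product, which is precisely where a paper record fits.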

In conclusion, I wouldn't listen to any such so-called "think-tanks" or "policy centers" -- especially those that start with "Americans for" or have the words "Institute" or "Center" in them.
I'd listen to the people.

Start by asking sane questions, and you will get surprisingly clear, smart, and highly implementable suggestions.
  • What are you comfortable with using?
  • Do you trust this voting system? What if we can show independent proof of how this works?
  • Do you have any better ideas?
  • How would YOU do it?
  • What problems do you face with DRE machines or mechanical systems?
  • What can we do to make sure we earn your trust in accepting the outcome of an election?
Grassroots organizations can help, too.
  • Initiate focus groups to determine how to make the system simple, easy, and trustworthy
  • Get communities involved (especially in depressed localities) in advocating the need for participation in the effort -- and to enhance turnout for the big event
  • Initiate training and education throughout the nation (will help in removing doubts, suspicions and misconceptions; with the added bonus that you may get some excellent user-centered design ideas)
And a non-partisan election commission should:

  • Make sure all machines pass a complete software (source code) test by a third-party validation agency (staffed by non-partisan scientists and researchers)
  • Perform all manner of intrusion and hacking (physical, electronic, electrical, remote) to gauge the security of the product
  • Assess all existing vulnerabilities and assign strict deadlines to fix the issues, then perform 100% regression testing
  • MAKE ALL RESULTS PUBLIC - the process should be totally transparent and auditable/verifiable by any interested parties

Be safe!

Monday, September 17, 2007

VMWare Security

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1257101_idx1,00.html

In a pretty detailed article, the author discusses various aspects relating to VMWare security. According to the article it's possible for malware to jump between VM instances and therefore the 'isolation' that's promised between the individual instances may not hold all the time.

Further, it's also possible for malware and other such nasty attack-kits to exist at the actual OS level - below the VM level. In that case the isolation would not matter. With a well-crafted attack it should also be possible for the VM instances to break their boundaries and jump to - and infect - other instances too.

Apart from this, the sheer complexity of the setup makes admins reluctant to change security settings away from the defaults. I can't say that's a bad argument - with new technologies it's always going to be difficult to manipulate things until they become more popular - more mainstream. Until such time people are going to be quite uncomfortable changing settings on production (mission-critical) systems.

There's also an interesting discussion on group policies and how they can be rendered ineffective by simply bringing on a new VM on the network - making the group policies (that can make it difficult or impossible to start new VMs or modify existing VMs on a given host OS) quite irrelevant.
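One way to catch that scenario from the network side (a VM that shows up without going through the host's policy controls), as an added example that is mine and not from the article: compare DHCP lease records against an inventory of approved VMs, using the OUI prefixes VMware assigns to virtual NICs. The log lines, addresses, hostnames and the inventory are all constructed:

```python
import re

# OUI (first three octets) prefixes VMware registers for virtual NICs. This is a
# heuristic only: a MAC address can be set by hand, so a miss proves nothing.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Constructed ISC-dhcpd-style lease lines (not from the article).
DHCP_LOG = """\
Sep 17 09:12:01 gw dhcpd: DHCPACK on 10.0.5.21 to 00:1a:a0:11:22:33 (fileserver) via eth0
Sep 17 09:12:44 gw dhcpd: DHCPACK on 10.0.5.77 to 00:0c:29:ab:cd:ef (build-vm-03) via eth0
Sep 17 09:13:10 gw dhcpd: DHCPACK on 10.0.5.90 to 00:50:56:9a:01:02 via eth0
Sep 17 09:14:02 gw dhcpd: DHCPACK on 10.0.5.91 to 00:0C:29:DE:AD:01 (test-box) via eth0
"""

# Inventory of VMs that went through the host-level approval/policy process (constructed).
APPROVED_VM_MACS = {"00:0c:29:ab:cd:ef"}

LEASE_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: \((\S+)\))?", re.I)

def parse_leases(log_text):
    """Yield one record per DHCPACK line: ip, lower-cased mac, hostname if offered."""
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield {"ip": m.group(1), "mac": m.group(2).lower(), "host": m.group(3) or "<none>"}

def is_vmware_nic(mac: str) -> bool:
    return mac[:8] in VMWARE_OUIS

def find_unapproved_vms(log_text=DHCP_LOG, approved=APPROVED_VM_MACS):
    """VMware-looking NICs that obtained a lease but are not in the approved inventory."""
    return [rec for rec in parse_leases(log_text)
            if is_vmware_nic(rec["mac"]) and rec["mac"] not in approved]
```

find_unapproved_vms() flags 10.0.5.90 and 10.0.5.91. Treat a hit as a trigger for a host-level check, not as proof; the point is that a policy enforced only on the host has no view of the network, so something on the network has to watch for what the host policy was supposed to prevent.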

The article is definitely worth a read.

Be safe!

Monday, September 10, 2007

Further Misadventures in Hacking

It gets curioser and curioser: New Zealand is the latest country to report that 'foreign' governments have been trying to hack into/infiltrate/penetrate their intelligence bureau's computers, and succeeded in many instances.
http://www.stuff.co.nz/4197227a10.html

While they do not directly name the country/countries, the suspects look very much like China and/or Russia. China has been accused many times (under veiled references) of the same crime by the US, UK, and Germany. However, none of this really made any headlines here in the US much, sadly.

But one thing that should catch one's eyes is a recent report that a couple of hackers (allegedly sponsored by the military) in China have devised devious plans on how to counter US air carriers (sabotage them). One can see why this may be the case: US can only reach China (and vice-versa) using ICBMs, or if they were to go at each other via Taiwan, the hapless little mouse caught in between the subtly warring elephants, via the existing launch sites. Every time one of them makes threatening noises, I'm sure the little mouse makes multiple bathroom trips.

The key to this seems to be diplomacy to some extent, but probably coupled with other tactics such as strong protests, sanctions, trade restrictions, higher import taxes, and restricted protectionism.
One must remember that no country lives in a vacuum (unless you're North Korea, and even then you need to depend on someone - like South Korea), and therefore any strong or semi-strong steps will have at least some repercussions (stronger steps = stronger blowbacks).

China holds a huge amount of our treasury bills; and even a rumored attempt at getting rid of them would decimate the US economy. But that'd also affect China directly where it hurts. Her people would rebel out of hunger and shortages caused by the sanctions and other acts, which is what the Republic wants least. And therefore because these two mistrustful global leaders have decided to bond in this very uncomfortable relationship of business partners, a give-and-take deal MUST exist.

No amount of sabre-rattling is going to resolve this; and no amount of weapons-pointing at each other will make things better (there can't be a war since neither China and USA - nor the world - can afford one), but such actions do send a very bad message to people around the globe that want to see stability from the superpower(s) - desperately. Not to mention the impact on the world economy, which is not in the best of shapes.

None of this means that such despicable acts allegedly sponsored by the Chinese govt should be ignored - to the contrary the US govt owes its citizens at least this much: A strong protest to the leaders of China mingled with no-nonsense steps that the US would be forced to undertake if such actions were not stopped immediately - AND PERMANENTLY, unless in a state of war, when no such rules will apply or be followed/obeyed.

With the Olympics coming soon, let's hope China is forced to clean up its act - at least for the time being. Stopping its taxi drivers from spitting on passers-by and passengers is not enough - it should stop its out-of-control military personnel from trying to spit at people across the blue.

Be safe!
Sesh

Thursday, September 6, 2007

The Monster Inside Monster.com

I'm sure many of you are aware by now of the data breach at monster.com, which not only affects monster.com users, but also the subsidiary that serves the military, called Military Advantage. Also affected was usajobs.gov (I think I got that right).

As of yesterday Monster could not figure out the extent of the breach and the depth of the data theft (meaning, what kind of data - how granular). But it does appear that names, email addresses, and other such common information were uploaded to a rogue server, which M.com shut down once they figured out where the siphoned-off info was actually going.

They are not able to trace the hackers yet, but I'm sure they're working on it. I'd say they better get the NSA and other such people involved - that's the only way to use the government's brute power to get to the bottom of this mess.

How does this affect most people? One of the main, potentially dangerous, ramifications is that users may be subject to blackmail. Not only that, but knowing most details about a user, including possibly home address, the hackers could initiate the infamous 'Hit Man' scam, where random people got mail that they're on a hit list and if they didn't send a certain amount they'd be killed. Very few people fell for it (from those who actually came forward to report the embarrassing incident) but I'm quite sure a significant majority kept quiet.

So, the same thing could happen here; think about the millions of records that were probably taken, and if you assume that only 1% responded to the blackmail, that's still a very large amount of money for the taking.

Where does the responsibility lie in this case? No question at all -- it's with the CISO if there is one; if not, the COO and CTO.

It's really remarkable that a company such as M.com, which has the trust of millions of job seekers, could not figure out the problem early enough, which would have saved a whole bunch of people a whole bunch of problems.

You also have fake employers posting ads wanting people and then scamming money out of the gullible, or even the street-smart ones. I don't want to sound as if M.com is not a good place to further one's career interests, but I'm still a firm believer in networking - PHYSICAL, human networking.

You know why bin Laden has still not been caught? Lack of humint (human intelligence), that's why. I was reading a very nice article on Newsweek that talked about the hunt for this insanely elusive mass-murderer, and they cited how he uses money as well as punishment (the old carrot-and-stick approach) to get his way and evade the technological might of the most powerful nation in the world.

What does this have to do with data breach? Well, who commits these acts? Not a self-learning, self-aware machine like HAL in 2001: A Space Odyssey (although that's not difficult to do), but HUMANS. It's people like you, like me, like us, who indulge in such nasty acts of damage and destruction.

It's impossible to prevent it (just read about the most current hacking controversy, that China's military is behind the hacking of Pentagon - and UK military's - computers). In this age, data is king; but information is the emperor. Getting random bits and bytes won't accomplish much, but it's the intelligence that puts those bits and bytes together that causes the real damage to the data ecosystem.

Certainly, precautions MUST be taken. All kinds of anti-hacking software should be installed, and users (usually the weakest link) MUST be educated in depth. I've repeatedly stressed the power of education on this blog, but I'm sure nobody at such data-sensitive companies including the government - neither management nor employees - take it seriously. You cannot change such a mindset overnight, but you can certainly take a stab at it.

How?

a. Hire white-hat hackers (Especially a Certified Ethical Hacker) so they can form tiger teams to hunt down vulnerabilities (remember Kevin Mitnick?)

b. Perform vulnerability scans as often as possible

c. Keep AV/Anti Spam/Anti Malware etc software updated to the latest version

d. Educate, educate, educate your employees and raise their awareness to the imminent threat that is the WWW

e. Isolate weak machines (those with vulnerabilities and either fix them or take them down)

f. Have an internal email system and an external system, so even if the external is compromised (which at some point it will) it won't shut the company communications down. There should be a clear demarcation between the two, and they should NEVER mix

I could go on forever, but I need to stop before this becomes more than a blog and ends up a novella!

Be safe!

Friday, August 31, 2007

SONY's Latest Screwup

Which one, you ask.
This one has to do with another (yes, another!) rootkit problem. And it has to do with, ironically enough, their secure USB stick. How in the world, after learning a very bitter lesson with their idiotic DRM rootkit 'protection', SONY can create another fine mess is beyond me.

I really think they need a rethink on how they approach security, be it authentication via fingerprint analysis or simply protection of IP. Security by obfuscation is not security - it's a pathetic camouflage that will come unraveled before you know it. Companies such as F-Secure, McAfee are not twiddling their thumbs waiting for the next threat - they can already foresee what hackers are going to be up to.

And in such cases, rootkit exploits are passé and so can be easily detected, as F-Secure did with SONY's misguided implementation of fingerprint data protection using that horrid method.

The problem here is not that SONY chose to protect the data, but the way they set about doing it. I think I can smell another class action suit rising up from within the dark war-rooms of plaintiff firms.

So, another lesson learned - a final one, we hope.

Be safe!

Monday, August 20, 2007

The State of Security

http://www.infoworld.com/article/07/08/20/34FEnextbigthing_grimes_1.html

In an interesting article, Roger Grimes talks about how the state of Security is pathetic and appalling (I agree), and how in future authentication on chips and such advances would make hacking unprofitable and eventually make our online experience safe (I disagree).

It's like this:
It doesn't matter what algorithm you create - and what keyspace you may have - but the weakest link is the human being and human error. Once the key is exposed nothing can save it - not even the strongest encryption.

Only one thing can save us from being such idiots when it comes to Security, and that is multifactor authentication. "What you have, what you know, and who you are" -- any two would help, yes, but all three would be NEARLY bulletproof. Notice I use "nearly" - and that's because NOTHING is unbreakable.

Everything has a weak point, a vulnerability (Patch Tuesday, anyone?) that people are more than happy to discover, exploit, and profit from. And in this respect, the abysmal state of Security literacy and lack of focus on such issues in our education system will together drag down any advances that Security scientists and researchers may make (may have made).

You have SSL for browsers? Hmm, just phish with real-sounding fake names. You have sitekey? Create an alternative site with a map of any and all authenticating images and ask the user to enter the password. Unless it's an educated user, you'll find that nearly 99.99% will enter the password DESPITE seeing an incorrect sitekey.
Why is that? Simple - psychology. People have this air of infallibility around them, and hackers use that to full potential, to their own benefit.

How does one really avoid such issues?
a. Multifactor authentication (iris scan/fingerprint; password; smartcard)
b. Intensive and regular education
c. Strict policies and granular access control
d. End-to-end monitoring of all packets - bidirectional
...

Simple monitoring and alarms will not work; what's needed is a total change in/of philosophy when it comes to revealing one's identity on the Web to complete and possibly criminal strangers. You would not give out your house key to just anyone - so why would you give your password/id out to shady sites without verifying they are who they say they are?

Ultimately, it does not matter how much progress we make in terms of Security (new algorithms, large keyspaces, complex passwords, password protection and PBE implementation etc) - but what matters is what end-users are willing to do to protect themselves. Having electrified fences, a guard dog, 12-foot-high gates, an advanced alarm system: these are all fantastic when it comes to protecting your home, but none of these can help if you left your front door ajar.
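To make the "what you know + what you have" combination concrete, here is an added example (mine, not from Grimes' article): the password factor is verified against a salted PBKDF2 hash (the PBE-style protection mentioned above) and the possession factor is an RFC 6238 time-based one-time code. The demo password, salt and the shared secret (the seed from the RFC 6238 test vectors) are constructed:

```python
import hashlib
import hmac
import os
import struct
import time

# ---- "what you know": the password is stored only as a salted, stretched PBKDF2 hash ----
def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Return a record suitable for storage; the clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])   # constant-time compare

# ---- "what you have": RFC 6238 TOTP from a secret held by the user's token ----
def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)          # time step, 8-byte big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` neighbours either side for clock drift, nothing wider."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step=step), code)
               for d in range(-window, window + 1))

def authenticate(password: str, code: str, record: dict, secret: bytes, now: int = None) -> bool:
    """Both factors are always evaluated, so a failed password doesn't change the timing."""
    now = int(time.time()) if now is None else now
    pw_ok = verify_password(password, record)
    code_ok = verify_totp(secret, code, now)
    return pw_ok and code_ok

# Constructed demo credentials (not real): the TOTP secret is the RFC 6238 test-vector seed.
DEMO_SECRET = b"12345678901234567890"
DEMO_RECORD = hash_password("correct horse battery staple", salt=b"\x00" * 16, iterations=20_000)
```

Comparisons go through hmac.compare_digest so a wrong password or code costs the same time as a right one. The post's warning still applies: a user who types the one-time code into a phishing page hands over both factors for that 30-second window, which is one reason to keep the drift window at a single step and not widen it for convenience.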

Be safe!

Friday, August 10, 2007

EMC's Purchase of Tablus

http://www.thestreet.com/s/emc-expands-data-security-reach/newsanalysis/techsoftware/10373440.html?puc=googlefi

This is a really good buy - EMC is fast expanding its Security offerings. Coupled with its content management system, it's not that hard to see where EMC is headed. And you already know that EMC bought RSA - and the wealth of knowledge that comes from RSA is unparalleled. The main competitor to EMC, NetApp, has DeCru, but I have not read up much about it, although it seems like a very capable product.

Tablus makes content PROTECTION systems; you can call it 'leak management' systems. The idea is that an administrator will prepare a policy of what's sensitive and assign a grade of some kind. The system then parses through the various files and figures out if they match the criteria set in the policy. Based on settings it can block/inform/audit the actions that took place on the protected object.
You know the rest.
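A toy version of what such a policy engine does, as an added example (mine, not Tablus's product code): each rule pairs a detector with a sensitivity grade and an action, and the scanner runs the detectors over every file and applies the strictest action that fires. The policy, the Luhn validator that trims false positives on card-like numbers, and the sample documents are all constructed:

```python
import re

ACTION_RANK = {"allow": 0, "audit": 1, "inform": 2, "block": 3}

# Constructed policy (not Tablus's format): detector, sensitivity grade, and the action
# to take on a protected object that matches.
POLICY = [
    {"name": "ssn", "pattern": r"\b\d{3}-\d{2}-\d{4}\b", "grade": 3, "action": "block"},
    {"name": "card_number", "pattern": r"\b(?:\d[ -]?){13,16}\b", "grade": 3, "action": "block",
     "validator": "luhn"},
    {"name": "confidential_marker", "pattern": r"\bCONFIDENTIAL\b", "grade": 2, "action": "inform"},
    {"name": "project_codename", "pattern": r"\bProject Kestrel\b", "grade": 1, "action": "audit"},
]

def luhn_ok(candidate: str) -> bool:
    """Luhn check digit: separates real card numbers from invoice/order numbers that merely look alike."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

VALIDATORS = {"luhn": luhn_ok}

def classify(text: str, policy=POLICY):
    """Return (action, hits): the strictest action among matching rules, plus what matched."""
    hits = []
    for rule in policy:
        validator = VALIDATORS.get(rule.get("validator"), lambda s: True)
        for m in re.finditer(rule["pattern"], text):
            if validator(m.group(0)):
                hits.append({"rule": rule["name"], "grade": rule["grade"], "action": rule["action"]})
                break                      # one confirmed hit per rule is enough
    action = max((h["action"] for h in hits), key=ACTION_RANK.get, default="allow")
    return action, hits

def scan_files(files, policy=POLICY):
    """Map each file name to the action the policy prescribes for it."""
    return {name: classify(content, policy)[0] for name, content in files.items()}

# Constructed sample documents (not real data).
SAMPLE_FILES = {
    "hr_export.csv": "Name,SSN\nJane Doe,123-45-6789\n",
    "memo.txt": "CONFIDENTIAL - Project Kestrel kickoff moved to Friday.",
    "expense_report.txt": "Card 4111 1111 1111 1111 charged 42.00 for travel.",
    "invoice.txt": "Invoice 1234567890123456 paid in full.",
    "newsletter.txt": "Welcome to the quarterly newsletter.",
}
```

scan_files(SAMPLE_FILES) blocks the HR export and the expense report, raises an inform on the memo, and lets the invoice through because its 16-digit number fails the Luhn check. Real products add file-type parsing, fingerprinting of known documents and the audit/alert plumbing; the grade-to-action mapping is the part an administrator actually writes.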

Be safe!

Tuesday, July 31, 2007

Review of Electronic Voting Systems

http://sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf

When you know that the basic rights of citizens could be easily violated (or hijacked) you MUST demand secure and inviolate protection of such rights.
It's your duty to vote - and your right that the vote be counted. Unfortunately, when accurate tallying of the votes is under threat, there's little you can do but suffer while the bureaucrazy plods along, trying to figure out what's going on.

To that end, the report listed in the link above is a true eyeopener. We all know about how Diebold systems were hijacked by a team of researchers just a few years ago (http://www.scoop.co.nz/stories/HL0307/S00198.htm). In a sickening reprise, research teams organized by the California Secretary of State were able to get into multiple machines -- sold by Diebold, Hart InterCivic, and Sequoia.

The methods appear to be very similar -- simply modify the firmware to execute all sorts of illegal commands. The physical security of the machines was lacking: the teams managed to push all kinds of 'protected' buttons without leaving a trace.
The more important (if you can say that) software security was lacking as well. Compromising the firmware, the boot loader, and arranging results to be different depending upon the mode of operation of the device -- all these suffered.

I'll leave the actual study for you to peruse and chuckle at (sadly), but I really think it's time our govt started taking the idea of Security more seriously. Trusting private vendors is simply insane - especially trusting them with the most critical process in a democracy. We have so many gifted scientists at the NSA, FBI, CIA, and many other organizations without acronyms or addresses - get them to do it, under the supervision of a bipartisan technical committee (no business folks need apply).

Quite simple - but I'm sure that can't be easily accomplished mainly because the govt is beholden to industry. I'm not even going to get into how to fix this security-wise (although I have a few thoughts), but do want to say that if the USA wants to be taken seriously as not just a superpower, but more importantly, as a democrazy (!), it needs to revamp its entire election process - from scratch.

Be safe!

Monday, July 23, 2007

How to Take Over an iPhone

The latest darling of the gadget-crazy crowd, the iPhone, was hacked into by researchers from a company called ISE.
http://www.securityevaluators.com/iphone/
The video clearly demonstrates how the iPhone was hijacked, and their site also lists how to avoid this security breach (and how one could fall into the trap set by the hackers).
It's a question of trust -- the SSID picked up by the iPhone, if it happens to have been trusted previously, is automatically used. When that happens, you are essentially going through the hacker's network, and he could easily substitute a rogue webpage for the one being requested. This rogue page would have the necessary code to extract information from the device. Simple - but very dangerous.

As more and more companies take to giving their execs and even lower-level personnel access to such devices, they multiply their risks exponentially. We all know how Paris Hilton's phone got hijacked -- and so many details came out that must have embarrassed her. Now imagine this happening to a high-profile, high-security firm (God forbid - the DHS!) or large law firms. So many secrets...

I'd recommend that users be trained in depth about the security vulnerabilities of such gadgets -- forget the convenience for a second -- before they are permitted to operate one. All devices must have password protection at boot-up, and for launching certain applications/documents. Further, they should have a master password in case the user forgets the actual password.

I don't know if the iPhone supports such features, but it'd be worth a look if Apple wants to get big companies to get them for their fawning execs.

My personal opinion - if you MUST use data-sieves like these, do NOT STORE any information that you wouldn't want to see on a public website somewhere. Just store songs and nothing else.
Be sure to delete all IM, conversation logs, documents, personal information that you may have stored 'temporarily' for the sake of 'convenience.'

Be safe!

Thursday, July 12, 2007

Stealing CPU Cycles and Hiding Between Ticks

http://arstechnica.com/news.ars/post/20070711-security-paper-shows-how-applications-can-steal-cpu-cycles.html

I won't bore you with the details (you can look them up yourself) but what concerns me is that such techniques (hiding from the process list and stealing CPU cycles) will probably be exploited by hackers/phishers/cybercriminals and the like.

It's not terribly complex to do so, and the only reason the MacOS is immune to the problem is it uses a different algorithm (per the site above). Windows and *nix are quite vulnerable to this exploit, and an admin could be left scratching his head on who or what is consuming all of that CPU but not showing up in top or ps -ef.

Imagine a really pesky little malware/virus/trojan using this weakness - and you can quickly see that traditional methods of detection and removal will probably not work here. The only way to fix this problem is at the hardware level, or update the OS to use a completely different way of figuring out CPU usage and process-tracking.

Overall, the use of this threat is probably low at this point, but now that it's out and famous, expect use of this annoying vulnerability very soon (say less than 2 months).

Be safe!

Monday, July 9, 2007

Google Swallows Postini

http://www.macworld.com/news/2007/07/09/postini/index.php

I actually was expecting GOOG to buy up a Security company pretty soon considering how quickly it was expanding its hosted-applications suite. If you dissect the way GOOG has slowly invaded MSFT's traditional territory, it started with the Web, moving to the desktop, and now on to the enterprise level.
Right from searching the Web to looking for lost email on your desktop to mapping to price comparison and now to SAAS, Google is your go-to guy.

Thus, this purchase makes a whole lot of sense, not only from the pov of 'sensitive' companies (say banks, data aggregators) that may be chary of handing over control to a third-party (not just in terms of storing sensitive data etc) but also from GOOG's own pov in terms of compliance, due diligence in protecting data etc.
It'll help the CIOs of the hosted companies to relax a bit knowing their information is in 'good' hands. More credibility, more security, more protection.
Also important to note is that GOOG is working on making offline access to the hosted data possible using Google Gears. Now that's giving MSFT serious heartburn and sleepless nights. Wonder what other hapless ASPs are up to...

Be safe!

Friday, June 22, 2007

What Else is Surprising? DHS in Trouble!

http://www.informationweek.com/news/showArticle.jhtml?articleID=199905838&pgno=2&queryText=

As I've mentioned many times before, computer security is taken too lightly by too many people. I hope the CIO of DHS doesn't think that way.
First off, we need a CISO *and* a CIO for an organization as complex and as bureaucratic as the DHS. The CIO and CISO should get together to formulate a strategy that will feed the needs of the IT dept (CIO) and balance it or temper it with the security ramifications that come with the needs (CISO).

My worry is that while Congress battles the powerful bureaucrats and while the bureaucrats expend energy in defending themselves, the door is left wide open for everyone to do what they want to do. In other words, the utter indifference to real security is what results in trojans, viruses, inappropriate and objectionable content invading the computers.

Another concern is that the computers are allowed to access the Internet! First off, you want to very severely restrict access to the 'Net, and if you must, make sure you have powerful tools to control both access as well as downloads.

Here's what a basic, 20-point policy would look like (for user-terminals/computers at least):
1. Disable floppy drives (or buy computers without them)
2. Disable CD drive (need special code to unlock and use - content to be disclosed first)
3. Disable USB drives
4. Disable any and all controls on the OS that will permit configuration changes (such as IE security level etc)
5. Disable all downloads from the 'Net (incl HTTP/FTP)
6. Disable all uploads to ANY location
7. Internal data transfer should happen through pre-mapped, controlled, and constantly-monitored, network drives - probably a departmentalized storage subsystem such as NetApp Filers or EMC CLARiiON etc
8. Use encryption as much as possible, both on disk as well as on the network
9. Use forced authentication at every entry point (no trusted hosts nonsense)
10. Disable installation of any kind of unauthorized programs
11. Use at least 2-factor authentication (password + random key as an example)
12. Go for biometric authentication whenever and wherever possible
13. Use AV software extensively, ensuring prompt and forced updates and reboots as needed
14. Use IDS (pref IPS also) software at every sensitive node
15. Control, monitor, and record ALL communication - IM, email, phone etc
16. Email clients should be tuned to only send mail to internal personnel - no external addresses should be allowed - EVER
17. Scan ALL incoming packets - and outgoing packets at sensitive nodes
18. NO ATTACHMENTS ALLOWED ANYTIME - email/IM - whatever mode of communication
19. Use hardware encryption devices and encrypt all data, everywhere. Use PKI devices to manage the keys
20. Finally, EDUCATE THE EMPLOYEES. Nothing works better than education

Watch this space for more ideas that DHS will probably never implement! Next I'll be focusing on actual employee monitoring details.

Be safe!

Tuesday, June 19, 2007

Security Companies Getting Bought Out...

http://creativemac.digitalmedianet.com/articles/viewarticle.jsp?id=153590

I think the recent buying binge demands at least some investigation into:
a. Exactly what these companies market
b. What does the software actually do
c. Is it ready to deal with, or can it be extended to deal with, the latest threats
d. How easy is it to integrate with current solutions
e. Are these FIPS-compliant

In any case, it does look like the Security market is golden, and doing fantastically well. If you want to make a few million dollars, start with an idea, write up rudimentary software, say it patches up this threat and that vulnerability while scanning the network and making your morning coffee, and BOOM! your company's set for sale!

Seriously though, the real value of these acquisitions will come from how easily and painlessly the products integrate into current product offerings. HP just bought SPID, and if that could be merged into any of HP's products (logically so) then customers have one less thing to deploy, manage, patch, and keep inventory of.

Overall, definitely a solid consolidation in the SS market is going on, and is long overdue, too, but quite importantly we should note WHO'S buying - that will indicate a stronger trend toward tighter bonding between existing enterprise management/monitoring tools and actual Security tools.

Now you could predict that IBM will have a significant share of Security-based revenues from its purchase of ISS, that EMC will carve out a bigger and bigger share of the market using RSA, that BT will reap the fruits of its bagging of CounterPane.

This is just the beginning of the trend - quite possibly we'll see the same and new software vendors buying more and more of such companies. Ultimately, one would be hard-pressed to find a single Security ISV.

Hot areas will include:
a. Identity management
b. Patch management
c. Vulnerability assessment and management
d. Threat assessment (from internal and external sources based on patterns and trends)
e. Code and system-hardening
f. Security services and consulting operations
g. Compliance and regulatory assessment, management, consulting and validation
h. Outsourcing of Security tasks
and so on

Be safe!

Tuesday, June 12, 2007

Privacy Concerns and Google

Quite interesting, the recent concerns over how Google mines data and how it might use it when combined with its recent acquisition, DoubleClick. Plus, now you have street-level, 360-degree, detailed snapshot views of actual happenings on streets that Google has covered.

Somewhat creepy, a little scary, but mostly harmless. For now.
How Google addresses privacy concerns raised by both small privacy groups and organizations like ACLU, EPIC etc remains to be seen, but it's quite likely that G, whose main edict is 'Don't be evil', may be forced more and more to live up to its grand statements. Only, you don't want it going the way of 'We don't do finance'...

What is the Security concern here? Plenty, plenty, plenty. Imagine this fantastic goldmine of data that tells you all you want to know about someone's secrets and the makeup of their psyche - right from search terms to visited sites to how long they surfed those sites to your most private communication (email). Imagine this fantastic data in the hands of a hacker. There. You know what I'm saying.

So, G, which employs the most brilliant minds it can afford to buy on the strength of its balance sheet as well as brand name, needs to REALLY tighten up its environment. You do NOT want embarrassments like when someone stole G's own blog and it had to do some red-faced explaining. We don't have to teach G about security and how to protect its data, but we do have a RIGHT to expect that what G knows, only G knows and nobody else. Plus, you also hope (wish, pray, beseech, request, beg, fight) that G also has a bad memory (think data retention policies).

Anyway, the coming few months are going to be very intense as the search, advertising, and portal markets heat up with existing giants waking up and new, disruptive technologies start chipping away at the heels of the Big Ones.

Be safe!

Monday, May 28, 2007

FBI Security

...or the lack of it, really, at least according to a GAO report that was on the news a couple of days ago.
Problems included lack of encryption (for sensitive data), improper or missing authentication and authorization of users before they accessed sensitive information, and improper or default configuration of network devices.

Usually, network devices come with a default password that's a pain to change because each piece of hardware has a different management interface. Let's say you have five network devices - two switches (from different vendors), a router, a bridge, and a gateway.

Each device will have a unique website, a different way to set passwords, and a different way it can be accessed. The point is that the lack of a common management interface leads to some very lazy administrators.

Here's my recommendation:
All you network hardware vendors -- can't you work together to create A SINGLE interface that could be used to work with the multitude of devices!?
It'd make life a million times easier for everyone, and make the environment a lot safer. I'm not about to go into the details of what such an interface should have, and would entail, but maybe later.

For now, this is what the FBI should do:
a. Follow a proper process that would track every piece of hardware from cradle to grave
b. Make people responsible and accountable for changing passwords every 2 months (or as often as needed per the security policy)
c. Make sure the results of the password change are updated in a document that lists those devices that could not be modified (maybe they're getting serviced, or were down for some reason), and get to them ASAP
d. Provide a checklist to any manager that has people reporting to him, on whether his employees (and he himself) actually needs access to any sensitive data. Be harsh and do not be afraid of treading on egos - do what is important and necessary to keep the country safe. People who mind on the basis of ego are eminently dispensable, and could prove dangerous in their efforts to satisfy their power-hungry needs
e. Every vendor that supplies to the FBI MUST supply a password that is tough to crack (the default password should satisfy existing requirements) - maybe not ALL criteria should be revealed to the vendor, but a few, such as the length, inclusion of special characters, etc should be mandatory
f. Use password management software to make sure these devices are in compliance at all times (as opposed to 'b') if resistance from people is high
g. All changes should go through Change Management control and sign-off must be received from the proper authorities before changes are implemented
h. Audit the entire organization every 6 months - this may seem too frequent, but it's completely worth the time and effort. After the first 3-4 audits, the time and effort required for each subsequent audit should reduce as long as compliance rules are being properly followed
i. DO NOT make exceptions at any stage - as the cliche goes: a chain is only as strong as its weakest link
j. The default access for any device in its original, default configuration should be DENY_ALL, and then it can be configured to selectively permit traffic and users
k. Use RBACs and ACLs to control, limit, and deny access
l. Use strong and detailed logging at all levels. Storage is cheap - lives are not

Be safe!

Thursday, May 24, 2007

Database Security

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1255955,00.html

Quite an interesting article, and it talks about concepts that are very logical, obvious, and yet something that's hard to implement and track.
How so?

Let's say you're the CISO of a company/govt organization that has access to highly sensitive data such as taxes, divorce records, alimony and so on. What would be your first instinct relating to protecting the data? Encryption, RBAC, ACL...?
There are many choices and each comes with its own tradeoffs. 'Mindboggling' is a mild word for the conundrum you just got yourself into.

Believe it or not, people actually abuse power! Hmmm didn't know that one, did you?

Now that you do, start with the basics. Make a list of talented people who can handle the responsibilities that will be given to them. They should be held strictly accountable at all times when it comes to the ownership and privacy of the information entrusted in their hands.

Then define roles and responsibilities that will match those tasks. With the help of commercially available software, you can do that very quickly.
For especially sensitive data, institute authentication codes. Meaning, access to certain types of data should only be possible with the help of a code that's generated by a security officer who oversees the overall security aspects of the data.

Thus, you now have division of roles and a division of how the responsibilities are executed. How does this help? Two words - collusion avoidance (and detection).

Next, logging and audit control.

Make sure the software that you use can log certain types of searches and classify them as inappropriate when applicable. It should alert the manager or supervisor within a time defined by an SLA. This kind of alert is preferred to be real-time so any violation can be stopped immediately.
Audits should be performed on a regular basis, and at least 3 times a year on a surprise! basis. That will keep any potentially devious employees somewhat honest and probably catch those that have crossed the line before they could do more damage.

Rewards - any quarter/6 months/year when there have been no violations, every employee in the security team should be congratulated and rewarded for saving the CISO's reputation and bonus.

Continuous improvement -- this phrase is used so much it's almost near meaningless, but because it's almost meaningless, if I use it just once or twice it won't hurt.

But let me define it slightly differently -- CI means new ways of figuring out how to keep secure data secure (think new hacking methods, new forms of spyware/malware/adware/badware, spam, viruses, trojans - boy you have your hands full). How to keep employees from stealing data or misusing their newfound power. How to maintain the integrity of the system and its value.
How to have business running 24/7 with no bottlenecks from the DB department. How to maintain the system's authority as the final arbiter of the correctness of data that resides within.

Needless to say most of these have strong security angles, but the top rank goes to getting employees to keep the data secure and keeping themselves honest. Very honest.
Remember: Encrypted databases and password-protected sites are powerless to stop an employee with the proper key and password, but relevant training dealing in ethics and company policies pertaining to correct use and access of records, coupled with rewards for excellent and spotless conduct, should go a long way. Combined necessarily and mandatorily with the latest technology to keep data visible to only those that need to see it, this approach should be quite foolproof.

It's quite difficult, if not downright impossible, to expect 100% adherence to policy (otherwise we wouldn't have any scandals). So, the next best step to remedy and fix a potentially devastating violation in the future is to ENCOURAGE and REWARD good habits than simply discourage and penalize bad ones. This is not to say that the bad eggs should not be disciplined/terminated/penalized, but that good behavior should be recognized and made worthwhile.

Be safe!

Thursday, May 17, 2007

On PCI-DSS

Every time you hear another breach of security at a retailer site you cringe. You cringe but carry on because you know it happens all the time, or that it's become too common.

I've blogged on this particular problem before, but it's quite simple to understand that standards really are not of much help unless supplemented with a lot of education and awareness. I throw around these two words quite a bit - they MATTER! Educate your IT staff on proper security etiquette and you'll save yourself a whole lot of heartburn later.

Remember, 99% of such problems occur because of human error. Computer faults are also usually caused by humans, so don't go around blaming a defenceless piece of hardware or software.
How, you ask?
1. Non-secure code/programs/applications (easily subject to buffer overflow or crash, not enough checks, not enough or no authentication needed to run them and so on)
2. Misconfiguration of the application/site, including firewalls and authentication schemes
3. Poor or no training of the staff that's supposed to manage the data
4. Lack of encryption/plaintext files

Of course, the above constitutes just a very short list of possible sources of breaches, but they're probably the most common.

In any case, I looked at the 12 requirements of PCI-DSS, and I find they are too generic and lay out a framework rather than concrete instructions. I know and understand how complex the whole thing is, but it'd be good if the PCI could provide merchants with more detailed knowledge of what to do and how to go about doing it.

For all I know this must be happening (I know nothing about how these guys work behind the scenes), but from what the CISO of FirstData said, it looks like they really need some handholding or at least more clarification.

Be safe!

Wednesday, May 16, 2007

Not Again! Yes, Again

http://www.networkworld.com/news/2007/051507-ibm-contractor-loses-employee.html

The link tells the story. Again. Someone. Lost. Critical. Data.
This time the information was unencrypted on some tapes - which makes retrieval a snap for those with the right tools. I think the govt should really step in immediately and pass legislation that would make encryption of all employee-related data mandatory, especially if such data were being physically transported.

I'm going to stop here.

Be safe!

Tuesday, May 8, 2007

TSA's Misstep

http://www.technewsworld.com/story/57281.html

So what's new, right?! This expression is becoming very common nowadays, from completely unforgivable sins such as not securing hardware to exposing sensitive data to the general public on an uncontrolled/unmoderated website (the Agriculture department comes to mind).

Let's analyze for a second how such a mishap could occur. Places such as the Los Alamos lab - famous for disappearing drives and dead-end investigations, don't seem to have a clue as to what to do and look for when a critical piece of hardware goes poof!

Lifecycle of a disk (bought separately, and assuming formal processes exist):
a. Requisition for purchase
b. Approval
c. Order
d. Delivery
e. Verification
f. Change Management process approval
g. Implementation/installation
h. Usage
i. Fault - Return to sender
j. EoL

Worker W requests Manager M for extra space and submits requisition, M approves it and sends it to Purchasing for placing the order.
Disk comes through, is verified by the appropriate personnel, and the CM team authorizes the installation of the disk (might involve downtime, reboot etc).
IT installs the disk and brings it online so users can store twenty-thousand copies of the same document so they run out of space way before the projected date and then place more orders.

Say an error crops up on this new disk, which by now holds a lot of data; IT will be asked to look into it. IT will try to back up the data to another disk and try to fix it. In the meantime, since most workers have filled up this new backup disk and don't have any problems with it, they're likely to push for IT to delay installing the new disk, which has been fixed by now.

So, IT just waits around, and eventually something happens that causes them to lose track of it. This 'something' is the most dangerous aspect of IT and security because nobody knows what it is (and that's why it's called 'something'). It could be anything from an employee with malicious intent to an ID thief to an innocent misplacing to out-and-out loss of the disk beyond recovery. This becomes much more of an issue if the disk is to be shipped elsewhere (ironically, for safekeeping or backup) and nobody really knows whether the destination received it, or whether they got the right material, or whether the disk was even sent!

Anyway, all through the steps above, there is no TRACKING of the material. If there were a CMDB in place, then much of this could have been part of its DB and the disk could be made a traceable and trackable entity.

Then, when a disk went missing, all one would have to do is search for the part number/brand/custom id/tracking number/dept id/destination -- you get the idea -- and take further action. The point is that not much is unknown at that time. Auditing, which should come in between 'h' and 'i' is the one process that people love to hate, but one which may save their (and our) lives one day. As long as regular auditing is done using the CMDB as an authoritative source of existing inventory, one can be assured that such 'issues' won't be so common as one's less likely to be lackadaisical when an audit is due.

Since most people don't even know what a CMDB is, it's going to be hard to convince them or educate them on the importance of such a database. The root problem thus lies in education and awareness. Get familiar with ITIL!

Security is all about education, training, and awareness. As Fox Mulder put it, TRUST NO ONE. This doesn't mean you incur the wrath of your boss for asking him 20 questions on why he wants to see your code, but that anyone that's not in your immediate circle of trust (something like PKI) should not be privy to your sensitive data. The idea is Need to Know comes before everything else.

Coming back to this intriguing case of the missing disk, here's how I'd do it (all of these trackable details such as tracking number etc would go into the CMDB):

a. Requisition generated by user (tracking number (tn) 1234)
b. Approval by manager (tn, approval id (aid) A45)
c. Order (tn, aid, order number (on) O858)
d. Delivery (tn, aid, on, delivery date (dd) 05/08/2007, shipper id (sid), dept id (deptid))
e. Verification (tn, aid, on, dd, sid, deptid, verification id (vid))
f. CM approval (tn, aid, on, dd, sid, deptid, vid, chg mgr approval id (cmid))
g. Ticket to install/installation (tn, aid, on, dd, sid, deptid, vid, cmid, iticket)
h. Usage
i. Fault (tn, aid, on, dd, sid, deptid, vid, cmid, fticket)
j. Shipping (tn, aid, on, dd, sid, deptid, vid, cmid, fticket(if fault), rticket (if request to ship), sid, sender deptid, receiver deptid, slaid (service level agreement id))
k. EoL

As you can see, everything here can be traced to the finest level - nothing can escape scrutiny, and accountability is preserved.

As for data structure, when I say verification id, the id should point to a table that contains at least the original requisition id, the id of the person performing the verification, the outcome, destination dept, contact who will pick up the disk, and anything else that may matter.
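The ledger sketched above, as an added example that is not the post's own code: each stage must carry the ids of the stages before it, any single id finds the disk, and an audit pass lists the disks nobody can currently vouch for. The stage names and ids follow the list; the SQLite layout, departments, dates and ticket values are constructed.

```python
"""Disk-lifecycle ledger: an added example, not code from the original post.
Stage names and ids (tn, aid, on, dd, vid, cmid, iticket, fticket, rticket)
follow the list above; the table layout and sample values are constructed."""
import sqlite3
from datetime import date, timedelta

# Mandatory chain a-g: each stage requires every stage before it.
CHAIN = ["requisition", "approval", "order", "delivery",
         "verification", "cm_approval", "installation"]
REQUIRES = {stage: CHAIN[:i] for i, stage in enumerate(CHAIN)}
for later in ("usage", "fault", "ship_request", "shipping", "eol"):
    REQUIRES[later] = CHAIN   # nothing happens to a disk that was never installed


class AssetLedger:
    def __init__(self):
        # Minimal CMDB: every stage is a row keyed by the ids the post lists.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE events (
                asset   TEXT NOT NULL,  -- tracking number 'tn' of the disk
                stage   TEXT NOT NULL,
                ref_id  TEXT NOT NULL,  -- aid, on, vid, cmid, iticket, ...
                actor   TEXT NOT NULL,  -- who performed the step
                dept    TEXT,           -- department involved, if any
                on_date TEXT NOT NULL   -- ISO date
            );
            CREATE TABLE verification (  -- what 'vid' points to, as the post describes
                vid TEXT PRIMARY KEY, tn TEXT NOT NULL, verifier TEXT NOT NULL,
                outcome TEXT NOT NULL, dest_dept TEXT NOT NULL, contact TEXT NOT NULL
            );
        """)

    def record(self, tn, stage, ref_id, actor, on_date, dept=None):
        """Append a stage; refuse it if a prerequisite stage was skipped."""
        done = {r[0] for r in self.db.execute("SELECT stage FROM events WHERE asset=?", (tn,))}
        missing = [s for s in REQUIRES[stage] if s not in done]
        if missing:
            raise ValueError(f"{tn}: cannot record {stage}, missing {missing}")
        if stage == "shipping" and not done & {"fault", "ship_request"}:
            raise ValueError(f"{tn}: shipping needs a fault or a ship request")
        self.db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
                        (tn, stage, ref_id, actor, dept, on_date))
        return ref_id

    def verify(self, tn, vid, verifier, outcome, dest_dept, contact, on_date):
        self.record(tn, "verification", vid, verifier, on_date, dest_dept)
        self.db.execute("INSERT INTO verification VALUES (?,?,?,?,?,?)",
                        (vid, tn, verifier, outcome, dest_dept, contact))
        return vid

    def find(self, any_id):
        """Look a disk up by any id it was ever tagged with; return its history."""
        row = self.db.execute(
            "SELECT asset FROM events WHERE asset=? OR ref_id=? LIMIT 1",
            (any_id, any_id)).fetchone()
        if row is None:
            return None
        history = self.db.execute(
            "SELECT stage, ref_id, actor, dept, on_date FROM events "
            "WHERE asset=? ORDER BY rowid", (row[0],)).fetchall()
        return {"asset": row[0], "history": history}

    def unaccounted(self, as_of, max_days=14):
        """Audit: disks whose latest event is a fault or shipment older than
        max_days with nothing after it; nobody can currently vouch for these."""
        cutoff = (date.fromisoformat(as_of) - timedelta(days=max_days)).isoformat()
        return self.db.execute("""
            SELECT asset, stage, on_date FROM events AS e
            WHERE rowid = (SELECT MAX(rowid) FROM events WHERE asset = e.asset)
              AND stage IN ('fault', 'shipping') AND on_date < ?""", (cutoff,)).fetchall()


def build_sample_ledger():
    """Constructed: the post's disk (tn 1234, aid A45, on O858, delivered 05/08/2007)
    through fault and shipping, plus a second disk that got stuck at delivery."""
    lg = AssetLedger()
    lg.record("1234", "requisition", "1234", "worker_w", "2007-05-01", "dept-7")
    lg.record("1234", "approval", "A45", "manager_m", "2007-05-02", "dept-7")
    lg.record("1234", "order", "O858", "purchasing", "2007-05-03")
    lg.record("1234", "delivery", "2007-05-08", "shipper_s1", "2007-05-08", "dept-7")
    lg.verify("1234", "V9", "receiving", "ok", "dept-7", "worker_w", "2007-05-08")
    lg.record("1234", "cm_approval", "CM12", "change_mgr", "2007-05-09")
    lg.record("1234", "installation", "I77", "it_ops", "2007-05-10", "dept-7")
    lg.record("1234", "fault", "F31", "it_ops", "2007-05-30")
    lg.record("1234", "shipping", "R5", "it_ops", "2007-06-01", "vendor-rma")
    lg.record("5678", "requisition", "5678", "worker_x", "2007-05-01", "dept-3")
    lg.record("5678", "approval", "A46", "manager_m", "2007-05-02", "dept-3")
    lg.record("5678", "order", "O859", "purchasing", "2007-05-03")
    lg.record("5678", "delivery", "2007-05-09", "shipper_s1", "2007-05-09", "dept-3")
    return lg


def try_to_skip_stages(ledger):
    """The ledger's objection when IT installs disk 5678 with no verification or CM approval."""
    try:
        ledger.record("5678", "installation", "I78", "it_ops", "2007-05-10")
        return None
    except ValueError as err:
        return str(err)
```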

I realize it sounds like overkill, but try facing 10,000 workers after 'losing' their most precious and sensitive information. Their stares alone will jolt you into becoming an evangelist for data safety, if the govt/sanctions/bad reputation don't get there first.

Be safe!

Thursday, May 3, 2007

VeriSign's Passcode Initiative

http://www.itwire.com.au/content/view/11775/53/

VeriSign now offers a special card that generates a one-time passcode that expires quickly, so even if someone were to steal it, it wouldn't be of much use.
The passcode is displayed on the card itself, at the push of a button. Expected to last two years or around 100000 uses, it's a nice, elegant, and compact solution.

I know you're waiting for the key word - HOWEVER - it's easily subject to the infamous MitM attack (Man in the Middle). See, after all, the passcode is just another bit of data that can be stolen along with user name and password. Nothing really more to it, in my opinion, than hype.

Although two-factor authentication schemes are very strong and should be recommended for most security applications (who you are, what you have, what you know are the three principal factors), there are severe limitations that need to be considered as well.

A nearly foolproof method would be the use of biometric systems - the iris check, fingerprints, voiceprints, facial recognition, and so on, are somewhat advanced and used in most high-security areas. The trick is to incorporate them into devices that we need access to at higher levels of security, such as ATM machines, bank lockers, safes etc.

In any case, VeriSign is doing the right thing by at least starting the process somewhere. I know Discover Card used to have a little application that one could download to one's desktop, and it'd do the same thing. Not sure what happened to it.

Also, many MasterCard and Visa issuers are using the two-factor method to prevent phishing. For example, one site lets you pick a picture, and it'll show it to you when you enter just your username; if you don't recognize it you simply don't supply the password. If the picture is the one you know you picked, then you enter the password. How secure is this? Quite, but not foolproof. A hacker could collect the site's stock pictures by using it as a regular user, then show one of them at random, and if it happens to match - whoa!

A better idea would be to let the user pick their own pictures - something personal, say their dog or their home or their messy office desk or something that's not easy to duplicate.

In summary, while it's a good start, it's only a start. I look forward to seeing more biometric authentication schemes available to the general public and not just to the privileged. We pay the bills, after all!

Be safe!

Wednesday, April 25, 2007

Whither Fidelity

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=12&articleId=9017825&intsrc=hm_topic

OK - so you're at this fashionable hotel - either staying or picking up someone - and you whip out your fashionable laptop, the one with diamonds and rubies encrusted on the logo that screams "YUCK!"

You power it up, and as expected, the laptop finds a few free networks (unsecured, of course, for easy exploitation). You connect to one of them and start surfing. The name of the access point matches the name of the hotel, so there are no second thoughts or warning bells in your head giving you an impromptu migraine.

Three days later, all of a sudden, you notice your email account has been hijacked, and also your credit cards. Hmmm how could this happen?

It could happen because the shifty-eyed person that was sitting just a few feet away from you WAS the access point and he simply named his AP the same as the name of the hotel to fool you.
This method of attack is virtually impossible to detect because the entire AP can be brought down by the attacker in a matter of seconds. So there is no trace of his presence.

How do you protect yourself? Simple - do not use any unsecured connections that appear 'free' - if in doubt ask the company about their WiFi policies and the name of their AP. Plus, warn them if you find an AP with a similar name or the same name. Be careful about submitting any sensitive data over these lines, and definitely do not submit passwords/SS numbers/medical/financial information. Use it to surf aimlessly while waiting for your date, but don't go beyond that. It's not worth it.

Be safe!

Friday, April 20, 2007

Universal Security Blunder?

There's been a spate of news concerning the threats posed by USB devices - including devices such as iPod, Zen etc. The main threat is that data could be very easily stolen using these seemingly harmless and innocuous devices.
Other threats may soon include viruses and trojans happily hopping from iPod to iPod, iPod to computer, and computer to computer.

When I say iPod I refer to the general class of such disk-based entertainment devices - sheer laziness and not any bias makes me refer to them so (I'm a huge fan of Apple's!).

A typical such device comes with a disk that's at least a few GBs, so it's not that difficult to steal large files using the USB ports.

Most companies permit employees to take their laptops with them - else what's the point of having one! The biggest problem is not that the laptop itself will go missing (which is an obvious threat) but that the data will be stolen (can't catch that unless you really audit the machine or install special tools to monitor data transfer). Now, with USB2.0 and FireWire, even GBs of data can be copied in minutes.

How do you protect against such an invisible, internal attack?
* Use software to lock down the USB ports
* Educate employees on USB safety and security
* Order machines that have the ports disabled or not configured
* Glue them shut if all else fails

In any case, before we fall into this hysteria and become part of the USB-banning mob, we should give some thought to the level of crimes that occur using USB ports. How many people steal data using USB drives vs via hard copies of documents, CD-RW disks, email, illegal upload to online backup sites...the list is endless.

So, what do you learn from this? Definitely, USB ports are a threat, but maybe not to the extent that people make it out to be. At least not yet. Or maybe it already is, and we just haven't realized it yet.

Be safe!

Monday, April 16, 2007

Keeping Children Secure on the Net

http://www.mercurynews.com/business/ci_5677788

An inspiring read - however, the parents simply talk about online security. Here are the concerns:

1. Kids will be exposed to images/video/text that are totally inappropriate or even dangerous
2. Kids will download spyware and assorted malware/adware because they surf in ignorance
3. Kids are in danger from predators
4. Kids will communicate with anyone that seems friendly or offers comfort or shows interest or praises them (most kids nowadays are starved of love and attention because both parents typically work) - and provide easily identifiable information

How do you watch them?

Some tips:
1. Do not give them their own personal computer till they are at least 17
2. Do not let them take the computer to their room
3. Force them to interact with websites in 'public' - meaning the living room
4. Inform them that you have Internet monitoring software and that you know what they are doing anytime they're online
5. Monitor the sites they visit, noting down what they post and who they interact with on social networking sites
6. Have regular chats with them making them understand the dangers of being online without sufficient knowledge to protect oneself
7. Educate them on what the dangers are and how to spot them
8. Disable installation of all programs, and disable the USB ports
9. Give them a user id that has severely restricted access
10. Do not give them the password that'd enable them to go online
11. Do not let them go over an hour online per day - it's too much of a waste of time
12. And finally, watch out for any warning signs that may indicate unhealthy exposure of any sort

Be safe!

Even More Privacy Issues

http://www.buffalonews.com/185/story/54888.html?imw=Y

When you donate your old, pathetic, and mostly useless computer, keep one thing in mind: the disk. Forget everything else - just go after the data. Whitewash as much as possible. Many good software packages can accomplish the task painlessly, and they're worth the investment.

You simply do NOT want someone to have access to private data (SS numbers, medical records, employment details, financial data) etc. If they're a nice person as the one in the story above, you won't lose anything. However, if an ID thief buys up your computer from the local donation center, who knows what he can turn up? And imagine what he could do with it - a virtual goldmine of data begging to be (mis)used.

The main problem is (as it is everywhere else) lack of data awareness, and fear (even disdain) of technology itself. Luddites that may pride themselves on their 'simple' life have NO idea how vulnerable they are, every time they encounter technology that gets and/or dispenses private data.

You are SAFE if and only if:
1. You do not have an SS number
2. You do not exist
3. You are a wandering saint
4. You have NOTHING to lose - not even your identity

So, before you chuck that computer of yours for a tax write-off, download good disk-cleaning software, and scrub as much as possible. Remember - deleting files, moving them to the Recycle Bin, or emptying the RB has no effect. The data is simply marked to be overwritten, but the data itself is still there - invisible, but there, and can be very easily read by someone sophisticated enough to know how to run the right tool.

Whitewashing a disk usually consists of writing garbage over and over again to the disk (or writing 0s) until there is nothing left to read.
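A toy block device showing why a delete leaves the data readable and what an overwrite pass does to it, as an added example that is not from the post (the bytearray 'drive', its directory and the file contents are constructed):

```python
"""Why deleting is not erasing: an added example, not code from the post.
A bytearray stands in for the drive and a dict for the filesystem's directory;
both are constructed for illustration."""
import os

BLOCK = 64   # sector size of the toy drive


class ToyDisk:
    def __init__(self, blocks=32):
        self.raw = bytearray(BLOCK * blocks)   # every sector on the platter
        self.free = list(range(blocks))        # sectors not owned by any file
        self.dir = {}                          # filename -> list of sectors

    def write(self, name, data):
        used = []
        for i in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            self.raw[b * BLOCK:(b + 1) * BLOCK] = data[i:i + BLOCK].ljust(BLOCK, b"\x00")
            used.append(b)
        self.dir[name] = used

    def read(self, name):
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in self.dir[name])

    def delete(self, name):
        # An ordinary delete, and emptying the Recycle Bin, do exactly this:
        # the directory forgets the file and its sectors become reusable.
        # Not one byte of the content is touched.
        self.free.extend(self.dir.pop(name))

    def carve(self, needle):
        # What a recovery tool does: ignore the directory, scan the raw sectors.
        return needle in bytes(self.raw)

    def wipe(self, passes=(b"\x00", b"\xff", None)):
        # Overwrite every sector, allocated or not, once per pass (None = random).
        total = len(self.raw)
        for pattern in passes:
            self.raw[:] = os.urandom(total) if pattern is None else pattern * total
        self.free = list(range(total // BLOCK))
        self.dir = {}


def demo():
    """Returns (gone from directory, still on disk after delete, still on disk after wipe)."""
    disk = ToyDisk()
    # constructed file contents
    disk.write("taxes-2006.txt", b"name: J. Doe  SSN: 123-45-6789  refund: 1,204.00\n" * 3)
    disk.delete("taxes-2006.txt")
    gone = "taxes-2006.txt" not in disk.dir
    recoverable = disk.carve(b"123-45-6789")
    disk.wipe()
    after_wipe = disk.carve(b"123-45-6789")
    return gone, recoverable, after_wipe
```

On a real drive the overwrite has to be done on the block device by a purpose-built tool; SSD wear-levelling and remapped sectors can keep copies that a file-level overwrite never touches.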

Next time you donate a computer, whitewash the heck out of it. And when you buy a used computer, clean it the same way and then install a fresh OS on it. You don't want to see/read/hear someone else's secrets just as you don't want yours to be exposed.

Be safe!

Thursday, April 5, 2007

More Windows Issues

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1250157,00.html

It must be quite maddening for Windows users to realize that 'secure computing' is nowhere near secure nor is it all about computing!
The animated cursor problem/exploit is more bad news for both IE and FF users - apparently both use the same vulnerable modules.
Where does that leave the average user? Nowhere, really. It's somewhat incomprehensible that a simple thing like an animated cursor could introduce a hugely devious problem where a hacker could completely take over a user's computer when they simply visit a website.

To make things worse some IT folks are reporting problems with installing the patch itself - the classic 'umbrella with a leak' problem. Well, better to have a leaking umbrella than get soaked, huh?

More terrible news for regular Joes: it looks like RadioShack dumped sensitive customer data in an alley in Portland, Texas. The Texas AG is suing them (they could get up to $50K/violation).

Also, a breach at UCSF has possibly exposed thousands.

When/where will it all end? Probably never. As long as people continue to have SS numbers linked to every aspect of their lives, as long as they continue to have credit cards, and as long as they have something to protect, the breach will go on...

Be safe!

Thursday, March 22, 2007

The Alaska Fiasco

http://www.techworld.com/storage/news/index.cfm?newsID=8341&pagtype=samechan

Quite interesting, when someone that's come to save your data ends up destroying it :-) albeit inadvertently.

Apparently those responsible for backing up data for a bunch of files from Jan 2006 never "checked a box" requesting it be backed to tape. When a glitch arose in an EMC (www.emc.com) array the specialist figured out that the fix was to clean the area that was corrupted. In the process some key SQL files were deleted as well, making restoring of the lost data impossible. Why? Because the data had never been backed to tape, that's why. A single, simple unchecked check-box. See what happens when you don't have formal processes and procedures to accomplish even seemingly mundane IT tasks and duties?
Now they're coming up with a formal backup plan.

Now imagine if this had been a public/private company and not the govt. Hmmm.

In any case, what did they do to fix this? Go back to good ol' paper is what. Four part-timers over 2 months scanned in the paper copies and finished the task at a cost of $200K. Not something I'd want to pay for someone's dereliction of duty, but since when did we taxpayers get a say in the affairs of our govt!

Overall, this is what I'd recommend:
1. Institution of a Backup Policy:
a. Rate data (not information - that is to come later) in tiers of importance - say 1-4 (1=critical)
b. Critical data to have incremental backup every 30 minutes or every hour depending on activity, with full backup every 6 hours
c. Level 2 data incremental backup every 4 hours or so, with full backup every 6 hours
d. Level 3 data incremental backup every 6-8 hours, with full backup every 10-12 hours
e. Level 4 data full backup every day

2. Follow Processes:
a. Implement ITIL/COBIT - they not only guide you on implementing specific processes, but also help you isolate responsibilities and increase productivity. ITIL is the future of IT management. Without it you're not going to be able to converse intelligently with other entities that are ITIL compliant
b. Hire only those companies that follow ITIL methodologies themselves
c. Hire an independent consultant to take a look at the mess that's the IT dept and follow any and all reasonable suggestions. Break existing philosophy and destroy any comfort levels that you may have absorbed; this isn't your data - it belongs to US!
d. Run backup tests every month - WITHOUT FAIL. If you're caught napping you're out
e. Do a FULL backup and recovery test every 3 months. I can't emphasize enough the importance of being prepared. What might cost you very little now will save you hundreds of thousands or even millions of dollars later on. Don't risk it - just test it

3. Follow-up:
a. Every quarter, have a meeting with the IT guys - what is missing, what can be improved, what needs to be changed, what should be chucked. Listen to them - they are your ears and eyes, and without them you're severely restricted in what you know. And while you don't have to do everything they say, at least think about it
b. Implement benchmarks 1 year from the time you started the project. No point having benchmarks too early in the game. Nothing to compare. Mark the improvement (hope it's improvement!) - on a chart and use it to inspire non-compliant members
c. Institute performance bonuses and rewards for education (ITIL certification etc)
d. Train every employee on the importance of data and its criticality
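To make the tiered policy in item 1 checkable rather than a matter of someone remembering to tick a box, here is an added example (my own code, not from the article or the agency involved) that audits a backup manifest against the tier limits. The maximum ages use the upper bound of each range above, and the dataset names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumed maximum age per tier, derived from the tiered policy above
# (tier 1: hourly incremental / 6h full ... tier 4: daily full only).
POLICY = {
    1: {"incremental": timedelta(hours=1), "full": timedelta(hours=6)},
    2: {"incremental": timedelta(hours=4), "full": timedelta(hours=6)},
    3: {"incremental": timedelta(hours=8), "full": timedelta(hours=12)},
    4: {"incremental": None,               "full": timedelta(hours=24)},
}


def audit_backups(datasets, now):
    """Return (dataset, problem) tuples for everything outside policy.

    datasets: dicts with keys name, tier, last_incremental, last_full;
    a timestamp is None when that backup type has never run.
    """
    findings = []
    for ds in datasets:
        tier = ds.get("tier")
        if tier not in POLICY:
            # The Alaska failure mode: data never enrolled in any backup job.
            findings.append((ds["name"], "not enrolled in any backup tier"))
            continue
        for kind, max_age in POLICY[tier].items():
            if max_age is None:
                continue  # this tier does not require that backup type
            last = ds.get(f"last_{kind}")
            if last is None:
                findings.append((ds["name"], f"no {kind} backup has ever run"))
            elif now - last > max_age:
                age_h = (now - last).total_seconds() / 3600
                limit_h = max_age.total_seconds() / 3600
                findings.append(
                    (ds["name"], f"{kind} backup is {age_h:.1f}h old (limit {limit_h:.0f}h)"))
    return findings


# Constructed sample manifest (hypothetical names, not real systems).
NOW = datetime(2007, 3, 22, 12, 0)
SAMPLE = [
    {"name": "payroll_db", "tier": 1,
     "last_incremental": NOW - timedelta(minutes=20), "last_full": NOW - timedelta(hours=5)},
    {"name": "permits_2006", "tier": None,            # the unchecked check-box
     "last_incremental": None, "last_full": None},
    {"name": "archive_scans", "tier": 4,
     "last_incremental": None, "last_full": NOW - timedelta(hours=30)},
]

if __name__ == "__main__":
    for name, problem in audit_backups(SAMPLE, NOW):
        print(f"{name}: {problem}")
```

Run it from cron and page someone on any non-empty result; the point is that an unenrolled dataset shows up as a finding instead of silently never being backed up.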

What is somewhat disturbing is the way the data just got wiped out. I mean, come on, a "specialist" can come by and simply destroy anything he wants (of course, by accident)? Shouldn't there be safeguards against precisely these kinds of incidents? How about getting permission from a resident IT expert before purging data, or just backing it up to another disk before attempting to delete something? I know it's very hard to imagine how erasing just a few files can cause havoc, but that's the nature of databases. Indexes, journaling, logging - you've got to be aware of these concepts before you touch anything related to databases.