Securing data can be hard work. It can be complicated. It can be expensive. And then sometimes you see people putting so little effort into it that there’s just no excuse.

An example of this was sent to me by a reader. In anticipation of new gun control laws scheduled to take effect October 1, tens of thousands of citizens of Maryland applied for gun permits, which requires a background check.

The Maryland State Police, charged with performing the background checks, don’t have the resources to do it soon enough, and, according to the Baltimore Sun, “Gov. Martin O’Malley said … that the state is mustering all necessary resources” to complete the task in time.

“Mustering all necessary resources” in this case means “cutting corners.”

First the state scanned the forms. Then, in order to expand access to the data necessary to perform the background checks to over 200 data entry personnel in non-law enforcement agencies, the state set up a publicly-accessible web site with a single shared username and password.

The data entered in the site included driver’s license numbers, social security numbers, addresses and other personally identifying information.

via Maryland state security sloppiness exposes personal data | ZDNet.

There’s an old phrase: “garbage in, garbage out”. I’m wondering if “Personally Identifiable Information” (PII) should replace “garbage” going forward.

What irks me about these situations is that the same government that puts the protection measures into place often isn’t held to the same protections. These days it seems like governments and their contractors are the ones most likely to end up on the front page with an easily preventable information disclosure.

Perhaps this is yet another example of the public sector in need of disinfecting daylight.

GFI Software announced the findings of an extensive independent research project looking at end user use of mobile devices at work and in their daily commute to and from the workplace, which revealed that commuters are using free, unsecured and unknown Wi-Fi services for accessing sensitive company data in greater numbers.

The survey of 1,001 UK office workers with a tablet or smartphone who travel to and from work on a train, bus or tube was carried out by Opinion Matters, and revealed not only that mobile devices and using data services are firmly entrenched as the primary activity of the average commuter, but also that commuters and their employers are falling foul of data security issues, as well as heightened risk of physical crime.

100% of the survey respondents acknowledged that they used open, public Wi-Fi connections at least once a week to carry out work-related tasks such as sending and receiving email, reviewing and editing documents and logging into other company servers and storage repositories.

On average, users connected to public Wi-Fi to do work and access work systems 15 times a week, putting company data and passwords at risk from packet sniffing and other forms of traffic interception.

via Travelers regularly connect to free, unsecure Wi-Fi networks.

Mobile users, especially those that travel regularly, are prime targets in any enterprise. Security education needs to start with these users but often doesn’t. Heavy travelers tend toward high-ranking managers or corporate officers. They tend toward the attitudes:

  • Security breaches are something that happens to other people
  • I’m too important
  • Nothing bad ever happens to me

The coddling nature of many corporate IT departments toward the higher-ups ultimately leads to major security breaches. The “velvet glove” approach to executives encourages the sense of invincibility that leads to a major security breach.

IT departments would do better by treating all users as adults and professionals able to handle direction and constructive criticism.

By extension, a manager or corporate officer – made aware of the real threat – will be more likely to fire up the VPN than surf the unprotected Wi-Fi.

Your mileage may vary.

What is your take?

This is really interesting research: “Stealthy Dopant-Level Hardware Trojans.” Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage is undetectable by functional testing or optical inspection. And it can be done at mask generation — very late in the design process — since it does not require adding circuits, changing the circuit layout, or anything else. All this makes it really hard to detect.

The paper talks about several uses for this type of sabotage, but the most interesting — and devastating — is to modify a chip’s random number generator. This technique could, for example, reduce the amount of entropy in Intel’s hardware random number generator from 128 bits to 32 bits. This could be done without triggering any of the built-in self-tests, without disabling any of the built-in self-tests, and without failing any randomness tests.

via Schneier on Security: Surreptitiously Tampering with Computer Chips.
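As an added illustration of why randomness tests cannot catch this (my code, not the paper’s or Intel’s): a constructed generator that expands a seed with SHA-256 in counter mode, standing in for the chip’s conditioner, passes a frequency test and a chi-square test whether the seed has 128 bits or only 32, because those tests measure the output distribution, not how many distinct streams the generator could ever produce.

```python
import hashlib
import math

def seeded_stream(seed: bytes, nbytes: int) -> bytes:
    """Expand a seed into nbytes of output with SHA-256 in counter mode.
    Every output bit is a deterministic function of the seed, so the
    stream carries no more entropy than the seed, however long it is."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def distinct_streams(seed: bytes) -> int:
    """Number of different output streams this generator can ever produce."""
    return 2 ** (8 * len(seed))

def monobit_z(data: bytes) -> float:
    """NIST SP 800-22 style frequency test: normalised excess of 1 bits."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return abs(2 * ones - n) / math.sqrt(n)

def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of byte frequencies against a uniform expectation."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_random(data: bytes) -> bool:
    """Loose pass thresholds: |z| < 4 and chi-square < 350 at 255 degrees of freedom."""
    return monobit_z(data) < 4.0 and chi_square_bytes(data) < 350.0

# Constructed seeds: a healthy 128-bit seed and a sabotaged 32-bit one.
HEALTHY_SEED = bytes(range(16))
SABOTAGED_SEED = bytes(range(4))

if __name__ == "__main__":
    for name, seed in (("healthy", HEALTHY_SEED), ("sabotaged", SABOTAGED_SEED)):
        stream = seeded_stream(seed, 4096)
        # Both pass the statistical tests; only the stream count differs.
        print(name, looks_random(stream), distinct_streams(seed))
```

The only observable difference is `distinct_streams`, which no black-box statistical test on the output can measure.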


Assume that it’s time for Bob’s performance review.

Bob’s boss says he’s a great addition to the team. Easy to work with!

And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!

Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.

Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?

via Should employees be punished for sloppy cyber security? [POLL] | Naked Security.

A thought experiment, sure, but one that leads in some interesting directions.

The joy of out-of-date Java:

As predicted at the end of 2012 and proved by the ever expanding use of exploit kits, vulnerabilities in popular and widespread software such as Java and Adobe’s Acrobat Reader and Flash top the list of the most exploited by cyber crooks.

Zero-day vulnerabilities are less of a problem than old ones – in fact, given that many people still use older, vulnerable versions of the software, wielding exploits for zero-days is practically unnecessary for your average cyber crook that goes after money.

via Attacks targeting unsupported Java 6 are on the rise.

I ran into an instance of someone running Java 5, which is akin to your second cousin calling you about a problem he’s having on Windows ’98.

Apple has distributed a list of security fixes in the just-released iOS 7 software update. And it’s as long and encompassing as you’d imagine any major platform update would be. I haven’t seen them online yet, so I’m reproducing it here for anyone who’s urgently interested. When/if Apple posts it to their knowledge base, we’ll update and link out.

via Apple details security fixes in iOS 7. And there’s a ton of them! | iMore.

I haven’t updated any of my devices yet, and I doubt I’ll go down the iPhone 5* path. I’m happy Apple addressed security issues. I hope they’ll backport some of these for devices that can’t run iOS 7.