Category Archives: Security

Countrywide Breach

There is something really sad and ironic about the title “Countrywide Breach”. But the facts are the facts. There has been a Countrywide Breach in America. Two men are accused of conspicuously downloading all the Countrywide customer records over two years and selling them for relatively little ($70K).

The former employee, Rene L. Rebollo Jr., 36, of Pasadena, was charged with exceeding authorized access to the computer of a financial institution, the FBI said in a statement.

[…]

Rebollo would go into work on Sunday afternoons, log onto his company’s network and download the data onto flash drives, the complaint said.

Investigators believe he was selling the information to Siddiqi, who allegedly acted as a middle man for the companies that bought it, the complaint said.

The FBI says this was unauthorized and therefore a criminal act. That makes me wonder. I get privacy-practice notices from Countrywide all the time, (unfortunately) being a (vulnerable) customer of theirs, and they repeatedly warn me that unless I actively tell them to protect my records, those records may be sold to other firms. I am tempted to ask whether Rebollo is considered unauthorized only because he did not bother to pay Countrywide a portion of his revenue.

Are you surprised that the accused worked with the subprime mortgages:

Rebollo had access to Countrywide client information when he worked as a senior financial analyst for the subprime mortgage division, known as Full Spectrum Lending, according to the criminal complaint.

The bottom line here is that approximately 2 million records were sold (at $0.025 each, or $500 for 20,000) over a two-year period. The fact that this was all done via a flash drive on Sunday afternoons suggests it could have been detected easily and early. Was it an insider? A contractor? An outsider with inside connections? Who really cares about the perimeter anymore? The data flowed, and for a long period the access was apparently broader than the role should have allowed.
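To make the "could have been detected easily and early" point concrete, here is an added example (mine, not code from the original post or from Countrywide) of the kind of detection rule an endpoint or DLP log feed would support: flag any user whose off-hours copies to removable media add up to a bulk export within a rolling window. The log format, the user names, the thresholds and the business-hours definition are all assumptions, and the log lines are constructed for the example.

```python
"""Added example: detect off-hours bulk copies of records to removable media.

Assumed log format (one event per line, constructed for this example):
    <ISO timestamp> <user> <action> <destination> <record_count>
Nothing here is real Countrywide data or a real Countrywide log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 2008-05-04, -11 and -18 are Sundays;
# 2008-05-06 and -13 are Tuesdays.
SAMPLE_LOG = """\
2008-05-04T14:05:00 analyst01 COPY removable:usb0 20000
2008-05-04T14:40:00 analyst01 COPY removable:usb0 20000
2008-05-06T10:15:00 analyst02 COPY share:finance 150
2008-05-11T13:50:00 analyst01 COPY removable:usb0 20000
2008-05-13T09:02:00 analyst02 COPY removable:usb1 40
2008-05-18T15:20:00 analyst01 COPY removable:usb0 20000
"""

BUSINESS_DAYS = range(0, 5)    # Monday..Friday (assumed)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local (assumed)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dest, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "dest": dest,
            "count": int(count),
        })
    return events


def is_off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def detect_offhours_removable_exports(events, window=timedelta(days=30),
                                      threshold=10000):
    """Return {user: {"records": n, "first_alert": ts}} for every user whose
    off-hours COPY events to removable media total at least `threshold`
    records inside any rolling `window`. `first_alert` is the timestamp of the
    event at which the rule first fired, i.e. how early the behaviour was
    catchable; `records` is the largest windowed total seen for that user.
    """
    per_user = defaultdict(list)
    for e in events:
        if (e["action"] == "COPY" and e["dest"].startswith("removable:")
                and is_off_hours(e["ts"])):
            per_user[e["user"]].append(e)

    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, running = 0, 0
        for i, e in enumerate(evs):
            running += e["count"]
            # Slide the window: drop events older than `window` before this one.
            while e["ts"] - evs[start]["ts"] > window:
                running -= evs[start]["count"]
                start += 1
            if running >= threshold:
                entry = alerts.setdefault(user, {"records": 0, "first_alert": e["ts"]})
                entry["records"] = max(entry["records"], running)
    return alerts


if __name__ == "__main__":
    for user, info in detect_offhours_removable_exports(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['records']} records to removable media "
              f"off-hours; first fired at {info['first_alert']}")
```

With the sample data the rule fires on the very first Sunday afternoon copy, and the weekday copy of 40 records to a USB stick by the second user is ignored because it is small and inside business hours. In practice the threshold would be tied to what the role legitimately exports, which is the other half of the problem the post raises: the access itself was broader than the role warranted.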

Also interesting to note that Countrywide claims only 19,000 identities have really been compromised so far…but given 2 million records leaking over two years, who would trust their own detection and accounting numbers?

Perhaps that’s too much sarcasm for this morning. Need coffee…

Domestic Terrorism in Santa Cruz

Following on the heels of my post last week about the ongoing violence in America and the confusing definition of domestic terrorism, local police have quickly identified a case in Santa Cruz as a candidate:

Santa Cruz police officials said Sunday the case will be handed to the FBI to investigate as domestic terrorism while local authorities explore additional security measures for the 13 UCSC researchers listed in a threatening animal-rights pamphlet found in a downtown coffee shop last week.

“The FBI has additional resources and intelligence into groups and individuals that might have the proclivity to carry out this kind of activity,” police Capt. Steve Clark said. “The FBI has a whole other toolbox of tools for this kind of investigation.”

Nice quote, Mr. Clark. I will have to remember to watch out for the toolbox of tools. That’s different from the toolbox of rubber ducks and fake mustaches that they use for cases deemed not to be terrorist related.

Dead Prez on Government

People often ask how to simplify compliance in information security and governance. They want to know if it can all be boiled together. I remember one CIO who said “just give me one list!”

I had put together a couple of slides on why this is an 80/20 question, never a perfect fit, but I like how Dead Prez rhyme a similar answer:

“Crack is like a Democrat; Cocaine Republican; Marijuana Independent Party. Same government…”

I guess I’m intentionally being opaque on this to protect my own rhymes, besides the fact that theirs are probably better anyway. Imagine a board room where a security consultant performs a poetic recital of risks. Yeah, that’s what I’m talking about. It will be subtle, trust me.

Similarities and differences. Analysis is not synthesis.

Acrylamide battle – potato chip makers pay $3mil

I had no idea this was even an issue, but apparently the lawsuit has been going on for three years and that is after a prior settlement with fast-food companies over the same violations. The Associated Press reports:

California sued H.J. Heinz Co., Frito-Lay, Kettle Foods Inc., and Lance Inc. in 2005, alleging they violated a state requirement that companies post warning labels on products with carcinogens.

The companies avoided trial by agreeing to pay a combined $3 million in fines and reduce the levels of acrylamide in their products over three years, officials said.

The FDA says the dangers of high doses of acrylamide in food were only just discovered in 2002. Here are the top five food types documented in 2006 with a mean acrylamide (AA) intake greater than 0.027 µg/kg bw/day:

  1. French Fries
  2. Potato Chips
  3. Breakfast Cereal
  4. Cookies
  5. Brewed Coffee

Interesting that the lawsuit started when the data seems to have first become available. There must be more to the story. Also interesting that most employers in America provide chips and coffee to staff. Do they know they are killing them slowly with carcinogens?

I often go to a place now that keeps unlimited amounts of cheap processed breakfast cereal out in plastic tubs and serves trans-fat products in baskets. I tried to explain the risk to facilities, but they said they had to buy whatever was cheapest. Sadly, I found it impossible to explain the irony of this insecure perspective. Until the harm is real and present, staring them in the face and threatening their pocketbook, they play dumb.

The lack of warning or information from the FDA has been noticed elsewhere. A CSPI story from 2002 highlights a more global view of health and safety:

Today is the first day of a three-day closed meeting in Geneva of experts convened by the World Health Organization (WHO) to discuss the health ramifications of the acrylamide discovery, which has since been confirmed by the British, Swiss, and Norwegian governments. The United States Food and Drug Administration (FDA) though, has been standing on the sidelines of what is fast becoming a major global debate, according to CSPI, which today called on the agency to treat acrylamide with greater seriousness.

“The FDA has been strangely silent about acrylamide,” CSPI executive director Michael F. Jacobson said. “It should be advising consumers to avoid or cut back on the most contaminated and least nutritious foods while more testing is done across the food supply. The FDA also should be intensively investigating ways of preventing the formation of this carcinogen.”

California is suing, not the federal agencies. The story from 2002 did not make the big news, as far as I can tell, despite the impact on American national security as explained in 2002:

The amount of acrylamide in a large order of fast-food French fries is at least 300 times more than what the U.S. Environmental Protection Agency allows in a glass of water. Acrylamide is sometimes used in water-treatment facilities.

“I estimate that acrylamide causes several thousand cancers per year in Americans,” said Clark University research professor Dale Hattis. Hattis, an expert in risk analysis, based his estimate on standard EPA projections of risks from animal studies and limited sampling of acrylamide levels in Swedish and American foods.

With the EPA backing down from protecting consumers and wildlife in favor of industrial self-regulation, one can only presume states and citizens are on their own here to battle those who would do them harm. Cheers to California for taking a stand on an important issue, just as it did with breach notification laws.