San Francisco Lets Identity Data Leak Into the Streets

Most of the news I have seen lately about San Francisco information security has centered around a disgruntled employee who “locked” the city’s management from the network after he claimed they were not to be trusted. Now there is a new twist to the city’s troubles as a TV crew stumbled upon a physical security breach of identity information:

It’s trash day in the city and the scavengers are out rifling through the garbage bins in a San Francisco alley. A KTVU cameraman caught two individuals with pick-up trucks stopping briefly before hauling away armloads of paper. No one challenges them as they steal from the unsecured blue bins.

A closer look shows some of what they left behind: confidential documents from the San Francisco Human Services Department.

The station believes thousands of records were exposed. With sales of personal shredders having skyrocketed in recent years, city staff remain unaware of the need to secure these documents? Hard to believe. There were two individuals with pickup trucks? Did the TV crew get their license plates, even though they did not challenge them? This story raises a number of strange questions.

Perhaps the most interesting question is whether disposal bins should be open containers. Many dumpsters are locked to prevent unauthorized parties from filling them, but how many full dumpsters are locked to prevent theft of what is already inside? It is, in fact, illegal to remove anything from city containers, and yet no actual mechanism is provided to secure the material. For example, what if the garbage trucks had an RFID emitter that would unlock bins upon arrival? The bins would need little more than a lock controlled by a tag. The procedure could be for buildings to leave the bins open while inside their physically secure premises, and then to close the lid (activating the lock) when they set them out on the street.
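The curbside-lock idea above, worked through as an added example (my own code, not from the post or the city): it assumes the bin and the truck share a key and uses an HMAC challenge-response so the truck's tag cannot simply be recorded and replayed, a refinement the post's sketch does not specify.

```python
import hashlib
import hmac
import os

class SmartBin:
    def __init__(self, truck_key: bytes):
        # Assumption: the bin and the collection truck share a secret key, so
        # the truck proves itself on each visit instead of broadcasting a
        # static tag ID that anyone could record and replay.
        self.truck_key = truck_key
        self.locked = False        # lid open and unlocked while on the premises
        self._challenge = None

    def set_out(self) -> None:
        # Closing the lid at the curb engages the lock.
        self.locked = True

    def challenge(self) -> bytes:
        # Fresh random nonce handed to whatever approaches the bin.
        self._challenge = os.urandom(16)
        return self._challenge

    def unlock(self, response: bytes) -> bool:
        # Opens only for a response bound to the current, unused challenge.
        if self._challenge is None:
            return False
        expected = hmac.new(self.truck_key, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # single use: a recorded answer cannot be reused
        if hmac.compare_digest(expected, response):
            self.locked = False
            return True
        return False

def truck_response(truck_key: bytes, challenge: bytes) -> bytes:
    # What the truck's tag answers on arrival.
    return hmac.new(truck_key, challenge, hashlib.sha256).digest()

def simulate_pickup_day() -> dict:
    key = b"constructed-demo-key"  # constructed value, not a real provisioning key
    bin_ = SmartBin(key)
    bin_.set_out()
    locked_at_curb = bin_.locked
    # A scavenger replays an answer recorded during an earlier pickup.
    stale = truck_response(key, os.urandom(16))
    bin_.challenge()
    replay_opened = bin_.unlock(stale)
    # The real truck answers the live challenge.
    truck_opened = bin_.unlock(truck_response(key, bin_.challenge()))
    return {"locked_at_curb": locked_at_curb, "replay_opened": replay_opened, "truck_opened": truck_opened}
```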

Loopholes in Indian Maritime Regs

LiveMint of The Wall Street Journal points out that a shipping firm in India is finding ways to evade regulators and taxes:

Mercator Lines Ltd, India’s second biggest private shipping firm, has registered more vessels outside the country in a bid to skirt tight local regulations while trying to reap the benefits of tonnage tax, a levy based on the cargo capacity of ships that reduces maritime companies’ tax burden.

The Mumbai-based firm has registered four dredgers, which it purchased in the past year, in the Comoros, an island nation in the Indian Ocean off the eastern coast of Africa, said an official at the directorate general of shipping, the maritime regulator.

I always wonder when I see ships that have city names on them whether there is really any actual association. What is needed to authenticate a ship as genuinely from a port-of-call? Nothing, apparently.

All the ships have been registered outside India directly, without opening a subsidiary in either Marshall Islands or the Comoros.

By doing this, Mercator can hire officers and crew from any part of the world, unlike ships registered in India, which have had to employ only Indian nationals. Last week, the regulator eased the clause on hiring only Indian nationals, but ship owners say strict conditions still apply to employment of foreigners.

Easy to see why the loophole is so attractive, and the irony now, of course, is that Mercator has to request that the authorities treat these non-Indian ships as equal to Indian ships. The question is how a regulatory body should respond when a Mercator ship arrives with an international crew and “Domoni” stenciled on its stern. Their identity profile is different, so should they be authorized?

This seems similar to the debate over yacht tax loopholes in America these days. A typical story runs like this:

Jack Darcy of Redmond paid cash for a $2.2 million yacht through a Lake Union dealership last April, but he didn’t pay a dime in Washington sales taxes.

Instead, the retired corporate executive saved $200,000 by signing papers to buy his snazzy new 73-foot yacht three miles off Washington’s coast, in international waters.

[…]

Before California state law changed last month, resident boat owners needed only to keep their craft away from California for 90 days after purchase. Then they could sail home and never pay a sales tax. Most went to Mexico and were dubbed the 90-day yacht club.

In California the regulators then passed a rule called Chapter 226 that extended the time away from 90 days to a full year. Reports showed closing the so-called “sloophole” had little negative impact.

The state’s official Legislative Analyst’s Report concluded that the temporary one-year law had not resulted “in the sharp reduction in vessel-related sales that some had feared.” According to the report, the law resulted in a $20 million increase in state and local tax revenues from yacht sales made to California residents.

Strangely enough, even though the Republican Governor called on the state to close the gap permanently, he found little support from his party. An LA Times editorial painted a disturbing picture:

Like the characters in some hippie-era pop song, many Republican lawmakers in Sacramento have decided to let this troubled world fend for itself while they sail away to some imaginary shore. On yachts. After dodging their taxes

…or like characters in maritime law who like to ply the International waters as a path to alter their identity just long enough to escape a duty before returning “home” to lay claim to local privileges.

Phishing Sites Turn to (Legitimate) Profit

The long-standing problem with phishing, including spear phishing, is that people are easily fooled. The authentication mechanisms we all use daily are full of flaws. What further proof of the ever-expanding market for fraud do you need than the fact that a commercial site has been set up to “educate” users by testing whether they are susceptible to fraud? This appears to be some sort of attempt to make a legitimate phishing site:

Over 15,000 corporate users have fallen prey to spear phishing.

Can your workforce dodge the hook?

The premise is simple: they ask you to enter your financial information, and then they will help you determine if someone in your company is vulnerable to a pitch where they are asked to enter financial information…

Not sure who the company is? Ah, just click on the “Who We Are” button and you will find a site with a completely different name (“intrepidusgroup.com”) that appears to have absolutely nothing to do with the “phishme.com” site.

Is that how they create trust?

Another friendly touch can be found on their blog. It would seem they are not lawyers, but they propose the following banner for mail servers:

220-NO UCE. You are hearby notified that ANY email sent here becomes
220 the property of the recipient and CAN be redistributed
220 publicly to ANYONE without consent or notice. This notice supercedes
220 any legal claim appended to the body of emails delivered here.

Not the most convincing “we’re here for you” sales strategy I have seen.

My favorite example of a similar service gone awry was when a penetration tester used a spear phishing test connected to an IRC bot. The problem was that the test was “successful” and the target was not only infected but the tester then was tasked to help clean the mess. Not the model I would recommend.

If these self-proclaimed “black hats” really want to make a difference, perhaps they could start by educating the banks on best practices so that their customers aren’t trained to be more susceptible to fraud:

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they’ve been conditioned to ignore potential clues about whether the banking site they’re visiting is real — or a bogus site served up by hackers.

The Onion Strangely Accurate in Prediction

Several people have pointed out to me that a January 2001 article in the Onion called “Bush: ‘Our Long National Nightmare Of Peace And Prosperity Is Finally Over’” was an accurate prediction of things to come for America:

“Finally, the horrific misrule of the Democrats has been brought to a close,” House Majority Leader Dennis Hastert (R-IL) told reporters. “Under Bush, we can all look forward to military aggression, deregulation of dangerous, greedy industries, and the defunding of vital domestic social-service programs upon which millions depend. Mercifully, we can now say goodbye to the awful nightmare that was Clinton’s America.”

“For years, I tirelessly preached the message that Clinton must be stopped,” conservative talk-radio host Rush Limbaugh said. “And yet, in 1996, the American public failed to heed my urgent warnings, re-electing Clinton despite the fact that the nation was prosperous and at peace under his regime. But now, thank God, that’s all done with. Once again, we will enjoy mounting debt, jingoism, nuclear paranoia, mass deficit, and a massive military build-up.”

Consider this detail:

During the 40-minute speech, Bush also promised to bring an end to the severe war drought that plagued the nation under Clinton, assuring citizens that the U.S. will engage in at least one Gulf War-level armed conflict in the next four years.

“You better believe we’re going to mix it up with somebody at some point during my administration,” said Bush, who plans a 250 percent boost in military spending. “Unlike my predecessor, I am fully committed to putting soldiers in battle situations. Otherwise, what is the point of even having a military?”

At least one?

How funny and silly it might have seemed in the initial days of the Bush administration…little did we realize back then that the majority of useful analysis and insight would need to come from the modern day equivalent of court jesters.

Mission accomplished yet?

Apparently Bush just tried to explain away the current financial crisis as “Wall Street got drunk — one reason I told you to turn off your TV recorders — and now it’s got a hangover.” Risk and consequences seem to be abstract concepts, or even a silly joke, to the President.