Everyday Privacy & Security Part 2: Fear Factor Authentication, or I Won’t Forget You Baby, Even Though I Should


If you are like me, or, if in fact, you are me, your online financial transacting experience has gone all Security 2.0 by the factor of WOW!

Over the weekend, I had an unpleasant experience. The clerk at our local What-Nots ‘N Such franchise denied me use of my cash card. I figured my financial institution was trying to protect me whilst humiliating me, so I scurried home and logged into my financial institution’s websperience.

But! Wait! My financial institution has gone all Fort Knoxy on my ass since the last time I websperienced them. They want to really get to know me before I can check out my balance. It went like this:

Dude! We’re all secure and stuff now. It may be a pain in the back-end, but you will thank us because we will know you better. It’s all legal. As a matter of fact, we wouldn’t even be doing this unless we had to, but banking is mostly about money, and partly about pretending. So let’s pretend.
Please enter your account number.

O.k. But, no, that was your SSN.

Wait. Ooops. O.k. Let’s call it an account number for now and move on.

Here are some fun disclosures for you to read. I’ll wait here whilst you peruse them. Our attorneys wrote them to be concise but with a hint of whimsy, sort of P.G. Wodehouse meets Sartre.

Done already? Man, took our lawyers a bit longer, but whatever. Let us begin.

Type in some random characters.

More… More…. TOO MANY.
Did you include some numbers? Try that.
And some non-alphanumerics.

O.k. Hope you remembered that. It could be your new password, or your new account number or what the tellers will whisper under their breaths when you come in to get a loan.

Now comes the fun part. To your right you will see pictures of six different semi tractor trailers. We’re going to use these pictures to identify you in the future.

Please pick the truck that most resembles your maternal grandmother.

Interesting choice.

Now some questions. Answer using your gut, and pretend that this is just between you and us. We’ll use these questions for something in the future, probably resetting your password when you realize that your keyboard doesn’t have a cent symbol on it. But pretend it’s a legit reason.

Answer the following to the best of your knowledge:

Your favorite color.

The brand undergarment you are wearing right now.

Your favorite place for making whoopee (City and State only, please!)


Your favorite Poison lyric.

Interesting. You know you just qualified for a boat loan the way you answered that last one.

Now just press enter. (I hope you have Javascript, ActiveX and are typing this from Internet Explorer 6 on Windows XP, ’cause else I don’t know what’s going to happen.)

Sorry! You chose the wrong truck. Let’s start again. Hit the back button. NO, NOT THAT BACK BUTTON!

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5


SSNS ON THE LOOSE! (Legacy Edition)


I’m trying to understand the newsworthiness of the latest episode of “SSNS On The L0OzE. OMG!!1!!”

Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for ’em. Contractor looks for ’em. Then they find ’em, in the wrong slot. A problem as old as the mainframe.

My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn’t state the format of the tapes, but I’m guessing it’s EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his “legacy” villainy.)

Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: “If In Doubt ASK”.)

What is the solution proposed by the contractor?

The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said.

I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.
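The “tracking spreadsheet” suggested above, reduced to code, as an added example that is not part of the original post and not anything the agency or contractor uses: a custody log of check-out and check-in events, reconciled against the expected slot inventory so that a tape returned to the wrong slot, a tape out for too long, or a tape nobody has a record of all get flagged. Tape IDs, slot names, operators, dates and the 48-hour threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    tape_id: str
    action: str       # "checkout" (taken from a slot) or "checkin" (returned to a slot)
    slot: str
    operator: str
    when: datetime


def chain_of_custody(events, tape_id):
    """All recorded handling of one tape, oldest first."""
    return sorted((e for e in events if e.tape_id == tape_id), key=lambda e: e.when)


def reconcile(inventory, events, now, max_out=timedelta(hours=48)):
    """Compares the custody log against the expected inventory.

    inventory maps tape_id -> home slot. Returns which tapes are checked out
    past max_out, which were returned to the wrong slot, and which are not in
    the inventory at all (a handling record for a tape nobody tracks).
    """
    report = {"overdue": [], "misfiled": {}, "unknown": []}
    for tape_id in sorted({e.tape_id for e in events}):
        if tape_id not in inventory:
            report["unknown"].append(tape_id)
            continue
        last = chain_of_custody(events, tape_id)[-1]
        if last.action == "checkout":
            if now - last.when > max_out:
                report["overdue"].append(tape_id)
        elif last.action == "checkin":
            if last.slot != inventory[tape_id]:
                report["misfiled"][tape_id] = last.slot
        else:
            raise ValueError(f"unknown action {last.action!r} for tape {tape_id}")
    return report


# Constructed sample: three tapes with home slots, and a log of handling events.
SAMPLE_INVENTORY = {"T-1001": "A-01", "T-1002": "A-02", "T-1003": "A-03"}
SAMPLE_EVENTS = [
    Event("T-1001", "checkout", "A-01", "op1", datetime(2007, 4, 1, 8, 0)),
    Event("T-1001", "checkin", "A-02", "op1", datetime(2007, 4, 1, 9, 0)),    # wrong slot
    Event("T-1002", "checkout", "A-02", "op2", datetime(2007, 3, 20, 14, 0)),  # never returned
    Event("T-9999", "checkout", "B-01", "op3", datetime(2007, 4, 1, 10, 0)),   # not in inventory
]
NOW = datetime(2007, 4, 2, 9, 0)  # constructed "now" for the reconciliation run


def sample_report():
    """Reconciles the constructed log; the untouched tape T-1003 raises no flag."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    print(sample_report())
```

Run the reconciliation on a schedule (end of shift, or before each quarterly report goes out the door) rather than only when someone notices a tape is gone; the point of the control is that the “wrong slot” case is found by the log, not by the mail room.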

Diamonds Are Forever image courtesy Xeni.


Throwing Scorpion Out With the Frog Water


Declan McCullagh says that the federal government is unlikely to implement the National Research Council’s privacy recommendations, in particular, a privacy commissioner, because it isn’t in the federal government’s scorpion-like nature. Ars Technica also has coverage. (And why must it always be a czar?)

The US is having the same issue with privacy legislation that it had with television resolution. We adopted early, because we needed to see our Felix the Cat on the airwaves, and 441 lines of resolution are all that NBC in 1941 could muster. Likewise, the privacy principles developed by the US government in the 1970s were developed too soon, when databases were just creeping out of the punch card era. US privacy law ends up like broadcast TV sets – an archaic lo-res standard, while other parts of the world lagged behind, but adopted a more advanced standard. Think of Europe’s Privacy Directive as PAL.

From what I’ve read of the NRC’s paper (the Executive Summary), it seems they are going for a full blown HiDef 1080p Dolby Surround sort of privacy regime. Just as the networks dragged their feet on the 441 lines of resolution until they were forced to move ahead with HD by the FCC, so will industry drag their feet on privacy until a privacy czar, prince or archbishop cajoles them into the 21st century. I’m being optimistic, but at least the frog was committed.

Lo-Res Felix from FelixtheCat.com


Waffle are Just Pancakes with Little Squares On ‘Em

I’ve been working on something, but I don’t know if it will make it by race time in Shanghai.

In the meantime, the most important part of internal auditing is “production value.” And we know what that means.


Impacted Molars

Brighter Teeth

From Educational Security Incidents via Pogo comes this terrifying story of privacy laden scratch paper from the land of the gigantic stone Texan. Apparently Sam Houston State U. uses a student ID number that is not their SSN. Hooray! But they do sometimes print out sheets that correlate the student ID with the SSN for the math lab to use as scratch paper. Boo! But this was strictly against policy, and was surely attributable to the Soviets since:

“After a security briefing last summer, we no longer use SSN’s, we only use Sam ID numbers to keep Identity Fraud down,” Harris said. “It is against the University’s procedures to use SSN, so if it prints off, we automatically white the information out.” [emphasis all mine]

Teacher’s high indeed!

Fresher Breath
From Dark Reading, a grim story of my home town, in which it is portrayed as the hipsterest, most l337 joint for the securi-hacker community. The worst part is that it mentions my coffee shop. I’ll never feel safe using wi-fi again. (Actually, I usually limit myself to consumption of paper based information at coffee shops. But that’s just me.) (And the coffee shop is not the one that is fully populated with jaded 21 year old grad students.) (It’s the other one.)

Extra tooth
I agree with this comment to this Dark Reading article on the e-Gold dust-up. However, I believe that the phrase “going for the juggler” was an error. I’ve generally expressed the sentiment as “going for the juggalo.” The powers that be are generally in a state of going for the juggalo.

Romanian toothpaste from Jessamyn


Go Ask Alec Baldwin


SSL apostate Ian G. refers to an article on estimation of loss due to a privacy breach.

I think we are measuring the wrong thing, and operating on these assumptions is dangerous.

From the article, a Forrester analyst says:

“After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number.”

The $90 – $305 range smacks of too much precision and not enough accuracy. Only software project managers can get away with ranges like that. These numbers are more harmful than worthwhile. Most of these factors are not driven by record count (legal fees, stock plummets or lost productivity). Record specific costs are generally lower (call center and postage – and if you lose enough records, you don’t even have to mail notices). So let’s just call it BTUs per furlong and call it a day. And I don’t think “customer losses” is as important in assessing the risk as “losses to customer.”

The next Forrester quote underlines the problem I have with the general corporate thinking about privacy breaches:

“Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future.”

The reason you could get away with just fixing it and moving on was because the company didn’t lose anything it owned. What it lost was owned by its customers. Losing one bit of highly sensitive data about one litigious customer could cause more damage than a dozen laptops filled with the SSNs of 10 million people.

It’s the “loss to the customer” that will drive your high dollar PR and legal efforts, which have scale, and can dwarf your call center and postage costs in an afternoon.

I’d like to take the data, rehash it according to type of breach, sensitivity of data and litigiousness of customer. Then I think you’d start on the road to a meaningful metric.


The Red, Yellow and Green Legos of Judgment


I’m out here in Coyote and Roadrunner land, knee deep in internal auditing. I co-presented yesterday on privacy, as a co-author of an Institute of Internal Auditing publication.

It’s been an interesting couple of days, driven in part by the isolation of the location. As attractive as a golf/casino resort may sound, it’s not so groovy if you don’t golf, don’t gamble and didn’t have the foresight to rent a car. I can meditate on the cacti, and read. I packed a couple of books to get me in and out of the Internal Auditing mindset: The Digital Person by Daniel Solove (highly recommended), a Kierkegaard anthology (because what is auditing but fear, trembling, and sickness unto death?) and Nassim Nicholas Taleb’s The Black Swan (I’ve been alternately writing “YES!” and “BULLSH*T!” in the margins. (It’s my policy to keep the margins safe for work.))

But this morning I had my own inverse Damascus moment, as Bill Power (if that is his real name) of the PCAOB was giving the assembled throng his information technology application auditing method, as demonstrated through a manufacturing case study. It was interesting enough as analysis of manufacturing financial systems go (yes, exactly that interesting), but at the end of his case study it seemed to me that he just plopped Red, Yellow and Green Legos into the risk spaces in his spreadsheet, and chalked it up to judgment. In fact, one of the slides read something like “RISK ASSESSMENT IS ALL JUDGEMENT” (I’d quote directly, but his presentation is not on the conference CD-ROM. I do remember he spelled “Judgment” with two “E”s.)

O.k. Sure. Risk assessment without judgment is pretty worthless. And auditors have an obligation to use their judgment to assess risk. Nonetheless, it doesn’t seem worthwhile to go through all this spreadsheetin’ and flowchartin’ just to get to the point where you pull red, yellow and green Legos out of your velvety Audit Sack of Judgment and snick-snack them onto the financial information systems and processes master control grid. How about the stuff you don’t understand well enough to apply judgment? I’m getting the idea that it’s called “Out of Scope.”

At what point does “judgment” intersect with “caprice”?

Go ahead, call me naive (if you haven’t already). But it’s getting dark, and I’m going to see if the cows come back to the hotel parking lot again tonight. This time I’ll be ready.

Photo courtesy of The Bill.


Apocalypse Pooh

It’s a grim world around us. A mass murder turns into a cynical ploy to promote and condemn any issue you care to name, or exploit the grief for naked profit.

How can I deal, in the short term, except for a brief absurd laugh?


Thanks to the Moonshine Mountaineer for the Youtoobage.


Sweet Fancy Moses


Lots of odd stuff (mostly from Pogo & Fergie):

Why Justice Went Blind The courthouse security folks in El Paso County can see you nekkid.
“The new machine will not replace the metal detectors already in use at the judicial complex. Instead, it will replace two of the security guards who use wands to screen entrants that set-off the metal detectors. The board of commissioners estimates by replacing the guards with the body scanner the county will save $64,704 a year.”
Outstanding! You can see my ass, and fire two guards!

Consumers Are JUMPY! “77 percent of Javelin’s respondents said they intend to stop shopping at sites that have experienced data breaches.” Well, I’m firing Trans Union, the IRS & Travis County!

ID Theft-O-Meter! – Hold on, where do I put the cost of monitoring my own credit, talking to the police, time spent in jail on false arrest, higher interest rates after a company is careless with my own data? Oh… It’s for the corporations that lost it. The REAL victims!

NETCOSM! – Just plain cool. I remember something similar years ago, where you used DOOM maps to kill processes on FreeBSD. Yes! PSDOOM.


In defense of controls

Alex is pretty down on ISO 17799.

I think the reasons are that he sees organizations substituting ISO 17799 for risk management FAIR style. Instead of calculating a realistic, customized risk profile, an organization pulls ISO 17799 (or COBIT, though COBIT is less specific to security) off the shelf. The specific controls in the 10 areas are implemented, and therefore they are secure, and risk-free. However, a focus on these areas may not appropriately address the real risk to the organization, and may result in inefficient and ineffective use of resources. (I hope he’ll correct me if I’m wrong.)

I think he’s right if that is how the standards are implemented, but it is not necessarily the only way they can be used. I’m thinking that if used properly, ISO 17799 could help in implementing controls to reduce the risk identified. He cites an example of using metrics to manage patches. I see it this way:

Risk analysis identifies areas for control.
High value assets on exposed servers are vulnerable to complete compromise from any weak-ass hax0r wannabe, because of well known problems in the OS. The vendor has issued patches, and continues to issue patches on a routine basis.

The control is implemented.
Defining the control is where ISO and Cobit would come in. Once you have decided that it should be done, it can answer the question of how. If others have discovered a way to control the situation that works reliably, I don’t see why you wouldn’t want to use it. Engineers and accountants do it all the time. At the same time, it must be optimized to meet not only your specific risks, but also your environment and culture. Striking the balance between the universal and specific is the challenge that standards face.

The effectiveness of the control is measured.
A metric could be used to determine the effectiveness of the control, as well as the appropriateness. If you are unable to tell if a control is functioning, it is hard to tell if it is effective. If the server team does not adequately test the patches, or places lower risk items higher in the work queue, your risk is not being mitigated when you think it should be. An armed guard isn’t an effective control if he’s asleep all the time.

The way I see it, risk assessment is necessary to prioritize controls. Controls are used to manage risk. And metrics are used to measure the effectiveness of controls. There are multiple ways any of these can go wrong, but it’s a beautiful evening and my motorcycle needs exercise.
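The three steps above (risk analysis picks the assets, the control sets a patch SLA per risk tier, a metric measures whether the SLA is actually met) carried through on the patching example, as an added illustration that is not part of the original post and not drawn from ISO 17799, COBIT or FAIR. The host names, patch IDs, dates, the risk-tier rules and the SLA values are all assumed for the example. The second function checks the failure mode the post names, a server team putting lower-risk items higher in the work queue, by flagging queue positions where a lower-risk item is scheduled ahead of a higher-risk one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Host:
    name: str
    exposed: bool   # reachable from untrusted networks
    value: str      # business value of what it holds: "high", "medium", "low"


@dataclass
class Patch:
    host: str
    patch_id: str
    severity: str
    released: date
    applied: Optional[date]  # None means the patch is still open


def risk_tier(host: Host) -> int:
    """Risk analysis step: exposed, high-value assets land in the top tier (assumed rule)."""
    if host.exposed and host.value == "high":
        return 3
    if host.exposed or host.value == "high":
        return 2
    return 1


# Control definition step: patch SLA in days, keyed by risk tier (assumed values).
SLA_DAYS = {3: 7, 2: 30, 1: 90}


def patch_compliance(hosts, patches, today):
    """Metric step: share of high/critical patches applied within the tier SLA.

    Returns (rate, late); late lists (host, patch_id) pairs that missed the deadline.
    Open patches still inside their SLA window are not counted either way, so a
    fresh vendor release does not drag the metric down before the team had a chance.
    """
    by_name = {h.name: h for h in hosts}
    on_time, late = 0, []
    for p in patches:
        if SEVERITY_RANK[p.severity] < SEVERITY_RANK["high"]:
            continue
        deadline = p.released + timedelta(days=SLA_DAYS[risk_tier(by_name[p.host])])
        if p.applied is not None:
            if p.applied <= deadline:
                on_time += 1
            else:
                late.append((p.host, p.patch_id))
        elif today > deadline:
            late.append((p.host, p.patch_id))
    measured = on_time + len(late)
    return (on_time / measured if measured else 1.0), late


def queue_inversions(hosts, queue):
    """Flags work-queue pairs where a lower-risk item sits ahead of a higher-risk one.

    queue holds (host, patch_id, severity) in planned order; ranking is host risk
    tier first, then patch severity. Returns (earlier_id, later_id) pairs.
    """
    by_name = {h.name: h for h in hosts}

    def score(entry):
        return (risk_tier(by_name[entry[0]]), SEVERITY_RANK[entry[2]])

    return [(earlier[1], later[1])
            for i, earlier in enumerate(queue)
            for later in queue[i + 1:]
            if score(earlier) < score(later)]


def sample_run():
    """Runs both metrics over constructed sample data (hosts, patches and dates are made up)."""
    hosts = [Host("web01", True, "high"), Host("db01", False, "high"), Host("test01", False, "low")]
    patches = [
        Patch("web01", "KB-1", "critical", date(2007, 4, 1), date(2007, 4, 5)),    # on time (7-day SLA)
        Patch("web01", "KB-2", "high", date(2007, 4, 10), None),                  # open, past 7-day SLA
        Patch("db01", "KB-3", "critical", date(2007, 4, 15), date(2007, 4, 20)),  # on time (30-day SLA)
        Patch("test01", "KB-4", "low", date(2007, 4, 1), None),                   # below severity cut-off
        Patch("db01", "KB-5", "medium", date(2007, 4, 1), None),                  # below severity cut-off
        Patch("web01", "KB-6", "high", date(2007, 4, 28), None),                  # open, still inside SLA
    ]
    queue = [("test01", "KB-4", "low"), ("web01", "KB-2", "high"), ("db01", "KB-5", "medium")]
    rate, late = patch_compliance(hosts, patches, today=date(2007, 5, 1))
    return rate, late, queue_inversions(hosts, queue)


if __name__ == "__main__":
    rate, late, inversions = sample_run()
    print(f"compliance: {rate:.0%}, late: {late}, queue inversions: {inversions}")
```

The sample gives a 67% compliance rate with the exposed web server’s open high-severity patch flagged late, and two queue inversions, both the low-severity test box being worked ahead of riskier hosts. That is the “guard asleep” case in numbers: the control exists on paper, the metric shows it is not reducing the risk the analysis identified.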
