Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear about in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically, after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:


One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade, apparently large (and rich) companies can somehow manage to forget the basics.
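To make the flaw concrete, here is an added example (my illustration, not code from the original post or from Citibank): a handler that trusts the account ID from the URL, beside a hardened version that ties the requested account to the logged-in user, and a small access-log check that flags a session walking through many different account IDs. The account store, usernames, session IDs and log-line format are all constructed for this example.

```python
"""Added example, not code from the original post: an insecure direct object
reference (IDOR) handler of the kind described above, beside a hardened form
that ties the requested account to the logged-in user, and a small access-log
check that flags a session walking through many different account IDs.
The account store, session users and log lines are all constructed here."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str      # username that owns the account
    balance: int


# Constructed sample data: three customers, three accounts.
ACCOUNTS = {
    1001: Account(1001, "alice", 500),
    1002: Account(1002, "bob", 2500),
    1003: Account(1003, "carol", 80),
}


class AuthorizationError(Exception):
    """Raised when the logged-in user may not see the requested account."""


def vulnerable_account_view(session_user, account_id):
    """Flawed handler: trusts the ID taken from the URL and never asks
    whether the authenticated user actually owns that account."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    return {"account_id": acct.account_id, "balance": acct.balance}


def hardened_account_view(session_user, account_id):
    """Hardened handler: the account must belong to the session user.
    A missing account and a foreign account get the same error so the
    endpoint does not confirm which IDs exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise AuthorizationError("account not found")
    return {"account_id": acct.account_id, "balance": acct.balance}


def own_accounts_view(session_user):
    """Preferred design: derive the accounts from the session and keep the
    identifier out of the URL entirely."""
    return [a.account_id for a in ACCOUNTS.values() if a.owner == session_user]


# Constructed access-log lines (format assumed: timestamp, session id,
# request line, status). Session s2 requests five different account IDs.
LOG_LINES = [
    "2011-06-14T10:00:01Z sid=s1 GET /account?id=1001 200",
    "2011-06-14T10:00:09Z sid=s1 GET /account?id=1001 200",
    "2011-06-14T10:01:00Z sid=s2 GET /account?id=1001 200",
    "2011-06-14T10:01:02Z sid=s2 GET /account?id=1002 200",
    "2011-06-14T10:01:04Z sid=s2 GET /account?id=1003 200",
    "2011-06-14T10:01:06Z sid=s2 GET /account?id=1004 404",
    "2011-06-14T10:01:08Z sid=s2 GET /account?id=1005 404",
]

LOG_RE = re.compile(r"sid=(\S+) GET /account\?id=(\d+)")


def sessions_enumerating_accounts(log_lines, threshold=3):
    """Return {session_id: number of distinct account IDs requested} for every
    session that asked for more than `threshold` different IDs. One customer
    normally views one or two accounts; a run of many IDs from one session is
    the signature of the flaw above being probed."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {sid: len(ids) for sid, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(vulnerable_account_view("alice", 1002))   # alice sees bob's balance
    try:
        hardened_account_view("alice", 1002)
    except AuthorizationError as e:
        print("hardened:", e)
    print(own_accounts_view("alice"))
    print(sessions_enumerating_accounts(LOG_LINES))
```

The point of the third function is that the best fix removes the account number from the URL altogether: the server already knows who logged in, so it can look up that user's accounts itself. Where an ID must remain in the URL, the ownership check in `hardened_account_view` is the minimum, and the log check gives you a way to notice probing of an endpoint that is already deployed.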



TSA Nude Scanners Coming To American Malls

You're kidding, right?

What now?

A Yahoo article says that because women's clothes sizing is hard, they're going to nude scan them to figure out what they can wear. Seriously!?

Ms. Shaw, the entrepreneur, is chief executive of a company called MyBestFit that addresses the problem. It is setting up kiosks in malls to offer a free 20-second full-body scan — a lot like the airport, minus the pat-down alternative that T.S.A. agents offer.

Lauren VanBrackle, 20, a student in Philadelphia, tried MyBestFit when she was shopping last weekend.

“I can be anywhere from a 0 at Ann Taylor to a 6 at American Eagle,” she said. “It obviously makes it difficult to shop.” This time, the scanner suggested that at American Eagle, she should try a 4 in one style and a 6 in another. Ms. VanBrackle said she tried the jeans on and was impressed: “That machine, in a 30-second scan, it tells you what to do.”

That's cute. A strip search in the name of getting something to wear? So instead of wasting millions on this disrobing plan, why not standardize women's clothing and use inch measurements like men's clothes? How's that for an idea?

How long until someone hacks these poorly protected machines to record copies of all women scanned and the photos show up on the Internet? Will you put your teenage daughters in them?

This is so, so stupid, I can't believe it's actually true. I really hope this doesn't catch on because if it does, my faith in humanity will suffer yet again.


Congressional Neanderthals Mess Up Big

(Image is in the Public Domain)

Yesterday the House passed a FISA amendment act which includes a provision shielding telecommunications companies from any liability. In the coverage of the situation by Ars Technica, they were able to quote Nancy Pelosi as being an idiot:

(Bold text in parenthesis is mine)
The most extended apologia came from House Speaker Nancy Pelosi (D-CA), who urged that the compromise be judged by comparison with the Senate bill, which she characterized as the only realistic alternative (So we can't ask for a good law, only a less bad one? That's a great standard to live to). She outlined several ways in which the current legislation is preferable to the Senate's version. First, the compromise bill reasserts that FISA is the "exclusive means" for conducting electronic surveillance, which would require the president to ignore such language twice in order to launch an extralegal surveillance program, rather than only once, as under traditional FISA rules (So if the President breaks the law, now it would violate two laws instead of just one. The next time someone breaks a law, I wonder if it will result in jail time if it only breaks the law "once"). Second, it preserves prior judicial review of surveillance authorizations, except in "very, very rare" circumstances, such as when the attorney general asserts that waiting for a judge would entail delay (I think that recent history has shown how much we can trust to the "rarity" of the Attorney General approving anything a president might ask. Has she even been awake in the last decade?). Third, it contains specific provisions barring the use of authorizations targeting parties abroad as a pretext for targeting U.S. persons, presumably to be enforced by a board of psychics. Finally, it provides for an internal investigation of the extent of past surveillance, which Congress will act upon with the same legendary zeal for civil liberties it has displayed over the past seven years (Brilliantly summarized. Ars has some great writers.).

So in one day, the House voted to expand powers of the Judicial branch that they didn't need and shield their conspirators from liability against justice.

Don't get me wrong, if I got a letter from the Attorney General of the United States that required my company to do something and my lawyers said to do it, I would have, and maybe that's what happened to the telcos. But if there is no accountability for the Attorney General, the President, and the involved Agencies, then the whole thing tastes like Congress cooked us up some chili made of poo.


Bruce Schneier Interviews the Head of the TSA

Bruce has some very good pointed questions that the head of the TSA mostly doesn't answer. What a shame. In five parts: Bruce Schneier interviews head of the TSA

Supermarkets Treat You Like A Criminal – Fingerprints for Food

Some supermarkets now have fingerprint readers in lieu of credit card payments. You have to supply your fingerprint and attach your credit card to it, but then you can pay just by touching your finger to the reader. There are many problems with this:

1) In theory, they're promising only to take the "data points", not the fingerprint, but if they use the same data points as other companies, then the data points are the same as your fingerprint. If every company uses different data points, then as data from each breach is combined, it creates a better and better picture of your actual fingerprint.
2) Unlike a credit card, which can be re-issued or changed, fingerprints can't be.
3) You don't leave impressions of your credit card everywhere you touch like you do with your finger. Fingerprints can be used for tracking and accountability that you shouldn't have to be responsible for unless you're a criminal.
4) There was nothing wrong with the system that was there before. Swiping a credit card is actually easier and faster than putting your finger on a reader and entering a PIN.
5) The more people that use the system, the more problems they will have with false matches (where your finger and someone else's are too close to distinguish). Granted, the PIN solves this problem to a degree, but these companies will have to add more and more data points to the algorithm to make the system work. The more data points they use, the closer they get to storing your actual fingerprint.

This is bad, bad news. I wonder when the first "fingerprint data breach" will happen.

Brain-dead Teachers Freak Students Out With Fake Gun Attack

(Image is used under the Pixabay license)

Someone actually thought this was a good idea? How stupid do you have to be?

Staff members of an elementary school staged a fictitious gun attack on students during a class trip, telling them it was not a drill as the children cried and hid under tables. ... "The children were in that room in the dark, begging for their lives, because they thought there was someone with a gun after them," said Brandy Cole, whose son went on the trip.

Update: Here's a link to the school's press release on the topic. Their account of what happened is completely opposite of what was reported on CNN.

Most of the students stood up and said, "That was a good one." "Yeah, you got me." High fives were exchanged.

Either the school is totally downplaying this or CNN has got some serious problems with their accuracy. But something about this press release bothers me and apparently I'm not the only one:

"The children went to sleep and did not discuss it the following morning." The absurdity of that statement is staggering. They are trying to convince people that in a class of over 60 students, after teachers pulled a 'prank', that not one of these ~60 students said anything about it the next day? Not one of them teased another one about falling for the 'joke'? Really? Not one?

The person who posted this comment on the Slashdot forums is right on.


RFID Worst Case Scenario Has Arrived

(Image used under: Creative Commons 2.0 [SRC])

The people over at CASPIAN have warned about how companies are trying hard to get RFID tags into all their products without people knowing. Well, now they will. The anti-theft tags that nearly every product currently has will be combined with RFID technology so that nearly every item you walk out of the store with will also transmit a unique identifying number to any reader nearby. Thieves, marketers and big brother are salivating.

You don't believe that companies are desperately interested in what you do every waking moment? Then you haven't been paying attention.


ID Theft Taskforce Issues Final Recommendations and Strategic Plan

Federal Trade Commission
(Image is in the Public Domain)

On April 23rd, the ID Theft Task Force, chaired by Alberto Gonzales (the US Attorney General) and co-chaired by Deborah Platt Majoras (the chairwoman of the FTC), released its final recommendations for reducing identity theft.

Here are a few of their better recommendations:

  • Decrease the unnecessary use of social security numbers in the public sector
    For example, the federal Office of Personnel Management (OPM) has already done an internal review and realized that they were using SSNs in many cases where it wasn't necessary. They have begun issuing employee numbers instead of just using SSNs. Dang straight! Stopping data brokering is a very good first step.
  • Develop comprehensive record on private sector use of SSNs
    What they mean by this is that they need to study how SSNs are used in businesses to determine how much is legitimate use and how much should be stopped, controlled, or altered. They plan to have completed this study and made recommendations to the president by first quarter '08. Ditto above: Stopping data brokering is a very good first step.
And here are some of their less-thought-out ones:
  • Educate Federal Agencies on how to Protect Their Data and Monitor Compliance With Existing Guidance
    Okay… Granted, bringing laptops home to get stolen was stupid the first time and got successively stupider as time went. Theoretically, by teaching the agencies obvious security and then monitoring compliance, we should be able to stop or reduce that particular type of data loss. The important point to note here is that if an agency fails to protect data properly, they will be harshly punished by having that fact noted on their PMA scorecard *rolls eyes*. What this means and what the consequences are (if any), I have no idea.
  • Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
    This means they're going to develop a set of guidelines on how to handle breaches and issue it to all agencies (which they've already done). The guidelines will (emphasis mine):
    set forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected.
    Ugh. So they might not even tell you that they messed up by losing your data now? That's some good accountability there. And credit monitoring? Are they still going on about this? I find it so hard to trust the opinion of someone who suggests credit monitoring as any kind of response to a data breach.
  • Establish National Standards Extending Data Protection Safeguards Requirements and Breach Notification Requirements
    They want to create a national standard of safeguards that applies to all "private entities that maintain sensitive consumer information". More importantly, they say that all such entities must be required to notify law enforcement and consumers of a breach. Though this requirement would only come into effect if there was "significant risk of identity theft" due to the breach. Their justification for this is that consumers wouldn't want to be "overwhelmed" by breach notifications. That's crap. If a company has to send out an "overwhelming" amount of breach notifications, perhaps enough people would leave that company to make said company actually implement some security. This loophole also fails in that there's a lot of wiggle room in "significant risk". Who decides what's significant risk or not? The company? If so, I bet all breaches will be labeled "low risk". Ah yes, and let's not forget our favorite clause. This legislation will preempt state laws on data breaches.

Where's the Freeze recommendation?

For those who don't know my site, I am a big proponent of credit security freezes. I am severely disappointed in this final set of recommendations in that they softened the language from their initial recommendations, which read:

For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file. This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. A credit freeze cuts off third party access to a consumer's credit report, thereby effectively preventing the issuance of new credit in the consumer's name.

to the following:

Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer's credit report inaccessible when, for example, an identity thief attempts to open an account in the victim's name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no "track record" to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

This is very weak and isn't even a recommendation of its own, just a sub-component of "Assess Efficacy of Tools Available to Victims". So it went from the nice, solid (and correctly worded) "effectively preventing the issuance of new credit in the consumer's name" to "there is no 'track record' to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers". Alberto Gonzales and Deborah Platt Majoras should be ashamed of themselves for putting their names on this worthless report.

Update 9/27/2007

It looks like the credit reporting companies are starting to read the bones and pre-emptively offer credit freezes before they get legislated into having to provide it on worse terms and lower fees. Two out of three have jumped onto the bandwagon with only one holding out so far.


Spyware to be Legalized

Brilliant Plan
(Image used under: Creative Commons 2.0 [SRC])

Congress is now considering a bill similar to the CAN-SPAM act for spyware. Like the CAN-SPAM act, it doesn't actually stop anything, but rather legalizes it instead.

Let's sum up. If the Spy Act become law, hardware, software, and network vendors will be granted carte blanche to use spyware themselves to police their customers' use of their products and services. Incredibly broad exceptions will probably allow even the worst of the adware outfits to operate with legal cover. State attempts to deal with the spyware problem will be pre-empted and enforcement left up almost entirely to the FTC. Gee, what's not to like in that deal?

Police “Book” Unruly 6 Year Olds

Stories like this give all police a bad name.
(Image used under: Creative Commons 2.0 [SRC])

Tantrum turns to police record.

She flailed away at the teachers who tried to control her. She pulled one woman’s hair. She was kicking.

Unless the kid has a knife or some other kind of weapon, nothing they can do could be counted as dangerous.

Desre’e was charged with battery on a school official, which is a felony, and two misdemeanors: disruption of a school function and resisting a law enforcement officer. After a brief stay at the county jail, she was released to the custody of her mother.

So your kid has a felony and two misdemeanors on record from the time they're 6? What was wrong with the normal way, calling her mother? So now this poor girl, her mother, the community, and most of the Internet all have less respect and trust for police officers. Great work Florida.

