Monday, June 20, 2005

From the miscellaneous items department...


Picture credit: NBA
The Spurs' Tim Duncan is one of the smartest and classiest players in the NBA. But a recent interview with his coach, Gregg Popovich, provided some unintended mental imagery:

"He's exactly the same person that I laid on the sand with down in St. Croix when we drafted him," added Spurs coach Gregg Popovich. "He hasn't changed a lick, very honestly..."


NBA.com: The Quiet Storm
 

YubNub: A (social) command-line for the web


Here's a really interesting idea, courtesy of John Battelle's Searchblog. YubNub is a "command-line for the web" with a social-networking spin.

Want to do an image search on Google for Anne Bancroft? Type in gim anne bancroft. How about viewing the Wikipedia entry for Bob Knight? Just type in wp bob knight.

Want to create your own commands? That's where the social-networking aspect comes into play. You can add your own syntax to YubNub.

Check it out: YubNub
 

Saturday, June 18, 2005

CardSystems' missing 40 million records



Photo
Two consumers enjoying their privacy (CardSystems)

The details are sketchy, yet ominous. As many as forty million consumer credit-card records may have been stolen from CardSystems, a major payment-processing house.

The theft was discovered back on May 22nd. And CardSystems seems none too pleased that MasterCard has disclosed the extent of the breach. Publicly, MasterCard indicated that:

...an intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data...


In addition, MasterCard reported that:

...CardSystems Solutions was hit by a computer virus that sucked up card numbers and other customer data...


Who was behind it? Probably organized crime, at least based upon information in this Boston Globe article:

...MasterCard said yesterday that criminals used a computer virus to collect vast amounts of financial data moving through the company's computer network and estimated that 13.9 million of its accounts may have been stolen. Thieves also had access to millions of cards issued by Visa and Discover, as well as some American Express cards...

...examination of CardSystems computers found that information had been copied from a database containing 40 million account numbers from a variety of credit card brands. It also found that the CardSystems network had been infected sometime late last year, meaning that the data thieves had been able to collect credit card numbers for several months before the breach was detected.

The investigators found that some of the stolen card numbers have been used illegally. ''We are aware of some fraud from the data that's been taken," said Jessica Antle, spokeswoman for MasterCard International. She added that the thieves had used very few of the stolen account numbers so far...


Some expressed surprise that a breach of this scale was possible:

...Former federal prosecutor Mark Rasch, chief technical counsel for computer security firm Solutionary Inc., was surprised by the scale of the crime. ''It's not surprising that there's a breach," Rasch said. ''It is surprising that there's this large a breach." Rasch said that the data-stealing computer virus should have been quickly detected if CardSystems ran regular virus scans...


Was it a virus... or something altogether different? The LA Times, via Slate, says:

...a "rogue program" planted in the computer network of CardSystems compromised millions of card numbers...


The FBI is probably hunting down possibilities of an inside job or an Israeli-style social engineering scam (the recent Israeli corporate espionage debacle included trojans that were snail-mailed to victims as software updates from a corporate IT department).

Ironically, CardSystems' website boasts of its e-Payment Systems offering:

...In today's information age, new technologies... increase the risk of fraud as perpetrators find new ways to infiltrate systems. You need payment solutions that help you grow revenue and maximize efficiencies while mitigating fraud...


Yes, we do. That's their mission statement, eh? Repeat after me: forty... million... records.

And now CardSystems' livelihood itself may be at stake. MasterCard has reportedly given CardSystems "an undisclosed deadline to demonstrate that its systems are now secure".

That ought to be quite a demonstration.

After reports like this one and the Israeli trojan horse scandal, one is left only to speculate how much cyber-criminal activity remains ongoing and completely undetected.
 

Friday, June 17, 2005

PayPal's Comical Anti-Phishing Page


Picture credit: http://microsoft.com
I have a PayPal account, which I use only sporadically. And I just received an email purporting to be from PayPal itself, which addresses anti-phishing techniques. This should be fun. Let's review PayPal's advice for avoiding phishing scams (which they call spoofing). Entitled "Protect Yourself from Fraudulent Emails", it's actually somewhat comical.

Here's the first "warning sign" of a bogus email, according to PayPal:

Generic greetings.
Many spoof emails begin with a general greeting, such as: "Dear PayPal member."


In other words, the spammers can't address you by name.

According to the security page, after you recognize a phishing attempt, you are advised to immediately contact their anti-fraud department:

Forward the entire email - including the header information - or the site's URL to spoof@paypal.com. We investigate every spoof reported. Please note that the automatic response you get from us may not address you by name.


Talk about an enigma wrapped in a riddle... PayPal advises you to report any bogus email purporting to be from their organization. The first way to recognize a fraudulent email is a generic greeting. And when you send in a report of a phishing attempt, PayPal responds with another email that (using their criteria) also appears to be bogus. For the love of...

And here's warning #3:

Fake Links.
The text in a link may attempt to... send you to a spoof address [sic]... be aware that a fake link may even have the word "PayPal" in it.


Interesting. First problem: the PayPal anti-fraud page uses a domain name of paypalobjects.com, not paypal.com. What the...? Can't anyone here play this game?

Yet another interesting aspect to the PayPal anti-fraud message is their attempt to get you to download a "helpful toolbar". Here's more from their security page:

...If you use Internet Explorer, download the eBay toolbar. Account Guard helps ensure you are on PayPal or eBay. Download the eBay toolbar now...


This is almost too easy. My prediction is that phishers will create and pitch a fake eBay toolbar using their typical, massive spamming campaigns. For the phishers, this is an even better deal. Users will install a truly malevolent trojan themselves, all under the guise of increased security.

You heard it here first.

In my opinion -- and, for at least the three reasons listed above -- the PayPal anti-phishing page leaves a lot to be desired.

The only realistic way to deal with the phishing scourge is to use digital signatures and intelligent email clients (preferably web-based) to ensure that the guy who says he sent the file really did so. Yahoo has released a proposed standard called DomainKeys that does exactly that.

I think I'll wait for DomainKeys, thank you.

PayPal: Protect Yourself from Fraudulent Emails
 

Thursday, June 16, 2005

Fraudsters use iPods to steal company information


Picture credit: http://www.conversionfury.com
There are more options for ripping off sensitive data than there are noodles at Johnny Chan's Take-Out joint. All the more reason to ensure that your company's sensitive data is always encrypted at rest.

Anti-fraud experts warned yesterday that the machines, along with other music players, that boast hard drives with up to 20Gbytes of memory, could become widely used by employees to fool security officials and breach data security rules.

In one case a recruitment agency found much of its client database had been copied to an iPod's memory and used to defraud the firm.


Guardian: Fraudsters use iPods to steal company information
 

Wednesday, June 15, 2005

The Next Generation of Phishing Tools


(Picture credit http://www.carrera-uk.com)
The folks at SC Magazine -- or, maybe just Maksym Schipka -- describe the interesting ramifications of program complexity. Windows XP, according to Schipka, consists of a scant 40 million lines of code. A conservative figure of five bugs per KLOC (one thousand lines of code) yields the potential of perhaps 200,000 bugs. Schipka posits that about one-tenth of one percent of that figure will be remote-execution security issues: in other words, about 200 serious remote vulnerabilities.

Worse, the trend towards blended, polymorphic attacks continues unabated. Recent generations of trojans blatantly scan for vulnerabilities, rip down defensive barriers such as anti-virus protection, and hijack trusted applications and libraries.

From the phishing perspective, the trend is equally serious:

...A recent phishing attack, purporting to be a communication from a major UK bank to its customers, provides a significant pointer to likely future developments in the email banditry arena.

It works like this: customers receive an email that makes the usual phishing bid to gain personal banking details -- but it also has a more purposeful payload. Before attempting the phish, it first uses an IFRAME exploit to download a trojan installer without the user's knowledge.

The installer checks a number of parameters on the system -- for example, the versions of Windows and Internet Explorer being used, whether Norton AV updater or McAfee AV updater are running and what version of Java Virtual Machine is in use. Based on the information it collects, the installer chooses one of four different exploits to perform the trojan executable drop.

The innovation here is that, not only are different exploits and vulnerabilities used to penetrate the user's computer, but also that a trojan installer is an integral component of the phishing attempt.

If this new technique proves as successful as its criminal perpetrators surely hope, we can expect to see even greater uses of such convergence in the future. With the prospect of spam messages arriving in your inbox trying to sell you a product while attempting also to obtain your personal banking information -- and planting a trojan on your computer at the same time -- the case for adopting comprehensive email security has surely never been more pressing...


This conforms pretty much exactly with CounterPane's assessment. Blackhat activities revolve around criminal, not recreational, endeavors. Bruce Schneier:

Another 2004 trend that we expect to continue in 2005 is crime. Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money. Hackers can sell unknown vulnerabilities -- "zero-day exploits" -- on the black market to criminals who use them to break into computers. Hackers with networks of hacked machines can make money by selling them to spammers or phishers. They can use them to attack networks. We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks. The more these extortions are successful, the more emboldened the criminals will become.

We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. We also expect to see more insider attacks with a criminal profit motive. Already most of the targeted attacks -- as opposed to attacks of opportunity -- originate from inside the attacked organization's network...


One thing is for certain: endpoint security has never been more critical.

SC Magazine: The Potential for Bugs
 

Top Open-Source Security Applications


Picture credit: http://www.f-secure.de
If open-source security applications suit your taste (and, frankly, they should), NewsFactor reports on the top 'brands' of the OSS security world:

OpenSSL: Anthony Nadalin, Chief Security Architect for IBM's software group, recommends Bouncy Castle crypto interfaces and OpenSSL -- an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols...

OpenSSH: OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure SHell (SSH) session technology is designed to let administrators and users open a command shell on a remote host...

Nessus: When it comes down to it, no matter what security system you use, you'll need to test for security vulnerabilities in your code. Both Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability scanner...

Nmap: Moyle and Jaquith recommend the Nmap port scanner, which is designed to interrogate remote hosts to see what services they are running. The open-source application usually can detect the operating system correctly as well... "For example, many companies use it to 'sweep' their networks to see what hosts are there, and to see if any of them are running services that would violate policy."

IPtables: IPTables and IPFW are host-based firewalls for Linux and BSD, respectively. Both of them do the same thing: They block access to particular server ports using a flexible rule-based language...

ClamAV: Barracuda Networks' Levow sees considerable merit in the use of open-source antivirus and antispam tools, and specifically points to ClamAV as the largest and also most widely used open-source antivirus technology...


NewsFactor: Top Open-Source Security Applications
 

Frequency Jamming


Picture credit: http://www.faa.gov
Like handheld lasers pointed at airliners to (presumably) blind pilots, this Washington Times report is somewhat ominous:

...Shortly before touching down in Charlotte, the pilot announced to passengers that the landing was being delayed because somebody was "jamming" the plane's communications with the control tower.
"We have a jamming problem," the lawyer, who asks not to be identified, paraphrased the pilot. "We've gotten word from the tower that our radio frequencies are being jammed."
Then these words: The problem could "involve national security."

..."Unless you find the source, you're not sure if it's inadvertent or on purpose. As you know from reporting on the lasers [being beamed at pilots from the ground], laser incidents go back 10 years. But it wasn't until the September 11th attacks that we have to look at everything through national security lines now."


Washington Times: Jamming
 

Now that's a concert


Picture credit: http://www.espn.com
From the miscellaneous items department:

Suspended Florida State quarterback Wyatt Sexton was doused by pepper spray and taken to a hospital by police after he was found lying in the street, saying he was God...

...Police said Sexton's roommates told them he had been at a Dave Matthews Band concert in Tennessee with them earlier Monday...

...However, The Dave Matthews Band played in Noblesville, Ind., on Sunday and Monday.


Enquirer.com: College Football Notebook
 

Tuesday, June 14, 2005

Protecting Data At Rest


Picture credit: http://www.unixwiz.net
Over at RedmondMag, Roberta Bragg notes some good starting points for protecting data at rest. Data 'at rest' means data stored statically on some media: hard disk, tape backup, etc. When sensitive data items -- like SSNs -- are stored in the clear, they're literally sitting ducks for hacking attempts.

Overall her point is, as mine was a few days ago, that data 'at rest' needs a comprehensive set of data protection standards. Roberta provides a good checklist that IT teams can use to vet their standards against best practices.

However, I believe she's omitted one quite crucial step in protecting data:

Sensitive data should be encrypted at the application level. That is, even if you have an encrypted file system, don't trust that it alone will be sufficient to keep blackhats at bay. Go the extra mile and ensure that sensitive fields (SSNs, for instance) are encrypted at the application level. Force your application to securely retrieve decryption keys in order to convert the fields into cleartext data.

Why? What's the risk?

One with which I'm familiar is the old favorite, SQL injection. SQL injection permits an intruder to craft their own SQL statements and submit them against your databases. Thus, if SSNs are stored in the clear (at the field level), a SQL injection hack could rip the SSNs straight out of your tables. No muss and no fuss for the intruder.

Thus, I recommend that all sensitive data be encrypted -- at the application level -- in the tables themselves. At least then, if a rogue process were to compromise your database, the intruder has an extra attack to make against the sensitive fields. Force the bad guys to go the extra mile.
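As an added illustration of that point (example code written for this page, not from RedmondMag or the post's author): the SSN column holds only ciphertext, the key is fetched at runtime from a separately managed key service, and the classic tautology that an injection hands to a string-built query dumps every row but yields no SSN. The KeyService class, the HMAC-based cipher standing in for a proper AEAD, and the sample customers are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3


class KeyService:
    """Stand-in for a separately managed key store (hypothetical API):
    the application fetches the key at runtime and never writes it to disk."""

    def __init__(self):
        self._keys = {"ssn-key-v1": os.urandom(32)}   # constructed key material

    def fetch(self, key_id: str) -> bytes:
        return self._keys[key_id]


def _subkeys(key: bytes):
    # Separate keys for the keystream and the MAC (domain separation).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a demonstration stand-in for a real
    AEAD such as AES-GCM from a vetted library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Stored cell layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_db(key: bytes) -> sqlite3.Connection:
    """Constructed customer table: the SSN column only ever holds ciphertext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB)")
    for name, ssn in (("Alice", "123-45-6789"), ("Bob", "987-65-4321")):
        db.execute("INSERT INTO customers (name, ssn_enc) VALUES (?, ?)",
                   (name, encrypt_field(key, ssn)))
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The string-concatenated query that SQL injection abuses; kept only to
    show what an injected tautology yields when the column is encrypted."""
    return db.execute(f"SELECT name, ssn_enc FROM customers WHERE name = '{name}'").fetchall()


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the fix for the injection itself."""
    return db.execute("SELECT name, ssn_enc FROM customers WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    key = KeyService().fetch("ssn-key-v1")
    db = build_db(key)
    injected = "' OR '1'='1"          # textbook tautology: matches every row
    dumped = lookup_vulnerable(db, injected)
    return {
        "rows_dumped": len(dumped),
        # What the dumped column actually contains: no SSN in the clear.
        "plaintext_leaked": any(b"123-45-6789" in row[1] for row in dumped),
        "safe_rows": len(lookup_safe(db, injected)),
        # Only the application, holding the fetched key, recovers the value.
        "app_decrypts": decrypt_field(key, lookup_safe(db, "Alice")[0][1]),
    }


if __name__ == "__main__":
    print(demo())
```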

Redmond: Data at Rest Is a Sitting Duck
 

Monday, June 13, 2005

A Phishing Primer


Picture credit: Stern
I received this email today, related to some earlier blog postings on the epidemic of phishing.

Not sure what phishing is? Sure you do: it's the plethora of emails you receive asking you to reset your PayPal account information, notifying you that your CitiBank account may have been compromised, and a myriad of variations thereof. All are designed to get you to sign-in to a "false store-front" that appears to be a real financial site. But instead of logging on to a real website, your account and password data are sent directly to the crooks running the scam.

Back to the email I received. In part, it read:

We are trying to compose a short but clear guide to email to our customers and put on our site to warn our customers what to look out for - what is the customer information email you have seen? Would be great if you have some examples of the good, bad and ugly.


Here's a simple summary. The following is a typical phishing email, courtesy of Wikipedia:

From: eBay Billing Department
To: xxx@yyy.com
Subject: Important Notification

We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

Regards,
Safeharbor Department
eBay, Inc

This is an automatic message. Please do not reply.


If you ever receive an email purporting to be from a financial website, please follow this simple step:

Never click on a link in an email to visit a sensitive website. Visit the site directly by using your browser bookmarks or by typing in the address in the browser's address bar.


That's the easiest way to be a safe surfer in the wonderful world of phishers.
 

New Scientist on the BlueTooth Vulnerability


(Picture credit http://www.tomsnetworking.com)
I wrote a bit last week on the implications of the recently discovered vulnerabilities in the BlueTooth protocol. The weaknesses, combined with hacking innovations such as the BlueSniper rifle, make it easy to sniff or even co-opt BlueTooth networks at distances in excess of a mile. New firmware, anyone?

The best description of the vulnerability I've yet read is this excerpt from an article in New Scientist:

During pairing, two Bluetooth devices establish the 128-bit secret “link key” that they then store and use to encrypt all further communication. The first step requires the legitimate users to type the same secret, four-digit PIN into both devices. The two devices then use this PIN in a complex process to arrive at the common link key.

Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device.

But pairing only occurs the first time two devices communicate. Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key. This prompts the other device to discard the link key and the two then begin a new pairing session, which the hacker can then use.

In order to send a “forget” message, the hacker must simply spoof one of the devices' personal IDs, which can be done because all Bluetooth devices broadcast this automatically to any Bluetooth device within range.

“Having it done so easily is surprising,” says Schneier. He is also impressed by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in real devices.

They show that once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III. “This is not just a theoretical break, it’s practical,” says Schneier.


New Scientist: New hack cracks 'secure' Bluetooth devices
 

Moving men and material into space


(Picture credit http://www.thespacereview.com)
Interesting article on the challenges of transporting people and material into near-Earth orbit. Say, logistic support for a Mars colony or an interstellar mission, for instance:

"What you need is a launch system that stays on the ground"... One option is laser propulsion. Researchers at [RPI] have shown that they can propel an object weighing 5 ounces 300 feet into the air with a laser. A real-life version that could launch people in a vehicle "about the size of a Volkswagen" would require a 1,000-megawatt laser located on top of a mountain, he said...

...Another option is the Slingotron. "It is a huge slingshot affair that accelerates your payload on a spiral track and then, zoom--off to outer space," he said. It would kill humans but could be used for cargo.

A third option is the space elevator, a large structure made of customized molecules that could spring people into outer space, according to proponents...


Project Orion (The Space Site)
Dyson himself worked on Orion, a project to land people on Mars, in the 1950s and 1960s. Orion, which would have been built by a submarine company in Connecticut, would have literally been a spaceship.

"We were going to walk on Mars with our notebooks and draw pictures of everything. It would have been true 19th century exploring," he laughed.

To propel it out of orbit, however, would have required exploding 3,000 atomic bombs, one every two seconds. The bombs would have been tossed out of a hole in the plate in the ship, delivered by "essentially what was a glorified coke machine," he said.

Engineering prototypes and simulations showed that the project would work, and it would have cost far less than Apollo. The original plan was to get to Mars by 1965 and the moons of Saturn by 1970.

"The fatal flaw of this scenario, of course, was radioactive fallout," he said, the ill-effects of which were being discovered at the time. "Technically, it worked very well, but it was political death."


Let's colonize space for fun
 

Fineman on Imus


(Picture credit http://en.wikipedia.org)
Last week, Newsweek's Howard Fineman visited the Don Imus program and had some interesting commentary regarding Watergate and the Felt affair.

Fineman noted that upon his entrance to the Columbia School of Journalism (where else?), his hero was Pulitzer Prize-winner Theodore White, who had authored the best-selling Making of the President  book series.

Upon leaving Columbia, Fineman's new heroes were Woodward and Bernstein, two journalists who transformed the art of beltway reporting. Not everything the pair stood for was positive, according to Fineman. The key negative point?

Journalism became a de facto opposition party.

Over a period of time, this consistent anti-administration bias gave rise to the likes of Fox News chieftain Roger Ailes. Ailes and Fox News became "the opposition to the opposition party".

In this same vein, the Cassandra Report has its own take on journalism as the opposition party: MSM/DNC - a singular noun.
 

Sunday, June 12, 2005

A Hike up Sandia Mountain



Picture credit: http://www.newmexicoliving.com
Brooke has a good write-up -- with plenty of pictures -- on his hike up Sandia Mountain. The peak is 10,678 feet above sea level. Challenging under normal circumstances, the trek can be especially taxing for low-landers operating under a self-imposed time constraint.

Hike up Sandia
 

Bizarre, yet useful, Search Sites



I'd like to point out a couple of search sites that I found courtesy of a James Fallows article in the New York Times.

The first is a search portal called Mr. Sapo. Mr. Sapo provides instant comparative access to all major search engines using a simple button metaphor. Enter a search term, then click any of the buttons to see the results for the specified engine. Bizarre name? Check. Odd interface? Checkety check. Pretty darn useful? Check and mate, beenizzle*.

The Mr. Sapo site pointed me to a new search engine with which I was unfamiliar: Exalead. It is very, very interesting. Search on a term and you get a plethora of sidebar windows along with the traditional results. The sidebar windows provide drill-down capabilities over a variety of categories:

  • Related terms

  • Related categories

  • Geographic location of web site

  • Document type

  • Screen captures of each resulting site

In other words, Exalead supports down-selecting the search results using several useful criteria. Check it out.

*I am licensed to use teen/hip-hop lingo, given two teens in my current household.


Saturday, June 11, 2005

So you want to be a phisher


Picture credit: http://tecfa.unige.ch
Like most Internet users, I've been awash in a deluge of phishing attempts of late. Unlike most users, though, I enjoy tracking down the source of the spam mails, the location of the false storefronts, and their owners. I think I've nailed down the typical modus operandi. Here's the lifecycle of a typical phishing scam, at least so far as I can tell.

  • Phisher uses IRC or similar means to surreptitiously meet with other blackhats and trade, purchase or otherwise acquire stolen credit-card data

  • Phisher uses stolen credit-card to purchase domain name (optional)

  • Phisher uses stolen credit-card to open a shared web hosting account

  • Phisher creates false storefront on new site

  • Phisher uses IRC or similar means to acquire list of open mail-servers or spamming accounts that can be used to send phishing emails

  • Phisher uses mass-mailing software to dispatch thousands or millions of phishing emails to direct victims to the bogus site

  • Phisher waits for the dough to roll in

  • After enough complaints arrive, the web hosting provider will inevitably determine that the bogus site needs to be shut down. At this point the phishing scam -- at least temporarily -- comes to a screeching halt.

Can we learn anything from this lifecycle?

I think we can. Hosting providers need to implement a little bit of technology: call it an anti-phishing package (APP). The package would be a process running on each shared server. Using the server's log files, APP would perform the following tasks:

  • Detect any new site (i.e., less than 90 days old) that receives a sudden burst of traffic

  • Examine the traffic for form submissions (GETs or POSTs)

  • Examine the traffic for pages named login, auth, etc.

  • In the event that any or all of these criteria are met, APP sends an automatic email to system administrators. They can then examine the suspect site and shut it down if necessary.
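An added example (not the post's own code) of the APP heuristics above, run over constructed access-log lines: a site under 90 days old that takes a burst of requests, receives form submissions, and serves login/verify-style pages is written up in the administrators' email. The vhost-prefixed log format, the 90-day and 50-requests-per-hour thresholds, and the site names are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: the shared server's combined log with the virtual
# host name prepended, e.g.
#   shop.example 203.0.113.5 - - [11/Jun/2005:11:58:02 +0000] "POST /login.php HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

CREDENTIAL_WORDS = ("login", "auth", "signin", "verify", "account")


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_requests(times, window: timedelta) -> int:
    """Largest number of requests falling inside any sliding window."""
    times = sorted(times)
    peak = start = 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def assess_sites(lines, site_created: dict, now: datetime, *,
                 max_age_days=90, burst_threshold=50, window=timedelta(hours=1)) -> dict:
    """Apply the APP criteria; returns {vhost: [reasons]} for sites that are
    new AND trip at least one of the traffic checks."""
    per_site = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_site[rec["vhost"]].append(rec)
    alerts = {}
    for vhost, recs in per_site.items():
        created = site_created.get(vhost)
        if created is None or now - created > timedelta(days=max_age_days):
            continue                      # established site: outside APP's remit
        reasons = []
        peak = peak_requests([r["ts"] for r in recs], window)
        if peak >= burst_threshold:
            reasons.append(f"burst: {peak} requests within {window}")
        submissions = sum(1 for r in recs if r["method"] == "POST" or "?" in r["path"])
        if submissions:
            reasons.append(f"{submissions} form submissions (POST or GET with query string)")
        pages = sorted({r["path"].split("?")[0] for r in recs
                        if any(w in r["path"].lower() for w in CREDENTIAL_WORDS)})
        if pages:
            reasons.append("credential-style pages: " + ", ".join(pages))
        if reasons:
            alerts[vhost] = reasons
    return alerts


def alert_email(alerts: dict) -> str:
    """Body of the notification APP would send to the administrators."""
    body = ["APP: sites needing review", ""]
    for vhost, reasons in sorted(alerts.items()):
        body.append(vhost)
        body.extend("  - " + r for r in reasons)
    return "\n".join(body)


# --- constructed sample data ---------------------------------------------
NOW = datetime(2005, 6, 11, 12, 0, tzinfo=timezone.utc)
SITE_CREATED = {"ebay-secure-update.example": NOW - timedelta(days=12),
                "bakery.example": NOW - timedelta(days=400)}


def constructed_log() -> list:
    """A 12-day-old vhost hit by a spam-driven burst, plus an old site's normal traffic."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(80):
        ts = (NOW - timedelta(minutes=i % 40)).strftime(fmt)
        path = "/ebay/login.php" if i % 2 else "/ebay/verify.php?acct=1"
        method = "POST" if i % 3 == 0 else "GET"
        lines.append(f'ebay-secure-update.example 198.51.100.{i % 250} - - [{ts}] '
                     f'"{method} {path} HTTP/1.1" 200 512')
    for i in range(10):
        ts = (NOW - timedelta(hours=i)).strftime(fmt)
        lines.append(f'bakery.example 203.0.113.{i} - - [{ts}] "GET /menu.html HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    print(alert_email(assess_sites(constructed_log(), SITE_CREATED, NOW)))
```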

I would hope that the major shared hosting providers are already running a process like APP.

Thursday, June 09, 2005

Do you know where your teens are and where they've been?



If you worry about where your teens are going, or where they've been, this gadget's for you.

"I'm staying overnight at Sara's house," your daughter tells you. Now there's a way to verify that everything's on the up-and-up. Hey, we all trust our kids. But, as Ronald Reagan used to say: trust... but verify.

SkyTel's new SkyGuard provides real-time location data, trip information, and location reports for up to 45 days. All of this is available through a web application.

You can even set up allowed and denied zones: an area a family member shouldn't leave, or a region they shouldn't enter. Real-time alerts can be sent to your pager, email account or a mobile phone. SMS text messaging is also supported.

If you're the paranoid type, this sort of technology can help set your mind at ease.

SkyTel: SkyGuard Features

The Littlest Big Man



The senior hoops writer at SportsLine, Gregg Doyel, tells us what's happening at the NBA draft camps. Will Bynum, a 5'10" guard from Georgia Tech, is wreaking havoc on the mock draft: dunking on players and even getting called for defensive goaltending...

Will Bynum isn't supposed to be here, much less be the most impressive player after one game of the 2005 NBA pre-draft camp. But that was Bynum out there Wednesday, dunking on bigger players, blocking shots and getting to the rim whenever he wanted...

...Matched against Marquette's Travis Diener or Utah Valley State's Ronnie Price at the Moody Bible Institute, Bynum did as he pleased offensively and showed his ridiculous hops by getting called for defensive goaltending.

The only thing Bynum didn't show was a jump shot, and the way he was getting to the rim, why bother? On one fast break, he broke down Price so severely, using a behind-the-back dribble, that a European scout broke into applause...


Doyel: 5-10 Bynum works on elevating draft status at camp

Protecting Consumer Data


Picture credit: http://www.perspectivemr.co.uk
The hits just keep on coming at Citigroup:

In February last year, a magnetic tape with information on about 120,000 Japanese customers of its Citibank division disappeared while being shipped by truck from a data management center in Singapore. The tape held names, addresses, account numbers and balances. It has never turned up.

And this week the company revealed that it had happened again--this time the loss of an entire box of tapes in the care of the United Parcel Service, with personal information on nearly 4 million American customers.


Here are some random thoughts on what every company should strive for when handling consumer data:

Catalog - catalog all sensitive data flowing through your systems: SSNs, dates of birth, credit-card and account numbers, etc. Know the fields that you hold and categorize any privacy fields as 'sensitive'.

Encrypt - sensitive data 'at rest' (meaning, on disk) should always be encrypted. Always. If a truck driver loses a backup tape, at least force any blackhat into a massive brute-force attack against it. Shipping around sensitive data in the clear makes about as much sense as handing the keys to a bulldozer and a six-pack to a 16-year-old boy.

Key management - when applications or subsystems need access to sensitive data, force them to retrieve keys from another subsystem managed by another department or team. After decryption, force them to purge the keys (i.e., keys are never stored on disk). Log all key access attempts. This division of labor provides checks and balances in terms of access to sensitive data.

Log analysis - analyze the log files. Who has been requesting keys? How often? Do their usage patterns make sense given their roles, or are there statistical anomalies when compared to similar types of users? These are the types of questions that, say, a ChoicePoint should be asking. Oops, I forgot, those issues aren't ChoicePoint CISO Rich Baich's problem.

Processes - are documented processes in place for verifying the categorization of sensitive data, ensuring data at rest is encrypted, managing keys, and analyzing logs? If not, ensure that processes are put in place and that they are followed on a regular basis to ensure the safety of sensitive data.

Audit - is the audit team reviewing the process documents to ensure that the processes are being followed on predetermined schedules?
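An added example (not from the post) tying the key-management and log-analysis steps together: a parser for a constructed key-access audit log, and a per-role comparison that flags users whose key-request volume is far outside that of their peers, or who were denied a key at all. The log format, user names, roles and the z-score threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit-log format written by the key-management subsystem:
#   2005-06-09T10:15:02Z user=alice role=billing key=ssn-key-v1 result=granted
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"key=(?P<key>\S+) result=(?P<result>granted|denied)$")


def parse_key_log(lines) -> list:
    recs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            recs.append(m.groupdict())
    return recs


def find_anomalies(recs, z_threshold=3.0, min_peers=2) -> list:
    """Compare each user's key-request volume with peers in the same role.
    Returns sorted (user, role, count, z) tuples for users far above their
    role's norm, plus any user with a denied request (a policy violation
    worth a look regardless of volume)."""
    counts = Counter((r["user"], r["role"]) for r in recs)
    denied = Counter(r["user"] for r in recs if r["result"] == "denied")
    by_role = defaultdict(dict)
    for (user, role), n in counts.items():
        by_role[role][user] = n
    flagged = []
    for role, users in by_role.items():
        for user, n in users.items():
            peers = [c for u, c in users.items() if u != user]
            z = 0.0
            if len(peers) >= min_peers:        # too few peers: no baseline
                mu, sigma = mean(peers), pstdev(peers)
                z = (n - mu) / sigma if sigma else (float("inf") if n > mu else 0.0)
            if z >= z_threshold or denied[user]:
                flagged.append((user, role, n, round(z, 1)))
    return sorted(flagged)


def report(flagged) -> str:
    lines = ["key-access review"]
    for user, role, n, z in flagged:
        lines.append(f"  {user:8} role={role:8} requests={n:4} z={z}")
    return "\n".join(lines)


def constructed_log() -> list:
    """Constructed: four billing clerks at about 20 requests each, one billing
    account pulling 400, and two support staff, one of whom was denied."""
    stamp = "2005-06-09T10:{:02d}:{:02d}Z"
    lines = []
    for user, n in (("alice", 20), ("bob", 21), ("carol", 19), ("dave", 22), ("mallory", 400)):
        for i in range(n):
            lines.append(f"{stamp.format(i // 60, i % 60)} user={user} role=billing "
                         f"key=ssn-key-v1 result=granted")
    for i in range(5):
        lines.append(f"{stamp.format(0, i)} user=erin role=support key=acct-key-v1 result=granted")
    lines.append("2005-06-09T10:05:00Z user=frank role=support key=ssn-key-v1 result=denied")
    return lines


if __name__ == "__main__":
    print(report(find_anomalies(parse_key_log(constructed_log()))))
```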

In short, we're not talking rocket science here. We're describing a relatively simple set of processes and the functional discipline to follow them. Given the financial risks of disclosing consumer data (i.e., check the graph of ChoicePoint's market capitalization), the time has never been better. Or you could simply risk having your organization highlighted on the front page of USA Today - in a non-flattering story.

The scramble to protect personal data