Enterprise Key Management in the news

A technical committee I’m working on, called Enterprise Key Management Infrastructure (EKMI), has made the news:

The OASIS key management standard, basically an API, would let you use a single key management solution on both platforms rather than try to manage separate key systems for each product that have different procedures and processes for the keys. This will make it easier to roll out encryption…

American hunger replaced with “low food security”

Senator Boxer has issued a statement about an odd change in US policy. Sorry I don’t have a link as this was sent to me directly:

The Department of Agriculture recently announced that it would remove the word “hunger� from reports on the nation’s food supply. Instead, it announced that it would use “low food security� or “very low food security� in its reports. I have written to Secretary of Agriculture Michael Johanns to express my displeasure over this change.

Officials at the Department of Agriculture report that the change in labels was not a plot to try to disguise or mask hunger in America. Instead, they claim that “hungerâ€? is too amorphous a phrase to describe, in their terms, ”a potential consequence of food insecurity that, because of prolonged, involuntary lack of food, results in discomfort, illness, weakness or pain that goes beyond the usual uneasy sensation.”

Although I have monitored the politics of food-aid and security for many years, I have to say it is not clear to me why a term like “hunger” suddenly would be seen as vague compared to “low food security”. Strange. Was someone offended to hear that people in America go “hungry”? Senator Boxer puts it this way:

I believe that most Americans are acutely aware of the meaning of “hunger,� especially when used in official reports meant to describe peoples’ access to the food supply.

Exactly, so perhaps that’s why they changed it? Now politicians can say “this report shows no one in America ever goes hungry“, even though the numbers might show 35 million people still experience “low food security” issues.

I’d write more, but you’ll have to excuse me as I’m experiencing a high bladder security issue…probably a result of my low food countermeasures.

UCLA warns of security breach

The identity alert site at UCLA has some late breaking news:

A sophisticated computer hacker has illegally and fraudulently accessed a restricted UCLA database containing names and certain personal information. This database includes UCLA’s current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing.

UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information. There is no evidence to suggest that personal information has been misused.

That’s a lot of data. Wonder if these big schools are considering breaking apart and isolating repositories in order to reduce the value of assets exposed by a single breach.

Did they really have to say “sophisticated” hacker? That seems to differ in tone from the detail in a breach notification message, distributed today:

Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

So which was more sophisticated, the hacker or the information security measures?

Unaccelerated measures. I know how that goes. Upper management often says “I know it’s required for compliance, and it sounds great, but can we do it later?” Costs more to do things late, but even more to do things late and fast. It’s hard to know where you need to accelerate the most if your budget isn’t able to cover all the lost time.

At the end of their email message is the following warning and advice:

This is an automated message regarding the recent identity alert at UCLA. We’re sorry, but we are unable to respond to emails. Please do not reply to this email. If you have questions or concerns and would like to speak with someone, please call (877) 533-8082. For additional information and steps to take, please go to the dedicated website at http://www.identityalert.ucla.edu.

Hard to tell if they do not want to respond to email because of the liability, vulnerability/compromise issues, or because phone line bandwidth tends to be far inferior to the unlimited capacity of email queues so they hope to throttle-down the amount of complaints coming into their inbox.

The letter also wisely points out that they will not be requesting any information from the victims:

Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.

I’m sure more details will emerge over the next few days.

Microsoft Word Exploit in the Wild

Just another day in the Office.

Here is an update to the Microsoft Word Remote Code Execution vulnerability announcement from just a few days ago. Another zero-day vulnerability has been found along with exploits in the wild:

…this attack used a new zero-day vulnerability in Microsoft Word. It is reported that the emails originated from a Yahoo! email account, which the hacker accessed through a mobile device CDMA link to conceal their identity. Security professionals claim the emails contain information about the political situation in Iran and attempts to entice recipients…

[…]

Experts claim the attack was designed to steal sensitive data through the recipient’s computer.

Moreover, Microsoft continues to investigate another proof-of-concept zero day flaw for Word discovered last week. However, neither of the vulnerabilities are expected to be tackled in tomorrow’s security update, Patch Tuesday.

It’s not clear what separates the two vulnerabilities, or if they are just variations of the same flaw.

I suppose the Microsoft advice is still to never open word attachments unless you can verify the sender’s identity and confirm their good intentions. Easy to do in an Office environment, right?

The December 12th security updates do not seem to mention either vulnerability, although they do show a re-release of MS06-059, which fixes a fix for an Excel remote code execution vulnerability.

Some Microsoft Excel 2002 users who have Microsoft Windows Installer 2.0 installed received indication that the original version of security update 923089 for Excel 2002 was installed successfully. However, the actual binary file, Excel.exe, was not updated to the secure version. The re-release version of security update 923089 for Excel 2002 corrects this issue.

Verifying the success of a patch should never be underestimated.