Category Archives: Security

Computer controls and conclusions

Donohue and Levitt are somewhat famous for their bold claim, published in the May 2001 edition of the Quarterly Journal of Economics, that legalized abortion has reduced crime.

The Economist just put forward an amusing update that discusses a Federal Reserve Bank of Boston working paper and counter-claim that is based on a re-test of the data and analysis of the computer code used by Donohue and Levitt:

Messrs Foote and Goetz have inspected the authors’ computer code and found the controls missing. In other words, Messrs Donohue and Levitt did not run the test they thought they had—an “inadvertent but serious computer programming error”, according to Messrs Foote and Goetz.

Fixing that error reduces the effect of abortion on arrests by about half, using the original data, and two-thirds using updated numbers. But there is more. In their flawed test, Messrs Donohue and Levitt seek to explain arrest totals (eg, the 465 Alabamans of 18 years of age arrested for violent crime in 1989), not arrest rates per head (ie, 6.6 arrests per 100,000). This is unsatisfactory, because a smaller cohort will obviously commit fewer crimes in total. Messrs Foote and Goetz, by contrast, look at arrest rates, using passable population estimates based on data from the Census Bureau, and discover that the impact of abortion on arrest rates disappears entirely.

I look forward to the question of this programming “error” being addressed by Donohue and Levitt. It does not seem to refute the premise of their conclusion outright as much as question the methodology and provide an opportunity to fix a control and re-run the tests themselves.

The big question, of course, is still whether there are controls that have a direct relationship to reducing crime and at what cost.

Top 10 Data Disasters

Ontrack has released its annual report on the top ten data disasters. It is a serious business, and Ontrack has built quite a reputation for saving the day(ta):

10. PhD Almost an F – A PhD candidate lost his entire dissertation when a bad power supply suddenly zapped his computer and damaged the USB Flash drive that stored the document. Had the data not been recovered, the student would not have graduated.

He must have been in a state of shock — “Teacher, the electricity ate my homework”.

4. Drilling for Data – During a multi-drive RAID recovery, engineers discovered one drive belonging in the set was missing. The customer found the missing drive in a dumpster, but in compliance with company policy for disposing of old drives, it had a hole drilled through it.

Can we please see the top ten without the remarkable recoveries included (just the failures)? That would be more interesting, I think. Or, as the famous WWII story goes, if you are going to better protect your pilots you should review the planes that were shot down rather than just the ones that returned.

Apple Turn-Offs

Don Norman, former VP of Apple’s Advanced Technology Group, posted a comment on TedBlog about a common failure of Apple designs:

But now let me tell you my pet peeve: the on-off switch of both the regular iPods and the Shuffle. Historically, one thing Apple has always gotten wrong – on all products, big and small — is the power switch (I even wrote a book chapter about this once). The iPod on-off is a mystery to behold, a mystery to explain to others. The Shuffle is even worse. You have to slide a very-difficult-to-slide slider down some unknown amount. It has two settings, but no marking to let you know where you are. Actually, it has markings but they have zero correspondence to the switch setting. You know, this is NOT a tradeoff. Having a little mark on the sliding part and corresponding labeled terms on the fixed case would be trivial to do. Make usage smoother and easier. Cost no money. Bah.

Why is the slider so hard to slide? Their Industrial Designers seem not to have heard of friction — the fingers slip over the nice smooth surface, while the switch remains stationary. Finally when I finally squeeze really hard, the slider does move, but too far, to the wrong position. And those blinking lights. Secret codes that mean who-knows-what. It sometimes takes me 5 minutes to get my Shuffle to start playing, me continually sliding the switch up and down, pushing various buttons, watching lights go on, blink on, flash, turn various colors. All meaningless.

Just the other day I was reviewing racks of servers with bright warning lights. “What does that indicate?” I asked the admin responsible to see if they could decipher the code. Unfortunately, I was told something similar to what Don might have guessed, “no idea, but they seem to come and go.”

All the way from the personal mp3 player to the datacenter, the sole LED has become a cornerstone of messaging and yet no one seems to be very worried about learning how to interpret its meaning. The old-school hex number codes were one thing, but it seems like an amber or green light blinking erratically is almost guaranteed to be ignored.

To be fair, Don could have mentioned that Apple does provide an iPod shuffle reference card to break the codes.

I like the Check battery code: if you do not see a light, there is no charge. Ah, yes, and if your shuffle is wet, it must be raining.

PodCast Hijacking

Corante has an interesting warning about podcasting security. It seems that if you are not careful, someone else might register your podcast for you, pointing listeners at a link they control, and then (as a man-in-the-middle relaying your feed) wait for an opportune moment to turn off that link and blackmail you.

Ease of adoption strikes again. Authentication of an RSS feed might be a good idea, even if it costs a moderate amount of flexibility. Podcast certificates anyone?

Can you survive without a hard drive?

NEC has announced a new laptop that has no hard disk drive, perhaps with the intention of preventing any loss of confidentiality if a powered-off system is lost or stolen:

Local storage resides in the computer’s RAM, which is cleared when the machine is switched off, thus removing any potential security risk from data theft but also requiring a backup before the computer is switched off. This can be done with a central server or, should a network not be available, to a USB memory device, [a spokesman for the Tokyo company] says.

It’s peace of mind for many, I’m sure, but most attacks still happen when the computer is switched on and connected to a network. Just a few more thoughts:

1) This could be a glimpse of the future when online security becomes so strong that remote attacks become truly remote, meaning the physical security of traditional PCs with massive local storage (80 GB and more) may be the weak link of tomorrow.

2) Saving files to USB doesn’t seem like it provides any real consolation unless the USB device is encrypted or has some other controls (pill-format that can be easily swallowed?) to prevent loss. Not to mention USB fobs tend to be volatile and have the annoying habit of wiping themselves without warning, so I wouldn’t exactly rely on them without some kind of extra assurance.

3) This is likely to be transformed into something a little more practical such as an Internet cafe system, or public kiosk. Restart the system and you know it is clean. That type of environment would easily justify the extra expense. I don’t see the cost being justified in a personal laptop sense (yet) for the prior two reasons.

4) Personally, I would love to have an instant-on thin client interface at home, which would rely on a centralized redundant array of inexpensive disks. Nothing in the market is really there yet for the home user. Yet, the NEC system suggests we could be nearing an age when a true thin-client and server-like solution could be in every home (“honey, I think we need to upgrade the datacenter”). And then we could talk about home security in a similar manner to large corporations (layers and defense-in-depth) instead of a random smattering of desktops littered around a household trying in vain to share files and migrate profiles without excessive self-exposure.

Have to give NEC some credit for pushing the envelope on security. The last thing I saw from them was a massively-redundant 4U server that promised better than five nines (less than 5 minutes of down-time per year). See? You put that thing in your basement with HVAC conditioning and a few of these laptops around the house…as soon as the price comes down to earth I’m on it.

Cool company.

Sony versus F-Secure

Yet another development in the Sony DRM saga. Looks like Sony might have moved rather slowly after they were first alerted to a serious risk to consumer safety. BusinessWeek has a fascinating update called “Sony BMG’s Costly Silence”:

Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 — nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn’t understand the software it was introducing to people’s computers and was slow to react.

“If [Sony] had woken up and smelled the coffee when we told them there was a problem, they could have avoided this trouble,” says Mikko H. Hypponen, F-Secure’s director of antivirus research.

Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis.

Indeed, I think it fair to say Sony BMG’s response was scrambled. To make matters even worse, the Attorney General in New York very recently found the rootkit still being sold on music shelves in his state. More from BusinessWeek:

Spitzer’s office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets — and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart (WMT), BestBuy (BBY), Sam Goody, Circuit City (CC), FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer’s office.

This is not only a “cautionary tale for other entertainment companies hoping to make use of copyright-protection software” but a horrifying lesson in how NOT to handle incident response.

My question is why Wal-Mart, BestBuy, SamGoody, Circuit City, FYE and Virgin Megastore are not taking action. Are they liable for selling known malware from their shelves? I mean if you are a retailer and you get a notice (or read the news, for pete’s sake) that something is harmful to consumers, are you at fault if you keep selling it?

“It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year,” Spitzer said in a written statement. “I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony.”

Actiontec UDP ports 517 and 518

Responded to an odd incident tonight.

An admin noticed UDP ports 517 and 518 were reported as open on a linux system, but they knew of no services that were supposed to be attached to them:

    # nmap xx.xx.xx.xx -sU -p 500-520
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-28 23:20 PST
    Interesting ports on xx.xx.xx.xx:
    (The 19 ports scanned but not shown below are in state: closed)
    PORT     STATE          SERVICE
    517/udp  open|filtered  talk
    518/udp  open|filtered  ntalk

No services seemed willing to confess that they were using the ports flagged by the network scan:

    # netstat -tunap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5387/mysqld
    tcp        0      0 :::80                   :::*                    LISTEN      5633/httpd2-prefork
    tcp        0      0 :::22                   :::*                    LISTEN      5356/sshd
    tcp        0      0 :::443                  :::*                    LISTEN      5633/httpd2-prefork

Monitored all traffic to the port via tcpdump, and saw no unusual UDP packets. Tried to establish communication with the listener, but it instantly closed the connections. Did a quick rootkit check and looked for signs of hidden processes, trojaned binaries, etc. on the system but it came back clean. Considered doing a signature match on the binaries themselves, but then had a hunch that a network device might be at fault.

Swapped the Actiontec GT701-WG for a Cisco 678 and, sure enough, the ports came back closed:

    # nmap xx.xx.xx.xx -sU -p 500-520
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-28 23:36 PST
    All 21 scanned ports on xx.xx.xx.xx are: closed

That might be enough to fingerprint the Actiontecs of the world (scan Qwest address blocks for UDP 517/518). It might also be worth isolating the device to get a better idea of how broken/exposed it is, if it turns out enough people are still using these things.
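The two scans above differ in one word that is easy to read past: open|filtered is nmap’s way of saying nothing came back. A UDP probe that draws an ICMP port-unreachable is reported closed, one that draws a reply is open, and one that draws silence could be either a service that ignores junk datagrams or a device on the path eating the packet, which is exactly what swapping the gateway revealed. The following Python script is an added example, not code from the original post: it probes a port the same way and reproduces the three outcomes against loopback listeners it creates itself (the host, ports and listeners are constructed for the demonstration).

```python
# Added example (not from the original post): a minimal UDP probe that reports
# results the way nmap -sU does, to show why "open|filtered" on 517/518 is not
# evidence of a listener on the scanned host. The loopback host, the ports and
# the throwaway listeners below are assumptions constructed for the demo.
import socket
import threading


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Send one UDP datagram and classify the outcome like nmap -sU.

    'closed'        - the kernel received an ICMP port-unreachable: nothing is
                      bound on that port at whatever answered the probe.
    'open'          - a UDP reply came back: a service is definitely there.
    'open|filtered' - no answer within the timeout: either a service that stays
                      silent on an unexpected datagram, or something on the path
                      (a firewall, a DSL gateway) dropped the probe. The probe
                      cannot tell these two cases apart.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() makes the kernel report ICMP errors for this flow as
        # ECONNREFUSED on the next send/recv instead of silently discarding them.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def silent_listener(host="127.0.0.1"):
    """Bind a UDP port that never answers (a stand-in for talk/ntalk, which
    ignore malformed input). Returns the socket and the port it was given."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]


def echo_listener(host="127.0.0.1"):
    """Bind a UDP port that echoes one datagram back, so the probe sees 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    s.settimeout(5)

    def serve():
        try:
            data, peer = s.recvfrom(1024)
            s.sendto(data, peer)
        except OSError:
            pass  # socket closed or timed out before a probe arrived

    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


def free_udp_port(host="127.0.0.1"):
    """Pick a port with nothing bound on it, so a probe draws port-unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the three cases against loopback and return their classifications."""
    results = {}
    quiet, qport = silent_listener()
    results["silent listener"] = probe_udp("127.0.0.1", qport, timeout=0.5)
    quiet.close()
    echo, eport = echo_listener()
    results["echo listener"] = probe_udp("127.0.0.1", eport)
    echo.close()
    results["nothing bound"] = probe_udp("127.0.0.1", free_udp_port())
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:16s} -> {state}")
```

Run as a script it prints open|filtered for the silent listener, open for the echo listener and closed for the unbound port; the first and the last are the same difference the two nmap runs showed, and the silent listener is indistinguishable from a gateway dropping the packet. Later nmap releases expose this directly with --reason (no-response versus port-unreach), which is the first thing to check before hunting for a hidden listener on the host.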

Real Cheese

It was only a matter of time before I created a food category. A small block of Taleggio Cheese finally pushed me to document a few fun food facts:

First of all, who knew that a cheese might have a union? After tasting a fine slice of Taleggio this evening I found a site called the Consorzio per la Tutela del Taleggio, which provides English information under the title “The Union of Teleggio Cheese”. According to the Union:

“The Taleggio cheese is, therefore, one of the Italian cheeses whose peculiar characteristics are protected by the European Union, and it is for that reason that milk supplying, its production and its seasoning must be effectuated in the area indicated by the Italian and community legislation.”

Second, the Taleggio moniker apparently requires a certain degree of enforcement. Perhaps if you eat enough of the stuff you might develop a taste for it like bourbon versus rye whiskey, or merlot versus pinot, etc. It thus stands to reason that if a Taleggio doesn’t achieve compliance with Union cheese laws it will not get the required stamp of approval:

“The Union was, since 1981, charged to the vigilance on production and on commerce of the Taleggio cheese, the Union marks each cheese conforming to the requisite specified in the disciplinary of production.”

Sadly, I must confess that I was uninformed as a consumer about how to validate the authenticity of my cheese until after I had eaten it. Next time I will definitely check to see whether I am about to purchase contraband Taleggio, or at least cheese with a forged seal of authenticity.

Real Taleggio

Warning: This entry was written while under the influence of Taleggio

US Senate to consider Data-Breach Bill

Just before the 2005 Thanksgiving holiday the Senate Judiciary Panel approved a Personal Data Privacy and Security Act, authored by Specter and Leahy. The soon-to-be-called “Specter-Leahy Act”, also known as the SLA, has some exceptionally vague language even compared to laws (already in effect) at the state level:

  • Giving individuals access to, and the opportunity to correct, any personal information held by data brokers;
  • Requiring entities that maintain personal data to establish internal policies that protect such data and vet third parties they hire to process that data;
  • Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;

In my experience the use of the word “reasonable” in California’s AB 1950 has been remarkably useful in discussions about how to comply. Unfortunately, I do not see anything comparable here that would help clarify when law enforcement should be contacted or how to measure the internal policies for effectiveness (it is easier to draw a line for “reasonable encryption”, for example, than for “protective policies”). Enforcement, on the other hand, seems to be very precise:

  • Section 103 makes it a crime for a person who knows of a security breach requiring notice to individuals under Title IV of this Act to intentionally and willfully conceal the fact of, or information related to, that security breach. Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both.
  • Any person who, during and in relation to a felony violation of the computer fraud law, knowingly obtains, accesses or transmits a means of identification of another person without lawful authority, may be imprisoned for up to 2 years in addition to the punishment provided for such felony.

Rumor had it that a Representative from Oklahoma was lobbying to delay consideration of the bill by talking turkey, which caused some to suggest that Cole might stop the SLA from being passed. Ha, just kidding.

Visa provides free PCI scanning service

After months of negotiating contracts and fees in the US for Visa PCI compliance assessments, I just ran into this odd bit of news from Canada that Visa has offered to provide free scans indefinitely. Does this mean there is no need for a certified PCI assessor if you are a Tier 2 merchant or smaller?

According to Visa, the free service, which uses a U.S. vendor but is available across the Asia-Pacific, will be provided “indefinitely” at this point to all merchants that accept Visa cards for payment of goods and services.

Lodens [Visa’s head of third-party assurance] said Visa’s main message, that merchants and third-party processors should not be storing card information, remains unchanged.

“If there is a need for that, then [merchants] need to protect the information,” he said, adding that card-holder data should not be stored. “Where we see incidents of compromise is because merchants are unnecessarily storing information.”

Yes, please do encrypt if you must store the data. And please do protect the keys if you must encrypt…but free security scans from the Payment Card Industry? More research required.