BP Shoots and Kills Polar Bear

A guard at a BP facility in Alaska is said to have shot an endangered polar bear with an explosive shotgun charge. The bear died from internal injuries a few days later.

Late in the evening of Aug. 3, a security guard, employed by Purcell Security, saw what turned out to be a female polar bear walking down the Endicott causeway and headed for an employee housing area. The guard flashed his vehicle lights at the bear, honked his horn and sounded his siren but the bear would not leave the area and instead approached the vehicle and began to act aggressively.

The guard pulled out his 12-gauge shotgun and fired what he thought was a bean bag round at the bear. The less-lethal ammunition is designed to hit the bear in the hindquarters and drive it away.

The bear did run off at that point and BP reported the incident to the Fish and Wildlife Service, as required.

But a few days later, the bear returned, swimming off to the west and ending up on a shallow island area near the four-mile long causeway and 30-acre gravel drilling pad.

BP workers could see the bear through binoculars and continued to monitor it. But sometime between the night of Sunday, Aug. 14 and Monday morning, Aug. 15, they realized the bear was dead.

Such a lethal and high-profile mistake has led BP to say it will now consider ways to avoid making another one.

[BP Alaska spokesman Steve] Rinehart said all ammunition will now be clearly marked by its type, with specific packaging colors and labels.

A “back-up bear hazer” also will be required to be on hand and verify that the correct ammunition for the level of hazing is about to be used, he said.

“We want to make completely sure that whatever guard is involved in a hazing incident knows exactly what type of hazing round is being used if it comes to that,” Rinehart said.

The solutions indicate confusion over ammunition type (lethal/non-lethal) and reliance on a single, unverified source. In other words, they did not anticipate any harm from grabbing a lethal charge by accident, and they had no method set up for independent verification after a lethal accident. Both amount to highly irresponsible management of risk when handling lethal force.

Here’s a good question for the investigators. At what point after shooting an endangered animal should a shooter inventory their ammunition and confirm that they did not harm the animal? Should they wait until it is dead? Was the facility manager looking through the binoculars and saying “Yup, she’s dead. I guess that means it was one of the lethal rounds…”?

It’s unfortunate that BP management demonstrates they will allow a lethal accident to happen before they take even simple measures to reduce the risk of that accident, let alone maintain controls (e.g. responsibility) for high-risk decisions.

You might think BP, a company full of environmental and mechanical engineers, could design and build a campsite that is passively resistant to bears and therefore not so easily threatened by them. Perhaps instead they did a quick calculation and found it far less expensive to kill endangered animals in their way and just claim a lack of awareness?

iRank App

The National University of Singapore has announced the winner of a 24-hour coding competition. Here’s the goal:

…a 24-hour programming competition, encourages students and faculty to develop customized applications that advance the search and discovery process of scientific information.

So you might be thinking there would be some cool new scientific tools being developed. Maybe students have added perspective and a new way of thinking about problems, based on data discovery? No, instead the winner is a Google modification — a search engine that ranks scientific papers based on reputation.

First place: Zhao Shanheng and Zhong Zhi, of NUS, developed the iRank Apps, an application which ranks institutes by the number of papers returned in the top search results. This tool can help students decide where to apply for their PhD or pursue postdoctoral research in their chosen field.

Google’s reputation-based system has advantages, but it also has risks. It requires you to trust external sources of verification — the peer-review system depends on the quality of the peers. That seems highly unscientific. It’s a second-person or even third-person view of data.

So the first place award goes to an app that tells you what the search engines tell you about what the peers tell you about papers from institutes. It is a popularity contest app that is at least three steps removed from an actual review of source material.

The huge irony, of course, is that the contest appears to have had a controlled/trusted system to determine the winner. How quaint. Perhaps they should have instead thrown the apps into public search engines and let the one that hits the top search results win. Otherwise, I would say their decision to review and vote for iRank App in a closed system contradicts the mission of the iRank App…

FedCloud at VMworld 2011

I have been asked a few times about details of the Federal track at VMworld this year in Las Vegas so I thought I would just post the information here for convenience.

Note that all the Federal sessions are security and/or compliance related:

Session ID and Title

  • CAP1992 Building Resilient, High Performance, Distributed Applications that are Data-Intensive
  • SEC1544 Compliance and Trust in the Cloud
  • SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review
  • SEC1980 Department of Defense Reference Architecture using vShield
  • SEC2114 Customer Panel: Ensuring Compliance in a Virtual World
  • SEC2162 Achieving a Trusted Cloud
  • SEC2192 Case Study: Building a Virtual Data Center at the Department of Homeland Security to Meet FISMA Moderate to High Data Security Requirements
  • SEC2942 Building Trusted Clouds – Proof Points not Promises
  • EUC1988 Case Study: Using VMware View to Strengthen Disaster Response Systems for Federal Agencies
  • SEC2284 Securing Government Virtual Environments: Part II
  • EUC2048 Panel Discussion: Modernizing the Desktop to Provide Better Business Continuity while Reducing Operational Costs for State and Local Government

Aside from helping prepare some of the compliance sessions, I am presenting on the art of applying penetration testing skills to the cloud. And I’ve been asked to sit on a PCI expert panel. Hope to see you there:

  • SEC1236 Penetration Testing the Cloud
  • SEC2484 PCI-DSS Compliant Cloud—Design and Architecture Best Practices

Come see how far things have progressed since the early days of VMware.

Beware: Townsend Key Management HSM for SQL Server

Today I received an email “newsletter” from the CEO of Townsend that announced a new product for database encryption:

Today we are excited to announce the availability of our new Alliance Key Manager for SQL Server (AKMSS). AKMSS is a Hardware Security Module (HSM) for encryption key management that protects access to your encryption keys.

A quick look at the specifications, however, reveals an odd gap between the marketing language and the actual product.

First, they seem to have stretched the phrase “Hardware Security Module” (HSM) to mean software running on a standard Linux x86 system. It used to be that an HSM had a specific meaning for cryptography. Wikipedia, a general reference, gives us this:

[HSM] are physical devices that traditionally come in the form of a plug-in card or an external TCP/IP security device that can be attached directly to the server or general purpose computer. […] The tamper evidence, resistance, and response – tamper protection – are the key and major differences HSMs have from usual server computers acting as cryptographic accelerators.

The Townsend product does not appear to meet the basic definition of an HSM.

Second, Townsend themselves say on their product specification page that they have achieved validation only to NIST FIPS 140-2 Level 1. So they use only software-based security to protect the keys. FIPS 140-2 Level 1 by definition implies a software-based crypto-module, since crypto-hardware certification begins at Level 2. A quick check of the NIST FIPS Validated Modules list page reveals that item #1449 carries the following text:

When operated with the Red Hat Enterprise Linux 5 OpenSSL Cryptographic Module validated to FIPS 140-2 under Cert. #1320 operating in FIPS mode (approved algorithms retested on listed operating environment)

Townsend’s “HSM” thus derives its FIPS security from an open-source OpenSSL software module, which achieved FIPS certification through open-source community efforts; that OpenSSL crypto-module is their source of FIPS certification. That’s a good start, but use of this crypto-module when not in FIPS mode would negate their FIPS-certified security.

Note: searching for the string 1320 on the NIST list page shows that many companies derive their FIPS certification from OpenSSL, including IBM (see #1433).

Townsend Security makes a good case for the need for an HSM in the market, but, judging from their product specification, that does not appear to be what they are actually offering for sale yet. It reads like just a software-based key-management system, relying on OpenSSL for FIPS security, running on a Linux system. It does not provide the same level of security that even a TPM would provide, let alone a FIPS 140-2 Level 2 or above certified cryptographic hardware security module.

They suggest this product is a solution for compliance, but buyer beware. I find their marketing material misleading because it equates low and high security levels:

Certified Solutions Ensures the Highest Level of Compliance with Regulations

Alliance Key Manager for SQL Server 2008 is certified to the FIPS 140-2 Level 1 specification.

Level 1 is the highest level? Um, no. Level 1 provides the lowest level of compliance with regulations. And they say it ensures…let’s not even go there.

AWS Splits Up Cloud to Achieve Compliance

A recent interview I gave has turned up in a SearchCloudComputing.com column:

…GovCloud is an admission by Amazon that it cannot modify its entire cloud so it will isolate data and applications completely. Instead, it has to carve it up.

History shows us that most breaches come from out of scope, “isolated” systems that are not truly separate. The attackers enter through a back door, a system that’s connected to the backplane for emergency use only but gets them into the rest of the network. Could a contractor who is not a U.S. citizen get in under ITAR? Is Amazon hiring separate administrators to run GovCloud?

AWS itself admitted that the major outage of its Elastic Block Storage service in April happened because it did not have good separation of systems. Has it just created a false sense of separation between the GovCloud secure zone and the rest of AWS? It’s certainly given potential attackers something to look for.

I actually said Amazon chose not to modify its entire cloud. They probably had the option to make AWS secure enough to comply with ITAR but apparently it was not worth the expense, so they chose to reduce exposure to the compliance requirements through segmentation. The first thing that jumped into my mind is whether they will charge a premium to be in GovCloud — charge more money to guarantee that employees are U.S. citizens. Otherwise, who in the U.S. wouldn’t want to move all their workloads into GovCloud?

Meal Worm Tacos

The fresh tacos served by Don Bugito in San Francisco are delicious:

Monica Martinez plans to start an insect food cart in San Francisco through an incubator that helps mainly women and immigrant food entrepreneurs start up businesses. Ms. Martinez wants to feature insect dishes based on Hispanic foods but grown locally, such as a ceviche-like cricket dish and soft tortilla tacos with meal worms and green salsa.

Don Bugito's Incubator

I am told worms are a far more sustainable source of nutrition, with “protein content as much as twice that of beef”, and they are a “centuries-old” traditional meal. Makes perfect sense to me, so I didn’t mind buying them for lunch.

As I munched down my second worm taco on the street a cameraman walked up and said he needed a quote for an AP story.

I stared into the camera and said “…much better than meat!” I wonder if the footage will pop up somewhere.

Later I realized I should have said something more like “feels great to be the early bird” or “I guess now I know what it’s like to have baited breath” or “it doesn’t bug me at all” or “tastes like butter…fly” or “finally, here’s some global worming we can feel good about”. Anyway, they really are delicious.

Update: Insect cuisine puts a whole new spin on agricultural risk management.

Farmers on the outskirts of Mexico City were spending large amounts of money on pesticides to kill grasshoppers, Garcia Oviedo said, until they found they could get more money for the edible bugs than for their crops.

“Now, these farmers are planting a cheap kind of corn, just to serve as a trap to catch grasshoppers,” he noted. “They’ve seen that it’s better to have a crop with pests.”

Shionogi vSphere Breach

The US DoJ released a press announcement two days ago that says a virtualized environment administrator has admitted to a serious breach.

In the early morning hours of February 3, 2011, Cornish gained unauthorized access to Shionogi’s computer network. Cornish used a Shionogi user account to access a Shionogi server, then took control of a piece of software that he had secretly installed on the server several weeks earlier.

Cornish then used the secretly installed software program to delete the contents of each of 15 “virtual hosts” on Shionogi’s computer network. These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent of 88 different computer servers.

That “secretly installed software program” they are talking about sounds really nefarious, but it is actually just VMware vSphere. It is explained better in the formal complaint.

…on or about January 13, 2011, defendant Cornish accessed the CVAULT account and used that to install vSphere — the software program believed to have been used to delete Shionogi’s virtual hosts…officials advised that there was no legitimate business reason for vSphere to be installed or running on the SPVC01 Server.

The press release says Cornish did not attempt a sophisticated attack. He accessed his ex-employer’s network and installed vSphere from his home network. When he connected again to cause harm (two weeks later) he went to a McDonald’s and used his credit card to buy breakfast before using the free wifi.

The investigation by the FBI’s Cyber Crimes Task Force revealed that the attack originated from a computer connected to the wireless network of a Smyrna McDonald’s where Cornish had used his credit card to make a purchase minutes before the attack. Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.

The formal complaint again gives more detail.

According to McDonald’s business records, a Visa credit card number ending in 8291 (“the 8291 Visa”) was used at the Smyrna McDonald’s to make an approximately $4.96 purchase…approximately 5 minutes before the attack…

Approximately $4.96? I’d like to see a more exact purchase record.

It seems like he either wanted to be caught or didn’t care much about the risk. Google confirmed that the same credit card number that bought breakfast was linked to an email account used by Cornish. And the credit card issuer, BofA, confirmed that Cornish is the account holder.

Given the timeline and the software and network details, this case really boils down to termination procedures and risk management. It’s not about secret software. It’s about a bad actor who abused trust. Cornish worked for Shionogi from 2009 to 2010. The complaint suggests his attack was successful because he could authenticate to and use systems many months after his departure without being noticed.

So, on the one hand the DoJ press release is a success story. Logs were available from multiple sources for at least six months of activity and were used to quickly apprehend an attacker and get him to admit the crime. On the other hand the details of the attack raise a question of precautions and operational awareness.

It is unfortunate that Shionogi was a victim of this crime, but will someone say they should have taken better care, like changing passwords after staff were terminated or left? In other words, should a company be externally required to take precautions against an availability loss if there is no impact outside the company (e.g. no regulated data risk)?
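One simple control that would have surfaced the pattern in this case is to cross-check authentication logs against HR separation records. The script below is an added example, not code from the DoJ complaint or from Shionogi; the account names, separation dates, address ranges and log lines are all constructed sample data.

```python
"""Flag successful logins by accounts whose owner has already left.

Added example with constructed data: account names, dates, networks and
log lines are assumptions, not values from the Shionogi case.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed HR separation records: account -> last day of employment.
SEPARATIONS = {
    "ex_admin": datetime(2010, 10, 29),
    "ex_contractor": datetime(2010, 12, 17),
}

# Constructed internal address space; any other source counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed authentication log: "<date> <time> <account> <src_ip> <result>".
AUTH_LOG = """\
2011-01-13 02:14:07 ex_admin 203.0.113.45 SUCCESS
2011-01-13 09:30:00 asmith 10.1.4.22 SUCCESS
2011-01-20 11:02:51 ex_contractor 10.1.4.90 FAILURE
2011-02-03 05:41:20 ex_admin 198.51.100.9 SUCCESS
2011-02-03 08:05:13 asmith 203.0.113.12 SUCCESS
"""


def parse_auth_line(line):
    """Split one log line into a dict with a datetime and parsed address."""
    date, clock, account, src, result = line.split()
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "account": account,
        "src": ip_address(src),
        "ok": result == "SUCCESS",
    }


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts, start=time(7, 0), end=time(19, 0)):
    """Assumed business hours 07:00-19:00; anything else is off hours."""
    return not (start <= ts.time() < end)


def stale_account_logins(log_text, separations=SEPARATIONS):
    """Return successful logins that post-date the account owner's last day.

    Each finding carries days elapsed since separation plus two triage
    signals that also feature in the case timeline: an external source
    address and an off-hours timestamp.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_auth_line(raw)
        last_day = separations.get(ev["account"])
        if last_day is None or not ev["ok"] or ev["ts"] <= last_day:
            continue
        findings.append({
            "account": ev["account"],
            "when": ev["ts"].isoformat(sep=" "),
            "days_since_separation": (ev["ts"] - last_day).days,
            "external_source": is_external(ev["src"]),
            "off_hours": is_off_hours(ev["ts"]),
        })
    return findings


if __name__ == "__main__":
    for finding in stale_account_logins(AUTH_LOG):
        print(finding)
```

On the sample log this reports two logins by ex_admin, 76 and 97 days after separation, both from external addresses and both off hours; failed attempts and accounts with no separation record are ignored.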

It’s a classic case of attack economics. Should a business invest in thicker glass, replace their glass altogether, or improve the chances of catching someone who throws bricks? A related question would be whether and when a victim should realize the level of risk. Did Shionogi make a conscious decision to leave themselves exposed, or were they somehow led to believe they were safe from easy but devastating harm ($300,000) by former employees?

It’s a good case study of security and compliance, as well as of the double-edged nature of remote administration tools in virtual environments.

vCenter Orchestrator AMQP Plugin Released

VMware’s vCenter Orchestrator has a plugin now to develop and automate workflow with the Advanced Message Queuing Protocol (AMQP) — manage brokers and run custom operations.

With this new plug-in, organizations will be able to define policies that automatically trigger specific workflows based on certain AMQP messages. For instance, as part of a vApp pre-provisioning activity in vCloud Director (vCD), vCenter Orchestrator (vCO) can intercept the provisioning request and automatically fetch an IP address from an external system before telling vCD to proceed with the provisioning activity. Or, upon detecting that the vApp provisioning operation is complete, vCO can update CMDBs and other management systems with information about the new vApp instance. What’s more, the AMQP plug-in provides the ability to not just monitor but also publish AMQP messages and conduct administrative tasks such as configuring AMQP brokers and managing queues. Finally this plug-in supports VMware vFabric RabbitMQ as well as other implementations of AMQP.

AMQP is a wire-level protocol, as I mentioned earlier with regard to sniffing.

Terror/Hate Crimes Continue in Santa Cruz

The news in 2008 was of bombs.

Firebombs were intentionally set on a porch and in a car belonging to two UC Santa Cruz researchers in separate incidents early Saturday in what police have classified as acts of domestic terrorism.

Police are calling one of the bombings an attempted homicide.

That case, because of a perceived terrorism association, was taken extremely seriously and turned over to the FBI and ATF. It sets an interesting comparison to crimes that have followed.

A year later swastikas were displayed openly in the downtown area, but police protected the display as a form of free speech.

“You can’t regulate what’s on the inside of somebody else’s house,” said police spokesman….

The man apparently rotates the swastika flags with other, less controversial banners, and Friend said police started receiving complaints of Nazi flags about a month ago. Over the weekend the resident hung America’s Old Glory and Britain’s Union Jack under two Nazi flags. Monday, he hung a modern German government flag between the two flags of the Third Reich.

Of course the police spokesman is wrong. There are many regulations that affect what is on the inside of someone else’s house.

But I can give him the benefit of the usual free speech argument, which the article mentions. It became clear early in 2011 that the residents of the California beach town were in fact facing a serious and persistent test of free speech.

The question of hateful speech and expression spread to the high school. Students who decided to openly identify themselves with white supremacy and swastikas were suspended.

Students at a Santa Cruz County high school have been suspended for suspected scrawling of racist graffiti and joining together in a white supremacy gesture while the senior class picture was being taken, school officials said Friday.

This was treated as a relatively isolated and local affair, but it showed the problem of expression was not isolated to a single resident’s window. Shortly before this incident and the suspension, the University had quietly reported a similar crime.

Campus officials discovered graffiti on March 15 in a men’s restroom in Porter College that included swastikas and the message, “Blood will be shed at UCSC 4/20/11.”

Now, at the end of July, the swastikas have come out again. This time the possible hate speech was coupled with significant property damage, not far from the high school and the University.

Vandals damaged about 50 vehicles—slashing tires and etching swastikas into the paint—on the western side of the city overnight, Santa Cruz police reported.

Most of the vandalism happened on and around Almar Avenue, all between 11 p.m. Friday and 1 a.m. Saturday, according to Santa Cruz police spokesman….

The reaction to the swastikas this month seems similar to the reaction ten years ago. In 2001 the University Student Rabbi downplayed the information conveyed by the symbol.

“This was probably the act of a 15-year-old and I would hate for it to be blown out of proportion,” he added.

Even more to the point, Santa Cruz has been mentioned in the “Save the Swastika” movement, which is trying to reclaim the symbol’s meaning. It posts images of swastika body scars, tattoos, clothing, etc.

There is a problem, obviously, for anyone who hopes to paint a nicer image or downplay the significance of the symbol. The swastika clearly continues to be used alongside destructive and criminal activity (not to mention that it is still very much associated with genocide). The police say they already consider the latest vandalism a possible hate crime. Compared with the 2008 attempted bombings, I wonder if attacks bearing swastikas will at some point also be considered a form of domestic terrorism. There also could be irony here. The police may be able to redirect immigration control resources from larger/federal agencies and use them to protect residents from the greater domestic threat: criminals bearing white-supremacy logos.
