Saturday, December 19, 2009

How to Avoid Online Scams



Lifehacker has a good article on how to avoid various online scams, such as: avoiding bank scams, protecting your password, using strong passwords, not buying anything unsolicited, and generally looking out for deals that look too good to be true (and often are!)

[ Link ]

Monday, December 14, 2009

Quad Cities FIRST Lego League Challenge

There was a FIRST Lego League regional meet at the Putnam Museum on Saturday. Quite a good turnout, with a couple hundred kids (aged 9-14), parents and teachers from the region. The event was co-sponsored by the Quad Cities Engineering and Science Council and Iowa State University. To learn more about FIRST programs, like this, visit http://www.usfirst.org.

[ Article from QC Times ]

Friday, November 20, 2009

The Evolving Role of the Security Manager

Dan Kaplan, a senior editor at SC Magazine, wrote an excellent piece on the evolving role of the security manager and the value of security certification and training, in this month's "20th Anniversary" issue of SC Magazine. Dan included some of my comments, as well as those of other security leaders and innovators. Worth a read.

[Read the SC Magazine Article here.] [2nd Link]

Thursday, November 19, 2009

New Quad City Cybersecurity Group Formed

I've created a new group for the Quad City area, focused on cybersecurity issues. We also discuss infrastructure protection, physical security and related computer topics. At this time, the group is vetting new members, and we intend on meeting monthly. We met this last week for coffee, at Starbucks in Bettendorf, IA.

If you are a security expert, computer professional or interested community member, join us on Facebook or LinkedIn.

LANL Fails Again on Cybersecurity Efforts

New security weaknesses have been identified in a recent GAO audit of Los Alamos computer systems. Having been a network and security manager, briefly in the 1990s, this comes as no real surprise. But, I would have thought after a spate of incidents in the past 13 years since I left to form my own company, they would have figured out a better way to protect their classified networks.

Los Alamos National Laboratory has spent $45 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network.

The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos' management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.


[Read More]

U.S. Cyberwar Planning

Progress on a plan for not only cyberdefence, but also cyber-warfare has been made. Meanwhile, Obama still has not chosen a "US Cyber Czar"... [more]

In addition to being more and more involved in the Illinois FBI Infragard chapter, I've been a part of the Cyber Security Forum Initiative (you need to get vetted to join on LinkedIn). I've noticed their website has been down, recently. I wonder if the work this private group has accomplished on the Cyberwar front has garnered the attention of Big Brother??

Friday, July 17, 2009

Preparing for Black Hat 2009


The Black Hat USA 2009 conference begins in less than two weeks. I'm excited, but have a lot of preparation to do! I will be on a panel on Tuesday and at the executive briefings, and then I am on a panel Wednesday morning.

I'm planning on a long week, and since I'm staying the weekend, I'll have time to relax and enjoy myself. There are lots of interesting topics for Black Hat and DEFCON. If you're going to be there, drop me a line!

Thursday, June 25, 2009

Punishment Fitting The Crime

In the realm of computer security and ethics, it is important that criminals be punished as a deterrent to would-be-criminals everywhere. For example, if the SPAM KING goes to jail and pays millions of dollars in fines for filling our mail with junk mail, which he personally profited greatly from - that is reasonable.

In the news, we have two stories today. First, TJX (parent company of such chains as TJ Maxx) was fined $9.75 million for a huge breach of customer data. The Ukrainian hacker who masterminded the theft of 94 million credit card accounts from TJX has been sentenced to 30 years in jail. (Believe me, he is going to a Turkish prison for this crime and I can't imagine this will be a pleasant sentence. I think it makes our high-security prisons look like country clubs.) Eleven people who were involved have been convicted to date. Here is more, from SC Magazine:

TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.

Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations. In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for a number of data security initiatives, including researching the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs.


On the other hand, Jammie Thomas-Rasset, an unemployed, single mother from Minnesota, was fined $1.92M by a federal jury for reportedly downloading 24 songs. Is this proportionality? Is it at all befitting of the crime? These 24 songs could have been downloaded for $24.76 from iTunes - yet, she is attacked by the RIAA, and fined nearly two million dollars. No, I don't think we have our priorities straight in this country. We are wasting the time of the courts and attacking our citizens, when there are real crimes to be dealt with.

(I understand her first lawyer had to back out, citing $130,000 in unpaid legal bills for defending her against the RIAA in the first case, which was declared a mistrial due to incorrect instructions given to the jury by the judge.)

Here is what Ms. Thomas-Rasset got for $1.92M:

  • Guns N Roses "Welcome to the Jungle"; "November Rain"

  • Vanessa Williams "Save the Best for Last"

  • Janet Jackson "Let’s Wait Awhile"

  • Gloria Estefan "Here We Are"; "Coming Out of the Heart"; "Rhythm is Gonna Get You"

  • Goo Goo Dolls "Iris"

  • Journey "Faithfully"; "Don’t Stop Believing"

  • Sarah McLachlan "Possession"; "Building a Mystery"

  • Aerosmith "Cryin’"

  • Linkin Park "One Step Closer"

  • Def Leppard "Pour Some Sugar on Me"

  • Reba McEntire "One Honest Heart"

  • Bryan Adams "Somebody"

  • No Doubt "Bathwater"; "Hella Good"; "Different People"

  • Sheryl Crow "Run Baby Run"

  • Richard Marx "Now and Forever"

  • Destiny’s Child "Bills, Bills, Bills"

  • Green Day "Basket Case"


Well, I do love Journey, so I'll buy that is worth $160,000 for those two songs, but Reba McEntire?? Come on now!

Wednesday, June 10, 2009

Social Networking: Manageable With Good Enterprise Policy

The following article comes from Security Wire Daily:

A majority of attacks on the Internet depend upon the exploitation of human nature through the abuse of trust. It is human nature, for example, to feel comfortable with Web-based social networks that include our friends and family. We don't expect these people to be hosting anything on their pages that would "attack" us.

Likewise, most wikis are created by well-meaning people, typically subject matter experts, and we tend to trust experts. We don't expect a page full of useful information to contain anything that would be harmful. However, there is plenty of evidence that such Web pages are being used to distribute malware, almost always without the knowledge of the page owner or creator.

In November 2007, the MySpace profiles of Alicia Keys and a number of other recording artists were found to be serving up malicious code. McAfee Inc. also recently reported a malicious MySpace friend request which, when clicked, popped up an apparently legitimate "Automatic Update" window that, in fact, tries to download what McAfee described as a "malware cocktail" containing additional downloaders, several Trojans and a remote administration tool.

So, in addition to enterprise concerns over productivity losses to social networks and privacy issues arising from their use, particularly at work, there are now some direct security threats in play, including network compromise via infected pages. (To get a measure of just how much "drive-by" malware is being distributed by Web pages --including but not limited to social networks -- take a look at "The Ghost in the Browser" published last year by researchers at Google.)

Continued here...

Wednesday, May 27, 2009

The Insider Threat

Simon Potts wasn't happy with his job. He was what they call a 'disgruntled employee'. After ten years working for KPJ Industries as a loyal employee, he had rarely been recognized for doing a good job. He had been passed over for promotion, and this year he knew that his raise was smaller than other employees'. He was mad that co-workers were showing up late for work, taking on much less of a workload, and still getting a bigger raise than he was. He deserved more, but his boss had it out for him. Bob, the office manager, always seemed to resent Simon's ability, and Simon was sure he spoke ill of him to other managers. Simon realized this was a dead-end job, and his days were numbered. It was time for him to take what he deserved, and then quit. That would be satisfying, and when he sold the customer database to a competitor, it would teach them a lesson. At least, this was the rationale Simon used when he decided to steal a sensitive customer database, with credit card numbers, from KPJ Industries in November, 2008.

Simon Potts was viewed by his management as a nice guy, but they didn't feel he was motivated. He took on a lot of work, but had a hard time completing projects on time. So, when the new year came along, Simon was given a score of "meets requirements" in his performance review. His manager tried to explain how Simon could do better, but he felt that no matter what he said, Simon took it too personally. There were signs that Simon was a disgruntled employee, but the company had no training for managers on how to identify and deal with disgruntled employees.

On November 11th, 2008, Simon noticed his manager had gone to lunch and left his office unlocked. Simon had been planning this for some time, and finally worked up the nerve to walk into Bob's office. He closed the door behind him and quickly moved to Bob's desk. The computer was unlocked. The company security policy locked the screen after thirty minutes, so it was pretty common to find co-workers' computers unlocked over lunch. Simon inserted a USB thumb drive and installed a keystroke logger, KSL.exe. Now, everything that Bob typed would be emailed once a day to Simon. Simon was sure this would expose how his management talked about him behind his back. He would take Bob's passwords and gain access to the company CRM database, which contained sensitive customer information, such as credit card numbers, email and home addresses.

Simon returned to his desk, confident that he would quickly have what he wanted, and then he would remove the keystroke logger and quit. In the meantime, he spent his lunch using search engines to find prospective buyers for the database he hoped to acquire.

In the first day, Simon had Bob's passwords and he used this to log into Bob's email from his computer. He read through past mail, looking for some evidence that Bob really had a grudge against him. Maybe he would find evidence that he could use to sue the company, and make a few extra bucks. He didn't find anything, but got into the habit of reading Bob's email every day that week. Meanwhile, Simon found some people who were willing to pay several thousand dollars for the customer database. It was the day before Thanksgiving, and the company would be closed for four days. This was when Simon had planned to steal the database. He logged onto the CRM web interface and gave the command to save a copy of the entire database to his USB thumb drive. The job took 45 minutes, but he wasn't concerned, there was almost nobody left in the office that afternoon. He locked his desk, took the USB thumb drive and put on his jacket. With a smile on his face, he headed for the front door.

Simon thought he was clear and free as he reached for the door, but that is when the security guard stepped out and stopped him. Simon's mind raced; he was sure it was nothing. After all, he had deleted the KSL program from Bob's computer, and he doubted they had any evidence of wrongdoing. That's when the police showed up, with Bob and the HR manager. Simon realized this wasn't going to be a very good Thanksgiving holiday after all.

As it turns out, Simon's trickery had not gone unnoticed. The first sign that something was wrong was when Bob went into his email the day after Simon installed the keystroke logger. Usually, new mail was marked as unread, and for some reason, it was marked as read. In fact, for three days Bob noticed the same thing. Once in a while, during the day, he would see email come in as unread and before he had a chance to get to it, it would get marked as read. Bob called the help desk and they directed him to the company security team. It was clear that someone else was reading Bob's email, and they began a computer forensics investigation.

The computer forensics investigator started with what they knew: someone was reading Bob's email. They went to the email team and found that two computers at different IP addresses on the network were accessing his account at the same time. It was easy to see who the culprit was, however, it would not be wise to confront Simon at this time. In order to convict Simon, or just to prove Simon was really breaking security policies so he could be fired, they would need to be careful in gathering evidence. They would need to follow the company's process for computer forensics investigations. The most important thing in an investigation is to ensure that the evidence is properly gathered and not altered. In court, they might have to prove they did not tamper with log files.

The next step was to ask the network team to capture traffic from Simon's computer. They attached a logging device to the span port on the switch that Simon's computer was directly wired to. On Bob's computer, they made a cloned copy of his hard drive, using the computer forensics 'rig' that would ensure an exact copy was made. Bob's original hard drive and a copy were kept for the investigation, and another copy was placed in Bob's computer so he could continue working. A search showed that a keystroke logger had been installed, but was later removed. Simon did uninstall the program, but he forgot to clean up the system logs that showed what he had done, and when.

At night, after Simon went home, the investigator did something similar with the hard drive in his workstation. He made a cloned copy that later showed what Simon had been doing. The forensics investigation of Simon's hard drive clearly showed that he had been web surfing (through the company web proxy) and reading email using Bob's credentials. At this time, Simon had not stolen the customer data, and before leaving work each day, Simon cleared his browsing cache. The forensics software was able to find deleted files and show that Simon was not only reading Bob's email, but also shopping for a buyer for the customer database he planned to steal.

With strong evidence of wrongdoing, the computer forensics investigator worked with the database team to watch for a login from Bob's account. Simon did not have the authorization to dump the entire database, but Bob did. It was obvious that Simon wanted to not only steal the data, but frame Bob for the theft. When Simon logged on and started the download, that is when the HR manager called in the police. Everyone was waiting at the front door, for Simon to attempt to leave with the database. When the police found the USB thumb drive, they had the evidence they needed.

Simon was taken downtown, to the police headquarters, where he was interrogated. Simon thought he could blame it all on Bob. He tried to explain that he caught Bob stealing the data, and he was going to the HR manager with proof. When the police listed all the evidence the computer forensics investigation uncovered, Simon admitted what he had done and pleaded guilty.

If this case had been different, and gone undetected until Simon left with the data, the company could probably still have proven that he was the culprit, after the fact, but some of the data would have been missing and they would not have been directly logging his network traffic. Still, his sloppy actions got him noticed early on, and the company was able to protect their data and catch Simon in the act.

In a recent Computerworld survey (2/24/09), it was shown that 60% of US workers steal company data when they leave. Technical employees are more likely to commit sabotage than less technical employees, who typically try to steal data to leak or sell to competitors, in ways very similar to what Simon did. This emphasizes the importance of having authorization rules for who can access data, having good security logging and auditing those logs. Often, sensitive data must follow the protection guidelines of regulations, such as HIPAA, GLB, PCI or Sarbanes-Oxley. This case also shows the importance of having a well-defined computer security forensics process in place.
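The clue that opened the investigation above was the email team seeing Bob's account used from two IP addresses at the same time. The following is an added example, not from the post and not any product's code, of that audit check run over a constructed mail-access log (the log format, the usernames and the addresses are all made up for illustration):

```python
"""Flag a mailbox being used from two client addresses at the same time.

Added example, not from the blog post. The log format is constructed for
illustration: "<ISO-8601 timestamp> <user> <client_ip> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a mail-server access log (no real data). Bob's
# mailbox is touched from two workstations a few minutes apart; Alice
# changes machines hours apart, which is ordinary.
SAMPLE_LOG = """\
2008-11-12T08:02:11 bob 10.1.4.22 login
2008-11-12T08:02:15 bob 10.1.4.22 read
2008-11-12T08:05:40 bob 10.1.7.105 login
2008-11-12T08:05:44 bob 10.1.7.105 read
2008-11-12T08:06:02 bob 10.1.4.22 read
2008-11-12T09:15:30 alice 10.1.4.31 login
2008-11-12T09:16:00 alice 10.1.4.31 read
2008-11-12T13:40:10 alice 10.1.9.8 login
"""


def parse_log(text):
    """Return (timestamp, user, client_ip, action) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events


def concurrent_access(events, window=timedelta(minutes=30)):
    """Return one alert per (user, pair of addresses) where a second client
    address used the account within `window` of another address's most
    recent activity. Each alert is (user, earlier_ip, later_ip, timestamp)."""
    last_seen = defaultdict(dict)   # user -> {client_ip: time of last activity}
    reported = set()                # (user, frozenset of the two addresses)
    alerts = []
    for ts, user, ip, _action in sorted(events):
        for other_ip, other_ts in last_seen[user].items():
            key = (user, frozenset((other_ip, ip)))
            if other_ip != ip and ts - other_ts <= window and key not in reported:
                reported.add(key)
                alerts.append((user, other_ip, ip, ts))
        last_seen[user][ip] = ts
    return alerts


def find_alerts(text=SAMPLE_LOG, window_minutes=30):
    """Convenience wrapper: parse `text` and run the check with a window in minutes."""
    return concurrent_access(parse_log(text), timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for user, ip_a, ip_b, when in find_alerts():
        print(f"{when.isoformat()} {user}: active from {ip_a} and {ip_b} within the window")
```

An alert on its own is only a lead; as in the story, the follow-up is an evidence-preserving investigation, not a confrontation.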

Monday, April 27, 2009

RSA Conference 2009



I was just reading this article (LINK) about the 2009 RSA Conference, held in San Francisco last week. I haven't spoken to my friends, who organize the conference, yet (OFFICIAL SITE), but it seems that numbers were somewhat down as expected this week, due to the economy.

I spent the last week here, in Moline, at my desk. As it turns out, I have a huge number of projects going on that need me here, and so our new travel policy (not to travel) made sense to me. I was happy to stay here, keep working (and keep my job!) But, I must say, I was a bit nostalgic, since this would have been my 10th conference. I think having missed this year, 2010 will be even better. I can only hope that the economy improves and that this great venue for information security doesn't dry up and fade away! We probably can't ever have things the way they were five or ten years ago, but for many of us, this is the one chance we get to meet up with all of our friends, catch up and review what's new in the security industry.

Tuesday, March 24, 2009

Seminar on Brain Science, April 4th

There will be a seminar at Trinity Hospital at Terrace Park (4500 Utica Ridge Rd., Bettendorf, IA) on April 4th, 2009. The speakers will be Lynn Hudson and Denes V. Agoston, two research scientists. Lynn Hudson will speak on 'What Can Biomedical Research Do for You?' and Denes V. Agoston will speak on 'Regenerative Capacity of the Brain: Integrative Medicine and Traumatic Brain Injury.'

The event starts at 10AM, and is sponsored by the Bettendorf Public Schools.

Friday, March 13, 2009

Security & Privacy - In the Cloud

I am posting the slides from my Cloud Computing talk today. There is a slide show that you can view, and if you want my full deck you just have to email me or Tweet, with your version of PowerPoint or format choice.

I finished up the slides, and added the Larry Ellison audio last night at midnight, so I got to bed after 1am and then got about three hours of sleep before driving the 3 hours to Springfield (IL). This was for the Infragard conference on data protection (see below). We had about 160 people turn out, from all industry sectors. Including: police, federal, agriculture, banking, schools and colleges... Our keynote speaker was excellent (John Bace, of Gartner). We wrapped up around 4pm and I just got back from the return drive. I'm heading off for a nap, and may comment more later. For now, my eyes are bugging out from writing these slides up in one marathon session yesterday. I thought my talk went well, I hope you find the slides somewhat useful.

Click here for the slides. [2.8Mb - 2007 compatible]

Tuesday, March 3, 2009

FBI Infragard Conference, Springfield, March 13, 2009

Please think about attending the FBI Infragard Conference next week in Springfield, Illinois! The cost is ONLY $30 per person, and includes food throughout the day and a nice lunch. This is a great opportunity to hear some excellent security speakers and topical information that is current and helps you in your job.

The Cyber Defense and Recovery Conference:
“Keeping Secrets Safe: Protecting Your Data”


University of Illinois Springfield
Public Affairs Center
Studio Theater, First Floor
Springfield, IL 62703
Cost: $30.00 Start Time: 8:30AM
http://www.infragard-illinois.org/conference09.htm


Speakers include:
  • John Bace
    MScL, CCEP
    Vice President, Gartner’s Compliance & Risk Management Research

    "The Red Queen Corollary to Moore’s Law: How IT and Public Policy Can Coexist"

  • John Bambenek, "Locking Down Your Online Data: A Primer for Consumers"

  • Mike Bernico, "Working Safely and Remotely: Managing the Risk of Remote Access"

  • Adam Hansen, "Corporate Espionage & Counter Intelligence"

  • John D. Johnson, "Security and Privacy Issues in Cloud Computing"

  • SA Bob Kowalski, FBI, "Trends in Intelligence Collection against US Companies"

  • Sarah Migas, "Cyberbullying"

  • Gary Monnard, "Securing the Internet: Ethical Challenges for Telecommunications Companies and the Government"

  • Ken Pappas, "Proactively Protect Against Next Generation Network Threats - Meet Security & Compliancy Requirements and Keep Your Network Safe in a Down Economy"

  • Jeff Thompson, "My Network, Your Playground? Not If I Can Help It!"

Tuesday, February 24, 2009

QCESC Awards Ceremony



From the QCESC Awards Banquet on Friday. I am receiving the Sr. Scientist of the Year award from Pat Barnes, QCESC President. (2/20/2009)

Monday, February 23, 2009

Why Should I Use 2-Factor Authentication?

If you want to protect your sensitive data, and it's exposed to the Internet, you have to choose between multi-factor authentication (MFA) and a basic password. On your internal network you may have additional safeguards in place to keep the bad guys out, but when you have data exposed to the Internet, it should be protected. This means you protect it with tools like encryption when it is at rest, in transit and you strongly authenticate users when they access it. You really only want people who are authorized to be able to log on and see that stuff.

Single-factor authentication would include using a password or PIN to log onto a web application, or your Windows domain when you get to work in the morning, for example. For many users this is quite adequate. If someone steals your password and the worst they can do is screw up your data or see your email and this doesn't put your company at risk, then your company may do fine with a simple "90-day" policy for changing your password. Two-factor authentication would add another requirement in addition to your password or pin (something you know), such as a piece of hardware (something you have: a key fob or card) or a biometric (something you are: a fingerprint or iris scan). Traditionally, two-factor authentication is implemented by having both basic logon credentials (username/password) and a hardware token that generates a unique code every 60 seconds, that is somehow synchronized with a server on the other end. These two layers of security then are much more effective at only allowing the people you want to connect.

Do not fool yourself into thinking that adding a pin or a second password is really strong authentication. In that case, you are really just using two "things you know", and these can be captured by keystroke loggers if you type them into a kiosk at the airport that has been compromised. What you really want for MFA is more than one layer of authentication that relies on a different secure method of entry.
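A worked example of the time-synchronized token code described above and the server-side check behind it. This is an added example, not from the post and not any vendor's product: it follows the RFC 6238 TOTP construction (HOTP from RFC 4226 over a time counter), assumes a 60-second step to match the post's "every 60 seconds", uses a constructed shared secret, and refuses to accept a code a second time, which is what limits a keystroke logger that captures the code along with the password.

```python
"""Time-synchronized one-time codes for the second factor the post describes.

Added example, not from the blog post and not any vendor's token firmware.
It follows RFC 6238 TOTP (HOTP, RFC 4226, over a time counter) and assumes
a 60-second step to match the post; the shared secret used is constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed token period, per the post
DIGITS = 6


def hotp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """What the token displays: the HOTP code for the current time step.
    Token and server are 'synchronized' only by sharing the secret and
    agreeing on the clock; no message passes between them."""
    return hotp_code(secret, int(unix_time) // step, digits)


class TokenServer:
    """Server-side state for one enrolled token: the shared secret plus the
    last counter accepted, so a code captured by a keystroke logger cannot
    be replayed after the legitimate user has spent it."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps   # tolerate +/- this many steps of clock skew
        self.last_counter = -1

    def verify(self, submitted: str, unix_time: float) -> bool:
        """Accept the code for the current step or one step either side,
        but never a step at or before the last one accepted."""
        now_counter = int(unix_time) // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue   # already consumed or older: reject replays
            expected = hotp_code(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    secret = b"constructed-demo-secret-not-for-real-use"
    server = TokenServer(secret)
    now = time.time()
    code = totp_code(secret, now)             # what the fob would show right now
    print("code", code, "accepted:", server.verify(code, now))
    print("same code again:", server.verify(code, now + 5))   # replay is refused
```

The drift window is the "somehow synchronized" part: the server checks a step either side of its own clock, so a fob that has drifted by a few seconds still works, while a code more than one step old is dead.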

Two-factor authentication (TFA) is also important for non-repudiation. This means, if you have a good way of verifying that the person is who they say they are when you give them a key fob, then you have a high degree of confidence that transactions using TFA can be trusted.

Let’s face it, passwords suck. They are somewhat convenient, but unless they are overly complex (requiring you to write them down or keep them someplace electronically) and changed frequently (which leads again to forgetting them, and higher help desk costs), they are not a major hurdle for a motivated individual. One-factor authentication is, however, “what we’re stuck with” until we have some ubiquitous second factor easily added on, which means card readers, USB, biometric readers, etc. These have to be ubiquitous if we want a single solution for everybody. Otherwise, it is often prohibitively expensive for companies to bear the burden of deploying readers, and it is difficult to convince managers that people should carry a “second-factor”. But, passwords still suck.

[*Unless we are simply IT managers and not really security-minded professionals who want to really do something legitimate to keep out the bad guys, in which case pins and pictures and passwords are usually adequate to keep you out of jail. They don’t really protect your data well.]

I’ve done extensive research into what is out there, and (again, since there is no industry standard solution built-into all hardware) there is no one-size-fits-all solution. However, if your company has sensitive data they want to protect, regardless of what Uncle Sam is “making” you do, it should be protected better than simply with a basic password. Of course, this comes down to a risk analysis, and the cost of the solution has to be compared to the cost of exposing the data. Also, you need to look at how people use your solution. If they are going to write a pin on the back of a token and pass it around, or if your vetting process sucks, then the results will also be poor.

The online banking sites that use additional layers of “what you know” may do somewhat better than just having a simple password. By that, I mean if they don’t just use a second pin or password, and ask specific questions or use a complicated picture scheme like http://myvidoop.com, then for many casual attacks this is better than just a password. However, if you have a collaboration tool exposed to the Internet, and you allow 20,000 internal employees to access it, and it contains sensitive data, you have to expect that SOME of the employees will be coming from exploited computers with keystroke loggers and perhaps even screen capture trojans that will totally subvert these kinds of 1-factor solutions. Once they have access from ANY employee’s account, they may have the ability to view a LOT of compartmentalized data or sensitive conversations.

Giving someone a poorly vetted, or potentially exportable cert is also not a great solution, because to really have PKI in use you need to properly vet the certificate for each user and each machine for that user and it is unwieldy and expensive to deploy and manage.

Two-factor hardware and software tokens, or out-of-band solutions like SMS/call-back phone solutions are all good, but seldom will one solution fit well for all your use cases. Many people hate using hardware tokens. Not everyone has a phone, or may have reception, etc. when they need it – but, more and more people do have at least a personal cell phone and SMS is becoming much more reliable than it used to be in the US (it was good in Europe way before in the US). You can come up with a whole infrastructure, and provide people choices if you want, but that may be more expensive and harder to manage, while providing more flexibility and usability for the end-users.

What I am considering seriously as an intermediate offering is something that is more like “1-factor + controls”. You may consider evaluating the RSA "behavioral solution" which uses the same methodology they use with many banks to audit user activity and when it becomes more suspicious than some threshold you set, it will trigger some out of band confirmation that is strong, like an SMS message or so on. This behavioral software allows most users to just use one-factor, the password, but when it sees a user logging in from two different countries at the same time, logging on at times that are unusual for that user, etc. it will raise the authentication bar, so to speak. I am not sure if this will prove to be a good intermediate method, but I am hoping it will and won’t also prove to be too expensive.

I would personally love to just tell all our employees and partners to go out to Verisign and buy a $20 VIP card that will let them authenticate to a number of federated sites like eBay and PayPal. I suspect that people will routinely carry second-factor authenticators in the future, like a card or fob – unless something like reliable biometric readers, or card readers become ubiquitous from the hardware vendors. (Barring some mandate, I don’t see that happening.)

Other alternatives include telling your business owners that they can’t put anything sensitive on external facing sites, etc. If this is self-policed by the data-owner, it will probably not work well. I am seeing some companies moving to a DLP solution, but that can be darned expensive and it requires that you have a strict data classification policy. Another alternative is more passive, which is running eDiscovery tools to find sensitive data and then remove it from those sites. However, if removing all sensitive data is going to break your ability to collaborate or have transactions, you really need 2-factor authentication and a fairly good vetting method.

To be frank, while many companies require their suppliers and employees using remote access to use strong authentication of some sort, they aren’t good about enforcing a rule that sensitive data not be exposed to the Internet. In the case that the data is high profile, like PCI data or engineering drawings, the business is going to do a pretty good job about putting that behind existing 2-factor protected standard access solutions. Other stuff like speculative discussions, potentially sensitive data files, collaboration tools like SharePoint are much less policed and based on my experience with how compartmentalized data can be exploited from my years with the government, I suspect that this is fodder for the industrial spy, even though it may not be a blueprint or contract.

I “think” the behavioral monitoring tools might be a good intermediate solution, but I have more work to do before I will say that for certain. These other (picture/passphrase/etc) solutions are exploitable unless they incorporate properly vetted certificates or some kind of two-factor authentication. There is just no substitute for 2-factor, and there probably won’t be. That means you either roll-out new hardware (tokens/cards), or use an out-of-band solution that leverages already deployed hardware (like cell phones or company laptops) or force people to buy into a federated solution (i.e. Verisign). Even the behavioral tools are not a panacea, as they ratchet up to actual 2-factor when people are not acting in a pre-determined “normal” way. But, they may be seen as single-factor for a majority of users who always transact business the same way.

That’s my best take on the subject. If the customer data is not truly sensitive, and business owners prefer to use some method of obscuring the data with a proprietary schema and/or encryption, or some other method, that may also work for programmatic transactions. I've seen this done between data processing devices and backend (non-web) apps running on special ports, with no special level of authentication. But, I don’t see how this would work if individuals have to log onto a web app. The devil’s in the details.

Please, Put Down The Mustard...

It seems my old boss found a bit of notoriety, while visiting the Quad Cities this past week. [Article Link]

Jeff Botkin was the manager who hired me at John Deere ten years ago. He moved to Denver about a year later, and went to work as a security manager at AT&T. He stopped by to visit us at the office, and we had a few beers during his trip to visit family in the area a week ago. On his way home, he decided to take two 8-ounce jars of the world-famous Boetje's Mustard in his carry-on luggage. TSA screeners quickly sequestered him, and confiscated this "dangerous contraband". I suppose it only makes sense, when you consider how dangerous mustard can be. If he perhaps found a way to get the mustard through the steel-reinforced door protecting the cockpit, and into the eyes of the pilot and co-pilot, they may have been very irritated and this may have led to the luggage shifting in-flight.

Seriously, don't we all see that whether it's the faux security paraded about by TSA or the cover-your-ass responses that managers invent when responding to SOX audits, it is clear that people need to create and document "some" processes, regardless of their efficacy? During audits and reviews, the silly rules should be weeded out and caught, but they often aren't. TSA rules are a perfect example of rules that are simply there to serve as window dressing. They are rules that may not agree with your common sense, but they give the impression that important people are doing a lot to protect you, and thus they instill some false sense of confidence in the general flying public; in turn politicians get re-elected, budgets get passed at the taxpayer's expense, and very few of the rules actually do much to prevent terrorists from getting on planes. They mostly cause inconvenience and keep people from flying with nail clippers and mustard jars. The actual solution to keeping terrorists off planes is much more complex than you can fit on an airport placard, and it usually involves background checks and intelligence that are invisible to the public - but an invisible solution is no good, they need SOMETHING to prop up so people know their hard-earned tax dollars are going to good use - thus the STUPID, POINTLESS TSA rules that keep only the most inept and careless criminals off airplanes, and through their inconveniencing of us, the American travellers, they fulfil their purpose and allow us to fly from city to city, knowing that the guy next to us doesn't have explosives in his shoes, or really spicy mustard in his backpack.

Friday, February 20, 2009

The 47th Annual QCESC Engineers Week Banquet

Tonight is the 47th Annual QCESC Engineers Week Banquet (http://www.qcesc.org/banquet.htm) being held in conjunction with the Henry Farnum Dinner this year. We should have a couple hundred attendees for a talk on the completion of lock and dam 15 at Rock Island, on the Mississippi River. In addition, the Quad Cities Engineering and Science Council will be presenting Jr./Sr. Scientist and Engineer of the Year awards, a Lifetime Achievement award and student scholarships. QCESC is composed of a number of area engineering and science organizations, including the IEEE section that I was chair of last year.

If you decide to come at the last minute, we should have a couple extra places saved, and there may be snow tonight which will lead to some no-shows. Please DO COME if you have an interest. It will be a wonderful presentation, and the banquet is served by the Radisson in downtown Davenport. An excellent event, for only $40.

The award recipients already know who they are, and their biographies will be published in the brochure, so I'm not revealing too much prematurely to share that I've been selected as the Sr. Scientist of the Year. It is an honor to know that the community values engineering and science, and is willing to promote activities like this.

Wednesday, February 11, 2009

Teaching in 2009

Is it common for security professionals to have their (corporate) day job, and teach/write/speak in their spare time? I have my teaching schedule pretty well laid out for 2009. I will be teaching astronomy (16-week, 4 credit) in the Spring and Fall semesters for Scott Community College, and shorter Summer semester courses for SCC and St. Ambrose. The St. Ambrose course is 8 nights over 8 weeks, starting at the beginning of May, for 3 credits.

In addition, I am in discussions with a company in India to design two graduate security courses for an online university. The titles are "Information Security Challenges and Solutions (3 sem. cr.)" and "Information Security Governance (3 sem. cr.)". If the timeline and price are agreeable, I may start on those yet this month.

Besides teaching, I will be giving an hour-long talk at the "Springfield Infragard Conference" on March 13th, in Springfield, Illinois, on the topic of "Security, Privacy and Cloud Computing". (Yet to be written.) So, I should be kept pretty busy through the summer at least, which is a consolation since my company has decided to cut back on travel this year, and I won't be attending the 2009 RSA Conference in San Francisco. That's an excellent conference, and I will miss it, but I do plan on attending Black Hat Briefings in Las Vegas, in early August. I will be on a pre-conference panel, and I'll pay my own way if I have to.

Thursday, January 29, 2009

The Importance of Reputation
I was on a panel last summer, and I claimed that I felt the most significant impact of a data breach would be the harm it can potentially do to your brand. Working at a company with a very well established brand name, it is important to avoid anything that will degrade it. Loss of brand is somewhat an intangible, but can mean a loss of market share and a loss of consumer confidence. It's hard to think of a business where data loss or a security incident made public wouldn't have some effect. This graphic from Ernst & Young seems to underscore that.

You might take liberties with the well-known poem and say, "If you can keep your reputation, whilst those around you are losing theirs..." Reputation is something that stays with you, regardless of how the economy goes or some business cycle. It is tied closely to integrity and can be much harder to regain than to lose!