Archive for July, 2008

31 Jul 08

CISO – the ultimate in CYA……….

Here is an interesting article in CSO.  Do CISOs need to have liability protection???

In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.

It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.

“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.”

For that reason, he believes security professionals would be wise to cover themselves with some form of legal protection, whether it’s liability insurance or language in their contract that clearly places full responsibility for security decisions with the CEO.

But is liability protection appropriate for everyone? Some industry experts aren’t so sure.

One big downside to the concept of liability protection is that it could end up shielding those who deserve to be on the hot seat. Rick Lawhorn, CISO for PLANIT Technology Group LLC – a technology service company whose clients range from commercial enterprises to state and local governments – says that some arrangements simply make it easier for IT personnel to save face following an incident or keep the wraps on the real state of insecurity in their organization.

It’s a sad state of affairs that it’s come to this.

http://www.csoonline.com/article/440108/Data_Breach_Fallout_Do_CISOs_Need_Legal_Protection_?page=2

30 Jul 08

Here’s another PCI post that misses the point………..

Here’s another PCI-DSS post that completely misses the point:

Corporate America has been battered by ineffective information security for a long time, with untold billions of dollars in collective losses through the years. Sites that tracked defaced Web pages stopped listing them when they became too numerous to enumerate. Similarly, data breaches are now so common that even large breaches barely make the news.

To the rescue comes PCI-DSS — perhaps the most effective security standard created to date. PCI is a welcome and timely standard, beneficial to consumers and merchants. Yet far too many people have derided PCI rather than defending it, pointing to a few of its shortcomings instead of focusing on its many benefits. Rather than embracing PCI as a catalyst for security change, people are caught in an information security version of Stockholm syndrome and long for the good old days before standards and regulations.

Stockholm syndrome, for those who have forgotten the 1970s (or aren’t Blink-182 fans), is a psychological response sometimes seen in an abducted hostage, in which the hostage shows signs of loyalty to the hostage-taker, regardless of the danger in which the hostage has been placed. Stockholm syndrome is also sometimes discussed in reference to other situations with similar dynamics, such as battered person syndrome, rape cases, child abuse cases and bride kidnapping.

People point to the Hannaford Bros. breach and say, Aha! PCI does not work. Even David Hogan, CIO of the National Retail Federation, has missed the point. In a letter to Bob Russo, president of the PCI Security Standards Council, Hogan wrote that “PCI, which has been in existence in one form or another for several years, was supposed to prevent such crimes. It is a valiant attempt to prevent large stockpiles of credit card data from getting into the wrong hands. However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks.”

Hogan’s mistake is in thinking that PCI could somehow prevent every data breach. PCI can’t prevent every data breach, just as laws against cocaine are powerless to prevent the import of every kilo of cocaine. Even so, it does not mean that these laws should be abandoned.

Likewise, Hogan is correct in his observation that PCI can’t keep pace with the dynamic nature of the industry. The fact that Kaspersky Lab’s antivirus software updates itself every hour shows just how fast change comes. But the fact that PCI can’t stop every breach, or that a compliant company may later be breached, does not mean that the standard should be abandoned. The state of information security at tens of thousands of merchants is nothing less than abysmal. Far too many people are victims of this information-security Stockholm syndrome and need to stop finding fault in the minutiae of PCI.

That is not to say that PCI can’t be improved upon. In a Computerworld interview with Bob Russo, he is forced to defend against complaints that the PCI standard is too prescriptive. Yet this same cabal screamed that Sarbanes-Oxley was not prescriptive enough. Russo is dead-on accurate when he notes that “if you open the standard up and show it to any security guy and they don’t know it’s PCI, [they would tell] there isn’t anything there that you shouldn’t be doing for security. There are no new concepts, there is nothing strange; we are not making you jump through hoops. These are things you should be doing as best practices.”

PCI is good security, and the PCI-DSS practices are good security practices. PCI has come to rescue those suffering from information-security Stockholm syndrome. PCI is good security for everyone. Embrace it, defend it, and improve it.

As usual, Rothke misses the point that PCI is useless without enforcement.  The card brands are the enforcers, and they don’t do a thing unless it’s in their best interest – i.e. to protect themselves from liability.

25 Jul 08

I don’t care………..

Least Competent Criminals

Not Ready for Prime Time: According to police in Canton, Mich., Joseph Webster, 54, walked into a Comerica bank in June, gave the teller a robbery note and claimed he had a bomb strapped to his body. A nearby customer overheard, pulled out his licensed 9 mm handgun and told Webster: “You are not robbing this bank.” Webster insisted: “But I have a bomb.” The customer: “I don’t care.” Webster then quietly sat down in a chair, where he remained until police arrived. [WXYZ-TV (Detroit), 6-17-08]

From “News of the Weird”

24 Jul 08

WTF??…….and what was the staff at the City of SF doing?

WTF??

Secret room

On Monday, when Childs supplied three user names and an access code to Newsom, officials learned they could use them to get onto the system only at a computer in a room at the Hall of Justice that even police technology experts were unaware of.

Investigators say they are still worried about the modems hidden away in locked filing cabinets in public buildings around the city. Maupin told prosecutors that city officials estimate there are 1,100 such modems. Childs could still gain access to the network through any of them and create more mischief, prosecutors say.

In arguing that his bail not be lowered, prosecutors said a search of Childs’ Pittsburg home turned up a co-worker’s identification. They said they fear he could impersonate other employees to obtain access to the network.

They also said he had $10,000 cash on him when he was arrested, supporting their fear he would be a flight risk if released.

Childs’ attorney maintains Childs is being scapegoated by incompetent officials resentful of his abilities in computer network management. The modems he installed in locked cabinets, she said in a bail reduction motion, were for the “sole purpose of maintaining the system.”

Some of the protections, she said, were put in place after Childs concluded that a colleague inadvertently infected the city’s network with a virus two years ago. It was Childs who put up the firewalls, with management approval, she said.

And, pray tell, what were his BOSSES doing all this time?  Sounds like they let their network admin run AMOK.  This is the craziest thing I’ve ever heard.  Wack Wack Wack

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/23/BANU11TS7I.DTL

24 Jul 08

And who comes out ahead??

The BJ’s Wholesale data theft fiasco is still in the federal court mill:

Bank Back On Hook For Data Theft At BJ’s Wholesale

An appeals court reversed a lower court ruling absolving Fifth Third Bancorp from paying damages associated with replacing credit cards.

A federal appeals court last week reversed a lower court’s order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ’s Wholesale Club. In its ruling, the United States Court of Appeals upheld a challenge to the lower court’s decision brought by the Pennsylvania State Employees Credit Union.

Fifth Third provided credit card processing services to BJ’s. In its initial complaint, PSECU argued that Fifth Third bore some liability for the data breach because it failed to properly train the retailer’s staff in proper security procedures.  The breach led to the pilfering of the names and credit card numbers of thousands of BJ’s Wholesale customers and led to millions of dollars in theft-related losses.

PSECU, which issues Visa credit cards to its members, said it was forced to spend $100,000 canceling and reissuing more than 235,000 cards after the breach, and sought damages against Fifth Third. However, a U.S. District Court judge in Pennsylvania dismissed the claim two years ago.

Last week, the U.S. Court of Appeals judge reinstated the claim and ordered the matter returned to the district court. Several claims that PSECU filed against BJ’s Wholesale Club were dismissed previously, but several matters related to the case remain pending in court.

At one point, the case involved IBM (NYSE: IBM). BJ’s Wholesale sought to recover some of its losses from the computing giant, claiming that when it upgraded card-processing software, it told IBM to deactivate a feature that retains magnetic stripe data so that a transaction can be processed offline. It’s that data that was hacked.

IBM was dismissed from the case in October 2005, court records show.
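The retained stripe data in the article above is exactly what a PCI DSS review hunts for: full Track 2 contents (PAN, expiry, service code and discretionary data) may not be kept after authorization, however convenient an offline-processing buffer is. The scanner below is an added example, not code from the original page or from any party in the BJ’s case. It finds Track 2 blobs and bare card numbers in text records such as log lines or database dumps, confirms each candidate with the Luhn check so order numbers and timestamps are not reported, and masks what it does report. The sample records are constructed and use the well-known test PAN 4111 1111 1111 1111, not real account data.

```python
"""Scan text records for retained magnetic-stripe (Track 2) data and bare
card numbers. Added example for this page; not code from BJ's Wholesale,
IBM, Fifth Third or the PCI Security Standards Council. All sample input
below is constructed and uses the well-known test PAN 4111111111111111."""
import re
from typing import Dict, List

# Track 2 as encoded on the stripe (ISO/IEC 7813): ';' start sentinel, PAN of
# 13-19 digits, '=' field separator, expiry YYMM, optional 3-digit service
# code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})?(\d*)\?")

# A bare PAN: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that are not card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits visible, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> List[Dict[str, str]]:
    """Findings for one record: Track 2 blobs first, then stray PANs."""
    findings: List[Dict[str, str]] = []
    spans = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": mask_pan(pan),
                             "expiry": m.group(2)})
            spans.append(m.span())
    for m in PAN_RE.finditer(text):
        # Digits inside an already-reported Track 2 blob are not a second finding.
        if any(s <= m.start() < e for s, e in spans):
            continue
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan)})
    return findings


def scan_records(records: List[str]) -> Dict[int, List[Dict[str, str]]]:
    """Map record index -> findings, for the records that have any."""
    result: Dict[int, List[Dict[str, str]]] = {}
    for i, rec in enumerate(records):
        found = scan_record(rec)
        if found:
            result[i] = found
    return result


# Constructed sample records (not real data):
SAMPLE_RECORDS = [
    # an offline-authorization buffer that kept the whole stripe
    "txn=000123 store=17 data=;4111111111111111=09121011234567890?",
    # a PAN written to an application log, grouped with spaces
    "2004-03-10 auth ok card=4111 1111 1111 1111 amt=42.10",
    # a 16-digit order number: fails Luhn, must not be reported
    "order=1234567890123456 customer=jdoe",
    "heartbeat ok",
]

if __name__ == "__main__":
    for idx, found in scan_records(SAMPLE_RECORDS).items():
        for f in found:
            print(f"record {idx}: {f}")
```

Run it over exported tables, transaction logs and core dumps from the payment path; a Track 2 hit anywhere outside the live authorization message is a finding in its own right, independent of whether the PAN is also stored elsewhere. The Luhn filter keeps the false-positive rate down but is not proof of a card number, so review hits by hand before reporting.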

Everyone tries to blame everyone else, lawyers make tons of $$$, the court system gets bogged down, and the rights and welfare of the consumer, AS USUAL, are the least of anyone’s worries.

21 Jul 08

San Francisco FiberWAN hijacker gives it up……….

Well – at $5 million bond, the guy FINALLY decided to play ball with the city………

Former IT administrator says he’s ready to give the keys back to the city

JULY 18, 2008 | Terry Childs, the former IT administrator accused of kidnapping the city of San Francisco’s data network, is ready to give up the administrative passwords to the system, his attorney said yesterday.

Childs is accused of changing all of the city’s network passwords so that only he could access the network, which contains email, payroll, law enforcement, and inmate booking files, apps and data. (See San Fran Insider Threat Gone Wild.)

According to a report in Wired, Childs pleaded not guilty yesterday to four felony counts of denying access to the city’s network and of producing an unauthorized access device to control the government’s network remotely.

Childs is being held on $5 million bail, as the authorities fear he could unleash a wave of attacks on the FiberWAN system he built for the city. Security officials said the hijacking could have been avoided had the city undertaken proper security measures, such as limiting administrative rights given to IT staffers.

Childs’ attorney, Erin Crane, said that the ordeal is a “misunderstanding,” according to the report. “As the case unfolds, you’ll see that,” Crane said. “He’s been willing to hand over the passwords since Tuesday.”

Crane said “we have negotiations underway” with prosecutors, but she refused to provide details. She said Childs worked under a “hostile environment” at the city’s Department of Technology Information Services, but declined to elaborate.

All’s well that ends well, I guess.  I hope the city has WISED UP………..

http://www.darkreading.com/document.asp?doc_id=159440&f_src=drdaily

18 Jul 08

DBA locked up……….for stealing data

Seems like this is the week to talk about IT staff getting locked up.  As a former DBA, this guy sounds pretty dumb to me; a good DBA REALLY KNOWS how to cover their tracks.

William Sullivan, a former database administrator at Fidelity National Information Services Inc., was sentenced to 57 months imprisonment and ordered to pay $3.2 million in restitution for his role in the theft of data from Certegy.

Sullivan pleaded guilty to conspiracy and fraud in the case in November. U.S. District Judge Steven Merryday issued the sentence, a release from U.S. Attorney Robert O’Neill said.

According to court documents, Sullivan exceeded his authorized computer access to unlawfully steal the consumer information of 8.4 million people from all 50 states, the Virgin Islands, the District of Columbia, Puerto Rico and various foreign countries.

The information stolen included names and addresses, and for 5.3 million people it included either bank account information or credit and debit card information, and sometimes both, the release said. The data was resold from 2002 through 2007 for more than $580,000, primarily to telemarketers.

Fidelity National Information Services (NYSE: FIS), a Jacksonville firm that bought St. Petersburg-based Certegy in 2006, has seen no evidence of the stolen information being used for anything other than marketing purposes, according to a May 9 filing with the Securities and Exchange Commission.

However, several class action lawsuits seeking monetary damage were filed against Fidelity and were settled in January with the court approving the settlement in March, the filing said. Final approval of the settlement is expected to occur in the third quarter.

http://tampabay.bizjournals.com/tampabay/stories/2008/07/07/daily59.html 

16 Jul 08

Locked up………..but not locked out…………

Interesting what IT people can get going for themselves when they are pi$$ed:

Right now, San Francisco computer experts are frantically trying to crack an exclusive administrative password of one of their former computer engineers who’s sitting in jail for basically holding the city’s new multimillion-dollar network hostage.

Terry Childs, 43, is cooling his heels in the slammer on charges of computer tampering for configuring sole admin control of the city’s new FiberWAN network so that no other IT officials can have administrative rights to the network, which contains email, payroll, law enforcement, and inmate booking files, apps and data, according to a published report.

Childs apparently gave some passwords to police that didn’t work, and refused to give up his magic credentials when they threatened to arrest him. Seems he set up the password lockout to ensure he didn’t get fired after he was cited for poor performance on the job.

Now the report doesn’t contain all the technical details of how Childs pulled this off (and why no one can reverse it), but it does send chills down your spine when you think of a disgruntled IT guy effectively swallowing the key to the network and willing to go to jail for it. He got even, and he apparently thinks blackmail will get him out of trouble. Or maybe he’s willing to throw it all away just to make his point. Who knows.

His actions could cost the city millions of dollars when all is said and done, but an even bigger fear is that he may have set up a logic bomb of sorts to destroy sensitive documents, or may even have an accomplice finishing off his dirty work. No sign of that so far, but the guy did set up a monitoring tool to track what other administrators were doing or saying about his personnel case, according to the report.

But officials say the network so far has been humming along just fine without admin access by the city. Kind of like a train without a conductor, but hey, it’s moving along, right? Besides being a nerve-wracking race to regain control of the network, it’s also a terribly embarrassing breach of the city’s network and systems.

 Sounds like the city of San Francisco didn’t think things all the way through when they let ONE GUY control their admin passwords.  How dumb is this???????????

http://www.darkreading.com/blog.asp?blog_sectionid=342&f_src=drdaily

14 Jul 08

KBR Whistleblower……….$200 million windfall……….

This article in the Houston Chronicle last week really torqued me:

WASHINGTON — The Pentagon’s oversight of Houston-based KBR’s work in Iraq and Afghanistan has been “irregular and highly out of the ordinary,” a former Army contracting official told Senate Democrats Wednesday.

Charles Smith, the former chief of the Army Field Support Command with responsibility for overseeing KBR’s massive contract with the Army, contends he was forced out of his job in 2004 for objecting to the Pentagon’s treatment of KBR.

“The interest of a corporation, KBR, not the interests of American soldiers or American taxpayers, seemed to be paramount,” Smith told the Democratic Policy Committee, a Democrats-only panel.

Dan Carlson, a spokesman for the Army Sustainment Command, acknowledged that Smith was reassigned within the command. Smith later retired.

Carlson said Smith’s allegations are “under investigation by appropriate authorities within the Army.”

KBR, the largest military contractor operating in Iraq, builds bases, serves meals and provides a host of other support services for U.S. troops. To date, the company has been paid nearly $26 billion for its work under the contract, Army officials say.

During his tenure, Smith said, he saw KBR submit more than $1 billion in billings to the government that lacked the necessary documentation to merit reimbursement.

KBR had come under particular criticism for its bills for providing meals at base dining halls. The Pentagon’s own auditors, the Defense Contract Audit Agency, objected to $200 million worth of billings, Smith said. But rather than pursue the issue, the Army agreed to change the contract, effectively barring the government from going after that money.

“It was at least a $200 million relief for KBR,” Smith said.

KBR spokeswoman Heather Browne, in a prepared statement, said the company “remains committed to providing high-quality service to our customer and conducting our business with ethics and integrity.

“The company in no way condones or tolerates anything to the contrary. When questions have been raised about our work, we have fully cooperated with the government in providing information requested of us. We remain committed to finding quick resolution to issues when they arise.”

Smith argued that rather than tighten control over the contract when billing issues arose, Army officials waived rules that would have allowed the government to withhold 15 percent of expected reimbursements until KBR provided the necessary documentation.

Sen. Byron Dorgan, D-N.D., Democratic Policy Committee chairman, noted what he called “a concerted effort in the Pentagon to award huge contracts to certain companies and to protect it at all costs.”

Smith said the Pentagon essentially “outsourced” oversight of the contract to a firm called RCI, later acquired by Virginia-based Serco.

Serco spokesman Steve McCarney said the firm does not oversee any contractor.

“We simply provide independent economic cost analysis to our client, which is the U.S. Army,” McCarney said.

Carlson, the Army Sustainment Command spokesman, pointed to improvements in recent years, including deploying contracting officers overseas, establishing a requirement review process and improving contractor business systems to better meet the standards of the Defense Contract Audit Agency.

Underlying discussion of KBR’s treatment by the Army was apparent concern among at least some at the Pentagon that the company would, if pushed too far, withdraw from Iraq. That would have dealt a huge blow to a war effort heavily dependent on the work of private contractors.

Smith discounted that notion, saying KBR would not risk its corporate reputation — and its business as a military contractor — by deserting the troops in the field.

After the hearing, Smith said that while he oversaw KBR’s contract, he occasionally heard from midlevel KBR officials complaining about cash flow and warning that the company might fail to complete tasks assigned under the contract. These calls, however, invariably were followed by assurances from higher-level managers of the company’s commitment to the contract, Smith said.

Four years later Congress is FINALLY looking into it.  And while VP Cheney supposedly severed ties with KBR/Halliburton in 2000, I just can’t help but believe that they have plenty of other “get out of jail free” cards within the current administration.  And, just the idea that an American contractor would hold the Pentagon hostage by threats of withdrawal just turns my stomach.  Although, I’m betting that they had no idea what they were getting into when they signed up for the “Mess O’Potamia.” (Thanks to Jon Stewart and The Daily Show for coming up with that phrase!!)

http://www.chron.com/disp/story.mpl/front/5880185.html

11 Jul 08

IIIIIRRRRRRROOOOOONNN Chef!! (Not)

I wish I could see this:

Two ‘Iron Hackers’ will have one hour to find as many vulnerabilities in a piece of mystery code as possible at Black Hat USA next month.

For the second year in a row, Fortify Software is hosting its own version of the wildly popular Food Network show “Iron Chef,” pitting fuzzing techniques against static-code analysis in the Iron Chef-style hacking contest. (See Hacking, Iron Chef Style.)

The two hackers who will face off in Vulnerability Stadium on Aug. 6 are Charlie Miller, principal analyst at Independent Security Evaluators, who will use fuzzing techniques to find vulnerabilities in the code; and Sean Fay, lead engineer for source code analysis at Fortify, who will show his stuff with static-code analysis techniques.

Miller was recruited for the hacking battle after nearly stealing the show last year. “Last year, this epic battle taking place wasn’t the battle we thought it was going to be — it ended up being a battle between Iron Chef [session] and the session next door, with the iPhone vulnerability [found by] Charlie Miller. So we had to get some resolution this year,” quips Brian Chess, chief scientist at Fortify Software. “This year, Charlie Miller is taking up the cause of fuzzing.”

Chess is keeping details about the open source code — the “secret ingredient” — close to the vest, but he did say it would be something that Miller would be comfortable with. “But we won’t be handing out iPhones,” Chess says.

One thing Fortify learned from last year’s competition was that actual exploits are more palatable to the security-celebrity judges and audience than theoretical vulnerability finds. “Showing something exploitable goes a long way to impressing people. They had their theoretical results, but what ended up carrying it were the exploits of some simpler stuff,” Chess says of last year’s contest. “Even if it’s not as wild as the theoretical stuff,” the judges were hungry for actionable exploits, he says.

The contestants bring their own machines and tools for the contest, and they don’t see the code until the contest begins. The audience is also able to compete simultaneously, and Chess and Jacob West, who heads up Fortify’s Security Research Group, will serve as emcees and provide live commentary and presentations on the techniques the Iron Hackers are deploying.

“It isn’t just one presentation… there are three or four going on,” Chess says.

“It’s controlled chaos,” West says.

And Iron Chef audience members who get the most vulnerabilities get a free dinner at one of Vegas’s hot new restaurants. Just don’t tell Miller or Fay: “Nothing but glory for the guys up on stage,” Chess says.

Fortify is also sponsoring another hacking competition during the week that could win you an iPhone. “We’re going to put up a Web app that will be vulnerable in a couple of ways we know about, and probably a couple we don’t know about,” Chess says. “The iPhone goes to whoever finds the most vulns in the application.”

Awesome – I hope it makes YouTube.

http://www.darkreading.com/document.asp?doc_id=158356&f_src=drweekly