Friday, June 28, 2013

Government Officials using secret email accounts


Earlier this month the Associated Press reported that several high-level political appointees in the Obama administration are using secret email addresses for official business.  One can assume that if this is a fact, it's being done to keep less persistent people from tying the person to an issue.

Federal Computer Week alleges that the former administrator of the Environmental Protection Agency, Lisa Jackson, was discovered using an email account under the name of Richard Windsor in 2012.  In addition, they allege that Kathleen Sebelius (Health and Human Services Secretary) used a secret government account for correspondence.  According to a Fox News report Sebelius admitted she has two accounts, one for private email and one for public email.  She explains that "27-28,000 come into the public email, about 400 come into the private email.  It's just a management issue.  I can't possibly answer or screen all of them, and I want people to get timely answers".

What is the media doing to us?  Secretary Sebelius' explanation is reasonable.  Why does the media feel that it's their obligation to drag people through the mud without giving them a chance to explain?!!   The Fox News report states that the practice of having multiple email accounts has been standard operating practice for years.  That seems reasonable to me.

The Fox News report stated, "The Interior Department gave the AP a list of about 100 government email addresses for political appointees who work there but none for the interior secretary at the time, Ken Salazar, who has since resigned. Spokeswoman Jessica Kershaw said Salazar maintained only one email address while serving as secretary, but she would not disclose it. She said the AP should ask for it under the Freedom of Information Act, which would take months longer."  

I am tired of the lack of unity in this country.  The problem is that one bad fish gives the impression that the entire load is contaminated.  Maybe they are.  Society has changed since I was a kid.  My memories are of a time when the President was revered by all and politicians weren't looking out for their own best interests.  Our freedom of speech is a wonderful right, however, some people use that freedom to openly exercise their right to be hateful (Westboro Baptist Church, Ku Klux Klan and even groups that demonstrate in our country against its own citizens).  The news media spin the news and even ridicule people to move them from one side to another.  We're living in angry times.  It's time for everyone to stop thinking so hard about themselves and think about how their actions impact the good of the country.  It's time to re-introduce a campaign to strengthen the country and our personal principles.


Thursday, May 30, 2013

Password Security


Most people know the importance of creating a unique password for each website the user logs into.  Following that "rule" is important.  Many people also understand that the password should be complex.  The article in Ars Technica this week demonstrates that a hacker who gets access to hashed passcodes can decipher the passwords, even the hardest ones, in a short time.

Many sources prescribe that a "good password" contains several ingredients:
  •    The password should be no shorter than 8 characters long.
  •    The password should have UPPER CASE, lower case, numbers and special characters.
  •    The password should NOT contain a word from the dictionary (any language).
  •    The password should be composed of a passcode.

The Ars Technica article suggests that a good password cracker can defeat even a very complicated password hash, sometimes in a matter of a few hours.  According to the article, password expert Jeremi Gosney (Stricture Consulting Group) used a single computer with an AMD Radeon 7970 graphics card to successfully crack 90 percent of the 14,734 password hashes provided to him in 20 hours.  The least successful expert cracked 62 percent of the hashes -- in one hour.

What are users to do?  Creating a good password simply isn't enough.  It is the only thing a user has power over, however.  A website owner has a great responsibility to securely store account information.  This includes on the server as well as on backup tapes, on paper, etc.  Users have no control over how securely this information is stored.  It's important to recognize that there are limits to what users can control.  Given the lack of complete control, I have a few suggestions:
  1. NEVER store credit card information on a merchant website.  Many merchant sites allow the user to save credit card information.  Just say "no".
  2. Maintain the practice of using a complex password.
  3. NEVER re-use a password on two merchant websites.
  4. If the merchant website requires you to save your credit card data on their website, use a re-loadable credit card.
  5. Use a password manager to create a password for you.  Store the password securely.
It's a cruel world out there.  Protect yourself!


Wednesday, December 26, 2012

NIST glossary

NIST Updates their IT Security Glossary


The National Institute of Standards and Technology recently updated their glossary in Interagency Report 7298.  The report is great: not only does the document provide a definition of the term, it also provides the source of the term.

A few terms I hadn't seen previously include "No-Lone Zone (NLZ)", which is a term that defines an "area, room or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other."  The term has to do with information assurance and protection of data.  In an NLZ, two authorized individuals act as a check and balance system to protect the integrity of data by verifying that tasks are completed appropriately and all safety requirements are met.  Each person verifies that the other completed the tasks as ordered.

This document may be a great way for people new to the IT Security area to find out what a term means; the individual can then refer to the source document to get additional details.  The source document is CNSSI-4009.  I googled CNSSI-4009 and found references to CNSS.gov.  CNSS is the Committee on National Security Systems.  CNSSI-4009 is the National Information Assurance Glossary that was last revised in April of 2010.  The information in this glossary was exactly what was posted in the NIST glossary.  I did a little more research and found this image (source:  http://commons.wikimedia.org/wiki/File:No_lone_zone.jpg)
A little more research provided me with a Wikipedia article that told me that the Two-Man rule was used for the protection of nuclear weapons (as in the Minuteman Missile sites where two people were required to launch a nuclear weapon) and to protect COMSEC materials and manuals.

I bookmarked this website.  This is a nice reference when looking for information or even to learn about something new.

Monday, October 29, 2012

The time has come...

SC Magazine is leading with the story

Monster breach hits South Carolina taxpayers.

Unfortunately this shouldn't come as a surprise to anyone anymore.  According to the report, in early September "unknown hackers 'probed' agency systems, and sometime in the middle of the month, they were able to access the data that was stolen".   Details related to the breach were limited to the comment that it was tied to a "server issue" by South Carolina Department of Revenue spokesperson Samantha Cheek.

Folks, the breaches aren't stopping.  We have insecure wireless networks, servers, code and sloppy employees out there.  We've got journalists and CEOs pushing BYOD (bring your own device) and cloud technologies.  The "cool kids" are all over implementing these new ideas.  It's likely we still have folks with unencrypted tapes and computers sitting in their vehicles.  Wake up folks!  We are not ready to bring our own devices!  It's clear that the criminals are more persistent than the industry. 

Something has got to change.

Can we MAKE programmers write more secure code?  Secure the networks?  Quit buying equipment from foreign companies who insert backdoors and insecure code?  How about that cloud?  Is your information hosted in a country where privacy laws allow them to access the data you think is secure?

Social security data is the basis for critical functions for Americans.  Our social security number is the identifying number that is used to store our credit score, social security eligibility, health records (in many cases), tax records, as well as a host of other important data. 

What can we do to protect ourselves?!!  Clearly consumers cannot secure the data center or the programming running systems.  We can freeze our consumer credit (Equifax, TransUnion and Experian), stop using credit or isolate ourselves from society by living in a cave.  It's a lot of trouble to freeze your credit if you want to buy anything.  Most people couldn't live without some type of credit and living in a cave is not going to work for most folks.

Obviously the solution is to ensure equipment, software and people do the right thing for existing and future equipment.  The other solution is to increase the scrutiny used when approving loans, credit cards or anything else used to modify or use information tied to social security numbers and associated personal information. 

Do you hear me, Dell?  Don't send a TV out when some yahoo opens up a credit card and buys a $5,000 TV without scrutinizing the request.  Put additional checks and balances into the equation.  Weeks later you find out that the television went to someone other than the person it was billed to.  The system ain't workin'.

I'm still a paranoid consumer and I hope you are too.  I want to see more scrutiny out there folks! 

Friday, October 26, 2012

Tampering with PIN pads

It was reported this week that the PIN pads at Barnes & Noble were replaced with skimming devices in 63 stores.  These external skimming devices were unwittingly used by customers whose credit card numbers were compromised and in some cases used. 

Many consumers are aware of security breaches such as the T. J. Maxx/Marshalls incident in 2005, when customer data was intercepted through poorly secured wireless access points.  Another is the 2006 breach in which social security numbers and other sensitive information were lost when a laptop holding a Veterans Affairs database was stolen from an analyst's home.  In 2011, 77 million Sony PlayStation accounts were hacked.  The list certainly doesn't stop there.

How do we protect ourselves?  Consumers often have no role in the security of their information.  Consumers are often the victims of the reckless or careless actions of others.  I have a few suggestions:

Protect your computer.  Install and maintain a virus protection suite that includes malware protection.  Ensure your computer has up-to-date patches for all software on the computer, including the operating system (Windows, Mac OS, etc.).  Back up important files to a separate USB thumb drive or external hard drive.  Provide physical protection for that drive.

Minimize the amount of information you provide online retailers.  Do not set up accounts where your credit card data is saved on the retailer's server.

Protect your passwords.  It's important that you create a unique password for each account you use.  Consider using a password safe where you can store your passwords electronically in an encrypted file on your computer.

Consider using a separate credit card for online purchases.  Many people have a credit card with a nice credit limit that they use for most purchases.  If that card is compromised the credit limit might allow a thief to rack up lots of charges.  Transferring funds to a separate card to cover expenses will lower the potential amount of hassle.  Several retailers offer reloadable cards that can be used for online purchases to limit your exposure.

Ask the cashier to swipe your card.  The Barnes & Noble breach was limited to the customer PIN pad.  Hand your card to the cashier and ask him or her to swipe your card. 

Know where to go if the worst happens.  Visit OnGuardOnline.gov to learn how best to respond if you become a victim.

Stay safe out there!


Tuesday, September 18, 2012

Most people over the age of 20 may remember the show, The Weakest Link.  In information security, the weakest link is the human link.  Firewalls, encryption, passwords and other security measures cannot stand up to the breaches made by people.

Some people have an attitude that the information they're responsible for isn't that important so they treat it casually, leaving passwords out in the open or putting sensitive information in the trash can.  Social networking sites such as Facebook are another place where employees can easily post confidential information such as drawings, schedules or information about people.  It seems harmless.

Wireless networking allows people to be more productive everywhere.  We see users in airports working on laptops.  iPads and other mobile devices allow people to easily transport data outside their offices.  Encrypting these devices and adding passwords provides a safer way to store data outside the workplace.

Information security is everyone's job.  Employees "swim" in the same fishbowl as other users on their network.

What are you doing to maintain the integrity and security of the data you use?

Friday, June 29, 2012

An incomplete investigation...

Many American households have access to the internet in their home.  It is common for residents to install a wireless access point to allow access on devices all over the house. Some people purchase a wireless access point and simply plug it in without any consideration for securing it.  The Milan family in Evansville, Indiana installed an unprotected wireless access point in their home. They are probably regretting that decision...

Two residents of the Milan house, a grandmother and her eighteen-year-old granddaughter, were watching the Food channel in the living room when a SWAT team broke in, throwing in a stun grenade after smashing through the door and windows.  The SWAT team was responding to information that a device on the Milans' home network had posted the following message online:
"Cops beware! I'm proud of my country but I hate police of any kind. I have explosives :) made in America. Evansville will feel my pain."
The police invited the media to their bust, see the video.

The alleged perpetrator did not reside at the Milan residence.  The alleged offender who used the Milans' wireless network to post the threat was found on the same street but in a different house.  The police knocked on the door of the real offender's house (versus busting in the doors and windows).

Why didn't the police consider the possibility that the threat came from an external user of the unsecured wireless network?  Hmmm... no IT training?  It's clear that police did not fully investigate the threat.  A drive-by of the house would have demonstrated that the wireless access point was unsecured.  That is a simple step that may have caused a reasonable person to at least examine the possibility of the threat originating outside the Milan home.  A simple wireless device would have shown the range of the wireless network so that other suspects could have been evaluated before breaking down doors.  It's difficult to say what a preliminary investigation of the Milan home residents would have found, but that would also have been a prudent investigative step.  The bottom line is that a better preliminary investigation may have established a more sound approach.

It's critical that police fully investigate an incident before breaking down doors and windows.  It's also a good reason why you need to secure your home wireless network...