Start Laughing Now archives - Sister CISA CISSP


Nov 20 2009   9:14PM GMT

Ownership of What????



Posted by: Arian Eigen Heald
Start Laughing Now

Every now and then, some outfit does something so embarrassing, my first response is one of horror, then incredulous laughter, followed by a sense of great relief that it wasn’t my company.

I read the Digital Transactions magazine on a regular basis; it’s a good read covering the credit card and electronic exchanges of all types. But I will forever remember them due to this cover. It certainly made picking up my mail exciting; I spilled my coffee on the floor.

I’m happy to say that it is corrected on their website, but I have no doubt that someone is either out of a job or has had their proof-reading skills relegated to somewhere beneath the ocean.

Far, far beneath the ocean.

It just goes to show you that using spell-check and grammar-check will NOT save you from embarrassment!

Nov 18 2009   3:44PM GMT

Belly-Laugh of the Day



Posted by: Arian Eigen Heald
Start Laughing Now, Stupid Technology

A co-worker of mine came across a slide-show on cio.com (of all places!) on vintage technical ads.

How one ad for Daisy guns got in there, I’ll never know, but it does fit in well (believe it or not) with the overall theme. And the comments next to the slides had me ROTFL (Yes, I know, I couldn’t help it - Rolling On the Floor Laughing).

It’s absolutely amazing what people came up with to advertise, including some not so “Politically Correct” items that made me thankful we have progressed as a society. When I wasn’t laughing really hard.


Aug 10 2009   12:54PM GMT

Which One is More Clueless? I Can’t Decide



Posted by: Arian Eigen Heald
Start Laughing Now, Data Breaches, TCM (Truly Clueless Management)

I ran across a story about a former employee who “broke into” his employer’s computers, according to a news story from a TV station, entitled Cops: Former Worker Hacked Casino Computers.

Now, here’s the real story: If you read the article, the guy did not “hack in.” He used his VPN connection from his home (Clueless Number 1) to go into his employer’s network and access computers to mess up some programming.

His VPN connection had obviously not been disabled (Clueless Number 2) by his employer.

The police (Clueless Number 3) referred to him as a “computer whiz” for using his VPN connection from his home to get into his employer’s network.

Whiz? Cheese Whiz, maybe? The only thing he needed to know was that nobody had turned off his account.
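The casino story is the classic offboarding failure: HR knows the employee is gone, but the VPN account is never disabled. As an added example (not from the original post or the news story it cites), here is the reconciliation check an auditor would run to catch this: read HR's terminations list and the remote-access account export, and flag anyone whose account is still enabled, or who has logged in, after their termination date. The CSV layouts, column names and sample rows are constructed for the example; a real run would feed it the HR system's export and the VPN concentrator's or directory's account list.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List

# Constructed sample exports (not real data). Usernames are assumed to match
# between HR and the VPN system; if they do not, join on employee_id instead.
HR_TERMINATIONS_CSV = """employee_id,username,termination_date
1001,jdoe,2009-07-15
1002,asmith,2009-07-31
1003,bwong,2009-08-05
"""

VPN_ACCOUNTS_CSV = """username,enabled,last_logon
jdoe,true,2009-08-02T23:14:00
asmith,false,2009-07-30T08:00:00
bwong,true,2009-08-04T17:50:00
cjones,true,2009-08-09T09:00:00
"""


@dataclass
class Finding:
    username: str
    termination_date: date
    issue: str      # "still_enabled" or "logon_after_termination"
    detail: str


def parse_terminations(text: str) -> Dict[str, date]:
    """Map username -> termination date from the HR export."""
    out: Dict[str, date] = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["username"].strip().lower()
        out[user] = date.fromisoformat(row["termination_date"].strip())
    return out


def parse_accounts(text: str) -> Dict[str, dict]:
    """Map username -> {'enabled': bool, 'last_logon': datetime or None}."""
    out: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["username"].strip().lower()
        last = (row.get("last_logon") or "").strip()
        out[user] = {
            "enabled": row["enabled"].strip().lower() in ("true", "1", "yes"),
            "last_logon": datetime.fromisoformat(last) if last else None,
        }
    return out


def find_stale_access(terminations: Dict[str, date],
                      accounts: Dict[str, dict],
                      as_of: date) -> List[Finding]:
    """Return one Finding per problem: a terminated user whose remote-access
    account is still enabled, or who logged in after the termination date."""
    findings: List[Finding] = []
    for user, term_date in terminations.items():
        if term_date > as_of:
            continue            # future-dated termination; nothing to revoke yet
        acct = accounts.get(user)
        if acct is None:
            continue            # no remote-access account exists for this user
        if acct["enabled"]:
            days = (as_of - term_date).days
            findings.append(Finding(user, term_date, "still_enabled",
                                    f"account still enabled {days} days after termination"))
        last = acct["last_logon"]
        # A logon on the termination day itself can be legitimate (last shift);
        # anything strictly after it is a red flag regardless of account state.
        if last is not None and last.date() > term_date:
            findings.append(Finding(user, term_date, "logon_after_termination",
                                    f"last VPN logon {last.isoformat()} is after termination"))
    return findings


def run_check(as_of: date = date(2009, 8, 10)) -> List[Finding]:
    """Run the reconciliation over the embedded sample exports."""
    return find_stale_access(parse_terminations(HR_TERMINATIONS_CSV),
                             parse_accounts(VPN_ACCOUNTS_CSV), as_of)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.username:8} terminated {f.termination_date}  {f.issue}: {f.detail}")
```

Run it against the sample data and it flags jdoe twice (still enabled, and a logon three weeks after termination) and bwong once (still enabled, no post-termination logon yet); asmith was disabled correctly and cjones is still employed. The "logon after termination" finding is the one that turns an audit exception into an incident, which is why the check looks at both fields rather than just the enabled flag.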


May 12 2009   9:46AM GMT

Security Maxims to Live By



Posted by: Arian Eigen Heald
Eigen's Rules of Thumb, TCM (Truly Clueless Management), Start Laughing Now, Admins and Auditors

I happened across the Vulnerability Assessment Team website of the Argonne National Laboratory. The Security Manager there has a great sense of humor, and has devised some security maxims much like my Rules of Thumb only BETTER.

Here are a couple of my favorites:

Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.

Plug into the Formula Maxim: Engineers don’t understand security. They tend to work in solution space, not problem space. They rely on conventional designs and focus on a good experience for the user and manufacturer, rather than a bad experience for the bad guy. They view nature as the adversary, not people, and instinctively think about systems failing stochastically, rather than due to deliberate, intelligent, malicious intent.
I would add “Software Programmers” to this one.

We’ll Worry About it Later Maxim: Effective security is difficult enough when you design it in from first principles. It almost never works to retrofit it in, or to slap security on at the last minute, especially onto inventory technology.

Head on over and check out the rest.


Mar 17 2009   2:13AM GMT

The Emperor Has No Clothes



Posted by: Arian Eigen Heald
Start Laughing Now, PCI DSS, Tearing My Hair Out, Data Breaches

Visa is in a difficult position: it has said that merchants must be compliant, and the ultimate threat is to pull processing permissions from non-compliant merchants.

But if one of the merchants turns out to be a payment processor that generates huge profits for Visa, do they cut off their nose to spite their face? Evidently not. They just make them non-compliant. Sort of.

According to StorefrontBacktalk.com, Visa has declared that Heartland is no longer on the list of “PCI-compliant” vendors. Rather, Heartland is in a probationary period, with increased oversight, audits, etc.

But wait! In response to this announcement, Heartland declares that it had been compliant in 2008, is undergoing its 2009 assessment, and fully expects to be declared compliant.

(If you go to Heartland’s web site, they have quite a set of web pages on what it “means” to be PCI-compliant. The web page is entitled, “Ensuring You are PCI-Compliant.” They must take this literally, since THEY are not compliant (at least for the moment). Does anyone else besides me find this way too ironic?)

Are you confused yet? I sure am, and I’m the one who is supposed to be the auditor.

In a final expression of revisionist history, Visa is now declaring that “As of today, no compromised entity has been found to be compliant at the time of the breach.” So, temporarily, Heartland is not compliant, so no one who was compliant was…….I’m lost.

When is compliant not compliant? The message is, when Visa says it is. Or not.

PCI - Pay Cash Instead.


Jan 29 2009   7:45PM GMT

WOOT! Zombies in Texas



Posted by: Arian Eigen Heald
TCM (Truly Clueless Management), Start Laughing Now

Sometimes you just have to laugh: hackers edited roadside signs in Texas to warn of zombies ahead.

I am willing to bet that the padlock was flimsy and the password even flimsier (IF it had one). Nice of them not to use naughty words and REALLY embarrass the Public Works Department. And when was the last time that password was changed? (Oops, I must remember I’m talking about Texas.)

The head of Public Works got all huffy, but really should have been considering what the sign might have said, and thanking his lucky stars he got off so lightly. Check out the KXAN spoofings of the Zombie alert.

It goes to show you that the low-tech attack on high-tech trumps fancy attack code every time.


Jul 29 2008   11:16AM GMT

What NOT to call SAS 70 Reports



Posted by: Arian Eigen Heald
Security, Compliance, DataCenter, SOX, Admins and Auditors, SAS 70, Start Laughing Now

I ran across the new website “securityidiot.com” in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It’s so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym.

You should especially check out the rant on InfoSEC SPEEK that had me ROTFL. (Are “old” acronyms still OK? Or just old?) Between the hackers, the vendors, and our own pretentiousness, don’t we really have to wonder how anything really gets secured?

For example, following up my previous posts about SAS 70 audit reports:

“SAS-70 Certified” (They obviously haven’t read their own report. Maybe that’s a good thing for the rest of us.) I went to Google, just for fun, and searched on the topic after seeing one such statement in an RFP (Request for Proposal). There are an astounding number of responses for businesses that are listing themselves that way. Has no one ever told these folks that there is no such certification???

“CompanyName participates in an annual audit performed by an independent accounting and auditing firm and receives confirmation of our continued compliance with SAS 70 standards.” What standards? What compliance? It’s their own controls that were tested. Where are they getting this stuff? It’s almost painful to read.

Or, in a total munge of regulations:

“AnotherCompany, a premier provider of back office, accounts receivables and financial services announced that it has received full SAS 70 certification. This fulfills Section 404 of Sarbanes-Oxley, the corporate governance accounting mandate.” Wrong added to more wrong. SOX is not a mandate, a SAS 70 audit does not fulfill Section 404, and it’s still not a certification.

Then there are the businesses that market themselves as having “passed” or “earned” a SAS 70. Writing your own test and passing it - Wow. What an accomplishment! For our sakes, I hope it was an “A” grade and not a “C.”

BAD marketer. BAD.

It also calls into question the quality of the organization. I don’t know about you, but reading that sort of publicity announcement from a Data Center would make me really nervous about putting my data there. And if you search those terms together on Google, there seems to be an embarrassing number (more than zero) of “Data Centers” that are doing just that.

The same feeling would apply for outsourcing my financial processes with the accounts receivable/financial services people. Some medical benefits administrators have “passed” and “earned,” too.

And it’s REALLY embarrassing when a public accounting firm offers such a “certification.”

Ouch. It hurts when I laugh.


Jun 26 2008   1:10AM GMT

Hack My Coffee - Please



Posted by: Arian Eigen Heald
Security, Hardware & InfoSec, Stupid Technology, Tearing My Hair Out, Start Laughing Now

From Craig Wright comes this riveting post:

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what - it cannot be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service call from the Internet!)

Craig goes on to reverse engineer the software, with predictable results: Coding with no security. The details are painful.

The connectivity kit for the coffee machine installs software that uses the connectivity of the PC it is running on to connect the coffee machine to the Internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary coffee service. Be still my heart - a remote coffee machine ENGINEER. (A NEW acronym: RCME)

It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on at the level of the user. For most of us, that would be administrator.

Compromise by Coffee.
Whoo HOO. Can’t wait to see this come up in an audit.

And you can buy it for only $1798.00 at Amazon.

What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.

And Jura’s response?

“Jura is well aware of these articles which it clearly qualifies as misinformation. “
So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.

“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9)…”
And this makes insecure software better how?

“…will at no times connect the coffee machine to the world wide web.”
Except the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?

“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine - is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?

I’m feeling a caffeine buzz already. Is this a high risk vulnerability? No. Is it a good idea? NO.


Jun 23 2008   6:17PM GMT

One More Acronym and I am Going to Scream



Posted by: Arian Eigen Heald
Security, Tearing My Hair Out, Start Laughing Now

I know I’m an IT Auditor, and we should eat acronyms for breakfast, but it seems as if the focus on “achieving compliance” has brought out the worst in us. “We’re Compliant!” has become the holy grail of corporate management, and IT has jumped on the bandwagon because they can get funding for security products that way.

Round it off with the security vendors changing their market strategy to mindlessly follow this trend and you have an endlessly generated collection of “marketspeak.” Anton Chuvakin has jumped in to promote “GRC,” Governance, Risk, and Compliance. After that he used “IT GRC,” “Unified GRC,” and who knows what vendor will jump in with another riff off of that.

The latest one? “We have to get DLP.” (Data Leak Prevention) Please. Dr. Chuvakin redeems himself on this one, calling it by its true name: “content monitoring and filtering.”

How about “SaaS?” Cute lettering, isn’t it? Can you say: “Thin client?” along with “cost more?” Sigh. Until we can build enterprise software that incorporates security into the development lifecycle and patch our servers yesterday, getting the next new security product is water over the dam. The real thin client/virtual desktop is something I’ve seen in action, and I think it’s a pretty nifty idea. But SaaS is death by nickels and dimes.

Using the phrase “The Cloud” for the Internet is something else I find annoying. It’s incentivizing me, if you get my drift.

And “Web 2.0.” What the heck was Web 1.0 and why do we need 2.0? We can’t even agree on what “2.0” is.

Or “IPS.” Intrusion “Prevention” that we had to turn off because it was stopping so much legitimate traffic….yup, that was preventing intrusion all right.

I hope I’m not turning into Dvorak (the classic Internet curmudgeon), but I can certainly get cranky with all this nonsense.

Let’s hear YOUR favorites.