Friday, December 26, 2008

Will your cellphone spill your secrets

As the title suggests, "Will your cellphone spill your secrets" focuses on privacy exposures from lost cellphones, but the same considerations apply to other gizmos of course.

The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on them. Speaking personally, I'm terrible at remembering names let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab, on the roof of a car, having it stolen, dropping it in a puddle or some other accident or hardware failure ... actually, thinking about it, there are quite a few ways!) and not to be able to recover the data.

Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often, and while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once a month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and other available access controls such as a PIN code to unlock your phone/SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the Police or the Lost And Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse but making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient. See NIST's SP800-88 for the full nine yards.


Saturday, January 26, 2008

Another bad day at the office

A software error during routine maintenance caused an ISP, Charter Communications, to delete the contents of 14,000 customer email accounts.

"Charter gives each new Internet user a free e-mail account, but some customers opt to use other accounts instead. So every three months the company deletes inactive accounts, Lamont said. 'During this maintenance we erroneously deleted active accounts along with the others,' Lamont said. 'It's never happened before. They are taking steps to make sure it never happens again.'"


The news article doesn't mention whether the "software error" was an unfortunate and evidently untested change to the maintenance scripts (indicating a hole in their change management processes), a genuine bug in the code (possible I guess), or a simple human error by an operator/systems manager (seems entirely possible). Since the lost email accounts disappeared forever in a puff of logic, it seems the ISP had no backups of customer data - not just 'no recent backups' but 'no backups whatsoever' (a gaping hole as far as their customers are concerned but no doubt a legitimate money-saving measure from the ISP's perspective).

This incident cost the ISP $50 credits to the affected customers, presumably rather less than 14,000x$50 ($700k) as some will defect before using up all their credit. The reputational damage could be even costlier, although the truth is that such unfortunate incidents can and indeed occasionally do strike most organizations.

The Silicon Valley piece ends rather lamely with "Computer experts advise backing up all important e-mail.", implying in effect that customers are to blame for losing their emails. In some ways that is true (presumably any small businesses or power users will have been using local email clients such as Outlook to download and read their emails and so should have local backup copies) but I would advise Charter Comms to look long and hard at its information security arrangements.


Wednesday, June 20, 2007

Tears in the data center

Have you heard people talking about "tier three data centers" etc. and wondered what planet they were from? Well, The Uptime Institute has the answer - a short white paper explaining the characteristics of each of the four tiers, handily numbered I (basic) through IV (fault tolerant) for the Romans amongst us.

It's interesting that the top-of-the-range fault tolerant/highly resistant tier IV data center listed in one of the tables achieved 99.995% availability (down for just under half an hour per year!), still short of the "five nines" availability that people with very deep pockets sometimes insist they need.


Thursday, March 15, 2007

Of sloping baths and disk drive failure

Disk drive manufacturers quote MTBF (Mean Time Between Failures) of around a million hours under ideal conditions, suggesting a failure rate of less than 1% per year, but some studies show significantly worse performance (2-10% failure p.a.) in the Real World™. It seems the “bathtub” reliability curve has a sharply upward sloping or even stepped bottom, not the long flat period of stability often assumed.

Thanks to George Spafford's Daily News for both the above links :-)

If your data are vital and their availability is critical, the studies suggest the value of monitoring drive age, error rates and temperatures carefully. Also techniques such as RAID will help. However, the unpredictability of disk failure also implies the need to have contingency plans, backups and hot-swappable drives. Or, if money is no object, solid state disks might be the way to go (plus cosmic ray shielding!).


Wednesday, January 03, 2007

The ¥40bn typo

Does it matter if I offer to sell 610,000 things at 1 Yen each instead of 1 thing at ¥610,000? Errr, yes it does, especially if I'm a broker trading shares live on a busy Tokyo Stock Exchange. The broker's typo cost Mizuho Securities, Japan's second largest bank, ¥40.7bn (approximately US$340m) in charges to buy back the shares. The broker tried four times but was unable to cancel the trade due to 'a problem' with the exchange systems. In a typically Japanese form of accountability, the president, IT head and managing director/executive officer of the stock exchange all resigned, the cock-up following hard on the heels of earlier 'technical problems' i.e. capacity constraints, availability failures and functional limitations of the exchange's dealing systems.

It seems curious to me that the apparent lack of data validation on the brokerage's own systems is not even mentioned in the news reports. Being such a cheap price and more than 40x the actual number of shares in the company, the sell offer was so far out of whack with reality that the brokers' systems (both buyers and sellers) should have flagged it as a probable typo if not trapped the deal pending confirmation. It can't be easy to validate trades in such a high-pressure environment where occasional deals are bound to be outlying data values but surely it must be feasible to impose some pragmatic limits?
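The kind of pragmatic limit discussed above can be sketched as a pre-trade sanity check. This is an added example, not code from the post or from any exchange or brokerage system; the thresholds, the names and the share count are assumptions chosen to be consistent with the figures in the post.

```python
from dataclasses import dataclass

# Hypothetical thresholds; a real desk would tune these per instrument.
PRICE_BAND = 0.30        # hold if limit price is >30% away from the reference
MAX_FRACTION = 0.10      # hold if quantity is >10% of the shares in issue

@dataclass(frozen=True)
class Instrument:
    reference_price: int     # last traded / indicative price, in yen
    shares_outstanding: int  # total shares in issue

@dataclass(frozen=True)
class SellOrder:
    quantity: int
    limit_price: int         # yen per share

def soft_flags(quantity, price, inst):
    """Plausibility checks that hold an order for a second pair of eyes."""
    flags = []
    if abs(price - inst.reference_price) / inst.reference_price > PRICE_BAND:
        flags.append("price outside band around reference")
    if quantity > MAX_FRACTION * inst.shares_outstanding:
        flags.append("quantity is a large fraction of shares in issue")
    return flags

def check_order(order, inst):
    """Return (verdict, reasons); verdict is 'accept', 'hold' or 'reject'."""
    if order.quantity <= 0 or order.limit_price <= 0:
        return "reject", ["non-positive quantity or price"]
    if order.quantity > inst.shares_outstanding:
        verdict, reasons = "reject", ["quantity exceeds shares in issue"]
    else:
        reasons = soft_flags(order.quantity, order.limit_price, inst)
        verdict = "hold" if reasons else "accept"
    # Probable-typo hint: would the order be unremarkable with the two
    # fields swapped? That is the pattern in the incident described above.
    swapped_ok = (order.limit_price <= inst.shares_outstanding
                  and not soft_flags(order.limit_price, order.quantity, inst))
    if reasons and swapped_ok:
        reasons.append("quantity and price look transposed")
    return verdict, reasons

# Constructed sample data: the prices and order sizes come from the post,
# the share count is an assumed figure consistent with "more than 40x".
STOCK = Instrument(reference_price=610_000, shares_outstanding=14_500)
INTENDED = SellOrder(quantity=1, limit_price=610_000)
TYPO = SellOrder(quantity=610_000, limit_price=1)

if __name__ == "__main__":
    for name, order in (("intended", INTENDED), ("typo", TYPO)):
        print(name, check_order(order, STOCK))
```

Outlying but legitimate orders land in "hold" rather than "reject", so a second person confirms them instead of the system silently passing or blocking them.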


Wednesday, November 15, 2006

DoS attacks outlawed in the UK

Amongst other police reforms, the new Police and Justice Act 2006 makes Denial of Service attacks illegal under British law and clarifies other aspects of computer misuse. The Computer Misuse Act 1990 made it an offence to alter a computer without authority, covering most hacking attacks but not explicitly DoS attacks. Criminal hackers who commit, for example, DoS-based extortion ("Send us loads of money or we will continue disrupting your online betting service ...") can now be called to account under the new Act.

Tuesday, October 17, 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.

Wednesday, July 26, 2006

Iron Mountain fire destroys archives

Valuable paper-based records archived in an Iron Mountain storage facility in East London have been lost in a huge fire. The storage warehouse was apparently "full of paper", such that the fire was expected to rage for a day or two. The cause of the fire was unknown (as of July 13th anyway). Naturally, Iron Mountain's more sensible customers will have taken the precaution of copying their valuable archive materials and storing them separately in diverse, well-protected and secured storage facilities - won't they? Remember this story when you are moving that vital database file to your archive tapes or CDs. If that is the only remaining copy, when it's gone it's gone. Toast.
Iron Mountain's press release takes an admirably responsible position: "Iron Mountain already invests heavily and emphasises security as a normal operating principle. Due to the unknown cause of the fire at this time, we are taking extra precautions to supplement our current high level of security: Increased security staff has been added to all London facilities; Conducting an out of cycle review of background checks on personnel; Auditing external agencies and internal security assessments; Re-issuing of vendor background checks; Re-implementation of security awareness of all internal employees; Performing an out-of-cycle inspection of all Iron Mountain vehicles." [That last one could be an obtuse reference to the possible cause of the fire, or perhaps to the fact that so many couriers seem to lose their cargoes in transit]. Nevertheless, Iron Mountain's customers' misfortune is Iron Mountain's misfortune too. A lot more than just a pile of paper went up in smoke on July 12th.

Wednesday, July 12, 2006

Power cut hits generator upgrade

A power outage that took out Unisys' Penrose data centre in Auckland, New Zealand, for an hour illustrates the unfortunate impact of rare but not impossible coincidences. Although the mains power was out, the datacentre had sensibly rented a standby generator to provide cover whilst installing a new genny. That should have been enough to keep the UPS topped up ... except for a coincident problem with water in the standby genny's diesel fuel supply. How many times have we read about power works causing computer room outages? (And to be fair, how many more have taken place without incident?).

Tuesday, July 04, 2006

SEC view of DR and Business Continuity

A presentation by Mary Ann Gadziala, Associate Director of the U.S. Securities and Exchange Commission (SEC) in 2003 discussed business continuity issues arising from 9/11. In Disaster Recovery and Business Continuity Planning, she specifically noted an overriding requirement for financial institutions to resume vital clearing and settlement operations on the same day as a major incident, ideally within 2 hours. In practice, this implied highly resilient systems with some form of dual-live/multiply-redundant or hot standby arrangement, and significant investment in IT by the entire [US] financial services industry by April this year. The risk of systematic failure of the banking system shines out from the page.

Tuesday, June 07, 2005

SCADA security

I've just stumbled into the ISA website regarding an ongoing project to develop ANSI/ISA security standards for SCADA (Supervisory Control And Data Acquisition) systems used to control industrial machinery including large chunks of the critical global infrastructure (e.g. power plants, water treatment works, and no doubt the production lines at Rover - oops). In my limited experience, many old-fashioned SCADA systems pre-date modern thinking on information security controls other than availability, perhaps: the reason old SCADA systems remain a problem is that many of them have continued running more or less unchanged for decades.

Wednesday, May 25, 2005

2005 AusCERT security survey

The latest AusCERT computer crime and security survey says "Only 35% of respondent organisations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (compared to 49% in 2004 and 42% in 2003)." ONLY 35%! Am I the only person who finds it perverse to regard a situation in which MORE THAN A THIRD of those surveyed suffered business impacts as a success? 3.5% maybe but not 35. This is an outrageous indictment of the state of information security.


Wednesday, May 18, 2005

DDoS extortion

Distributed Denial of Service attacks are being used to extort money from on-line businesses. This is hardly hot news but various experts in a Computerworld piece say this is an increasing threat. More interesting is the emergence of commercial tools to mitigate DDoS attacks, giving victims an alternative way to spend their money (I would be surprised if there were no free tools with the same aim out there, at least in development by the wonderful public-spirited open source community).

Thursday, April 28, 2005

Benefits and risks of free email services

US-CERT Cyber Security Tip ST05-009 outlines the pros and cons of free web-based email accounts such as Yahoo, Hotmail and gmail. Three primary risks are identified: "security" (meaning confidentiality through SSL), privacy (confidentiality of personal and commercial information) and reliability (service availability).

Wednesday, April 13, 2005

Patch Tuesday

Yesterday was 'patch Tuesday' meaning that millions of PCs running Windows Update are slavishly downloading the latest patches from Microsoft. The explanation of "cumulative security update for Internet Explorer", just one of this month's patches, indicates that unpatched PCs accessing 'malicious Web pages' could be completely compromised by bugs in IE's handling of DHTML and URLs, potentially giving an attacker 'complete control of an affected system' through 'remote code execution'. In case you missed it, this important snippet of information is buried under the (normally unexpanded) vulnerability details section of the detailed bulletin accessible from the information page about the fix included in the latest set of patches ... how many of us bother to follow the trail through three web pages? What's more, today's Handler's Diary at SANS Internet Storm Center (which we blogged yesterday) reports that "A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.", a point which Microsoft neglected to mention explicitly. (FrSIRT notice here)
Watch out for a forthcoming NoticeBored security awareness module on 'security in information systems development' which will mention the patching treadmill as a contingency measure following the release of buggy software.

Tuesday, April 12, 2005

DDoS extortion thwarted (?)

Russian extortionists who used DDoS attacks to extort money from UK betting firms have been arrested. Complaints to the National High-Tech Crime Unit of attacks have evidently fallen since the arrest of a Russian gang believed to be behind the protection racket which forced Web-gambling firms to pay up or face extended service outages. [Whilst that may be true, DDoS attacks definitely remain a serious threat to any web-based business, us included.]