Tom Olzak

Posts Tagged ‘Privacy’

FUD: Scientist Installs Virus-Infected RFID in His Body

In Application Security, Biometrics, Hacking, Privacy on May 27, 2010 at 10:13

Recently, a scientist in the UK was interviewed (Scientist Installs Virus-Infected RFID in His Body) about his work with malware-infected RFID devices implanted in humans.  There is no discussion in the video about the difficulty involved or how input validation techniques can easily defeat any real attack against a person or a group of people.  So this ended up being just one more way to scare the hell out of people for no good reason.

Security Tip: It isn’t just about social security numbers anymore

In Access Controls, Cybercrime, Data Security, Hacking on October 2, 2009 at 09:19

A recent breach of a PayChoice Inc. server is evidence that organizations must provide overall controls, not just those targeting popular attack vectors. 

Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security numbers to steal.

“The market is saturated with [stolen] credit card data,” Wysopal said. A credit card record that was worth $10 in the underground in 2007 today can be had for about 50 cents, he said.

As a result cybercrooks looking to monetize what they are doing are moving up to higher value attacks where possible, he said.

In this case, the hackers appear to have been trying to install keystroke loggers to get information that would have allowed them to access online banking accounts of PayChoice’s customers, he said. “That is where they would have got tens of thousands of dollars,” had they been able to pull it off.

Source: Large online payroll service hacked, Jaikumar Vijayan, Computerworld, 1 October 2009

This is an example of why security professionals must continue to protect ALL sensitive information regardless of what pops up in the media.  Overall protection requires that security continuously sell that need to management at all levels, not just when a particular data type is in the headlines.

Permissions Creep: The Bane of Tight Access Management

In Access Controls, Data Security, Insider risk, Risk Management on October 1, 2009 at 10:33

Organizational role changes are common.  People are promoted, move from one department to another, or responsibilities change for the roles they’re in.  The result over time, commonly known as permissions creep, is a bunch of user accounts for which least privilege and segregation of duties no longer apply.  The solution is a documented and aggressively followed job change process.

First, let’s look at the issue of job changes.  A job change process should use an authoritative source, such as your human resources system, to track role changes.  If you assign a job code to each employee based on his or her position, then this is pretty easy.  One approach is to compare a nightly extract, including employee ID and job code, to the previous night’s run.  A difference in job code indicates a change in position.  If your HR system produces a report listing job changes, then you already have what you need.

For organizations with an automated provisioning system, the next step is easy.  Feed the changes to the provisioning server and let it do its thing.  Otherwise, hand it off to a system administrator for manual changes to directory services and all relevant applications.  Whether automated or manual, the process is the same.  For each affected account, remove all current access and replace it with the approved access for the new job role.  This assumes you’ve defined access by application, AD group, etc. for each job code.  If you haven’t, this is a big job so you’d better get started…

Some admins might simply reverse the access granted for the original role and then add the access for the new one.  This is not effective, especially for an employee who’s been around a few years.  Exceptions to base access settings may have been added over time as the employee’s manager assigned additional responsibilities not commonly given to that role, and reversing the original role leaves those exceptions in place.  Changing responsibilities cause problems of their own, particularly when an employee’s job code never changes, so the job change process is never invoked.

If you have employees who have worked for your organization for many years, especially those who demonstrate the ability to perform a wide variety of tasks, they have probably been given special permissions in addition to those approved for their organizational role.  These exceptions were likely approved by a data owner and are on file for the auditors.  So far, so good.  However, the dynamic nature of business inevitably shifts these responsibilities around, removing the need for access but not the actual access itself. 

Dealing with permissions creep caused by variable responsibilities over time requires actual reviews of employee access.  Schedule periodic reviews by data owners, managers, etc.  Use the results of these reviews to adjust access to reflect employee job responsibilities today.
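The job change and access review steps above, worked through in code. This is an added example, not anything from the original post: the HR extracts, job codes, role baselines and entitlement names are all constructed sample data, and the functions are hypothetical stand-ins for a provisioning feed.

```python
# Constructed sample data (not from the original post): two nightly HR extracts
# keyed by employee ID -> job code, a role-to-entitlement baseline per job code,
# and the access each account actually holds in directory services today.
HR_YESTERDAY = {"E100": "AP-CLERK", "E200": "HELPDESK", "E300": "AP-CLERK"}
HR_TODAY     = {"E100": "AP-SUPERVISOR", "E200": "HELPDESK", "E300": "AP-CLERK"}

ROLE_BASELINE = {
    "AP-CLERK":      {"AD:AP-Users", "ERP:Invoice-Entry"},
    "AP-SUPERVISOR": {"AD:AP-Users", "ERP:Invoice-Entry", "ERP:Invoice-Approve"},
    "HELPDESK":      {"AD:Helpdesk", "Ticketing:Agent"},
}

# E100 accumulated an exception (payroll report access) that a simple "reverse
# the old role" step never touches; E300 holds an exception worth a review.
CURRENT_ACCESS = {
    "E100": {"AD:AP-Users", "ERP:Invoice-Entry", "Payroll:Report-Viewer"},
    "E200": {"AD:Helpdesk", "Ticketing:Agent"},
    "E300": {"AD:AP-Users", "ERP:Invoice-Entry", "AD:Domain-Admins"},
}

def job_changes(yesterday, today):
    """Employees whose job code differs between the two extracts (old, new)."""
    return {emp: (yesterday.get(emp), code)
            for emp, code in today.items() if yesterday.get(emp) != code}

def reprovision(current, new_job, baseline):
    """Full replace: remove everything outside the new role, add what is missing."""
    target = baseline[new_job]
    return {"remove": current - target, "add": target - current}

def reverse_old_role(current, old_job, new_job, baseline):
    """The shortcut the post warns against: strip only the old role's entitlements."""
    return (current - baseline[old_job]) | baseline[new_job]

def review_exceptions(current_access, hr, baseline):
    """Periodic access review: entitlements held beyond the current role baseline."""
    return {emp: acc - baseline[hr[emp]] for emp, acc in current_access.items()
            if acc - baseline[hr[emp]]}

if __name__ == "__main__":
    for emp, (old, new) in job_changes(HR_YESTERDAY, HR_TODAY).items():
        print(emp, old, "->", new, reprovision(CURRENT_ACCESS[emp], new, ROLE_BASELINE))
        print("  shortcut would leave:",
              reverse_old_role(CURRENT_ACCESS[emp], old, new, ROLE_BASELINE))
    print("exceptions for review:", review_exceptions(CURRENT_ACCESS, HR_TODAY, ROLE_BASELINE))
```

Running it shows the full-replace path removing the crept payroll entitlement for E100 while the shortcut carries it into the new role, and the review step surfacing the same kind of exception for E300 even though that job code never changed.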

Finally, there is the question of location.  For non-healthcare organizations (HIPAA free), this might not be a problem.  However, when you have to manage patient information visibility based on role and location, access reviews take on an additional dimension.  Make sure reviews and job changes take into account where the employee is working and adjust need-to-know controls accordingly.

Managing permissions creep isn’t exciting, but it is a necessary part of securing information assets.

Privacy Tip — Using VIP Access at PayPal

In iPhone, Multi-Factor Authentication, One Time Passwords, Privacy on September 24, 2009 at 13:02

Today I tried to load and activate VIP Access on my iPhone.  The app loaded OK from the app store, but finding the page on PayPal where I could activate it was another story.

For those of you out of the loop, VIP Access provides a means to use your iPhone as a second authentication factor.  When installed, the software provides a different six-digit code every 30 seconds.  This code is used to verify your identity at sites supporting this VeriSign identity management technology—like PayPal.  See Figure 1.

Figure 1

Installing and launching the free software on my iPhone 3GS was easy.  The first screen included a video and other information about how to use the service.  So, having lost my VIP “football” for PayPal, I was anxious to try this out.  That was where the fun began.

There are no references to this service on PayPal.  Neither searching nor browsing turned up anything useful.  Finally, I searched Google and found someone who had solved this lack-of-information challenge by actually sending a message to PayPal. 

It turns out VIP Access activation uses the same link used to activate the VIP token, as shown in Figure 2.

In the activation form, enter the VIP Access Credential ID into the Serial Number field.  The rest of the form is self-explanatory.  After jumping the activation hurdle, everything worked as advertised.

Figure 2
