[SecurityRatty] tag: eligible

Open Letter to Verizon Wireless

Mon, 25 Aug 2008 11:43:00 +0000

After receiving no support from agents at the Verizon Wireless store or by agents on the phone, I decided to write them and make it an open letter. It’s no secret that Verizon has a great network, but it’s also no secret that their phone selection stinks. I don’t want to leave them and am hoping that whatever little bad press I can cause will encourage them to resolve the issue. If not, I’m tapping out. For 3 years I have hated my phone and loved their network. I’m ready to feel mediocre about both. Here it goes:

I am currently without a phone and would appreciate a speedy reply.

I have been a Verizon Wireless customer for over 5 years and my monthly bill easily averages over $200 during that time frame. While I love your network, I have been completely unsatisfied by your selection of phones. It is a stretch to say that my last phone worked—it had a feature called a battery that allowed me to switch from the car charger to my office charger without dying. And I waited—under duress—until I was allowed to purchase a new phone with the discount.

My current phone has a wonderful battery life, but this is the 4th time the charger has snapped off in the phone. The phone is fine, but I keep paying $30 for new chargers. I refuse to purchase another or wait until February when I will be eligible for a new phone. You sold a phone with a design flaw, and I’m not even asking for a refund or a free phone. Just allow me to take a chance on a new one at the 2 year contract renewal rate.

If not, I will gladly pay the early termination fee and leave Verizon. On general principle, I will spend more money canceling my account with you than I would likely receive as a discount on a new phone. As a customer, I consider it unacceptable that you sell inferior phones and leave me with no recourse.

The first time I waited haplessly to become eligible for a new phone. I will not suffer a second time. If you don’t like the fact that you will end up losing money by allowing me to purchase a new phone early, I suggest you take it up your vendors who supply you with awful products. I can promise you that we will both lose more money if you don’t.

Sincerely,

Eric Marvets

Who's Behind the Georgia Cyber Attacks?

Thu, 14 Aug 2008 06:16:34 +0000

Of course the Klingons did it, or you were naive enough to even think for a second that Russians were behind it at the first place? Of the things I hate most, it's lowering down the quality of the discussion I hate the most. Even if you're excluding all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly explains why certain countries are lacking behind others with years in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare, that there are no rules on how to achieve your objectives.

So who's behind the Georgia cyber attacks, encompassing of plain simple ping floods, web site defacements, to sustained DDoS attacks, which no matter the fact that Geogia has switched hosting location to the U.S remain ongoing? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is militia anyway :

"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks, and that the attacks are not "state-sponsored", making it look like that there should be a considerable amount of investment made into these attacks, and that the Russian government has the final word on whether or not its DDoS capabilities empowered citizens should launch any attacks or not. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

Thankfully, there are some visionary folks out there understanding the situation. Last year, I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of the possible answers still fully apply in this situation :

- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that noone else but the affected Russia could be behind the attacks

- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departamental cyber warfare would never reach the flexibity state of people's information warfare where everyone is a cyber warrior given he's empowered with access to the right tools at a particular moment in time.

Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121

Chinese Hackers Attacking U.S Department of Defense Networks

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

Teaching Cyber Jihadists How to Hack

Empowering the Script Kiddies

OSINT Through Botnets

Corporate Espionage Through Botnets

Malware Infected Hosts as Stepping Stones

Hacktivism Tensions - Israel vs Palestine Cyberwars

The Current, Emerging, and Future State of Hacktivism

Internet PSYOPS - Psychological Operations

Confidential Connecticut Department of Labor mailing is missing

Tue, 10 Jun 2008 08:00:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
State of Connecticut

Contractor/Consultant/Branch:
Connecticut Department of Labor

Victims:
Customers

Number Affected:
2,160

Types of Data:
"personal information, including name, address and Social Security number"

Breach Description:
"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."

Reference URL:
Connecticut Department of Labor
Associated Press via The Hartford Courant
Newsday

Report Credit:
Connecticut Department of Labor

Response:
From the online sources cited above:

WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.

the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully destroyed

Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21

we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised

The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.

Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.
[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?

we do not believe information on these letters will be used in a manner that will compromise the security of these residents

we have arranged for two years of free preventative services through the Debix Identity Protection Network
[Evan] Two years is much better that the semi-standard one year given by many organizations. Government breaches tick me off a little more than most. One reason is the fact that taxpayers get to foot the bill.

We sincerely regret any inconvenience or concern that has been caused by this situation

the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system

Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.
[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information. Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers. I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary. I don't think that federal law requires that these mailings include Social Security numbers.

Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.

Commentary:
If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.

Information security personnel don't currently review mailed information prior to release in the companies I consult for. This breach gets me thinking about a potential risk that I may have missed in my assessments.

Past Breaches:
September, 2007 - Stolen laptop contains names and allegations in state DCF cases
August, 2007 - State of Connecticut Stolen Laptop

Learning from Ghana

Fri, 09 May 2008 06:27:18 +0000

Its always interesting to see where the developed world can learn from emerging economies. A lot of the best engineering work comes from having to deal with harsh constraints (opposite of architecture astronomics). I blogged awhile ago about using smart cards for digital cash in Africa

Looks like there is a new system in Ghana as well

E-zwhich smart launched
-ZWICH smartcard, a universal electronic system that facilitates easy access to and transfer of money has now become part of financial transactions in Ghana.

The new system which is also designed to remove the cumbersome and insecure processes of using cash, was launched in Accra yesterday by President J.A. Kufuor, with a call on corporate bodies and government agencies to use it to ensure transparency and integrity on payrolls.

E-zwich is an electronic payment system that allows one to make payments for goods and services or transfer money to others without having to carry physical cash.

Available at all banks countrywide, the system involves the loading of money onto the smart card after registering with any bank without necessarily having an accounts with that bank.

President Kufuor said the introduction of the system has the potential of transforming the payments landscape, the financial services industry and the general conduct of business in the country.

He said accessing the technology was an integral part of government’s overall vision of making Ghana the gateway to the West Africa sub-region and transforming her into a major financial hub.

The President said that globalisation has come with a major challenge of adopting best practices in all spheres of endeavour especially within the macro economy in order to survive in the market.

He said it was against that background that the government has pursued polices to develop and modernise the financial sector to enable it to play a key role in resource mobilisation for increased investment.

With the reforms and the stability of the macro-economy, President Kufuor said the nation was witnessing dramatic growth in the banking sector.

He pointed out, however, that inspite of the impressive growth of financial institutions, an estimated 80 per cent of the eligible population was still "un-banked" or "under-banked" and seemed not to have access to financial services.

Wonder when we will see US, UK, and other first world banks and brokerages catch up to Ghana and South Africa on these technologies? Is it really a good idea in 2008 to have everyone type their username and password into a web browser?

New Info Sec magazine in blog format

Mon, 10 Mar 2008 04:02:00 +0000

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture. I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Announcing bloginfosec.com, an information security magazine in a blog format. bloginfosec.com is written by professionals for professionals.
Our magazine delivers content for executives and practitioners written by working information security executives and practitioners.

Our columnists are respected information security veterans who hold influential positions at major corporations. bloginfosec.com prides itself on being free from vendor and commercial influence. Our columnists have an amazing flexibility to write their columns as they see fit with minimal editorial constraints.

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

      * Monday: C. Warren Axelrod - ROSI: Security Returns?
      * Tuesday: Frank Cassano - The core truth of risk
      * Wednesday: Allan Pomerantz - Our End Users: The Weakest Link
      * Thursday: Micki Krause - Core Program Practices: Assess, Implement and Monitor
      * Friday: Sam Dekay - Information Security: Orphan of the Org Chart?
      * Monday: Russell Handorf - Wi-Fu! Attacking the 802.11 Client
      * Tuesday: Derek Schatz - Are We Less Secure Now Than Before?

iPod Newsletter Raffle
Any corporate (.com, .net, .com.xx, etc.) or educational (.edu) activated email address registered between Monday, March 10th, 2008 and Friday, March 15th, 2008 on bloginfosec.com will have the chance to win a free 8G iPod Touch with video. We will mail the iPod anywhere in the world. Generic email addresses (such as yahoo.com, google.com, aol.com,
etc.) are not eligible to win. All entries are subject to our discretion. We will pick the winner and contact you via email for your physical mailing address.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

New Info Sec magazine in blog format

Mon, 10 Mar 2008 03:02:01 +0000

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture. I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

Getting students, faculty to sign up for campus alerts

Wed, 20 Feb 2008 21:00:00 +0000

Although many colleges and universities have been installing or updating their emergency notification systems for students, faculty and staff since last April's shootings at Virginia Tech, technology can't fix one problem: not everyone who's eligible for the emergency alerts wants them.

Security World: Qualys selected as Red Herring Global 100 2007 winner

Thu, 13 Dec 2007 22:49:54 +0000

Qualys announced that it was selected among 1,800 eligible companies as a winner of the first Red Herring Global 100 Awards, signifying the companys growth and leadership within the technology indust...