Category Archives: 6396

Security Awareness Post 2: Beware of malicious software

October is National Cyber Security Awareness Month, and as I stated in the last post, I decided to celebrate by writing some Security Awareness posts. Almost as if they knew what I was going to write about, I received this spam comment on my last post this morning:

"such a very informative and valued article, regards"

The poster's name, which is undoubtedly fake, was hotlinked to: hxxp://www.antivirus-finder.blogspot.com. That, in turn, turns out to be a blog that links to various unknown and quite possibly shady anti-malware programs. ("Malware" is a collective term for malicious software, such as viruses, worms, trojan horses, spyware, adware, etc. Consequently, "anti-malware" is software that, at least purports to, remove or stop malware). The latest post on the site points to something called "ClamWin Antivirus" which I have never heard of. I tried scanning it using a public malware scanner but it was so large that it could not be scanned.  A quick analysis was unable to tell me whether it was malicious, but I would never install it based on these tell-tale signs:

  1. The underhanded way in which the link was sent to me, hidden in a comment on an unrelated blog-post
  2. Never having heard of it before
  3. It is too large to scan, which could be intentional to make it more difficult to tell whether it is malicious
  4. It installed additional unwanted software when I put it on a test system:

    Any software that automatically tries to install additional software you did not ask for should be immediately considered suspicious.

It turns out in this case that I was a little extra paranoid. ClamAV is legitimate, but given the choice, I will always tend toward not installing something.

Malicious anti-malware is epidemic on the Internet. I wrote an article on it a couple of years ago. The problem has not gone away, however, and the authors have become craftier than ever in their attempts to get You to install their wares. My all time favorite is "Green AV" which claims to donate part of the money you pay to rainforests.

There are some very simple rules of thumb you can follow, however, to protect yourself against fake anti-malware:

  1. No web site can scan your computer for malware merely by your going to it. Many web sites claim to, and that is how they try to fool you into thinking you are infected and need to pay for a new anti-malware program. There are a few legitimate ones that do scan your computer, such as Microsoft's OneCare, but they all require you to agree to install something to complete the scan. That leads us to the second rule of thumb:
  2. NEVER permit a web site to install software unless you consider a site trustworthy. You have to look at the address bar to see where you are. In a future post, I will talk about how to recognize fake software and sites.
  3. Never install software that just showed up and that you did not ask for. In fact, be extremely selective about what software you install. The less software you install from the Internet, the less likely you are to get malware.
  4. If you feel you need to install something, don't do it unless you have scanned it using a reputable anti-malware scanner. A good one is http://virustotal.com. Make sure you type the link correctly. Virtually every variant of virustotal.com is registered by malware purveyors or domain squatters. Virustotal scans files you upload using most every commercial anti-malware vendor. Here is an example report from VirusTotal.
  5. Use real anti-malware. The list in the example report from VirusTotal is not a bad starting poing. Perhaps an even easier one is to simply go buy something from a reputable online merchant, such as Amazon. Getting it from Amazon guarantees that you get something that is real.
  6. If you absolutely feel the need to install something, do a quick web search on it first. If you find hundreds of pages dedicated to removing it, chances are it is fake!

In summary, remember these key points: install only the software you absolutely need, and make sure you get it from a reputable supplier.

Security Awareness Post 2

October is National Cyber Security Awareness Month, and as I stated in the last post, I decided to celebrate by writing some Security Awareness posts. Almost as if they knew what I was going to write about, I received this spam comment on my last post this morning:

"such a very informative and valued article, regards"

The poster's name, which is undoubtedly fake, was hotlinked to: hxxp://www.antivirus-finder.blogspot.com. That, in turn, turns out to be a blog that links to various unknown and quite possibly shady anti-malware programs. ("Malware" is a collective term for malicious software, such as viruses, worms, trojan horses, spyware, adware, etc. Consequently, "anti-malware" is software that, at least purports to, remove or stop malware). The latest post on the site points to something called "ClamWin Antivirus" which I have never heard of. I tried scanning it using a public malware scanner but it was so large that it could not be scanned.  A quick analysis was unable to tell me whether it was malicious, but I would never install it based on these tell-tale signs:

  1. The underhanded way in which the link was sent to me, hidden in a comment on an unrelated blog-post
  2. Never having heard of it before
  3. It is too large to scan, which could be intentional to make it more difficult to tell whether it is malicious
  4. It installed additional unwanted software when I put it on a test system:

    Any software that automatically tries to install additional software you did not ask for should be immediately considered suspicious.

It turns out in this case that I was a little extra paranoid. ClamAV is legitimate, but given the choice, I will always tend toward not installing something.

Malicious anti-malware is epidemic on the Internet. I wrote an article on it a couple of years ago. The problem has not gone away, however, and the authors have become craftier than ever in their attempts to get You to install their wares. My all time favorite is "Green AV" which claims to donate part of the money you pay to rainforests.

There are some very simple rules of thumb you can follow, however, to protect yourself against fake anti-malware:

  1. No web site can scan your computer for malware merely by your going to it. Many web sites claim to, and that is how they try to fool you into thinking you are infected and need to pay for a new anti-malware program. There are a few legitimate ones that do scan your computer, such as Microsoft's OneCare, but they all require you to agree to install something to complete the scan. That leads us to the second rule of thumb:
  2. NEVER permit a web site to install software unless you consider a site trustworthy. You have to look at the address bar to see where you are. In a future post, I will talk about how to recognize fake software and sites.
  3. Never install software that just showed up and that you did not ask for. In fact, be extremely selective about what software you install. The less software you install from the Internet, the less likely you are to get malware.
  4. If you feel you need to install something, don't do it unless you have scanned it using a reputable anti-malware scanner. A good one is http://virustotal.com. Make sure you type the link correctly. Virtually every variant of virustotal.com is registered by malware purveyors or domain squatters. Virustotal scans files you upload using most every commercial anti-malware vendor. Here is an example report from VirusTotal.
  5. Use real anti-malware. The list in the example report from VirusTotal is not a bad starting poing. Perhaps an even easier one is to simply go buy something from a reputable online merchant, such as Amazon. Getting it from Amazon guarantees that you get something that is real.
  6. If you absolutely feel the need to install something, do a quick web search on it first. If you find hundreds of pages dedicated to removing it, chances are it is fake!

In summary, remember these key points: install only the software you absolutely need, and make sure you get it from a reputable supplier.

October is National Cybersecurity Awareness Month

The U.S. President has declared October 2010 to be "National Cyber Security Awareness Month." While the term "cyber" may not be particularly clear to most people, what this really is about is How To Stay Safe Online; and not just in America. Staying safe online is crucial everywhere.

To celebrate, I thought I'd try and jam in as many little advise posts as possible between now and, well, when everyone knows how to stay safe online. Thus, without further ado:

Advise #1: No, you really haven't won the U.K. Lottery.

Nor have you won the Microsoft Lottery. Nor does anyone really want you to share the fortune their deceased husband/uncle/father/president/iguana left them. These are all scams. What they are trying to do is get you to pay them for the information that supposedly will reward you with untold riches.

These scams are sometimes known as "Nigerian Scams" because they many of them originate in Nigeria. More technically, they are known as "Advanced Fee Frauds". The objective is to get you to pay some amount now in return for riches later. Of course, there are no riches later. What there are are hordes of people in Internet Cafes all over the developing world, and probably Toronto and Iowa as well, who are making a living by fooling people into sending them advance fees in return for the winnning lottery ticket.

This may sound too elementary to many, but the truth is that these scams work! The hordes are out there because there are people who pay them enough to sustain the business model. Ask around and see how many of your parents, relatives, children, friends, neighbors, and fellow commuters on the bus realize that these are scams. I think you will be shocked to see how many do not realize that all these are fake. I certainly was shocked when I found out that one of my neighbors lost $5,000 to one of these scammers.

But, of course, none of us would ever get fooled by these scams. So, I have one favor to ask of you: please make sure that everyone you know won't get fooled. Let's put the scum behind the advanced fee fraud out of business once and for all. All it will take is for each of us to make sure that we don't let any of our acquaintances fall prey.

Don’t fire people until after you wipe their phones

A very commonly required feature for mobile access to email is remote wipe – the ability to reach out and wipe all corporate data off a mobile device. Exchange ActiveSync supports this feature and has for several versions now. You, as the Exchange or Security administrator can issue a remote wipe command to a compliant device, or the user can do it themselves through Exchange, and the next time the user connects the device will be wiped.

There are two major flaws in that design. One is the well understood "the next time the user connects" part: you cannot reach out to the device and immediately wipe it. The devices do support receiving remote commands through SMS, but for some reason there is no function in Exchange to use that feature to somehow, securely, trigger a remote wipe.

It turns out, however, that there is another, possibly even larger, flaw in the implementation of remote wiping in Exchange ActiveSync. Here is the work flow:

  1. Device connects to Exchange Server
  2. Device transmits DeviceID
  3. Exchange server asks for authentication
  4. Device authenticates
  5. Exchange server checks if a remote wipe command has been issued for the device

Spot the flaw yet? Consider this scenario

  1. Bob failed to sufficiently internalize the sexual harassment training and racks up enough points to get fired
  2. Bob is walked to the door with his shiny personal Windows Phone 7 Smartphone or whatever in his pocket
  3. IT Department is notified that Bob has been terminated and disables/deletes his account
  4. IT Department, following the security policy, issues a remote wipe command to Bob's phone

Pop quiz: What happens to all the company confidential data on Bob's device?

Answer: Nothing! It will stay there for as long as Bob decides it should. Go back and look at the connection workflow again. The Exchange server will only send the remote wipe command to Bob's device after Bob has already authenticated. The IT Department did the absolutely logical thing and disabled Bob's account. Therefore, he will never successfully authenticate again. The way remote wipe is implemented in Exchange ActiveSync means we just lost the ability to wipe our data off Bob's mobile phone.

The alleged solution to this is that you should reverse steps 3 and 4 in your firing process: leave Bob's account active until his device gets wiped. If that makes you just a little queasy you are not alone. In my opinion, this is a major feature miss. Remote wipe in Exchange ActiveSync is only useful when a user loses his or her device, and even then, it is lacking since you cannot reach out to the device and wipe it. Remote wipe in Exchange ActiveSync is utterly useless when people are terminated from their emoloyer.

Fake Anti-Malware is Apparently Microsoft’s Fault

Munir Kotadia, an IT Journalist in Australia, has finally managed to figure out how to blame Microsoft for the fake anti-malware epidemic. Apparently, the reason is that “Microsoft could save the world from fake security applications by introducing a whitelist for apps from legitimate security firms” and, presumably, has neglected to do so out of sheer malice.

I’m clearly not a thinker at the same level as Munir; maybe that is why I don’t fully get this white list he proposes. Does he want one only of security software? How would you identify security software? I can see only two ways. The first is to detect software that behaves like security software. If you scan files for viruses, hook certain APIs, quarantine things occassionally, and throw frequent incomprehensible warnings, you must be security software. The problem is, the fake ones only do the latter of those four. If you use heuristic detection of security software it would be absolutely trivial for the fake packages to not trip the warnings. They just have to avoid behaving like security software. Of course, if they actually DID behave like security software, we would not have this problem, would we?

 The second approach I can think of is to have all security software to identify themselves as such, both the fake and the real. They could set some bit in the application manifest, the file which describes the application. I propose that it should look like this:

<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes”?>
<assembly xmlns=”urn:schemas-microsoft-com:asm.v1″ manifestVersion=”1.0″>
  <assemblyIdentity type=”win32″
                    name=”RBU.FakeAntiMalware.MyCurrentVersion”
                    version=”6.0.0.0″
                    processorArchitecture=”x86″
                    publicKeyToken=”0000000000000000″
                    securitySoftware=”True”
  />
</assembly>

Note the flag in the manifest above that identifies this package as security software. Now Microsoft can just compare the name of the package against a list of known good software and if it does not match, block it. This extremely simple mechanism works just as well as the “evil bit”: http://www.ietf.org/rfc/rfc3514.txt. In fact, if we simply change the manifest like this, we can avoid the whole white list altogether:

<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes”?>
<assembly xmlns=”urn:schemas-microsoft-com:asm.v1″ manifestVersion=”1.0″>
  <assemblyIdentity type=”win32″
                    name=”RBU.FakeAntiMalware.MyCurrentVersion”
                    version=”6.0.0.0″
                    processorArchitecture=”x86″
                    publicKeyToken=”0000000000000000″
                    malicious=”True”
  />
</assembly>

There you have it! Microsoft should make it part of the logo guidelines to require all malicious software to identify itself as malicious. Problem solved! You may go back to surfing the intarwebs now.

The sharp-eyed security experts in the crowd may have spotted a minor flaw in this scheme, however. What if the malicious software refuses to identify itself? Curses to them! Maybe we need something better. Perhaps Munir’s whitelist is to be a whitelist of all software? That would be simpler to be sure. In fact, using Software Restriction Policies (SRP), which has been built into Windows for years, we can restrict which software can run. Now all we need is our whitelist. Of course, as Munir points out, it is Microsoft’s responsibility to produce that whitelist.

Producing the whitelist would be conceptually simple. Microsoft would simply have to create a division that ingested all third party software, tested it, and validated it as non-malicious. DOMUS (The Department of Made Up Statistics) estimate the number of third-party applications for Windows at somewhere between 5 and 10 million, including shareware, freeware, open source, commercial applications, in-house developed applications, line of business applications, the kiosk applications that drive your ATM, your gas pump, your car, and probably a space craft or two. In order to avoid becoming an impediment deployment, Microsoft would have to test all such software for malice, with an SLA of 24-48 hours, yet guarantee that software does not turn malicious after several weeks or months. It would also need to ensure that any updates do not introduce malicious functionality. In other words, to meet these requirements, Microsoft would need to do just two things: (a) develop a method of time travel, and (b) hire and train all of China to analyze software for malicicous action. I’m sure the Trustworthy Computing division is working on both problems.

I am not arguing that reputation scoring does not have some promise, which is what Symantec’s Rob Pregnall was actually talking about, and which Munir turned into an indictment of Microsoft. However, reputation systems are not only fallible and can be relatively easily manipulated. Without consumers actually understanding what the reputation score means, and learning how to value it over the naked dancing pigs, it will never help. Again, it comes down to how we educate consumers on how to be safe online and why, instead of scaring them into buying more anti-malware software. I may be mistaken, but I was under the impression that the reason Freedom of the Press is a cherished human right is because the Press is there to educate the public. Why is the press, along with government and the IT Industry, not doing more to educate the public on how to tell real from fake?

Web Of Trust: RIP

It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust, will die.

Thawte was founded 14 years ago by Mark Shuttleworth. The primary purpose was to get around the then-current U.S. export restrictions on cryptography. Shuttleworth also had an idea that drew from PGP: rather than force everyone who wanted an e-mail certificate to get verified by some central entity – and pay for the privilege – why not have them verified by a distributed verification system, similar to the key signing system used by PGP, but more controlled. This was the Web of Trust. Anyone can get a free e-mail certificate, but to get your name in it instead of the default "Thawte FreeMail User" you had to get "notarized" by at least 2 people (or 1, if you managed to meet Shuttleworth himself or a few select others). The Web of Trust was a point-based system, and if you received 100 points (requiring at least three notary signatures) you became a notary yourself. The really cool idea was that it created a manageable system of trust based not so much on the six degrees of separation as on the fact that most of us are inherently trustworthy beings.

In 1999 Shuttleworth sold Thawte to Verisign for enough money for him to take a joyride into space, found the Ubuntu project, and to live without worries about money for the rest of his own life and that of several of his descendants. Verisign, of course, is in the business of printing money, only in the form of digital certificates, and certainly not in giving anything away for free. Not that there is anything inherently wrong with that, but it iscertainly at odds with Thawte's free service, so it was really just a matter of time before the latter was disbanded. WIth it goes the Web of Trust.

Finally, on November 16, 2009, the Web of Trust will be removed as a free competitor to Verisign's paid service that does the same thing. It will be a sad day indeed.

And finally, standard user malware

Today I finally got wind of my first piece of true standard user malware. MS Antispyware 2008 has turned standard user. The version in question installs the binaries in c:\documents and settings\all users\application data\<something>, and makes itself resident by infecting HKCU\…\Run. Curiously, the legitimate anti-malware program (one of the top 3) failed to detect the infector.

Obviously, this version is much easier to remove than the ones that require admin privileges. However, MS Antispyware is not about being hard to remove. It just needs to run until the user pays for the privilege, and more than likely, even as a standard user, many people will fall for it.

On a somewhat unrelated note, just as I was wondering who would fall for these types of scams, I met a real person that did; a not-particularly-well-off disabled retiree who was scammed out of $5000 by an organized crime ring that claims to have won you a lottery, as long as you just pay them for the ticket first. That particular scam was run partially by phone and partially online. And, the scumbags apparently didn’t think they had scammed her out of enough money so they kept calling her even after she sent them the money. I advised her to call Rob McKenna’s office (Attorney General of Washington State). Mr. McKenna’s office stated that they felt horrible for her. Apparently that was about all the comfort they could give. I must say that level of action was not particularly impressive, and does not really live up to Mr. McKenna’s campaign promises of cracking down on scammers.

Is it ActiveX that is the problem?

Last week, an expert from Verizon, nee Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog. For home users, the phone company now advises you to use a different browser, ostensibly because IE and ActiveX are inherently insecure. I felt that quite missed the point that (a) browsers are software, and (b) all software has vulnerabilities, and (c) extension technologies in browsers add functionality, which (d) is implemented in the form of software, and therefore (e) introduce additional vulnerabilities. Just because Internet Explorer's extension technology is called ActiveX does not mean it inherently has any more, or less, vulnerabilities than the extension technologies in other browsers. ActiveX received a, deservedly, horrible reputation when it first came out about ten years ago. Since then Microsoft has actually put a lot of effort into securing the user's browsing experience, but for some reason, people keep dragging up old vulnerabilities from many years ago as proof that Microsoft does not care about security. Doing so is unfair and denigrates what is probably most comprehensive software security program in the industry.

So, I decided to try to make that claim in the comments. That generated a response from "Nathan Anderson," who did not bother really reading what I wrote, used a flawed interpretation of data to "prove" that Firefox and Chrome are far more secure than IE, ignored Low Rights IE, and concluded by, in essence, calling me an idiot.

My comment also generated a response from Dave Kennedy, who appears to have been the original poster, and who thinks I went too far.

At this point, I'd probably do better to ignore the discussion, but Mr Kennedy posited a very interesting question, and I thought I'd like to explore it a little. Here it is:
"How many millions of dollars have been lost and thousands of individuals have become the victims of identity fraud that can be laid squarely at the feet of criminal exploitation of vulnerable ActiveX controls?"

I don't know. How many? And how does it compare with the number of millions of dollars lost because users click on things they shouldn't, while running as admins? How does it compare with the number of millions of dollars lost due to vulnerable versions of Flash and Acrobat; which are vulnerable on all browsers? All of those would be fantastic statistics to have. If anyone has them, I'd love to see them.

To the Nathans of the world: I never said Firefox and Chrome are less secure than IE. All I pointed out was that they do not benefit from a sandbox the way IE does on Vista and Win7. They could. Easily. Stripping privileges out of a token and setting an integrity level is quite simple. The difficult part is really just to build an escalation method to be able to perform tasks outside the sandbox.  It is just that their respective manufacturers have chosen not to implement this functionality. I really wish they had. It would greatly improve the difficulty of exploiting either browser.

In addition, Firefox, etc, may not have ActiveX, but they have other extension mechanisms, and a vulnerable extension is a vulnerable extension, whether it is ActiveX or not. It is correct that Chrome has fewer vulnerabilities than either Firefox or IE, but a reasonable argument can be made that it is because of how long it has been out and the amount of attention from security researchers it has received so far. Chrome is not yet a year old. In that time, Chrome 1.x and 2.x have racked up 9 advisories (12 vulnerabilities), according to Secunia. I included both versions because of how fast they were released. It provides a more accurate measure of the impact on the end user. Chrome 3.x is still considered a preview release as far as I can tell, so I excluded it. Firefox 3 (the only supported Firefox version for most of the one-year timeframe) had 9 advisories in 2009 so far, and an additional 5 in late 2008. Internet Explorer 7 in that timeframe has 6. 

Based on these figures, I would submit there is no statistically significant difference between the three browsers. I am not trying to minimize the ATL vulnerability, which was sloppy in the extreme, and I am not trying to denigrate either Firefox or Chrome, as I use and enjoy both, although mostly Firefox, which I used to write this post. I am simply saying that all software has vulnerabilities, and that the attackers will be opportunistic enough to exploit any or all of them if it is necessary to meet their needs.

Vulnerability counting misses the point entirely though. All the bad guys need is one unpatched vulnerability. Furthermore, that vulnerability can reside in the browser, or in anything else running in the browser.The common add-ins, such as Flash and Acrobat, have vulnerabilities regardless of which browser they are running in. Even if the user has a fully patched and non-vulnerable browser, all the attacker needs is one unpatched add-in. Adding a new browser requires adding new add-ins, so now you have two copies of Flash to maintain, two copies of Acrobat to maintain, and another browser.Simply adding more software to maintain does not make people more secure. Most users would probably be far better off maintaining only one browser and spending the additional effort on learning how to browse more securely.

Finally, whether a computer is fully patched or not; whether a browser or its extensions are full of holes or not; the most vulnerable part of any system is almost always the user. Humans are still at v. 1.0 and there have not been a single security patch issued for them yet. There has been no Trustworthy Computing Initiative to stamp out security vulnerabilities in people. Therefore, the easiest way to hack anything is almost always to ask a legitimate user to do it for you. Simply present the user with something he values more than an intangible and incomprehensible security benefit, and your job is done. Many of the attacks today do not even use software vulnerabilities. It is more reliable and less expensive to exploit the user directly.

Please do not e-mail my social security number

Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS – the U.S. tax department) reporting that they paid me, as well as send me a form called a 1099 form that I can use to report this money on my tax return.

A few days ago the comptroller for the publisher sent me an e-mail asking for my social security number (my national ID number for any non-Americans that are unfamiliar with the term). As is my custom, I responded that I really do not care to e-mail my social security number, but if he gives me a phone number I will gladly call him and let him know. This he did. I called, and within 15 minutes of the call I received a form California DE 542 in the mail. The DE 542 is required by the state of California when money is paid to a contractor, or a contract is entered into to pay money to a contractor. Its purpose is to permit the state to track payments to parents who do not pay their child support. Not only do I not need this form as I am not a resident of California; it also contains, you guessed it:

my social security number.

At this point I started wondering what part of "I do not wish to have my social security number transmitted by clear-text e-mail" was unclear. I sent a message to the sender that informed him that this could quite possibly be considered a data breach and require notification under Washington State SSB 6043, which requires formal breach notification. As of today, I am still awaiting a response. Any response.

Just because I felt like griping to someone, I forwarded the e-mail to my favorite accountant. Her response was "yeah, I know lots of CPA firms who e-mail around unencrypted 1040s." (A "1040" is the U.S. federal tax return form). I was absolutely floored. Last week credit card processor Heartland reported that they had experienced what may very well be the largest data breach in world history. Many banks are replacing every single one of their credit cards because of it. In fact, I took a call from a distressed bank manager just this morning asking whether it would be prudent to do so (the answer was "yes"). Yet, does that not pale in comparison to the number of unencrypted 1040s e-mailed around by tens of thousands of accountants every year, and the untold millions other tax-related forms that traverse unencrypted network channels?

If you steal my credit card number, I can call the bank and ask them to issue me a new number. A few days later, I have a new card. The bad guy can, at worst, incur a few hundred dollars in charges, maybe a few thousand if they are really lucky. Yet, credit card data is somehow seen as the primary piece of data that needs protection. How many news reports have you read that discuss a computer breach and include the words "no credit card numbers appear to have been compromised?" Have we completely lost sight of the fact that there may be other pieces of information that need protection?

Consider the corollary. If you steal my social security number, you can take over my house, get any number of credit cards in my name, give me a criminal record, get a driver's license in my name… And, how do I clean it up? If I call the Social Security Administration and ask for a new number because my existing number has been compromised they would simply laugh at me. Only in exceptionally rare circumstances do they issue new numbers. In some states I am permitted, if my social security number has been compromised, to put in a credit report freeze, but the burden is on me, as the victim, to prove that my information has been compromised before I can get a freeze. If I am deemed worthy of getting the barn door closed after the horses have fled, I get to pay $30-60, per freeze, per credit bureau, requested by certified mail. And each freeze may only be good for 90 days. That's only in some states. Other states prohibit credit freezes, and a few, more progressive ones, actually permit consumers to close the barn door before the horses run away. The freeze usually still costs money, and usually is still time-limited, and usually still requires that you use certified mail to each credit bureau to request it. Fortunately, you can "thaw" the freeze by making a single phone call and typing in a four-digit pin.

What is wrong with this picture? Why are accountants and comptrollers still e-mailing around the source data – social security numbers; while we as consumers only seem to care about the derived data – the credit card number? Why is there a Payment Card Industry (PCI) Data Security Standard that, while widely ignored, attempts to set data protection standards for cardholder data; but no Social Security Number security standard that establishes requirements for protection of social security numbers and liability for anyone who compromises someone else's Social Security Number?

Why do we not see any Attorney's General up in arms over that one? Who is going to help me protect the source data?

 

Kip Hawley: "No, the TSA is Necessary Because This is War!"

CBS News did a story a few days ago on the Transportation Security Administration (TSA). Basically it was a tit-for-tat between Bruce Schneier, security pontificator extraordinaire, and Kip Hawley, the administrator of the TSA. Mr. Hawley's maintans that the TSA provides a necessary service because we are at war, and the obvious battleground, apparently, is airplanes. Surely, we must all realize that just because the terrorists used airplanes once, they can't possibly have enough imagination to go for another target next time. Mr. Schneier, wisely, disagrees, points out all the flaws in what the TSA does, and calls the whole thing "Security Theater;" a term whose origins are not entirely undisputed, but that is beside the point.

The interesting thing with this story is that neither of Messrs. Schneier and Hawley were quoted as addressing the currently most glaring flaw in the entire air transportation security apparatus. If one of our enemies actually wanted to terrorize the populace, why take on the risk of blowing up another plane? Just for fun, head on down to your local airport this week. Walk into the terminal area and take a look at the security line. At Dulles (IAD), Los Angeles (LAX), Chicago (ORD), Denver (DEN), Atlanta (ATL), John F. Kennedy (JFK), etc, the picture is the same. There will, at any given moment, be 500 to 1,000 people in line.

It took 5 terrorists per plane (four on one plane) to blow up the planes on September 11, 2001. Together, they managed to kill 2,751 people. That's  145 victims per attacker. Take those 19 terrorists, strap them full of explosives, and position them strategically in the lines the TSA has created leading up to the security checkpoints. I guarantee you that each one of them will kill 145 people, or more. Better still, have them get in line with a bag full of explosives, then leave the bag and step out of line. They will probably have two to three minutes to make a get-away before the bag explodes before anyone even so much as looks at those bags. One might even have more if one chats up the people next to oneself in line to watch the bag while the attacker runs to the restroom. Suddenly, we have the prospect of a devastating, coordinated attack that is far more insidious, far more deadly, and far more difficult to prevent, than the attacks of September 11. This one you can't inspect away. You can't put a security checkpoint to get into the security checkpoint.

The TSA, single-handedly, created this vulnerability by making the airport security checkpoints so incredibly inefficient (and, one might add, ineffective) that the lines leading up to them back up with hundreds, or, in the case of Dulles, even thousands, of people. If the terrorists really wanted to erode confidence in our transportation infrastructure, why not make the security checkpoints the most dangerous part of it?

Mr. Hawley, in your final few weeks, how are you going to protect the public you are sworn to protect from this attack? How are you going to prioritize our safety while we are waiting in line so that your spiffily dressed officers can declare us as posing no risk to the traveling public?