
Posts

Showing posts from 2011

Security Theatre in the Hospital

I was listening to the radio this morning and heard this story about how the local children's hospital is reducing waste. One of the things they are removing from the emergency rooms is the paper that lies across the examination tables. An emergency room doctor explained that the paper doesn't really contribute to the infection control program at the hospital; it's only really there for patient peace of mind. You know, so it looks clean and fresh, and through its use, convinces us that the room is clean. Sounds a lot like security theatre.

Domino Disk Performance

So, today marks the first day that I've had a chance to play with our new Domino server. Most of the hardware is pretty standard: IBM 3650M2 hardware, 12GB of RAM and 2 quad core CPUs. Usually, the performance bottleneck I run into is disk access. Today, I'm trying some new hardware to see if we can eliminate that bottleneck. Here are my first results: This spike was the result of starting a compact -C on a database with a size of 1.6GB and 150,000 documents. It took 2 minutes to complete. I'll let you know how performance continues.

RCMP Camera Gaffe and Security Policies

I read about the RCMP's gaffe with leaving images from past investigations on a camera used for surveillance of a suspected graffiti artist, and immediately thought of this article entitled "IT Security Policies Widely Ignored, Survey Suggests". Is that what happened? Was it a process issue, or a policy issue? I wonder if we'll ever know?

Anonymous and the City of Toronto

Toronto Mayor Rob Ford is confident that City of Toronto systems are secure after a threat from hacking group Anonymous. I read that in an article from SC Magazine. He really couldn't say anything else, but I wonder if he really believes it. I also wonder what City of Toronto CIO David Wallace is thinking... After large takedowns of Sony and the like by Anonymous, he's probably not as confident.

Help: Domino ACLs and Email Address as User Login

It's not often I resort to the LazyWeb method of looking for information, but I haven't had any luck finding what I was looking for otherwise. I have a client who wants to use their email address to log in to a Domino web application. My memory tells me that there is/was an issue with this and using Groups in the ACL of the Domino database. Can anyone point me to any resources on how to do this, or that it can't be done, or anything along those lines? Thanks.

Security Notice: THC-SSL-DOS, Lotus Domino and SSL Renegotiation

A group called www.thc.org released a tool called THC-SSL-DOS. Here's a clip from their site: THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection. It's also been covered in various places on the web, like here or here. While it doesn't look like there is much that can be done to mitigate it, you may get some relief for your Lotus Domino servers (and other software that uses Domino as a platform) by disabling SSL Renegotiation. It's an option available in the following releases of Lotus Domino

Greece, a Referendum and Security

About now, some people will be pontificating that if Greek citizens vote down austerity measures, Greece will run out of money in a matter of days, and that the world/European economy will go into a tailspin shortly thereafter. I suspect that if that occurs, there will be a rather public hack of Greece's infrastructure, taking advantage while they are down. Quite possibly, it will be an inside job, by someone disgruntled that they are broke.

VirusTotal - Free Online Virus, Malware, and URL Scanning

I found out about VirusTotal today. It's run by a Spanish company, and offers free, online virus checking. http://www.virustotal.com/index.html The best part in my mind? It's crowd-sourcing your anti-virus. You submit a suspect file, it's scanned by 42 different anti-virus applications, and the results get displayed to you. If the file is picked up by at least one of the 42 anti-virus programs, then they each get a copy of the file to test to improve their products. By testing a file, you're potentially helping keep everyone safe.

Reading List for 24 Oct 2011

A few good articles I read today:
Tool lets low-end PC crash much more powerful webserver
Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations.
http://www.theregister.co.uk/2011/10/24/ssl_dos_tool_released/
Down the Rabbithole Podcast Episode 4 - Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security
Pocket Guide To Securing Mobile Devices
With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device.
http://www.darkreading.com/security/vulnerabilities/231901557/pocket-guide-to-securing-mobile-devices.html
Stay Cool, Nobody is Calling Your Baby Ugly
Conversations for developers and information security specialists.
http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby

Electronic Communications Privacy Act and the Cloud

Great article from Threat Level. Worth the read, and giving some thought to how you or your company may be affected, especially if you are a foreign company with cloud services in the United States. ECPA allows the government to obtain, without a warrant, any content stored in the cloud, such as files in a Dropbox account, if it's older than six months. It goes without saying that there was no such thing as cloud-storage services available for the average Joe Sixpack when Reagan was president. Now those services have become mainstream, yet the Reagan-era law applies. http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-five/

Running a Security Program without a Budget

I've been thinking more and more about small businesses and security recently. Most small businesses don't have the budget to run their own security program. These organizations, that employ many, many people, are often left vulnerable. Larger organizations have the budget to fund a security program, while most small businesses don't. I've pointed out before that most small businesses don't have an information security program. I spotted a great article earlier today that dealt with the concept of security below the poverty line, and it contained both a podcast, and a link to a research paper published by the 451 Group. I'm not going to link directly to the research, as the 451 Group decided to make it available for free through The Ashimmy Blog, and not through my site. Credit where credit is due. As a small business owner, what 4 steps can you take to drastically improve your security? Introduce an acceptable use policy. Let your employees know

SANS Ouch! - October 2011

The latest edition of SANS Ouch! is out. Every month they publish a newsletter directed at the typical web user. Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or your parents. This month's newsletter deals with a critical step in protecting your data: backups. I encourage you to take a look, and disseminate it to your staff. In fact, they even encourage you to do that. http://www.securingthehuman.org/resources/newsletters/ouch It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simplified and Traditional Chinese. You can now follow Securing the Human on Facebook and Twitter too. http://www.facebook.com/securethehuman http://www.twitter.com/securethehuman

Conference Call Systems and Security

I found a very interesting article talking about the security surrounding conference call systems, and how easy some systems make it to eavesdrop on calls. Your competitors are simply dialing into insecure conference call lines and silently listening in. This happens at all levels, from the executive team making bajillion dollar decisions all the way down to those of us in the trenches talking shop on the technologies we use to build solutions. And the problem is only going to get worse as the workforce continues to migrate to more distributed environments. It's a great article, and a really good read. I even mentioned it to an acquaintance, who told me of a time it happened to him. The Vulnerability We All Love to Ignore - NovaInfosecPortal Scary. (And not in a good Halloween-type scary...)

Domino not starting on Windows 2008 R2

If you are like me and set up your Domino server on one IP address and then move it to another, under Windows 2008 R2 you may end up in a situation where the server refuses to start after you change the IP address. To fix it, add the following line to your notes.ini file, replacing 192.168.100.50 with the IP of your server: TCPIP_ControllerTCPIPAddress=192.168.100.50:2050

Facial Recognition on Spark

There are many privacy concerns about facial recognition. Imagine being able to identify someone by taking their photo with your phone. What about combining that with cloud computing to determine someone's address, and date of birth? Or perhaps their Social Security Number? Worse yet, who is already using facial recognition? What if the police were using it in conjunction with CCTV feeds to track you, or someone you know? What if criminals were instead? There was a great piece on Spark, a radio show on the CBC that shows how technology affects our lives. I encourage you to have a listen. http://www.cbc.ca/spark/2011/09/spark-157/

Published: Securing Lotus Domino For the Web - Email Relay

Due to issues I had with Scribd, I'm posting my paper entitled "Securing Lotus Domino For The Web - Email Relay" here on my site. Enjoy! Securing Lotus Domino for the Web - Email Relay

Every Application and Device Needs a Retirement Plan

Here's a great headline that grabbed my attention this morning: Air traffic control data found on eBayed network gear Turns out this fellow in the UK bought a Cisco switch on eBay for £20. When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around. He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft funnily enough), some ideas about password composition, VTP trunk info and password, and details of upstream switching. Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, allowing you access to all the network traffic. My first thought after reading this article? How does the NATS in the UK not have a retirement/decommissioning plan that would have addressed this? After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service

Canadian Government Proposes Mandatory Data Breach Reporting

The Canadian Government proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would force organizations to report personal information breaches to both the privacy commissioner and the affected individuals. The changes are part of a proposed bill that died on the floor of parliament when Canada went to the polls to elect a new government this past May. "Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy. Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace." - Industry Minister Christian Paradis Organizations would be required to inform individuals if there had been a breach that might result in 'significant harm' to an individual. Significant harm could be defined as identity theft, fraud or risk to a person's reputation. Ot

How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino

I've been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security researchers Juliano Rizzo and Thai Duong demonstrated at the ekoparty security conference in Buenos Aires on Friday. The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits. The vulnerability has been known for quite a while. The vulnerability affects SSL/TLS ciphers that use the Cipher Block Chaining (CBC) mode. These include the popular AES and Triple-DES encryption methods. The easiest way to mitigate the vulnerability is to switch to an encryption algorithm that doesn't use CBC, like those based on the RC4 stream cipher. Interestingly enough, Google websites don't use CBC based encryption. They use the RC4 encryption cipher instead. Domino Server BEAST Mitigation - With Internet Site Documents In the Domino Administrator Client, open the 'Configuration' tab and expand &

NIST Releases Guide for Conducting Risk Assessments

The National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1). As threats to cyber systems grow more and more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems. Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).

Microsoft Releases a TLS 1.1 Fix Tool for Windows

Microsoft has released a security advisory relating to the SSL/TLS vulnerability previously discussed. Included in the advisory are a workaround and a tool that can implement a fix on Windows 7 and Windows Server 2008 R2 systems. If you're using a version of Windows prior to Windows 7 or Server 2008 R2, your system doesn't even support TLS 1.1. Your only hope is that server admins fix the SSL/TLS problem on their web servers. Interestingly enough, the RC4 cipher suite is unaffected. Only encryption based on CBC (cipher block chaining) is affected. RC4 is a stream cipher, which is not affected.

Ideas

http://articles.boston.com/2011-09-21/business/30185263_1_data-breaches-data-thieves-data-leaks
http://businessblogs.co.nz/2011/09/data-loss-statistics-in-new-zealand/
http://m.itworld.com/security/205933/data-breach-insurance-offer-shows-how-high-risk-has-grown-smbs?mm_ref=http%3A%2F%2Fnews.google.com%2F
http://mobile.eweek.com/c/a/Health-Care-IT/Health-Care-Organizations-Underprepared-to-Secure-Patient-Data-PwC-706770/
http://online.wsj.com/article/SB10001424053111904265504576566991567148576.html
Misha Glenny: Hire the hackers! http://www.ted.com/talks/titles/id/1221/lang/eng
http://www.pcmag.com/article2/0,2817,2368484,00.asp
http://www.cbc.ca/news/canada/story/2011/09/19/passports-cost.html
http://web.eweek.com/t?r=2&c=45095&l=9&ctl=138E03:27CE567BFA884DD24E1D01934CAA685655D4898BCCC40632&
http://web.eweek.com/t?r=2&c=45095&l=9&ctl=138E02:27CE567BFA884DD24E1D01934CAA685655D4898BCCC40632&

Pssst... Want to buy some patient records?

You know, probably not the best words in an article about lost patient records to link ads from if you want your website to look legit. Just saying...

Swedish Computer System Crash; 50 000 lost medical records

A computer system crash in Region Skåne, Sweden has resulted in the loss of appointment and prescription records, and may have resulted in the loss of over 50 000 medical records. The affected hard drives have been shipped to a Norwegian company to attempt to recover the information lost in the crash that occurred on August 22, 2011. (Almost a month ago as of the publication of this post.) The cause of the crash is still under investigation, and the extent of the data loss is still unknown. "We have never before lost so much information," Mette Marklund, director of the National Board of Health and Welfare's Southern Region, told DN. "It can be a great risk to patient safety when we do not have access to adequate information. But, we do not know yet what to rebuild." Interestingly enough, Region Skåne is scheduled to launch a central medical record system for the entire nation in 2012. Ed. Note: I'm not certain how a health organization in a first world country could have st

My ATM is running Windows 98?

Picture this: you walk up to an ATM belonging to your bank and find the error below on the screen. Do you change banks?

(IN)SECURE Magazine number 31 is available

If you work in IT security, and you don't read (IN)SECURE Magazine, you should take a look at it. Here is the article list for issue 31:
The changing face of hacking
Review: [hiddn] Crypto Adapter
A tech theory coming of age
SecurityByte 2011: Cyber conflicts, cloud computing and printer hacking
The need for foundational controls in cloud computing
A new approach to data centric security
The future of identity verification through keystroke dynamics
Visiting Bitdefender's headquarters
Rebuilding walls in the clouds
Testing Domino applications
Report: Black Hat 2011 USA
Safeguarding user access in the cloud with identity governance
You can download it here: http://www.net-security.org/insecuremag.php

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me. I wasn't ready for what I found. As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server. There is only support for SMTP (through STARTTLS) and SIP (for Sametime) within Domino. All other Lotus Domino Internet based protocols (HTTP, LDAP, POP3, IMAP) support SSL up to 3.0. So... As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server doing reverse proxy. Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.

Looking for a Lotus job?

If you are looking for a job revolving around one of the IBM/Lotus technologies, make sure you take a look at Tom Duff's website. He posts daily on the new jobs that surface in the Lotus world. Duffbert's Lotus Jobs

Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long known vulnerability in all versions of SSL and TLS 1.0. Although the vulnerability has been known since the early iterations of SSL, up until now, it was thought to be un-exploitable. Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser. What does this mean for us, the security practitioners? It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon. Attacks against SSL / TLS 1.0 have yet to show up in the wild, but it is only a matter of time. Still unsure about what SSL/TLS is? Here's a good reference. (Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit. It harkens to fear mongeri

Cybersecurity Awareness Month

The Department of Homeland Security (DHS) in the United States has set October as National Cybersecurity Awareness Month. Despite choosing one month to bring public awareness to cybersecurity, most security professionals recommend practicing cybersecurity year round, not just in October. You'll probably want to think about the things on the list below during October.
Anti-Virus
Firewalls
Backups
Software Updates
You should also review the list of what to do when things go wrong (as most things eventually will). You can find that resource here: http://www.staysafeonline.org/tools-resources/learn-what-do-if-something-goes-wrong

Great Cryptography Reference

Do you know some of the basics of cryptography, like what a Caesar cipher is? How about a Vigenère table? Are you looking for an easy reference on what data encryption is? Check it out! http://library.thinkquest.org/27158/concept1_5.html

Securing The Human

Part of SANS' security awareness program is a site called 'Securing The Human'. Every month they publish a newsletter directed at the typical web user. Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or parents. This month's newsletter, appropriately called 'OUCH!', deals with privacy and security surrounding social networking. I encourage you to take a look, and disseminate it to your staff. In fact, they even encourage you to do that. http://www.securingthehuman.org/resources/newsletters/ouch It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simplified and Traditional Chinese.

Using Comics to Teach a Lesson

I'm a closet comic fan, I always have been. I've found it can be a great way to get a lesson across, especially to children and teens. As a result, I always enjoy when I find a comic that I can use as part of a training I am giving, or a presentation I make. I found one of those yesterday, and I wanted to share it. Post it in your lunchroom, post it on a bulletin board. Post it where people will read it, and hopefully learn from it.

Wikimania Prize Package

I got my Wikimania prize package in the mail the other day. There were numerous items including a Spam Sentinel t-shirt, some IBM bottle openers, IBM bottle sleeves, and the best part, a copy of the Mastering XPages book. Gotta love it! Update: I just got a note from one of the organizers asking if I got the mugs. Yup, I did. Two shiny IBM mugs as well. I'll snag a photo of it all tonight.

Admin Notes: The Hidden Field

I was implementing a third party plugin to Domino this morning, and was asked to put a certain value in a certain field. However, search as I did, I couldn't find the field in the server document. As you know, the server document uses the server form (server) in the address book (names.nsf). I opened Domino Designer, opened the form, found the field I was looking for, checked the 'hide when' value, and discovered what I had to do to make it visible. Could only happen in Domino, and for that I love it.

Insider Threat: Your Data Is For Sale

Security firm SailPoint released the results of a recent survey that shows that your corporate information may be for sale. The SailPoint Market Pulse Survey examined the current state of employee compliance with corporate policy related to private and sensitive data. Here's what they found:
22% of US, 29% of Australian and almost half of British (48%) employees who have access to their employer's or client's private data, and who answered the question, indicated they would feel comfortable doing something with that data, regardless if that access was intentional or accidental
10% of American, 12% of Australian and 27% of British employees with access admitted they would forward electronic files to a non-employee
9% of Americans, 8% of Australians and 24% of Britons of these same groups admitted they would copy electronic data and files to take with them when they leave a company
While only 5% of American and 4% of Australian employees with access who answered the questio

Ontario Cancer Screening Records Go Missing

Ontario's Privacy Commissioner is looking into reports that the whereabouts of up to 15 screening activity reports is unknown. These reports contain the Personal Health Information (PHI) of up to 6,490 Ontarians. The Privacy Commissioner's office is still investigating the status of 11 other reports that could jeopardise the PHI of another 5,440 individuals. The records contain information such as names, birth dates, gender, health card numbers and cancer screening test information. The whereabouts of the documents has been unknown since their being sent to doctors during the February - March 2011 time frame. "Medical test results rank among the most sensitive personal information about an individual," said Commissioner Cavoukian. "I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that

Admin Notes: Domino and Encryption

I often find myself running for this information, and I'm going to keep it here. That way, it may benefit someone else as well.
Lotus Domino Server/User ID
- RSA dual-key Cryptosystem and RC2, RC4 and AES algorithms for encryption
- RSA keys can be at any of the following strengths:
    - 630 bit (Domino R6+)
    - 1024 bit (Domino R7+)
    - 2048 bit (Domino R8+)
- RC4 algorithm key
    - 128bit (Domino R6+)
- RC2 algorithm key
    - 128bit (Domino R6+)
- AES algorithm key
    - 128bit (Domino R8.0.1+) (Required for FIPS)
    - 256bit (Domino R8.0.1+) (Required for FIPS)
Lotus Network Encryption
- RC4 key
    - 128bit (Domino R6+)
Local Database Encryption
- RC2
    - 128bit (Domino 6+)
- AES
    - 128bit (Domino 8.0.1+ based on UserID/ServerID encryption level) (Required for FIPS)
    - 256bit (Domino 8.0.1+ based on UserID/ServerID encryption level) (Required for FIPS)
Internet User
- X.509 certificate
SSL Encryption
- SSLv3 Cipher Settings
    - AES encryption with 128bit

Lotus Domino Denial of Service Attack

Credits to Tom Duff. Packet Storm is reporting a Lotus Domino Denial of Service issue...
# Exploit Title: Lotus Domino SMTP router, EMAIL server and client DoS - all 3 may crash
# Date: July 16, 2011
# Author: None - looks like a malformed Kerio generated calendar invitation was the reason this was discovered - http://forums.kerio.com/index.php?t=msg&th=19863&start=0
# Software Link: none - cut/paste the malformed meeting invitation shown below, send into some Domino shop as a mime type text/calendar with a filename.ics
# Version: 8.5.3 and very likely all 7.x and 8.x
# Tested on: W2K3, W2K8, XP running 8.5.3
# CVE : none - but IBM has patches for this and other items
https://www-304.ibm.com/support/docview.wss?q1=vulnerability%20OR%20vulnerabilities&rs=0&uid=swg21461514&cs=utf-8?=en&loc=en_US&cc=us
https://www-304.ibm.com/support/docview.wss?uid=swg21504183
Particularly ugly in that the rest of the page has the cut and paste code for making the attachment

Admin Notes: Is your SMTP server running TLS?

I found a great website today that allows you to check if the mail server for your domain supports TLS. This is a great tool to see if an email you send a client, colleague or even your buddy will be transmitted in clear text. It's also a great tool for troubleshooting your Domino mail server. Check it out here: http://www.checktls.com

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at InfoWorld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization:
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Boundary Defense
Maintenance, Monitoring, and Analysis of Security Audit Logs
Application Software Security
Controlled Use of Administrative Privileges
Controlled Access Based on the Need to Know
Continuous Vulnerability Assessment and Remediation
Account Monitoring and Control
Malware Defenses
Limitation and Control

Me Personally? I love DAOS...

I think DAOS is great, and why? Because of the screenshot below. A database a quarter of that size would make most admins cry, but with DAOS, it hums along beautifully. Makes me wonder if this type of scenario is what IBM had in mind when they designed DAOS. Oh, and the size is not an error. Logically, it actually is 140GB in size, with about 53,000 attachments.

Indian users of Groupon subsidiary face password breach

An Australian security consultant, Daniel Grzelak, discovered an SQL file with over 300,000 usernames and plain text passwords from Sosasta.com by conducting a Google search. The entire user database of Groupon's Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google. The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". On a side note, this is the same Daniel Grzelak who created, as a side project, shouldichangemypassword.com, a website that allows you to search a database of known-compromised e-mail address and password pairs to see if your password has been compromised.

Bioware Account Breach

I got an email the other day, one I wasn't expecting to receive, because I wasn't even aware that the organization had a data breach. (But then, how could I? They've been coming fast and furious for a while now.) The email looked like this: We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an

Is speed a good thing in disclosing security breaches?

How quickly do you feel a company should notify you that your personal data has been exposed as the result of a security breach? There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada. Each company took a different amount of time to notify customers, but that is because they are allowed to. There are no laws that specify how quickly they must advise you that your private information may have become public. Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony PlayStation Network breach to advise customers. Epsilon, who lost millions of customer account records belonging to more than 50 major companies, contacted people only a day after the breach was discovered. Honda Canada, who suffered a breach in March, didn't notify people until May. Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public.

Basic Information Security Practices missing at most Small Businesses

As I read this article earlier today, I have to say that I am not really all that surprised. Most small businesses are more concerned with their day-to-day operations and where the next client is coming from than they are with spending the time to create policies and processes to manage security. Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing of confidential data, 31.1% never trained staff on the company’s information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing of confidential data. With any small business there is only so much time and so much to get done. Most processes exist, but are usually undocumented, and quite often verbal. “Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don’t tend to have formal policies and procedures in place until they start to grow more” Without a tra

Canadian Privacy Commissioner criticizes Staples

The Canadian Privacy Commissioner, Jennifer Stoddart, has found that Staples Canada Inc. failed to fully wipe customer data from returned devices such as laptops, hard drives or USB keys prior to reselling them. The Staples audit included tests on data storage devices (i.e. computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale. Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records. This brings a few questions to mind. Who are these individuals who would return a device to a store, and blindly trust that the store will do what is in their best interest, rather than in the store's best interest? The privacy commissioner stated that: ...although Staples generally has good

IamLUG - North American Lotus User Group

Once again, I believe for the third year, St. Louis is opening its doors to Loti from across North America. Founded on the 'free' conference ideal, IamLUG has offered more than 25 sessions each year with the optional 'TackItOn' full day of training on specific subjects. This year's session list looks great, and the speakers rock. It's happening on August 1st and 2nd, with the 'TackItOn' day being Aug 3rd. You can find more detail here.

Taking Security Too Far: Breaking the Business Process

Read the following statement: "apparently the advent of 3D projectors is severely cutting the amount of light that reaches the screen because projectionists are not changing out the 3D lenses for 2D screenings as they should". Would you believe that a poorly planned security process is to blame for spoiling our enjoyment of 3D movies? With more and more thought being given to security, and protecting the intellectual property of the organization, it is possible for those controls to go too far. Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters, BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al. have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. While it is a great idea to make sure that the business is protected, making security too much of a ch

Wikimania - Please don't post (I want to win...)

Yeah, the title is a bit tongue in cheek, but seriously... I entered an article in the Wikimania contest last year, and I even won a book, and a number of other small items. I've entered again this year, on the very day the contest opened. I suspect that I was even pointed out for it. Sharing with the community is a great way to develop friendships and share information. (And win prizes. After all, who doesn't want to be recognized for their work?)

Security Review - 6/7/2011

Similar to a number of other breaches (Sony, Epsilon, Lockheed-Martin), hackers seem to mostly be targeting the 'larger' targets that will bring a lot of public exposure. The Conservative Party of Canada site was the target of such an attack this week, as were many branches of the Sony empire. The Kingston Police department just got their website back online on Tuesday following a breach. It's no surprise then that Vermont Democrat Senator Patrick Leahy has introduced a bill that would set a national standard for notifying consumers of breaches, and would make it a crime to conceal a data breach. Is there any doubt why Canadian companies are wary of the cloud? As a result, Canadian firms tend to experience fewer security lapses. On average, 43% of global companies reported a breach within the last year versus 38% in this country.

Hackers target Conservative Party website

Despite news on the Conservative Party of Canada website, Prime Minister Stephen Harper was not airlifted to a hospital in Toronto following a choking incident at breakfast with his children. In fact, it was an attack by hackers targeting the Conservative Party website. The CBC has more details.

Hackers make off with Government of Canada data

Back in April 2010, two groups (The Citizen Lab and The SecDev Group) discovered that government computers in 103 countries were compromised by hackers from China. They wrote about it in a published report called Shadows in the Cloud. Fast forward to the fall of 2010, when Communications Security Establishment Canada (Canada's electronic eavesdropping agency) started looking for signs that Canada's governmental networks had been compromised. Fast forward to January 2011, when a hack was discovered in three Canadian government departments including the Department of Finance and an agency of the Department of National Defence. A memo written at the end of January 2011 states: "Indications are that data has been exfiltrated and that privileged accounts have been compromised." Moving on to February 2011, when Prime Minister Stephen Harper says that the government has a strategy to protect computer systems, but admits that cybersecurity is "a growing issue of i

Tomorrow is IPv6 day!

Tomorrow is the Internet Society's World IPv6 Day. On June 8th, many major world organizations (including Google, Akamai and Yahoo!) will be turning on IPv6 services for a 24-hour test. More information can be found here.

Computer Security Policy: Part 1 - Hierarchy of Management Direction

When writing computer security policy, or any policy for that matter, it is important to remember that there is a hierarchy when it comes to the types of documents that make up policy:

Laws & Regulations
Policy
Standards/Directives
Procedure
Guideline

Laws & Regulations

These are the compulsory rules, with sanctions, declared by the government for all citizens. Here in Canada, the laws are passed by elected members of parliament. In the United States, laws are passed by elected members of Congress, and then ratified by the Senate. The president signs the law into being.

Policy

A policy is "a high level statement of enterprise beliefs, goals, and objectives and the general means of attainment" (Peltier). Another way to look at it is that "policy is the articulation of the intentions of management" (Fites/Kratz). It's a course of action or a principle taken by a group of individuals used to govern themselves.

Standards

Standards could be def

Domino databases can disappear when UNIX/LINUX server is shutdown

Abstract: In certain cases on a Domino 8.5.2 FP1 server, the contents of the Domino data directory can be deleted during shutdown on UNIX and Linux platforms. This does not happen frequently or on all Domino servers. However, if this does happen, a restore of the data from backup will be necessary. This IBM Alert addresses an issue with the ~notetmp.reg file on UNIX or LINUX servers running Domino 8.5.2 FP1. This is what happens: the problem occurs if ~notetmp.reg points to the Domino data directory as the temp directory and also contains an empty string filename. In that case, Domino sees everything in the data directory as temporary and all files will be deleted at server shutdown. More information can be found on the IBM support site. Reference is SPR# DWON8FVMYS. Thanks to Gunawan T. Wicaksono for pointing this Alert out.

Admin Notes: Fixes for File Viewer Vulnerabilities in Lotus Notes

Just a quick note to make sure this gets out there. I'm taking on more 'security' type duties at work. This is something that falls under both my hats. IBM Support has released a Flash Alert regarding some vulnerabilities discovered in Lotus Notes. More information can be found on the IBM Support site. I do like the fact that they have provided workaround information all the way back to Lotus Notes 5.x.

Cross Country Lotus User Group - May 12th, 2011

PLEASE NOTE THE UPDATES TO THE AGENDA IN BLUE

Date: Thursday, May 12th, 2011
Time: 1:00pm to 5:00pm – Eastern Daylight Time - Montreal, Ottawa, Toronto
11:00am to 3:00pm – Mountain Daylight Time - Calgary
10:00am to 2:00pm – Pacific Daylight Time - Vancouver

Locations

Montreal: 1360 René Levesque Blvd West, 13th floor, Conference Room. Local Host: Angela Caruso, acaruso@ca.ibm.com
Ottawa: 340 Albert St, Room 100. Local Host: Connie Triassi, ctriassi@ca.ibm.com
Toronto: 120 Bloor Street East, Suite 104. Local Host: Rosie Seth, rseth@ca.ibm.com
Calgary: 227 - 11th Avenue SW, 2nd floor, Room 2-045. Local Host: Don Gillis, dgillis@ca.ibm.com
Vancouver: 4611 Canada Way, Burnaby, BC, Queen Charlotte Room. Local Host: Jayne Johnson, jaynej@ca.ibm.com

Welcome to the Cross Country Lotus User Group Meeting!

Agenda (columns: Montreal / Ottawa / Markham | Calgary | Vancouver | Topic & Speaker | Speaker’s Location):
12:30 Lunch | 10:30 Coffee | 9:30 Coffee | Meet & Gre