Ranum's Rants

Ranum's Rants - The Anatomy of Security Disasters

by Marcus J. Ranum
March 26, 2009

(PDF version of this is available from my personal website, PDF of Powerpoint handouts from Source Boston 2009)

Introduction: Truth

Since I started in security, 20 years ago, "they aren't taking security seriously" has been the constant complaint of the security expert. Even in organizations where security is taken seriously, it has come at the cost of a constant adversarial relationship with management or other business units. Some of us enjoy the strife; most don't. In fact, most of us enjoy being employed more than we enjoy being right.

AfterBites - Man Must Decrypt Hard Drive

by Marcus J. Ranum
March 8, 2009

The original article:

--Judge Says Man Must Decrypt Drive
(February 26 & March 3, 2009)
A federal judge has ruled that a man suspected of having child
pornography on an encrypted drive on his laptop computer is not
protected by the Fifth Amendment. US District Judge William Sessions
ruled that Sebastien Boucher surrendered those rights when he allowed
his laptop to be searched the first time, and ordered Boucher to provide
the court with an unencrypted version of the drive in question. The
ruling reverses an earlier decision in which a judge ruled that Boucher
was protected from incriminating himself under the Fifth Amendment. The
original request from the US department of Justice had been to make
Boucher surrender his encryption passwords; the appeal asked only that
he decrypt the drive in view of the grand jury. Boucher's laptop was
searched in December 2006 while crossing the border into the US from
Canada. Agents claim to have seen the offending content, then shut down
the computer. When they tried to access the images after Boucher's
arrest, they were unable to because of his PGP program.

There are several things about this particular article that really bother me - and they're all about the rights of citizens to be free of government interference.

AfterBites: Incident Reporting and Science 101

by Marcus J. Ranum
February 21, 2009

I need to preface this with a disclaimer: I am not criticizing SANS for carrying the article. It's instructive, and that's always useful. I wish, however, that technology journalists were a bit more skeptical or clueful - and - as they say, "that's our story."

The article:

Reports of Cyber Incidents on the Rise
(February 17, 2009)
The number of cyber security incidents at federal civilian agencies reported to the US Department of Homeland Security's US-CERT has tripled since 2006. In fiscal 2008, 18,050 incidents were reported, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006.
Agencies are required to report cyber security incidents under the Federal Information Security Management Act (FISMA); such incidents include unauthorized access, denial of service, malicious code, improper use, scans, probes and attempted unauthorized access. The significant increase over the last several years can be attributed to both an increase in malware and a heightened awareness of and ability to detect incidents.

Small Businesses Want Centralized Cyber Incident Reporting Organization
(February 19, 2009)
A report from the Federation of Small Businesses says that 54 percent of small businesses have experienced fraud or cyber crime over the last year. Although more than one-third of respondents do not report the incidents to police or to banks because they believe it would not make a difference, 53 percent of those surveyed would like specific information about how and where to report the incidents. Eighty-five percent of respondents said that they would make use of organizations established specifically to gather the information and use it to combat fraud. The average annual cost of cyber crime and fraud to small businesses in the UK is GBP 800 (US $1,140).

Let's start with the second article first, because it's less interesting. The headline should have said "UK small businesses" but that's a minor detail. Does this set off your stealth marketing alarm? It pegged the needle on mine; so I'd like to make a prediction: someone is out beating the bushes, right now, to start up that reporting center. Let's see if I'm right and, within the next year, someone announces that they're either member-funded (in which case they will quickly vanish) or government-funded and are offering that capability. Those of you who've been around information security since the early 1990s will remember the spectacular rise and fall of break-in reporting in the US, with attrition.org, CERT, and CSI/FBI publishing various statistics that meant - uh - various things. Usually, what they meant, to me, was "security reporting is a hard problem." ... And that's the topic of the first article.

AfterBites - 160 Illustrations of Transitive Trust

by Marcus J. Ranum
February 16, 2009

The article:

Number of Banks Affected By Heartland Breach: 160 and Growing
(February 6 & 12, 2009)
According to the Bank Information Security website, nearly 160
financial institutions have acknowledged that they were affected by
the Heartland Payment Systems data security breach. Banks in 40 US
states as well as in Canada, Bermuda and Guam have reported that
some of their customers' cards were exposed. It is not known how
many card accounts were compromised; Heartland says it processes 100
million transactions a month.

One of the underlying realities of computer security is the problem of transitive trust.

AfterBites: Cyberwar Hypewatch

by Marcus J. Ranum
February 11, 2009

The article:

--German Magazine Says Armed Forces Establishing Cyber Warfare Unit
(February 9, 2009)
German magazine Der Spiegel reports that the country's armed forces are
in the process of establishing a unit dedicated to cyber warfare. The
unit will take on responsibility for protecting German IT infrastructure
from attacks as well as conduct reconnaissance and interventions on
foreign and "enemy" computer networks.

I'm sure there are lots of countries setting up "cyberwar" units. Why? Because they're so very, very l33t!

AfterBites: Parking Ticket Social Engineering

by Marcus J. Ranum
February 6, 2009

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector
(February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking
violation notices on cars. The notices direct the users to a website
for more information, which leads the users through a set of links
that downloads malware onto their computers. That malware then urges
users to download an anti-virus scanner that is worthless.

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

AfterBites: My Hospital Robo-Surgeon Has a What?

by Marcus J. Ranum
February 3, 2009

(This column commences what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space, nor would it be appropriate for the editors to engage in hand-to-hand combat, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

--London Hospitals' Worm Infection "Entirely Avoidable"
(February 2, 2009)
A review of the worm infection that affected three London hospitals last
November found that the incident was "entirely avoidable." The Mytob
worm infected 4,700 PCs at St. Bartholomew's, the Royal London Hospital
in Whitechapel and The London Chest Hospital; as a result, some
ambulances were rerouted and some recordkeeping had to be done with pen
and paper. While administrative systems were running again within three
days, it took two additional weeks to scan all the machines to ensure
they were clear of infection. The review determined that the initial
infection resulted from misconfigured anti-virus software and spread so
widely due to a decision by administrators to disable security updates
because they had caused some computers to reboot while surgery was

There is so much wrong with this picture that it's hard to know where to start. "Ambulances rerouted" could be extremely unpleasant if you were, say, waiting patiently for help after a car crash, or something. "Recordkeeping with pen and paper" is, perhaps, a useful survival drill. The part that makes my blood run cold is "caused some computers to reboot while surgery was underway." I know that if I were a patient and heard the distinctive "cdrom-whirr, beep" of a computer rebooting, I would leap off the table and make a bloody trail toward the taxi stand, if I had working legs.

Cyberespionage (Part III of a series)

by Marcus J. Ranum
September 19, 2008

Hello again!

In my last column, we looked at cyberterror and puzzled aloud about "if it's so horrible, why isn't it happening?" In this episode, we're going to tackle the most straightforward aspect of cyber-badness: espionage. While it's straightforward, it scares me more than any of the other cyber-badness.