Archive for Complaints

BestBuy (and others) Disclose My Email Addr

Update 5 April 2011: This is a big story. A big IT services FAIL: http://www.cbc.ca/news/business/story/2011/04/05/business-data-breach.html?ref=rss

I’m getting ready for the wave of spam. BestBuy’s direct email service (i.e., legitimate spam) was hacked and the attackers got real, live email addresses:

http://www.thestreet.com/story/11070689/1/retailers-victims-of-e-mail-hackers.html?CM_VEN=AD|TWR|JC

On the one hand, this is no big deal. On the other, it’s kind of annoying — not the incident, but the typical response from a BestBuy corporate VP of — Marketing. Yes, the customer notification doesn’t come from tech staff, but rather from the spin machine. (see email in entirety below)

I love the vagueness in these notification emails assuring users that nothing else of value was disclosed and that the “appropriate authorities” were notified.

Just once, I’d love an honest message: “We have no idea what they actually got, and neither do the 3rd-party consulting firm or the FBI. I’m sorry we left the default password as ‘password’ on our firewall. We’ll give you $10 of BestBuy credit toward your next purchase.”

What I find lovely is that our (by which I mean the information security community) best advice boils down to six relatively useless recommendations:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

Update 4 April 2011: It looks like Marriott used the same service. This is a cloud failure mode. Think about it. All I need to do is attack a single vendor, and I get multiple information streams.

April 4, 2011

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

and the FAQ has this content:

April 4, 2011

What happened?
Marriott International Inc. was recently notified by Epsilon, a marketing vendor used by Marriott to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

What Marriott information was accessed?
The unauthorized person(s) had access to names and email addresses only. They did not have access to sensitive customer information, such as physical addresses, loyalty program point balances, account logins and passwords, credit card information or other personal data.

How does this affect Marriott customers?
There is a possibility that customers whose email addresses were obtained may receive unsolicited emails (i.e., spam or phishing). Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. As a result, Marriott never sells or rents member lists.

What is Epsilon doing about this?
Epsilon has notified Marriott that they have identified where the breach took place and have taken the necessary steps to prevent additional data loss. Epsilon has further informed us that they have notified law enforcement and that additional security precautions have been put in place to help prevent future incidents.

Comments off

Slow Curtain of Death

I should rename this blog “Complaints about Apple Mac OS X”.

Apple has their own alternative to Microsoft’s “Blue Screen of Death.” I call it the “Slow Curtain of Death” — the machine suddenly stops responding, and a line proceeds from the top of the screen to the bottom, dimming the display and displaying a typically sexy-looking Apple message box saying “You must restart your computer. Press…”

My new Macbook Pro crashed (i.e., the kernel had a “panic” — yes, that’s a technical term for when the underlying operating software encounters an unrecoverable error) for the fourth time in a week from the exact same line of code (it looks like an error in handling thread locking conditions in the kernel scheduler). I have sent all four of these reports to Apple via their automated reporting mechanism.

I suspect the culprit is some incompatibility between my version of VMware Fusion and Snow Leopard (but this is complete speculation). I append the start of the most recent crash report below. Note a few things. First, the error output line itself is quite detailed, even including a possible cause (unlocking an already unlocked mutex or spinlock? why would that cause a problem?). It even includes the file sched_prim.c and line number of the error. Too bad I don’t have Mac OS X source code. The report also includes a dump of the stack, but it lacks reporting the standard dump of CPU registers.

Interval Since Last Panic Report: 27770 sec
Panics Since Last Report: 1
Anonymous UUID: B22098C3-CA08-4230-A115-AFDF431CCB8B

Tue Jan 18 14:50:12 2011
panic(cpu 2 caller 0x226b53): "thread_invoke: preemption_level -1, possible cause: unlocking an unlocked mutex or spinlock"@/SourceCache/xnu/xnu-1504.9.26/osfmk/kern/sched_prim.c:1471
Backtrace (CPU 2), Frame : Return Address (4 potential args on stack)
0xbe56be18 : 0x21b50c (0x5d4438 0xbe56be4c 0x223974 0x0)
0xbe56be68 : 0x226b53 (0x58babc 0xffffffff 0x58ba54 0x226714)
0xbe56bee8 : 0x227259 (0xde9db98 0x0 0x6bc9f000 0x1)
0xbe56bf58 : 0x2272c4 (0x22fc20 0x863ea0 0x0 0x2a358d)
0xbe56bf78 : 0x22fdba (0x22fc20 0x863ea0 0x0 0x0)
0xbe56bfc8 : 0x2a06cc (0x863ea0 0x0 0x10 0xe1933c0)

BSD process name corresponding to current thread: kernel_task

Mac OS version:
10J567

Kernel version:
Darwin Kernel Version 10.6.0: Wed Nov 10 18:13:17 PST 2010; root:xnu-1504.9.26~3/RELEASE_I386
System model name: MacBookPro6,2 (Mac-F22586C8)

System uptime in nanoseconds: 38460313523585
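To see why one extra unlock shows up as “preemption_level -1” in the scheduler rather than at the faulty call site, here is an added toy illustration (my own example, not Apple’s or xnu’s code; the lock, counter and function names are hypothetical): a spinlock whose lock/unlock adjusts a preemption counter, the scheduler-side sanity check that notices the imbalance far from the bug, and a checked unlock that rejects the extra release where it happens.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-CPU counter: >0 means preemption is disabled.
 * A real kernel keeps this per CPU; a single global suffices here. */
static int preemption_level;

struct toy_spinlock { bool held; };

/* Unchecked variants: holding a spinlock disables preemption, so lock
 * increments the counter and unlock decrements it, trusting the caller. */
static void unchecked_lock(struct toy_spinlock *l)   { preemption_level++; l->held = true; }
static void unchecked_unlock(struct toy_spinlock *l) { l->held = false; preemption_level--; }

/* Scheduler entry: the kind of consistency check that produced the panic
 * above. It only sees the corrupted counter, not who corrupted it. */
static int scheduler_observed_level(void) { return preemption_level; }

/* Checked unlock: refuse to release a lock that is not held, so the
 * fault is reported at the bug site. Returns 0 on success, -1 on misuse. */
static int checked_unlock(struct toy_spinlock *l) {
    if (!l->held) return -1;          /* double unlock caught here */
    l->held = false;
    preemption_level--;
    return 0;
}

/* Scenario A: lock once, unlock twice with no checking.
 * Returns the level the scheduler would later observe (-1). */
static int run_unchecked_double_unlock(void) {
    struct toy_spinlock l = { false };
    preemption_level = 0;
    unchecked_lock(&l);
    unchecked_unlock(&l);
    unchecked_unlock(&l);             /* the bug: one unlock too many */
    return scheduler_observed_level();
}

/* Scenario B: same bug, checked unlock. Returns 0 if the second unlock
 * was rejected and the counter stayed balanced, 1 otherwise. */
static int run_checked_double_unlock(void) {
    struct toy_spinlock l = { false };
    preemption_level = 0;
    unchecked_lock(&l);
    checked_unlock(&l);
    int rc = checked_unlock(&l);      /* rejected at the call site */
    return (rc == -1 && scheduler_observed_level() == 0) ? 0 : 1;
}

int main(void) {
    printf("unchecked: scheduler sees preemption_level %d\n", run_unchecked_double_unlock());
    printf("checked: %s\n", run_checked_double_unlock() == 0 ? "double unlock rejected" : "not caught");
    return 0;
}
```

The -1 in the report is consistent with exactly one more unlock than lock on that CPU; the panic fires when the scheduler next trusts the counter, which is why the backtrace points at sched_prim.c rather than at the driver or extension that released the lock twice.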


Two Years of Frustration With Macbook Pro

I’m concluding two years of experience with a 15-inch Macbook Pro, Mac OS X 10.5.8, 2.4 GHz Intel Core 2 Duo, 4 GB RAM. My experience suggests that the perceived “quality” of Macs is overrated — they are no more or less high quality than other commodity notebooks.

Specific complaints follow:

  1. keyboard and trackpad randomly stop responding; reboot fixes issue for short time. Keyboard occasionally “stutters” or repeats characters until another key is pressed. This requires me to carry around an external keyboard and mouse. I hypothesize that the battery comes into contact with the keyboard and trackpad connector and leads to a short or overheated wire.
  2. battery is effectively dead; unplugged operation of notebook leads to about 5 minutes of uptime before hard power off
  3. the battery/CPU/GPU put off tremendous heat (others have noticed this “feature” of Macbooks)
  4. internal optical drive intermittently fails to read CDs or DVDs; total failure about a year in
  5. the “Automatically adjust brightness as ambient light changes” option under Display occasionally “checks” itself (even though I have unchecked it). As a result, the screen dims at inconvenient times
  6. the built-in iSight camera has recently (within past 6 months) stopped working (this makes keeping in touch with family difficult, as I need to reboot every time I want to video Skype). I can get it to work briefly by shutting down the machine, resetting the system memory as described by Apple (with machine off, press and hold the power button for 5 seconds), and rebooting. When I manually reposition the physical screen position, the camera stops responding (in the middle of Skype sessions). It appears that the camera also stops working upon a suspend/closing the lid. From these symptoms, it seems like a loose wire or connector.

Do I have good things to say about this machine? Yes, but they basically amount to “it works.” The negatives listed above, however, strongly detract from the overall usefulness of this machine, particularly as a mobile platform.


Is Linux a Target?

This recent article about a 3rd-party Trojan’d piece of software for Linux is a bit sensationalist.

If a user purposely installs software of uncertain provenance (STONESOUP anyone?), it doesn’t matter what operating system lurks underneath. Does anyone know of an OS that refuses to execute an application the user commands it to install and execute?

I don’t think the community has found an effective sandboxing technique that provides both precision and accuracy in constraining arbitrary software (i.e., no technique that I know of automatically ascertains what the valid limits of the software should be within the constraints of security policy and user needs).

And it definitely should not be news that Linux is (and has been for a while) a target.


Can Computer Code “Infect” Human Organisms?

Recently, this story about a researcher “infecting” himself with a computer virus has made headlines in all sorts of computer press (e.g., Techworld, Slashdot, and Financial Times — this last via ACM Technews).

The MSN article states: “University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.”

This statement simply isn’t true — not because he wasn’t *infected*, but because *he* wasn’t infected. The same outcome / lesson would have happened if:

– the chip was on a USB stick in his pocket or keychain
– the chip was tied to a piece of string around his finger
– the chip was glued to his finger
– etc.

All this publicity stunt teaches us is that you can purposefully insert code onto microchips that have an RFID radio. Shocking. This kind of activity has an impact on the credibility of the computing profession because IT folks (among others) ask themselves in amazement: “PhDs get paid to do THAT? It isn’t even research…”

The underlying issue is about the permeability of the definition of the word “human” — I guess his message is that people are more likely to consider small, unobtrusive devices as part of themselves.

Anyway, this line of thinking is a couple of years old:

http://www.rfidvirus.org/

M.R. Rieback et al., Is Your Cat Infected with a Computer Virus?, in Proceedings of the 4th International Conference on Pervasive Computing and Communications (PerCom2006), pp.169-179, Pisa, Italy, March 2006.
