Entries Tagged "insiders"


NSA Implements Two-Man Control for Sysadmins

In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins:

NSA chief Keith Alexander said his agency had implemented a “two-man rule,” under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it would take time to spread across the whole agency.

[…]

Alexander said that server rooms where such data is stored are now locked and require a two-man team to access them — safeguards that he said would be implemented at the Pentagon and intelligence agencies after a pilot at the NSA.

This kind of thing has happened before. After USN Chief Warrant Officer John Walker sold encryption keys to the Soviets, the Navy implemented two-man control for key material.

It’s an effective, if expensive, security measure — and an easy one for the NSA to implement while it figures out what it really has to do to secure information from IT insiders.

Posted on July 24, 2013 at 6:18 AM

The Effectiveness of Privacy Audits

This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”

Posted on July 9, 2013 at 12:17 PM

Lessons From the FBI's Insider Threat Program

This article is worth reading. One bit:

For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting out bad behavior. Compared to the predictive capabilities of Punxsutawney Phil, the groundhog of Groundhog Day, that system did a worse job of predicting malicious insider activity, Reidy says.

“We would have done better hiring Punxsutawney Phil and waving him in front of someone and saying, ‘Is this an insider or not an insider?’” he says.

Rather than getting wrapped up in prediction or detection, he believes organizations should start first with deterrence.

Posted on March 20, 2013 at 11:51 AM

Insider Attack Against M&A Information in Document Titles

Protecting against insiders is hard.

Kluger and two accomplices — a Wall Street trader and a mortgage broker — allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades….

Kluger had access to information on M&A deals in Wilson Sonsini’s DMS, but he did not open the documents to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. “Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,” the charges state….

Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it’s often easy to figure out the codes.

Posted on June 23, 2011 at 6:29 AM

Forged Subway Passes in Boston

For years, an employee of Cubic Corp — the company that makes the automatic fare card systems for most of the subway systems around the world — forged and then sold monthly passes for the Boston MBTA system.

The scheme was discovered by accident:

Coakley said the alleged scheme was only discovered after a commuter rail operator asked a rider where he had bought his pass. When the rider said he’d purchased the pass on Craigslist, the operator became suspicious and confiscated the ticket.

An investigation by the MBTA Transit Police found that despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said.

Although you’d think the MBTA would poke around the net occasionally, looking for discount tickets being sold on places like Craigslist.

Cubic Transportation Systems said in a written statement that it is cooperating with authorities. “Our company has numerous safeguards designed to prevent fraudulent production or distribution of Charlie Tickets,” the statement said, referring to the monthly MBTA passes.

It always amuses me when companies pretend the obvious isn’t true in their press releases. “Someone completely broke our system.” “Say that we have a lot of security.” “But it didn’t work.” “Say it anyway; the press will just blindly report it.”

To be fair, we don’t — and probably will never — know how this proprietary system was broken. In this case, an insider did it. But did that insider just have access to the system specifications, or was access to blank ticket stock or specialized equipment necessary as well?

EDITED TO ADD (5/22): More details:

On March 11, a conductor on the commuter rail’s Providence/Stoughton Line did a double-take when a customer flashed a discolored monthly pass, its arrow an unusually light shade of orange. The fading, caused by inadvertent laundering, would have happened even if the pass were legitimate, but the customer, perhaps out of nervousness, volunteered that he had purchased it at a discount on Craigslist, Coakley said.

That raised the conductor’s suspicion. He collected the pass and turned it over to the Transit Police, who found no record of its serial number and began investigating. Working with State Police from Coakley’s office, they traced it to equipment at the Beverly branch of Cubic Transportation Systems Inc. and then specifically to an employee: Townes, a 27-year-old Revere resident.

Auditing could have discovered the fraud much earlier:

A records check would have indicated that the serial numbers were not tied to accounts for paying customers. But the financially strapped MBTA, which handles thousands of passes and moves millions of riders a month, did not have practices in place to sniff out the small percentage of unauthorized passes in circulation, Davey said.
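The records check described above, written out as an added example (not code from the original post or from the MBTA): gate-acceptance logs are reconciled against the sales/activation records, and any serial the gates honoured without a matching paying-customer account is flagged. The log format, serials and account ids are constructed for illustration.

```python
# Added example (not from the original post): reconciling serial numbers seen at
# fare gates against the activation/sales records, the "records check" the
# quoted passage says would have exposed the forged passes much earlier.
# All data below is constructed for illustration.
from collections import Counter

# Constructed sales/activation records: serial -> paying customer's account.
ACTIVATED = {
    "MBTA-000101": "acct-4410",
    "MBTA-000102": "acct-4411",
    "MBTA-000103": "acct-4412",
}

# Constructed gate log lines: "<timestamp> <gate-id> ACCEPT <serial>".
# The gates validate the card's encoding, so forged passes open them;
# only an offline comparison with the activation records reveals them.
GATE_LOG = """\
2011-03-11T07:02:10 gate-north-3 ACCEPT MBTA-000101
2011-03-11T07:05:44 gate-north-1 ACCEPT MBTA-000777
2011-03-11T08:10:02 gate-south-2 ACCEPT MBTA-000102
2011-03-11T17:31:55 gate-north-3 ACCEPT MBTA-000777
2011-03-12T07:00:19 gate-south-1 ACCEPT MBTA-000778
"""

def parse_gate_log(text):
    """Yield (timestamp, gate, serial) for each well-formed ACCEPT line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "ACCEPT":
            yield parts[0], parts[1], parts[3]

def unactivated_serials(gate_log, activated):
    """Return {serial: accept_count} for serials the gates accepted but
    that were never tied to a paying customer's account."""
    counts = Counter(serial for _, _, serial in parse_gate_log(gate_log))
    return {s: n for s, n in counts.items() if s not in activated}

if __name__ == "__main__":
    for serial, n in sorted(unactivated_serials(GATE_LOG, ACTIVATED).items()):
        print(f"{serial}: accepted {n} time(s), no activation record")
```

Run as a periodic batch job over the real gate logs, the same comparison also gives the size of the problem (how many distinct unauthorised serials are in circulation, and how often each is used), which is what the passage says the MBTA lacked.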

Posted on May 20, 2011 at 7:44 AM

UK Immigration Officer Puts Wife on the No-Fly List

A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and — during the routine background check — someone investigated why his wife was on the no-fly list.

Okay, so he’s an idiot. And a bastard. But the real piece of news here is how easy it is for a UK immigration officer to put someone on the no-fly list with absolutely no evidence that that person belongs there. And how little auditing is done on that list. Once someone is on, they’re on for good.

That’s simply no way to run a free country.

Posted on February 4, 2011 at 1:35 PM

$100 to Put a Bomb on an Airplane

An undercover TSA agent successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger’s name and put it on an airplane.

As with a lot of these tests, I’m not that worried because it’s not a reliable enough tactic to build a plot around. But untrustworthy airline personnel — or easily bribeable airline personnel — could be used in a smarter and less risky plot.

Posted on January 28, 2011 at 1:40 PM

Gift Cards and Employee Retail Theft

Retail theft by employees has always been a problem, but gift cards make it easier:

At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card.

[…]

Many of the gift card crimes are straightforward, frequently involving young sales clerks and smaller amounts than the Saks theft. Among the variations of such crimes, cashiers often do fake refunds of merchandise and then, with the amount refunded, use their registers to electronically fill gift cards, which they take. Or sometimes when shoppers buy gift cards, cashiers give them blank cards and then divert the shoppers’ money onto cards for themselves.

That last tactic is particularly Grinch-like.

Posted on January 7, 2010 at 5:46 AM

Don't Let Hacker Inmates Reprogram Prison Computers

You’d think this would be obvious:

Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was left unguarded and hacked into the system’s hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.

And you shouldn’t give a prisoner who is a lockpicking expert access to the prison’s keys, either. No, wait:

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

Next week: inmate sharpshooters in charge of prison’s gun locker.

Posted on October 6, 2009 at 2:32 PM
