
Not encrypting laptop Clear-ly not a great idea

August 6th, 2008 by Stacy Shelley

According to news reports, an unencrypted laptop containing personal identification information for 33,000 registrants of the “Clear” program was recently stolen from an office at San Francisco International Airport. For those unfamiliar with “Clear”, it is used by several major airports to allow pre-screened flyers to bypass regular security lines. Customers pay an annual membership fee to be a part of the program and go through a more in-depth screening process that involves submitting to a background check and threat assessment as well as providing biometric data in the form of fingerprints and iris scans. As usual, the Breach Blog has a good summary of what’s known so far about the breach.

From The Orlando Sentinel:

“The Transportation Security Administration said it has instructed all airports that contract with Verified Identity Pass Inc. — which operates the “Clear” program at OIA and nearly 20 other airports across the country — to suspend enrollment in the service and to secure all unencrypted computers until encryption software is installed. The agency also instructed San Francisco International Airport, where the laptop was lost, to ensure that Verified Identity Pass immediately contacts everyone whose personal information was stored on the missing computer.”

Verified Identity Pass claims the stolen laptop contained less sensitive information such as driver’s license numbers and passport numbers, but no credit-card numbers, social security numbers or biometric information. That’s good, but it doesn’t change the fact that the stolen laptop was unencrypted in the first place.

For the service they provide, it’s hard to believe the company didn’t consider laptop theft to be a serious enough business risk to warrant the cost of encryption. Even though the compromised information wasn’t as sensitive as it could have been, they’re still losing revenue from new enrollees (at least temporarily) and they’re most likely going to have to deal with increased scrutiny from the TSA. Trust wasn’t broken, but it was surely weakened.

What if they weren’t as lucky and there happened to be biometric data or social security numbers on the stolen laptop? You shouldn’t base your security efforts on improbable “what ifs”, but can anyone honestly say this is improbable anymore, given all the breach notices and stolen laptops reported in the last few years?


Update: Seems Rothman ran into this in ATL on his way to Vegas for Blackhat.

Update 2: Turns out the missing laptop was found. In the same office. Just in a different spot. Either someone jumped the gun on declaring the laptop missing or whoever took it was able to sneak it back into the locked office without anyone noticing. Perhaps it’s a really tiny and inconspicuous laptop? Maybe a MacBook Air? Wouldn’t be the first time one of these has caused problems with airport security… /snark


The Week’s Links: July 28 - August 1, 2007

August 1st, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

SC Magazine: Senate OKs revamped identity theft legislation

Information Week: Expert Urges China Olympics Visitors To Encrypt Data

Search Security: EV SSL certificates won’t stop phishers, researchers say

CNet: Report: Sarbanes-Oxley could threaten security

SC Magazine: Backdoor scams emerge on phishing kits

Security Matters: Security Flaws in Online Banking Widespread

The Week’s Links: July 21 - July 25, 2007

July 25th, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

Information Week: Red Alert! DNS Flaw Revealed

eWeek: How to Approach Access Control in the Social Networking Age

Dark Reading: Researchers Raise Alarm Over New Iteration of Coreflood Botnet

ZDNet: 75% of online banking sites found vulnerable to security design flaws

SC Magazine: Small firms naive about security

CNN: UK to clamp down on Internet piracy

The Week’s Links: July 14 - July 18, 2007

July 18th, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

Ars Technica: Report: cybercrime groups starting to operate like the Mafia

eWeek: DNS Protocol Flaw: Don’t Panic, Just Patch

SC Magazine: Trojan disguised as UPS delivery note

Computerworld: Update: City IT admin pleads innocent to network tampering charges

Dark Reading: Vulnerabilities Could Expose Broad Range of Java Apps

Identity Theft Red Flags Update

July 17th, 2008 by Stacy Shelley

Thanks again to everyone who attended our recent “Red Flags Update” webcast. By popular demand, slides from the website can be downloaded here (PDF). Also, an archive of the webcast will be available on-demand in our Webcast Archives. If you have any comments or suggestions for future webcasts, feel free to send them to info at secureworks dot com. Your feedback is most appreciated!

Attack of the Disgruntled Network Admin

July 17th, 2008 by Stacy Shelley

In a CLM of epic proportions (and with possible legal consequences), a network administrator for the City of San Francisco cut off access for some of the “higher ups” in the city’s Department of Technology. Courtesy of SFGate:

“A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.”

“Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.”

The result? A big headache for the city, which now has to crack Childs’ pass code – effectively breaking into its own system – to regain access.

Further down in the article we find that the accused administrator was already on the hot seat:

“Childs has worked for the city for about five years. One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him.”

To state the obvious, insiders with privileged access can do a great deal of damage if their activities go unchecked. Adhering to the principle of least privilege is ideal, but it can only go so far to reduce the risk of insider abuse, especially when it comes to locking down administrative access for some network and IT systems. That’s why it’s always good practice to have other controls in place, such as reviewing access privileges before or immediately after potentially volatile events (like disciplinary measures or terminations) and monitoring root and administrative activity on critical systems. It’s also a good idea to have a qualified third party periodically audit your access controls to determine whether they sufficiently minimize the risk of insider abuse.
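As an added illustration of the two compensating controls above (not code from the article or from SecureWorks), the following script checks a constructed inventory for systems where a single account holds all administrative access, and flags root/admin activity by accounts that had a recent disciplinary event. All account names, hostnames and log lines are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the article): admin accounts per critical system,
# HR "volatile events" worth a privilege review, and root/admin activity log lines.
PRIVILEGED = {
    "core-router-1": {"tchilds"},            # only one admin: one person can lock everyone out
    "payroll-db":    {"tchilds", "jsmith"},
}
HR_EVENTS = [
    {"user": "tchilds", "event": "disciplinary", "date": "2008-06-20"},
]
ADMIN_LOG = """\
2008-06-25T02:14:00 core-router-1 user=tchilds action=config_change detail=set-enable-secret
2008-06-25T02:16:30 core-router-1 user=tchilds action=account_delete detail=admin2
2008-06-26T09:00:00 payroll-db user=jsmith action=login
"""

LOG_RE = re.compile(r"^(\S+) (\S+) user=(\S+) action=(\S+)(?: detail=(\S+))?$")
WATCH_WINDOW = timedelta(days=90)   # how long after an HR event admin activity stays under review
# Actions that can remove other administrators' access (the lockout pattern in the story).
LOCKOUT_ACTIONS = {"account_delete", "password_change", "set_exclusive_access"}

def parse_log(text):
    """Parse the constructed admin-activity format into dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, host, user, action, detail = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "action": action, "detail": detail})
    return events

def single_admin_systems(privileged):
    """Systems with exactly one admin account: no second person can regain control."""
    return sorted(host for host, admins in privileged.items() if len(admins) == 1)

def flag_privileged_activity(events, hr_events, window=WATCH_WINDOW):
    """Return admin events by users with an HR event in the review window, marked by severity."""
    watched = {e["user"]: datetime.fromisoformat(e["date"]) for e in hr_events}
    flagged = []
    for ev in events:
        start = watched.get(ev["user"])
        if start and start <= ev["ts"] <= start + window:
            severity = "high" if ev["action"] in LOCKOUT_ACTIONS else "review"
            flagged.append({**ev, "severity": severity})
    return flagged
```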


The Week’s Links: July 7 - July 11, 2007

July 11th, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

ZDnet: Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails

SC Magazine: Fake Storm Worm blast claims World War III is here

Dark Reading: Hackers to Face Off in Black Hat ‘Iron Chef’ Contest

Tech Target: Vendors rally to repair dangerous DNS flaw

Security Focus: Microsoft warns of attacks on Word

“SIEM tools come up short”

July 10th, 2008 by Stacy Shelley

That’s the title of a review by Greg Shipley over at Network World that evaluated SIEM / SIM products from several midmarket vendors such as NetIQ, TriGeo and Q1Labs. Long story short, the reviewed products didn’t live up to expectations:

“SIEM platforms help get logging and event data from distributed points A, B and C to a centralized point C, help store it, monitor it, report on it, purge it when the time comes, and ultimately — so the pitch goes — provide the situational awareness necessary to effectively manage IT operational risk.

But do they deliver? In a word: somewhat. It’s a crowded market full of players that make many promises. Unfortunately, none of them completely deliver the whole package at this point in time.”

Greg expands on this in detail, pointing out the issues he and his assistants ran into with the SIEM tools they tested. Most of the issues, like problems receiving and parsing events, reporting performance, even correlation and general usability, are the same ones we see out in the field as an MSSP. Many of the companies we provide services to have come to us after buying a SIEM tool and having too much difficulty making it work well enough to satisfy their operational security needs. They wanted to be users of a SIEM, but didn’t want the management burdens.

In the review, Greg attributes the problems he had to SIEM products still being immature even though they’ve been on the market for 10 years. I believe that’s true, but I also think it’s because SIEM products – even those at the leading edge of their industry – require a good deal of up-front customization and ongoing management to do what many companies expect of them. At SecureWorks, we’ve always held that Security Information and Event Management (SIEM) is a process that takes constant care and feeding to do right. And that shows in the review, with most of the issues having more to do with management and integration than with identification of and response to security incidents. Why is that important? Because how well the SIEM product is managed and integrated with your IT environment directly impacts the quality of detection and alerting. Just like other security devices or technologies, poor SIEM management results in poor SIEM performance.

Will SIEM product management get easier? Probably. They aren’t as challenging to implement as they were in the past, which has led to their increased adoption. And as long as there is a SIEM product market, I’m sure there will be incremental improvements made to management consoles and GUIs. Will it ever be a hands-off technology? Nope. There are too many dynamic variables at play when it comes to collecting security data, correlating it and identifying security incidents. IT environments are always changing, attackers are always adapting and security requirements continue to evolve. Regardless of how SIEM products move forward, they will always need to be constantly tuned and managed to be effective.
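To make the “poor management, poor detection” point concrete, here is an added example (not from the review, the article, or the Sherlock platform) of a minimal event normalizer with parse-health tracking. One constructed source drifts to a new log format after an unmanaged change; its events silently drop out of correlation, and only a parse-failure check per source makes that visible. All sources, addresses and lines are made up.

```python
import re
from collections import Counter

# Constructed sample feed (not real logs): a firewall whose format changed mid-stream and an
# auth server. The third line is in the new, unexpected format.
RAW_EVENTS = [
    ("fw-edge",  "2008-07-10T10:00:01 action=deny src=10.1.1.5 dst=10.2.2.9 dport=22"),
    ("fw-edge",  "2008-07-10T10:00:02 action=deny src=10.1.1.5 dst=10.2.2.9 dport=23"),
    ("fw-edge",  "Jul 10 10:00:03 DENY 10.1.1.5 -> 10.2.2.9:445"),   # format drift: unparsed
    ("auth-srv", "2008-07-10T10:00:05 user=root result=failure src=10.1.1.5"),
    ("auth-srv", "2008-07-10T10:00:06 user=root result=failure src=10.1.1.5"),
]

# Expected format: ISO timestamp followed by key=value pairs.
KV_RE = re.compile(r"^(\S+)((?: \w+=\S+)+)$")

def normalize(source, line):
    """Map one raw line to a common schema; None means the line did not fit the expected format."""
    m = KV_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    return {"source": source, "ts": m.group(1), **fields}

def ingest(raw):
    """Normalize a feed and count, per source, how many lines could not be parsed."""
    parsed, failures, totals = [], Counter(), Counter()
    for source, line in raw:
        totals[source] += 1
        ev = normalize(source, line)
        if ev is None:
            failures[source] += 1
        else:
            parsed.append(ev)
    return parsed, failures, totals

def parse_health(failures, totals, max_ratio=0.1):
    """Sources whose parse-failure ratio exceeds max_ratio: their events never reach correlation."""
    return sorted(s for s in totals if failures[s] / totals[s] > max_ratio)

def correlate(parsed, threshold=3):
    """Cross-source rule: a source IP with >= threshold deny or auth-failure events."""
    seen = Counter()
    for ev in parsed:
        if ev.get("action") == "deny" or ev.get("result") == "failure":
            seen[ev["src"]] += 1
    return {ip: n for ip, n in seen.items() if n >= threshold}
```

The correlation still fires here because the other four events carry it over the threshold, but the dropped firewall event is invisible to it; with a higher threshold or fewer sources the alert would be lost without any error, which is why the parse-health report belongs in the SIEM’s routine care and feeding.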

Full Disclosure: Yes, we have an interest and occasionally compete with SIEM products to do business with companies that want to monitor their networks for security. We’ve been developing, managing and using SIEM technology for quite some time (10+ years) with our Sherlock Platform, which is the technology we use to monitor security activity for our clients. Because of this, I feel we’ve got some unique insight to provide that you won’t find elsewhere.

The Week’s Links: June 30 - July 4, 2008

July 3rd, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories including SecureWorks news, press releases, and research.

SC Magazine: Botnet creator pleads guilty

Washington Post: Amazon: Hey Spammers, Get Off My Cloud!

Network World: Diary of a deliberately spammed housewife

ZDNet: Metasploit Project’s site hijacked through ARP poisoning

SC Magazine: PCI standard to include unattended POS

Search Security: Internet Explorer open to spoofing, scripting attacks

Interesting articles from our latest newsletter

July 2nd, 2008 by Stacy Shelley

In the June edition of On the Radar, we tackle a couple of issues that we’re always hearing questions about.

The first article is titled “Staying in Control with Managed Security Services”. It focuses on the concept that organizations lose control over their security when they choose to use MSS. While this is certainly true with some MSSPs, it isn’t the case for all. To explain, the article digs into the ways MSSPs like SecureWorks are able to keep you in control while providing their services.

The second article, “Vulnerability Assessments vs Penetration Tests”, helps to clarify the differences between a vulnerability assessment and a pen test. The terms are often used synonymously in the marketplace, creating confusion as to what each one does for an organization’s security program. To clear the air, the article details the purpose and benefits of both while describing what you should expect out of each activity.

Both articles can be found here.
