Monthly Archives: August 2015

A Cautionary Security Tale

Early this morning a Facebook acquaintance, henceforth known as “S,” reached out to me with an interesting problem. Some time ago, she bought a laptop from a liquidation auction at Living Social. When she finally got around to booting it up, she discovered something concerning. What follows is our conversation:

S: Hey there! have a tech question for you….I bought a laptop from an auction at Living Social a couple of months ago. Said laptop was supposed to have been wiped clean, but it wasn’t (requires the former users password). Tried calling/emailing Living social, but they’ve been completely non responsive. How can I reboot it?

Mrs. Y: that’s quite frightening, that someone’s personal data is on a laptop that was resold. I can try reaching out to contacts at Living Social, but probably won’t get you much. Was it supposed to come with an operating system already installed?

S: When it boots up it MS7 Enterprise. It’s not supposed to come with an operating system.

Mrs. Y: Yikes. Okay, I would just reinstall, unless you want me to break into it and figure out which organization or individual was silly enough to give an unwiped laptop over to an auction. If it’s MS 7 enterprise, I’m betting that it was an organization and it might have confidential data on it. FYI this is every security professional’s nightmare

S: it was Living Social. They were liquidating from their 9th street office. That’s why I tried reaching out to them. Thought it made sense to let them know and I could bring it back to them so they could wipe it.

Mrs. Y: (Where I finally realize that the laptop formerly BELONGED to Living Social, not simply being resold by them.) holy crap!



that’s friggin’ hysterical

Mrs. Y: You are so honest. Most would have already broken into it. I can reach out to contacts, but you can probably wipe. I mean, that’s probably the safest thing for you to do. Honestly, they probably won’t have time to deal with it or care since they’re downsizing. They won’t have the staff to deal with it. Worst part is that it doesn’t seem to be encrypted.

S: If you want to break into it, I’m fine with that! I feel I did my due diligence in alerting them.

Mrs. Y: (Yielding to my better nature) I reached out to them via Twitter. BTW, is there anything that identifies the system as previously having belonged to Living Social? An asset tag or branding when the OS boots up? Feel free to send me screenshots.

Mrs. Y: #FACEPALM. I’m horrified.
S: I’m so annoyed. But I also wondered how many other units weren’t wiped.
Mrs. Y: You’re trying to do the right thing by letting them know.

 Moral of the story: Make sure your organization has a disposal policy and procedure. Here endeth the lesson.
Tagged ,

OPM Hack: What We Can Learn

I frequently write for actual publications and my latest article is an analysis of the OPM breach. What I hope makes mine different is that I tried to avoid the schadenfreude so common in the industry and focus on what we could all learn and correct in our own organizations.

From TechTarget SearchNetworking

When Office of Personnel Management (OPM) Director Katherine Archuleta gave her cringe-worthy testimony before Congress earlier this summer, it felt like a nightmare from the IT collective unconscious. A series of embarrassing appearances revealed she didn’t seem to know essential details of the OPM hack or understand the problems that allowed OPM to be compromised twice in one year. Her resignation seemed a forgone conclusion and a relief for the .GOV crowd.

So what went wrong?

It would be a mistake to categorize the compromise as simply a failure in OPM’s security strategy, because the agency’s entire information technology program was a management catastrophe — a guidebook in what not to do. In watching testimony and reading reports from the Office of the Inspector General (OIG), it isn’t only the security failures that stand out, but clueless leadership that flunked at basic strategy and risk management. This kind of negligence is all too familiar to those of us with any tenure in IT. Reading those OIG reports feels like déjà vu, because they could be about almost any enterprise.

Full article continued here.

Tagged , , ,

PCI Purgatory*

*Updated: Now with Extra Snark!

Let me clarify, I’m not a QSA, ISA or any other type of SA**. But as the senior architect for a security team, I’m usually expected to have the last word on technical implementations. Like many, I’ve been stuck in PCI purgatory since the release of the 3.0 standard. New requirements to interpret, countless discussions with the QSA and the acquirer, arguments with the rest of the organization who barely understand payments and think they get to have an opinion: it makes me want to shred all my own credit cards. In addition to the scoping changes with ecommerce, the Service Provider definition was modified.

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Okay, I admit it, I didn’t pay much attention to this. It didn’t really seem that different. But the devil is in the nuanced PCI details. We recently engaged a contractor who performs third-party security for my organization. He was new to PCI DSS and we wanted to modify our TSP questionnaire to capture PCI DSS status if the partner was capturing payment card data for us and interacting with our payment processor on our behalf, using our merchant ID. He actually READ the new standard, pointing out that these entities were now considered service providers and to my horror, I discovered he was correct. I also realized that EVERYONE seems to be freaking out over this, most getting it completely wrong.

If there was even one iota of doubt left in my mind, this section from the PCI DSS Information Supplement: Third Party Security Assurance resolved it:

Examples of ThirdParty Service Providers

Below are examples of types of services and providers with which an entity may work:

  • Organizations involved in the storage, processing, and/or transmission of cardholder data (CHD). Third-party service providers in this category may include:
    • Call centers
    •  E-commerce payment providers
    •  Organizations that process payments on behalf of the entity, such as a partner or reseller
    • Fraud verification services, credit reporting services, collection agencies
    • Third-party processors
    • Entities offering processing-gateway services
  • Organizations involved in securing cardholder data. TPSPs in this category may include:
    • Companies providing secure destruction of electronic and physical media
    • Secure storage facilities for electronic and physical media
    • Companies that transform cardholder data with tokenization or encryption
    • E-commerce or mobile-application third parties that provide software as a service
    • Key-management providers such as key-injection services or encryption-support organizations (ESO)
  •  Organizations involved in the protection of the cardholder data environment (CDE). TPSPs in this category may include:
    • Infrastructure service providers
    • Managed firewall/router providers
    • Secure data-center hosting providers
    • Monitoring services for critical security alerts such as intrusion-detection systems (IDS), anti- virus, change-detection, compliance monitoring, audit-log monitoring, etc.
  • Organizations that may have incidental access to CHD or the CDE. Incidental access is access that may happen as a consequence of the activity or job. TPSPs in this category may include:
    • Providers of managed IT delivery channels and services
    • Companies providing software development, such as web applications
    • Providers of maintenance services

So stop arguing with reality (and me). Oh and for the record, I don’t care what you, your mom, your dry cleaner, or another merchant thinks about PCI. I love those people who spend 30 minutes going through the standard and think they understand it because they’ve read the words. As most of us know who’ve worked with PCI for any amount of time, it’s a bit like pornography. Everyone has a different definition. As far as security and compliance teams are concerned, the only opinions that matter come from the acquirer, the QSA and the organization’s ISA. Moreover, a security team for an organization usually has thousands of hours of combined experienced in PCI DSS. A non-practitioner offering us “suggestions” is the equivalent of someone offering Misty Copeland advice about her grand jetes after taking one ballet class.

**Qualified Security Assessor, Internal Security Assessor

Tagged , , ,

No More Mrs. Nice Guy

Time To Reclaim My Bitch Status.

I’m exhausted. I’m tired of working in a field that’s become a veritable wasteland for women. And while everyone seems to be discussing the absence of women in STEM fields, it’s really “a tale told by an idiot, full of sound and fury, signifying nothing.”

I also know that even the men who care about this issue are on empathy overload. So where’s the disconnect? Why are we still stuck at the beginning of the conversation?

I think it’s because women have become classic enablers in a dysfunctional situation. Instead of standing our ground and demanding equal, gender-neutral treatment, we feel obligated to play by a different set of rules. We constantly work to gain approval, managing the discomfort of those around us by walking on eggshells, ultimately failing to realize that this behavior keeps us shackled to the past. Is anyone telling men to “Lean in?”

So go ahead and say it. I know you want to. BITCH. I’m not going crumble and run into the ladies room. I’m not going to weep into my monitor. I’ve decided to wear that Bitch Label as a badge of honor. Because as Tina Fey said, “Bitches get stuff done.” So screw Sheryl Sandberg’s polite, Lean-In Army. If that’s what you need to call me in order to feel less threatened,both men and women, then do it. I’m prepared to own it.

Pix Plz from

Tagged , , ,

Security for Luddites

Dear Family and Friends,

I know many of  you are still trying to figure out what I do for a living and that you don’t really understand my Twitter feed. Some of you are confused why I give you a hard time about your poor passwords or the fact that you forgot to use BCC in an email. Let’s just say I have your best interests at heart when I take the time to alert you about a serious security vulnerability. If I take the time to let you know about some new nastiness making the Internet a dangerous place, please update. #Include <long-winded technical explanation about SOP violation, RCE, etc…>.  I care about you and know that you don’t have the time or energy to keep up with the machinations of the black hat community. Just know that it’s bad and I’ll feel terrible if your Gmail account gets hacked. Mostly, because telling friends their accounts have been hacked feels like telling them someone ran over their dog.

Your Favorite Nerd,

Mrs. Y.

Tagged , ,

Being the Security Asshole

Yes, I have become a security asshole. The one who says “no” to a technology. But I say it because of risk, and not just security risk.  And I’m angry, because my “no” is a last resort after many struggles with developer, engineering and operations teams in organizations that struggle to get the basics right.

I try to work with teams to build a design. I bring my own architecture documents and diagrams, which include Powerpoint presentations with talking points. I create strategy road maps explaining my vision for the security architecture in an organization. I detail our team’s progress and explain how we want to align with the rest of enterprise strategy and architecture. I stress that our team exists to support the business.

What do I get in return? Diagrams so crude, they could be drawn in crayon or made with Legos. They usually don’t even have IP addresses or port numbers. I have to argue with sysadmins about whether Telnet is still an acceptable protocol in 2015. I’m subjected to rehashed Kool-Aid about how some product is going to rescue the organization even though I found significant vulnerabilities during the assessment, which the vendor doesn’t want to fix.

And if this means that you hate me, fine. I’ll be the asshole. I’ll embrace it. But at least I can have a clear conscience, because I’ve done my best to safeguard the organization that’s paying me.

Tagged , , , , ,
%d bloggers like this: