election

All things related to IT security, privacy and compliance.

Don’t forget to check out #InfoSecAndCompliance on Jaiku.

Super (Ironic) Tuesday?

The Grand Tech Merger Of 2008

The Microsoft/Yahoo! dance is quite fitting since it seems both companies share a very common hobby: zero day security vulnerabilities.

I guess it’s only fair that if Yahoo! passed on a virus to Microsoft during whatever activities they were doing together that they should do the right thing and partner in a more official capacity with them.

The Grand Debacle Of 2008

For the record, I’d still like a “none of the above” option for this election. Since there is little chance of getting a truly decent candidate in office we’re left with following the current candidates as they vie for our votes. Google is going to make following the election even easier this year and their Super Tuesday coverage is a great, innovative example. I do find it strange that they’ve partnered with Twitter rather than a certain other social networking service.

At least we have yet another example that even the gravitational mass of Google is not sufficient to prevent folks from finding what works best for them.

Now, if only Google or Microsoft would buy and then kill off Facebook…one can dream.

Two ironies and the day has just begun.


Voters + Missing Laptops - Guards == Trouble For Davidson County

A story in the Fairview Observer illustrates a number of problems that plague more than just small county election offices.

In Davidson County, two laptops were stolen from the offices of the election commission. One of the laptops had a password taped to the top, though the election administrator, Ray Barrett, claims that it was an old password that had been changed. The other laptop was claimed to be broken. These systems were not secured - no hard disk encryption, no physical isolation - and contained approximately 337,000 Social Security numbers.

The Mayor has called for a government-wide security audit, but that may do little to allay the fears of voters and voter watchdog groups. Without encryption, the data on the disks inside those systems is completely accessible to the thieves. Beyond the PII loss, there is also a concern that the voting-machine ballot-testing software may be loaded on the systems, potentially putting election results at risk.

There are reports that the security guards ignored their duties the night of the break-in and, in an audit of the access card key swipes, it was discovered that no guards had been watching the building at all on Saturday nights through early Sunday mornings for months.

What could they have done to prevent this?

  • Physically secure the portable computers
  • Employ full hard disk encryption
  • Maintain an accurate and up-to-date inventory of what data and applications reside on all systems
  • Never tape passwords/passcodes/passphrases to machines
  • Have a tested incident response program in place
  • Perform regular audits of the physical security controls
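The last item on that list is the one the county only got around to after the fact: the badge-swipe audit that exposed months of unstaffed Saturday nights. That audit is cheap to automate. The script below is an added example (not code from the original post or from Davidson County); it assumes a hypothetical CSV export from the door controller with columns `timestamp,badge_id,door,result`, that guard badges carry a `G-` prefix, and that the contract requires a patrol check-in at the lobby reader every two hours between 22:00 and 06:00. The sample log is constructed to mirror the finding in the story: weeknights are covered, the Saturday-into-Sunday windows are empty.

```python
"""Audit badge-swipe logs for overnight windows with no guard check-in.

Added example. The log format, the G- badge prefix and the two-hour patrol
window are assumptions for illustration, not anything the post describes.
"""
import csv
import io
from datetime import date, datetime, timedelta

GUARD_BADGE_PREFIX = "G-"  # assumption: contracted guards are issued G- badges

# Constructed sample export (not real data). Night of Fri 2008-02-01 and
# Sun 2008-02-03 are patrolled; after 22:04 on Sat 2008-02-02 nobody badges in
# until a regular employee arrives Sunday morning.
SAMPLE_LOG = """\
timestamp,badge_id,door,result
2008-02-01T22:05:00,G-104,lobby,granted
2008-02-02T00:10:00,G-104,lobby,granted
2008-02-02T02:07:00,G-104,lobby,granted
2008-02-02T04:02:00,G-104,lobby,granted
2008-02-02T22:04:00,G-211,lobby,granted
2008-02-03T02:15:00,G-211,lobby,denied
2008-02-03T06:30:00,E-001,rear,granted
2008-02-03T22:01:00,G-104,lobby,granted
2008-02-04T00:03:00,G-104,lobby,granted
2008-02-04T02:05:00,G-104,lobby,granted
2008-02-04T04:01:00,G-104,lobby,granted
"""


def parse_guard_swipes(log_text):
    """Return sorted datetimes of *successful* swipes by guard badges only."""
    swipes = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "granted":
            continue  # a denied swipe proves nothing about who was on site
        if not row["badge_id"].startswith(GUARD_BADGE_PREFIX):
            continue  # employees coming in early are not the patrol
        swipes.append(datetime.fromisoformat(row["timestamp"]))
    return sorted(swipes)


def overnight_windows(first_night, last_night, night_start=22, night_end=6,
                      window_hours=2):
    """Yield (night, start, end) check-in windows for every night in range.

    A night is labelled by the date on which it begins, so the 04:00-06:00
    window on Sunday morning belongs to Saturday night.
    """
    night = first_night
    while night <= last_night:
        start = datetime.combine(night, datetime.min.time()) + timedelta(hours=night_start)
        end_of_night = start + timedelta(hours=(24 - night_start) + night_end)
        while start < end_of_night:
            yield night, start, start + timedelta(hours=window_hours)
            start += timedelta(hours=window_hours)
        night += timedelta(days=1)


def find_coverage_gaps(log_text, first_night, last_night, **window_opts):
    """List every expected check-in window that contains no guard swipe."""
    swipes = parse_guard_swipes(log_text)
    gaps = []
    for night, start, end in overnight_windows(first_night, last_night, **window_opts):
        if not any(start <= t < end for t in swipes):
            gaps.append({"night": night, "start": start, "end": end})
    return gaps


def unstaffed_nights(gaps):
    """Collapse window-level gaps to the nights they fall on, with weekday names,
    so a recurring pattern ("every Saturday") is obvious at a glance."""
    nights = sorted({g["night"] for g in gaps})
    return [(n.isoformat(), n.strftime("%A")) for n in nights]


def audit_sample():
    """Run the audit over the constructed log for the three nights it covers."""
    return find_coverage_gaps(SAMPLE_LOG, date(2008, 2, 1), date(2008, 2, 3))


if __name__ == "__main__":
    gaps = audit_sample()
    for g in gaps:
        print(f"no guard swipe {g['start']:%a %Y-%m-%d %H:%M}-{g['end']:%H:%M}")
    print("unstaffed nights:", unstaffed_nights(gaps))
```

Run weekly against the controller export and page someone when `unstaffed_nights` is non-empty; the point is that the same swipe data the county already had would have shown the Saturday gap the first week it happened, not months later. Note the two filters in `parse_guard_swipes`: counting denied swipes or non-guard badges as "coverage" is exactly how an audit like this ends up saying everything is fine.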

Would it have been *that* hard to lock the laptops in a desk or cabinet? Is hard disk encryption *that* expensive or difficult to employ? In such a small environment, is maintaining an asset database *so* time-consuming and intensive to make it not worth doing? Is it completely unreasonable to expect folks to remember a password? Should an organization not already be making sure outsourced functions are meeting expectations?

The only area that I am willing to give them a “bye” on is that of incident response procedures, and even that is not too difficult to get a handle on.

Unfortunately, Fortune 500 corporations make the same mistakes. Security is not that difficult, yet most folks pay little-to-no attention to even the fundamentals.

If someone broke into your store/small business would you have fared better than the Davidson County officials?
