
Archive for July, 2008

Weekend Catchup: SCC Discussion Forum Update (July 26 2008)

The discussions continue to expand and inform in the Security Catalyst Community. Here are some of the recent hot conversations (including some I have listed before; this week they really exploded). 

With Blackhat/Defcon approaching, here are two discussions related to that:
Want to participate in the next Security Round Table? We are recording the August SRT on Monday night using TalkShoe so you can listen in!

Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (meaning there is no charge to join): the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Security Catalyst Community

Going to Blackhat? Join the “impromptu” onTour Tailgate

With more details to come soon, we launch the next Catalyst onTour Adventure on Tuesday. After a quick stop at Hershey Park, we’re heading through Ohio to pick up some books and then into KC for the weekend. We’ll arrive in Vegas on Monday.

A few of us have been kicking around pulling together an informal, low-key, low-stress gathering while in BH. Since we’re bringing the RV (the whole point of the onTour approach), this is a good time to work out the “onTour Tailgate” series. 

Since my Tuesday event got cancelled, I am looking at hosting people at our location on Tuesday, 4-7p. This allows time for BH and the evening parties, but also a chance to unwind, meet new people and make some friends. Depending on when people come in, I’d be happy to consider Wednesday or Thursday, too. (Note: if you cannot make it Tuesday but want to meet/speak, shoot me a note and we’ll connect.)

I know there are a lot of parties, events with booze and such. I see this as a chance to pull together, meet each other and have some time to kick back. There are no sponsors for the tailgate (though I wouldn’t refuse ‘em); instead, this is a self-supported event where everyone brings something and makes new friends. 

Details

Unless otherwise noted (or encouraged to go a different direction), plan for Tuesday 4pm. Here: http://www.oasislasvegasrvresort.com/

Companies Coming to Vegas

I am working on publishing a criteria list for pitches. I like learning about different solutions, but I want to make it easier to pitch me and explain the value. Look for something in the next 10 days. Meantime, if you’re going to be at BH and want to share your vision, shoot me a note and we’ll connect. I’ve already declared where I’m staying, and I’m happy to meet anyone at the “rolling office.”

Posted in Catalyst onTour, Security Catalyst Community

Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge

With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I, along with some guests, are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short and peppered with insights that make the breaches real. We will cut through the hype and present useful information.

PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!

Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/

Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3

Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information of 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department assumed it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions containing personal and credit card information had been compromised.

In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.

The university fired 2 IT administrators, and the CIO resigned.

What was the response?
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than a simple rote take-down-and-investigate.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint, and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
  - The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings, that committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes, and it will likely need an additional 7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
  - OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.

What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
  - In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a “spontaneous mushrooming of IT people on campus”. A report from a consultant confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget (1 million in 2 years) and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.

Links for more information
- OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
- An excellent breakdown of the incident (subscription required): Wasley, Paula. “More Holes Than a Pound of Swiss Cheese.” The Chronicle of Higher Education <http://chronicle.com/weekly/v53/i06/06a03901.htm>
- Articles about the breaches:
  - Sandoval, Greg. “University server in hackers’ hands for a year.” CNet News.com <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
  - Vijayan, Jaikumar. “Ohio University reports two separate security breaches.” Computerworld <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
- OU President McDavis’ essay about the breaches (subscription required): McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis.” The Chronicle of Higher Education <http://chronicle.com/weekly/v54/i30/30b00501.htm>
- A good write-up of President McDavis’ essay: Heck, Richard. “McDavis writes of computer breach in national publication.” The Athens Messenger <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
- Ohio University data theft web site: http://www.ohio.edu/datatheft/index.cfm

Posted in Information Protection, Into the Breach, netcast

SCC Discussion Forums: Hot Friday Update (July 18, 2008)

It is hot today in Upstate NY; the same is true for some forum discussions taking place this week:

Also a notice about HOPE2008 for any members attending: HOPE2008
Next Week
I have been working on a two-part approach to guide smaller companies to better protect information without increasing stress. It comes down to two questions:
1. What are the five (and only five) most important things for any company to do (and why)?
I have some ideas around this that I hope to flesh out this weekend and share for dissection and discussion in the forums. We’ll package up and present the final list.
2. Once the initial five things are done (the ones that do not require any thinking), what are the next steps?
I felt like limiting this to 10, maybe 12, but now I’m not convinced. I’d like to collaborate to build a sequence of steps; again, with small business in mind.
Look for some details and a discussion thread in the coming days. I look forward to collaborating, learning and starting to pull together some guides and resources for people.
Note: this dovetails with the series I have been authoring on how groups can build better solutions by leveraging the stuff that already exists. I’ll be finishing that up over the next few days (the pace here has really picked up). This will be an opportunity to put it into practice!

Join in the Discussion in the Security Catalyst Community!

Posted in Information Protection, Security Catalyst Community

Security Catalyst Show - Pop Culture Security Edition - July 2008

Whether you are responsible for security awareness training or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information.

This month James Costello and I break down, in less than 20 minutes, how to use pop culture references and examples to explain two simple security concepts: the trojan horse and social engineering.

Time is tight, so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

Posted in Information Protection, Security Awareness Training, netcast

Security Catalyst Community: Discussion Forum Activity (July 14 2008)

The forums are off to a roaring start this week, with some insightful discussions. Sure, thinking this early in the week can be scary, but it sure pays off!

Join in the Discussion in the Security Catalyst Community!

Posted in Security Catalyst Community

Should bloggers be held to ethical standards?

This is a question that has been kicked around quietly, and now it is the focus of the August Security Roundtable. We are recording on Tuesday (pondering using a live feed) and I want your feedback.

Show Prep Outline

Blurring the lines: blogging, ethics and journalistic integrity
The impact of social media on how ideas and information are shared, and the responsibility of those who create it.
I’m driving at a few things:
1. Social media is here, and it has changed the game (ask the newspapers).
2. It used to be “if it is printed, it must be true”; that seems to have migrated to “if it is on the internet, it must be true.”
3. Journalists have (supposedly) integrity and editors. What about bloggers?
4. Are sites with editors better?
5. What are the lines, and does the “system” have a way of repressing the bad and sifting the good to the top?
As the popularity and quality of a blogging/social media outlet improves, do the requirements change? Should superstars be role models? What about bloggers with a following?
So whether you blog, podcast/netcast or read blogs, what do you expect from your bloggers? Got a comment? Idea? Question? Send it to me at michael [@ SHIFT-2] securitycatalyst [period] com. Call and leave me a message, or join the conversation in the Security Catalyst Community.

Posted in Catalyst Insights, Information Protection, Professional Speaking

Security Catalyst Community: Discussion Forum Activity (11 July 2008)

It’s been a brisk week in the forums, and here are some hot topics:

Join in the Discussion in the Security Catalyst Community!

PS: I’ll be updating the blogroll this weekend. If you have a blog, podcast or write for a blog (for example, I welcome guest writers), drop me a note and I’ll add you to the list.

Posted in Security Catalyst Community

Security Catalyst Community: Discussion Forum Activity (9 July 2008)

Join in the Discussion in the Security Catalyst Community!

Posted in Security Catalyst Community

The July Security Roundtable is available: Battling Botnets with Botnets

Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/

The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning, and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.

Thanks to the panel:

Joining the conversation in the Security Catalyst Community

Share your ideas in the Security Catalyst Community.

Standard Podcast [68:41m]

Posted in Security Catalyst Community, netcast