I run a company http://www.lifeensured.com/ that exists for the explicit purpose of preventing these kinds of issues when someone passes away. We've got several happy customers, are backed by an irrevocable trust and get a feed of people who have passed away from the Social Security Administration (in addition to letting people select someone to verify that they have passed away).
We've also put together http://www.deceasedaccount.com/ where we reviewed all of the privacy policies for major sites and pulled out the processes they require if someone passes away. We also had a lawyer pull relevant laws which you can use to help get access to things from internet companies if you are having trouble.
For the security minded: when we take a password, it is encrypted with a 2048 bit public key. The private key is stored offline. We only decrypt passwords when we have verified one of our clients has passed away, and the process involves a human who has undergone a background check.
I work in IT security for a large financial firm. We've spent a good amount of time convincing the development community and the business that security is THEIR responsibility and have built processes to reinforce this (i.e. if folks want to do truly risky things, we can make them go get signoff from senior management). With checks in place, I feel we take the approach of "doctors" for applications/architectures.
Dev team is building a new architecture to trade with an exchange? They ask us to review their architecture before they build (sort of like a checkup before going to climb a very dangerous Mt. Everest).
User accidentally e-mails confidential information to the wrong counterparty? We help them work with legal to get things cleared up, give training on appropriate data handling and add client controls to their Outlook. (I.e. tell a kid not to run with scissors, take away the scissors and put band-aids on the wounds.)
In this light, I feel I'm proactively helping folks and treating those who have run into trouble. Security folks are able to have a broad view of the solutions available to common problems (even outside of security) and teams get value out of this. I've even had folks say (and mean) thanks after meetings that involved them totally re-architecting their application. With the right approach, you can be more than a roadblock...
Quick, someone calculate how many layers of copper foil it takes to prevent this attack! http://en.wikipedia.org/wiki/Skin_depth
Orwell, 1984:
"The children, on the other hand, were systematically turned against their parents and taught to spy on them and report their deviations. The family had become in effect an extension of the Thought Police. It was a device by means of which everyone could be surrounded night and day by informers who knew him intimately."
Ben Franklin:
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety"
Even better, you can get the real deal. RFID Blocking Wallets and passport cases http://www.difrwear.com/.
Why not just get an RFID Blocking Wallet? http://slashdot.org/articles/06/10/03/2133244.shtml from http://www.difrwear.com/ and not worry.
I started up a little venture selling RFID Blocking passport cases: http://www.difrwear.com/. Give it a look if you are interested =)
Little venture I started about a year ago....
Stylish RFID blocking passport cases and wallets
http://www.difrwear.com/
Actually I started a company that does just that a little over a year ago. RFID Blocking wallets and passport cases. http://www.difrwear.com/ -All the best.
Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order, to efficiency of operation, to scientific advancement and the like. -Justice William O. Douglas
I am taking a compilers course now with the "Dragon" book.... it is really awful. Most confusing description of a parse table evar.
1. emeu
2. eu
3. adieu
4. aeu
5. basbleu
6. beaulieu
7. bleu
8. boutefeu
9. calcasieu
10. camaieu
11. ceu
12. chisleu
13. feu
14. heu
15. jussieu
16. leu
17. lieu
18. meu
19. milieu
20. montesquieu
21. neu
22. pareu
23. pourlieu
24. priedieu
25. purlieu
26. reu
27. richelieu
28. seu
29. teu
30. virgalieu
31. weu
32. xeu
behold the power of grep.
In 2003, I made a video for EFF on how to break Diebold's security-through-obscurity password scheme on their election management software (GEMS). This results in the ability to change election results and remove any logs of doing so.
http://www.michaelaiello.com.nyud.net:8080/exploits/DieBoldGems.avi
This news does not surprise me at all =(
Again, another limitation which is only causing problems for legit users. This arms race will be won by the pirates until MPAA/RIAA starts to deal with Analog Reconversion. None of this DRM stuff is preventing anyone determined from bootlegging....
A report (with pretty graphs) from a recent financial engineering class. Data was from Feb to Sep 2005...
The 83 recorded loss events were categorized by loss event type and by industry sector. The data is relevant over 232 days. This yields a probability of a loss event occurring in any sector on any given day 35.7%. If only events affecting financial services institutions are counted, the probability is 7.5%.
http://privacydata.michaelaiello.com/paper.pdf
Bring forth the math corrections
One of the folks in my research lab has built a system attacking this exact problem.
NABS uses machine learning to detect the type of traffic by properties of the payload; at the end of the day it doesn't matter what kind of protocol you're running, once an admin sees it they can just tag it.
Nabs is a network abuse detector. It allows a network to define and enforce a use-policy based on bandwidth and content type. It uses statistical properties of packet payloads to robustly and efficiently identify content types of network flows and monitor the flows for any deviations from the use-policy. Nabs does not depend on well-known port bindings or application specific headers to determine content types. Nabs has been tested on OC3 lines and work is ongoing to scale the system to even higher speeds. http://isis.poly.edu/projects/nabs/
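The payload-statistics idea described above, as an added toy illustration (not NABS code, not from the project): a flow is labelled purely from byte-level properties of its payload, with no port or header lookup, and the label is then checked against a simple use-policy. The class names, thresholds and the POLICY table are assumptions for the demo.

```python
"""Toy content-type classifier in the spirit of the NABS description:
label a flow by statistical properties of its payload bytes (entropy and
printable ratio), ignoring ports and protocol headers, then check the
label against a use-policy. Added example; thresholds are assumptions."""
import math
import random
from collections import Counter
from typing import Optional, Tuple

# Constructed use-policy: allowed content classes and a byte budget for each.
POLICY = {"text": 10_000_000, "compressed": 1_000_000}

def byte_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    ok = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(payload)

def classify_payload(payload: bytes) -> str:
    """Map payload statistics to a coarse content class (assumed thresholds)."""
    h, p = byte_entropy(payload), printable_ratio(payload)
    if p > 0.95 and h < 5.5:
        return "text"
    if h > 7.5:
        return "compressed"   # compressed or encrypted: near-uniform byte histogram
    return "binary"

def check_flow(payload: bytes, bytes_seen: int) -> Tuple[str, bool]:
    """Return (class, policy_ok): class must be allowed and within its budget."""
    label = classify_payload(payload)
    limit: Optional[int] = POLICY.get(label)
    return label, limit is not None and bytes_seen <= limit

# Constructed sample flows: an HTTP-like text exchange, and deterministic
# pseudo-random bytes standing in for a compressed or encrypted stream.
TEXT_FLOW = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 20
OPAQUE_FLOW = random.Random(7).randbytes(4096)
```

Because nothing here looks at ports or headers, the same text request would be labelled "text" even if it were carried on an unusual port.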
Quick overview of the meat of the article
1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how a SQL injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once someone has the SQL server under control, use the poorly configured internal network to become domain admin.
Someone needs to put together a description on how a "social engineering" penetration test should be done objectively. If there is one out there please let me know. =P
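Item 5 of the overview above, as an added illustration that is not from the article: a login check that concatenates user input into its SQL text, beside the parameterized version that a fix would use. The table, user and SQLite backend are constructed for the demo; the password is stored in plaintext only to keep the block short, which a real system must not do.

```python
"""Vulnerable login query beside its parameterized fix (added example).
Uses an in-memory SQLite table with a constructed user."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Input becomes part of the SQL text, so a quote character in it ends the
    # string literal early and changes the query's structure.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders keep the query structure fixed; the driver passes the values
    # separately, so input text is always compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def demo() -> dict:
    """Run both checks with valid credentials and with a crafted username."""
    conn = make_db()
    crafted_name = "alice'--"   # the comment marker cuts off the password clause
    return {
        "good_creds_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "good_creds_safe": login_safe(conn, "alice", "correct horse"),
        "crafted_vuln": login_vulnerable(conn, crafted_name, "anything"),
        "crafted_safe": login_safe(conn, crafted_name, "anything"),
    }
```

Logging the raw username alongside the failed parameterized lookup is a cheap detection signal: a quote or comment marker in a login name is rarely legitimate.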
We have done a few of these setups. Essentially we set up a rack at your location that has several slots for IDE or SCSI drives; you plug the disk in and it wipes it and reports the serial number of the disk as wiped. You can also have a barcode sticker on the hard drives and scan it with a barcode reader (optional) during erasure. Check out our site. And tell 'em Mike sent ya ;)
http://www.blancco.us
If you do make it to NY, feel free to stop by Polytechnic University (6 metrotech in Brooklyn). The Chudnovsky brothers are here (on the 3rd floor) and are currently building a supercomputer for IBM. http://www.poly.edu/polypress/chudnovsky.cfm
Got bored over the summer and found this document which shows how to get past Diebold's password "security" on the counting software, and made a video on how I did it. It is beyond silly how easy this is.
-Mike