[SecurityRatty] tag: folders

Proactive Education: Remedying the 'Strain' of Compliance

Thu, 07 Aug 2008 20:00:00 +0000

A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...

Do You Speak E-Discovery? You Should, Even in Europe

Thu, 24 Jul 2008 08:05:25 +0000

How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"

The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause for action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause for action is nowhere as comprehensive as the obligation attached to discovery in common law.

There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.

Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.

The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.

The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation with European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.

E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.

P2P-related breach affects high-profile clients from Wagner Resource Group

Mon, 14 Jul 2008 13:08:21 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
Wagner Resource Group

Contractor/Consultant/Branch:
None

Victims:
Clients*

*Most notably Supreme Court Justice Stephen G. Breyer, which has been well publicized.

Number Affected:
~2,000

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer."

Reference URL:
SecurityFix
Washington Post
United Press International
NBC Universal, Inc

Report Credit:
Brian Krebs, Washington Post

Response:
From the online sources cited above:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer
[Evan] P2P file sharing and other client software use can pose a very significant risk in most companies. It is typically an easy risk to address however. A mixture of any one or more of the following controls can help to mitigate the risk; information security training and awareness, egress traffic monitoring and filtering, intrusion detection/prevention, and hardened workstations (i.e. removal of administrative access) to name a few.

In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
[Evan] This is a common oversight. LimeWire and other P2P file sharing applications are wonderful tools for doing what they are designed to do. Before allowing their use (or any other software), an organization must evaluate the risks in doing so. If you intend to use or allow the use of LimeWire in your organization, understand how the software works and how it is configured. During the install you will be prompted for the "Save Folder and Shared Folders". Be careful what you choose, and be careful about what information you put in these locations in the future. Most organizations that are aware of risks just choose not to allow P2P use.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
[Evan] The high-profile nature of this breach is what has grabbed headlines all last week.

Of the 2,000 records from Wagner Resource Group that were found online, 700 included Social Security numbers, names and birth dates, while other records included only one or two of those details.

The breach was not discovered for nearly six months.
[Evan] This is another danger posed by information leaked through P2P. Once information has leaked, how does an organization detect that it has been leaked? There is no longer any control.

A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
[Evan] I wonder why the reader did not notify the authorities and/or Wagner at the time of its discovery. Maybe he/she did. I don't know.

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare.

About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
[Evan] Really?! I would have not guessed that the percentage would be so high. Interesting.

"We've seen a lot of instances where a company will be working on a product that's not even released yet, and the diagrams for that product are already out on the Net," Boback said.
[Evan] Very good point. It isn't just personally identifiable information that is leaked, there are plenty of instances where intellectual property (IP) is exposed. I have read estimates that as much as 80% or organizational assets globally are intangible (information, knowledge, etc.).

"This case is unique because of the high profile of the targets. The individuals on this list are at a very high risk, almost imminent, of identity theft."

Tiversa officials found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.

"To me, this was devastating," said Phylyp Wagner, founder of the investment firm. "I didn't even know what peer-to-peer was. I do now."
[Evan] This is a big problem! Corporate leaders must be made aware of the risks surrounding the information for which they are ultimately responsible for.

Wagner said his company has contracted with FirstAdvantage of Poway, Calif., which last week sent out letters notifying affected clients of the breach and offering each six months of free credit-report monitoring.

He emphasized that the peer-to-peer disclosure never endangered his clients' financial records, which are stored by a separate company.
[Evan] Maybe not their financial records, but it did affect some people's financial status (at least temporarily).

But that may be small consolation to several lawyers on the list who said they recently experienced unexplained financial activity.

"This may explain why two weeks ago I got a $9,000 cellphone bill from AT&T," said Steven Agresta, a partner with the law firm Alston & Bird.

Someone had opened a phone account using his date of birth and Social Security number, but with a different address.

this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P.

He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts.

Commentary:
This certainly isn't the first time we have read about P2P file sharing network exposures. If your organization can find a way to use the technology without posing an unacceptable risk, then fine. If not, then don't allow the technology to be used. Seems pretty plain and simple.

There is much work to be done. At Wagner and elsewhere.

Past Breaches:
Unknown

Credit Card "Hack Pack" Is Flavour Of The Month With Script Kiddies

Mon, 30 Jun 2008 04:34:20 +0000

There's a collection of credit card hack / generation tools currently in circulation, and apparently quite popular with the script kiddies. With programs seemingly dating back from 1995(!) up until the present day, there's something for everyone in this little bundle of "joy".

Here's what you'll see when the files have been unzipped:

The folders give dates from 2006 to 2008, though the dates of the included programs stretch back quite a way further than that. One of the programs inside the folders is dated as 2001:

As you can see, it's a fairly basic Credit Card generator / validation program. The rest of the programs are something of a mixed bag indeed, some of them don't actually work (not that I'm complaining). For the old school connoisseur, here's an ancient program going back to 1995:

Click to Enlarge

The most notable program included would probably be something called Credit Wizard, which seems to make up the majority of the bundle with updated releases in each folder:

Click to Enlarge

As you can see, it comes with most of the options of the other tools and also comes with an "Info Generator", which allows you to create fake names & addresses at the push of a button. There are a few URLs included in the zip which seem to point to Argentinian hacking sites, but as they all seem to be down, there's no way to verify if they distributed this collection or are just getting shout-outs from their friends. Either way, not the greatest thing to wake up to on a Monday morning...

Mashup of the Titans

Wed, 25 Jun 2008 13:29:25 +0000

Information Security - an Oxymoron for the information age

“Always the beautiful answer who asks a more beautiful question.” e. e. cummings

...or why i am with Gelernter

This is a mashup of Saltzer & Schroeder's famous information security principles with David Gelernter's Manifesto.

The premise of this mashup is to examine the paper by Saltzer and Schroeder which was written in 1975 and serves as the basis for most information security programs against the Gelernter's manifesto as to where computing is actually going. Each of the eight principles in Saltzer and Schroeder's paper is listed in order, and followed by select excerpts of Gelernter's manifesto. This comparison is to examine theoretical information security principles vis a vis the actual utility of modern information systems. I will not make an attempt to reconcile theory and practice, but will point out where the two schools of thought agree. In fairness, Saltzer and Schroeder's paper was written 25 years before Gelernter's, however Saltzer and Schroeder's principles dominate the thinking about information security to this day and so its important to view them side by side with Gelernter's thinking on the direction of computing.

Saltzer and Schroeder:

"a) Economy of mechanism: Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential."

Gelernter:

"9. The computing future is based on "cyberbodies" — self-contained, neatly-ordered, beautifully-laid-out collections of information, like immaculate giant gardens."

Conclusion(gp): So far, so good

Saltzer and Schroeder:

"b) Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,8 means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation."

Conclusion(gp): A conservative design principle that puts the object's owner in control of permissions. This makes a lot of sense from the object point of view, but does little to address the use case in which it executes.

Saltzer and Schroeder:

"c) Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated."

Gelernter:

"8. The software systems we depend on most today are operating systems (Unix, the Macintosh OS, Windows et. al.) and browsers (Internet Explorer, Netscape Communicator...). Operating systems are connectors that fasten users to computers; they attach to the computer at one end, the user at the other. Browsers fasten users to remote computers, to "servers" on the internet.

Today's operating systems and browsers are obsolete because people no longer want to be connected to computers — near ones OR remote ones. (They probably never did). They want to be connected to information. In the future, people are connected to cyberbodies; cyberbodies drift in the computational cosmos — also known as the Swarm, the Cybersphere.

13. Any well-designed next-generation electronic gadget will come with a ``Disable Omniscience'' button.

17. A cyberbody can be replicated or distributed over many computers; can inhabit many computers at the same time. If the Cybersphere's computers are tiles in a paved courtyard, a cyberbody is a cloud's drifting shadow covering many tiles simultaneously.

20. If a million people use a Web site simultaneously, doesn't that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The "site" is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes."

Conclusion(gp): Complete mediation provides the underpinning for Saltzer and Schroeder's system, but does not appear to scale to the desired itinerant horde at least in common interpretation.

Saltzer and Schroeder:

"d) Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution."

Conclusion(gp): both seem to agree, hard to get the itinerant horde moving in a swarm without open standards.

Saltzer and Schroeder:

"e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation."

Gelernter:

"37. Elements stored in a mind do not have names and are not organized into folders; are retrieved not by name or folder but by contents. (Hear a voice, think of a face: you've retrieved a memory that contains the voice as one component.) You can see everything in your memory from the standpoint of past, present and future. Using a file cabinet, you classify information when you put it in; minds classify information when it is taken out. (Yesterday afternoon at four you stood with Natasha on Fifth Avenue in the rain — as you might recall when you are thinking about "Fifth Avenue," "rain," "Natasha" or many other things. But you attached no such labels to the memory when you acquired it. The classification happened retrospectively.)"

Conclusion(gp): Information Security models tend to look at things statically through information classification lenses, but its how information is used that makes it valuable. In practice this is how information security theory breaks down in the face of reality - what does an access control matrix look like for a mashup? What does it look like for a data mining app?

Saltzer and Schroeder:

"f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide "firewalls," the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of "need-to-know" is an example of this principle."

Gelernter:

"28. Metaphors have a profound effect on computing: the file-cabinet metaphor traps us in a "passive" instead of "active" view of information management that is fundamentally wrong for computers.

29. The rigid file and directory system you are stuck with on your Mac or PC was designed by programmers for programmers — and is still a good system for programmers. It is no good for non-programmers. It never was, and was never intended to be.

30. If you have three pet dogs, give them names. If you have 10,000 head of cattle, don't bother. Nowadays the idea of giving a name to every file on your computer is ridiculous."

Conclusion(gp): Least Privilege is the point where the practical matter of applying Saltzer and Schroeder's principles breaks down in modern systems. Its a deployment issue, and a matter of insufficient models and modes.

Saltzer and Schroeder:

"g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. For example, given the choice of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user's own, choose the latter course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can avoid being harmed by a mistake in it."

Gelernter:

"6. Miniaturization was the big theme in the first age of computers: rising power, falling prices, computers for everybody. Theme of the Second Age now approaching: computing transcends computers. Information travels through a sea of anonymous, interchangeable computers like a breeze through tall grass. A dekstop computer is a scooped-out hole in the beach where information from the Cybersphere wells up like seawater.

16. The future is dense with computers. They will hang around everywhere in lush growths like Spanish moss. They will swarm like locusts. But a swarm is not merely a big crowd. The individuals in the swarm lose their identities. The computers that make up this global swarm will blend together into the seamless substance of the Cybersphere. Within the swarm, individual computers will be as anonymous as molecules of air.

55. Software can solve hard problems in two ways: by algorithm or by making connections — by delivering the problem to exactly the right human problem-solver. The second technique is just as powerful as the first, but so far we have ignored it.

56. Lifestreams and microcosms are the two most important cyberbody types; they relate to each other as a single musical line relates to a single chord. The stream is a "moment in space," the microcosm a moment in time."

Saltzer and Schroeder:

"h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors."

Gelernter:

"7. "The network is the computer" — yes; but we're less interested in computers all the time. The real topic in astronomy is the cosmos, not telescopes. The real topic in computing is the Cybersphere and the cyberstructures in it, not the computers we use as telescopes and tuners.

27. Modern computing is based on an analogy between computers and file cabinets that is fundamentally wrong and affects nearly every move we make. (We store "files" on disks, write "records," organize files into "folders" — file-cabinet language.) Computers are fundamentally unlike file cabinets because they can take action.

31. Our standard policy on file names has far-reaching consequences: doesn't merely force us to make up names where no name is called for; also imposes strong limits on our handling of an important class of documents — ones that arrive from the outside world. A newly-arrived email message (for example) can't stand on its own as a separate document — can't show up alongside other files in searches, sit by itself on the desktop, be opened or printed independently; it has no name, so it must be buried on arrival inside some existing file (the mail file) that does have a name. The same holds for incoming photos and faxes, Web bookmarks, scanned images...

32. You shouldn't have to put files in directories. The directories should reach out and take them. If a file belongs in six directories, all six should reach out and grab it automatically, simultaneously.

33. A file should be allowed to have no name, one name or many names. Many files should be allowed to share one name. A file should be allowed to be in no directory, one directory, or many directories. Many files should be allowed to share one directory. Of these eight possibilities, only three are legal and the other five are banned — for no good reason.

53. Your car, your school, your company and yourself are all one-track vehicles moving forward through time, and they will each leave a stream-shaped cyberbody (like an aircraft's contrail) behind them as they go. These vapor-trails of crystallized experience will represent our first concrete answer to a hard question: what is a company, a university, any sort of ongoing organization or institution, if its staff and customers and owners can all change, its buildings be bulldozed, its site relocated — what's left? What is it? The answer: a lifestream in cyberspace."

Conclusion(gp):

The Saltzer and Schroeder principles of Open Design and Economy of Mechanism hold up well in the face of modern computing realities, and to a certain extent Fail Safe Defaults does as well; however if we information security people are to be effective we need to re-think the other principles.

Last word: Gelernter:

We'll know the system is working when a butterfly wanders into the in-box and (a few wingbeats later) flutters out — and in that brief interval the system has transcribed the creature's appearance and analyzed its way of moving, and the real butterfly leaves a shadow-butterfly behind. Some time soon afterward you'll be examining some tedious electronic document and a cyber-butterfly will appear at the bottom left corner of your screen (maybe a Hamearis lucina) and pause there, briefly hiding the text (and showing its neatly-folded rusty-chocolate wings like Victorian paisley, with orange eyespots) — and moments later will have crossed the screen and be gone.

Employment records in a New Mexico dumpster

Thu, 05 Jun 2008 19:32:53 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
State of New Mexico

Contractor/Consultant/Branch:
Department of Workplace Solutions

Victims:
Employees and job applicants

Number Affected:
Unknown

Types of Data:
"employment records with names and Social Security numbers"

Breach Description:
"ROSWELL, N.M.—State documents with names and Social Security numbers were thrown into a trash bin behind the state Department of Workforce Solutions office in Roswell."

Reference URL:
The Associated Press via Las Cruces Sun-News
Roswell Daily Record
KRQE Channel 13 News

Report Credit:
Roswell Daily Record

Response:
From the online sources cited above:

Four boxes of manilla folders with documents containing names and social security numbers were mistakenly thrown into a trash bin Monday behind the New Mexico Department of Workforce Solutions office near Main and Bland streets.
[Evan] New Mexico does not currently have a data breach disclosure law on the books. The state is one of eleven that do not. The others are Alaska, South Dakota, Iowa, Missouri, Kentucky, West Virginia, Virginia, Mississippi, Alabama, and South Carolina.

Employees at Savedra's Tienda, a nearby business, contacted County Commissioner Dick Taylor and Magil Duran of the New Mexico Department of Workforce Solutions to help remove the documents from the bin.
[Evan] This is what a model citizen does. How many people are model citizens?

papers were flying out of the Dumpster they were inside.

Duran said the Roswell office of the Department of Workforce Solutions recently moved to a new location and a janitor inadvertently threw the documents in the bin on Monday.
[Evan] Not a good excuse.

"It was a misunderstanding," Duran said.

After arriving at the scene, Duran and Taylor sifted through the bins and retrieved the files.

Duran said he would shred the files immediately.
[Evan] The files should be inventoried and their destruction should be certified.

Taylor said the files looked like employment records with hours worked along with names and social security numbers printed on them.

"That's the bad thing," Taylor said. "They should have been shredded and not dumped in the trash. The state needs to be more careful with records like that."

"We do have a standard procedure," said Carrie Moritomo of the department. "We are currently reevaluating that and making sure all of our field staff offices are aware of what that policy is."
[Evan] A "standard procedure" ain't worth the paper it's written on if nobody knows about it or follows it.

Commentary:
I doubt that this is an isolated incident and I doubt that the agency has a sound information security strategy.

Past Breaches:
Unknown

An internal breach at the University of Toledo exposes 6,500

Sun, 13 Apr 2008 17:14:52 +0000

Technorati Tag: Security Breach

Date Reported:
4/13/08

Organization:
University of Toledo

Contractor/Consultant/Branch:
None

Victims:
Employees that worked on the Health Sciences Campus from 1993 to 1999

Number Affected:
6,500

Types of Data:
W-2 Forms, including names, addresses, and Social Security numbers

Breach Description:
"TOLEDO -- A university spokesperson said Sunday that personal information involving nearly 6,500 university employees was accidentally placed on the the university's server last month, which all employees would have been able to access."

Reference URL:
NBC24 News
13ABC News
The Toledo Times

Report Credit:
NBC24 News

Response:
From the online sources cited above:

Personal information of nearly 6,500 University of Toledo employees - the majority having worked on the Health Science Campus in 1993 and 1999 - last month was inadvertently placed on a server to which all employees had access.
[Evan] This information seems a little old to still be kept by the school. I don't know about Ohio's legal requirements, but I know that neither the IRS and Department of Labor require that payroll information be kept for so long. Maybe a data retention policy would be in order.

A data file, once only visible to those in UT's payroll department, was mistakenly placed on a shared network.

An employee in the payroll department authorized to work with the data accidentally moved it to the wrong folder on the morning of March 4.

It was discovered in the wrong place by an information technology employee on March 5, said Bob Hogle, interim information technology chief operating officer.
[Evan] Excellent work by the information technology employee. I wonder how he/she became aware.

It is common for large data files, such as these spreadsheets, to be stored on the internal server, but they are typically kept in folders where only employees of that department have access, Mr. Hogle said.

"There were about 6500 employees w-2 forms primarily from 1993 and 1999," says UT spokesperson Jon Strunk.

The personal information, including social security numbers, were made available to all university employees. University officials doubt the information was ever stolen.

"The likelihood that an employee who didn't know the file was there to begin with would chose to search the obscure part of the data, and further would have malicious intent seems unlikely," says Strunk

Strunk says the incident happened back on March 4th and was corrected the very next day, but those effected weren't notified until this past week.

"Letters were sent out on Thursday. The reason for the delay there being we wanted to ensure, as these were former employees, we had the most accurate addresses we could find to send them out a letter," explains Strunk.

The temporary folder where the information was accidentally placed has been removed, he said.

If you received a letter and have more questions, or if you didn't and want to know if you were effected, you can e-mail the Compliance Office at the University of Toledo at complianceoffice@utoledo.edu

Commentary:
Employees make mistakes. They are human. What are some of the things that we can do as information security professionals to reduce the frequency and severity of employee mistakes? This issue is a big challenge. The risk of identity theft or further damage is probably pretty low due to the fact that this was an internal exposure.

Of course, you can't expose information that you no longer possess. Why does the school still have this information? Does the school have a data retention policy? Like many breaches, there are more questions than answers.

Past Breaches:
August, 2007 - University of Toledo, Two Stolen Computers, Unknown Number of Victims

Human error is blamed in WellCare Health Plans breach

Wed, 09 Apr 2008 08:39:08 +0000

Technorati Tag: Security Breach

Date Reported:
4/7/08

Organization:
WellCare of Georgia, Inc.*

*WellCare Health Plans, Inc. provides managed care services exclusively for government-sponsored healthcare programs, focusing on Medicaid and Medicare. Headquartered in Tampa, Florida, WellCare offers a variety of health plans for families, children, the aged, blind and disabled and prescription drug plans, currently serving more than 2.3 million members nationwide.

Contractor/Consultant/Branch:
None

Victims:
Members of "Georgia Families"

Number Affected:
up to 71,000

Types of Data:
"name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, social security number or other health plan related information"

Breach Description:
"ATLANTA, GA (April 7, 2008) — WellCare of Georgia, Inc. today announced that a human error made some Georgia Families member data available on the Internet. On March 28th, WellCare secured the data on its own computer systems and by April 2nd, all WellCare member information had been removed from the Internet. "

Reference URL:
WellCare announcement
Triangel Business Journal
The Atlanta Journal-Constitution
The Tampa Tribune

Report Credit:
WellCare Health Plans

Response:
From the online sources cited above:

Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.

“We were able to determine what data was available on the Internet,” explained Anil Kottoor, WellCare’s chief information officer, “and we are notifying anyone who might have been affected.”

a human error allowed the information to be accessible for an unknown period of time, but that the secret data was removed from the Internet on April 2. It was not immediately known when the data breach occurred or how long the secret data was available.

The state of Georgia said it was notified March 31.

WellCare believes that this affected only our Georgia Families membership in Georgia, and not our Medicare coordinated care, private fee-for-service or prescription drug plan membership.

The files exposed did not contain credit card, debit card or financial account numbers.

They may have contained personal identifying information, such as a member’s name, birth date, dates of eligibility, Medicaid or PeachCare for KidsTM member identification number, social security number or other health plan related information.

about 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare.

"There is a possibility that an initial 59,000 members may have had some personal information made accessible, so we are notifying them as well, just to be safe," Knapp said. (spokeswoman Amy Knapp)

At this time, WellCare is not aware of any misuse of its member information due to the accidental exposure of the file on the Internet.

A Web developer prepared a copy of a DCH report folder that was "to be deployed to our Georgia Web portal" but instead made it accessible on the Internet.
[Evan] Ugh. I can state from a lot of first-hand experience that developers can either be your information security best friend or your information security worst enemy. Developers that put functionality and usability first without taking information security into account along the way can be dangerous. Effective information security governance and information security training and awareness can help significantly. Having said all of that, people are people and we all make mistakes. I wonder if there is room for significant process improvement here though.

She said at least 53 folders of names were accessed 248 times.
[Evan] This means that the folders and files did not go completely unnoticed.

WellCare is now notifying in writing the members who could have been affected by this incident. Members should receive those letters by the middle of this week.

WellCare is offering to pay for one year of credit monitoring for those individuals.
[Evan] Every time I see this offering in a breach notification if feel like this is really short-sighted. Better than nothing I guess, but people need to recognize it for what it is.

“We regret that this incident occurred,” said Mike Cotton, president of WellCare’s Georgia region. “WellCare takes the privacy and security of personal information very seriously. It is an honor to serve our members in Georgia, and we apologize for any inconvenience this issue has caused.”

To ensure its data security for the future, WellCare has retained a national information technology firm to perform a full assessment of its security and privacy controls.
[Evan] I wonder who. A "national information technology firm" means very little to me. The "national information technology firm" may do a good job for helping improve "information technology", but who is going to handle "information security"? Information security is NOT an information technology issue. It's bigger than that.

Commentary:
This breach is being chalked-up as human error, but I think there are many times when "human error" could have been avoided by effective processes and controls. I appreciate WellCare's candid explanation and attempt to make things better.

Past Breaches:
Unknown

Luxury car retailer eliminates spam burn out

Sat, 08 Mar 2008 21:00:00 +0000

After experiencing its fair share of virus attacks as well as dealing with the ongoing problem of spam overwhelming the corporate network, luxury car retailer Brisbane BMW, made the decision to upgrade its e-mail management system.

Download MICROSOFT SEARCH SERVER EXPRESS 2008 FREE	Advertisement
Search file shares, SharePoint sites, Exchange Public Folders, Lotus Notes repositories, and more!

'Vantage Point' delivers many perspectives, few twists

Wed, 05 Mar 2008 21:00:00 +0000

The movie "Vantage Point" depicts an attempted presidential assassination from the point of view of many witnesses, an approach that gets old and muddies the film with too many story lines and underlying messages.

Download MICROSOFT SEARCH SERVER EXPRESS 2008 FREE	Advertisement
Search file shares, SharePoint sites, Exchange Public Folders, Lotus Notes repositories, and more!