The pseudonymous blogger Publius has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Eugene Volokh: Publius commented on Volokh's criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers I sit in.
I suppose Publius isn't completely blameless, but the only thing I'd criticize him for is his taste in names. "John J" would have been cuter, and heck why not just use "Jim Madison"?
However, the particulars aren't really important. What's important is the set of issues around pseudonymity, so I will move on to those.
Let's get something straight from the start: pseudonymity and anonymity are not the same thing. I feel like it shouldn't need constant repeating, but hey, if law professors can't get it right, how can we expect other people to get it right? A pseudonym is an identity. It is an identity that is earned, because you don't get to use any of your previous reputation. You're starting from zero, especially when blogging.
There are many reasons people use a pseudonym. Publius did it because he's a reasonably young law professor and has heard that there can be tenure issues for controversial blogging.
Maybe. If what you write isn't very good, there's a low cost to it, personally. But if what you write is good, then ironically, being known as the person behind the pseudonym is better for you than the pseudonym is on its own. Mark Twain and Voltaire are better known than their so-called real names. Think of all the great actors and musicians who are known far better by their stage names.
This is why outing a pseudonym is a two-edged sword. It will likely irk the person using the pseudonym, but it's less likely to hurt them, especially if they're reasonably good. John Blevins is probably not going to have tenure problems, especially now that Whelan has outed him. Ironically, he's probably better off for having been outed than not, and part of that is who outed him.
Well-known personages who are irked by pseudonymous writers may think they're being attacked by some anonymous little nobody who is hiding, but no, they're being attacked by an identity that's just not easily tied to some SSN. The power relationship is such that the better-known person is unlikely to look good. Whelan certainly hasn't come out on top on this one. While pseudonymity is somewhat controversial, it cuts across political lines and some of the most thoughtful criticism of Whelan comes from his admirers. And in the future, everyone in the law biz who remembers Publius will think better of Blevins. We human beings do that; that's why the old movie star's dictum about publicity is, "spell my name right."
In other cases, the pseudonym still wins. Dan Lyons wasn't hurt by being outed as Fake Steve Jobs. Joe Klein wasn't hurt by being shown to be Anonymous. Juan Non-Volokh was probably helped by being outed, too, and Prof. Brian Leiter, who outed him, probably suffered in his reputation.
This is perhaps, I think the most important point, as it's simply practical. If a pseudonym ticks you off, you're better off letting them stew in their own juices. The better known a pseudonym is, the better it is for the author to be known as the pseudonym.
There are exceptions to this, of course. If Publius were a politically conservative professor blogging out his inner liberal, there'd be a hypocrisy issue that would hurt him, but it doesn't make it any more right. Thoughtful people who out hypocrites usually talk about the outing being necessary despite it being questionable.
Nonetheless, an important lesson in this is that, as Feedie said, respecting a nym is "a matter of basic decency" and outing one is "unworthy of someone with [his] impeccable professional credentials".
In this week's CSO Online, Bill Brenner writes about the recent break-ins at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, "Security Vendor Breach Fallout Justified", in his ironically named "FUD Watch" column.
Brenner watches the FUD as he spreads it. He moans histrionically,
When security is your company's business, even the smallest breach is worthy of scorn. If you can't keep the bad guys out of your own database, how can customers reasonably expect that you'll keep theirs safe?
Oh, please. Spare us the gotcha. Let me toss something back at Brenner. In the quote above, he says "theirs" but probably meant to say "them." The antecedent of "theirs" is database, and Kaspersky isn't strictly a database security company but an anti-virus company. "Them" is a much better turn of phrase, and I hope it's what he meant to say. How can we possibly trust CSO Online as a supplier of security knowledge when they can't even compose a simple paragraph? And how can we even trust his own tagline:
Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items.
Why is FUD Watch creating the very sort of FUD it claims to watch? Who watches the FUD watchers? I do, I suppose.
Is my criticism unfair and picayune? Yup.
People make mistakes, even Kaspersky and F-Secure. And heck, even CSO Online. I forgive you.
Brenner came very close to writing the article that should have been written. If even the likes of Kaspersky and F-Secure fall victim to stupid things like SQL injection, what does that say about the state of web programming tools? How can mere mortals be safe if they can't?
The drama about these break-ins is FUD. What they actually show is that no one is immune, and that merely being good at what you do isn't good enough. It means that people need to test, verify, buy Adam's book, read it, and act on it.
The correct lesson is not schadenfreude, but humility. There but for the grace of God go all of us.
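The "stupid thing" in question, as an added example that is not part of the original post and has nothing to do with the vendors' actual code: the string-concatenated query that makes SQL injection possible, next to the parameterized query that closes it. The `customers` table, its rows and the `lookup_*` function names are hypothetical; the database is an in-memory SQLite one so the script runs offline.

```python
"""Added example (not from the original post nor from any vendor named in it):
a string-spliced SQL query beside its parameterized fix, run against a
constructed, hypothetical 'customers' table in an in-memory SQLite database."""
import sqlite3

# Constructed sample data; the names and addresses are made up.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The classic mistake: user input is spliced into the SQL text, so the
    input can change the query's structure, not just the value compared."""
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the query text is fixed and the input travels as a bound
    parameter, so a quote character in the input is just part of a string."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Attacker-controlled input: it closes the string literal and appends a
# tautology, so the WHERE clause matches every row in the table.
INJECTION = "' OR '1'='1"


def demo():
    """Run both lookups with an honest username and with the injection string;
    return the rows each variant hands back."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTION),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        "injected_parameterized": lookup_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-24s -> %d row(s)" % (label, len(rows)))
```

The vulnerable lookup returns the whole table for the injection string, because the executed statement has become `WHERE username = '' OR '1'='1'`; the parameterized lookup returns nothing, because it is looking for a customer literally named `' OR '1'='1`. The same bound-parameter discipline applies to every database driver, not only SQLite.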
The Globe and Mail and the CBC each report that Canada's Do Not Call list is being used by telemarketers both good and bad (where each term is relative).
This is a bit sad for Canada. The US's DNC list has been very successful, and one of the very few places where the US has leadership in privacy. Before the DNC list, I used to get a dozen or so calls a day. The annoying ones would be the junk faxes coming to our main line between 3am and 6am. The nightly ritual had to include taking the phone off the hook for some time. These days, the only issue we have are the people we affectionately call "The Illegal Carpet Cleaners."
On the other hand this is an opportunity. There's a fine of up to $15,000 for violating the DNC list in Canada, and this could easily be a profit center for the privacy commission. If I were a legitimate firm in Canada, I'd be looking closely at my marketing plans now. No one's going to feel sorry for the company that is found to have been calling people from a stolen DNC list.
Both articles point out that complete fraudsters are an issue, and companies such as "a Caribbean telemarketer selling fake Caribbean cruises" now have more numbers they can use. But those numbers are stolen property of a sort, and toxic. They can be a tool against foreign scammers. After all, the tourist board of said Caribbean island wouldn't want to seem uncooperative to people trying to stop fraud and dinner interruptions. If I were a scammer, I'd also want to examine the phone numbers I have recently gotten, because those could be dangerous to have as well.
It remains to be seen how Canada will handle it, how they'll track down the loss, how they'll recover from it. It will be interesting to watch, because they're good and they take privacy seriously. There's the potential for some seriously tasty lemonade to be made from these lemons. I have my fingers crossed.
While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past.
Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that were lost in the TJX breach.
There aren't many details, yet. Apparently the hackers were on the network for months, having gotten in through malware.
We will of course hear many more details on this. The USA Today article has some news. AP has the best reporting I've read, but they are ambivalent about pixels, so you'll have to find it on your own.
Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year's total of 446. Dissent of PogoWasRight has some analysis. I'll take a look at the full report shortly.
I'm just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing.
At the CCC congress, a number of people did something dramatic -- they created a forged SSL certificate: a rogue CA certificate, signed by a real CA that still used MD5, so that anything it issued would be trusted by browsers. It's dramatic, but nothing special.
We've known that MD5 is broken for over a decade, and it has been undeniable for nearly five years. We have seen people create colliding PDF documents, and we've seen the last Presidential election "predicted" by way of a multi-collision. This is a clever bit of engineering, drama, and publicity, but anyone with cryptographic sense gives it a shrug.
Nonetheless, the twitterverse and blogosphere are chattering about this, which is what makes me laugh.
On the other hand, a number of CAs were still signing certificates with MD5, which is what made the attack possible, and they are only now changing. This is what makes me cry.
In a year that has seen organizations crushed because their heads were in the sand when chaos emerged, here's just another.
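The check that every relying party could have been running all along, as an added example that is not part of the original post and not any CA's or browser's code: read the signature algorithm out of a DER-encoded certificate and flag the MD-family ones. It uses only the standard library and a hand-rolled DER walker; the "certificates" it is run on are constructed skeletons (a filler tbsCertificate and an empty signature), since only the AlgorithmIdentifier matters here. Function names and the skeleton layout are this example's own.

```python
"""Added example, not from the original post nor from any CA or browser vendor:
a stdlib-only check that reads the outer signatureAlgorithm of a DER-encoded
X.509 certificate and flags MD5-based signatures. The certificates it is run
on here are constructed skeletons (filler tbsCertificate, empty signature),
because only the AlgorithmIdentifier matters for this check."""

# Dotted OIDs for the PKCS#1 signature algorithms this check cares about.
MD5_RSA = "1.2.840.113549.1.1.4"
SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2",   # md2WithRSAEncryption
    "1.2.840.113549.1.1.3",   # md4WithRSAEncryption
    MD5_RSA,                  # md5WithRSAEncryption
}


def read_tlv(buf, pos):
    """Decode the DER tag-length-value starting at buf[pos].
    Returns (tag, content bytes, position just after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content bytes -> dotted string (the first byte packs the first two arcs)."""
    parts = [str(content[0] // 40), str(content[0] % 40)]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # a clear high bit ends the arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Skip the first element and read the OID inside the AlgorithmIdentifier."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                    # tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)             # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signed_with_weak_hash(cert_der):
    """True if the issuer signed this certificate with an MD-family hash."""
    return signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS


# --- constructed test material: hypothetical certificates, not real ones ---

def der(tag, content):
    """Encode one TLV, switching to long-form length at 128 bytes of content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    """Dotted OID -> DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid, tbs_padding=0):
    """A certificate-shaped SEQUENCE: a filler tbsCertificate (large padding
    forces long-form lengths), the AlgorithmIdentifier under test with NULL
    parameters, and an empty BIT STRING standing in for the signature."""
    tbs = der(0x30, der(0x04, b"\x00" * tbs_padding))
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    signature = der(0x03, b"\x00")
    return der(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for label, cert in (("md5", skeleton_cert(MD5_RSA)),
                        ("sha256", skeleton_cert(SHA256_RSA, tbs_padding=300))):
        verdict = "WEAK" if signed_with_weak_hash(cert) else "ok"
        print(label, signature_algorithm_oid(cert), verdict)
```

On a real chain you would feed each certificate's DER bytes (for instance the output of `ssl.PEM_cert_to_DER_cert`) through `signed_with_weak_hash`; the field that matters is the one in each subordinate certificate, because it records which hash the issuing CA used, and that is precisely what the CCC team exploited.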

Adam and I have discussed Debix several times in the past, so it will come as no surprise, that I am again posting about them.
Debix now has a blog, which will be covering issues around identity theft, breaches and privacy.
Debix also released a new research study examining child identity theft. The most recent blog post contains some highlights from the study, including that one in twenty people (or one in every classroom) suffers some sort of compromise of their identity before they come of age, with an average of over $12K in fraudulent debt assigned to their names.
As the post says:
Kids are a great target for identity theft, because the younger you target them, the longer you have before it is likely that the act will be discovered, and as a result the corresponding amount of fraud that is committed prior to discovery is significantly higher with minors than with adults.
Check out the post and the full research study for much more detailed information.
[Image is identity-theft-2 from j_lovefool on flickr]
According to The New York Times in, "Surveillance of Skype Messages Found in China," the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like "Falun Gong," "Independent Taiwan," and so on.
A group of security people and human rights workers not only found out that TOM-Skype is not secure, but found the list of banned words because, as usual, someone didn't set up their servers very well. A report can be found here.
Skype president Josh Silverman replied to the issue today in this article. He says that yes, it's happening:
It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.
He's right: one of the quandaries of business in China is that you have to put your belief in freedom in a trust when you go there. This is why many of us do not like doing business there.
However, he also said:
We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM's servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.
In other words -- it's bad for the Chinese to spy, and bad for people to catch them at it. Oh, naughty Chinese, and shame on you too, Infowar for dragging this into the daylight.
This comes on top of April's flap in which the German and Austrian governments essentially said that they have no trouble listening in to Skype. Skype hasn't commented on that. This is a different issue, as it appears that the surveillance is being done via malware.
Despite the fact that we still don't know what goes on inside Skype, it appears that the software is basically secure -- or at least the voice parts are, or were at one time. The noted cryptographer Tom Berson did an analysis of Skype and showed that it was reasonably secure. There were also reverse-engineering analyses of Skype by Philippe Biondi and Fabrice Desclaux, presented at Black Hat in 2006, that showed it was secure, if eccentric in its design.
However, despite the security of the voice parts, the text parts are obviously not secure, and that leaves us with an uncomfortable set of circumstances.
The problem here is one of labeling, and of market effects. I'm sophisticated enough to know that when Josh Silverman says:
... Allowing the world to communicate for free empowers and links people and communities everywhere.
that he is stating that free (as in beer) is important, even if he's unable to do a lot about free (as in speech) in repressive countries and in the face of law enforcement technologies.
But Skype has always touted itself as a secure technology. The reason that it became popular for free (as in beer) conversations was that we thought and were assured that it was also free (as in speech). Skype themselves paid for a security analysis.
Skype thus became not only the proverbial eight-hundred pound gorilla, but (it seems) the proverbial dog in the manger. Skype's presence has actively hindered other secure-voice technologies. Phil Zimmermann's Zfone, for example, has had to answer the question, "why do we need you when there's Skype?" It seems that he'll be answering that question less. Josh Silverman needs to do something to show us the basic integrity of the system. Presently it appears that he has empowered us to have communities everywhere but China, or Germany, or any place with a sophisticated and powerful government. At the very least, he should protect eBay's investment, because if people conclude that Skype is not secure, eBay may wish they'd invested that $1.6 billion in mortgage-backed instruments instead.

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it's not a temporary copy that is needed for the communications (like a mail spool), and not a backup.
This reasoning is bizarre to people who use protocols like IMAP precisely as a backup. It's also bizarre to people who wonder why the DOJ would argue that stored communications are not Stored Communications. Those people tend to think that if stored emails are not Stored, then it wouldn't be illegal for the DOJ to just kindly request that copies of them be pulled from an ISP's storage (as opposed to its Storage) and handed over, just in case you've been doing whatever.
The EFF has posted an interesting opinion, one that points out that if stored email is not Stored, then the people who reset Sarah Palin's password and read her email probably did not commit a crime under the DOJ's own interpretations of the law.
There doesn't seem to be much wrong with this reasoning. In any event, it's going to make it hard to prosecute the miscreants, because the DOJ will have to explain to a judge why it changed its mind, or why there is one law for veep candidates and another for everyone else. Way to go, guys.
Whatever one's opinion of Ms Palin, it's hard to defend violating her privacy. Let's hope this leads the DOJ to conclude that when you take communications and store them that they would be protected under the Stored Communications Act. As usual, the word is "oops."
(Many people will note that there are undoubtedly plenty of other laws to charge them under, starting with the Computer Fraud and Abuse Act. But any good prosecutor can find something to charge someone with. The point is about upholding and enforcing existing laws.)
Photo "Hockey Mom Makeover" by julie.anna.
The letter is dated June 9, regarding a February 27th loss by Archive Systems, Inc. The three-plus month delay annoys me. Archive Systems isn't named in the letter. I had to look at Data breach at New York bank possibly affecting hundreds of thousands of CT consumers to discover that.
The signup experience for the "Triple Alert Monitoring" from Experian was not awful, but it was pretty poor. It demanded lots of personal information and wasn't clear about how it was going to be used. Experian stuffed a long set of terms and conditions into a three-lines-at-a-time scroll box, clearly indicating that they don't expect anyone to read it. Their web site silently relied on JavaScript, and it wasn't at all clear how long I'm enrolled for. I have little doubt I'll start getting renewal notices in three months.
Incidentally, I've Been Mugged has a review of Triple Alert.
Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.
I responded thusly (links added for this blog post):
I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won't do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG's site. Unless I missed any, those are all the states with central reporting. I personally have several hundred notices to NY and NC that I am slowly scanning and making available. Unfortunately, my site is off the net for probably a couple weeks.
A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it's pretty measly.
I forgot to mention in my email that California also considered central reporting -- including a web site -- as part of an update to its breach law. We blogged about this at the time. I understand these features were cut because of lack of resources.
EC reader Iang made a perspicacious comment at the time:
At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.
I am very happy to report that the Open Security Foundation yesterday announced just such a resource. The press release tells the story, but basically it's crowd-sourcing information on breaches. I am very enthusiastic about getting my primary sources archive back on-line so that I can link with, and otherwise contribute to, this new DataLossDB.
Maryland Information Security Breach Notices are put online by the most forward-looking Douglas F. Gansler, attorney general.
Case Number: 153504
Date Received: 06/09/08
Business Name: Argosy University
No. of MD residents: (blank)
Total breach size: (blank)
Information breached: name, social security number, addresses
How breach occurred: Laptop computer stolen from employee of SunGard Higher Education
I'm glad that they list case IDs on there. We're getting to the point, what with Attrition.org, Identity Theft resource center, Privacy Rights ClearingHouse, Adam Dodge, Chris Walsh, and probably others I'm forgetting, it's like chaos out there. We need a 'CBE' just to help us all cross-correlate.
Via "I've Been Mugged."

The BBC reports in "Secret terror files left on train" that an
... unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police.
We are also told:
Just seven pages long but classified as "UK Top Secret", this latest intelligence assessment on al-Qaeda is so sensitive that every document is numbered and marked "for UK/US/Canadian and Australian eyes only", according to our correspondent.
The person who lost them is
... described as a senior male civil servant, works in the Cabinet Office's intelligence and security unit, which contributes to the work of the Joint Intelligence Committee. His work reportedly involves writing and contributing to intelligence and security assessments, and he has the authority to take secret documents out of the Cabinet Office - so long as strict procedures are observed.
Apparently the documents were not encrypted. Cue rimshot.
A hacker in Chile calling himself the 'Anonymous Coward' published confidential data belonging to six million people on the internet. Chile has a population of about 16 million, so that's 3/8ths of the country. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.
See "ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet" (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, "¿Es privada la información personal en Chile?" (see translated version)
Via PogoWasRight.
¿As an aside, why doesn't English use those awesome '¿' to tell you you're reading a question? We use the opening punctuation for quotes.
From the article:
The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.
It's about time that the Data Protection Act got some teeth for dealing with breaches. Unfortunately, I haven't been able to find out much more information on this. All I could find on the ICO's site was a press release and this position paper on the need for the ability to fine for breaches. Anyone out there know more?
Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). See More Breach Notification Laws -- 42 States and Counting at the law blog of Proskauer Rose.

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like "The actual risk is thought to be minimal, since a password is required to login to the missing computer".
Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, has issued a comment on the topic.
I recently had an idea which I honestly think might be very useful (or pathetically impotent).
I report, you decide.
The idea is simply this:
Create some sort of on-line document and get infosec experts, practitioners and luminaries to add their names to it. The document would be akin to an on-line petition, except that it would not be asking for something; it would be stating a position. As I envision it, it would be a couple of paragraphs pointing out the technical facts (in lay terms): that "recovery" CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had its loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were never intended to be a defense against a threat that bypasses the operating system completely.
Whenever the press perpetuates the canard (and I become aware of it), I'd dash off a letter to the editor which particularizes things and points to this on-line document. Hopefully, this would raise awareness.
My thinking here is that many of us with an infosec and privacy background "get it", but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted without regard to their technical accuracy.
Is this a crazy idea? If so, please comment. If you think it makes sense, comment about that.
If there seems to be solid support, we can work out the details and make it happen.
The Washington Post reports:
The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama's passport file. Obama's presidential campaign immediately called for a "complete investigation."
State Department spokesman Tom Casey said the employees had individually looked into Obama's passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.
The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a "high-profile person" are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.
"The State Department has strict policies and controls on access to passport records by government and contract employees," Casey said.
The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.
My translation is that the State Department, "in order to serve you better", violates the principle of least privilege and allows individual contract call-center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton's file because of malicious, false rumors that he had renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative -- too obvious), but these only work for important people.
Nice.
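The difference between the control State built and the one it should have built, as an added example that is not part of the original post and is not the State Department's system: a toy records-lookup model with a VIP-only alert rule like the one described in the article, a preventive need-to-know check that ties every lookup to an open case about that record, and a detective review that covers every subject rather than only the famous ones. The records, case references, operators and access log are all constructed.

```python
"""Added example, not from the Washington Post article or the State Department:
a toy records-lookup system that contrasts the VIP-only detective rule the
article describes with a preventive need-to-know check and a detective review
that covers every subject. Records, cases, operators and the access log are
all constructed."""
from collections import Counter

# Constructed record store: everyone is in it; VIPs are merely flagged.
RECORDS = {
    "P-1001": {"name": "Ordinary Person", "high_profile": False},
    "P-2002": {"name": "Another Citizen", "high_profile": False},
    "P-3003": {"name": "Famous Candidate", "high_profile": True},
}

# Constructed open service requests: case reference -> the record it concerns.
OPEN_CASES = {"SR-5551": "P-1001", "SR-5552": "P-2002"}

# Constructed access log: (operator, record looked up, case reference cited).
ACCESS_LOG = [
    ("clerk_a", "P-1001", "SR-5551"),   # legitimate: the case is about this record
    ("clerk_a", "P-3003", "SR-5551"),   # VIP record opened under an unrelated case
    ("clerk_b", "P-2002", None),        # curiosity lookup of a nobody, no case at all
    ("clerk_b", "P-2002", "SR-5552"),   # legitimate
    ("clerk_c", "P-1001", None),        # curiosity lookup of another nobody
]


def vip_only_alerts(log):
    """The control the article describes: alert only when a flagged record is
    opened. Browsing of ordinary people's records is never reviewed."""
    return [entry for entry in log if RECORDS[entry[1]]["high_profile"]]


def authorize(record_id, case_ref):
    """Preventive control (least privilege / need to know): the lookup must
    cite an open case, and that case must be about the record requested.
    Returns True if the read may proceed."""
    return OPEN_CASES.get(case_ref) == record_id


def refused_lookups(log):
    """Replay the log under the preventive rule and return the reads that the
    system would have blocked, whoever the subject is."""
    return [entry for entry in log if not authorize(entry[1], entry[2])]


def unexplained_by_operator(log):
    """Detective control applied uniformly: count, per operator, the lookups
    not backed by a matching case, as input to an investigation queue."""
    return Counter(op for op, rec, case in log if not authorize(rec, case))


if __name__ == "__main__":
    print("VIP-only rule alerts on  :", len(vip_only_alerts(ACCESS_LOG)), "lookup(s)")
    print("need-to-know would refuse:", len(refused_lookups(ACCESS_LOG)), "lookup(s)")
    print("per-operator exceptions  :", dict(unexplained_by_operator(ACCESS_LOG)))
```

On this log the VIP-only rule fires once and never notices the two clerks browsing ordinary citizens' records; the case-linked check refuses all three unexplained reads up front, and the uniform review attributes one exception to each clerk. Note that citing a real but unrelated case is not enough to get through, which is why the check keys on the case-to-record link rather than on the mere presence of a reference.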
Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:
"This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama's passport file, for what purpose, and why it took so long for them to reveal this security breach."
One way to learn some of that, as I am sure Mr. Burton's boss knows, is to get a decent national breach notification law.
While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to "incentivize good behavior".
After showing that "encrypted" disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk:
Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy parties to get around the protection in some products.
Basically, all you have to do is get a low-level SCSI command tool, PLscsi (USB mass-storage devices speak SCSI over the USB link), and have it tell the device to ignore all that security stuff. Yes, I'm over-simplifying, but I'm disgusted. Read the article for details.
Via Kable's Government Computing, comes news that the British House of Lords "Science and Technology Committee has announced a follow-up inquiry to its 'Personal Internet Security' report".
Chair of the committee Lord Sutherland said: "The committee was disappointed with the government's response to its report. We felt they had failed to address some of our key concerns about people's security on the internet. The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders' views on the government's response." (Kable's Government Computing, 2008-02-21)
I speak American English, so I may not be up on the nuances, but I think Lord Sutherland is saying that they're going to line up a bunch of experts to say what absolute dolts the government were to ignore the recommendations put forth by the Committee last year.
Excellent.
Experian sues Lifelock.
I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.
I'd like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the 'automated fraud alert' approach. I don't know what ID Analytics has.
Title: Citibank limits ATM cash in city
Author: KERRY BURKE and LARRY McSHANE
Source: DAILY NEWS
Date Published: January 3rd 2008
Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank's ATM machines in New York has been seriously compromised by fraud. According to media reports, a spokesperson for Citibank has stated that "Though we can't provide details of ongoing security investigations, we are working closely with law enforcement on this matter." Citibank declined to specify the amount of the new withdrawal cap.
For complete article see: http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html
For more security news visit the FIRST Security News site at: http://www.first.org/newsroom/globalsecurity and http://www.first.org/newsroom/globalsecurity/rss.xml
(Passed along in case folks haven't heard)

Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.

The BBC reports that the legendary cave where Romulus and Remus, founders of Rome, were nursed as foundlings by a she-wolf, Lupa, has been located.
The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.
Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.
In related news, two disks in the UK have been lost with the personal details of 25 million Britons including "name, address, date of birth, National Insurance number and, where relevant, bank details." This is everyone in the UK who receives a tax deduction from having children.
HMRC's Paul Gray resigned over the incident (as if that will help). Liberal Democrat Acting Leader, Vince Cable, clucked: "why does HMRC still use CDs for data transmission in this day and age?" proving that he doesn't read this blog. Mr Cable as well as Shadow Chancellor George Osborne predicted the end of the National ID Database as a result of this loss.
Commissioner of Obvious Information, Richard Thomas, said: "this is an extremely serious and disturbing security breach" and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.
NSW Police are investigating the possible compromise of an online florist's database and theft of customers' credit card details. The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.
There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.
"A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business' database and subsequent fraudulent transactions," a police spokesman said.
She said the investigation was in its earliest stages and no further information was available.
Roses Only later released a statement saying that it had been recently advised that their computer systems "may have been" compromised through an unauthorised intrusion earlier in the year.
"We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system," the statement said.
(Image grab via Youtube)
A poor choice of names (I guess "best UNIX editor" was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.
Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals' sensitive personal data at risk.
In the Times Online article, "Digital DNA could finger Harry Potter leaker," we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took.
From this, we learn that it was a Canon, likely a Rebel 350D, which means that the perp bought it in the US or Canada. (This doesn't mean that the perp is there, as lots of people buy electronics in the US or Canada.)
However, I blinked when I read something from Vic Solomon, a product intelligence officer at Canon UK:
From what we know, the device is one of the original Rebel cameras, probably a 350D, and given that they've been out for three years, it's likely the owner would have had it cleaned or repaired in that time.
Likely? I take likely to be better than a coin flip -- over 50% chance. I'm a huge fan of Canon cameras, and while I don't yet own a digital SLR (I'm very happy with my SD 700IS), I'd like one, and it makes me wary to hear that it is "likely" that I'll be taking it into the shop in three years. I have a twenty-five-year-old A1 SLR, and it's never been cleaned or repaired. Is Canon's well-deserved reputation for quality a thing of the past?
Or was Mr Solomon merely shooting his mouth off? He also said:
The EXIF data is like the picture's DNA; you can't switch it off. Every image has it. Some software can be used to strip or edit the information, but you can't edit every field.
That's not precisely accurate. EXIF metadata is nothing like DNA. It's metadata rather than code; it's annotations about the picture such as date and time, f-stop, exposure values, orientation of the photo, and of course the serial number of the camera. While photo-editing software often doesn't let you edit it, there are plenty of ways to get rid of it, and I'll bet that very shortly there will be more of them, particularly if they catch the person who did this because of the embedded serial number.
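To make that concrete, here is an added example (not from the article, and not Canon's or anyone's product code) that walks the marker segments of a JPEG, pulls the Make, Model, Software and BodySerialNumber tags out of the Exif APP1 segment, and then writes the file back without that segment. The sample JPEG is constructed inline and is not a decodable picture; the serial number is a placeholder, and BodySerialNumber (0xA431) is the later standard tag, since cameras of that era kept the serial in the vendor MakerNote.

```python
import struct

# TIFF/Exif tags reported here. BodySerialNumber (0xA431) is the standard
# Exif 2.3 tag; older cameras kept the serial in the vendor MakerNote instead.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
        0xA431: "BodySerialNumber"}
ASCII = 2                      # TIFF field type: NUL-terminated ASCII
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"  # APP1 payload prefix that marks Exif data


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI.
    The SOS payload is the remainder of the file (scan data and EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, data[pos + 2:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG")


def parse_ifd0(tiff):
    """Return {name: value} for the ASCII tags in TAGS found in IFD0."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    found = {}
    for i in range(count):
        start = ifd_off + 2 + 12 * i
        entry = tiff[start:start + 12]
        tag, ftype, n = struct.unpack(order + "HHI", entry[:8])
        if tag not in TAGS or ftype != ASCII:
            continue
        # Values of four bytes or fewer sit in the entry itself; longer ones
        # sit elsewhere in the TIFF block and the entry holds their offset.
        if n <= 4:
            raw = entry[8:8 + n]
        else:
            (off,) = struct.unpack(order + "I", entry[8:12])
            raw = tiff[off:off + n]
        found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def read_exif_tags(jpeg):
    """Camera-identifying tags from the Exif APP1 segment, or {} if none."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return parse_ifd0(payload[len(EXIF_HEADER):])
    return {}


def strip_exif(jpeg):
    """Rebuild the JPEG without its Exif segment; scan data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in jpeg_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += bytes([0xFF, marker])
        if marker not in (SOS, EOI):
            out += struct.pack(">H", len(payload) + 2)
        out += payload
    return bytes(out)


def build_sample_jpeg(fields):
    """Constructed test input: a minimal JPEG whose APP1 carries a big-endian
    TIFF with one IFD of ASCII entries. It is not a decodable picture."""
    entries = sorted(fields.items())
    ifd_off = 8
    blob_off = ifd_off + 2 + 12 * len(entries) + 4   # count, entries, next-IFD link
    ifd, blob = struct.pack(">H", len(entries)), b""
    for tag, text in entries:
        val = text.encode("ascii") + b"\x00"
        if len(val) <= 4:
            ifd += struct.pack(">HHI", tag, ASCII, len(val)) + val.ljust(4, b"\x00")
        else:
            ifd += struct.pack(">HHII", tag, ASCII, len(val), blob_off + len(blob))
            blob += val
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd_off) + ifd + b"\x00" * 4 + blob
    app1 = EXIF_HEADER + tiff
    scan = b"\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34"   # SOS header + fake scan bytes
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + scan + b"\xff\xd9")


# Placeholder values; the serial number is not a real camera's.
SAMPLE = build_sample_jpeg({0x010F: "Canon", 0x0110: "Canon EOS 350D DIGITAL",
                            0x0131: "1.0", 0xA431: "SERIAL-PLACEHOLDER"})

if __name__ == "__main__":
    print(read_exif_tags(SAMPLE))               # Make, Model, Software, serial
    print(read_exif_tags(strip_exif(SAMPLE)))   # {}
```

Real files also carry Exif sub-IFDs, MakerNotes and XMP/IPTC blocks, so a stripper meant for production should drop every APPn segment it does not specifically need rather than only the one shown here.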
Photo courtesy Lone Primate.
Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident:
So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy's president gets interviewed and says because the data was sold to brokers and direct marketers, the information isn't at risk?!?!?
Now, I trust data brokers and direct marketers as much as anyone, but when information is obtained illegally (as this information is said to have been), what assurance is there that the thief won't sell it to anyone who will pay the price, not just nice people who will pay the price?
It's not like this is some guy fencing a stolen TV set.
Alternate title: "If schadenfreude is wrong, I don't want to be right."
Ryan Singel reports that the "TSA Lost Sensitive Data on 100,000 Employees." This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. You know, for all those people who are too dangerous to travel, but not dangerous enough to arrest.
A hard drive containing sensitive information including social security numbers and bank account information on 100,000 Transportation Security Administration employees has gone missing from its headquarters and the FBI has been notified, according to a 7 p.m. EST [Friday] press release from the agency.
Remember, you have a few days left to stop REAL ID. If you do, the TSA's next lost laptop will contain less data about you.
The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and "took it home for a 20-minute look-see, then turned it over to authorities."
I have three words of advice: full disk encryption.
Photo courtesy of POONDOG.
In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.
Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.
I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:
#
which I just stared at for a moment. It didn't even register for a good twenty or thirty seconds before I had the wit to type
ls
and was met with something akin to:
bin dev home mnt proc tmp boot etc lib usr sbin
and that didn't even register with me until I finally then typed
pwd
and was met with
/
and I made a loud two-word exclamation, of which the former was "oh" and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.
Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn't have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I'm just closing down the ones that don't have services on them anyway. Part of it is also that of the three times I've had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, "I wonder why the SMTP server logs have gotten so big." Fortunately for me, I caught it before the blacklists did.)
I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn't see any sign that anyone else was now using it for anything. I checked the IDS logs and there was nothing that leapt out at me as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn't been compromised, as the evidence suggested.
With the machine rebuilt, I connected to it directly with telnet and started probing around for somewhere to put a password (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and they were full of warnings about how to make sure you did this, set that compiler switch, and if you didn't, things wouldn't work, and you'd get to reflash the box.
This wasn't how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn't been compromised. I convinced myself that this is because the bad guys wouldn't recognize the box as vulnerable.
As I grumbled and thought more about how to lock down the box, something occurred to me -- anyone who wants to own the box has to go to the same trouble to make it a productive member of their botnet community as I do to do the opposite, but they're at a disadvantage because they also have to protect it from me. Since it's easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that it has an open root shell, it's not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proof of the old adage, "In the land of the blind lion, the one-eyed zebra doesn't have to run very fast."
A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.
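As an added example (not the author's code), here is the check a device owner can run against a box before it goes on the LAN: connect to the telnet port, discard option negotiation, and report whether the greeting is a login prompt or, like the music box, a bare root shell. The fake_device helper and both greetings are constructed stand-ins for the real hardware.

```python
import socket
import threading

# Telnet option-negotiation bytes (RFC 854); devices often send a few of
# these before any text, so they must be removed before looking at the prompt.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_negotiation(data):
    """Remove IAC command sequences, leaving only what the device printed."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:               # escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in (DONT, DO, WONT, WILL):
                i += 3                   # IAC <cmd> <option>
            else:
                i += 2                   # other two-byte command
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def classify_greeting(data):
    """Decide what a telnet service hands to a client that has not logged in.
    Returns 'root-shell', 'user-shell', 'login-prompt' or 'unknown'."""
    text = strip_negotiation(data).decode("ascii", "replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    last = lines[-1] if lines else ""
    if last.lower().endswith(("login:", "username:", "password:")):
        return "login-prompt"
    if last.endswith("#"):               # the bare '#' the author stared at
        return "root-shell"
    if last.endswith(("$", ">", "%")):
        return "user-shell"
    return "unknown"


def probe(host, port, timeout=2.0):
    """Connect, read whatever arrives before the first timeout, classify it."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            while len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return classify_greeting(buf)


def fake_device(greeting):
    """Constructed stand-in for the music box: a loopback listener that sends
    `greeting` to the first client and hangs up. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Two constructed greetings: a box that asks for credentials, and one
    # that negotiates a couple of options and then drops straight to '# '.
    for banner in (b"\r\nmusicbox login: ", b"\xff\xfb\x01\xff\xfb\x03\r\n# "):
        port = fake_device(banner)
        print(port, probe("127.0.0.1", port))
```

A device that answers 'root-shell' here belongs behind a direct cable, as in the story, until it has at least a password and preferably SSH in place of telnet.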
IT Week in the UK writes, "Companies keep silent on data breaches."
There are a couple of interesting quotes:
Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.
I raise my eyebrow a bit because of the words "often" and "invariably" appearing together. I side with the reporter on "often" and just don't buy "invariably." Nonetheless, if people believe that telling the police is the same as telling the press, they'll refrain from telling the police.
However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.
I concur, and so the question is how to make sure that the proper notifications happen to the proper people at the proper time. That's why there's no rule set on this. More in another post.
At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing.
However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social Security Numbers violated state and Federal law punishable by jail time.
This means that the poor county clerks, who are tasked with redacting records, would be left holding the bag for any screwups. If I were such a clerk, not having some sort of protection would lead to my resignation.
I'm left wondering how we're going to ensure that things get done correctly, but the larger issue is the way the government is reacting. I know that I speak for The President when I say that not everything that's bad and needs to stop has to have jail time and fines on it.
It looks like the pendulum of breach control is swinging a bit wildly in Austin. Just go to SXSW, guys, have a beer, listen to some music, and be stable on this. Thanks for working to get this right.
"Grandma Abilene" courtesy of Curran Andre Hugo.
According to Courtney Manzel, Counsel - Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY's notification law:
A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It contained password-protected files that included information (i.e., name, date of birth, social security number, salary and whether employee was enrolled in company health plan) about approximately 255 former and current Velocita Wireless employees.
And from the notice sent to affected individuals:

Also note that 470,000 Canadians is roughly 1/60th of the population. An equivalent US breach would be 5 million people.
Via Pogo was right.
From the files of "too good to make up", DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn't have a point of sale terminal, so the clerk was IMing all credit card data to a friend who had one and who would then run the credit card info for him.
[Via NoticeBored]
Apparently it's Identity Theft Tuesday here on Emergent Chaos.
CNN reports that a "Hacker attack at UCLA affects 800,000 people", which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it took so long to be noticed, especially in light of Chancellor Abram's letter which states:
We have a responsibility to safeguard personal information, an obligation that we take very seriously...I deeply regret any concern or inconvenience this incident may cause you.
It's a real shame they didn't have more effective security controls and monitoring systems in place. Maybe then this incident wouldn't have happened or been detected and stopped much earlier.
[edit: fixed link to article]
SANS has just released their annual Top 20. I won't bother linking to it -- Google knows where to find it, and if you're reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:
Ooops! My bad.
This isn't a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers' credit card information, in violation of federal law.
Guidance, of course, are the makers of enCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered a consent decree with the FTC.
Organizations around the world are getting ahead of their problems by reporting them to their customers: KRA computers stolen, which contains the interesting comment "A [Kenya Revenue Authority] official said the computers had crucial data on tax returns and it is likely that the data had no back up."
On the other side of the world, "Computers with patient data stolen from Nagasaki hospital."
Both via the Dataloss list.
There's a feeling you get when you watch a formulaic movie. After seeing a half-hour's worth, you just know how it will end. You can see the decision points characters reach, and you know they'll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or Scary Movie to succeed.
Anyhoo, I got that same "I know how this is going to end!" feeling when I read the following (via Dataloss):
Denver Business Journal
Matrix Bancorp Inc. disclosed late Friday that it was investigating the theft of two personal computers from the bank's downtown branch on Friday, July 28, one of which contained personal account information on an undisclosed number of customers.
The bank said in a news release that thieves apparently entered offices in the company's headquarters tower at 17th and California streets in Denver between 1:30 and 2:30 p.m., and removed the laptop computers while staffers were away from their desks. One computer contains what the bank called "certain proprietary information regarding Matrix Capital Bank and some of its customers ... "
But guess what? The folks at the bank proved me wrong, and threw in a plot twist:
The data, the bank said, is fully encrypted and password-protected
The article goes on to say that despite the use of encryption, the bank is still notifying potentially-impacted customers, and is supplying credit-monitoring and fraud detection services via Equifax.
Here's news of a breach that (I presume) involved no PII, but which could be significant.
I wrote about a previous Debian breach back in December, 2003. I hadn't realized it had been so long!
Update: Local vuln used to elevate privs. Local access gained due to weak developer password. Details here.
This week's roundup is large. Rather than push other newish posts off the bottom of most people's screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.
Multiple servers breached. University loses SSNs and other data on 200,000 to 240,000 current and previous students, as well as credit-card information on those using the university bookstore or hotel. According to a response received from WIU's official "Security Alert" email address:
A majority of students potentially affected are students who took courses from 1983 to the present. A smaller number of records from 1978 to 1982 (approximately 1,000 records) may have been at risk of exposure. Anyone who has performed an online purchase through the University bookstore or who has stayed in the University Union Hotel may also potentially be affected
Interestingly, the Division of Student Services, which seemingly runs on-line bookstore sales, says that they "Don't retain credit card information after credit card sales have been processed."
Official version of events is at http://www.wiu.edu/securityalert/
Social Security Numbers and other info on 13,000 Washington, D.C. residents obtained when a thief stole a laptop from the home of an ING U.S. employee. No password, no encryption. Theft occurred June 12.
Washington Post has more.
Laptop stolen May 29th contained name and SSN info on up to 2500 of their employees.
(AP, via Dataloss)
The tide of theft continues. An office computer containing names, SSNs, and medical information for 9,800 kidney donors, recipients, and potential recipients was stolen in February, but "the affected people weren't notified until earlier this month because it took months for school officials to reconstruct the missing database".
Visa admits there's a problem it has known about since February, but reveals no numbers or names. Thanks, guys. AP has the story.
Names, SSNs of 28,000 Navy personnel and some family members show up on a web site. Navy discovers it, has info removed. Congress is asking for more information (such as the name of the site).
(AP, via MSN)
SSNs and test scores for 619 students show up on web. School blames Google.
(HeraldToday.com, via Dataloss)
In other news, Surgeon General caught smoking under bleachers.
In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers."
3,000 former and current students' SSNs, names, grades lost via a...laptop theft!
Although use of SSNs as student identifiers is now banned, apparently it's just too much work to clean up the years of cruft that faculty have accumulated. An interesting research question: what is the half-life of information like this?
(SFGate.com, via Dataloss)
Names, photos, and SSNs of 26,000 workers revealed when a hacker was able to get into a USDA server.
(SeattlePI.com, via Dataloss)
Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.
From the Washington Post, "Data theft hit 80 percent of active military," via Bob Sullivan, "Lost VA Data: Who's on The List," which includes useful what-happened bits:
Thanks to NBC's Pete Williams, we can offer a few more details about why the VA has been so vague. The data apparently was taken home by an employee on either DVDs or CDs. Some of those CDs or DVDs were copied to the employee's computer, but no one knows how many. In the best case scenario, only some of the data was copied before the computer was stolen.
Active duty personnel should be aware that there's an "active duty" alert they can put on their credit reports. For details, see "'Active Duty' Alerts Help Protect Military Personnel from Identity Theft" (Federal Trade Commission).
Apparently, they haven't yet learned that transparency is good. Related, "Royal Ahold Execs Fined After Conviction."
Normally this would go in the breach roundup, but it is noteworthy in that it is the only case of substitute notice I can recall seeing.
All state breach laws provide for notifications to be made via mail or telephone, and allow so-called "substitute notice" via a press release, prominent web page placement, and the like under certain circumstances.
The circumstances here are that:
Red Cross cannot determine whose records that individual may have accessed. For that reason, Red Cross is providing this [web page] notice to all blood donors who have donated in the Missouri-Illinois Blood Services Region as a precaution.
Now, Missouri has no breach law that I am aware of. Regarding form of notice, Illinois law says this:
(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.
This is terrible law. Even if a firm has perfect records, and somehow can notify everyone for a nickel, all they need to do is expose more than a half-million folks and they are relieved of nearly all responsibility. Here, according to Computer World, a million donors were exposed. Talk about perverse incentives.
In this case, the American Red Cross either: a) has lousy record-keeping, b) is unwilling to incur an expense that nearly all others suitably situated have borne, or c) is using the size of this breach as an excuse for inaction.
Since we're talking blood here, I don't think a) is likely, so unless I am missing something (and I hope I am), it must be a combination of b) and c).
By the way, the SSNs were in a database made available to "donor recruiters", according to Computer World:
The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters. [...] [The agency] said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records.
Uh, I don't think donors put them in in the first place. The Red Cross did. If they aren't needed from today's donors, they aren't needed from ANY donors. I'm no DBA, but it looks like about two lines of SQL make this go away permanently.
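The "two lines of SQL", worked through as an added example (not the Red Cross's code; its real schema is not known here) against a constructed SQLite donor table: drop the SSN column for every donor, past and present, and leave recruiters a view holding only the fields the article says they now see. The table rebuild and VACUUM are what make "permanently" true, since a dropped column's values can otherwise linger in freed pages of the database file.

```python
import sqlite3


def build_sample_db():
    """Constructed donor table (not the Red Cross's schema): the SSN sits in
    the same row as the contact details recruiters legitimately need."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE donors (
            id INTEGER PRIMARY KEY, name TEXT, phone TEXT,
            birth_date TEXT, ssn TEXT);
        INSERT INTO donors (name, phone, birth_date, ssn) VALUES
            ('A. Donor', '555-0100', '1970-01-01', '000-00-0001'),
            ('B. Donor', '555-0101', '1980-02-02', '000-00-0002');
    """)
    return db


def drop_ssn(db):
    """Remove the ssn column for all donors. Rebuilding the table works on
    SQLite releases that lack ALTER TABLE ... DROP COLUMN; VACUUM afterwards
    so the pages that held the old values are not left behind as free space."""
    db.executescript("""
        BEGIN;
        CREATE TABLE donors_new (
            id INTEGER PRIMARY KEY, name TEXT, phone TEXT, birth_date TEXT);
        INSERT INTO donors_new SELECT id, name, phone, birth_date FROM donors;
        DROP TABLE donors;
        ALTER TABLE donors_new RENAME TO donors;
        COMMIT;
    """)
    db.execute("VACUUM")


def create_recruiter_view(db):
    """What blood-drive recruiters get to query: name, phone and birth date
    only. On a server database, this view is what their role would be granted."""
    db.execute("""CREATE VIEW IF NOT EXISTS recruiter_donors AS
                  SELECT name, phone, birth_date FROM donors""")


def columns(db, relation):
    """Column names of a table or view, for checking what is actually exposed."""
    return [row[1] for row in db.execute("PRAGMA table_info(%s)" % relation)]


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", columns(db, "donors"))
    drop_ssn(db)
    create_recruiter_view(db)
    print("after: ", columns(db, "donors"))
    print("recruiters see:", columns(db, "recruiter_donors"))
```

On a disk-backed database with backups, the same column also has to go from every backup and export, which is the part that takes longer than two lines.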
Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.
From the New York Times AP story.
The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information was included in the veterans' discharge summary that goes into a government database.
[Update: Bob Sullivan has some good analysis at "Vets deserve better treatment after data theft."]
On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University's Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes.
Ohio University II: 300,000 alums and friends. 137,000 have their SSNs exposed. Exposure was under way for over a year before detection.
Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school's Hudson Health Center, the university discovered last Thursday [May 4]. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there.
Mercantile Potomac Bank: Stolen laptop. 48,000 customers exposed. Bank says it was against policy to remove the portable computer from the bank's premises.
AICPA: Hard drive with member information, including name, address, and SSN, lost. The drive had been sent to a data recovery vendor, and was lost while being shipped back. Notice sent to members was dated May 8. The AICPA has 300,000 members. Based solely on my experience, they prefer to see rules followed, which they reportedly were not in this case.
Columbus Bank and Trust: 2,000 cardholders notified they may have had card info stolen. Is this related to the huge debit card mag stripe theft that may or may not involve a large retailer? Nobody is saying.
[NY Police spokeswoman] Farello said the driver contacted authorities after noticing outside the Bronx VA hospital that the containers were missing.
The company is treating that as "we misplaced them" rather than as theft. The New York Police are unspun, and are treating it as theft. It's good that the law doesn't give the company discretion to be gullible on your behalf.
Via Army Times:
The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not know what, if any, criminal intent the perpetrators had, or if the information would be misused. Affected members were notified by mail earlier this month and the Defense Criminal Investigative Service has begun an investigation, defense officials said.
Tricare is the U.S. military health system. If you visit their web site, you find this:
If you received a notification letter regarding a potential compromise of your personal information and you have questions, please call 1-800 600-9332. Please do not call the Defense Criminal Investigative Service number referenced in the letter. We regret the inconvenience.
I believe the relevant acronym is SNAFU.
Report via Reuters.
Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense.
Stars and Stripes has the scuttlebutt from HQ:
The laptop was stolen from an employee's personal car in a public parking lot. While Aetna has strict safeguards on such matters, "the employee did not follow all company policies in this instance," Michener said. Michener refused to say whether any disciplinary action would be taken, saying it was a "personnel matter." A few thousand other Aetna customers also lost data, but they do not fall under DOD, Michener said.
The company is sending three letters: one for those whose information included their social security number, one for those whose information included health information, and one for those whose information contained both.
"Unauthorized electronic access". Not sure if that's a poorly configured web server, or what.
Press release today.
Happened in February.
Notices sent at some unspecified time.
Indiana only requires state agencies to disclose breaches, the law isn't in effect yet, and the legislative and judicial departments aren't considered state agencies.
Quoth "Mark Smith, head and professor of the School of Electrical and Computer Engineering" [wording from Purdue's own press release]:
Removing Social Security numbers from all of the university's business practices is an enormous and expensive process, but the university has mandated that every possible step be taken to solve this problem by the end of this calendar year.
Better late than never. Cue up the usual lecture about externalities.
A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. "This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation," employees learned via email. (From The Register.)
Information courtesy of the Reporting Form E&Y filed pursuant to New York state law.
The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.
A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that recently leaked online from Okayama Prefectural Police.
The leaked data includes investigative reports on a murder case in Uwajima, and expert statements on DNA analysis in a sex offence. It also contains a list of 188 people involved in investigations, plus their mobile phone numbers and addresses. ("Ehime police force leaks huge amount of data following virus attack")
Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information--consisting of patients' names, sexes, birthdates and information on surgical procedures for which they were hospitalized--to his personal computer, which was infected with a virus that compromised the data.
The data manager had been using the Winny file-sharing program on his computer. (From Yomiuri Shimbun.)
The Associated Press is reporting that:
Via MyrtleBeachOnline.com
An Internet server used by the state Transportation Department's Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its credit card processor about the possible breach and it will contact credit card companies.
Why are database servers reachable from the internet?
The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people's medical conditions, their social insurance numbers and their dates of birth.
Way to go guys! You made $7.50 a tape!
Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely sells government surplus items to the public.
Included among the files were records showing certain people's medical status -- including whether they have a mental illness, HIV or a substance-abuse problem -- details of applications for social assistance, and whether or not people are fit to work.
(From "Health Records Sold at Public Auction," Vancouver Sun, via KH.)
Executive summary:
Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop.
Money quote from a Medco spokesperson:
You're as efficient as the lessons learned in the last scenario. (Network World)
Medco says that the delay in notice was because local police in New Jersey were investigating and that
a complete log of the stolen data had to be created so it could be reported
Huh?
Ohio is one of the many states that has a disclosure law (which went into effect two weeks ago). It defines "personal information" in an interesting way:
"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.
Now, to this layman that means that if the info says that a person with social security number 123-45-6789 has a prescription for birth control pills, you have to disclose.
Update 4/25: WRONG. They override this definition in the notification section of the law!
Ohio's law also says:
[disclosure may be delayed] if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the state agency or agency of a political subdivision shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.
The emphasis is mine. If I were a reporter, I'd be asking for documentation that a law enforcement agency made such a determination, and when they made it. To me (IANAL), a "determination" is an affirmative thing -- you need to actually do something -- it isn't passive. So, Medco, let's see some proof. What police department in New Jersey told you that speaking up to your customer would impede their investigation of this theft of a single laptop?
[Note: I cleaned this up a bit and added the part about what constitutes personal info a few minutes after originally posting it]
Via news.com.au:
BANK statements, including customers' private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney's south-west, the Seven Network reported tonight.
The bank has apologised to customers for the security breach.
An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during "routine monitoring".
Via wcfCourier.com:
The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed a computer system holding confidential information. The university detected last week that a laptop computer holding W-2 forms was illegally accessed, though officials said the person likely did not realize he could obtain tax information for about 6,000 student employees and faculty.
"A virus was detected during routine monitoring," said Tom Schellhardt, vice president for administration and finance. "We immediately took steps to fix the problem and increase security."
The university sent letters to everyone whose data was on that computer, warning them to protect against identity theft by monitoring their accounts and contacting credit reporting agencies.
Steve Moon, the school's director of network services, said the person who used the laptop computer did so to review the print jobs for the W2 forms.
In 2004, a graduate student apparently posted a class roster of 601 students, complete with names and social security numbers, on the web. ("ODU Graduate Student Posts Student Information on Website, School Investigating," via Netsec.)
Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don't add up. There's a story in the Virginian Pilot, "Social Security numbers of 601 ODU students posted to Web," which says that the data was up for nearly two years. I suspect that the TV news site made a simple mistake.
The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it via e-mail to a home computer, said Lisa Acheson Luther, a Blue Cross and Blue Shield spokeswoman. ("Blue Cross says contractor took 27,000 Social security numbers (AP).")
The Suffolk county [New York] clerk's office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don't have a way to remove them. And soon, a new plan will make it easier to retrieve them.
From "Glitch puts Social Security numbers online."
Mortgages and deeds that contain Social Security numbers for an estimated 7,000 to 8,000 individuals have been "scanned" and posted on the county clerk's Web site.
Maybe they'll see what can be done to improve the recipe.
(Via Jericho, posting to Dataloss mail list.)
In a comment to an earlier blog entry concerning a 'he who must not be named' policy for card processors and others who get breached, optionsScalper asks "given Adam's recent series on "Disclosure" (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this case?"
My answer is that I think the disclosure optionsScalper refers to, which involved Regions Bank customers, but where the breach was reportedly at a processor rather than at Regions Bank, is insufficient. It is high time that names be named.
I also think this incident is related, at least conceptually, to a breach involving BofA debit cards reported by the San Francisco Chronicle here and here, also strongly implying that Wells Fargo account holders were involved as well.
The upshot is that a major big-box retailer (see report here) got hit, and now not only BofA, but also Washington Mutual are taking action to protect account holders. Of course, neither is saying anything about which retailer was hit, just like Nations Regions Bank ["I regret the error" - cw] didn't do any talking.
The ZDnet article above reports Visa as not naming names because there's an ongoing investigation. In another breach, this time reportedly involving Sam's Club, it was Visa and MasterCard not naming names (and being criticized for it by the notoriously anti-capitalist American Banker -- excerpt here).
It's time for reporters to start asking the FBI and the Secret Service whether they feel that merely identifying the retailer would compromise the investigation.
More (and more cogent) thoughts about this situation will be forthcoming, but I wanted to at least get this much out.
A quick aside to optionsScalper, since you mentioned a firm's duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability.
Along those lines, it might be interesting to see which big-box retailer's insiders are selling right now, if we only could.
For the past six months, Brigham and Women's Hospital in Boston has been accidentally faxing the confidential medical records of women who'd recently given birth to a Boston investment bank, regardless of the bank's repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) And:
The records, called inpatient admission sheets, contain a plethora of sensitive data, including the women's Social Security numbers, birth dates, home addresses, hospital room numbers, health insurance data, blood types, religion and occupations, the names of their doctors and hospital discharge data.
I'll add on a personal note that I got my working start at the Brigham & Women's, and there was quite a bit of care about medical privacy. My boss, Ron Kikinis, encouraged me to spend time and energy on security issues, paid for training, and generally encouraged me to learn about and implement security for the Surgical Planning Lab.
Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver's licenses, yet the District Department of Motor Vehicles continues to offer this as an option.
Don't miss the Drivers License with SSN that "The Newspaper" provided.
"I confess, I haven't read through the law that carefully recently," DMV general counsel Corey Buffo told the Associated Press. "I guess we're a little behind the timeline on the federal law. That's not entirely unusual."
Over forty percent of the capital's licenses are not in compliance and officials say it will take until 2011 to replace them all. The District will charge $7 to any of the 190,000 motorists who want a compliant license before its expiration -- potentially bringing in $1.3 million in revenue. ("DC DMV Violates Federal Privacy Law")
A "human error" at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. ("Computerworld")
It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether the current action (or inaction) by the bank is acceptable to customers if the risk is unknown?
I'd start not with acceptability to customers, but acceptability to a variety of States' Attorneys General. The choice of keeping consumers in the dark is no longer legal in 21 states, and is no longer acceptable anywhere. If I were an unnamed processor, I'd sure be asking myself "Am I gonna end up like Choicepoint or am I gonna end up like CardSystems Solutions, sold for parts?"
The rules on disclosure, both legal and social, have changed. Companies must come clean about their errors.
From Indychannel.com:
Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states -- including Indiana -- saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide.
The bank, which says it was not responsible for the problem, will issue new credit cards to its customers soon, Call 6 for Help's Rafael Sanchez reported Monday.
"Many times when this happens, there is no impact whatsoever, but we just decided to take the extra precaution," said John Kinman, Regions Bank senior vice president.
Information on how the breach happened and the extent of the risk wasn't known, Sanchez reported.
The credit-card processing company works for other banks, so it is possible that other banks will take the type of action that Regions is taking, Sanchez reported.
I am more convinced than ever that my prediction of a major suit against a processor will pan out. Regions Bank isn't exactly Chase or BofA, size-wise, and they had 100K cards exposed.
Neat how the bank VP says the precaution is "extra", while the News guy says the risk is unknown. Looks to me like the banker has already put an upper bound on it (at least until a Russian web site gets into the act).
Update 2/10/2006: Error in bank name corrected. My apologies. [cw]
In responding to Lyal Collins' comment on my "Disclosure Laws" post, I went and read the Rhode Island Identity Theft Protection act of 2005 (H6191). A couple of things occurred to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don't see a "hacking appeared limited" exemption in the law. (I did, however, see it in this Times-Argus story, attributed to Beverly Najarian.) I do see a "most expedient time possible" clause, which fortunately has a delay available to "restore the reasonable integrity of the data system." If it were not for that, the government of Rhode Island might well have been the first to break the new law protecting their citizens.
(Chris Walsh reminded me of the breach legislation page, and Monody took the Peek-a-boo picture.)
In an article ("Credit card numbers reported stolen from R.I. state Web site") about the Rhode Island breach, I found the following quotes:
The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit cardholders were affected, she said.
So let me get this straight... The breach was reported to financial institutions, but not consumers... The people who found the breach made several mistakes in their analysis. The people who found the breach couldn't be bothered to tell eight citizens about what had happened....
NEI tightened security, Loring said, although she declined to describe the measures. She said the Web site is "absolutely safe" and the intrusion was reported to financial institutions.
The state did not tell consumers about the breach in December because the hacking appeared limited, Najarian said.
Was there a question of why we don't want a 'no apparent risk' clause in the laws?
(Little girl illustrating corporate strategy photo by Brndnprkns.)
The acronym "IANAL" is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World's September 2005 issue, that I happened to run across.
In it, Mr. Rianda, esq., discusses his view of why the breaches we are all familiar with have occurred, what the credit card folks have done about it, and the likely ramifications. Herewith, some fair-use excerpts:
A dedicated and intelligent hacker can potentially compromise any database in spite of the PCID standards or any of the other security standards developed by Visa and MasterCard. The fact that such standards are widely utilized and published allows hackers the ability to study them and find ways to work around them. Also, when numerous organizations use the same standards, it leads to a situation where if hackers can compromise one database they may be able to find ways to breach others because the databases are secured in a similar manner.[...]
However, the likelihood of any such credit card processor like CardSystems going out of business to the detriment of their agents and merchants is extremely remote.
This was published after CardSystems was dropped as a processor by Visa.
Earlier in the article, Mr. Rianda, esq. opines that "The PCID [sic] standards are, to a large extent, common sense necessary to secure any type of computer network."
As I say, IANAL, but if the standards are common sense, how does publishing them help the bad guys? Also, CardSystems was bought out in a mostly-stock transaction in October, 2005.
In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a mail list that covers topics such as news releases regarding large-scale data loss, data theft, and identity theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen data is encouraged.
To subscribe to Data Loss, send a mail to: dataloss-subscribe@attrition.org
Looks like a worm hit a personnel department PC.
From the Colorado Springs Gazette:
Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses for employees dating back to 2004 were accessed without authorization Friday, the university said Tuesday.
Obtaining that information did not appear to be the reason for the attack on the computer in the Personnel Department, officials said. They still urged faculty and staff members to notify credit reporting bureaus of the breach and take other precautions against ID theft.
Via MSNBC:
Two newspapers owned by The New York Times Co., the Boston Globe and Worcester (Massachusetts) Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with credit card data of up to nearly a quarter million subscribers. The credit card numbers were printed on routing slips attached to 9,000 bundles of newspapers sent to retailers and carriers last weekend, according to the newspapers.
I can see how this mess-up might get a carrier the credit-card info for subscribers on his or her route, but what credit card number(s) would be sent to a retailer?
Long Island Newsday reports on Honeywell paying for credit monitoring for 19,000 current and former employees after their information somehow wound up on a web site:
The company notified employees about the breach within a day of learning of it Jan. 20, according to spokesman Robert C. Ferris. "The company immediately contacted the relevant service provider, had the page removed from the Internet and is continuously monitoring the Internet to ensure that the Web page and any copies of it remain taken down," said Ferris.
He said the company was working with federal and state investigators to determine who posted the data. Ferris said he didn't know whether the posting was the work of a disgruntled employee or resulted from an administrative error or other cause.
The South Bend Tribune provides the important detail that the 19,000 worked for Honeywell in 2003.
Update 2/6/2006: Honeywell believes this to have been the work of a disgruntled insider, as reported here.