Archive for April, 2006

How Encryption Supports Compliance

Sunday, April 30th, 2006

If you’ve read some of my previous posts or articles you know that I am a proponent of using encryption to protect confidential information.  Today I posted a podcast discussing how encryption supports compliance as well as effectively protects personal information. 

Encryption is an under-utilized security tool.  Considering the infinite number of today’s risks, threats and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from accessing sensitive information and thwart many types of attacks.  In today’s business environment with sensitive information being stored in multiple locations, many of them mobile, encrypting information is an effective privacy safeguard organizations can add to their arsenal of safeguard tools.  I also discuss incidents that occurred and how the laws, regulations, and regulatory bodies encourage the use of encryption.

If you listen, please give me feedback on the content!  (Hey, I only know how to use my Audacity to record…I haven’t explored how to edit my podcasts…yet…so no, there are no fancy sound effects…just me talking!)  Also, if you have any thoughts about the issues I discuss, please let me know.

Technorati Tags




How Encryption Supports Compliance

Sunday, April 30th, 2006

In this episode I discuss how encryption supports compliance as well as effectively protects personal information.  Encryption is an under-utilized security tool.  Considering the infinite number of today’s risks, threats and vulnerabilities, encryption can effectively keep unauthorized individuals and systems from accessing sensitive information and thwart many types of attacks.  In today’s business environment with sensitive information being stored in multiple locations, many of them mobile, encrypting information is an effective privacy safeguard organizations can add to their arsenal of safeguard tools.  I also discuss incidents that occurred and how the laws, regulations, and regulatory bodies encourage the use of encryption.


Data About 14,000+ Persons, Including SSNs, Credit Card Numbers, and Health Information, Accessed by Hackers on Pentagon Computers

Saturday, April 29th, 2006

Yesterday the AP released a story that was widely published, "Pentagon Hacker Compromises Personal Data." 

The story didn’t really give much detail, but does demonstrate the importance of firewalls, intrusion detection systems, and other types of monitoring and logging to detect unauthorized access to networks.  As well as the need to encrypt personal information…

"WASHINGTON — An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday. 

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft. 

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement."

Yes, this is an inconvenience, a huge one, for people who end up having to fight the consequences of inadequate security for their personal information.  As another story from Houston points out, the amount of effort and time it takes for people to convince law enforcement, credit companies, and the companies where the security incidents occur, that bad things are happening to them, and then to clean up their credit information, is significant.

"HOUSTON — Identity theft is the fastest growing crime in the United States and Houston is the No. 1 spot for this crime in Texas. Yet, the KPRC Local 2 Troubleshooters found there is little chance the people committing these crimes will ever see the inside of a jail cell.  Every month an average of 340,000 Houstonians report crimes involving credit and debit cards.  This man is just one of those cases.

"It’s worse than having your car stolen because it’s an intangible. It’s your identity and I had no clue how I was going to get that back," a victim said.  He asked the Troubleshooters to shield his identity because someone ran up $17,000 worth of credit card charges under his name.  "I didn’t find out until I was getting calls from creditors," the victim said.  Equally frustrating is what happened when he said he reported the crime to police.  "The tone of the conversation was pretty clear. He had taken the report and I could get a copy of the report, which would help me clear my record," the victim said.  Angry by what he felt was a lack of response, he did his own digging and was able to find out which ATM the crooks were using to take out cash.

"I offered that to police and they were like, ‘Yeah, if you want to bring that down, that’s fine. We’ll have a look at it.’ But it was pretty clear nothing was going to be done," the victim said.  "I’ve been a victim of identity theft over three times in the past year and I understand their frustration. It’s a frustrating crime, said Sgt. Mike Osina with the Houston Police Department.  Osina is with HPD’s Financial Crimes Unit.  "We are inundated with cases," he said.

That may be an understatement. In the last two years, HPD’s 15-member financial crimes unit has received more than 32,000 cases for investigation. Just getting a detective on the phone to talk about a case can be a chore.  The Troubleshooters called the financial crimes unit.  "You have reached the Houston Police Department’s Financial Crimes Unit. All representatives are currently assisting other callers. Please remain on the line," the recording said.  The Troubleshooters waited for 10 minutes, 20 minutes, 30 minutes, and 45 minutes.  After being on hold for an hour, they heard the following message.  "All representatives are still assisting other callers. Please remain on the line and your call will be answered in the order in which it was received."  No one ever answered the Troubleshooters call.

"I don’t know what to tell you what happened on that and I apologize that it did happen. We will do a better job of that," Osina said.  So, with such heavy caseloads, what about actually catching the crooks?  "Every case gets read. Every single case that comes to our office gets read — that I can promise them," Osina said.  Reading a case is one thing. Solving it is another.  HPD records show in the last year, only 2 percent of forgery and counterfeiting cases and only 12 percent of fraud cases were actually solved. "Every time we get a handle on a certain way these crooks are doing things, they evolve into something else," Osina said.

Just ask the victim interviewed by the Troubleshooters. It took years to repair his credit. But what about the person who stole his identity?  "Actually, I don’t know. It’s still a mystery to me," the victim said.  One of the biggest problems with solving these cases is many of the crooks live in other cities, states or even foreign countries.  That means local detectives have to rely on other jurisdictions for help, and that spirit of cooperation isn’t always there.  As for the problems of getting ahold of a detective, the captain of the division was so disturbed by what the Troubleshooters found he said he is making immediate changes to ensure it doesn’t happen again."

Yes, this is a big inconvenience.  I think showing these stories in juxtaposition highlights the common flaw in the thinking of the companies where incidents occur, and with the judges who say if no damage is done (in their opinion) to a victim within a mere matter of a few weeks, then the company where the incident occurred is not held accountable and that it can be assumed that bad things will not happen.  Bad things can be done with the stolen data over a matter of months or years.  It often is not noticed until something unusual happens like getting a call from creditors.  The sad fact is that most people don’t look over their credit card statements closely…and that the bills for the newly established fraudulent accounts are often sent to bogus addresses, so that the victim never is aware of the fraud occurring.

Okay…back to the Pentagon hacking story…

"The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions. The computer server is for people insured under the Pentagon’s TRICARE health care system. 

The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused."

Of course you can never know the intent of the intruders for how they will use the information!  They will use it in any way they can, and probably in many different ways, to get as much money out of it as possible. 

It is possible the information will be sold, resold, and propagated to a very wide audience.   And, of course you cannot know IF the information will be misused, but shouldn’t you expect that is a very significant possibility given it was taken to begin with?

"A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.  Routine monitoring of one of the health care insurance system’s public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised.  As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said."

Highlights, again, the need to encrypt personal information at rest and in motion.  If this data had been encrypted there would truly have been no impact on 14,000+ people as a result of this incident (assuming the compromise was not done by an authorized insider).

The incident occurred on April 5, but the story was not reported until April 28.  I wonder how long it took the impacted individuals to get their notice of the incident?

Technorati Tags







Study shows UK businesses have almost non-existent information security budgets, and only 12.5% of companies have info sec staff

Friday, April 28th, 2006

There was a story published in The Register (a really great source of news, btw) earlier this week that I am just now getting around to reading, "UK PLC security prognosis mixed."  They gave a synopsis of some of the findings in the DTI Information Security Breaches Survey 2006; there is an Executive Summary and the full report.

Well…it is Friday…and I still have over half of my week’s to-do list to get done…but I’m always curious about these types of surveys…so here are just a few excerpts and thoughts about the findings from the full DTI report:

"Overall, the cost of security breaches to UK plc is up by roughly 50% since two years ago, and is of the order of ten billion pounds per annum."

This is around $18billion U.S. dollars and around 14,380,043,082 Euro.  (Here’s a nice little currency conversion calculator.)

" The average cost of a UK company’s worst security incident of the year was roughly ¬£12,000 (up from ¬£10,000 two years ago)."

This is US $21,613.20…seems low to me.  But then again, averages can be misleading.

"Roughly two-fifths of businesses spend less than 1% of their IT budget on information security."

Well…kinda, but then again not really, too surprising…seems excessively low.  Definitely disappointing to see information security is still so low on the budget totem pole.

"There is still a shortage of security qualified staff; only one in eight companies has any."

Wow!  This low number does surprise me.

"Three-fifths of UK businesses are still without an overall security policy, though a third of these have defined an acceptable usage policy for the Internet."

This is surprising also.  I wonder, with this lack of staff and lack of policies, how accurate the cost of security breaches truly is?  There is likely a lot of security problems going on…including fraud and insider abuse…that is not known or being discovered.  There’s no one on staff, and no technology being used, to discover them!

Well…there is so much more to the report…I only got to page 5 of the full report.  Check it out; I’ll look through it more closely this weekend.

Technorati Tags





Iron Mountain Loses More Personal Data…This Time for 17,000 LIRR Present and Past Employees

Thursday, April 27th, 2006

Wow…it’s a busy week for data security incidents! The Aetna laptop I just mentioned… earlier this week the hack at the University of Texas at Austin involving a database with info on 197,000 people, etc… 

Remember last year around this time when Iron Mountain had several incidents where they lost data for their customers?  Well, spring is no kinder to them this year…they’ve lost more data on around 17,000 people, as reported by the AP:

"(AP) NEW YORK The Long Island Rail Road says it has lost personal information — names, addresses, Social Security numbers and salary figures — of virtually everyone who has ever worked for the railroad. Iron Mountain, Incorporated — a Boston company — employed by the railroad to warehouse and secure information at an undisclosed storage site discovered the loss on April 6. During a routine delivery between LIRR headquarters in Jamaica and the storage site — an Iron Mountain driver noticed that at least one unmarked box was missing. The LIRR said MTA Police and the NYPD were immediately notified.

On Monday, the railroad mailed a letter from LIRR President James Dermody to approximately 17,000 current and former employees, notifying them about the lost information. The LIRR has about 6,000 current employees. Newsday reports that the letter said the information on the computer discs was formatted in a way that is very difficult to access without specialized skills, specific software and sophisticated computer equipment. The LIRR agreed to provide anyone at risk with a free one-year enrollment with a credit check and identity theft monitoring service. The railroad has also set up a Web site and telephone hotline for employees with questions about the missing data."

It is always interesting to see when incidents involving data that is not encrypted is downplayed by the organization saying the data is "very difficult to access without specialized skills…"

Gee, how many folks have IT experience, specialized IT skills, and sophisticated computers?  Hmm…

Technorati Tags






Another Laptop With Personal Info on ~40,000 Individuals, Including SSNs, Stolen From A Car

Thursday, April 27th, 2006

Well, the list of incidents involving the theft of a laptop containing personal information about a large number of people continues to grow.  A central Florida station reported:

"Health insurer Aetna Inc. reported that a laptop computer containing personal information on about 40,000 of its members was stolen, according to a Local 6 News report.  Aetna officials said that someone stole a laptop out of an employee’s vehicle.  The laptop contained personal information on 38,000 of its members, including names, addresses and Social Security numbers.  Aetna is sending letters to its members, Local 6 News has learned.  The insurance company said it has not detected that any of the information on the notebook computer has been used, the report said.  Watch Local 6 News for more on this story."

No mention of whether or not the data was clear text, but the report seems to imply it was not encrypted.

The mantra continues…

Encrypt personal information…don’t allow databases with large amounts of personal information on mobile computing devices…don’t leave laptops in cars…

Technorati Tags





Data Security Problems at the HHS and CMS…the Oversight Agency for the HIPAA Security Rule

Wednesday, April 26th, 2006

Today an interesting article, "HHS Data Not Secure," was published by the Heartland Institute that is quite interesting to read.

"A U.S. Government Accountability Office (GAO) report released March 23 pointed out possible flaws in data security at the Centers for Medicare & Medicaid Services (CMS).  The GAO–Congress’s investigative arm–noted current controls on government health programs may put information at risk due to several weaknesses in the way information is handled.  According to the study, the U.S. Department of Health and Human Services and CMS have significant "weaknesses" and "vulnerabilities" in their data-control systems–particularly those "designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software."

‘Swiss Cheese’ Security

The study, requested by Senate Finance Committee Chairman Charles Grassley (R-IA), stated the reason for the weaknesses is HHS’s failure to implement a "department-wide information security program." A program exists, the study said, but has not yet been put in place.  "HHS relies on automated information systems and interconnected networks to process and pay medical claims; conduct medical research; manage its wide spectrum of health, disease prevention, and food and safety programs; and support its department-wide financial and management functions," the authors note. "Interruptions in HHS’s financial and information management systems could have a significant adverse effect on the health, welfare, and mental well-being of millions of American citizens who depend on its services.""

Okay…as an aside, Senator Grassley is from my home state…and he’s been doing a pretty darn good job as a senator for several years!  🙂

"The authors cited several examples of potential data security problems. One CMS Medicare contractor used a privately owned vehicle and an unlocked container to transport approximately 25,000 Medicare check payments over a one-year period. In another instance, 440 individuals were granted unrestricted access to an entire data center, including a sensitive area, although their jobs did not require them to have such access."

Ouch!  Excessive access…if they were a covered entity (CE) that would be a noncompliance issue.

""We’re learning [Medicare/Medicaid recipients’] medical, personal, and financial information is vulnerable to fraud and abuse," Grassley said in a March 23 statement.  "Instead of firewalls to safeguard sensitive data, we have Swiss cheese," Grassley noted."

Great quote…I’m surprised he didn’t go on to say how it was probably attracting digital rats…

"Questions About Findings

But in a written response to Gregory Wilshusen, GAO’s director of Information Security Issues and the study’s author, HHS Inspector General Daniel Levinson stated, "The evaluation approach utilized by GAO does not provide an accurate or complete appraisal of the HHS enterprise-wide information security program.  HHS assesses risk periodically; disseminates necessary policies and procedures; develops security plans; delivers security awareness and training; tests and evaluates system controls at least annually; detects, responds to and reports incidents; plans continuity of operations; and maintains reliable monitoring and reporting capabilities," Levinson continued. "This programmatic structure, as mandated by law and proven in practice, led to the development of sound security practices and continuous improvement in HHS’s overall security posture."

While checks kept in unlocked cars are one issue, increased reliance on electronic data is another.  "Keep in mind that the electronic medical record (EMR) is not a mandate from the public," said Twila Brase, a registered nurse and president of the Citizen’s Council on Health Care, a Minnesota-based free-market health care organization. "It’s a mandate from payers, including government, health plans, and large employer groups. The public is not all that comfortable with the idea."

Patient Consent

A 2005 Harris Poll found 48 percent of those surveyed believe the benefits of a centralized database outweigh the risks, and 47 percent believe the risks outweigh the benefits, noted Brase. A 2000 Gallup poll found 95 percent of those polled didn’t want information released to a national database without their permission.  The only way to safeguard the information is to give patients consent over who gets access to their data, according to Brase.  "[The federal Health Insurance Portability and Accountability Act] allows data to be disclosed without ever telling the patient. States must pass strong patient-consent laws for electronic access to private data," Brase said.

In addition, the Health Information Technology Promotion Act of 2005 (H.R. 4157), currently pending in the House Subcommittee on Health, must not be allowed to pass in its current form, Brase said.  "It will abolish the right of states to enact real medical privacy laws," Brase said, "leaving all patients vulnerable to HIPAA’s permissiveness."

Slippery Slope

Rep. Nancy Johnson (R-CT), who introduced H.R. 4157 last October, said the bill would "make sure the national health [information technology] coordinator’s post is a permanent one" and "overcome some of the key obstacles that have slowed our progress toward adoption of a national, interoperable electronic system."  Brase said its effects will be felt more strongly in years to come.  "Everything will be recorded somewhere," Brase explained. "By electronically linking each child’s birth certificate with other seemingly innocuous government health databases [such as state immunization registries, newborn hearing screening registries, and newborn genetic testing registries], citizen profiles are being created from birth. This is a very slippery slope.  EMRs also can facilitate massive privacy breaches," said Brase. "It would require a truck in the middle of the night to carry 4,000 paper medical records out of a clinic, but it only takes a disk in a pocket or an e-mail transmission to steal those same records in electronic format in broad daylight."

For more information …

The U.S. Government Accountability Office’s Report to the Chairman, Committee on Finance, U.S. Senate February 2006, Information Security: Department of Health and Human Services Needs to Fully Implement Its Program, is available online at http://www.gao.gov/new.items/d06267.pdf."

If you are interested in patient privacy and HIPAA issues, it is a very good read indeed.

"Information about the Citizen’s Council on Health Care is available on its Web site at http://www.cchc-mn.org."

Can an oversight agency, namely the CMS, responsible for enforcing a regulation, namely HIPAA, be entrusted to do satisfactory Security Rule compliance reviews or investigations if they themselves do not have good security?  What impact would that have on the credibility of their review findings?  Hmm…

Technorati Tags









Laptop Security: Incidents Listing and Recommendations

Wednesday, April 26th, 2006

Yesterday I posted a new article in the reading room of the Realtime IT Compliance site about the need for securing mobile computing devices and mobile storage media, "Managing Mobile Computing Risks."  Within it you will find a partial (but still pretty lengthy) listing of the laptop theft and loss events I’ve been accumulating.  There are also several pointers for securing these mobile devices, along with some awareness recommendations.  People are the weakest link in your mobile computing device security strategy; they literally hold security within their hands.  With the increase in incidents involving mobile computing devices, you must educate them about how to protect these devices.

For additional information about mobile computing security, see another article published today on SearchSecurity

Technorati Tags



Give Me Your Money Or I Won’t Decrypt! Using Encryption for Extortion

Tuesday, April 25th, 2006

Today Media Life Magazine published an interesting article about using encryption to extort money from organizations from whom data has been stolen.  The dark side of encryption!  After Googling a bit, I’m sure this is nothing new to some of you.  However, the article is a pretty interesting read…

"From a venue of shared information, the web is turned by blackmailers into a vehicle for extortion. Scamsters break into a user’s computer, encrypt data, then demand money by e-payment in order to unlock the data. Such schemes have been around for years but investigators warn that they have shot up in the last year, and they’re likely to surge in the coming months. That’s because in the first quarter of 2006 the cyber criminals operating these scams developed increasingly sophisticated software, according to a report from Kaspersky Lab, a Russian anti-virus software company.  As a result of these developments, Kaspersky researchers warn, "Holding user data hostage is one of the most dangerous and rapidly evolving types of cyber crime.‚Äù

“It is not mainstream yet,” says David Emm, senior technology consultant at Kaspersky. “But this is a new twist on the theme and watch out, because it may become a bigger part of the picture.”

Blackmail scams that encrypted data until a sum of money was paid first appeared in 1989. However, at that point e-payment systems weren‚Äôt readily available, so blackmail involved physically collecting the money. That made it no more attractive than traditional blackmail schemes, where the schemers face a huge risk when they swing by to pick up the loot. That risk larger evaporates with e-payment systems. Collecting involves no physical appearances, just clearly written instructions on where to send the money, and the transactions are difficult to track. 

The current scams work like this. The virus, of which there are three main ones at the moment, enters the victim’s machine through the usual routes, such as email attachments, worms or phishing. The virus then encrypts the victim’s files, locking them up. The virus leaves a readme text file, which when opened explains that the data has been locked up and will stay that way until the blackmailer receives money wired over the internet through an e-payment system.  The amount demanded typically ranges between $50 to $2,000.

The user is given very thorough instructions on how to go about setting up an e-payment account. In one instance, this even included a handy tip suggesting the victim makes the account name something easy to remember (as they will be asked for it again later) and reasonably short, according to the Kaspersky report.  In setting the extortion sum, scamsters keep the figure low enough that a sufficient number will choose to pay up. What’s more, says Emm, these low-figure operations can cover their tracks more easily.  Perhaps surprisingly, these crooks so far have generally unlocked the data upon receipt of payment.

Kaspersky advises victims of such schemes to not hand over the money demanded, though it may seem the easier course, but to instead contact their anti-virus software provider. They will likely be able to unlock the data. In the last year Emm estimates hundreds of people have fallen victim to such scams. Says he: "It is a significant number.‚Äù  To date most incidents have been in Russia and Eastern Europe, but Emm believes that this is likely to change. ‚ÄúI don‚Äôt see any reason why we wouldn‚Äôt see it soon in the U.S. and Western Europe.‚Äù"

More reason to keep your data encrypted in storage…along with off-line backups!!   

This extortion method has been written about before in multiple places.   An FBI acquaintance of mine told me about this a few months ago, and the FBI posted a message regarding it on their site on 3/16/06. I’d like to know how widespread this is…if it is anything like my FBI contact indicates, it is pretty incredible.

Technorati Tags



European Investigation of Personal Information Privacy in the Private Health Insurance Sector Under Way

Monday, April 24th, 2006

If you do business internationally, it is good to track the country-specific privacy commissioner (or whatever the country-specific term happens to be) site.  It is also good to track the sites of organizations such as the European Union EU Working Party, Asia Pacific Economic Cooperation (APEC), and so on.

The EU Working Party posted the following notice in March about launching a data protection investigation specifically in the "private health insurance sector":

"The EU- Working Party for data protection is launching an investigation into the processing of personal data in the private health insurance sector early March 2006. It is the first time that the national Data Protection Authorities of the Member States, in the context of their activities in the Article 29 Working Party, undertake a co-ordinated EU-wide investigation. The aim of this investigation is to analyse whether and how the data protection regulations are being complied with in the private health insurance sector across the EU."

BTW, there are currently 25 EU member countries.

"This joint action will take place in the same time period. It starts in March and it is focusing on the processing of data by private health insurance companies offering private medical treatment insurance, in all the Member States. This sector has been selected because the processing of sensitive personal data is a key element of its activities and because of the potential impacts of non compliance upon a significant number of people across the European Union.

European citizens and the insurance sector have a shared interest in careful data management in compliance with the law and this joint investigation aims to contribute to this aim. In order to ensure a fruitful  cooperation with the sector involved, the CEA (European Federation of National Insurance Associations) has been regularly informed and an exchange of views has taken place during the preparation of the investigation action.

The investigation will be carried out through a questionnaire which is the same for each EU Member State, with questions focused on six areas in which data processing plays a particularly important role. The responses received will be evaluated both at national and at EU level. Based on the results, the Article 29 Working Party could subsequently decide to issue practical guidance for the sector at large and identify areas for future action with a view to improving compliance in the least burdensome way.

As a background to this, in a declaration of 25 November 20041, the Article 29 Working Party stated that the promotion of harmonised compliance with data protection legislation is one of its strategic and permanent goals. The declaration emphasizes the importance of enforcement as a means of increasing compliance. The Working Party expressed the aim of contributing to a more pro-active stance towards enforcement and announced that EU wide synchronized national enforcement actions would be undertaken in the years to come.

In addition to that, as a result of the first Report on the implementation of the Data Protection Directive in May 2003, the European Commission requested the Article 29 Working Party to consider the launching of sectoral investigations at EU level and the approximation of standards in this regard. These developments have resulted in the investigation action which will currently be undertaken."

There are likely many organizations impacted outside the EU.  I found a privacy self-assessment questionnaire on the site; I don’t know if it is the same one being used within this investigation or not.  However, even if your organization is not a health insurance company, if you do business in the EU you could benefit from doing this self assessment.  Sounds like sooner or later your organization may be part of a future investigation.

Technorati Tags