Some VA Laptop Theft Lessons: Don’t Get Complacent Over Laptop Thefts…Bad Things CAN Happen to Any of the People Involved…And May Not be Discovered For Years

May 23rd, 2006

Much has been written over the past two days about the theft of the laptop from a government worker’s home that contained SSNs, birthdates and names for 26.5 million U.S. veterans. 

What concerns me is a recurring, almost lackadaisical…and in some cases flippant or dismissive…attitude about these types of incidents.

One in particular on CNET News, "Veterans’ data swiped in theft" captures the essence of some of the recurring themes in these incident reports.  For example:

"The good news for Veterans Affairs is that the crooks may not know what they have.  "It is possible that (the thieves) remain unaware of the information which they posses or of how to make use of it," Veterans Affairs said on the Web site.  Gartner’s Litan agrees. Studies have shown that thefts of computers storing sensitive data have resulted in only a small percentage of identity theft, she says. And she added that information on millions of veterans would not necessarily yield much loot.  "Frankly, veterans don’t have a lot of money," Litan said. "They aren’t typically wealthy people. Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals.""

Wow, this certainly is good spin from the PR department.

I don’t believe such studies of computers stolen provide any type of conclusive evidence.  SSNs, names and birthdates could potentially be used YEARS after a theft to do bad things.  Just because nothing bad has BEEN DETECTED YET does not mean bad things will never be done with that information. 

Additionally, there are so many ways that this type of information can be misused by the crooks and fraudsters who have it in hand that it is very possible the people to whom the information applies will not find out about nefarious activity until years later.  And it doesn’t matter how much money the people involved make…this seems a rather insulting statement to the victims, doesn’t it?  You’re too poor to worry about anyone wanting to do crime with your information?  C’mon now…individuals don’t need to make anything to have their lives made a mess by identity theft!

A great example is a story I read recently in Reader’s Digest about child identity theft.

"Seventeen-year-old Randy Waldron, Jr., was shocked when he applied for his first credit card and was denied. He was even more shocked by the reason: He was delinquent in repaying thousands of dollars in debt.  Waldron’s identity had been stolen by his estranged father, who left when Randy was a toddler. From 1982 to 1999, Randy Waldron, Sr., used his son’s Social Security number to obtain credit from various merchants and lenders, then racked up tens of thousands of dollars in debts. He declared bankruptcy in his son’s name, which resulted in default judgments against the younger Waldron. It has taken Randy Jr., now a 24-year-old flight attendant, years to untangle the mess."

This identity theft…criminal use of another’s SSN and name…occurred for around 18 years without the victim’s knowledge!  And then the victim, who was not even earning money during this criminal activity, was severely impacted for years.  And apparently this type of crime is not uncommon.

The fact is, there are no time constraints on using this type of information.  The fact is, most people are not going to change their names, SSNs or birthdates to make the data invalid.  The fact is, if nothing bad has happened within a few weeks, many, perhaps most, of the organizations that caused the mess…by poor data handling practices, lack of encryption, lack of controls, lack of awareness and training, lack of policies…are not going to step up and do what they should to protect the individuals, which at the least is to enroll them into credit monitoring services.

The fact is, once this much information has been stolen, chances are the culprits are not going to perform the crimes themselves…they possess very valuable information that they can sell…to thousands and perhaps millions of other criminals throughout the world…to use at their own leisure.

This particular statement hit a nerve: 

"Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals.""

What?  Crime with personal information can occur in so many other ways than just taking out loans.  The names, SSNs and birthdates are valuable items…they can be exploited in many ways, and over a course of time by many, many criminals.  It’s just not true that criminals only want information on the wealthiest individuals.  What data supports this?  If you know someone who has been a victim, or at least read the news on a daily basis, you know this.  The most frequently scammed and violated people are those that are not wealthy.  Very rarely do you read about the wealthy that have been victims.  According to various FTC studies and reports this is a widespread problem, and definitely not limited to only the wealthy.  The September 2003 Federal Trade Commission – Identity Theft Survey Report indicates that identity theft, and other criminal use of personal information, impacts people of all income levels.

When an incident occurs, organizations need to be pro-active, not reactive…not waiting until bad things happen to the individuals involved.

Of course, prevention is the best course of action.

  • Encrypt mobile data
  • Implement strong policies that are enforced
  • Provide training…awareness…more training…more awareness…more awareness…more awareness…almost all incidents involve people who did not know any better, but should have.

Yet Another Laptop Theft…This One With Info About 26.5 MILLION Military Vets

May 22nd, 2006

There was a widely reported Reuters story today, "Data on 26.5 million veterans stolen from home" about yet another laptop theft with massive amounts of personal information stored upon it. The theft took place sometime this month.  Data included names, social security numbers and birthdates.

The Department of Veterans Affairs spokesperson indicated the employee took home this large amount of data in violation of "rules and regulations and policies."

Well, it is good they had these policies in place.   Policies cannot prevent people from doing the wrong things, but they are necessary to establish the expectations for appropriate business activities, and the security framework for an information handling and processing environment.

Hopefully there are some strong sanctions policies also in place.  The employee was put on administrative leave during the investigation.

Policies, though, without communicating them to personnel will be ineffective…people cannot be expected to do the right thing if they are not told what the right thing is to do.  Is there a strong information security education program in place at these companies where such incidents are occurring?  I think of the oft-quoted Rumsfeld quote when these incidents occur and I question whether or not there is adequate awareness and training in place, "But there are also unknown unknowns – the ones we don’t know we don’t know."  Your personnel don’t know that they don’t know about information security risks if you have not been communicating with them.  This is a huge risk…ignorance is definitely not bliss for your organization.  Companies need to start beefing up their awareness and training efforts or these types of senseless and avoidable incidents will continue to occur.

Another U.S. Gov’t Site With Useful Cybercrime and Fraud Information

May 22nd, 2006

I just ran across another U.S. government sponsored site, Looks Too Good To Be True, with some information that could be useful for information assurance professionals, particularly small- to medium-sized businesses, in addition to the general public.  From a business practitioner perspective this site isn’t quite as useful as some of the other government sites I’ve mentioned, however, you can always find useful nuggets.  For example, this site has:

*  There are some awareness quizzes that businesses could either point their users to, or use to give them ideas for their own quiz questions.  The threat thermometer is cute; I don’t agree with some of the "temperatures" resulting from some of the answers the quiz taker gives, but it does provide a nice visual form of feedback.
*  The victim stories that web visitors have supposedly submitted are interesting; I didn’t realize there was so much activity going on with Internet-order bride schemes!
*  The consumer alert section is pretty good for your general computer user.  When you are implementing your awareness programs, it is good to go beyond the scope of just your own business security issues and communicate to your personnel the issues they need to know about for their own personal use.  Pointing them to these types of stories helps to keep information security issues at the forefront of their thoughts.

Keyloggers Proliferating…Personnel Continue to Take Bait…Not Surprising Considering Meager InfoSec Awareness Efforts

May 18th, 2006

Okay, this story was widely reported starting Tuesday, "Websense survey says 50 percent rise in keylogger spying at work," but I’m just now getting to it.

"There was a 50 percent increase in the number of companies that reported spyware problems over the last year, according to the annual Websense Web@Work survey, the findings of which were released on Tuesday."

Hmm…yes, very interesting, but not that surprising.

""In April 2005, there were 77 unique password-stealing applications. In the latest March report, there were 197. Unique Web sites hosting keyloggers in the same time frame have gone up from 260 to 2,157–almost a 10-times growth,""

I’m not surprised, are you?  Just look how quickly other types of malicious code have grown over the years…exponentially.  It would be interesting to graph the growth trends in occurrences of the different types of malicious code and overlay them…wouldn’t you think other types are still growing just as quickly…or more in some instances?

"The current survey also found that most companies believed that their staff could not distinguish between genuine sites and phishing sites. "Forty-seven percent of IT decision makers said their employees have clicked on phishing e-mails, and 44 percent believe employees cannot accurately identify phishing sites," Camissar revealed. "I am surprised that the results are not showing a larger growth in the number of organizations hit by this kind of threat.""

Now this does NOT surprise me at all!  Just look at the numerous reports about the meager awareness and training budgets organizations have for their information security efforts…E&Y, Deloitte and PWC have all published such surveys recently.  Your staff will not know how to distinguish real sites from bogus and/or malicious sites if you do not continuously remind them.  So, of course they are continuing to go to these phishing sites.

New Useful FTC Site for Wireless and Computer Security, Internet Fraud, Other Topics and Related Awareness Activities

May 17th, 2006

Yesterday the FTC announced the launch of a new website, OnGuard Online.  This site has some very good information not only for consumers, but also for organizations to use in their information security and privacy education programs; especially small- and medium-sized businesses, which often don’t have a budget for an adequate education effort for their personnel.  What is also nice is that they provide all this in both English and Spanish versions.

Some of the useful items on this site:

  • Free Videos and Tutorials
    • Teaching Kids To Be Safe Online (video)
    • Protect Your Privacy, Your Family, and Your PC (video)
    • Reducing Spam (video)
    • Defend Yourself Against Viruses and Worms (video)
    • Security/Tools (tutorials)
    • Spam Filtering (tutorials)
    • Wireless Security (tutorials)
  • Interactive Activities (such as quizzes)
  • Topical Discussions
    • An Overview of Safer Computing
    • Identity Theft
    • Internet Auctions
    • Spyware
    • Wireless Security
    • Phishing
    • Social Networking Sites
    • Spam Scams
    • Online Shopping
    • Peer-to-Peer File-Sharing
    • VoIP (Voice over Internet Protocol)
    • Cross-Border Scams

And much more information.  Check it out!  You may find you can use a lot of the information.

Do Laws Protect Muffin Privacy?

May 17th, 2006

A story today in the Dallas Morning News, "18 fall ill from tainted muffins" reported the names of faculty and employees of Lake Highlands High who went to the hospital after eating muffins probably laced with marijuana that had been delivered to the school.  It also described the symptoms (nonstop laughter, increased heart rate, dizziness, etc.), and gave the age of the oldest, who is 86. 

What struck me was a statement made by the hospital,

"The muffins might have had marijuana and Benadryl in them, and tests were being done, said Terry Long, Presbyterian’s director of nursing administration and emergency services. He said he would not be able to confirm what was in the baked goods because of privacy laws. "We are suspecting some kind of street drug or over-the-counter drug," Mr. Long said."

So, the hospital could talk about the specific conditions and symptoms of named patients, but could not "confirm" what was in the muffins "because of privacy laws"?  Huh?  Well, perhaps they obtained consent from the patients to release their names.  Or, maybe the school provided the names and ages.  But what’s up with the muffin privacy?  They involved the FBI because food tampering could endanger the public.

Let’s see…I can’t think of anything in HIPAA that prevents hospitals from talking about the ingredients of tainted food that sends people to the hospital, as long as the individually identifiable health information (IIHI) is not discussed (e.g., it is de-identified)…muffin recipe ingredients, legal or not, are not included in the list of IIHI within the reg…

Wonder what the Texas Medical Practice Act, that is similar to HIPAA…but covers a wider range of businesses, says about this type of situation?  I got frustrated after spending way too much time searching the Texas state site for the text of this law and not being able to find it. 

If you are a CE (HIPAA covered entity), this would be a good example to discuss as part of your training and awareness efforts, particularly if you are a healthcare provider: what information would your organization release to the press in a situation such as this?

Information Security and Privacy Professionals MUST Work Together to be Successful

May 16th, 2006

Over the past few years, as the position of privacy officer has emerged and evolved, I have discussed the responsibilities and activities of privacy officers and information security officers with many of these professionals at various meetings, conferences and seminars.  Something that has concerned, and continues to concern, me is how these two positions often seem to be at odds with each other. 

Some of the things I have actually heard privacy officers say include the following:

  • "Information security is a necessary evil…you have to include them even if they make things harder than they need to be."
  • "All I need to be concerned with are the privacy laws; I couldn’t give a s**t about firewalls or viruses."
  • "Our CISO seems to speak a different language!  It’s easier to just avoid him than to try and figure out what he’s talking about."

Some of the things I have actually heard information security officers say include the following:

  • "It’s not my job to know the laws.  If I need to know something, Legal will tell me.  Otherwise, I don’t worry about it."
  • "We’ve had a privacy officer for a couple of years, but I’ve never met her."
  • "I don’t worry about the Privacy Rule…I only need to know about the Security Rule."

Yes…I carry an old-fashioned little note pad with me to capture these nuggets…don’t worry, I never write down names…and my handwriting is like a form of cryptography…  🙂

Do these comments sound familiar?  It’s very likely there are some major compliance gaps, information security risks and vulnerabilities, and privacy infractions in organizations where CPOs and CISOs do not work together.  They have far too many overlapping issues to address to not work together.

Of course, the fact that most CPOs are at much higher levels within the organization than CISOs creates an environment that does not support collaboration.  However, in the best interests of the company, and of customer and employee privacy, these areas MUST work as a team for their shared goals.  And there are many.

  • CPOs and CISOs BOTH must address how to safeguard personal information in all forms
  • CPOs and CISOs BOTH must ensure that privacy and information security protections are built into all the organization’s applications, systems, and processes
  • CPOs and CISOs BOTH must ensure all personnel and business partners with access to the organization’s information receive appropriate training and awareness
  • CPOs and CISOs BOTH must ensure all privacy and information security activities support the business, and must make a business case for their requirements
  • CPOs and CISOs BOTH must comply with applicable laws, regulations and contractual requirements
  • CPOs and CISOs BOTH are managing risks related to information
  • CPOs and CISOs BOTH must establish a program that is effective, justifiable, and fits in with the rest of the business frameworks being used
  • CPOs rely upon CISOs to implement the security protections to meet privacy law requirements
  • CISOs rely upon CPOs to help justify the safeguards put in place
  • And many others…

And, in some organizations, the same person, sometimes coming from an IT background and sometimes coming from a legal background, is given responsibilities for both CPO and CISO duties.  Such a role must know the issues involved with both types of practitioners, not just one.

After much discussion and thought with several practitioners about these overlapping responsibilities and the need to harmonize activities throughout the organization to be most successful and provide business with true process improvement, I had the good fortune to create a 2-day workshop with Christopher Grillo, Director of Information Security at Medica, who has also put much thought into these issues.  We will next be giving this workshop June 10 – 11 in Scottsdale, AZ.  We have put literally hundreds of hours of time into the tools, frameworks, content and methodologies we will be providing within this workshop.  I’m really excited for this workshop to be offered; so many issues are critical, such as making sure the frameworks used within the business address privacy and security, and that they are understood, as well as the typical hierarchy of the privacy and information security responsibilities within organizations.  I am confident the concepts, tools, reference materials, and case studies we provide truly will help privacy and information security practitioners more successfully meet their program goals.

Can you tell I am passionate about this topic?  🙂

Well, I truly am.  If these are issues you are dealing, struggling, or coping with, I would look forward to seeing you in AZ.

NSA…Phone Call Surveillance…Lawsuits…

May 15th, 2006

Okay…you saw this coming!  "Telecoms face billion dollar wiretap lawsuits: Verizon sued for $50 billion over wiretap program."

Yes, we are a litigious society…the NSA is not immune, is it? 

"The legal experts said consumers could sue the phone service providers under communications privacy legislation that dates back to the 1930s. Relevant laws include the Communications Act, first passed in 1934, and a variety of provisions of the Electronic Communications and Privacy Act, including the Stored Communications Act, passed in 1986."

The USA PATRIOT Act widely increased surveillance capabilities without warrants…at least 35 other laws were changed as a result.  It will be interesting to see if this comes into play for this, and other, lawsuits, and how.

And there are other lawsuits out there…and more coming…

  • Dozens of Lawmakers Back Suit Challenging NSA Program: "As debate renewed over the National Security Agency’s surveillance program, dozens of Democrats in the House of Representatives backed a lawsuit filed in New York that challenges the government’s program of wiretapping without warrants."
  • Hide and go seek: "The nonprofit Electronic Frontier Foundation filed the class action lawsuit in January on behalf of telephone subscribers against AT&T, charging the telecom illegally gave the NSA access to records. Many of the allegations were echoed in the USA Today story last week."

Here’s an interesting discussion of the legalities of the NSA surveillance…

* Online groups reveal details, legalities of NSA surveillance

Password and Laptop Loss Statistics for your Awareness Files…

May 15th, 2006

There were some interesting statistics in a Rediff India Abroad article today, "It takes 14 secs to crack your password."  Several of them provide good justification for business leaders to invest in more information security and privacy education for their personnel, and to invest in more information security resources and technologies.

Some of the stats in the article:

  • "Over 60,000 mobile phones, 5,838 pocket PCs and 4,973 laptops were left in licensed taxicabs in London last year."
  • "Up to one in 10 laptops will be stolen during their lifetime."  See www.juststolen.net for more info.
  • "A Symantec report suggests that an ordinary laptop holds content valued at $972,000, and that some could store as much as $8.8 million in commercially-sensitive data and intellectual property."
  • "A Gartner study warns that the Windows password can be cracked in as little as 14 seconds. "
  • "With less than $100, anyone can purchase password-recovery tools on the Internet."
  • "The Symantec research also reveals that only 42 per cent of companies automatically back up employees’ e-mails"
  • "Peter Larsson, CEO of Pointsec Mobile Technologies, says they were able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay, for less than the cost of a McDonald’s meal, all of which had "supposedly" been "wiped-clean" or "re-formatted"."

Mother’s Day, Privacy and the NSA

May 14th, 2006

Happy Mother’s Day!  I enjoyed receiving some wonderful handmade gifts from my two beautiful young sons this morning.  They are the lights of my life.

Many people are calling their mothers today.  Ah, yes…these will be recorded into the largest database in the world…the NSA’s log of virtually all calls made through the U.S.  I thought I’d do a quick check on "mother" and "NSA" and see the various stories related to this…there were several!   Here is a short listing of some that were interesting:

  • In the Quad City Times, by the Washington Post, "Agency blurring lines on privacy":
    • "Colleen Holmes, a stay-at-home mother in Portland, Ore., reported an exchange with a Verizon Wireless customer agent that illustrated not only the dismay some Americans feel about the newly disclosed domestic surveillance but also the fear of terrorism that, for many, more than justifies the program.  Holmes said she was so angry about reports that the government was collecting telephone calling records on millions of Americans that she called Verizon Wireless to explore canceling her service and switching to Qwest.  “It’s your constitutional right to voice your opinion,” she quoted the customer service agent as having told her. “If you want planes to fly into your building … ”"

Hmm…interesting customer service!

  • In the Decatur Daily, "Administration whittling away at Fourth Amendment":
    • "The theory of "Six Degrees of Separation" holds that any one person can be connected to any other person on the planet by a chain of acquaintances that has no more than four intermediaries. In other words: Somebody you know is familiar with someone else who knows another person who is acquainted with a fifth person who knows an al-Qaida operative. The goal of the government program is to "connect the dots.""

Yes, the NSA records, in conjunction with all the other gathered metadata, can certainly link basically anyone on the planet to anyone else…potentially providing a justification for anyone’s phone records, and subsequently other personal information, to be monitored or examined?  Are you really calling Mom today…or someone else…?

  • In the Twin Cities Pioneer Press, "Government has your number":
    • "So, when you are talking to your mother today for Mother’s Day, the conversation is safe, if you want to look at it that way.  But we have no privacy."

Well, I’m not that skeptical…not convinced we have NO privacy.  We don’t have privacy with regard to others knowing who we called and when.  However, there are many forms of privacy.  Not everything about each of us is digitally documented…yet…unless your name is Johnny Mnemonic… 🙂

  • ABC News had some great NSA/Mother’s Day funnies:
    • "Bill Maher: There are more calls made on Mother’s Day than any other day of the year – or as the NSA calls it, "Our busy season.""

Ah, yes…and now…it’s time to go do some laundry…dishes…cleaning…vacuuming…cooking…hey!  Reminds me of a cool tool I found…just in time for Mother’s Day; to those of you who are also mothers, enjoy.  🙂

The "Mom Salary Wizard"
