Hacked bank used to host phishing sites

March 13th, 2006

Yes, the story of the bank in China that was being used to host a phishing site to spoof messages and collect personal information from customers of a different bank, as well as eBay customers, made it all over the news today. 

Such an ironic situation; exploiting the security weaknesses of one bank’s network infrastructure to host a site to exploit the vulnerabilities of another bank’s (and eBay’s) customers.  What is discouraging with regard to security diligence is that the exploit was reported by a customer receiving one of the phishing messages, and not (at least as reported) noticed by the bank itself being used as the host.  In fact, some reports implied the bank may still not be aware of the exploit, but that is hard to believe…or is it? 

Just imagine how many organizations possibly are currently being exploited…and possibly have been for years…because they do no activity logging, vulnerability checks, or audits of their systems on a regular basis.  There have already been many reported instances of the computer systems of several organizations being used as repositories for warez, illegal music and CDs, and porn stockpiles.  Folks, part of an effective regulatory compliance program is establishing safeguards to prevent such situations from happening.

Study supports the need for a good, ethical privacy program

March 10th, 2006

Today’s report about the recent privacy survey jointly done by Carlson Marketing Canada and Ponemon Institute supports what most privacy proponents have been saying…that a good, strong, ethical privacy program will have a positive business impact.  It is nice to have some formal studies to provide to business leaders to support the theory and make it more likely to become an accepted leading business practice. 

Especially supportive of good compliance and privacy programs is the finding that companies who took a more personal touch, notifying individuals impacted by breaches directly by phone instead of postal mail and email, had less of a negative business impact than other businesses that took the easiest, least expensive means of notification contact.  I would imagine that this would also mean that the businesses who spent more time and resources on person-to-person phone contacts for the notifications actually saved more by less lost business…but then, that would probably take another study to verify, wouldn’t it?  🙂

Ethics, and clear personal concern for impacted individuals, should be an important component of any privacy and compliance program; your customers will recognize these characteristics.  You don’t want to be perceived as a privacy and ethics Grinch.

Wonder how often this type of laptop loss occurs?

March 8th, 2006

Okay, I don’t mean to be beating a dead horse, but I find these lost and stolen laptop instances increasingly interesting…

An interesting blurb on the BYU News Net today.

"A Hewlett-Packard laptop computer belonging to a Helaman Halls resident went missing in a delivery mix up March 2. UPS delivered the package to the Helaman Halls front desk; the package, however, bore the name of the student’s father. When front desk employees couldn’t find the name in their computer system, they returned the package to the UPS employee. UPS now cannot locate the laptop, police said."

Odd this was classified by the police as a theft.  How often do you suppose laptops get lost in similar ways?  What kind of information is on them?  Who ends up seeing it?

More patient information compromised from yet two more laptop thefts…and news of two other laptops stolen in 2005

March 7th, 2006

"Fool me once, shame on you…fool me twice, shame on me…"

The same organization, Providence Health System, who had a laptop containing patient information stolen from an employee’s car in January (see my January 27 blog posting) has experienced laptop thefts not just once more, but twice more…each from cars AGAIN!   "The stolen laptops were being used by home care and hospice nurses to chart records on the patients they visit each day."  On February 27 and March 3 laptops were stolen from the cars of the home care nurses; one as the worker ran quickly into a store and left the laptop in the car, and the other laptop was stolen from the worker’s car while the worker was visiting a home patient. 

I wrote about the unwise practice of using Lexus laptop lockers in the March Computer Security Institute Alert newsletter.

"Many patients are backing a class-action lawsuit against Providence. So far, none of the stolen records appears to have been exploited by criminals."  Smart thieves will likely wait to do much obvious mischief with the stolen information.  There is also the possibility that the information is being used in unsavory ways that won’t show up in a credit monitoring report…privacy is about more than just identity theft.  And, of course, perhaps the thieves will sell the laptops on eBay to make a little extra pocket money…hmm…something to keep an eye out for.

Two laptops containing clear text patient information were also stolen from Providence last year; the company indicates they are taking a "deeper" look at those thefts.

After the January incident involving information about 365,000 patients, Providence indicated they had paid up to $9 million for credit monitoring…after pressure from the impacted individuals.

"Since the thefts…the company has begun adding encryption to home-care practitioners’ laptops to lock out unauthorized users."  This was done after the thefts this week.

I’m sure the encryption solution cost much less than $9 million. 

With all these reported incidents of stolen laptops, thieves are probably on the lookout more than ever for vulnerable laptops and other mobile computing devices.  I hope this is a bellwether for companies to start encrypting data on these devices as a matter of standard business practice and due care.

Another stolen laptop

March 6th, 2006

I am becoming more and more drawn to stolen laptop stories much as a moth is drawn to a flame…hopefully this will result in enlightenment as opposed to burn, however!  🙂  Another story about a stolen laptop, a Boca drug salesman’s laptop is stolen.  What’s interesting about this is that the theft victim was a consultant for Procter & Gamble, but the report only mentioned the value of the hardware, and not what types of files were contained on the laptop.  Wonder what kind of personal information, if any, was on the laptop?

More Health Information Found on Tapes Sold to Get a Return on Investment

March 5th, 2006

Another story was reported yesterday in the Vancouver Sun about confidential information being found on tapes the British Columbia government sold.  I’m not too surprised considering most organizations do not encrypt personal, or any, information on removable storage media, such as tapes, CDs, USB drives, and so on.  I’ve done many outsourced vendor security reviews, and I was initially surprised to see that some of them actually have within their security policies the directive to sell mobile storage media when no longer needed to try and recoup some of the investment made in it.  I’ve seen policies go into great detail about how to sell the media, on eBay and in other venues, but completely omit any mention of removing the data first.
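To make the "remove the data first" point concrete, here is an added example (my illustration, not code from the post or from any vendor policy mentioned in it).  It simulates a small block device as a bytes object: a "quick erase" that only clears the directory block, the way deleting files or a quick format behaves, leaves every patient record readable to anyone who scans the raw blocks for printable strings, which is exactly what a buyer with a hex editor would do.  Only a full overwrite of every block passes the sanitization check.  The records, block layout and file names are constructed sample data.

```python
"""Check whether storage media has really been sanitized before it is sold or discarded.

Added example, not from the original post.  A 'quick erase' that zeroes only the
directory block leaves the data blocks intact; a full overwrite does not.  The
residual_strings() check is what a buyer running `strings` over the raw device sees.
"""
import re

BLOCK_SIZE = 512  # assumed block size for the simulated media


def make_image(records, blocks=16):
    """Constructed sample media: block 0 is a fake directory, records fill later blocks."""
    image = bytearray(BLOCK_SIZE * blocks)
    directory = ",".join(f"{name}:{2 + i}" for i, (name, _) in enumerate(records))
    image[0:len(directory)] = directory.encode()
    for i, (_, payload) in enumerate(records):
        start = (2 + i) * BLOCK_SIZE
        image[start:start + len(payload)] = payload
    return bytes(image)


def quick_erase(image):
    """Clear only the directory block: what 'delete' or a quick format does."""
    return b"\x00" * BLOCK_SIZE + image[BLOCK_SIZE:]


def overwrite(image):
    """Overwrite every block of the media, not just the directory."""
    return bytes(len(image))


def residual_strings(image, min_len=8):
    """Return (block_number, text) for every printable run still on the media."""
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    found = []
    for offset in range(0, len(image), BLOCK_SIZE):
        chunk = image[offset:offset + BLOCK_SIZE]
        for m in pattern.finditer(chunk):
            found.append((offset // BLOCK_SIZE, m.group().decode()))
    return found


def is_sanitized(image):
    """True only when no block contains anything but zeros."""
    return not any(image)


# Constructed sample records (fictional patients).
SAMPLE_RECORDS = [
    ("visit_0227.txt", b"Patient: Jane Doe, MRN 000123, DOB 1961-04-12, Dx: hospice care"),
    ("visit_0303.txt", b"Patient: John Roe, MRN 000456, SSN 000-00-0000, meds: see chart"),
]

if __name__ == "__main__":
    media = make_image(SAMPLE_RECORDS)
    erased = quick_erase(media)
    print("quick erase sanitized?", is_sanitized(erased))
    for blk, text in residual_strings(erased):
        print(f"  block {blk}: {text}")
    wiped = overwrite(media)
    print("full overwrite sanitized?", is_sanitized(wiped), residual_strings(wiped))
```

Run it and the quick-erased image reports "sanitized? False" followed by both patient records, pulled straight out of blocks 2 and 3; the overwritten image reports True with nothing recoverable.  A policy on selling media should require the overwrite step and a check like this one before the media leaves the building.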

Breach Notification and Encryption

March 3rd, 2006

I read a story from yesterday’s Computerworld, "Breach notification laws: When should companies tell all? Privacy experts, lawyers differ on whether more laws would help" with great interest, concern, and puzzlement at one point.  I realize that sometimes reporters twist words and put quotes into a different context to make the story more interesting.  However, there is one quote I want to pull from the article.

  • "Breaches should not be tied to the potential criminal use of the information," said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. "I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified."

Does this logic apply to someone stealing my credit card also?  So, if someone takes my credit card, should the credit card company wait until the intent of the criminal has been identified before cancelling my card?  The main difference is that my stolen credit card is a small-scale incident; it impacts only me.  So, if the incident involves stealing thousands or millions of credit cards in a database then the intent of the criminal must first be determined?

Of course you cannot know the intent of criminals before they commit crimes.  But when computer breaches occur, the potential impact must be examined.  If someone purposefully broke into a system, it is likely they did not do it to debug the application code or to apply a more recent security patch.  Computer crime is growing.  Many studies, such as the CERT/Secret Service Insider Threat Study, show that there is growing criminal intent involved with computer-related incidents. 

So…unless there is irrefutable evidence that someone has mucked around with and fraudulently used all the personal information that has been stolen, or found on lost storage media, or inappropriately accessed by fraudsters, we should not worry about the potential for criminal use of information that is lost, stolen, or misused by those with access to it?  I guess in the CardSystems Solutions incident last year where a network intruder stole information on 40 million people, "and according to the FTC, the security breach resulted in millions of dollars in fraudulent purchases" wasn’t anything to worry about until the fraud occurred?  I’m sure all the people who are now dealing with identity theft, identity fraud and ruined credit histories got warm fuzzies reading his opinion.

  • "Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath."

While it would take some examination of the breach notification laws involved, I generally agree with this statement.  Encryption is one of the most effective security tools available to protect the confidentiality of and access to data.  New encryption solutions have made it easier to use and manage, and more economical, than ever before.  If strong encryption is used (and this could be part of the regulatory verbiage and easily verified by organizations when breaches occur), then why would notification, or the same level or type of notification, be necessary? 

I agree that over-notifications should be avoided, but that comes from crafting thoughtful laws and identifying what those key notification triggers should be.  Over-notification definitely could have a negative impact.  But let’s get some information security and privacy experts speaking with the lawmakers to help them understand the issues and write good legislation.

There is so much more to discuss about this…

HIPAA Violations

March 2nd, 2006

One of the activities I want to start doing is to maintain a listing of publicized HIPAA breaches, fines, judgments, potential violations, etc.  I have found many sites listing privacy breaches, but I have not been able to find a site with a listing of just HIPAA related incidents.  I’ve contacted CMS and OCR about this, and they do not have such public listings.  I was reminded of my plan to do this when reading an interesting story today about the CDC collecting medical and education records from a school district about a child with autism without seeking to obtain the parents’ consent.  Reportedly the CDC took similar actions last year.  Note that this is also a possible violation of the Family Educational Rights and Privacy Act (FERPA).

I will post other HIPAA-related incidents as I find them and dig up those from the past that I recall.

Computer Viruses Getting Biologic Characteristics

March 1st, 2006

Stories such as the one in Network World about how a new type of proof-of-concept computer virus can pass from a PC to a mobile computer device and delete files are very interesting.  The anti-virus vendors seem skeptical.  This is semi-déjà vu.  A few years ago when the use of mobile computing devices was still in its infancy I read an article in which one of the anti-virus vendors, I thought it was McAfee, said someday it would be possible to get a computer virus just by walking past an infected wireless computer or smartphone with your wireless computing device.  I spent too long googling to try and find this article tonight…exasperating!  If any of you find it, please let me know! 

However, it seems like this possibility has been discussed for a few years now, and it appears that someday all computing devices will be wireless, and thus capable of communicating easily with each other, via one route or another, won’t they?  The use of wireless in business is increasing daily.  A 2005 study reported 93.5% of responding companies used wireless somewhere within their organization, and 48% of the employees had access to use wireless technology.   

I’m certainly not a computer virus guru, but based upon programming and wireless concepts, the threat of this kind of virtual airborne virus makes sense.  I would be interested in seeing how many viruses that exist today started out as "proof of concept" viruses…basically didn’t they all?   Seems that the potential for this new concept virus called Crossover is being downplayed by the anti-virus software vendors who cannot get their hands on the code from MARA.

iPod…you pod…we can all slurp with iPod…

February 27th, 2006

I read with interest the story about stealing data easily using iPods with a tool a security guy created. I received a 60 GB iPod for Christmas; I can certainly see how an organization’s most valuable and sensitive data could be slurped out without any knowledge of the company. I did an information check of a few of my security practitioner buddies at some very large multinational organizations. One thought all the USB ports on the desktop computers had been removed, but she did a quick check…of the desktops being used by the contracted staff…and found they ALL had active USB ports on them. Supposedly the tool the security guy created is not designed to download actual files, only report how many it found. However, how trivial would it be for an IT dude to write a simple script to find and download the files? I’ve accidentally copied files into my iTunes before, and it recognized them with the extensions renamed to look like MPEG files. Hmm…
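The iTunes observation above is the part worth dwelling on: a check that trusts file extensions will wave through a customer list renamed to .mp3 just as readily as iTunes did.  Here is an added example (my own illustration, not the slurping tool described in the story) of the defensive counterpart: walk a directory, read the first bytes of each file, and flag anything whose leading bytes identify a document container (PDF, Office OLE2, zip-based Office) even though its extension claims it is audio or video.  The sample directory, file names and contents are constructed in a temporary folder so the script runs offline; the byte signatures are the real, well-known ones.

```python
"""Flag files whose extension says 'media' but whose leading bytes say 'document'.

Added example, not from the original post or the tool it mentions.  Extensions are
attacker-controlled; the first bytes of a file are far harder to disguise without
breaking the file.  The directory tree below is constructed sample data.
"""
import os
import tempfile

# Leading-byte signatures of common document containers (well-known values).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml (docx, xlsx, pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc, xls, ppt)",
}
# Extensions a media player would happily index.
MEDIA_EXTENSIONS = {".mp3", ".mp4", ".m4a", ".mpg", ".mpeg", ".aac", ".wav"}


def sniff(header):
    """Return the document type matching the file's leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def find_disguised_documents(root):
    """Return sorted (relative_path, extension, sniffed_type) for media-named documents."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                header = f.read(16)
            kind = sniff(header)
            if kind and ext in MEDIA_EXTENSIONS:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), ext, kind))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a real-looking MP3, a real PDF, and two documents renamed as audio."""
    root = tempfile.mkdtemp(prefix="slurp-check-")
    files = {
        "music/song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64,
        "docs/quarterly.pdf": b"%PDF-1.4\n%constructed sample\n",
        "music/track02.mp3": b"%PDF-1.4\n%customer list, renamed to look like audio\n",
        "music/track03.m4a": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 32,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, ext, kind in find_disguised_documents(root):
        print(f"{rel}: named {ext} but content is {kind}")
```

On the sample tree it reports track02.mp3 as a PDF and track03.m4a as a zip-based Office document, and says nothing about the genuine MP3 or the PDF that is honestly named.  Pointed at a user's media library or at what a removable device is about to carry out the door, the same check catches the renaming trick the post describes.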
