Archive for the ‘Information Security’ Category

Still More on Laptop Security & Thefts, Encryption and Training

Saturday, May 13th, 2006

Yes, I’m still on a quest to learn about laptop thefts, losses, and other related crimes, mistakes, and oopses.  If you did a study to determine the actual amount of business data and personal information stored on these meandering data minefields, I’m sure the result would be mindboggling…

Today the Arizona Republic published a report, "Lost, stolen laptops bring security risks."  Agree…the title tells us nothing new. 

However, there are some interesting statistics within the report; organizations can put these into their info sec file and use them within their awareness efforts.

Some of the nuggets include:

"Last year, 1,970 laptops or laptop-related items were reported as stolen to the Phoenix Police Department, up from 1,667 in 2004. As of April 30, 663 reports of laptop or laptop-related item theft have been filed this year. "

This is just in one city!  I see every day in the police reports from across the U.S. reports of stolen laptops/notebooks/Blackberries/PDAs/etc. 

"Tom Liffiton, a special agent for the FBI who heads a cyber-crime squad in Phoenix, said that while most laptop thefts go unreported to the FBI, "I can tell you I recently talked to a very large bank that said they lose a laptop (to theft) every day." The good news for the bank and those who do their banking there is that, unlike Fidelity, the bank encrypts the information on its laptops."

Kudos to Fidelity for encrypting all data on their laptops!  Yes, another rallying cry of mine…encrypt data on mobile computing devices!  Disk encryption is really easier and more cost efficient than ever before.  Given how many of them are lost and stolen it just makes good business sense. 

"The International Data Corp. reported in 2005 that PC makers predicted laptops will account for more than 40 percent of the PC market in 2006-2007, and expected that figure to pass percent in 2008.  According to FBI reports, more than 97 percent of those laptops are never recovered."

Not surprising.  How many of you have your laptops/notebooks/etc. tagged so that they can be tracked and reclaimed whenever they are recovered by law enforcement authorities?  An untagged device is a prime target for easy resale.  Just look on eBay…as of this moment on 5/13 there are many different types of computers for sale:

Desktop PC Components (3592)
Desktop PCs (3063)
Software (2695)
Laptop Parts & Accessories (2104)
Laptops, Notebooks (1649)
Input Devices (1406)
Vintage Computing Products (522)
Monitors & Projectors (515)
Networking (501)
Apple, Macintosh Computers (404)

How many of these do you suppose were lost or stolen?

"Among the companies that take a serious approach to the matter of laptop security is Intel, where roughly 85 percent of employees use company laptops. All employees are required to participate in a security awareness class, which Intel updates every year."

Training is also of great importance for any security effort.  I wonder whether Intel also requires all data on the laptops to be encrypted?

Also, remember that encrypting data on laptops, and providing training and awareness, both contribute to compliance with numerous regulations.

Technorati Tags







Data About 14,000+ Persons, Including SSNs, Credit Card Numbers, and Health Information, Accessed by Hackers on Pentagon Computers

Saturday, April 29th, 2006

Yesterday the AP released a story that was widely published, "Pentagon Hacker Compromises Personal Data." 

The story didn’t really give much detail, but it does demonstrate the importance of firewalls, intrusion detection systems, and other types of monitoring and logging to detect unauthorized access to networks, as well as the need to encrypt personal information…

"WASHINGTON — An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday. 

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft. 

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement."

Yes, this is an inconvenience, a huge one, for people who end up having to fight the consequences of inadequate security for their personal information.  As another story from Houston points out, the amount of effort and time it takes for people to convince law enforcement, credit companies, and the companies where the security incidents occur, that bad things are happening to them, and then to clean up their credit information, is significant.

"HOUSTON — Identity theft is the fastest growing crime in the United States and Houston is the No. 1 spot for this crime in Texas. Yet, the KPRC Local 2 Troubleshooters found there is little chance the people committing these crimes will ever see the inside of a jail cell.  Every month an average of 340,000 Houstonians report crimes involving credit and debit cards.  This man is just one of those cases.

"It’s worse than having your car stolen because it’s an intangible. It’s your identity and I had no clue how I was going to get that back," a victim said.  He asked the Troubleshooters to shield his identity because someone ran up $17,000 worth of credit card charges under his name.  "I didn’t find out until I was getting calls from creditors," the victim said.  Equally frustrating is what happened when he said he reported the crime to police.  "The tone of the conversation was pretty clear. He had taken the report and I could get a copy of the report, which would help me clear my record," the victim said.  Angry by what he felt was a lack of response, he did his own digging and was able to find out which ATM the crooks were using to take out cash.

"I offered that to police and they were like, ‘Yeah, if you want to bring that down, that’s fine. We’ll have a look at it.’ But it was pretty clear nothing was going to be done," the victim said.  "I’ve been a victim of identity theft over three times in the past year and I understand their frustration. It’s a frustrating crime," said Sgt. Mike Osina with the Houston Police Department.  Osina is with HPD’s Financial Crimes Unit.  "We are inundated with cases," he said.

That may be an understatement. In the last two years, HPD’s 15-member financial crimes unit has received more than 32,000 cases for investigation. Just getting a detective on the phone to talk about a case can be a chore.  The Troubleshooters called the financial crimes unit.  "You have reached the Houston Police Department’s Financial Crimes Unit. All representatives are currently assisting other callers. Please remain on the line," the recording said.  The Troubleshooters waited for 10 minutes, 20 minutes, 30 minutes, and 45 minutes.  After being on hold for an hour, they heard the following message.  "All representatives are still assisting other callers. Please remain on the line and your call will be answered in the order in which it was received."  No one ever answered the Troubleshooters call.

"I don’t know what to tell you what happened on that and I apologize that it did happen. We will do a better job of that," Osina said.  So, with such heavy caseloads, what about actually catching the crooks?  "Every case gets read. Every single case that comes to our office gets read — that I can promise them," Osina said.  Reading a case is one thing. Solving it is another.  HPD records show in the last year, only 2 percent of forgery and counterfeiting cases and only 12 percent of fraud cases were actually solved. "Every time we get a handle on a certain way these crooks are doing things, they evolve into something else," Osina said.

Just ask the victim interviewed by the Troubleshooters. It took years to repair his credit. But what about the person who stole his identity?  "Actually, I don’t know. It’s still a mystery to me," the victim said.  One of the biggest problems with solving these cases is many of the crooks live in other cities, states or even foreign countries.  That means local detectives have to rely on other jurisdictions for help, and that spirit of cooperation isn’t always there.  As for the problems of getting ahold of a detective, the captain of the division was so disturbed by what the Troubleshooters found he said he is making immediate changes to ensure it doesn’t happen again."

Yes, this is a big inconvenience.  I think showing these stories in juxtaposition highlights a common flaw in the thinking of the companies where incidents occur, and of the judges who rule that if no damage (in their opinion) is done to a victim within a mere matter of weeks, then the company where the incident occurred is not held accountable and it can be assumed that bad things will not happen.  Bad things can be done with the stolen data over a matter of months or years.  It often is not noticed until something unusual happens, like getting a call from creditors.  The sad fact is that most people don’t look over their credit card statements closely…and that the bills for newly established fraudulent accounts are often sent to bogus addresses, so the victim is never aware of the fraud occurring.

Okay…back to the Pentagon hacking story…

"The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions. The computer server is for people insured under the Pentagon’s TRICARE health care system. 

The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused."

Of course you can never know the intent of the intruders for how they will use the information!  They will use it in any way they can, and probably in many different ways, to get as much money out of it as possible. 

It is possible the information will be sold, resold, and propagated to a very wide audience.   And, of course you cannot know IF the information will be misused, but shouldn’t you expect that is a very significant possibility given it was taken to begin with?

"A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.  Routine monitoring of one of the health care insurance system’s public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised.  As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said."

This highlights, again, the need to encrypt personal information at rest and in motion.  If this data had been encrypted there would truly have been no impact on 14,000+ people as a result of this incident (assuming the compromise was not done by an authorized insider).

The incident occurred on April 5, but the story was not reported until April 28.  I wonder how long it took the impacted individuals to get their notice of the incident?


Study shows UK businesses have almost non-existent information security budgets, and only 12.5% of companies have info sec staff

Friday, April 28th, 2006

There was a story published in The Register (a really great source of news, btw) earlier this week that I am just now getting around to reading, "UK PLC security prognosis mixed."  They gave a synopsis of some of the findings in the DTI Information Security Breaches Survey 2006; there is an Executive Summary and the full report.

Well…it is Friday…and I still have over half of my week’s to-do list to get done…but I’m always curious about these types of surveys…so here are just a few excerpts and thoughts about the findings from the full DTI report:

"Overall, the cost of security breaches to UK plc is up by roughly 50% since two years ago, and is of the order of ten billion pounds per annum."

This is around $18 billion U.S. dollars and around 14,380,043,082 Euro.  (Here’s a nice little currency conversion calculator.)

"The average cost of a UK company’s worst security incident of the year was roughly £12,000 (up from £10,000 two years ago)."

This is US $21,613.20…seems low to me.  But then again, averages can be misleading.

"Roughly two-fifths of businesses spend less than 1% of their IT budget on information security."

Well…kinda surprising, but then again not really…and it still seems excessively low.  Definitely disappointing to see information security is still so low on the budget totem pole.

"There is still a shortage of security qualified staff; only one in eight companies has any."

Wow!  This low number does surprise me.

"Three-fifths of UK businesses are still without an overall security policy, though a third of these have defined an acceptable usage policy for the Internet."

This is surprising also.  I wonder, with this lack of staff and lack of policies, how accurate the cost of security breaches truly is?  There are likely a lot of security problems going on…including fraud and insider abuse…that are not known or being discovered.  There’s no one on staff, and no technology being used, to discover them!

Well…there is so much more to the report…I only got to page 5 of the full report.  Check it out; I’ll look through it more closely this weekend.


Iron Mountain Loses More Personal Data…This Time for 17,000 LIRR Present and Past Employees

Thursday, April 27th, 2006

Wow…it’s a busy week for data security incidents! The Aetna laptop I just mentioned… earlier this week the hack at the University of Texas at Austin involving a database with info on 197,000 people, etc… 

Remember last year around this time when Iron Mountain had several incidents where they lost data for their customers?  Well, spring is no kinder to them this year…they’ve lost more data on around 17,000 people, as reported by the AP:

"(AP) NEW YORK The Long Island Rail Road says it has lost personal information — names, addresses, Social Security numbers and salary figures — of virtually everyone who has ever worked for the railroad. Iron Mountain, Incorporated — a Boston company — employed by the railroad to warehouse and secure information at an undisclosed storage site discovered the loss on April 6. During a routine delivery between LIRR headquarters in Jamaica and the storage site — an Iron Mountain driver noticed that at least one unmarked box was missing. The LIRR said MTA Police and the NYPD were immediately notified.

On Monday, the railroad mailed a letter from LIRR President James Dermody to approximately 17,000 current and former employees, notifying them about the lost information. The LIRR has about 6,000 current employees. Newsday reports that the letter said the information on the computer discs was formatted in a way that is very difficult to access without specialized skills, specific software and sophisticated computer equipment. The LIRR agreed to provide anyone at risk with a free one-year enrollment with a credit check and identity theft monitoring service. The railroad has also set up a Web site and telephone hotline for employees with questions about the missing data."

It is always interesting to see incidents involving data that is not encrypted downplayed by the organization saying the data is "very difficult to access without specialized skills…"

Gee, how many folks have IT experience, specialized IT skills, and sophisticated computers?  Hmm…


Laptop Security: Incidents Listing and Recommendations

Wednesday, April 26th, 2006

Yesterday I posted a new article in the reading room of the Realtime IT Compliance site about the need for securing mobile computing devices and mobile storage media, "Managing Mobile Computing Risks."  Within it you will find a partial (but still pretty lengthy) listing of the laptop theft and loss events I’ve been accumulating.  There are also several pointers for securing these mobile devices, along with some awareness recommendations.  People are the weakest link in your mobile computing device security strategy; they literally hold security within their hands.  With the increase in incidents involving mobile computing devices, you must educate them about how to protect these devices.

For additional information about mobile computing security, see another article published today on SearchSecurity.


Give Me Your Money Or I Won’t Decrypt! Using Encryption for Extortion

Tuesday, April 25th, 2006

Today Media Life Magazine published an interesting article about using encryption to extort money from organizations from whom data has been stolen.  The dark side of encryption!  After Googling a bit, I’m sure this is nothing new to some of you.  However, the article is a pretty interesting read…

“From a venue of shared information, the web is turned by blackmailers into a vehicle for extortion. Scamsters break into a user’s computer, encrypt data, then demand money by e-payment in order to unlock the data. Such schemes have been around for years but investigators warn that they have shot up in the last year, and they’re likely to surge in the coming months. That’s because in the first quarter of 2006 the cyber criminals operating these scams developed increasingly sophisticated software, according to a report from Kaspersky Lab, a Russian anti-virus software company.  As a result of these developments, Kaspersky researchers warn, “Holding user data hostage is one of the most dangerous and rapidly evolving types of cyber crime.

It is not mainstream yet, says David Emm, senior technology consultant at Kaspersky. But this is a new twist on the theme and watch out, because it may become a bigger part of the picture.

Blackmail scams that encrypted data until a sum of money was paid first appeared in 1989. However, at that point e-payment systems weren’t readily available, so blackmail involved physically collecting the money. That made it no more attractive than traditional blackmail schemes, where the schemers face a huge risk when they swing by to pick up the loot. That risk largely evaporates with e-payment systems. Collecting involves no physical appearances, just clearly written instructions on where to send the money, and the transactions are difficult to track. 

The current scams work like this. The virus, of which there are three main ones at the moment, enters the victim’s machine through the usual routes, such as email attachments, worms or phishing. The virus then encrypts the victim’s files, locking them up. The virus leaves a readme text file, which when opened explains that the data has been locked up and will stay that way until the blackmailer receives money wired over the internet through an e-payment system.  The amount demanded typically ranges between $50 and $2,000.

The user is given very thorough instructions on how to go about setting up an e-payment account. In one instance, this even included a handy tip suggesting the victim makes the account name something easy to remember (as they will be asked for it again later) and reasonably short, according to the Kaspersky report.  In setting the extortion sum, scamsters keep the figure low enough that a sufficient number will choose to pay up. What’s more, says Emm, these low-figure operations can cover their tracks more easily.  Perhaps surprisingly, these crooks so far have generally unlocked the data upon receipt of payment.

Kaspersky advises victims of such schemes to not hand over the money demanded, though it may seem the easier course, but to instead contact their anti-virus software provider. They will likely be able to unlock the data. In the last year Emm estimates hundreds of people have fallen victim to such scams. Says he: “It is a significant number.  To date most incidents have been in Russia and Eastern Europe, but Emm believes that this is likely to change. I don’t see any reason why we wouldn’t see it soon in the U.S. and Western Europe.”

More reason to keep your data encrypted in storage…along with off-line backups!!

This extortion method has been written about before in multiple places.   An FBI acquaintance of mine told me about this a few months ago, and the FBI posted a message regarding it on their site on 3/16/06. I’d like to know how widespread this is…if it is anything like my FBI contact indicates, it is pretty incredible.
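The article above describes the pattern from the victim's side: ordinary files replaced by encrypted blobs, plus a dropped "readme" demanding payment. The script below is an added example (it is not code from the original post, the Media Life article, or Kaspersky) showing how a defender can look for exactly that pattern on a file tree: a byte-entropy check that flags files whose contents now look like random (encrypted) data, and a check for a small note file with payment wording. The note filenames, the phrase list and the 7.5 bits-per-byte threshold are assumptions for illustration; the sample directory it scans is constructed inside the script.

```python
# Added example (not from the original post, the Media Life article, or
# Kaspersky): a defender-side heuristic scan for the "data held hostage"
# pattern, i.e. files replaced by high-entropy (encrypted) content plus a
# dropped "readme" note demanding payment. Note filenames, phrases and the
# entropy threshold below are assumptions, not values from the page.
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators; real notes vary, so tune these to what you observe.
NOTE_NAMES = {"readme.txt", "readme"}
NOTE_PHRASES = ("encrypted", "pay", "e-payment", "unlock")
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data is close to 8.0
SAMPLE_BYTES = 65536      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """True for a file with an expected note name and at least two payment phrases."""
    if path.name.lower() not in NOTE_NAMES:
        return False
    try:
        text = path.read_text(errors="replace").lower()
    except OSError:
        return False
    return sum(phrase in text for phrase in NOTE_PHRASES) >= 2


def scan_directory(root: Path, threshold: float = ENTROPY_THRESHOLD):
    """Return (high_entropy_files, ransom_notes) found under root.

    Caveat: legitimately compressed or encrypted files (zip, jpeg, your own
    encrypted backups) also score near 8.0, so high entropy alone is a
    signal to correlate with notes, renamed extensions and change rates,
    not a verdict on its own.
    """
    suspicious, notes = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(path)
            continue
        head = path.read_bytes()[:SAMPLE_BYTES]
        if head and shannon_entropy(head) >= threshold:
            suspicious.append(path)
    return suspicious, notes


def build_sample_tree() -> Path:
    """Constructed sample: one plain document, one 'locked' file, one note."""
    root = Path(tempfile.mkdtemp(prefix="hostage_demo_"))
    (root / "report.txt").write_bytes(b"Quarterly figures: all nominal.\n" * 50)
    # Stand-in for an encrypted file: every byte value equally often (entropy 8.0).
    (root / "report.pdf.locked").write_bytes(bytes(range(256)) * 16)
    (root / "readme.txt").write_text(
        "Your files have been encrypted. Pay via e-payment to unlock them.\n"
    )
    return root


if __name__ == "__main__":
    flagged, found_notes = scan_directory(build_sample_tree())
    print("high-entropy files:", [p.name for p in flagged])
    print("ransom notes:", [p.name for p in found_notes])
```

Run it as-is and it reports the constructed `report.pdf.locked` as high-entropy and `readme.txt` as a note, while the plain `report.txt` passes. In practice you would point `scan_directory` at a user's document folders and compare the flagged set against the last known-good backup manifest; the scan only tells you what was hit, and the off-line backup the post calls for is what gets it back.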


Reasons for Throwing Away Evidence…People Say the Darnedest Things!

Friday, April 21st, 2006

Here in the Des Moines, Iowa area there has been a scandal going on, with three executives of a non-profit agency collectively being paid $1.8 million in the last 18 months.  It was reported today that the day after one of these executives resigned because of the investigation, her secretary was found at the office at 4:30am "throwing away" boxes of papers from the executive’s office.   

The secretary said: "‘I was unable to sleep well that night and I awoke early,’ Rieck wrote. ‘I proceeded to get up and go into work as I knew my cubicle needed to be organized and the boxes of old files reviewed.’"

Sure!  A restless, sleepless night makes a lot of people get up, get ready, and go into work 4 hours early, doesn’t it?

Well…scandals certainly seem to motivate people to clean house, don’t they?  Shades of Enron pop into mind.

Even if the secretary did not throw away anything involved with the investigation (remember, innocent until proven guilty), it just goes to show how investigations seem to be great motivators to carefully dispose of potentially sensitive or incriminating papers…and how otherwise, without such motivation, sensitive personal information, such as credit card information from a beauty supply store, gets tossed into the closest alley dumpster.

Looks like they need to learn about shredders…perhaps at an interesting site, All about Paper Shredders?  Just something I stumbled across…


Thief Steals Credit Card Information from Dumpster and Buys Computer; Remember the Disposal Rule

Thursday, April 20th, 2006

Today the Edmonton Sun reported that:

"A crook used stolen credit card information to buy a laptop computer after an Edmonton company dumped 2,606 credit and debit card sales receipts in an unlocked dumpster, says the Information and Privacy Commissioner’s office. Monarch Beauty Supply came to the attention of Information and Privacy Commissioner Frank Work last September after Edmonton city cops advised that someone had turned over documents containing personal information from the Monarch Beauty Supply store in west Edmonton. The documents included the store’s daily financial records along with customer credit and debit sales receipts containing customers’ names, credit card numbers, expiry dates, customers’ signatures and debit card numbers. The receipts were for transactions over a two-year period. Work investigated and found that Monarch Beauty Supply had contravened the Personal Information Protection Act by dumping the sensitive information in the unlocked dumpster."

I’ve seen multiple organizations that have invested huge amounts of financial and human resources to protect their networks, and then have non-existent security over the data and computers they dispose of…many doing similar things, such as dumping large amounts of papers with confidential information into open dumpsters.  This incident happened in Canada, but these types of situations happen all the time in the U.S., and other countries, as well. 

I don’t think a lot of U.S. organizations, especially small- and medium-sized businesses, are aware of the Disposal Rule that is part of the U.S. Fair and Accurate Credit Transactions Act (FACTA).  The Disposal Rule went into effect on June 1, 2005.  The FTC provides a guidance document about how to comply with this rule.

Do you need to comply with the Disposal Rule?  The FTC says:

"The Disposal Rule applies to people and both large and small organizations that use consumer reports. Among those who must comply with the Rule are:

Consumer reporting companies
Lenders
Insurers
Employers
Landlords
Government agencies
Mortgage brokers
Automobile dealers
Attorneys or private investigators
Debt collectors
Individuals who obtain a credit report on prospective nannies, contractors, or tenants
Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule."


U.S. FTC Today Announced They Will Follow the OECD Recommendations for Combatting Spam

Wednesday, April 19th, 2006

Today the FTC issued a press release indicating the U.S. will join with the other 29 OECD member countries to cooperate in combatting spam. 

If only the U.S. Congress would use the OECD privacy principles to establish one comprehensive data protection (privacy) law applicable to all industries and organizations!

The press release included the following:

"The FTC has joined its foreign partners in calling for stepped up cross-border law enforcement cooperation and increased public/private sector cooperation to combat spam. The Organization for Economic Cooperation and Development (OECD) issued recommendations in this area today. The OECD is an international forum of 30 countries, including the United States, established to promote economic growth, trade, and development.  Spam is a vehicle for deception, for spreading viruses and spyware, and for inducing consumers to provide confidential information that can later be used to commit identity theft. Spam poses unique challenges for law enforcement in that senders can send their messages from anywhere in the world to anyone in the world, thus making spam an international problem that must be addressed through international cooperation. The OECD’s specific recommendations to address these challenges include the following:

Government enforcement agencies should have the necessary authority to take action against spammers located in their territory or against foreign spammers who target consumers in their territory."

This will be interesting to see put to the test.  Considering the proliferation of spam, it should be a long wait.

"Government enforcement agencies should have the ability to share information with foreign law enforcement officials in appropriate cases."

I wonder how far this information-sharing will go with regard to the data collected for investigations?  There are certainly some data protection laws that will conflict with this recommendation.

"Government enforcement agencies should have the ability to provide investigative assistance to foreign authorities in appropriate cases, particularly in obtaining information or locating or identifying people."

Again, it will be a test to see this recommendation put to action with regard to "locating or identifying people."

"Government enforcement agencies should partner with industry and consumer groups to educate users and promote information sharing."

It would be great to have some high-quality awareness and training materials come out of this; the government has already created several good training materials that businesses can use as part of their awareness and training efforts.

"Government enforcement agencies should cooperate with the private sector to facilitate the location and identification of spammers."

I will look forward to seeing what these outreach efforts will be.

"Countries should cooperate in international enforcement efforts; efforts to reduce the incidence of inaccurate information about holders of domain names; and efforts to make the Internet more secure.
The FTC has implemented many of the OECD recommendations. For example, it has engaged in aggressive law enforcement against international spammers; worked with an international network of spam enforcement authorities; partnered with the private sector on consumer education; and encouraged the private sector to implement domain-level authentication systems. In addition, the FTC has suggested that Congress enact legislation called the US SAFE WEB Act that would give the FTC new tools to cooperate with foreign counterparts in fighting spam and other types of cross-border fraud."

I think a big problem is that the private sector is often not aware of the efforts of government offices, such as the FTC, to partner on education.


Great Resource Links from Schmidt Testimony to the House Small Business Committee

Tuesday, April 18th, 2006

Howard Schmidt provided "The State of Small Business Security in a Cyber Economy" testimony to the House Small Business Committee on March 16.  He provided some great links to resources that can benefit not only small businesses but really any size of business.  An excerpt of the testimony containing many of these links includes:

"B. Awareness and Training

1. There is a real need for SMBs to understand that threats against IT systems are not just directed against large companies and large enterprises.  There is a real need to provide the SMBs with a clear understanding that criminal activity is often directed at them as well. Knowing that you are a potential target is important to understanding how to keep from becoming a victim.

2. The Treasury Department has released a DVD called “Identity Theft; Outsmarting the Crooks” that is available to a wide audience including SMBs. The FTC, USPS, USSS, Army CID as well as other private sector groups worked to create this DVD.

3. The FTC has long been a leader in providing awareness and continues to lead in this role.  In addition to the multiple efforts in which they partner with other public and private entities, they have created a web site in concert with the Department of Commerce, Department of Homeland Security, USPS and the SEC.  This web site provides a wealth of information that is vital to understanding cyber security and helps SMBs understand the threats that they and their customers face.

4. The National Cyber Security Alliance, formed in 2003 as a private-public partnership, has a dedicated section to help SMBs learn about cyber security, data recovery and reporting of cyber crimes.

5. The Multi State ISAC, under the leadership of Will Pelgrin, from Governor Pataki’s office, has worked with the states to provide the awareness and training so states can pass this information on to their businesses and consumers in their jurisdictions.

6. The US-CERT, with the Department of Homeland Security, provides free resources that allow businesses of all sizes to receive alerts and best practices free of charge.

7. The National Cyber Security Partnership, a true private-public partnership formed by the US Chamber of Commerce, TechNet, the Business Software Alliance and the Information Technology Association of America (ITAA), created task forces to provide awareness to SMBs.

8. The Industry Security Alliance created an SMB “Common Sense Guide” to Cyber Security.  This has been distributed through many organizations including US-CERT, Ready.gov, the US Chamber of Commerce as well as a number of other web sites."
