[SecurityRatty] category: Physical

Oklahoma State University Parking Services server is compromised

Thu, 15 May 2008 11:08:54 +0000

Technorati Tag: Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU")

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for? Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right. Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol? That's not cool. A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs. All this for parking? Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah! Review your bills (pay them occasionally) and financial transactions carefully. But wait, you do this already? Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story! What do you suppose his stance was prior to being notified of the breach?

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management. You have the organizations that just don't get it and don't really care or know that they don't get it. These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^! They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either).

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem. These companies may seek guidance and consultation in the effort to build a comprehensive information security program. These programs should be built around business objectives and sound risk management.

Lastly, there are the companies that were proactive and built a sound information security program because it was good business. These organizations didn't need an adverse event or breach before taking action. These organizations don't panic when an adverse event occurs. They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow. The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?! That is way, way, way too long for a compromised server to go unnoticed. We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required. It's too bad that it took a breach for this to happen. Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack. Maybe the IT Data Center has better firewalls or something . I like the "full review". This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim. I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question! Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above. I made plenty.

Past Breaches:
Unknown

HSBC loses a server in branch renovation

Wed, 14 May 2008 12:16:19 +0000

Technorati Tag: Security Breach

Date Reported:
5/7/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
Kwun Tong branch

Victims:
Customers

Number Affected:
159,000

Types of Data:
"name, account number and transactions of customers"

Breach Description:
"HONG KONG, May 8 (Xinhua) -- The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday."

Reference URL:
IDG Magazines Norge
Xinhua News Agency
The Standard

Report Credit:
The Breach Blog was notified by an anonymous tip at 11:15AM on May 7th. It just took me a while to get it posted. Sorry for the delay!

Response:
From the online sources cited above:

HSBC has admitted losing a server containing data on 159,000 customers.
[Evan] How do you lose a server?

The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work

The server held customer names, account numbers, transaction amounts and transaction types

HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".
[Evan] What kind of "multiple layers of security"? This is one of those statements that is misused and overused. Without details, who knows what they are talking about.

the server contained no PIN codes or online banking login credentials.

The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.

The case has been classified as theft.
[Evan] Ah, so HSBC didn't really "lose" the server? It was stolen.

The Monetary Authority has demanded that the bank contact all the affected customers and explain what measures could be taken to avoid potential losses thereof.

The bank is contacting customers, who will not be liable for any financial loss arising from any fraudulent activity as a result of the lost data.

Clients data are kept in a confidential manner. If any complaint arises, we will deal with it case by case, HSBC chairman Vincent Cheng Hoi-chuen said.

Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
[Evan] Charles Mok Nai-kwong states that the server was encrypted. This is a good thing.

"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said.
[Evan] This reminds me of a few stories I have read where authorities were unable to break commercially available encryption implementations. The one case that comes to mind was the case of the FBI unable to crack PGP encrypted PDAs captured from terrorists. If the encryption was implemented correctly and key management is sound, it would be very difficult for the police to access meaningful information.

Commentary:
What type of physical controls were present at the time of the server theft? Stuart King on his ComputerWeekly Risk management blog sums this up very well when he says "Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over."

The last HSBC breach that we reported on The Breach Blog was also physical security related, see below.

Past Breaches:
February, 2008 - Five-year-old wanders into bank branch after-hours

Physical Security, Locking Picking, and more: Bloomington Fraternal Order Of LockSport

Tue, 13 May 2008 20:09:40 +0000

Normally I cover electronic security, but as we all know if someone has physical access to your box they OWN your box. One reason to look into high security locks and lock bypassing is to increase the physical security of your assets my knowing what works and what doesn't. My friend DOSMan gave a presentation recently at Notacon 5 called Lock Picking in the New Frontier - From Mechanical to Electrical Locks you should check out if you are interested in physical security. Also check out the Bloomington FOOL organization if you are interested in Locksport in general.

HSBC lose a server

Mon, 12 May 2008 04:00:00 +0000

Another reported theft of a server containing customer data . This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen. " Read all about it here and there's more here. This is a really careless way to lose data. I thought it might be fun to read the bank's own statement on data security.

Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses such as the case with this branch of HSBC in Hong Kong. I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."

5 tips to audit and improve virtual server security

Thu, 08 May 2008 20:00:00 +0000

On the surface, security questions surrounding virtual servers don't seem much different than those for the physical machines on which they run. In fact, starting a virtual security audit by keeping in mind what you've already learned in the physical world is an excellent approach. Security analysts say the same practices, principles and basic common sense apply for a group of virtual servers as for any physical server farm. But, IT managers also need to factor in some additional considerations, due to the unique characteristics of the virtual world.

The Daily Incite - May 8, 2008

Thu, 08 May 2008 06:13:54 +0000

May 8, 2008 - Volume 3, #44

Good Morning:
If I've said it once, I've said it a thousand times, success in anything that you do is based on how well you manage expectations. When you expect little, you tend to be surprised on the upside. When you expect a lot, well... you know. Reading Shimmy's post on the Iron Man movie made me think about why I go to movies and what I expect to get from the time and money I spend.

Basically for me, movies are about escaping. Not that my life is bad, quite the contrary, but every so often taking a few hours to go into the land of someone else's imagination is very useful for me. I do my best not to get into the dogma of reality vs. unreality. Plot lines that don't make sense just roll off my psyche, and I spend very little time trying to understand the "true" meaning of any of these movies.

Why? Because they are movies. If I want reality, I'll go over to CNN and remind myself how screwed up things are. If I want to be overwhelmed, I'll just spend a few hours trying to keep up with my kids. When I want to escape, I take in a movie or curl up with a suspense, mystery or science fiction novel. Then I can shut off the world, if only for a little while.

Personally, I thought Iron Man was a great movie. So I guess I'm with Farnum on that. I don't know a lot about the comic book lineage, so I wasn't worried about how true they were to the Iron Man history. Robert Downey Jr. was very believable as the main character. And the idea of a supersonic flight suit? Why not? Again, if I want reality - I'll watch Survivor - since that's very real.

I guess it's about mental health. All work and no play makes Mikey a dull boy. And given the schedule I keep and the crap I consistently add to my overflowing list of things to do, sometimes I just need to shut down for a few hours and go into someone else's world. The Boss has mandated that Friday nights are now movie night. No more catching up on the crap that didn't get done during the week. No more watching some crappy TV. Now it's about escaping from the week that was and setting the stage for the weekend to come. I think it's a great idea.

That's my story and I'm sticking to it. Have a great weekend.

Photo: "Iron Man Suit" originally uploaded by kevitivity

Technorati: Information Security, CSO,Security Mike, Internet Security

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Top Security News

NAC is dead! Long live NAC!
So what? - It was only a matter of time before the esteemed Stiennon tried to relive his glory days and proclaim some other security technology as "dead" and try to ride that to additional worldwide infamy, I mean notoriety. Not surprisingly, he's decided that NAC is on death row and is awaiting it's three-drug cocktail into an eternity of hell fire and disappointed VCs. Of course, Shimel takes this as validation that NAC is for real, and it's not like he needs an excuse to jump on the bully pulpit and wax poetic about all things NAC-virtuous. The reality is the truth is somewhere in the middle. NAC clearly has it's challenges, I've been one of the (only) voices that drove that point home back in 2006, until it became popular to beat down NAC. Though there are still legitimate use cases for all three aspects of NAC (admission control, access control and containment). It seems Richard forgets about the first law of security (or he's gotten the mind-meld from Matasano), which is to layer your defenses. Of course, NAC isn't going to stop a clean computer from entering your network, but who says that NAC is the answer to every problem? Maybe that's where everyone is getting hung up. Let's try this again. Repeat after me, there is no silver bullet. There is no silver bullet. There is no silver bullet. There is no silver bullet.
Link to this

Are drive-bys an endangered species?
So what? - Wouldn't it be nice to live in Larry Seltzer's skewed view of reality? Sometimes the stuff he writes is pretty good. Other times, he's taken a wrong turn and fallen off the end of the world. The world is flat, don't you know. Like this week's piece about browser defenses getting better. Huh? So Vista does some ASLR and DEP (XP has limited DEP capabilities too), so what? The applications have to use those defenses, which is slow in coming. Also everyone has to have these latest operating systems and have everything patched, and we certainly know that's not the case in the real world. Larry even takes a shot at the beloved NoScript, and now he's crossed the line. Listen, a web without JavaScript is certainly sub-optimal. And I do spend a fair bit of time authorizing different scripts on the various web sites I visit. But the point is that I am making that decision, not some jackass web developer that would rather drink Red Bull than ensure my browser can't be owned via a XSS. NoScript gives me the power to choose what scripts I want to run, and which I don't. To just blame all the ills of browser-based attacks on stupid users and social engineering is missing the point. Attackers will take the path of least resistance, and now that is through the user. Something like NoScript makes it a bit harder, and that's why I tell everyone that will listen to use it.
Link to this

Hope for everyone that isn't the market share leader
So what? - What do you do when your biggest competitor is Cisco and your main value proposition is lower cost? You commission a survey that says 77% of IT decision makers would buy network security equipment from an "alternative" vendor. Meaning an "organization other than the market share leader." Hmmm. That's interesting data. So how does Cisco (and Check Point, etc.) maintain their huge market shares if all these customers will consider another vendor. Thinking... Thinking... I got it. They are considering the other vendor for leverage. You'd be an idiot not to "consider" another vendor because that gives you a bit of power (however small) over the incumbent to break a bit on price. That's negotiating 101. I'm interested in the other 23%, who basically say they'll buy from the market leader no matter what. Just goes to show that you can get a survey to say anything you want, you just need to phrase the questions correctly. Such as, "would you consider buying a technology from an "alternative" vendor (not the market share leader) that provides more functionality at a lower price?" Hmmm. How many folks would say no? I guess around 23%. And that's why I'm such a big fan of these surveys.
Link to this

The Laundry List

Yahoo shrugs off the Microsoft deal and embraces McAfee's SiteAdvisor to warn search users that some sites may be bad. This is cool, but I'm still using Google. - NetworkWorld coverage
Add USB thumb drives to the 10 most wanted list. They could bring malware in and take data out. Of course, we already knew that, but sometimes it's good to be reminded - Network Computing Daily blog
It was just a matter of time. Now other application dev shops are embracing security as a feature. Parasoft talks about their new application security offerings, built into the dev tools - of course. - Parasoft release
Funny post on the NoticeBored blog about how not to do security awareness training. Idiotic questions are my favorite. - Noticebored blog

Peter Gabriel Web Server Stolen

Wed, 07 May 2008 09:00:00 +0000

Reported on Slashdot today is the news that Peter Gabriel's web server has been solen from the data center where it was being hosted. I have my own thoughts on a possible motive; mostly related to some of the dreadful noise he's produced over the past 30 years. Physical security has been a previous topic of this blog (see entry from 10 Dec 2007). 1. Don't make assumptions about third party security controls. Check them for yourself. 2. Make sure your incident response plans include actions to take in the event of critical equipment being stolen. Some good guidance on physical security for small businesses here on GetSafeOnline. Some further related information here.

How to maximize WLAN performance

Wed, 07 May 2008 05:38:08 +0000

With greater demands being placed on WLANs, learn what you can do to improve WLAN performance for your clients, such as choosing the right physical layer and properly setting access point channels.

Security Needs in Embedded Systems

Tue, 06 May 2008 20:00:00 +0000

The paper discusses the hardware and software security requirements in an embedded device that are involved in the transfer of secure digital data. The paper gives an overview on the security processes like encryption/decryption, key agreement, digital signatures and digital certificates that are used to achieve data protection during data transfer. The paper also discusses the security requirements in the device to prevent possible physical attacks to expose the secure data such as secret keys from the device. The paper also briefs on the security enforced in a device by the use of proprietary security technology and also discusses the security measures taken during the production of the device.

Stolen General Internal Medicine laptop exposes nearly 12,000

Mon, 05 May 2008 08:17:36 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
General Internal Medicine of Lancaster (PA)

Contractor/Consultant/Branch:
None

Victims:
Patients*

*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"

Number Affected:
"nearly 12,000"

Types of Data:
Names, addresses, telephone and Social Security numbers

Breach Description:
"EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."

Reference URL:
WGAL Channel 8 News
Lancaster Intelligencer Journal
General Internal Medicine of Lancaster

Report Credit:
General Internal Medicine of Lancaster (PA)

Response:
From the online sources cited above:

EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.
[Evan] Why do we store personal (and other confidential) information on poorly secured laptops? Why, why, why?

A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17

"We're just sick about this," said practice manager Lois Summers. "We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."
[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant. 12,000 mailings has a hard cost and is pretty easy to quantify. The price involved with lost confidence and visits is harder to nail down.

office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.
[Evan] Even in a small scale project it is important to evaluate risks EARLY on in the process, before work starts.

After that process was completed, the office planned to burn the paper records.

no medical information about patients was compromised.

The computer contained the names, addresses, telephone numbers and Social Security number s of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.

East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.

An employee left the area where the scanning was being done for a brief period the morning of April 17. When that employee returned, Summers said, the laptop was gone.
[Evan] It only takes a second or two for a thief to nab a mobile device. People think that it won't happen to them until it does. Then it's like "@^ @%*#"! Understand that these things will happen. We don't know when. We don't know how. We don't know where. Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner? We can take steps to significantly reduce the risk of data exposure.

Police said they suspect whoever stole the laptop wanted the computer more than the information on it.
[Evan] Sure.

Investigators also said the personal information is not easy to access.
[Evan] "Not easy" is subjective. If the information was only protected by an operating system password, then the information is likely very easy to access.

"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."
[Evan] Excellent quote, "Obviously, this was not a secure system". Lois Summers then goes on to address physical security of the drive itself. Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) are equally as important.

General Internal Medicine of Lancaster located in the office building sent a letter to patients to alert them of what happened.

Anyone with questions is urged to call General Internal Medicine at 397-2738.

Commentary:
The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.

I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised. Losing the information causes enough stress for victims. General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township police report. I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients. I don't get this sense from many breaches.

Unfortunately the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries.

Past Breaches:
Unknown