[SecurityRatty] tag: 1st

Sniffers class for the ISSA Kentuckiana

Mon, 27 Oct 2008 20:20:21 +0000

I'm teaching another free class for the ISSA, hope some of my readers can make it. Here are the details:
Who: Presented by Adrian Crenshaw of IronGeek.com
What: "Using Sniffers Effectively" - hands-on workshop with network analyzers such as Wireshark and Cain.
When: Sat, November 8, 2008 9:00 AM - 12:30 PM
Where: Louisville Technical Institute - Room 364, 3901 Atkinson Square Drive, Louisville KY 402018 (502) 456-6509
Directions: From 264 East get off on 1st Newburg Rd exit, Turn RIGHT at Bishop Lane, Turn RIGHT at Atkinson Dr./Atkinson Square Dr., Go .2 miles, Turn right at LOUISVILLE TECHNICAL/INTERIOR DESIGN INSTITUTE. Park in front parking lot. Go in Main Lobby to sign in.
Why: ISSA Kentuckiana's mission is to be the Louisville Leader in Information Security and Awareness. We want to provide relevant educational opportunities to members that enable learning, career growth, and should enable certification and technical advancement.
Cost: FREE! - Bring your own laptop or use one of the classroom PC's
How to sign up: send email to education (at) issa-kentuckiana (dot) org

Fun Reading on Security - 8

Thu, 02 Oct 2008 06:31:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #7, dated October 2nd, 2008.

Great paper that complements the whole "SIEM is dead?" saga - "Most enterprises are looking for a product that will solve all of their problems in some sort of off-the-shelf miracle, and when they find out that the currently available tools can't do it, they either postpone their deployment or put them on the back burner. "
"The Mess: looking for someone to blame?" is an awesome piece on Internet security and its architecture - and so is Gunnar's follow-up ("If a tree falls in someone else's silo...")
Mike call to "Rise up against Mediocrity." - "Dilbert makes the risk of the lowest common denominator approach abundantly clear."; in other words, you say 'best practices', I say 'mediocrity!' Mike also remind us, in vain, to do "Security FIRST!" (and compliance second)
A great piece from Burton: "On Response" - I think the world needs another 10-20 million reminders that PREVENTION FAILS. This is definitely a good one for those still in the "we'll just block the threat world" - "we will not win a continuing war of escalation" and "using response can be more cost effective than installing the latest and greatest preventative tool"
More on metrics, including the highly-awaited ISO27004.
Pretty dumb paper by a person confused by why PCI DSS exists (the guy needs to read this). PCI doesn't "fall short," it helps people who will otherwise not do anything and their systems will "power" those botnets of the future...
While we are on this subject: a really good coverage of PCI 1.2. changes, released Oct 1st. More PCI fun here. And more here ("PCI Compliance - dispelling some common myths"). And, more PCI myths. And more good ideas on PCI from Mike R. Sorry, can't stop thinking about PCI :-) - also this is good.
Adrian on behavioral monitoring; mostly in DAM, but also elsewhere in security.
"Premature Chasm-Crossing" - a must-read for all security vendors and especially their marketing (and their easily-excitable PR teams...) - "Shouldn't vendors be spending more time fighting the problems that security managers are facing today, right this minute?" (Mike R also comments on that). A related - and just as interesting point is made here: "Security is not a solution"
More on compliance and security checklists, good and bad: "I think this is a dangerous trend unless the "checklist" is all inclusive." (how can a checklist include ALL? :-))
"SANS Top 7 New IR/Forensic Trends In 2008"
Read "The three approaches to computer security!" Why? Come on, it is from Joanna! :-)
A fun discussion about a hot new technology: network IDS. Is IDS absolutely indispensable to ALL companies? No. Can it be incredibly useful? You bet. End of discussion.
On an unrelated note, are lasers the future of warfare? Some say no.
Finally, some security humor from Gartner (!): "Get Rich Quick With Network Security"

Enjoy!

Previous security reading.

Network and information security in Europe today

Mon, 29 Sep 2008 12:21:36 +0000

In mid Septeber, the 1st NIS Summer School jointly organized by the European Network and Information Security Agency (ENISA) and the Institute of Computer Science of the Foundation for Research and ...

EstDomains and Intercage VS Cybercrime

Tue, 16 Sep 2008 05:09:44 +0000

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance. "

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
RBN's Fake Account Suspended Notices
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Contest: Cory Doctorow's Cipher Wheel Rings

Fri, 05 Sep 2008 08:01:09 +0000

Cory Doctorow wanted a secret decoder wedding ring, and he asked me to help design it. I wanted something more than the standard secret decoder ring, so this is what I asked for: "I want each wheel to be the alphabet, with each letter having either a dot above, a dot below, or no dot at all. The first wheel should have alternating above, none, below. The second wheel should be the repeating sequence of above, above, none, none, below, below. The third wheel should be the repeating sequence of above, above, above, none, none, none, below, below, below." (I know it sounds confusing, but here's a chart.)

So that's what he asked for, and that's what he got. And now it's time to create some cryptographic applications for the rings. Cory and I are holding an open contest for the cleverest application.

I don't think we can invent any encryption algorithms that will survive computer analysis -- there's just not enough entropy in the system -- but we can come up with some clever pencil-and-paper ciphers that will serve them well if they're ever stuck back in time. And there are certainly other cryptographic uses for the rings.

Here's a way to use the rings as a password mnemonic: First, choose a two-letter key. Align the three wheels according to the key. For example, if the key is "EB" for eBay, align the three wheels AEB. Take the common password "PASSWORD" and encrypt it. For each letter, find it on the top wheel. Count one letter to the left if there is a dot over the letter, and one letter to the right if there is a dot under it. Take that new letter and look at the letter below it (in the middle wheel). Count two letters to the left if there is a dot over it, and two letters to the right if there is a dot under it. Take that new letter (in the middle wheel), and look at the letter below it (in the lower wheel). Count three letters to the left if there is a dot over it, and three letters to the right if there is a dot under it. That's your encrypted letter. Do that with every letter to get your password.

"PASSWORD" and the key "EB" becomes "NXPPVVOF."

It's not very good; can anyone see why? (Ignore for now whether or not publishing this on a blog makes it no longer secure.)

How can I do that better? What else can we do with the rings? Can we incorporate other elements -- a deck of playing cards as in Solitaire, different-sized coins to make the system more secure?

Post your contest entries as comments to Cory's blog post -- you can post them here, but they're not going to count as contest submissions -- or send them to cryptocontest@craphound.com. Deadline is October 1st.

Good luck, and have fun with this.

Security is bigger than finding and fixing bugs

Thu, 14 Aug 2008 16:09:00 +0000

I’ve been catching up on various security-related articles that I’ve been meaning to read, and the following article was on the list http://www.itnews.com.au/News/73635,google-shares-its-security-secrets.aspx about Google’s “security secrets.”

Quoting from the article:

“In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers."

I think it is great that Google has a security program they are willing to talk about and I could not agree more with the ‘security as a cultural value’ philosophy. But isn’t there something really fundamental missing here? Design? There is a lot more to software engineering other than coding and testing.

The SDL has a very large set of implementation-related requirements, but there are many design-related requirements also.

Computer security experts have known since the early 1970s that you have to get the design right; and our experiences with the SDL over the last 5 years have taught us that you need to consider security and privacy (but remember, you have to ship too!) very early in the design phase and have a consistent end-to-end process if you truly hope to reduce vulnerabilities and create more secure software. This is how the SDL is helping to create ‘security as a cultural value’ at Microsoft.

We’ve seen a general trend downward in security vulnerabilities in Microsoft products, and the IBM X-Force 2008 mid-year report backs the assertion that we’re making progress; according to the report Microsoft’s share of total vulnerabilities decreased from 3.7% in 2007 (1st place) to 2.5% (that’s 2.5% for all Microsoft products; a more appropriate comparison might be Windows vs Linux vs Mac OSX, or SQL Server vs Oracle vs DB2) in the first 6 months of 2008 (3rd place.) This is an encouraging signal that the SDL is working on a large scale… of course, it might also show that vulnerability researchers are moving to easier targets, which, to me shows the SDL is working too.

What do you think?

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Fort Lewis soldiers exposed by laptop theft

Fri, 11 Jul 2008 09:44:02 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested)

Organization:
United States Army

Contractor/Consultant/Branch:
Fort Lewis*

*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West). Fort Lewis has more than 25,000 soldiers and civilian workers, source: About Fort Lewis

Victims:
Soldiers

Number Affected:
~800 - 900

Types of Data:
"personal information"

Breach Description:
"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."

Reference URL:
KING Channel 5 News
Tacoma News

Report Credit:
Elisa Hahn, KING Channel 5 News

Response:
From the online sources cited above:

A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.

In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3
[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one. Moving the mobile device outside of a controlled area is strike two. Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.

He reported them stolen about 10 a.m. on July 4.
[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.

A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.

the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. They’ll get follow-up letters.

Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.

Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.

They’re also supposed to be password-protected and personal information is supposed to be encrypted

The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.

"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.

"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."

there was no classified, secret or top-secret information on the laptop and the hard drive.

Caruso said the employee was working on a project regarding a particular unit at a location other than his office.

She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.
[Evan] It is probably inappropriate to speculate, but you know we will anyway. My guess is that there is another person looking for a job in the Olympia, Washington area.

Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements

Commentary:
When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me. These men and women give everything to protect us. Without them I wouldn't be able to write this, and without them you wouldn't be able to read it.

Past Breaches:
United States Army:
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

Houghton Mifflin Harcourt server breach leads to notification

Tue, 08 Jul 2008 08:22:09 +0000

Technorati Tag: Security Breach

Date Reported:
7/1/08

Organization:
Houghton Mifflin Harcourt ("HMH")

Contractor/Consultant/Branch:
None

Victims:
"individuals affiliated with Harcourt Trade"

Number Affected:
194

Types of Data:
Social Security numbers

Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive. In order for an attack to be successful, a vulnerability must be exploited. I wonder what the vulnerability was.

On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.

Within minutes, HMH took steps to secure the affected databases.

HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident. The incident doesn't seem to be significant enough. Sad but usually true. The Secret Service has to prioritize just like everyone else.

As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st. This is a long forensic investigation! I also noticed that this statement mentions "computer systems". Does this mean that more than one server was compromised?

They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement. My definition of compromise probably differs though.

HMH has no evidence to date to suggest that the data has been misused.

Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you

Since learning of the incident, HHM [sic] has:

Reported this matter to the U.S. Secret Service and state law enforcement;
Cooperated with law enforcement, which is actively investigating the incident;
Conducted a thorough investigation of the incident, including an assessment of whether or not the theft created any prospective data security risk;
Identified the sensitive personal information about individuals stored on the affected server; and
Made arrangements to notify affected individuals about the incident in accordance with state laws, offer premium credit monitoring, ID theft insurance, and ID theft resolution services, and provide additional information about prevention and detection of ID theft including information about credit alerts and credit freezes.

HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.

We apologize and deeply regret that this happened.

I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch. The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.

Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate. Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?

Past Breaches:
Unknown

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown