http://securityratty.com/tag/comfyllama Wed, 28 Nov 2007 06:17:23 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/18d3a8ba34bcdca1b3614c0946dbb500 http://securityratty.com/article/18d3a8ba34bcdca1b3614c0946dbb500 Security Breach

Date Reported:
12/3/07

Organization:
UT-Battelle, LLC

Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*

*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory.  ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source State Science and Technology Institute

Victims:
"visitors to the lab between 1990 and 2004"

Number Affected:
"about 12,000"

Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.

Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software consisting of keyloggers and other malicious software through a targeted phishing attack ("spear phishing").  The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14 year period.

Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page

Report Credit:
Oak Ridge National Laboratory

Response:
From the official breach notification site and sources cited above:

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.

"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason

The attack comprised approximately 1,100 targeted phishing attempts.

The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

"No classified information was lost"

"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."

Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.

"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure!  Although we all need to be compliant, this doesn't mean that efforts should stop at that.  Do you want to trust the security of your information to a Senator or other lawmaker?

"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false," - Application Security Vice President of Marketing and Strategy Ted Julian

"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."

it's likely that employee training about phishing attempts will be given renewed emphasis in the future in order to attempt to close down this particular avenue of data theft.

"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues," "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason

The lab has sent letters to about 12,000 potential victims.

"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason

Commentary:
Scary!  Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government.  I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory.  IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.  

Think about this for a minute.  If I were going to attack a system in the United States without getting caught.  Why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities?  In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence.  Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need?  Highly unlikely.  If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably orginated by one of the more educated "phishing gangs".

I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian in the fact that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness.  People will be people, no matter what.

Final note, I am curious why ORNL needs to store Social Security numbers in the first place.

Past Breaches:
Unknown



]]> Tue, 11 Dec 2007 10:45:21 +0000 information personal information security store social security retrieve information regular information security security systems cyber-security issues security breach Oak Ridge National Laboratory visitor information exposed http://securityratty.com/article/2e5799582306cfe7453bce0221b53e76 http://securityratty.com/article/2e5799582306cfe7453bce0221b53e76 Security Breach

Date Reported:
10/9/07 (backdated)

Organization:
The Young Women's Christian Association (YWCA) Retirement Fund, Inc.

Contractor/Consultant/Branch:
None

Victims:
Active fund participants between January 1st, 2002 and September 28th, 2007

Number Affected:
Unknown

Types of Data:
Name and Social Security number.

Breach Description:
On Monday, October 1st, 2007 YWCA Retirement Fund employees noticed that a computer had been stolen from the Fund's office in New York.  The computer contained sensitive personal information including names and Social Security numbers for active fund participants from January 1st, 2002 to September 28th, 2007.

Reference URL:
State of New Hampshire Attorney General's Breach Notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official breach notification and letter to victims:

We are writing to inform you that some of your personal identification information may have been compromised recently.
[Comfyllama] "May have been compromised"?  No, no, no.  If you do not have a reasonable assurance that data confidentiality, integrity, and availability remain intact, then the data IS compromised.

On Monday, October 1 when The Young Women's Christian Association Retirement Fund, Inc. staff arrived at the Fund's office we discovered one computer had been stolen.

The stolen computer contained the names and Social Security numbers of individuals who were active Participants in the Fund at anytime during the period from January 1, 2002 to September 28, 2007.
[Comfyllama] We couldn't find any information to give us an idea of how many people this refers to, but we didn't look long.

The stolen computer did not contain addresses, telephone or email contact points and most importantly no account balances.
[Comfyllama] Unauthorized access to any of this information is bad, but "most importantly no account balances"?  If I had a choice, I think I would rather have my account balance disclosed than I would my name and Social Security number.

Several factors lead us to believe that the risk to your personal data is rather low.

Here is further information about what occurred and these facts should help you assess the risk to your personal identification information:

1.  only the computer was stolen, not the monitor, nor the mouse, not the power pack
[Comfyllama] I am confused.  What does this have to do with the risk of unauthorized data access?

2.  the stolen computer was of a type that requires a power pack, not a power cord.  Power packs are not sold through retail outlets but must be ordered from the computer manufacturer which requires the computer's serial number, the customer's account number and name.  Dell has been notified of the theft.  Any attempted order will be flagged, the caller id will be recorded and forwarded to both the Fund and the New York Police Department with whom we met Monday afternoon, October 1.
[Comfyllama] This is simply untrue and useless information.  If you need a Dell power cord for a laptop, go to Dell and order one without proving a serial number, customer account number and name, or go to one of many of retail outlets that DO sell them.

3.  a passcode is required to access the personal identification information stored on the stolen computer.
[Comfyllama] This "passcode" is nothing more that a momentary nuisance to anyone with simple computer skills.

The fund has reviewed the pertinent 24-hour surveillance tapes from the week-end and they have been turned over to the NYPD.

We have already purchased and installed DEFCON cable locks on all computers.

In the next few weeks the Fund will consult with a security firm to evaluate our entire operation.  It is the intent of the Fund to implement the security firm's recommendations for improving data protection.
[Comfyllama] Let's hope that the "security firm" is worth at least half the price.

We sincerely apologize for causing you concern

Please be assured that we will be ever more vigilant in protecting your data.  If you have any questions, or if we may be of any further assistance at anytime, please call us toll-free at 1-800-222-4738.

Commentary:
This breach occurred not just as a result of a break-in and theft of a computer.  This breach occurred as a result of a fundamental failure of information security.  We don't have the privilege of looking at the YWCA Retirement Fund's information security program (assuming one exists), so we don't know much more than what we read in the Fund's response.  From reading the Fund's response, we can judge that the YWCA Retirement Fund is a poor custodian of sensitive information.  The response is one of the most clueless that we have seen to date.

I sincerely hope that the security firm eluded to in the response will recommend some serious changes, one of which would include encryption of data at rest.  I am sure the list will be long (assuming the security firm knows what they are doing).

Past Breaches:
Unknown



]]> Tue, 11 Dec 2007 09:23:19 +0000 ywca retirement fund retirement fund fund computer information security information sensitive information personal identification information active fund participants YWCA Retirement Fund participants exposed in stolen computer http://securityratty.com/article/51972210a2a286bd2be3bac4df6b20f3 http://securityratty.com/article/51972210a2a286bd2be3bac4df6b20f3 Security Breach

Date Reported:
12/5/07

Organization:
Memorial Blood Centers*

*Memorial Blood Centers is a nationally known, locally operated nonprofit community blood center that has supplied blood and blood components to area hospitals for nearly 60 years. Memorial Blood Center operates 10 donor centers at nine Minnesota sites and one in Superior, Wisconsin and conducts more than 125 blood drives monthly.

Contractor/Consultant/Branch:
None

Victims:
Blood donors

Number Affected:
About 268,000

Types of Data:
Name and Social Security number.

Breach Description:
A laptop was stolen from the Memorial Blood Centers on the morning of November 28th, 2007 while preparations were being made for a blood drive in downtown Minneapolis, Minnesota.  The laptop contained names and Social Security numbers of 268,000 blood donors and appears to have not been encrypted.

Reference URL:
Press Release on BusinessWire
Press Release on the Memorial Blood Centers Press Release

Report Credit:
Memorial Blood Centers

Response:
From the official press release cited above:

Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer holding donor information.

About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s social security number.
[Comfyllama] Why is a Social Security number required to donate blood?!?!  Crazy.

The laptop computer was stolen on November 28, 2007 in downtown Minneapolis during early morning preparations for a blood drive.

The theft was captured on building security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with law enforcement authorities to recover the laptop computer.

Access to the donor information on the laptop is protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use. The donor records do not contain medical information.
[Comfyllama] Multiple levels of passwords means little more than a nuisance to anyone with even minimal computer skill.  If this was a shared laptop (not uncommon in this situation), then the chance of the password(s) being written down are increased.  I am curious what "other technologies" means?  Right now, it means nothing to me.

“We apologize for any anxiety this incident may cause for our donors,” said Don Berglund, Chief Executive Officer of Memorial Blood Centers. “This appears to have been a random crime. We believe the measures securing access to the donor records protect against their inappropriate use. We also immediately implemented additional measures to further protect against unauthorized access to donor data.”
[Comfyllama] On the one hand, I am always impressed when a CEO comments about a breach of security because it shows recognition of the fact that "the buck stops" with him/her.  On the other hand, the comment "We believe the measures securing access to the donor records protect against their inappropriate use" shows a level of naiveness (assuming no encryption).

Memorial Blood Centers has begun notifying the affected donors whose names and Social Security numbers were on the stolen computer. Notified individuals are being encouraged to monitor their financial accounts as a precaution.

A special hotline has been established for donors who may have further questions about this theft. Donors with questions can reach the hotline by calling 888-333-1491.

Persons with any knowledge of the theft are asked to call the Minneapolis Police Tipline at (612) 692-TIPS.

Commentary:
This is a serious breach that needs further explanation.  Why on earth does the Memorial Blood Centers need to collect Social Security numbers as part of their blood collection process?  I assume that they use Social Security numbers as identifiers, which everyone should know is a "no-no" unless its require by law.  I'm no lawyer, so is it required by law?

Let's say for a second that Memorial Blood Centers is required by law to collect and store Social Security numbers as part of the donation process.  This is the year 2007, and we should be encrypting confidential data at rest.  There should be no more excuses.

Let's say for a second second that this information was protected with encryption.  Then state this in the press release.

Past Breaches:
Unknown



]]> Thu, 06 Dec 2007 11:09:42 +0000 donors blood security security cameras store social security memorial blood centers donors social security breach description blood components 268,000 donors exposed through stolen Memorial Blood Centers laptop http://securityratty.com/article/26f7b1c688ec864f0ccf677c71a53dcc http://securityratty.com/article/26f7b1c688ec864f0ccf677c71a53dcc Security Breach

Date Reported:
12/4/07

Organization:
Duke University

Contractor/Consultant/Branch:
School of Law

Victims:
Current and prospective Law School applicants

Number Affected:
3,200*

*1,400 in one database containing applicant data and some Social Security numbers, 1,800 in a second database containing applicant data and passwords used by applicants tracking their applications.

Types of Data:
Names, addresses, phone numbers, Social Security numbers, and passwords

Breach Description:
The Duke University School of Law reported that they detected unauthorized and illegal activity on a their web site.  An investigation revealed that two databases were exposed in the attack that contained sensitive personal information about some current and prospective Law School applicants and students.

Reference URL:
Duke School of Law Incident Web Page
The News and Observer Story
United Press International Story

Report Credit:
Melinda Vaughn, Executive Director of Communications at Duke University

Response:
From the official incident web page and sources cited above:


On the Duke University home page

Thank you very much for your patience as we continue to work to restore our web site and understand the full ramifications of the attack on our web site and server. The attack was a criminal act, and it is now being investigated by law enforcement officials.

Earlier this evening, the Law School sent emails to about 3,200 prospective and current applicants notifying them that some of their personal information was exposed during the recent attack on our web site.

We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so, and we therefore felt it was important to notify those who might have been affected as quickly as possible.
[Comfyllama] A good forensic analysis should provide clues if the proper trail exists.  You would think that a web server containing sensitive information would employ extensive logging.

On Thursday, Nov. 29, at about 3:30 p.m., we detected unauthorized links and coding in our web site. As soon as a breach was confirmed, we took the site offline and launched our investigation.

By Friday, it appeared that we had removed the unauthorized content, and we reposted the web site.
[Comfyllama] Ugh.  Thursday afternoon until Friday was all it took to re-certify the site?  Doesn't seem like a good incident response.  If a site is compromised, it is usually a better practice to replace it with a new rebuilt server so that the original can be thoroughly examined.

Our continuing investigation, however, found that the web server had been compromised, and that the attack had penetrated more deeply than originally thought.
[Comfyllama] In incident response, it's not a bad idea to hope for the best but assume the worst.

We took the web site down again by Saturday morning pending a more complete security scan by the university’s IT Security Office. We do not believe that any new problems were introduced during the short time that the site was reposted.

As we further evaluated the site, we found that several databases stored on the server were exposed during the attack.
[Comfyllama] Databases on a web server?  Bad.

There were two databases containing sensitive or potentially sensitive information. The first held records containing information submitted by prospective applicants who were requesting information from the admissions office.

A small percentage of those prospective applicants had provided Social Security numbers when they completed our online request form. That group of 1,400 prospective students received notifications this afternoon about the security breach.
[Comfyllama] Social Security numbers in a database on a web server? Worse.

The second database in question included contact information and self-generated passwords for about 1,800 current applicants who were using our web site to track the status of their law school applications.

Even though our second database did not contain Social Security numbers, we also have notified this group of the security breach, in case the passwords they used on our site are the same as the passwords they use on other sites.
[Comfyllama] Prudent decision on the part of the school.

the first intrusion occurred in early November, when a directory of foreign files was inserted into the site. Another set of files was deposited on Thanksgiving Day. We believe that nothing was done with these files until the attack began on the afternoon of Nov. 29.
[Comfyllama] Write access to the web server, and the responders didn't think that the compromise "had penetrated more deeply than originally thought"?

Duke University has a policy not to gather Social Security numbers, except in a limited number of circumstances including some transactions with applicants and prospective applicants.
[Comfyllama] This is a good policy.

The Social Security numbers in this database were no longer being used, and we had in fact stopped collecting them from applicants earlier this fall. But the database had not been purged of old data.
[Comfyllama] Lack of audit and review.

We are reviewing our policies to ensure we are in full compliance with all policies that pertain to the handling of Social Security numbers.
[Comfyllama] Sometimes it takes a breach to spur additional audit and review that should have been conducted regularly all along.  Unfortunately, there are people affected already.

What has been done to secure the web site and prevent this from happening again?
Over the weekend, we moved the site off our web server to allow us to install a completely new operating system and new software. While that was being done, we also reviewed all the data from the old server’s system for remnants of the intrusion.

The application status tracker is being restructured so that it will not require passwords. Social Security numbers have been removed and will not be stored on our web server.

We are continuing our investigations into how this attack occurred and what additional steps can be taken in the short and long term to further secure our web site and all our electronic data. We will update you on our progress in coming weeks, and we will provide a full report to the community once the investigation and security planning is complete. In the meantime, if you have any questions or concerns, please feel free to contact me **email address removed**, Liz Gustafson **email address removed**, or Jill Miller **email address removed**.
[Comfyllama] We (meaning The Breach Blog) removed the email addresses because we are still a little "old school" in this regard and think that publishing email addresses without obfuscation increases the likelihood of increased spam.

Commentary:
This has to be one of the best incident disclosure announcements I have ever seen in terms of depth.  The explanation of what occurred is clear, Duke's response is clear, and what they plan to do is clear.  I am impressed.

Now, what I am not impressed about is the decision to store confidential information on a web server.  More often than not, this is bad news.  Common information security practice is to place publicly accessible servers in a DMZ, segmented from more secure systems that contain databases.  Extensive monitoring is then placed on both systems and in between.  I am curious how the server itself was compromised.  Was it not patched, was it not configured well, was the code written poorly, was someone surfing the web on the server and downloaded malicious code, etc.?  I am also curious about whether or not the University conducts regular audits of these systems and runs intrusion detection.  Even after such a wonderful announcement by the school, so many questions still remain!

Past Breaches:
Unknown



]]> Thu, 06 Dec 2007 08:37:20 +0000 school duke school breach security comfyllama social security complete breach description complete security scan security breach Duke School of Law breach affects 3,200 http://securityratty.com/article/8d17e1400440c97c305f51de371224e2 http://securityratty.com/article/8d17e1400440c97c305f51de371224e2 Security Breach

Date Reported:
12/4/07

Organization:
The AES Corporation

Contractor/Consultant/Branch:
Indianapolis Power and Light (IPL)

Victims:
Residential IPL customers from 2003 to 2007.

Number Affected:
3,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
A recent security audit at Indianapolis Power and Light (IPL) identified certain files containing sensitive personal information about IPL residential customers was accessible through the company's public web site.  Some of the files were exposed for up to four years.

Reference URL:
http://www.theindychannel.com/news/14768281/detail.html

Report Credit:
TheIndyChannel.com, Channel 6 News

Response:
From the source cited above:

The private information of thousands of Indianapolis Power and Light customers was inadvertently posted online for up to four years, officials said Monday.

The information affects 3,000 residential IPL customers from 2003 until November 2007.

IPL said the data included names, addresses and Social Security numbers that somehow ended up on an accessible server on the Internet.

Most of the information was out in the open for several weeks. Some other files were exposed for as long as four years.

A recent audit caught the error. IPL is sending out letters to affected customers and is offering a year's worth of free credit monitoring and identity theft insurance.
[Comfyllama] You may have read my comments about this before, but in case you haven't…  If a person's identity expired in one year, or we all received new Social Security numbers in one year then one year of credit monitoring and identity theft insurance would be an excellent response.  Don't get me wrong, it is better than nothing, but don't be fooled into thinking that this should protect you from an organizations failure to protect your data.  I am not sure, but I think the onus is on the victim to sign-up for the free service.  IPL probably isn't going to do it for you.

IPL also set up a hot line to deal with inquiries about the situation. The number is 317-261-4845.

Commentary:
Is this the first such security audit that IPL has conducted?  If not, then how do you explain the fact that this information was missed for up to four years?  In my opinion, utility companies should not be using Social Security numbers in the first place.  I understand how they do use them (i.e. reporting for collections, checking credit, etc.), but it doesn't mean I need to agree with it.

There is no mention in this brief news story about what IPL does to protect personal information.  Customers should be calling with demands for answers.  If IPL is going to collect personal information, what (exactly) do they plan to do to protect it?  I suppose customers just assume that a reputable company would be doing the right thing.  There is also no mention of whether or not IPL contacted the various internet search engines (Google, Yahoo, etc.) to have the information removed from cache, but maybe we should just keep assuming.
 
Past Breaches:
Unknown



]]> Thu, 06 Dec 2007 06:27:41 +0000 ipl residential customers ipl residential ipl customers information collect personal information customers light customers sensitive personal information information affects Indianapolis Power and Light customer data exposed for up to four years http://securityratty.com/article/875b254f0e7fa2f548bd1f8c21a41958 http://securityratty.com/article/875b254f0e7fa2f548bd1f8c21a41958 Security Breach

Date Reported:
12/4/07

Organization:
Government of Canada

Contractor/Consultant/Branch:
Passport Canada*

*"As mandated by the Canadian Passport Order, Passport Canada is responsible for issuing, revoking, withholding, recovering, and providing instructions on the use of Canadian passports."

Victims:
Certain persons applying for Canadian passports online.

Number Affected:
Unknown

Types of Data:
Names, addresses, phone numbers, birth dates, social insurance numbers, driver's license numbers, and other information contained on passport application forms.

Breach Description:
Sometime during the week of November 26th (2007) an Ontario man noticed that by changing a single character in the URL provided by Passport Canada, he could access the passport application information of other people who had used the site.  Passport Canada officials confirmed the security flaw and breach on Tuesday, December 4th.

Reference URL:
Reuters Canada News Story
680News.com News Story
The Globe and Mail News Story
The Register News Story (UK - Good commentary)

Report Credit:
Kenyon Wallace, Globe and Mail (CA)

Response:
From the sources cited above:

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.

The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
[Comfyllama] This is one of the most simplistic attacks on web sites available.  Change a character and see what happens.  Heck, this is a piece of cake to automate with a script and grab ALL the available records.  Running a site that acquires and stores confidential data which is vulnerable to the simplest of attacks is ludicrous.

That data included social insurance numbers, driver's licence numbers and addresses.

Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.

Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.
[Comfyllama] I would assume, in order to fix the problem?!

Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said

"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."
[Comfyllama] Huh?  "Still"?  Ever?

But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.
[Comfyllama] But no!  The issue was not fixed after bringing the site back online!

Canadian law does not require organizations to disclose when they've suffered security breaches.
[Comfyllama] Canadian law SHOULD require it (and more).

Other Responses:

"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."

"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."

"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."
[Comfyllama] Mr. Marsden was one of the people that had his application revealed on the site.

"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.

"The reality is, even with the resources and the best security people, you're only as good as your weakest link," Prof. Geist said. "One mistake can result in significant security breaches that can put huge amounts of personal information at risk."
[Comfyllama] A person with little information security experience, some common-sense, and a PC would have found this hole if it was their job.  It is obvious that Passport Canada does NOT have "the best security people".

"Whether it was that or something else, I don't know which is worse - that someone made an error that you wouldn't expect to see from a school kid, or that 'Passport Canada' didn't notice..." - Jeremy, commented on The Register Story

"In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected." - Anonymous Coward, commented on The Register Story
[Comfyllama] Excellent point!  If you run a site that acquires, processes, stores, or transmits ANY data that you do NOT want to be PUBLIC data, the you must secure it properly which includes regular vulnerability scanning, penetration testing, code and third-party reviews.  Cut corners, lose data.  Simple.

Commentary:
This is such a simple security oversight with such large ramifications.  Who knows how long the information contained on the site was exposed or how long the vulnerability existed?  Anonymous Coward (in the comments above) stated it right, this is negligence and cluelessness.

Me reminiscing again:
In the late 90's to early 2000's I was in charge of security and infrastructure for a site that processed thousands of credit cards transactions and collected thousands of customer records monthly.  This was before identity theft and privacy concerns were as prevalent as they are today.  We regularly ran our own internal pen testing and security assesments as well as contracted a third-party to do so on a semi-annual basis.  It just made good, common, business sense.  There was no law requiring us to do it, there was not a VISA CISP requiring us to do it, heck there wasn't a SOX or GLBA either!  What happened to companies and organizations that decide to do things because they are the right things to do?  I suppose some exist, but many have gone.

Past Breaches:
November, 2007 - Stolen Service Canada laptop affects more than 1,600



]]> Wed, 05 Dec 2007 08:51:09 +0000 passport canada information personal information passport application information application breach passport application site passport canada spokesman significant security breaches Passport Canada web site suffers serious breach http://securityratty.com/article/e5ab89e51e3da41fa9d30552261ef453 http://securityratty.com/article/e5ab89e51e3da41fa9d30552261ef453 Security Breach

Date Reported:
11/30/07

Organization:
State of Massachusetts

Contractor/Consultant/Branch:
Executive Office of Health and Human Services

Victims:
Prescription Advantage insurance program members*

*Prescription Advantage is a state-run program that offers drug insurance to seniors in Massachusetts.

Number Affected:
150,000

Types of Data:
"personal information"

Breach Description:
Authorities arrested an identity thief in August, 2007 who had been using information obtained from the Massachusetts Presrciption Advantage program in an attempted identity theft scheme.  It is not yet clear how the thief obtained the information.

Reference URL:
PC World Story
Information World Story
The Boston Herald Story

Report Credit:
Associated Press via The Boston Herald

Response:
From the sources cited above:

Thousands of senior citizens are being warned about a computer security breach involving the state’s Prescription Advantage program.
[Comfyllama] It seems like senior citizens are among the easiest prey for identity theives.

Executive Office of Health and Human Services spokeswoman Alison Goodwin wouldn’t say what kind of personal information may have been compromised, such as names, addresses or Social Security numbers.

Local authorities arrested a lone identity thief in August who had been using information taken from the program in an attempted identity theft scheme, said Alison Goodwin, a spokeswoman for the state's Executive Office of Health and Human Services.

Goodwin could not add many details on the nature of the breach, citing an ongoing criminal investigation, but she said Prescription Advantage is conducting an internal review of the incident to determine if additional security measures might be required.
[Comfyllama] If data leaked, then I would say that additional security measures are probably required.  Sounds obvious, but to some it just doesn't sink in.

The data breach did not affect all members of the program, Goodwin said
[Comfyllama] I wonder how this conclusion is drawn?  If the breach does not affect all 150,000 then why inform 150,000?  Maybe Prescription Advantage doesn't know who was affected and who wasn't.

Prescription Advantage recently began notifying 150,000 members potentially affected, as required by state data-breach laws.

"A few members were recently the victims of attempted identity theft," the state said in a Nov. 19 letter sent to possible victims.
[Comfyllama] OK, here it states that a few members were victims of identity theft and earlier statements said the identity thief "had been using information taken from the program".

The staff that maintains the program has "no reason to believe" that any Prescription Advantage members' data has been misused, the letter adds.
[Comfyllama] Here, the letter states that there is no reason to believe that any data was misused?!  A little confusing and contradictory.  If confidentiality cannot be assured, assume it has been lost.

Members who have questions about the breach can call Prescription Advantage during regular business hours: 1-866-523-6846 or 1-877-610-0241 for those who are hearing impaired.

Commentary:
Much is left in the dark about this breach.  I certainly hope that more details are being shared with victims.  They should demand it.

I am curious about too many things to even mention them all.

Past Breaches:
October, 2007 - Massachusetts DPL sends Social Security numbers in mail


]]> Tue, 04 Dec 2007 13:17:26 +0000 breach computer security breach breach description prescription advantage security breach prescription advantage program data-breach laws lone identity thief thief Some Massachusetts seniors are at risk http://securityratty.com/article/e0018c4b3afaf54cea3014f38911ba5c http://securityratty.com/article/e0018c4b3afaf54cea3014f38911ba5c Security Breach

Date Reported:
11/16/07

Organization:
Indiana University-Purdue University Fort Wayne (IPFW)

Contractor/Consultant/Branch:
None

Victims:
Certain current and former "mostly international" students

Number Affected:
32

Types of Data:
Names and Social Security numbers (and Individual Taxpayer Identification numbers)

Breach Description:
IPFW announced that personal information pertaining to certain current and former students may have been accessed through an unauthorized installation of unspecified malicious software.  This breach primarily affects international students of the school.

Reference URL:
Purdue University Official Announcement
News Channel 15, WANE.com Story
The Journal Gazette News Story

Report Credit:
News Channel 15, WANE.com

Response:
From the sources cited above:

A security breach affecting a computer at Indiana University-Purdue University Fort Wayne was a small one, but school officials called it one too many

The university announced Friday that personal information of 32 people, mostly current or past international students, might have been accessed after “an unknown intruder” installed software on a university computer.

An internal audit of a former staff member's on-campus computer revealed the presence of malware, including an e-mail-stealing "Trojan horse" that was installed through an e-mail attachment.
[Comfyllama] Most "Trojan horse" programs are easily detected by most current anti-virus programs.  Many Trojan horse programs have pretty easily identifiable characteristics.  I question whether this system had current protection installed.  Kudos to school officials for conducting internal audits and responding to this incident well.

The security breach is the first known one in more than nine years that Kostrubanic has been with IPFW, but one is too many, he said.
[Comfyllama] The first "known" one sure, but most probably not the first one.  I agree with Mr. Kostrubanic that one is too many.  Mr. Kostrubanic is the current Director of Information Technology Services and CIO for Indiana - Purdue University Fort Wayne (IPFW)

Social Security numbers and Individual Taxpayer Identification numbers might have been among the vulnerable information, said Kostrubanic, who could not specify what university department housed the affected workstation.

"The individual kind of went against our practices and stored some information in a spread sheet on their local hard drive," said Michael Kanning, IPFW Information Technology Division.
[Comfyllama] Are these "practices" put into writing via a policy or procedure, and how often are they communicated and enforced?

IPFW has sent letters to the individuals whose information might have been accessed.

If students don’t receive a notice but would like to be sure their information was not involved, they can call 1-866-597-0010, a statement from Purdue University said.

The computer workstation was removed from the system and the software disabled, according to the university, which said there is no evidence the accessed information has been used for illegal purposes.

Social Security numbers were used routinely for identification in the years before identity theft became a concern, and Purdue and other universities have discontinued the use of the numbers except when required by law, the statement said.
[Comfyllama] An excellent best practice.  Hopefully there are additional protections in place around the use that is required by law.

More information about the incident also is available online at www.purdue.edu/news/ipfw0711.html.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, file a complaint with the FTC at www.consumer.gov/idtheft  or at 1-877-ID-THEFT (438-4338).

Student Reactions:

"It's a little bit scary that there stuff has been stolen," said student Chelsea Dougal.

"I'll be sure to be more cautious in what I'm doing, and make sure it's something that's actual, and not some sort of scam," said Dougal.

"It's through IPFW's network, so I think they can limit what people can do, I think... I hope," said IPFW student Casey Bowman.

"I trust that most of the systems pick-up things, and I would probably continue to do what I'm doing," said IPFW student Jermaine Porter.

Commentary:
Think for second about the information you store on your computer.  Most, if not all of us have things that we store that we wouldn't want shared with the rest of the world, let alone those who are determined to defraud.  How much of this information do we really need to store on our computer, or is there a better way?

It is not possible to complete guarantee that data is safe, but there are best practices for protecting important information against malware.  Seven tips that will help you:

1.  Install and maintain sound anti-virus software
2.  Install and maintain sound anti-spyware software
3.  Use a personal firewall and learn how it works
4.  Pay attention to things that seem abnormal, and investigate.
5.  Don't let others use your computer
6.  Use a business computer for business and a "fun" computer for personal stuff like games, chat, etc.
7.  Seek experienced help if you aren't sure of something.

There are plenty more, but this well get you started.

Past Breaches:
Unknown



]]> Thu, 29 Nov 2007 10:26:49 +0000 purdue university university information personal information university department university fort wayne computer vulnerable information students Some IPFW students exposed through malware http://securityratty.com/article/e9e4e49686bbca7d3d82fcf2967adea5 http://securityratty.com/article/e9e4e49686bbca7d3d82fcf2967adea5 Security Breach

Date Reported:
11/21/07

Organization:
Allied Irish Bank (AI

Contractor/Consultant/Branch:
None

Victims:
Certain AIB customers who made or received international payments between November 13th and 15th, 2007.  Some customers of other banks involved in the transactions may also be affected.

Number Affected:
11,000*

*AIB customers, unknown number of victims that are customers of other banks

Types of Data:
Names, addresses and "private bank account details".

Breach Description:
The announcement from AIB sums this breach up well; "A technical problem occurred in the issuing of these advice notices to some AIB customers that made international payments between the 13th and 15th November 2007. This affected 15,000 payment advices, which were sent in error to the wrong customers."

Reference URL:
The Irish Times Story
Computer Weekly Story
RTE Business Story

Report Credit:
The Irish Times

Response:
From the sources cited above:

A significant error at AIB bank earlier this month led it to send 15,000 notifications to its customers containing the private bank account details of other individuals. A total of 11,000 AIB customers are affected by the move, writes John Downes

Last night, it also emerged that some of the bank account details sent to AIB customers in recent days relate not just to AIB accounts, but also reveal the names and bank account details of customers with other banks.

It is understood that as many as 7,500 of the notices contained the names, addresses and full bank account numbers of AIB customers.This means these details, contained in notices relating to "inward" payments, are now in the possession of other customers of the bank.

Most of the remaining "outward" payment notices included the name of a bank account holder, usually with a bank other than AIB, and their account numbers, but not their address.

A bank spokesman said the information in question was no more or less than would be contained in a company invoice or cheque
[Comfyllama] Which wouldn't be a big deal if this information were meant to be public, but it WASN'T.

However the error, which AIB said was the result of a "technical problem" in the issuing of international payment advice notices, has been labelled a "serious breach" by a spokesman for the Office of the Data Protection Commissioner.
[Comfyllama] Sounds like someone made a change to one or more internal systems, likely without thorough testing and/or validation.

Customers of the bank who either received or transferred an international payment between November 13th and 15th are affected by the error.

Those who received the notices were wrongly provided with details relating to someone else's transaction. As a result, they were incorrectly told the transaction related to their account.
[Comfyllama] Can you imagine receiving a notice that X number of Euro (EUR) were transferred from your account, and you had nothing to do with it.  My heart would just about burst out of my chest!

The bank stressed that no customer accounts have been incorrectly credited or debited as a result of the error. A company spokesman added that it had "nothing whatsoever" to do with computer "hackers" or other unauthorised parties attempting to access its system.

AIB has informed the Office of Data Protection Commissioner which is awaiting an AIB report on the matter in the coming days. The company said it would allow affected customers to change their bank account details should they so wish.

"AIB regrets that this occurred and is currently writing to each customer involved to apologise, to explain how this occurred and to reassure them that this was an isolated error," the bank said.

One of the incorrect notices, seen by The Irish Times , wrongly informed the customer that a payment of €5,000 had been made from their business account to an account with the Bank of China.

Commentary:
Errors will always be a part of our daily lives, but at the same time we should do everything within reason to prevent them.  In IT, this is one of the primary reasons for proper change control processes.  As a part of most good change control, testing and validation are completed before the change is successful.  If testing and/or validation fail, a roll-back is initiated.

I'm not sure what AIB's change control processes or procedures are, but in this case they appear to have failed.  I am also not sure how sensitive the data involved actually is, so determining the risk to victims is a little sketchy.  Many IT folks aren't particularly fond of change control (and documentation in general), but this may be a good case to demonstrate its importance.

Now that I think a little more, these changes should have been thoroughly tested on a test platform prior to production implementation also.

Past Breaches:
Unknown



]]> Wed, 28 Nov 2007 14:08:26 +0000 bank account bank account details aib bank bank account aib details wrong customers customers AIB technical problem discloses details of bank transfers http://securityratty.com/article/99ed0b52cfa5ea621ff7790c17993f7a http://securityratty.com/article/99ed0b52cfa5ea621ff7790c17993f7a Security Breach

Date Reported:
11/21/07

Organization:
University of Florida

Contractor/Consultant/Branch:
None

Victims:
Former UF students who enrolled in classes (ISM 4220 & ISM 4330) taught by information systems and operations management professor Richard Elnicki between 1998 and 2001.

Number Affected:
534

Types of Data:
"sensitive information" including Social Security numbers of 415 students.

Breach Description:
The Liberty Coalition discovered a file containing sensitive personal information about certain former University of Florida students was publicly available on the school's Computing & Networking Services Web site since 1998.

Reference URL:
The Independent Florida Alligator

Report Credit:
The Liberty Coalition

Response:
From the source cited above:

"Social Security numbers were posted on UF's Computing & Networking Services Web site"

"14 files on the Web site contained "sensitive information" of 534 former UF students, including 415 Social Security numbers."

"All the individuals were former students of Richard Elnicki, a professor of information systems and operations management, and had taken classes ISM 4220 or ISM 4330 with him between 1998 and 2001"
[Comfyllama] Information security and identity theft just weren't as popular back in the late '90s.

"the files were on a Computer & Networking Services server that required a password to upload files, though the public could download the files without a password."
[Comfyllama] More concern around bad guys storing warez or modifying files, maybe?  Unsecured FTP and HTTP sites in the late '90s were popular places for hackers/crackers to store their files for free.

"The files were immediately removed by UF officials, who also worked with major search engines to clear their caches of the information, the release stated."

Steve Orlando, UF spokesman, said UF's investigation showed the numbers were posted in Elnicki's gradebook before UFID numbers.
[Comfyllama] I believe that the University of Florida stopped using Social Security numbers for identification some time ago, and now use UFIDs.  Sound decision.

"the Computing & Networking Services Web site's logs indicated nobody had accessed the information in five years"
[Comfyllama] As long as the server shows no other signs of tampering, then it can be reasonably assumed that the information was not accessed through HTTP (maybe FTP).

"UF is trying to find how the numbers ended up online and also reach those who might have been affected"

Commentary:
This breach brings me back to the late '90s, so I will reminisce.  In the late '90s I was working at the lead network engineer (there wasn't a dedicated security resource) for a software company that was really capitalizing on the Internet at all it had to offer.  We hosted a series of load balanced and redundant FTP/HTTP servers for downloads in excess of 3,000,000 per month.  From 1995-2000 none of the FTP/HTTP servers were firewalled and all of them allowed anonymous downloads.  We only secured uploads, much like this UF server.  Times have certainly changed, eh?

Enough of that.

Any company with a Web presence in the year 2007 should conduct external security audits no less than annually.  E-commerce, popular and complex sites require them more often.

Past Breaches:
Unknown



]]> Wed, 28 Nov 2007 06:17:23 +0000 florida sensitive personal information information information systems comfyllama information security web site services web site independent florida alligator files University of Florida student info online