[SecurityRatty] tag: cornerstone

Cornerstone Fitness for Women information found in discarded file cabinet

Mon, 05 May 2008 10:01:48 +0000

Technorati Tag: Security Breach

Date Reported:
4/30/08

Organization:
Cornerstone Fitness for Women

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, addresses, phone numbers and in many instances Social Security numbers copies of checks and credit card information

Breach Description:
"EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin."

Reference URL:
KRGV-TV Newschannel 5
The Monitor
The Brownsville Herald

Report Credit:
KRGV-TV Newschannel 5

Response:
From the online sources cited above:

EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin.

This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone.

He had Lisa's contract from Cornerstone Fitness.

He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account.

He also had about 30 other contracts.

It has everything you would want to know about them. I think those people deserve to know about it, " said Zumwalt. (Sammy Zumwalt, the person that called Ms. Cortez)

All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards.

Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg.

The center shut down several months ago.
[Evan] This isn't the first time that we have read about an organization vacating a location and leaving sensitive information behind (unsecured). Just in the past few months there was Affordable Realty in March, and Union Mortgage and First Magnus in February.

The paperwork was in Zumwalt's room for several weeks.

Recently, he decided to go through the stack of papers and came across the sensitive information.

Zumwalt turned the contracts over to NEWSCHANNEL 5.
[Evan] Why NEWSCHANNEL 5 and not the police or the Texas Attorney General? Do you think somebody wanted their 15 minutes of fame?

"At this point, we don't know what happened. This is not our usual practice. We are investigating it. We've been in the business for 10 years and this is the first time we hear of something like this. " (Joseph De la garza, one of the fitness club's owners)

NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile.

Cornerstone tells NEWSCHANNEL 5 they carefully guard all sensitive client information.

State Sen. Juan "Chuy" Hinojosa, D-McAllen, urged Texas Attorney General Greg Abbott to investigate, according to Jerry Strickland, a spokesman for the attorney general's office.
[Evan] I guess this is one good thing about reporting it to the media instead of the authorities. Mr. Hinojosa sees it on TV and pushes for an investigation.

"A lot of businesses are being very careless in the way they handle personal information," Hinojosa said. "Businesses (are required) to shred all information they no longer need."
[Evan] Oh yes, very true.

Victim Reaction:
"I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number.

Denise Grant told NEWSCHANNEL 5, "You never realize how important this information is until you have to try to prove that you are who you say you are." (a woman who claims to have been an victim of identity theft before)

Commentary:
Well, we all know (or should know) that this type of breach is nothing new, but I am keyed in on what Mr. Hinojosa stated, "A lot of businesses are being very careless in the way they handle personal information".

What will urge businesses to be more careful and secure personal information better? More laws? More costly fines? More laws mean more compliance. More compliance means more cost to companies. More cost to companies means more expensive goods and services. Seems that the same argument holds true for fines.

Maybe we should stop using a single identifier for all things personal (i.e. Social Security numbers). Do you think that the credit bureaus and the rest of the financial industry would go for such a radical idea? Do you know how the credit bureaus make money (I won't go into this now)? This would be a tough battle to fight.

An easy to implement solution does not exist. We have walked so far down this road that I think we may have gotten a little lost.

I have ranted long enough. On to the next breach, right?

Past Breaches:
Unknown

RIP Cisco PIX

Wed, 06 Feb 2008 04:00:00 +0000

I actually read this earlier this week but did not have a chance to comment. ComputerWorld had this article today that details that Cisco will stop selling its line of PIX firewalls on July 28th of this year. I don't think this announcement came as a shock to anyone. They had discontinued their VPN 3000 concentrators a year ago and it was only a matter of time that the PIX boxes went the same way. For me personally the PIX firewalls just seemed to always be there. Yes Checkpoint was the "cool" firewall when I first got into security, but PIX was from Cisco and it seemed like the cornerstone of their security business. Their IDS was not so good for a long time. Cisco's other security products were never considered back then (or now for that matter) to be best-of-breed, but PIX was a product that was not a bad product in its class.

What is more important though is what is taking the PIX place. It is the ASA line of UTMs. This presents living proof that the market is moving away from stand alone appliances like firewalls and IPS and towards UTM type of devices that also offer anti-virus, antispam, etc. I personally had perplexing experience this week on this very subject. One large analyst firm claims that by 2011, 50% of all network security will be spent on UTM. Then in speaking to an analyst from an even larger analyst firm, he said their position is that UTM will never catch on in the enterprise. Even if they buy a UTM box, they will not turn on the other features. So ASA boxes will just be used for firewall and VPN and perhaps IPS.

Here is the Shimel analysis for what it is worth. I think the larger analyst firm is wrong. I think they have only thought this half way through. I think what the facts are is that people buy the UTM for just one or two functions. I think that is true for both the mid-market and the enterprise market. What happens is after they buy the UTM and set up either the firewall or IPS or what have you, geek nature takes over. They can't help themselves but to experiment and tinker and see what the other functions can do and how they work. If these other functions work reasonably well without choking the box, they will slowly but surely use the other functions as well. So before you know it, that UTM that you bought as a firewall is doing UTM duty.

Anyway, any of you PIX owners out there don't throw out the old boxes just yet, Cisco will support them until 2013. In the meantime I am sure there will be no shortage of vendors looking to give you a deal to upgrade to the latest box. In the meantime if all you are interested in is a good firewall, don't pay anything. Go to http://cobia.stillsecure.com and use our community sourced firewall for free and upgrade to UTM down the road.

RIP Cisco PIX

Wed, 06 Feb 2008 03:46:31 +0000

The Pseudo "Real Players"

Mon, 14 Jan 2008 15:12:00 +0000

What happened with the recent RealPlayer massive embedded malware attack? Two of the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to ISC's blog in between the following 61.188.39.218/pingback.txt which was returning the following message during the last couple of hours "You're welcome for being saved from near infection".

As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.

Despite that the main campaign domains are blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and continue trying to load the now down domains. Moreover, the big picture has to do with a fourth domain as well, yl18.net/0.js, that used to be a part of the same type of massive malware embedded attack in November, 2007.

Why pseudo "real players" anyway? Because for this attack, they took advantage of what can be defined as a fad, namely the use seperate exploit as the cornerstone of the campaign, at least if its massive infection they wanted to achieve. The "real players" or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploits set, the higher the probability a vulnerable application will be detected and exploited. Therefore, given the number of sites affected it could have been much worse than it is currently based on speculations of the success rate of the campaign in terms of infections, not the sites affected - a success by itself. Execution gone wrong given the foundation for the attack - until the next time.