[SecurityRatty] tag: davidson

Fugitive spammer dead in apparent murder-suicide

Fri, 25 Jul 2008 07:29:26 +0000

Spammer and escaped convict Eddie Davidson shot his wife and three-year-old daughter before turning the gun on himself Thursday night in Bennet, Colorado.

Colorado 'Spam King' walks away from prison camp

Mon, 21 Jul 2008 20:00:00 +0000

Convicted penny-stock spammer Eddie Davidson walked away from a federal minimum-security prison camp in Colorado on Sunday, the U.S. Department of Justice said Tuesday.

Colorado penny stock spammer gets jail time

Tue, 29 Apr 2008 20:00:00 +0000

A federal judge has ordered convicted spammer Eddie Davidson to just under two years in prison for sending out a large volume of spam promoting watches, perfume and penny stocks.

Is This How Security Will Be Improved?

Mon, 07 Apr 2008 12:20:00 +0000

"Davidson Cos. Sued for Negligence in Data Breach: Lawsuit confirms that companies can be held liable for failing to provide adequate security" (source)

"A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report."

This will be immensely fun to watch! So, for those companies that didn't start paying enough attention to security after viruses, then worms, then SOX, then PCI DSS, than bots, then data loss, then data theft, how about a threat of a nice cold lawsuit? Will it be enough to pay attention?

Well, we will see soon :-)

Show 024 - An Interview with Mary Ann Davidson

Fri, 14 Mar 2008 15:26:36 +0000

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.

Davidson Companies illegal network intrusion exposes clients

Fri, 01 Feb 2008 11:51:54 +0000

Technorati Tag: Security Breach

Date Reported:
1/30/08

Organization:
Davidson Companies*

*"Davidson Companies is a financial services holding company based in Montana. It includes D.A. Davidson & Co., an investment firm; Davidson Investment Advisors, a money management firm; Davidson Trust Co., a wealth management and trust company; Davidson Fixed Income Management, an investment and money management services firm; and Davidson Travel, a travel agency." - Source InformationWeek story

Contractor/Consultant/Branch:
None

Victims:
Clients and former clients

Number Affected:
226,000

Types of Data:
Names, Social Security numbers, and account numbers and balances

Breach Description:
Davidson Companies announced that a database containing sensitive personal information belonging to clients and former clients was accessed via an "illegal network intrusion".

Reference URL:
Davidson Companies " Important Client Announcement"
Great Falls Tribune online story
InformationWeek news story

Report Credit:
Erin Madison, Great Falls Tribune Business, with a special thanks to "Coop"
a Breach Blog reader

Response:
From the online sources cited above:

Davidson Companies clients and former clients were notified the week of January 28 of an illegal network intrusion, and steps clients should take to protect themselves from identity theft, including enrolling for a credit monitoring product being offered at Davidson's expense for 12 months.

A computer hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients.

The database included information such as account numbers and balances, said Jacquie Burchard, spokeswoman for Davidson Companies. However, the hacker didn't get access to the accounts.

"People's accounts at Davidson are fine," Burchard said. "Their assets are fine."
[Evan] Not really, I think of a Social Security number is an asset, an information asset. Just as important as protecting financial or physical assets is protecting information assets.

The computer hacker accessed information on 226,000 current and former clients, Burchard said.

"With the investigation ongoing, it would be inappropriate to delve into the technical aspects of the security breach," - Burchard
[Evan] No disrespect, but I don't think Jacquie Burchard would be qualified to "delve into the technical aspects".

"Despite our efforts to safeguard client information, a computer hacker using sophisticated techniques illegally accessed a database and obtained access to confidential client information," said William A. Johnstone, Davidson Companies president and CEO
[Evan] I respect Mr. Johnstone for communicating his thoughts about this breach. It demonstrates his understanding that he has a fiduciary responsibility to protect confidential information. I think we would be surprised at how many corporate executives do not understand this simple fact. Remember, terms like "sophisticated" are subjective and depend on perspective.

"All of us at Davidson are acutely aware of the uncertainty, stress and inconvenience associated with the potential compromise of personal information. We are fully committed to helping our clients deal with this unfortunate event as quickly as possible and are adopting measures to further enhance our network security." - Johnstone

The financial services company is temporarily opening call centers and extending branch hours to help answer clients' questions.

Current clients should call 800-909-6485.

Former clients should call 800-736-6153.

The Great Falls office of D.A. Davidson & Co. will be open for extended hours this week as follows:7 a.m. to 7 p.m. through Friday and 9 a.m. to 4 p.m. Saturday

The computer break-in occurred earlier this month, Burchard said. Authorities investigating the crime asked the company to keep the news extremely confidential during the early stages of the investigation.

This was a "very, very sophisticated hacker," Burchard said. "We don't know where this person is; we don't know who this person is."
[Evan] I speculate (I like to speculate when there is little risk!) that this attack was not as technologically advanced as claimed. How "very, very sophisticated" does an attacker need to be in order to convince another person to click on a link or open a browser. Often what seems to be very sophisticated is often very simple. Does that sound like Confucius?

Davidson Companies has many procedures and policies in place to protect client information, Johnstone added.

The company reportedly hired a penetration testing company last September to assess its IT security and the firm's hackers did not find any holes.
[Evan] If this company was worth a hill of beans, they should have found flaws. I am going to speculate again and say that they are and did. I don't think that this was a typical external hack (attack).

"Obviously, we're enhancing our IT (Information Technology) security systems," Burchard said.
[Evan] Yeah, obviously! ALL of us should ALWAYS be enhancing our security systems. Security is a life cycle discipline that requires constant monitoring and improvement. No destination here.

Law enforcement agencies note that because people are constantly finding new ways to hack into systems, it's an ongoing problem, she said.

Commentary:
I think I speculated more about this breach than I about any other on The Breach Blog. Maybe it’s a Friday thing, and maybe I have a point to make even if my speculation is 180 degress off. I suppose this could have been some uber l337 hack that got past multiple layers of defense such as firewalls, hardened servers, IDS/IPS, etc. (supposing they exist), but I can tell you that if this was the case, this is rare. Why go through all the work, when there are more effective means to access the same information?

A majority of security breaches are the result of simple mistakes, lack of knowledge, laziness, and/or poor common sense.

OK, I am stepping down from my soap box now. Have a nice weekend.

FYI, the Davidson login page is down

Past Breaches:
Unknown

Financial services firm hacked

Wed, 30 Jan 2008 21:00:00 +0000

Great Falls, Mont.-based Davidson Companies yesterday disclosed that hackers broke into its networks and gained access to a database containing the personal information of its clients.

Stolen laptops affect 337,000 Davidson County voters

Sat, 29 Dec 2007 08:30:26 +0000

Technorati Tag: Security Breach

Date Reported:
12/28/07

Organization:
Davidson County Election Commission*

*Davidson County, Tennessee has an estimated population of 607,413. The county seat is Nashville.

Contractor/Consultant/Branch:
None

Victims:
Registered Davidson County voters

Number Affected:
337,000

Types of Data:
Names, Social Security numbers, addresses and telephone numbers.

Breach Description:
A pair of laptop computers containing sensitive personal information belonging to 337,000 registered Davidson County, Tennessee voters was stolen from the Davidson County Election Commission office during the Christmas break.

Reference URL:
WTVF News Channel 5 Story
WKRN Channel 2 News Story
Nashville Business Journal

Report Credit:
News Channel 5

Response:
From the online sources cited above:

A break-in at the Davidson County Election Office at 800 Second Ave. has jeopardized a large number of voters' personal data, according to Ray Barrett, election administrator.

It looks as though they used a rock to break their way in.
[Evan] A rock is all it took. There is no mention of any alarm system and it appears that nobody noticed until they came back to the office.

taken were two Dell Latitude laptops containing information of 337,000 registered Davidson County voters

"As we look deeper into determining the extent of loss that occurred during the holiday break-in, we now know that full social security numbers were included on the voter files contained on one or more of the stolen computers." said Ray Barrett.

"Initially, we thought that the only information was the same that the public can purchase when putting together mailing lists, we now know that was incorrect."

The Election Commission says it will formally notify the public by mail that their full Social Security numbers may be available to outside parties and is asking voters monitor their financial and personal accounts for any suspicious activity.

Barrett says he has asked Metro's information technology department to make immediate changes to safeguard against any future security problems.
[Evan] I wonder what these people will come up with. Not only "immediate changes", but also effective changes. There are likely numerous changes that could be suggested. It all starts with policy.

The Election Commission says it does not anticipate that the theft will cause any problems in the upcoming Tennessee presidential primary.

Commentary:
This is an example of typical reactionary information security. "Immediate changes" are made after the significant loss of confidential information. I assume that there is not a well written or communicated information security policy at Davidson County. If there is, it is obviously not well enforced or supported by procedural, administrative, or technical controls.

Why are the offices not physically secure? If a rock is all that is needed to break-in and go undetected for x number of days, then the offices were not physically secure.

Why is confidential information stored on mobile devices (laptop in this instance)? Confidential information should be stored, whenever possible in a secure (physically and logically), centralized location.

Why are mobile devices that access, process, store, create, or transmit confidential data not encrypted? This is a point that I have been trying to drill home for years. Some people get it, some people fear it, and some people are oblivious. The sad thing is that consumers don't know which category the organization is in. Until consumers demand more, business as usual.

Past Breaches:
Unknown