<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: daylight]]></title>
    <link>http://securityratty.com/tag/daylight</link>
    <description></description>
    <pubDate>Sun, 04 Mar 2007 21:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Laptop containing personal information is stolen from U.S. Foodservice]]></title>
      <link>http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c</link>
      <guid>http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/13/08

Organization
U.S. Foodservice, Inc

Contractor/Consultant/Branch
None

Victims
Present and former employees, &quot;and in a few instances, their...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usfoodservice.jpg" width="146" align="right" height="71"><font size="2"><b>Date Reported: </b><br>6/13/08<br><br><b>Organization: </b><br><a href="http://www.usfoodservice.com/usf/html/index1.html">U.S. Foodservice, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Present and former employees, "and in a few instances, their dependents and applicants for jobs at USF"<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, social security numbers, home addresses, and/or dates of birth"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/us_foodservice.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information.<br><span style="font-style: italic;">[Evan] We now add U.S. 
Foodservice to the ever-growing list of organizations that refuse to encrypt laptops, yet allow confidential information to be stored on them.</span><br><br>Local authorities were immediately notified and we conducted an internal investigation.<br><br>the laptop contained certain old data files<br><span style="font-style: italic;">[Evan] I wonder how old these data files were.&nbsp; I also wonder if these files were supposed to have been removed and/or destroyed, but were missed.</span><br><br>In the course of our investigation, we determined that the laptop computer contained the names, social security numbers, home addresses, and/or dates of birth of some present and former USF employees, and in a few instances, their dependents and applicants for jobs at USF.<br><br>We are sending a notification letter to individuals impacted by this incident.<br><br>We expect to begin mailing the notification letters on June 13, 2008.<br><br>we have no indication that any of the information is being misused<br><span style="font-style: italic;">[Evan] A breach notification is almost not a real breach notification without this mention.</span><br><br>Please note that several years ago, the Company stopped using social security numbers to identify employees for internal reporting or other purposes.<br><span style="font-style: italic;">[Evan] A good move by the Company.&nbsp; USF is still required to collect Social Security numbers however.</span><br><br>Pursuant to USF policies, the laptop was protected by a unique user ID and password, but the individual files containing personal information were not encrypted or password protected.<br><span style="font-style: italic;">[Evan] I am interested in reading the USF policies.&nbsp; Do the policies only require a user ID and password to protect (or access) confidential information?&nbsp; Probably not sufficient.</span><br><br>U.S. 
Foodservice takes the security of your personal information seriously and apologizes for any inconvenience or worry this incident may cause you.<br><br>As a precautionary measure, we are making several services available at the Company's expense, free of charge to you, to assist you in protecting your identity.<br><span style="font-style: italic;">[Evan] A true "precautionary measure" might have been restricting confidential information storage on laptops (and other mobile media) or encryption.</span><br><br>Although at this point we have no indication that your information has been compromised<br><span style="font-style: italic;">[Evan] My definition of "compromised" obviously differs.&nbsp; In my opinion, if the confidentiality, integrity or availability of information cannot be reasonably assured, then the information IS compromised.&nbsp; If you believe that password-protection provides reasonable assurance, then you and I disagree.</span><br><br>Call the Toll Free Help Line at 1-866-584-9681 to get answer [sic] to your questions.<br></font><ul><li><font size="2">Staffed by a team of professionals</font></li><li>Monday through Friday from 6:00 a.m. to 6:00 p.m. (Pacific Daylight Time)</li><li>Saturday and Sunday from 8:00 a.m. to 5:00 p.m. (Pacific Daylight Time)<br></li></ul><font size="2"><br>Please know that while we have information security policies in place, we are reviewing those practices and procedures to see what changes need to be made.<br><span style="font-style: italic;">[Evan] It's good that USF has information security policies in place, but it doesn't mean that they are effective or that they are well enforced.&nbsp; A poorly enforced policy isn't worth the paper it's written on.</span><br style="font-style: italic;"><br><span style="font-weight: bold;">Commentary:</span><br>U.S. 
Foodservice is also offering one year of free credit monitoring and identity theft insurance.&nbsp; This would be fine minus the fact that a Social Security number has an effective lifespan that far exceeds one year.<br><br>If only there were other controls available to protect information stored on a laptop.&nbsp; Wait, we do!<br>&nbsp;<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font><br>
]]></content:encoded>
      <pubDate>Mon, 07 Jul 2008 19:35:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/protect information">protect information</category>
      <category domain="http://securityratty.com/tag/information security policies">information security policies</category>
      <category domain="http://securityratty.com/tag/usf">usf</category>
      <category domain="http://securityratty.com/tag/usf policies">usf policies</category>
      <category domain="http://securityratty.com/tag/policies">policies</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://breachblog.com/2008/07/07/usfoodservice.aspx">Laptop containing personal information is stolen from U.S. Foodservice</source>
    </item>
    <item>
      <title><![CDATA[We can't write secure code]]></title>
      <link>http://securityratty.com/article/79c47a2e1084bd1deba73b2fa9ab33e1</link>
      <guid>http://securityratty.com/article/79c47a2e1084bd1deba73b2fa9ab33e1</guid>
      <description><![CDATA[David Lacey makes the important point that writing secure software is &quot;not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the...]]></description>
      <content:encoded><![CDATA[
      <a href="http://www.computerweekly.com/blogs/david_lacey">David Lacey</a> makes the important point that writing secure software is "not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process." It's a subject I've been harping on about for some time, with many references to excellent resources such as <a href="http://www.owasp.org">OWASP</a>, and great leaders on the subject such as <a href="http://securitybuddha.com">Mark Curphey</a>.

Over the last few years I've heard many solutions proposed to fix the problem of insecure software, ranging from sacking the developers to improving the software development lifecycle so that security requirements are stated from the outset and followed through into production and beyond. The evidence is that none of it works. OK, the folk at <a href="http://www.microsoft.com/mscorp/twc/security/default.mspx">Microsoft</a>, for example, will say that security is now embedded in their culture, and they've certainly generated a nice new stream of revenue for themselves out of all the books, tools and journals on the subject. But they are still releasing security patches with a frequency and schedule that I wish the rail company I use each day could achieve with their trains. And other vendors are coming up with clangers at an alarming rate. For example, this <a href="http://secunia.com/advisories/29843/">latest one</a> from leading CMS vendor RedDot. An SQL Injection vulnerability in an enterprise-level CMS system - what were they playing at with their quality control?!

So, here's the thing. We can't write secure code. It's true. Can you show me any decent commercial, consumer-focused product (that people actually want to use - not just techies who haven't seen daylight in 12 years and live on a diet of digestive biscuits) that is secure from the off as soon as it's exposed to the Internet and where 12 months later it hasn't required a patch of some sort? Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the <a href="https://www.pcisecuritystandards.org/">PCI standards</a> and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

I'm not knocking OWASP et al. It's the first resource I recommend developers go to and will remain so. Just that the business expects more functionality, cheaper costs, more complexity, better performance, and a more rapid deployment for its products. Chucking in security with all that lot is like rubbing your belly and patting your head at the same time, while riding a motorbike. So, let's make it easy on ourselves. Application firewalls! 
      
   ]]></content:encoded>
      <pubDate>Fri, 16 May 2008 03:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/secure">secure</category>
      <category domain="http://securityratty.com/tag/code secure">code secure</category>
      <category domain="http://securityratty.com/tag/secure code">secure code</category>
      <category domain="http://securityratty.com/tag/secure software">secure software</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security holes">security holes</category>
      <category domain="http://securityratty.com/tag/security requirements">security requirements</category>
      <category domain="http://securityratty.com/tag/security patches">security patches</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html">We can't write secure code</source>
    </item>
    <item>
      <title><![CDATA[Caution: Patent trolls at work]]></title>
      <link>http://securityratty.com/article/9cada3fed71c01637029790838991e80</link>
      <guid>http://securityratty.com/article/9cada3fed71c01637029790838991e80</guid>
      <description><![CDATA[I received an amusing email from a person at another security company yesterday. They wanted to know how much revenue we did here at StillSecure and what we would be willing to pay as a license fee in...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a onclick="window.open(this.href, '_blank', 'width=220,height=220,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/03/31/caution_patent_trolls.jpg"><img title="Caution_patent_trolls" height="190" alt="Caution_patent_trolls" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/03/31/caution_patent_trolls.jpg" width="190" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></a> I received an amusing email from a person at another security company yesterday.&nbsp; They wanted to know how much revenue we did here at StillSecure and what we would be willing to pay as a license fee in regard to a recent patent they had been awarded.&nbsp; Before the visions of Sugar Plums were deeply engraved in this person's mind, I had to tell them that, &quot;sorry Charlie, Starkist wants tuna that tastes good&quot;.&nbsp; The fact is their patent did not apply to how our product works.&nbsp; But it brings up a bigger issue that has come up before, patent trolls.&nbsp; </p>

<p>Our patent system is in drastic need of an overhaul.&nbsp; In this particular case, I know for a fact that their use of this technology was not the first use in commercial instances.&nbsp; There is little doubt in my mind that at a trial this claim would be laughed out of court.&nbsp; The problem is getting this to trial.&nbsp; A defendant, even though successful, would have to pay a hefty sum in attorney costs and bad PR around the suit while it was pending.&nbsp; The courts are usually pretty reluctant to award attorney fees to the victorious side, let alone damages for harmed reputation. Plus the patent troll probably does not have the resources to pay such an award. I would like to see a statute put into law that if and when these trolls lose their lawsuits they have to pay the legal fees and consequential and real damages suffered by the party they accused of patent infringement. In fact they should have to post a bond to make sure they are good for fees and damages in the event they lose.</p>

<p><a onclick="window.open(this.href, '_blank', 'width=427,height=365,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/03/31/troll_2.jpg"><img title="Troll_2" height="128" alt="Troll_2" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/03/31/troll_2.jpg" width="150" border="0" style="FLOAT: right; MARGIN: 0px 0px 5px 5px" /></a> Personally I think companies would be better off executing on making their product work and selling it in the market, rather than hoping to sneak a patent through the patent office and become bloodsuckers off of someone else's hard work. It is for exactly this reason that I do not even mention the company involved here.&nbsp; Frankly, mentioning them on my blog would give them more daylight than they deserve.&nbsp; Let them keep limping along with a handful of employees trying to make 30 cents out of a quarter, hoping that some lawsuit will do what their own efforts at building a company could not.</p></div>
]]></content:encoded>
      <pubDate>Tue, 01 Apr 2008 06:07:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/patent">patent</category>
      <category domain="http://securityratty.com/tag/patent trolls">patent trolls</category>
      <category domain="http://securityratty.com/tag/patent troll">patent troll</category>
      <category domain="http://securityratty.com/tag/patent infringement">patent infringement</category>
      <category domain="http://securityratty.com/tag/recent patent">recent patent</category>
      <category domain="http://securityratty.com/tag/award">award</category>
      <category domain="http://securityratty.com/tag/award attorney fees">award attorney fees</category>
      <category domain="http://securityratty.com/tag/patent office">patent office</category>
      <category domain="http://securityratty.com/tag/trolls">trolls</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/caution-patent.html">Caution: Patent trolls at work</source>
    </item>
    <item>
      <title><![CDATA[Speaking of Security Podcast #52]]></title>
      <link>http://securityratty.com/article/7f3b00b68547c7a67dd4cf2cd7bbaeb6</link>
      <guid>http://securityratty.com/article/7f3b00b68547c7a67dd4cf2cd7bbaeb6</guid>
      <description><![CDATA[Click here to listen/download (10:59).

This week we speak with Larry Hamid, CTO, MXI Security , about how their USB portable security devices are used for strong authentication, as a biometric device,...]]></description>
      <content:encoded><![CDATA[<p><a href="https://www.rsa.com/blog/podcasts/070305_SecurityPodcast.mp3" target="_blank">Click here to listen/download</a> (10:59).<br><br>This week we speak with Larry Hamid, CTO, <a href="http://mxisecurity.com/" target="_blank">MXI Security</a>, about how their USB portable security devices are used for strong authentication, as a biometric device, to carry digital identities, and more. Also on the podcast is Sean Kline, Director of Product Management for RSA, who talks to us about the upcoming Daylight Savings Time (DST) change and how it affects IT professionals, home PC users, and <a href="http://www.rsa.com/node.aspx?id=1067" target="_blank">RSA customers</a>.</p>]]></content:encoded>
      <pubDate>Sun, 04 Mar 2007 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/rsa customers">rsa customers</category>
      <category domain="http://securityratty.com/tag/carry digital identities">carry digital identities</category>
      <category domain="http://securityratty.com/tag/daylight savings time">daylight savings time</category>
      <category domain="http://securityratty.com/tag/rsa">rsa</category>
      <category domain="http://securityratty.com/tag/product management">product management</category>
      <category domain="http://securityratty.com/tag/sean kline">sean kline</category>
      <category domain="http://securityratty.com/tag/biometric device">biometric device</category>
      <category domain="http://securityratty.com/tag/mxi security">mxi security</category>
      <category domain="http://securityratty.com/tag/strong authentication">strong authentication</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1172">Speaking of Security Podcast #52</source>
    </item>
  </channel>
</rss>
