[SecurityRatty] tag: democrat

Liberal Democrat leader visits our lab

Fri, 17 Oct 2008 15:05:08 +0000

This week, Nick Clegg, leader of the UK Liberal Democrat Party, and David Howarth, MP for Cambridgeshire, visited our hardware security lab for a demonstration of Chip & PIN fraud techniques.

They used this visit to announce their new party policy on protections against identity fraud. At present, credit rating companies are exempt from aspects of the Data Protection Act and can forward personal information about an individual’s financial history to companies without the subject’s consent. Clegg proposes to give individuals the rights to “freeze” their credit records, making it more difficult for fraudsters to impersonate others.

Extremism in defense of security is no vice

Wed, 03 Sep 2008 20:00:00 +0000

During his acceptance speech for the 1964 Republican presidential nomination, Barry Goldwater proclaimed "…extremism in the defense of liberty is no vice." As a supporter of a strong defense during a time when the Vietnam peace movement was gathering momentum, Goldwater was portrayed as an extremist by his political rivals. Even though this image of a hawkish warmonger would be used to the Democrat's advantage during the presidential campaign, Goldwater stood by his principles.

VP Nominee Sarah Palin, Hacker?

Sat, 30 Aug 2008 14:51:57 +0000

John McCain’s pick for VP, Sarah Palin, knows a thing or two about retrieving evidence from a computer. The mainstream reporting calls her a “hacker” because she is able to retrieve files from the Windows recycle bin.

The Anchorage Daily News reports back in September 2004:

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich’s computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician “said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff,” Palin said in an interview. “I didn’t know what I was looking for, but I was there.”

And this is how Salon reports the same incident:

“In a neat symbolic fit, the agent responsible for Alaska’s current moment of reform and modernization is a woman, a breed once nearly as rare in far Northwest politics as a Democrat. Sarah Palin, a libertarian and hockey mom from the fast-growing suburbs of Anchorage, began her political career — as an appointed member of the state’s Oil and Gas Commission — by hacking into the computer of another commissioner, Randy Ruedrich, chairman of the Alaska Republican Party. Palin was seeking the evidence that she would eventually use to charge him with an improper relationship with lobbyists. (Ruedrich would later settle state ethics charges against him by paying a $12,000 fine.)”

Is this where the McCain administration is going to get their computer security expertise? She’s not a security expert but it is nice to see someone at the level of state govenor who knows their way around a computer.

Chertoff Misleads on Laptop Searches, Feingold Charges

Thu, 07 Aug 2008 16:46:19 +0000

In an interview with Wired.com, Homeland Security Chief Michael Chertoff blatantly mischaracterized when border agents can search Americans' laptops, Sen. Russ Feingold charges. The Wisconsin Democrat says Congress needs to step in to protect Americans from intrusive searches of their electronics.

Employee fraud hits Baptist Health in Arkansas

Thu, 10 Jul 2008 20:00:20 +0000

Technorati Tag: Security Breach

Date Reported:
7/2/08

Organization:
Baptist Health*

*Baptist Health is the largest not-for-profit healthcare organization in Arkansas

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
~1,800

Types of Data:
"name, address, date of birth, Social Security number, and reason for coming to Baptist Health"

Breach Description:
"LITTLE ROCK (AP) - A North Little Rock woman has been arrested for using financial information from patients at Baptist Health to illegally obtain Wal-Mart gift cards for her own use. The hospital has notified about 1,800 patrons of the ID theft."

Reference URL:
Associated Press via WXVT Channel 15 News
KARK Channel 4 News
Arkansas Democrat-Gazette

Report Credit:
Toby Manthey, Arkansas Democrat-Gazette

Response:
From the online sources cited above:

Baptist Health has sent letters warning about 1,800 patients that the hospital system’s records may have been breached
[Evan] Uh, "may have been breached"?!

The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.
[Evan] Wouldn't life be grand if we could trust our employees? Maybe, I suppose.

The letters, mailed last week, follow the firing of the woman in early June

North Little Rock police say Tamara Hill, 30, of that city worked at Baptist Health Medical Center-North Little Rock in the emergency department.

Hill, an admissions clerk, was arrested May 30 at the Wal-Mart

Ebony Flowers, 25, also of North Little Rock, was arrested at the store the same day on three counts of identity fraud

Flowers was listed in a police report as a janitor for the North Little Rock School District
[Evan] Key word is "was".

Baptist Health recorded more than 950,000 patient visits systemwide in 2007, a number that includes repeat visits.

Mark Lowman, spokesman for the Little Rock-based Baptist Health system, confirmed that the system fired the employee after notification of the arrest.

Police reports say the women used a victim’s personal information to obtain temporary Wal-Mart "account authorization numbers" - credit cards, essentially - used to buy Wal-Mart gift cards.

The victim reported to police that he had not authorized the transactions

the same victim confirmed he was a Baptist Health patient

He expressed appreciation of the handling of the case by the system and by the North Little Rock police.

Among the items found during a search connected with the arrest of Hill was personal information for 24 other people, including "screen shots" - printouts showing the exact appearance of the images on a computer screen - that showed victims’ personal information.
[Evan] This seems like confirmation that "may have been breached" is not all that accurate.

Also found were four Wal-Mart gift cards and $ 1,490 in cash

Police found a small bag of marijuana on Flowers, according to the reports. In a search connected with her arrest, they also discovered a. 25-caliber magazine with six bullets, as well as a receipt for four of the gift cards and information on three-identity theft victims.
[Evan] A thug.

The U. S. Secret Service is helping with the investigation.

"Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."
[Evan] This is from the letter to the victims.

No information in the patient’s "medical records" and no information about the patient’s diagnosis or prognosis was accessed

while no "medical record" information was accessed, the letter mentioned the patient’s "reason for coming" to the system possibly was accessed

Lowman said a reason stated by a patient using the system isn’t considered medical information because the reason is a layman’s explanation, not one from a medical professional.
[Evan] This is Mark Lowman, spokesman for the Little Rock-based Baptist Health system

He said the breach wouldn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

"It doesn’t matter that [it’s not ] a prognosis or diagnosis," she said.
[Evan] Splitting hairs. The bottom line is that confidential personal information was stolen and there are victims. Whether or not it is a HIPAA violation seems somewhat irrelevant.

Dixon found the system’s letter lacking in several respects, such as clarifying the exact meaning of a "reason for coming to Baptist Health." The letter also should have mentioned when and for how long the breach occurred, she said.

"Almost all breach letters have that," Dixon added.
[Evan] Almost all breach letters have what? A mention about for how long the breach occurred? I must be reading some of the wrong breach letters because it seems to me that this information is 50/50 at best. Also missing is the "we have no reason to believe that the information will be misused", but this one doesn't fit does it?

Dixon said Baptist Health should have offered in the letter to set up free credit monitoring for victims.
[Evan] Why? One year (or two) of credit monitoring is almost useless. Credit monitoring alerts a victim after fraud has already occurred and one year (or two) of monitoring is too limited for information that has a much longer lifespan. I guess credit monitoring would be better than nothing, but not by much.

Lowman said the health system continually conducts audits to know which staff members are accessing what information, and whether or not the access is appropriate.
[Evan] Good!

"We’re always looking to provide better audits and better oversight of private, confidential and protected information," Lowman said.
[Evan] And Good!

Commentary:
Preventing and detecting employee fraud has always been a challenge. This doesn't mean we give up though. We have some tools at our disposal such as employee background checks, role-based access control, segregation of duties, and job rotation to name a few.

I don't think that these two crooks are anything more than common criminals. The fact of the matter is that identity theft and fraud are very easy crimes to commit and require very little skill.

Past Breaches:
Unknown

White House Refused to Open Pollutants E-Mail

Thu, 26 Jun 2008 08:54:58 +0000

This is by far one of the more asinine things I have read in a while and speaks volumes to lunacy in the White House. The WH refused to open an email that was sent by the EPA because they disagreed with the conclusion that greenhouse gases are pollutants.

So, they played three monkeys and said, “la la la, I can’t see it. la la la” (not an exact quote) But, that’s not where the absurdity ends. The EPA could have sent a printed copy and that would have been the end of it.

Nope.

Instead they rewrote the conclusions to make more palatable for the dunking bird-set. Email has always been a best effort tool that has morphed into business critical function over the years. But, to say they wouldn’t open an email…wow. Remember folks, if you are a Republican or Democrat be sure to VOTE. You have a responsibility.

From NY Times:

Over the past five days, the officials said, the White House successfully put pressure on the E.P.A. to eliminate large sections of the original analysis that supported regulation, including a finding that tough regulation of motor vehicle emissions could produce $500 billion to $2 trillion in economic benefits over the next 32 years. The officials spoke on condition of anonymity because they were not authorized to discuss the matter.

Both documents, as prepared by the E.P.A., “showed that the Clean Air Act can work for certain sectors of the economy, to reduce greenhouse gases,” one of the senior E.P.A. officials said. “That’s not what the administration wants to show. They want to show that the Clean Air Act can’t work.”

November can’t come soon enough.

Article Link

Online theft and fraud involves OSU Bookstore customers

Thu, 05 Jun 2008 05:42:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
Oregon State University

Contractor/Consultant/Branch:
OSU Bookstore, Inc.*

*OSU Bookstore is a nonprofit corporation that has been serving Oregon State University and the town of Corvallis since 1914. Our main store is located in the Memorial Union on the Oregon State University campus. Today, as in 1914, the bookstore is governed by a Board of Directors composed of faculty, staff, and students of Oregon State University.

Victims:
Online customers

Number Affected:
"as many as 4,700"

Types of Data:
Personal information including credit card numbers

Breach Description:
"The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items."

Reference URL:
Albany Democrat Herald
Associated Press via KVAL Channel 13 News
KVAL Channel 13 News

Report Credit:
Albany Democrat Herald

Response:
From the online sources cited above:

CORVALLIS, Ore. (AP) - Oregon State officials say credit card scammers may have defrauded 4,700 online customers of the school's bookstore.

In March, OSP began investigation into a report that approximately 30 OSU Bookstore customers’ personal information may have been compromised following online orders.
[Evan] Unfortunately, the bookstore did not appear to be monitoring web traffic to and from the server to detect unusual (and potentially attack) traffic. The fact that this detective control was missing from the security architecture meant that the bookstore had to rely on customers to tell them something was wrong. An incident response should have probably been initiated at this point (March not May).

Then last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders

Bookstore General Manager Steve Eckrich says servers were shut down when the security breach was discovered.
[Evan] 2+ months after the bookstore was originally notified that something was wrong. At the time of this post, the site is still down.

"They tried different attacks and our Web site evidently had one vulnerability in it," said General Manager Steve Eckrich.
[Evan] I would bet my cup of coffee that the Web site had more than on vulnerability! I love my coffee. Where is the IDS/IPS?

The Bookstore has alerted its online customers who had made a purchase

State Police Lieutenant Jeff Lanz says the security breach appears to have originated outside the university, but where is unknown.

The OSU Bookstore has hired an outside agency to help with its own investigation and to provide guidance on strengthened security safeguards for its computing network.
[Evan] Good call it just stinks that the bookstore was reactive and not proactive.

"We'll be using their recommendations not only to solve that particular problem that was exploited but to add additional layers of security on top of that so that information is not exposed or cannot be exposed in the way that it was,"
[Evan] Another good call.

Commentary:
Obviously the OSU Bookstore did not employ the proper security controls to #1 secure the site, #2 detect a breach, and #3 respond to a breach. Three strikes. Poor planning and poor implementation. I hope that OSU Bookstore, Inc. takes the proper steps to formalize their information security program and reduce risk. We'll see.

Past Breaches:
Unknown

Stolen SunGard laptop affects at least 10 post-secondary schools

Mon, 21 Apr 2008 10:49:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College

Contractor/Consultant/Branch:
SunGard Higher Education*

*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.

SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!

Victims:
Students and a limited number of employees

Number Affected:
Unknown, but at least 23702

Types of Data:
Personal information including names, Social Security numbers and financial aid information

Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."

Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport

Report Credit:
SunGard Higher Education

Response:
From the online sources cited above:

A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.

Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.

The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. Operating system passwords (especially Windows) can be bypassed in a matter of seconds. This is a poor attempt to minimize the incident.

The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", it would have (in conjunction with other controls) reduced the risk of exposure to a level that is acceptable to many organizations (mine included).

All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.

The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.

could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.

could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.

Social Security numbers of about 16,000 current and former Buffalo State College students

affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.

We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that often times computer equipment is stolen for the hardware value, but how do we know? I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.

The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.

Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.

"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."

"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,

A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.

A help desk has been established with a toll-free number, (866) 520-2408, to respond to questions from affected individuals.

Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity. One year is very limited for information that has a much longer lifespan.

Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.

Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?

"You’d think it would be somewhat secure," Bissell said of his personal information.

He plans to closely monitor his bank statements and account activity following the announcement.

Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.

"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.

"I could wind up with bad credit when I’m on a good roll."

Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?

Nuts.

Past Breaches:
Unknown

Senator: Let's Spend $1B to monitor P2P for illegal files

Thu, 17 Apr 2008 18:50:01 +0000

A prominent Senate Democrat on Wednesday said federal and local police should use custom software to monitor peer-to-peer networks for illegal activity, and wants to spend $1 billion in tax dollars to make that happen.

Thoughts on Super Tuesday

Wed, 06 Feb 2008 03:44:05 +0000

Since I chimed in on Super Bowl Sunday, let me press my luck and talk about the primaries of Super Tuesday. I stayed up late tonight switching between CNN and Fox News to really get a "fair and balanced" view of what was going on. I must say that in all of the years I have been watching presidential races (and the first one I remember was '68), I don't remember both parties having such close races this late in the season. Without letting my own political beliefs get in the way here is my analysis:

1. The Republicans - They are in a fight for the soul of this party. Though all three leading candidates claim the title of heir to the Regan revolution, in my mind it is a bit different. Mike Huckabee, clearly is the choice of the Karl Rove wing of the party. He is the choice of the religious right and the South. This is the bedrock of the Republican presidential majority. Taking them on is John McCain who is a genuine war hero, but independent enough to stand for what he believes in and has the record and stature to stand up for it. He makes no bones that he is all about the traditional Republican argument of being strong in foreign policy and probably a bit less involved in economic matters. Finally, you have Mitt Romney who represents, to me anyway, the traditional Republican big business view. So who wins this fight for what it means to be a Republican. Are the Republicans a party of the religious right who vote primarily on social issues such as abortion, gay rights, etc. Are the Republicans the party of big business/small government which was their traditional stand as I grew up. Or finally are they the party who is best suited to keeping America safe and recognizing our own self-proclaimed "manifest destiny". I guess the rest of the primary season will answer that question.

2. The Democrats - Obama has certainly energized a large section of the populace. He is bringing people who never voted or are usually very under represented in elections into the process and that is a good thing. However, when you examine the wins, a Democratic winning their primary in Utah, Alaska and Idaho is just not very exciting. He has as no chance of winning those states in the general election. On the other hand Hillary has certainly demonstrated her ability to win in the traditional Democratic states (including Michigan and Florida, whose votes will have to count in a close race). But is she electable in a general election. She is a lightening rod for Republican wrath it seems. Maybe it is part of that vast right wing conspiracy that she always spoke about. What is interesting on the Democratic side, is I really don't just see a lot of difference in their positions. In fact most people I speak to say it would be cool if they would just join up and run as a ticket. Of course who is on top and bottom is the key to that one, but I don't think it will happen, to much ego there.

So, here we are Super Tuesday is over and still no conclusive answers. This is what I do know. No matter who wins the primaries, 40% of this country is going to vote Republican and 40% is going to vote Democrat. It is who the other 20% vote for that will will determine the next President. But as someone who remembers the Civil Rights movement and the womans lib movement. I can tell you that I am thrilled as an American to see in my life time that either an African-American or a woman will be the nominee of one of the major parties. I think it will be a while until we see something like that on the Republican side, but it will come. In the meantime I am looking forward to seeing how this all plays out. But this race is not done so yet, it is up to you to decide who wins. Get out and vote!