<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: disc]]></title>
    <link>http://securityratty.com/tag/disc</link>
    <description></description>
    <pubDate>Sun, 23 Sep 2007 01:29:48 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Lost Virgin Media CD contains customer information]]></title>
      <link>http://securityratty.com/article/1c4f6271bc8af8d9bf5193adb2fa0c67</link>
      <guid>http://securityratty.com/article/1c4f6271bc8af8d9bf5193adb2fa0c67</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/20/08

Organization
Virgin Group

Contractor/Consultant/Branch
Virgin Media

Victims
customers that signed up to Virgin Media services in Carphone...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/virgin.jpg" width="112" align="right" height="78"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/20/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.virgin.com/home.aspx">Virgin Group</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.virginmedia.com/">Virgin Media</a> <br><br><span style="font-weight: bold;">Victims:</span><br>"customers that signed up to Virgin Media services in Carphone Warehouse stores from January this year"<br><br><span style="font-weight: bold;">Number Affected:</span><br>3,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Bank details, names and home addresses<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Virgin Media is conducting an internal inquiry into why 3,000 customers' bank details were burned to a CD which was then lost, it emerged today."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.theregister.co.uk/2008/06/20/virgin_media_banking_loss/">The Register</a> <br><a href="http://www.finextra.com/fullstory.asp?id=18619">Finextra</a> <br><a href="http://www.precisionmarketing.co.uk/Articles/257101/Virgin+Media+admits+data+blunder+.html%20">PrecisionMarketing</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Chris Williams, The Register<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Virgin Media - the entertainment and communications arm of Richard Branson's Virgin Group - has lost an unencrypted computer disc containing the bank account details of 3000 UK customers.<br><br>The incident came to light inside the company on 29 May.<br><br>Virgin Media is part way through individually contacting the people affected, who all signed up in Carphone Warehouse stores nationwide from January this year.<br><br>It is not 
known why the data was burned onto a CD<br><span style="font-style: italic;">[Evan] This is the question we are all wondering.&nbsp; What goes through a person's mind when they do something that goes against common sense, anything?</span><br><br>A company spokesman told The Register that transferring sensitive data customer on CD goes against its policy of using secure FTP tranfers [sic].<br><span style="font-style: italic;">[Evan] Some people call an FTP server that requires a username and password a "secure" FTP server.&nbsp; There is "standard" FTP, in which the server may or may not require a password, but where data is transferred in clear-text (unencrypted), then there is "secure" FTP where data is transferred encrypted.&nbsp; I hope that Virgin Media's definition is the latter and not the former.</span><br><br>The data on the CD was not encrypted and also included names and home addresses.<br><br>Virgin Media emphasised the blunder had been "isolated" and had never happened before.<br><span style="font-style: italic;">[Evan] Do you think that this is the first data "blunder"?</span><br><br>This is an isolated incident which has affected a small number of our customers.<br><span style="font-style: italic;">[Evan] 3,000 victims are 3,000 victims, no matter how many customers there are in total.</span><br><br>The staff involved in the incident are subject to the internal inquiry.<br><br>The firm contacted the Information Commissioner's Office when it discovered the loss and took its advice on how to inform customers.<br><br>It is paying for credit file protection for everyone whose banking information is now out in the wild, which means any fraud will be indemnified and credit histories will be unaffected.<br><span style="font-style: italic;">[Evan] Credit monitoring, although better than nothing, is limited in scope.</span><br><br>While the financial cost to customers will be zero, and negligible for Virgin Media, the embarrassment should be 
massive.<br><br>"Customer privacy is of the highest important to us and we are undertaking a full review of our data protection policies and practices to ensure this matter does not occur again. We are very sorry this situation has occurred and for the inconvenience this has caused our customers."<br><br><span style="font-weight: bold;">Commentary:</span><br>It appears as though Virgin Media has data protection policies and practices.&nbsp; We can only guess how well written and communicated they are.&nbsp; If an employee was aware of and properly trained on policy and procedure and decided to violate those policies and procedures anyway, then that's one thing.&nbsp; If the employee was not aware of and trained, then this indicates a serious oversight on the part of the Virgin Media information security program.&nbsp; Information security training and awareness should not be underestimated. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Mon, 23 Jun 2008 14:33:22 +0000</pubDate>
      <category domain="http://securityratty.com/tag/virgin media">virgin media</category>
      <category domain="http://securityratty.com/tag/virgin">virgin</category>
      <category domain="http://securityratty.com/tag/virgin media services">virgin media services</category>
      <category domain="http://securityratty.com/tag/sensitive data customer">sensitive data customer</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data protection policies">data protection policies</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/inform customers">inform customers</category>
      <source url="http://breachblog.com/2008/06/23/virgin.aspx">Lost Virgin Media CD contains customer information</source>
    </item>
    <item>
      <title><![CDATA[What Happens When You Mix A Real Infection With A Mass Mail Hoax?]]></title>
      <link>http://securityratty.com/article/dbcf1975a08632c61a109170590edfbf</link>
      <guid>http://securityratty.com/article/dbcf1975a08632c61a109170590edfbf</guid>
      <description><![CDATA[Here's a strange one. Snopes has always been a website that helped to combat mass mail hoaxes. However, I've seen a few mails snowballing (with ever increasing CC lists) regarding a page on Snopes...]]></description>
      <content:encoded><![CDATA[
        Here's a strange one. <a href="http://snopes.com/">Snopes</a> has always been a website that helped to combat mass mail hoaxes. However, I've seen a few mails snowballing (with ever increasing CC lists) regarding a page on Snopes that talks about a real infection - namely, the <a href="http://en.wikipedia.org/wiki/Storm_Worm">Storm Worm</a>. I'm all for spreading the word on infections going around, but as the emails talk about a "new threat incoming" (specifically, the title of the forwarded mail is "Subject: read this!Please read: Big Virus coming") when the Storm Worm has actually been around for some time, it seems almost perverse to be sending mass mails about a real infection from a website devoted to combating hoaxes and.....mass mails.<br /><br />Even weirder, the content of the mail begins with the Storm Worm, but actually <i>finishes</i> with text from a certified, 100% hoax (as you'll see with my handy all-in-bold additions).<br /><br />The full content of the mail reads as follows:<br /><br />&nbsp;&nbsp;&nbsp; <i>Subject: read this!Please read: Big Virus coming<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Please read: Big Virus coming<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; http://www.snopes.com/computer/virus/postcard.asp<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I checked Snopes (URL above:), and it is for real!!</i><br /><br /><b>(At this point, that would be correct - the&nbsp; link does indeed point to an article on Snopes regarding the Storm Worm. However, it's all about to go horribly wrong). 
</b><br /><br /><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Get this E-mail message sent around to your contacts ASAP.<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!</i><br /><b><br />(The above suspiciously uses the required tone needed for fake EMail hoaxes to be passed around. It's almost like someone has done that on purpose, isn't it? At any rate, it all goes horribly wrong right....about.....now):</b><br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <i>You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD,' regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer.<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason why you need to send this e-mail to all your contacts It is better to receive this message 25 times than to receive the virus and open it.<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If you receive a mail called' POSTCARD,' even though sent to you by a friend, do not open it! Shut down your computer immediately.<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept .<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; COPY THIS E-MAIL, A ND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.</i><br /><br /><b>(.....wait, what? We're suddenly talking about something entirely different. 
The above is taken from the "Invitation" <a href="http://www.snopes.com/computer/virus/invitation.asp">hoax virus warning</a>).</b><br /><br />Interestingly, Snopes themselves have picked up on the fact that people are combining two (or in some cases three) different sets of information about one real virus and two hoaxes, and warn people to that effect at the bottom of <a href="http://www.snopes.com/computer/virus/postcard.asp">this page</a>:<br /><br /><i>"Readers should take particular care not to confuse the real postcard/greeting card virus with a number of virus-related hoaxes that have been circulating for several years. A variety of messages forwarded by well-intended people to warn others about the Postcard virus contribute to this confusion by including within them links to our article about the "Virtual Card for You" hoax (or by mistakenly incorporating elements from that hoax into their warnings). Other versions of the postcard virus warning erroneously combine it with elements of the Invitation virus hoax"</i><br /><br />Whoops.
        
    ]]></content:encoded>
      <pubDate>Mon, 23 Jun 2008 13:51:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/virus simply destroys">virus simply destroys</category>
      <category domain="http://securityratty.com/tag/virus">virus</category>
      <category domain="http://securityratty.com/tag/real virus">real virus</category>
      <category domain="http://securityratty.com/tag/norton anti-virus">norton anti-virus</category>
      <category domain="http://securityratty.com/tag/postcard virus contribute">postcard virus contribute</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/postcard virus">postcard virus</category>
      <category domain="http://securityratty.com/tag/destructive virus">destructive virus</category>
      <category domain="http://securityratty.com/tag/hoax virus">hoax virus</category>
      <source url="http://blog.spywareguide.com/2008/06/what-happens-when-you-mix-a-re.html">What Happens When You Mix A Real Infection With A Mass Mail Hoax?</source>
    </item>
    <item>
      <title><![CDATA[Two HSBC breaches with similar circumstances]]></title>
      <link>http://securityratty.com/article/00ff10de6ac5a9494418f28bae55cbac</link>
      <guid>http://securityratty.com/article/00ff10de6ac5a9494418f28bae55cbac</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/28/08

Organization
Hong Kong and Shanghai Banking Corporation ("HSBC

Contractor/Consultant/Branch
HSBC Branch at Bayview & Major Mackenzie (CA
HSBC...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/hsbc.jpg" align="right" height="47" width="154"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/28/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.hsbc.com/1/2/">Hong Kong and Shanghai Banking Corporation ("HSBC")</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www2.hsbc.ca/HICServlet?cmd_LocateBranch=&amp;BranchArea=ontario&amp;BranchCity=Richmond%20Hill&amp;BranchPrevious=cmd_GetCAMap=,cmd_LocateBranchCity=%7CBranchArea=ontario&amp;accept-language=en-CA">HSBC Branch at Bayview &amp; Major Mackenzie (CA)</a> <br>HSBC Branch in UK (Cheshire)<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown, "hundreds of bank customers" in Canada<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK<br><br><span style="font-weight: bold;">Breach Description:</span><br>Two breaches were reported in the past week affecting HSBC customers in Canada and the UK.&nbsp; In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road."&nbsp; In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://toronto.ctv.ca/servlet/an/local/CTVNews/20080601/HSBC_security_080601/20080601/?hub=TorontoNewHome">CTV News Toronto</a> <br><a href="http://www.wigantoday.net/wigannews/Children-find-secret-bank-files.4125352.jp">Wigan Observer</a> <br><br><span 
style="font-weight: bold;">Report Credit:</span><br>CTV News Toronto and Richard Bean at the Wigan Observer<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br><span style="font-weight: bold;">In Canada:</span><br>A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.<br><br>He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.<br><span style="font-style: italic;">[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes.&nbsp; Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.</span><br><br>he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the red bag at the side of the road with the HSBC bank logo emblazoned at the front.<br><span style="font-style: italic;">[Evan] I presume that this bag was lost in shipment.&nbsp; Was the information in the bag or the bag itself inventoried?&nbsp; Do you suppose the bank would have ever noticed that the bag was missing?</span><br><br>the bag belonged to the HSBC branch at Bayview and Major Mackenzie<br><br>"There were about 300 of them," he told CTV Toronto Saturday night. 
"There were more documents in there destroyed by the rain."<br><br>he tried to contact the bank but didn't have much luck<br><br>York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.<br><br><span style="font-weight: bold;">In the UK:</span><br>An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.<br><span style="font-style: italic;">[Evan] Does "dumped" mean thrown away, like in a dumpster?</span><br><br>The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.<br><br>Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.<br><span style="font-style: italic;">[Evan] Sheesh.&nbsp; A bad guy (or gal) could do a helluva lot of damage with this information.</span><br><br>The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.<br><br>Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them<br><br>She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." 
She has now filled a bag with as many of the computer print-offs she could find, although fears that many more have blown away on the windiest day of the year.<br><br>The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.<br><span style="font-style: italic;">[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.</span><br><br>Neither understood the significance of the papers – although Mrs Stewart immediately did.<br><br>She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.<br><br>"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.<br><br>"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications. <br>"I find it very alarming that this kind of information is just blowing about in the street.<br><span style="font-style: italic;">[Evan] No doubt!</span><br><br>"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."<br><br>A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend. 
<br><br>"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.<br><span style="font-style: italic;">[Evan] Is everyone aware of and following the "stringent procedures"?</span><br><br>"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.<br><br>"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."<br><span style="font-style: italic;">[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.</span><br><br><span style="font-weight: bold;">A UK Victim's Reaction:</span><br>"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."<br><br>"I have been with this bank since I was a young lad and it is very disappointing indeed."<br><br><span style="font-weight: bold;">Commentary:</span><br>Let's take this from both sides for a second.&nbsp; Poor information security practice led to these two breaches.&nbsp; Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information.&nbsp; I count five publicly reported breaches from HSBC in the past six months including the two in this post.&nbsp; There are likely more that weren't reported publicly as well.<br><br>Now the other side, for argument's sake.&nbsp; HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world.&nbsp; I presume that they also have hundreds of thousands of customers (maybe millions).&nbsp; Information security breaches in companies this large and diverse are bound to happen.&nbsp; It isn't possible to eliminate them, so the best you can 
hope to do is reduce risk to a level that is "acceptable" to management and shareholders.&nbsp; Information security personnel are not in the risk elimination business, we are in the risk reduction business.&nbsp; This is reality. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>May, 2008 - <a href="http://breachblog.com/2008/05/14/hsbc.aspx">HSBC loses a server in branch renovation</a> <br>April, 2008 - <a href="http://www.networkworld.com/news/2008/040708-hsbc-loses-disc-with-370000.html?fsrc=rss-security">HSBC loses disc with 370,000 customer details</a> <br>February, 2008 - <a href="http://breachblog.com/2008/02/06/hsbc.aspx">Five-year-old wanders into bank branch after-hours</a> </font><br><br>
]]></content:encoded>
      <pubDate>Mon, 02 Jun 2008 05:40:52 +0000</pubDate>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/bank customers">bank customers</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/bank officials">bank officials</category>
      <category domain="http://securityratty.com/tag/bank bag">bank bag</category>
      <category domain="http://securityratty.com/tag/bag">bag</category>
      <category domain="http://securityratty.com/tag/bank branch after-hours">bank branch after-hours</category>
      <category domain="http://securityratty.com/tag/street bank hsbc">street bank hsbc</category>
      <category domain="http://securityratty.com/tag/street">street</category>
      <source url="http://breachblog.com/2008/06/02/hsbc.aspx">Two HSBC breaches with similar circumstances</source>
    </item>
    <item>
      <title><![CDATA[HSBC loses disc with 370,000 customer details]]></title>
      <link>http://securityratty.com/article/31133de0dd788ee65fca3b1829c80aef</link>
      <guid>http://securityratty.com/article/31133de0dd788ee65fca3b1829c80aef</guid>
      <description><![CDATA[The HSBC banking group has lost an unencrypted, password-protected computer disc with the details of 370,000...]]></description>
      <content:encoded><![CDATA[The HSBC banking group has lost an unencrypted, password-protected computer disc with the details of 370,000 customers.]]></content:encoded>
      <pubDate>Sun, 06 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hsbc">hsbc</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <category domain="http://securityratty.com/tag/computer disc">computer disc</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/lost">lost</category>
      <source url="http://www.networkworld.com/news/2008/040708-hsbc-loses-disc-with-370000.html?fsrc=rss-security">HSBC loses disc with 370,000 customer details</source>
    </item>
    <item>
      <title><![CDATA[Laptop bought on eBay contained "highly confidential" Home Office disk]]></title>
      <link>http://securityratty.com/article/542dae17dbc72823ffb04451ce5a44c0</link>
      <guid>http://securityratty.com/article/542dae17dbc72823ffb04451ce5a44c0</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/28/07

Organization
The Home Office (UK

The Home Office is the government department responsible for leading the national effort to protect the public...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/homeoffice.jpg" align="right" height="98" width="125"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/28/07<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.homeoffice.gov.uk/"> The Home Office (UK)</a>*<br><br><font size="1">*"The Home Office is the government department responsible for leading the national effort to protect the public from terrorism, crime and anti-social behaviour." - Source <a href="http://www.homeoffice.gov.uk/about-us/">Home Office About Us</a> page </font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.leapfrogcomputers.co.uk/index.php"> Leapfrog Computers</a> <br><br><span style="font-weight: bold;">Victims:</span><br>N/A<br><br><span style="font-weight: bold;">Number Affected:</span><br>N/A<br><br><span style="font-weight: bold;">Types of Data:</span><br>Unknown - labeled "Home Office - highly confidential"<br><br><span style="font-weight: bold;">Breach Description:</span><br>A laptop reportedly purchased through eBay contained a CD marked "Home Office - highly confidential" under the keyboard and above the circuit board.&nbsp; The purchaser brought the computer to Leapfrog Computers in Westhoughton (UK) for repair where the technician discovered the encrypted compact disc.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.boltoneveningnews.co.uk/display.var.2079685.0.home_office_disc_found_in_laptop_by_pc_firm.php">The Bolton Evening News</a> <br><a href="http://news.bbc.co.uk/2/hi/uk_news/england/manchester/7269965.stm">BBC News</a> <br><a href="http://ap.google.com/article/ALeqM5g9x80l8GCsodMpoObmu7ydfXYhkAD8V3FF5O0">Associated Press</a> <br><a href="http://www.leapfrogcomputers.co.uk/support/index.php?_m=news&amp;_a=viewnews&amp;newsid=21">Leapfrog Computers online statement</a> <br><br><span style="font-weight: bold;">Report 
Credit:</span><br>Lee Bevan, Leapfrog Computers, brought to the attention of The Breach Blog by an informed reader<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay.<br><br>The CD was found between the keyboard and circuit board of the laptop by computer repair technicians<br><span style="font-style: italic;">[Evan] Obviously the CD was put under the laptop on purpose.&nbsp; But why and by whom?</span><br><br>Technicians at the shop called police who sent around anti-terrorist officers to confiscate the machine<br><br>The Home Office said investigations were under way into the incident.<br><br>The laptop had been taken into the Leapfrog Computers store by a customer who bought it on the internet auction site.<br><br>When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".<br><br>Managing director Lee Bevan said: "I thought it was a spoof at first - I just figured someone was having a joke."<br><br>Mr Bevan put the disk into the drive to check it and found it was encrypted.<br><span style="font-style: italic;">[Evan] I understand how curiosity can drive someone to put the disk in the drive to find out what is/was on it, but I wouldn't suggest doing this if it's marked "Home Office - highly confidential".&nbsp; Thankfully the disk was encrypted because this could have been a different story for Mr. 
Bevan had it not been.</span><br><br>Founder and managing director Lee Bevan contacted police, who spent three hours interviewing him.<br><br>Officers from Greater Manchester Police took the laptop and disk away but have now concluded their investigation<br><br>The Home Office — the government body responsible for maintaining law and order and fighting terrorism — confirmed the disc was genuine and said it was investigating the incident.<br><br>A Home Office spokesman said: "Both the laptop and the disk were encrypted, thus safeguarding any information that might be stored on them. <br><br>"Investigations are now under way. It would be inappropriate to comment further while they are ongoing."<br><br>Staff at Leapfrog are being finger-printed and having DNA swabs to rule them out of the investigation.<br><span style="font-style: italic;">[Evan] Think the Home Office is taking this seriously?&nbsp; Uh, yeah I would say so.</span><br><br>Mr Bevan, aged 36, said: "The disc had been put inside the laptop on purpose. As soon as we found it, we contacted the police, who came immediately.<br><br>"I'm just glad it's turned up here rather than landing in the wrong hands.<br><br>"I don't know where the disc has come from. 
I have never seen a disc stored in this way before."<br><br><span style="font-weight: bold;">Commentary:</span><br>This is very interesting and mysterious.&nbsp; How did the disk get there, who put it there, and for what purpose?&nbsp; I wonder if the disk was put under the laptop keyboard in order to get it out of a building or other secure facility without being noticed.&nbsp; Some high security organizations will actually check baggage and drives for the existence of disks, thumb drives and other mobile media.&nbsp; <br><br>Q.&nbsp; What could have made this much worse?<br>A.&nbsp; If the data on the disk is/was actually "highly confidential", the disk was not encrypted, and someone with bad intentions found it.&nbsp; Encryption is a very good thing, but only as good as the key management process that goes along with it.&nbsp; For instance, full disk encryption can easily be defeated on a laptop with a Post-It note that says "Username: john.doe, Password: G3tMy!-Key".&nbsp; Get what I am saying? <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 28 Feb 2008 13:10:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/home office">home office</category>
      <category domain="http://securityratty.com/tag/disk">disk</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/source home office">source home office</category>
      <category domain="http://securityratty.com/tag/home office spokesman">home office spokesman</category>
      <category domain="http://securityratty.com/tag/director lee bevan">director lee bevan</category>
      <category domain="http://securityratty.com/tag/lee bevan">lee bevan</category>
      <category domain="http://securityratty.com/tag/highly confidential">highly confidential</category>
      <category domain="http://securityratty.com/tag/leapfrog computers">leapfrog computers</category>
      <source url="http://breachblog.com/2008/02/28/homeoffice.aspx">Laptop bought on eBay contained "highly confidential" Home Office disk</source>
    </item>
    <item>
      <title><![CDATA[UK gov't laptop with confidential disc sold on eBay]]></title>
      <link>http://securityratty.com/article/30b595ef8c2fcfa441a96e271310666d</link>
      <guid>http://securityratty.com/article/30b595ef8c2fcfa441a96e271310666d</guid>
      <description><![CDATA[A laptop purchased on eBay recently arrived with a special bonus: Under the keyboard, a CD or DVD disc labeled &quot;Home Office&quot; and...]]></description>
      <content:encoded><![CDATA[A laptop purchased on eBay recently arrived with a special bonus: Under the keyboard, a CD or DVD disc labeled "Home Office" and "Confidential."
]]></content:encoded>
      <pubDate>Thu, 28 Feb 2008 11:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/dvd disc">dvd disc</category>
      <category domain="http://securityratty.com/tag/special bonus">special bonus</category>
      <category domain="http://securityratty.com/tag/ebay recently">ebay recently</category>
      <category domain="http://securityratty.com/tag/home office">home office</category>
      <category domain="http://securityratty.com/tag/confidential">confidential</category>
      <category domain="http://securityratty.com/tag/cd">cd</category>
      <category domain="http://securityratty.com/tag/keyboard">keyboard</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/242861475/article.do">UK gov't laptop with confidential disc sold on eBay</source>
    </item>
    <item>
      <title><![CDATA[U.K. gov't laptop with confidential disc sold on eBay]]></title>
      <link>http://securityratty.com/article/e1709f4a31be03c643be7ca330c94c99</link>
      <guid>http://securityratty.com/article/e1709f4a31be03c643be7ca330c94c99</guid>
      <description><![CDATA[The Home Office has launched an investigation after a buyer acquired a laptop on eBay that contained a disc with confidential...]]></description>
      <content:encoded><![CDATA[The Home Office has launched an investigation after a buyer acquired a laptop on eBay that contained a disc with confidential information.]]></content:encoded>
      <pubDate>Wed, 27 Feb 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ebay">ebay</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/home office">home office</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/disc">disc</category>
      <category domain="http://securityratty.com/tag/buyer">buyer</category>
      <category domain="http://securityratty.com/tag/investigation">investigation</category>
      <source url="http://www.networkworld.com/news/2008/022808-uk-govt-laptop-with-confidential.html?fsrc=rss-security">U.K. gov't laptop with confidential disc sold on eBay</source>
    </item>
    <item>
      <title><![CDATA[Turn off Autorun - yet another reminder]]></title>
      <link>http://securityratty.com/article/9cbd7cc25dd7fcf116ac136276b768b0</link>
      <guid>http://securityratty.com/article/9cbd7cc25dd7fcf116ac136276b768b0</guid>
      <description><![CDATA[Tony Bradley makes a great point on the Hack Report site about Autorun. Sure, it seems convenient that when you load a CD, DVD, or USB stick, some automatic action is taken. Isn't it great to have...]]></description>
      <content:encoded><![CDATA[<a href="http://hackreport.net/2007/11/27/autorun-autocompromise/">Tony Bradley makes a great point on the Hack Report site about Autorun</a>. Sure, it seems convenient that when you load a CD, DVD, or USB stick, some automatic action is taken. Isn't it great to have the new Springsteen disc start to play once you put it in?<br /><br />Actually, not so much. If any of that media is malicious, you've got no defense. If you remember the original Sony Rootkit issue from a few years back, most folks ended up installing the rootkit because they had Autorun engaged and the software automatically launched when the disc was loaded.<br /><br />It was my Velvet Revolver disc that infected me. But I'm reasonably technical, so I was able to remove it pretty quickly.<br /><br />I've already posted about this back in September in <a href="http://securitymike.blogspot.com/2007/09/autorun-is-hazardous-to-your-health.html">Autorun can be hazardous to your health</a>. But I think it's important enough to mention it again.<br /><br />So do yourself a favor and turn off Autorun. Detailed instructions are in Step 2 of Security Mike's Guide.]]></content:encoded>
      <pubDate>Fri, 30 Nov 2007 07:41:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/autorun">autorun</category>
      <category domain="http://securityratty.com/tag/velvet revolver disc">velvet revolver disc</category>
      <category domain="http://securityratty.com/tag/disc">disc</category>
      <category domain="http://securityratty.com/tag/disc start">disc start</category>
      <category domain="http://securityratty.com/tag/hack report site">hack report site</category>
      <category domain="http://securityratty.com/tag/tony bradley">tony bradley</category>
      <category domain="http://securityratty.com/tag/pretty quickly">pretty quickly</category>
      <category domain="http://securityratty.com/tag/security mike">security mike</category>
      <category domain="http://securityratty.com/tag/automatic actions">automatic actions</category>
      <source url="http://feeds.feedburner.com/~r/SecurityMike/~3/193020673/turn-off-autorun-yet-another-reminder.html">Turn off Autorun - yet another reminder</source>
    </item>
    <item>
      <title><![CDATA[Autorun: good for you?]]></title>
      <link>http://securityratty.com/article/6c03211b38bd5465e1dfc0cdca78620b</link>
      <guid>http://securityratty.com/article/6c03211b38bd5465e1dfc0cdca78620b</guid>
      <description><![CDATA[Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps...]]></description>
      <content:encoded><![CDATA[<p>Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start. Groovy!</p> <p><strong>No,</strong> if you're a security administrator. Many people still aren't aware of the security risk that autorun raises. It isn't new anymore, but <a href="http://www.darkreading.com/document.asp?doc_id=95556" target="_blank">DarkReading's Social engineering, the USB way</a> is still the best story to make the point. Check it out.</p> <p>I really can't think of any business reason for keeping this feature enabled. Please shut it off, domainwide, as soon as you can.</p> <hr>  <p>In <strong>Windows Vista/Server 2008</strong>, go here:</p> <blockquote> <p>Computer Configuration | Administrative Templates | Windows Components | AutoPlay Policies</p></blockquote> <p>Enable the "Default behavior for AutoRun" policy and set the default to "Do not execute any autorun commands."</p> <p>Enable the "Turn off Autoplay" policy and set it to "All drives."</p> <hr>  <p>In <strong>Windows XP/Server 2003</strong>, go here:</p> <blockquote> <p>Computer Configuration | Administrative Templates | System</p></blockquote> <p>Enable the "Turn off Autoplay" policy and set it to "All drives."</p> <hr>  <p>While this might be old news for many of my readers, disabling autorun still doesn't seem to be a common security mitigation. At a recent conference I was surprised at the number of folks who haven't considered the risks of leaving it enabled. Surely by now most of you have heard about how certain music CDs can <a href="http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx" target="_blank">spread rootkits</a> in your network. 
Yeah, holding down the [Shift] key when inserting a CD-ROM or USB drive will bypass the autorun.inf file -- but do you really want to rely on individual users remembering this? Nope. Group policy is your security friend: put it to good use here and disable autorun right now.</p> <p>(BTW, <a href="http://www.f-secure.com/weblog/archives/archive-082007.html#00001263" target="_blank">Sony is up to their dirty old tricks again</a>.)</p> <p> <hr> </p> <p><strong>Updated, 22 September 2007. </strong>Turns out there's a registry key that keeps track of all USB drives your computer has ever seen, and this key will override the Autorun settings if you insert a drive that your computer has seen before. So in addition to changing Autorun, you'll also need to delete this other key. Write a little script and call it from group policy. Here's the key to delete:</p> <blockquote> <p>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2</p></blockquote> <p>More details <a href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target="_blank">here</a>.</p>]]></content:encoded>
      <pubDate>Sun, 23 Sep 2007 01:29:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/autorun">autorun</category>
      <category domain="http://securityratty.com/tag/autorun raises">autorun raises</category>
      <category domain="http://securityratty.com/tag/autorun commands">autorun commands</category>
      <category domain="http://securityratty.com/tag/autorun settings">autorun settings</category>
      <category domain="http://securityratty.com/tag/key">key</category>
      <category domain="http://securityratty.com/tag/registry key">registry key</category>
      <category domain="http://securityratty.com/tag/disable autorun">disable autorun</category>
      <category domain="http://securityratty.com/tag/computer">computer</category>
      <category domain="http://securityratty.com/tag/computer configuration">computer configuration</category>
      <source url="http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx">Autorun: good for you?</source>
    </item>
  </channel>
</rss>
