[SecurityRatty] tag: disposal

HP layoffs, Wall Street blues, Palin's hack

Thu, 18 Sep 2008 20:00:00 +0000

The week got off to a rough start with the collapse of Lehman Brothers sending shudders through global financial markets and raising questions about whether there will be a ripple effect on the IT industry. After the market closed Monday, Hewlett-Packard added to the dismal mood by announcing it will lay off 24,600 employees as it integrates Electronic Data Systems into the HP fold. Republican vice presidential candidate Sarah Palin was the victim of an apparent hacking attack on the Yahoo account she uses for official business as governor of Alaska, and in other government-related IT news, a GAO report says the U.S. does a lousy job of following its regulations regarding electronic-waste shipment and disposal.

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

The Commoditization of Anti Debugging Features in RATs

Wed, 03 Sep 2008 03:46:00 +0000

Is it a Remote Administration Tool (RAT) or is it malware? That's the rhetorical question, since RATs are not supposed to have built-in Virustotal submission for the newly generated server, antivirus software "killing" and firewall bypassing capabilities.

Taking a peek into some of commodity features aiming to make it harder to analyze the malware found in pretty much all the average DIY malware builders available at the disposal at the average script kiddies, one of the latest releases pitched as RAT while it's malware clearly indicates the commoditization and availability of such modules :

" - FWB (DLL Injection, The DLL is Never Written to Disk)
- Decent Strong Traffic Encryption
- Try to Unhook UserMode APIs
- No Plugins/3rd Party Applications
- 4 Startup Methods (Shell, Policies, ActiveX, UserInIt)
- Set Maximum Connections
- Built In File Binder
- Multi Threaded Transfers
- Anti Debugging (Anti VMware, Anti Sandboxie, Anti Norman Sandbox, Anti VirtualPC, Anti Anubis Sandbox, Anti CW Sandbox)"

Malware coders or "malware modulators"? With the currently emerging malware as a web service toolkits porting common malware tools to the web, drag and drop web interfaces for malware building are definitely in the works.

HP Hires 140,000 to Get Rid of Your Job

Wed, 27 Aug 2008 09:47:57 +0000

HP completed its $13.25 billion acquisition of EDS today.

Can HP-EDS put its money where its mouth is? EDS profit margin, pre-acquisition, was under 6%. The former EDS CEO, now heading the combined outsourcing unit, expects to leverage HP automation tools to cut costs and improve that margin.

But Rod Bourgeois, an analyst at Sanford Bernstein says, “It’s not like HP has automation tools that weren’t at EDS’s disposal before.”

But this brings up a good point. EDS and 140,000 new bodies notwithstanding, HP seems to be positioning itself to do a big automation push in the marketplace.

Of course this makes sense – we’ve talked before about what a critical role automation is going to have in managing the rapidly evolving “dynamic” data center. Technologies like virtualization and cloud computing needs are pushing out the limits of real-time resources management in the data center; management tools must perform faster, integrate with more solutions across the spectrum of IT infrastructure and be smart enough to do much of this on their own.

Do You Speak E-Discovery? You Should, Even in Europe

Thu, 24 Jul 2008 08:05:25 +0000

How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"

The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause for action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause for action is nowhere as comprehensive as the obligation attached to discovery in common law.

There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.

Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.

The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.

The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation with European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.

E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

Employee fraud hits Baptist Health in Arkansas

Thu, 10 Jul 2008 20:00:20 +0000

Technorati Tag: Security Breach

Date Reported:
7/2/08

Organization:
Baptist Health*

*Baptist Health is the largest not-for-profit healthcare organization in Arkansas

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
~1,800

Types of Data:
"name, address, date of birth, Social Security number, and reason for coming to Baptist Health"

Breach Description:
"LITTLE ROCK (AP) - A North Little Rock woman has been arrested for using financial information from patients at Baptist Health to illegally obtain Wal-Mart gift cards for her own use. The hospital has notified about 1,800 patrons of the ID theft."

Reference URL:
Associated Press via WXVT Channel 15 News
KARK Channel 4 News
Arkansas Democrat-Gazette

Report Credit:
Toby Manthey, Arkansas Democrat-Gazette

Response:
From the online sources cited above:

Baptist Health has sent letters warning about 1,800 patients that the hospital system’s records may have been breached
[Evan] Uh, "may have been breached"?!

The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.
[Evan] Wouldn't life be grand if we could trust our employees? Maybe, I suppose.

The letters, mailed last week, follow the firing of the woman in early June

North Little Rock police say Tamara Hill, 30, of that city worked at Baptist Health Medical Center-North Little Rock in the emergency department.

Hill, an admissions clerk, was arrested May 30 at the Wal-Mart

Ebony Flowers, 25, also of North Little Rock, was arrested at the store the same day on three counts of identity fraud

Flowers was listed in a police report as a janitor for the North Little Rock School District
[Evan] Key word is "was".

Baptist Health recorded more than 950,000 patient visits systemwide in 2007, a number that includes repeat visits.

Mark Lowman, spokesman for the Little Rock-based Baptist Health system, confirmed that the system fired the employee after notification of the arrest.

Police reports say the women used a victim’s personal information to obtain temporary Wal-Mart "account authorization numbers" - credit cards, essentially - used to buy Wal-Mart gift cards.

The victim reported to police that he had not authorized the transactions

the same victim confirmed he was a Baptist Health patient

He expressed appreciation of the handling of the case by the system and by the North Little Rock police.

Among the items found during a search connected with the arrest of Hill was personal information for 24 other people, including "screen shots" - printouts showing the exact appearance of the images on a computer screen - that showed victims’ personal information.
[Evan] This seems like confirmation that "may have been breached" is not all that accurate.

Also found were four Wal-Mart gift cards and $ 1,490 in cash

Police found a small bag of marijuana on Flowers, according to the reports. In a search connected with her arrest, they also discovered a. 25-caliber magazine with six bullets, as well as a receipt for four of the gift cards and information on three-identity theft victims.
[Evan] A thug.

The U. S. Secret Service is helping with the investigation.

"Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."
[Evan] This is from the letter to the victims.

No information in the patient’s "medical records" and no information about the patient’s diagnosis or prognosis was accessed

while no "medical record" information was accessed, the letter mentioned the patient’s "reason for coming" to the system possibly was accessed

Lowman said a reason stated by a patient using the system isn’t considered medical information because the reason is a layman’s explanation, not one from a medical professional.
[Evan] This is Mark Lowman, spokesman for the Little Rock-based Baptist Health system

He said the breach wouldn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

"It doesn’t matter that [it’s not ] a prognosis or diagnosis," she said.
[Evan] Splitting hairs. The bottom line is that confidential personal information was stolen and there are victims. Whether or not it is a HIPAA violation seems somewhat irrelevant.

Dixon found the system’s letter lacking in several respects, such as clarifying the exact meaning of a "reason for coming to Baptist Health." The letter also should have mentioned when and for how long the breach occurred, she said.

"Almost all breach letters have that," Dixon added.
[Evan] Almost all breach letters have what? A mention about for how long the breach occurred? I must be reading some of the wrong breach letters because it seems to me that this information is 50/50 at best. Also missing is the "we have no reason to believe that the information will be misused", but this one doesn't fit does it?

Dixon said Baptist Health should have offered in the letter to set up free credit monitoring for victims.
[Evan] Why? One year (or two) of credit monitoring is almost useless. Credit monitoring alerts a victim after fraud has already occurred and one year (or two) of monitoring is too limited for information that has a much longer lifespan. I guess credit monitoring would be better than nothing, but not by much.

Lowman said the health system continually conducts audits to know which staff members are accessing what information, and whether or not the access is appropriate.
[Evan] Good!

"We’re always looking to provide better audits and better oversight of private, confidential and protected information," Lowman said.
[Evan] And Good!

Commentary:
Preventing and detecting employee fraud has always been a challenge. This doesn't mean we give up though. We have some tools at our disposal such as employee background checks, role-based access control, segregation of duties, and job rotation to name a few.

I don't think that these two crooks are anything more than common criminals. The fact of the matter is that identity theft and fraud are very easy crimes to commit and require very little skill.

Past Breaches:
Unknown

Taming of the Information Security

Wed, 09 Jul 2008 02:33:00 +0000

In many mid-size to large organizations, information security grows up to become an unmanageable complex beast. In some cases, this happens consciously where information security goes out of control, but in other cases this happens unconsciously where there is a slow but incremental increase in the complexity of information security which leads to chaos.

The information security field is not yet fully mature; there is a lack of cohesive interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: Intrusion Detection System (IDS) was quickly overtaken by Intrusion Prevention System (IPS). On the Firewall arena: the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching inside-out security approach i.e. building products with information security in mind from the beginning.

Threats are moving higher up in the OSI stack making it harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools available at their disposal. Security managers driving security initiatives without co-ordination can result in pieces of puzzle that don't fit well. Agency problem i.e. security managers thinking more about their personal advancement rather than security of the company is bad for the company’s security initiative. Security leaders who do not have a clear vision of

security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of US Dept of Veteran affairs resigned after the breach in May, 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of security initiative. Implementing security as an afterthought rather than building it into the framework not only result in poor architectural decision. Security investment is more like buying insurance. Thinking security as a vehicle providing an ROI can result in wrong expectation and lead poor decision. The business in which a company operates contributes largely to the perceived importance to security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

It could be a pipedream to accomplish complete information security but accomplishing a well managed information security program is an attainable possibility.

Media disposal must include sanitation

Mon, 07 Jul 2008 04:30:48 +0000

Media sanitation isn't a critical step when all sensitive information is encrypted, but releasing unencrypted systems to the public can have the same consequences as posting it on the Web.

Media disposal must include sanitation

Mon, 07 Jul 2008 04:30:48 +0000

Media sanitation isn't a critical step when all sensitive information is encrypted, but releasing unencrypted systems to the public can have the same consequences as posting it on the Web.