[SecurityRatty] tag: employ

The asymmetry of data loss - data thief has an upper hand

Wed, 01 Oct 2008 02:33:22 +0000

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables - Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

Around The Web For Friday

Fri, 26 Sep 2008 08:56:15 +0000

We’re frequently asked what we’re reading and what we like in blog posts, so here are some interesting things that hit our RSS readers that you may have missed:

COBIT rivals ITIL from The IT Skeptic

“Everyone is tiptoeing around the fact that COBIT offers a significant competitive body of knowledge (BOK) to ITIL. Sure ITIL goes into more depth in places, but to say COBIT sits over the top is to grossly understate the overlap. COBIT extends a long way down into the “how” and it does it with an intellectual rigour that ITIL lacks.”

Interesting stuff that. A detailed mapping might help some folks. Either way, the good news for those keen on understanding risk management is that governance metrics, done right, allow us to understand a part of that “capability to manage risk” we’re always looking for. Assurance, verification and the acquisition and interpretation of knowledge is king. Speaking of which….

How To Tell When “Nothing Happens” by Pete Lindstrom

“…problem is that, it isn’t really true that “nothing happens” when you employ some specific security control to prevent an exploit. Not only that, but even when it is difficult to collect data on what didn’t happen, one can devise experiments to tell how frequently that nothing occurred.”

Good analysis is all about the uncertainty. Speaking of accounting for uncertainty…

Assets Good Until Reached For by Gunnar Peterson

“If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.”

And there’s the trick. We might call “abstraction assurance” an analog to “confidence” or “uncertainty” in certain priors (metrics) or posteriors (calculated values based on those metrics). The stronger that abstraction assurance is, the less uncertainty we have in our knowledge and the better our ability to create wisdom from that knowledge (you know, make decisions).

Epstein, Snow and Flake: Three Views of Software Security by Adam Shostack

Adam’s focus is on software security, but the discussion here can be abstracted out into the broader realm of risk management quite nicely.

Two-thirds of firms hit by cybercrime from Security Focus

The US DoJ says that in 2005 (there’s some timely data) 2/3 of their surveyed firms detected at least one cybercrime. “Cybercrime” is “classified … into cyber attacks, cyber theft, and other incidents.” Pretty general. Also from the report: “Computer viruses made up more than half of all cyber attacks.”

(That sound you hear is me tapping my forehead lightly on large iron object)

Lessons Learned from “Personal” Risk Management By: Christopher Daugherty

“This process is what I call “personal risk management.” All of us have done it and will continue to do so. Why is it, then, many companies have ignored following similar principles with the on-going health of the business? This is a debate with many different answers so I ask you to select the best answer for your employer:

a) Have not ignored as this keeps me awake at night!

b) Please restate the problem, I cannot hear well with my head buried in the sand.

c) We passed our SOX audit so we checked this off the list!

d) We are informed of the challenge but we have a business to run and profits to make

e) Is this what internal audit and risk management has been telling us?”

One Mans Frustrations With Risk Management

Tue, 23 Sep 2008 14:05:20 +0000

Chris, who is a male in Government C&A has a blog with a wonderful title: How is that Assurance Evidence?

I’d love to have another blog even more specific - “Ok, that Assurance is Evidence Of What, Exactly?

Today he has a great article called:

What’s the matter with Risk Management?

And “in short, it’s everything.” It pretty much sums up why I had to grow to re-evaluate how our industry does risk, risk management, approaches controls & vulnerability and find a new way. A couple of things jump out at me in reading Chris’ article:

1.) Just because that Deming cycle sucks and is full of unknowns doesn’t mean “risk” doesn’t exist, nor that it isn’t of primary importance. Nor does it mean that in the absence of model & methodology, we won’t be “doing” risk analysis anyway - just in an ad hoc method and completely from “the gut”.

Our industry calls these unstructured risk analysis “Best Practices”, as it’s an easy and convenient way of sweeping the unknowns under the rug of bureaucracy and enforcing it via peer pressure.

2.) What this “suckiness” does mean is that your model and methodology aren’t helping you. As Chris intimates, there is too much uncertainty in the inputs for his model (they are, in the language of Bayesians - too subjective to be useful priors).

Take for example how we might be approaching the “controls” part of our analysis. Chris writes:

“2. What are the controls that we have to employ?
800-53, ISO 27001, PCI, etc.

Still kinda good, but we basically know that ISO is relatively voluntary and NIST supplies a control catalog and not policies. So here we have to take the control catalog, and mash our policies into it.”

I wouldn’t call this “kinda good” at all :) These control catalogs only provide a hierarchy within which to look for evidence of our ability to resist an attacker. They are incapable of making any claim about the effectiveness of the controls when they are operated at 100% efficiency, or more importantly, what % efficiency our specific organization operates at.

Let’s use Chris Hayes’ Initech as our fictional example.

Initech has a control (a back door on a loading dock). Now the locks on the door are 100% capable of locking the door. This is different than saying that they are capable of frustrating all but the top 5% of lockpicking burgalars. It is also diffferent than saying that in a sample of several “walk around audits” the doors are left open 20% of the time (they are not in compliance with policy 100% of the time). Even worse, that 80% of the time the door is not propped open? Yeah, tailgating is a known issue.

So we have several different variables here that we need to account for (and it’s just a door). But the analogy stands that most “risk management” methodologies are “We have a door, yes/no?” And most GRC platforms, when asked for their “opinion” will simply say “door is needed” or, even worse, “a door policy is needed”.

3.) Criticality and the Source of Value is all messed up in these Risk Management models.

Chris writes:

Someone wants me to tell them which boxes are more critical than others. This is mainly because of budgetary or operational reasons. To which I usually say “All of them, it is a system after all”.

This literally made me laugh out loud. And this sort of “rate the firewall as Risk = 500 but rate the actual business application as Risk = 157″ thing is also endemic. Now Chris is very smart here. He correctly identifies that the value is tied to the business process the systems support, and not to a specific box. Oh, we scan at the specific box level - but because of the nature of systemic failures - all the boxes in the process are inexorably interrelated.

One of the reasons I really like FAIR is that the losses are quantified (or qualified) based not on some amorphous value of the box or the process itself, but losses are linked to the actions that the threat will take. Take systems in a highly regulated industries as an example. Usually the most probable losses aren’t due to system compromise per se, but in the disclosure the compromise causes (regulators are a threat source, after all). But many “risk management” methodologies will say “online banking is worth $2 billion, the value of the systems is therefore $2 billion”. And suddenly we’re telling executive management that there’s a 60% probability that they’ll lose $2 billion.

4.) If the primary source of prior information for your “risk management” methodology is a vulnerability scanner - you’re doing it wrong. Chris writes:

So we ran a scan and now we have a report. A snapshot in time to make all decisions. Where did these vulnerability ratings come from? Do I even know if my system is at risk? What if I spend my time on vulnerabilities that have no threat?

So first, my thoughts are that actual “vulnerability” must be a comparison of the force a threat can apply, and our ability to resist that force (this is a probability statement, btw).

Changing your thinking about vulnerability now helps us understand the problem in several new ways. First, you can start to divorce yourself from the scanner. After all, the scanner is simply providing you with current state information that is usually just relevant variance from policy. It doesn’t really tell you about real “weakness in a system” because the system is an interrelated mess of people, processes and IT assets.

5.) Finally, most “risk management” approaches just *don’t* do a good job of helping us understand the how’s and why’s of managing risk. In the past, I’ve referred to these standards as really being “issue management” because they are at their heart, an act of discovery - a formal process around gathering prior information. They are not, in and of themselves, capable of linking the issues discovered to the root cause. And these root causes? Yeah, they’re the things that create “risk”. Not a threat, not a vulnerability, not the existence of an asset - the amount of risk that we have stems from our capability to manage it.

So Chris, I completely agree - but I wouldn’t give up yet. There actually are a few of us who are focused on what you suggest:

Where to go from here: A fundamental revamp of how to deal with Risk. Where risk professionals focus on the treating the sickness and not the symptoms, and come up with some new success/actionable metrics.

Chris, there’s nothing I want to do more than that.

The Growing Security Skills Shortage

Tue, 19 Aug 2008 05:02:06 +0000

We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” worth championing their advancement.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.

What do you think? Are we about to hit a very big wall when it comes to skills and staffing? Are you presently feeling the pain of a skills shortage? Do you see such a shortage looming? What measures are you taking to acquire and nurture talent? Which ones are successful and why?

I welcome your thoughts on the topic.

Great Trend Micro article on Understanding Malware

Sat, 09 Aug 2008 11:33:56 +0000

Reading this article will be worth your time.
Cyber criminals are constantly coming up with new angles to get you to become infected with their Malware.

clipped from newsletters.trendmicro.com

Malicious URLs: Ticket to Malware

To better understand malicious URLs, it helps to divide them into two broad categories: 1) URLs that use social engineering to initially entice users to click on them, and 2) techniques that do not involve social engineering, but instead employ various technological means.

Email Hacking Going Commercial

Wed, 23 Jul 2008 22:04:48 +0000

This email hacking as a service offering is the direct result of the public release of a DIY hacking kit consisting of each and every publicly known vulnerability for a variety of web based email service providers, with the idea to make it easier for someone to execute their attacks more efficiently. Outsource the hacking of someone's email, and receive a proof in the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in even after they've changed their passwords? Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers. The service works in 7 steps :

"1- Submit your case to one of our experts.
2- After successful submission , you will be sent a confirmation email along with your Case Reference Number (CRN) .
3- Our expert(s) will revert back to you in a few minutes with the details, the charges & the turn-around time. You may also be asked to provided additional information through a private form if required by our expert.
4- Once our expert has all the required information, you will be provided a username/password to our client area where you can view the real-time progress of your case.
5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will provide you with proof-of-success , which you can verify and confirm.
6- Once you have verified the authenticity of success, you will be sent detailed payment instructions. You will be asked to pay using anyone of our multiple payment methods.
7- Once the payment is realized, we will provide you the requisite information"

Who's doing the actual email hacking? Independent contractors on behalf of the service as it looks like :

"Most other groups employ phishing , trojans or viruses which could damage or even alert the target. Our experts use techniques which are developed by themselves , not shared by anyone. We don't ask them how they do it, but as long as they provide us the desired results, its ok for us. Since we test their methods while they are on probation period with us, we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the methods used by CSP."

How would they prove that they've managed to hack the email account before requesting the payment?

"1- Multiple screenshots of the mailbox
2- A copy of your own email which you had sent to the target
3- A copy / part of the address-book of the target mailbox."

Ironically, a hypothetical questionarry that I once speculated a private detection would require from someone interested in Outsourcing The Spying on Their Wife, in order to set the foundations for a successful social engineering attack, is being used by the email hacking group.

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

Canadian farmer personal information on stolen CCGA laptop

Sun, 08 Jun 2008 15:32:52 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Canadian Canola Growers Association (CCGA)

Victims:
Farmers

Number Affected:
~32,000

Types of Data:
"social insurance numbers, bank account numbers and other data"

Breach Description:
"OTTAWA, June 5 (UPI) -- Prairie farmers in Canada are upset the federal government waited two months to tell them a laptop computer containing their personal data was missing."

Reference URL:
Winnipeg Free Press
CBC News
United Press International

Report Credit:
Lindsay Wiebe, Winnipeg Free Press

Response:
From the online sources cited above:

About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen.

The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance.
[Evan] No offense to programmers, but in my experience the ways they use information can be some of the most dangerous threats to information security. There is no reason for a programmer to EVER have access to confidential production information. Programmers should only be permitted to work with scrubbed information in a test and/or development environment.

CCGA general manager Rick White described the theft as a classic "smash and grab."
[Evan] Also classic as in another organization that either does not know how or is unwilling to properly secure confidential information.

The laptop has the bank account numbers and social insurance numbers of farmers who applied for Agriculture Canada's advance payments program, which is administered by the CCGA on behalf of the federal government.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them

The federal department has sent letters out to all farmers affected by the theft.

The letter said the laptop was stolen from an undisclosed, remote location in Manitoba.

"We treat this very seriously," White said. "This is an unfortunate incident, a very low-risk one."
[Evan] Mr. White is probably not well versed in risk analysis. Or incident response for that matter.

the strict security measures being used on the laptop reduce the chances of information being misused, White said.
[Evan] Like what?

"There was a very strong password protection on it, [and] there was a biometric fingerprint reader on it," he said. "That would prohibit anyone other than the user or the person with the password to access the data on the laptop."
[Evan] These are "strict security measures"? My emphatic answer is NO! These "strict security measures" are easily bypassed.

but the data was not encrypted
[Evan] The missing piece of the puzzle. Why go through all of the (self-proclaimed) "strict security measures" and not employ encryption. What you get with full-disk encryption is pre-boot authentication and this defeats the boot to CD attack.

Agriculture Canada spokesman Sean Malone said there were security features on the laptop, but a sophisticated hacker could likely bypass them.
[Evan] No sophistication required. A novice could figure it out with Google, a CD, and 15 minutes.

So far, there have been no reports of identity theft among the farmers, the report said.

Pitblado LLP privacy lawyer Brian Bowman said the CCGA and agriculture department deserve credit for notifying people of the breach -- a move not required by Manitoba law.
[Evan] Just because CCGA is not required by law, doesn't mean that they deserve any credit for notification. The information belongs to the victims not CCGA, and as owners of the information don't you think they should be informed of an incident that has the potential affect them personally?

Victim Reaction:
"If they're devilish enough to steal a computer, maybe they're devilish enough to do something with the information,"

"What frustrates me is that they've treated this like it's no skin off their back,"

"They've known this since then and they're only getting the letters out now?"

"I don't want to find out a mortgage has been taken out on our farm."

Commentary:
It is bad enough for an organization to lose confidential information on a poorly protected laptop, but what makes this more troubling is the apparent fact that they still view the practice that led to the breach as a low risk. Clueless and sad.

Past Breaches:
Government of Canada:
December, 2007 - Passport Canada web site suffers serious breach
November, 2007 - Service Canada stolen laptop affects more than 1,600

AT&T management information on stolen laptop

Sun, 08 Jun 2008 14:28:48 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
AT&T

Contractor/Consultant/Branch:
None

Victims:
AT&T management personnel

Number Affected:
Unknown

Types of Data:
Compensation information, including employee names, Social Security numbers, and salary and bonus information.

Breach Description:
"An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop."

Reference URL:
PogoWasRight
SC Magazine
NetworkWorld

Report Credit:
PogoWasRight

Response:
From the online sources cited above:

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.
[Evan] Don't you think that a well known (and respected) company like AT&T would have had the forethought to encrypt laptops?

Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.

This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information

The laptop was stolen May 15 from the car of an employee

The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.

No customer or client data were on the stolen laptop.

the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.

AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."

"Usually these are property crimes in which the drive is wiped clean and resold for profit,"
[Evan] This used to be the case, but do you think the same still holds true today? If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it. Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record. Do the math and it soon becomes apparent that a thief can profit much more by selling the information. I presume that some thieves know this.

The employee who was in possession of the laptop when it was stolen has been disciplined.
[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it? If the employee was aware of his/her responsibilities, then I can understand the disciplinary action. If not, then AT&T has much bigger problems.

"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."
[Evan] Really? It is "up to the employee" to ensure that sensitive material is encrypted? Most of the users I work with wouldn't know the first thing about how to encrypt information. This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build. Encryption is then semi-transparent and we don't need to worry about an incident such as this. Take information security out of the hands of employees if feasible.

AT&T used the breach as a reminder that employees must follow policies.
[Evan] Hopefully this isn't the only time employees are reminded to follow policies.

We deeply regret this incident.

You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.

The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.
[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&T is "in the process of encrypting devices"? To AT&T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never. Explain this to the people affected.

AT&T is offering free credit monitoring to those affected

Victim Reaction:
"I'm very disappointed in my company,"

"Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Commentary:
Excellent work at PogoWasRight.org. Their report contains copies of the actual AT&T correspondence. Obviously, AT&T should have known better.

The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report. The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).

Past Breaches:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected

Online theft and fraud involves OSU Bookstore customers

Thu, 05 Jun 2008 05:42:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
Oregon State University

Contractor/Consultant/Branch:
OSU Bookstore, Inc.*

*OSU Bookstore is a nonprofit corporation that has been serving Oregon State University and the town of Corvallis since 1914. Our main store is located in the Memorial Union on the Oregon State University campus. Today, as in 1914, the bookstore is governed by a Board of Directors composed of faculty, staff, and students of Oregon State University.

Victims:
Online customers

Number Affected:
"as many as 4,700"

Types of Data:
Personal information including credit card numbers

Breach Description:
"The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items."

Reference URL:
Albany Democrat Herald
Associated Press via KVAL Channel 13 News
KVAL Channel 13 News

Report Credit:
Albany Democrat Herald

Response:
From the online sources cited above:

CORVALLIS, Ore. (AP) - Oregon State officials say credit card scammers may have defrauded 4,700 online customers of the school's bookstore.

In March, OSP began investigation into a report that approximately 30 OSU Bookstore customers’ personal information may have been compromised following online orders.
[Evan] Unfortunately, the bookstore did not appear to be monitoring web traffic to and from the server to detect unusual (and potentially attack) traffic. The fact that this detective control was missing from the security architecture meant that the bookstore had to rely on customers to tell them something was wrong. An incident response should have probably been initiated at this point (March not May).

Then last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders

Bookstore General Manager Steve Eckrich says servers were shut down when the security breach was discovered.
[Evan] 2+ months after the bookstore was originally notified that something was wrong. At the time of this post, the site is still down.

"They tried different attacks and our Web site evidently had one vulnerability in it," said General Manager Steve Eckrich.
[Evan] I would bet my cup of coffee that the Web site had more than on vulnerability! I love my coffee. Where is the IDS/IPS?

The Bookstore has alerted its online customers who had made a purchase

State Police Lieutenant Jeff Lanz says the security breach appears to have originated outside the university, but where is unknown.

The OSU Bookstore has hired an outside agency to help with its own investigation and to provide guidance on strengthened security safeguards for its computing network.
[Evan] Good call it just stinks that the bookstore was reactive and not proactive.

"We'll be using their recommendations not only to solve that particular problem that was exploited but to add additional layers of security on top of that so that information is not exposed or cannot be exposed in the way that it was,"
[Evan] Another good call.

Commentary:
Obviously the OSU Bookstore did not employ the proper security controls to #1 secure the site, #2 detect a breach, and #3 respond to a breach. Three strikes. Poor planning and poor implementation. I hope that OSU Bookstore, Inc. takes the proper steps to formalize their information security program and reduce risk. We'll see.

Past Breaches:
Unknown