http://securityratty.com/tag/gfi Mon, 30 Apr 2007 07:11:02 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/87c54c54327d8210db9b3ec6f7ab16b3 http://securityratty.com/article/87c54c54327d8210db9b3ec6f7ab16b3 Tue, 05 Aug 2008 13:32:22 +0000 e-mail spam quality assurance software development network administration product management david vella insight sof experience Q&A: E-mail spam and Software as a Service (SaaS) solutions http://securityratty.com/article/a5e63bcaba0c5cbc6bbb00dcc2552131 http://securityratty.com/article/a5e63bcaba0c5cbc6bbb00dcc2552131 Wed, 09 Jul 2008 20:00:00 +0000 ndr spam limit exposure technical explanation recommend solutions prevent gfi email provide paper How to Block NDR Spam http://securityratty.com/article/4867e518bf8629156350b8d04e8d6209 http://securityratty.com/article/4867e518bf8629156350b8d04e8d6209 Mon, 09 Jun 2008 14:09:36 +0000 e-mail security thr quality assurance software development network administration product management david vella insight experience gfi Q&A: E-mail Security Threats and Countermeasures http://securityratty.com/article/3eb649001a20e2d52da1da1e282ad875 http://securityratty.com/article/3eb649001a20e2d52da1da1e282ad875 Security Breach

Date Reported:
12/11/07

Organization:
State of Iowa

Contractor/Consultant/Branch:
Department of Natural Resources (DNR)
Salem Associates

Victims:
Waste water and drinking water worker permit applicants

Number Affected:
7,000

Types of Data:
Applicant data including names, addresses, phone numbers, and Social Security numbers.

Breach Description:
An employee of Salem Associates, a contractor working for the Iowa DNR lost a thumb (flash) drive containing sensitive personal information belonging to DNR waster water and drinking water permit and certification applicants.

Reference URL:
KCRG-TV News Story
Radio Iowa News Story
The Des Moines Register

Report Credit:
Mike Wagner, Managing Editor with KCRG-TV News

Response:
From the online sources cited above:

A contractor for the Iowa Department of Natural Resources lost a computer flash drive containing the names and Social Security numbers of more than 7,000 Iowans

The information on the flash drive was about people who operate water and sewage treatment plants, landfills and well-drilling operations.

the records, kept by Salem Associates of Des Moines on behalf of the DNR, were related to the certifications.
[Evan] Salem Associates is a an IT services contractor for the DNR.  You would think that a company that makes a living off of IT would know better than to copy un-encrypted confidential data to a thumb drive.

Salem told DNR managers on Dec. 5 that the flash drive…went missing on Nov. 21 and probably ended up in the trash at the department's office complex in Des Moines.

Liz Christiansen, deputy director of the DNR, sent a letter to the affected people on Friday.

The records included information about retirees in addition to active workers.

Rick Hindman, an information technology supervisor at the DNR, said that Iowa government policy bans the use of flash drives to back up sensitive information but that the DNR's policy is not as specific.
[Evan] A non-specific policy is doomed to fail as is the entire program built around it.

The department was already reviewing its security policies when the Salem incident happened and probably will ban the use of flash drives in similar situations, he said.
[Evan] Probably?  If the Iowa DNR decides not to ban them, I hope they at least decide to control them (encrypt).

State law and U.S. Environmental Protection Agency rules often require that Social Security numbers be listed on the databases, Hindman said.
[Evan] Is this true?  Ugh, outdated regulation and bureaucracy.

He said it is unlikely that people could access the records even if they had the flash drive. That's because the file was a backup copy that would have to be restored, meaning the user would need the same program used to create the file - a program that isn't on many home or office computers. "The information is not encrypted, but it isn't very accessible," Hindman said.
[Evan] Just because the data "isn't very accessible" does not mean it is secure and it does not excuse the Iowa DNR from treating confidential data in risky manner.  This is nothing more than an attempt to minimize the situation and draw attention away from the true problem(s).

He said the state has not received any reports of fraud or identity theft and doubts that it will.

The DNR is paying for a year's worth of credit-monitoring service for the workers. The workers have been told to contact the Iowa attorney general's office if they suspect fraud or identity theft.
[Evan] One year of credit monitoring may help all of those people who have expriring Social Security numbers.  Do you have an expiring Social Security number?  I don't.

"We sincerely apologize for the inconvenience this situation causes you and reiterate our commitment to achieving and maintaining information technology security systems," Christiansen said in her letter.

Victim Reaction:
"We were told the state system is secure and there is no way anyone could hack into it," - Scott Smith of the Boone County landfill and past president of the state landfill operators association.

"They don't have to hack to get the information - they are handing it out on flash drives." - Scott Smith

Commentary:
Breaches like this irk me.  An employee working for an IT contractor for some reason thought it would be OK to copy confidential data onto a thumb drive.  Thumb drives are inherently an information security nightmare if they are not properly controlled.  They are small, high-capacity and easily lost or stolen.  Some of the options we have explored in the past include disabling USB ports and employing technological controls (check out TrueCrypt, BeCrypt Connect Protect, GFI EndPointSecurity and Pointsec to name just a few).

According to a May, 2007 Information Week article, "Thumb Drives Replace Malware As Top Security Concern"

Why is the DNR policy "not as specific"?

Past Breaches:
Unknown



]]> Wed, 19 Dec 2007 11:22:00 +0000 iowa dnr iowa iowa dnr decides iowa dnr lost iowa department dnr computer flash drive drive information Iowa DNR loses personal information on 7,000 http://securityratty.com/article/92bcae0aa671ef34e1a21ae7993e850f http://securityratty.com/article/92bcae0aa671ef34e1a21ae7993e850f Mon, 30 Apr 2007 07:11:02 +0000 removable media tool storage devices fixed forms temporary gif control Quick Tool Update: GFI EndPointScan http://securityratty.com/article/c360113bd0fc4e775df3035f5355e520 http://securityratty.com/article/c360113bd0fc4e775df3035f5355e520 Mon, 30 Apr 2007 07:11:02 +0000 removable media tool storage devices fixed forms temporary gif control Quick Tool Update: GFI EndPointScan