[SecurityRatty] tag: jane

Fake Porn Sites Serving Malware - Part Two

Mon, 07 Jul 2008 23:24:00 +0000

What we've go here is the same malware gang using the very same malicious ISP among the ones you rarely see in any report, continuing to crunch out domain redirectors using the same templates for fake porn sites. And since some of the fake sites are actual redirectors, periodically revisting them leads to more fake codecs and even more actionable intelligence into the nature of their practices, and which are the ISPs proving them with hosting services for several consecutive years.

The main redirector in this campaign popular-adult.com is also responding to :

basic-adult .com
business-adult .com
center-adult .com
comp-adult .com
compadult .com
controladult .com
cruiseporn .com
drive-adult .com
ebony-adult-video .com

ebony-pornmovie .com

ebony-video-xxx .com
engine-adult .com
fat-adult-video .com
fat-pornmovie .com
fat-video-xxx .com
global-adult .com
inc-adult .com
name-adult .com
nameadult .com
other-adult .com
partadult .com
pleasureadult .com
porn-abc .com
porn-contact .com
porn-global .net
porn-go .net
porn-group .net
porn-party .net
porn-play .net
porn-plus .net
porn-power .net
porn-room .net
pornabout .com
porndrive .net
pornhelp .net
pornname .net
pornstar-adult-video .com
pornstar-pornmovie .com
pornstar-video-xxx .com
room-adult .com
scan-adult .com
seek-adult .com
u-adult .com

The secondary redirectors going out of popular-adult.com :

pornname .net/ted/382634557/1/
porn-abc .com/ike/1666520193/1/
pornhelp .net/dense/876421348/1/
porn-play .net/cristina/1970565499/1/
porn-global .net/percival/330780624/1/
porn-contact .com/cisse/854714304/1/
porn-play .net/honora/888715608/1/
pornname .net/deidre/1964468519/1/
pornhelp .net/pip/1977382266/1/
porndrive .net/shelton/767217618/1/
pornhelp .net/mat/354381578/1/
pornabout .com/tobe/1436617289/1/
porn-go .net/samson/7633197/1/
porn-contact .com/teresa/409084583/1/
porn-party .net/basil/1305549820/1/
porn-contact .com/ed/1067772053/1/
porn-contact .com/frish/1287341391/1/
pornname .net/mariah/53967973/1/
pornname .net/jacobus/291129748/1/
porn-plus .net/beverly/2122167311/1/
porn-party .net/lulu/917088357/1/
pornabout .com/boetius/1991451664/1/
cruiseporn .com/padde/1296397392/1/
porn-power .net/arch/334137732/1/
cruiseporn .com/meta/377489795/1/
porn-room .net/lynette/1518855371/1/
porn-play .net/link/1975737157/1/
hporn-global .net/vin/1241430020/1/
porndrive .net/dunk/1245242641/1/
porn-go .net/louisa/1685718172/1/
pornhelp .net/dunk/1859215260/1/
porn-contact .com/celia/1805798677/1/
porn-play .net/anabelle/987641695/1/
porn-room .net/rille/815076192/1/
pornabout.com/hodge/1040019816/1/
porn-abc .com/claes/1130748100/1/
pornabout .com/frederick/1987458246/1/
porn-go .net/fredde/1153431432/1/
porn-party .net/felicity/705720374/1/
porndrive .net/ginne/1183690031/1/
porn-group .net/kimberle/706468800/1/
porn-room .net/helen/565953612/1/
porn-party .net/arche/1387111363/1/
porn-contact .com/kingston/232354071/1/
pornhelp .net/mima/1024064014/1/
porn-power .net/gretchen/152347961/1/
porn-contact .com/ophelia/840853119/1/
porn-play .net/eleanor/88926029/1/
porn-power .net/bella/1712681771/1/
porn-global .net/melchizedek/1823498218/1/
pornabout .com/gabbe/1478560492/1/
porn-party .net/obedience/1540587230/1/
porndrive .net/rod/1177331120/1/
porn-play .net/gee/1314369182/1/
pornname .net/phineas/975226015/1/
porn-global .net/reynold/131075998/1/
porndrive .net/bat/1542809624/1/
porn-global .net/hans/400396810/1/
porn-contact .com/mock/1738069316/1/
porn-plus .net/tryphosia/354085313/1/
porn-room .net/bazaleel/1417267786/1/
porn-contact .com/joyce/353938308/1/
porn-power .net/laine/780004499/1/
pornhelp .net/mille/988856007/1/
cruiseporn .com/dare/258399427/1/
porn-global .net/nat/2039108680/1/
pornname .net/eudora/2132399934/1/
porn-go .net/ana/277211595/1/
pornhelp .net/auge/1990287956/1/
porn-contact .com/danial/1195423348/1/
porn-abc .com/teresa/1787982397/1/
porn-go .net/lawrence/1575543567/1/
porn-go .net/sherre/1066718744/1/
porn-contact .com/jack/657185819/1/
porn-abc .com/manda/216390544/1/
porn-party .net/chuck/1533427157/1/
porndrive .net/lucille/215841052/1/
cruiseporn .com/rodney/1024994863/1/
pornname .net/sheldon/669324635/1/
porn-global .net/janet/1677642355/1/
porn-global .net/basil/635902337/1/
porn-party .net/adela/980553444/1/
cruiseporn .com/charles/2038221862/1/
pornabout .com/sid/644600064/1/
porn-abc .com/eloise/1882289515/1/
porndrive .net/bryant/724023427/1/
porn-party .net/bonne/305120344/1/
porn-play .net/susan/826151266/1/
porn-room .net/sheila/439221958/1/
porn-go .net/valere/1498454342/1/
porn-contact .com/asenath/1036530205/1/
porn-plus .net/marcus/51947065/1/
porn-party .net/bridgit/518065759/1/
porn-plus.net/shawn/1427002427/1/
cruiseporn.com/alicia/1252994155/1/
porn-abc.com/arminda/975985679/1/
porn-party.net/lionel/929052416/1/
porn-contact .com/ande/1755833202/1/
porn-power .net/cyrus/732691977/1/
aboutadultsex .com/heloise/1008109638/1/
adultzoneworld .com/barne/506956701/1/
superporncity .com/roberta/1239682918/1/
pornhelp .net/eurydice/1944564451/1/
theadultpost .com/volodia/543769984/1/
porn-play .net/bird/760635633/1/
coolbestporn .com/bradford/578099145/1/
porn-plus .net/delilah/465854735/1/
porn-power .net/pheney/698426424/1/
porn-party .net/cristina/940229631/1/
porn-party .net/justin/1913395886/1/
porn-contact .com/lotte/1794233444/1/
porn-party .net/nowell/850070721/1/
worldbestadult .com/parthenia/1858633626/1/
funpornsite .com/patience/188018581/1/
adultsexpro .com/isse/1981168802/1/
adultsexpro .com/isabelle/683364151/1/
porndrive .net/erne/906935790/1/
porn-power .net/delpha/178727494/1/
porn-plus .net/chesley/1261676752/1/
porn-plus .net/selina/11889629/1/
porntimeguide .com/arnold/1555784224/1/
aboutadultsex .com/doug/1975246767/1/
porn-global .net/clum/1615653087/1/
funxxxporn .com/kym/739810260/1/
porn-plus .net/roxane/2022633909/1/
worldbestadult .com/vicke/955775101/1/
porn-play .net/jane/1396714471/1/
pornname .net/nicole/1695768032/1/
adultvideodot .com/bela/96070992/1/
porn-room .net/carre/1310194786/1/
adultsexpro .com/azubah/141802741/1/
theadulteye .com/pheney/1077328499/1/
porn-party .net/chick/1522449297/1/
aboutadultsex .com/elbert/1300176621/1/
findadultsex .com/lorre/2057361400/1/
teenporntop .com/aristotle/901956477/1/
coolbestporn .com/bartel/94175118/1/
porn-plus .net/deanne/70540201/1/
coolbestporn .com/appe/1679745028/1/
findadultsex .com/asaph/1439353641/1/
pornxxxfilm .com/tone/904077420/1/
funxxxporn .com/india/476477713/1/
adultvideodot .com/ed/879863981/1/
bestpriceporn .com/babbe/1457040435/1/
superliveporn .com/russell/56570486/1/

More fake porn video sites using similar site templates, and using the same redirection infrastructure :

porntubev20 .com
clearpornurlssite .com
mypornmovies .net
getyourfreemovie .com
tubescollection .com
free-best-porn .com/videos/
pornmovieshare .com
clipslab .com
mybestvideosite .com
avwav .com

The fake codecs download locations in this campaign :

aviutility .com
18x-adult2008 .com
2008x-adult-2008 .com
best-codec .com
hq-codec .net
mpegsystem .com
bestsoft-ware08 .com

The registrant and hosting provider :

Cernel Inc, Legal Department (support@cernel.net)
23404 W. Lyons Ave #223, Santa Clarita, Ca,91321
US, Tel. +1.6613470577

Historically, the same gang has been using the same hosting provider for many other fake codecs, which remain parked on the same netblock in a standby mode :

Fire-ticket .com - 64.28.184.162
Fire-codec .com - 64.28.184.163
Light-ticket .com - 64.28.184.163
Braketicket .com - 64.28.184.164
Mooncodec .net - 64.28.184.164
Light-codec .com - 64.28.184.165
Turbo-ticket .com - 64.28.184.165
Space-codec .com - 64.28.184.166
Ultra-ticket .com - 64.28.184.166
Brakecodec .com - 64.28.184.167
Demo-ticket .com - 64.28.184.167
Demoticket .net - 64.28.184.168
Hq-ticket .com - 64.28.184.168
Turbo-codec .com - 64.28.184.168
Hqticket .com - 64.28.184.169
End-ticket .com - 64.28.184.169
Nitro-codec .com - 64.28.184.169
Hqticket .net - 64.28.184.170
Clean-ticket .com - 64.28.184.170
Red-codec .com - 64.28.184.170
Black-codec .com - 64.28.184.171
Viva-ticket .com - 64.28.184.171
Niceticket .net - 64.28.184.171
Endticket .com - 64.28.184.172
Ultra-codec .com - 64.28.184.172
Wot-ticket .com - 64.28.184.172
Mega-codec .net - 64.28.184.173
Storm-ticket .com - 64.28.184.173
Megaz-ticket .com - 64.28.184.174
Vipcodec .net - 64.28.184.174
Democodec .net - 64.28.184.175
Giga-ticket .com - 64.28.184.175
Demo-codec .net - 64.28.184.176
Uin-ticket .com - 64.28.184.176
Hopeticket .com - 64.28.184.177
Hq-codec .net - 64.28.184.177
Best-codec .com - 64.28.184.178
Hope-ticket .com - 64.28.184.178
Endcodec .net - 64.28.184.179
Zero-ticket .com - 64.28.184.179
End-codec .net - 64.28.184.180
Pop-ticket .com - 64.28.184.180
Cleancodec .net - 64.28.184.181
Yupticket .com - 64.28.184.181

The deeper you go the more interesting it gets, malware command and controls located on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and spam hosting - they or their customers if they are to forward the responsibility are definitely multitasking.

Related posts:
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

Long Tail Supplier Collaboration - What's In It For You?

Fri, 09 May 2008 09:00:00 +0000

(Source: Sterling Commerce) A recent AMR Research study revealed that approximately 70% of companies feel collaboration with long tail suppliers is as important to their business success as collaboration with their core suppliers. If you're not one of them, what are you missing? Join Jane Barrett, Research Director for AMR Research specializing in supply chain execution trends to discuss the complete results of her latest study.

Super 8 credit card receipts found in landfill

Wed, 26 Mar 2008 07:47:46 +0000

Technorati Tag: Security Breach

Date Reported:
3/24/08

Organization:
Wyndham Hotel Group

Contractor/Consultant/Branch:
Super 8 Worldwide, Inc.
The Super 8 Motel of Lamar

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, credit card account numbers, expiration dates, addresses, and signatures

Breach Description:
"Bundles of credit card receipts from a Super 8 Motel in Lamar were discovered in Lamar's landfill, complete with account numbers, names, addresses and signatures."

Reference URL:
KKTV Channel 11 News

Report Credit:
Rosie Barresi, KKTV Channel 11 News

Response:
From the online source cited above:

Bundles of credit card receipts from a Super 8 Motel in Lamar were discovered in Lamar's landfill, complete with account numbers, names, addresses and signatures.

The receipts have everything a crook needs to charge thousands of dollars onto someone's credit card.
[Evan] I don't think that these are the same receipts that get handed back to a customer, these are back office receipts. I remember when all customer credit card receipts had account numbers printed on them. Some time ago this practice was largely stopped and now we only see a masked, partial account numbers. I am still in the habit of checking my receipt every time I purchase something though.

Nina Kinney lives in Pueblo. She and her husband stayed at the Super 8 Motel in Pueblo a couple of years ago. Their names and address was among the pile, but not their credit card information because they paid cash.
[Evan] A lot of times a credit card is required for reservations even if you wanted to pay cash.

Jane Lupp, Super 8 Motel Clerk said, "All of our receipts are sent to the owner in Canon City," Lupp also told 11 News.
[Evan] I think Super 8 headquarters is in Parsippany, N.J., so this Lamar hotel is probably a franchise.

Lupp says those receipts come back to Lamar and go straight into storage.

"They were cleaning out that storage the other day and those are not the boxes that should have gone into the trash. Evidently one got in there," said Lupp.

But it wasn't just one box, there were at least three of them.

"I'm sure it was accidental," said Lupp.

Lupp says, normally they shred all old receipts. "I don't know how it happened. We will certainly make sure it doesn't happen again," said Lupp.

The receipts were discovered by a Lamar man who turned them over to 11 News.

If you've stayed at Lamar's Super 8 Motel in the last few years, you may want to change your credit card number.

Customer Reaction:
"We expect them to handle that safely and with proper manor. It's upsetting and disappointing,"

"It's kind of hard to believe that it was just an accident,"

Commentary:
I'm sure that this type of breach happens more often than we would like to admit. Not just at Super 8, but retail in general.

Past Breaches:
Unknown

Stolen Bolton Hospitals Laptop affects cancer patients

Mon, 04 Feb 2008 07:47:22 +0000

Technorati Tag: Security Breach

Date Reported:
1/30/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Royal Bolton Hospitals

Victims:
"gynaecology cancer patients from Bolton, Wigan and Salford"

Number Affected:
200

Types of Data:
"names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff"

Breach Description:
A laptop computer containing sensitive personal information belonging to gynaecology cancer patients from Bolton, Wigan and Salford (UK) was stolen from the office of a radiology consultant in October 2007, but only recently came to light.

Reference URL:
The Bolton News online story

Report Credit:
Jane Lavender, The Bolton News with a special thanks to an informed UK Breach Blog reader

Response:
From the online source cited above:

A COMPUTER containing the personal details of cancer patients has been stolen from the Royal Bolton Hospital.

Thieves struck in October - but hospital bosses only made details of the incident public yesterday.
[Evan] I hope that the "hospital bosses" notified the victims much sooner!

"There is no evidence at all that whoever took the computers took them for the data. These machines were valuable, portable objects. The theft of computer equipment plagues this organisation and many others." - Ann Schenk, director of service development at the hospital
[Evan] These statements are meant to minimize the situation. I understand what Ann is saying, but I don't agree with its purpose.

The computer containing the cancer patients' details was stolen when thieves broke into the office of a consultant radiologist during the night.

The computer contained the details of 200 gynaecology cancer patients from Bolton, Wigan and Salford.

Information included patients' names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff.

Hospital bosses contacted all patients to inform them of the theft, but insist all information is data- protected and cannot be accessed by anyone other than the relevant hospital staff.
[Evan] Baloney! If the information was not encrypted (with good key management), then the data can absolutely be accessed by anyone.

From next month, all information will be stored on a central server - a secure storage network - rather than on individual hard drives. All new laptops will also have controlled encryption software to make sure no-one but hospital staff can access them.
[Evan] Nice. It only took a few lost/stolen laptops/computers before Bolton Hospitals got it. Some organizations never get it. Better late than never.

More than 300 laptops which have been already issued to staff are being recalled over the next three months so the encryption software can be installed.

Encryption software for memory sticks and pen drives will be installed on all equipment by the end of February and managers have been asked to carry out risk assessments on all computers and laptops.

Staff have also been told not to transfer any data until the encryption software has been installed.
[Evan] All good. Bolton Hospitals is taking the protection of confidential information very seriously. Kudos to Bolton Hospitals.

Heather Edwards, head of communication at the Royal Bolton Hospital, said: "While we believe the risk of anyone using any of the information is extremely small, we felt patients had the right to know what had happened.

"I'd like to repeat our apologies that such an event happened and reassure people that the hospital is taking this very seriously.

"We fully understand the anxiety the theft of data can cause and we have stepped up security of premises, as well as investing around £200,000 in additional IT security."
[Evan] The amount of money could equate to how serious Bolton Hospitals is about information security. Let's hope that the money is well spent in the right places. So far, things sound promising.

Commentary:
Bolton Hospitals and NHS Trust in general have been fodder for much information security discussion over the past few months. Although it took more potential victims before Bolton Hospital got the hint, at least they got the hint. I am impressed with Bolton Hospitals' response to THIS breach. I am hopeful that more organizations will take heed (at least more NHS Trust organizations).

Past Breaches:
NHS:
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay

Justice, in one case at least

Thu, 31 Jan 2008 13:48:08 +0000

This morning Jane Badger was acquitted of fraud at Birmingham Crown Court. The judge found there was no case to answer.

Her case was remarkably similar to that of John Munden, about whom I wrote here (and in my book here). Like John, she worked for the police; like John, she complained to a bank about some ATM debits on her bank statement that she did not recognise; like John, she was arrested and suspended from work; like John, she faced a bank (in her case, Egg) claiming that as its systems were secure, she must be trying to defraud them; and like John, she faced police expert evidence that was technically illiterate and just took the bank’s claims as gospel.

In her case, Egg said that the transactions must have been done with the card issued to her rather than using a card clone, and to back this up they produced a printout allocating a transaction code of 05 to each withdrawal, and a rubric stating that 05 meant “Integrated Circuit Card read - CVV data reliable” with in brackets the explanatory phrase “(chip read)”. This seemed strange. If the chip of an EMV card is read, the reader will verify the signature on the certificate; if its magnetic strip is read (perhaps because the chip is unserviceable) then the bank will check the CVV, which is there to prevent magnetic strip forgery. The question therefore was whether the dash in the above rubric meant “OR”, as the technology would suggest, or “AND” as the bank and the CPS hoped. The technology is explained in more detail in our recent submission to the Hunt Review of the Financial Services Ombudsman (see below). I therefore advised the defence to apply for the court to order Egg to produce the actual transaction logs and supporting material so that we could verify the transaction certificates, if any.

The prosecution folded and today Jane walked free. I hope she wins an absolute shipload of compensation from Egg!

OT: Expiring Password & News

Fri, 25 Jan 2008 07:36:53 +0000

Technorati Tag: Breach Blog

I had to share
I'm not reporting a breach in this post. I have a couple of things that I would like to share with readers.

The following is the text of a real email received by our service desk this morning (names & numbers changed). I think I may have missed this person when I conducted information security training!

From: Doe, Jane

Sent: Friday, January 25, 2008 8:34 AM
To: IT-SERVICE DESK
Subject: Expiring password

I believe my computer password will expire on 2/5/08. How do I get a new one/ Do I just call-in?

Thx for your help

Jane B. Doe

xxx-xxx-xxxx

xxx-xxx-xxxx (Fax)

The service desk thought I might find some humor in this, maybe you do too. If you don't see a problem with this email then you need some training, eh?

The Breach Blog
I started writing The Breach Blog as a hobby with the intent of sharing insight about recent information security breaches. Information security is a passion of mine, and I hope some of you find the information here to be helpful. In the 5+ months since I started writing, the blog has begun to take on a life of its own. I've noticed that its time for a change.

Over the course of the next month or so I will be moving the blog to a new, and more robust platform. For those of you that don't know, The Breach Blog is currently hosted through GoDaddy's Quick Blogcast. In my opinion Quick Blogcast is an excellent platform for a hobbyist, but there are just too many limitations to what I can do with it. The new platform will offer better browser support, present a cleaner and more intuitive GUI, and allow me to add features.

In the meantime I will continue to write right here. Actually, I have a couple of breaches coming very soon.

Thank you for reading. I hope you enjoy!

University of Iowa inadvertently posts personal data to the Internet

Tue, 15 Jan 2008 08:25:40 +0000

Technorati Tag: Security Breach

Date Reported:
1/11/08

Organization:
University of Iowa

Contractor/Consultant/Branch:
None

Victims:
May 2006 College of Engineering graduates

Number Affected:
216

Types of Data:
Names, Social Security numbers and grade point averages (GPAs)

Breach Description:
A list containing sensitive personal information belonging to University of Iowa, May 2006 College of Engineering graduates was inadvertently saved to a server accessible via the Internet. The file was exposed for several months before an external party alerted the university of the breach.

Reference URL:
The Des Moines Register Story
KCRG - TV News Story

Report Credit:
Erin Jordan, Register Iowa City Bureau

Response:
From the online sources cited above:

The University of Iowa is alerting 216 former students that their names, Social Security numbers and grade point averages were inadvertently posted on the Internet for several months.

The list of May 2006 College of Engineering graduates was put in the wrong place on a file server and ended up on the Internet, said U of I Information Technology Security Officer Jane Drews.
[Evan] Can anyone just publish files and other information to the Internet at the University of Iowa? Typically, web servers should be segregated from the internal network and access restricted to those people that are authorized to publish content. Content is published after testing and change control. Does any of this exist here?

Someone outside the university spotted the list earlier this month and alerted the U of I, Drews said. The list was then removed, she said.
[Evan] This would be embarrassing to me.

U of I technology staff believe there is little risk that the information was or will be misused.
[Evan] Should victims trust the university's risk assessment?

they are advising the students to take precautions to protect their financial information by placing "fraud alerts" on their files with the three major credit bureaus.

The college apologized for the recent incident, has corrected the problem, and said it would answer students' questions and provide assistance, if needed. To contact Drews, e-mail her at jane-drews@uiowa.edu.

Commentary:
On one hand this breach can be justified as a simple human error, on the other hand I wonder if this breach is the result of something more. People need to be trained properly and be reminded constantly about information security risk and best practices, especially if they are authorized to work with confidential information.

I also question why Social Security numbers were necessary in the file in the first place. I hope the University of Iowa does not still use Social Security numbers as student identifiers. It would have been nice if the university gave a little more information about how the plan on preventing similar occurrences in the future.

Past Breaches:
October, 2007 - Stolen University of Iowa laptop exposes philosophy students

Wisconsin Dept. of Health and Family Services mails Social Security numbers

Tue, 08 Jan 2008 13:08:37 +0000

Technorati Tag: Security Breach

Date Reported:
1/8/08

Organization:
State of Wisconsin

Contractor/Consultant/Branch:
Department of Health

Victims:
SeniorCare and other state program recipients

Number Affected:
Unknown

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Informational brochures sent by the Wisconsin Department of Health & Family Services to recipients of SeniorCare and other state programs were inadvertently printed with Social Security numbers on them. It is unknown how many recipients are affected.

Reference URL:
620 WTMJ News Story

Report Credit:
WKOW-TV

Response:
From the online source cited above:

Social Security numbers were printed on informational brochures sent by the state to recipients of SeniorCare and other state programs

In December 2006, the state Department of Revenue mailed 171,000 tax booklets with the number printed on the label.

It is not known how many brochures were sent by the state Department of Health and Family Services in the latest case.

Department spokeswoman Stephanie Marquis told WKOW that the department was still investigating.
[Evan] WKOW broke the story initially.

Jane Marvin received the 11-page mailing, titled "Wisconsin Medicaid and BadgerCare recipient update" and dated January 2008.

Marvin told WKOW that she also had received the tax mailing last year with her Social Security number on it.
[Evan] Ugh. The same person is victimized twice by the State of Wisconsin in a little more than a year.

The Department of Revenue paid more than $500,000 to provide credit monitoring for those affected by its 2006 mailing. No cases of identity theft have been reported to the state as a result of that incident.
[Evan] If the State of Wisconsin is interested, I will proofread their mailings before they go out for $350,000/year and we can save the taxpayers some money!

Victim Reaction:
"It's unbelievable," Marvin said. "You would think they (state officials) would have learned from the Revenue Department situation. I am concerned."

Commentary:
At the time of this writing, this is a breaking story, for which I could only find one source. I am sure that more details will become apparent as the word gets out.

How does this happen? I can understand the initial mistake, but it is hard to believe that nobody at the Department of Health & Family Services noticed the problem before the mailings went out.

Past Breaches:
December 2006 - Wisconsin mails tax forms with Social Security numbers printed on them

The C-I-A Triad weighed and found wanting

Thu, 12 Apr 2007 00:54:18 +0000

Believe it or not, the field of Information Security has changed! Foundational concepts, such as the traditional C-I-A triad (Confidentiality, Integrity, and Availability) are being challenged and supplanted by a more inclusive model known as the Parkerian Hexad [1]. The Parkerian Hexad augments the traditional C-I-A triad by adding three elements. The result is a set of security principles comprised of six elements.

The six principles of the Parkerian Hexad are:

Confidentiality
Integrity
Availability
Possession
Authenticity
Utility

The principles composing the Parkerian Hexad are non-overlapping; meaning that each principle is absolutely necessary to ensure that security is maintained. In addition, each principle may be violated independently of each other principle. However, the principles can be relationally linked to each of the three components of the traditional C-I-A model (see Figure 2) [2].

Below are definitions [3] for each principle along with a brief scenario of how that element may be breached independently of the other elements.

Confidentiality: Limited observation and disclosure of knowledge.An example of an incident where confidentiality is compromised would be the early unauthorized release (leak) of information related to our latest marketing strategies – thereby allowing our competitors to prepare counter strategies.

Integrity: Completeness, wholeness, and readability of information and quality of being unchanged from a previous state.A simple example of a loss of integrity would be an employee modifying the body text of an email so as to create a false record of events (i.e. to show that Jane Doe said something that she did not really say).

Availability: Usability of information for a purpose.The explicit aim of a Denial-of-Service (DOS) attack is to compromise the availability of systems/data.

Possession: Holding, controlling, and having the ability to use information. Possession is the ability to truly own and control information and how it is used. We normally think of this as unauthorized or unintentional copying of information.If, for example, an employee emails company information to a non-corporate email account, we no longer have sole possession. In extreme cases, a loss of possession could result in total loss of the information (e.g. loss/theft of backup tapes for which there is no other copy of the data).Notable examples of a loss of possession usually include the loss of laptop computers or PDA’s containing customer or employee data (e.g. SSNs, credit card numbers, personal health information, etc.).

Authenticity: Validity, conformance, and genuineness of information.The quality of authenticity is readily understood. As the above definition suggests, it is the quality of being “the real deal.” When something does not possess authenticity, it is said to be fraudulent.Examples of a lack of authenticity include the reproduction of employee ID badges, calling into a help-desk and posing as another individual, and modifying records.

Utility: Usefulness of information for a purpose.Utility simply means that we can use the data, system, or device in the manner for which it exists. For example if a database, table, or other information is somehow altered in such a way as to remain accurate but unusable for its intended purpose, it has lost utility.Examples involve the use of encryption to “kidnap” data for ransom. This is accomplished via encrypting the data without the owner’s consent. In this, and similar cases, the victim maintains ownership of the data; and the data, technically, has integrity.

There is one exception to the general statement that these principles do not overlap; a breach of confidentiality will always result in a loss of sole possession. Once confidentiality is compromised, the organization is no longer fully in possession of the data because it is known by another party.

Understanding and communicating this new model for Information Security will likely result in greater depth and clarity within security related conversations.

______________________________

1. The “Parkerian Hexad” model was introduced by Donn B. Parker in his book Fighting Computer Crime (http://www.amazon.com/gp/product/0471163783/104-3218063-3795135).

2. Donn B. Parker suggests this mapping in his chapter, “Toward a New Framework for Information Security,” from The Computer Security Handbook 4th Edition., John Wiley & Sons, 2002 (p. 5.8).

3. The definition statements for each element in the “Parkerian Hexad” are taken from The Computer Security Handbook 4th Edition., John Wiley & Sons, 2002 (pp. 5.9 – 5.10).

note: this post is an excerpt from one of the author’s essays for Norwich University’s MSIA program.