<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: jobs]]></title>
    <link>http://securityratty.com/tag/jobs</link>
    <description></description>
    <pubDate>Wed, 18 Jun 2008 03:01:44 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Laptop containing personal information is stolen from U.S. Foodservice]]></title>
      <link>http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c</link>
      <guid>http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/13/08

Organization
U.S. Foodservice, Inc

Contractor/Consultant/Branch
None

Victims
Present and former employees, &quot;and in a few instances, their...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usfoodservice.jpg" width="146" align="right" height="71"><font size="2"><b>Date Reported: </b><br>6/13/08<br><br><b>Organization: </b><br><a href="http://www.usfoodservice.com/usf/html/index1.html">U.S. Foodservice, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Present and former employees, "and in a few instances, their dependents and applicants for jobs at USF"<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, social security numbers, home addresses, and/or dates of birth"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/us_foodservice.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information.<br><span style="font-style: italic;">[Evan] We now add U.S. 
Foodservice to the ever-growing list of organizations that refuse to encrypt laptops, yet allow confidential information to be stored on them.</span><br><br>Local authorities were immediately notified and we conducted an internal investigation.<br><br>the laptop contained certain old data files<br><span style="font-style: italic;">[Evan] I wonder how old these data files were.&nbsp; I also wonder if these files were supposed to have been removed and/or destroyed, but were missed.</span><br><br>In the course of our investigation, we determined that the laptop computer contained the names, social security numbers, home addresses, and/or dates of birth of some present and former USF employees, and in a few instances, their dependents and applicants for jobs at USF.<br><br>We are sending a notification letter to individuals impacted by this incident.<br><br>We expect to begin mailing the notification letters on June 13, 2008.<br><br>we have no indication that any of the information is being misused<br><span style="font-style: italic;">[Evan] A breach notification is almost not a real breach notification without this mention.</span><br><br>Please note that several years ago, the Company stopped using social security numbers to identify employees for internal reporting or other purposes.<br><span style="font-style: italic;">[Evan] A good move by the Company.&nbsp; USF is still required to collect Social Security numbers however.</span><br><br>Pursuant to USF policies, the laptop was protected by a unique user ID and password, but the individual files containing personal information were not encrypted or password protected.<br><span style="font-style: italic;">[Evan] I am interested in reading the USF policies.&nbsp; Do the policies only require a user ID and password to protect (or access) confidential information?&nbsp; Probably not sufficient.</span><br><br>U.S. 
Foodservice takes the security of your personal information seriously and apologizes for any inconvenience or worry this incident may cause you.<br><br>As a precautionary measure, we are making several services available at the Company's expense, free of charge to you, to assist you in protecting your identity.<br><span style="font-style: italic;">[Evan] A true "precautionary measure" might have been restricting confidential information storage on laptops (and other mobile media) or encryption.</span><br><br>Although at this point we have no indication that your information has been compromised<br><span style="font-style: italic;">[Evan] My definition of "compromised" obviously differs.&nbsp; In my opinion, if the confidentiality, integrity or availability of information cannot be reasonably assured, then the information IS compromised.&nbsp; If you believe that password-protection provides reasonable assurance, then you and I disagree.</span><br><br>Call the Toll Free Help Line at 1-866-584-9681 to get answer [sic] to your questions.<br></font><ul><li><font size="2">Staffed by a team of professionals</font></li><li>Monday through Friday from 6:00 a.m. to 6:00 p.m. (Pacific Daylight Time)</li><li>Saturday and Sunday from 8:00 a.m. to 5:00 p.m. (Pacific Daylight Time)<br></li></ul><font size="2"><br>Please know that while we have information security policies in place, we are reviewing those practices and procedures to see what changes need to be made.<br><span style="font-style: italic;">[Evan] It's good that USF has information security policies in place, but it doesn't mean that they are effective or that they are well enforced.&nbsp; A poorly enforced policy isn't worth the paper it's written on.</span><br style="font-style: italic;"><br><span style="font-weight: bold;">Commentary:</span><br>U.S. 
Foodservice is also offering one year of free credit monitoring and identity theft insurance.&nbsp; This would be fine minus the fact that a Social Security number has an effective lifespan that far exceeds one year.<br><br>If only there were other controls available to protect information stored on a laptop.&nbsp; Wait, we do!<br>&nbsp;<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font><br>
]]></content:encoded>
      <pubDate>Mon, 07 Jul 2008 19:35:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/protect information">protect information</category>
      <category domain="http://securityratty.com/tag/information security policies">information security policies</category>
      <category domain="http://securityratty.com/tag/usf">usf</category>
      <category domain="http://securityratty.com/tag/usf policies">usf policies</category>
      <category domain="http://securityratty.com/tag/policies">policies</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://breachblog.com/2008/07/07/usfoodservice.aspx">Laptop containing personal information is stolen from U.S. Foodservice</source>
    </item>
    <item>
      <title><![CDATA[Cyber Criminals Extract Personal Details From CVs Posted Onto Job Sites]]></title>
      <link>http://securityratty.com/article/164ab2bcc5ea67793a07155ed70b759a</link>
      <guid>http://securityratty.com/article/164ab2bcc5ea67793a07155ed70b759a</guid>
      <description><![CDATA[Hackers have turned the harvesting of personal information from Monster.com and other large US jobsites into a profitable black market business. A Russian gang called Phreak has created an online tool...]]></description>
      <content:encoded><![CDATA[Hackers have turned the harvesting of personal information from Monster.com and other large US jobsites into a profitable black market business. A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a [...]]]></content:encoded>
      <pubDate>Mon, 07 Jul 2008 17:15:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/extracts personal details">extracts personal details</category>
      <category domain="http://securityratty.com/tag/russian gang">russian gang</category>
      <category domain="http://securityratty.com/tag/aol jobs">aol jobs</category>
      <category domain="http://securityratty.com/tag/cvs">cvs</category>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/online tool">online tool</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/monster">monster</category>
      <category domain="http://securityratty.com/tag/militaryhire">militaryhire</category>
      <source url="http://cyberinsecure.com/cyber-criminals-extract-personal-details-from-cvs-posted-onto-job-sites/">Cyber Criminals Extract Personal Details From CVs Posted Onto Job Sites</source>
    </item>
    <item>
      <title><![CDATA[The Risks of Outdated Situational Awareness]]></title>
      <link>http://securityratty.com/article/688e5a6ce78f874f822adbce407b43c9</link>
      <guid>http://securityratty.com/article/688e5a6ce78f874f822adbce407b43c9</guid>
      <description><![CDATA[It's been two months since I analyzed the proprietary email and personal information harvesting tool targeting major career web sites - &quot; Major career web sites hit by spammers attack &quot;, received...]]></description>
      <content:encoded><![CDATA[
<a href="http://bp2.blogger.com/_wICHhTiQmrA/SHH4Ra7GKTI/AAAAAAAAB4M/5YZs0-V_YYw/s1600-h/job_sites_under_attack_1.JPG" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SHH4Ra7GKTI/AAAAAAAAB4M/IE9cJCmdEMU/s200-R/job_sites_under_attack_1.JPG" style="border: 0pt none ;" /></a>It's been two months since I <a href="http://ddanchev.blogspot.com/2008/05/major-career-web-sites-hit-by-spammers.html">analyzed the proprietary email and personal information harvesting tool</a> targeting major career web sites - "<a href="http://blogs.zdnet.com/security/?p=1085">Major career web sites hit by spammers attack</a>", received <a href="http://www.builderau.com.au/news/soa/Seek-com-au-targeted-by-e-mail-harvesting-tool-/0,339028227,339288957,00.htm">comments from Seek.com.au</a> and Careerbuilder.com, communicated all the actionable intelligence in terms of the bogus accounts used and the related IPs to the career web sites that bothered to show interest in the attack, to come across a ghost story today - <a href="http://www.theregister.co.uk/2008/07/07/jobsite_data_hackharvesting_hack/">Jobsite hack used to market identity harvesting services</a> :<br />
<br />
"<i>A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseekers has been placed at risk, according to net security firm PrevX.</i>"<br />
<br />
All your CV are <b>NOT</b> belong to us, All your CV are <b>ALREADY</b> belong to us.]]></content:encoded>
      <pubDate>Mon, 07 Jul 2008 04:46:27 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/career web sites">career web sites</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/tool">tool</category>
      <category domain="http://securityratty.com/tag/extracts personal details">extracts personal details</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/online tool">online tool</category>
      <category domain="http://securityratty.com/tag/spammers attack">spammers attack</category>
      <category domain="http://securityratty.com/tag/current employers">current employers</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/328887150/risks-of-outdated-situational-awareness.html">The Risks of Outdated Situational Awareness</source>
    </item>
    <item>
      <title><![CDATA[Virtualisation - Welcome Back to the 90s.]]></title>
      <link>http://securityratty.com/article/91a97db541c7009ccb12c514e3cee018</link>
      <guid>http://securityratty.com/article/91a97db541c7009ccb12c514e3cee018</guid>
      <description><![CDATA[I've been thinking about this for a while but this blog post by Pascal Meunier pretty much sums up my feelings about Virtualisation

Back in the 90s when the Internet was new-ish and just becoming...]]></description>
      <content:encoded><![CDATA[I've been thinking about this for a while but <a href="http://www.cerias.purdue.edu/site/blog/post/virtualization-is-successful-because-operating-systems-are-weak/">this blog post by Pascal Meunier</a> pretty much sums up my feelings about Virtualisation.<br /><br />Back in the 90s when the Internet was new-ish and just becoming important all the machines running it were Unix boxes. (Maybe not all, but most). And a 386 would typically run DNS, sendmail, telnet (shell accounts), ftp and apache. All on the same box.<br /><br />Security wasn't so tight in those days but it was usually good enough and the box could happily do what it needed to do.<br /><br />Along came Microsoft and produced the idea of "one box - one service". You can't seriously consider running your domain controller as a file server. What are you thinking? And to put mail on the same box? No way. In fact, your SQL server is running under significant load, chain a few together.<br /><br />And companies would buy into this concept. Microsoft were happy - more licenses. All the PC guys were happy too - more money. More complexity - more jobs.<br /><br />Essentially what has happened now is that Moore's Law has kicked in and has caught up with the complexity of Microsoft's software to the point where one server box can run multiple applications on it. Imagine that. But Microsoft has planted the one-service-one-box concept so well that it is now part of IT law. File server and mail server on one box? But wait...what's this button over here....? 
Vir-vir-virtualisation.<br /><br />And now we have the tools to allow us to once again run multiple applications on one server without having to admit that one-application-one-server never made sense.<br /><br />To be fair - Virtualisation does have other advantages - running multiple Operating Systems for example, being able to easily move a virtual machine from one box to another (without configuration issues), being able to make a snapshot backup of a system.<br /><br />But running multiple applications on one box is not a huge win.]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 02:37:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/file server">file server</category>
      <category domain="http://securityratty.com/tag/server box">server box</category>
      <category domain="http://securityratty.com/tag/box">box</category>
      <category domain="http://securityratty.com/tag/mail server">mail server</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/multiple applications">multiple applications</category>
      <category domain="http://securityratty.com/tag/multiple">multiple</category>
      <category domain="http://securityratty.com/tag/sql server">sql server</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/325572539/virtualisation-welcome-back-to-90s.html">Virtualisation - Welcome Back to the 90s.</source>
    </item>
    <item>
      <title><![CDATA[SQL Server high availability when upgrading to SQL Server 2005]]></title>
      <link>http://securityratty.com/article/3ea1f41fe568a9ea63e795c330def035</link>
      <guid>http://securityratty.com/article/3ea1f41fe568a9ea63e795c330def035</guid>
      <description><![CDATA[The pursuit of minimal downtime is complex when upgrading an Active/Active cluster to SQL Server 2005/Windows Server 2003. In part three of this series, SQL Server expert Matthew Schroeder outlines...]]></description>
      <content:encoded><![CDATA[The pursuit of minimal downtime is complex when upgrading an Active/Active cluster to SQL Server 2005/Windows Server 2003. In part three of this series, SQL Server expert Matthew Schroeder outlines the stages for migrating a database to a transition server, and then the new source system. Areas covered in this tip include configuring logins, assigning permissions, transferring SQL Server jobs.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 09:28:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sql server jobs">sql server jobs</category>
      <category domain="http://securityratty.com/tag/source system">source system</category>
      <category domain="http://securityratty.com/tag/transition server">transition server</category>
      <category domain="http://securityratty.com/tag/activeactive cluster">activeactive cluster</category>
      <category domain="http://securityratty.com/tag/minimal downtime">minimal downtime</category>
      <category domain="http://securityratty.com/tag/tip include">tip include</category>
      <category domain="http://securityratty.com/tag/permissions">permissions</category>
      <category domain="http://securityratty.com/tag/complex">complex</category>
      <category domain="http://securityratty.com/tag/stages">stages</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/324219837/0,289483,sid87_gci1319556,00.html">SQL Server high availability when upgrading to SQL Server 2005</source>
    </item>
    <item>
      <title><![CDATA[Googles Culture of Yes]]></title>
      <link>http://securityratty.com/article/e615947c2baeb07b85af246f8d822bd5</link>
      <guid>http://securityratty.com/article/e615947c2baeb07b85af246f8d822bd5</guid>
      <description><![CDATA[Recently, Eric Schmidt gave quite an inspirational speech at the Economic Club of Washington . It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather...]]></description>
      <content:encoded><![CDATA[<p>Recently, Eric Schmidt gave quite an inspirational speech at the <a href="http://www.economicclub.org/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.economicclub.org');" target="_blank">Economic Club of Washington</a>.  It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather long but here’s the <a href="http://fora.tv/2008/06/09/Eric_Schmidt_Explains_Google_s_Culture_of_Yes" onclick="javascript:pageTracker._trackPageview('/outbound/article/fora.tv');" target="_blank">section on Google’s Culture of Yes</a>.</p>
<p>After hearing his speech, I thought about how Eric and Google are impacting the digital revolution after so many others have tried unsuccessfully over the last 25 years. He has led the company through a period of explosive growth from $1 Billion to over $16 Billion in the past year, while keeping the young, fun, irreverent culture intact. Considering the meteoric rise of Google’s popularity in a reasonably short period of time, to the point that the company name is now actually a verb!</p>
<p>The point that I found enlightening was his summary, which you can scroll to at the 26 - 30 minutes timeframe in the presentation, where he shared an interesting glimpse into the culture of Google. “Creating more luck, giving yourself more at bats, being out there… to think big and inspire a culture of YES.” The culture of Yes inspires people to aim higher and be ambitious in their reach and goals.</p>
<p>That is a very interesting point in which I really believe. If there is one thing that all companies and especially small companies struggle with because of natural resource constraints, it is building a strong culture of Yes. We have tried to do this from the very inception of ScienceLogic, but it continues to get harder and harder the larger the business grows. To consistently inspire a principle of Yes, without agreeing to every idea that flows across my desk is amongst the most challenging parts of our daily jobs. However if I could create the perfect scenario, we would intuitively strive for a principle of Yes and inspire our associates and our ecosystem of partners and customers to use this simple concept to confidently go forward.</p>
<p>Eric says, “It is possible to build a culture around innovation. It is possible to build a culture around leadership, and it is possible to build a culture around optimism.” Google is a great example, but by no means the only example. I agree with Eric’s summary and hope to lead ScienceLogic according to these very basic but essential principles. “Let’s be revolutionaries. Let’s take this opportunity, this huge change that is before us with technology and let’s change our businesses, our communication and the way we interact on some new principles that reflect the very best in America.”</p>
]]></content:encoded>
      <pubDate>Mon, 23 Jun 2008 11:21:46 +0000</pubDate>
      <category domain="http://securityratty.com/tag/culture">culture</category>
      <category domain="http://securityratty.com/tag/googles culture">googles culture</category>
      <category domain="http://securityratty.com/tag/strong culture">strong culture</category>
      <category domain="http://securityratty.com/tag/irreverent culture intact">irreverent culture intact</category>
      <category domain="http://securityratty.com/tag/inspirational speech">inspirational speech</category>
      <category domain="http://securityratty.com/tag/speech">speech</category>
      <category domain="http://securityratty.com/tag/inspire">inspire</category>
      <category domain="http://securityratty.com/tag/consistently inspire">consistently inspire</category>
      <category domain="http://securityratty.com/tag/eric">eric</category>
      <source url="http://blog.sciencelogic.com/googles-culture-of-yes/06/2008">Googles Culture of Yes</source>
    </item>
    <item>
      <title><![CDATA[CISSP is here to stay! Sorry, Dre.]]></title>
      <link>http://securityratty.com/article/9607b0cffd1cc62c6c5a23140dc11d9a</link>
      <guid>http://securityratty.com/article/9607b0cffd1cc62c6c5a23140dc11d9a</guid>
      <description><![CDATA[Dre wrote an article in which he put the argument down that the CISSP is on its way out . What he really argues is that a &quot;generalist&quot; Information Security position is no longer very important,...]]></description>
      <content:encoded><![CDATA[Dre wrote an article in which he put the argument down that the <a href="http://www.tssci-security.com/archives/2008/06/19/rip-cissp/">CISSP is on its way out</a>. What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go.<br /><br />I disagree. I am a CISSP and an InfoSec "generalist" but that is not why I disagree.<br /><br />I love it when I read a blog and then read another about a totally different topic but that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about <a href="http://feeds.feedburner.com/%7Er/AndyItguy/%7E3/313504123/hello-my-name-is-andy-and-i-attend.html">how many meetings he attends</a>.<br /><br />While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day <span style="font-weight: bold;">not</span> in meetings. And I love it. Every meeting that I attend makes me more educated by how the business I work for - works. I also give my input and hopefully touch on all the people just how important protecting information is.<br /><br />Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.<br /><br />There is a need for people who can configure security devices, perform active directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. 
You want them working on the systems that they know well.<br /><br />You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.<br /><br />It is my belief that this person is not just important for a large organisation like the one I work for but even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee but it is important.<br /><br />The person does not have to be a CISSP but it is a good way to show that they are interested in an InfoSec career.<br /><br />On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some, they are techies and are really good at what they do and they have no want to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.]]></content:encoded>
      <pubDate>Fri, 20 Jun 2008 07:14:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security position">information security position</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/meetings">meetings</category>
      <category domain="http://securityratty.com/tag/blog entry">blog entry</category>
      <category domain="http://securityratty.com/tag/cissp">cissp</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/infosec career">infosec career</category>
      <category domain="http://securityratty.com/tag/firewall specialist">firewall specialist</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/316167014/cissp-is-here-to-stay-sorry-dre.html">CISSP is here to stay! Sorry, Dre.</source>
    </item>
    <item>
      <title><![CDATA[Windows Enterprise Data Protection with Symantec Backup Exec]]></title>
      <link>http://securityratty.com/article/5d54ca30034a6749b87374162f39306c</link>
      <guid>http://securityratty.com/article/5d54ca30034a6749b87374162f39306c</guid>
      <description><![CDATA[(Source: Symantec) With data protection becoming more distributed and IT resources increasingly constrained, businesses need a centralized data protection strategy that can manage multiple backup and...]]></description>
      <content:encoded><![CDATA[<b>(Source: Symantec)</b>  With data protection becoming more distributed and IT resources increasingly constrained, businesses need a centralized data protection strategy that can manage multiple backup and recovery jobs. Learn how to address these critical enterprise challenges with dynamic disk-based data protection.
]]></content:encoded>
      <pubDate>Wed, 18 Jun 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data protection">data protection</category>
      <category domain="http://securityratty.com/tag/data protection strategy">data protection strategy</category>
      <category domain="http://securityratty.com/tag/manage multiple backup">manage multiple backup</category>
      <category domain="http://securityratty.com/tag/critical enterprise challenges">critical enterprise challenges</category>
      <category domain="http://securityratty.com/tag/symantec">symantec</category>
      <category domain="http://securityratty.com/tag/recovery jobs">recovery jobs</category>
      <category domain="http://securityratty.com/tag/resources increasingly">resources increasingly</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/businesses">businesses</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/314864550/whitepapers.do">Windows Enterprise Data Protection with Symantec Backup Exec</source>
    </item>
    <item>
      <title><![CDATA[The security sales conundrum]]></title>
      <link>http://securityratty.com/article/31f0eb835cc2663f0bb0abb53a85d23e</link>
      <guid>http://securityratty.com/article/31f0eb835cc2663f0bb0abb53a85d23e</guid>
      <description><![CDATA[I spent this week on a tour of StillSecure customers speaking to them about security, their jobs and what would make their lives easier. One thing that I heard consistently from them was that they are...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I spent this week on a tour of StillSecure customers speaking to them about security, their jobs and what would make their lives easier. One thing that I heard consistently from them was that they are overwhelmed with security vendors barraging them. Be it email, phone or postal mail, it just doesn't stop. They don't answer their phones and don't even know where these vendors get their names. Mr Bump in a <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/the-used-car-sa.html#reply">recent comment on my blog about the used car salesman of NAC</a> says this is another example of why he is just fed up with sales people.</p>

<p>I hear all of this loud and clear and will be sure to pass this along to our own sales and marketing teams. However, it begs the question of how security vendors are supposed to contact and sell their products. Should security vendors just sit there and wait for the phone to ring with questions or orders? Would you prefer that all sales people are highly technical and just talk bits and bytes with you? How will you find out about new products and services? For all of the bellyaching and moaning about sales and marketing overload, it would seem that if it was not successful, vendors would not do it.</p>

<p>I would like to hear from you. How would you like to see vendors contact you? What do you think the sales process should look like? I don't think sales people want to be a pain in the butt and for the most part don't want to blow smoke up anyone's butt. What do you think? Leave a comment and be heard. The time you save dealing with annoying sales tactics may be your own.</p>

</div>
]]></content:encoded>
      <pubDate>Wed, 18 Jun 2008 04:01:20 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sales">sales</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/sales people">sales people</category>
      <category domain="http://securityratty.com/tag/contact">contact</category>
      <category domain="http://securityratty.com/tag/vendors contact">vendors contact</category>
      <category domain="http://securityratty.com/tag/vendors">vendors</category>
      <category domain="http://securityratty.com/tag/security vendors">security vendors</category>
      <category domain="http://securityratty.com/tag/sales tactics">sales tactics</category>
      <category domain="http://securityratty.com/tag/sales process">sales process</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/the-security-sa.html">The security sales conundrum</source>
    </item>
  </channel>
</rss>
