<![CDATA[[SecurityRatty] tag: pfizer]]>

<![CDATA[[SecurityRatty] tag: pfizer]]> http://securityratty.com/tag/pfizer Sun, 09 Dec 2007 18:14:53 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Laptop is stolen from Pfizer independent contractor]]> http://securityratty.com/article/b4b67279731645b79a008071f8c5ee68 http://securityratty.com/article/b4b67279731645b79a008071f8c5ee68 Security Breach

Date Reported:
3/19/08

Organization:
Pfizer Inc.

Contractor/Consultant/Branch:
Unnamed independent contractor

Victims:
Present and former employees and individuals providing contract services

Number Affected:
~800

Types of Data:
"names and credit card numbers, as well as, in some instances, credit card expiration dates, home and/or business addresses, home and/or business and/or cell phone numbers, personal and/or business e-mail addresses, hotel loyalty program numbers and other travel and logistics information"

Breach Description:
"We are writing to let you know that a laptop stolen from a Pfizer contractor's locked home on February 7, 2008 unfortunately contained some of your personal information along with personal information belonging to approximately 800 present and former Pfizer employees and other individuals providing services to Pfizer."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to give you notice of a recent data security incident involving an independent contractor working for my client, Pfizer Inc ("Pfizer").
[Evan] Pfizer is getting pretty good at this whole breach notification thing. This is #5 for Pfizer since last August.

On February 7, 2008, the home of the contractor, who assists in arranging and planning travel and meetings for Pfizer, was burglarized and the contractor's laptop computer was stolen.

Some information about present and former Pfizer employees and individuals providing contract services to Pfizer was stored on that laptop.
[Evan] Does Pfizer allow employees and contractors to take sensitive personal information home on laptops? Without encryption?

The police were notified immediately, but no arrests have been made, and the laptop has not been recovered.

The contractor maintained an external back-up hard drive of the laptop's contents, and from the initial examination of the back-up it appears that the laptop contained information about approximately 800 individuals
[Evan] Excellent, so there were (at least) two unprotected copies of this confidential information. Does anyone else see a problem with this?

The forensic review to date indicates that the information included names and credit card numbers, as well as, in some instances, credit card expiration dates, home and/or business addresses, home and/or business and/or cell phone numbers, personal and/or business e-mail addresses, hotel loyalty program numbers and other tracel and logistics information.

The forensic review is ongoing, but it does not appear that any passwords or PIN codes for the credit cards were exposed, nor were any Social Security numbers exposed.

The laptop was password protected.
[Evan] So? We've said it here before, password protection (likely operating system) is NOT adequate protection. Although there is no perfect protection, the use of encryption reduces risk of exposure to a level that is acceptable for most applications.

At this time Pfizer is not aware that any person has inappropriately used any exposed information, but the Company is continuing to monitor the situation.

The data exposed by this incident does not appear to be the type that triggers a notification requirement under your state's data breach statute.

Nonetheless, Pfizer has made a corporate decision to notify affected individuals about the theft of the information and the steps they can take to minimize any potential impact.
[Evan] Wise decision. I can think of more wise decisions…

Pfizer is planning to send notification letters to all affected individuals within the next few days

Pfizer has arranged to provide all affected individuals with the opportunity to sign-up for a full 2-year package of credit-protection services and identity theft insurance, free of charge.
[Evan] Two years is twice the amount of time that is usually given.

Both Pfizer and our contractor deeply regret this incident and any concerns it may raise.

If you have questions, please send an email to privacy.officer@pfizer.com or call our Helpline mailbox at 212 733-0228.

Commentary:
There is no mention of encryption in the breach notification, nor is there any mention of company policy. Six breaches in the past 12 months speaks for itself.

Past Breaches:
May, 2007 - 17,000 Current and Former Pfizer Employees Exposed
August, 2007 - 2nd Pfizer Breach of 2007 Affects 950
September, 2007 - Pfizer Breach Exposes Details on Estimated 34,000
September, 2007 - 68,767 Patients Affected by McKesson Stolen Computers
October, 2007 - Encryption error at Wheels Inc. leads to Pfizer breach

]]> Sun, 06 Apr 2008 11:57:23 +0000 pfizer 2nd pfizer breach pfizer breach evan pfizer pfizer contractor contractor pfizer employees laptop time pfizer Laptop is stolen from Pfizer independent contractor <![CDATA[Five data leak nightmares]]> http://securityratty.com/article/49469a47a7014ea98c21e04dc0454e95 http://securityratty.com/article/49469a47a7014ea98c21e04dc0454e95 Sun, 06 Jan 2008 21:00:00 +0000 home depot lost high-profile data-leak incidents veterans administration personal information laptop aol employees ameritrade pfizer Five data leak nightmares <![CDATA[Phishers, Spammers, and Malware Authors Clearly Consolidating]]> http://securityratty.com/article/630ba3b8e9e355ca51f97bb8a3578cf9 http://securityratty.com/article/630ba3b8e9e355ca51f97bb8a3578cf9

In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized on the consolidation that's been going on between phishers, spammers and malware authors for a while :

"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely, harvesting of the emails courtesy of the spammers, segmenting the emails database for targeted mailings on a per company, institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks with the spammers earning a higher profit margin for providing the service of segmentation :

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there're articles emphasizing on the concept of stepping-stones before reaching the final destination, with China's highly malware infected Internet population acting as the stepping-stone, not the original source of the attack :

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly obtainable research, and common sense state that malware coming through email attachments is slowing down, and is actually supposed to be filtered on the gateway perimeter by default, especially executables. Even the first round of Storm Worm malware in January, 2007, concluded that email attachments are not longer as effective as they used to be, and therefore migrated to spamming malware embedded links exploiting outdated vulnerabilities.

How such type of targeted malware attack could have been prevented?

- ensure that the emails are harvested much harder than they are for the time being, in this particular case, a huge percentage of the emails account, thus the future contact points for the malicious parties to take advantage of ornl.gov can be harvested without even bothering to crawl the domain itself through web scrapping ornl.gov

- a freely avaivable, but highly effective tool to evaluate whether or not your mail server filtering capabilities for such type of content work, is PIRANA - Email Content Filters Exploitation Framework :

"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Taking the second possible scenario, namely that it wasn't a targeted attack, but malware attachments "as usual", mostly because the fact that modern malware automatically excludes mailings to .gov's .mil's and the majority of known to them anti-virus vendor's related email addresses, hoping to infect as much people as possible before a reactive response is in place.

If it were a spammed malware embedded link, the chances are the receipts followed it, but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and it's rocket scientists we're talking about anyway.

]]> Sun, 09 Dec 2007 18:14:53 +0000 malware malware attachments malware attack malware authors hand malware authors spammers modern malware storm worm malware emails courtesy Phishers, Spammers, and Malware Authors Clearly Consolidating