[SecurityRatty] tag: police

Personal Internet Security: follow-up report

Tue, 08 Jul 2008 09:05:04 +0000

The House of Lords Science and Technology Committee have just completed a follow-up inquiry into “Personal Internet Security”, and their report is published here. Once again I have acted as their specialist adviser, and once again I’m under no obligation to endorse the Committee’s conclusions — but they have once again produced a useful report with sound conclusions, so I’m very happy to promote it!

Their initial report last summer, which I blogged about at the time, was — almost entirely — rejected by the Government last autumn (blog article here).

The Committee decided that in the light of the Government’s antipathy they would hold a rapid follow-up inquiry to establish whether their conclusions were sound or whether the Government was right to turn them down, and indeed, given the speed of change on the Internet, whether their recommendations were still timely.

The written responses broadly endorsed the Committee’s recommendations, with the main areas of controversy being liability for software vendors, making the banks statutorily responsible for phishing/skimming fraud, and how such fraud should be reported.

There was one oral session where, to everyone’s surprise, two Government ministers turned up and were extremely conciliatory. Baroness Vadera (BERR) said that the report “was somewhat more interesting than our response” and Vernon Coaker (Home Office) apologised to the Committee “if they felt that our response was overdefensive” adding “the report that was produced by this Committee a few months ago now has actually helped drive the agenda forward and certainly the resubmission of evidence and the re-thinking that that has caused has also helped with respect to that. So may I apologise to all of you; it is no disrespect to the Committee or to any of the members.”

I got the impression that the ministers were more impressed with the Committee’s report than were the civil servants who had drafted the Government’s previous formal response. Just maybe, some of my comments made a difference?

Given this volte face, the Committee’s follow-up report is also conciliatory, whilst recognising that the new approach is very much in the “jam tomorrow” category — we will all have to wait to see if they deliver.

The report is still in favour of software vendor liability as a long term strategy to improving software security, and on a security breach notification law the report says “we hold to our view that data security breach notification legislation would have the twin impacts of increasing incentives on businesses to avoid data loss, and should a breach occur, giving individuals timely information so that they can reduce the risk to themselves“. The headlines have been about the data lost by the Government, but recent figures from the ICO show that private industry is doing pretty badly as well.

The report also revisits the recommendations relating to banking, reiterating the committee’s view that “the liability of banks for losses incurred by electronic fraud should be underpinned by legislation rather than by the Banking Code“. The reasoning is simple, the banks choose the security mechanisms and how much effort they put into detecting patterns of fraud, so they should stand the losses if these systems fail. Holding individuals liable for succumbing to ever more sophisticated attacks is neither fair, nor economically efficient. The Committee also remained concerned that where fraud does take place, reports are made to the banks, who then choose whether or not to forward them to the police. They describe this approach as “wholly unsatisfactory and that it risks undermining public trust in the police and the Internet“.

This is quite a short report, a mere 36 paragraphs, but comes bundled with the responses received, all of which from Ross Anderson and Nicholas Bohm, through to the Metropolitan Police and Symantec are well worth reading to understand more about a complex problem, yet one where we’re beginning to see the first glimmers of consensus as to how best to move forward.

Daily Mail publisher admits to stolen laptop

Sat, 05 Jul 2008 08:55:49 +0000

Technorati Tag: Security Breach

Date Reported:
7/4/08

Organization:
Daily Mail and General Trust plc

Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd

Victims:
Staff, suppliers and contributors

Number Affected:
"thousands"

Types of Data:
"name, address, bank account number and bank sort code"

Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."

Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info

Report Credit:
Guardian Newspaper

Response:
From the online sources cited above:

Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.

A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.

After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals". It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.

Details such as names, addresses, bank account numbers and sort codes were on the laptop

the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach. It does very little (if anything) to protect the personal information.

In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn? I don't see how there could be enough information to determine what the thief was likely to do.

From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:

"Unfortunately one of the company's laptops has been stolen."

"The contents included personal data, some of which related to you."

"The laptop was password-protected. "
[Evan] So what? This won't adequately protect the information on the laptop, so why mention it?

"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.

"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."

"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation. I can't imagine that there are any specific facts for which this conclusion is based on.

"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."

"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."

"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"? Like what? I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented. Without further elaboration, "strengthened procedures" is subjective and means little. Organizations should offer details, instead of general statements in order to bolster some sense of confidence.

Commentary:
This breach must be embarrassing for Associated Newspapers. A breach like this should be embarrassing for any organizations. Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays. An unacceptable risk for most.

Past Breaches:
Unknown

Random Stupidity in the Name of Terrorism

Thu, 03 Jul 2008 08:57:04 +0000

An air traveller in Canada is first told by an airline employee that it is "illegal" to say certain words, and then that if he raised a fuss he would be falsely accused:

When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight."

More on the British war on photographers. A British man is forced to give up his hobby of photographing busses due to harrassment.

The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives. The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown. "The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority. Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment. "I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts."

Is everything illegal and damaging now terrorism?

Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead. Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization.

Boston public school locked down after someone saw a ninja:

Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword. Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.

And finally, not terrorism-related but a fine newspaper headline: "Giraffe helps camels, zebras escape from circus":

Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.

Are llamas really that hard to count?

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

Kill Switches and Remote Control

Tue, 01 Jul 2008 02:48:37 +0000

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear. OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment. Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class. The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards. Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override? How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands? It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems. And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible. "Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite. This essay originally appeared in Wired.com.

Australian medical information found in abandoned amusement park

Sat, 28 Jun 2008 09:10:55 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
New South Wales Government (AU)

Contractor/Consultant/Branch:
Sydney West Area Health Service
Unnamed "bankrupt contractor"

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"confidential medical records"

Breach Description:
"The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park."

Reference URL:
ABC News
Macquarie National News
Macquarie National News (2)

Report Credit:
ABC NEws

Response:
From the online sources cited above:

The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park.
[Evan] This is a first. An abandoned amusement park? I would be embarrassed too!

Pathology results and slides were found when a container dumped in the former Magic Kingdom park at Lansvale was set alight this week.

The container was discovered after it caught on fire yesterday, attracting the attention of the local fire department.

A bankrupt contractor is being blamed for dumping confidential medical records and contaminated waste in the grounds of an abandoned fun park.
[Evan] Confidential medical records AND contaminated waste? Ugh.

Police said it was likely the container had been there for a decade.
[Evan] A decade? This story keeps getting more bizarre.

The Health Department is reviewing waste disposal procedures following the discovery at Lansvale in Sydney's south west.
[Evan] I presume that the waste disposal procedures have probably changed over the past ten years. The Health Department should be reviewing procedures on a regular basis anyway.

The health service's chief executive, Professor Steven Boyages, says it is a serious breach and the health service is reviewing its waste disposal procedures.

"There are clear policy and procedures in place to manage records and disposal of records and clear policies in place to manage and dispose of any clinical waste," he said.

"It appears at first glance that the policy and procedures weren't followed by the contractors who were engaged to do this."

“It is a huge concern, I’ve called for an immediate review to ensure our existing contractors are following standard policy and procedures so this doesn't happen again," he said

Shadow health minister Jillian Skinner said the state government also has some explaining to do.

"Why if it was know this company had gone bankrupt and wasn't carrying out its duties they didn't check to make sure this material was disposed of properly?" Ms Skinner said.

Commentary:
The landscape of information security and personal information issues has changed markedly over the past ten years. SWAHS should still be held accountable, but how much can you comment on something that happened ten years ago and probably does not reflect upon current practice.

This is one of the most bizarre breaches I have read about in some time.

Past Breaches:
Unknown

Security Matters: I've Seen the Future, and It Has a Kill Switch

Thu, 26 Jun 2008 00:00:00 +0000

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment.

Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class.

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands?

It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems.

And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible.

"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Is this a case of; "Do as I say, not as I do"?

Wed, 25 Jun 2008 23:23:00 +0000

I think it is a shame when a Police Officer acts like a Politician. It seems like this might be what happened to the Police Chief in San Francisco.

It has leaked out that Chief Heather Fong has not qualified with her service weapon in years. She actually admits to it but blames the lapse on her busy schedule. This poses two really pressing questions. Firstly, what would she do if she was getting into her vehicle going to or coming from work and she witnessed a grievous felony taking place? If she pulled her weapon, she would most definitely not be able to respond in a manner befitting a trained Police Officer who had undergone requalification every 6 months as is her Department's policy. Would she even be qualified/legally covered to use her weapon after going years without re-training?

Secondly, how is she able to administer punishment to other officers who have failed to re-qualify when she herself is facing disciplinary charges? What kind of message is she sending out? Apparently, in San Francisco there seems to be one law for the street cops and another for high ranking officers. This must do wonders for morale.

Of course we know that you have a busy schedule Chief, but it is hard to believe that you couldn't find an hour once every six months to run out to the range and "pop a few off". You would hardly have to wait in line like everyone else. Have you forgotten what every Police Officer (and armed security officer for that matter) is taught, that using a weapon is based upon muscle memory? In other words, if you don't use it, you lose it.

People like Chief Fong are supposed to lead by example and shame on them when they don't. Do the right thing Chief, bring a sandwich to work with you and go out to the range on your lunch break. You shouldn't put yourself above the law.

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

SQL injections compromise Balmar e-commerce site

Mon, 23 Jun 2008 18:07:43 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
Balmar Incorporated
Arts Education Partnership ("AEP")

Contractor/Consultant/Branch:
Unnamed hosting provider

Victims:
Online customers

Number Affected:
Unknown

Types of Data:
Names, addresses, telephone numbers, emails, and credit card information.

Breach Description:
Balmar Incorporated notified the Maryland State Attorney General of a breach that occurred sometime between April 4, 2008 and April 30, 2008, in which sensitive customer information was compromised through their ecommerce site.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
Maryland State Attorney General

Response:
From the online source cited above:

Balmar Incorporated ("Balmar") recently experienced a data security breach in its e-commerce site server.

Balmar has reason to believe that the personal information of seven (7) of its online customers who reside in the State of Maryland may have been accessed sometime between April 4, 2008 and April 30, 2008 without proper authorization.
[Evan] The sensitive information may have been accessed sometime during the 26 days listed above, but as you will read later on in the notification, the attack started as early as March 27th.

The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information.

Balmar has determined that at least one fraudulent credit card transaction has occurred as a result of this incident.
[Evan] This is likely confirmation that the sensitive information WAS accessed, not "may have been" as stated previously.

A full analysis of our e-commerce server logs revealed on March 27, 2008, an individual initiated several SQL-injections queries on the main page of our e-commerce website from an IP address in Viet Nam.
[Evan] I am pleased to read that Balmar had/has implemented enough logging to determine the type and source of the attack. I am curious to know why the e-commerce site was under attack from March 27th until as late as April 30th without detection? Either the Balmar e-commerce site was not protected by intrusion detection/prevention or information security personnel didn't know how to use intrusion detection/prevention. IDS/IPS is a must-have for e-commerce platforms in most circumstances. Part of using IDS/IPS is to review and investigate alerts ASAP.

Random queries were attempted over time through March 31st.

By March 31st, the individual had gathered enough information to pipe the queries to a search bot.

By April 4th, the search bot was able to access and transfer data from our e-commerce server to a web page.

Once discovered, Balmar immediately undertook the following actions:

Reported the incident to the Virginia State Police and the FBI;
Contacted the web page host to demand that the page be disabled;
Removed all credit card information from the affected area of our database and moved it to a secured area of the database that cannot be accessed by the method used during the incident;
Installed an additional database security solution to detect and prevent any future attempted security breaches;
Sent notice to affected customers by letter and e-mail

Balmar's investigation of this incident is ongoing.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains our top priority.
[Evan] This letter is signed by the President of Balmar, Bruce Seger. I respect a business leader that speaks (or writes) about information security issues. It demonstrates his/her ownership.

We have made and will continue to make significant investments in security software, systems, and procedures, and will remain vigilant in protecting you.

For more information, contact us by telephone at 1 (800) 265-2724 or by email at bseger@balmar.com.

Commentary:
Was this an e-commerce site running code that was susceptible to SQL injection attacks and no host or network intrusion detection/prevention?

Past Breaches:
Unknown