[SecurityRatty] tag: procedure

The opt-out from hell

Tue, 16 Sep 2008 15:22:03 +0000

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...?
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID:
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya
From: Avaya
To: Steve Riley
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

Is an incorrectly implemented security program better than a non-existent one ?

Wed, 03 Sep 2008 12:02:00 +0000

Think carefully before you answer that one. A large majority of you would be inclined to give a resounding 'yes' - but I really want you to think carefully on this one. Think long term. Think about implementation hurdles, think about project documentation.

The answer to this IMHO is a big "DEPENDS".

To explain:

Imagine you're working in a company that has no security controls in place - and is in desperate need of getting a security program impemented. They hire a new CISO to make sure their physical and logical controls are in place, network and applications are secured appropriately and their incident management and forensics capabilities are upto date. At this point the CISO clearly knows that he needs to create and implement a number of programs and hires a bunch of people to perform and manage a series of tasks. Till this point, things are going smoothly. Everyone understands the need, and is working towards meeting a common goal. The program is not in place yet, but people know and understand the urgency need to act immediately. The CISO's risk radar has a list of projects ranked by priority and everone begins to tackle them.

Now consider the scenario when certain security programs are not done right - say, a few of the high risk applications are not considered in the initial risk matrix or there are certain business units that have been granted an 'exception'to the process that is being put in place, with the most common excuses of:

1. This is a pilot
2. We will get to this in the next phase
3. The group has a number of high profile clients who don't want it implemented right now
4. <plug your own excuse here>

Well - initially, everyone is completely aware that they have more issues to remediate and and have honest intentions to fix that too, once the pilot and
PoC is well established and in place. But then things change. Leaders change. Managers change. People's roles change. What doesn't, is the documentation regarding the project. But documents usually tend to highlight what the project does, not what it doesn't do. Nobody seems to remember there are additional tasks that need to get completed. People take a quick look at documents detailing what was done in the program and begin to assume that it is well established, completely ignoring the fact that a very important Phase 2 still needs to be in place. A false sense of security is now well in place... and life goes on.

Till you get hacked.

..and then a forensics team attempts to determine the cause. A new CISO comes in, reviews the existing program, decides it is too complex and structureless and decides to do away with it entirely and create a new security program.. and the cycle continues.

The moral of the story: When you have no security program - be very careful while diligently working to get one in place

But when you have a partial one, be extremely careful and don't leave any loose ends while getting it completely and correctly put in place.

On a lighter note - here's an email I received from a school I was doing some courses from ..

Beautiful !! Here is your PIN (username). But we will not give you your password over email. I was sooo impressed when I got that! - Could it be that schools and universities are finally waking up and trying to understand security ? No more SSNs as IDs ? No more default 'password' passwords ? This was great. I followed the procedure outlined to receive a new password - it asked for my name, DOB and email.. and then .. I receive this:

For those who cannot see the image:

the email says:

blah blah blah blah blah blah..
your PIN:
your password: password1234

blah blah blah blah blah blah

ISO 27001 Adoption Poll Results are In

Thu, 28 Aug 2008 05:00:00 +0000

So, several weeks ago I wrote a piece discussing the "long road to ISO 27001" adoption. A question posed to readers at the end of the piece: "How far off are we from the point at which ISO 27001 certifications in the U.S. are standard operating procedure for businesses -- the exception, rather than the rule?"

Well, the results are in! Our servers nearly crashed thanks to the influx of responses, but, fortunately, that wasn't the case. Here are the results...

Phish Page Steals Your Details, Then Logs You In

Fri, 22 Aug 2008 10:15:31 +0000

One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:

...or like this:

Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:

1. Visit Phish page
2. Enter details
3. User is told "your login cannot be processed at this time", and your information is stolen

What if the process could go like this:

1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site

You'd miss that vital clue - the failed login - and assume everything was okay.

Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:

Click to Enlarge

Here I am, entering my login details into the page:

At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.

However, the Phish page takes you to a page hosting an encoded base64 script:

From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!

Click to Enlarge

Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:

Click to Enlarge

From the point where I decided to login to Habbo Hotel, to the point where I'm actually logged into the site there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again.

Flying Without ID

Tue, 12 Aug 2008 08:33:39 +0000

Seems like the procedure has changed:

Mr. Peters nodded, and then looked down at the sheet which I had filled out and signed. “I’m going to have to make some calls to verify your identity.”
I nodded.

He pulled out a cell phone. I had assumed that we would be going to some separate screening room, but that wasn’t the case. He stood facing the silver table, and I leaned back against it. So this was the dreaded interview. People walked past us with bags and luggage.

"Hello," he said. "Security." Long pause. It sounded like he was transferred. He said a number that I think had the same number of digits as a phone number. Then he said a shorter number. "No, she doesn’t." He wrote something in small letters on the form. Then he spelled my name over the phone. "D-A-V-I-D-O-F-F. That’s Indigo Delta… yes."

He looked at me. "What’s the name of a street that you lived on prior to your current address?"

"Inman."

"Inman," he repeated. There was a pause. "Where did you live in 2004?"

"Hmm…" I said. "New Mexico? I think? Maybe Massachusetts."

He conferred with the person on the phone. "That’s fine." He hung up.

"All right," he said. "You’re going to go through full security screening." He wrote "SSSS" in red marker on my printed boarding pass. He handed my form to one of the officers at the podium, and then gestured to the first screening line. "Right here."

This only works if you've lost your ID, not if you refuse to show it.

Indiana State University professor's laptop is stolen

Thu, 17 Jul 2008 05:29:35 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is? I hope it is not meant to reassure anyone that the information is safe. For those of you that do not know, password-protection is easily bypassed and in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see? None. There would be no evidence (except locally on the laptop) if the local password store had been compromised. The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs. Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash. A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision. Policy does little if it is not communicated, enforced, audited against, and improved. Where was the failure in the breach? Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit.
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems. It is often used for identification and authentication. Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe. The rest of the information is typically easier to come by, i.e. name, address, employer, etc. It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop. Otherwise, they probably wouldn't have policy and procedure against it. The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

"Metro" employee information mistakenly posted to Web

Tue, 15 Jul 2008 06:39:14 +0000

Technorati Tag: Security Breach

Date Reported:
7/14/08

Organization:
Washington Metropolitan Area Transit Authority ("Metro")

Contractor/Consultant/Branch:
None

Victims:
"past and present employees"

Number Affected:
4,675

Types of Data:
Names and Social Security numbers

Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."

Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post

Report Credit:
Washington Metropolitan Area Transit Authority

Response:
From the online sources cited above:

Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.

The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of tranmission used such as VPN or secure FTP?

The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.

A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.

Three Metro employees have been disciplined

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.

Letters warning of the breach were sent out to the affected employees.

The letter urges employees to watch their credit reports for signs of identity theft.

Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.

"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.

Metro officials say they are not alone in this type of data breach.
[Evan] So what?

According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.

Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason, whether or not you use it is your choice.

Past Breaches:
Unknown

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

Employee fraud at Wells Fargo Home Mortgage affects some customers

Tue, 08 Jul 2008 08:58:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Wells Fargo & Company

Contractor/Consultant/Branch:
Wells Fargo Home Mortgage

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"names, addresses, dates of birth, loan numbers, Personal Identification Numbers (PIN), current bank account numbers and last five digits of their Social Security numbers"

Breach Description:
"We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information. We have taken appropriate action against this individual."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to the information compromise notification requirements of the State of New Hampshire, Wells Fargo hereby notifies you that we have give notice to approximately 24 residents of the state of New Hampshire of a potential compromise of their Social Security numbers and mortgage loan account numbers.

We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information.
[Evan] Employee fraud is one of the most difficult breaches to prevent (and sometimes to detect). Most controls are largely administrative in nature such as background checks, segregation of duties, job rotation, policy and procedure, etc. Sometimes even the best controls won't do much to prevent an attack from the enemy within.

We have taken appropriate action against this individual.
[Evan] I wonder what this means.

We have no information indicating your information was compromised.

However, the former employee, in the course of their employment, had access to information that may have included your name, address, date of birth, loan number, Personal Identification Number (PIN), current bank account number and last five digits of your Social Security number.
[Evan] The fact that only the last five digits of the Social Security numbers were accessible is a good indication that Wells Fargo identified the risk involved with a person in the former employee's position accessing confidential information. Limiting Social Security number exposure also limits the extent and impact of the breach.

We started mailing consumer notices on May 13, 2008.

Wells Fargo Home Mortgage takes information security very seriously and wants to assure you that we are taking precautionary measures to reduce the potential risk associated with this incident.

Wells Fargo Home Mortgage, to ensure everything is done to protect you, will be providing you with a new PIN to access the line of credit on your reverse mortgage loan.
[Evan] Not just "to protect you". Remember that Wells Fargo is in business to make money and I am pretty sure that the things they do are to that end.

As a precaution, Wells Fargo has partnered with a company called Intersections, Inc. to provide you with a free one-year subscription to IDENTITY GUARD CREDITPROTECTX3.
[Evan] Cool! "CREDITPROTECTX3" sounds super strong and effective!

Wells Fargo Home Mortgage values and appreciates the trust you have placed in us by allowing us to serve you.

We sincerely apologize for this situation.

If we can be of further assistance, please do not hesitate to call us at (800) 472-3209 between the hours of 8:00 am and 8:00 pm eastern time, Monday through Friday.

Commentary:
I think that breaches like this are more common than some people would like to admit. Banks have the one thing that everyone wants!

Past Breaches:
Unknown

SP 800-53A Now Finally Final

Tue, 01 Jul 2008 08:08:12 +0000

The perpetual draft document, SP 800-53A, has been officially released after 3 years. Check out the announcement from NIST here.

Now the interesting thing to me is that NIST is working with some other players (DNI comes to mind) on reference implementations of 800-53A. This is big, so big that I can’t add enough hyperbole to it.

Why do they need to do reference implementations? Well, because by itself, SP 800-53A is dangerous if it’s given to people who “don’t get it”. By that what I mean is this:

SP 800-53 needs tailoring to distill into actual requirements.
SP 800-53A needs a huge amount of tailoring to distill into test cases/procedures that match the tailoring that you did with 800-53.
Taken at face value, 800-53 and 800-53A become the source of “death by compliance”.
If you think the auditors could grill you to death with 800-53, 800-53A gives them tons more material.

Now time for a war story: I worked on a project where the contractor was having a hard time building a security program, mostly because they didn’t have the right staff to get the job done. The government told the contractor to use 800-53A as a starting point, and 6 months of insanity followed with 13 “security engineers” in a conference room cranking out documentation that had no basis in reality. At the end of it all, the contractor handed the Government a bill for $1M.

Now don’t get me wrong, I like the ideas behind 800-53A, but the first thing you need to know when you start using it is when you shouldn’t use it:

Don’t run test procedures on every computer you have, use an automated tool and do spot-checks to validate that the automated tool works.
Use less test procedures on low-criticality systems.
“This procedure is conducted as part of the hardening validation process.”
Common controls are even more important because you do not want the repetition of effort.

And whatever you do, don’t let 800-53A turn your risk management into a compliance activity. It has all the potential to do that.

US Government Doc’s photo by Manchester Library.

Bookmark to: