[SecurityRatty] tag: ranks

Compromised Cpanel Accounts For Sale

Mon, 18 Aug 2008 06:42:50 +0000

Is the once popular in the second quarter of 2007, embedded malware tactic on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? Depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of tools and tactics that he's taking advantage of, in fact, some would on purposely misinform on what their actual capabilities are in order not to attract too much attention to their real ones, consisting of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it used to be in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in their decreasing price, with the sellers differentiating their propositions, and charging premium prices based on the site's page ranks and traffic, measured through publicly available services, or through the internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shells access to misconfigured web servers remain desired underground goods, goold old fashioned embedded malware will continue taking place.

Interestingly, from an economic perspective, the way the seller markets his goods, can greatly influence the way they get abused given he continues offering after-sale services and support. It's blackhat search engine optimization I have in mind, sometimes the tactic of choice especially given its high liquidity in respect to monetizing the compromised access.

The bottom line - for the time being, there's a higher probability that your web properties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that's because what used to be a situation where malicious parties would aim at launching a targeted attack at high profile site and abuse the huge traffic it receives, is today's pragmatic reality where a couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, and greatly extend the lifecycle of their campaign taking advantage of the fact the the low profile site owners would remain infected and vulnerable for months to come.

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Automated Spim on Microblogging Site Via MSN Messenger

Thu, 07 Aug 2008 17:12:09 +0000

There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

Learning GovieSpeak: The Plum Book

Thu, 17 Jul 2008 08:53:00 +0000

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees. Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here. Caveat: it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book? Well, that’s a good question. Have a look at some of the staffing plans in the plum book, and you’ll see something missing: Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers. Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s. So what’s the difference?

Well, political appointees (SES) are appointed by the President. They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists. Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better? Well, if you want survivability, then GS-scale is the way to go. If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Bookmark to:

Colorado Division of Motor Vehicles cited in audit report

Fri, 11 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
State of Colorado

Contractor/Consultant/Branch:
Department of Revenue
Division of Motor Vehicles

Victims:
Residents

Number Affected:
~3,400,000

Types of Data:
"names, addresses, dates of birth and Social Security numbers"

Breach Description:
"The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing."

Reference URL:
The Denver Post
Report of The State Auditor, Driver's License and Identification (ID) Card Security

Report Credit:
Jessica Fender, The Denver Post - Brought to the attention of The Breach Blog by an informed reader.

Response:
From the online source cited above:

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.
[Evan] The audit report is here.

At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure

Revenue Department leaders who oversee the division say they are working to hire internal watchdogs and build up their technological defenses.
[Evan] This is putting the cart before the horse. After reading some of the audit results it is clear to me that there is no information security strategy, no effective information security management, and no formal information security program. These administrative issues need to be addressed well before "technological defenses" should be. Addressing "technological defenses" first is often times wasteful and disjointed.

But the state, facing a budget shortfall, will have no additional money in the foreseeable future for new computer systems.
[Evan] Then get creative! No or little money is a poor excuse for not doing the right thing. Many times, we find that an organization actually saves money through effective information security management. Fix the administrative issues and formalize the information security program first. I don't know much about the Colorado state government, but I do know that other state governments are wasteful and disorganized. Information security, when aligned with organizational goals and objectives (not IT) can help organize and cut waste.

Cyber security alone is a $1.5 million problem that will be tough to solve, said Roxy Huber, Revenue Department executive director.
[Evan] I wonder where the $1.5 million dollar figure comes from. We can secure a heckuva lot of infrastructure (and information) with that kind of money. I get a kick out of "Cyber security".

"To tell you that I'm going to have the tools to do what I need to do, I don't know where they're going to come from," Huber said. "But we will continue to do the best with the tools that we have."
[Evan] Where do I start with this comment? The first tool to use is the one between your ears.

Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.
[Evan] This should tell you something! It is even more troubling if your own state government contributes to the problem.

On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007

Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned,"
[Evan] Yeah, ya think?

No one person is responsible for security
[Evan] Or is it no one is responsible for security?

High turnover - 60 percent of entry-level workers leave during their first year - and low, $26,280-a-year starting salaries make fraud more attractive and management more difficult, DMV officials said.
[Evan] This is another problem that contributes significantly to the risk.

While employees have been caught issuing hundreds of fraudulent licenses, there are no known instances of identity theft or information security breaches, said Department of Revenue spokesman Mark Couch.
[Evan] Come on. Not that we know of anyway. Don't you think that the risk is much higher if a person has already demonstrated that he/she is willing to step over the line?

"It's not like we have a completely defenseless system," Couch said. The audit "says that we need to take more steps."
[Evan] Not completely defenseless, but like protecting a bicycle with a rope.

"Without the appropriate resources, there's no way we can hold you accountable for doing some of the things you're expected to do," said Sen. Nancy Spence, R-Centennial.
[Evan] This kind of talk does not help the cause and does little to serve constituents. I am not close to this issue, but so many of the things I have read about this breach point to mismanagement more than a lack of appropriate resources.

Some problems already have been fixed.

The 33 former employees with database access immediately had their passwords deactivated once auditors identified them, and the DMV now compiles monthly lists of departed workers to prevent future lapses

The division has a long-standing policy of redacting the last four digits of Social Security numbers before they're transmitted, and the division plans to encrypt all transmitted information by June 2009.
[Evan] What? A year? This exposure is now public knowledge and will continue for a year?

Commentary:
Due to the fact that I was a little more critical in my comments above, I should express that these are my opinions and beliefs based on my experiences and knowledge. Take the comments for what they are worth.

There seems like there is a lot of work that needs to be done at the Colorado Department of Revenue and Division of Motor Vehicles. The work must start at the top. Somebody needs to step up and fill the role as the "person responsible for security".

Past Breaches:
State of Colorado:
April, 2008 - CollegeInvest external hard drive goes missing

Vengeance

Thu, 29 May 2008 09:07:04 +0000

Jared Diamond on vengeance and human nature:

This question of state government's recent origins, and, conversely, of its long failure to originate throughout most of human history, is a fundamental concern for social scientists. Until fifty-five hundred years ago, there were no state governments anywhere in the world. Even as late as 1492, all of North America, sub-Saharan Africa, Australia, New Guinea, and the Pacific islands, and most of Central and South America didn't have states and instead operated under simpler forms of societal organization (chiefdoms, tribes, and bands). Today, though, the whole world map is divided into states. Of course, most of that extension of state government has involved existing states from elsewhere imposing their government on stateless societies, as happened in New Guinea. But the first state in world history, at least, must have arisen de novo, and we now know that states arose independently in many parts of the world. How did it happen?
[...]

...anthropologists, historians, and archeologists tell us that state governments have arisen independently under one of two sets of circumstances. Sometimes external pressure from an encroaching state has placed a people under such duress that it ceded individual rights to a government of its own that would be capable of offering effective resistance. For instance, about two centuries ago, the formerly separate Cherokee chiefdoms gradually formed a unified Cherokee government in a desperate attempt to resist pressure from whites. More frequently, chronic competition among warring non-state entities has ended when one gained a military advantage over the others by developing proto-state institutions: one example is the formation of the Zulu state by a particularly talented chief named Dingiswayo, in the early nineteenth century, out of an assortment of chiefdoms fighting each other.

[...]

We regularly ignore the fact that the thirst for vengeance is among the strongest of human emotions. It ranks with love, anger, grief, and fear, about which we talk incessantly. Modern state societies permit and encourage us to express our love, anger, grief, and fear, but not our thirst for vengeance. We grow up being taught that such feelings are primitive, something to be ashamed of and to transcend.

There is no doubt that state acceptance of every individual's right to exact personal vengeance would make it impossible for us to coexist peacefully as fellow-citizens of the same state. Otherwise, we, too, would be living under the conditions of constant warfare prevailing in non-state societies like those of the New Guinea Highlands.

A new blog on the block

Fri, 16 May 2008 19:36:19 +0000

This one is not all security related, but is the ScienceLogic Blog. One of my favorite persons in the IT field Dave Link is the CEO and founder of ScienceLogic. Several other friends from Interliant including Louis Dimiglio (sorry if I messed up the spelling Lou!), Richard Chart and Chris Cordray are also part of the team. They have done a great job of creating a network management product and in a hyper-competitive industry carving out a place for themselves. I am running into them more and more at shows, conferences and in the field. Now they have joined the blogging ranks and it looks like there will be several contributers. They are all smart folks and I am sure will have good things to say, so be sure to check out the blog!

In one article responding to a post I did about where is the interoperational in interop, Dave says that he and the ScienceLogic team had a very different experience at Interop this year. Due to their participation in the InteropNet and ILabs project, ScienceLogic was very involved in making sure the network at Interop was up and running and showing off the many different products and vendors working together. Certainly the work of the many people at Interop Labs and Interop Net show how heterogeneous equipment and technology can work together, but where those labs and network used to be the center of the show, I am not so sure that is the case any more. Many folks walk by the NOC at Interop, peak inside at the folks at the stations, smile and move on. How many actually take the tour compared to how many walk the floor or sit in on presentations. I think in Dave's view it is a case of when you are a hammer, everything looks like a nail.

More importantly though Dave challenges me to answer his questions of what StillSecure has done to promote interoperability with other vendors that we can promote. Great question and it deserves an answer. So at the risk of giving StillSecure a shameless plug, let me give you the three foundations that we have built our products on that allow us to excel at interoperability:

1. Using open standard software and hardware - All StillSecure products run on off the shelf x86 hardware or in VMware virtual machines. Additionally, our products all run on top of the StillSecure OS which is a hardened and stripped version of Linux, but still provides that standard command line programs and interoperability that the Linux OS allows. Additionally, we use standard and open databases such as MySQL and PostgresSQL that are SQL and ODBC compliant. Additionally, we have open data base schema's. Also, we use Java webservers and similar types of open standard software that makes it easier for us to work with other products and for our customers to feel comfortable with what is under the hood.

2. Support of industry frameworks and standards - Whether it be TCG/TNC or NAP in the NAC world or CVE and FDCC in vulnerability management, we support industry wide standards and frameworks which allow products to work with each other. SNMP traps, SMTP email alerts are all standard in StillSecure products.

3. Enterprise Integration Frameworks- StillSecure products all ship with our enterprise integration frameworks. These are a complete set of fully documented and functional APIs in XML and Java that allow for the bi-directional exchange of data with many 3rd party products. This is perhaps our greatest means of interoperabitility and integration.

Dave, I hope that answered the question for you. Now that we know about the blog, we will be reading. Good Luck!

Personal information from two Colorado mortgage companies found in dumpsters

Wed, 07 May 2008 18:20:50 +0000

Technorati Tag: Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog. The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster. Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities. This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you? According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage. I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks. Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies? The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors. The money attracted people from all walks of life and a lot of poor decisions were made. Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

Health care practices and UCSF patient records exposed

Wed, 07 May 2008 12:10:17 +0000

Technorati Tag: Security Breach

Date Reported:
5/1/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.

Victims:
Patients

Number Affected:
6,313

Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"

Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release

Report Credit:
Elizabeth Fernandez, San Francisco Chronicle

Response:
From the online sources cited above:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.

Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

Sensitive information can be used by employers, health insurers and other entities to discriminate

thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum

"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.

Hospital officials say there's no indication of identity theft to date.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?

The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?

"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.

"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF continually modifies systems and practices to enhance the security of patient information.

Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.

From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.

There are no apologies made by UCSF or Target America for the breach.

Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach

Blackhat SEO Campaign at The Millennium Challenge Corporation

Tue, 06 May 2008 23:57:19 +0000

Among the very latest victims of a successful blackhat SEO campaign that has managed to inject and locally host 1,370 pharmaceutical pages, is the Millennium Challenge Corporation (mcc.gov) - a United States Government corporation designed to work with some of the poorest countries in the world.

The injected pages are loading remote images from what looks like a secondary compromised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. Compared to previous blackhat SEO campaigns that I've assessed in the past taking advantage of redirection only, the layout of the embedded pages in this one is sticking the remotely loading images at the top of the page, and placing the original at the bottom.

The campaign's main URl is ttv-bit.nl/rr/c.php where a redirector is forwarding to canadiandiscountsmeds.com, and these are some of the remotely loading images ttv-bit.nl/rr/s.JPG; ttv-bit.nl/rr/l.JPG; ttv-bit.nl/rr/c.JPG; ttv-bit.nl/rr/v.JPG

Moreover, as in the recent massive SEO poisoning attacks, the referrer is checked, and given that the campaign URL is dedicated to mcc.gov only, only mcc.gov referrers are directed to the spam pages. These blackhat SEO incidents targeting sites with high page ranks, are either the result of the automated process of searching for vulnerable such high page rank-ed sites, or direct abuse of purchased access to the already compromised hosts via web shells or web backdoors.

Related posts:
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Heroin vs. Terrorism

Thu, 01 May 2008 02:56:21 +0000

A nice essay on security trade-offs:

The mismatch between the resources devoted to fighting organised crime compared with those directed towards counter-terrorism is unnerving. Government says that there are millions of pounds in police budgets that should be devoted to dealing with organised crime. In truth, only a handful of British police forces know how to tackle it. The ridiculous Victorian patchwork of shire constabularies means that most are too small to tackle serious criminality that doesn't recognise country, never mind county, borders.
The Serious Organised Crime Agency (Soca) was launched two years ago as Britain's equivalent of the FBI, with the remit of taking on the Mr Bigs of international crime. But ministers have trimmed Soca's budget this year. Far from expanding to counter the ever-growing threat, the agency is shrinking and there is smouldering unhappiness in the ranks. Soca's budget for taking the fight to the cartels and syndicates is £400 million -- exactly the same amount that the Government intends to spend overseas in countries such as Pakistan on workshops and seminars to counter al-Qaeda's ideology.