[SecurityRatty] tag: reconstruct

Laptop stolen from the home of a BearingPoint employee

Thu, 19 Jun 2008 11:38:38 +0000

Technorati Tag: Security Breach

Date Reported:
6/5/08

Organization:
BearingPoint, Inc.

Contractor/Consultant/Branch:
None

Victims:
Independent BearingPoint contractors

Number Affected:
Unknown

Types of Data:
"first and last name and Social Security Number"

Breach Description:
On May 14, 2008 a BearingPoint company-issued laptop was stolen from the residence of an employee. The laptop contained sensitive personal information belonging to a number of BearingPoint independent contractors.

Reference URL:
The Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

BearingPoint recognizes the importance of safeguarding the personal information it handles in the course of conducting business.
[Evan] As demonstrated on their web site. The number "8" followed by "The number of years in a row that identity theft has been the #1 internet crime"

To that end, we have implemented safeguards for the information.
[Evan] OK, I am following so far.

Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.
[Evan] Well, I think "rigorous safeguards" needs to be quantified somewhat. What are "rigorous safeguards" and how do they apply to this breach?

The Company was recently victimized by such conduct and we are writing to inform you that this criminal conduct might have a direct impact on you.
[Evan] Uh oh, here it comes. Not only was "The Company" recently victimized, but just as importantly, the owners of the personal information were victimized as well.

On May 14, 2008, the residence of one of our employees was burglarized and the company-issued laptop computer was taken amongst other personal property.

The employee promptly reported the theft to the Atlanta Police Department, which is investigating the break in.

The investigation into the burglary is on-going and BearingPoint is cooperating fully.

BearingPoint worked diligently to reconstruct the information stored on the stolen laptop.

BearingPoint has been able to determine that the computer contains the name and social security number of independent contractors.
[Evan] Recognizing the importance of safeguarding personal information, is storing personal information on a laptop (presumably without encryption due to the fact that there is no mention of it) a prudent practice?

The stolen laptop did not contain credit or debit card numbers, or financial account numbers.
[Evan] So a criminal would have to open his/her own accounts using the other information that WAS on the laptop.

We have no reason to believe that the information stored on the stolen laptop was the target of the burglary or that the information has been misused.

The personal information on the laptop can be accessed only with two passwords and two forms of authentication.
[Evan] The "passwords" are the authentication. I am guessing that BearingPoint meant two forms of identification (probably usernames). Again, I am guessing that one of the username/passwords is for the operating system itself which takes less than 10 minutes to bypass in most instances and I am guessing that the other username/password combination is file access for which there are known workarounds in many common applications (Word, Excel, PowerPoint, etc.). Either way, I think that this excerpt is meant to minimize the situation with a strong bias towards saving face.

In addition, the personal information was not stored in a single file or spreadsheet but dispersed among numerous files.
[Evan] Information security personnel know better than to argue the security through obscurity defense.

To date, we have received no report indicating that the information stored on the laptops has been accessed or misused.
[Evan] I think "laptops" in the breach notification is a typo

BearingPoint recognizes this development, and any related inconvenience, might be upsetting.

We regret this incident has occurred and we apologize for any inconvenience it may cause you.

As a result of this incident, we have taken immediate steps to review our current policies and procedures to further enhance security for personal data we handle and to reduce the risk of recurrence.
[Evan] Restrict ability to store confidential information on mobile devices? Encryption? Two-factor authentication?

To lessen the potential inconvenience to you and reduce the risk that you might be subjected to attempts to steal your identity, we have engaged ConsumerInfo.com Inc., and Experian company, to provide you with one year of credit monitoring, at no cost to you.

Please contact BPt-FMGOICPrivacy@bearingpoint.com should you have additional questions regarding the cirumstance of the incident.

BearingPoint currently anticipates notifying affected individuals on or before June 6, 2008, of this incident.

Commentary:
Marketing on the BearingPoint web site boasts "BearingPoint has demonstrated some of the biggest advancements in risk consulting services among the large number of providers in this market" - Forrester Wave: Risk Consulting Services, Q2, June 2007 Report.

It is disappointing to read about a well-respected company losing control of confidential information, but what makes this worse is the fact that it happened through the actions of a leading information security and risk consulting company. It is important to point out that one incident DOES NOT define a company.

No encryption or mention of it as a matter of policy, and the attempts to minimize the possible impact by mentioning ineffective controls (passwords and obscurity) is troubling.

Past Breaches:
Unknown

University of Florida student information online for years

Thu, 12 Jun 2008 06:41:30 +0000

Technorati Tag: Security Breach

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been". The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low". As I understand, the server was publicly accessible, presumably via the internet. If so, was the site indexed by search engines like Google, Yahoo, and Microsoft? It is much easier to find information through a search index because folder structure is much less relevant. The fact that this information was available for 3-5 years adds to the risk too. I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation. Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations). Information security personnel (or admins) should be empowered to reconstruct events.

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately. Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well
[Evan] I have so many questions and arguments. Were the students aware of the risks? If not, then there is probably an information security training and awareness problem. Why was it necessary to include Social Security numbers in the records? Why were the seemingly untrained students allowed to post the information without being stopped or detected? I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised". If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised".

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years. Bad all around.

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online

Computers stolen from J. Lohr Vineyards & Wines

Fri, 22 Feb 2008 09:06:49 +0000

Technorati Tag: Security Breach

Date Reported:
2/13/08

Organization:
J. Lohr Vineyards & Wines ("J. Lohr")

Contractor/Consultant/Branch:
None

Victims:
Current and former employees

Number Affected:
Unknown

Types of Data:
Names, addresses, Social Security numbers, and dates of birth

Breach Description:
Two computers were stolen from the office of J. Lohr Vineyards & Wines in San Jose, California. One of the computers contained sensitive personal information belonging to current and former employees who were/are participants in the company employee stock ownership program (ESOP).

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

On December 19, 2007, a thief broke into a locked office at the Company's headquarters and stole two computers.

We immediately reported the theft to the San Jose Police Department. The police are investigating the theft, and we are cooperating fully in the investigation.
[Evan] This may or may not always be a good idea. Understand the implications of contacting law enforcement before deciding to do so (with information security breaches). It is always a good idea to consult with your legal counsel when creating your incident response procedures to determine the best time to contact law enforcement.

We have worked to reconstruct the information stored on the stolen computers. We have determined that one of the computers contained information about participants in our Company ESOP, including the names, addresses, Social Security Numbers (SSN) and dates of birth of current and former J. Lohr employees, including yours.

J. Lohr Vineyards and Wines ("J. Lohr") recognizes the importance of safeguarding its personnel information.

Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.
[Evan] I agree that it is not possible to protect against all criminal conduct, but it was certainly possible to protect against this.

At this point, we have no reason to believe that the theft was directed at the information stored on this computer.
[Evan] There is no reason to believe that the theft was NOT directed at the information either.

We also have received no reports to date, indicating that the information stored on this computer has been misused.

We are in the process of evaluating steps that can be taken to make a recurrence of this incident less likely.
[Evan] There are always steps that can be taken to reduce risk.

J. Lohr recognizes that the theft of your personal information, and any related inconvenience, might be upsetting. We regret that this incident has occurred, and we apologize for any inconvenience it may cause you.

To lessen the potential inconvenience to you and to reduce the risk that you might be victimized by identity theft, we have arranged for one year of free credit monitoring

You have ninety (90) days from the date of this letter to activate this membership.

Commentary:
According to the breach notification, there was only one person affected who resides in the state of New Hampshire, but this is not a good indication of how many current and former employees may be affected. J. Lohr is a California company.

There is no mention as to whether or not this information was encrypted, so I am assuming that it was not. There could be many information security improvement suggestions that come out of this breach. There are thousands of companies that think they are doing the right thing with their information security dollars, but miss the mark.

Past Breaches:
Unknown

J.C. Penney customers affected by lost GE Money backup tape

Fri, 18 Jan 2008 07:24:59 +0000

Technorati Tag: Security Breach

Date Reported:
1/18/08*

*Update to " GE Money and Iron Mountain unable to locate tape"

Organization:
J.C. Penney

Contractor/Consultant/Branch:
GE Money
Iron Mountain

Victims:
J.C. Penney customers and the customers of "up to 100 other retailers" which include "many of the large retail organizations"

Number Affected:
650,000

Types of Data:
Names, addresses, account numbers, Social Security numbers, and other information

Breach Description:
GE Money and it's backup storage vendor, Iron Mountain are unable to locate a backup tape. The unencrypted tape contained sensitive personal information belonging to GE Money, J.C. Penney, and up to 100 other retail store customers. The tape was lost in October, 2007.

Reference URL:
Associated Press Story
State of New Hampshire Breach notification dated December 28, 2007
Original Breach Blog Report

Report Credit:
The Associated Press

Response:
From the online sources cited above:

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.

GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either

This unencrypted tape, which was being retained at a secure, offsite storage facility, included your name, address, and Social Security number, as well as your [CLIENT1] credit card account number

It was checked into their secure facility and never checked out, and a search of their premises and ours has been unable to locate it.

there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved

Iron Mountain spokesman Dan O'Neill said it would take specialized skills for someone to glean the personal data from the tape.
[Evan] It also takes specialized skills to walk upright on two feet. If the information on the tape is not encrypted, accessing it is a trivial task.

the company regretted losing the tape, "but because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes."
[Evan] Mr. O'Neill makes a valid point. Iron Mountain handles millions of tapes. According to their web site, they handle data storage (and protection) for over 90,000 organizations in 26 countries. Eventually a tape will go missing. I don't place much blame on Iron Mountain as I do on GE Money.

declined to identify the other retailers whose customers' information is missing but said "it includes many of the large retail organizations."

It took GE Money two months to reconstruct the missing tape and identify the people whose information was lost.
[Evan] Two months is a long time, but I suppose you want to be sure you get it right.

Since December, the company has been notifying consumers in batches of several thousand and telling them to phone a call center set up to deal with the breach. The notification is expected to be completed next week.

Penney's card holder Elizabeth Rich of Everett, Wash., got one of the GE Money letters saying her name, address and account number may have been compromised. She was told her Social Security number was not on the tape.

The letter, signed by GE Money President Brent P. Wallace, read in part, "We have no reason to believe that anyone has accessed or misused your information. The pieces of information on the tape would not be enough to open new accounts in your name, and we have implemented internal monitoring to protect your account number from misuse due to this incident."
[Evan] The "would not be enough to open new accounts in your name" part is because Elizabeth Rich was one of the fortunate persons that did not have her Social Security number on the tape.

Wallace said in the letter that Penney "was in no way responsible for this incident."
[Evan] I respectfully disagree with this statement. J.C. Penney collected the information from the owner. This puts J.C. Penney into a "data custodian" role. As a data custodian, they have the duty to ensure that the data is protected throughout its lifecycle. J.C. Penney needs to ensure that their partners and vendors adequately secure information.

The Penney name didn't appear on the envelope Rich received, and she thought it was a credit solicitation when she saw the GE Money return address.

"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said. "Not everybody opens junk mail."
[Evan] Do you suppose this was on purpose? Who knows.

Rich said she canceled her Penney card immediately.
[Evan] This is an EXCELLENT suggestion for all affected customers. Cancelling your card does three things (at least), it protects from credit card fraud (on this card anyway), sends a message to J.C. Penney that they should do more to monitor partners' and vendors' business and security practices, and sends a message to GE Money that they must encrypt confidential data at rest (potentially among other things).

Commentary:
We originally reported this breach on the Breach Blog a few weeks ago based on information we gleaned from the New Hampshire State Attorney General. This new information helps to clarify some of the missing information. I am sure there will be more to come.

As I stated earlier in my comments, I don't fault Iron Mountain much for their role in this breach granted they lost the tape. I would expect a certain amount of loss given the nature of their business, the number of tapes they handle, and the fact that people make mistakes. I don't know what kind of excuse GE Money has for not encrypting confidential data at rest. This is a well-known best practice that is preached by most good information security personnel. The fact that the breach notifications sent to customers are not clearly marked as such (according to Elizabeth Rich) only adds insult to injury.

Contrary to what J.C. Penney may think and what GE Money has stated, J.C. Penney does have responsibility in this breach. To state that J.C. Penney "was in no way responsible for this incident" is false. They have the responsibility to ensure that the information given to them from the owner is handled appropriately. Do they audit their partners' information security practices? Did they know or care that sensitive information belonging to their customers on backup tapes was not encrypted?

Past Breaches:
October, 2007 - Iron Mountain driver does not follow company procedures

Hackers get busted

Fri, 30 Nov 2007 08:08:26 +0000

There is an article on BBC News about how yet another hacker running a botnet got busted. When I read the sentence “…he is said to be very bright and very skilled …”, I started thinking. How did they find him? He clearly must have made some serious mistakes, what sort of mistakes? How can isolation influence someone’s behaviour, what is the importance of external opinions on objectivity?

When we write a paper, we very much appreciate when someone is willing to read it, and give back some feedback. It allows to identify loopholes in thinking, flaws in descriptions, and so forth. The feedback does not necessarily have to imply large changes in the text, but it very often clarifies it and makes it much more readable.

Hackers do use various tools – either publicly available, or made by the hacker themself. There may be errors in the tools, but they will be probably fixed very quickly, especially if they are popular. Hackers often allow others to use the tools – if it is for testing or fame. But hacking for profit is a quite creative job, and there is plenty left for actions that cannot be automated.

So what is the danger of these manual tasks? Is it the case that hackers write down descriptions of all the procedures with checklists and stick to them, or do they do the stuff intuitively and become careless after a few months or years? Clearly, the first option is how intelligence agencies would deal with the problem, because they know that human is the weakest link. But what about hackers? “…very bright and very skilled…”, but isolated from the rest of the world?

So I keep thinking, is it worth trying to reconstruct “operational procedures” for running a botnet, analyse them, identify the mistakes most likely to happen, and use such knowledge against the “cyber-crime groups”?

Awareness in Installing Some Types of Software

Wed, 01 Aug 2007 15:14:00 +0000

Awareness in Installing Some Types of Software

Generally considered as some kind of potentially unwanted programs (PUP) by the Internet Security Company (McAFee,) adware and spyware could pause as a menace to original computer owners, web developers, and IT of certain corporations. Advertisements (adware) already included and mainstay of the program could present a threat or traffic nuisance for reason of its vulnerability to information disseminations, causing notorious cases of "identity theft," that'd been threatening risk on the loss of personal properties, finances, bank's credibility, financiers, and other financial institutions over the globe.

In the United States alone there is a rampant of identity theft to personal properties thru the process of transfer of ownership to a wrong person because of stolen Credit Card numbers, passwords, and other personal identifications robbed thru the internet in forms of spywares that camouflaged use-legalities that are merely ignored by users and computer owners.

Adware and Spyware software present a totally different usage in program inclusions, and for the user. While adware is a legal part of the computer's administrative settings, spyware is ironically a deceptive method, that'll not directly pause as illegal for it may be included in some software that fronts acceptance. By the time it reaches the user's end it reacts like semblance of some kinds of virus or worms; at times just ignored not to be serious and obvious, but with motives, to invade the accessibility and manipulations of some confidential information from the computer, to be transmitted to other end users who may just wait for any advantage taken from this kind of traffic interference.

When the adware database link discovers the effects of detailed interference on some confidential records, those that need financial consideration of return-payments in nature, and wherein, exclusive website agenda had already been diverted to the other end without having to pay from the mother source, it'd be too late to reconstruct to normal settings. It is expensive to replenish and change to untarnished software. At times immune anti-virus is also out there, but anywhere it goes about entails some extra expense on part of the developer.

Spyware is software that support adware usage by PC espionage on different activities in a computer such as e-mail or chat logging, but could easily cause to detour web traffic that's detrimental to e-commerce if abused or used without consent; therefore, by no means the deceiving technology in adverse adware usability.

A number of adware companies seem to feel bias about PC surveillance (spyware) for reason that, although, they had already disclosed specific data collections and transmissions on account of privacy security from their database link, it can't totally control the chances of any outgoing data, where, and to whom it might be sent. Spyware technology has the capability to send not just the banner data from the mother PC, but could channel it to other interested parties that could even install-in to a new program.

The spyware technology is by far infused into the database without the owner's awareness or consent, however, they come in as "drive-by downloads" or the user goes to click in options in "pop-up" windows, and immediately detoured to some other programs, either pornographic, or anything else without essence.

The adverse effect of adware is the fact that when it is installed in the computer and the user consents to include tracking features, it automatically becomes a "spyware" when used by another user who interacts with the "adware" outside any database link.