[SecurityRatty] tag: sandy

Stolen Griffin Electric laptop exposes employee information

Fri, 11 Apr 2008 07:40:02 +0000

Technorati Tag: Security Breach

Date Reported:
3/21/08

Organization:
Wayne J. Griffin Electric Inc.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Unknown*

*The New Hampshire State Attorney General was notified of "approximately 55 New Hampshire residents"

Types of Data:
"employee names, social security numbers and dates of birth"

Breach Description:
"Please be advised that our company experienced a potential data breach that occurred when one of our Human Resources employees had their home broken into which involved a theft of personal items, along with a password protected company laptop computer and company health plan insurance invoices. The theft occurred over this past weekend."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

This letter is to notify you that an employee in our Human Resources Department had personal items stolen from her home over the weekend, along with a password protected Company laptop computer, and Company health plan insurance invoices.
[Evan] Yeah, don't forget to mention "password protected", even though it likely provides little to no value of protection.

The Worcester, MA city police department was alerted the same day as the theft and an investigation is underway.

The laptop contained the names of certain employees, their social security numbers, and dates of birth.
[Evan] This information should NOT be on a laptop (or other mobile device) without additional controls. Although no control is perfect, clearly encryption would be a control that could have significantly reduced the risk of exposure.

The health insurance paper invoices listed employee names and social security numbers, although those security numbers were identified as "sub. numbers" and not "social security numbers."
[Evan] Ugh. Why would this information ever be allowed outside of (what would be assumed as) a secured or controlled office environment. It would take a complete idiot to not identify a xxx-xx-xxxx pattern of numbers as a Social Security number, even if you call it something different. Even a xxxxxxxxx number on a health insurance invoice would be pretty easy to identify.

The invoices did not include any personal medical information, addresses or dates of birth.
[Evan] No need. A potential identity thief already has enough information with what was disclosed.

We take the possibility of identity theft very seriously and, therefore, are sending this precautionary advisory.

The purpose of this letter is to make you aware of this incident so that you can take steps to protect yourself, minimize the possibility of misuse of your information and mitigate any harm that could result.
[Evan] It is a shared responsibility of the data owner (victim) and the data custodian (company) to "take steps to protect". The data custodian did not "take steps to protect" in this breach by adequately securing personal information.

Based on what we know to date, we are not aware of any specific cases of misuse of personal information obtained in connection with the incident.

We apologize for this situation and any inconvenience it may cause you.

We treat all sensitive employee information in a confidential manner and try to be proactive in the careful handling of such information.
[Evan] I am interested to know what the company's definition of "confidential manner" is. I think it probably differs from the definitions of many information security professionals.

We continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.
[Evan] The word "continue" in my mind implies that this was done prior to the breach. Do you think that this was the case? It should be.

Due to the details of the above crime, we do not believe your information will be misused as a result of this incident.
[Evan] How is the conclusion drawn? Why would the thief take the health insurance invoices? Maybe the company doesn't think that identity theft and fraud are profitable for a thief, or maybe the company thinks that identity theft doesn't really happen.

However, as a precaution, we are finalizing arrangements to provide you with credit monitoring services (at the company's cost) should you wish to use such a protective measure.

Any employee who wishes to use such a service can call the Holliston, MA office at 1-800-421-0151 and talk with Sandy Crowe at Extension 5251 or Mark Danielson at Extension 5349 for assistance.

Again, we apologize for any inconvenience this incident may cause you or your family and we encourage you to take advantage of the resources we will provide to you to protect your personal information.

Commentary:
I am puzzled every time I read about people leaving confidential information at home, in a car, or in a public place on a mobile device such as a laptop without encryption (at a minimum). Ideally, we would all like confidential information to remain at the office, but sometimes this just isn't feasible for a business. Was the company never approached by anyone trying to sell them data encryption products? Did anyone at the company ever conduct any research into the risks involved? Did anyone at the company ever read one of the hundreds (or maybe thousands) of stories concerning stolen laptops with personal (or other confidential) information?

Nothing personal with Griffin, I am venting again.

Past Breaches:
Unknown

RSA 2008 Keynote: Craig Mundie

Wed, 09 Apr 2008 20:16:00 +0000

Yesterday was a busy day, so I get a bit behind with my updates on RSA, but I wanted to post about the Microsoft keynote, in addition to the others I attended.

Format was fireside chat, with Craig Mundie, Microsoft's Chief Research and Strategy Officer sitting and talking with Chris Leach, Chief Information Security Officer at Affiliated Computer Services. [fwiw, I personally don't love the fireside chat format. Give me videos, fancying graphics and lots of acrobats on the stage ...]

I knew generally what Craig was going to talk about, but I was very interested to hear Craig's perspective and see how he thought about and talked about the end-to-end Trust topic. In my opinion, this is one of the key topics that could help guide where Microsoft security efforts will go over the next 5 years, building on the past 5 years, and I am happy to see that leadership (Craig, Scott Charney) are approaching it as a dialog with industry and a recognition that it needs interoperability and industry support.

Two key topics stuck with me at the end of the keynote:

How security and privacy are very independent, supporting each other, while also having a tension between them.
Any technological efforts supporting End-to-end Trust will need to be very inclusive in order to work in heterogeneous environments. Past infrastructure efforts (e.g. PKI) have demonstrated that the level of work and investment required means that it is more likely to hit roadblocks if existing business processes are excluded.

After the keynote, with the excellent assistance of Eric Green, I was able to pin down several Microsoft partners and get their thoughts on these two areas. Listen to the attached mp3 to hear our discussions with these good folks:

Sandy Porter
Director, Strategy
Avoco Secure

Jeremiah Beckett
President
SecureVantage Technologies

Patrick McGregor, Ph.D.
CEO
BitArmor

Jon Callas
CTO & CSO
PGP Corporation

Conrad G. Bayer
Senior Vice President
IDA Strategy
Avalaris, Inc.

Edward J. Gaudet
Senior Vice President, Corporate Development and Marketing
Liquid Machines

I did get a couple of these folks on video as well, so once I get that edited and uploaded, I'll update with links to those.

Additional information that is available on End to End Trust:

Best regards from RSA ~ Jeff

Stolen Salt Lake Community College laptop

Thu, 28 Feb 2008 12:12:17 +0000

Technorati Tag: Security Breach

Date Reported:
2/26/08

Organization:
Salt Lake Community College ("SLCC")

Contractor/Consultant/Branch:
None

Victims:
Students, faculty and staff

Number Affected:
unsure, maybe 1,000*

*Although the school claims "we called more than 25,000 people"

Types of Data:
Names, addresses, dates of birth, Social Security numbers and bank account numbers.

Breach Description:
A laptop belonging to the Salt Lake Community College is missing and presumably stolen. The laptop may have contained sensitive authentication information that could in turn be used to access resources containing personal information belonging to students, faculty and staff of the school.

Reference URL:
The Salt Lake Tribune online news story

Report Credit:
Roxana Orellana, The Salt Lake Tribune

Response:
From the online source cited above:

SLCC acknowledged a laptop had been stolen, but spokesman Joy Tlou said the school is still unsure whether the laptop taken from the Continuing Community Education of SLCC's Miller campus in Sandy contained internal log-in information for about 1,000 students, faculty and staff.
[Evan] What is "log-in information"? Is Joy Tlou talking about usernames, passwords, or both? Let's assume that it's both. If so, then this is very poor information security practice. There is NO need for anyone to know personal passwords except for the person that it belongs to. A personal password is confidential information that should not be disclosed to anyone. It proves to the system that you are who you proclaim yourself to be (called authentication). No assurance of password confidentiality = no proof that a person (or entity) is who they proclaim to be.

"We know which computer it was and we are trying to ascertain what information was on that computer," Tlou said.

Within a matter of hours of the computer's disappearance, the school began to contact all subscribers to the SLCC Web site through telephone calls, e-mails and a notice on the site.

"By the end of the next day, we called more than 25,000 people," he said.
[Evan] Due to poor information management the school does not know which 1,000 of the 25,000 people were victims, thus they have to call all 25,000?

With a user name and password, an intruder could gain access to a student's "My Page" account, which contains a Social Security number and financial aid information, among other information, students said.
[Evan] Social Security numbers stored in a database accessible through an intranet page with passwords stored in clear-text on a laptop. Sound like a bum deal? I can only venture to guess what controls and processes surround database access.

Tlou said even if log-in information were on the laptop, it "may or may not have been accessible because of the security measures that were already placed on that machine."
[Evan] Like?

"We have done everything we possibly can to make sure everyone is physically safe and that their information is safe," Tlou said. "I can't stress enough that is our No. 1 priority."
[Evan] No, no, no. Everything possible entails much, much more.

He added that the security concern prompted SLCC to accelerate a planned policy change that will require all college personnel to change passwords every 90 days.
[Evan] Regular password changes (if you use them) offers a limited amount of risk mitigation with regards to what caused this breach. The problem is much bigger.

Victim Response:
"I'm upset that they're not telling me everything that happened," Marty Greenlief, SLCC student

Student Dan Behunin said that although SLCC officials tried to assuage his concerns, he's still worried someone may have access to information on his student account. "That information is crucial," Behunin said. "That could ruin you."

Commentary:
I am glad that I do not have any of my personal information under the custodianship of SLCC. Organizations that collect and store confidential information need to design appropriate controls around the security of such information. Judging from the (very) limited information I have about SLCC's information security practices, they have much room for improvement and much work to do.

By the way, did anyone mention encryption?

Past Breaches:
Unknown

BEP is BEP, CEP is CEP

Thu, 24 Jan 2008 11:38:58 +0000

Joe McKendrick, in Taking the ‘complex’ out of complex event processing, makes a case for renaming CEP, BEP.

Joe references IBM’s Sandy Carter, as I did in my post earlier today, IBM Says Business Event Processing is Not CEP.

Joe wants to change the world “complex” to “business” in CEP because he believes the word “complex” is not good for marketing.

The problem with Joe’s approach, as I see it, is that CEP is different than BEP. However, I remain open-minded on the topic.

There is quite a difference in event-driven orchestration-oriented processing, BEP. and situation detection-oriented event processing, CEP.

BEP is, for the most part, about orchestrating event-driven business processes.

CEP is about detecting opportunities and threats (situations) in real-time.

It is not clear to me that simply renaming BEP CEP touches the core technical and business differences.

IBM Says Business Event Processing is Not CEP

Thu, 24 Jan 2008 10:54:31 +0000

Sandy Carter, IBM’s vice president of SOA and WebSphere strategies, said something in IBM Buys AptSoft To Boost BPM-SOA Line I completely agree with, relative to most of the technologies folks are calling “CEP” these days:

“In the marketplace today, everybody talks about complex event processing,” Carter said. “We actually are trying to rename that category, because we believe the real value is in business event processing, with a focus on the business.”

For example, none of the current CEP vendors are doing “complex event processing” as many of us have said, repeatedly.

TIBCO and AptSoft, for example, are examples of companies that are really implementing, business event processing. You can easily confirm this in TIBCO’s press release, TIBCO BusinessEvents 2.2 now shipping…, where Paul Vincent blogs:

The main change with this [TIBCO BusinessEvents 2.2] release is the inclusion of new deployment options:

+ deploy BusinessEvents within a BusinessWorks container: great for using BusinessEvents as a decision engine for SOA integration processes, choreography, transaction flow monitoring, etc, or for using BusinessWorks as a ruleflow tool.

+ deploy BusinessEvents as a BusinessWorks container: great for exploiting SOA orchestration and services under the control of CEP, such as invoking complex adapters.

This is absolutely, “business event processing” just as IBM’s Sandy Carter stated, correctly in my opinion, not CEP.

The same is true for event stream processing (ESP). ESP technology from companies like Apama, Coral8 and StreamBase, is much more closely aligned with the “business event processing” than anything that is truly CEP.

Sandy Porter Director, Strategy Avoco Secure
Jeremiah Beckett President SecureVantage Technologies
Patrick McGregor, Ph.D. CEO BitArmor
Jon Callas CTO & CSO PGP Corporation
Conrad G. Bayer Senior Vice President IDA Strategy Avalaris, Inc.
Edward J. Gaudet Senior Vice President, Corporate Development and Marketing Liquid Machines