1. The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
2. Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
3. Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
4. United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
5. Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

• United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
• Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
• Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
• Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

Well here’s a story where the tradeoff for speed and efficiency caused a massive stock dump erroneously.

Apparently, many traders use automation software that trolls the Web for news stories and then, depending on what it finds, executes stock trades automatically. It was United Airline’s bad luck that an old article about its 2002 bankruptcy-court filing showed up on Google’s news service and somehow made it to the list of most popular stories. In one of a series of mistakes here, the story had no date on it – which means Google’s algorithm for assessing popularity didn’t have a way to exclude it as an “old” story – OR (because there are conflicting accounts) the South Florida Sun-Sentinel actually put “today’s” date on the page that the story appeared on. This got picked up by the Income Security Advisors newsletter and sent over to Bloomberg News as a one-line brief. Plus there’s the inevitable conspiracy theory that people manipulated the web traffic for this story to adversely affect UAL. Regardless, on Monday afternoon, the stock plunged 76% in less than a day.

But the real problem here is the growing use of automated programs to trigger stock trades without any human interaction – instead based on news headlines and earnings data. According to the Wall Street Journal, these automated programs were responsible for a very surprising 25% of NYSE trades in the last week of August.

I’m sure we’ll hear more as the lawyers are now involved trying to figure out who should get the blame.

WAFs generally struggle in a few different areas, the people running them are not web app. security experts and trying to apply a default deny policy, while a great idea in theory, is pretty hard in the real world . There is just way to much movement in most applications to pin it down. Even if the app does not change frequently, WAF admins are very hesitant to even come close to blocking legitimate traffic. What really sold me though is when I saw it in action for the first time. From the Sentinel UI we clicked a button that updated the F5 with a rule to block a vulnerability. The rule is automatically generated based on the vulnerability. We then clicked the retest button and the vulnerability was no longer exploitable . Note my careful choice of words, exploitable VS. “not there anymore”. The vulnerability certainly still exist in the code but now that the attack is blocked the business can decide if this is a good enough solution or they need to go fix the actual flaw.

The geek in me is screaming that it still needs to be fixed, the business side is saying that the rule is good enough and I am not going to commit resources to fixing it until that code is worked on again. From the PCI Section 6.6 perspective this gives the business some great options. As our customers are becoming aware of the PCI requirements and the PCI auditors are becoming tougher on web application vulnerabilities we run into a difficult situation. PCI audit is coming up and the app. is riddled with vulnerabilities.  I now have to dedicate precious development resources to fix these vulnerabilities ASAP. With this solution I can apply this rules and effectively mitigate the issue.

I am pretty excited to be part of this. I think we have moved the industry forward today, even if it was just a small step. People now have some more options to mitigate risk besides running to the development team with yet another fire.

Post from: Grumpy Security Guy

The Big Announcement

Date Reported:
2/13/08

Organization:
Tenet Healthcare Corporation

Contractor/Consultant/Branch:
None

Victims:
Patients*

*Tenet Healthcare Corp. owns 54 hospitals in a dozen states, including Hilton Head Regional Medical Center and Coastal Carolina Medical Center.

Number Affected:
37,000

Types of Data:
Social Security numbers and other personal information.

Breach Description:
A former employee working in the Tenet Healthcare Corporation billing center in Frisco, Texas has been convicted of identity theft.  Terrence Brooks worked for the company for less than two years and stole names, Social Security numbers and other personal information belonging to at least 90 patients, but also had access to 37,000.

Reference URL:
The Beaufort Gazette online story
The Sun-Sentinel online story

Report Credit:
Daniel Brownstein, The Beaufort Gazette

Response:
From the online sources cited above:

A former employee of a locally connected national hospital chain who was convicted of identity theft had access to the personal information of about 37,000 patients, according to a company spokesman.

Terrance Brooks, 30, of Fort Worth, was arrested Nov. 25 when he tried to open a Costco credit card using a state ID with fraudulent information, police said.

The company mailed letters last week announcing the security breach to anyone who could have been affected, said spokesman Steven Campanini.

Tenet also informed victims how to set up free fraud alerts at the nation's three major credit bureaus.

"There's an annoyance factor and we apologize for that," Campanini said. "We recognize consumer privacy is very important and take it very seriously."
[Evan] I am not personally a victim, but I am pretty sure that this surpasses "an annoyance factor" for some people.

The ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients, Campanini said. The company has paid to monitor the credit reports of those victims.

Terrence Brooks, 30, had access to 37,000 other accounts

He pleaded guilty last month to five counts of fraudulent use and possession of identification information and was sentenced to nine months in prison.
[Evan] Only nine months in prison.  In 2006, the average time it took victims to recover from identity theft was 607 hours.

He had passed a background check to get the Tenet job. Brooks was immediately fired when the company learned of his arrest.

"What's challenging in this situation is there was an employee intent on committing fraud," Campanini said. "No company can prevent that, but we can have practices in place to immediately address it when it does occur, and that's what we did."
[Evan] I agree that preventing employee fraud is challenging, but reducing risk is very impossible.  There are several things that companies can do to reduce the risk significantly (segregation of duties, job rotation, cross-training, etc.).  Access to Social Security numbers should require an additional level of clearance and this clearance should be closely scrutinized.  The normal "run of the mill" billing work does not require Social Security number access.

"I'm more concerned with what could happen than what has happened," Ashley Latzer a person that received one of the Tenet notification letters.
[Evan] More than an "annoyance"?

Tenet patients concerned about the security of their personal information may call a company hotline at 1-800-553-6101 between 8 a.m. and 6 p.m. weekdays.

Commentary:
I am concerned with how many people in companies have unnecessary access to confidential information.  One of the first steps in reduding risk of employee fraud is to limit access to confidential information to only when it is absolutely required.  The resolution of most customer service, help desk, and billing calls don't require Social Security numbers, credit card numbers (including CVV2), and other sensitive information. 

I don't know enough about how Tenet manages its data and billing center, but I am sure that creative information security solutions could reduce the risk of this happening again.

Past Breaches:
Unknown