[SecurityRatty] tag: ugh

In the News: The Feds Want Your Laptop, Free Network-Security Toolkit

Wed, 13 Aug 2008 08:53:49 +0000

Say What?"We were fine until the LLX ported to the BMT, which frammised the UGH." Huh? What? Arcane acronyms seem to be multiplying like rabbits, so how is an IT guy supposed to keep up?...

Backup tape is stolen from Bristol-Myers Squibb

Fri, 18 Jul 2008 07:26:26 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
Bristol-Myers Squibb Co. ("BMS")

Contractor/Consultant/Branch:
Unknown

Victims:
Current and former employees and some dependants

Number Affected:
Unknown*

*Bristol-Myers Squibb had "about 42,000 employees as of Dec. 31, the last date for which work force figures were available in regulatory filings.", Source: CNN Money

Types of Data:
"name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances bank account information"

Breach Description:
"On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage. Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees"

Reference URL:
Pharmalot (copy of notification letter)
Pharmalot
CNNMoney

Report Credit:
Ed Silverman, Pharmalot

Response:
From the online sources cited above:

The drugmaker sent letters over the past week saying a data tape containing reams of personal information was stolen several weeks ago

On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage.
[Evan] This statement prompted me to list the contractor as "unknown" instead of "none". I presume that the data tape was being transported by a third-party vendor when it was stolen. I am looking for more information on this.

Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees, such as name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances, bank account information.
[Evan] Ugh, this looks like very sensitive HR and benefits data.

The names, addresses, and Social Security numbers of some employee dependents also were included on the tape.

an untold number of current and former employees - and their dependents - could be affected

BMS has initiated an investigation of this incident.

To date, BMS has no reason to believe that any of your personal information has been inappropriately accessed from the data tape by an unauthorized party, or that any identity theft, fraud or misuse of your personal information has occurred.
[Evan] I agree with most of this statement except for the "misuse" part. There may be no evidence of misuse post stolen tape, but there may be an argument for misuse by BMS themselves. BMS is the data custodian in this scenario, not the data owner. If a data custodian does not care for the owner's information in a manner that is expected or communicated, does it constitute misuse?

In addition, there is no evidence that the data tape or the information contained on it was the target of the theft.
[Evan] I am interested in knowing more about who was transporting the tape and whether or not other items were taken.

As a precaution, to help you detect any possible misuse of your data, BMS has arranged for you to enroll in credit monitoring for one full year, at no cost to you.
[Evan] There is that "misuse" mention again. One year of free credit monitoring does nothing to protect a victim against fraud that occurs after one year, supposing the victim does not renew at his/her own expense. I wonder how many people renew on average.

If you have any questions, you may call the dedicated Privacy Help Line at 1-877-214-0689. Our representatives will be available to assist you Monday through Friday, between 8 a.m. and 5 p.m. ET.

the drugmaker is issuing this statement: "Bristol-Myers Squibb regrets that this incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape. We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."

Protecting the privacy and security of your information is extremely important to us.

In this regard, BMS wishes to reiterate that it does not have any evidence indicating that your personal information has been misused.
[Evan] Another "misuse" mention.

the company is taking appropriate remedial steps, including enhancing security protocols regarding the handling of personal information and our back-up data tapes.
[Evan] Like what? Encryption maybe?

On behalf of BMS, I apologize for any inconvenience or concern that this matter may cause for you.

Commentary:
I couldn't find any mention about encryption or whether or not police were called. You would think that a large, well-repected company like Bristol-Myers Squibb encrypts confidential data on tape, right?

Past Breaches:
Unknown

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

Florida's Agency for Health Care Administration reports a breach

Wed, 09 Jul 2008 07:15:38 +0000

Technorati Tag: Security Breach

Date Reported:
7/7/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Health Care Administration

Victims:
registered organ donors

Number Affected:
"about 55,000"

Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."

Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel

Report Credit:
Sarasota Herald-Tribune

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

"We stopped all access to the database, identified the flaws and corrected them."
[Evan] This breach makes me wonder a couple of things. Is information security testing part of the development lifecycle and change control? I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.

The database includes donors' names, addresses, birth dates and driver license numbers.

The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose? A Code flaw, an administrative/process flaw, a configuration flaw?

AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging? Logging of the systems, processes, and people accessing confidential information is a must. Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).

The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean? It could mean that a flaw was detected on June 20, but could have been in existence for longer. It could mean that a vulnerability was actually exploited on June 20. I guess it really depends on your definition. I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.

"If you have not received a letter our logs note that your information was not affected by this security flaw."

A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call 866 757 0677. This number is open Monday through Friday from 8AM to 7PM Eastern.

Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".

Commentary:
Ugh! I am left with too many questions about this breach. On the surface, this breach doesn't look all that significant unless of course, you are a victim. When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA. With less detail, it is easier to imagine.

Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops

Australian medical information found in abandoned amusement park

Sat, 28 Jun 2008 09:10:55 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
New South Wales Government (AU)

Contractor/Consultant/Branch:
Sydney West Area Health Service
Unnamed "bankrupt contractor"

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"confidential medical records"

Breach Description:
"The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park."

Reference URL:
ABC News
Macquarie National News
Macquarie National News (2)

Report Credit:
ABC NEws

Response:
From the online sources cited above:

The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park.
[Evan] This is a first. An abandoned amusement park? I would be embarrassed too!

Pathology results and slides were found when a container dumped in the former Magic Kingdom park at Lansvale was set alight this week.

The container was discovered after it caught on fire yesterday, attracting the attention of the local fire department.

A bankrupt contractor is being blamed for dumping confidential medical records and contaminated waste in the grounds of an abandoned fun park.
[Evan] Confidential medical records AND contaminated waste? Ugh.

Police said it was likely the container had been there for a decade.
[Evan] A decade? This story keeps getting more bizarre.

The Health Department is reviewing waste disposal procedures following the discovery at Lansvale in Sydney's south west.
[Evan] I presume that the waste disposal procedures have probably changed over the past ten years. The Health Department should be reviewing procedures on a regular basis anyway.

The health service's chief executive, Professor Steven Boyages, says it is a serious breach and the health service is reviewing its waste disposal procedures.

"There are clear policy and procedures in place to manage records and disposal of records and clear policies in place to manage and dispose of any clinical waste," he said.

"It appears at first glance that the policy and procedures weren't followed by the contractors who were engaged to do this."

“It is a huge concern, I’ve called for an immediate review to ensure our existing contractors are following standard policy and procedures so this doesn't happen again," he said

Shadow health minister Jillian Skinner said the state government also has some explaining to do.

"Why if it was know this company had gone bankrupt and wasn't carrying out its duties they didn't check to make sure this material was disposed of properly?" Ms Skinner said.

Commentary:
The landscape of information security and personal information issues has changed markedly over the past ten years. SWAHS should still be held accountable, but how much can you comment on something that happened ten years ago and probably does not reflect upon current practice.

This is one of the most bizarre breaches I have read about in some time.

Past Breaches:
Unknown

Axcess Financial reports stolen laptop to New Hampshire AG

Wed, 28 May 2008 07:45:44 +0000

Technorati Tag: Security Breach

Date Reported:
5/13/08

Organization:
Axcess Financial Services, Inc.*

*Axcess Financial Services, Inc. appears to be affiliated or another name for CNG Financial Corp. aka Check 'n Go.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown**

**Axcess informed the New Hampshire State Attorney General of 142 residents affected in her state.

Types of Data:
"personal information (such as name, address, and social security number)"

Breach Description:
Axcess Financial Services, Inc. has notified the New Hampshire State Attorney General of a breach involving a stolen employee laptop that contained personal information belonging to customers.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

The purpose of this letter is to inform the New Hampshire Department of Justice that a security breach occurred in connection with a crime involving an employee's stolen computer.

Although information contained within the stolen computer is unlikely to have resulted in unauthorized access due to the password protection and other security measures, we are notifying your office because information contained therein may have included data with some of your residents' personal information (such as name, address, or social security number).
[Evan] Password protection provides very little assurance that the information won't be accessed. What are the "other security measures"?

This crime occurred on or about October 23, 2007, and we filed a police report with state law enforcement officials.
[Evan] October 23, 2007?!

Following the discovery of this crime, an extensive forensic investigation was required to determine the information contained within the stolen property.

There has been no indication that any misuse of this information has occurred in connection with the breach described above.
[Evan] A breach notification almost wouldn't be a breach notification without this statement (or similar).

Notification to the 142 affected New Hampshire residents was mailed in the form of a letter on or about May 13, 2008
[Evan] This is 6 months and 20 days (or 203 days) after the incident occurred! Why the delay? Do you suppose that a "forensic investigation" of the information that may have been on the laptop took this long? Ugh. Maybe the police asked them to wait. Either way, this amount of time seems extraordinarily long.

Axcess Financial fully intends to cooperate with law enforcement in this ongoing criminal investigation and to assist customers with concerns relating to this unfortunate event.

Notification to customers:

We are writing to advise you of a petty crime involving an employee's stolen belongings on October 23, 2007, which happened to include a secure computer that may have contained data with some of your personal information (such as name, address, or social security number).
[Evan] Really? A "petty crime"? Petty as in "of little or no importance or consequence"? This seems like a very poor choice of words, in my opinion. Affected customers may beg to differ.

It is highly unlikely any information has been breached because of password protection security measures.
[Evan] Come on! Password protection (OS-level) in and of itself certainly does not make a breach "highly unlikely".

There are no reported incidences of any issues.

While we are still awaiting the outcome of the police investigation, we are being proactive out of abundance of caution.
[Evan] A display of proactive abundance of caution would be to encrypt laptops and apply tight controls around what information is allowed to be stored on them (among other things).

Because there is a possibility that your personal information could have been subject to unauthorized disclosure, we have arranged to provide you - at our expense - 12 months of a credit monitoring service.
[Evan] How nice.

For any questions, please call 1-888-347-3595

Commentary:
In my opinion, this is one of the worst breach notifications that I have read in some time (if ever). The notification is full of statements meant to minimize importance and risk. There isn't even an apology to customers. Personally, I am glad to not be a customer with personal information under the custodial care of this company.

Disclaimer:
Due to the fact that I was a little harsher in my comments regarding this breach and in my opinion rightly so, I should state that my comments are my opinions. I am limited in the amount of information I have about this breach, so many of my opinions are based on what I read and my own experience. Axcess Financial has much more information surrounding this breach, and as instructed in the notification letter call them with questions.

Past Breaches:
Unknown

Oklahoma State University Parking Services server is compromised

Thu, 15 May 2008 11:08:54 +0000

Technorati Tag: Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU")

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for? Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right. Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol? That's not cool. A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs. All this for parking? Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah! Review your bills (pay them occasionally) and financial transactions carefully. But wait, you do this already? Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story! What do you suppose his stance was prior to being notified of the breach?

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management. You have the organizations that just don't get it and don't really care or know that they don't get it. These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^! They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either).

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem. These companies may seek guidance and consultation in the effort to build a comprehensive information security program. These programs should be built around business objectives and sound risk management.

Lastly, there are the companies that were proactive and built a sound information security program because it was good business. These organizations didn't need an adverse event or breach before taking action. These organizations don't panic when an adverse event occurs. They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow. The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?! That is way, way, way too long for a compromised server to go unnoticed. We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required. It's too bad that it took a breach for this to happen. Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack. Maybe the IT Data Center has better firewalls or something . I like the "full review". This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim. I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question! Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above. I made plenty.

Past Breaches:
Unknown

The Oracle speaks

Wed, 07 May 2008 15:55:42 +0000

No not Larry Ellison. StillSecure's oracle of NAC, Dave Greenstein, Chief Security Architect at StillSecure. I write and speak a lot about NAC, but Dave actually lives NAC. He led our development team that developed Safe Access. Now he is way out in front researching and designing the next generations of Safe Access and our other products. Dave doesn't comment on my posts a lot. I am always bugging him to start his own blog. The best I get is occasionally he will write an article or white paper. So when he commented on Joel Snyder's article on NAC and my comments, I figured it would make sense to give it some main column play. Here is what Dave had to say:

In order to use NAP you only need server 2008 for the NPS... Your domain and AD can still be 2003 so I think adoption of NAP will be faster for that reason. Also, XP SP3, which has NAP capabilities, adoption should be pretty fast compared to Vista.
On ACLs, I agree with Joel that ACLs are a great way to do things... But not with routers and DHCP enforcement. If you have HP switches or Extreme Switches then you can do dynamic ACLs per port. Similar to how you assign a VLAN via RADIUS attributes, you can assign ACLs for that port in addition to assigning a VLAN. This is great if you have the right switches. It helps protect the other endpoints within a quarantine VLAN and adds an extra layer of security. Cisco switches do not have this capability unless you’re running Cisco NAC and a Cisco ACS server (ugh). So, buy HP and Extreme switches!
What’s more likely to slow NAP adoption down is it’s total lack of endpoint administration... How do you keep track of what endpoints have which problems? How do you get an endpoint on the network in an emergency even if it has an issue? How do you update the SHAs on your thousands of endpoints? There are a whole host of issues not solved by NAP that make it unusable. That’s where products like StillSecure Safe Access come in.

BTW, if you think Dave makes some sense here and would like to hear more from him, let me know and I will coax him into writing some more! I should also add that I twisted his arm to give Safe Access a plug at the end there. Thanks Dave!

SCSU web server becomes spam server and exposes personal information

Fri, 02 May 2008 07:12:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
Southern Connecticut State University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
11,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."

Reference URL:
SCSU Alert
PCWorld
NBC Channel 30 News
Chronicle of Higher Education

Report Credit:
Southern Connecticut State University

Response:
From the online sources cited above:

From the University's Alert Page:
During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.
[Evan] As you will read further in this posting, the web server appears to have been compromised. I don't think "could have been vulnerable" is an accurate assessment. The information WAS vulnerable.

The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation.

Records of about 11,000 students had been stored in the file dating back to 2002.
[Evan] Personal information belonging to thousands of people on a public web server. UGH.

Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.

There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.
[Evan] Even novice web site administrators log access to web pages and files. If the attacker accessed the file through the web service/daemon, then access was probably logged. If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access. Either way, I assume that the file could have been accessed easily.

The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.
[Evan] What is proactive in a response?

The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.
[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server. Why would personal information storage be permitted at all on a web server?

Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.
[Evan] At the "university's expense" means at the current and future student's expense. As the cost of business goes up, so does the cost of service (at some point) which means an increase in the price of tuition or increase in taxes (SCSU is a member of the Connecticut State University System). Does this sound like good management?

A help desk has been established to respond to questions. The help desk number is: (203) 392-7216 and will be staffed between the hours of 8:30 a.m. to 4:30 p.m.

A dedicated Web page, containing updated information, has been created and may be accessed at www.southernct.edu/creditmonitoring/

Now From Outside Sources:
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
[Evan] Do you see how the school's alert web site differs from outside sources? See a spin (one way or the other)? Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time? Maybe a combination of the two.

The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.
[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.

"The hackers were using our Web server as a host for their own Web site," he said.

Pages on the university's site contained ads for diamond rings, Viagra and Cialis.

After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.

The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate

Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.

Commentary:
There are so many things wrong with this, it is hard to know where to start. Will anyone be held accountable.

Past Breaches:
April, 2008 - Stolen SunGard laptop affects at least 10 post-secondary schools (PogoWasRight has been keeping a running update of the Sungard breach, check out their search.)

Stolen Griffin Electric laptop exposes employee information

Fri, 11 Apr 2008 07:40:02 +0000

Technorati Tag: Security Breach

Date Reported:
3/21/08

Organization:
Wayne J. Griffin Electric Inc.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Unknown*

*The New Hampshire State Attorney General was notified of "approximately 55 New Hampshire residents"

Types of Data:
"employee names, social security numbers and dates of birth"

Breach Description:
"Please be advised that our company experienced a potential data breach that occurred when one of our Human Resources employees had their home broken into which involved a theft of personal items, along with a password protected company laptop computer and company health plan insurance invoices. The theft occurred over this past weekend."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

This letter is to notify you that an employee in our Human Resources Department had personal items stolen from her home over the weekend, along with a password protected Company laptop computer, and Company health plan insurance invoices.
[Evan] Yeah, don't forget to mention "password protected", even though it likely provides little to no value of protection.

The Worcester, MA city police department was alerted the same day as the theft and an investigation is underway.

The laptop contained the names of certain employees, their social security numbers, and dates of birth.
[Evan] This information should NOT be on a laptop (or other mobile device) without additional controls. Although no control is perfect, clearly encryption would be a control that could have significantly reduced the risk of exposure.

The health insurance paper invoices listed employee names and social security numbers, although those security numbers were identified as "sub. numbers" and not "social security numbers."
[Evan] Ugh. Why would this information ever be allowed outside of (what would be assumed as) a secured or controlled office environment. It would take a complete idiot to not identify a xxx-xx-xxxx pattern of numbers as a Social Security number, even if you call it something different. Even a xxxxxxxxx number on a health insurance invoice would be pretty easy to identify.

The invoices did not include any personal medical information, addresses or dates of birth.
[Evan] No need. A potential identity thief already has enough information with what was disclosed.

We take the possibility of identity theft very seriously and, therefore, are sending this precautionary advisory.

The purpose of this letter is to make you aware of this incident so that you can take steps to protect yourself, minimize the possibility of misuse of your information and mitigate any harm that could result.
[Evan] It is a shared responsibility of the data owner (victim) and the data custodian (company) to "take steps to protect". The data custodian did not "take steps to protect" in this breach by adequately securing personal information.

Based on what we know to date, we are not aware of any specific cases of misuse of personal information obtained in connection with the incident.

We apologize for this situation and any inconvenience it may cause you.

We treat all sensitive employee information in a confidential manner and try to be proactive in the careful handling of such information.
[Evan] I am interested to know what the company's definition of "confidential manner" is. I think it probably differs from the definitions of many information security professionals.

We continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.
[Evan] The word "continue" in my mind implies that this was done prior to the breach. Do you think that this was the case? It should be.

Due to the details of the above crime, we do not believe your information will be misused as a result of this incident.
[Evan] How is the conclusion drawn? Why would the thief take the health insurance invoices? Maybe the company doesn't think that identity theft and fraud are profitable for a thief, or maybe the company thinks that identity theft doesn't really happen.

However, as a precaution, we are finalizing arrangements to provide you with credit monitoring services (at the company's cost) should you wish to use such a protective measure.

Any employee who wishes to use such a service can call the Holliston, MA office at 1-800-421-0151 and talk with Sandy Crowe at Extension 5251 or Mark Danielson at Extension 5349 for assistance.

Again, we apologize for any inconvenience this incident may cause you or your family and we encourage you to take advantage of the resources we will provide to you to protect your personal information.

Commentary:
I am puzzled every time I read about people leaving confidential information at home, in a car, or in a public place on a mobile device such as a laptop without encryption (at a minimum). Ideally, we would all like confidential information to remain at the office, but sometimes this just isn't feasible for a business. Was the company never approached by anyone trying to sell them data encryption products? Did anyone at the company ever conduct any research into the risks involved? Did anyone at the company ever read one of the hundreds (or maybe thousands) of stories concerning stolen laptops with personal (or other confidential) information?

Nothing personal with Griffin, I am venting again.

Past Breaches:
Unknown