[SecurityRatty] tag: unsecure

Dickson County School District employee information stolen

Thu, 12 Jun 2008 07:52:47 +0000

Technorati Tag: Security Breach

Date Reported:
6/11/08

Organization:
Dickson County School District

Contractor/Consultant/Branch:
None

Victims:
"employees who worked for Dickson County schools in the 2006-2007 school year"

Number Affected:
850

Types of Data:
Payroll information including names, addresses and Social Security numbers

Breach Description:
"DICKSON, Tenn. -- A laptop computer containing personal employee information disappeared over the weekend from the office of Dickson County's top school official."

Reference URL:
WSMV Channel 4 News
WZTV Channel 17 News
The Tennessean

Report Credit:
Chris Tatum, WSMV Channel 4 News

Response:
From the online sources cited above:

A laptop computer containing the Social Security numbers and payroll information of all the employees of the Dickson County school system has been stolen, and authorities are warning school officials to watch their bank accounts.
[Evan] Is a physically and technically unsecure mobile device a good place to store confidential information? You probably know the answer to this already.

The computer belongs to the new director of schools and was loaded with the name and Social Security number of every school employee from the 2006-2007 school year, a total of 850.

"It's all public record except for the Social Security numbers," Johnny Chandler
[Evan] Well yeah, except for the Social Security numbers! What the &@*#?

"It came up missing over the weekend, sometime between Friday until Monday," said Dickson County school superintendent Johnny Chandler.

Chandler became the district's school superintendent last week and said that the laptop was on this desk when the office closed Friday evening.
[Evan] I couldn't find any mention of whether or not the office itself was locked or secured. I presume that it was not. This is not a very good start to Mr. Chandler's tenure.

Police have launched an investigation, but found no signs of a break-in and haven't ruled out someone within the building being the cause of the theft.

Employees at the Board of Education and police investigators believe the person who stole the laptop walked right through the door without forced entry.

Chandler admits that a cleaning crew, several staff and students for a retirement party came into the building over the weekend.

He has warned all school employees to keep a close eye on their credit reports.

We sent letters to everyone that was on that database in '06 and '07

Chandler assures school employees that he'll make sure this never happens again.
[Evan] How?

"All of our laptop computers will not be allowed to have any personal information concerning any employee or student," said Chandler.
[Evan] This is one good step. Will this be in policy? Will employees be trained and made periodically aware of this mandate? How will this be enforced? Will this mandate include other mobile devices and media such as CDs, thumb drives, etc.?

He said the laptop is double password protected.
[Evan] Sounds impressive, doesn't it.

"It has a double password so it would take a computer genius to get into it."
[Evan] I am certainly no genius, but I am pretty sure I could get into it!

Chandler said he plans to upgrade the security system at the school board building.

In the meantime, workers will lock up any equipment that contains sensitive information when they're not using it.

Dickson police said they are notifying local pawn shops to be on the lookout for the stolen laptop.

Director Vivian McCord says, "I really wish they would return it."

"The office it was taken from was next to the computer office and there were multiple computers next door in that room. So I really feel like it was just a quick little taking of a computer."

Anyone with information should call the Dickson Police Department at (615) 441-9592

Commentary:
We see these kinds of breaches all the time, but why? It is frustrating.

Too many people collect and store personal information and are oblivious to the risks. A laptop computer + confidential information + unlocked office - encryption = unacceptable risk for most prudent people. A simplistic point, but you get it.

Past Breaches:
Unknown

Two students access confidential Dominican University files

Wed, 14 May 2008 18:40:18 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
Dominican University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
5,215

Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"

Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."

Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University

Report Credit:
Dominican University

Response:
From the online sources cited above:

Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.

Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.

These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security? The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff. Does this make any sense to you?

One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward. My guess is not.

We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.

The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know. There are probably students doing worse things on campus that probably need a lot more supervision than these two. Judging only by what I have read, these students seem to have been pretty honest. They came forward, they cooperated with the investigation and even demonstrated what they did.

The university is conducting a complete security audit and internal review.
[Evan] This should be done a regular basis anyway. All good information security programs conduct regular audits, assessments and reviews.

Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do. The last statement contained the word "conducting", this statement contains "conducted".

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.

"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me

If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.

Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"

"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"

"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?

Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings. I don't sense an dishonesty on their part. I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information. The statement about a secure file in an unsecured location is puzzling.

If assumptions are correct, then it may be ill-advised to sanction these students. Does anyone else see this the same way, or would you say that I am off base here?

Past Breaches:
Unknown

How Unsecure Is The Web?

Sun, 30 Mar 2008 08:54:58 +0000

In the course of doing research for my upcoming Internet threat report, I came across some worrisome statistics. A Google researcher recently reported approximately 1.3% of all Internet queries would return at least one URL that contain malicious content. A year ago, March 2007, this number was 0.3%. The same report also indicates that 6,000 out of the top 1 million most popular URLs, have been, at one point or another, classified as malicious.

These statistics are indeed worrying. The top one million URLs are the most frequently visited sites, and the fact that a non-trivial percentage of them could be malicious is a previously unknown phenomenon. This underscores the rising difficulty of Web threat detection and defense. The latest statistics from the anti-phishing working group have that the average life time of a phishing site is now at three days (2006 statistic was 4.5 days). Not only are Web threats more wide spread, they are more dynamic as well.

Companies who are using URL filtering and anti-virus only will continue to lose ground, in the face of the more dynamic and stealthy threats. You must consider proactive, real-time malware detection methods to complement your other, more static threat protection mechanisms.

WCU server "hacked several times" since 2006

Wed, 26 Mar 2008 04:54:16 +0000

Technorati Tag: Security Breach

Date Reported:
3/23/08

Organization:
Western Carolina University

Contractor/Consultant/Branch:
Department of Business Computer Information Systems and Economics

Victims:
Graduates

Number Affected:
555

Types of Data:
Social Security numbers and other personally identifiable data

Breach Description:
"Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter."

Reference URL:
Asheville Citizen-Times

Report Credit:
Carol Motsinger, Asheville Citizen-Times

Response:
From the online source cited above:

Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter.
[Evan] What? Give me your Social Security number, and I'll give you a newsletter?

WCU officials discovered the breach while trying to track down and eliminate private information on unsecure computer servers
[Evan] WCU deserves some credit for going through their systems like this. This is something that should be done semi-annually, and never less than annually.

The compromised information was on a computer server managed by the Department of Business Computer Information Systems and Economics. And it was hacked several times, as long ago as 2006, said Bil Stahl, chief information officer at WCU.
[Evan] Ouch! Several times since 2006 is bad news. See my note above.

"We know the data was taken off the server, but we don’t have any evidence that their data was used," he said.

Social Security numbers were included in the stolen information because up until last fall, campuses in the University of North Carolina system could use those digits as student identification numbers. While the practice was stopped then, old data on servers remains vulnerable.

The private information was immediately removed from the compromised server and the Federal Bureau of Investigation is now handling the case.

Letters informing effected alumni of the security breach were also sent quickly, Stahl said.

Despite the breach, Stahl said WCU has "very robust security."
[Evan] Really? I guess it depends on your definition of "very robust security". How does a server get hacked several times over the course of a year or so and not get detected? I think intrusion detection, logging, log management, penetration testing, and audits should all be added to the "very robust security" program (among other things).

"We haven’t had any problems on our secure servers," he said. The compromised information was stored on an unsecure server that is normally used for sharing class notes and assignments.
[Evan] Are the "secure servers" and the "unsecure" servers using the same security domain and centralized authentication (i.e. Windows domain)? If so, then the "secure servers" are likely "unsecure" too.

The biggest challenge facing WCU is not keeping computer criminals out: It’s finding all the Social Security numbers that are stored in documents on unsecured servers.

"Most servers are secure," Stahl said. "We manage more than 150 servers, but they are secure."
[Evan] 150 servers is not too many to run them all as "secure servers".

WCU is currently mounting a twofold attack. It is combing computers for Social Security numbers used for student identification. If the school doesn’t need the numbers, they are deleted. If the numbers are needed, they are placed on a secure server, Stahl said.

The school is using software that finds nine-digit numbers in documents.

However, "there is no easy way to determine whether it’s a Social Security number or not," Stahl said. "You literally have to look at every nine-digit number."

Remarks from an affected alumnus, Wesley Todd
"The process is just tedious, having to take time out to verify that everything is still OK from my end and that my identity has not been stolen,"

"It’s just something that people worry about enough without the university creating more concern for us by not protecting our secured information." So far, Todd has "not found any credit issues,"

Remarks from an alumnus, Tom Fisher
"the most important thing any company, school or government entity can do after a security breach and/or data leak is notify the victims and potential victims."

"not at all surprised that the event actually occurred."

"Data breaches like this are like car accidents - you might not see one every day, but they are happening many times a day all across the country. All you can do is wear your seatbelt and hope it doesn’t happen to you."
[Evan] Sad, but true. The analogy seems to fit. Just like road fatalities we know that we can't completely eliminate them, but we never stop trying to make the roads safer. Understanding this, our job is to reduce the frequency and number of incidents as much as possible. Today there are still WAY TOO MANY breaches affecting WAY TOO MANY people. Many of these breaches could/should have been easily avoided.

Commentary:
The fact that a server was compromised several times without detection is hard to explain away. Some people may claim that the compromise was detected, but in my opinion it was not. Stumbling upon a breach is not the same as detection.

I understand the challenge that WCU faces in trying to find Social Security numbers (and other confidential information) in all of the data they possess. This is a challenge facing thousands of companies and organizations throughout the world. Too many of these companies ignore that fact that data management is an issue and just continue to "throw more disk" at the problem rather than organize, manage, and secure. The longer the problem exists without attention, the worse the problem gets.

Past Breaches:
Unknown

Stolen laptop contained Centocor speaker-consultant information

Tue, 29 Jan 2008 08:08:47 +0000

Technorati Tag: Security Breach

Date Reported:
1/29/08

Organization:
Johnson and Johnson

Contractor/Consultant/Branch:
Centocor, Inc.*
Unnamed IT Vendor

*Centocor, Inc. is a wholly owned subsidiary of Johnson & Johnson, a worldwide manufacturer of healthcare products.

Victims:
People participating in National Faculty and Rounds on the Road Speakers programs

Number Affected:
Unknown

Types of Data:
Name, home of business city and state, and Social Security number/Tax Identification Number

Breach Description:
Several computers are missing from Centocor facilities in Horsham, Pennsylvania, of which one contained sensitive personal information belonging to speaker-consultants engaged by Centocor for the National Faculty and Rounds on the Road speakers programs. Centocor was notified by their IT vendor of the missing computers in early October, 2007, and was provided additional details on November 29th, 2007.

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to inform you about a recent security incident affecting a number of
speaker-consultants engaged by Centocor, Inc.

a number of computers cannot be accounted for at Centocor's Horsham campus and are believed to have been stolen.

Centocor was initially notified by its IT vendor of the incident in early October 2007 and was provided specific details On Nov. 29, 2007.
[Evan] The letter to the New Hampshire Attorney General is dated January 2nd, 2008. This equates to 34 days between the time Centocor knew about the "specific details" and the time of notification. The unnamed IT vendor took more than a month to conduct their investigation. This is longer than I would have expected on both accounts. I wonder if this slowness is attributed to Centocor, the IT vendor or law enforcement.

Based on the subsequent investigation conducted by Centocor, one of the missing computers likely contained a file which included the name, city/state and social security/tax identification numbers of a number of people engaged by Centocor

one of the laptops likely contained a file with information that was intended for management of our National Faculty and Rounds on the Road Speakers program
[Evan] Why purpose does storing this file on a unsecure laptop serve?

Based on our investigation, Centocor believes that a former, contracted employee of the vendor removed the computers from our facilities
[Evan] It's good to know that they have a suspect in the theft.

Centocor reported this event to local law enforcement and they are currently investigating with full cooperation from Centocor and the vendor.

Centocor does not have any evidence that your infonnation has been misused, and
we believe that the likelihood of such misuse is low.
[Evan] I think the likelihood is higher than it would be in the case most "run of the mill" laptop thefts. In this case, the suspect is a contracted employee of the IT vendor which implies that this person may have IT skills.

we have arranged for a credit-monitoring product at no cost to you, which also includes unlimited access to your credit report
[Evan] Centocor has arranged for 1 year of credit monitoring with ConsumerInfo.com. Permanent information protected with one year of monitoring doesn't do much to reduce the risk to the affected individual. Monitoring is after the fact, and one year is 365 days.

Centocor is committed to working with the local law enforcement to try and recover the missing assets and your information
[Evan] It is important to remember that information is not like most physical assets. Once information confidentiality has been compromised, you can't "recover" it. You can't disclose a secret and then make it secret again. Nonsense.

Commentary:
I know for a fact that Johnson & Johnson runs a well-respected information security program, but even the well-respected companies experience breaches. I don't know too much about Centocor, and for all I know they may be an independently run IT organization.

Questions:
Why was this information on the laptop to begin with?
Why are Centocor laptops not encrypted?

Past Breaches:
September, 2007 - 68,767 Patients Affected by McKesson Stolen Computers