Friday, August 25, 2006
Thieves raid accounts of Dollar Tree customers
By TOM SHEAN, The Virginian-Pilot
© August 4, 2006
Last updated: 8:18 PM
Using stolen personal identification and account numbers, thieves have withdrawn hundreds of thousands of dollars from the bank accounts of consumers who used debit cards at Dollar Tree stores in California and southern Oregon, police departments in the two states said.
In Oregon, consumers have reported losing $250,000 from unauthorized withdrawals during the past month, said Lt. Tim George, a spokesman for the Medford, Ore., Police Department. The withdrawals, he said, were made from automated teller machines in southern California.
Police aren't certain how the account and ID numbers became available, George said, but the evidence suggests that thieves gained access to consumers' account data through a card-processing company, he said.
Tim Reid, a spokesman for Dollar Tree Stores, said the Chesapeake-based retailer has been working closely with local law enforcement agencies, the Secret Service and Visa, the marketer of card-payment systems.
"The safety and security of our customers is of utmost importance to us," Reid said. The problems with customers' losses from their bank accounts appear to be confined to "a small number of stores on the West Coast," he said. He declined to discuss the possible scope of those losses or when the company became aware of suspicious account activity.
Dollar Tree has more than 3,100 stores in 48 states. At the end of January, 209 of its stores were in California and 62 were in Oregon.
In Modesto, Calif., the Police Department has received about 150 reports from consumers who have lost $170,000 from their accounts after making purchases with debit cards at one particular Dollar Tree store, said Sgt. Craig Gundlach, a spokesman.
The thieves, he said, collected data about customers' accounts between mid-March and mid-April and tapped their accounts in June.
"The detectives here feel this is something more than kids or small-time criminals," Gundlach said. "This appears to be more sophisticated."
"I've been here 14 years, and I don't believe that we've experienced anything of this magnitude," he said.
Dollar Tree has its own investigative team at work on the West Coast, and the company is working closely with Modesto's Police Department, Gundlach said. "They've cooperated with every request that we've had, including that they not release any details of the investigation," he said.
The two police spokesmen said they did not know if there were any suspects in the cases.
The Secret Service has taken a major role in the investigation, Gundlach said. Calls to the service's field office in Sacramento for information about the cases were not returned.
The Secret Service investigates crimes involving financial institutions, including fraudulent access by means of debit and credit cards and fraudulent electronic transfers of money.
A large Sacramento, Calif.-based credit union, Golden 1 Credit Union, was one of the institutions where accounts were hit by thieves, according to a recent report by the Sacramento TV station KCRA 3. Teresa Halleck, the credit union's president and chief executive officer, declined to discuss the status of its members' accounts.
However, it appeared that the losses suffered by debit card users who made purchases at Dollar Tree stores involved a breach at a card-processing company rather than a problem at the retailer's stores, Halleck said.
Processors of credit and debit card transactions gather identification and payment data from retailers and route it to customers' financial institutions.
Last year, a break-in by a computer hacker called attention to the role that processors play in the payment system. Because of security weaknesses at the particular processor, CardSystems Solutions, more than 40 million card accounts were exposed to potential losses from fraud.
Reach Tom Shean at (757) 446-2379 or tom.shean@pilotonline.com.
Labels: Dollar Tree
Thursday, August 24, 2006
Federal Breaches Spark Security Review Push
Jaikumar Vijayan
June 19, 2006 (Computerworld) The massive data breach disclosed last month by the U.S. Department of Veterans Affairs has triggered sweeping reviews of information security policies at the VA and at several other government agencies that recently suffered smaller data losses.
And last week, officials at the Government Accountability Office and the White House Office of Management and Budget (OMB) said that federal agencies as a whole need to review their processes for collecting and storing data and controlling access to it.
The string of data breaches highlights the fact that agencies have to take a more strategic approach to guarding personal information, said Linda Koontz, director of information management issues at the GAO.
"We are believers in the notion of privacy impact assessments -- of looking at the implications of the information you are collecting and how to protect that," Koontz said in an interview after she testified at a hearing held last Wednesday by the House Committee on Veterans' Affairs.
The recent breach disclosures prompted the OMB to direct all agency heads to describe the specific steps they are taking to implement the requirements of the Federal Information Security Management Act in their annual reports on their compliance with FISMA.
"Agencies have a responsibility to ensure that they are FISMA-compliant and that their employees are trained to work with tough security measures," an OMB spokeswoman said. She added that the OMB has set "sound standards and policies" based on FISMA's mandates and is working with agencies "to make sure practices match these policies."
A Stronger FISMA
Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, last week promised to introduce legislation seeking to strengthen breach-notification requirements at agencies. His vow followed a belated disclosure by the Department of Energy that the Social Security numbers and other personal data of about 1,500 employees and contract workers were compromised by a hacker last September.
In addition to the VA and the Energy Department, the Social Security Administration and the Internal Revenue Service recently acknowledged that they had been hit by data breaches.
Davis has said the recent incidents highlight the need to strengthen FISMA's requirements. At a VA-related hearing that the Government Reform Committee held on June 8, he called for the addition of unspecified penalties and incentives to foster better information-security practices.
During the same hearing, VA Secretary R. James Nicholson expanded on some of the measures the agency is taking to prevent further breaches. Among them are a complete ban on using personally owned computers and laptops to log into the agency's networks, and an indefinite suspension of the practice of permitting VA employees to download claims files and work on them from home. Nicholson said he has also ordered a complete recall of all agency-issued laptops for a comprehensive security review by the end of this month.
The VA plans to require laptop users to submit their systems for a monthly review but has not yet decided how that will be done, a spokesman said.
Daniel Galik, chief of mission assurance and security services at the IRS, said at the June 8 hearing that the tax agency is "aggressively reviewing" information security processes after an employee lost a laptop. He added that the agency is looking for security technologies that will enable automatic encryption of all data on its laptops. The goal, he said, is to fully deploy such technologies within six months.
Labels: US Dept. of Veterans Affairs
Loan Firm, University Report Security Breaches
Jaikumar Vijayan
June 05, 2006 (Computerworld) Just days after the VA disclosed its data compromise, two other organizations reported similar incidents -- the latest in a long line of security breaches that have put personal information at risk.
Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based nonprofit organization that administers student loans, last week announced that an outside IT contractor had lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers.
The loss was reported to the company on May 26 by Hummingbird Ltd., a Toronto-based software vendor that had been hired by Texas Guaranteed to develop a document management system.
Kristin Boyer, a spokeswoman for Texas Guaranteed, said the company had followed recommended security practices by encrypting all the information before transmitting it to Hummingbird. The data was then decrypted by a Hummingbird employee and stored on equipment that appears to have been lost, Boyer said.
Hummingbird CEO Barry Litwin refused to disclose the type of media the information was stored on or how it was lost. But he said that the data had been password-protected at multiple levels, making it all but inaccessible to unauthorized users. "We believe that the chance of anybody actually getting at the data is minimal," Litwin said.
Meanwhile, Sacred Heart University in Fairfield, Conn., announced May 24 that one of its computers had been hacked, resulting in the potential compromise of the names, addresses and Social Security numbers of 135,000 alumni and prospective students.
The breach was discovered on May 8, when the university's IT staff noticed "an anomaly" during its daily system maintenance work, said Funda Alp, a spokeswoman for Sacred Heart. A rootkit program installed on the server -- apparently by an outside attacker -- caused one of the computing services running on that system to crash, Alp said.
Preliminary investigations showed that the attacker appeared to have the expertise to access the information stored on the server, although Alp said it isn't clear if that actually happened. In addition to the personal data, the compromised server contained credit card information for 103 individuals, she said.
Labels: Texas Guaranteed Student Loan Corp
Privacy Predicament: How To Protect Customers' Data
Jennifer McAdams
August 07, 2006 (Computerworld) The Philadelphia Stock Exchange flows 300 million stock quotes per day over an electronic trading system at rates that climb as high as 20,000 quotes per second during peak periods. The system also churns out extremely sensitive trading reports packed with proprietary customer information that must be stringently guarded from outside attacks and unauthorized internal access.
And beefing up security isn't the only challenge facing IT executives at the PHLX. Stock-trading information must be accessible to customers at all times. Therefore, the PHLX streams stock quotes, a practice that requires technology officials to comb the system constantly for attacks. Security measures include alarms and triggers so sensitive that even benign cases of runaway streaming will mimic denial-of-service attacks and kick off a series of safeguards.
Like most other large organizations, the PHLX is armed with firewalls, intrusion-prevention systems (IPS) and elaborate audit trails. The goal is air-tight security -- and reaching that goal is a daunting challenge, considering the complex infrastructures that exist in most big organizations.
"We have placed layers and layers of multiple vendor products to surround our networks with so much protection that we have created a defense akin to the Castle Keep," says Bernard Donnelly, vice president of the PHLX's quality assurance group.
But those safeguards deal with only part of the threat. "Don't become so overly focused on keeping intruders out that you leave yourself vulnerable to internal threats," says Donnelly.
Employees can walk out the door with gigabytes of sensitive data on tiny removable storage devices. Often overlooked are everyday occurrences, such as loud cell-phone conversations that reveal too much in public places like airports, says Eileen Hasson, president of The Computer Company Inc., an IT services firm in West Hartford, Conn.
Sadly, there's no one-size-fits-all model for protecting private information. The good news is that IT officials can learn from people in industries on the front lines of guarding precious customer information. "There are no guidelines for enterprises, except perhaps those being adopted by financial services and health care industries," says Hasson. Those industries are leading the way on privacy protection because the stakes are so high for them.
"Failing to comply with HIPAA mandates regarding protected health information has severe penalties and would not only compromise but cripple our business," says Gary D'Amato, systems manager at Health Access Solutions, a Foster City, Calif.-based provider of IT services to the health care industry.
THE ARSENAL
Bernard Donnelly of the Philadelphia Stock Exchange says that organizations that are serious about protecting customer information should have the following technologies in place:
Automated audit logs to collect information from all platforms
Software to distribute security policies electronically
Tools to authenticate internal and remote users
Packages to protect USB ports for LAN PCs
Intrusion-prevention system capabilities
Antivirus software for the LAN environment
Software designed to keep internal users from sites laden with malware
Patch management products
Systems to compare sensitive files and track changes
Encryption
Follow the Leaders
At Care New England Health System in Warwick, R.I., compliance with the Health Insurance Portability and Accountability Act centered on an exhaustive gap analysis of the organization's computer network and major penetration testing -- an elaborate exercise that often frames corporate security plans, says IT Security Manager Larry Pesce.
Gap analyses entail top-to-bottom reviews of security policies and often wrap in all rules and regulations imposed on a particular organization. In Care New England's case, the analysis started with mapping HIPAA mandates to internal security policies and procedures. It soon became evident that the organization's security mechanisms fell short of HIPAA requirements. Security audits were in order, says Pesce.
"I knew the only way to get the audit results I needed would be to start performing regular penetration testing," says Pesce. "From my experience, I knew that would give me the most accurate view of the network and provide me with the precise audit information I would need."
However, Care New England's gap-analysis efforts proved onerous. "Manual testing placed a tremendous strain on my limited budget and resources," Pesce says. "It was time-consuming to write exploits, ensure they were safe to run, perform the attack, and update and manage the process." Finally, he eased these burdens by adopting Core Impact, an automated testing framework from Core Security Technologies in Boston.
Core Impact is a series of agents and modules that scour a network for security weaknesses. A common user interface or console triggers Core Impact programs that then activate specific modules to perform operations such as packet sniffing or scanning of active ports. Core Impact modules are written in the object-oriented Python programming language to lessen the learning curve for those running the network tests. The modules dump testing data and activity logs into a centralized repository, which is able to recognize different operating systems and open ports.
"We were able to determine what security procedures and products were doing their job and protecting us. We were also able to find out what areas could be improved," Pesce explains.
Turning to IPS
After gap-analysis exercises, many large organizations first turn to an IPS to block sneak attacks, says Ted Demopoulos, a security consultant who works with institutions such as investment firm T. Rowe Price Group Inc.
When considering IPS technology, however, it's wise to check out many options and to think about the reams of information such systems will churn out.
"A lot of people are looking at IPS because it is a hot technology, and a lot of other people are adopting it," says Demopoulos. "But you have to keep in mind that these systems will generate large log files of all the things that might have been intrusions. The problem many times is that there is no one there to look at all the data these systems are creating."
Choosing an IPS that's easy to put in place and begin using is crucial, according to Howard Scott, IT director at Merscorp Inc., a mortgage processing company in Vienna, Va. Merscorp picked NitroGuard IPS, a system offered by NitroSecurity in Portsmouth, N.H.
NitroGuard is designed to examine and protect enterprise networks from viruses, worms, spyware, denial-of-service attacks and other threats. The system depends heavily on a large library of behavioral anomalies. It includes technology called a security event aggregation and correlation engine that's designed to sift through a multitude of events every second. It supports encrypted in-band secure management channels in order to slip into a configured network without customization.
"I've modified the rules and switched back to the default configuration with no problems. I can quickly turn on blocking, once the traffic-monitoring phase is complete," says Scott.
Many general-use hardware and software systems are already bundled with security features, but they are often underused by systems administrators. "I highly recommend that corporations make sure they are configuring their equipment to make the most of the features that come free with the stuff," says Hasson.
When it comes to proper configuration, what you don't know can hurt you, says Tim O'Pry, chief technology officer at The Henssler Financial Group in Kennesaw, Ga. When Henssler IT personnel asked users whose systems were exploited why they hadn't patched or configured their systems to prevent an attack, the most common response was, "I didn't know," he says.
There is plenty of blame to go around when patches prove outdated or improperly configured, says Dan Lukas, lead security architect at Aurora Health Care in Milwaukee. "Patches and updates are usually not maintained, as no one from the enterprise wants to take on the extra task of managing these devices," he says. "Many times, the vendor won't even allow anyone else to touch these devices, which poses an increasing security risk."
PHLX's Donnelly recommends a patch management tool and says the exchange uses HFNetChkPro from Shavlik Technologies LLC in Roseville, Minn. HFNetChkPro pushes patches necessary to secure a variety of Windows systems, as well as automatically patching products such as WinZip and Apache.
Keeping outsiders at bay with up-to-date patches, IPSs, antivirus software and other protections, however, is not enough, Donnelly says. Internal users can pose lethal security threats. As many as 80% of security breaches can be traced to insiders, if you count incidents involving staffers, consultants or vendors, says Christopher Paidhrin, a senior security engineer at ACS Healthcare Solutions, a unit of Affiliated Computer Services Inc. in Dallas. "Auditing for abuse by legitimate workers is the challenge," he says.
There's a slew of products designed to map changes to crucial documents and provide detailed logs on the activities of workers who have access to corporate information. For instance, Alameda Hospital in Alameda, Calif., traces access to user credentials, rather than IP addresses or other equipment identifiers, using the Identiforce appliance from Applied Identity Inc. in San Francisco, says Robert Lundy-Paine, the hospital's systems administrator.
"Since we base access on the user, we can be sure that this user accessed this protected resource at a specific time," Lundy-Paine explains. Identiforce cranks out detailed event logs, making it easier to put together compliance reports and analyze incidents. "The appliance allows us to capture activity through the device to a log file based on easy-to-configure parameters," he says.
Auditing tools designed to trace internal activity abound, but few instances of data compromised by employees turn out to be malicious. "Fifty-nine percent of the organizations we surveyed recently indicated that their last security breach was due to human error alone," observes Brian McCarthy, chief operating officer at the Computing Technology Industry Association, reporting the results of a recent poll of 574 organizations by Chicago-based CompTIA.
Human errors also include incidental mistakes, such as those surrounding efforts to dispose of unwanted IT assets. "Consider that even a fax machine ink roll is a potential risk," says Vera Lewis, vice president of SoCal Computer Recyclers Inc., an e-waste removal company in Harbor City, Calif. Most companies are not even aware of regulations for the disposal of sensitive data, such as those contained in the Fair and Accurate Credit Transactions Act, she says.
In the end, it's the corporate IT team that has consciously examined its security risks from top to bottom that stands to lose the least, says Ira Winkler, president of Internet Security Advisors Group and a Computerworld.com columnist. "Most corporate intelligence losses are not the result of high-tech crime," he says. "They are the result of human errors or system loopholes that can be easily and cost-effectively remedied."
Ten computers stolen from Nashville-based hospital firm
Linda Rosencrance
August 18, 2006 (Computerworld) HCA Inc., a Nashville-based firm that owns and operates approximately 182 hospitals and 94 surgery centers in 22 states, England and Switzerland, said 10 computers were stolen during a break-in at an undisclosed HCA regional office.
HCA said in a statement that the computers held thousands of files listing unpaid bills from Medicare and Medicaid patients for hospitals in eight states. The records were required for government reports, according to HCA. The data also included some patient Social Security numbers, and in a small number of cases, codes used by the government to identify patient groups.
The computers, which require a password for access, were stolen from a secured building, protected by keypad lock technology and video surveillance, HCA said. Law enforcement agencies, including the FBI, have launched an investigation of the theft, HCA said.
"Authorities believe the computers were stolen by a gang that has committed numerous break-ins in the same area, looking for computers to be sold for their hardware and not the data," HCA said in its statement. "Despite a rigorous testing process and substantial security measures, this incident took place, showing criminals can sometimes bypass even the most effective security."
This theft affects Medicare or Medicaid patients who failed to pay their co-payments or deductibles, resulting in overdue accounts -- as well as Medicare and Medicaid patients who were seen in an HCA hospital in Colorado, Kansas, Louisiana, Mississippi, Oklahoma, Oregon, Texas or Washington, between 1996 and 2006.
HCA officials could not be reached for comment.
Labels: HCA Inc.
Laptop with data on 28,000 home care patients stolen in Detroit
Linda Rosencrance
August 23, 2006 (Computerworld) A laptop containing home care information on 28,000 patients has been stolen from the car of a nurse who works for Royal Oak, Mich.-based Beaumont Hospitals, according to a statement from the hospital.
The laptop was in the nurse's car, which was stolen in Detroit on Aug. 5 after the nurse had finished seeing patients. The vehicle was later recovered, but the laptop was missing. The computer contained personal and health information of Home Care patients who had received care over the previous three years, the hospital said.
The Home Care staff uses laptops to document patient care. The data on the stolen laptop -- a Dell Latitude model -- includes patient names, addresses, birth dates, medical insurance information, Social Security numbers and personal health information relating to their home care services. The computer does not include information on services received at the Beaumont Hospitals or other Beaumont outpatient services, the hospital said.
There is no evidence that anyone's personal information has been accessed or misused, the statement said, nor is there any evidence that the computer was stolen for its data.
While Home Care laptops are encrypted and password protected, the nurse's ID access code and password were with the stolen computer, meaning personal information may be at risk of exposure. The nurse was a new employee still completing orientation.
"We have been working with the Detroit police in investigating the theft and attempting to recover the laptop," said Chris Hengstebeck, director of security for Beaumont Hospitals. "We have communicated the situation to all Home Care patients through a letter and tested and strengthened our computer security systems and processes. We deeply regret that the personal information of our Home Care patients may be at risk for exposure. We are taking aggressive measures to protect their personal and health information and to lessen the impact of the computer theft on them."
Beaumont said its IT department is reviewing and enhancing computer security systems with its software vendor. The hospital said it has also reinforced laptop security procedures with its Home Care staff.
Beaumont Home Care has arranged for affected patients to enroll in a credit reporting service, at the hospital's expense, for one year.
A reward for the recovery of the laptop is also being offered.
Labels: Beaumont Hospital
Cybersecurity: A job for Uncle Sam
Sarah D. Scalet
June 02, 2006 (CIO) Orson Swindle has long been one of the nation's most cogent advocates of the notion that industry self-regulation is the best way for American businesses to improve information security and privacy. A Republican appointee to the Federal Trade Commission by President Bill Clinton in 1997, Swindle used his seven-year term to promote the creation of a "culture of security" in which the government, businesses and consumers work together to improve security.
These days, however, Swindle is coming around to the idea that federal regulation -- carefully crafted and keeping in mind the costs and benefits to affected businesses -- may be necessary to protect American businesses and consumers. His experiences with the FTC have made him aware of the limitations in the country's existing infrastructure to protect consumers against identity theft.
Swindle, 69, is now chairman of security initiatives for the Center for Information Policy Leadership at the law firm Hunton & Williams, and he is also a distinguished fellow at the Progress & Freedom Foundation, a think tank. He spoke with Sarah D. Scalet, a senior editor at CSO, about the challenges of improving information security and privacy.
What's your perception of the state of information security today, and how close are we to creating this "culture of security" that you've envisioned?
We do have problems. I don't think the problems are nearly as bad as they are perceived, and part of that has to do with how the media covers things. This past year we've had probably in excess of 100 disclosed breaches, but the jump from disclosed breaches to grievous harm having occurred is a huge one. You'll hear "40 million credit cards compromised," but it's a much smaller number than that -- a very low number -- where harm has actually occurred. Oftentimes a disclosure is an emotional thing. It causes people to overreact. But that is not to say we don't have a problem.
It's understandable that people would be upset when they hear about huge disclosures of information that are out of a private citizen's hands.
Absolutely. I think there is reason to be concerned. I think consumers need to be always diligent in how they handle their own information. Perhaps of greater significance, those who are in the business of handling the information have to wake up to the reality.
How do we follow the path from when information is stolen, to the point maybe nine months from now when that breach results in identity theft or fraud?
Great minds are working on this, and no one has a neat solution. Say a laptop with a lot of sensitive information on it disappears. Should the company immediately inform all those whose information was there on the lost laptop, when four days later it's found and nothing's been done to it? Do we want to cry wolf and scare people, or do we want to evaluate the whole sequence and determine if there is a real harm factor involved with this irresponsibility? As you say, we do have account numbers from credit cards exposed, and the effect of that doesn't show up for six months. How do you measure that? It's complicated.
Do you think the law leaves enough room for the company that gets that laptop back to do computer forensics on the hard drive, see that files weren't accessed in the past four days and not do a disclosure?
Sometimes the information is, in effect -- I'll put quotes around it -- "compromised," yet it has no use because it is encrypted. On the other hand, if because of lousy security a database is hacked into, and the person was doing it for a reason, that's very different. There's a management decision to be made involving risk management and risk assessment -- trying to come up with the criteria by which you will implement certain reactive types of programs.
This fall, I attended a meeting where some businesses said, Look, we're not going to invest in enhanced information security because it's expensive; it has a low return on investment. I said, Really? Tell me how you crank in the risk to your reputation if you have a security breach. What about the cost or the liability of the lawsuits that are coming your way? The collateral damage is just enormous. Avoiding that cost, what does that do for your return on investment?
The marketplace has a way of working. Whether or not it works fast enough to avoid major calamities in the future, I don't know. But I know this. More burdensome regulation -- and certainly more burdensome regulation driven by an emotional circumstance or perceived crisis -- often gets us laws with unintended consequences. Cost of compliance is one. Cost-benefit analysis should be a part of any regulation imposing burdens on its targets.
It's been about a year and a half since the first disclosure law took effect in California, and similar laws have passed or are being considered in many states. Do you classify these disclosure laws as burdensome regulations?
I'm sure some would argue that they're burdensome, but I think they're obligatory. I think we are coming to a time when we must assess breaches by some measure for harm, and when there is harm, the firm suffering the breach will be obligated to notify the person about whom the information pertains. It seems to me that if we can tell a bank that if you lose my money, you're going to be responsible for it -- that's why they insure it -- then why not take the same approach with information?
Now we come into that inevitable problem in our federalist system: Do we want to have a standard rather than 50 different ways of doing it? What you get with 50 different ways is, the marketplace will decide which is the most onerous, and [companies will] adopt it and all the others under it.
Right, from a compliance perspective, companies would logically conclude that if they comply with the strictest state law, that would put them in compliance with other laws as well. Are you suggesting that there's a need for a national disclosure law that's less strict than California's?
I wouldn't begin to characterize it as less strict. Having each state be its own little laboratory is useful in some things, and in some things it creates chaos. I'm saying that there needs to be uniformity. Maybe a national disclosure law would be a mirror image of California. Maybe we combine two or three of the laws and come up with something that everybody says, "Well, that makes sense, let's do it that way."
What else do you predict for this legislative year?
We're going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren't financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we're talking about a financial institution or a university or a shoe store.
You've said in the past that we are not knowledgeable enough to begin regulating. Do you think we're getting close?
The act of regulating is always moving by its very nature.
I remember the debate back seven or eight years ago we were having on taxing the Internet. I don't like the idea, and how would you do it? One study said that for a huge firm it might cost 13 cents to collect a dollar in taxes, whereas a little firm would probably have to spend 87 cents to collect that dollar. It just shows you the inequity of legislation. Again, that's not a product of evil intent. It's usually the product of No. 1, a complex problem, No. 2, influence on the way the legislation is shaped, and lastly, just not understanding and thinking through to the end, What's going to be the effect of all this? Does it make sense? That's why I have been consistently saying, Let's not rush in and start legislating. We don't fully understand this, and even if we did fully understand it right now, six months down the road the situation will have changed.
FTC enforcement of existing laws is certainly an alternative to new legislation. In your time as a commissioner, how effective do you think your attempts at enforcement were?
We were moving. The case with BJ's Wholesale Club was an example. That was a settlement stemming from a case presented back in May of 2005. [The FTC charged that BJ's did not reasonably protect sensitive customer information, leading to fraudulent purchases made with counterfeit copies of credit and debit cards.] The FTC's Unfairness Doctrine relates to conduct that a firm might engage in, which has the consumer at a critical disadvantage. Either the consumer doesn't know anything about it or can't do anything to correct it, and there's no countervailing greater good that comes from the conduct. Using the Unfairness Doctrine, the FTC basically said that BJ's Wholesale Club, by collecting sensitive and critical information and not taking adequate steps to protect it, had committed an "unfair" act against the consumers. A subsequent case for the FTC was DSW. [The FTC charged that hackers gained access to account information of 1.4 million customers of the shoe discounter.] The FTC nailed them on the same Unfairness Doctrine.
But here's one of the troubling things about the FTC. It's a civil law enforcement agency. It has a hard time enforcing criminal-like penalties. To do that, it has to go to the Justice Department, and of course, their plate is just a wee bit full. The FTC can only do so much in the way of punishing, as a famous man in town would say, "the evildoers." I often out of frustration would say, Our punishment amounts only to a small line item on this guy's financial statement: penalties paid to the FTC for this. You just wonder about the effectiveness of the penalty structure.
Should the penalty structure be changed?
We need to think about changing it in the context of what we're dealing with today, as opposed to what we were dealing with 30 years ago. Back then, if I had an important document that I kept in my office, and you wanted to do harm to me, you could break into my office and find it and steal it. That's a major crime. Today that document might exist in a digital format. It is within information systems that you can break into to steal the document. I'm not sure we think of that in the same way we did that physical thing. We need to rethink the nature of this type of crime and how it stacks up with those things we considered to be grievous crimes in the past.
Do you think the FTC needs criminal enforcement powers?
It's a controversial thing because the Justice Department is considered our criminal law enforcement. That's a very hot political potato. I don't want to get into that. I've often been known to say we need criminal authority over at the FTC. What we did as a compromise, perhaps not often enough, was we let some of our attorneys who worked on cases be deputized, in a sense, for the Justice Department.
The FTC recently announced its largest civil penalty to date -- a $15 million fine against data broker ChoicePoint. [Disclosure: Hunton & Williams, the law firm where Swindle works, has represented ChoicePoint.] Are you surprised that the largest civil penalty in the FTC's history now involves privacy and information security?
No. This is serious business. And I think that Chairman [Deborah Platt] Majoras is doing a terrific job of getting that message across. The DSW and BJ's settlements said similar things, but as I recall there were no dollar figures associated with those settlements. With the ChoicePoint case, there were a number of different violations, including the Fair Credit Reporting Act, thus the penalty criteria is quite different from the "unfairness" nature of BJ's and DSW. The case involving ChoicePoint is pretty well laid out, and the violation was grievous. The FTC held firm, which I'm proud of.
The position of assistant secretary for cybersecurity at the Department of Homeland Security has been open for months. Why do you think it hasn't been filled?I will refrain from answering. I'll tell you this: This administration, and every administration to follow, had better make a very concerted effort to put technology on the table and adequately stamp it so that we as a country and as a nation can maintain our supremacy in technology development and use. Sometimes I get the impression that we're not paying enough attention to technology. Every administration needs to pay a lot of attention to it. Information flows and the technology that makes it possible is the lifeblood of our economy -- it's the way we do everything. We have to get this right. Otherwise we're just setting ourselves up for a lot of misfortune. We have become incredibly lucrative targets of opportunity.
Survey: 81% of U.S. firms lost laptops with sensitive data in the past year
Linda Rosencrance
August 16, 2006 (Computerworld) Loss of confidential data -- including intellectual property, business documents, customer data and employee records -- is a pervasive problem among U.S. companies, according to a survey released yesterday by Ponemon Institute LLC and Vontu Inc., a San Francisco-based provider of data loss prevention products.
Eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months, according to the survey, which queried nearly 500 information security professionals.
One of the main reasons corporate data security breaches occur is because companies don't know where their sensitive or confidential business information resides within the network or enterprise systems, Larry Ponemon, chairman of the Ponemon Institute, said in a statement.
"This lack of knowledge, coupled with insufficient controls over data stores, can pose a serious threat for both business and governmental organizations," Ponemon said. "Moreover, the danger doesn't stop at the network, but includes employees' and contractors' laptop computers and other portable storage devices."
Ponemon, whose research firm is based in Elk Rapids, Mich., is also a columnist for Computerworld.
Other findings of the study include the following:
Handheld devices and laptops ranked highest among storage devices that posed the greatest risk for sensitive corporate data, followed by Universal Serial Bus memory sticks, desktop systems and shared file servers.
Sixty-four percent of companies surveyed reported that they have never conducted an inventory of sensitive consumer information.
Sixty-four percent also reported never having taken an inventory of employee data.
Eighty-one percent of respondents reported that protecting sensitive "data at rest" is a priority this year, and 89% predicted that it will be a priority next year. The survey defines data at rest as all electronic information found on storage devices within an organization's IT infrastructure.
Asked "How long would it take to determine what actual sensitive data was on a lost or stolen laptop, desktop, file server or mobile device?" the most frequent answer was "never," according to the survey.
More than 53% of respondents believed that their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it was lost or stolen. And approximately 49% of respondents said that their companies would be unable to determine what lost data resided on a handheld or comparable mobile device, according to the survey.
"Corporations are clearly struggling with the challenges of identifying and protecting sensitive data, as well as developing successful strategies for securing confidential information stored among the myriad devices that make up today's data networks," said Ponemon. "Our findings point to the shockingly high risk to both business and consumers of undiscovered confidential data, but we believe that the data also serve as a compass to help point organizations toward effective solutions to this vexing problem."
According to Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa., organizations can take the following steps to protect sensitive data.
Identify your most significant data elements. That's often personal information, but it could also be intellectual property, financial data or something else.
Determine where this data exists on your network, and where it is most likely to leak. Laptops are the typical answer here, but e-mail is another possibility. And some people are concerned about backup tapes or laptop outputs such as USB drives and CDs.
Monitor the network and possibly the endpoint for this information, and take appropriate action. In the beginning, this is simply logging. You could also prevent/block it, or even better encrypt it.
Encrypt data in the places where it is most likely to rest.
Plan your rights management strategy now. Data is ubiquitous.
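As an added illustration of Lindstrom's first three steps (this is not code from the article or from Spire Security), the following Python script inventories a laptop's documents for two data elements, Social Security numbers and Luhn-valid payment card numbers, and produces the per-file counts and masked log lines that would let a company answer "what sensitive data was on that laptop?" after a loss. The file paths and contents are constructed for the example.

```python
import re
from dataclasses import dataclass

# Patterns for the two data elements treated here as "most significant" (step 1):
# US Social Security numbers and payment card numbers. The SSN pattern rejects
# area numbers 000, 666 and 9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    path: str    # file the value was found in (step 2: where does the data reside?)
    kind: str    # "ssn" or "card"
    masked: str  # all but the last four digits hidden, safe to write to a log
    offset: int  # character offset of the match inside the file


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(path: str, text: str) -> list[Finding]:
    """Scan one file's text and return every SSN and Luhn-valid card number found."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(Finding(path, "ssn", mask(re.sub(r"\D", "", m.group())), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(Finding(path, "card", mask(digits), m.start()))
    return sorted(found, key=lambda f: f.offset)


def inventory(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """Per-file counts by kind: the answer to 'what sensitive data was on that laptop?'"""
    report: dict[str, dict[str, int]] = {}
    for path, text in files.items():
        counts: dict[str, int] = {}
        for f in find_sensitive(path, text):
            counts[f.kind] = counts.get(f.kind, 0) + 1
        if counts:
            report[path] = counts
    return report


def log_lines(files: dict[str, str]) -> list[str]:
    """Step 3 in its simplest form, logging: one line per finding, never the raw value."""
    return [f"{f.path}:{f.offset} {f.kind} {f.masked}"
            for path, text in files.items() for f in find_sensitive(path, text)]


# Constructed sample "files" standing in for a laptop's documents (not real data).
SAMPLE_FILES = {
    "cases/notes.txt": (
        "Interview 2006-07-27. Subject SSN 123-45-6789. "
        "Card on file 4111 1111 1111 1111; mistyped copy 4111 1111 1111 1112. "
        "Case ref 000-12-3456 is a file number, not an SSN."
    ),
    "cases/agenda.txt": "Anti-fraud conference agenda: 09:00 opening, room 204.",
}

if __name__ == "__main__":
    for line in log_lines(SAMPLE_FILES):
        print(line)
    print(inventory(SAMPLE_FILES))
```

The mistyped card number and the file reference that merely resembles an SSN are dropped by the Luhn check and the SSN range rules, which keeps the inventory from over-counting.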
In the future, organizations will have another option for data encryption, said Stephen Northcutt, president of the SANS Institute, a Bethesda, Md.-based cybersecurity training and certification company.
"The newest laptops and desktops are shipping with something called the Trusted Platform Module, and it's a chip that's designed for secure storage so it was built to play very nicely with [public-key infrastructure]," Northcutt said. "It's really a thing of the future. The laptops are shipping now, the software is available now, but the implementations don't exist right this second.
"We think this will really be the final answer," he said. "In the meantime, [organizations] are going to have to go with a third-party solution to [encrypt their data]."
U.S. DOT laptop with personal data on 133,000 Floridians stolen
Todd R. Weiss
August 10, 2006 (Computerworld) A laptop computer with the names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents was stolen late last month from a government vehicle that was being used by an agent of the U.S. Department of Transportation's Office of Inspector General (OIG) in Miami.
In an announcement yesterday (download PDF), the OIG's office said the laptop was taken from the parked vehicle on July 27. Investigators said they do not believe it was taken for the personal information that it contained.
OIG spokesman David Barnes said today in an e-mail reply to questions that the agent's government-owned vehicle was parked and locked outside a restaurant in Doral, Fla., when the theft occurred. "The agent noticed the laptop was missing at the end of the day when he returned home and picked up the computer case, which felt light," Barnes said. "He opened it and discovered that the Dell Latitude laptop and its charger [were] missing. He searched his home and office. When he and his supervisor subsequently inspected the vehicle, they found that one of the door locks had been tampered with."
According to the OIG, the laptop was password-protected and contained four databases with personal information on about 42,792 Florida pilots, 80,667 Miami-Dade County commercial driver's license (CDL) holders and 9,496 people who received their driver's licenses and/or CDLs from the Largo, Fla., licensing examining facility near Tampa. No financial or medical information was on the laptop, the OIG said.
The data was being used by the agency in connection with multiagency task forces focusing on the use of fraudulent information to obtain CDLs or airman certificates, according to the agency. The Tampa-area driver's licensing data was used as part of an ongoing investigation involving fraud at the licensing facility.
"We are making every effort to recover the stolen laptop and resecure the data it contains," Acting Inspector General Todd J. Zinser said in a statement. "We seriously regret this matter and take our responsibilities seriously. We have taken action and will continue to take steps necessary to prevent this from happening again."
A reward has been offered by the OIG for the return of the stolen laptop.
The agency said it is now taking measures to ensure that no other OIG laptops or portable devices assigned to field offices and headquarters employees contain such data. It is also tightening policies regarding laptop computer use.
Labels: FL Dept. of Transportation
DOT says it has lost two laptops with agency data this year
Linda Rosencrance
August 17, 2006 (Computerworld) The U.S. Department of Transportation (DOT) this week reported that one of its laptops was stolen from a conference room in a Florida hotel in April. That theft preceded one that occurred late last month, meaning the agency has lost track of two of its laptops this year.
The DOT had acknowledged last week that a laptop with the names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents was stolen in late July from a government vehicle being used by an agent of the U.S. Department of Transportation's Office of Inspector General (OIG) in Miami.
The first laptop was stolen on April 24, from a conference room in a hotel in Orlando, said Clayton Boyce, a spokesman for the OIG.
Boyce said that laptop was being used by a Transportation Department special agent from the Miami office who was there to present at an anti-fraud conference. The agent told police she had left the laptop in a locked room, but it was missing when she returned 45 minutes later, according to another OIG spokesman.
The laptop contained fraud case files involving government contracts and grants, according to the spokesman.
"We continue to take further steps to control security of the laptops and the sensitive information contained on them," Boyce said. "If there's sensitive information on employee laptops that they don't need, it's being removed -- and if they do need it then it's being encrypted."
While he wasn't sure whether the information on the laptop stolen in April was encrypted, the data on the one stolen in July was encrypted -- at least initially.
"Because of a problem with files being moved to a new server, the information wasn't encrypted at the time of the July theft, but it was protected by password," Boyce said.
Labels: FL Dept. of Transportation
Defcon: Cybercriminals taking cues from Mafia, says FBI
Robert McMillan
August 06, 2006 (IDG News Service) The Web site offered to sell stolen credit card information for $100, but it was the title of the poster that caught FBI agent Thomas X Grasso Jr.'s attention. The cybercriminal identified himself as a "Capo di capo" -- a boss of bosses, in Mafia parlance.
As money has become the driving force behind online threats, cybercriminals have been taking a page from organized crime, adopting the same kind of organizational structures as these older crime groups, Grasso told an audience Friday at the Defcon hacker conference. Defcon immediately follows Black Hat, its sister show.
"This organized crime group, Carderplanet, organized themselves into the same structure as the Italian Mafia," said Grasso, a supervisory special agent who works at the National Cyber Forensics & Training Alliance.
And the costs of cybercrime are steep. The FBI estimates that it cost the U.S. more than $67 billion last year, Grasso said.
To illustrate how sophisticated these cybercriminals are, Grasso then played a slick promotional video offering Carderplanet "business" services. It could easily have been mistaken for a legitimate IT consulting ad.
"Just so there's no confusion here, these guys are not doing something legal," he told the audience after playing the video.
The Carderplanet Web site has now been shut down and the FBI is working with other law enforcement agencies in eastern Europe to put the group completely out of business.
But Carderplanet is just one part of a larger confederation of online criminals called the International Carder's Alliance. They use known Web sites and IRC (Internet Relay Chat) channels to coordinate their online attacks.
"This is really the heart of organized cybercrime," Grasso said of the alliance. Many other cybercrime groups, with names such as Mazafaka, Shadowcrew, and IAACA (the International Association for the Advancement of Criminal Activity), are affiliated with this organization.
One reason for the similarities between cybercriminals and traditional organized crime is that the gangs themselves increasingly are becoming involved in online crime.
"The [criminal activities] area is crowded, and cybercrime is a great outlet for these groups to move into," Grasso said.
"The average take on a bank robbery is, like, $3,000. The persons committing that crime run an extremely high risk of something bad happening to them," he said. "You can run a phishing scam and make hundreds of thousands of dollars. You can be a spammer and be rich off your rocker."
Yahoo service attempts to cut line on phishers
Juan Carlos Perez
August 18, 2006 (IDG News Service) Yahoo Inc. is testing a security service designed to prevent Web surfers from landing on sites that look like they are from Yahoo but that are fake ones set up by fraudsters to carry out phishing scams.
The service lets users know if they have landed on a legitimate Yahoo sign-in Web page, preventing them from entering their Yahoo ID and password on a phishing site.
The service, which currently supports only U.S. Yahoo Web sites, is being tested and hasn't been officially announced yet, a Yahoo spokeswoman said via e-mail on Friday.
Phishing is a monumental online security problem. Scammers set up legitimate-looking Web sites from well-known companies, such as banks, online stores and Web portals, and try to lure people to them via e-mail and other methods. The idea is to trick people into entering into the sites sensitive information, such as passwords and credit card numbers, for malicious purposes, such as ID theft and fraud.
Each Yahoo sign-in seal is associated with an individual computer, so users need to install it on every computer they use. Once installed, the seal will appear on Yahoo sign-in screens, letting users know the site is genuine. Creating a seal involves either entering some text terms or uploading an image. The text or the image is displayed in the seal, which will only appear on Yahoo sign-in screens and thus offers no protection on sites from other companies.
Yahoo cautions that there are reasons why the seal may not appear on otherwise genuine Yahoo sign-in pages. "For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you're using a partner or international Yahoo site," Yahoo's site reads. "To be safe, look for these other clues to make sure you're on a genuine Yahoo sign-in screen."
If the computer is shared among family or friends, it is a good idea to show everyone the sign-in seal so they recognize it. For computers in public places, like libraries, the sign-in seal should be created by the location's administrators and not by visiting users, according to Yahoo.
Webroot uncovers thousands of stolen identities
Paul Roberts
May 10, 2006 (InfoWorld) Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery.
The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, Social Security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.
The discovery is just the latest evidence of rampant identity theft by online criminals who use malicious Web sites, common software vulnerabilities and keylogging software to harvest information from unsuspecting Web surfers.
The Trojan was discovered on April 25 by Dan Para, a member of Webroot's Threat Research Team, who was investigating one of a number of malicious files installed using "drive-by downloads" from the teens7(dot)com Web site. In drive-by downloads, software vulnerabilities in Web browsers are exploited so that malicious software can be pushed down to the machine running the Web browser, usually without any warning to the computer's owner.
The Rebery malicious software is an example of a "banking" Trojan, a class of program that is written to spring to life when computer owners visit one of a number of online banking or e-commerce sites, said Gerhard Eschelbeck, chief technology officer at Webroot.
Webroot notified the FBI after it discovered the stolen information, which had been groomed and organized in folders by country where it was "ready to be sold," Eschelbeck said. The stolen data was hosted on an FTP server hosted by nLayer Communications in New York, according to Webroot. However, the company does not know who is behind the scam, Eschelbeck said.
"It's probably an individual who set it up," said Eschelbeck. However, it is unlikely that the individuals running the Web site or hosting the FTP server have any direct knowledge of the scam, he said.
Rebery is still "running wild" on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan, 1,200 of them in the U.S.
The stash of stolen identities is just one of many that have been uncovered in recent months, as identity theft has evolved into a lucrative operation for online criminal groups.
Researchers at antispyware firm Sunbelt Software have also uncovered stashes of stolen information harvested by keyloggers on more than one occasion, and company employees have, in the past, informed some consumers that their identities have been stolen.
Catching the perpetrators is a different matter, however. Often, criminals conduct their affairs from afar, connecting to their servers through one or more compromised machines, which are often scattered around the globe, making criminal investigation and enforcement difficult, experts say.
Man charged in Hurricane Katrina phishing scams
Robert McMillan
August 18, 2006 (IDG News Service) A Miami man has been charged with setting up a number of phishing Web sites designed to steal credit card information from Hurricane Katrina relief donors.
Jovany Desir, 20, was indicted Tuesday on five counts of wire fraud related to several scams, the U.S. attorney's office said in a statement. He is alleged to have set up fake Web sites designed to look like those of the American Red Cross, PNC Bank, eBay Inc. and Paypal. Two Canadian banks were also spoofed: Banque Nationale and Desjardins Credit Union.
There were reports of widespread scamming in the weeks after Hurricane Katrina devastated New Orleans and parts of the Gulf Coast. Last September, the FBI warned that more than half of the Hurricane Katrina aid sites that it had reviewed were registered to people outside of the U.S. and likely to be fraudulent.
The U.S. attorney's office did not say how many victims were taken in by these most recent scams, but the Banque Nationale site received about 8,500 hits, it said.
The charges carry a maximum sentence of 50 years in prison and a fine of $1 million.
For all this risk, Desir may not have made much money from the affair. According to the U.S. attorney's statement, he sold the phishing sites to "would-be scammers."
His take: $150 each.
Poly heist risks identity thefts
Current and former students advised to put fraud alerts on credit reports; thefts of Social Security numbers have happened before
By Sally Connell
sconnell@thetribunenews.com
Read letter Cal Poly officials sent to student (PDF)
Cal Poly has notified 3,020 current and former students that their names and Social Security numbers were on a laptop computer stolen earlier this month from a physics professor's San Luis Obispo home.
Cal Poly used names and Social Security numbers on class lists before 2004, according to Vicki Stover, campus information security officer.
The informational letter, which Cal Poly is required under state law to distribute to those affected, went to students who took the physics and astronomy lectures taught by physics professor John Mottman from 1994 to 2004.
Cal Poly is trying to change its practice of using Social Security numbers as the main identifier for students, something that was once common in the halls of higher education.
"We are coming up with a new identifier for new students," she said, adding that the campus is also working on giving older students a new student identification number.
Experts in the field say that while there are many such identity theft exposure cases reported in the press, each one is important when Social Security numbers and names are obtained.
"They've got the keys to the kingdom," said Jay Foley, executive director of the San Diego-based Identity Theft Resource Center. "They have the starting point for all of your credit."
Foley said students are particularly bad at monitoring their credit, and he has seen cases where students face huge debt, incurred by others, because they failed to keep track of it.
Foley said Poly's recommendation, that affected students put fraud alerts on their credit report with one of the large credit reporting agencies, is a good one.
The case involving Mottman's laptop is the largest of recent cases involving student records that were exposed because of thefts or computer errors. Others include:
• In February, 19 animal science students were informed of their risk after professor Debbie Beckett had grade books stolen from a car in Atascadero.
• In December, a file was accidentally posted with detailed information about 196 students who had attended a 2001 computer science class taught by professor Lewis Hitchner.
• In May 2005, incidents involving 77 physics students and 411 aerospace engineering students were reported. One involved a flash computer disk theft, the other an information-filled e-mail which went astray.
The largest Cal Poly-related identity theft exposure reported in recent years originated off-campus in August 2004 when a California State University auditor lost track of a hard drive containing information on multiple campuses in the 23-campus system.
That contained information on 13,500 students and staff from Cal Poly. The disk has not been found.
Labels: Cal Poly
Trojan Hits 10,000 Computers in Australia; Tax File Numbers Stolen
(3 & 2 August 2006)
The Australian Tax Office has warned that nearly 180 citizens have had their tax file numbers stolen while accessing the e-tax system on line. The data theft was accomplished because the victims' computers had been infected with the Backdoor.Haxdoor.M Trojan horse program, which captures keystrokes and, in the case of the Australians' tax file numbers, posts them to the Internet. The attack is not specific to the Tax Office web site. More than 10,000 computers in Australia have been infected with the Trojan.
http://www.theage.com.au/articles/2006/08/02/1154198183117.html
http://www.smh.com.au/news/security/trojan-infects-10000-computers/2006/08/03/1154198244503.html
Labels: The Australian Tax Office
Visa Will Require Some Merchants to Adhere to Stricter Security Rules
(26 July 2006)
Visa USA has reclassified roughly 1,000 merchants under the Payment Card Industry (PCI) standards program, making them subject to more stringent security requirements. Merchants who processed fewer than 6 million card transactions annually were previously designated Level 4, but have been moved to Level 2, meaning they are "required to submit quarterly network-vulnerability scans" and complete a self-assessment questionnaire. Level 4 merchants were not required to comply, though VISA USA has suggested they do. The affected merchants must be in compliance with the security measures by September 30, 2007. In addition, approximately 1,000 merchants who process fewer than 1 million card transactions annually will be moved from level 3 to level 4, diminishing their security requirements.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002011
[Editor's Note (Schultz): The fact that VISA USA is requiring merchants to conform to more rigorous security standards is a very positive development in the fight against identity theft and other types of fraud. However, the fact that VISA USA has relaxed security requirements for other merchants without offering any explanation is troubling.]
Friday, August 04, 2006
Ways Google is shaking the security world
Sarah D. Scalet
May 16, 2006 (CSO) Ask Google anything -- what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission: Impossible: III is showing, whatever happened to Brian W. after he moved away in the ninth grade -- and you'll get an answer. That's the power of this $6 billion search engine sensation, which is so good at what it does that the company name became a verb.
That kind of power keeps Google on the front page of the news -- and sometimes under unfavorable scrutiny, as demonstrated by Google's recent clashes with the U.S. Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship.
CSOs and CISOs have a different reason to think carefully about Google and the implications of having so much information online, instantly accessible by almost anyone. Although these issues relate to all search engine companies, Google gets most of the attention -- not only because of its huge share of the Web search market but because of its unabashed ambitions to catalog everything from images and libraries to Earth, the moon and Mars.
"We always get enamored of a new technology, and it takes us a while to understand the price of that technology," says Robert Garigue, vice president of information integrity and chief security executive of Bell Canada Enterprises in Montreal. For security pros, the price is that Google can be used to dig up network vulnerabilities and locations of sensitive facilities, to enable fraud and cause other sorts of mayhem against the enterprise. Here, CSO examines the ways Google is shaking the security world, and what companies can do about them.
1. Google Hacking (strictly defined)
What it is: Using search engines to find systems vulnerabilities. Hackers can use carefully crafted searches to find things like open ports, overly revealing error messages or even (egads!) password files on a target organization's computer systems. Any search engine can do this; blame the popularity of the somewhat imprecise phrase "Google hacking" on Johnny Long. The author of the widely read book Google Hacking for Penetration Testers, Long hosts a virtual swap meet where members exchange and rate intricately written Google searches.
How it works: The way Google works is by "crawling" the Web, indexing everything it finds, caching the index information and using it to create the answers when someone runs a Web search. Unfortunately, sometimes organizations set up their systems in a way that allows Google to index and save a lot more information than they intended. To look for open ports on CSO's Web servers, for instance, a hacker could search Google.com for INURL:WWW.CSOONLINE.COM:1, then INURL:WWW.CSOONLINE.COM:2, and so on, to see if Google has indexed port 1, port 2 and others. The researcher also might search for phrases such as "Apache test page" or "error message," which can reveal configuration details that are like hacker cheat sheets. Carefully crafted Google searches sometimes can even unearth links to sloppily installed surveillance cameras or webcams that are not meant to be public.
Why it matters: Suppose someone is scanning all your ports. Normally, this activity would show up in system logs and possibly set off an intrusion-detection system. But search engines like Google have Web crawlers that are supposed to regularly read and index everything on your Web servers. (If they didn't, let's face it -- no one would ever visit your Web site.) By searching those indices instead of the systems themselves, "you can do penetration testing without actually touching the victims' sites," points out consultant Nish Bhalla, founder of Security Compass.
What to do: Beat hackers at their own game: Hold your own Google hacking party (pizzas optional). Make Google and other search engines part of your company's routine penetration testing process. Bhalla recommends having techies focus on two things: which ports are open, and which error messages are available.
When you find a problem, your first instinct may be to chase Google off those parts of your property. There is a way to do this -- sort of -- by using a commonly agreed-upon protocol called a "robots.txt" file. This file, which is placed in the root directory of a Web site, contains instructions about files or folders that should not be indexed by search engines. (For a notoriously long example, view the White House's file at www.whitehouse.gov/robots.txt.) Many companies that run search engines heed the instructions in this file.
Notice I said "many"? Some search engines ignore robots.txt requests and simply index everything anyway. What's more, the robots.txt file tips off hackers about which public parts of your Web servers you'd prefer to keep quiet. Meanwhile, the information that your pen testers found through Google is already out there. Sure, you can contact search engines individually and ask them, pretty please, to remove the information from their caches. (Visit www.google.com/webmasters for instructions.) But you're better off making the information useless.
"The persistence of these caches is impossible to manage, so you have to assume that if it's there, it's going to be there forever," says Ed Amoroso, CISO of AT&T. His solution? Simple. "Let's say you found a file with a bunch of passwords. Change those passwords."
Then, fix the underlying problem. Eliminate or hide information that shouldn't be publicly available. Long term, you'll have to do the heavy lifting too, by closing unnecessary ports or fixing poorly written applications.
Shock waves: 4 (highest). It's up to you to make sure your company isn't accidentally publishing instructions on how to hack its systems.
2. Google Hacking (loosely defined)
What it is: Using search engines to find intellectual property. It's Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization's strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business).
How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. "Companies leave bread crumb trails all over the place on the Web," says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" one day in February yielded 56,400 results. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market.
Another common approach is searching for phrases that may indicate information that wasn't intended to be public. For this, keywords such as "personal", "confidential" or "not for distribution" are invaluable. These targeted searches don't always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for "GENERAL MOTORS" "NOT FOR DISTRIBUTION" was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!)
A final tactic is to target the organization's site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase "phone list" or "contact list". (An actual search might be SITE:CSOONLINE.COM "PHONE LIST", and if you run that particular search, you'll find stories CSO has published about why your company's phone directory is better kept under wraps.)
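The self-audit described under sections 1 and 2 (checking which ports, error pages and document types search engines have already picked up from your own servers, and whether crawlers honoured your robots.txt) is easier to run from the server side than by guessing Google queries: anything a crawler fetched with a 200 is probably cached by now. The following Python script is an added example, not code from CSO or from any of the people quoted; the robots.txt, the Apache combined-format log lines, the IP addresses and the paths in it are all constructed sample data, and the list of crawler tokens and "sensitive name" patterns is a starting point you would extend for your own site.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed robots.txt for a fictional site (not any real organisation's file).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /internal/phone-list.xls
"""

# Constructed Apache combined-format access log lines (sample data, not real traffic).
ACCESS_LOG = """\
66.249.66.1 - - [10/Feb/2006:08:12:01 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Feb/2006:08:12:05 -0500] "GET /backup/passwords.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
72.30.1.9 - - [10/Feb/2006:09:01:44 -0500] "GET /internal/phone-list.xls HTTP/1.1" 200 40960 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
10.0.0.7 - - [10/Feb/2006:09:30:00 -0500] "GET /admin/login.php HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.249.66.1 - - [10/Feb/2006:10:00:00 -0500] "GET /test.php HTTP/1.1" 500 3011 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Feb/2006:10:00:03 -0500] "GET /reports/q1-forecast.pdf HTTP/1.1" 200 90001 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_TOKENS = ("Googlebot", "Slurp", "msnbot")        # extend with the crawlers you see
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".ppt"}          # the filetype: searches from section 2
SENSITIVE_NAME_RE = re.compile(
    r"passw|backup|phone.?list|contact.?list|confidential|\.bak$|\.old$", re.I)


def parse_disallow(robots_txt: str) -> List[str]:
    """Collect every Disallow prefix: the paths the site asked crawlers not to index."""
    prefixes = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                prefixes.append(value)
    return prefixes


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; query strings are dropped from the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def crawler_name(user_agent: str) -> Optional[str]:
    """Return the crawler token found in the user agent, or None for ordinary browsers."""
    for token in CRAWLER_TOKENS:
        if token in user_agent:
            return token
    return None


def classify(path: str, status: int, disallowed: List[str]) -> List[str]:
    """Reasons a crawler fetch of this path is worth a look, in a fixed order."""
    reasons = []
    if any(path.startswith(p) for p in disallowed):
        reasons.append("disallowed")       # a 200 here means the crawler ignored robots.txt
    if SENSITIVE_NAME_RE.search(path):
        reasons.append("sensitive-name")
    if os.path.splitext(path)[1].lower() in DOCUMENT_EXTS:
        reasons.append("document")
    if status >= 500:
        reasons.append("error")            # server error pages are what "error message" searches find
    return reasons


def audit(log_text: str, robots_txt: str) -> List[Dict[str, object]]:
    """Report every crawler fetch that probably put something unwanted into a public index."""
    disallowed = parse_disallow(robots_txt)
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        bot = crawler_name(rec["ua"])
        if bot is None:
            continue                       # only search-engine fetches end up in a search index
        status = int(rec["status"])
        if status != 200 and status < 500:
            continue                       # redirects and 404s leave nothing useful in a cache
        reasons = classify(rec["path"], status, disallowed)
        if reasons:
            findings.append({"crawler": bot, "path": rec["path"],
                             "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, ROBOTS_TXT):
        print(f"{f['crawler']:<9} {f['status']} {f['path']}  <- {', '.join(f['reasons'])}")
```

On the constructed log this flags four fetches: the password file under a disallowed directory, the phone-list spreadsheet (disallowed, sensitive name and a document type), the page that returned a 500 to Googlebot, and a PDF in a reports directory; the MSIE request for the admin page is ignored because a browser visit does not feed a search index. Each hit is a candidate for the Amoroso treatment (change what was exposed, then remove or protect the file) rather than just a robots.txt entry.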
Why it matters: "If it's on Google, it's all legal," says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret -- and if something is public enough to appear in Google, can you really argue that it was protected like a trade secret?
What to do: That Google hacking party we mentioned earlier should involve a few site searches for sensitive files, such as financial records and documents labeled "not for distribution." Beyond your own borders, it's a good idea to know what people are saying about your organization, even if there's little you can do about it. "Using search engines to figure out what your public-facing view looks like has become a de facto element in any corporate security program," Amoroso says.
Brand protection companies such as MarkMonitor and Cyveillance will work the beat for you, if you'd prefer. Creating (and enforcing) good policies about employee blogging or the use of message boards and chat rooms can also limit your exposure.
Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. The Web means more information gets out, and it's easier to find.
3. Google Earth
What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks.
How it works: After the user installs the software (the basic version is free at http://earth.google.com), he can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution.
Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to U.S.-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the U.S. Geological Survey a decade ago with its Terraserver project. It just doesn't work as smoothly.
Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the U.S. military has what Pike calls "shutter control": the ability to tell commercial satellite companies not to release imagery that might compromise U.S. military operations. To the best of Pike's knowledge, the U.S. military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration's war on terrorism.
"If Rummy's not worried about it," Pike says, referring to Secretary of State Donald Rumsfeld, "it's hard for me to see how anyone can lose much sleep over it."
What to do: If your organization's security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain't much of a plan. "Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility," Pike says. "If security managers have something that they don't want to be seen, they need to put a roof on it."
Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the U.S. Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. "From a CISO perspective, I think we need to be aware of these kinds of tools," he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it's a concern about as big as your lawn chairs seen from space.
Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why.
4. Click Fraud
What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor's advertising budget.
How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a website. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud.
First, the competitor variety: Let's suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase "life insurance". Then, when someone runs a Google search for that exact phrase, the company's ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google's secret sauce.) Each time someone clicks the sponsored link, Life Insurance Co. pays the agreed-upon price to Google -- say $5. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Co.'s advertising bill by clicking the link. A lot.
Network click fraud, on the other hand, cashes in on the fact that Google isn't the only company that hosts Google advertising. Suppose someone has a blog about insurance. She can sign up as a Google advertising affiliate and have ads for insurance run on her site. If Life Insurance Co. is paying Google $5 per click, Ms. Insurance Blogger might pocket $1 for each click her site generates. Network click fraud is when an affiliate generates fraudulent traffic in order to boost its revenue.
Google insists it is trying to keep the problem in check. Shuman Ghosemajumder, product manager for trust and safety at Google, says the company monitors for all kinds of what it dubs "invalid clicks," and that it routinely issues refunds to advertisers and closes down fraudulent affiliates. In 2005, Google even won a lawsuit against an affiliate it charged with click fraud. But some advertisers say that Google isn't doing enough to prevent and monitor for fraud because it profits from the fraud. Google faces a class-action lawsuit led by AIT, a Web-hosting company, and is in the midst of reaching a $90 million settlement with Lane's Gifts & Collectibles, a mail-order store. (At press time, the proposed settlement was before a judge.)
Why it matters: Click fraud is following a trajectory that will be familiar to any CSO, and it's a telling example of how sophisticated and profitable electronic crime has become. First, the good guys started looking at server logs to find IP addresses in patterns that indicated fraud. The bad guys responded by creating automated bots that simulated different IP addresses and had varying time stamps. Then, the good guys improved their click-fraud detection tools, with a cottage industry sprouting up that specializes in helping online advertisers monitor for fraud. Cue up "click farms," where the bad guys hire people in other countries to do the clicking in a way that looks more realistic. "It's a cat-and-mouse game," says Chris Sherman, executive editor of SearchEngineWatch.com.
What to do: The first step is to put tracking measures in place. In a recent survey done by the Search Engine Marketing Professional Organization (Sempo), a trade group, 42% of respondents said they had been victims of click fraud, but nearly one-third of respondents said they weren't actively tracking fraud. "The way you monitor it is you look for something that doesn't make sense," explains Kevin Lee, chair of the group's research committee. "If you spent $100 every day last week, and then this week you spent $130 every day and didn't get any more conversions, or whatever your success metrics are," then you might have a problem, he says.
"Usually the engines will catch the obvious fraud, and they won't even bill you for it," Lee continues. But if you have a larger problem, you may need to gather information about why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund. Ghosemajumder says Google devotes significant resources to a team of investigators who proactively monitor for fraud and also do research about possible fraud reported by advertisers. Google also has engineers working on technical means to identify invalid clicks. According to the Sempo survey, 78% of advertisers that have been victims of click fraud have received credit from a paid search provider, and 40% of the time it was based on their request.
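The two advertiser-side checks this section describes, the original one (IP addresses clicking in patterns that do not look human) and Lee's rule of thumb (daily spend goes up, conversions do not), can both be run over the advertiser's own click records. The Python below is an added example, not code from CSO, Google or any of the people quoted; the "Life Insurance Co." campaign, the click records, the $5 price per click and the IP addresses are constructed sample data, and the thresholds (three clicks in ten minutes, a 20 percent rise in daily spend) are assumptions you would tune to your own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List


@dataclass
class Click:
    ts: datetime      # when the sponsored link was clicked
    ip: str           # visitor address as recorded by the advertiser's own server log
    keyword: str      # the keyword the ad was bought for
    cost: float       # agreed price per click
    converted: bool   # whether the visit produced a quote request, sale, etc.


def build_sample_clicks() -> List[Click]:
    """Constructed records for a fictional 'Life Insurance Co.' campaign (not real data)."""
    clicks = []
    legit_ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    # Baseline week: four clicks a day from distinct addresses, one of which converts.
    for day in range(5):
        base = datetime(2006, 2, 6, 9, 0) + timedelta(days=day)
        for i, ip in enumerate(legit_ips):
            clicks.append(Click(base + timedelta(hours=i), ip, "life insurance", 5.0, i == 0))
    # Current week: the same legitimate traffic plus five clicks in four minutes from one address.
    for day in range(3):
        base = datetime(2006, 2, 13, 9, 0) + timedelta(days=day)
        for i, ip in enumerate(legit_ips):
            clicks.append(Click(base + timedelta(hours=i), ip, "life insurance", 5.0, i == 0))
        for k in range(5):
            clicks.append(Click(base + timedelta(minutes=k), "192.0.2.50", "life insurance", 5.0, False))
    return clicks


def repeat_click_ips(clicks: List[Click], window_minutes: int = 10, threshold: int = 3) -> Dict[str, int]:
    """Return {ip: largest burst} for addresses that clicked `threshold` or more times
    inside `window_minutes`. One person rarely clicks the same ad that often that fast."""
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c.ip].append(c.ts)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        largest, start = 0, 0
        for end, t in enumerate(times):            # sliding window over this address's clicks
            while t - times[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            flagged[ip] = largest
    return flagged


def daily_totals(clicks: List[Click]) -> Dict[date, List[float]]:
    """Per calendar day: [spend, conversions]."""
    totals = defaultdict(lambda: [0.0, 0])
    for c in clicks:
        totals[c.ts.date()][0] += c.cost
        totals[c.ts.date()][1] += int(c.converted)
    return totals


def spend_anomaly(clicks: List[Click], cutoff_day: str, spend_rise: float = 0.2) -> Dict[str, object]:
    """Lee's rule: flag when average daily spend from `cutoff_day` on rose by `spend_rise`
    or more while average daily conversions did not rise at all."""
    cutoff = date.fromisoformat(cutoff_day)
    totals = daily_totals(clicks)

    def averages(days):
        if not days:
            return 0.0, 0.0
        return (sum(totals[d][0] for d in days) / len(days),
                sum(totals[d][1] for d in days) / len(days))

    base_spend, base_conv = averages([d for d in totals if d < cutoff])
    cur_spend, cur_conv = averages([d for d in totals if d >= cutoff])
    return {
        "baseline_daily_spend": base_spend, "current_daily_spend": cur_spend,
        "baseline_daily_conversions": base_conv, "current_daily_conversions": cur_conv,
        "flagged": cur_spend >= base_spend * (1 + spend_rise) and cur_conv <= base_conv,
    }


def suspect_spend(clicks: List[Click], flagged_ips: Dict[str, int]) -> float:
    """Money paid for clicks from flagged addresses: the figure to put in a refund request."""
    return sum(c.cost for c in clicks if c.ip in flagged_ips)


if __name__ == "__main__":
    data = build_sample_clicks()
    bursts = repeat_click_ips(data)
    print("burst addresses:", bursts)
    print("spend check:", spend_anomaly(data, "2006-02-13"))
    print("spend attributable to flagged addresses: $%.2f" % suspect_spend(data, bursts))
```

On the constructed data the burst check names 192.0.2.50 (five clicks within the window) and the spend check trips because daily spend went from $20 to $45 while conversions stayed at one a day; the $75 attributable to the flagged address is the kind of evidence the section says to gather before asking the ad host for a credit. The burst rule catches only the crude version of the fraud; as the text notes, bots rotating addresses and click farms defeat it, which is why the spend-versus-conversion check, which does not depend on who clicked, is worth running alongside it.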
The question, of course, is whether to bother making a request. Who better than the CSO to help the advertising department figure out whether it would cost more for the company to tamp down on the problem or simply to pay for the fraud?
Shock waves: 2 (moderate). For companies using pay-per-click, this is one to watch. Click fraud has the potential to dramatically reduce the effectiveness of online advertising. But with more than 90 percent of Google's revenue coming from advertising, the company has a serious incentive to keep the problem in check so that advertisers don't lose faith in the pay-per-click model.
5. Google Desktop
What it is: A free tool offered by Google that allows users to quickly search the contents of their hard drives. (Similar tools are offered by MSN, Yahoo and others.) The latest version can also be used to share files between computers.
How it works: After the user downloads the tool, it works in the background to index everything on his hard drive, much like Google indexes the Web. All fixed drives are indexed by default, but the user can specify folders to exclude or extra drives to add. The software can be set to return results on text files, spreadsheets, PDFs, Web history, e-mail and more. Once the indexing is done, when the user runs a Google search, items from his own computer appear at the top of the results. Alternately, he can use the tool by itself by opening it on his desktop; he doesn't even need to be connected to the Web.
A new version also has a controversial feature that allows a user to share files between computers. With this setting enabled, Google indexes the files on one computer, pulls them up on its servers, then pushes them down onto another computer (which is similarly configured with the software). Then, a search done on one computer returns results from both.
Why it matters: It's easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone's hard drive for files about, say, Bob Jones's salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren't indexed.
To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren't indexed unless the user changes a setting. "People screamed about that, and Google changed it very quickly," SearchEngineWatch.com's Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies -- as well as many individuals who are concerned about their personal privacy -- are also leery of making so much information available to Google.
The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users' personal files can sit on Google's servers for up to 30 days. Google downplays this time frame. Says Matthew Glotzbach, product manager for Google Enterprise, "If both of your computers are on and syncing, [the files are on Google's servers] only a matter of minutes" -- the time it takes for Google to pull up the information and push it back down onto the second computer.
But having the information saved on Google's servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google's privacy policy states: "We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.") In one especially charged case, Google fought a subpoena from the U.S. Department of Justice, which wanted search results to help analyze its enforcement of the Children's Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores.
The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. "Anytime you install software from a third party directly on a hard drive of a particular machine, you're potentially opening up holes in the security of that machine," says Matt Brown, a Forrester senior analyst.
What to do: It's time to catch up -- something that Brown says is especially important given the fact that Sarbanes-Oxley requires companies to keep tabs on where and how long their information is retained. Consider whether your users actually need desktop search for their jobs. If they do, you'll want to have a hand in how it's configured and used. (Bonus points go to the CSO who makes sure that users understand the privacy implications of all these tools, beyond just telling them to read the privacy policy.)
At the FDA, Stine is in the early stages of looking at the tool. "There have been some requests [for desktop search] here and there, but there hasn't been a user outcry," he says. If (or when) there comes a point when a lot of users have a legitimate need for desktop search, Stine says he'll look carefully at how the technology identifies, indexes and presents information. "We'd have to ensure that we still maintain complete control -- at least as complete as possible -- over the information," he says.
Fortunately, he'd have plenty of options. Several companies have enterprise desktop search tools that help CISOs keep tabs on the information. Google Desktop 3 for Enterprise, currently in beta, allows administrators to completely disable features such as the Search Across Computers feature. Google says it is working to make future versions of this tool easier to manage. "I don't think we anticipated such a concerned or negative response," Glotzbach says. "We've taken to heart the feedback on the Search Across Computers feature, especially in the enterprise context, and we're actively working on making it even easier for the companies to use" in a secure manner, he says.
X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool that Brown says is more manageable from an IT perspective. "Part of the problem with these technologies is they get announced and people immediately start downloading," Brown says. "It takes companies a little while to catch on to what's happening."
Shock waves: 4 (highest). Desktop search is an untested technology with a wide potential for misuse. If your users don't need it, don't let them use it; if they do need it, consider enterprise tools that can be centrally managed and controlled.
Future Shocks
Google has shaken us, by holding up a mirror and forcing us to look at what we've put online. "Google provides a lot of capability that can do you harm as well as providing you search capabilities," Winkler says. "What makes it its strength makes it its danger."
The future will make search technology only more dangerous. Bell Canada's Garigue points out that search technology is still in its very infancy, barely scratching the surface of what he calls the shallow Web. "The shallow Web is everything that's public on Web servers," he says. "The deep Web is what's hidden inside databases." From the Library of Congress to Lexis-Nexis' legal and news archives, to Medline's medical databases, the great bulk of information that people access online is still available only to subscribers, not to Google. "Google is the first generation of tools," Garigue says. As those tools get more sophisticated, the shock waves will only grow stronger.
Sarah D. Scalet
May 16, 2006 (CSO) Ask Google anything -- what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission: Impossible: III is showing, whatever happened to Brian W. after he moved away in the ninth grade -- and you'll get an answer. That's the power of this $6 billion search engine sensation, which is so good at what it does that the company name became a verb.
That kind of power keeps Google on the front page of the news -- and sometimes under unfavorable scrutiny, as demonstrated by Google's recent clashes with the U.S. Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship.
CSOs and CISOs have a different reason to think carefully about Google and the implications of having so much information online, instantly accessible by almost anyone. Although these issues relate to all search engine companies, Google gets most of the attention -- not only because of its huge share of the Web search market but because of its unabashed ambitions to catalog everything from images and libraries to Earth, the moon and Mars.
"We always get enamored of a new technology, and it takes us a while to understand the price of that technology," says Robert Garigue, vice president of information integrity and chief security executive of Bell Canada Enterprises in Montreal. For security pros, the price is that Google can be used to dig up network vulnerabilities and locations of sensitive facilities, to enable fraud and cause other sorts of mayhem against the enterprise. Here, CSO examines the ways Google is shaking the security world, and what companies can do about them.
1. Google Hacking (strictly defined)
What it is: Using search engines to find systems vulnerabilities. Hackers can use carefully crafted searches to find things like open ports, overly revealing error messages or even (egads!) password files on a target organization's computer systems. Any search engine can do this; blame the popularity of the somewhat imprecise phrase "Google hacking" on Johnny Long. The author of the widely read book Google Hacking for Penetration Testers, Long hosts a virtual swap meet where members exchange and rate intricately written Google searches.
How it works: The way Google works is by "crawling" the Web, indexing everything it finds, caching the index information and using it to create the answers when someone runs a Web search. Unfortunately, sometimes organizations set up their systems in a way that allows Google to index and save a lot more information than they intended. To look for open ports on CSO's Web servers, for instance, a hacker could search Google.com for INURL:WWW.CSOONLINE.COM:1, then INURL:WWW.CSOONLINE.COM:2, and so on, to see if Google has indexed port 1, port 2 and others. The researcher also might search for phrases such as "Apache test page" or "error message," which can reveal configuration details that are like hacker cheat sheets. Carefully crafted Google searches sometimes can even unearth links to sloppily installed surveillance cameras or webcams that are not meant to be public.
Why it matters: Suppose someone is scanning all your ports. Normally, this activity would show up in system logs and possibly set off an intrusion-detection system. But search engines like Google have Web crawlers that are supposed to regularly read and index everything on your Web servers. (If they didn't, let's face it -- no one would ever visit your Web site.) By searching those indices instead of the systems themselves, "you can do penetration testing without actually touching the victims' sites," points out consultant Nish Bhalla, founder of Security Compass.
What to do: Beat hackers at their own game: Hold your own Google hacking party (pizzas optional). Make Google and other search engines part of your company's routine penetration testing process. Bhalla recommends having techies focus on two things: which ports are open, and which error messages are available.
When you find a problem, your first instinct may be to chase Google off those parts of your property. There is a way to do this -- sort of -- by using a commonly agreed-upon protocol called a "robots.txt" file. This file, which is placed in the root directory of a Web site, contains instructions about files or folders that should not be indexed by search engines. (For a notoriously long example, view the White House's file at www.whitehouse.gov/robots.txt.) Many companies that run search engines heed the instructions in this file.
Notice I said "many"? Some search engines ignore robots.txt requests and simply index everything anyway. What's more, the robots.txt file tips off hackers about which public parts of your Web servers you'd prefer to keep quiet. Meanwhile, the information that your pen testers found through Google is already out there. Sure, you can contact search engines individually and ask them, pretty please, to remove the information from their caches. (Visit www.google.com/webmasters for instructions.) But you're better off making the information useless.
"The persistence of these caches is impossible to manage, so you have to assume that if it's there, it's going to be there forever," says Ed Amoroso, CISO of AT&T. His solution? Simple. "Let's say you found a file with a bunch of passwords. Change those passwords."
Then, fix the underlying problem. Eliminate or hide information that shouldn't be publicly available. Long term, you'll have to do the heavy lifting too, by closing unnecessary ports or fixing poorly written applications.
Shock waves: 4 (highest). It's up to you to make sure your company isn't accidentally publishing instructions on how to hack its systems.
2. Google Hacking (loosely defined)
What it is: Using search engines to find intellectual property. It's Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization's strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business).
How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. "Companies leave bread crumb trails all over the place on the Web," says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" one day in February yielded 56,400 results. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market.
Another common approach is searching for phrases that may indicate information that wasn't intended to be public. For this, keywords such as "personal", "confidential" or "not for distribution" are invaluable. These targeted searches don't always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for "GENERAL MOTORS" "NOT FOR DISTRIBUTION" was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!)
A final tactic is to target the organization's site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase "phone list" or "contact list". (An actual search might be SITE:CSOONLINE.COM "PHONE LIST", and if you run that particular search, you'll find stories CSO has published about why your company's phone directory is better kept under wraps.)
Why it matters: "If it's on Google, it's all legal," says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret--and if something is public enough to appear in Google, can you really argue that it was protected like a trade secret?
What to do: That Google hacking party we mentioned earlier should involve a few site searches for sensitive files, such as financial records and documents labeled "not for distribution." Beyond your own borders, it's a good idea to know what people are saying about your organization, even if there's little you can do about it. "Using search engines to figure out what your public-facing view looks like has become a de facto element in any corporate security program," Amoroso says.
Brand protection companies such as MarkMonitor and Cyveillance will work the beat for you, if you'd prefer. Creating (and enforcing) good policies about employee blogging or the use of message boards and chat rooms can also limit your exposure.
Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. The Web means more information gets out, and it's easier to find.
3. Google Earth
What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks.
How it works: After the user installs the software (the basic version is free at http://earth.google.com), he can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution.
Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to U.S.-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the U.S. Geological Survey a decade ago with its Terraserver project. It just doesn't work as smoothly.
Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the U.S. military has what Pike calls "shutter control": the ability to tell commercial satellite companies not to release imagery that might compromise U.S. military operations. To the best of Pike's knowledge, the U.S. military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration's war on terrorism.
"If Rummy's not worried about it," Pike says, referring to Secretary of State Donald Rumsfeld, "it's hard for me to see how anyone can lose much sleep over it."
What to do: If your organization's security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain't much of a plan. "Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility," Pike says. "If security managers have something that they don't want to be seen, they need to put a roof on it."
Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the U.S. Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. "From a CISO perspective, I think we need to be aware of these kinds of tools," he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it's a concern about as big as your lawn chairs seen from space.
Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why.
4. Click Fraud
What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor's advertising budget.
How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a website. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud.
First, the competitor variety: Let's suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase "life insurance". Then, when someone runs a Google search for that exact phrase, the company's ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google's secret sauce.) Each time someone clicks the sponsored link, Life Insurance Co. pays the agreed-upon price to Google -- say $5. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Co.'s advertising bill by clicking the link. A lot.
Network click fraud, on the other hand, cashes in on the fact that Google isn't the only company that hosts Google advertising. Suppose someone has a blog about insurance. She can sign up as a Google advertising affiliate and have ads for insurance run on her site. If Life Insurance Co. is paying Google $5 per click, Ms. Insurance Blogger might pocket $1 for each click her site generates. Network click fraud is when an affiliate generates fraudulent traffic in order to boost its revenue.
Google insists it is trying to keep the problem in check. Shuman Ghosmajumder, product manager for trust and safety at Google, says the company monitors for all kinds of what it dubs "invalid clicks," and that it routinely issues refunds to advertisers and closes down fraudulent affiliates. In 2005, Google even won a lawsuit against an affiliate it charged with click fraud. But some advertisers say that Google isn't doing enough to prevent and monitor for fraud because it profits from the fraud. Google faces a class-action lawsuit led by AIT, a Web-hosting company, and is in the midst of reaching a $90 million settlement with Lane's Gifts & Collectibles, a mail-order store. (At press time, the proposed settlement was before a judge.)
Why it matters: Click fraud is following a trajectory that will be familiar to any CSO, and it's a telling example of how sophisticated and profitable electronic crime has become. First, the good guys started looking at server logs to find IP addresses in patterns that indicated fraud. The bad guys responded by creating automated bots that simulated different IP addresses and had varying time stamps. Then, the good guys improved their click-fraud detection tools, with a cottage industry sprouting up that specializes in helping online advertisers monitor for fraud. Cue up "click farms," where the bad guys hire people in other countries to do the clicking in a way that looks more realistic. "It's a cat-and-mouse game," says Chris Sherman, executive editor of SearchEngineWatch.com.
What to do: The first step is to put tracking measures in place. In a recent survey done by the Search Engine Marketing Professional Organization (Sempo), a trade group, 42% of respondents said they had been victims of click fraud, but nearly one-third of respondents said they weren't actively tracking fraud. "The way you monitor it is you look for something that doesn't make sense," explains Kevin Lee, chair of the group's research committee. "If you spent $100 every day last week, and then this week you spent $130 every day and didn't get any more conversions, or whatever your success metrics are," then you might have a problem, he says.
"Usually the engines will catch the obvious fraud, and they won't even bill you for it," Lee continues. But if you have a larger problem, you may need to gather information about why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund. Ghosmajumder says Google devotes significant resources to a team of investigators who proactively monitor for fraud and also do research about possible fraud reported by advertisers. Google also has engineers working on technical means to identify invalid clicks. According to the Sempo survey, 78% of advertisers that have been victims of click fraud have received credit from a paid search provider, and 40% of the time it was based on their request.
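The two checks described above, Lee's "spend went up, conversions didn't" rule and the older server-log look for repeat IP addresses, as an added worked example. This is illustration code written for this page, not a tool from Google, Sempo or any of the people quoted; the spend figures, click log lines and thresholds are all constructed, and the threshold values are assumptions to be tuned against your own campaign history.

```python
"""Two checks for pay-per-click fraud, run over constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: daily (spend_usd, conversions) for two consecutive weeks.
# Spend rose from $100/day to $130/day while conversions stayed flat.
LAST_WEEK = [(100.0, 5), (100.0, 4), (100.0, 5), (100.0, 5), (100.0, 6), (100.0, 4), (100.0, 5)]
THIS_WEEK = [(130.0, 5), (130.0, 4), (130.0, 5), (130.0, 5), (130.0, 6), (130.0, 4), (130.0, 5)]

# Constructed click log: "timestamp ip ad_id", one click per line.
CLICK_LOG = """\
2006-05-01T09:00:01 203.0.113.5 ad-life-insurance
2006-05-01T09:00:03 203.0.113.5 ad-life-insurance
2006-05-01T09:00:04 203.0.113.5 ad-life-insurance
2006-05-01T09:00:06 203.0.113.5 ad-life-insurance
2006-05-01T10:15:00 198.51.100.7 ad-life-insurance
2006-05-01T11:00:00 192.0.2.9 ad-life-insurance
2006-05-01T16:00:00 192.0.2.9 ad-life-insurance
2006-05-01T20:00:00 192.0.2.9 ad-life-insurance
"""


def spend_anomaly(last_week, this_week, spend_rise=0.2, conv_tolerance=0.05):
    """Lee's rule of thumb: flag a week whose spend rose by at least
    `spend_rise` while conversions rose by no more than `conv_tolerance`.
    Both thresholds are assumptions, not figures from the article."""
    last_spend = sum(s for s, _ in last_week)
    this_spend = sum(s for s, _ in this_week)
    last_conv = sum(c for _, c in last_week)
    this_conv = sum(c for _, c in this_week)
    spend_ratio = this_spend / last_spend
    conv_ratio = this_conv / last_conv if last_conv else float("inf")
    suspicious = spend_ratio >= 1 + spend_rise and conv_ratio <= 1 + conv_tolerance
    return {
        "spend_ratio": round(spend_ratio, 3),
        "conv_ratio": round(conv_ratio, 3),
        "suspicious": suspicious,
    }


def repeated_click_ips(log_text, threshold=3, window_seconds=60):
    """Server-log check: an IP that clicks the same ad `threshold` or more
    times within `window_seconds` is flagged. Returns {(ip, ad): total_clicks}.
    A burst check misses bots that rotate addresses and click farms that pace
    themselves; it is only the first rung of the cat-and-mouse ladder."""
    clicks = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, ad = line.split()
        clicks[(ip, ad)].append(datetime.fromisoformat(stamp))
    flagged = {}
    for key, times in clicks.items():
        times.sort()
        # Any run of `threshold` consecutive clicks inside the window is enough.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[key] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(spend_anomaly(LAST_WEEK, THIS_WEEK))
    print(repeated_click_ips(CLICK_LOG))
```

On the constructed data the spend check reports a 1.3x spend ratio against a flat conversion ratio and flags the week, and the log check flags only 203.0.113.5, whose four clicks fall within a few seconds; 192.0.2.9 also clicked three times but spread over nine hours, which is exactly the kind of traffic a paced click farm produces and a short window will not catch. The output of either check is the evidence Lee suggests gathering before asking the ad network for a refund.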
The question, of course, is whether to bother making a request. Who better than the CSO to help the advertising department figure out whether it would cost more for the company to tamp down on the problem or simply to pay for the fraud?
Shock waves: 2 (moderate). For companies using pay-per-click, this is one to watch. Click fraud has the potential to dramatically reduce the effectiveness of online advertising. But with more than 90 percent of Google's revenue coming from advertising, the company has a serious incentive to keep the problem in check so that advertisers don't lose faith in the pay-per-click model.
5. Google Desktop
What it is: A free tool offered by Google that allows users to quickly search the contents of their hard drives. (Similar tools are offered by MSN, Yahoo and others.) The latest version can also be used to share files between computers.
How it works: After the user downloads the tool, it works in the background to index everything on his hard drive, much like Google indexes the Web. All fixed drives are indexed by default, but the user can specify folders to exclude or extra drives to add. The software can be set to return results on text files, spreadsheets, PDFs, Web history, e-mail and more. Once the indexing is done, when the user runs a Google search, items from his own computer appear at the top of the results. Alternately, he can use the tool by itself by opening it on his desktop; he doesn't even need to be connected to the Web.
A new version also has a controversial feature that allows a user to share files between computers. With this setting enabled, Google indexes the files on one computer, pulls them up on its servers, then pushes them down onto another computer (which is similarly configured with the software). Then, a search done on one computer returns results from both.
Why it matters: It's easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone's hard drive for files about, say, Bob Jones's salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren't indexed.
To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren't indexed unless the user changes a setting. "People screamed about that, and Google changed it very quickly," SearchEngineWatch.com's Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies -- as well as many individuals who are concerned about their personal privacy -- are also leery of making so much information available to Google.
The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users' personal files can sit on Google's servers for up to 30 days. Google downplays this time frame. Says Matthew Glotzbach, product manager for Google Enterprise, "If both of your computers are on and syncing, [the files are on Google's servers] only a matter of minutes"--the time it takes for Google to pull up the information and push it back down onto the second computer.
But having the information saved on Google's servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google's privacy policy states: "We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.") In one especially charged case, Google fought a subpoena from the U.S. Department of Justice, which wanted search results to help analyze its enforcement of the Children's Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores.
The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. "Anytime you install software from a third party directly on a hard drive of a particular machine, you're potentially opening up holes in the security of that machine," says Matt Brown, a Forrester senior analyst.
What to do: It's time to catch up -- something that Brown says is especially important given the fact that Sarbanes-Oxley requires companies to keep tabs on where and how long their information is retained. Consider whether your users actually need desktop search for their jobs. If they do, you'll want to have a hand in how it's configured and used. (Bonus points go to the CSO who makes sure that users understand the privacy implications of all these tools, beyond just telling them to read the privacy policy.)
At the FDA, Stine is in the early stages of looking at the tool. "There have been some requests [for desktop search] here and there, but there hasn't been a user outcry," he says. If (or when) there comes a point when a lot of users have a legitimate need for desktop search, Stine says he'll look carefully at how the technology identifies, indexes and presents information. "We'd have to ensure that we still maintain complete control -- at least as complete as possible -- over the information," he says.
Fortunately, he'd have plenty of options. Several companies have enterprise desktop search tools that help CISOs keep tabs on the information. Google Desktop 3 for Enterprise, currently in beta, allows administrators to completely disable features such as the Search Across Computers feature. Google says it is working to make future versions of this tool easier to manage. "I don't think we anticipated such a concerned or negative response," Glotzbach says. "We've taken to heart the feedback on the Search Across Computers feature, especially in the enterprise context, and we're actively working on making it even easier for the companies to use" in a secure manner, he says.
X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool that Brown says is more manageable from an IT perspective. "Part of the problem with these technologies is they get announced and people immediately start downloading," Brown says. "It takes companies a little while to catch on to what's happening."
Shock waves: 4 (highest). Desktop search is an untested technology with a wide potential for misuse. If your users don't need it, don't let them use it; if they do need it, consider enterprise tools that can be centrally managed and controlled.
Future Shocks
Google has shaken us, by holding up a mirror and forcing us to look at what we've put online. "Google provides a lot of capability that can do you harm as well as providing you search capabilities," Winkler says. "What makes it its strength makes it its danger."
The future will make search technology only more dangerous. Bell Canada's Garigue points out that search technology is still in its very infancy, barely scratching the surface of what he calls the shallow Web. "The shallow Web is everything that's public on Web servers," he says. "The deep Web is what's hidden inside databases." From the Library of Congress to Lexis-Nexis' legal and news archives, to Medline's medical databases, the great bulk of information that people access online is still available only to subscribers, not to Google. "Google is the first generation of tools," Garigue says. As those tools get more sophisticated, the shock waves will only grow stronger.
Idaho utility hard drives -- and data -- turn up on eBay
Sharon Fisher
May 04, 2006 (Computerworld) Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay.
If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first.
Idaho Power Co. discovered that possibility last week as it scrambled to track down company disk drives that had been sold on eBay without having been scrubbed first. The Boise, Idaho-based utility serves approximately 460,000 customers in the southern part of Idaho and in eastern Oregon.
Data on the drives, which had been used in servers, contained proprietary company information such as memos, correspondence with some customers and confidential employee information, the company said.
Idaho Power had recycled approximately 230 SCSI drives -- a year’s worth of updates -- through a single salvage vendor, Grant Korth, which then sold 84 of the drives to 12 parties through eBay. The company recovered 146 of the drives from the vendor. It also got assurances from 10 of the 12 parties that bought them on eBay that the drives would be returned or the data on them would not be saved or distributed. The other two drives are still being tracked down; an Idaho Power spokesman did not know what information was on them.
Nampa, Idaho-based Grant Korth refused to comment. In the meantime, Idaho Power has launched an independent investigation through Blank Law & Technology PS in Seattle into why its policy on scrubbing drives was not followed. Typically, Idaho Power was to have either physically destroyed the drives or scrubbed them to U.S. Department of Defense standards -- which involves degaussing them or overwriting the data with a minimum of three specified patterns -- and the salvage vendor was to have done the same, the Idaho Power spokesman said. The company’s probe could take several months, depending on what data was on the drives, he said. Similarly, Idaho Power will not know what regulatory penalties might apply until its investigation is completed.
Idaho Power is not alone, said Frances O’Brien, a research vice president for asset management at Gartner Inc. “It happens all the time,” she said. Typically, a user either doesn’t know to clean the drives or doesn’t do it correctly, she said.
According to a Gartner survey, organizations use outside companies to dispose of PCs 29% of the time and to get rid of servers 31% of the time. Other methods included donating hardware, putting it in storage, selling it to employees, returning it to the vendor and selling it to third parties.
Aside from the financial concerns with losing data, organizations that improperly recycle disk drives can run afoul of a number of regulations, depending on their industry: the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act for the banking industry, the Family Educational Rights and Privacy Act for educational institutions and the Fair and Accurate Credit Transactions Act. In addition, several states, including California and New York, have broad-based privacy regulations, said Robert Houghton, president of Redemtech Inc., a Columbus, Ohio-based outsourcer.
The problem is widespread. Gartner estimates that through 2009, consumers and businesses will replace more than 800 million PCs worldwide and dispose of an estimated 512 million.
What’s more, a company can get a bad reputation for not taking proper care of personal data, O’Brien said. When companies hire an outsourcer -- which is a practice that Gartner recommends -- they need to be careful about what the salvage company will do and how it will prove it. “If everyone else is charging $20, and someone says they’ll do it for $2, you’ve got to wonder why,” she said.
Simson Garfinkel, a postdoctoral fellow at Harvard University’s Center for Research on Computation and Society, researched the issue by buying more than 1,000 hard drives on eBay to see what sort of data could be gleaned from them. He found disk drives that held information from an automated teller machine, a drive from a medical center that held 31,000 credit card numbers, a supermarket credit card processor and a travel agency that had discarded data on travel plans, credit card numbers and ticket numbers. “One of the drives had consumer credit applications on it -- names, work histories, Social Security numbers -- all the information you need to apply for credit.”
Even though drives may have been wiped of data, someone with the know-how and patience could still retrieve information, Garfinkel said. Standard tools such as Format and Delete simply remove the reference to the files -- the data is still there. Garfinkel himself has written a number of tools to retrieve information such as e-mail addresses and credit card numbers on wiped disks.
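Garfinkel's point about Format and Delete, and the three-pattern overwrite the Idaho Power spokesman describes, as an added example that is not code from Garfinkel, Idaho Power or Computerworld. It uses a toy in-memory "disk" (a bytearray plus a directory) so it runs offline: deleting a file removes only the directory entry, a raw carve of the bytes still finds the e-mail address and card number, and only a verified overwrite clears them. The three patterns used (0x00, 0xFF, pseudo-random) and the sample file contents are assumptions; the article only says the standard calls for a minimum of three.

```python
"""Toy block device: why Delete/Format leave data behind, and a three-pass
overwrite with read-back verification."""
import random
import re

# Patterns a recovery tool might carve for; constructed for this example.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b")


class ToyDisk:
    """A bytearray standing in for a drive, plus a directory of name -> (offset, length)."""

    def __init__(self, size=4096):
        self.image = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name, data):
        off = self._next_free
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free = off + len(data)

    def delete_file(self, name):
        # Like Delete or a quick Format: only the reference goes away,
        # every byte of the file is still on the platter.
        del self.directory[name]

    def carve(self):
        # Ignore the directory and scan the raw bytes, as a recovery tool would.
        return {
            "emails": [m.decode() for m in EMAIL_RE.findall(self.image)],
            "cards": [m.decode() for m in CARD_RE.findall(self.image)],
        }

    def wipe(self, seed=None):
        """Overwrite the whole image three times (0x00, 0xFF, pseudo-random),
        reading each pass back before moving on. The pattern choice is an
        assumption for this example. Returns the number of passes that verified."""
        rng = random.Random(seed)
        n = len(self.image)
        passes = [b"\x00" * n, b"\xff" * n, bytes(rng.getrandbits(8) for _ in range(n))]
        verified = 0
        for pattern in passes:
            self.image[:] = pattern
            if bytes(self.image) == pattern:  # read-back check of the whole pass
                verified += 1
        self.directory.clear()
        return verified


def demo():
    """Walk through delete-then-carve and wipe-then-carve on constructed data."""
    disk = ToyDisk()
    disk.write_file("hr.txt", b"Bob Jones salary memo bob.jones@example.com card 4111-1111-1111-1111")
    before = disk.carve()
    disk.delete_file("hr.txt")
    after_delete = disk.carve()  # identical findings: the bytes were never touched
    passes = disk.wipe(seed=1)
    after_wipe = disk.carve()
    return before, after_delete, passes, after_wipe


if __name__ == "__main__":
    print(demo())
```

The read-back step is the part that matters operationally: a wipe that is not verified is exactly the gap Idaho Power is now investigating, and an audit tool like Houghton's is just `carve()` run against a drive the vendor claimed was clean. Physical destruction, which the article says Idaho Power will now use, sidesteps the verification problem entirely.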
Despite his findings, Garfinkel said companies seem to be doing a better job protecting data, and he pointed to the Fair and Accurate Credit Transactions Act as a possible reason. “The percentage of drives out there that have usable data is going down, so companies are more aware of the issue,” he said.
Similarly, when Houghton’s company has done an audit on clients’ supposedly wiped disk drives, 25% to 30% of them still had readable data, he said.
Idaho Power said that in the future, it will destroy drives rather than sell them for salvage -- a policy Garfinkel backs. “The resale value of a hard drive is really minuscule, and it’s easy to verify it’s been destroyed,” he said. “These things are worth $5 to $20 each. I don’t think anyone’s buying them on the secondary market for extortion, but you never know.”
Labels: Idaho Power Co.
Ohio University reports two separate security breaches
Jaikumar Vijayan
May 03, 2006 (Computerworld) Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
Labels: Ohio Univ.
ATMs linked to IP networks vulnerable to threats, security firm says
Jaikumar Vijayan
May 04, 2006 (Computerworld) A continuing trend by banks to take automated teller machines off proprietary networks and put them on the banks’ own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.
The reason? Most ATM transaction data is not encrypted and can be more easily compromised when it is traversing an IP network compared with dedicated lines, according to a white paper (download PDF) from Redspin Inc., a security auditing company in Carpinteria, Calif.
“A number of bad scenarios can come out of this situation, the biggest being mass card theft,” said John Abraham, president of Redspin, which released the white paper last month.
But ATM industry representatives said the issues raised by Redspin have been well understood for some time and that several measures can be taken to mitigate the risks posed by the migration to IP networks.
According to Abraham, the situation is the result of a move by banks over the past few years to comply with regulations requiring them to convert electronic funds networks to the secure triple Data Encryption Standard (DES) from the older DES standard. The rules are mandated by MasterCard International Inc., Visa U.S.A. Inc. and associated network providers (see "Encryption mandate puts strain on financial IT").
Many banks have used the opportunity to migrate ATMs from proprietary networks to open TCP/IP infrastructures, he said. For banks, such networks have proved to be easier to manage and less expensive than having a bunch of individual, dedicated point-to-point connections between an ATM and a processor, he said.
But it is also less secure, Abraham claimed. That’s because, apart from the personal identification number (PIN) data, all other ATM transaction details such as the card number, expiration date, account balances and withdrawal amounts frequently remain unencrypted. This was not as much of a problem when the data was traveling over dedicated lines, but it does pose a security risk on an IP network, he said.
Unless protective measures are taken, a hacker tapping into a bank’s network would have access to every ATM transaction flowing over its network, he said. The situation also is open for other possibilities, including so-called man-in-the-middle attacks, that could, for instance, spoof a processor’s response to an ATM and instruct it to keep on dispensing cash, he said. The risks are especially severe in the cases of ATMs located outside of banks in places such as grocery stores, where the machines are simply plugged into a standard Ethernet cable outlet in the wall, he said.
But many banks appear to be unaware of the issue and are not taking the fairly simple measures needed to mitigate the risk, such as implementing firewalls, installing antivirus software and putting ATM traffic on a separate network segment, Abraham claimed.
Ironically, the move to triple DES encryption has only masked the threat because most banks simply assume that all transaction data is safer, when in fact it is most often only the PIN data that is being encrypted using the stronger standard, he said. For instance, Redspin learned of the problem only when it was conducting an audit for a banking client and noticed ATM transaction data flowing over its networks in clear text, Abraham said.
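The audit finding Abraham describes, card data crossing the bank's own network in the clear while only the PIN block is enciphered, can be checked for with a simple scan of captured payloads for Luhn-valid digit runs. The following is an added example written for this page, not Redspin's tooling; the message layout and both sample payloads are constructed for illustration.

```python
"""Audit check for card numbers travelling in the clear.

Added example (not Redspin's tooling): scans captured payload bytes for
digit runs of 13-19 characters that pass the Luhn check, which is how a
cleartext primary account number (PAN) shows up on a network segment that
is supposed to carry only encrypted ATM traffic. The message layout and
sample payloads below are constructed for illustration.
"""
import re
from typing import List, Tuple

# A PAN is 13-19 digits; lookarounds keep longer digit runs from matching.
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so the audit report
    does not itself become another copy of the card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid digit run in payload."""
    hits = []
    for m in PAN_RUN.finditer(payload):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


# Constructed samples: one message where only the PIN block is (fake)
# ciphertext while card number, expiry and amount are plain text, and one
# message that is opaque ciphertext end to end.
CLEARTEXT_MSG = (
    b"0200|PAN=4111111111111111|EXP=0809|AMT=000020000"
    b"|STAN=20060504123000|PINBLK=9F3A77C0D1E2B45A"
)
ENCRYPTED_MSG = bytes.fromhex(
    "6b0e2fa1c4d89e7733b0a51f9c2ed06ab4e1f8c7d2a3905e"
)


def audit(messages):
    """Map each captured message index to the cleartext PANs found in it."""
    return {i: find_cleartext_pans(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for idx, hits in audit([CLEARTEXT_MSG, ENCRYPTED_MSG]).items():
        status = "CLEARTEXT PAN" if hits else "no PAN found"
        print(f"message {idx}: {status} {hits}")
```

The STAN-style timestamp in the sample is a 14-digit run that fails the Luhn check, which is what keeps the scan from flagging every long number as a card.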
“Bank managers are surprised when we tell them this. They think that everything is encrypted,” especially after upgrading to triple DES, he said.
Mike Lee, CEO of the ATM Industry Association based in Brookings, S.D., acknowledged that the move to mainstream technologies such as Windows XP operating systems and IP networks over the past few years “is altering the vulnerability landscape associated with this traditionally proprietary system.”
“The use of proprietary technologies afforded ATMs a degree of defense against malware, hacking tool kits and utilities, denial-of-service attacks and other threats that have been used to exploit vulnerabilities in more prevalent operating systems and networks,” he said. Most modern ATMs are running on operating systems and network communication protocols “known by and familiar to the majority of computer users,” Lee said.
At the same time, Redspin’s white paper ignores the fact that ATM manufacturers support firewall integration, antivirus integration and vulnerability patching to mitigate some of these risks, he said.
“The paper also confuses private, nonrouteable IP addresses -- which most IP networks use -- with publicly addressable IP addresses,” Lee said. “Triple DES is a very comprehensive global end-to-end encryption standard, but of course there are degrees and stages of implementation. In reality, there will always be cases of noncompliance and failures to implement best practices in any industry."
More banks than Redspin assumes also appear to know about the security vulnerabilities involved and have taken steps to mitigate them, said a spokesman at a major payments-processing network who requested anonymity. Earlier industry research into this issue has shown many “financial institutions securely configuring ATMs by implementing firewalls, diligently applying security patches and utilizing virtual private networks as opposed to ones with public IP addresses,” he said.
Webroot uncovers thousands of stolen identities
Paul Roberts
May 10, 2006 (InfoWorld) Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery.
The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, Social Security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.
The discovery is just the latest evidence of rampant identity theft by online criminals who use malicious Web sites, common software vulnerabilities and keylogging software to harvest information from unsuspecting Web surfers.
The Trojan was discovered on April 25 by Dan Para, a member of Webroot's Threat Research Team, who was investigating one of a number of malicious files installed using "drive-by downloads" from the teens7(dot)com Web site. In drive-by downloads, software vulnerabilities in Web browsers are exploited so that malicious software can be pushed down to the machine running the Web browser, usually without any warning to the computer's owner.
The Rebery malicious software is an example of a "banking" Trojan, which is programmed to spring to life when computer owners visit one of a number of online banking or e-commerce sites, said Gerhard Eschelbeck, chief technology officer at Webroot.
Webroot notified the FBI after it discovered the stolen information, which had been groomed and organized in folders by country where it was "ready to be sold," Eschelbeck said. The stolen data was hosted on an FTP server hosted by nLayer Communications in New York, according to Webroot. However, the company does not know who is behind the scam, Eschelbeck said.
"It's probably an individual who set it up," said Eschelbeck. However, it is unlikely that the individuals running the Web site or hosting the FTP server have any direct knowledge of the scam, he said.
Rebery is still "running wild" on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan, 1,200 of them in the U.S.
The stash of stolen identities is just one of many that have been uncovered in recent months, as identity theft has evolved into a lucrative operation for online criminal groups.
Researchers at antispyware firm Sunbelt Software have also uncovered stashes of stolen information harvested by keyloggers on more than one occasion, and company employees have, in the past, informed some consumers that their identities have been stolen.
Catching the perpetrators is a different matter, however. Often, criminals conduct their affairs from afar, connecting to their servers through one or more compromised machines, which are often scattered around the globe, making criminal investigation and enforcement difficult, experts say.
Card fraudsters: A world unto themselves
Michael Crawford
May 30, 2006 (Computerworld Australia) Some 12 online credit card fraud networks are in operation today, with active traders on some Web sites numbering between 7,000 and 9,000, according to a Secret Service agent going by the name of Jake Jacobson.
With quasimilitary business models, alleged parliamentary links and even feedback forums on the more current "carding forums," the proceeds of some heists have reaped more than $15.9 million from stolen data, according to the interior minister of one country.
But who had any idea there was a funny side?
At times, Jacobson had those attending his presentation at this year's Australia Computer Emergency Response Team (AusCert) conference in Queensland last week laughing out loud -- not at the terrible crimes of teenage Ukrainian youth, but at the extent of the operations with one crudely named network even sponsoring state-endorsed cultural events and advertising an online site.
"All you have to do is set up a bulletin board, and the Web provides order and stability," Jacobson said.
"You control membership and kick out time wasters. At any time, there are at least a dozen [sites] operating and if you divide the traffic a big part of it is transactional -- buying and selling hacked databases, counterfeit credit cards and drivers' licences.
"Another aspect of the traffic is recruitment. They bring kids in or find high-level partners with different capabilities. And then there's knowledge sharing. The criminals are better at sharing knowledge than any U.S. government I have worked with."
Jacobson described his work as tracking millions of dollars to shady characters in dodgy parts of the world, and admitted that in far too many cases nobody knows what the money is used for. He outlined one operation, Operation Firewall, which in July 2003 netted the perpetrators behind Shadowcrew, Carderplanet and Darkprofits sites.
"By early 2003, things were rolling; we saw sites like the Brotherhood of Carders (8,600 user accounts) as well buying and selling information hacked out of the system, but there was no resource more responsible than Carderplanet," Jacobson said.
"Carderplanet had 7,000 active users from May 2001 and by August 2004 was the most reliable source for every criminal good or service available on the Internet. The Russian-speaking community, the Ukraine, Belarus, and the Baltic communities are unmatched as a source for [financial] crime and no other community comes close."
Jacobson said that more recently, carding forums have added feedback forums.
"One guy had completed 25 deals, with a 100% positive feedback rating; they have adopted rankings unabashedly," he said. "They now have specialized equipment to create bank-quality cards, offer phishing services, and even re-shipping. You can choose from reviewed vendors and compare pricing, everything you want is available and you can buy credit card "dumps" and track data."
Jacobson said a December 2005 bust of one Eastern-bloc trader led to problems with prosecution, because the perpetrator "had a remote control destruction device more like an NSA spy plane, but on a home PC" that destroyed all evidence on his hard disk. Two members of the Ukrainian parliament had personally vouched for him.
PC-based sniffer makes the rounds of public places
Robert McMillan
June 07, 2006 (IDG News Service) If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag.
Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.
Basically, it's a Bluetooth-sniffing computer hidden in a suitcase that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus.
The answer: quite a lot (PDF link). In just under 23 hours of travel, BlueBag was able to spot more than 1,400 devices with which, in theory, it could have connected. Among the discoverable devices were a number of Nokia Corp.'s mobile phones and TomTom International BV's Go global positioning systems, said Stefano Zanero, Secure Network's co-founder and chief technology officer.
"Most of the devices that we found were from the same manufacturers because their default Bluetooth connection setup is to be discoverable, which is very good for ease of use, but very bad for security," he said.
Though many Bluetooth devices are designed to be hidden or detectable only for very short periods of time, some manufacturers make their products detectable by default to simplify hooking up with other Bluetooth-enabled machines -- a car sound system, for example. Unfortunately, this practice also makes life easier for hackers, Zanero said. "Any discoverable device is potentially vulnerable to attacks," he said.
For example, BlueBag found 313 devices with the OBEX (Object Exchange) vCard and vCalendar exchange service enabled, making them prey for known Bluetooth virus attacks.
BlueBag's data is going to help Zanero and his researchers understand how attackers might use Bluetooth's ability to connect with other devices to create a targeted attack.
In a scenario they've envisioned, the bad guys could infect Bluetooth devices in a train station one morning, telling them to infect other equipment and seek out specific pieces of information. "You can deliver your malware, leave it for a few hours, and then catch it when [the user] goes home," Zanero said. "This makes it possible to perform the targeted attack that we have in mind."
At the August Black Hat USA 2006 conference in Las Vegas, the Secure Network team plans to unveil some proof of concept malware showing how this type of attack might work.
The hard part has been devising a protocol that will allow the malware to report back to an attacker. And since the researchers can't actually infect a bunch of Bluetooth phones, they need BlueBag to provide them with data so they can estimate how such malware might spread. "This gives you the figures you need for creating some small, not-very-reliable models of how these worms could interact," Zanero said.
Secure Network's research, which was co-sponsored by antivirus vendor F-Secure Corp., is not the first to highlight Bluetooth's security vulnerabilities.
A year ago, hackers showed how they could connect to hands-free Bluetooth systems in some cars to eavesdrop on telephone conversations and even talk to unsuspecting drivers. The software, called Car Whisperer, took advantage of poor security programming techniques on the part of the car manufacturers.
And variants of the Cabir Bluetooth viruses have been around for two years now. Cabir, which has never become widespread, preys on the kind of discoverable phones that BlueBag measured.
To avoid being bitten by Bluetooth attacks, Zanero says users should check their settings and make sure their device is set to be "hidden" or "non-discoverable."
This isn't a panacea, but it will make things harder for attackers. Using Bluetooth is "like sex," Zanero said. "It's better with precautions."
Labels: Malpensa Airport
ID thefts may prove business opportunity for banks
Stephen Bell
May 30, 2006 (Computerworld New Zealand) Banks can enhance their reputation for security by acting as custodians for personal identity credentials designed to make identity theft difficult.
This idea was advanced by Graham Alston, a partner in Unisys Corp.’s global financial services division, when he addressed a conference of the Financial Services Institute of Australasia, held in Wellington last week.
Last year, Unisys conducted a worldwide survey on identity fraud. This was then followed up with a survey designed to elicit the public’s perception of how identity issues were being managed.
Two prominent findings were that most customers of financial institutions expected the institution concerned to take the responsibility for detecting, preventing and remedying identity fraud, and that banks are the most highly trusted organizations when it comes to issuing multipurpose identity credentials.
In this respect, they are ahead of government agencies, which have taken the initiative on ID matters in New Zealand, and the police and tax authorities. The police are mistrusted when it comes to ID custody in both North America and Latin America, although somewhat more trusted in the Asia Pacific region. Tax authorities scored negatively on trust in all regions.
Identity theft is shaping up as a big public worry. To some extent this worry is substantiated by experience. An average of 11% of bank customers in all regions report having been subjected to some form of identity theft. The figure for the U.S. is 17%.
Asked how much they worried about becoming a victim, 66% of people, on average, say they are "a little worried." However, in Mexico and Brazil 78% and 70% of people, respectively, worry "a lot" about this possibility.
In most countries concern is greatest among the middle-aged and financially prosperous -- precisely those customers the banks would be least happy losing. Of course, any identity-theft scandal would cost a bank not only customers but also its overall reputation, said Alston.
The two surveys also show there is relatively little public resistance to giving up personal data, including biometrics, if this is the price of greater security against identity theft. In North America 71% of customers said they would consider using biometrics to safeguard their identity. The figure for the Asia-Pacific region was 68%.
If they take this trust and interest seriously, banks have an opportunity to "convert a bottom-line loss into a top-line benefit," said Alston. However, any bank response must not be limited to just technology -- good marketing and communication, and the sensitive management of any problems are also important.
At present, Alston said, many customers experience a very negative attitude from their bank when they report a possible fraud. "You’re almost treated as the guilty party until you prove you’re innocent," he said. This is something banks will have to change, he said.
FTC laptop theft puts 110 people at risk
The Federal Trade Commission, responsible for protecting Americans from fraud and identity theft, reported on Thursday the theft of two of its own computers with personal information about 110 people.
The incident was the latest in a series of recent thefts and data breaches involving government computers.
The Department of Veterans Affairs said last month an external hard drive containing information on 26.5 million veterans was stolen. The Department of Energy discovered that personal information of about 1,500 employees and contractors was compromised in a cyberattack, and the Department of Agriculture said a hacker may have obtained data about 26,000 of its workers.
The FTC laptops belonged to staff attorneys who were using them to prepare an enforcement lawsuit, said Betsy Broder, the FTC assistant director for privacy and identity protection.
The computers, which were password-protected, contained names, addresses, Social Security numbers and some financial account numbers. The laptops were stolen from a locked vehicle last week.
"We wish this hadn't happened," Broder said. "No data security is perfect, and we're going to use this as a way to improve our practices and security."
The FTC sent letters to the 110 individuals, notifying them of the theft and offering one year of free credit monitoring.
The FTC is developing a new laptop computer security policy that would require an employee to remove any personal identifying information in the machine before it leaves an agency office. If the personal data was needed for an investigation, an FTC manager would have to approve allowing the laptop to leave the building, Broder said.
Labels: FTC