Thursday, November 02, 2006

 

Tricky new malware unnerves security vendors

Jeremy Kirk
October 30, 2006 (IDG News Service) A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it.

Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.

The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows operating system. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.

Those new versions are created by a program on a server controlled by the hacker, Hypponen said.

In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.

Now, the hacker's program is compiling the code and rapidly churning out new versions, but analysts don't know how the new code is generated.

That characteristic is a headache for security software firms that issue special updates to their software to detect the malware. F-Secure alone has issued at least 150 signatures for the malware.

"It gets very complex to detect an attack like that because the code keeps changing," Hypponen said.

Security firm Sophos PLC has detected some 300 versions of the malware. For October, the malware was one of the most common pieces of malicious code found in spam messages, said Carole Theriault, senior security consultant with Sophos.

Since infected computers look to other domains to receive updated code, F-Secure has worked with ISPs (Internet service providers) to shut down domains hosting the new variants. So far, nine of 10 domains have been shut down, Hypponen said.

Oddly, the malware doesn't appear to do anything yet on victims' computers. It's estimated that up to a few hundred thousand computers are infected, a sizable number but not quite on the scale of large malware problems from a few years ago, Hypponen said.

A hacker could be waiting to harness enough infected computers to start a denial-of-service attack or send spam or rent out the network to a spammer, Hypponen said.

"We hope to one day find out why they are doing this," Hypponen said. "We hope it's nothing too bad."

 

Hacker project puts spotlight back on Mac security

Robert McMillan
November 01, 2006 (IDG News Service) The security of Apple Computer Inc.'s wireless drivers is under scrutiny again, thanks to a new hacker project.

On Wednesday HD Moore posted code that exploits a flaw in the Proxim Wireless Corp. Orinoco wireless cards used by PowerBook and iMac computers built between 1999 and 2003, according to Moore.

Apple said the issue "affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs," according to a statement issued Wednesday.

The code was posted on a new blog called the Month of Kernel Bugs. It is modeled on Moore's own Month of Browser Bugs project, which disclosed one new browser vulnerability per day during the month of July.

The kernel bug project was launched with a reference to a controversy over Apple's products, kicked off at the Black Hat USA conference three months ago.

"With all the hype and buzz about the now infamous Apple wireless device driver bugs... hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," wrote the blog's author, a hacker going by the name of LMH.

In August security researchers David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple's wireless device drivers. At Black Hat, they played a video demonstrating how this flaw could be used to run unauthorized code on a MacBook, but their claims have been criticized because their demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers have not published the code used in their attack.

Apple later said that Maynor's employer, SecureWorks Inc., had "not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

A month later, Apple patched a number of flaws in its wireless products and soon after announced that it was working with SecureWorks on security issues.

 

Spam that delivers a pink slip

Cara Garretson
November 01, 2006 (Network World) Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read "Urgent - employment issue," and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information.

And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site.

Score another one for spammers.

Called targeted spam or spear phishing, this type of spam, which is currently on the rise, is particularly vexing because the spammer is able to "spoof" the sending e-mail address to make it look like it's coming from within the recipient's organization, making it difficult for spam filters to catch. And, unlike traditional spam that is sent in the thousands, spammers are sending just handfuls of these messages at a time, again making it difficult for antispam technology to detect.

"We blocked a ton of spam at our e-mail gateway because the [sender] addresses are not valid, but these were," says Sharon Finney, information security administrator at Dekalb Medical Center, which has 3,500 employees.

The IT department at the medical center found out about the scam when an employee in the HR department, who had received a frantic call from one of the scam's recipients, called the company's CIO. The first thing the IT department did was to set its Web filtering software to block all users from visiting the site linked to in the spam, says Finney.

Then Finney got on the phone with Proofpoint, the company's messaging security vendor, which used its automatic update service to add a rule to its customers' antispam filters that blocked e-mails containing the same link, in an attempt to protect others from the scam. Although these e-mails are highly targeted to their recipients and are sent in trickles instead of blasts, they're becoming more and more common.

"I don't think we were the only ones targeted by this, I've talked to other local hospitals and they've gotten it, too," says Finney. "It's going to get ugly. Spammers are going to get stealthier and more targeted -- these recent e-mails had terminology specific to healthcare, so they knew we are a hospital."

Officials with Proofpoint, Dekalb Medical Center's messaging security vendor, agree that targeted spam is on the rise.

"We're seeing this more and more, typically either in large organizations or with very well-known brands," says Rami Habal, director of product marketing with Proofpoint. Once the company has been alerted to the scam, blocking it is easy. But detecting such well-crafted messages is becoming harder as the sophistication level of spam increases; gone are the days of simply filtering for the word "Viagra".

There are ways to detect even well-written fraudulent e-mails, says Habal.

"Our technology looks for clues in the message, even though it might look like it's perfectly formed, there might be ways that the HTML was written that alerts the system that it's suspicious," says Habal. Another way is by using sender-authentication technology that can check if a message really comes from the domain it claims to, although Habal adds that since not all organizations are using sender authentication that approach isn't perfect.

But in this case, the spam slipped by Proofpoint's filters unnoticed, and two PCs at Dekalb were infected with the keylogger program. The IT department spent roughly two hours cleaning them up.

Proofpoint's technology catches so much spam that Finney isn't fazed by these few that slipped by. However, she is concerned that the nature of spam is changing, making it more dangerous and harder to catch.

"Spam is something that is such a cheap method of intrusion, I think in the long term ... spam ... is going to get stealthier and more targeted, and the payload is going to be more about gathering information" than selling products, she says. "The more targeted spam becomes and the more specific to each industry, the harder it's going to be for [antispam] companies to detect it."

 

Antiphishing efforts try to keep pace

Cara Garretson
October 11, 2006 (Network World) While many experts say phishers will continue to stay one step ahead of even advanced preventive measures, some security companies are developing new ways to keep the public informed about fraudulent Web sites and cut down on scams.

These initiatives are designed to fight phishing by providing helpful data to ISPs, e-mail security firms and antimalware vendors whose products are designed to protect their customers from cybercrime, as well as the financial institutions and online retailers whose Web sites are mimicked by fraudulent ones.

Meanwhile, the fight against phishing also is playing out on the desktop, as tools to keep Web users from visiting fraudulent sites become more prominent. For example, the next version of Internet Explorer will include the Phishing Filter, designed to warn users if they visit a fraudulent Web site, according to Microsoft officials. The next version of the Firefox browser is expected to have a similar feature.

Yet by the time these upgrades are widely adopted, phishers will have found ways around the blocking mechanisms, one analyst says.

"Phishing attacks as we know them will go away, but I'm sure [phishers] will come up with something else," says Avivah Litan, a vice president at Gartner.

"I think it's spy vs. spy," echoes Todd Bransford, vice president of marketing with antiphishing vendor Cyveillance. "We see more variants of phishing as the bad guys get more creative and come up with new ways to circumvent security . . . they're just different enough so that they're not recognized by the security efforts."

Among the new initiatives designed to fight phishing is an offering from Cyveillance, whose service is used by financial institutions, online retailers and other companies to protect their brand on the Web. Last week the company announced it will make its data regarding phishing sites available for reuse by other vendors.

The OEM Content Program is designed for ISPs and security companies that need to block users from phishing sites, Bransford says. This phishing data from Cyveillance is used by AOL and Microsoft with their ISP offerings.

The company's crawlers and agents constantly scour the Web for misuse of its clients' brands, and often discover fraudulent sites. With the new offering, Cyveillance will make this information available to companies that interact directly with users to help protect them from these sites, Bransford says. The information provided via this service is backed by a no-false-positives service-level agreement.

Cyveillance competitor MarkMonitor late last month announced a private-label desktop application that it will sell to financial institutions looking to offer their customers protection against fraudulent sites. Called Trust Guard for Financial Services, the software performs real-time heuristics and contextual analysis to decide if a Web page is fraudulent and also checks sites against MarkMonitor's own black list.

The software is available as a stand-alone application or can be integrated into existing applications and toolbars. Financial institutions can rebrand the software and distribute it directly to their customers.

This week Tipping Point, a division of 3Com, plans to announce a Firefox browser add-in designed for use by cybercrime investigators, network operators and security companies that provides instant information about the Web site the user is visiting. Called Monkeyspaw and based on open source code, the tool aims to help security professionals analyze and report fraudulent sites, says Tod Beardsley, lead counterfraud engineer with Tipping Point.

Monkeyspaw provides information such as the IP address of a Web server, its configuration information and its geographical location -- data that can prove helpful in determining whether a site is valid. While this information can be obtained by some digging, Monkeyspaw presents it quickly and clearly, Beardsley says. The tool also can be used to report a fraudulent site to CastleCops' Phishing Incident Reporting and Termination Squad, which takes down phishing sites.

 

Hackers find use for Google Code Search

Robert McMillan
October 06, 2006 (IDG News Service) Google Inc. has inadvertently given online attackers a new tool.

The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet in the first place, security experts said Friday.

Unlike Google's main Web search engine, Google Code Search peeks into the actual lines of code whenever it finds source-code files on the Internet. This will make it easier for developers to search source code directly and dig up open-source tools they may not have known about, but it has a drawback.

"The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it," said Mike Armistead, vice president of products with source-code analysis provider Fortify Software Inc.

Attackers could also search code for vulnerabilities in password mechanisms, or to search for phrases within software such as "this file contains proprietary," possibly unearthing source code that should never have been posted to the Internet.

Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.

Skilled hackers may already be able to do this type of search with Google's Web search engine, but Code Search is "another tool that makes it a tad easier for the attacker," said Johnny Long, a security researcher with Computer Sciences Corp, in an e-mail interview.

For its part, Google did not have much to say about possible misuse of its new product. "Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately," the company said in a statement.

Google has never said much about the steps it takes to cut down on this kind of misuse of its search engine, though the issue comes up from time to time. In July, Websense Inc. used a little known binary search capability within Google Inc.'s search engine to look for malware on the Internet.

While Google Code Search will probably not have much of an effect on popular open-source projects, which are already heavily scrutinized, it could help ferret out vulnerabilities in lesser known pieces of code, according to Lev Toger, a software developer with Beyond Security Ltd.

"Using Google's code search, it's much easier to find interesting code portions," he said via e-mail. "If your task is to find vulnerability in some random code, this filtering can save you a lot of time."

 

FERC, Medicare Unit Have Security Weaknesses

Report: FERC, Medicare Unit Have Security Weaknesses
Linda Rosencrance, Grant Gross
October 09, 2006 (Computerworld) The Federal Energy Regulatory Commission (FERC) and the U.S. Centers for Medicare & Medicaid Services (CMS) both face security vulnerabilities because of IT shortcomings, according to a pair of government reports.

In a report that was written in August and publicly released last week, the Government Accountability Office (GAO) identified 47 weaknesses in the way that the Medicare and Medicaid centers have been using a wide-area network operated by AT&T Inc. to transmit medical claims data. The weaknesses could expose the medical records and other personal information of patients to malicious hackers, the GAO warned.

The GAO said that the CMS and AT&T didn’t use adequate identification and authentication controls for network access, restrict access to only the programs and files needed by individual users, close off all access from the private network to the Internet or consistently encrypt sensitive data.

The report didn’t name AT&T, but the CMS confirmed that the company operates the WAN under a four-year, $76.6 million contract awarded in 2003. In a statement sent via e-mail, AT&T said it and the CMS “are confident that no proprietary data was ever exposed to unauthorized parties.” More than half of the weaknesses identified by the GAO have been resolved, AT&T added.

CMS Administrator Mark McClellan said in a July 10 letter to the GAO that corrective action or new controls had been completed on 22 of the 47 shortcomings at that point. Eight more were scheduled to be fixed by the end of September, according to McClellan. Another 11 weaknesses that “are somewhat more complex” should be addressed by Jan. 7, he wrote, adding that the CMS is still assessing the resource requirements and financial impact of fixing the final six flaws.

Meanwhile, the U.S. Department of Energy’s inspector general said in a report issued Sept. 25 that the systems used by the FERC are vulnerable to cyberattacks because the commission’s current IT security procedures don’t meet federal guidelines.



Although the FERC has strengthened its cybersecurity program, testing by the inspector general’s office revealed continued problems with default, blank or easily guessed passwords and user-account controls, according to the report. In addition, annual security reviews and security assessments done in connection with system certifications either weren’t performed properly or weren’t adequately documented, the report said.



In a written response that was included with the report, Thomas Herlihy, the FERC’s executive director, concurred with the inspector general’s recommendations but said the commission has “an effective security program” that meets the federal mandates.



 

Online ID fraud is hyped; real problem is off-line

Analyst: Online ID fraud is hyped; real problem is off-line
Eric Lai
October 25, 2006 (Computerworld) Despite incidents such as the $22 million in losses suffered by E-Trade Financial Corp. and TD Ameritrade Holding Corp. from online identity fraudsters, the problem of online identity theft is vastly hyped when compared with its more prevalent off-line equivalent, according to one analyst group.

The two leading online stock brokerages have admitted in recent days that overseas hackers used software to steal personal customer data to access and create trading accounts as part of a stock-fraud scheme.

While keylogging software, phishing e-mails that impersonate official bank messages and hackers who break into customer databases may dominate headlines, more than 90% of identity fraud starts off conventionally, with stolen bank statements, misplaced passwords or other similar means, according to Javelin Strategy & Research.

"An insignificant portion of identity fraud actually starts with the Internet," said James Van Dyke, president of Javelin, who pointed out that many firms still rely on simple security questions such as one's mother's maiden name. "The Internet always grabs the headlines, but it is individuals who are close to the victims, such as family and friends, that are doing most of it," he said.

The Pleasanton, Calif.-based research firm has polled 5,000 consumers by telephone for the past three years. Extrapolating from that sample, Javelin estimates that identity fraud in all its forms resulted in $56.6 billion in losses last year.

While fraudsters often use the Internet to access existing bank, phone or brokerage accounts or to create new ones using stolen details, in only one out of 10 of those incidents did the actual theft of the personal data take place through e-mail or the Web or somewhere else on the Internet, according to Javelin. "No matter how you slice the data, it's really hard to arrive at a scenario where the Internet could be the source of the majority of identity fraud," Van Dyke said.

All told, 4% of Americans were affected by identity fraud in 2005, a statistic that is slowly shrinking, though the value of each fraud incident is growing, Van Dyke said. The total losses attributed to identity fraud have held steady the past three years.

Bank customers in the U.S. are not the most frequent targets of the most common form of online identity theft, phishing attacks. Statistics from antimalware vendor McAfee Inc. show that more than half of all recent phishing attacks involved e-mails from a sender masquerading as VolksBank, a German bank, with another quarter targeting customers of U.K. bank Barclays PLC.

EBay Inc., through its namesake auction site as well as its PayPal financial site, is impersonated in phishing e-mails 14% of the time. Fraudulent e-mails purport to be from Bank of America Corp. and Nationwide Bank 3% and 1.5% of the time, respectively.

Van Dyke argued that U.S. financial institutions, by and large, are taking the right steps to protect themselves and customers from identity fraud.

According to a report released this month, more than half of the 24 leading U.S. financial institutions surveyed met Javelin's criteria for having good policies for detecting identity fraud. That's up from a third that won praise for their efforts in 2005.

Policies that "deputize the customer," such as those that let customers set triggers to receive e-mail or phone alerts when their account status or personal information changes, or that allow them to opt out of receiving paper statements via the mail, aid in customer self-detection and reduce proven risks, Van Dyke said.

Bank of America was ranked the safest bank, followed closely by JP Morgan Chase & Co. and Washington Mutual, according to Javelin's "Banking Identity Safety Scorecard."

Bank size does not always correlate with safety, said Van Dyke, pointing to KeyCorp, a large regional bank based in Cleveland. It ranked as the fourth-safest bank. The next five banks, in order, were Fifth Third Bank, Wells Fargo, Marshall & Ilsley Bank, Sun Trust and Citibank.

E-Trade, which said last week that it had lost $18 million to fraud, was ranked 17th. TD Ameritrade, which lost $4 million to identity fraud, was not ranked.

TD Ameritrade's CIO, Jerry Bartlett, agreed that eliminating risk on the consumer side is paramount. The Omaha-based online brokerage offers free downloadable software so customers can scan for and eliminate data snooping programs. It also lets customers set e-mail alerts when money transfers are requested or personal account details are changed.

But Bartlett was unsure whether conventional identity theft really remains a much bigger problem than fraud that begins online. "We know from experience that there is a lot of sharing of user IDs and passwords. And once you begin sharing them and writing them down, you lose control of them, like throwing away personal bills without shredding them first," Bartlett said. "But I'm not sure if regular fraud is an order of magnitude larger than online fraud."

 

ID Thefts Slam Online Brokers

Eric Lai
October 30, 2006 (Computerworld)

Two of the top online stock brokerages in the U.S. disclosed that overseas hackers broke into some of their customer accounts during the past three months, resulting in combined losses of at least $22 million and leading both firms to take steps to bolster their security measures.

Jerry Bartlett, CIO at TD Ameritrade Holding Corp., said in an interview last week that the attacks were launched by identity thieves in Eastern Europe and Asia who used keylogging software delivered via Trojan horses or other malware to steal the account information of users logging onto public computers or their own infected PCs.




The hackers then used existing accounts or created dummy ones to buy shares in little-traded stocks, driving the prices up so they could sell previously purchased shares at a profit. Customers of ETrade Financial Corp. were also victimized by the so-called pump-and-dump scheme, according to ETrade officials.

Bartlett said no data was stolen from TD Ameritrade’s own databases, nor were its servers breached during the attacks. But he acknowledged that the company’s antifraud efforts, which include a security team that uses special software to monitor for anomalous activity such as users logging in from unusual IP addresses, failed to detect the stock scams quickly enough.

As a result, TD Ameritrade has installed new technology and reconfigured its existing tools to monitor for pump-and-dump activity, Bartlett said. “We could identify it [before], but certainly not to the sophistication of what we can do now,” he added. He declined to discuss the new capabilities in detail or disclose which security tools his firm uses to guard against online fraud.

ETrade has also beefed up its online security in response to the recent attacks, CEO Mitchell Caplan said during an Oct. 18 conference call on the company’s third-quarter financial results. Caplan said ETrade had cut the amount of fraudulent activity to “almost zero” over the previous three weeks as a result of the security changes.

The inability of ETrade and TD Ameritrade to promptly detect the hackers is hitting them in their pocketbooks. Although the money in brokerage accounts isn’t insured, both firms guarantee customers against losses caused by fraud.

ETrade officials said during the earnings call that the company had spent $18 million to compensate customers for losses from the attacks. Last week, TD Ameritrade disclosed during a conference call on its fourth-quarter results that it had reimbursed a total of $4 million to its customers.

To help it monitor accounts for unusual behavior, ETrade uses antifraud software developed by Cyota Inc., which is now a part of EMC Corp.’s RSA Security Inc. division.

Since February 2005, ETrade has also offered its customers a two-factor authentication option based on RSA’s SecurID token technology. The tokens generate new six-digit codes every 60 seconds. Customers must enter the codes along with their usernames and passwords when logging in, according to an ETrade spokeswoman.

She declined to say how many ETrade customers are using the RSA tokens and whether the hackers accessed any accounts guarded by the SecurID technology.

Persistent Challenges

Ryan Sherstobitoff, chief technology officer at security tools vendor Panda Software International SL, said skillful hackers can trick software such as Cyota’s, which relies in part on checking whether users are logging in from their usual IP addresses. And tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock-trading accounts, he said.

“We can protect against certain scenarios now, but there are certain ones we can’t protect well against at all,” Sherstobitoff said.

In a report released last month, Javelin Strategy & Research in Pleasanton, Calif., ranked ETrade 17th out of 24 financial institutions on efforts to protect consumers from identity theft. Javelin didn’t rank TD Ameritrade as part of its security scorecard, which primarily involved banks.

Identity theft in all its forms resulted in an estimated $56.6 billion in losses in the U.S. last year, according to Javelin, with one in 25 people being affected by it. “Fighting identity theft is a cat-and-mouse game — there’s always room for improvement,” said Javelin President James Van Dyke.

Bartlett said new antifraud tools on the horizon could help bolster corporate defenses. “It’s been a lot of back and forth between vendors and the bad guys,” he said. “But I’ve recently seen a lot of products in beta that should leapfrog [hacking tools] and keep vendors ahead in the arms race.”



 

Hackers break into water system network

Robert McMillan
October 31, 2006 (IDG News Service) An infected laptop PC gave hackers access to computer systems at a Harrisburg, Pa., water treatment plant earlier this month.

The plant's systems were accessed in early October after an employee's laptop computer was compromised via the Internet and then used as an entry point to install a computer virus and spyware on the plant's computer system, according to a report by ABC News.

The incident is under investigation by the FBI, but no arrests have been made in the matter, said Special Agent Jerri Williams of the FBI's Philadelphia office. The attackers are believed to have been operating outside of the U.S.

Williams said that the hackers do not appear to have targeted the plant. "We did not believe that they were doing it to compromise the actual water system, but just to use the computer as a resource for distributing e-mails or whatever electronic information they had planned," she said.

Still, the FBI is concerned that even without targeting the system itself, this malicious software could have interfered with the plant's operations, Williams said.

Had the breach targeted the water plant, it could have had grave consequences, according to Mike Snyder, security coordinator for the Pennsylvania section of the American Water Works Association. "It's a serious situation because they could possibly raise the level of chlorine being injected into the water... which would make the water dangerous to drink."

After the terrorist attacks of Sept. 11, 2001, computer security at U.S. water systems was beefed up, but water systems may still be tied to administrative networks that are connected to the Internet, Snyder said. "Sometimes if a hacker is pretty good, he can get into the computer via the administrative network," he said.

In the Harrisburg case, a laptop computer was apparently the source of the intrusion. Snyder said that laptops are used in the industry because water systems often have many different locations that need to be monitored. "Because of the way the water systems work, it is convenient to be able to use a laptop to check tank levels," he said.

The U.S. Environmental Protection Agency knows of no other similar incidents occurring in the region, said Rick Rogers, the chief of the EPA's drinking water branch for the mid-Atlantic region.

Rogers was not able to comment directly on the matter, since the breach is under investigation. "We are looking into it and working with the state and the water utility industry," he said. "But it is a concern that somebody was able to get into a system like this."



 

12 hospitals in Indiana and Illinois missing personal information

INDIANAPOLIS -- The operator of 12 hospitals in Indiana and Illinois is notifying more than a quarter-million patients that compact discs containing their Social Security numbers and other personal information were lost for three days over the summer.

However, officials said they do not believe any of the 260,000 patients' information was improperly accessed.

The Sisters of St. Francis Health Services, which operates 10 hospitals in Indiana and two in Illinois, said in the warning letter that an employee of a medical billing contractor copied the data onto several CDs in July and placed them in a new computer bag to work from home.

That employee later decided the bag was too small and exchanged it at a store, accidentally leaving the discs inside, the letter said.

Lisa Decker, a spokeswoman for St. Francis subsidiary Greater Lafayette Health Services, said Monday that the person who bought the bag three days later immediately returned the discs and officials were confident the data was not accessed.

Officials began contacting patients on Oct. 9. Decker attributed the delay to the prolonged investigation into the incident.

The letter to patients urged them to check their credit reports.
