Archive for November, 2007

12 Ways to Audit Your PC Security

Thursday, November 29th, 2007

The Virtual Hosting Blog created a list of resources a while back that I’ve been meaning to share. They provide 12 Resources to test your PC weaknesses – a list of tools to help you identify (and sometimes fix) system vulnerabilities.

The list includes:

  1. Audit My PC helps you find free security tests
  2. Qualys FreeScan checks server weaknesses
  3. Proxy Way looks at your privacy settings and how much of your information can be accessed online
  4. Test My Firewall advice on web security
  5. Hijack This searches your system for hackers
  6. GFI Email Security Testing Zone tests your email security against viral threats
  7. WindowSecurity.com works as per #6
  8. The PCman Website Virus Test plants a fake virus to gauge your computer’s ability to notice real viruses
  9. Sophos Threat Detection Test tests your anti-virus software strength
  10. Symantec Security Check free security scan and virus detection test
  11. Nmap (Network Mapper) audits security on large networks
  12. PC Security Test 2007 scans for viruses, spyware, and hacking threats

Continue reading the details of this list here.


Veterans Affairs: New Breach, Arrest

Thursday, November 29th, 2007

Who Breached: U.S. Department of Veterans Affairs (VA)
Number Affected: 12,000
Information breached: Social Security Numbers
How: theft of 3 computers (2 desktop, 1 laptop)

The U.S. Department of Veterans Affairs is investigating another potential data breach after three computers (two desktops, one laptop) were stolen on November 11 from the Roudebush Veterans Affairs Medical Center. The computers contained Social Security numbers for as many as 12,000 medical patients and were protected only by a password.

Indiana congressman Steve Buyer says that the hospital failed to follow new safety protocols:

“The information that was accessed should have never been portable,” Buyer said in an interview Thursday from Washington. “That information should have been secure on a server in a data storage system in a remote location.”

The VA has a long history of data breaches, including the May 2006 breach of information on 26.5 million veterans following the theft of a laptop and hard disk. Since that major breach, the VA has had further incidents affecting 1.8 million, 250,000, 16,000 and 16,5000 individuals. This is the third data breach related to the theft of computers.

Regulations on data security were reportedly strengthened after the May 2006 breach. Congressman Buyer lays the blame for the ongoing issues on poor security training and a lack of consistent security standards:

“I recognize that we’re dealing with human vices — theft — and we’re dealing with human negligence,” Buyer said. “That’s why it’s so important that information be encrypted and that we limit people’s access to certain information.”

This new breach adds to the very troubling pattern of poor security standards that continues to plague the VA. A stronger security policy (including security software) and a training scheme at all levels of the VA could help prevent such incidents from happening.

Arrest for theft of 1.8 million

An arrest has recently been made in relation to the theft of 1.8 million Social Security numbers in January of this year. Tae Kim was arrested after a month-long investigation when he was caught using fraudulent credit cards at a jewelry store. Kim was an auditor for Veterans Affairs from 2003 to February 2007; his home computer contained 1.8 million Social Security numbers.

Via OC Register, ComputerWorld, Computer Weekly, IndyStar

West Virginia to Integrate Technology into Lesson Plans

Friday, November 23rd, 2007

The West Virginia Department of Education has received a $48,000 grant from the Verizon Foundation to provide training to teachers on how to use the free online education resources on Verizon’s Thinkfinity.org. The goal of the program is to impart 21st century learning skills to students.

The grant will be used for training and an awareness program. Educators across the state will receive training on how to use the free resources available to them, so that they become comfortable integrating technology tools into their lesson plans. Thinkfinity.org is made up of 55,000 educational resources for all grades and was created in partnership with educational and literacy organizations across the US.

The program offers a range of resources for K-12 classes in eight academic disciplines. Materials include lesson plans, interactive tools and other materials to improve student achievement; the site also provides a professional development program.

“Teachers are often our unsung heroes” said B. Keith Fulton, president of Verizon West Virginia and a former member of the 21st Century Skills board. “They work many hours outside of the classroom to prepare the best possible lesson plans to engage their students. Through Thinkfinity.org, teachers can gain immediate access to quality educational resources to more efficiently develop their lesson plans, giving them more time to work directly with students.”

West Virginia has been a national leader in incorporating technology into the classroom. Education Week’s Technology Counts 2007 gave the state a grade of A for access to technology and A- for the use of technology.

Via webwire

Symantec Internet Security Trends & Predictions

Friday, November 23rd, 2007

Symantec has listed their top security trends for 2007 and issues to watch for 2008. High profile data breaches top the list of security trends for 2007.

Symantec’s Top 10 Internet Security Trends of 2007 were:

  1. High profile data breaches – checking all points of data security, including contractors
  2. Vista introduction – 16 security patches have been issued thus far
  3. Spam – new techniques, botnet-driven spam
  4. Professional attack kits – tool kits for aspiring attackers
  5. Phishing – tool kits, lack of improvement here
  6. Exploitation of trusted brands – as phishing scheme
  7. Botnets – no end in sight for these complex attack schemes
  8. ActiveX vulnerabilities – IE7 made some improvements, but new variants emerge
  9. Vulnerabilities for sale – a marketplace to sell known vulnerabilities
  10. Virtualization – security issues not yet understood

In 2006, Symantec predicted the following security trends: Vista, Web 2.0 technologies, Web-based applications like AJAX, and attacks directed towards youth. 2007 saw many Internet security issues that were unpredictable, and it is this same unpredictability that makes IT security so difficult.

Symantec’s Predictions for Internet Security in 2008 are:

  1. Even stronger and more complex botnets
  2. Malware threats that take advantage of Web 2.0 technologies such as AJAX
  3. Larger numbers of attacks aimed at mobile devices
  4. Continued evolution of spam
  5. More focus by the bad guys on assailing virtualized machines
  6. Attacks crafted to prey upon interest in the 2008 presidential election

Amrit Williams, CTO of enterprise security company BigFix and a former IT security analyst for Gartner, predicts that IT security in 2008 will see the convergence of security and systems management.

“It’s too costly, difficult, and challenging to maintain separate infrastructures”

Via Zero Day, Network World, Information Week

CIMIP Identity Fraud Whitepaper

Friday, November 23rd, 2007

The Center for Identity Management & Information Protection (CIMIP) published a whitepaper on identity fraud last month. The project assessed 517 US Secret Service cases between 2000 and 2006 with an identity theft/fraud component. The study focused on known thieves and their methods, whereas previous studies had looked at victims.

According to the study, most identity thieves are young, work alone, and rely on the Internet for less than one fifth of their crimes.

Findings from the study:

  • less than 20% of identity theft crimes are committed online
  • the most frequently used non-technological theft method was to reroute mail through address change cards (mail theft & dumpster diving cited after that)
  • 61% of thieves stole fragments of personal information rather than entire documents
  • 33% of identity thieves are ‘insider’ employees (mostly retail)
  • 66% of identity theft cases were concentrated in the Northeast and South
  • 42.5% of thieves were aged 25–34; 18% were aged 18–24
  • 66% of identity thieves were male
  • 80% of the cases were solo operations or involved a single partner

There is a lot to learn from this study. Identity thieves are more than capable of piecing together your identity from scraps of personal information, so keep that information in secure locations or shred it. Since most theft is perpetrated by strangers, be wary of opportunistic thieves.

“We have to know more about the crime in order to fight it. This will help law enforcement understand the problem and it will help consumers better understand the risk.”

You can download the whitepaper here.

Via Associated Press

HMRC Data Breach Affects 25 Million

Friday, November 23rd, 2007

Who Breached: HM Revenue & Customs (HMRC), UK
Number Affected: 25 million
Information breached: Bank details, National Insurance Numbers

The HM Revenue & Customs (HMRC) department in the UK has exposed the personal details of 25 million people.

Following two breaches affecting thousands of people earlier in the autumn (from a laptop theft and a lost CD), this latest data breach affects a record 25 million child benefit claimants in the UK. The breach is tied to the loss of two CDs in the mail.

The discs contained the names, National Insurance Numbers, bank details, full addresses, child benefit numbers and dates of birth of 25 million individuals.

“The lost bank account numbers, names and addresses represent a gold mine for thieves and are much more valuable than credit card numbers or taxpayer ID numbers,” said Avivah Litan, vice president at Gartner Research.

Ironically, HMRC’s handling of the earlier laptop breach was applauded by the media: because the data on the laptop was protected, notification was not required, and HMRC was commended for its responsible approach to data security.

In this incident, however, responsibility is not something HMRC will be applauded for. According to the opposition party, senior officials were aware of the decision to put the personal information of millions onto computer discs.

Citing an internal e-mail, members of the Conservative party said blame for the scandal went higher than just the junior civil servant so far blamed by the government for violating security rules.

The National Audit Office (NAO) released a series of emails exchanged with HMRC. The NAO, the intended recipient of the data, had asked that personal information such as bank account details be removed from the data, as it was not needed. However, HMRC did not want to incur the cost of filtering the data. The discs were sent by internal mail and were not protected.

Ironically, this mistake could cost many millions of dollars more than filtering or protecting the data would have. The cost of closing 15 million bank accounts alone would be enormous. The scope of this data breach is prompting the UK to look closely at security procedures and consider new regulations.

The emails implicate senior officials in knowingly passing on personal information despite earlier statements pinning the blame on a junior official. The head of HMRC has resigned since the breach went public. An investigation is now taking place.

You can read a timeline of events here.

Via Guardian Unlimited (2), Canada.com, vnunet (2), ZDnet

Absolute Software Data Security Survey

Tuesday, November 20th, 2007

Absolute Software recently surveyed its corporate and consumer customers about data security. The survey was completed by 402 corporate customers and 1842 consumer customers.

The survey found that computers have been lost without the company being aware of it, and that such losses are costly. Companies that use Computrace reported a better ability to manage computer assets. For consumers, identity theft and the cost of losing a computer rank as important reasons for using laptop recovery software. However, most consumers do not take other precautions against laptop theft, such as encryption or password protection.

John Livingston, chairman and CEO of Absolute Software, has this to say:

“Most of us store personal information, banking records, credit card information, passwords and other sensitive data that could be used to harm us if it falls into the wrong hands. For businesses, a lost or stolen computer can lead to the intense media scrutiny associated with a data breach. Consumers who experience the loss of a computer may be at increased risk for identity theft and often lose irreplaceable photos, records and music collections.”

Here are some highlights from the corporate survey:

  • 62% of companies believe missing computers go unnoticed
  • 20% believe data has been breached without company awareness
  • 20% of companies have experienced a data breach; 61% of those breaches are attributed to employee error or misconduct
  • 16% believe a significant breach can cost $1 million or more
  • 83% of companies indicate they are better able to manage their computers with Computrace (to deter theft & recover missing computers)
  • Data lost consisted of 39% confidential business information, 22% employee information, 22% customer information and 16% Social Security Numbers

For more results from the corporate survey, read here.

From the consumer survey, results indicate that 20% of people know someone who has had a computer lost or stolen. Concerns about lost computers were, in order of importance: losing the hardware, having someone steal their identity, losing files/data, and having unauthorized persons access their files.

Read more from the consumer survey here.


Visa Allowed TJX to be Non-Compliant

Friday, November 16th, 2007

According to documents filed in Federal court on November 8, credit card company Visa was aware of the security problems at TJX as early as 2005 and gave the company a three-year grace period to remain non-compliant.

The letter, dated Dec. 29, 2005, was from Visa’s fraud control vice president, Joseph Majka. The letter, written to Diana Greenshaw of TJX’s credit card processor, Fifth Third Bank, reads:

“Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa’s receipt of an update by June 30, 2006, confirming completion of stated milestones.”

The letter shows that Visa had foreknowledge of security problems at TJX. In the summer of 2007, Visa fined Fifth Third Bank $880,000. This fine may indicate Visa’s awareness that TJX was not improving its security as required under the extended grace period agreement.

Unfortunately, thieves had already infiltrated the TJX systems prior to the December 2005 letter. This continued security gap would eventually expose the data of 94 million (earlier estimated at 45 million) credit card holders.

Via eWeek

Canadian Government Audit on Data Security

Friday, November 16th, 2007

Canada’s Auditor General, Sheila Fraser, has issued her Annual Report; her verdict on data security is dire. The government audit looked at how sensitive information is safeguarded when outside contractors are engaged. The audit found that government agencies are failing to meet basic security standards and that data is at risk for breach.

“We found serious problems in the system that is supposed to ensure the security of government information and assets entrusted to industry,” Fraser said in her report.

Concerns from the report include:

  • Failure to identify security requirements for defense contracts
  • Funding is inadequate to hire and retain qualified professionals to support the Government Security Policy (GSP) and The Industrial Security Program (ISP), which delivers on the GSP objectives
  • The GSP standard is ambiguous about responsibilities
  • Data for the ISP resides on a controlled-access network, but it has not been certified under the government standard against data breaches
  • The security policy does not include a disaster recovery plan

Public Works and Government Services Canada (PWGSC), which handles 90% of all government contracts, has responded to the concerns of the audit. It will be creating a Security Management Advisory Board and is revising its security strategies. Perhaps the most important element to arise post-audit is a new training program to ensure staff follow procedures consistently.

PWGSC will be reviewing all 3,000 active contracts to ensure security requirements are being met.

Via InterGovWorld

Business Travel Could Be Very Costly if Data Is Breached

Friday, November 16th, 2007

A new survey from iBahn, a provider of secure broadband services for hotels & conference centers, shows that travelers who carry sensitive information carry more than half a million dollars worth of data.

The survey of 491 laptop or PDA business users found that most travelers do not carry sensitive information on their laptops. However, those who do carry valuable information store an average of $525,000 worth of data.

Highlights from the survey:

  • The average value of personal information on a laptop is $330,000
  • 39% of respondents have experienced some form of malware, virus or theft
  • 32% of respondents rate their travel WiFi connections as somewhat or highly secure

The survey indicates that business travelers who keep sensitive information on their laptops or PDAs are putting that data at risk. Though the survey does not include information about how the devices are secured, the fact that so many laptops holding sensitive information connect to insecure WiFi networks is a serious security issue.

Via NetworkWorld, CIO.com
