Archive for April, 2008

ID Theft Safeguard used to Steal IDs

Wednesday, April 30th, 2008

Even the most carefully laid plans can go awry. Federal prosecutors charged a Southern Californian woman this week with aggravated identity theft after she used a genealogy website to locate people who had recently died and to take over their credit cards.

Tracy June Kirkland was using Rootsweb.com to find the names, Social Security numbers and birth dates of people who had died. She would then call credit card companies at random to ask whether "she" had an account; if "she" did, she would request a mailing address change and, in some cases, add her own name as an authorized user. Ms. Kirkland repeated this scheme at least 100 times between October, 2005 and last month.

Rootsweb.com is a genealogical research site that, amongst other services, reproduces the Social Security Administration’s Death Index, a public list of people who have died, along with their birth dates and Social Security Numbers. The government publishes this list in such detail so that banks can prevent people from applying for credit under a deceased person’s identity. The information is made public under the Freedom of Information Act.

Tracy Kirkland found a loophole in the system: instead of applying for new credit, she simply co-opted existing credit accounts, which the Death Index check does nothing to stop. According to a spokesperson for the Social Security Administration, this is the first time this exploit has been found.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end."

So, what do you think? Should the Social Security Numbers be reported on the Death Index? Do you think the benefits to the prevention of identity theft outweigh the risks shown here?

You can read the full court indictment here [PDF]

Via wired ; Logo: Rootsweb, a part of Ancestry.com and MyFamily.com Inc.

Data Breaches Undermine EHR Adoption

Tuesday, April 29th, 2008

The number of data breaches in the health care sector could undermine the health care industry’s efforts to promote widespread adoption of Electronic Health Record Systems (EHRs).

The Wall Street Journal reports that the number of people who can quickly access EHRs has raised privacy concerns, but many hospitals have been reluctant to restrict access in ways that would create barriers to care delivery.

"The internal [hospital] mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system." – Jill Dennis, Senior VP, American Health Information Management Association

To increase security while still meeting the need for fast and widespread access to information, many hospitals are encrypting their computers and increasing employee education about privacy. Other hospitals may limit the kinds of information that employees can access. As more information becomes available to more employees, time will tell how successful these efforts have been.

Some recent medical data breaches:

Via iHealthBeat, Wall Street Journal (4/29), Attrition.org ; image: wax115 @morguefile

Security Challenges in Web 2.0

Monday, April 28th, 2008

Web 2.0 is changing the way we do business, and the way we do Internet security. Advances in the web allow for a more "social" sphere of information sharing, collaboration, and ways of doing business. Here is a definition of Web 2.0 from John Battelle and Tim O’Reilly:

"the web had become a platform, with software above the level of a single device, leveraging the power of the "Long Tail", and with data as a driving force…" (Wikipedia)

Web 2.0 encompasses social networking sites like Facebook, blogs such as this one, Skype, Wikipedia, and so much more. No matter how you define Web 2.0, companies are in a transition period of adopting and developing around this new way of doing things.

All of these new tools and technologies of the interactive web have ushered in a new era of security vulnerabilities. Fortify gave a talk at the Web 2.0 Expo in San Francisco recently about the new wave of internet security threats.

"Security was a challenge to begin with, but, if anything, it’s getting harder in the Web 2.0 world." – Jacob West, Manager, Fortify

Fortify foresees that JavaScript will be a growing security issue as the adoption of Ajax (which is based on JavaScript) increases and the existing vulnerabilities become more widespread. At the same time as vulnerabilities are spreading, attack techniques are improving at a rapid rate. Some of the makers of JavaScript and Ajax toolkits are proactively closing security issues, but others (particularly the big ones, like Microsoft) are not.

This is just one example of the security issues associated with Web 2.0. Many issues with integrating Web 2.0 technologies internally or into the company website come from poor planning, a "rush to embrace" whatever is trendy, as InformationWeek puts it. Additionally, social networking sites such as Facebook and MySpace can be laced with malware. Cyber criminals are co-opting social networking sites as delivery vehicles for cyber attacks.

Companies are going to be faced with many Web 2.0 challenges, from planning the integration of new technologies to creating effective security policies outlining the use of such technologies.

"Companies need to adjust their security policies for the Web 2.0 world today. They need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there; the usage policies need to be spelled out specifically and enforced.

Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim. Most companies are barely providing sufficient protection in the context of Web 1.0." – Paul Henry, Secure Computing (via InfoWorld)

Via CNet

Government Provision of IT Security Resources

Friday, April 25th, 2008

A new study from the School of Management at Royal Holloway, University of London, in collaboration with Nammis, has found that the government in the UK is failing to provide advice to small and medium sized enterprises (SMEs) about information and communication technology (ICT), including about security.

The study questioned over 500 SMEs across various industries in order to determine the usage and adoption of ICT, including wireless access, websites, intranet and video/audio conferencing. The study was to determine if SMEs were adopting ICT at the rate considered critical for competitiveness in the global market and digital economy.

Most of the small and medium businesses contacted were fully in favor of information and communication technologies, but their limited money and expertise hindered their ability to adopt and use them. The government is one of the few resources that SMEs can turn to for guidance, but unfortunately this is where the equation falls apart.

Across all sectors, the study found that businesses do not turn to the government or local authorities for advice. Fewer than 5%, and as few as 1%, of companies in the various sectors will seek support from the government. It is not clear how much of this reflects a lack of proper support and how much reflects poor advice.

Although the point of this survey was to highlight what SMEs critically need in order to become competitive in the global market, for example by selling online, it also points to the growing issue of IT security and its accessibility to SMEs. Regardless of the size of the business, compliance regulations require that businesses protect the personal information of their stakeholders. As SMEs attempt to scale their IT infrastructure with little guidance on how to do so, we will likely see more (not fewer) security issues developing as a result.

While the government does not bear the entire responsibility for IT security in the corporate sector, I believe that it does share in the responsibility of providing educational resources to help companies manage their overall IT, and particularly IT security, needs.

What do you think? Do you think the government should provide IT security resources to SMEs?

Via intergovworld Image: ridge @morguefile

Microsoft and Symantec Security Reports

Thursday, April 24th, 2008

Microsoft released its latest Security Intelligence Report this week, and Symantec released its Internet Security Threat Report earlier this month. Both reports survey the changing security landscape, drawing on past data and projecting future trends.

Microsoft’s twice-yearly report, based on data from more than 450 million Windows users and from Internet services, looks at the changing threat landscape including software vulnerability disclosures and exploits, malware and other trends in security. The latest report, Volume 4, was expanded to include a focus on privacy and breach notifications and on cyber crime.

The report indicates that the total number of vulnerabilities in 2007 was down by 5%, though overall there were more high severity vulnerabilities in 2007 than in 2006. About a third of all security vulnerabilities had publicly available exploit code, a percentage that held from 2006 to 2007.

Exploits, malware and hacking accounted for less than 23% of all security breach notifications from 2000 to 2007, and for 13% of notifications in the second half of 2007. The cause of most data breaches was, and is, lost and stolen equipment: 57% of the security breaches publicly disclosed in the second half of 2007 were the result of lost or stolen equipment.

As the graph indicates, while hacking has been going down over the past few years, security incidents resulting from stolen equipment have been on the rise.

Malware removed by the Microsoft Malicious Software Removal Tool increased over 40% during the second half of 2007. Malware has increased both in absolute numbers and in its rate of increase over the past few years. Trojans, for example, went up 300% in the second half of 2007. Rogue security software continues to increase, and individuals and businesses alike should be aware of these malicious programs.

These findings come on the heels of the most recent Symantec Internet Security Threat Report. The thirteenth edition of the report indicates that the US accounted for 31% of all malicious activity, a percentage up from the first half of 2007.

In terms of data breaches, the education sector accounted for 24% of all data breaches that could lead to identity theft in the second half of 2007, the most of any sector. That said, the government sector was responsible for 60% of the total identities exposed. As in the Microsoft report, 57% of these breaches were the result of the loss or theft of computer equipment.

Download both reports at these links:

Via SecurityFocus

University of Miami Breach

Wednesday, April 23rd, 2008

Who Breached: University of Miami
Number Affected: 2.1 million
Information breached: Social Security Numbers, some financial data
How: laptop

The University of Miami has lost a case of computer tapes containing the confidential information of 2.1 million patients. The case was stolen from a van used by a private off-site storage company.

Anyone who was a patient of a University of Miami physician since 1999 has been affected by the breach. The University will be notifying only those patients whose financial data (credit card or other billing information) may have been included, which amounts to 47,000 patients. The data included Social Security Numbers or health information in every case, so it’s not clear why the breach notification is being restricted.

The University of Miami hired a security expert from Terremark Worldwide to determine whether the data on similar tapes could be accessed. After a week of trying, the expert believes that the proprietary compression and encoding would make the data difficult to access.

More information from the University of Miami about this breach can be found here.

Other sizable data breaches this week:

Via attrition.org, Miami Herald

UK Patient Security Needs Improvement

Monday, April 21st, 2008

The UK government has admitted that the current state of patient security and confidentiality is in need of improvement. Despite the number of data breaches, the UK government has still been pursuing initiatives to revamp the health system to have centralized, and more accessible, health data.

The problems of protecting patient data are not going away; indeed, they are only getting more complicated with the centralized National Health Service (NHS) system on the way. Those concerns are compounded by the decision to allow pharmacists access to patient Summary Care Records (SCRs), which contain patient and treatment details.

The [Department for Health] admitted that maintaining the security and confidentiality of this data could be a challenge. “The NHS Care Record Guarantee [which promises careful and secure patient data handling] has been drawn up and agreed by key parties as to what patients have a right to expect about how any information about them in the Care Record Service may be stored, used, shared and transmitted.

“However, there have been specific concerns about the use of the Care Record Service in community pharmacies, also often thought of as a retail setting.”

As of yet, the government is saying that more discussions and assessments (read: red tape) need to take place in order for a decision to be made about how to protect patient data. So, it would seem that actually protecting that data is a long way off.

The new push to allow pharmacists access to SCRs has been a part of a UK$12.4 billion investment into the Connecting for Health program. This program could play a part in the push to enable patients to consult with pharmacists for non-serious issues, lifting some weight off the GPs’ shoulders. But, it may open the door for more data breach incidents. Only time will tell.

Via intergovworld

Oklahoma Department of Corrections Data Leak

Monday, April 21st, 2008

Who Breached: Oklahoma Department of Corrections
Number Affected: Tens of thousands
Information breached: Social Security Numbers
How: Unsecured website

Another security breach caught my attention today. Some very bad website programming left a huge hole in the Oklahoma Department of Corrections website for at least three years, a hole that would allow anyone with very basic SQL knowledge to access the names, addresses and Social Security Numbers of tens of thousands of Oklahoma residents.

Not only was this data freely available to anyone with basic SQL knowledge, but the data could possibly be changed as well. All of the Department of Corrections databases could be accessed and possibly changed. That means that public records could be tampered with: you could turn your neighbor into a sex offender or wipe your own criminal record clean.

The writer for “thedailywtf” was the one who discovered the breach. During a routine search of the site, he stumbled across information that led him to believe it could be hacked, which he proved in mere seconds.

So, how was this possible? The search function on the Sexual and Violent Offender Registry gave you a little link to “list all results in a printer-friendly format.” That link was a very long URL containing the SQL statement that created the search results (something the site should never expose), and the statement in the link could be modified (also bad). So, by changing that URL, you could bring up all the “hidden” information, like SSNs.

Although this “hack” was brought to the attention of the Department of Corrections, the “fix” was also easily bypassed. The author of “thedailywtf” then gave them specific instructions to take down the roster pages completely in order to make the site secure. This fix has now been put in place. You can read the full details here.
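To make the defect concrete, here is an added example (not code from the Department of Corrections site or from thedailywtf) contrasting the pattern described above, where the SQL statement itself travels in the printer-friendly URL and is executed as received, with a hardened handler that carries only the search term in the URL, binds it as a parameter to a fixed statement, and selects from an explicit list of public columns that never includes the SSN. The table, the rows and the `/registry/print` path are all constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

# Columns the public roster is allowed to show; ssn is deliberately absent.
PUBLIC_COLUMNS = ("name", "city", "offense")
MAX_TERM_LENGTH = 64


def build_sample_db():
    """Constructed in-memory stand-in for an offender registry (values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT, "
        "ssn TEXT, offense TEXT)"
    )
    conn.executemany(
        "INSERT INTO offenders (name, city, ssn, offense) VALUES (?, ?, ?, ?)",
        [
            ("Jane Example", "Tulsa", "000-00-0001", "burglary"),
            ("John Sample", "Norman", "000-00-0002", "assault"),
            ("Mary Specimen", "Tulsa", "000-00-0003", "fraud"),
        ],
    )
    return conn


def search_vulnerable(conn, sql_from_url):
    """The flawed design: whatever SQL arrives in the URL is run verbatim, so the
    caller chooses the columns (SSN included) and the statement (UPDATE included)."""
    return conn.execute(sql_from_url).fetchall()


def search_hardened(conn, term_from_url):
    """Fixed statement, explicit column list, user input bound as a parameter.
    The term can only ever be matched as literal text, never parsed as SQL."""
    term = str(term_from_url)[:MAX_TERM_LENGTH]
    sql = (
        f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM offenders "
        "WHERE name LIKE ? ORDER BY name"
    )
    rows = conn.execute(sql, (f"%{term}%",)).fetchall()
    return [dict(zip(PUBLIC_COLUMNS, row)) for row in rows]


def printer_friendly_link(term):
    """The link the results page hands out: only the search term, URL-encoded."""
    return "/registry/print?" + urlencode({"name": term})


def handle_print_request(conn, query_string):
    """Server side of the hardened link: honour the 'name' field only; any other
    field in the query string (a smuggled 'sql=' for instance) is ignored."""
    params = parse_qs(query_string)
    term = params.get("name", [""])[0]
    if not term:
        return []
    return search_hardened(conn, term)


if __name__ == "__main__":
    db = build_sample_db()
    print(search_hardened(db, "Sample"))
    print(printer_friendly_link("Van Sample"))
    print(handle_print_request(db, "name=Sample&sql=DROP+TABLE+offenders"))
```

The point of the contrast is the trust boundary: in the hardened version the database never sees anything from the browser except a bound string, so the column set and the statement type are fixed by the code, not by whoever edits the link.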

It is still unknown whether the data was actually accessed, even though it was so easily available. Identity thieves have long exploited security issues of this kind. What is known is that this is a scary breach, and one that could certainly make you worry about the security of important public records.

hat tip to schneier

University of Virginia Breaches 7,000 after laptop theft

Friday, April 18th, 2008

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad data breaches caused by exactly this kind of negligence.

The University of Virginia experienced a data breach in June, 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University says that the use of Social Security Numbers as a personal identification number was already being phased out. Obviously, not soon enough.

Other notable data breaches this week:

hat tip to Attrition.org

Tax Season a Time for Fraud

Thursday, April 17th, 2008

You know about thieves stealing your credit cards, or even accessing your bank statements. But did you know that your tax refund is also at risk?

The Seattle Post Intelligencer has reported the story of a woman who found a fraudulent tax return filed under her name: a thief had filed a return under her Social Security Number that would result in a refund. Many other people may find themselves victims of identity theft this tax season.

An unnamed woman sat down at her computer to file her taxes, but her return kept being rejected with an error stating that a tax return had already been filed under her Social Security Number. After calling the Social Security Administration and the IRS, she found that the earlier return had been filed from a different address, not hers.

The thief had filed a fraudulent tax return under her name, one that would yield a cash refund. And so, the woman now has to file a police report and a complaint with the FTC, put a fraud alert on her credit report, and go through the process of proving her identity in order to submit her real tax return.

An earlier Seattle PI story painted a dire picture of the process: a tax preparer who found herself a victim of identity theft was unable to receive her tax refund until two months, and many calls, later. And she may have been lucky. Finance Committee Chairman Max Baucus says that it takes a year, on average, for the IRS to sort out who the real taxpayer is and to issue a refund.

According to a new audit [PDF] out from the Treasury Inspector General for Tax Administration, fraudulent tax returns are becoming all too common. Complaints of this type jumped 579% in the five years leading to 2007, with 20,000 complaints in 2007.

Sadly, the report found that the IRS is doing very little to stop or to prosecute those who commit this form of identity theft. Prosecution is only pursued if the identity theft occurs in conjunction with other criminal offenses.

IRS policy is that the actual crime of identity theft will only be investigated by the Criminal Investigation Division if it is committed in conjunction with other criminal offenses having a large tax effect.

Such a lack of prosecution may explain the huge jump in incidents seen over the last few years.

image: penywise via morguefile
