Archive for September, 2008

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB

Shredded Checks Are Not Packing Material

Tuesday, September 9th, 2008

This is just a common sense business tip: do not use shredded checks as packing material.

The WHH Ranch Company has been using shredded paper from a Texas-based bank for 20 years. Some of that paper came in the form of shredded checks.

When Michelle McBride ordered some food from WHH Ranch, she found it packed in shredded checks. The shredded paper was in wide strips (it was not cross-cut), so it could easily be pieced together. In fact, that’s what Michelle McBride did: she was able to reassemble some checks and plainly read off account numbers and routing information for hospitals, Medicare, schools, businesses and personal accounts.

After learning of the problem, WHH Ranch says they’ll ensure it doesn’t happen again.

So, two things to learn from this:

  • If you are shredding sensitive information, use a good cross-cut or confetti shredder, particularly if you’re a business.
  • If you are using shredded paper as packaging material, ensure it is finely shredded and contains only non-sensitive papers.

After the jump is a video of the CNN report about this incident (the video auto-plays).

Most IT Employees Would Steal Data

Tuesday, September 9th, 2008

Cyber-Ark Software has released the results of a new survey indicating some disturbing facts about insider data breaches by exiting employees.

Cyber-Ark interviewed 300 IT security professionals for its annual survey. This year, 88% of respondents said that, if laid off tomorrow, they “would take valuable and sensitive company information with them.” And that’s just counting the respondents who were honest enough to admit they’d act unethically!

When asked what information they would take, respondents listed: the CEO’s passwords, the customer database, R&D plans, financial reports, M&A plans and a list of company passwords.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” – Udi Mokady – president and CEO of Cyber-Ark.

Most companies may be unaware of the full list of admin passwords that an IT employee has access to, and this could prove dangerous. Privileged passwords that access sensitive information should be secured and routinely changed, particularly when IT employees leave.

Other interesting survey results:

  • One third of companies believe internal espionage and data leaking has resulted in data going to competitors or criminals
  • One quarter have suffered data breaches by internal sabotage and/or IT security fraud
  • 35% send sensitive or confidential information via email (an insecure medium, most of the time)
  • One third of IT administrators admit to keeping passwords on post-it notes
  • One third admit to snooping on the network to look at confidential information like salary details, personal emails, meeting minutes, etc

Via Network World

California Data Protection Bill Goes to Governor

Monday, September 8th, 2008

The Consumer Data Protection Act (AB 1656; PDF) has been put before California’s Governor Arnold Schwarzenegger once again. He vetoed the bill in October 2007, saying the costs to merchants would have been too prohibitive and that the bill had the “potential for California law to be in conflict with private sector data security standards.”

The bill has now been amended, approved by the Senate by a 74-1 margin, and is headed back to the Governor’s desk for approval. The Consumer Data Protection Act would require that retailers:

  • Take more stringent protection measures
  • Notify consumers about data breaches (provision to reimburse financial institutions for cost of breach removed from the bill)
  • Specify a date range when the data breach was thought to have occurred
  • Not store certain types of cardholder data, even if encrypted
  • Develop data retention & disposal policies
  • Encrypt data transmissions

Given that the financial reimbursement provision has been removed, it is a much more conservative bill. Still, it is unclear whether Governor Arnold Schwarzenegger will reiterate his position that added security measures should be the responsibility of private governing bodies rather than imposed by law. Analysts suspect the bill will be approved and that California will lead the way toward other states adopting similar statutes.

Minnesota is currently the only state with a law like this; its Plastic Card Security Act is stricter than the proposed California bill.

In other security news, Roger Grimes has a very thorough analysis of Google’s new open source browser, Chrome, here.

Hat tip to PogoWasRight; via ComputerWorld

Online Gaming & Security

Friday, September 5th, 2008

McAfee’s Igor Muttik has written a white paper on online gaming and security [PDF]. The white paper lists the various security problems associated with online gaming, and some potential solutions. Given the growth of online gaming, you won’t be surprised to learn that security issues rose dramatically in 2007, and even more so in 2008. Approximately 40-50% of password-stealing Trojans out there target online gamers specifically, which is huge!

Online gamers are starting to suffer from real-world problems such as identity theft, extortion, and theft of virtual assets. Given that virtual money in many of these online communities can be exchanged for real money, it’s not surprising that these attacks have sprouted up. The white paper goes into all of this in detail.

Security issues associated with online games:

  • Data-stealing Trojans – to record login details in order to steal virtual assets. These Trojans are second in number only to those that steal banking data.
  • Phishing – to gain access to virtual assets
  • Viruses / malware – to deliver the data-stealing code

About half of the document covers best practices for creating secure gaming environments. This discusses scripting, but also the “3 pillars of security”: technology, economic measures and human factors.

Download the report here.

Absolute Software Upcoming Conferences

Friday, September 5th, 2008

Absolute Software will be presenting at a couple of upcoming conferences.

Deutsche Bank 2008 Technology Conference

Official Website
Where: The Palace Hotel, San Francisco
When: Tuesday, September 9, 2008 at 1:20pm
Presenters: John Livingston (Chairman and CEO of Absolute) & Rob Chase (CFO)

Tune in for the live webcast here.

Jeffries 2nd Annual Technology Conference

Official Website
Where: New York City
When: Thursday, September 11, 2008 at 9:00am
Presenter: John Livingston (Chairman and CEO)

Tune in for the live webcast here.

Absolute Software Wins Stevie Award

Friday, September 5th, 2008

Congratulations to the Absolute Software sales team for winning a Stevie Award!

Absolute Software was recognized for the “Best Sales Team” Award in the 2008 International Business Awards.

The finalists for this award were: Dow Jones, International Paper, Reliance Mutual Fund, Richardson, SalesLabs, Sherwin-Williams and WebEx Communications.

Carter McCrary, Chief Operating Officer at Absolute, had this to say in the press release:

“The go-to-market team has grown our contracted subscriber base by 110% over the last year, doubling the Company’s subscriber base, without losing sight of delivering a world-class customer experience for our clients.”

The International Business Awards, known as the Stevie Awards (for the Greek word “crowned”), are a global business awards program. Entries in the 2008 awards grew by 65% to 1700 entries from organizations and individuals in 30 countries. There are more than 40 categories of awards, with finalists determined by a panel of judges and advisors.

In addition to this fabulous recognition of hard work, the winners will be honored with a dinner in Dublin, Ireland on September 8th! Check out the full list of Stevie winners here.

Can Security be Measured in ROI?

Thursday, September 4th, 2008

Bruce Schneier has written a great article on the use of ROI (return on investment) in business security decision making. Under this model, businesses would only invest in security solutions that had a positive ROI, meaning the money gained (realized or unrealized) exceeds the cost invested. When comparing options, a company would choose the one with the greatest return for the stockholders.

So the question remains: do ROI models accurately determine whether a security investment is “worth it”? Bruce Schneier notes:

“‘ROI’ as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.”

A data breach would have associated costs, so preventing one would produce cost savings. This does affect the bottom line, although it’s an intangible figure. As Schneier notes, although many security vendors provide an ROI model to meet the business demand for this kind of measurement, the numbers cannot be accurate for your particular business.

So, how do you measure security investment?

  • Don’t spend more on a security problem than it’s worth
  • Don’t ignore security problems that cost money if cheaper mitigation alternatives are available

One option is to use annualized loss expectancy (ALE), a model that multiplies the cost of a security incident (tangible and intangible) by the probability of that incident happening in a given year. The result tells you how much it is worth spending to mitigate the risk. However, the model relies on good data, and that is difficult to obtain for all areas of IT security. When it comes to cybersecurity, not enough data about crime or the effectiveness of countermeasures exists to build an accurate model. The model also cannot anticipate rare, very expensive security incidents.

So, the end result of all this is to trust your own analysis based on your own numbers and to use results as a general guideline only. Use your numbers along with sound risk management and compliance strategy when deciding on what security solutions you buy.
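To make the ALE reasoning above concrete, here is an added example (not from Schneier’s article or this post) that applies the two rules to a set of candidate controls and then checks how sensitive the decision is to the incident-likelihood estimate, which is exactly the input the post says is hard to get right. All figures, control names and the lost-laptop scenario are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Risk:
    single_loss: float   # cost of one incident, tangible plus intangible (assumed figure)
    annual_rate: float   # expected incidents per year (the "chance in a given year")

    def ale(self) -> float:
        """Annualized loss expectancy: cost of one incident times its yearly likelihood."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: float   # fraction of incidents the control is expected to prevent (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has removed its share of incidents."""
    return Risk(risk.single_loss, risk.annual_rate * (1 - control.rate_reduction)).ale()


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus what the control costs; negative means it costs more than the problem is worth."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def choose_control(risk: Risk, controls: Sequence[Control]) -> Optional[Control]:
    """Rule 1: drop controls that cost more than they save. Rule 2: of the rest, take the one that pays best."""
    paying = [c for c in controls if net_benefit(risk, c) > 0]
    return max(paying, key=lambda c: net_benefit(risk, c), default=None)


def decision_is_robust(single_loss: float, rate_low: float, rate_high: float, control: Control) -> bool:
    """The model is only as good as its data: does the control still pay at both ends of the likelihood estimate?"""
    return all(net_benefit(Risk(single_loss, r), control) > 0 for r in (rate_low, rate_high))


# Constructed lost-laptop scenario; these are illustrative numbers, not measured ones.
LAPTOP_LOSS = Risk(single_loss=200_000.0, annual_rate=0.2)
CONTROLS = [
    Control("full-disk encryption", annual_cost=15_000.0, rate_reduction=0.9),
    Control("managed device replacement", annual_cost=50_000.0, rate_reduction=1.0),
    Control("staff awareness training", annual_cost=5_000.0, rate_reduction=0.5),
]

if __name__ == "__main__":
    print(f"ALE without controls: {LAPTOP_LOSS.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(LAPTOP_LOSS, c):,.0f}")
    best = choose_control(LAPTOP_LOSS, CONTROLS)
    print("choose:", best.name if best else "nothing")
    print("robust for 0.05..0.4 incidents/year:", decision_is_robust(200_000.0, 0.05, 0.4, best))
```

With these inputs encryption wins at the point estimate, but the decision flips if the true rate is nearer 0.05 incidents per year, which is the kind of data dependence the post warns about.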


Identity Theft in California – Study

Wednesday, September 3rd, 2008

Identity Theft 911 has published a white paper about identity theft in California [PDF]. The white paper examines identity theft within the state and what steps government officials and businesses are taking to combat the issue.

In 2007, California was ranked as the second-worst state in terms of identity theft complaints per capita, according to Federal Trade Commission (FTC) data. From 2002-2006, it held the third position on this list, so it’s clear that identity theft is a growing and persistent issue in California.

“Each year, more and more consumers fall victim to various forms of this insidious crime. This report puts a spotlight on California, highlighting several issues that are likely responsible for driving up these numbers in the state,” said Judd Rousseau, Chief Fraud Officer of Identity Theft 911.

According to the FTC, 1.5 million Californians were victims of identity theft in 2007 (out of a population of 36.5 million). The most common forms of identity theft were credit card fraud and employment-related fraud. The incidents of 2007 cost an estimated $749 million in out-of-pocket expenses for victims (and 6 million hours in resolution time). That’s an astronomical figure.

California has been responding to the issues of identity theft at the government level. New legislation has been passed, including breach notification laws, prohibitions for the public display of Social Security Numbers, and restrictions on the sharing / selling of personally identifiable information. The white paper outlines various other types of legislation that might mitigate the identity theft issue in California.

Via press release

The Risks of Password Recovery

Tuesday, September 2nd, 2008

For almost every password-protected website there’s a way to recover your password: the “Forgot Your Password?” link is ubiquitous. But it’s also dangerous.

If you want to recover your password, chances are someone else can recover it for you. Most password-recovery systems will ask you a series of “security” questions such as “What is your cat’s name?” or “Where did you grow up?” The problem is that, in the age of Google and social networking sites like Facebook, that data is no longer secret.

Some web security experts are now calling these password reset tools the weakest link in Web security.

One web expert asked permission to hack into the bank accounts of several friends. Using only information he found online, he was able to trigger the bank’s password reset, access the email account via another password reset, then access the bank accounts. You can read more about his “social hack” experiment, published here on Scientific American.

Security experts are positing that it won’t be long before portfolios of personal information will be bought and sold for large-scale password-reset hacking attempts.

So, what’s the solution? Coming up with secure challenge questions is not an easy task. A set of preference questions (such as “Do you like opera?”) may work more effectively than fact-based questions. There’s a fabulous discussion about this password issue going on at MSNBC’s Red Tape Chronicles here.

Great reference for additional reading: Security Questions in the Era of Facebook (PDF) by Ariel Rabkin.

Via Red Tape Chronicles
