A customer needed help with his Wi-Fi network and asked a friend for help with the configuration.  His friend, David Chen who writes the Chenosaurus blog, was surprised to discover the issue and wrote: “from within your own network, an intruder can eavesdrop on sensitive data being sent over the Internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks.  Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.”

That’s a very scary thought!  Most subscribers trust the equipment installed by their service providers and would never imagine that a router they have been given could leave them open to attack.  Time Warner has implemented a temporary patch but prior to Chen’s discovery, administrative access to the routers was allowed and attackers were free to run programs against them.

A permanent fix for the SMC 8014 wireless router and cable modem is expected sometime in the near future.

image: SMC.com

Apparently, businesses are looking at what kids are saying about a variety of things including movies, music and video games in order to come up with better marketing strategies.

This is especially scary since this software puts children’s personal information at risk.  Truly, the potential threat of software like this is huge. 

The company has defended themselves saying that they do not record the children’s names and addresses although they do know their ages. 

The software developer, EchoMetrix Inc. says that parent’s can opt out of having their children’s data shared by checking off a box, but it’s unclear how obvious this option is. 

For more information about this story and to learn more about the companies that do not share chat messages, click here.

image: Michal Zacharzewski, SXC

The industrial manufacturing company discovered that one of their employees, a senior research chemist, transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place in case someone tried to attach a hard drive to company computers.  I was further baffled when I learned that this isn’t the first time they’ve been through this. 

After 10 years with DuPont, an employee gathered information from thousands of documents and scientific abstracts.  His mission?  To sell the information to rival company, Victrex.  He ended up being sentenced to 18 months of jail time.

Aside from setting up some sort of alert system for when data breaches occur and using laptop security products like Computrace, DuPont (and other companies) has to find a way to work around the fact that even people with legitimate access to their information need to be considered potential threats. 

image: www.sxc.hu

As the result of a hacker penetrating their e-commerce system, Network Solutions has determined that approximately 573,938 credit card holders may have had their data transfered. The company detected that hackers had placed unauthorized code on servers for some e-commerce merchants’ websites, and that this code may have been used to transfer data on some transactions. The credit card data was encrypted and PCI-compliant, and it is currently unknown how the malicious code entered the system.

From their news report:

The unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

Merchants and their customers are currently being notified. Network Solutions has additionally put together an informational website for their merchants at careandprotect.com. Consumer information is also included there for reference. They have included a blog in the website to answer questions that have arisen in the last week.

The quick and forthright response by Network Solutions has been quite impressive. They seem very keen to answer questions and be public with their responses. In addition, they have offered to foot the bill for customer notification, rather than those costs falling to the merchants affected.

Other notable data breaches from July:

• HSBC Life, Lost Media, 180,000 affected (read more)
• University of California San Diego Moores Cancer Center, Hack, 30,000 affected (read more)
• LexisNexis, possible organized crime, >13,000 (read more)
• Alberta Health Services Edmonton, Virus, >11,000 (read more)

Via datalossdb, the register,

Number Affected: 8 million +

Information breached: Prescription records

How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.”

Director of Virginia’s Department of Health Professions, Sandra Whitley Ryals, declined to discuss the reported hack, saying [PDF] only that an investigation is underway by federal and state authorities. She said that they are working with experts to restore systems and ensure they’re safe. The Virginia Department of Health Professions says that all data has been backed up and those files remain secure. There is no word yet if affected patients will be contacted about this breach.

Via consumerist, washington post, computerworld

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye from it’s magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted, laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a very minor security protocol. There’s no guarantee the password was strong and, even with strong password-protection, systems with no additional security precautions pose a high risk for being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

The documents outline a Metropolitan Police Service and MI5 counterterrorist operation against al-Qaeda suspects. The document revealed details for a planned arrest of terrorist suspects following a long covert surveillance operation. Steps were made to censor the photographs (only successful in Britain) and Mr. Quick’s location fearing that information would tip off the suspects. The operation was able to continue, with arrests made sooner than was planned, but it is still a major security blunder.

Bob Quick says he “deeply regretted” revealing the documents to photographers, and some people seem willing to forgive him for simply holding the paper the wrong way. However, the secret documents should not have been carried outside of secure areas in printed format – at the very least, they could have been transported in an encrypted drive. This is not the first incident where a government official has accidentally shown secret notes to the journalists who often wait outside of Downing Street.

Bob Quick resigned soon after the incidence, following a meeting with the home secretary and the Metropolitan Police commissioner.

“I have today offered my resignation in the knowledge that my action could have compromised a major counterterrorism operation.

I deeply regret the disruption caused to colleagues undertaking the operation, and remain grateful for the way in which they adapted quickly and professionally to a revised timescale.”

It is a pity that the breach was made, but the repercussions are already wide-ranging. Not only has the public outcry damaged the trust in government security, but the MPS has lost its most senior, and experienced, counterterrorism specialist. This should underscore the importance of having a clear security policy and ongoing employee training – at all levels – to ensure compliance to basic security measures.

Via Schneier

1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A Doctor has admitted to his mistake in improperly disposing of the files. [read more]
3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
4. A Dallas man found a box of medical records, including Social Security Numbers, the the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net ; image: clarita @morguefile

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) were accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.

Image: Clipart

The National Nuclear Security Administration (NNSA) wrote [PDF] to the LANL about the most recent computer theft expressing concern that the apparent “robustness of cyber security implementation” was not being vigilantly overseen. They say there are issues with individual security controls but also configuration management and accountability issues.

“In treating this initially as only a property management issue, my staff and I, and apparently the cyber security elements of the laboratory, were not engaged in a timely and proactive manner to assess and address potential loss of sensitive information.”

The quote above indicates a common misconception – that the loss of data devices is a property issue, not a data security issue. The memo advices LANL to treat all loss of equipment that can carry data – not just computers – as a cyber-security concern.

The letter revealed that 13 LANL computers have been stolen within the last year and that 67 are currently “missing.” Very little data was available – or collected – about what data has been compromised as the result of these breaches. Jeffrey Berger, director of communications at LANM, says that no classified data was held on any of the lost devices and thinks the leaked memos “distorted” the situation.

Los Alamos has suffered 3 major public breaches in the past, so none of this experience is ‘new’ to them. A system like Absolute Software’s Computrace could help with the asset tracking that appears to be a major problem for the lab – so they would know, in seconds, where every single computer is.

Via AFP, eweek, CNet, Computerworld, WSJ