Archive for December, 2009

So Much Data, So Easy to Lose

Wednesday, December 30th, 2009

USB thumb drives are very convenient. It was only about ten years ago that 3.5″ floppy disks that could only hold 1.44 megabytes of data were the norm. It was revolutionary when Iomega introduced the Zip disk that could hold 100 megabytes in the same amount of space. A lot changes in a decade.

Now there are flash drives the size of your thumb that can hold 128 gigabytes of information. That is the equivalent of more than 90,000 3.5″ floppy disks and it fits nicely in your pocket, or attached to a key chain. The same features that make them useful and convenient, though, also make them easy to lose or steal and make them a significant risk to data security.

In Canada recently a USB thumb drive containing personal information such as name, address, phone number, date of birth, health card number, doctor’s name and other health information for over 83,000 patients was lost. Companies and organizations need to realize the risk posed by storing gigabytes of sensitive, unencrypted data on a device the size of your thumb.

Policies should be defined and enforced to provide guidance on what data may be stored on portable media such as USB thumb drives. Zecurion’s Zlock can provide the tools needed to enforce that policy, with controls that restrict access to external devices, including printers. For data that is allowed to be stored on USB flash drives, Zlock can create a shadow copy, providing an audit trail that details the data that was transferred.

Additionally, organizations should use secure USB flash drives like Ironkey or SafeStick, and/or protect the data using tools like Microsoft’s BitLocker-to-Go encryption to ensure that any data contained on the drive is protected even if the device is lost or stolen.

North Carolina Server Breach Exposes Sensitive Data

Sunday, December 20th, 2009

More than 50,000 users had sensitive information, including driver’s license and Social Security numbers, exposed during a server breach in August. The breach of a server at the community college System Office in Raleigh occurred on August 23rd, and officials were aware of it as of August 24th. An investigation was allegedly begun immediately, but news of the breach was only made public this week, almost four months later.

The official press release regarding the incident explains “The NC Community College System Office began notifying nearly 51,000 library users from 25 community colleges that a security breach occurred on a computer server containing their personal information, including Social Security or driver’s license numbers. All reviews and investigations indicate that no personal information was accessed by the intruder. However, library users with such information on the server will soon begin receiving letters explaining the attack, steps being taken to prevent future breaches and actions they may take to protect their credit and to ensure protection from identity theft.”

The press release describes the attack as a successful password cracking attempt via the Internet. There are other questions to answer regarding password complexity and how an attacker was able to conduct password cracking remotely from the Internet, but had the data on the server been encrypted it would have been protected even after the server itself was breached.

Laptop Stolen, But Security Measures Make Data Compromise Unlikely

Thursday, December 17th, 2009

A story from CNN today reports that a laptop containing personal information on approximately 42,000 Fort Belvoir Morale, Welfare and Recreation (MWR) patrons was stolen over the Thanksgiving holiday weekend. The focus of the CNN story seems to center on the fact that it took two weeks for the military to respond and alert those whose information may be compromised by the theft. It goes on to exclaim that this is not the first time the military has had a laptop stolen, but assures us that there is a bill currently in the Senate which would call for greater protection for mobile data.

What seems to be somewhat glossed over in the CNN story is the fact that this data was protected. CNN does mention it when it says “information security experts for the Army say it’s unlikely that the information will be compromised because the data are guarded by three layers of security and encryption passwords.” But, somehow that part seems buried under the rest of the story as if we’re not supposed to care about it.

I am not sure we can ask much more. Portable computers like laptops and netbooks are trending up in sales, and portable storage like USB flash drives and external hard drives is relatively cheap. The convenient and portable size of these computers also makes them easy and convenient to steal. The bottom line is that there is a lot of sensitive information being carried around on these devices.

Companies and individuals need to operate under the assumption that a laptop will be stolen. I am not suggesting that laptop theft is so rampant that there is no way to avoid it, I am just suggesting that the data on the laptop be treated as if its theft were a sure thing. If you knew, for a fact, that your laptop would be stolen tomorrow, what kind of security would you have on it to protect the information it contains? Which data is so sensitive that you would add extra layers of security and encryption to virtually guarantee that it can’t be compromised?

In this case, perhaps the military should have notified individuals sooner. It can also be argued that, because of the security controls and encryption in place, the military didn’t need to notify anyone at all. By placing adequate protection on the laptop the military essentially ensured that the thief might be able to use or sell the laptop, but they won’t be accessing any of the data it contains.

Minnesota Employee Data Exposed by Lookout Services

Tuesday, December 15th, 2009

Personal information on hundreds of Minnesota state employees has been publicly available on the Web for months, unencrypted and without any sort of password protection. Minnesota entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the data breach.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks, which determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services (the agency within DHS responsible for E-verify checks), responded saying “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with that philosophy. Minnesota is one of 46 states that require victims to be notified in the event of a data security breach. The Minnesota legislation requires that victims whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies it was originally entrusted to. Part of the process of engaging a third party to handle such sensitive information is to ensure it has strong policies and procedures, and adequate security controls in place, to safeguard the information. Apparently, Minnesota didn’t do its due diligence prior to partnering with Lookout Services.

Patient Data Leaked to Local Attorneys by Hospital Worker

Sunday, December 13th, 2009

The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.

According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:

  • If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
  • If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
  • If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
  • If it takes longer than 30 days, the fines start at $50,000.

The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified patient records being left unattended, outgoing email containing sensitive information being transmitted without encryption, and, in some cases, no record of what information was disclosed to third parties. Any of these data protection weaknesses could come back to haunt UMC, both in the federal investigation and fines and in any subsequent civil suits arising from the breach of confidentiality.

Health and medical institutions like UMC would benefit from using tools to enforce data security policies and monitor and restrict the data that is sent to networked printers or saved to removable media, and software that can scan and filter outbound email to ensure sensitive information is not transmitted unencrypted.
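The outbound-email filtering described above, as an added illustration that is not part of the original post or any Zecurion product: it parses a message, skips mail that is already S/MIME or PGP/MIME encrypted, scans every text part for Social Security number patterns, and discards numbers the SSA never issues to cut false positives from phone and reference numbers. The sample messages are constructed.

```python
import re
from email import message_from_string

# Candidate SSN: 3-2-4 digits with optional "-" or " " separators, not embedded in a longer run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")
# Top-level content types that mean the body is already encrypted (S/MIME or PGP/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop numbers the SSA never issues (area 000, 666, 900+; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, normalised to NNN-NN-NNNN."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def inspect_outbound(raw: str) -> dict:
    """Verdict for one outbound message: block clear-text SSNs, pass encrypted mail."""
    msg = message_from_string(raw)
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return {"verdict": "allow", "reason": "encrypted", "ssns": []}
    found = []
    for part in msg.walk():                       # visit every MIME part
        if part.get_content_maintype() != "text":
            continue                              # attachments would need their own parsers
        raw_bytes = part.get_payload(decode=True) or b""
        found += find_ssns(raw_bytes.decode(part.get_content_charset() or "utf-8", "replace"))
    if found:
        return {"verdict": "block", "reason": "clear-text SSN", "ssns": found}
    return {"verdict": "allow", "reason": "no sensitive data found", "ssns": []}

# Constructed sample messages (not real traffic).
MSG_LEAK = "From: hr@example.org\nTo: vendor@example.net\nSubject: new hire\n\nSSN is 219-09-9999, start Monday.\n"
MSG_CLEAN = "From: desk@example.org\nTo: a@example.net\nSubject: call\n\nCall 800-555-0199, ref 666-12-3456.\n"
MSG_ENC = ("From: hr@example.org\nTo: vendor@example.net\n"
           "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
           "Content-Transfer-Encoding: base64\n\nMIIBogYJKoZI\n")

if __name__ == "__main__":
    for m in (MSG_LEAK, MSG_CLEAN, MSG_ENC):
        print(inspect_outbound(m))
```

A production filter would also have to open attachments (PDF, Office files) and look for other identifiers such as health card or driver’s license numbers.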

SC Virtual Symposium: Botnets

Thursday, December 10th, 2009

Join SC Magazine and Zecurion today (Thursday, December 10) from 2pm to 4pm eastern time for a virtual symposium on the threat posed by botnets.

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, and Gunter Ollman, vice president of research at Damballa, will be the featured speakers presenting an overview of the threat posed by bots and botnets, as well as current trends for crimeware and social engineering tactics.

Presenters will also discuss how companies can defend against these threats, and strategies to ensure that corporate networks are not infiltrated and compromised by botnets and other malware security threats.

Be sure to stop by and chat with Zecurion while you’re there to learn more about Zecurion products and how we can help protect and secure your data.

SC Virtual Symposium: Botnets is free to attend. Click here to register and enter the virtual conference.

Former Insurance Agent Accused of Breaching Customer Data

Tuesday, December 8th, 2009

Farmers Insurance in Nashville is investigating a breach and notifying customers that their data was compromised. The incident seems to be a result of a combination of weak server security and a disgruntled ex-employee.

An individual allegedly contracted to ‘hack’ into Farmers by a former agent “said a few months ago he discovered a flaw in the agent page for Farmers Insurance that allows someone to extract all the information from its database, such as insurance policies, names, addresses and Social Security numbers.”

Obviously, Farmers should have had better security in place on the Web server in the first place. In addition, though, the data stored on the server should be protected to ensure it can’t be compromised even if an attacker manages to gain access to the server itself.

Inadequate Server Security Results in Breach of 4000 Students’ Data

Monday, December 7th, 2009

Thousands of students found out the hard way that the University of Nebraska had their data on its servers. The university discovered that a computer in the College of Education and Human Sciences at the Lincoln campus was inadequately secured and allowed unauthorized access, revealing sensitive information.

Nebraska high schools shared the names, addresses, and Social Security numbers of students that graduated between 2002 and 2005 in cooperation with a study analyzing school district and standardized testing performance. The 4,000 students involved were unaware that the University of Nebraska had their data until informed that it might be compromised.

Breaches like this are far too common and seem to occur in disproportionate numbers at colleges and hospitals. Organizations that are entrusted with sensitive and confidential personal information need to have the proper controls and tools in place to protect that data even if unauthorized access occurs.

Malware Leads to Breach of Student Data

Sunday, December 6th, 2009

Eastern Illinois University revealed on Friday that an admissions office server had been infected with malware which it believes enabled attackers to freely access the system. EIU can not determine whether or not files were accessed, but IT technicians fear that as many as 9,000 files containing personal information on current and former students, as well as applicants, may have been compromised.

These stories are so common that companies and individuals alike may become de-sensitized over time. However, the fact that these stories are so common doesn’t reduce the impact on the institutions and individuals affected, nor does it eliminate the obligation of entities entrusted with sensitive information to take the necessary steps to ensure it is protected at all times.

Details are sketchy at this point, but it seems that the server was lacking antimalware protection, or that the antimalware signatures were not up to date. It’s also possible that the malware was new or unknown and simply slipped right past the antimalware defenses. That is why the data on the server should also be encrypted, so that it cannot be compromised even if the server itself is breached.

Best Practices for Protecting Against Insider Threat

Tuesday, December 1st, 2009

CERT, Carnegie Mellon University Software Engineering Institute’s center for conducting and coordinating information security research, has written the Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1.

In describing the audience for the guide the document notes “Insider threats are influenced by a combination of technical, behavioral, and organizational issues, and must be addressed by policies, procedures, and technologies. Therefore, it is important that management, human resources, information technology, software engineering, legal, security staff, and the “owners” of critical data understand the overall scope of the problem and communicate it to all employees in the organization.”

At 88 pages, the CERT guide is fairly comprehensive. It provides a range of best practices addressing the different aspects noted above (technical, behavioral, and organizational issues) that shape the insider security threat.