Breaches

Saturday, 22 May 2010

Identity theft the old-fashioned way

We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report:

Silicon Valley Eyecare Optometry and Contact Lenses
State: California
Approx. # of Individuals Affected: 40,000
Date of Breach: 4/02/10
Type of Breach: Theft
Location of Breached Information: Network Server

An FAQ on the firm’s web site says, in part:

What happened?
On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an outside window to the administrative area of our office at 770 Scott Boulevard in Santa Clara, CA. Our security cameras show the intruders coming through the window, confiscating the computer, and pushing the computer and a plasma TV back out the window of entrance, all within 50 seconds. Our cameras recorded the type of vehicle they were driving. The alarm system was activated and the police were notified. A full police report was filed.

What data was stored on the stolen computer server?
The server that was stolen contained our patient data base information. The patient records contain names, addresses, phone numbers, and in some cases social security numbers. E-mail addresses birthdates, family members, medical insurances as well as medical and ocular health information was included. No Optomap retinal images were stored on the system. No credit card information was stored on the system.

Was the information secured?
Yes. There were 3 levels of security in place: physical, technical and administrative. Physical security consisted of locked doors, an alarm system to the police office, and surveillance cameras. For technical security, the data was password protected on two levels: a detailed password to access the server and a second password to access the patient data base. Administrative security was in place allowing no public access to the server.

Is all of my patient data lost?
No. Our patient data base is backed up nightly and an encrypted copy is stored off-site. We were able to restore our data and retrieve our patient records.

Note that the off-site backup copy of the data is encrypted but the on-site version was not.


Posted at 06:16 PM in Breaches | | Comments (0) | TrackBack (0)

Heartland settles with MasterCard for $41 million

DarkReading is reporting:

In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach.

The article does not state whether this is included in the $139 million they said they set aside in a recent SEC filing. Given that the filing was recent, I would think, yes. As i posted earlier this month, $139 million is a far cry from the initial expected costs of $12 million.

Posted at 04:05 PM in Breaches, Legal | | Comments (0) | TrackBack (0)

Technorati Tags:

Wednesday, 12 May 2010

Heartland breach expenses reach $139 million - so far

Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million.

This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa.

The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in the U.S. rose to $6.75 million. The "per record' cost is averaging $204.

First, while not to invalidate, or even question, the results of this study, I would like to point out that it was sponsored by PGP Corporation (being acquired by Symantec). 

Second, I am not a big fan of averages. See the Flaw of Averages by Sam Savage of Stanford. The point being that you cannot use the average when calculating your risk of the cost of a breach. And Heartland's costs make the point.

Posted at 08:55 AM in Breaches, Legal | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 10 May 2010

Facebook board member's account hacked - used for phishing attack

From PEHub:

Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”

While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to block this activity.”

Breyer, a partner at Accel Partners, didn’t respond to questions relating to the message.

At this point there has been no detailed explanation from Facebook explaining how this happened and what steps they are taking to reduce the likelihood of it happening again. Compare Facebook's approach to this breach to Apache's approach to their recent breach which I wrote about here.

Given Facebook's approach to privacy, I doubt anyone is surprised.



Posted at 08:18 AM in Breaches, Phishing, Privacy | | Comments (0) | TrackBack (0)

Wednesday, 28 April 2010

Blippy's security/privacy strategy - do they deserve to survive?

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting:You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user.s browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

Posted at 08:58 PM in Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management | | Comments (0) | TrackBack (0)

Monday, 26 April 2010

47 health care provider breaches between 9/22/09 and 2/15/10

Health Data Management Magazine's May issue notes that the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breach of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010.

The criteria for posting is at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today there were seven more breaches posted.

Unfortunately the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the latest one on the list (as of 4/26/10): 

Tomah Memorial Hospital
State: Wisconsin
Approx. # of Individuals Affected: 600
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Other

While creating this "wall of shame" has some value, posting more details would surely be more valuable to all health care provider security practitioners.

Posted at 06:26 PM in Breaches, Health Care, HIPAA | | Comments (0) | TrackBack (0)

Technorati Tags:

Sunday, 25 April 2010

Aurora - Why was Gmail China's Target?

Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service.I wrote about Aurora here and here. However, the question remains - why Gmail and not Yahoo or Microsoft's free email service?

Perhaps it's because only Gmail offers SSL encryption which prevents sniffing on the wire to read emails. Because the other free email services don't offer SSL, you can simply sniff the wire to read the emails on those services.

End users who have some level of security consciousness gravitate to Gmail. And if you want to read messages on Gmail, you have no choice but to hack the service itself as you are not going to crack SSL.

Posted at 09:08 PM in Breaches, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 17 April 2010

Apache infrastructure breach analysis is a model of forthrightness and a learning experience

Last week, the Apache infrastructure team disclosed a breach to their issue tracking software where an XSS exploit led to root access which led to compromised passwords. What makes it interesting is the level of detail they provided about the breach, which security policies worked, which did not work, and what they are changing to reduce the risk of another such breach. No attempt at security by obscurity here. McAfee Labs did a nice blog post on it.

Do you think the use of Apache is going to go up or down? IMHO, the breach will have no effect or might actually increase Apache usage. The reality is that all organizations have breaches regularly. Sharing detailed information like this helps us improve our security.

BTW, if your organization is not experiencing breaches, it's due to lack of visibility.

Posted at 06:24 PM in Breaches | | Comments (0) | TrackBack (0)

Technorati Tags:

Friday, 26 March 2010

HSBC database breach highlights need for better database security

Dark Reading is reporting more details are emerging about the HSBC database breach where it now appears that data on 25% of HSBC's private clients' accounts were stolen by a "privileged" user.

Click on the Database Activity Monitoring Category on the right for my other posts about the need for Database Activity Monitoring.

Posted at 08:53 AM in Breaches, Database Activity Monitoring | | Comments (0) | TrackBack (0)

Technorati Tags:

TJX hacker sentenced to 20-year prison term

The IDG News Service is reporting:

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.

The retailers who suffered breaches were TJX, Office Max, DSW, and Dave & Buster's. Gonzalez was also involved in the well known breaches at Heartland Payment Systems, Hannaford Supermarkets and 7-Eleven chains.

I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:

  • The percentage of cyber criminals who are caught is very low.
  • Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.
Read more of the details here.

Posted at 08:40 AM in Breaches, Legal | | Comments (0) | TrackBack (0)

Technorati Tags:

Next »

About

Subscribe to this blog's feed

Recent Posts

My Favorite Books on Risk and IT Security