Wednesday, May 21, 2008

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:

"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."


The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom, but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.

But the really strange comment is that "the data is password-protected". If the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described when they don't use encryption. I don't understand how one would 'password protect' a tape.

So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.

Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.

Wednesday, November 21, 2007

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event.

Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.

The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.

Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.

Wednesday, January 03, 2007

The ¥40bn typo

Does it matter if I offer to sell 610,000 things at 1 Yen each instead of 1 thing at ¥610,000? Errr, yes it does, especially if I'm a broker trading shares live on a busy Tokyo Stock Exchange. The broker's typo cost Mizuho Securities, Japan's second largest bank, ¥40.7bn (approximately US$340m) in charges to buy back the shares. The broker tried four times but was unable to cancel the trade due to 'a problem' with the exchange systems. In a typically Japanese form of accountability, the president, IT head and managing director/executive officer of the stock exchange all resigned, the cock-up following hard on the heels of earlier 'technical problems' i.e. capacity constraints, availability failures and functional limitations of the exchange's dealing systems.

It seems curious to me that the apparent lack of data validation on the brokerage's own systems is not even mentioned in the news reports. Being at such a cheap price and more than 40x the actual number of shares in the company, the sell offer was so far out of whack with reality that the brokers' systems (both buyers' and sellers') should have flagged it as a probable typo, if not trapped the deal pending confirmation. It can't be easy to validate trades in such a high-pressure environment, where occasional deals are bound to be outlying data values, but surely it must be feasible to impose some pragmatic limits?
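The kind of pre-trade sanity check argued for above, as an added example (not code from the post, from Mizuho or from the exchange): each order is compared against reference data before it is routed, and an order that breaches the limits is held for confirmation with the reasons listed. The order format, the thresholds and the reference figures (scaled to the post's 1 share at ¥610,000 and "more than 40x the shares in issue") are assumptions; the symbol is hypothetical.

```python
"""Pre-trade sanity checks of the kind the post argues a brokerage's own systems
should apply before an order reaches the exchange. Added example, not code from
the post, Mizuho or the TSE; the order format, thresholds and reference data
are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str       # "SELL" or "BUY"
    quantity: int   # number of shares
    price: int      # yen per share


@dataclass(frozen=True)
class ReferenceData:
    last_price: int          # last traded price in yen
    shares_outstanding: int  # shares in issue for the company


# Constructed reference data for a hypothetical listing, scaled to the post's
# figures: the intended order was 1 share at ¥610,000 and the erroneous order
# was more than 40x the shares in issue.
REFERENCE = {
    "HYPOTHETICAL-CO": ReferenceData(last_price=610_000, shares_outstanding=14_500),
}

MAX_PRICE_DEVIATION = 0.50    # more than 50% from the last trade: probable typo
MAX_FRACTION_OF_ISSUE = 0.10  # one order may not exceed 10% of shares in issue


def _limit_breaches(order, ref):
    """Pragmatic limits: price near the last trade, quantity a sane fraction of issue."""
    breaches = []
    deviation = abs(order.price - ref.last_price) / ref.last_price
    if deviation > MAX_PRICE_DEVIATION:
        breaches.append(
            f"price {order.price} is {deviation:.0%} from last trade {ref.last_price}")
    max_qty = ref.shares_outstanding * MAX_FRACTION_OF_ISSUE
    if order.quantity > max_qty:
        breaches.append(
            f"quantity {order.quantity} exceeds {MAX_FRACTION_OF_ISSUE:.0%} "
            f"of {ref.shares_outstanding} shares in issue")
    return breaches


def validate_order(order, reference=REFERENCE):
    """Return the reasons an order should be held for trader confirmation.

    An empty list means the order passed every check and may be routed."""
    ref = reference.get(order.symbol)
    if ref is None:
        return ["no reference data for symbol; cannot validate"]
    if order.side not in ("BUY", "SELL"):
        return [f"unknown side {order.side!r}"]
    if order.quantity <= 0 or order.price <= 0:
        return ["quantity and price must be positive"]
    problems = _limit_breaches(order, ref)
    # The post's error is a price/quantity transposition: if swapping the two
    # fields produces an order that passes the limits, say so explicitly so the
    # trader sees the likely cause, not just the symptom.
    if problems:
        swapped = Order(order.symbol, order.side, order.price, order.quantity)
        if not _limit_breaches(swapped, ref):
            problems.append("price and quantity appear to be transposed")
    return problems


if __name__ == "__main__":
    intended = Order("HYPOTHETICAL-CO", "SELL", quantity=1, price=610_000)
    fat_finger = Order("HYPOTHETICAL-CO", "SELL", quantity=610_000, price=1)
    print("intended:", validate_order(intended) or "routed")
    for reason in validate_order(fat_finger):
        print("held:", reason)
```

The checks are deliberately coarse: a 50% price band and a 10% of issue cap will let genuine outliers through and will occasionally hold a legitimate block trade, which is the trade-off the post acknowledges. What matters is that the result is "held pending confirmation" rather than a hard reject, and that the reasons are recorded, so the trader can release a genuine outlier while the fat-finger case never leaves the firm.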

More links on integrity, incident management and accountability

Monday, December 25, 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his college grades. The jokers (who he evidently believed to be l33t hax0rs, except that he would have not the foggiest idea what those words mean) led him into believing they would do what he wanted, and in the course of the incident, got him to reveal his Social Security Number and other personal information to make their hacking job easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, even providing photographs of a [secret] squirrel at one point to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... and led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources

Saturday, December 23, 2006

When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links

Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio getting a $15k lower-than-expected bonus in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations

Thursday, November 16, 2006

Online banks vs users

A well-researched and well-written article about online banking user authentication discusses the range of authentication methods being used or trialled at a number of primarily US banks. Whereas the FFIEC regulations were anticipated to force US banks into using tokens for user authentication by the end of this year, banking customers are proving resistant to the technology and want an easier way to authenticate to the bank [the problem of the bank authenticating to the user merits a brief mention too]. User authentication is crucial to the issue of accountability: a customer cannot be held totally accountable for dubious transactions on his bank account if the bank cannot prove that the customer, rather than 'someone else' (normally a fraudster), logged in and submitted or authorized the transactions. The article discusses device as well as user authentication, in other words 'fingerprinting' the users' PCs to identify their normal machines. Not surprisingly, it barely touches on the back-end anti-fraud systems the banks are using to identify unusual customer activities that might be symptomatic of a fraud in progress: these details are proprietary to each bank (which limits the amount of information sharing between banks) and a closely guarded secret (to avoid tipping off the very fraudsters they are designed to trap).
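How device fingerprinting fits into a login decision, as an added example that is not code from the article or from any bank: the browser attributes are reduced to a keyed digest, a recognised device gets the lighter path customers want, and an unrecognised one steps up to a one-time code. The attribute set, the HMAC key, the factor names and the decision rule are all assumptions, and the sample attributes are constructed.

```python
"""Device recognition as a step-up trigger for online banking logins. Added
example, not code from the article the post discusses or from any bank; the
attribute set, the keyed hash and the decision rules are assumptions."""
import hashlib
import hmac

# Server-side key so the stored fingerprint is not simply a hash of attributes
# that any observer could recompute and correlate across sites. Constructed
# value for the demo; a real deployment would keep this in a key store.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"

# Attributes a bank's login page might collect from the browser. Constructed.
ALICE_HOME_PC = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.0) Firefox/2.0",
    "screen": "1280x1024",
    "timezone": "-0500",
    "languages": "en-US,en",
}


def device_id(attributes):
    """Keyed, order-independent digest of the collected attributes."""
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hmac.new(FINGERPRINT_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def enrol_device(known_devices, user, attributes):
    """Record a device as recognised for this user (after a successful strong login)."""
    known_devices.setdefault(user, set()).add(device_id(attributes))


def required_factors(known_devices, user, attributes):
    """Decide what the user must present for this login attempt.

    A recognised device earns the lighter path the article's customers want;
    anything else steps up to a one-time code. The fingerprint is only a
    signal for this decision, never a credential on its own: a copied set of
    attributes must still not get past the password."""
    if device_id(attributes) in known_devices.get(user, set()):
        return ("password",)
    return ("password", "one_time_code")


def build_known_devices():
    """Constructed starting state: Alice has one enrolled device."""
    known = {}
    enrol_device(known, "alice", ALICE_HOME_PC)
    return known


if __name__ == "__main__":
    known = build_known_devices()
    print("home PC:", required_factors(known, "alice", ALICE_HOME_PC))
    travelling = dict(ALICE_HOME_PC, timezone="+0000")
    print("new device:", required_factors(known, "alice", travelling))
    enrol_device(known, "alice", travelling)
    print("after enrolment:", required_factors(known, "alice", travelling))
```

Two design points matter here. First, the fingerprint only ever removes the second factor, never the first, because browser attributes are observable and copyable, so a match is evidence of a familiar machine rather than proof of the customer's identity. Second, enrolment happens only after a login that already passed the step-up, so a fraudster on a new machine cannot promote that machine to "recognised" by asking; the same logic is what the article's back-end systems would feed into, with the fingerprint as one of several signals.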

More accountability and authentication links

Wednesday, November 15, 2006

DoS attacks outlawed in the UK

Amongst other police reforms, the new Police and Justice Act 2006 makes Denial of Service attacks illegal under British law and clarifies other aspects of computer misuse. The Computer Misuse Act 1990 made it an offence to alter a computer without authority, covering most hacking attacks but not explicitly DoS attacks. Criminal hackers who commit, for example, DoS-based extortion ("Send us loads of money or we will continue disrupting your online betting service ...") can now be called to account under the new Act.

More links on laws, regulations and standards and accountability

Thursday, April 20, 2006

The value of security awareness

A new item at Silicon.com included the following quote: "'Companies must make strong and effective security practices part of their culture through awareness, education and accountability,' says Jan Babiak, head of the information security practice at Ernst & Young. 'This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or worse avoid them, placing the entire enterprise at great risk.'" We'd certainly support the need for senior management's proactive support, but there's rather more to the issue than that.

Take security policies, for example. Policies without a management mandate are practically worthless. Policies with a clear mandate are fine, but are not in themselves effective. Policies with a clear mandate plus a communications program to make sure people are aware of and understand their obligations towards the policies are an improvement ... but even that is not enough. People need to be led the extra mile to commit to the policies and, in time, adapt their behaviors to fall into line with the policies. Compliance activities can help but (yes, you guessed it) are not necessarily The Answer either - "comply or else" expletives from management can cause enormous damage to the changes necessary to achieve positive cultural shifts.

In a truly security-aware culture, people comply with security policies not so much because someone tells them to do so, but because they genuinely appreciate the need, just like an experienced driver instinctively uses mirror-signal-manoeuvre whereas a learner driver consciously mutters the reminder under their breath. Get the security habit through awareness, training and education - but make sure your management get in the habit too. Awareness really does start at the top.

White paper on the value of security awareness

Sunday, April 10, 2005

Whistleblower brokerage service

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies. Sarbanes-Oxley is yet another reason why organizations should take their responsibilities towards such whistleblowers very seriously indeed. Outsourcing this particular kind of service has a number of advantages. For instance, the call handling agency is independent of the organization and thus may be considered more trustworthy than insiders. Secondly, it builds a competence in assessing, prioritizing and dealing professionally with reported issues beyond the level achievable by an internal function. [We recently proposed the formation of an international not-for-profit organization to handle information security vulnerability reports in the same kind of way ...]

More IT governance resources here

Monday, March 28, 2005

NIST guide to HIPAA security

NIST Special Publication 800-66 is "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". 'Nuff said.

More privacy/data protection and confidentiality resources
