Wednesday, May 21, 2008

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:

"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."

The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has laying around in their bedroom but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.

But the really strange comment is that "the data is password-protected". If the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described when they don't use encryption. I don't understand how one would 'password protect' a tape.

So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.
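To make the distinction the post draws concrete, here is an added example (not code from the NHS trust, the BBC report or this blog) of what "encrypted with a trustworthy algorithm and a strong key" means for a backup image, as opposed to a password check in the reading software that leaves the records on the tape in clear. The program derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256 and seals the data with AES-GCM. The function names, the salt/nonce/ciphertext layout, the 100,000-iteration setting and the sample record are assumptions for the example, and the inline PBKDF2 exists only to keep it dependency-free; golang.org/x/crypto/pbkdf2 or argon2 is what one would use in practice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32     // AES-256
	iterations = 100000 // assumption for the example; tune to the hardware
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018), kept inline so the
// example is self-contained. Use golang.org/x/crypto/pbkdf2 or argon2 in practice.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var ctr [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Write(ctr[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:] // T_i accumulates U_1 xor U_2 xor ... xor U_c
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:dkLen]
}

// newGCM turns a passphrase and salt into an AES-256-GCM AEAD.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns salt || nonce || AES-GCM ciphertext+tag (layout is an assumption).
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong passphrase or any tampering yields an error,
// never silently wrong plaintext, because GCM authenticates the ciphertext.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[saltLen:saltLen+ns], blob[saltLen+ns:]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("constructed sample: patient 0001, DOB 1970-01-01, diagnosis code X")
	blob, err := Encrypt("long random passphrase held off the tape", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on media:", bytes.Contains(blob, []byte("patient")))
	_, err = Decrypt("guess", blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

Without the passphrase-derived key, the sealed bytes tell a finder nothing, however much "specialist equipment" they own; the reading software's password prompt, by contrast, protects nothing once the tape is read with a different tool.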


Wednesday, August 01, 2007

IT professional accused of hacking former employer

An IT professional has been accused of hacking into a former employer's server to steal 4,000 confidential documents:
"A press note issued by S. Balu, Deputy Superintendent of Police, Cyber Crime Cell, said police had arrested M.S. Ramasamy, a 37-year-old software engineer from Avadi, on charges of hacking and stealing confidential and proprietary information from the server of Caterpillar, a US-based construction and mining company ... When contacted, Mr. Balu said the accused had gained access to the company’s server headquartered at Peoria in Illinois, US, using another employee’s user ID and password and downloaded over 4,000 confidential documents. A closed circuit camera had visuals of him accessing the server at the time when the files were downloaded. "


Saturday, June 09, 2007

Privacy and insider threats collide in databases

A Ponemon Institute survey into database security found that:
"- Trusted insiders remain a significant, and largely unmonitored risk
- A majority of organizations do not have the technology or processes required to effectively manage against insider threat
- Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property
- The vast majority of data exposed in the past two years has been confidential customer and employee information.
The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. Despite this concern, fifty-seven percent of those surveyed do not believe that their organizations have taken adequate measures to protect against malicious insiders and fifty-five percent do not believe that they have taken adequate measures to protect against “data loss.”
The survey also found that despite being aware of these threats, inadequate protection of corporate databases is the norm rather than the exception. Forty percent of those surveyed do not have the mechanisms in place, or are unaware of whether databases are monitored for suspicious activity. This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources. Eighty-eight percent of those surveyed manage greater than one hundred databases and a majority of respondents manage in excess of 500 databases."

Although the survey was sponsored by a company with a vested interest in database security, the survey sample was large enough for the results to be statistically significant. The Ponemon Institute is a respected survey institution, for instance including notes in the report about possible biases in the respondents and responses. To a non-scientist, it may seem perverse that pointing out possible weaknesses in the method actually makes it stronger, but better that than to ignore or gloss over them.

As to what needs to be done about database security, the survey commentary merely suggests a few hints e.g.:
"Among core security and IT professionals, operational efficiencies and system optimization are consistently higher priorities than efforts related to Sarbanes-Oxley, PCI, NIST 800-53 or other similar compliance initiatives ... our results show that intellectual property and business confidential information in databases is not generally protected. Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee information a high priority."

... so priorities need to be adjusted (but how?).

Perhaps Lloyds TSB has (part of) the answer?


Tuesday, June 05, 2007

An everyday privacy incident (averted)

Today I was fortunate enough (lucky me! How exciting!) to be invited to participate in an online Technology Management survey, "an opportunity for IT Executives to share their opinions on the evolving role and influence of the CIO in today's corporate enterprise" being conducted by CIO Magazine, apparently. I say apparently because the survey URL in the email took me first to a page on the CXOmedia.com website (which is presumably CIO Mag's publisher) and then auto-redirected me here. That final destination is a third party, and looks like a typical market survey site. Unfortunately, that page also looks a lot like a typical phisher site, complete with CIO logo (but not other elements of the CIO mag website's standard design) and typo i.e. "The drawing is open to legal U.S. and Canadian (expect Puerto Rico and Quebec) residents".

But it's OK because, according to the email, "Your responses are completely confidential and will be used only in combination with other survey responses." So, let's find out what CIO Mag means by 'completely confidential'. One of the links on the survey page points me at CIO's privacy policy, which makes fascinating reading for those who take the trouble, starting with the unfinished sentence at the end of section 1 part 4:
"For more information about our ad-serving company or for your choices about not having this anonymous information used, please visit" [sic]

And wait, it gets worse. I quote for a bit further down section 1:
"Postal addresses, and other personally identifying information and data will be used to promote CIO and other IDG companies ‘ products and services, and may be rented and/or licensed to selected outside firms for promotional purposes. Offers for which the personally identifying information and data are rented and/or licensed for use and the users are required to target their offers carefully.

Telephone numbers of CIO print subscribers are used by CIO to collect re-qualification data and may be used by CIO, IDG and other IDG companies, affiliates and it's advertisers for promotional purposes. CIO may rent and/or license for use phone numbers to selected outside firms for promotional purposes. Offers for which the numbers are rented and/or licensed for use are required to target their offers carefully."

So, by participating in this "survey", I am opening myself up to 'carefully targeted offers' (read spam and junk mail) from third parties. Yippee. Just what I need.

Of course, I need not actually enter the survey to participate in the prize draw. According to the full rules, I can simply ...
"legibly print your name, street address, city, state, zip code, telephone number, complete e-mail address, and your full entry code URL on a 8.5” x 11” piece of paper, and fax to Claudette Sears at IDG Research Services Group, fax # 508-370-0020. Please reference “Sweepstakes Drawing – CIO Technology Management Survey” in your fax."

You know, it hardly seems worth it for the infinitesimal chance of winning a pair of headphones, not least because as an NZ resident I am not even eligible to win them. So much for their oh-so 'carefully targeted' email!


Wednesday, May 02, 2007

Life in the fast lane

Two former Ferrari engineers have been convicted by an Italian court for stealing and passing confidential proprietary engineering data to their new employer, Toyota.

“This prosecution highlights the seriousness of the ‘insider threat’. Disgruntled employees still find it all too easy to take company secrets off the network and onto portable storage devices such as CDs and USB sticks,” said Matt Fisher, VP of Centennial Software. “You don’t have to work in Formula One for your secrets to be valuable to the competition. With corporate IP the fuel that keeps business running, all companies are vulnerable to damage from data leaks,” he added.


As we said in our latest newsletter on insider threats, there is no shortage of case study materials on this topic.

More insider threat links here


Friday, March 23, 2007

Pop it in the post

How does Torbay Council in sleepy Devonshire, England, send confidential information about council workers (names, addresses, salary, banking details - that sort of thing) to the auditors? Why, they simply cut a CD and pop it in an envelope ... and when the first one goes missing in the post, they do it again and that one also goes missing in action.

More links on keeping secrets


Friday, December 01, 2006

The oh-so-helpful Help Desk

"'Phone Phishing', a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to "take care" of callers and often they are more than willing to help." So says a piece in India's Economic Times. I must say that, in my experience, security aware customer service agents (those first two words are vital!) can be one of the information security manager's strongest allies in the battle against social engineers. Through security awareness/training/education, coupled with proper management support and sensible policies, guidelines and procedures, IT Help/Service Desk workers should not only be permitted to refuse to service dubious callers, they should be actively encouraged to be careful.
More social engineering resources


Tuesday, October 17, 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links


Thursday, September 21, 2006

Information Protection Made Easy

Information Protection Made Easy: A guide for employees and contractors is a new security awareness book by David Lineman. In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
More security awareness advice


Friday, August 25, 2006

Australian privacy breach

Around 100 staff have resigned, 19 have been sacked and around 350 have been disciplined as a result of a two-year investigation into their unauthorized use of database facilities at Centrelink, the Australian federal government's social security and welfare agency. Centrelink staff therefore have access to a wide range of personal information. Five cases were serious enough to be referred to the federal police. It is reported that spyware was used to track staff use of the systems. A Centrelink general manager said "It was done for a whole range of reasons - from just sticky-beaking, through to at the more serious end of records actually being changed ... What this shows is that we have zero tolerance for any people who have surfed the details of the family and friends or peeked at records of their neighbours in our system." This statement fails to acknowledge the potential for abusing such wide-ranging access to personal data in order to commit identity theft.
More identity theft resources
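The Ponemon survey above notes how few organizations monitor their databases for suspicious activity, and the Centrelink case shows what that monitoring is for: staff "surfing" the records of family, friends and neighbours, and at the serious end changing them. As an added example (not Centrelink's tooling, the Ponemon report's, or this blog's), the Go program below runs two simple detections over a constructed database audit log: a bulk-read rule that flags an account reading more than a threshold of records inside a time window, and a self-interest rule that flags access to a record whose surname or postcode matches the staff member's own directory entry. The log format, the staff directory, the account names and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is one parsed row of the constructed audit log below.
type AuditEvent struct {
	Time     time.Time
	User     string // database account that performed the action
	Action   string // READ or UPDATE in this sample
	RecordID string
	Surname  string // surname on the record that was accessed
	Postcode string // postcode on the record that was accessed
}

// StaffMember is what an HR or directory feed would tell us about the
// person behind an account (hypothetical layout).
type StaffMember struct {
	User     string
	Surname  string
	Postcode string
}

// Finding is one alert produced by Analyse.
type Finding struct {
	User   string
	Rule   string
	Detail string
}

// Constructed sample audit log (not real data). Field layout is an assumption:
// RFC 3339 time | user | action | record id | record surname | record postcode
const sampleAuditLog = `2006-08-25T09:00:05Z|asmith|READ|C1001|NGUYEN|2600
2006-08-25T09:00:20Z|asmith|READ|C1002|PATEL|2601
2006-08-25T09:00:41Z|asmith|READ|C1003|KHAN|2602
2006-08-25T09:01:03Z|asmith|READ|C1004|ROSSI|2603
2006-08-25T09:01:30Z|asmith|READ|C1005|BROWN|2604
2006-08-25T09:02:12Z|asmith|READ|C1006|LEE|2605
2006-08-25T10:15:00Z|jdoe|READ|C2001|WILSON|2000
2006-08-25T11:40:00Z|jdoe|READ|C2002|DOE|3000
2006-08-25T14:05:00Z|jdoe|UPDATE|C2003|GARCIA|2010
2006-08-25T15:20:00Z|bjones|READ|C3001|TAYLOR|4000
2006-08-25T16:45:00Z|bjones|READ|C3002|MARTIN|4001`

// Constructed staff directory keyed by database account.
var staffDirectory = map[string]StaffMember{
	"asmith": {User: "asmith", Surname: "SMITH", Postcode: "2700"},
	"jdoe":   {User: "jdoe", Surname: "DOE", Postcode: "2099"},
	"bjones": {User: "bjones", Surname: "JONES", Postcode: "5000"},
}

// ParseAuditLog turns the pipe-separated log into events, rejecting malformed rows.
func ParseAuditLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		events = append(events, AuditEvent{ts, f[1], f[2], f[3], strings.ToUpper(f[4]), f[5]})
	}
	return events, nil
}

// Analyse applies the bulk-read and self-interest rules and returns findings
// sorted by user then rule so the output is deterministic.
func Analyse(events []AuditEvent, staff map[string]StaffMember, bulkThreshold int, window time.Duration) []Finding {
	var findings []Finding
	readTimes := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Action == "READ" {
			readTimes[ev.User] = append(readTimes[ev.User], ev.Time)
		}
		// Self-interest: any access to a record sharing the staff member's own surname or postcode.
		if s, ok := staff[ev.User]; ok && (ev.Surname == s.Surname || ev.Postcode == s.Postcode) {
			findings = append(findings, Finding{ev.User, "self-interest",
				fmt.Sprintf("%s of %s (%s, %s) matches staff directory entry", ev.Action, ev.RecordID, ev.Surname, ev.Postcode)})
		}
	}
	// Bulk read: sliding window over each account's sorted read times; one finding per account.
	for user, times := range readTimes {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= bulkThreshold {
				findings = append(findings, Finding{user, "bulk-read",
					fmt.Sprintf("%d record reads within %s", end-start+1, window)})
				break
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].User != findings[j].User {
			return findings[i].User < findings[j].User
		}
		return findings[i].Rule < findings[j].Rule
	})
	return findings
}

func main() {
	events, err := ParseAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyse(events, staffDirectory, 5, 10*time.Minute) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.User, f.Detail)
	}
}
```

On the sample, asmith trips the bulk-read rule and jdoe trips the self-interest rule on the DOE record, while bjones's two reads raise nothing. Neither rule proves misuse on its own; what they give a security manager is the monitoring the Ponemon respondents admitted they lack, so that a conversation with the account holder happens before a two-year investigation is needed.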


Sunday, July 09, 2006

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administrative assistant in the marketing function with ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the authorities, who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the impending court action, there is limited information on the details of the case; for example, the news article does not state whether the accused had an exemplary record.
More links on keeping secrets


Saturday, July 08, 2006

Insider theft

Extrusion Prevention - the story of insider theft, a three-piece article from Israeli author, Danny Lieberman, is a useful summary of the threats, vulnerabilities and impacts of unauthorized information disclosure by insiders, along with the controls including legal measures.
More links on disclosure of confidential information


Saturday, April 22, 2006

Boeing worker data on stolen laptop

The Seattle Times reports yet another security breach involving the potential compromise of thousands of confidential personal details. "The laptop was grabbed from a Boeing human-resources employee at an airport," said company spokesman Tim Neale. "The laptop was password-protected and was turned off," he said. But the file containing the names, Social Security numbers and in some cases, addresses and phone numbers for 3,600 current and former employees was evidently not encrypted, despite a directive issued five months ago to remove or encrypt all sensitive information on laptops.
Whereas a few years ago it would have been infeasible for anyone to carry 3,600 personnel records without a large trolley for the filing cabinets, all modern laptops have sufficient hard disk space for the data and a whole lot more. They also have the CPU capacity to apply strong encryption. Boeing is certainly not alone in failing to apply suitable security measures to protect sensitive data on vulnerable hardware.
More confidentiality resources.


Wednesday, April 12, 2006

Safe browsing at Internet cafes

Microsoft's advice on Strong passwords: How to create and use them recommends "Do not type passwords on computers that you do not control. Computers such as those in Internet cafes, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet - your passwords and pass phrases are worth as much as the information that they protect."
Sound advice. You need to balance the convenience of web access whilst waiting for your coffee, plane or train, against the inconvenience of having your identity stolen and your bank accounts cleaned out.
More links on keeping secrets


Monday, April 10, 2006

54m Americans' privacy breached

A paper from the Privacy Rights Clearinghouse giving A Chronology of Data Breaches Since the ChoicePoint Incident identifies that the privacy of well over 54 million Americans has been compromised since February 2005. The list of more than 150 reported incidents (meaning an average of around three per week) is an eye opener for anyone that thinks this is not a risk.
More confidentiality and privacy resources


Tuesday, April 04, 2006

Confidential pizzas

If you've ever ordered a pizza online and wondered what happens to all the personal data on the pizza company's telephone ordering database, take a look at this Flash movie. Unfortunately, the scenario is all too believable.
More confidentiality links


Sunday, April 02, 2006

Keeping secrets

It's no secret that the latest NoticeBored awareness module covers confidentiality, privacy and related matters. NoticeBored customers receive posters, briefing papers, presentations, mind maps, awareness surveys, puzzles, checklists and newsletters on this important topic: the newsletter is also available separately as a PDF free of charge to anyone who cares about information security.
Sign up for the newsletter.


Monday, September 12, 2005

Microsoft antiphishing proposal raises privacy concerns

Microsoft is reportedly on the verge of releasing an optional utility to track the websites users visit and compare them against a blacklist of phisher sites. Maybe this would work if the blacklist is reliable (no false positives and few false negatives), but the downside is that (for some reason I can’t quite fathom) Microsoft plans to gather details of users’ surfing habits, raising privacy concerns.
More authentication resources


Tuesday, July 26, 2005

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to recent privacy breaches splattered across the press. "Privacy activists are up in arms over ChoicePoint and other high-profile security breaches at institutions such as Bank of America, DSW and CardSystems, where 40 million credit card accounts from Visa, MasterCard and other card issuers may have been compromised. Legislation to tackle growing worries over credit report information, data breach disclosures and spyware is in the political pipeline. Wary consumers are increasingly reluctant to share personal information with marketers." Well OK, maybe calling it an 'upside' is a bit cynical, but if the general public are more security aware, we're happy :-)
More anti-hacking resources


Wednesday, June 29, 2005

Stego led CIA to a false alarm

There's an interesting story on MSNBC.com about the CIA mistakenly concluding that Al Jazeera TV was broadcasting terrorist messages, using steganography to hide the content in the ticker-tape news banner. It seems the high state of alert, verging on paranoia, led the CIA analysts to see phantom messages, yet they were credible enough to cause US authorities to cancel flights and raise the terror alert level from 'yellow' to 'orange'. I suspect the same false alert could easily happen again due to the very nature of steganography, but hopefully not without corroborating evidence from other sources. At least the false alert was a fail-safe response.

More on confidentiality, crypto and steganography here


Monday, May 30, 2005

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present, but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, nor is the fact that it was distributed on a 'promotional CD'. The author, however, claims that it is legal and is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links


Thursday, May 05, 2005

More backup tapes missing

There seems to have been a rash of security incidents involving the loss of backup tapes lately. Computerworld is now reporting that Time Warner lost an entire shipment of data backups en route to its off-site storage. The Register outlined a handful of similar incidents, pointing out that identity thieves would love to get their hands on backup tapes containing credit card numbers and other personal details, especially as so few are encrypted.
More risk management, physical security, privacy and confidentiality links


Thursday, April 28, 2005

Benefits and risks of free email services

US-CERT Cyber Security Tip ST05-009 outlines the pros and cons of free web-based email accounts such as Yahoo, Hotmail and gmail. Three primary risks are identified: "security" (meaning confidentiality through SSL), privacy (confidentiality of personal and commercial information) and reliability (service availability).
More email security resources


Wednesday, April 27, 2005

Corporate espionage

This slightly xenophobic article nevertheless analyzes the threat of theft of proprietary information. "Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. 'Seventy-five to 85 percent of all theft per se is done by an insider,' said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association."
More confidentiality resources
