Today's top story:
WHAT'S THE DEFINITION OF A NON-SECURITY BREACH?
We all know what a security incident is, but what is a non-security incident? According to the American Red Cross, it is defined as a theft of 3 laptops, one of which contained personal, intimate and medical records on thousands of blood donors.
A laptop containing (allegedly somehow encrypted) personal information belonging to thousands of blood donors (including Social Security numbers and medical information) was stolen from the American Red Cross in Dallas, Texas. When prompted to comment on the incident, Darren Irby, spokesman for the national American Red Cross, said the following:
"We haven't viewed this as a security breach at this point"
This sentence has been reverberating in my brain all weekend as I have been struggling to put my finger on its exact implication. Let's see:
- The private information included matching names and birth dates of donors from Texas and Oklahoma, as well as donors' sexual and disease histories.
- The laptop was one of three stolen from a locked closet back in May, but the two others did not contain the personal information. There was no sign of forced entry, said Red Cross spokeswoman Audrey Lundy.
- The um.. incident coincided with another that also occurred in May where an employee used donor information to steal identities and attempt to use fraudulent credit information.
Did the story make the news? Barely. Is the American Red Cross above the law? Apparently.
Another office of the Red Cross also "lost" a laptop with encrypted donor information in June 2005, but the organization declined to provide details on that incident or any follow-up investigation. The issue continued to puzzle me until I came across Bruce Schneier's article on the topic. He wrote: "If a company loses a backup tape containing millions of individuals' personal information, it doesn't have to disclose if it believes there is no 'significant risk of identity theft.' If it leaves a database exposed, and has absolutely no audit logs of who accessed that database, it could claim it has no 'reasonable basis' to conclude there is a significant risk." So much for full disclosure.
In this "incident", the laptops were reportedly gone for a week before being reported. Donors were not notified about the missing information, and the Red Cross has no legal obligation to do so. In my view, because it is a healthcare organization, the Red Cross should at least be compliant with the Health Insurance Portability and Accountability Act (HIPAA), but evidence to that effect is nearly impossible to find.
What is clear is that the Red Cross has a history of serious security and privacy breaches that have gone unnoticed by the media and regulatory authorities. What's more, the HIPAA statute exempts medical professionals from requiring patient consent prior to surrendering their private medical details to the American Red Cross, meaning that all this information faces an uncertain future in the hands of the professionals who should be safeguarding it... and there's nothing that's being done about it.
Intrigued? Concerned? Think about where your private information goes next time you fill out a form or agree to sharing it. Always be sure to casually ask the healthcare provider about their privacy practices before agreeing to any data exchange.
Over the coming months, I will make a point of bringing you only the most relevant news about security topics that impact all of us. I'm not looking to crucify anyone, but criminally dishonest practices have to be exposed, in particular when they so blatantly abuse our trust, our intelligence and our security.
Read on, but please, don't let me stop you from passing this on to your colleagues.
Important Security News
AT&T changes its stance on customer privacy by eliminating it
The telecommunications behemoth has modestly announced changes to its privacy policy that it says are simply a clearer way to state what was implied before. Namely, that customer account data, usage statistics, content and traffic all belong to AT&T. You can take a minute if you need it.
The statement was met with outrage from concerned parties, including other telecommunications firms that accuse AT&T of accepting government payouts to surrender customer details. The company is quick to point out that it only does this when it supports its "legitimate business interests" (read: making money) and, of course, to support the administration's fight against terrorism.
In a ComputerWorld article (Sticking with AT&T? You're a Fool!, dated June 27) Ira Winkler correctly points out that because of these blatant and insulting privacy violations, we should avoid doing business with anyone who is still connected to AT&T. After all, "claiming complete ownership of your data. That is a huge leap from cooperation with government for perceived national security purposes."
Let me remind you that this comes at a time when AT&T and other devious firms are seeking ways to defuse lawsuits claiming that they aided a U.S. government domestic spying program by giving the National Security Agency call records of millions of customers without their permission. The Bush administration and AT&T are actively trying the most creative solutions they can find to have the lawsuits dismissed before they even get to court (read AT&T forwards all Internet traffic to the NSA).
How does this affect you if you're not one of AT&T's 7 million customers? Consider this: AT&T delivers voice, Internet and video data to 240 countries around the world by linking 400 carriers through its 410,000 miles of high speed fiber backbone. Is your traffic likely to be scrutinized as part of the 4.6 petabytes (millions of gigabytes) of data the company handles each day? You bet! Wanna do something about it? Support the Electronic Frontier Foundation in fighting this crime.
Veterans threatening war to protect their personal information
A stolen laptop containing personal information on 26.5 million military veterans and their spouses has been recovered, and authorities believe the data on the computer was not accessed. The laptop, which belonged to the Department of Veterans Affairs, was stolen on May 3 from the home of a VA employee. The agency was harshly criticized for waiting until May 22 to disclose the theft, and some veterans sued the government for $1,000 per person affected, a total of $26.5 billion. Following the announcement of a $50,000 reward, an individual contacted law enforcement officials and led them to the laptop. In what's become an insulting and misleading tradition à la Equifax, the VA Department offered 1 year of free credit monitoring for anyone who can prove they were affected, with some strings attached.
It seems veterans just can't get any peace: as a result of the above investigation, the Department came clean on June 30th about two more security breaches involving thousands of veterans' data records, the most recent of which happened this May and took almost a month to get reported to the authorities. The net result of these two breaches - one stolen backup tape and one laptop - was that 3% of those affected found that their stolen identity had been used.
In an unrelated matter, the US Navy announced that five spreadsheets with sensitive information on about 28,000 Navy personnel and their families were mistakenly posted on a public Web site. The spreadsheets included names, Social Security numbers, and birth dates. All the right ingredients for a potent ID theft cous-cous.
Identity theft guardians lose identity data ... and credibility
Not to be outdone, the Federal Trade Commission, in charge, among other things, of protecting individuals against identity theft (see previous PULSE for a relevant article), has had a laptop stolen from a locked vehicle. The device contained personal data belonging to 110 individuals and had been collected as part of everyday activities. Was the data protected in any way? We don't know, but the FTC's Inspector General has promised to inspect the matter. The conclusion? Those 110 lucky people have been made an offer they could hardly refuse: one free year of credit monitoring. That's right, free!! Well, not quite.
How does this affect you?
Unless you're one of the 110 people who happened to be dealing with the FTC at that particular moment, it doesn't. But it serves as a reminder to treat the risk of identity theft as the serious crime that it is. You may want to forward this brief but good article on financial fraud to someone you care about.
Famous Last Words
Atop the pile of boneheaded quotes from the past month, we find the words of John Thompson, Symantec CEO and no doubt an ardent believer in the invincibility of his company's software. When asked about his reaction to Microsoft Vista's large array of new security features that will compete directly with Symantec's products while ostensibly being available right out of the box as part of Windows, he indicated that he wasn't worried about Microsoft at all, adding: "we know more about security than [Microsoft] ever will". Unquote.
I have no doubt that he's correct, in particular since Symantec has been forced to admit to at least one serious security vulnerability every year in recent memory, culminating with the May 24 announcement that a number of its products contain a buffer overflow bug capable of executing remote controlled code on the victim's machine. John's quote - indexed 163 times by Google at the time of this writing - preceded this embarrassing announcement by about 2 weeks.
Not Available: Health Data Privacy & Security at the National Health System
According to a new study just released in the UK, the National Health System's mobile security practices miserably fail to protect the privacy of customer data and the security of the organization's information. Among the findings: 50% of mobile employees use their own equipment to do their work, employing devices with no security at all (20%), while only 25% used more than a simple password.
Most of the healthcare workers used mobile devices for carrying data such as work contacts, corporate data and even medical records and patient records. Combine that with the whopping 76% who use USB sticks to store information and you have up to two of two things: a disaster waiting to happen and/or a massive breach that continues to go undetected.
Dead Kids Online
In its unrelenting quest for growth, the Web's second most valuable property has gained a reputation for being an unsafe environment for kids and just about anyone impressionable enough to fall prey to online criminals. MySpace.com's documented tales of deceit, rape and murder have accumulated fast over the past year, as the site's membership exploded to 87 million. Many of the stories are chronicled on this site: The Dead Kids of MySpace.com.
In conclusion
If you are a regular reader of the PULSE, you have no doubt felt the void in the past 3 months, which saw no published issues. I hope to make it up to you in the coming months with some great new content and a clearer focus on emerging topics of interest to you, my reader.
As for this issue, you may have noticed a slight turn in that direction, encouraging everyone to adopt a less cavalier attitude about security issues (and providing the relevant embedded links to make points that would make this issue much longer than it already is). While I believe the "sky is falling" is a blatantly misleading way of educating people about security, the task cannot be trivialized: the impact of security & privacy needs to be seriously articulated. While researching this issue I found that over 20 high level breaches have recently occurred at well known institutions (ING, AIG, a handful of universities, government departments and important companies that should know better).
In almost all cases, the problem was not a lack of security, but a mis-allocation of resources. This is something to consider in your own organization. Setting aside a disproportionate budget to mitigate the risk of some high-tech breach often means that the opportunity for a simpler crime is readily available to someone with a USB stick or even a simple email account.
To conclude with some 3rd party wisdom, I refer you to last week's published survey by Deloitte on security, culminating in the following summary: over 50% of companies detected security breaches in the past year and as a whole, the practice of information security is pretty sad indeed. The culprits:
- Inadequate resources and funding.
- Ineffective actions that do not address the latest threats.
- A lack of awareness and support on the part of management.
- Insufficient attention to internal risks.
- A failure to plan for serious attacks and business disruption.
I agree with Deloitte's bottom line: all these points amount to a lack of educated and experienced leadership which in turn points to a clear and far-reaching deficiency: a distinct lack of empowered, dedicated security management. Once companies get it, the picture will improve and not a minute sooner.
Virtually,
Claudiu Popa
Editor
P.S. And now for something not quite entirely different: Sound best practices from the man in charge of network security at the world's second biggest sporting event: the FIFA World Cup.
P.P.S. One last note for those of you who always ask about anti-spyware programs. Now there's a site that will tell you which suspicious programs you need to avoid. Check it out!
About your humble scribe:
Claudiu Popa is a certified security professional (CISSP, PMP, CISA) and president of Informatica Corporation, a Toronto-based consulting company with a strong focus on education. Over the past decade, Claudiu has focused on helping companies improve their information security. Today, he brings effective security to corporate boardrooms, helping organizations manage security, awareness and compliance programs. Claudiu can be contacted by simply replying to this message (and he promises not to respond in the third person). He welcomes your suggestions and comments regarding this publication.
About the Company:
At a governance level, Informatica Corporation is a Canadian security firm with unmatched expertise in regulatory compliance, information risk management and corporate education. At a lower, more technical level, a diverse, high profile clientele trusts Informatica to secure Web sites, applications and workplaces. At every layer, Informatica protects information security and data confidentiality.
Visit us at http://www.informationsecuritycanada.com/