data breaches Archives - Page 8 of 12

Entries Tagged "data breaches"

Page 8 of 12

Foreign Hackers Stealing American Health Care Records

What in the world is going on here?

Foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans’ health care records, according to a Department of Homeland Security analyst.

Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, told a workshop audience at the National Institute of Standards and Technology that the hackers’ primary motive seems to be espionage.

Espionage? Um, how?

Walker said the hackers are seeking to exfiltrate health care data. “We don’t know why,” he added. “We want to know why.” At the same time, he said, it’s clear that “medical information can be used against us from a national security standpoint.”

How? It’s not at all clear to me.

Any health problems among the nation’s leaders would be of interest to potential enemies, he said.

This just has to be another joke.

EDITED TO ADD (3/13): More Posted on February 20, 2008 at 12:30 PM • View Comments

DHS in The Onion

Funny.

Posted on February 15, 2008 at 11:57 AM • View Comments

Swedish Army Loses Classified Information on Memory Stick

Oops:

The daily newspaper, Aftonbladet, turned the stick over to the Armed Forces on Thursday. The paper’s editorial office obtained the memory stick from an individual who discovered it in a public computer center in Stockholm.

An employee of the Armed Forces has reported that the misplaced USB memory stick belongs to him. The employee contacted his superior on Friday and divulged that he had forgotten the memory stick in a public computer. A preliminary technical investigation confirms that the stick belongs to the employee.

The stick contained both unclassified and classified information such as information regarding IED and mine threats in Afghanistan.

I wrote about this sort of thing two years ago:

The point is that it’s now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I’d never know it.

Also this. Although why the Swedish Army doesn’t encrypt its portable storage devices is beyond me.

Posted on January 9, 2008 at 1:46 PM • View Comments

Security of Adult Websites Compromised

This article claims the software that runs the back end of either 35% or 80%-95% (depending on which part of the article you read) has been compromised, and that the adult industry is hushing this up. Like many of these sorts of stories, there’s no evidence that the bad guys have the personal information database. The vulnerability only means that they could have it.

Does anyone know about this?

Slashdot thread.

Posted on December 28, 2007 at 7:54 AM • View Comments

"The Top 10 Data Breaches of 2007"

According to CSO Magazine.

Posted on December 18, 2007 at 12:30 PM • View Comments

Security-Breach Notification Laws

Interesting study on the effects of security-breach notification laws in the U.S.:

This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from seven in-depth discussions with information security officers. These interviews focused on the most important factors driving security investment at their organizations and how security breach notification laws fit into that list. Often missing from the debate is that, regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information.

The interviews showed that security breaches drive information exchange among security professionals, causing them to engage in discussions about information security issues that may arise at their and others’ organizations. For example, we found that some CSOs summarize news reports from breaches at other organizations and circulate them to staff with “lessons learned” from each incident. In some cases, organizations have a “that could have been us” moment, and patch systems with similar vulnerabilities to the entity that had a breach.

Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization hat resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization’s own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.

Posted on December 12, 2007 at 1:53 PM • View Comments

How to Secure Your Computer, Disks, and Portable Drives

Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.

Cryptography is an exception. As long as you don’t write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Unfortunately, cryptography can’t solve most computer-security problems. The one problem cryptography can solve is the security of data when it’s not in use. Encrypting files, archives—even entire disks—is easy.

All of this makes it even more amazing that Her Majesty’s Revenue & Customs in the United Kingdom lost two disks with personal data on 25 million British citizens, including dates of birth, addresses, bank-account information and national insurance numbers. On the one hand, this is no bigger a deal than any of the thousands of other exposures of personal data we’ve read about in recent years—the U.S. Veteran’s Administration loss of personal data of 26 million American veterans is an obvious similar event. But this has turned into Britain’s privacy Chernobyl.

Perhaps encryption isn’t so easy after all, and some people could use a little primer. This is how I protect my laptop.

There are several whole-disk encryption products on the market. I use PGP Disk’s Whole Disk Encryption tool for two reasons. It’s easy, and I trust both the company and the developers to write it securely. (Disclosure: I’m also on PGP Corp.’s Technical Advisory Board.)

Setup only takes a few minutes. After that, the program runs in the background. Everything works like before, and the performance degradation is negligible. Just make sure you choose a secure password—PGP’s encouragement of passphrases makes this much easier—and you’re secure against leaving your laptop in the airport or having it stolen out of your hotel room.

The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.

PGP Disk can also encrypt external disks, which means you can also secure that USB memory device you’ve been using to transfer data from computer to computer. When I travel, I use a portable USB drive for backup. Those devices are getting physically smaller—but larger in capacity—every year, and by encrypting I don’t have to worry about losing them.

I recommend one more complication. Whole-disk encryption means that anyone at your computer has access to everything: someone at your unattended computer, a Trojan that infected your computer and so on. To deal with these and similar threats I recommend a two-tier encryption strategy. Encrypt anything you don’t need access to regularly—archived documents, old e-mail, whatever—separately, with a different password. I like to use PGP Disk’s encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program’s virtual-encrypted-disk feature to create a separately encrypted volume. Both options are easy to set up and use.

There are still two scenarios you aren’t secure against, though. You’re not secure against someone snatching your laptop out of your hands as you’re typing away at the local coffee shop. And you’re not secure against the authorities telling you to decrypt your data for them.

The latter threat is becoming more real. I have long been worried that someday, at a border crossing, a customs official will open my laptop and ask me to type in my password. Of course I could refuse, but the consequences might be severe—and permanent. And some countries—the United Kingdom, Singapore, Malaysia—have passed laws giving police the authority to demand that you divulge your passwords and encryption keys.

To defend against both of these threats, minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.

Failing that, you can try to convince the authorities that you don’t have the encryption key. This works better if it’s a zipped archive than the whole disk. You can argue that you’re transporting the files for your boss, or that you forgot the key long ago. Make sure the time stamp on the files matches your claim, though.

There are other encryption programs out there. If you’re a Windows Vista user, you might consider BitLocker. This program, embedded in the operating system, also encrypts the computer’s entire drive. But it only works on the C: drive, so it won’t help with external disks or USB tokens. And it can’t be used to make encrypted zip files. But it’s easy to use, and it’s free.

This essay previously appeared on Wired.com.

EDITED TO ADD (12/14): Lots of people have pointed out that the free and open-source program TrueCrypt is a good alternative to PGP Disk. I haven’t used or reviewed the program at all.

Posted on December 4, 2007 at 6:40 AM • View Comments

UK's Privacy Chernobyl

I didn’t write about this story at first because we’ve seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that’s the end of it.

But the UK’s loss of 25 million child benefit records—including dates of birth, addresses, bank account information, and national insurance numbers—is turning into a privacy disaster, threatening to derail plans for a national ID card.

Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There’s already a larger debate on the issue of a database on kids that this feeds into. And it’s a demonstration of government incompetence (think Hurricane Katrina).

In any case, this issue isn’t going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.

And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.

Posted on November 26, 2007 at 1:15 PM • View Comments

Unisys Blamed for DHS Data Breaches

This story has been percolating around for a few days. Basically, Unisys was hired by the U.S. Department of Homeland Security to manage and monitor the department’s network security. After data breaches were discovered, DHS blamed Unisys—and I figured that everyone would be in serious CYA mode and that we’d never know what really happened. But it seems that there was a cover-up at Unisys, and that’s a big deal:

As part of the contract, Unisys, based in Blue Bell, Pa., was to install network-intrusion detection devices on the unclassified computer systems for the TSA and DHS headquarters and monitor the networks. But according to evidence gathered by the House Homeland Security Committee, Unisys’s failure to properly install and monitor the devices meant that DHS was not aware for at least three months of cyber-intrusions that began in June 2006. Through October of that year, Thompson said, 150 DHS computers—including one in the Office of Procurement Operations, which handles contract data—were compromised by hackers, who sent an unknown quantity of information to a Chinese-language Web site that appeared to host hacking tools.

The contractor also allegedly falsely certified that the network had been protected to cover up its lax oversight, according to the committee.

What interests me the most (as someone with a company that does network security management and monitoring) is that there might be some liability here:

“For the hundreds of millions of dollars that have been spent on building this system within Homeland, we should demand accountability by the contractor,” [Congressman] Thompson said in an interview. “If, in fact, fraud can be proven, those individuals guilty of it should be prosecuted.”

And, as an aside, we see how useless certifications can be:

She said that Unisys has provided DHS “with government-certified and accredited security programs and systems, which were in place throughout 2006 and remain so today.”

Posted on October 3, 2007 at 6:50 AM • View Comments

House of Lords on Computer Security

The Science and Technology Committee of the UK House of Lords has issued a report (pdf here) on “Personal Internet Security.” It’s 121 pages long. Richard Clayton, who helped the committee, has a good summary of the report on his blog. Among other things, the Lords recommend various consumer notification standards, a data-breach disclosure law, and a liability regime for software.

Another summary lists:

Increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals.
Establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.
Provide incentives to banks and other companies trading online to improve the data security by establishing a data security breach notification law.
Improve standards of new software and hardware by moving towards legal liability for damage resulting from security flaws.
Encourage Internet Service Providers to improve customer security offered by establishing a “kite mark” for internet services.

If that sounds like a lot of the things I’ve been saying for years, there’s a reason for that. Earlier this year, I testified before the committee (transcript here), where I recommended some of these things. (Sadly, I didn’t get to wear a powdered wig.)

This report is a long way from anything even closely resembling a law, but it’s a start. Clayton writes:

The Select Committee reports are the result of in-depth study of particular topics, by people who reached the top of their professions (who are therefore quick learners, even if they start by knowing little of the topic), and their careful reasoning and endorsement of convincing expert views, carries considerable weight. The Government is obliged to formally respond, and there will, at some point, be a few hours of debate on the report in the House of Lords.

If you’re interested, the entire body of evidence the committee considered is here (pdf version here). I don’t recommend reading it; it’s absolutely huge, and a lot of it is corporate drivel.

EDITED TO ADD (8/13): I have written about software liabilities before, here and here.

EDITED TO ADD (8/22): Good article here:

They agreed ‘wholeheartedly’ with security guru, and successful author, Bruce Schneier, that the activities of ‘legitimate researchers’ trying to ‘break things to learn to think like the bad guys’ should not be criminalized in forthcoming UK legislation, and they supported the pressing need for a data breach reporting law; in drafting such a law, the UK government could learn from lessons learnt in the US states that have such laws. Such a law should cover the banks, and other sectors, and not simply apply to “communication providers”—a proposal presently under consideration by the EU Commission, which the peers clearly believed would be ineffective in creating incentives to improve security across the board.

Posted on August 13, 2007 at 6:35 AM • View Comments

←Previous 1 … 6 7 8 9 10 … 12 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.