Saturday, June 23, 2007

Data compromise in Ohio reveals the need to be more proactive in protecting information

The practice of sending computer back-up tapes containing a lot of personal/financial information home with interns went on for 2-3 years at a government office in Ohio, according to an article in the Columbus Dispatch.

The Columbus Dispatch is reporting:

In fact, it appears that the former technical manager for the Ohio Administrative Knowledge System didn't use regular state employees -- only two or three interns besides himself -- to take the data home on a rotating basis for safekeeping, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services.

Apparently this was part of a security policy meant to safeguard the information from fire or some other disaster.

According to a state policy that officials said was last updated in April 2002, two backup copies were to be made each day of the data in the state's $158 million payroll and accounting system, known as OAKS. The current day's backup tape was to be maintained on site in the network administrator's office, and the previous day's backup tapes were to be taken to the network administrator's home in case of a fire or other disaster at the office.

My question is, can they account for all of these tapes, made daily?

At two tapes a day over two to three years, that is roughly 1,460 to 2,190 tapes (730 to 1,095 of each daily copy) at this one agency. If tapes were routinely taken home, it wouldn't be hard for someone to make an extra copy and never return it.

Of course, someone with the right knowledge and equipment wouldn't have a hard time copying a tape once it was away from the office, either.

In response, the State of Ohio has hired a security firm to look into the matter:
The panel also earmarked up to $100,000 for Interhack Corp. of Columbus to assess the security of the new state accounting setup and to verify that state officials have identified all important data that have been stolen.

Curtin, the founder of Interhack, said it would take time, expertise and money for someone to read the tape. Because the state has notified those whose personal data may be affected, it would be difficult for a thief to use the information, he argued.

"So at this point now, if somebody tries to use the data, they're going to be found out pretty quickly," he said.

According to this report, the data wasn't encrypted, so reading it is a matter of finding a compatible drive and software, not of breaking any protection. Had the data been encrypted with a strong cipher and the key kept somewhere other than on the tape, a thief would be holding a useless cartridge; the "expertise and money" argument only holds up if the encryption was weak or the key was stored alongside the tapes, and someone with the necessary knowledge and ambition would find either weakness.
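As an added illustration of that point (example code written for this post, not anything from the Ohio OAKS system or the Dispatch report), here is what "the tape is useless without the key" looks like in practice. It seals a constructed, fake payroll extract with AES-256-GCM before it would be written to tape, keeps the key separate, and shows that a wrong key or a single flipped byte is rejected outright rather than yielding garbage. The key store, the sample records and the function names are all assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample standing in for a backup tape's contents. Not real data.
var samplePayroll = []byte(
	"emp_id,name,ssn,annual_pay\n" +
		"1001,J. Doe,000-00-0001,48000\n" +
		"1002,R. Roe,000-00-0002,52500\n")

// newBackupKey generates a 256-bit key. In a real deployment this key would
// live in a key store or HSM at the agency, never on the tape it protects
// (assumption for the example: the caller handles that storage).
func newBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealBackup encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// This blob is what goes onto the tape; the plaintext never does.
func sealBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBackup reverses sealBackup. A wrong key, a truncated blob or a single
// modified byte makes the GCM tag check fail, so the caller gets an error,
// not partially readable data.
func openBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// tapeLeaksPlaintext reports whether the records appear verbatim in what is
// written to tape. An unencrypted tape, like the ones described above, fails it.
func tapeLeaksPlaintext(tape, plaintext []byte) bool {
	return bytes.Contains(tape, plaintext)
}

func main() {
	key, _ := newBackupKey()
	tape, _ := sealBackup(key, samplePayroll)
	fmt.Println("plaintext visible on sealed tape:", tapeLeaksPlaintext(tape, samplePayroll))
	if _, err := openBackup(key, tape); err == nil {
		fmt.Println("correct key: tape restored")
	}
	otherKey, _ := newBackupKey()
	if _, err := openBackup(otherKey, tape); err != nil {
		fmt.Println("wrong key: rejected,", err)
	}
	tape[len(tape)-1] ^= 0x01 // a thief or a bad head flips one byte
	if _, err := openBackup(key, tape); err != nil {
		fmt.Println("tampered tape: rejected,", err)
	}
}
```

The design choice that matters is the authenticated mode: with plain AES-CBC a wrong key or a damaged block still "decrypts" to something, and an operator may not notice a corrupted restore until it is too late. With GCM the failure is explicit. The remaining risk is entirely in the key: if it travels home in the same bag as the tape, the encryption buys nothing.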

Organized criminals who deal in stolen information have been reported to hire experts who have exactly this "knowledge and expertise."

Even scarier, Mr. Curtin also revealed that this probably wasn't the only agency sending information home:
Curtin said the practice of sending backup data home with employees is fairly common because of the cost involved in hiring a company to do it or using another facility.
Mr. Curtin is probably right that this particular information won't be used in the near future. Criminals would rather use information nobody knows has been breached; they make (steal) a lot more money that way.

I'd be more worried about information that has already been compromised just as easily, and that no one knows about yet.

We can all learn something from what happened in Ohio, and the key is to start being proactive about how we secure valuable information.

Reacting costs a lot of money and does little to solve the overall problem.

Revealing article by the Columbus Dispatch, here.

My original post on the Ohio Data breach, here.

Here is a post about people with the knowledge and expertise to access (hack) information being recruited by organized criminals who make a lot of money from stolen information:

IT Students Aren't the Only Human Resources that Internet Criminals Desire

Wednesday, June 20, 2007

FTC name impersonated to phish (steal information) from corporate executives

Spammers love to impersonate official agencies to hook (phish) their victims. Recently the attacks have become more targeted, addressing people by name and/or title. Here is a warning from the Federal Trade Commission (FTC):

Consumers, including corporate and banking executives, appear to be targets of a bogus e-mail supposedly sent by the Federal Trade Commission but actually sent by third parties hoping to install spyware on computers. The bogus e-mail poses as an acknowledgment of a complaint filed by the recipient, and includes an attachment. Consumers who open the attachment to this e-mail unleash malicious spyware onto their computer. The agency warns consumers who get this e-mail that purports to be from the FTC:

Don’t open the attachment.
Delete the e-mail.
Empty the deleted items folder.

The hoax e-mail is personalized, and contains the name of the recipient and their business. The bogus message explains how the complaint will be used, who will have access to it and states, “Attached you will find a copy of your complaint. Please print a hard copy of the complaint for your records in the upcoming investigation.” Opening the attachment downloads the malicious spyware.

The press release doesn’t specify exactly what the malicious spyware is.

Recently, the names of the IRS and the Better Business Bureau were used in the same way, and in that attack corporate executives were also specifically targeted. This kind of targeted attack is known as spear phishing.

Here is a post on the attack spoofing (impersonating) the IRS and BBB:

Spear phishermen target executives to steal company information

FTC release on this attack, here.

Sunday, June 17, 2007

How does a telemarketer get your unlisted number?

Ever get the idea that the credit bureaus enable a lot of the problems we now face with data breaches, identity theft and the ever-increasing loss of our personal privacy?

One of the main ways they make money is by selling your personal and financial information.

Read a good one on Pogo was Right (WE HAVE MET THE ENEMY AND HE IS US):

Terry Wyatt called his mortgage broker one morning about refinancing - and within hours began getting calls from other brokers and lenders he's never heard of.

... So how did brokers and lenders as far away as New York and Florida know - and know so fast - that Wyatt wants to refinance? Thank the credit bureaus.

When a lender or broker checks someone's credit report, it signals that person is in the market for a mortgage or to refinance. The credit bureaus turn around and sell that contact information to others in the mortgage business looking for leads.

Source - L. A. Times

PogowasRight is a good read for anyone interested in keeping up with privacy issues.

One way to reduce the number of times your information is sold is to "opt out."

Information on how to opt out from unsolicited credit offers from places you already do business with, here.

Information on how to opt out from places you don't do business with, here.

If you do not opt out with the places you already do business with by responding to their privacy notices (an interesting way to classify them), they can and will sell your information. Of note, some of these notices are hard to respond to, or even to understand.

Here is a post I wrote which explains this further:

Warning if you don't open (and respond) to snail mail from American Express, they will sell your personal information!

You can opt out from telemarketing calls (one of the end results of your information being sold), here.