Saturday, March 22, 2008

Barack, Hillary, John - Does anyone know where our (your) privacy has gone?

About a week ago, I wrote a post about Britney having her privacy "jacked" by a bunch of "naughty" hospital employees. This occurred at one of the most respected medical and higher-learning institutions in the world, the University of California, Los Angeles.

Ironically, it's now been revealed that another highly respected institution, the State Department, had some "naughty" employees "jack" the privacy of the three major presidential candidates, Barack, Hillary and John.

While a lot of us take Britney's exploits with a grain of salt, it's another example where too many people are being given access to too much sensitive information. Even if we take most of Britney's adventures in a not very serious light -- she is a human being and therefore worthy of a little respect and privacy in her personal affairs.

This should be especially true when someone is seeking medical attention of a sensitive nature.

The official spin in both instances is that these events were caused by naughty employees, who were snooping where they shouldn't have been. While it appears there was no sinister intent in all of this, it points to the fact that none of us can count on a little respect or privacy, anymore.

Maybe we have too many databases containing highly personal information that the wrong people have been given access to? You can spend millions on security, but no amount of it will prevent something from being compromised if the wrong person has been given access to it.

Of course, there is a financial motive for not wanting to fix the problem anytime in the near future. It's no secret that selling personal information is a multi-billion dollar business. Implementing technology is a multi-billion dollar venture, also. It shouldn't surprise us that there is a lobby (with a lot of money) that wants to keep things the way they are.

Because of this, it shouldn't surprise us that we see criminals exploiting the loopholes in protecting information, either. After all, they're making a lot of money off it, also.

If naughty employees with a penchant for snooping could obtain the personal information of three political candidates, it isn't a far stretch that someone with more sinister intentions could have accomplished the same thing. I wonder, who failed to notice that we are now granting "contract employees" access to information of this nature?

After all, this isn't the first time a contract employee, government or otherwise, has compromised sensitive information.

I guess private businesses aren't the only entities outsourcing jobs (and a lot of people's personal information) in the process. We seem to live in a world where, in order to save a little on the bottom line, we ignore basic principles (like need to know) when protecting information.

Perhaps, if we stopped storing sensitive information in too many places with little regard to who can look at it, we would stop being "shocked" when it's compromised?

All a reasonably intelligent person would have to do is look at the number of reported compromises involving sensitive information and then wonder how many more there are that no one knows about. I threw that in because most people who do something wrong normally don't disclose what they did to third parties.

After a compromise occurs, we all seem content that security enhancements will prevent the next one. Sadly, most of the enhancements introduced so far haven't put a dent in the problem and the saga goes on. In fact, it normally doesn't take very long before we hear about the latest security enhancement being defeated.

Maybe the problem needs to be taken to a more simple level? Perhaps if we weren't storing information in places -- where too many people have access to it -- we would see less of it being compromised?

We live in a world, where technology has made things easier and more productive. The problem is that "easy and productive" is taking a toll on what should be a basic human right, privacy.

The bottom line is that it has become too easy to compromise information, and technology makes both good and bad people more productive.

Saying all that, the three candidates are on record when it comes to privacy. In July of 2006, Hillary Clinton spoke to a lot of the same issues in a speech, where she said:

Privacy is at the crossroads of all these issues, and modern life makes many things easier… and many things easier to know. And yet, privacy is somehow caught in the crosshairs of these changes.

Our economy is increasingly data driven. We have dramatically ramped up surveillance in our efforts to fight terrorists who hide among innocent civilians.

But every day the news contains a story of how the records of millions of consumers, veterans, patients have been compromised.

At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date.

Likewise, Barack Obama has the following statement about this issue on his site:

Dramatic increases in computing power, decreases in storage costs and huge flows of information that characterize the digital age bring enormous benefits, but also create risk of abuse. We need sensible safeguards that protect privacy in this dynamic new world. As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy.

John McCain (as part of a bipartisan committee) has expressed frustration on the privacy issue, also. Here is what he was quoted as saying in a CNet story after an FTC report was released on the state of the state on privacy:

A bipartisan group of senators led by Sen. John McCain, R-Ariz., said it is determined to pass new laws restricting the ability of Web sites to collect and use information from a visitor without that person's consent.

For the last several years, Web sites have operated under a form of self-regulation, and industry groups have touted the ever-increasing number of sites posting privacy policies. However, members of the Senate Commerce Committee today decried those steps as inadequate and cited polls showing that the vast majority of consumers opposed industry self-regulation.

There is no doubt that by this point in the game, most of our politicians have made a statement on the privacy issue. Despite these statements, most of the legislation presented in Washington hasn't been passed yet.

In fact, if memory serves me correctly, the last time we tried to pass federal legislation, the end result would have been to water down more proactive laws already on the books at the State level.

I know everyone is busy with the campaign underway, so I'm going to include a reference to an article (with an interactive map) showing which State laws on this issue have already been enacted. Included on the map is an interactive flag over the District of Columbia showing which federal laws have not.

Well-put-together article by csoonline.com, here.

In case anyone reading this can't keep up with the record number of data breaches, Attrition.org has a chronology, here.

PogoWasRight is another place that helps me keep up with the record number of compromises, also.

Friday, March 21, 2008

OCCRP reports on Eastern European/Eurasian organized crime

(Photo courtesy of the OCCRP site)

Eastern European/Eurasian organized groups seem to have their hands in a wide variety of organized criminal activity. They are often mentioned when referring to anything from auction fraud to payment (credit/debit) card skimming and computer crimes.

eBay claims there are entire towns in Romania making a living via auction fraud on its well-known site.

A new site called the Organized Crime and Corruption Reporting Project has been launched by a group of journalists to cover this activity, which seems to have a global reach.

In their own words, here is their vision:

The Organized Crime and Corruption Reporting Project (OCCRP) is a joint program of the Center for Investigative Reporting in Sarajevo, Romanian Center for Investigative Journalism, Bulgarian Investigative Journalism Center, Media Focus, the Caucasus Media Investigation Center, Novaya Gazeta and a network of investigative journalists in Montenegro, Albania, Moldova, Ukraine, Macedonia and Georgia.

Our goal is to help the people of the region better understand how organized crime and corruption affect their lives. OCCRP seeks to provide in-depth investigative stories as well as the latest news pertaining to organized crime and corruption activities in Eastern Europe and Eurasia. In addition to the stories, OCCRP is building an online resource center of documents related to organized crime including court records, laws, reports, studies, company records, etc., that will be an invaluable resource center for the journalists and public alike.

The site has been given financial support by the Foundation Open Society Institute (FOSI) and the United Nations Democracy Fund.

Although many of the journalists aren't well known in Western Europe and North America, they have been recognized as putting out some award-winning work:

Recently, the program’s first project on energy traders was awarded the Global Network of Investigative Journalists “Global Shining Light Award” for quality investigative journalism under adverse conditions. The project was done in cooperation with SCOOP.

Journalists who have participated in projects published on this website have included Stanimir Vaglenov, Alison Knezevich, Boris Mrkela, Sorin Ozon, Eldina Pleho, Beth Kampschror, Stefan Candea, Roman Shleynov, Mirsad Brkić, Michael Mehen, Mubarek Asani, Paul Cristian Radu, Milorad Ivanović, Vitalie Calugareanu, Vlad Lavrov, Michael Mehen and Altin Raxhimi. The Editors are Rosemary Armao, Paul Radu and Drew Sullivan.

The site covers a wide variety of organized criminal activity (besides what I mentioned above) coming out of the area. Some of these activities include narcoterrorism, illegal arms sales, shell companies and even tobacco smuggling.

Interestingly enough, by reading through the site, I discovered that organized crime even has its hands in the energy business in the region.

This subject, and the underlying causes of it, aren't covered in depth when we read about this phenomenon in the West. Normally, we hear rumors pointing to mysterious Eastern European gangs associated with a sophisticated scam that has surfaced in our own back yard.

In scam circles, some of these people are referred to as "Vlads," which refers to Vlad Tepes, who was the inspiration for the Dracula story. Recently, a person who goes by the name of "Vladuz" has given eBay and the authorities considerable grief by hacking into their system.

Given that this activity reaches far beyond Eastern Europe and Eurasia, this has always amazed me. If you live in any major city in North America or Western Europe, Eastern European/Eurasian organized crime groups are probably operating not very far from where you live.

As the site matures, my guess is that it will provide evidence of ties between these groups and terrorist organizations, also. In fact, if you read what is on the site, some of the evidence I mention is already being written about.

The OCCRP is an excellent and well-written resource for the lay person and professional writer to learn more about a problem which has become international in nature. Furthermore, since it is written by journalists from the region, it is a great research tool for anyone interested in the subject.

OCCRP site, here.

Wednesday, March 19, 2008

Security vendor removes Hannaford as a client on their site after data breach is revealed!

I ran into an interesting development in the Hannaford data breach on geeksaresexy.net. Allegedly, their IT security vendor of choice (Rapid7) decided to disavow all knowledge of their relationship with Hannaford right after the breach was made public.

From the blog post on geeksaresexy.net:

Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn’t want to be associated with one of the largest data loss incidents in history, and they certainly didn’t want to sully the name of their flagship appliance, the “neXpose” which is a vulnerability scanning device.

This information is from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots here, where they are much less kind to Rapid7 in light of their cowardly actions.

Attrition.org is one of the trusted sources on data breaches, so I decided to see what they had found:

You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.

Attrition.org did an excellent job showing (complete with compelling screenshots) how Rapid7 removed all the information on the Internet showing they were Hannaford's cyber-guardians.

To see all the evidence, which is convincingly presented on Attrition.org, I've provided a link:

Abandon Ship! Data Loss Ahoy!

As of this writing, Rapid7 has replaced the information on their site showing Hannaford as a client.

I decided to run a query on Google News and discovered that so far the Boston Globe is one of the few mainstream e-rags reporting this.

The Boston Globe was able to get a comment from the marketing VP at Rapid7. Here is the "official explanation" from the article:

Was it damage control? Embarrassment about being linked to the breach? An admission that its software failed?

A Rapid7 executive says none of the above.

David Precopio, the company's vice president of marketing, said Hannaford asked Rapid7 to remove its name from the site once the data breach was made public. But after some sharp-eyed observers spotted the deletion (including the security website attrition.org) Precopio said Rapid7 asked Hannaford to let it repost the company’s name.

The Boston Globe was unable to get a comment from Hannaford about this matter.

I guess I'll have to leave it to the reader's imagination what the true intention in all of this was?

Tuesday, March 18, 2008

Hannaford Brothers data breach might reveal current security standards are outdated

Hannaford Bros. Co., a grocery retailer based in the Eastern United States, is the latest corporation to be victimized by a substantial data breach. Saying that, customers of Hannaford Bros. are going to be victimized, also. So will a lot of financial institutions, who have to deal with the fraud claims and try to prevent the information from being used.

Whenever a data breach of this magnitude occurs, there are a lot of victims.

This breach occurred despite the fact that Hannaford Bros. had met the payment card industry (PCI) standards for data protection and was not using wireless technology to transmit unencrypted data. Both of these factors were said to have caused the now infamous TJX breach, where approximately 98 million records were compromised.

This time only a reported 4.2 million records have been stolen, but it's still early in the game and historically these estimates tend to blossom with time.

A press release from Hannaford revealed that no personal information was stolen in this occurrence and that only payment (credit/debit) card numbers are at risk.

Additionally, there have been 1800 reported cases of fraud tied into this data breach thus far.

Today, the AP was able to get a comment from their corporate headquarters:

It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.

Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.

About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.

Brian Krebs of the Washington Post, who does the Security Fix blog, quoted an industry expert, Bryan Sartin at Cybertrust, as stating:

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.

If the theory in Security Fix pans out (it probably will), some precedents might exist for the basic method the hackers used. The incidents I will reference don't sound as sophisticated as what Mr. Sartin is describing, but they happened about a year ago, and hacking methods tend to mature with age.

Stop and Shop was the subject of a data breach a little over a year ago. In this case, PIN pads were being replaced with "look-alike" devices that captured all the payment card details. This hardware was later removed to download all the information that had been captured when unsuspecting customers swiped their cards.

Shortly thereafter, another compromise of this type was reported in Edmonton, Canada. In this case, a Bluetooth device was used to transmit the information to a waiting car in the parking lot.

The trend with PIN pad replacement continued with a smaller breach at a San Francisco Bay Area grocer, Albertsons, in April of 2007. At the time, I had the pleasure of speaking with Blanca Torres, who was doing an article on the story.

Interestingly enough, up North in Canada, where payment card skimming has increased six-fold in recent years, an announcement was made that they plan to introduce a smart card. This technology, which is known as "chip and PIN" is already in use in Great Britain and France.

The AHN story about this by Vittorio Hernandez included (what I consider) a sage comment:

But Peter Woolford of the Retail Council of Canada is wary that although the smart cards appear to be effective in reducing incidents of fraud, sinister minds may one day find a way to hack the smart chips. "Anything the human brain puts together, another human brain can take apart," Woolford pointed out.

Sadly, once this all pans out, it will likely reveal that PCI data protection standards can and will be compromised in the future. The reason I say sad is that a lot of retailers have spent a lot of money becoming compliant.

Throw in all the finger pointing and litigation between the different parties in all these breaches and I fear we're going to be fighting a very costly battle over what is becoming a too common item in the news.

I'll sum this post up with a rant I wrote when the TJX breach was attracting a lot of attention:

While everyone sues TJX, the criminals are laughing all the way to the bank

Press release from Hannaford about the breach, here. They list a telephone number on it, where more information can be obtained if you think you've become a statistic.

Sunday, March 16, 2008

The latest nightmare with RFID

A few days ago, it was reported that one billion RFID access devices could be compromised by hackers. These devices (using the MiFare RFID chip) are currently deployed as an access device for mass transit systems and, of far greater concern, secure government facilities.

Please note, ComputerWorld has now revised the estimate of MiFare RFID chips in use to two billion. For the final tally, we'll have to wait until a more detailed report is published.

According to news sources, this report will be issued on Wednesday.

One person claiming to be able to hack the RFID devices is a University of Virginia student by the name of Karsten Nohl, according to ComputerWorld. Nohl claims that all he would need now is a laptop, a scanner and a "few minutes" to start duplicating cards using the chip.

The article cites a computer security consultant, Ken van Wyk of KRvW Associates, as saying at least one European country has dispatched guards to secure facilities where this chip was used in access systems.

From the ComputerWorld article by Sharon Gaudin:

"It turns out it's a pretty huge deal," said van Wyk. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities — and I know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the MiFare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he added. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

While it probably is a good idea to be very specific about what sensitive government facilities use the card, Engadget mentioned some general places that use this particular RFID chip. They include "London (Oyster Card), Boston, Netherlands (OV-Chipkaart), Minneapolis / St. Paul, South Korea (Upass, T-money, Mybi), Hong Kong, Beijing, Milan, Madrid (Sube-T), Australia (Smartrider), Sao Paulo (Bilhete Unico), Rio de Janeiro (RioCard), Bangkok and New Delhi."

They also put up a YouTube video showing how easily these cards could be compromised. This video was created by the Digital Security section of the Radboud Nijmegen University in the Netherlands.

Full ComputerWorld story on this by Sharon Gaudin, here.

Other posts I've written about RFID nightmares, here.

Naughty UCLA employees peek at Britney's medical information

The LA Times is reporting that UCLA Medical Center employees were caught "peeking at" Britney Spears' medical records when she was recently hospitalized in their psychiatric unit.

I wonder if a total lack of privacy might be one of the underlying reasons Britney was admitted to this particular unit?

Charles Ornstein reports:

UCLA Medical Center is taking steps to fire at least 13 employees and has suspended at least six others for snooping in the confidential medical records of pop star Britney Spears during her recent hospitalization in its psychiatric unit, a person familiar with the matter said Friday.

In addition, six physicians face discipline for peeking at her computerized records, the person said.

The article states that this was the second time Britney's records were compromised at the UCLA Medical Center.

UCLA used stronger verbiage when reporting that their computer records were compromised in December of 2006.

As reported at the time by UCLA's Office of Public Relations:

UCLA is alerting approximately 800,000 people that their names and certain personal information are contained in a restricted database that was illegally and fraudulently accessed by a sophisticated computer hacker.

It should be noted that "illegally and fraudulently accessed" and "computer hacker" are stronger terms than "peeking" and "snooping." Maybe this is because the hacker is an outside entity and we can speculate they had a financial motivation when accessing information they weren't supposed to?

As long as we are speculating -- let me bring up another point -- which is that there are obviously a lot of people making a lot of money from the Britney Spears saga. Her personal medical details might be worth a lot of money to the people I'm referring to.

Recently, it was reported that People Magazine paid $4 million for the first pictures of Brad Pitt and Angelina Jolie's baby. Maybe a little privacy was one of the reasons they went to a remote place in Africa to have the baby?

Now I'd better get back to the larger problem we face from too much information being stored in too many (not very secure) databases.

The problem is that with so many databases out there -- coupled with all the publicly disclosed data breaches -- tracking any one case of a person's information being compromised is nearly impossible.

Just ask anyone who has actually investigated a case of identity theft. Most of the time, the best that can be done is to speculate where the information was actually compromised.

At this point in the game, a lot of people have been compromised in more than one location.

I would also speculate that there is an even greater number of data breaches out there that no one knows about. My guess is that the people who steal information would prefer to remain anonymous. Transparency has never been in the best interest of information thieves.

This brings up another related problem, what is known as medical identity theft. While medical identity theft hardly ties into Britney Spears getting her information "peeked at," it has become a huge problem. The tie would be the ease with which naughty employees, with no business looking at it, were able to do so.

In the end, UCLA is a highly respected institution. They do seem to care that this happened and are taking the standard measures to prevent it from happening again. The problem here is that time and time again, it appears that some of these measures don't work very well.
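Both this post and the one above on the State Department come down to the same two controls: only people with a need to know should be able to open a record, and every read, allowed or not, should land in an audit log that someone actually reviews. The following is an added example written for these posts, not UCLA's or the State Department's system; users, record ids and timestamps are constructed. It enforces an assignment check, logs every attempt, and then shows two reviews a privacy officer would run over the log: repeated denied reads of one record (someone probing), and an unusual number of distinct people opening one record in a short window (the pattern of a dozen staff "peeking" at a celebrity's chart even though each of them technically had access).

```python
"""Need-to-know enforcement with an audit trail and snooping review.

Added example: a record store where a user may open a record only while
assigned to it, every attempt is logged, and the log is reviewed for two
signs of snooping. All users, records and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessEvent:
    when: datetime
    user: str
    record_id: str
    allowed: bool


class RecordStore:
    """Records, per-record assignment lists, and an append-only audit log."""

    def __init__(self):
        self._records = {}       # record_id -> record data
        self._assignments = {}   # record_id -> set of users with a need to know
        self.audit = []          # every read attempt, allowed or denied

    def add_record(self, record_id, data, assigned):
        self._records[record_id] = data
        self._assignments[record_id] = set(assigned)

    def read(self, user, record_id, when):
        """Return the record only if `user` is assigned to it; log either way."""
        allowed = user in self._assignments.get(record_id, set())
        self.audit.append(AccessEvent(when, user, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} has no need to know for {record_id}")
        return self._records[record_id]


def denied_attempts(audit, record_id):
    """Denied reads of one record, per user: repeated denials suggest probing."""
    counts = {}
    for ev in audit:
        if ev.record_id == record_id and not ev.allowed:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def readers_in_window(audit, record_id, start, window):
    """Distinct users who successfully read the record in [start, start+window)."""
    end = start + window
    return {ev.user for ev in audit
            if ev.record_id == record_id and ev.allowed and start <= ev.when < end}


def burst_alert(audit, record_id, start, window, threshold):
    """True when more distinct people opened a record than a care team would."""
    return len(readers_in_window(audit, record_id, start, window)) > threshold


def run_scenario():
    """Constructed scenario: a wide team, a flurry of reads, and an outsider probing."""
    store = RecordStore()
    team = ["dr_a", "nurse_b", "nurse_c", "tech_d", "clerk_e", "billing_f"]
    store.add_record("P-1001", {"note": "constructed record"}, assigned=team)
    t0 = datetime(2008, 3, 14, 9, 0)
    # Six assigned users open the same record within ten minutes: allowed,
    # but far more readers than one patient's care normally needs.
    for i, user in enumerate(team):
        store.read(user, "P-1001", t0 + timedelta(minutes=2 * i))
    # A user with no assignment tries twice and is refused both times.
    for i in range(2):
        try:
            store.read("intern_x", "P-1001", t0 + timedelta(minutes=30 + i))
        except PermissionError:
            pass
    return {
        "events": len(store.audit),
        "denied": denied_attempts(store.audit, "P-1001"),
        "readers": len(readers_in_window(store.audit, "P-1001", t0, timedelta(minutes=15))),
        "alert": burst_alert(store.audit, "P-1001", t0, timedelta(minutes=15), threshold=3),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The burst review is the one that matters for the UCLA case: the access check alone does nothing when too many people have been assigned in the first place, which is exactly the "too many people given access to too much" problem both posts describe. The log only helps if the reviews are run and the threshold is set from what a normal care team looks like.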

The bottom line is that if things like this can happen at a respected institution of higher learning's medical center, it's probably happening at more places than we realize!

Speaking of this happening at more places than we realize, it was recently reported (3-12-08) that Harvard is one of the latest institutions to be victimized by a data breach.

As long as we rationalize things away by using terms like "peeking," I doubt the problem is going to get fixed in the near future. UCLA is probably only following standard data compromise protocol. Read the press releases after any compromise of data and there is a lot of rationalization and speculation.

This probably means we need to do a little less rationalizing and go beyond mere speculation when addressing what has become a serious issue. This will entail taking a hard look at the core reasons this keeps happening, one of which is an ever-increasing lack of privacy in the world today.

If you would like to see why UCLA isn't the only one who has had a problem with this issue, Attrition.org and PogoWasRight do a great (transparent) job of reporting the known spectrum of the problem.

If you want to read more about medical identity theft, the World Privacy Forum is an excellent resource.