Wednesday, May 20, 2009

Millions of Potentially Sensitive Records from the Clinton Era Gone Missing!

A computer hard drive which contained huge amounts of personal and sensitive information from the Clinton administration is missing. Some of this information includes Social Security numbers, personal addresses and even scarier, Secret Service and White House operational procedures.

Yesterday, government officials were briefed about the compromise, which was originally discovered in April. The hard drive held a terabyte of computer data that could contain millions of individual records. A terabyte of data would be enough to fill millions of books, according to this article published by the AP.

The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing – although it is not clear which daughter's information was compromised. Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too. According to articles I read, authorities are still trying to figure out exactly what was on the hard drive.

The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland.

The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation. According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time. When the researcher tried to resume work on the project, it was discovered to be missing.

According to Rep. Edolphus Towns, Democrat-N.Y., chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating.

The FBI will have a lot of suspects in this case. One hundred badge holders had access to the area. Additionally,the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom.

This information would normally be stored in a secure area. Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost.

At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted. Encrypting data is considered a "safe and sane" security practice when dealing with data in transit and has become a legal requirement in many situations.

The House Oversight and Government Reform Committee have pointed to a problem with government agencies being compromised in the past. In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide. Other findings in the report include: agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches.

The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists.

More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today. Thus far, a study has been conducted, and is being reviewed. Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries (notably China and Russia), who have been suspected of targeting government systems.

If you are interested in learning more about Chinese hackers, there is a well written blog on the subject titled "The Dark Visitor (Information on Chinese Hacking". Another non-government source which covers data breaches in general is the Open Security Foundation.

While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised. Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time.

Update 5/20/09: It has now been confirmed that the missing hard drive had no encryption and a $50,000 reward is being offered for information leading to it's recovery. Source: CNet.

Sunday, May 17, 2009

FaceBook Hack Reveals Trend in Targeting Social Networks

Attacking social networking websites is becoming more common all the time. My guess is that they are being leveraged by criminals, who are after the vast amount of personal information people willingly put up on these sites.

For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years – which are to take over a user account – and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.

The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.

Stealing stolen user accounts on eBay has been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.

This information can then be used to commit financial crimes, using the victim’s identity.

I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.

According to Marian Meritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.

Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.

First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.

Of course, it's also wise to check out the address at the top of the page after arriving at your destination, also. You should also stop and think when something pops up instructing you to enter your user and password information.

Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.

When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.

So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.

While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.

Going beyond social networking sites, financial, auction, e-commerce are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.

The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.

Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!