Staples Breaches Privacy Laws – Again

CBC reports that Staples Business Depot has breached Canadian privacy law by not wiping customer data from laptops and storage devices that are returned by customers before reselling them, according to Canada’s privacy commissioner.  Banking information, tax records, social insurance numbers, health card and passport numbers, as well as academic transcripts were among the information found during an audit by the office of Privacy Commissioner Jennifer Stoddart on 54 of 149 data storage devices destined to be resold by Staples.

Staples has 300 stores across the country.  Customer data was found on devices from 15 of 17 stores audited in B.C., Alberta, Manitoba, Ontario, Quebec, Nova Scotia, and Newfoundland and Labrador.  The privacy commissioner cannot impose sanctions, but recommended that Staples implement controls to ensure personal data is not disclosed.  In a statement Tuesday, Staples said it co-operated fully with the privacy commissioner’s office and responded “positively” to all recommendations.  Contrary to what is in the report, Staples claims that its practices “meet the level requested by the Privacy Commissioner.”

Stoddart said her findings were “particularly disappointing” given that her office had already investigated previous complaints against Staples involving returned storage devices in 2004 and 2008.  Both times, Staples had committed to corrective action.

What can we learn here?

  • As a consumer, if you return an item to Staples (or other vendors) that could contain personal or sensitive information, find out what their data policy is IN WRITING.
  • If you are uncertain about their ability or interest in carrying out what the policy says they do, don’t return the device.
  • Encryption would have really helped here.  Encrypt your personal data.  It also helps protect your data if your PC is stolen.
  • Weigh the cost of the storage device against the risk of the data being exposed, then decide if YOUR policy should be a drill bit and sledgehammer.
  • It is your data and your money.  Spend it wisely.
  • I love power tools!

Staples hasn’t learned a damn thing, because they just keep on doing what they have been doing.  Except, perhaps, the fact that the Privacy Commissioner is a well-meaning tiger with false teeth.

One desk drawer in my office at home holds a number of hard drives.  They are there because they have either failed, alerted me to their imminent death, or because I no longer have a subsystem for connecting them to a modern PC.  Some are SCSI drives from when I used to have a rack of servers, some are old IDE drives, some are SATA or even USB or FireWire.  The latter three types might have been stuck in the drawer while still being under manufacturer’s warranty, but the manufacturer wants you to send the drive to them for testing, examination, refurbishing or replacement.  Each one will eventually get cooked by me with a degausser, get drilled out by me, and/or physically obliterated by me with a 25 lb sledge.  As soon as I get my tools back from my kids, or locate a working degausser…

Scotiabank Lost 3 CDs

The Star is reporting that some Toronto clients of Scotiabank are concerned about possible exposure of their personal information after three CD-ROMs listing clients’ names, SIN numbers, registered account type and account numbers have gone missing.  The CD-ROMs were mislaid last Wednesday and the bank believes that they have been lost internally.  However, the bank is warning clients just in case, so that they can monitor their accounts and make sure there was no fraudulent activity.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information.  The parcel containing the three CDs went missing while in internal mail between two Scotiabank departments.  The number of people affected remains unclear.  Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.  In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”  Based on their investigation, they have no reason to believe that this incident puts customers at risk.

Scotiabank has strict processes and procedures in place to protect customer privacy and confidentiality.  I could find no information regarding whether or not the data was encrypted, so I must assume it was not.  I hope the CDs are found quickly, and there is no data exposure.

Prepare For Memory Scraping Malware Bypassing Encryption

SANS is reporting that “pervasive memory scraping” malware is set to become one of the most dangerous attack techniques likely to be used this year.  Pervasive memory scraping is a technique used by attackers who have already gained administrative privileges on a computer in order to access data that is encrypted at rest.  Evidence of this type of attack is appearing more often in new data breach cases.

Encryption is often touted as a quick and fairly easy solution to many privacy and confidentiality concerns, and it is a requirement of some regulations such as PCI.  However, encrypted data must be decrypted in order to be viewed, used and processed.  To do this, the computer decrypts the data into memory, and if the data set is large enough it may also be written to temporary files.  Once the application that decrypted the data is closed, those remnants can be left behind, unencrypted and unprotected, at least for some period of time.  Memory scraping malware takes advantage of these lapses and harvests the unencrypted data.
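The plaintext-lifetime problem described above, as an added example that is not from the original post or from SANS: a toy XOR stands in for whatever real cipher protects the record at rest, the sample card record is constructed, and the wipe and self-check routines are my own illustration of the mitigation (clear decrypted buffers as soon as they have been used, and verify that the clearing actually happened).

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample record; the card number is a test value, not real. */
static const char PLAINTEXT[] = "PAN=4111111111111111;EXP=12/25";
/* A toy XOR stands in for the real cipher protecting data at rest.
 * It is NOT cryptography; what matters is where the plaintext ends up. */
static const unsigned char KEY[] = {0x5a, 0xa5, 0x3c};

static void xor_crypt(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= KEY[i % sizeof KEY];
}

/* Overwrite through a volatile pointer so the compiler cannot drop
 * the store as "dead" the way it may with a plain memset. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Decrypt a record in place, use it (count digits), then optionally
 * wipe it so the plaintext does not outlive its use. */
int process_record(unsigned char *work, size_t n, int wipe_after) {
    xor_crypt(work, n);            /* plaintext now lives in `work` */
    int digits = 0;
    for (size_t i = 0; i < n; i++)
        if (work[i] >= '0' && work[i] <= '9') digits++;
    if (wipe_after) secure_zero(work, n);
    return digits;
}

/* Self-check: is the plaintext record still present in the buffer? */
int remnant_present(const unsigned char *buf, size_t n) {
    size_t m = sizeof PLAINTEXT - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, PLAINTEXT, m) == 0) return 1;
    return 0;
}

/* Put the encrypted record in a buffer, process it, report leftovers. */
int demo(int wipe_after) {
    unsigned char work[sizeof PLAINTEXT - 1];
    memcpy(work, PLAINTEXT, sizeof work);
    xor_crypt(work, sizeof work);  /* the record as stored "at rest" */
    process_record(work, sizeof work, wipe_after);
    return remnant_present(work, sizeof work);
}

int main(void) {
    printf("remnant without wipe: %d, with wipe: %d\n", demo(0), demo(1));
    return 0;
}
```

Temporary files written during processing need the same treatment: delete them as soon as the job completes rather than leaving decrypted spill files for a scraper (or a later forensic search) to find.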

Ransomware Making A Comeback

Security firms are reporting a resurgence of ransomware, malware designed to encrypt and hold users’ data hostage on their own computers until payment is made.  The newest variants are demanding payment of as much as US $120 to provide the decryption keys to user data. 

Infected PDF files are being used by some malware to exploit known vulnerabilities in unpatched Adobe Reader software installations.  Other variants target the master boot record of Windows hard drives. 

Make sure that your applications are all patched up, and ensure that you update your backups.  External hard drives are cheap commodity items these days, so make the investment.  Or get that significant other to set one under the tree for you this year.  I have seen 1TB USB drives going for under $200! 

WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 

Well, There Goes The e-Neighborhood!

Nearly 15% of the world’s Internet traffic — including data from the Pentagon, the office of Defense Secretary Robert Gates and other US government websites — was redirected through computer servers in China last April, according to a congressional commission report obtained by

According to a draft report, a state-owned Chinese telco, China Telecom, “hijacked” massive volumes of Internet traffic during the 18-minute incident.  It affected traffic to and from .gov and .mil websites in the United States, as well as websites for the Senate, all four military services, the office of the Secretary of Defense, the National Oceanic and Atmospheric Administration and “many others,” including websites for firms like Dell, Yahoo, IBM and Microsoft.

I hope the report is released publicly, as I would like to understand how we can start building IP’s replacement protocol suite, since the baby AND the bathwater are tainted, FUBAR.  I’ve said it for over 10 years: IP is crap, build a new suite with security at its heart!  I hope the governments and big corporations regularly super encrypt their really sensitive stuff…

20 Critical Security Controls

In 2009, the State Department implemented a bold strategy to continuously monitor cyberspace for malicious computer attacks.  Chief Information Security Officer John Streufert led the effort.  Part of what Streufert wanted to determine was whether or not he could tailor his security model to the 20 critical security controls, a set of risks that over 100 security experts determined to be the most common and likely security vulnerabilities facing government computer systems.

Prior to these controls, the National Institute of Standards and Technology concluded that there were 110 or more ways computer systems could be attacked.  Former Energy Department and Air Force CIO John Gilligan changed all that when he brought together a powerful consortium to determine if there was a subset of those risks that was substantially more important based on the damage they could inflict and the likelihood of them occurring.  As a result, the 20 critical controls were born.

Streufert opened a 24-hour security help desk to count the number of security incidents occurring on a daily basis.  For 2008, State opened 2104 tickets.  By 2009, the number went up to 3085.  Different kinds of attacks occurred, but the most prevalent was malicious code, which rose from 39% in 2008 to 70% in 2009. 

The 20 Critical Controls are judged by leading cybersecurity experts to be the most commonly used and effective ways computer attackers gain entry to systems and networks.  The automation of these controls has radically lowered the cost of security while improving effectiveness.

SANS 20 Critical Security Controls