Staples Breaches Privacy Laws – Again

CBC reports that Staples Business Depot has breached Canadian privacy law by not wiping customer data from laptops and storage devices that are returned by customers before reselling them, according to Canada’s privacy commissioner.  Banking information, tax records, social insurance numbers, health card and passport numbers, as well as academic transcripts were among the information found during an audit by the office of Privacy Commissioner Jennifer Stoddart on 54 of 149 data storage devices destined to be resold by Staples.

Staples has 300 stores across the country.  Customer data was found on devices from 15 of 17 stores audited in B.C., Alberta, Manitoba, Ontario, Quebec, Nova Scotia, and Newfoundland and Labrador.  The privacy commissioner cannot impose sanctions, but recommended that Staples implement controls to ensure personal data is not disclosed.  In a statement Tuesday, Staples said it co-operated fully with the privacy commissioner’s office and responded “positively” to all recommendations.  Contrary to what is in the report, Staples claims that its practices “meet the level requested by the Privacy Commissioner.”

Stoddart said her findings were “particularly disappointing” given that her office had already investigated previous complaints against Staples involving returned storage devices in 2004 and 2008.  Both times, Staples had committed to corrective action.

What can we learn here?

  • As a consumer, if you return an item to Staples (or other vendors) that could contain personal or sensitive information, find out what their data policy is IN WRITING.
  • If you are uncertain about their ability or interest in carrying out what the policy says they do, don’t return the device.
  • Encryption would have really helped here.  Encrypt your personal data, ideally the whole disk, so that whatever is left on a returned or stolen device is unreadable without the key.  It only helps if the data was written to an encrypted volume in the first place and the key does not travel with the device.
  • Weigh the cost of the storage device against the risk of the data being exposed, then decide if YOUR policy should be a drill bit and sledge hammer.
  • It is your data and your money.  Spend it wisely.
  • I love power tools!
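As an added example (not from the CBC story or the Commissioner's audit), here is what the missing control looks like in practice: overwrite a returned device end to end, then read it back and prove that nothing recognisable survived.  The image path, the chunk size and the sample customer record are assumptions for the demonstration; a store would run this against the block device itself.  Note the caveat in the docstring: on flash media, overwriting logical blocks is not a guarantee, which is where the author's drill bit comes in.

```python
import os
import secrets

CHUNK = 64 * 1024  # read/write granularity; large enough to keep syscalls few


def _device_size(f) -> int:
    # os.path.getsize() reports 0 for block devices on Linux, so seek instead.
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def wipe(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte at `path` (a regular file or a block device opened
    read/write) with cryptographically random data, then with zeros, syncing
    after each pass. Returns the number of bytes overwritten per pass.

    Caveat (assumption about the media, not something the page states): on
    SSDs and USB flash, wear levelling means this reaches the logical blocks,
    not necessarily every physical cell; prefer ATA Secure Erase or physical
    destruction for those.
    """
    with open(path, "r+b", buffering=0) as f:
        size = _device_size(f)
        for fill in [None] * random_passes + [b"\x00"]:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                buf = memoryview(secrets.token_bytes(n) if fill is None else fill * n)
                written = 0
                while written < n:  # raw writes may be partial
                    written += f.write(buf[written:])
                remaining -= n
            os.fsync(f.fileno())
    return size


def verify_blank(path: str, markers=()) -> dict:
    """Read the device back and report what survived: the number of chunks
    that contain any non-zero byte, and which of the caller's known plaintext
    markers (e.g. a SIN or a file name) are still present. Markers are
    searched across chunk boundaries so a hit straddling two reads is found.
    """
    markers = [m.encode() if isinstance(m, str) else m for m in markers]
    overlap = max((len(m) for m in markers), default=1) - 1
    nonzero_chunks = 0
    found = set()
    tail = b""
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if any(chunk):
                nonzero_chunks += 1
            window = tail + chunk
            for m in markers:
                if m in window:
                    found.add(m.decode(errors="replace"))
            tail = window[-overlap:] if overlap else b""
    return {"nonzero_chunks": nonzero_chunks, "markers_found": sorted(found)}


if __name__ == "__main__":
    import tempfile

    # Constructed stand-in for a returned USB stick: mostly empty, with one
    # customer record left behind. A real run would pass /dev/sdX instead.
    fd, image = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * 4096 + b"SIN 046 454 286 tax return 2009" + b"\x00" * 200000)
    markers = ["046 454 286", "tax return"]
    print("before:", verify_blank(image, markers))
    wipe(image)
    print("after: ", verify_blank(image, markers))
    os.remove(image)
```

The verify step is the part an audit like this one actually tests: keep its report with the device's resale record, not just the fact that a wipe was run.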

Staples hasn’t learned a damn thing, because they just keep on doing what they have been doing.  Add to that the fact that the Privacy Commissioner is a well-meaning tiger, but has false teeth.

One desk drawer in my office at home holds a number of hard drives.  They are there because they have either failed, alerted me to their imminent death, or because I no longer have a subsystem for connecting them to a modern PC.  Some are SCSI drives from when I used to have a rack of servers, some are old IDE drives, some are SATA or even USB or FireWire.  The latter three types might have been stuck in the drawer while still under the manufacturer’s warranty, but the manufacturer wants you to send the drive to them for testing, examination, refurbishing or replacement.  Each one will eventually get cooked by me with a degausser, get drilled out by me, and/or be physically obliterated by me with a 25 lb sledge.  As soon as I get my tools back from my kids, or locate a working degausser…

Scotiabank Lost 3 CD’s

The Star is reporting that some Toronto clients of Scotiabank are concerned about possible exposure of their personal information after three CD-ROMs listing clients’ names, SINs, registered account types and account numbers went missing.  The CD-ROMs were mislaid last Wednesday and the bank believes they were lost internally.  However, the bank is warning clients just in case, so that they can monitor their accounts and make sure there has been no fraudulent activity.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information.  The parcel containing the three CDs went missing while in internal mail between two Scotiabank departments.  The number of people affected remains unclear.  Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.  In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”  Based on its investigation, the bank says it has no reason to believe that this incident puts customers at risk.

Scotiabank says it has strict processes and procedures in place to protect customer privacy and confidentiality.  I could find no information regarding whether or not the data on the discs was encrypted, so I must assume it was not.  I hope the CDs are found quickly, and there is no data exposure.

Prepare For Memory Scraping Malware Bypassing Encryption

SANS is reporting that “pervasive memory scraping” is set to become one of the most dangerous attack techniques in use this year.  Memory scraping is used by attackers who have already gained administrative privileges on a computer to read sensitive data straight out of process memory, where it has to sit in the clear while it is being used, no matter how well it is encrypted on disk or on the wire.  Evidence of this type of attack is appearing more often in new data breach cases.

Encryption is often touted as a quick and fairly easy answer to many privacy and confidentiality concerns, and it is a requirement of some regulations such as PCI DSS; however, encrypted data must be decrypted in order to be viewed, used and processed.  To do this, the application decrypts the data into memory, and if the data set is large enough it may also be written to temporary files or paged out to swap.  Once the application that decrypted the data exits, those remnants can stay behind in freed memory, swap and temporary files for some period of time, unencrypted and unprotected.  Memory scraping malware takes advantage of this window and harvests the plaintext, so on a box that handles card data the question is not only whether the data is encrypted at rest but how quickly the plaintext copy is overwritten once it has been used.
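As an added example, not code from SANS or from any real sample, here is the core of a RAM scraper reduced to its two ingredients: a search for card-shaped data (track-2 records and bare PANs) and a Luhn check to discard the timestamps and order numbers that share the shape.  The memory snapshot is constructed for the demonstration and the card numbers are the standard test numbers.  The `scrub` function shows the other side: zeroing the buffer as soon as the plaintext has been used leaves the scraper nothing to find.

```python
import re

# Track 2 magnetic-stripe data as a payment application holds it in memory:
#   ;<PAN>=<YYMM expiry><3-digit service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=\d{4}\d{3}\d*\?")
# Any bare run of 13-19 digits that is not embedded in a longer digit run.
PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; the filter real RAM scrapers use to separate
    card numbers from timestamps, order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """Walk a memory image and return (offset, kind, pan) for every
    Luhn-valid card number; track-2 records first, so the PAN inside one is
    not reported a second time by the bare-PAN search."""
    hits, covered = [], []
    for m in TRACK2.finditer(memory):
        if luhn_ok(m.group(1)):
            hits.append((m.start(), "track2", m.group(1).decode()))
            covered.append((m.start(), m.end()))
    for m in PAN.finditer(memory):
        start = m.start(1)
        if any(a <= start < b for a, b in covered):
            continue
        if luhn_ok(m.group(1)):
            hits.append((start, "pan", m.group(1).decode()))
    return sorted(hits)


def scrub(buf: bytearray) -> None:
    """Zero a buffer in place as soon as the plaintext is no longer needed.
    This only works for mutable buffers: immutable bytes/str copies linger
    until the allocator reuses the pages, which is exactly the residue a
    scraper harvests."""
    buf[:] = bytes(len(buf))


# Constructed snapshot of a point-of-sale process heap (not a real dump).
SAMPLE_MEMORY = (
    b"POS v3.1 heap\x00\x00order=1234567890123456\x00"   # order id, fails Luhn
    b";4111111111111111=15121010000000000?\x00"           # track 2 left in a freed buffer
    b"ts=1291000000000\x00cardholder=J SMITH\x00"         # timestamp, fails Luhn
    b"pan=5555555555554444\x00"                           # PAN from a second sale
    + b"\x00" * 32
)


if __name__ == "__main__":
    for off, kind, pan in scrape(SAMPLE_MEMORY):
        print(f"0x{off:04x} {kind:6s} {pan}")
    buf = bytearray(SAMPLE_MEMORY)
    scrub(buf)
    print("after scrub:", scrape(bytes(buf)))
```

Run against a real process dump the same code is the detection artifact: the regex plus Luhn is what a scraper carries, so seeing it in a binary, or seeing a process read other processes' memory, is the thing to alert on.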


Ransomware Making A Comeback

Security firms are reporting a resurgence of ransomware, malware designed to encrypt and hold users’ data hostage on their own computers until payment is made.  The newest variants are demanding payment of as much as US $120 to provide the decryption keys to user data. 

Malicious PDF files are being used by some variants to exploit known vulnerabilities in unpatched installations of Adobe Reader.  Other variants target the master boot record of Windows hard drives. 

Make sure that your applications are all patched up, and keep your backups current.  Keep the backup disconnected when you are not writing to it: ransomware encrypts whatever it can reach, and an external drive that is always plugged in is just another volume to it.  External hard drives are cheap commodity items these days, so make the investment.  Or get that significant other to set one under the tree for you this year.  I have seen 1TB USB drives going for under $200! 

WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


Well, There Goes The e-Neighborhood!

Nearly 15% of the world’s Internet traffic — including data from the Pentagon, the office of Defense Secretary Robert Gates and other US government websites — was redirected through computer servers in China last April, according to a congressional commission report obtained by FoxNews.com.

According to the draft report, China Telecom, a state-owned Chinese carrier, “hijacked” massive volumes of Internet traffic during the 18-minute incident.  It affected traffic to and from .gov and .mil websites in the United States, as well as websites for the Senate, all four military services, the office of the Secretary of Defense, the National Oceanic and Atmospheric Administration and “many others,” including websites for firms like Dell, Yahoo, IBM and Microsoft.

I hope the report is released publicly, as I would like to understand how we can start building IP’s replacement protocol suite, since the baby AND the bathwater are tainted, FUBAR.  I’ve said it for over 10 years, IP is crap, build a new suite with security at its heart!  I hope the governments and big corporations regularly super encrypt their really sensitive stuff…
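Redirecting traffic “through computer servers in China” happens at the routing layer: a network announces, via BGP, prefixes it does not own, and every router that accepts the announcement forwards traffic to it.  As an added example (not from the commission report), here is the origin check an operator would want running over their own prefixes, fed from a route collector or BMP feed.  The prefix table, the AS numbers and the update records are constructed: documentation prefixes and private ASNs, not the networks involved in the incident.

```python
import ipaddress
from typing import Optional

# Prefixes we are responsible for and the AS that should originate them.
# Constructed example table; in practice this comes from the IRR / RPKI ROAs
# for your own address space.
EXPECTED_ORIGIN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
}


def classify(prefix: str, as_path: list, expected: dict = EXPECTED_ORIGIN) -> Optional[str]:
    """Classify one announcement seen at a route collector.

    Returns None when the announcement is consistent with the table, else:
      "origin-mismatch"  our exact prefix originated by another AS
      "more-specific"    a sub-prefix of ours originated by another AS; it
                         wins longest-prefix match everywhere, so traffic is
                         pulled to the announcer while our own route stays up
    Announcements for space we do not own are ignored (None).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]  # rightmost AS in the path is the claimed originator
    if str(net) in expected:
        return None if origin == expected[str(net)] else "origin-mismatch"
    for ours, asn in expected.items():
        parent = ipaddress.ip_network(ours)
        if net.version == parent.version and net != parent and net.subnet_of(parent):
            return None if origin == asn else "more-specific"
    return None


def scan(updates: list, expected: dict = EXPECTED_ORIGIN) -> list:
    """Run classify() over (timestamp, prefix, as_path) records and return
    the alerts as (timestamp, prefix, origin_as, problem)."""
    alerts = []
    for ts, prefix, path in updates:
        problem = classify(prefix, path, expected)
        if problem:
            alerts.append((ts, prefix, path[-1], problem))
    return alerts


# Constructed feed of announcements as a collector would relay them.
SAMPLE_UPDATES = [
    ("10:00:00", "192.0.2.0/24",    [64510, 64500]),  # normal: our origin behind our transit
    ("10:04:00", "192.0.2.0/24",    [64510, 64496]),  # same prefix, foreign origin
    ("10:04:10", "198.51.100.0/25", [64510, 64496]),  # more-specific carve-out, foreign origin
    ("10:04:20", "203.0.113.0/25",  [64510, 64501]),  # our own traffic engineering, fine
    ("10:05:00", "10.0.0.0/8",      [64510, 64496]),  # not our space, ignored
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(*alert)
```

RPKI origin validation automates this same comparison inside the router using signed ROAs.  Neither catches an announcement that forges the legitimate origin at the end of the AS path, so path monitoring, not just origin checks, belongs in the alerting.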

FoxNews

TheNextWeb

20 Critical Security Controls

In 2009, the State Department implemented a bold strategy to continuously monitor its systems for malicious computer attacks.  Chief Information Security Officer John Streufert led the effort.  Part of what Streufert wanted to determine was whether he could tailor his security model to the 20 Critical Security Controls, a prioritized set of defences that more than 100 security experts selected to counter the most common and most damaging attacks against government computer systems.

Prior to these controls, the National Institute of Standards and Technology concluded that there were 110 or more ways computer systems could be attacked.  Former Energy Department and Air Force CIO John Gilligan changed all that when he brought together a powerful consortium to determine if there was a subset of those risks that was substantially more important based on the damage they could inflict and the likelihood of them occurring.  As a result, the 20 critical controls were born.

Streufert opened a 24-hour security help desk to count the number of security incidents occurring on a daily basis.  For 2008, State opened 2104 tickets.  By 2009, the number went up to 3085.  Different kinds of attacks occurred, but the most prevalent was malicious code, which rose from 39% in 2008 to 70% in 2009. 

The 20 Critical Controls are judged by leading cybersecurity experts to address the ways computer attackers most commonly and most effectively gain entry to systems and networks.  Automating the checks behind these controls has, at State, radically lowered the cost of security while improving its effectiveness.

NextGov

SANS 20 Critical Security Controls

DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees’ personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were to be lost or stolen, it could create significant legal liability, financial loss and security risk, as well as reputational and regulatory hardship.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those that are concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls from perimeter to storage server that you can afford.  One thing about technical security controls is almost certain: a determined attacker will find a way around your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot with a CD.  Disable CD/DVD booting in the BIOS and block the USB ports with super glue, and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that, if implemented and managed correctly, protects the data itself from inappropriate exfiltration rather than guarding one channel at a time. 
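As an added example (not from the NetworkWorld articles or any DLP product), here is the partial-document matching that DLP engines use for the “project plans and intellectual property” category: register a document as a set of hashed word shingles, then score outbound messages against it, decoding base64 runs first because encoding is the first evasion the text mentions.  The protected document, the messages, the shingle width and the threshold are constructed for the demonstration.

```python
import base64
import hashlib
import re

SHINGLE = 5        # words per fingerprint unit (assumed; products tune this)
THRESHOLD = 0.30   # share of a document's shingles in a message that blocks it
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shingles(text: str) -> set:
    """Normalise text (case, punctuation, whitespace) and hash each run of
    SHINGLE consecutive words; retyping or reformatting the document leaves
    most of these unchanged, which is the point of partial-document matching."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE + 1)
    }


def register(documents: dict) -> dict:
    """Build the index name -> shingle set. Only hashes are kept, so the index
    deployed to the inspection point does not itself leak the documents."""
    return {name: shingles(text) for name, text in documents.items()}


def decode_layers(text: str, depth: int = 2) -> list:
    """Return the text plus the decoded form of any base64 run inside it,
    recursively up to `depth` levels; one cheap answer to the 'they resort
    to encoding' move described above."""
    layers = [text]
    if depth == 0:
        return layers
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        layers.extend(decode_layers(decoded, depth - 1))
    return layers


def inspect_message(message: str, index: dict) -> dict:
    """Score an outbound message against every registered document and
    return the action plus the per-document overlap that drove it."""
    seen = set()
    for layer in decode_layers(message):
        seen |= shingles(layer)
    matches = {}
    for name, fingerprint in index.items():
        if fingerprint:
            overlap = len(seen & fingerprint) / len(fingerprint)
            if overlap >= THRESHOLD:
                matches[name] = round(overlap, 2)
    return {"action": "block" if matches else "allow", "matches": matches}


# Constructed protected document and outbound messages (not real data).
PROTECTED = {
    "roadmap-2011": (
        "Project Falcon will move customer billing to the new platform in the "
        "second quarter. The migration team will freeze schema changes on March "
        "first and cut over each region one weekend at a time, starting with "
        "Ontario, then Quebec, then the western provinces. Pricing for the "
        "premium tier will rise by eight percent at cutover."
    )
}
INDEX = register(PROTECTED)

_LEAK = (
    "fyi - The migration team will freeze schema changes on March first and cut "
    "over each region one weekend at a time, starting with Ontario, then Quebec, "
    "then the western provinces. Don't forward."
)
SAMPLE_MESSAGES = {
    "chatter": "Lunch at noon? The new platform demo is on Thursday, same room.",
    "verbatim": _LEAK,
    "encoded": "see attached\n" + base64.b64encode(_LEAK.encode()).decode(),
}


if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        print(label, inspect_message(body, INDEX))
```

Retyping a section from a pencil-and-paper copy still matches, because shingling ignores punctuation and layout; a photo or a careful paraphrase does not, which is why the control's value depends on tuning the threshold against real traffic rather than trusting the default.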


Security Panel to IT: “Expect a Breach”

How big is the security threat facing IT?  That depends on who you ask.   At an event at the Churchill Club, a panel of security vendors agreed it’s serious, but emphasized different aspects of the challenges ahead.

SonicWall’s CEO Matt Medeiros offered a cautionary note, warning that IT security is “not going to get better in 2011 and probably a bit worse. We don’t know when the strike will come, because so much of this is done in stealth.”   Ken Silva, CTO of VeriSign, was far more explicit.   “Security threats today are less like a disease or a cancer — it’s more like a sniper shooting you in the head as you come out the door,” he said. “Malware is slipping through our most protected systems and we can’t even see the threat coming.”   Trend Micro argued that malware is the biggest security threat facing IT, citing a new threat every second.  Mocana, a company that focuses on “the 20 billion non-PC devices” being connected to more and more computer networks, said the two biggest security threats are the consumerization of the enterprise, including devices like the iPhone and social media services like Facebook and Twitter, as well as the shift to cloud computing.   Several panelists emphasized that vendors need to do more to secure their products “out of the box”.

Overall, the panelists painted a bleak picture of IT security, warning about the increasing number of entry points into corporate networks, and urging businesses to codify policies governing the use of consumer technologies at work.

Verisign’s Silva added “Any company not preparing for a data breach is making a mistake.”

Datamation

£500k Fines for UK Breaches of Data Protection Act

New legislation comes into force in the UK today which empowers the Information Commissioner’s Office (ICO) to levy fines on businesses of up to £500,000 for breaches of the Data Protection Act.  Fines are avoidable if adequate security best practices are adopted now.

The ICO is clearly concerned about cases where unencrypted, confidential data residing on laptops and USB sticks has been lost or stolen.   The impact of the majority of these cases could have been avoided altogether by following security best practices.  Before it will impose a monetary penalty, the ICO must be satisfied that a breach is likely to cause “damage or distress”, that it was either deliberate or negligent, and that the organisation “failed to take reasonable steps to prevent it”.

Develop and enforce a robust security policy:

  • Governance regarding use of customer data – it should not physically leave the premises unless absolutely necessary.
    • Use strong encryption for data that does have to leave the premises.
    • Restrict access to customer data only to those staff for whom it is critical.
    • Ensure that confidential data cannot be copied to portable media such as USB or CD/DVD.
    • Monitor information leaving via email and websites for appropriateness.
  • Protect and manage all PCs, laptops and servers
    • Maintain active, up-to-date antivirus, anti-spyware and firewall protection.
  • Create strong passwords for all systems and hardware.
    • Use at least 8 characters combining numbers, letters and punctuation.
    • Don’t reuse a password that is active on other accounts.
  • Don’t forget physical security
    • Shred documents containing personal information.
    • Don’t leave financial and sensitive information unsecured.
    • Educate employees to improve awareness of appropriate behaviours.

The Register

ComputerWeekly