Gov Website Access For Sale

Researchers from Imperva’s Hacker Intelligence Initiative have found a number of .mil, .gov and .edu web sites have been hacked using SQL injection vulnerabilities, with access up for sale, cheap.  The hacker claims to have control over a number of important websites, including the U.S. Army’s Communications-Electronics Command (CECOM) and other military sites, government sites, and those belonging to universities.    Administrative access to these sites is being sold for as low as $33 to $499 each. 

The hacker is also selling entire databases of personal information stolen from the websites for $20 per thousand records, data that could be used by fraudsters to break into online accounts.

When Is A Malware Event A “Security Breach”?

Recent data breaches at 2 banks underscore what has always been a thorny issue for companies that collect and manage sensitive information:  When does a compromised PC constitute a data breach?

According to ComputerWorld’s Robert McMillan, one bank recently detected traffic destined for an unusual IP address, and discovered a keylogger installed on a company laptop.  It notified 50 customers that their data may have been exposed.  Another bank found that a compromised laptop had been used as a jump-off point for an attacker to access a customer database containing credit card, SSN and other sensitive information.  514 credit cards are being re-issued in that case.

The actions taken by these banks are admirable, and err on the side of caution.  It is not uncommon for companies large and small to detect a malware infection and simply wipe the system, eliminating the symptoms without addressing the potential exposure of their customers’ information or uncovering how and why the attack succeeded.  Forensic examinations are hard work and time consuming.  But so is rebuilding your reputation, and there is the spectre of liability to deal with.  The few incidents that are reported are generally a small percentage of what is actually taking place.

These 2 examples are BANKS.  Banks have large IT and security budgets, and their employees are generally more security aware than those of most businesses.  So, how are these systems getting compromised?  Pure speculation from this point on, but:

  • Both systems noted appear to be transient laptops.  They often leave the comfortable security controls present within the company perimeter.
  • Were they patched against all known Operating System and application vulnerabilities?  Laptops are the hardest systems to keep patched due to their mobility.
  • Anti-virus is pretty common, but so is the practice of granting laptop users admin privileges.  Users with admin rights can interfere with updates and scans, and those same privileges can be used to the attackers’ advantage when installing malware.
  • Web content filtering is one of the controls that is usually in place at a large financial institution, but is probably not present on the home-user LAN or while on the commuter train.  Drive-by web attacks are very common these days.
  • While in transit, it is also possible that the laptop owner used a “free wireless” connection to maintain connectivity.  This is a common and extremely dangerous practice, as you are trusting a middle-man that is providing something for no obvious gain to handle, and potentially capture, all of your communications.
  • The possibility of unapproved software downloads, installations, and even allowing family members to use the equipment could have resulted in a Trojan.
  • There is also the potential that the users themselves were involved or complicit in the installation of the malware.  Unsavory, but not unheard of.

The possibilities are virtually endless.  Be aware of the risks and take reasonable precautions to counter the likely threats in your organization.  In this day and age, any time there is malware that makes any kind of outbound communication attempt, an investigation should be made as to where, why and what was communicated, as well as how the malware got onto the system.  In my humble opinion, if data was moved outside of the company, it should be considered a breach.  These guys made the right call.
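The post argues that any outbound communication attempt by malware deserves an investigation into where, why and what was communicated. The script below is an added example, not code from the post or from either bank: it triages a constructed outbound-connection log, drops destinations inside an assumed known-good allowlist, and builds an investigation queue of unknown destinations with the number of connections and the total bytes that left the host. The log format, the host names, the IP ranges and the allowlist are all assumptions made for the example.

```python
"""Outbound-traffic triage: queue every destination that is not known-good,
with volume and first-seen time, so the 'where' and 'how much' of the post's
investigation step are answered from the log rather than guessed."""
import ipaddress

# Constructed sample log (not from any real incident).
# Format: <timestamp> <src_host> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_LOG = """\
2010-11-02T08:15:01 LAPTOP-17 10.20.5.17 10.20.1.10 445 2048
2010-11-02T08:15:07 LAPTOP-17 10.20.5.17 203.0.113.44 8080 524288
2010-11-02T08:16:02 LAPTOP-17 10.20.5.17 203.0.113.44 8080 1048576
2010-11-02T08:17:30 LAPTOP-17 10.20.5.17 198.51.100.9 443 4096
2010-11-02T08:18:12 DESKTOP-03 10.20.7.3 10.20.1.10 445 512
"""

# Assumed allowlist: the corporate range and one partner range. Anything
# outside these is an "unusual IP address" in the sense the post uses.
KNOWN_GOOD = [ipaddress.ip_network("10.20.0.0/16"),
              ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Split one constructed log line into typed fields."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"unexpected log line: {line!r}")
    ts, src_host, src_ip, dst_ip, dst_port, bytes_out = fields
    return {"ts": ts, "src_host": src_host, "src_ip": src_ip,
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port), "bytes_out": int(bytes_out)}


def is_known_good(ip, known_good):
    return any(ip in net for net in known_good)


def triage(log_text, known_good=KNOWN_GOOD):
    """Return {(src_host, dst_ip): stats} for every destination outside the
    allowlist, totalling bytes sent and connections per host/destination pair."""
    findings = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if is_known_good(rec["dst_ip"], known_good):
            continue
        key = (rec["src_host"], str(rec["dst_ip"]))
        entry = findings.setdefault(key, {"bytes_out": 0, "connections": 0,
                                          "first_seen": rec["ts"], "ports": set()})
        entry["bytes_out"] += rec["bytes_out"]
        entry["connections"] += 1
        entry["ports"].add(rec["dst_port"])
    return findings


def report(findings):
    """Render the investigation queue, largest outbound volume first, so the
    host that moved the most data outside is looked at first."""
    lines = []
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    for (host, dst), e in ordered:
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        lines.append(f"{host} -> {dst} ports={ports} connections={e['connections']} "
                     f"bytes_out={e['bytes_out']} first_seen={e['first_seen']}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print("INVESTIGATE", line)
```

On the constructed log only LAPTOP-17 talking to 203.0.113.44 survives the allowlist, and the queue shows it sent roughly 1.5 MB in two connections; that figure, not the mere presence of malware, is what decides whether customer data may have left and whether the event is treated as a breach.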

There is much more information contained in this interesting article.  Read it and start making Incident Response plans that go beyond the standard “Got malware?  Nuke it!!”: discover what data might have been compromised, and act accordingly.

Stats Canada Security Breaches

Stats Canada is taking some heat from the Toronto Sun today.  “Internal reports obtained through Access to Information reveal a number of incidents in the past five years where the federal information-gathering agency has probed and quietly done damage control on security lapses.”

Recent Examples:

  • OCT. 2010: Purolator envelope containing 11 unencrypted, non-password-protected CDs for the Vital Statistics Program in Alberta addressed to Ottawa head office sent July 9, 2010 is discovered missing. It contains more than 21,000 electronic images of confidential information about individual birth, death, stillbirth and marriage registrations. It is found Nov. 30, 2010 locked in a rarely-used filing cabinet.
  • SEPT. 2009: Stats Can library’s password access protocol constitutes “major security breach.”
  • DEC. 2008: A briefcase with documents and personal notes is stolen from the car of an interviewer from Quebec. Confidential addresses of respondents were included.
  • JULY 2008: An error in transmission meant e-mails of 108 subscribers of Health Reports notifications were “inadvertently revealed” to all recipients of message – constituting a breach of Privacy Act and Stats Can policy.
  • JUNE 2008: Stats Can is informed that on Feb. 12, 2008 Surrey RCMP and Canada Post recovered completed 2006 census questionnaires from a private residence in a bust of a major identity theft ring. Other items included equipment related to credit card/ID theft, drivers’ licences, 3,000 pieces of stolen mail, government-issued cheques, fake currency and more than 100 CDs with thousands of personal data profiles. Census questionnaires were not in the hands of census staff – it is believed they were obtained by tipping mailboxes or break-ins to homes and cars.
  • AUG. 2007: A laptop containing personal information about individuals who participated in the Labour Force Survey or Canadian Community Health Survey is stolen from the residence of an employee in Abbotsford, BC. Password was written on a sticky note stored in laptop case. Police called, affected people are informed and interviewer receives verbal reprimand.
  • JUNE 2007: Laptop with three completed household spending surveys stolen in home break-in in Delta, B.C.
  • MARCH 2007: Edmonton regional office reports two laptop thefts from field interviewers’ vehicles. Staff are reminded about protocol for securing material.
  • MARCH 2007: Privacy Commissioner’s office advised of inadvertent disclosure and loss of personal info after surplus filing cabinets with Records of Employment about 66 2006 census workers were sold at a Crown Assets Auction in Edmonton. Affected individuals are contacted and Stats Can implements more stringent procedures to avoid a recurrence.
  • JULY 2006: Enumerator leaves completed questionnaire instead of blank at Scarborough, Ont. respondent’s home.
  • APRIL 2005: Blank forms faxed to a business include additional pages of confidential information related to two other businesses. Staff receive retraining and posters/notices are displayed as reminders.
  • FEB. 2005: Marketing information collected for one user is reviewed by another user and possibly four other unknown individuals in a Corporations Returns Act survey.
  • FEB. 2005: Laptop being shipped from Williams Lake, B.C. to Edmonton containing 23 Survey of Household Spending cases – including 11 completed ones – goes missing. A flurry of e-mails ensues among senior managers at Stats Can and officials “pester” Canada Post to find the lost item. Confidential statistical info is encrypted. Laptop is found two weeks later.

Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You“, here are some thoughts on detecting data leakage, and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even those that operate legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies; everyone has intellectual property and those special trade secrets.  The opportunities and methods for extracting information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address to a CC list.  Auto-complete is notorious for making this example more common.

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.
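Two of the leak paths above, the wrong address on a CC list filled in by auto-complete and e-mail as the "means" that moves the data, can be checked at the mail gateway before the message leaves. The script below is an added example, not code from the post: it parses a constructed outbound message and flags external recipients on a message that carries a classification marker or an attachment, and separately flags an external address whose local part matches an internal user, the typical auto-complete slip. The internal domain, the internal user directory, the classification markers and the sample message are all assumptions made for the example.

```python
"""Outbound e-mail leak check: flag external recipients on sensitive or
attachment-bearing mail, and external look-alikes of internal addresses."""
import email
from email import policy
from email.utils import getaddresses

# Assumed organisation data (constructed for the example).
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_USERS = {"alice", "bob.jones"}          # local parts from the directory
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")

# Finding reason codes.
AUTOCOMPLETE_MIXUP = "external address with an internal user's name (auto-complete slip?)"
EXTERNAL_SENSITIVE = "external recipient on a message marked sensitive or carrying an attachment"

# Constructed outbound message: one internal and two external recipients,
# a CONFIDENTIAL subject and an attachment. Not a real message.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob.jones@example.com
Cc: bob.jones@example.org, partner@example.net
Subject: Q3 pricing model - CONFIDENTIAL
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the draft.
--b1
Content-Type: application/octet-stream; name="pricing_model.xlsx"
Content-Disposition: attachment; filename="pricing_model.xlsx"

ZmFrZQ==
--b1--
"""


def recipients(msg):
    """All To/Cc/Bcc addresses, lower-cased, in header order."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return [a.lower() for a in addrs if a]


def is_sensitive(msg):
    """True if the subject or the plain-text body carries a classification marker."""
    text = (msg.get("Subject", "") or "").upper()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content().upper()
    return any(marker in text for marker in CLASSIFICATION_MARKERS)


def check_outgoing(raw, internal_domains=INTERNAL_DOMAINS,
                   internal_users=INTERNAL_USERS):
    """Return a list of {"address", "reason"} findings for one outbound message.
    An empty list means the message raises none of the checks here."""
    msg = email.message_from_string(raw, policy=policy.default)
    sensitive = is_sensitive(msg)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    findings = []
    for addr in recipients(msg):
        local, _, domain = addr.rpartition("@")
        if domain in internal_domains:
            continue
        if local in internal_users:
            # Same name as a colleague, different domain: the classic CC slip.
            findings.append({"address": addr, "reason": AUTOCOMPLETE_MIXUP})
        elif sensitive or attachments:
            findings.append({"address": addr, "reason": EXTERNAL_SENSITIVE})
    return findings


if __name__ == "__main__":
    for f in check_outgoing(SAMPLE_MESSAGE):
        print(f"HOLD {f['address']}: {f['reason']}")
```

The look-alike check runs before the sensitivity check on purpose: a colleague's name at an outside domain is worth holding even on an innocuous message, because the sender almost certainly did not mean it. The check is only a net for the accidental case; it reduces the opportunity, it does not remove the means.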


Country of Myanmar DDoS

I skimmed an article on this earlier today, and didn’t pay much attention to it, thinking “eh, some tin-pot in another far-flung dictatorship’s up for “re-election” and wants to insulate the country from the rest of the world so his influence peddling goes unnoticed”.  When my boss comes up to me and asks if I’m aware, I know that I had better be paying attention to more than whether we have an office there or not…

This is certainly a massive DDoS attack, estimated at between 10 – 15 Gigabytes per second of bandwidth being focused on the country’s Ministry of Post and Telecommunication, the main conduit for Internet traffic in and out of the authoritarian nation.  It has effectively cut Internet connectivity in Myanmar, just 3 days before the nation’s first election in 20 years.

Slow connections and occasional outages were being reported for more than a week, but today network traffic was completely halted, according to BBC reports.  Web service providers said outside attackers were to blame, but some residents suspect the military-ruled nation’s government is behind it all.

Britain, the United States and the European Union maintain long standing economic sanctions against Myanmar to pressure the military government to improve human rights and release over 2,000 political prisoners.  Foreign journalists have not been allowed into Myanmar to cover the polls, criticized by the west as a ploy to maintain the military’s control.  British ambassador Andrew Heyn said the vote was a “badly missed opportunity” offering no hope for democratic change.  With increasing tension, the government has canceled voting in 3,400 villages in ethnic areas and has increased its military presence throughout the countryside.

The military has ruled Myanmar, earlier known as Burma, since 1962, and the international community believes  that harsh restrictions on campaigning, the repression of opposition parties and the new constitution reflect the military’s intention to continue its commanding role.

7 Steps to Data Breach Readiness

An interesting article on BreachCenter from May of 2009 that is worth reading, again.  The threat of a data breach is real, if not certain.  Knowing that the threat of a data breach is real, your company needs to be prepared.  Planning ahead is the key to maintaining customer faith, complying with required regulation and ensuring the continuity of your day-to-day business.

Few events can damage a company’s reputation more than losing the personal confidential information entrusted to a business by its customers – a data breach.  Even before factoring in the negative impact to employee morale, business partner relationships and regulatory dialogues, a data breach can be very costly if not handled properly.  Customers have shown a propensity to stop doing business with companies that cannot protect their confidential information, and do not take care of their customers when a breach occurs.

Despite enormous investments in prevention, breaches continue to occur with alarming regularity.  According to the Identity Theft Resource Center (ITRC), in 2008 there were 656 data breaches that exposed over 35 million records, an increase of over 30% from the number of events in 2007.  The trend continues in the same direction.

Clearly prevention efforts are not enough. Companies also need to proactively plan for the worst case scenario that a breach actually occurs. “Breach Readiness” is a state of preparedness where all of the key decision makers have been identified, the key support relationships have been put in place, the applicable legal and regulatory requirements have been assessed, and the plan for action is ready to execute in the unfortunate event that a data breach occurs.

The purpose of the “Seven Steps to Data Breach Readiness” guide is to help organizations get started on the path toward taking care of customers when a data breach occurs.  It helps you to proactively define your organizational roles and responsibilities to avoid redundancy and mistakes by creating your crisis management team ahead of time.  Make sure you are able to fulfill your regulatory reporting by understanding the different requirements across the country.  Allow your company to provide assurance to your customers by being ready to respond, offering them protection services that include easy enrollment and making expert representatives available for counsel.  Avoid costly mistakes by executing a contract with a breach services provider before a breach occurs. Arrange to have your corporate communications plan, pre-drafted customer notification and call center capabilities established, as well as how you will message the event internally to your employees.

Chronology of Data Breaches

The Privacy Clearinghouse maintains a fairly comprehensive list of known data breaches derived mainly from the Open Security Foundation list-serve (offering a free email notification service, too!) which is in turn derived from verifiable media stories, government web sites, or blog posts.  Many breaches (particularly smaller ones) may not be reported at all.  If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere.  This database is updated about twice a week.

TOTAL number of records containing sensitive personal information involved in a breach recorded Jan 2005 to Jan 2009: 342,056,319

For tips on what to do if your personal information has been exposed due to a security breach, read: