Cymbel is an Information Technology Solutions Provider, 100% focused on security and compliance. We help organizations rethink and re-implement defense-in-depth in response to changes in business needs, technology, threats, compliance requirements, and the economy. Benefits include:
- Reduced IT Security risks
- Reduced costs of meeting compliance requirements
- Reduced IT Operations costs
- Increased IT Service availability and performance
- Improved IT alignment with business needs
We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report:
Silicon Valley Eyecare Optometry and Contact Lenses
Approx. # of Individuals Affected: 40,000
Date of Breach: 4/02/10
Type of Breach: Theft
Location of Breached Information: Network Server
An FAQ on the firm’s web site says, in part:
On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an outside window to the administrative area of our office at 770 Scott Boulevard in Santa Clara, CA. Our security cameras show the intruders coming through the window, confiscating the computer, and pushing the computer and a plasma TV back out the window of entrance, all within 50 seconds. Our cameras recorded the type of vehicle they were driving. The alarm system was activated and the police were notified. A full police report was filed.
What data was stored on the stolen computer server?
The server that was stolen contained our patient data base information. The patient records contain names, addresses, phone numbers, and in some cases social security numbers. E-mail addresses, birthdates, family members, medical insurances, as well as medical and ocular health information were included. No Optomap retinal images were stored on the system. No credit card information was stored on the system.
Was the information secured?
Yes. There were 3 levels of security in place: physical, technical and administrative. Physical security consisted of locked doors, an alarm system to the police office, and surveillance cameras. For technical security, the data was password protected on two levels: a detailed password to access the server and a second password to access the patient data base. Administrative security was in place allowing no public access to the server.
Is all of my patient data lost?
No. Our patient data base is backed up nightly and an encrypted copy is stored off-site. We were able to restore our data and retrieve our
Note that the off-site backup copy of the data is encrypted but the on-site version was not.
DarkReading is reporting:
In a legal settlement over its 2008 security breach, Heartland Payment Systems has agreed to pay up to $41.4 million to MasterCard Worldwide and its card issuers to repay operational costs and fraud losses attributed to the breach.
The article does not state whether this is included in the $139 million they said they set aside in a recent SEC filing. Given that the filing was recent, I would think, yes. As I posted earlier this month, $139 million is a far cry from the initial expected costs of $12 million.
The Phoenix New Times (via Wired) is reporting that LifeLock's CEO Todd Davis's identity was stolen 13 times. That's 12 more than had been previously reported. The question is, whose fault is it?
Clearly from a security perspective, it's not a good idea to display your Social Security Number on billboards and TV advertisements. However, from a marketing perspective it was brilliant. The actual dollar amounts lost due to these identity theft incidents were low. If those costs were simply written off as marketing expenses, it was a good deal for Todd Davis.
On the other hand, the legal expenses LifeLock has incurred are a different matter. I am not sure if the $12 million in legal judgments could also be simply written off as marketing expenses. I previously wrote about the $11 million and $1 million judgments against LifeLock here.
LifeLock's identity theft protection is really limited to automatically posting "Initial Fraud Alerts" with the three consumer credit agencies, Equifax, Experian, and Trans Union.
The actual FTC complaint, in section 18 details the limitations of an "Initial Alert." In other words, there are many ways you can still suffer an identity theft attack with an Initial Alert turned on with all three consumer reporting agencies. Many of these are due to third parties not exercising the due diligence they should.
To my knowledge, only Equifax provides a service that actually enables you to LOCK your account. However, locking is not the silver bullet either as there are forms of identity theft that can be perpetrated without accessing your credit report. And since you can only lock Equifax, you are still vulnerable to Experian or TransUnion being abused. Finally, even if Experian and TransUnion added an easy locking process similar to Equifax's, you would have to pay fees to them as well.
Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million.
This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa.
The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in the U.S. rose to $6.75 million. The "per record" cost is averaging $204.
First, without wishing to invalidate, or even question, the results of this study, I would like to point out that it was sponsored by PGP Corporation (being acquired by Symantec).
Second, I am not a big fan of averages. See the Flaw of Averages by Sam Savage of Stanford. The point being that you cannot use the average when calculating your risk of the cost of a breach. And Heartland's costs make the point.
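As an added illustration of the Flaw of Averages argument (not from the original post or from Savage's work): a closed-form lognormal model of breach cost, in which the median and 95th-percentile inputs are constructed assumptions, while the $12 million reserve and $139.4 million actual are the Heartland figures quoted above.

```python
# Added example: why a reserve set at the "average" breach cost is not a risk
# figure. Breach costs are modelled as lognormal (an assumption made here,
# chosen because such costs are right-skewed with a long tail); the median
# and 95th-percentile inputs are constructed, not measured.
import math

Z95 = 1.6448536269514722  # standard-normal 95th percentile


def lognormal_params(median, p95):
    """Fit (mu, sigma) of a lognormal from its median and 95th percentile."""
    mu = math.log(median)
    sigma = (math.log(p95) - mu) / Z95
    return mu, sigma


def mean_cost(mu, sigma):
    """The arithmetic average E[X] = exp(mu + sigma^2 / 2)."""
    return math.exp(mu + sigma ** 2 / 2)


def prob_exceeds(reserve, mu, sigma):
    """P(cost > reserve) for the fitted lognormal, via the normal tail."""
    z = (math.log(reserve) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2))


def reserve_report(median, p95, reserve, actual):
    """Compare a reserve with the average and show the tail risk each leaves."""
    mu, sigma = lognormal_params(median, p95)
    avg = mean_cost(mu, sigma)
    return {
        "average": avg,
        "p_exceed_reserve": prob_exceeds(reserve, mu, sigma),
        "p_exceed_average": prob_exceeds(avg, mu, sigma),
        "p_exceed_actual": prob_exceeds(actual, mu, sigma),
    }


if __name__ == "__main__":
    # Constructed inputs: median $1M, one breach in twenty above $50M.
    # Reserve and actual are the Heartland figures from the post.
    r = reserve_report(1e6, 50e6, reserve=12e6, actual=139.4e6)
    print(f"average cost      : ${r['average']:,.0f}")
    for key in ("p_exceed_reserve", "p_exceed_average", "p_exceed_actual"):
        print(f"{key:<18}: {r[key]:.3f}")
```

With these inputs the average is roughly $17M, yet a reserve equal to that average is still exceeded about one time in eight, and the Heartland outcome sits around the 98th percentile rather than anywhere near the mean.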
Researchers at matousec.com, a security research and consulting group, released a paper describing a vulnerability in the way that anti-virus vendors integrate their products with Windows via the System Service Descriptor Table (SSDT). They also built code that exploits this vulnerability, enabling them to bypass these anti-virus programs. The Register has a good summary.
My first reaction is "so what?" Anti-virus programs have become almost irrelevant as the primary attack vector has shifted to browser-based applications. On the other hand, this vulnerability could lead to a resurgence of more direct viruses.
Second, how and how quickly will Microsoft and the anti-virus vendors react?
Third, what are the implications for Intel's vPro technology?
Fourth, is there an anti-virus vendor out there that does not use SSDT to integrate with Windows?
Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”
While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to block this
Breyer, a partner at Accel Partners, didn’t respond to questions relating to the message.
At this point there has been no detailed explanation from Facebook explaining how this happened and what steps they are taking to reduce the likelihood of it happening again. Compare Facebook's approach to this breach to Apache's approach to their recent breach which I wrote about here.
Given Facebook's approach to privacy, I doubt anyone is surprised.
Adobe Flash Player 10.1 will make "its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machines," according to an article in Dark Reading. The side effect is that Flash's Local Storage, which e-commerce sites have been using to store machine IDs without the user's consent or knowledge, will no longer be a viable machine authentication method.
This is actually good news because e-commerce sites will be forced to use technology designed specifically for authentication rather than relying on this Adobe externality.