22. May 2010 · Identity theft the old-fashioned way · Categories: Breaches

We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report:

Silicon Valley Eyecare Optometry and Contact Lenses
State: California
Approx. # of Individuals Affected: 40,000
Date of Breach: 4/02/10
Type of Breach: Theft
Location of Breached Information: Network Server

An FAQ on the firm's web site says, in part:

What happened?
On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an
outside window to the administrative area of our office at 770 Scott
Boulevard in Santa Clara, CA. Our security cameras show the intruders
coming through the window, confiscating the computer, and pushing the
computer and a plasma TV back out the window of entrance, all within 50
seconds. Our cameras recorded the type of vehicle they were driving. The
alarm system was activated and the police were notified. A full police
report was filed.

What data was stored on the stolen computer server?
The server that was stolen contained our patient data base information.
The patient records contain names, addresses, phone numbers, and in some
cases social security numbers. E-mail addresses, birthdates, family
members, medical insurances as well as medical and ocular health
information were included. No Optomap retinal images were stored on the
system. No credit card information was stored on the system.

Was the information secured?
Yes. There were 3 levels of security in place: physical, technical and
administrative. Physical security consisted of locked doors, an alarm
system to the police office, and surveillance cameras. For technical
security, the data was password protected on two levels: a detailed
password to access the server and a second password to access the
patient data base. Administrative security was in place allowing no
public access to the server.

Is all of my patient data lost?
No. Our patient data base is backed up nightly and an encrypted copy is
stored off-site. We were able to restore our data and retrieve our
patient records.

Note that the off-site backup copy of the data is encrypted, but the on-site copy, the one that was carried out the window, was not. The "two levels" of password protection live in the server's operating system and the database application; once the disk itself is in someone else's hands, neither password has to be entered to read the files.
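The difference between the two copies, as an added example that is not part of the original post or of the practice's systems: a record written to disk as-is can be read by anyone holding the disk, while the same record sealed with AES-256-GCM cannot, and a wrong key fails authentication instead of yielding plaintext. The record, the field names and the key handling are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for one row of a patient
// database; every value is a placeholder, not real data.
const sampleRecord = "name=Jane Doe;dob=1971-03-14;ssn=000-00-0000;insurer=ExampleCare"

// storePlain models the on-site server: logins protect the application,
// but the bytes that reach the disk are the record itself.
func storePlain(record string) []byte {
	return []byte(record)
}

// sealRecord models the off-site copy: AES-256-GCM with a random 12-byte
// nonce. Output layout is nonce || ciphertext || GCM tag.
func sealRecord(key []byte, record string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(record), nil), nil
}

// openRecord reverses sealRecord; a wrong key or a tampered blob fails
// authentication and returns an error rather than garbage plaintext.
func openRecord(key, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// leaksField models what someone holding the bare disk can do without any
// password: search the stored bytes for a field label such as "ssn=".
func leaksField(stored []byte, field string) bool {
	return bytes.Contains(stored, []byte(field+"="))
}

func main() {
	// In production the key would come from a TPM, HSM or key-management
	// service, never from a file on the same server; a random in-memory
	// key is only for this demonstration.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plain := storePlain(sampleRecord)
	sealed, err := sealRecord(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain store leaks ssn:  %v\n", leaksField(plain, "ssn"))
	fmt.Printf("sealed store leaks ssn: %v\n", leaksField(sealed, "ssn"))
	back, err := openRecord(key, sealed)
	fmt.Printf("decrypts with right key: %v (err=%v)\n", back == sampleRecord, err)
	_, err = openRecord(make([]byte, 32), sealed)
	fmt.Printf("decrypts with wrong key: %v\n", err == nil)
}
```

The same result is obtained operationally with full-disk encryption on the server, provided the key is not stored on the same disk; the point is that protection has to follow the data onto the media, not stop at the login prompt.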

22. May 2010 · Heartland settles with MasterCard for $41 million · Categories: Breaches, Legal

DarkReading is reporting:

In a legal settlement over its 2008 security
breach, Heartland Payment Systems has agreed to pay up to $41.4 million
to MasterCard Worldwide and its card issuers to repay operational costs
and fraud losses attributed to the breach.

The article does not state whether this amount is included in the $139 million Heartland said it had set aside in a recent SEC filing. Given how recent the filing was, I would think so. As I posted earlier this month, $139 million is a far cry from the initially expected cost of $12 million.

12. May 2010 · Heartland breach expenses reach $139 million – so far · Categories: Breaches, Legal

Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million.

This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa.

The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in the U.S. rose to $6.75 million. The "per record" cost is averaging $204.

First, while not to invalidate, or even question, the results of this study, I would like to point out that it was sponsored by PGP Corporation (being acquired by Symantec).

Second, I am not a big fan of averages. See "The Flaw of Averages" by Sam Savage of Stanford. The point is that you cannot plug the average into a calculation of your own risk of breach cost, because the distribution is wildly skewed, and Heartland's costs make the point.
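To show what goes wrong when the average is used as a budget, here is an added example, not part of the original post or of the Ponemon study: breach costs are drawn from a right-skewed lognormal model whose mean is pinned to the $6.75 million figure quoted above (the shape parameter `sigma` is an assumption), and the sample is summarised as mean, median, 95th percentile and the share of breaches that exceed the mean. The Heartland comparison uses the $139.4 million and 130 million figures from the post.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"sort"
)

// Figures quoted in the post. sigma is an assumption chosen to give a heavy
// right tail; it is not taken from the study.
const (
	reportedMeanUSD   = 6.75e6 // Ponemon average cost per breach
	reportedPerRecord = 204.0  // Ponemon average cost per record
	heartlandCostUSD  = 139.4e6
	heartlandRecords  = 130e6
	sigma             = 1.2
)

// Summary holds the statistics a risk budget should be checked against.
type Summary struct {
	Mean, Median, P95 float64
	FracAboveMean     float64 // share of breaches that exceed a budget set at the mean
}

// muForMean returns the lognormal location parameter whose distribution has
// the requested mean, using mean = exp(mu + sigma^2/2).
func muForMean(mean, sigma float64) float64 {
	return math.Log(mean) - sigma*sigma/2
}

// simulate draws n breach costs from the model and summarises them.
func simulate(n int, seed int64) Summary {
	r := rand.New(rand.NewSource(seed))
	mu := muForMean(reportedMeanUSD, sigma)
	costs := make([]float64, n)
	sum := 0.0
	for i := range costs {
		costs[i] = math.Exp(mu + sigma*r.NormFloat64())
		sum += costs[i]
	}
	sort.Float64s(costs)
	mean := sum / float64(n)
	above := 0
	for _, c := range costs {
		if c > mean {
			above++
		}
	}
	return Summary{
		Mean:          mean,
		Median:        costs[n/2],
		P95:           costs[int(0.95*float64(n))],
		FracAboveMean: float64(above) / float64(n),
	}
}

// perRecord is Heartland's cost per record so far, for comparison with the
// survey's per-record average.
func perRecord(totalUSD, records float64) float64 {
	return totalUSD / records
}

// projectedFromAverage is what the survey's per-record average would have
// predicted for a breach of the given size.
func projectedFromAverage(records float64) float64 {
	return reportedPerRecord * records
}

func main() {
	s := simulate(200000, 1)
	fmt.Printf("mean   $%.2fM\n", s.Mean/1e6)
	fmt.Printf("median $%.2fM\n", s.Median/1e6)
	fmt.Printf("p95    $%.2fM  (%.1fx the mean)\n", s.P95/1e6, s.P95/s.Mean)
	fmt.Printf("share of breaches costing more than the mean: %.0f%%\n", 100*s.FracAboveMean)
	fmt.Printf("Heartland: $%.2f per record vs survey average $%.0f\n",
		perRecord(heartlandCostUSD, heartlandRecords), reportedPerRecord)
	fmt.Printf("survey average applied to 130M records: $%.1fB\n",
		projectedFromAverage(heartlandRecords)/1e9)
}
```

With this shape the median breach costs about half the mean, roughly a quarter of breaches exceed a budget set at the mean, and the 95th percentile is about three and a half times it. Applying $204 per record to 130 million records predicts tens of billions of dollars, while Heartland's actual cost so far works out to about a dollar per record: neither direction of the average survives contact with a single large breach.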

10. May 2010 · Facebook board member's account hacked – used for phishing attack · Categories: Breaches, Phishing, Privacy

From PEHub:

Sunday morning, some of the 2,301 Facebook friends of venture
capitalist and Facebook board member Jim Breyer received a message from
him, through Facebook. “Would You Like a Facebook Phone Number?” it
asked, presenting a link to “see more details and RSVP.”

While no one would be surprised by a service that allowed users to
call friends from their Facebook accounts, the message was a hack. “This
was a phishing scam and Jim’s account appears to have been
compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The
issue has since been resolved and we’re actively trying to block this

Breyer, a partner at Accel Partners, didn’t respond to questions
relating to the message.

At this point Facebook has offered no detailed explanation of how this happened or what steps it is taking to reduce the likelihood of it happening again. Compare Facebook's approach to this breach with Apache's approach to their recent breach, which I wrote about here.

Given Facebook's approach to privacy, I doubt anyone is surprised.

28. April 2010 · Blippy's security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, lax attitude toward protecting the site's users up to this point.

I like their Rules page. Its intent is to inform Blippy users of "Inappropriate Content and Use of Blippy." However, if I were considering signing up for Blippy, I might read some of them instead as the risks of using Blippy. Here are examples:

Impersonation: You may not impersonate others through our
services in a manner that does or is intended to mislead, confuse,
deceive, or harass others.

Serial Accounts: You may not create serial accounts or
relationships in order to evade the block tools or to otherwise disrupt
the Services.

Name Squatting: You may not engage in name-squatting (creating
accounts for the purpose of preventing others from using those account
names or for the purpose of selling those accounts). Accounts that are
inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content
that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link
to malicious content intended to damage or disrupt another user's
browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a
variety of ways for users to interact with one another. You may not
abuse these tools for the purpose of spamming users. Some of the
behaviors we look at when determining whether an account is spamming:

  • The user has followed and unfollowed people in a short time
    period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

26. April 2010 · 47 health care provider breaches between 9/22/09 and 2/15/10 · Categories: Breaches, Health Care, HIPAA

Health Data Management Magazine's May issue notes that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breaches of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010.

The criterion for posting is that at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today, seven more breaches had been posted.

Unfortunately the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the latest one on the list (as of 4/26/10): 

Tomah Memorial Hospital
State: Wisconsin
Approx. # of Individuals Affected: 600
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Other

While creating this "wall of shame" has some value, posting more details would surely be more valuable to all health care provider security practitioners.

25. April 2010 · Aurora – Why was Gmail China's Target? · Categories: Breaches, Privacy

Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service. I wrote about Aurora here and here. However, the question remains: why Gmail and not Yahoo or Microsoft's free email service?

Perhaps it's because only Gmail offers SSL encryption, which prevents anyone sniffing the wire from reading the emails. Because the other free email services don't offer SSL, their messages can simply be read off the wire.

End users who have some level of security consciousness gravitate to Gmail. And if you want to read messages on Gmail, you have no choice but to hack the service itself as you are not going to crack SSL.

17. April 2010 · Apache infrastructure breach analysis is a model of forthrightness and a learning experience · Categories: Breaches

Last week, the Apache infrastructure team disclosed a breach of their issue tracking software in which an XSS exploit led to root access, which in turn led to compromised passwords. What makes it interesting is the level of detail they provided about the breach: which security policies worked, which did not, and what they are changing to reduce the risk of another such breach. No attempt at security by obscurity here. McAfee Labs did a nice blog post on it.

Do you think the use of Apache is going to go up or down? IMHO, the breach will have no effect or might actually increase Apache usage. The reality is that all organizations have breaches regularly. Sharing detailed information like this helps us improve our security.

BTW, if your organization is not experiencing breaches, it's due to lack of visibility.

26. March 2010 · HSBC database breach highlights need for better database security · Categories: Breaches, Database Activity Monitoring

Dark Reading is reporting that more details are emerging about the HSBC database breach; it now appears that data on 25% of HSBC's private clients' accounts was stolen by a "privileged" user.

Click on the Database Activity Monitoring Category on the right for my other posts about the need for Database Activity Monitoring.
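What a Database Activity Monitoring rule set looks at when a privileged account pulls a quarter of a client table, as an added example that is not part of the original post and has nothing to do with HSBC's actual systems: a handful of constructed audit-log lines in a simple key=value layout are parsed and run through rules for unfiltered reads of a sensitive database, oversized result sets and bulk export to file, with the account's privilege and the time of day raising severity once something already looks wrong. The log format, user names, database name, row counts and thresholds are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog is a constructed audit trail; users, database and row counts are invented.
var sampleLog = []string{
	`2010-03-20T09:12:01Z user=app_svc db=private_clients stmt="SELECT name, phone FROM clients WHERE id = 4411" rows=1`,
	`2010-03-20T09:12:05Z user=app_svc db=private_clients stmt="UPDATE clients SET phone = ? WHERE id = 4411" rows=1`,
	`2010-03-20T02:14:07Z user=dba_admin db=private_clients stmt="SELECT * FROM clients" rows=31250`,
	`2010-03-20T14:30:11Z user=dba_admin db=private_clients stmt="SELECT count(*) FROM clients" rows=1`,
	`2010-03-21T03:02:44Z user=dba_admin db=private_clients stmt="SELECT * FROM clients INTO OUTFILE '/tmp/export.csv'" rows=125000`,
}

// Event is one parsed audit record.
type Event struct {
	Time, User, DB, Stmt string
	Rows                 int
}

// Policy is the monitoring rule set; the defaults below are assumptions.
type Policy struct {
	Privileged map[string]bool // accounts that bypass application-level access control
	Sensitive  map[string]bool // databases holding client data
	MaxRows    int             // rows one statement may return before alerting
	DayStart   int             // business hours: inclusive start hour (UTC in the sample)
	DayEnd     int             // exclusive end hour
}

func defaultPolicy() Policy {
	return Policy{
		Privileged: map[string]bool{"dba_admin": true},
		Sensitive:  map[string]bool{"private_clients": true},
		MaxRows:    1000, DayStart: 7, DayEnd: 20,
	}
}

var lineRe = regexp.MustCompile(`^(\S+) user=(\S+) db=(\S+) stmt="([^"]*)" rows=(\d+)$`)

// parseLine extracts an Event; a malformed line is an error, not silently dropped.
func parseLine(line string) (Event, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("unparseable audit line: %q", line)
	}
	rows, err := strconv.Atoi(m[5])
	if err != nil {
		return Event{}, err
	}
	return Event{Time: m[1], User: m[2], DB: m[3], Stmt: m[4], Rows: rows}, nil
}

// evaluate returns the reasons an event should be alerted on; nil means benign.
func evaluate(e Event, p Policy) []string {
	var reasons []string
	upper := strings.ToUpper(e.Stmt)
	isSelect := strings.HasPrefix(upper, "SELECT")
	if p.Sensitive[e.DB] && isSelect && !strings.Contains(upper, " WHERE ") && e.Rows > 1 {
		reasons = append(reasons, "unfiltered SELECT against sensitive database")
	}
	if e.Rows > p.MaxRows {
		reasons = append(reasons, fmt.Sprintf("%d rows returned, limit %d", e.Rows, p.MaxRows))
	}
	if strings.Contains(upper, "INTO OUTFILE") || strings.Contains(upper, "INTO DUMPFILE") {
		reasons = append(reasons, "bulk export to file")
	}
	if len(reasons) == 0 {
		return nil
	}
	// Context that raises severity once a rule has already fired.
	if p.Privileged[e.User] {
		reasons = append(reasons, "issued by privileged account")
	}
	if len(e.Time) >= 13 {
		if hour, err := strconv.Atoi(e.Time[11:13]); err == nil && (hour < p.DayStart || hour >= p.DayEnd) {
			reasons = append(reasons, "outside business hours")
		}
	}
	return reasons
}

// scan applies the policy to raw lines and returns alerts keyed by line index.
func scan(lines []string, p Policy) map[int][]string {
	alerts := map[int][]string{}
	for i, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			alerts[i] = []string{err.Error()}
			continue
		}
		if r := evaluate(e, p); len(r) > 0 {
			alerts[i] = r
		}
	}
	return alerts
}

func main() {
	for i, reasons := range scan(sampleLog, defaultPolicy()) {
		fmt.Printf("ALERT line %d: %s\n", i, strings.Join(reasons, "; "))
	}
}
```

The application account's row-at-a-time queries pass, the DBA's `count(*)` passes because it returns one row, and the two table-wide reads by the DBA are flagged on several rules at once. A real DAM deployment would add a per-account baseline so that the threshold is "far above this account's normal volume" rather than a fixed number, and would feed the alert to someone who is not the DBA.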

26. March 2010 · TJX hacker sentenced to 20-year prison term · Categories: Breaches, Legal

The IDG News Service is reporting:

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S.
District Court to two concurrent 20-year stints in prison for his role
in what prosecutors called the "unparalleled" theft of millions of
credit card numbers from major U.S. retailers.

The retailers who suffered breaches were TJX, Office Max, DSW, and Dave & Buster's. Gonzalez was also involved in the well known breaches at Heartland Payment Systems, Hannaford Supermarkets and 7-Eleven chains.

I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:

  • The percentage of cyber criminals who are caught is very low.
  • Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.

Read more of the details here.