19. January 2011 · Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security · Categories: blog

Detailed update on the upcoming Experi-Metal vs. Comerica trial. In brief, Experi-Metal is suing its bank, Comerica, for money ($560,000) it lost due to fraudulent wire transfers that resulted from a security breach.

The bank, Comerica, claims that the loss is entirely Experi-Metal's fault, while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering that Experi-Metal had done only two wire transfers in the two years prior to this incident.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.

This case and other similar ones are putting pressure on small and mid-size banks, and the outsourcers who provide transaction processing services to them, to strengthen their security posture.

… more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.

When the costs of improving security posture are lower than the risk-weighted costs of a breach, then these banks will move. I do not mean to appear overly cynical here. It’s the banks’ fiduciary responsibility to move only when the risk analysis scale tips in favor of improving security. That’s what makes this trial so interesting.
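The profiling the quoted article calls for is a per-customer baseline: Experi-Metal's two wires in two years make a burst of requests inside a few hours, to destinations the account has never used, stand out. This added example (not code from Krebs, Comerica or Experi-Metal) implements that check in Python over a constructed wire log; the account names, amounts and destination countries are invented, and the thresholds are assumptions to be tuned per institution.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Wire:
    account: str
    ts: datetime
    amount: float
    dest_country: str

def build_sample_log():
    """Constructed data: a low-activity account with two wires in two years followed
    by a burst within a few hours, plus a high-volume account with a steady routine."""
    rows = [("ACME-1", "2008-03-12T10:15:00", 18500.0, "US"),
            ("ACME-1", "2009-07-30T14:02:00", 22000.0, "US"),
            ("ACME-1", "2010-01-22T07:30:00", 39500.0, "RU"),
            ("ACME-1", "2010-01-22T07:41:00", 41000.0, "EE"),
            ("ACME-1", "2010-01-22T07:55:00", 38750.0, "RU"),
            ("ACME-1", "2010-01-22T08:10:00", 44200.0, "RU")]
    start = datetime(2009, 11, 1)
    for day in range(60):                       # four wires every morning for 60 days
        for hour in (9, 10, 11, 12):
            ts = start + timedelta(days=day, hours=hour)
            rows.append(("BIGCO-7", ts.isoformat(), 9000.0, "US"))
    return [Wire(a, datetime.fromisoformat(t), amt, c) for a, t, amt, c in rows]

def find_anomalies(wires, window=timedelta(hours=4), baseline=timedelta(days=730),
                   min_burst=3, ratio=10.0):
    """Flag a wire when it completes a burst of >= min_burst requests inside `window`
    that exceeds `ratio` times the count this account's own history predicts for such
    a window, or when it targets a destination country the account has never used."""
    by_account = defaultdict(list)
    for w in wires:
        by_account[w.account].append(w)
    alerts = []
    for account, ws in by_account.items():
        ws.sort(key=lambda x: x.ts)
        seen_countries = set()
        for i, w in enumerate(ws):
            history = [h for h in ws[:i] if w.ts - h.ts <= baseline]
            in_window = [h for h in ws[:i + 1] if w.ts - h.ts <= window]
            reasons = []
            if history:
                span = max(w.ts - history[0].ts, window)   # rate over observed history
                expected = len(history) * (window / span)  # wires expected in one window
                if len(in_window) >= min_burst and len(in_window) > ratio * expected:
                    reasons.append(f"{len(in_window)} wires in {window}, expected {expected:.3f}")
                if w.dest_country not in seen_countries:
                    reasons.append(f"first wire to {w.dest_country}")
            seen_countries.add(w.dest_country)
            if reasons:
                alerts.append((account, w.ts.isoformat(), "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_sample_log()):
        print(*alert, sep=" | ")
```

The steady high-volume account never trips the velocity rule because its expected count is derived from its own history, which is the property that lets the same rule serve both kinds of customer.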

17. October 2010 · Recent Higher Education Security Incidents · Categories: Breach

Here are four recent security incidents which were serious enough to require public notification. Thanks to Adam Dodge at Educational Security Incidents.

University of Florida web site contains former student social security numbers

Four Ohio State University breaches in 2010 expose personal information

Virus at Oklahoma State health services center exposes patient information

High Point University misuses student credit card information

BTW, Cymbel is an approved Massachusetts Higher Education Consortium vendor.

22. May 2010 · Identity theft the old-fashioned way · Categories: Breaches

We are constantly amazed at the new levels of creativity criminals apply to achieve their goals. However, sometimes the old-fashioned approaches work just as well. From the Office of Inadequate Security comes this report:

Silicon Valley Eyecare Optometry and Contact Lenses
State: California
Approx. # of Individuals Affected: 40,000
Date of Breach: 4/02/10
Type of Breach: Theft
Location of Breached Information: Network Server

An FAQ on the firm’s web site says, in part:

What happened?
On Friday morning April 2, 2010 at 5:30 a.m., two burglars broke an outside window to the administrative area of our office at 770 Scott Boulevard in Santa Clara, CA. Our security cameras show the intruders coming through the window, confiscating the computer, and pushing the computer and a plasma TV back out the window of entrance, all within 50 seconds. Our cameras recorded the type of vehicle they were driving. The alarm system was activated and the police were notified. A full police report was filed.

What data was stored on the stolen computer server?
The server that was stolen contained our patient data base information. The patient records contain names, addresses, phone numbers, and in some cases social security numbers. E-mail addresses, birthdates, family members, medical insurances as well as medical and ocular health information were included. No Optomap retinal images were stored on the system. No credit card information was stored on the system.

Was the information secured?
Yes. There were 3 levels of security in place: physical, technical and administrative. Physical security consisted of locked doors, an alarm system to the police office, and surveillance cameras. For technical security, the data was password protected on two levels: a detailed password to access the server and a second password to access the patient data base. Administrative security was in place allowing no public access to the server.

Is all of my patient data lost?
No. Our patient data base is backed up nightly and an encrypted copy is stored off-site. We were able to restore our data and retrieve our patient records.

Note that the off-site backup copy of the data is encrypted but the on-site version was not.

28. April 2010 · Blippy’s security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy." However, if I were considering signing up for Blippy, I might consider some of them to be risks of using Blippy. Here are examples:

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting: You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user's browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

16. January 2010 · Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a relatively new type of attack called "advanced persistent threats" (APT), which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

Gunter Ollman, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of default HTTPS access for Gmail.

Indeed, the threat landscape has changed.
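Ollman's "tether" is observable on the defender's side of the wire: a compromised host that must keep checking in with its controller produces outbound connections with far more regular timing than a person browsing. This added example (not code from Damballa, Google or this blog) scores per-host, per-destination connection timing in a constructed proxy log excerpt; the IP addresses, host names (under the reserved `.invalid` TLD) and thresholds are invented assumptions, and real implants that randomize their sleep interval would require a looser `max_cv` or additional signals.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log format (not a real product's format): "<iso time> <src ip> <dest host> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def build_sample_log():
    """Constructed traffic: one host checking in roughly every 300 s with small jitter
    and fixed-size requests, and one host browsing a news site with irregular gaps."""
    lines = []
    t0 = datetime(2010, 1, 13, 9, 0, 0)
    t = t0
    for jitter in (0, 4, -3, 2, -5, 1, 3, -2, 0, 5, -4, 2):
        t += timedelta(seconds=300 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.25 update-check.example.invalid 412")
    t = t0
    for gap, size in zip((1, 2, 45, 3, 1, 600, 2, 1, 1, 120, 7, 2),
                         (8210, 1200, 45800, 3300, 900, 22100, 650, 17000, 1900, 30500, 2800, 5100)):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.31 news.example.invalid {size}")
    return lines

def find_beacons(lines, min_hits=8, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv is the coefficient of variation (population std dev / mean) of the gaps;
    a low cv with enough hits is the periodic check-in signature of a CnC tether."""
    by_pair = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip malformed lines rather than crash
        ts, src, dst, _size = m.groups()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    results = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue                         # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "hits": len(times),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return results

if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

Once a pair is flagged, breaking the tether at the egress (blocking or sinkholing the destination) is the control Ollman describes; the detection above is only the first step.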

10. January 2010 · Heartland to pay Visa up to $60 million for its 130 million credit card data breach in 2008 · Categories: Breaches, Legal

Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa issuing banks for its 2008 breach of data on over 130 million credit cards. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."

A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.

Recently, credit card issuing credit unions and their insurance company lost a lawsuit they filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred as a result of BJ's 2004 breach. The key difference with this settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.

The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.

03. January 2010 · BJ’s Wholesale Club and acquiring bank not liable for third party expenses resulting from the 2004 breach · Categories: Breaches, Legal

In mid-December, the Massachusetts Supreme Court affirmed the earlier dismissal of the case against BJ's Wholesale Club and its acquiring bank filed by credit card issuing credit unions and their insurance company for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.

The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, “This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ’s) … and is not for the benefit of, and may not be enforced by, any third party.”

The court is saying that an agreement, in this case, between two parties (merchant and acquiring bank) that is well understood by the court to be part of an overall process (credit card transactions) that includes two other specific third parties (credit card issuing banks and their customers, the credit card holders) can simply agree that the benefit of their agreement does not include these other two third parties.

The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.

Or perhaps there is an understanding by issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses due to fraudulent transactions.

Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.

Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.

In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.

28. December 2009 · Heartland pays AmEx $3.6 million for 2008 breach · Categories: Breaches, Legal

Let the payments begin. Heartland Payment Systems settled the lawsuit brought by American Express due to Heartland's 2008 breach of 130 million credit cards (which I wrote about here) for $3.6 million. There are still many more lawsuits outstanding including Visa and MasterCard which no doubt represent the majority of the credit cards stolen.

The article quotes Heartland CEO, Bob Carr, as saying that Heartland "has set aside $12.6 million to charges related to the hack." I find this number to be a gross underestimation considering that TJX believes its breach will cost $250 million as reported here, here, and here.

24. November 2009 · Massive T-Mobile UK trade secret theft perpetrated by insider · Categories: Breaches, Data Loss Prevention, Trade Secrets Theft

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. These customer records which included contract expiration dates were sold to T-Mobile competitors or third party brokers who "cold called" the T-Mobile customers when their contracts were about to expire to get them to convert.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data…"

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of Risk – Threat, Asset Value, Likelihood and Economic Loss – in the context of trade secret theft.

The overall Threat is increasing as the specific methods of theft of digital Assets constantly evolve. Economic Loss, depending on the Value of the trade secret Asset, can range from significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the Likelihood of theft of any trade secret in digital form could ever be rated as low. Unfortunately we do not have well accepted quantitative metrics for measuring the degree to which administrative and technical controls can reduce Likelihood.

Therefore trade secret theft risk mitigation is really a continuous process rather than a one time effort. New threats are always appearing. New administrative and technical controls must constantly be reviewed and, where appropriate, implemented in order to minimize the risk of trade secret theft.

30. September 2009 · Popular social news site infected with XSS exploit · Categories: Application Security, Breaches, Malware, Secure Browsing

The popular social news site Reddit was breached with an XSS exploit. Of course, the article does not indicate what, if any, protection methods Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (which I previously posted about) as a reference.