Wednesday, August 27, 2008

ITRC reports record volume of data breaches in 2008

Almost 450 businesses and government agencies have reported losing consumer identification data so far in 2008, according to the Identity Theft Resource Center of San Diego (“ITRC”). Some 127 million consumer records were compromised, but 90 million of those belonged to one company, the retail chain T.J. Maxx. The number of breaches already exceeds the total reported for all of 2007, and it is still August!

The story by Brian Krebs in the Aug. 26 Washington Post, “Data Breaches Have Surpassed Level for All of ’07, Report Finds,” is here. The ITRC press release (dated Aug. 22) is here.

Needless to say, the continual reports of businesses losing consumer data will affect work habits. Employers will have to be much stricter about letting workers take work home (whether laptops, diskettes or printouts), probably with sign-out procedures, and even about leaving production material around in open spaces at work. The security of Internet connections (including firewalls) for telecommuters will become a bigger issue.

Reporter Brian Krebs is well known for his “Security Fix” blog at The Washington Post.

Friday, August 22, 2008

Consumer Reports discusses government compromise of individual identity

The September 2008 issue of Consumer Reports has an article on how government leaks personal information. The story is titled “ID Leaks: A Surprising Source Is Your Government at Work,” link here. You may need an online subscription or hard copy to see all the content.

The worst federal government offender is the Veterans Administration, but the IRS and TSA also make the list. Often the problem is lost laptops or disks. Local and state governments, including Ohio and the City of Savannah, have been culpable of publishing Social Security numbers and other compromising information; 28% of counties displayed Social Security numbers on the Internet. CR warns, “you have no right to be notified if someone is using your SSN under another name.” Astonishing!

What do libertarians say? “Government doesn’t work.”

Sunday, August 17, 2008

Novelist Jeffery Deaver weighs in on "consumer identity protection"

Parade, the magazine insert in many Sunday newspapers, has an article today (Aug. 17) by novelist Jeffery Deaver, “The Case of the Stolen Identity,” link here. He organizes his advice around the acronym “SCAM” and also recommends buying and using a shredder to defeat dumpster diving. I still wonder why we have stooped to the point where we don’t expect our financial institutions to be more careful, yet expect private individuals to spend the time and expense of protecting themselves and their families.

Deaver gives a personal account of a credit card that was lost during a move and then generated bogus charges. He got the charges reversed, but it took the credit reporting companies’ computers a year to clear his credit. In the meantime he found himself paying cash deposits for utility hookups and locked out of mortgages and home-equity loans, because of the wrongdoing of others, not his own.

He says that 9 million people a year are victims of identity theft, at an annual cost to the national economy of $50 billion. He describes some of the more “brazen” forms the crime takes. In his latest thriller, The Broken Window (apparently still in process, because I don’t see it on Amazon yet), an identity thief frames his victims for his murders. People have been falsely prosecuted for crimes committed by others in their names, and the possibility grows with certain issues on the Internet; it apparently has already happened in some illegal-download cases. In Arizona, a teenager was accused in late 2006 of uploading c.p. that may have been placed on his family computer by hackers, although the facts of the case are murky. I covered this story on my Internet safety blog on Feb. 3, 2007, link here.

Deaver, with tongue in cheek, urges the public to forward Nigerian scam emails to him so he can dole out the proceeds.

Monday, August 11, 2008

San Francisco's city systems and records compromised by one dishonest employee

Now, local governments are finding that they have to take background checks seriously for the people they hire to administer their networks. In San Francisco, a network administrator (Terry Childs, 43) locked the city out of its own systems (for police, payroll, courts) and only gave up the password, from jail, after several days. It was unclear what his motive could have been, other than to “prove something.” He had turned the whole municipal network into a “private network.”

The trustworthiness of the employees who run such systems is becoming a critical issue. Background checks need to be run across state lines, with formal procedures (not just Internet “reputation”). This particular employee had a prison record.

The story, on p. A3 of the Washington Post, is by Ashley Surdin and is titled “San Francisco Case Shows Vulnerability of Data Networks: Arrest Spurs Other Cities to Boost Security,” link here.

But The San Francisco Chronicle has a curious story by Jaxon Van Derbeken, “S.F. computer tech had turned life around,” from July 27, 2008, here.

It’s not clear what the City can do to monitor or protect the credit records of its employees, or of the city residents who have any interaction with the City (almost everyone).

Sunday, August 10, 2008

Please: understand these news stories with the "right" perspective

I want to reiterate my original purpose in starting this particular (generally small) blog. That was to suggest that a system be developed for financial institutions and other businesses to verify customer identity, and that due diligence procedures that businesses should follow be developed. I first placed this proposal on this blog on June 6, 2006, and then moved it to the entry of September 25, 2006 (the archive links on the left may be followed to find these).

The media is constantly reporting incidents in which large businesses and government agencies compromise consumer security. This is a developing issue with many components. For example, local governments used to publish many public records, and other material containing personal data, openly on the Internet; many of them have stopped this practice to protect consumers. Businesses have allowed employees to take work home on laptops and have used live consumer production data for quality assurance testing of system upgrades; obviously, many practices in the way systems people and other employees work with live data have had to be changed and restricted. When I was working in a mainframe IT shop in the 1990s, there was much less attention to the physical security of copies of data, because this sort of problem had not become public yet. (Even so, a Merrill Lynch credit card of mine was compromised with bogus telephone charges from Canada in 1995; fortunately the problem was cleared and the money refunded, but not without three hours of my time.)

The media is also constantly warning consumers to “be very afraid.” Most of the time, the consequences of a data compromise are limited to credit reports and to bogus charges that can be reversed, or to bank accounts that can be restored. But sometimes there is real harm, and in a few cases people have been wrongfully prosecuted after their identities were taken. I think I have to sound like CNN’s Lou Dobbs on this one. There is no reason why we cannot expect our financial institutions and vendors to be more careful and to practice more due diligence with consumer data. We can develop new systems to help banks and vendors do this. That is one of the ideas this blog is all about.

When making a proposal like this, one has to account for all the known vulnerabilities. Part of systems analysis is to write up all the “business requirements” and for consumer protection, it’s necessary to catalog all the ways consumers become vulnerable. In the past, documentation of proposed system requirements stayed within an organization, often as proprietary information. That would be true now. However, if an individual wants to propose this idea in a public forum and make it public, to attract money later, the speaker will need to enumerate and reference all the known problems.

That is certainly the case with my posting yesterday, where an overseas physicist had uncovered one of the most dangerous vulnerabilities deep within the Internet and published it on his own blog. If another blogger (me) links to that, the purpose is to account for the problem, as well as to back up the details of a news story (in this case, in the New York Times) with more “original” research and links. The purpose is not, in any sense, to encourage anyone to try the experiment suggested in this or any other comparable link. The World Wide Web is full of accounts of how to do some very anti-social and illegal things, and they are easily found on all search engines. This particular news story is particularly shocking, and may provide a clue to other important and unresolved security problems that have been reported recently on the web.

Journalists report on “bad behavior” and give some details all the time. Sometimes the details concern what make someone who commits criminal acts “tick.” There are plenty of examples of this in the past ten years (especially recently). Sometimes the details simply tell authorities or larger companies that they need to develop much more sophisticated security systems. Sometimes there is, in the view of the public, a nagging concern about the “motives” of an “amateur” who posts the same information when working outside the normal media or journalistic “establishment.” I’ve talked about these issues on other blogs, particularly in the context of “online reputation.” The fact is, to be worthwhile, a blog or website about a public problem needs to account for all the facts about it, however disturbing these facts are, regardless of the authorship of the website.

Saturday, August 09, 2008

DNS System has serious potential security issues, needing a long-term solution and not just a patch (from Las Vegas Black Hat convention)

Russian physicist Evgeniy Polyakov posted on his technical blog (reachable from his “About” page) an account of how he poisoned the cache of a patched recursive DNS server, getting it to return an attacker-chosen address, in a matter of hours. The DNS software vendors shipped a patch in July for this long-known problem (it randomizes the UDP source port of each outgoing query), but according to Polyakov and others that workaround only slows the attack down rather than stopping it.

At this week’s “Black Hat” network security conference in Las Vegas, Dan Kaminsky of the security firm IOActive explained the flaw. You can visit his site (link, with releases about the DNS problem); read the Executive Overview PDF linked there, as well as CERT’s account, and notice that the banner headlines change when you reload the page. Here is another of Kaminsky’s own postings, link.

The fear is that hackers (especially overseas) will take their schemes a step beyond the “phishing attacks” now familiar to experienced home email users and redirect legitimate web requests for bank or financial institution sites to fake sites, to steal account holders’ funds or commit other kinds of identity theft. The story appears in The New York Times, by John Markoff, p. B1 Business Day, August 9, 2008, “Patch for Web Security Hole Has Some Leaks of Its Own,” link here. The story refers to the recent patch meant to make such a heist more difficult, but Polyakov and Kaminsky maintain that this patch alone is still inadequate. Polyakov’s blog (mentioned above) refers to the New York Times article.

Brian Krebs wrote about the DNS flaw on his “Security Fix” blog on Aug. 7, “Kaminsky Details DNS Flaw at Black Hat Talk,” link here. Brian recommends that webmasters (like me) who use conventional ISPs switch to OpenDNS, which has reportedly fixed this problem. I’ll have to check into this further myself. (The PowerPoint link to Kaminsky’s presentation there did not work, at least for me.)
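To make the race described above concrete, here is an added simulation (my own illustration, not code from Kaminsky, Polyakov or any DNS implementation). A toy resolver accepts a reply when its 16-bit transaction ID and UDP source port match an outstanding query, which is all an unsigned resolver can check. The attacker follows Kaminsky’s loop: force a lookup of a never-cached name under the victim zone, spray forged replies carrying bogus NS glue for the zone before the real answer arrives, repeat. The fixed port 53, the burst of 200 packets per race, the seeds and the addresses (from the documentation ranges) are assumptions chosen for the demo; `GuessSpace` gives the expected number of forged packets per race with and without the July patch, which is the arithmetic behind why the patch only buys time.

```go
package main

import (
	"fmt"
	"math/rand"
)

// query is one outstanding recursive lookup. Before DNSSEC, a resolver accepts
// the first UDP reply that carries the matching 16-bit transaction ID and
// arrives at the source port the query left from; nothing else authenticates it.
type query struct {
	name string
	txid uint16
	port uint16
}

// reply is an answer as seen on the wire. glueName/glueAddr stand for an
// authority-section NS record plus its in-bailiwick A (glue) record. The
// resolver caches that glue, which is why a forged answer for a throwaway
// name like a7.example.com can move ns1.example.com, and so the whole zone.
type reply struct {
	txid, port         uint16
	glueName, glueAddr string
}

// Resolver is a toy cache with the two knobs that decide the race.
type Resolver struct {
	rng        *rand.Rand
	randomPort bool              // true models the July 2008 patch (source-port randomization)
	Cache      map[string]string // name -> address, glue included
}

func NewResolver(seed int64, randomPort bool) *Resolver {
	return &Resolver{rng: rand.New(rand.NewSource(seed)), randomPort: randomPort, Cache: map[string]string{}}
}

func (r *Resolver) send(name string) query {
	q := query{name: name, txid: uint16(r.rng.Intn(1 << 16))}
	if r.randomPort {
		q.port = uint16(1024 + r.rng.Intn(1<<16-1024)) // ephemeral range, ~2^16 choices
	} else {
		q.port = 53 // assumption: one fixed, predictable port for every query, as unpatched resolvers used
	}
	return q
}

// accept is the entire pre-DNSSEC authenticity check.
func (r *Resolver) accept(q query, rep reply) bool {
	return rep.txid == q.txid && rep.port == q.port
}

// GuessSpace is the number of (txid, port) combinations an off-path attacker
// has to search, i.e. the expected number of forged packets to win one race.
func GuessSpace(randomPort bool) float64 {
	if randomPort {
		return float64(1<<16) * float64(1<<16-1024)
	}
	return float64(1 << 16)
}

// Attack runs the Kaminsky loop. Each round the attacker makes the resolver
// look up a never-cached name under the victim zone, so every round is a
// fresh race instead of a wait for a TTL to expire, then sprays `burst`
// forged replies in the window before the legitimate answer arrives. The
// attacker knows the port only when it is fixed. Returns the round in which
// the NS glue was poisoned, or -1 if maxRounds pass without success.
func Attack(r *Resolver, zone, evilAddr string, burst, maxRounds int) int {
	target := "ns1." + zone
	atk := rand.New(rand.NewSource(0xA77)) // the attacker's own randomness
	for round := 1; round <= maxRounds; round++ {
		q := r.send(fmt.Sprintf("a%d.%s", round, zone))
		for i := 0; i < burst; i++ {
			forged := reply{txid: uint16(atk.Intn(1 << 16)), port: 53, glueName: target, glueAddr: evilAddr}
			if r.randomPort {
				forged.port = uint16(1024 + atk.Intn(1<<16-1024))
			}
			if r.accept(q, forged) {
				r.Cache[forged.glueName] = forged.glueAddr // poisoned: the zone's name server now "is" the attacker
				return round
			}
		}
		r.Cache[target] = "192.0.2.1" // legitimate answer wins this race; assumption: the real ns1 address
	}
	return -1
}

func main() {
	for _, patched := range []bool{false, true} {
		r := NewResolver(1, patched)
		n := Attack(r, "example.com", "198.51.100.66", 200, 20000)
		fmt.Printf("port randomization=%-5v guesses per race=%.0f poisoned in round %d ns1.example.com -> %q\n",
			patched, GuessSpace(patched), n, r.Cache["ns1.example.com"])
	}
}
```

With a fixed port the attacker needs about 65,536 guesses per race, so a few hundred races of 200 packets each usually suffice; with the port randomized the space is roughly 4.2 billion, which is why the patch turns minutes into hours of sustained flooding (Polyakov’s result) rather than making the attack impossible. Whatever the numbers, the resolver in this model is still accepting whichever packet matches first, which is the gap DNSSEC is meant to close.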

Financial institutions sound like the most obvious mark, but controversial websites could be targets too. If the problem were not contained, hacks like this could be used to make others believe that particular individuals had posted illegal material which they had not, and it could take law enforcement some time to understand such a problem before there were false prosecutions.

There are good questions as to whether domain registrars can and should implement signing solutions like DNSSEC for ordinary individual and small-business customers, as well as for the big boys like banks. DNSSEC lets a resolver detect a forged or substituted DNS record, which would reduce or eliminate the risk of an attacker replacing a DNS entry with intentionally incorrect routing. It would also complicate the way A records are maintained, since a signed zone carries additional key and signature records that have to be kept current, compared with how the industry encourages website owners to maintain records now.

The United States government and some European governments will start implementing it soon, especially for defense and intelligence sites, but apparently it would take a lot more development and testing to make this economical and practicable for ordinary business and individual customers. I haven’t yet seen any discussion of this by McAfee, but I presume it will appear and that SiteAdvisor could hook into it some day.
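As an added illustration of what DNSSEC changes (my own sketch, not code from any DNS software or from the registrars discussed above), the block below signs a record set with the zone’s key and has a validating resolver check it. Two things in it are the point of the preceding paragraphs: validation ignores transaction IDs and ports entirely, so winning the race from the earlier example gets an attacker nothing; and the resolver only trusts the zone key because the parent zone publishes a DS hash of it, which is exactly the record a registrar has to carry for its customers. The canonical form is a simplification of the real wire-format canonicalization, Ed25519 stands in for whichever DNSSEC algorithm a zone uses, and the names and addresses are from the documentation ranges.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is one owner name and type with all of its records: the unit that
// DNSSEC signs. An RRSIG covers the whole set, not one record.
type RRset struct {
	Owner   string
	Type    string
	Records []string
}

// canonical is the byte string that gets signed. Real DNSSEC uses canonical
// wire form with the records sorted; this toy version sorts and joins them so
// that reordering the set does not break the signature but any edit does.
func canonical(rs RRset) []byte {
	recs := append([]string(nil), rs.Records...)
	sort.Strings(recs)
	return []byte(strings.ToLower(rs.Owner) + "\x00" + rs.Type + "\x00" + strings.Join(recs, "\x00"))
}

// SignedRRset is an RRset plus its signature, the analogue of an RRSIG record.
type SignedRRset struct {
	RRset
	Sig []byte
}

// NewZoneKey generates the zone's signing key pair. Ed25519 is DNSSEC
// algorithm 15 (RFC 8080); the private half never leaves the zone operator.
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// DS is what the parent zone (for example.com, the .com registry, fed by the
// registrar) publishes for a signed child: a hash of the child's public key.
// It is the link in the chain of trust that a registrar has to carry for
// DNSSEC to work for its customers.
func DS(pub ed25519.PublicKey) [sha256.Size]byte {
	return sha256.Sum256(pub)
}

// Sign is done by the zone operator, offline, when the zone is published.
func Sign(priv ed25519.PrivateKey, rs RRset) SignedRRset {
	return SignedRRset{RRset: rs, Sig: ed25519.Sign(priv, canonical(rs))}
}

// Validate is what a validating resolver does with a reply. It is given the
// DS it already trusts from the parent, the key the reply claims belongs to
// the zone, and the signed set. It never looks at transaction IDs or source
// ports: either the parent vouches for the key and the key verifies the
// signature over exactly these records, or the reply is discarded.
func Validate(parentDS [sha256.Size]byte, pub ed25519.PublicKey, s SignedRRset) bool {
	if len(pub) != ed25519.PublicKeySize || sha256.Sum256(pub) != parentDS {
		return false // not the key the parent delegated to: attacker-supplied
	}
	return ed25519.Verify(pub, canonical(s.RRset), s.Sig)
}

func main() {
	pub, priv := NewZoneKey()
	parentDS := DS(pub) // published in .com alongside the NS delegation

	glue := Sign(priv, RRset{Owner: "ns1.example.com.", Type: "A", Records: []string{"192.0.2.1"}})
	fmt.Println("legitimate glue validates:", Validate(parentDS, pub, glue))

	// An off-path attacker who wins the TXID/port race can change the bytes of
	// the answer but cannot produce a signature the zone key verifies...
	forged := glue
	forged.Records = []string{"198.51.100.66"}
	fmt.Println("forged address validates:", Validate(parentDS, pub, forged))

	// ...and signing the forgery with a key of their own fails at the DS check.
	apub, apriv := NewZoneKey()
	fmt.Println("attacker-signed, attacker key validates:", Validate(parentDS, apub, Sign(apriv, forged.RRset)))
}
```

The operational cost the paragraph above alludes to is visible here too: every record set needs a signature, the key has to be published and its hash lodged with the parent, and in real deployments signatures expire and must be regenerated, which is the part small site owners would have to keep up with.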

Thursday, August 07, 2008

DC-area Bank of America branch, maybe others, hit by hidden cameras and skimmers in brazen theft

A brazen scheme to steal information from ATM transactions was discovered by an employee at the Rockville, MD Bank of America branch on Aug. 6. Thieves had installed a skimmer and a hidden camera to capture card data and PINs, and may have done so at other banks in Montgomery County, MD. WJLA reported that $60,000 had been stolen from accounts. The NBC4 story is here. This is one of the most brazen “bricks and mortar” skimming incidents in recent times. Other banks in the region are checking today to make sure this has not happened to them. Both WJLA and NBC4 reported this on the 11 PM news last night in the Washington DC area.

Customers should consider having new cards reissued with new PINs, and should verify their balances. Customers with online banking should check their accounts online frequently, even when out of town (over properly secured connections). It is a good idea for banking customers to ask their banks to place daily limits on ATM withdrawals to prevent massive losses from holdups, and also to set “point-of-sale” limits to contain fraud.

Bank of America had an incident in 2004 in which a printing company owner in Florida had $90,000 pilfered.

Tuesday, August 05, 2008

House to look at protection of privacy of web surfers

The House Energy and Commerce Committee will examine surreptitious tracking by advertising companies on the web, and has requested statements from 33 Internet companies regarding their practices. The House is concerned that consumer privacy and the security of consumer information can be compromised, despite claims to the contrary (with opt-out provisions) from companies like Embarq, as discussed on my main blog July 25.

The companies include a lot of large players: AOL, AT&T, Comcast, Cox, Verizon, Yahoo! and Time Warner.

The committee chairman is Edward J. Markey (D-MA).

The story appears in the Business section, p. D3, “Lawmakers Seek Data on Targeted Online Ads: Panel Concerned About Privacy on Web,” by Ellen Nakashima, in The Washington Post today, Aug. 5, link here.

“For better or for worse,” on-line advertising is an important component of the business models that make free content on the web possible.

Friday, August 01, 2008

DHS can seize, hold laptops at borders; does this indirectly put more consumer data on business laptops at risk?

The Department of Homeland Security has recently disclosed policies that allow federal agents to seize laptop computers at border checkpoints without any suspicion of wrongdoing. The policies and the controversy were reported in a story by Ellen Nakashima in The Washington Post, “Travelers’ Laptops May Be Detained at Border: No Suspicion Required Under DHS Policies,” p. A1, Aug. 1, 2008, link here.

One disturbing point is that laptops could be held for indefinite and unspecified periods. They could be damaged. Many people keep personal information in offline files on laptops; once the laptops are out of their control, that information could be compromised. A few TSA employees have been caught, fired and prosecuted for stealing passengers’ items.

Some people use their own computers and laptops for both personal and business purposes. The physical risk to laptops increases the risk that business or consumer information will be compromised when employees travel (on business-owned laptops, or on personal laptops that, properly or not, hold business information).

Another risk is theft of laptops at security checkpoints, given the physical clumsiness of going through security, which has become more complicated with the security rules and with financial pressure from airlines not to check luggage.

Still another risk when traveling comes from compromise of laptops over wireless hot spots with poorly secured or vulnerable services abroad.