2010.03.08

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to get into the right frame of mind as information security consultants and to be the best consultants we can be in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is to help our clients to that end by protecting a very important asset: their information.  So what are we reading today?

It’s been a while since we’ve written on our blog.  We’ve still been reading, but we haven’t had time to write about it.  Business has been very good!

Last week we found ourselves in Louisville, Kentucky and Baltimore, Maryland.  We met with some outstanding people and experienced some interesting information security stuff.  Maybe we’ll share some of this "stuff" later on.  For those of you who may have missed it, there is a new law to comply with.  March 1st was the deadline for compliance with Massachusetts 201 CMR 17.00.  The regulation applies to anyone who owns or licenses personal information about Massachusetts residents, not only to companies located in the state, so if you do any business with Massachusetts residents we strongly urge you to learn about it.

Well, let’s get to it.  Our Monday morning reading list…

Quote of the day:

Fall seven times, stand up eight. – Japanese proverb

[FRSecure]  The number is arbitrary.  Fall seven thousand times, stand up seven thousand one.

Breaches:
Fraudulent PIN pads used at two Hancock stores
[FRSecure]  We have more questions than answers on this one.  How do you protect yourself from this if you are a consumer?  Chances are good that the fraudulent PIN pads looked authentic, so the practical advice is to run your card as credit rather than debit where you can (there is then no PIN to capture) and to watch your statements.  How did these PIN pads get switched without Hancock’s knowledge?  A merchant that keeps an inventory of its PIN pads by serial number and inspects them regularly is much more likely to notice a swapped device.  Somebody at Hancock needs to answer some questions.

At least two stores in Wisconsin are affected by this incident; one in Stevens Point and the other in Marshfield.  If you shopped at either one of these stores with a credit or debit card, work with the issuing bank to get new accounts and cards, even if you haven’t suffered any fraud.  Once a number is compromised, it’s compromised, whether or not it has been used for fraud yet.

Argos exposes customers’ credit-card numbers in emails
[FRSecure]  Most people in the U.S. have never heard of Argos, which is a UK company.  Argos is a part of the Home Retail Group, and according to the Argos website; "Home Retail Group is the market leader in the home and general merchandise market."  Anyway, what the heck happened here?

"The company has been including the customer’s full name, address, credit-card number and three-digit CCV security code in order confirmation emails, which are sent once a customer has placed an order on the Argos website."

Seriously?  Did anyone think about information security, or the risks of sending this kind of information in plain-text email?  Why would a customer want their full card number and CVV (the card-not-present verification code) in a confirmation email?  Worse, producing that email means the CVV was being kept around after the order was placed instead of being discarded once the authorization went through, which the PCI DSS forbids.  This is a good example of a bad mistake.

Stolen Shands laptop had info of 12,500 patients
[FRSecure] An unencrypted laptop containing sensitive personal information belonging to Shands patients was stolen from an employee’s home.  The personal information included "names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people."  The employee downloaded the information because he/she thought that their laptop was encrypted.

Among the concerns:

  1. Why wasn’t this laptop encrypted?  Laptop encryption is nothing new, and we have known about the risks of unencrypted laptops for quite some time.  If your organization uses laptops, deploy full disk encryption on all of them and verify centrally that it is actually turned on; an encrypted disk whose protection has been suspended (BitLocker, for example, then stores the key in the clear) is no better than an unencrypted one.  Seems like common sense, but common sense isn’t common if it isn’t so common.
  2. Why did the employee assume that the laptop was encrypted?  Poor information security training and awareness, but also a process failure: whether a device is encrypted should be a fact the organization knows from its own records, not something an employee has to guess.  People’s behavior presents the most significant risk to information security, and the time and money invested in good training and awareness programs pays off.  Shands’ human resources department has since worked to "discipline and re-educate" the employee.
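A check that turns "I thought it was encrypted" into something an administrator can verify, added here as an example (it is not code from the original post or from Shands). It parses the output of Windows’ `manage-bde -status` and flags every volume that is not both fully encrypted and protected. The sample output below is constructed to mimic the Windows 7 format, not captured from a real machine; volume C: is healthy, D: is encrypted but suspended, and E: was never encrypted.

```python
import re

# Constructed sample of `manage-bde -status` output (not from a real machine).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 232.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Numerical Password
        Password

Volume E: [Scratch]
[Data Volume]

    Size:                 50.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:)")
# Field lines are indented exactly four spaces; key protector names are
# indented eight and have no colon, so they are skipped on purpose.
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+?):\s*(.*)$")


def parse_manage_bde(text):
    """Split manage-bde output into one dict of fields per volume."""
    volumes, current = [], None
    for line in text.splitlines():
        vol = VOLUME_RE.match(line)
        if vol:
            current = {"volume": vol.group(1)}
            volumes.append(current)
            continue
        field = FIELD_RE.match(line) if current else None
        if field:
            current[field.group(1)] = field.group(2).strip()
    return volumes


def unprotected_volumes(volumes):
    """Return (volume, reason) for every volume a thief could simply read.

    'Fully Encrypted' alone is not enough: with 'Protection Off' BitLocker is
    suspended and the volume master key is stored in the clear on the disk.
    """
    findings = []
    for v in volumes:
        conv = v.get("Conversion Status", "Unknown")
        prot = v.get("Protection Status", "Unknown")
        if conv != "Fully Encrypted":
            findings.append((v["volume"], "not fully encrypted: " + conv))
        elif prot != "Protection On":
            findings.append((v["volume"], "encrypted but suspended: " + prot))
    return findings


if __name__ == "__main__":
    for volume, reason in unprotected_volumes(parse_manage_bde(SAMPLE_STATUS)):
        print(volume, reason)
```

Run against real output (`manage-bde -status > status.txt` on each machine, collected centrally), anything the script prints is a laptop you should not let leave the building.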

UWMC patient financial information compromised

"In early February, an employee of the National Collection Office (NCO) Financial Systems Inc., a debt-collection agency that UW Medicine contracts with, violated security and compromised at least 50 confirmed contacts, and as many as 80 more are being investigated."

[FRSecure] The risks involved with using debt collection agencies (and third parties in general) can be very significant and must be properly managed.  We are curious to understand how UW Medicine manages third-party risk: what the contract requires of the collector, how much patient data the collector is given (it should be the minimum needed to collect the debt), and who reviews the collector’s security.

Westin hotel in LA reports possible data breach
[FRSecure] "Hotel officials disclosed Friday that the hotel’s four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers’ debit and credit cards."  The hotel has posted a letter to it’s customers on it’s website.

In the letter to customers, the hotel claims that its point-of-sale (POS) system may have been illegally accessed by an outside "hacker".

UT Southwestern employee accused of selling patient information

"DALLAS – Authorities arrested an employee at UT Southwestern Medical Center after she allegedly stole patient information and possibly their identities."

Hundreds of patients’ personal information – including birth dates, addresses, phone numbers and financial data – was stolen before Tracy Renay Thomas’ arrest and termination, police said.

[FRSecure] This former employee is accused of stealing and selling personal information belonging to as many as 10,000 UT Southwestern Medical Center patients.  Here’s the doozy:

Representatives have admitted that when Thomas was hired to work in the financial services department, she did have a prior misdemeanor for theft on her record. She worked at the medical center for six months.

What’s the use in performing background checks if you aren’t going to use the information in your employment decisions?  And a second question: how does one person in a financial services department pull records on as many as 10,000 patients in six months without anyone noticing?  Access to that much data should be logged and reviewed.

Other Security Stuff:
Monster botnet held 800,000 people’s details

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

[FRSecure] This is an example of excellent work and cooperation between the private sector and public authorities.  We follow Panda Security’s tweets and blog.  If you are interested, you are encouraged to do the same.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

People often mistakenly think that bot networks are only used for disruptive attacks (DDoS).  The fact that over 800,000 personal records were found as part of this investigation drives home the fact that bots are more often used for financial gain.  Do these 800,000 people know that their personal information has been compromised?  Nope.  Will they ever know?  Only when something bad happens.

RSA Conference: Gonzalez may receive largest ever U.S. hacking sentence
[FRSecure]  The RSA Conference was held last week.  This is arguably one of the most popular and productive get togethers for information security professionals.  We had to miss this year’s event due to work engagements, but we are looking forward to attending next year.

If you have never heard of Albert Gonzalez; he is accused of (and has pleaded guilty to) being the mastermind behind the attacks on TJX (40 million+ credit card numbers), Dave & Buster’s, and Heartland Payment Systems (130 million+ credit card numbers), among others.  It is widely agreed that Mr. Gonzalez will not see freedom for many, many years, if ever.

Smartphone Weather App Builds A Mobile Botnet
[FRSecure] Here is another story that came out of the RSA Conference.  Good research by Derek Brown and Daniel Tijerina of TippingPoint’s Digital Vaccine Group.  We are a little leery of conducting this type of research on live systems that the researcher doesn’t own or control, but we are probably even more averse to legal action.

Fraudsters Bank on Business Accounts: How to Protect Your Funds Online
[FRSecure]  WARNING – This is a must read for small to medium-sized businesses.  We have seen good companies go out of business through unauthorized money transfers, and this is an increasingly common attack.  The risks are real, and banks are not required to reimburse you for losses (and most don’t).  The protections for businesses are not the same as they are for individuals: the consumer protections of Regulation E do not cover business accounts.  Practical defenses include using a dedicated, locked-down computer for online banking, requiring two people to approve a transfer, and reconciling accounts every day so that fraud is caught while the bank can still recall the funds.  DO NOT ignore this type of attack and hope it doesn’t happen to you.

Yep, There’s a Patch for That
[FRSecure] Patching Windows is not enough.  There are significant vulnerabilities in the third-party software on your systems (document readers, media players, browser plug-ins and the like), and attackers target them precisely because they are patched less reliably than the operating system.  Your patch management program should account for software from all vendors and developers, which means you first need an accurate inventory of what is installed and at what version.

(Screenshot: two insecure programs found among the 109 programs installed.)

Secunia’s PSI is a very good tool that we have used for the better part of three years.  It’s probably worth a look for you too.

(Screenshot: the two insecure programs, with drop-downs to additional information and links to patches.)
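The core of any such inspector is comparing installed versions against the vendor’s patched version, and that comparison is easy to get wrong (compared as strings, "10.0" sorts before "9.3"). The example below is added here to show that logic; it is not code from the original post or from Secunia, and the inventory, program names and version numbers are constructed placeholders, not findings about any real product.

```python
import re

# Constructed inventory of installed programs; names and versions are
# placeholders, not real products or real vulnerabilities.
INSTALLED = {
    "PDF Reader": "9.3",
    "Web Browser": "3.6",
    "Java Runtime": "1.6.0_17",
    "Media Player": "1.0.5",
    "Archiver": "4.65",
    "Line-of-Business App": "2.1",
}

# The oldest version of each program that carries the current fixes
# (in practice this list comes from a vulnerability feed, not by hand).
PATCHED = {
    "PDF Reader": "9.3.1",
    "Web Browser": "3.6",
    "Java Runtime": "1.6.0_18",
    "Media Player": "1.0.5",
    "Archiver": "4.65",
}


def parse_version(version):
    """Turn '1.6.0_18' or '9.3.1' into a tuple of ints so that 10.0 > 9.3.

    Fragments that do not start with a digit count as 0; trailing zeros are
    dropped so that 9.3 and 9.3.0 compare equal.
    """
    parts = []
    for piece in re.split(r"[._-]", version):
        digits = re.match(r"(\d+)", piece)
        parts.append(int(digits.group(1)) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_insecure(installed, patched):
    """True when the installed version is older than the patched one."""
    return parse_version(installed) < parse_version(patched)


def find_insecure(inventory, patched_versions):
    """Return (insecure, unknown).

    insecure: [(name, installed, patched)] for programs below the patched
    version.  unknown: programs with no entry in the patched list, reported
    separately so that missing data is never silently treated as 'safe'.
    """
    insecure, unknown = [], []
    for name, version in inventory.items():
        if name not in patched_versions:
            unknown.append(name)
        elif is_insecure(version, patched_versions[name]):
            insecure.append((name, version, patched_versions[name]))
    return insecure, unknown


if __name__ == "__main__":
    insecure, unknown = find_insecure(INSTALLED, PATCHED)
    print(f"{len(insecure)} insecure of {len(INSTALLED)} programs installed")
    for name, have, need in insecure:
        print(f"  {name}: {have} installed, {need} or later required")
    for name in unknown:
        print(f"  {name}: no patch data, needs manual review")
```

The "unknown" bucket matters in practice: an in-house application that no vulnerability feed knows about is still part of your attack surface, and an inventory that only reports what it recognizes will quietly leave it out.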

‘Severe’ OpenSSL vuln busts public key crypto
[FRSecure] This vulnerability may be patched before you even get a chance to read this.  The research behind the headline recovers an RSA private key from signatures produced while the signing hardware is being driven outside its voltage specification, so it is less a coding bug than a reminder that a faulty computation on a secret key can leak the key.  The article and paper are interesting to read, and stress the importance of protecting secret keys.
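To make the "faulty computation leaks the key" point concrete, here is an added example that is not from the original post, the paper or OpenSSL.  It uses a constructed toy RSA key to show the simplest attack of that family (a single faulty RSA-CRT signature factors the modulus with one gcd) and the standard defense, which is to verify every signature with the public key before it leaves the signer.  The key size, message and fault model are all illustrative.

```python
from math import gcd

# Constructed toy key: two 30-bit primes so the numbers stay readable.  Real
# keys are 2048 bits and sign padded hashes, but the attack and the
# countermeasure are identical at any size.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents, as libraries store them
QINV = pow(Q, -1, P)


def sign_crt(m, fault_in_p=False):
    """RSA signature via the Chinese Remainder Theorem (the fast path every
    library uses).  fault_in_p models one glitch corrupting the mod-p half;
    m must be in [1, N) and coprime to N, as a padded hash always is."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1                       # any corruption of sp will do
    h = (QINV * (sp - sq)) % P        # Garner recombination
    return sq + Q * h


def self_check(sig, m):
    """Verify with the public key; far cheaper than the signing itself."""
    return pow(sig, E, N) == m % N


def sign_checked(m, fault_in_p=False):
    """Countermeasure: never release a signature that does not verify."""
    sig = sign_crt(m, fault_in_p)
    if not self_check(sig, m):
        raise RuntimeError("signature failed self-check; not released")
    return sig


def recover_factor(m, faulty_sig):
    """Attacker side.  A signature that is right mod q but wrong mod p gives
    sig^e - m == 0 (mod q) but != 0 (mod p), so gcd(sig^e - m, N) is exactly
    q.  One faulty signature therefore yields the whole private key."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 123456789
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_p=True)
    print("good signature verifies:", self_check(good, m))
    print("faulty signature verifies:", self_check(bad, m))
    q = recover_factor(m, bad)
    print("factor recovered from one faulty signature:", q == Q, q, N // q)
    try:
        sign_checked(m, fault_in_p=True)
    except RuntimeError as err:
        print("with the self-check in place:", err)
```

The self-check costs one public-key operation per signature, which is negligible next to the private-key operation; signing implementations that skip it are betting that their hardware never errs.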

White House Cyber Czar: ‘There Is No Cyberwar’
[FRSecure] We like Howard Schmidt’s calm demeanor and approach, but we don’t see how we are not in the midst of a "Cyberwar" or whatever else you would like to call it.  We have read about a significant number of seemingly state-sponsored attacks on US companies and government systems.  What do we call state-sponsored cyber attacks?

USB battery charger installs Trojan
[FRSecure] According to the article:

Malware bundled in a charger-monitoring software download package opens up a back door on compromised Windows PCs. The contaminated file is automatically downloaded from the manufacturer’s website during the installation process, not bundled with an installation CD.

In a statement, Energizer acknowledged the problem and discontinued sale of the affected device, the Duo Charger (Model CHUSB). The battery maker has also launched an investigation into how backdoor functionality found its way into its software.

This didn’t happen by accident.  There is no legitimate reason for Arucer.dll to be placed on computers as part of the install.  This looks like a compromise of the company’s software development or distribution process, and it is a reminder that an installer which fetches code from the vendor’s website at install time is only as trustworthy as that website and the build pipeline behind it.

Humor:
We are in the mood for spring, and we’ll be mowing our lawns before we know it.
