Data breaches are high-stakes, high-drama crimes. Not only do they
impact the target companies, but millions of innocent consumers can
have their financial worlds turned inside out as a result of one breach.
Here is a rundown of some high-profile data breach cases.
Aetna Insurance
On May 28, 2009, Aetna Insurance contacted 65,000 users to let them
know that their personal data may have been compromised. The company was
alerted to the breach when customers began complaining of spam emails
asking for personal information. While it wasn't clear if any Social
Security Numbers had been compromised, Aetna erred on the side of
caution, notifying 65,000 current and former employees of the breach and
offering free credit monitoring services.
Cornelius Allison, a former employee, is the plaintiff in a class action lawsuit
alleging that Aetna failed "to adequately protect the private personal
information of its current, former and potential employees."
This wasn't Aetna's first experience with data loss. In 2006 a laptop
containing sensitive information was stolen from an employee's car.
Aetna notified 38,000 customers of the breach, offering free credit
monitoring to the victims. According to a company spokesman, the
employee carrying the laptop did not follow corporate data protection
policies.
LexisNexis
On May 1, 2009, LexisNexis disclosed a data breach to 32,000
customers. Although the data theft took place between June 2004 and
October 2007, notification was withheld while the US Postal Service
investigated. The USPS was investigating, apparently, because the
thieves had set up phony post office boxes as part of the scam.
LexisNexis bills itself as the "world’s largest collection of public
records, unpublished opinions, forms, legal, news, and business
information." According to Douglas Curling, COO of parent company
ChoicePoint, the database company has suffered 45-50 breaches.
Heartland Payment Systems
In 2008, credit card processor Heartland Payment Systems was
breached. The exact number of financial records stolen remains a
mystery, but on August 17, 2009 Albert Gonzalez was indicted for
stealing more than 130 million credit and debit records. Heartland was
one of his high-profile victims, and the system he hacked processes 100
million card transactions every month.
Commonwealth of Virginia
Virginia was the victim of an interesting twist on identity theft. On
April 30, 2009 a hacker posted a ransom note on the website of the
Prescription Monitoring Program. The hacker claimed to have stolen a
database containing millions of customer pharmaceutical records.
The note read "You have 7 days to decide. If by the end of 7 days,
you decide not to pony up, I'll go ahead and put this baby out on the
market and accept the highest bid".
The hacker demanded $10 million by May 7 in return for a password
that would access the stolen records. The Commonwealth elected not to
pay the ransom. As of this writing, the disposition of the database
containing 8 million patient records and 35 million prescriptions is
still unclear.
RBS Worldpay
In 2008, RBS Worldpay, a division of the Royal Bank of Scotland,
admitted to a massive data breach involving 2.6 million records. In
2009, they were awarded an IRS contract to process taxpayer credit card
payments.
Senator Norm Coleman
Norm Coleman was embroiled in a legal battle over his photo-finish
election loss to Al Franken.
Adria Richards was an IT pro who exposed an unprotected donor database
stored on Coleman's campaign website. She says she did not download any
information.
But the database turned up on Wikileaks, a website devoted to
"untraceable mass document leaking." Whoever was responsible, one thing
is clear: 4,700 of Coleman's online donors had their financial data
strewn all over the Internet.
Sunday, 13 August 2017
GPS Tracking: An Invasion of Privacy?
A Look at the Supreme Court's Decision in United States v. Jones
Background
Before analyzing the court's decision, let's review the basic story line:
Antoine Jones owned a Washington DC night club. The FBI, as well as the Metropolitan Police Department, suspected Jones of dealing drugs and enlisted a plethora of surveillance techniques to make their case. These techniques included a camera trained on the front door of his night club, visual surveillance, and a wire tap of his cell phone. Beyond that, the authorities obtained a search warrant to attach a GPS device to a Jeep registered to Jones's wife.
The warrant for the GPS specified that the device had to be installed within 10 days in the District of Columbia. Authorities attached the device on the 11th day in Maryland. Ergo, they conducted a warrantless search.
Jones was convicted of possession of cocaine with an intent to distribute the same and sentenced to life in prison. The conviction was later reversed because of the warrantless use of GPS data.
The authorities contended that the GPS tracking did not constitute a search as defined by the Fourth Amendment. The evidence, therefore, should be admitted.
The Decision
The case of United States v. Jones eventually came before the Supreme Court and was decided on January 23, 2012. The Court's task was to determine whether attaching a GPS tracking device to a vehicle constituted a search under the Fourth Amendment.
Justice Antonin Scalia's Opinion opens with these words:
We decide whether the attachment of a Global-Positioning-System (GPS) tracking device to an individual's vehicle, and subsequent use of that device to monitor the vehicle's movements on public streets, constitutes a search or seizure within the meaning of the Fourth Amendment.
By attaching a GPS tracking device, Scalia argued,
The government physically occupied private property for the purpose of obtaining information.
The Supreme Court unanimously decided that the FBI and the Metropolitan Police Department violated Mr. Jones's rights as defined by the Fourth Amendment.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Supreme Court's decision, while hailed as a signal victory by privacy rights advocates, deals exclusively with physically attaching a GPS device to private property, and the Court has not outlawed this practice. Indeed, GPS tracking remains a common tactic in terrorism and narcotics investigations. But after this decision, it will be legally problematic to use these devices without first obtaining a search warrant.
What This Decision Does Not Mean
In a concurring Opinion, Justice Samuel Alito questioned the premise of the Decision, based as it is on physical property. In the digital age, he noted, physical trespass is not required for close tracking. And, he argued, accessing such tracking data may violate a citizen's reasonable expectation of privacy.
In some locales closed-circuit television video monitoring is becoming ubiquitous. On toll roads, automatic toll collection systems create a precise record of the movements of motorists who choose to make use of that convenience. Many motorists purchase cars that are equipped with devices that permit a central station to ascertain the car's location at any time so that roadside assistance may be provided if needed and the car may be found if it is stolen.
Scalia did not dismiss Alito's viewpoint, noting
It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question.
Looking at the decision from an entirely different angle, Justice Sotomayor questioned the traditional legal reliance on a "reasonable expectation of privacy" in the digital age.
People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries and medications they purchase to online retailers. I, for one, doubt that people would accept without complaint the warrantless disclosure to the government of a list of every Web site they had visited in the last week, or month, or year.
Sotomayor, alone, attempted to detach the question of privacy from technology. She maintained that individual privacy rights should not change as technology continues to develop.
Conclusion
While the Jones Decision set an important limitation on surveillance in the digital age, it leaves other important issues undecided. Among these are:
- How extensively can an individual be tracked, if that tracking does not require physical trespass? Tracking via cell phone data, toll booth records and vehicle guidance systems is not directly addressed in this decision.
- What expectation of privacy does an individual have when sharing or releasing information via search engines, email programs, and online purchases?
Fingerprint Scanner: Help Remembering Passwords with Your Finger
Introduction
Entry-level biometrics have reached a price point at which they are a
great tool that could benefit many businesses. The fingerprint scanner
is a form of biometrics which enables us to use something we have (in
this case our finger) to help authenticate us to a computer or network.
I have written about the virtues of tools to help with passwords, such as PasswordSafe,
but this is different. The more I deal with small businesses, the more
I realize that users have a hard time remembering passwords. What do
they do when they can’t remember them? They write them down
where they can be found. With the fingerprint scanner, a user doesn’t
even have to know what their password is and they can still access
secure systems.
Apart from the James Bond-esque applications, fingerprint scanners are starting to show up in many mom-and-pop shops all over. They are cheap and easy to configure. I still get a thrill logging into an application with the press of a finger.
How Does It Work?
The scanner remembers the patterns of ridges and valleys unique to your finger. The scanner then compares the stored pictures of your finger to the one that is being presented to the scanner. If there is a match, it lets you in. The Microsoft Fingerprint Scanner I use relies on optical scanning as opposed to capacitance scanning. You can check out the differences in scanning methods at HowStuffWorks.com. To configure the scanner you need to place each finger you want the scanner to recognize on the scanner a total of four times so it can get a good picture.
Pros and Cons of Fingerprint Scanners
The pros of such a system are many. It is fast and extremely easy to set up. Certain fingerprint scanners actually allow you to access Active Directory accounts, although the one from Microsoft does not at present. Three scanners that are popular within the market are the Verifi P2000, Fingkey Hamster II and the BioMini. Physically compromising a system is a lot harder than simply guessing passwords in many cases. You don’t often forget your fingers as you do a password. Even so, do as I have done and use multiple fingers from each hand to ensure you can survive an unfortunate accident. Multiple people can log onto the same computer with different profiles without ever having to know their passwords. The fingerprint scanner does not forget your password like you might after you go to Disneyworld for two weeks. So it is definitely a time-saving device too. With that said, the systems are not error free. Never, never, never substitute any device for a little common sense. If you do use a scanner to protect something like PasswordSafe, you will definitely want to verify that you remember the password in case of a mishap. If you use encrypted drives, and you use your finger to mount and dismount the drives, again have a backup. Lastly (and it even says this on the fingerprint scanner package), think of such devices as a convenience.
Conclusion
Don’t trust everything you own to a fingerprint scanner. In my daily routine I have over 150 passwords I am responsible for. The combination of PasswordSafe and a fingerprint scanner is fantastic for me. However, I also make sure I back up my password database and know the password to manually open the password database. So for around $50 you can outfit a computer and make your users’ lives a little more convenient.
Vista's User Access Control
UAC Keeps You Safe While Using Vista
Introduction
With the release of Vista there have been many new security aspects in the operating system. One of the most talked about features is User Access Control or UAC. UAC has gotten a lot of bad press, but I disagree with it. Here is a quick rundown on UAC and why it is a good thing. In the not too distant past, users of Windows would find themselves logged on automatically as an administrator when setting up Windows XP. If you install XP and do not join a domain, the default user you create has full administrative privileges and can access all aspects of the computer operating system.
What’s the big deal, you ask?
Many computer users found it convenient to never have to elicit the help of the IT team to install a new software application or reconfigure the Windows registry or change the system clock. While convenient for the computer user, in a small company the effects can be devastating for two reasons.
1. Inadvertent Experimentation
Many users consider themselves Power Users, and editing the registry or installing new drivers is old hat to them. However, problems arise when the latest drivers for that new video card are in beta only and have known issues with the accounting software you are also running. This causes the system to crash repeatedly. The user now loses productivity as his system has to be rebuilt. In a smaller organization, this might actually mean installing from scratch as opposed to an imaging process. That equates to lost time and productivity.
2. Personal Use of Corporate Computers
This second reason is a little more ominous. Many users tend to use their work computers as their own private portals to the Internet. Surfing inappropriate sites, checking stocks and downloading bit torrents at work is fast becoming a major security issue. When a user downloads executable code such as a script or even a screen saver and then runs the code, they are doing so as the administrator of the computer. If the code is nefarious, it gets a bump start on its road to destruction, as it does not even need to try to escalate its privileges: it is running as administrator already. The potential for loss and breach of security is huge. Microsoft has long touted the benefits of running as a non-administrative user on a system. Until now it was impractical for many users and cumbersome. UAC was designed to address these shortcomings.
UAC Explained
User Access Control (UAC), which is enabled by default in Vista, allows standard users (non-administrators) to complete both standard and administrative tasks (if they have the administrative credentials on hand) without having to log off. This is very similar to the ‘su’ command in Linux. The process works by assigning two security tokens to a logon. One token contains group membership information and the second controls the authorization and access data. Until Vista there was only a single token which stated what a user could do. It was all or nothing. With User Access Control (UAC) even administrators must provide acceptance for various tasks. For example, the user of a computer wants to add a file to the Startup Menu to begin a chat application at start up. This function is trying to write to the registry and will cause UAC to request access even if the user is the administrator. When the user attempts to create the shortcut they are presented with a similar screen. The only difference between a standard user and an administrative user is that the latter will not be prompted for credentials.
While it may seem cumbersome at first, UAC prevents applications from writing to the registry inadvertently without the user’s knowledge. It also prevents applications from installing without a user’s knowledge.
Some articles have said that UAC is in fact a security vulnerability because users are still administrators by default when their account is created. True. But they will still need to use UAC to install programs, perform system maintenance or run some applications. However, the onus is still on the owner to be using the correct account. Microsoft can’t do that for you. At the end of the day operating system and software application vendors can only do so much; computer users need to be aware of proper secure practices.
Some users complain that it is annoying having a popup appear every time they open the control panel. But let’s think for one moment. Let’s take the majority of users of systems: standard everyday computer users. How many times a day do most users have to open MMCs, adjust video settings or monkey with the registry? The fact is, once the system has been configured, most users will probably not have to even see the popups. Even when I run my system in Admin mode I leave UAC turned on as a secondary measure of security. This way I am notified when the operating system or a software application is doing a task that should have my approval to proceed.
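As an added example (not code from the original post), the following PowerShell inspects the two-token behaviour described above: it reads the registry values UAC is controlled by and reports whether the current process is running on the filtered standard token or the full administrator token. It assumes a Windows host with PowerShell 5.1 or later and changes nothing.

```powershell
# Added example, not from the original post. Read-only: it reports UAC policy
# and the state of the token the current process was started with.

function Get-UacPolicy {
    # Documented policy values UAC is governed by.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = [bool]$p.EnableLUA               # 1 = UAC on
        # 0 = elevate silently, 1/3 = prompt for credentials, 2/4 = prompt for
        # consent, 5 = prompt for consent for non-Windows binaries (default)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $adminsSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

    # Groups lists every SID in the token, including ones marked "use for deny only",
    # so this is true for an admin even on the filtered token.
    $adminGroupInToken = $id.Groups -contains $adminsSid

    # IsInRole() only counts enabled groups: false on the filtered (standard) token
    # UAC hands a non-elevated admin, true once the process has been elevated.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User              = $id.Name
        AdminGroupInToken = $adminGroupInToken
        Elevated          = $elevated
        # An admin account whose process holds only the standard token: this is
        # the case the article's "two tokens" paragraph describes.
        FilteredToken     = ($adminGroupInToken -and -not $elevated)
    }
}

Get-UacPolicy
Get-TokenState
```

Run it once from a normal console and once from an "Run as administrator" console to see the same account report FilteredToken true and then Elevated true.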
Conclusion
I like to know what my system is doing and UAC is a great mechanism to allow me to do that. For the average user, it may be cumbersome at first, but that will be up to a company’s security team to determine the benefit. Personally, I would enforce UAC as an education experience to show users exactly what they are playing with and the ramifications of their actions.
8 Reasons for Full Disk Encryption
Protecting the Whole Hard Drive
Introduction
Disk encryption is used to protect the entire hard drive or a portable storage device such as a USB thumb drive or portable hard drive. Disk encryption is used mainly on portable computers, but can also be used on any computer that contains highly sensitive data, especially if it is located in a high risk area. As many operating systems, especially Windows, store application data, configuration information, and temporary files in numerous locations, even a diligent user can have sensitive information stored on the computer in the clear. Full disk encryption protects the whole hard drive no matter the sophistication of the user, application or operating system – everything is protected all the time.
How it works in a nutshell
When using full disk encryption, the computer asks for a password and/or a USB token at boot in order to load the operating system. It is very important that the boot password is complex: if the password is simple, the protection of full disk encryption is nullified by that simple password. Remember, weak passwords trump strong security, always.
So what does full disk encryption provide?
1. Protects Data When Laptop Lost
No matter who finds the laptop, the data on the hard drive is protected.
2. Protects Data When Laptop Stolen
If, unfortunately, your laptop is stolen, then the data on the laptop is protected.
3. Better than Mountable Encrypted Volumes for Normal Users
Mountable encrypted volumes turn an encrypted file into a drive letter, like an “F” drive. The issue is that the user has to remember to run the encryption software and mount the volume before they can save their data. Some would say, “Why don’t you have the drive automount?” Well, it would not give you much protection if someone can boot your operating system. For users that are diligent, TrueCrypt is open source volume encryption software that I have been using for a little less than a year, and it works great.
4. Better than Encrypted File System (EFS)
Encrypted File System (EFS) is included with Windows 2000 and Windows XP Professional. It allows you to encrypt selected files, like the files in your My Documents folder. EFS does not let you encrypt operating system files. It is good for securing data, but as the operating system stores configuration and temporary files in many places, EFS is not as effective as full disk encryption, though better than nothing.
5. Helps Meet Regulatory Concerns
If a laptop with private customer data on it is lost or stolen, the loss of the data must be reported and customers notified. This can be a huge embarrassment for any company and bring about the PR fiasco that no one looks forward to.
6. Transparent to User
Unlike EFS and mounted volume encryption, the only evidence that full disk encryption is active is the password request when the computer boots. During heavy disk operations there is only a 5% performance hit while reading and writing to the encrypted drive. I have been running SecurStar for over a year and I don’t even notice the performance difference.
7. Beyond Username and Password of the Operating System
Many people think the username and password protect the data on the laptop. This is not the case. Without full disk encryption, if someone has physical access to your laptop, it is not your data anymore.
8. Protects Against Rip and Attack
Not only laptops need full disk encryption. There may be desktops in your organization that contain sensitive information whose theft would not be good. I am not talking about servers that are locked in server rooms guarded by men with guns, but maybe a CAD workstation and/or a research workstation that may have local files (even cached) that could be a target for attackers. Attackers could take out the hard drive, make a copy and put it back before anyone knows.
Conclusion
For portable data and confidential data in high risk locations, consider full disk encryption to protect your corporate data.
Top 10 Reasons Security Pros Might Want Vista
Is Vista Under Your Christmas Tree?
1. Engineered for Security
Vista is the first operating system from Microsoft developed end-to-end with security as the focus. Microsoft is working toward Common Criteria (CC) certification with the goal of achieving Evaluated Assurance Level 4 (EAL4) and Single Level OS Protection Profile certifications. Security from the ground up is not a bad place to “Start Me Up.”
2. Internet Explorer (IE) Protected Mode
This feature is only available in the Vista version of Internet Explorer 7 (IE). Protected mode does not allow other applications to access Internet Explorer. I worked on an application for Windows XP that hooked IE and could capture the data during a FORM POST even over SSL. Nice to know the bad guys can’t do this anymore, as long as you run in protected mode.
3. Windows Defender
Anti-spyware built in! When looking at friends' and family PCs I find them full of malware. Windows Defender is a good start in protecting your computer when surfing the wild sections of the Internet.
4. Windows Firewall with Advanced Security
All the great features of the firewall in Windows XP SP2 with the added protection of securing outgoing traffic. The firewall also has an option to disable all incoming connections, especially useful when connecting to a high risk network like a free wireless network or a hotel network.
5. New Logon Architecture
New methods and APIs for independent software vendors (ISVs) and developers to build their own authentication methods, such as biometrics or tokens, by writing credential providers. This can open unique methods of authenticating to your Vista PC. As a software developer I find this very interesting.
6. Windows BitLocker™ Drive Encryption
BitLocker provides full disk encryption. This protects the operating system, boot files and all the data on the hard drive. Computers with a Trusted Platform Module (TPM 1.2) heighten the protection of user data, and help to ensure that a client computer running Windows Vista cannot be tampered with while the system is offline. This is a very useful feature for laptops. Lost and stolen laptops can cause serious business issues, especially when those laptops contain intellectual property or private customer data.
7. Windows Service Hardening
Windows Service Hardening restricts critical Windows services from doing nasty activities to the file system, registry, or network. This protects the operating system from malware being installed by compromised Windows services. I will be watching the security bulletins for this exploit. Will there be security issues in Vista that are mitigated by this feature? Time will tell.
8. Improved Encrypted File System (EFS)
Under Windows XP, EFS was good at protecting your data, and that was about all. Doing anything fancy became complex and cumbersome. One major downfall with the previous version of EFS was the difficulty of storing the EFS certificates on a smart card. This now works! An interesting feature as well is that the page file and cached offline files can now be encrypted.
9. Windows Security Center (WSC)
WSC is a method for third party software and web sites to query the security state of a computer before interacting with the computer. For example, a bank web site could make sure you have anti-spyware and anti-virus software with up to date signatures before allowing you to log in to your online banking.
10. Device Control
Today’s USB drives can now hold 4 gigabytes of data, which is basically a whole DVD of data. This has been a security headache for a long time. Employees walking out of the office with all the company secrets on USB drives, ouch. Now there is a group policy setting that disables USB drives from being accessed on a corporate Vista PC.
Conclusion
I have been using Vista since Beta2. I am now running Vista Ultimate thanks to my MSDN subscription. I have been enjoying Vista and, as a security pro, looking at ways that it can help the security of a small/medium business. Vista rolls many security features into an operating system, which allows Vista to worry about the security while you worry about your business.
Christmas Time
The 11th reason is not about security but the enjoyment of using your computer. It may be more secure, but it is Christmas time and it is time to relax and enjoy your family, friends and some downtime with your computer (geek out!). Vista sports the new glass interface which gives the environment a very solid feel. With Windows Media Player you can enjoy DVDs, music and last year’s Christmas video. The upcoming DirectX 10 games will definitely be a blast.
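As an added example (not code from the original post), the following PowerShell audits two of the features in the list above, BitLocker (item 6) and removable-storage device control (item 10), so an administrator can confirm they are actually in force on a machine. It assumes a current Windows release with the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 or later, not Vista itself) and an elevated console; it changes nothing.

```powershell
# Added example, not from the original post. Read-only audit of BitLocker and
# the Removable Storage Access policy on the local machine.

function Get-DiskEncryptionState {
    # Get-Tpm / Get-BitLockerVolume come with the TrustedPlatformModule and
    # BitLocker modules shipped on Windows 8+ and Server 2012+.
    $tpm = Get-Tpm
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeType    = $_.VolumeType         # OperatingSystem or Data
            Protection    = $_.ProtectionStatus   # On means the key protectors are active
            Method        = $_.EncryptionMethod
            KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ',')
            TpmPresent    = $tpm.TpmPresent
            TpmReady      = $tpm.TpmReady
        }
    }
}

function Get-RemovableStoragePolicy {
    # The "Removable Storage Access" group policy writes under this key; the GUID
    # subkey is the disk device-interface class used for removable disks.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $disk = Join-Path $base '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $all  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $rd   = Get-ItemProperty -Path $disk -ErrorAction SilentlyContinue
    # The USBSTOR driver can also be disabled outright (Start = 4).
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DenyAllRemovable    = [bool]$all.Deny_All
        RemovableDiskRead   = -not [bool]$rd.Deny_Read
        RemovableDiskWrite  = -not [bool]$rd.Deny_Write
        UsbStorDriverStart  = $usbstor.Start      # 3 = on demand (default), 4 = disabled
        UsbStorageBlocked   = ([bool]$all.Deny_All -or $usbstor.Start -eq 4)
    }
}

Get-DiskEncryptionState | Format-Table -AutoSize
Get-RemovableStoragePolicy
```

A laptop whose OS volume shows Protection Off, or a desktop where UsbStorageBlocked is false while the policy was expected, is the gap to fix.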