From jericho at attrition.org Tue Jul 1 06:53:52 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 1 Jul 2008 06:53:52 +0000 (UTC) Subject: [Dataloss] follow-up: NHS manager is suspended after losing computer Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php By Chris Watt The Herald July 1, 2008 A senior hospital manager has been suspended after a laptop containing the unencrypted personal data of more than 20,000 patients was stolen, a health trust admitted yesterday. The computer, which held the names, dates of birth, postcodes and medical information of thousands of patients, was stolen from the NHS staff member's car during a holiday in Edinburgh nearly two weeks ago. All the individuals affected by the theft have been contacted, Colchester Hospital University NHS Foundation Trust said. [...] From hbrown at knology.net Tue Jul 1 12:28:43 2008 From: hbrown at knology.net (Henry Brown) Date: Tue, 01 Jul 2008 07:28:43 -0500 Subject: [Dataloss] stolen and or lost laptops (FRINGE) Message-ID: <486A22FB.1020605@knology.net> News story ... http://www.cio.com/article/418163/Laptops_Lost_Like_Hot_Cakes_At_US_Airports Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey. Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-sized airports, and 69 percent are not reclaimed. Travelers seem to lack confidence that they will recover lost laptops. 
About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn't do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.

[...]

Complete study: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf

From lyger at attrition.org Wed Jul 2 08:10:41 2008
From: lyger at attrition.org (lyger)
Date: Wed, 2 Jul 2008 08:10:41 +0000 (UTC)
Subject: [Dataloss] UT: U. patient records recovered
Message-ID:

http://www.sltrib.com/news/ci_9761726

Stolen tapes containing millions of billing records for University of Utah patients have been recovered, the Salt Lake County Sheriff's Office confirmed Tuesday.

Details about where and when the tapes were recovered were not immediately available. Salt Lake County sheriff's Lt. Paul Jaroscak deferred questions until a 1 p.m. news conference scheduled for today to discuss the issue.

He said no arrests have been made in connection with the theft, but confirmed to The Salt Lake Tribune that missing tapes - which put an estimated 1.5 million patients of University of Utah hospitals and clinics at risk for identity theft - were recently found.

[...]

From hbrown at knology.net Wed Jul 2 15:11:35 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 02 Jul 2008 10:11:35 -0500
Subject: [Dataloss] Data Breach at AR Hospital
Message-ID: <486B9AA7.4090302@knology.net>

http://www.nwanews.com/adg/News/230290/

Baptist Health has sent letters warning about 1,800 patients that the hospital system's records may have been breached, the Arkansas Democrat-Gazette has learned. The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.

[...]

An investigation continues, said Sgt. Terry Kuykendall, a spokesman for the North Little Rock Police Department.
The U. S. Secret Service is helping with the investigation.

The June 24 letter from Baptist Health to patients stated: "Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."

No information in the patient's "medical records" and no information about the patient's diagnosis or prognosis was accessed, the letter said. But while no "medical record" information was accessed, the letter mentioned the patient's "reason for coming" to the system possibly was accessed.

Lowman said a reason stated by a patient using the system isn't considered medical information because the reason is a layman's explanation, not one from a medical professional. He said the breach wouldn't violate the Health Insurance Portability and Accountability Act, or HIPAA. But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

[...]

Several weeks passed before patients were notified by the letter. Baptist Health sent the letter after it learned more of the scope of the police investigation and audited what Hill had access to, according to Lowman.

[...]

From lyger at attrition.org Wed Jul 2 16:10:55 2008
From: lyger at attrition.org (lyger)
Date: Wed, 2 Jul 2008 16:10:55 +0000 (UTC)
Subject: [Dataloss] NE: UNK Computers Hacked
Message-ID:

http://www.nebraska.tv/Global/story.asp?S=8609047

Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers in early June, and this week, letters are going out to individuals who may be affected.
"The computers involved in the incident were immediately secured, and the university took additional steps to prevent unauthorized external access to any campus computers," said Deborah Schroeder, UNK assistant vice chancellor for Information Technology.

"The university has conducted a thorough investigation," Schroeder said.

The incident took place on Sunday, June 8, and was discovered Monday morning, June 9. Of the nine computers involved, five contained names and partial or complete social security numbers.

The breach, which originated in the Republic of Slovenia, was confined to computers in the College of Natural and Social Sciences. Computers involved included two each in the biology, history and psychology departments; and one each in the mathematics, computer science and sociology departments.

The files included advisees in the Department of History in 2002 and 2003, deciding students in Fall 2001 and Fall 2002, and students in the online Master of Science in Biology program since Spring 2005. In all, 2,035 letters are being mailed. No academic records were affected.

[...]

From rchicker at etiolated.org Wed Jul 2 19:27:21 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 2 Jul 2008 15:27:21 -0400
Subject: [Dataloss] Colt Express breach exposes Google employees
Message-ID:

July 2, 2008
http://blog.washingtonpost.com/securityfix/2008/07/data_breach_exposes_info_on_pr.html?nav=rss_blog

A data breach at a California company that administers benefit plans to businesses across the country involved personal information on all Google employees hired prior to Dec. 31, 2005, the search engine giant said.

Google's disclosure came in a letter (PDF) to the New Hampshire Attorney General, which revealed that Google was a victim of a break-in at Colt Express Outsourcing Services Inc.
Last month, Colt warned that the theft of computer equipment from its offices resulted in the loss of the names, birth dates and Social Security numbers of 6,500 CNET Networks employees. Google said that same information from its employees also was included on the missing equipment.

[..]

From lyger at attrition.org Thu Jul 3 00:54:34 2008
From: lyger at attrition.org (lyger)
Date: Thu, 3 Jul 2008 00:54:34 +0000 (UTC)
Subject: [Dataloss] MA: Freedom Credit Union warns customers of data breach
Message-ID:

http://www.masslive.com/news/index.ssf/2008/07/freedom_credit_union_warns_cus.html?category=Business+category=Chicopee+category=Crime+category=Franklin%20County+category=Northampton+category=Springfield

Freedom Credit Union is warning customers of a security breach whereby debit card data was electronically captured by individuals who may have used it in a counterfeit scheme.

"We have been notified that your Debit card number was one of several obtained during the arrest and indictment of individuals in Eastern Europe and the United States," reads a June 27 letter from Freedom Credit Union to certain customers.

In response, the credit union has issued new debit cards and PIN numbers to affected customers. Allen W. Reed, the credit union's information technology administrator, could not say today how many cards were involved.

[...]

From jschroeder at wavelink.com Wed Jul 2 21:38:49 2008
From: jschroeder at wavelink.com (Jake Schroeder)
Date: Wed, 2 Jul 2008 15:38:49 -0600
Subject: [Dataloss] (update) UT: U. patient records recovered
In-Reply-To:
References:
Message-ID:

Sheriff: One arrest, two additional suspects located in U. patient records theft

Three people have been identified as suspects -- with one under arrest -- in the June theft of tapes containing University of Utah patient billing records, which have been recovered and do not appear to have been accessed, Salt Lake County Sheriff Jim Winder said.
Shadd Dean Hartman, 37, was booked into the Salt Lake County Jail early Wednesday on suspicion of possession of stolen property and unlawful possession of another's identification in connection with the theft. A second person is already in custody on unrelated charges and being interviewed; and the third person is expected to be booked into jail by the end of the day, Winder said. He did not rule out further arrests.

They were stolen in early June after a courier for the U.'s contract storage company, Perpetual Storage, left them in his personal vehicle overnight outside his home in Kearns. He violated company policy by not taking them to the company's vault in Little Cottonwood Canyon.

The group became aware of what they allegedly had - and a $1,000 reward - through media coverage of the theft, Winder said. But he said they did not appear to have the ability to access the information on the tapes.

"They're not techies," Winder said. "I don't know if they could find their rear end with both hands."

Hartman, 37, of Erda, Tooele County, has a criminal record dating back to 1992, according to state court records. It includes convictions for forgery, theft by receiving stolen property, drug possession and operating clandestine drug labs. The most recent case was filed in February by Tooele County prosecutors, who charged him in 3rd District Court with third-degree felony forgery and three counts of misdemeanor theft. The judge in that case issued a $20,000 warrant for Hartman's arrest after he twice failed to appear in court.

The stolen tapes, containing personal information for 1.5 million patients, included driver license numbers, birth dates, physicians' names, insurance providers and medical procedure codes. In addition, Social Security numbers were listed for 953,000 patients. The tapes will be examined by the FBI, Winder said.
He said the probability the tapes were accessed by the group was about 2 on a scale of one to ten, but added that even the FBI examination may not provide a definite answer. The U. has posted the following information on its Web site: "The tapes were recovered in their original container and condition and there is no indication that the information on the tapes has been accessed or misused." The U., which is offering free credit monitoring to some affected patients, said it will "keep our current measures in place" since the investigation is ongoing. The backup tapes contained billing records dating back to 1992. There is an individual the sheriff's office believes should receive the reward, Winder said, but he declined to identify the individual. Winder said the courier will not face charges and is instead considered a victim in the case. The U. has offered patients whose Social Security numbers were compromised one year of credit monitoring with a one year $25,000 "identity theft insurance." Plaintiffs in two lawsuits that are seeking class-action status say that isn't enough. They fear the possible theft of their personal information could result in a host of problems: ruined credit that could cost them jobs, loans and housing; being blackmailed to avoid the disclosure of sensitive medical information like HIV-positive status or drug addiction treatment; being issued a warrant for a DUI after their driver's license number was misused; being held responsible for taxes if their personal information is used to get a job. One lawsuit filed by Christensen & Jensen against Perpetual Storage and the U. demands the university extend credit monitoring for at least five years; offer five years worth of fraud protection that would alert patients before new lines of credit are opened; and provide victims money and legal counsel to restore their credit and identities and money to reimburse them for money lost due to identity theft. 
Before this afternoon's news conference, attorney Scot Boyd, who is representing 11 plaintiffs and potentially "hundreds" more in that lawsuit, couldn't say whether the recovery of the tapes would nullify the lawsuit. But in court filings, he wrote that it wouldn't, noting the thieves could copy the information and return the original tapes.

In a separate lawsuit against Perpetual, patient Thelma Keachie demands $8 million to monitor and repair credit reports for at least five years and track the use of other private information for a lifetime.

Jake Schroeder

From mhill at idtexperts.com Thu Jul 3 03:26:08 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 2 Jul 2008 23:26:08 -0400
Subject: [Dataloss] (update) UT: U. patient records recovered
In-Reply-To:
References:
Message-ID:

You have to love this case.

> Winder said the courier will not face charges and is instead considered
> a victim in the case.

How is the courier a victim when their employee violated company policy and probably some state and/or federal laws as well?

> One lawsuit filed by Christensen & Jensen against Perpetual Storage and
> the U. demands the university extend credit monitoring for at least five
> years; offer five years worth of fraud protection that would alert
> patients before new lines of credit are opened; and provide victims money
> and legal counsel to restore their credit and identities and money to
> reimburse them for money lost due to identity theft.

Are there any identity theft protection plans that include access to legal counsel?

> Before this afternoon's news conference, attorney Scot Boyd, who is
> representing 11 plaintiffs and potentially "hundreds" more in that
> lawsuit, couldn't say whether the recovery of the tapes would nullify the
> lawsuit. But in court filings, he wrote that it wouldn't, noting the
> thieves could copy the information and return the original tapes.

Can you detect whether a tape has been copied?
Can any techies out there answer that?

> In a separate lawsuit against Perpetual, patient Thelma Keachie demands
> $8 million to monitor and repair credit reports for at least five years
> and track the use of other private information for a lifetime.

Now that's a solution.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

"If You Think You're Not At Risk, Think Again!"

From tglassey at earthlink.net Thu Jul 3 15:16:37 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Thu, 3 Jul 2008 07:16:37 -0800
Subject: [Dataloss] (update) UT: U. patient records recovered
References:
Message-ID: <002c01c8dd1f$d69c95d0$0200a8c0@tsg1>

----- Original Message -----
From: "Michael Hill, CITRMS"
To: "Jake Schroeder" ; "lyger" ;
Sent: Wednesday, July 02, 2008 7:26 PM
Subject: Re: [Dataloss] (update) UT: U. patient records recovered

> You have to love this case.
>
>> Winder said the courier will not face charges and is instead considered
>> a victim in the case.
>
> How is the courier a victim when their employee violated company policy and
> probably some state and/or federal laws as well?
>
>> One lawsuit filed by Christensen & Jensen against Perpetual Storage and
>> the U. demands the university extend credit monitoring for at least five
>> years; offer five years worth of fraud protection that would alert
>> patients before new lines of credit are opened; and provide victims money
>> and legal counsel to restore their credit and identities and money to
>> reimburse them for money lost due to identity theft.
>
> Are there any identity theft protection plans that include access to legal
> counsel?

Not that I am aware of. If you asked a lawyer what to do most of them couldn't tell you either... Unless they are cutting edge and have experience in this area. This is all new material for many of them.

>
>> Before this afternoon's news conference, attorney Scot Boyd, who is
>> representing 11 plaintiffs and potentially "hundreds" more in that
>> lawsuit, couldn't say whether the recovery of the tapes would nullify the
>> lawsuit. But in court filings, he wrote that it wouldn't, noting the
>> thieves could copy the information and return the original tapes.
>
> Can you detect whether a tape has been copied? Can any techies out there
> answer that?

Probably not. If it had been a disk drive there are some SMART controls that could be used with a proper Disk Management Regimen to tell if a disk had been powered up since its last shutdown, but copying tapes is not likely to be something that can be determined.

>
>> In a separate lawsuit against Perpetual, patient Thelma Keachie demands
>> $8 million to monitor and repair credit reports for at least five years
>> and track the use of other private information for a lifetime.

I don't get that she is entitled to a lifetime's tracking. As it happens most of our financial info is already out in the open. So my take is that this won't fly too well.

Todd Glassey CISM CIFI

>
> Now that's a solution.
>
> Mike
>
> Michael Hill
> Certified Identity Theft Risk Management Specialist
> www.idtheft101.net
> 404-216-3751
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From macwheel99 at wowway.com Thu Jul 3 14:01:35 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Thu, 03 Jul 2008 09:01:35 -0500
Subject: [Dataloss] (update) UT: U. patient records recovered
In-Reply-To:
References:
Message-ID: <6.2.1.2.1.20080703084423.042f28a0@pop3.mail.wowway.com>

Michael Hill, CITRMS wrote:

> > Before this afternoon's news conference, attorney Scot Boyd, who is
> > representing 11 plaintiffs and potentially "hundreds" more in that
> > lawsuit, couldn't say whether the recovery of the tapes would nullify the
> > lawsuit. But in court filings, he wrote that it wouldn't, noting the
> > thieves could copy the information and return the original tapes.
>
> Can you detect whether a tape has been copied? Can any techies out there
> answer that?

On IBM OS, you can get statistics on backup media # of usages & estimated life. For example: this media is rated for 1 million usages, and so far it has had XX,XXX usages. I do not know how accurate it is, I have not used it for this purpose. The act of accessing the media to get the latest count, that is also a usage.

How I have used it for backup media ... I have a mountain of backup media used in rotation. From time to time some wear out. I can use this to warn me that some media is approaching the end of its useful life span.

Usages include reading in a copy to any other media, or upload to some computer system. Depending on how the data on the media is organized, you can also get at the # usages of various files, libraries, records etc. With backup media, they should all be consistent with ... save / verify / restore, except where you know you used that media to restore a small volume of problem areas.

A problem with the latter could be that it is a feature of the IBM OS that any time stuff is accessed using that OS, certain aspects of the description of the objects are incremented by the usage count, but suppose the media is accessed by some other OS, that does not have that same security feature standard, or suppose the crooks have the geek skills to mess with the OS wherever they are operating, to circumvent or turn off some of the stuff the OS normally does.
Al Macintyre
i/geek
Programmer etc. on IBM Midrange platforms

From tglassey at earthlink.net Thu Jul 3 15:57:17 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Thu, 3 Jul 2008 07:57:17 -0800
Subject: [Dataloss] (update) UT: U. patient records recovered
References: <6.2.1.2.1.20080703084423.042f28a0@pop3.mail.wowway.com>
Message-ID: <00bc01c8dd25$796379f0$0200a8c0@tsg1>

Folks - a tape is a 100% passive reading system. The processes which would have watermarked this for each use actually have to write on the tape's header or in other locations. And gee whiz, depending on what type of tape this was, that simply may not be possible.

If it is a random access tape then this might work, but say it's a streaming media cartridge. All that the hosting system gets is the cartridge's serial number so it really cannot tell how many times a tape was used.

The system Michael talks about below is part of an integrated volume management system which most OS's don't have. If this tape or tape cartridge (which is much more likely) was just copied from say a Unix system with DUMP or just DD there would be no record created on the media whatsoever.

Todd Glassey CISM CIFI

----- Original Message -----
From: "Al Mac Wheel"
To: "Michael Hill, CITRMS" ;
Sent: Thursday, July 03, 2008 6:01 AM
Subject: Re: [Dataloss] (update) UT: U. patient records recovered

> Michael Hill, CITRMS wrote:
>
>> > Before this afternoon's news conference, attorney Scot Boyd, who is
>> > representing 11 plaintiffs and potentially "hundreds" more in that
>> > lawsuit, couldn't say whether the recovery of the tapes would nullify
>> > the lawsuit. But in court filings, he wrote that it wouldn't, noting the
>> > thieves could copy the information and return the original tapes.
>>
>> Can you detect whether a tape has been copied? Can any techies out there
>> answer that?
>
> On IBM OS, you can get statistics on backup media # of usages & estimated
> life. For example: this media is rated for 1 million usages, and so far it has
> had XX,XXX usages. I do not know how accurate it is, I have not used it
> for this purpose. The act of accessing the media to get the latest count,
> that is also a usage.
>
> How I have used it for backup media ... I have a mountain of backup media
> used in rotation. From time to time some wear out. I can use this to warn
> me that some media is approaching the end of its useful life span.
>
> Usages include reading in a copy to any other media, or upload to some
> computer system. Depending on how the data on the media is organized, you
> can also get at the # usages of various files, libraries, records
> etc. With backup media, they should all be consistent with ... save /
> verify / restore, except where you know you used that media to restore a
> small volume of problem areas.
>
> A problem with the latter could be that it is a feature of the IBM OS that
> any time stuff is accessed using that OS, certain aspects of the
> description of the objects are incremented by the usage count, but suppose
> the media is accessed by some other OS, that does not have that same
> security feature standard, or suppose the crooks have the geek skills to
> mess with the OS wherever they are operating, to circumvent or turn off
> some of the stuff the OS normally does.
>
> Al Macintyre
> i/geek
> Programmer etc. on IBM Midrange platforms
From ADAIL at sunocoinc.com Thu Jul 3 15:34:30 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Thu, 3 Jul 2008 11:34:30 -0400
Subject: [Dataloss] Hackers Steal Millions from 7-Eleven ATM Network
In-Reply-To:
Message-ID:

http://www.foxnews.com/story/0,2933,375484,00.html

SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them. That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others. A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist. They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through. What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs. Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts. Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year. "This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. 
"What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported." The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits. Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant. Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards. "We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement. Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers. "Fiserv," she said, "is confident in the integrity and security of our system." This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From macwheel99 at wowway.com Thu Jul 3 15:33:09 2008 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Thu, 03 Jul 2008 10:33:09 -0500 Subject: [Dataloss] (update) UT: U. 
patient records recovered
In-Reply-To: <00bc01c8dd25$796379f0$0200a8c0@tsg1>
References: <6.2.1.2.1.20080703084423.042f28a0@pop3.mail.wowway.com> <00bc01c8dd25$796379f0$0200a8c0@tsg1>
Message-ID: <6.2.1.2.1.20080703100932.042a8b60@pop3.mail.wowway.com>

I agree, but it is also OS dependent what can be done, since different OS have different features for media support.
Plus the market can demand something better. Look at the growth in encrypted backup support.

I once got a tape which my OS refused to load.
"This tape was created by PACIFIC, who is not a user on your system."
Since I had security officer access, I created user PACIFIC on our system, and was able to load the tape.
With IBM media, it is an issue of who owns the data, and who has what access privileges. User PACIFIC has access privileges. No other IBM OS will accept that data unless that computer system has a user by that name.

The # of usages XX,XXX I believe is related to looking at the magnetics of the media & doing an estimate from the wear, which is why I say I do not believe the accuracy is good enough for this purpose. If it was, the backup log would record # usages, the restore log would record #, we would get an error message if difference is unexpected.

There is a heck of a lot more on the volume than the serial #. Right now with IBM OS there's a date component ... "You are restoring from backup made 6/22 ... your most recent backup was 7/2" in other words it recognizes that we are not restoring from the latest backup media.

>Folks - a tape is a 100% passive reading system. The processes which would
>have watermarked this for each use actually have to write on the tape's
>header or in other locations. And gee whiz, depending on what type of
>tape this was, that simply may not be possible.
>
>If it is a random access tape then this might work, but say it's a
>streaming media cartridge.
>All that the hosting system gets is the
>cartridge's serial number so it really cannot tell how many times a tape
>was used.
>
>The system Michael talks about below is part of an integrated volume
>management system which most OS's don't have. If this tape or tape
>cartridge (which is much more likely) was just copied from say a Unix
>system with DUMP or just DD there would be no record created on the media
>whatsoever.
>
>Todd Glassey CISM CIFI
>
>----- Original Message -----
>From: "Al Mac Wheel"
>To: "Michael Hill, CITRMS" ;
>Sent: Thursday, July 03, 2008 6:01 AM
>Subject: Re: [Dataloss] (update) UT: U. patient records recovered
>
>
>>, Michael Hill, CITRMS wrote:
>>
>>> > Before this afternoon's news conference, attorney Scot Boyd, who is
>>> > representing 11 plaintiffs and potentially "hundreds" more in that
>>> > lawsuit, couldn't say whether the recovery of the tapes would
>>> > nullify the
>>> > lawsuit. But in court filings, he wrote that it wouldn't, noting the
>>> > thieves could copy the information and return the original tapes.
>>>
>>>Can you detect whether a tape has been copied? Can any techies out there
>>>answer that?
>>
>>On IBM OS, you can get statistics on backup media # of usages & estimated
>>life.
>>For example: this media is rated for 1 million usages, and so far it has
>>had XX,XXX usages. I do not know how accurate it is, I have not used it
>>for this purpose. The act of accessing the media to get the latest count,
>>that is also a usage.
>>
>>How I have used it for backup media ... I have a mountain of backup media
>>used in rotation. From time to time some wear out. I can use this to warn
>>me that some media is approaching the end of its useful life span.
>>
>>Usages includes reading in a copy to any other media, or upload to some
>>computer system. Depending on how the data on the media is organized, you
>>can also get at the # usages of various files, libraries, records
>>etc.
>>With backup media, they should all be consistent with ... save /
>>verify / restore, except where you know you used that media to restore a
>>small volume of problem areas.
>>
>>A problem with the latter could be that it is a feature of the IBM OS that
>>any time stuff is accessed using that OS, certain aspects of the
>>description of the objects are incremented by the usage count, but suppose
>>the media is accessed by some other OS, that does not have that same
>>security feature standard, or suppose the crooks have the geek skills to
>>mess with the OS wherever they are operating, to circumvent or turn off
>>some of the stuff the OS normally does.
>>
>>Al Macintyre
>>i/geek
>>Programmer etc. on IBM Midrange platforms
>>
>>_______________________________________________
>>Dataloss Mailing List (dataloss at attrition.org)
>>http://attrition.org/dataloss
>>
>>Tenable Network Security offers data leakage and compliance monitoring
>>solutions for large and small networks. Scan your network and monitor your
>>traffic to find the data needing protection before it leaks out!
>>http://www.tenablesecurity.com/products/compliance.shtml

From tglassey at earthlink.net Thu Jul 3 17:36:34 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Thu, 3 Jul 2008 09:36:34 -0800
Subject: [Dataloss] (update) UT: U. patient records recovered
References: <6.2.1.2.1.20080703084423.042f28a0@pop3.mail.wowway.com> <00bc01c8dd25$796379f0$0200a8c0@tsg1> <6.2.1.2.1.20080703100932.042a8b60@pop3.mail.wowway.com>
Message-ID: <007b01c8dd33$584078f0$0200a8c0@tsg1>

You mean the User ID of the File/Tape Owner didn't exist on your system - yeah this happens on many systems still.
But hey - my point was that if you were trying to stop someone who knew what they were doing, the claims made by the Newspaper in response to their article are simply wrong IMHO.

Todd

----- Original Message -----
From: "Al Mac Wheel"
To: "TS Glassey" ; "Michael Hill, CITRMS" ;
Sent: Thursday, July 03, 2008 7:33 AM
Subject: Re: [Dataloss] (update) UT: U. patient records recovered
From lyger at attrition.org Fri Jul 4 17:35:27 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Jul 2008 17:35:27 +0000 (UTC)
Subject: [Dataloss] UK: Daily Mail publisher loses laptop with thousands of personal details
Message-ID:

http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=9904

The publisher of the Daily Mail newspaper has said a laptop containing the financial and personal details of thousands of staff and suppliers has been stolen, according to reports.

Details such as names, addresses, bank account numbers and sort codes were on the laptop, which was password protected, the Guardian newspaper reported.

In a letter to those whose details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.

[...]

From lyger at attrition.org Fri Jul 4 17:52:00 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Jul 2008 17:52:00 +0000 (UTC)
Subject: [Dataloss] NV: Juror data breach is reported
Message-ID:

http://www.lvrj.com/news/23025969.html

In a District Court security breach, a contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address, court officials said Thursday.

Clark County court officials said the people affected were notified by letters sent out Monday.

Court officials did not specify whether the breach was intentional or accidental. They also didn't specify when the incident occurred.

The information was transferred from the printing company that prepares jury summons notices to an unidentified employee's e-mail account. The information provided to the e-mail account could have included names, addresses, social security numbers and birth dates.
After reviewing the matter, court officials determined much of the personal information released was incomplete.

[...]

From hbrown at knology.net Sat Jul 5 20:29:59 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 05 Jul 2008 15:29:59 -0500
Subject: [Dataloss] The cost of NOT properly disposing of Personnel Data in TX
Message-ID: <486FD9C7.90902@knology.net>

http://tinyurl.com/6xcnfa

Texas EZPawn Throws Away Its Security Promises and Customers' Privacy and Gets Handed A Significant Penalty

[...]

On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver's license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.

[...]

Texas EZPawn actually operates in 13 states and has 600 locations with pawn shops and supplies third-party lender loans.
The judgment http://www.oag.state.tx.us/newspubs/releases/2007/050307ezpawn_pop.pdf requires:

* $600,000 penalty
* Texas EZPawn LP and its related businesses to shred or otherwise irreversibly destroy PII on customer records before disposing of them, or to contract with a company that provides such secure disposal services
* Texas EZPawn LP and its related businesses to designate a data security compliance representative, create a written compliance program for the safe handling of consumer information, set up a training program for employees, and implement compliance verification procedures to ensure that all stores are handling customer information properly and complying with state privacy law

The state indicated Texas EZPawn LP and its related businesses violated the Texas Deceptive Trade Practices Act, the Texas Credit Services Organizations Act, and Texas statutes governing identity theft, including the Identity Theft Enforcement and Protection Act.

[...]

From lyger at attrition.org Mon Jul 7 13:42:52 2008
From: lyger at attrition.org (lyger)
Date: Mon, 7 Jul 2008 13:42:52 +0000 (UTC)
Subject: [Dataloss] Survey outfit exposes 41,000 private records
Message-ID:

From WK and InfoSec News (http://infosecnews.org):

http://www.theinquirer.net/gb/inquirer/news/2008/07/07/hackers-claim-survey-outfit

TOP MARKET RESEARCH firm TNS Infratest/Emnid has 'lost' 41,000 private data records of its survey participants, the Chaos Computer Club (CCC) has revealed in its official organ Die Datenschleuder.

According to CCC, it was a doddle for participants to read master data records and consumer profiles. The personal data was easily accessed without being checked by even the most basic security measures. All you needed to do was change the customer ID number in the browser's address bar and you could see everything.

[...]
From rchicker at etiolated.org Tue Jul 8 03:20:27 2008
From: rchicker at etiolated.org (rchick)
Date: Mon, 7 Jul 2008 23:20:27 -0400
Subject: [Dataloss] Breach in Fla. donor registry may have exposed 55,000
Message-ID:

http://www.naplesnews.com/news/2008/jul/07/breach-fla-donor-registry-may-have-exposed-ids/

TALLAHASSEE - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

The database includes donors' names, addresses, birth dates and driver license numbers. The agency is sending letters to inform individuals of the flaw.

[...]

From lyger at attrition.org Tue Jul 8 12:43:10 2008
From: lyger at attrition.org (lyger)
Date: Tue, 8 Jul 2008 12:43:10 +0000 (UTC)
Subject: [Dataloss] HK: Yan Chai Hospital reports data loss
Message-ID:

http://www.news.gov.hk/en/category/healthandcommunity/080708/html/080708en05008.htm

Yan Chai Hospital has lost a batch of backup floppy discs containing 3,000 medical record applicants' names and identity card numbers.

The discs serve as backup copies storing the processing log sheet on medical report applications dated January 16, 2005, to January 15, 2006. They went missing during the encryption process and the hospital management was informed of the incident on June 30. The files do not carry medical information.

[...]
From lyger at attrition.org Tue Jul 8 22:25:45 2008
From: lyger at attrition.org (lyger)
Date: Tue, 8 Jul 2008 22:25:45 +0000 (UTC)
Subject: [Dataloss] MA: Hackers compromised LPL security
Message-ID:

http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080708/REG/134627256/1094/INDaily01

For the second time in a year, LPL Financial has experienced a major technology snafu, this time reporting that hackers "compromised" the logon passwords of 14 financial advisers and four assistants.

The hackers' goal was to use the passwords to gain access to customer accounts in order to "pump and dump" penny stocks.

The incidents, which began last July, affected 10,219 clients, Boston-based LPL said in a letter dated May 6 to Maryland Attorney General Douglas F. Gansler.

Valuable private client information was at stake, Keith H. Fine, senior vice president and associate counsel of LPL wrote in the letter, as the hackers potentially could get their hands on clients' unencrypted names, addresses and Social Security numbers.

[...]

From jericho at attrition.org Wed Jul 9 09:12:30 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 9 Jul 2008 09:12:30 +0000 (UTC)
Subject: [Dataloss] Justice Breyer Is Among Victims in Data Breach Caused by File Sharing
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997.html

By Brian Krebs
WashingtonPost.com Staff Writer
July 9, 2008

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G.
Breyer.

The breach was not discovered for nearly six months. A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.

[...]

From hbrown at knology.net Wed Jul 9 12:35:59 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 09 Jul 2008 07:35:59 -0500
Subject: [Dataloss] CO DMV data leakage issue(s)
Message-ID: <4874B0AF.8020401@knology.net>

http://origin.denverpost.com/breakingnews/ci_9822063

DMV puts Coloradans at risk of ID theft
By Jessica Fender
The Denver Post
Article Last Updated: 07/09/2008 06:10:43 AM MDT

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.

At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers - some workers more than a year after their departure, auditors found.

[...]

Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," partly because the division is made up of a number of decentralized offices scattered across the state. No one person is responsible for security.

[...]

From arshad.noor at strongauth.com Wed Jul 9 17:03:25 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 09 Jul 2008 10:03:25 -0700
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]
Message-ID: <4874EF5D.4010504@strongauth.com>

While I don't believe anyone has said this is a breach, for all we know the data has already been used for illegal uses. If it is classified as a breach, this will be the fourth largest one (behind TJX, CardSystems and Hannaford).
An excerpt from the article:

"Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports. On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007, according to information from the attorney general's office."

Do government officials know about open-source software and that it can do mission-critical things at far lower costs than commercial software?

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: [Dataloss] CO DMV data leakage issue(s)
Date: Wed, 09 Jul 2008 07:35:59 -0500
From: Henry Brown
To: dataloss at attrition.org

http://origin.denverpost.com/breakingnews/ci_9822063
From lyger at attrition.org Wed Jul 9 17:24:07 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Jul 2008 17:24:07 +0000 (UTC)
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]
In-Reply-To: <4874EF5D.4010504@strongauth.com>
References: <4874EF5D.4010504@strongauth.com>
Message-ID:

On Wed, 9 Jul 2008, Arshad Noor wrote:

": " If it is classified as a breach, this will be the fourth
": " largest one (behind TJX, CardSystems and Hannaford).

Arshad,

Curious about what criteria is used when making this statement. A search on etiolated.org shows 13 events with more than 3.4 million records involved in breaches. Perhaps I'm not aware of what source you're using?

Lyger

From arshad.noor at strongauth.com Wed Jul 9 17:42:36 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 09 Jul 2008 10:42:36 -0700
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]
In-Reply-To:
References: <4874EF5D.4010504@strongauth.com>
Message-ID: <4874F88C.40504@strongauth.com>

I stand corrected, Lyger; I got my numbers mixed up with an analysis I'd done of the largest breaches that did NOT involve stolen laptops/desktops/tapes/etc. - essentially breaches of live, running systems which could not have been prevented by full-disk or storage-device based encryption.

Thanks for the link reference.

Arshad Noor
StrongAuth, Inc.

lyger wrote:
>
> On Wed, 9 Jul 2008, Arshad Noor wrote:
>
> ": " If it is classified as a breach, this will be the fourth
> ": " largest one (behind TJX, CardSystems and Hannaford).
>
> Arshad,
>
> Curious about what criteria is used when making this statement. A search
> on etiolated.org shows 13 events with more than 3.4 million records
> involved in breaches. Perhaps I'm not aware of what source you're using?
From hbrown at knology.net Wed Jul 9 19:06:43 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 09 Jul 2008 14:06:43 -0500
Subject: [Dataloss] POTENTIAL data leakage from Wichita KS Medical group
Message-ID: <48750C43.5010700@knology.net>

http://www.kansascw.com/Global/story.asp?S=8643448

The Wichita Radiological Group received an anonymous call saying their patient records may have been stolen. On Monday, the executive director reported the information to Wichita police.

According to the police report, the caller claims a former employee stole patient records before being fired from the Wichita Radiological Group. The caller said the former employee is now using patients' personal and financial information to pay bills.

The radiological group is not sure how much, if any information was stolen. So far, they have not found any evidence of the theft. But tens of thousands of patient records were in the database and could have been compromised.

An attorney for the Wichita Radiological Group tells Eyewitness News they have launched an internal investigation. The group changed internal passwords to make sure no more records are accessed.

Wichita police say they need identity theft victims from the case to come forward before they can proceed in their investigation.

[...]

Statement from the Wichita Radiological Group:

"We are aware that allegations have been made regarding the actions of a former employee. The allegations were made by an anonymous caller and, to date, we have not uncovered any evidence of wrongdoing. However, we take these matters seriously and, as a result, have reported the allegations to the Wichita police and are conducting an internal investigation. We have safeguards in place to protect the privacy and confidentiality of our patients' information, which safeguards meet or exceed the requirements of federal and state law.
In the event our investigation reveals that patient information was used or disclosed in violation of the law, we will take appropriate action and will notify those patients affected. We would emphasize to the public that the person alleged to have been involved did not have access to any patients' medical charts."

[...]

From cwalsh at cwalsh.org Fri Jul 11 00:36:56 2008
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 10 Jul 2008 19:36:56 -0500
Subject: [Dataloss] CA: Security breach compromises 5,000 social security numbers at Consumer Affairs [UPDATE]
In-Reply-To:
References:
Message-ID:

California state worker probed in ID security breach
By Andrew McIntosh - amcintosh at sacbee.com
Last Updated 12:09 am PDT Thursday, July 10, 2008
Story appeared in MAIN NEWS section, Page A4

A state worker recently married to a member of the Mexican Mafia who is in Corcoran State Prison for a gang murder is herself under investigation for downloading more than 5,000 names, addresses and Social Security numbers belonging to Department of Consumer Affairs staff, The Bee has learned.

The Department of Consumer Affairs disclosed that it suffered a data security breach last month, but at the time released few details about the incident. Officials sent a letter to employees, warning them to watch their credit for signs of identity theft, offering them free credit reports and $25,000 worth of fraud insurance.

Court documents obtained by The Bee show the department's own investigators have raided the Sacramento home of Rachael Rivas Dumbrique, a 32-year-old former Consumer Affairs personnel specialist, as part of an ongoing criminal investigation.

Investigators are looking at why Dumbrique copied a confidential data roster with employee names, addresses and Social Security numbers and then shipped it to a private e-mail account on her last day of work at Consumer Affairs in June. They also want to know if her gang-linked husband had any involvement, the court documents show.

[...]
Full story at http://www.sacbee.com/111/story/1072332.html

From hbrown at knology.net Fri Jul 11 01:31:42 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 10 Jul 2008 20:31:42 -0500
Subject: [Dataloss] Personal data found alongside road in Tate County MS
Message-ID: <4876B7FE.2040907@knology.net>

From Channel 24 news in Memphis TN
http://tinyurl.com/5b3yn7

Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road. We even found W-2 forms, tax forms with people's names, addresses and social security numbers. Investigators in Tate County are trying to figure out how the papers got there.

[...]

Financial records, shipping order forms, and W-2's of former employees, personal information that Davis says was handled irresponsibly.

"Stupidity on the person that threw it out on the road. The people who disposed of these, there should be some legal action against them, but to me that's mismanagement," said Davis.

Many of the records are from Liberty Furniture, a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County.

"They're all from North Carolina, how did they get here? This is Mississippi. We got some strong wind, but they ain't that strong," says Davis.

Even Cromcraft employees were shocked when we brought this to their attention. Most of the W-2's are from the late 1970's and early 80's. And we're told Liberty Furniture went out of business more than twenty years ago.

While the company is no longer around, some of the people are. And personal information like their social security number will never change - making them easy targets for identity theft.

[...]
From hbrown at knology.net Fri Jul 11 01:39:42 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 10 Jul 2008 20:39:42 -0500
Subject: [Dataloss] 4000 students ssn exposed in williamson county TN
Message-ID: <4876B9DE.6040009@knology.net>

http://www.wsmv.com/news/16843341/detail.html

Students' Personal Info May Be Compromised

FRANKLIN, Tenn. -- Parents in Williamson County are getting phone calls warning them that their children's identities may have been compromised.

Last August, a Williamson County school system employee mistakenly posted the Social Security numbers of some students on a private Web site.

Officials said that it's believed as many as 15 percent of students who were in the third grade through eighth grade in 2006 may be affected. This number is about 4,000 students that could be affected.

It's not clear if any of those Social Security numbers were misused. The school system is investigating, and a representative said they plan to update parents within the next few days.

[...]

From lyger at attrition.org Fri Jul 11 11:22:07 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Jul 2008 11:22:07 +0000 (UTC)
Subject: [Dataloss] WA: Army records on stolen laptop
Message-ID:

http://www.thenewstribune.com/news/local/story/409911.html

A laptop computer that was reported stolen from an Army employee's truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.

A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.

Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.

[...]
From lyger at attrition.org Fri Jul 11 18:28:44 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Jul 2008 18:28:44 +0000 (UTC)
Subject: [Dataloss] (update): Laptop with information about soldiers found; Lacey teen arrested
Message-ID:

http://www.theolympian.com/377/story/504243.html

A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater police uncovered items from vehicle prowls, including a stolen Army laptop containing information about up to 900 Fort Lewis soldiers, police reported today.

The laptop, found among multiple items from a number of Lacey vehicle prowls, was returned to its owner Thursday, Tumwater police detective Jennifer Kolb said.

On July 4, an Army employee reported to Lacey police that someone had taken a laptop and a 500-gigabyte removable hard drive that he left on the seat of his unlocked Dodge truck overnight.

[...]

From lyger at attrition.org Fri Jul 11 19:11:40 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Jul 2008 19:11:40 +0000 (UTC)
Subject: [Dataloss] (update): Police arrest Texas man in Cal identity theft case
Message-ID:

http://www.pe.com/ap_news/California/CA_Identity_Theft_Arrest_349407C.shtml

A man has been charged in Texas in an identity theft case that affected more than 1,100 students at the University of California, Irvine, authorities said Friday.

Michael Tyrone Thomas, 27, of Fort Worth, was arrested Tuesday at his home there and is charged by Dallas County prosecutors with one count of the fraudulent use of identifying information, UC Irvine campus police Chief Paul Henisey said.

[...]

Authorities allege Thomas breached computer security at the Dallas office of UnitedHealthcare's department of student resources while he worked there in December 2007.

Henisey said Thomas stole a file containing the names and Social Security numbers of 1,132 UCI graduate and medical students. He said fake tax returns were filed for 163 of them.

[...]
From mhill at idtexperts.com Sun Jul 13 01:55:28 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sat, 12 Jul 2008 21:55:28 -0400
Subject: [Dataloss] 4000 students ssn exposed in williamson county TN
In-Reply-To: <4876B9DE.6040009@knology.net>
References: <4876B9DE.6040009@knology.net>
Message-ID: <3245C77B52E7416C9829E5FFC1D1C84F@mkevhillpc>

Maybe you legal beagles out there can answer this. I think I know the answers to these questions, but want to see what others are saying.

Can identity theft services monitor minors?

Are minors responsible for what happens to their credit, driving record, medical record, background/criminal record, SSN being altered or stolen?

Thanks,
Mike

Michael Hill | T3i
Director Risk Management & Compliance
Direct: 404.216.3751 | mhill at T3i.com | www.T3i.com
INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS

"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

----- Original Message -----
From: "Henry Brown"
To:
Sent: Thursday, July 10, 2008 9:39 PM
Subject: [Dataloss] 4000 students ssn exposed in williamson county TN

> http://www.wsmv.com/news/16843341/detail.html
>
> Students' Personal Info May Be Compromised
>
> FRANKLIN, Tenn. -- Parents in Williamson County are getting phone calls
> warning them that their children's identities may have been compromised.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From sromanos at andrew.cmu.edu Sun Jul 13 21:26:38 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Sun, 13 Jul 2008 17:26:38 -0400
Subject: [Dataloss] Keeping track of idtheft victims of breaches
Message-ID: <000e01c8e52f$22a23ae0$6601a8c0@sribm>

Hey everyone,

I'd like to start keeping a record of those stories that cite actual numbers of identity theft victims from data breaches.

I realize it's difficult to know, and there's much room for error, but it seems to me there is currently no record -- even a bad one -- of this kind of information. It also gives those interested a place to follow up for more detail.

I have to think other people would be interested in these stories, too. To that end, I'd like to ask that if you come across any studies or articles (and if they're appropriate for this list) that you forward them on.
Otherwise, please feel free to send them to me.

Thanks a bunch,
sasha

From checking some of my notes, I know of the following:
- Choicepoint: 2900 (GAO-07-737)
- UnitedHealthcare: 155, http://www.networkworld.com/news/2008/060308-unitedhealthcare-data-breach-leads-to.html?code=nlsecuritynewsal142524
- And in aggregate, the 3 studies I listed in my WEIS paper (Table 2).

From david-scott at david-scott.net Sun Jul 13 22:57:47 2008
From: david-scott at david-scott.net (David Scott)
Date: Sun, 13 Jul 2008 17:57:47 -0500
Subject: [Dataloss] Keeping track of idtheft victims of breaches
In-Reply-To: <000e01c8e52f$22a23ae0$6601a8c0@sribm>
References: <000e01c8e52f$22a23ae0$6601a8c0@sribm>
Message-ID: <000b01c8e53b$df27d560$9d778020$@net>

Why don't you sign up for Google alerts? Pick your tags - then news articles, blog posts, etc. will be forwarded to your inbox based on your criteria.

I currently receive articles on:
Data theft
Data breach
Identity theft
... and several others - this is how I became aware of your e-mail.

Good luck.

David Scott
Author
I.T. Wars: Managing the Business-Technology Weave in the New Millennium
http://businessforum.com/DScott_02.html

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Sasha Romanosky
Sent: Sunday, July 13, 2008 4:27 PM
To: dataloss at attrition.org
Subject: [Dataloss] Keeping track of idtheft victims of breaches

Hey everyone,

I'd like to start keeping a record of those stories that cite actual numbers of identity theft victims from data breaches.

[...]

From macwheel99 at wowway.com Mon Jul 14 03:04:16 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Sun, 13 Jul 2008 22:04:16 -0500
Subject: [Dataloss] 4000 students ssn exposed in williamson county TN
In-Reply-To: <3245C77B52E7416C9829E5FFC1D1C84F@mkevhillpc>
References: <4876B9DE.6040009@knology.net> <3245C77B52E7416C9829E5FFC1D1C84F@mkevhillpc>
Message-ID: <6.2.1.2.1.20080713215837.0281ceb0@pop3.mail.wowway.com>

I am not a legal beagle, just a normal opinionated geek.

Minors are supposed to be guided by parents, teachers, etc. "it takes a village" to learn responsible behavior, but are not legally accountable for many things until they are adults, or penalties are muted for juveniles.

Like all of humanity, they can be victims, and they can be criminals.

With the permission of the adults who are responsible for minors, any number of services can be provided on their behalf.
It does not matter if juveniles or their adult supervisors are responsible or not, anyone can be a crime victim, and anyone can suffer the consequences of their records getting messed up, even though they themselves are blameless with respect to bad info in the records.

>Maybe you legal beagles out there can answer this. I think I know the
>answers to these questions, but want to see what others are saying.
>Can an identity theft services monitor minors?
>Are minors responsible for what happens to their credit, driving record,
>medical record, background/criminal record, SSN being altered or stolen?
>
>Thanks,
>Mike
>
>[...]

From macwheel99 at wowway.com Mon Jul 14 03:13:57 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Sun, 13 Jul 2008 22:13:57 -0500
Subject: [Dataloss] Keeping track of idtheft victims of breaches
In-Reply-To: <000e01c8e52f$22a23ae0$6601a8c0@sribm>
References: <000e01c8e52f$22a23ae0$6601a8c0@sribm>
Message-ID: <6.2.1.2.1.20080713220421.03d2ebc0@pop3.mail.wowway.com>

There are already several such efforts out there.
Perhaps your time could be better spent being a volunteer with attrition's open source data base of breaches.

There can be a large span of time between a breach, and the info used in id thefts. I believe the US Congress is trying to pass legislation to give that job to the Secret Service.

According to the FTC, one in seven Americans at some time in their lives, will be a victim of id theft ... what's the US population now ... about 350 million ... so that's 50 million names for the data base? Plus similar volumes from other nations.

Not all of those victims are due to data breaches ... there's also dumpster diving in garbage of ordinary people, proceeds from mugging, pickpockets, insider crime, etc.

A lot of identity theft victims don't have a clear knowledge of which of the many breaches, some of which they were never notified of, were responsible for them becoming victims. Sometimes when law enforcement captures some id theft criminals, they can back trace where they got the info, sometimes not.

Then many victims want to get their lives cleaned up, not become identified as a mark who was conned once, so is a potential victim for future con artists.

Al Macintyre

Sasha Romanosky wrote:
>Hey everyone,
>
>I'd like to start keeping a record of those stories that cite actual numbers
>of identity theft victims from data breaches.
>
>[...]

From Michael_McDermott at reyrey.com Mon Jul 14 13:02:30 2008
From: Michael_McDermott at reyrey.com (McDermott, Michael S)
Date: Mon, 14 Jul 2008 09:02:30 -0400
Subject: [Dataloss] 4000 students ssn exposed in williamson county TN
In-Reply-To: <3245C77B52E7416C9829E5FFC1D1C84F@mkevhillpc>
References: <4876B9DE.6040009@knology.net> <3245C77B52E7416C9829E5FFC1D1C84F@mkevhillpc>
Message-ID:

Michael,

In answer to your question, most identity theft services can monitor a minor's SSN and their credit report for any activity. Minors do suffer from identity theft in the same ways as the majority. In fact some of the most despicable identity theft occurs from unscrupulous parents when they max out their own personal credit "identity" and move on to the misuse of their child's. In these occasions the minor usually has to petition for a name change and a new SSN in order to obtain a fresh start as a member of the adult population.

So yes, minors do still carry the burden of cleaning up their credit, medical and criminal records as tarnished by the identity thief.

If available in your state, the strongest protection for your child's financial identity would be to request a freeze of their credit records until they reach majority status.
Again, the parents have to take a significant role to protect their children from criminal malfeasance.

Regards,

M McDermott CITRMS
Data Security Manager
Reynolds and Reynolds
Phone: 1 (937) 485-9829

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Michael Hill, CITRMS
Sent: Saturday, July 12, 2008 9:55 PM
To: Henry Brown; dataloss at attrition.org; lyger
Subject: Re: [Dataloss] 4000 students ssn exposed in williamson county TN

Maybe you legal beagles out there can answer this. I think I know the answers to these questions, but want to see what others are saying.

Can an identity theft services monitor minors?

Are minors responsible for what happens to their credit, driving record, medical record, background/criminal record, SSN being altered or stolen?

Thanks,
Mike

[...]
From tglassey at earthlink.net Tue Jul 15 00:31:06 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Mon, 14 Jul 2008 17:31:06 -0700
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]
References: <4874EF5D.4010504@strongauth.com>
Message-ID: <001701c8e612$145edc20$6401a8c0@tsg1>

Hey Arshad - didn't you have a list of the breaches at one time - I seem to recall it from the ISC list.

Todd

----- Original Message -----
From: "Arshad Noor"
To: "ekmi" ; ;
Sent: Wednesday, July 09, 2008 10:03 AM
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]

While I don't believe anyone has said this is a breach, for all we know the data has already been used for illegal uses. If it is classified as a breach, this will be the fourth largest one (behind TJX, CardSystems and Hannaford).

An excerpt from the article:

"Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports. On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007, according to information from the attorney general's office."

Do government officials know about open-source software and that it can do mission-critical things at far lower costs than commercial software?

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: [Dataloss] CO DMV data leakage issue(s)
Date: Wed, 09 Jul 2008 07:35:59 -0500
From: Henry Brown
To: dataloss at attrition.org

http://origin.denverpost.com/breakingnews/ci_9822063

DMV puts Coloradans at risk of ID theft
By Jessica Fender
The Denver Post
Article Last Updated: 07/09/2008 06:10:43 AM MDT

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers - some workers more than a year after their departure, auditors found.

[...]

Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," partly because the division is made up of a number of decentralized offices scattered across the state. No one person is responsible for security.

[...]

From arshad.noor at strongauth.com Tue Jul 15 02:41:40 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Mon, 14 Jul 2008 19:41:40 -0700
Subject: [Dataloss] [Fwd: CO DMV data leakage issue(s)]
In-Reply-To: <001701c8e612$145edc20$6401a8c0@tsg1>
References: <4874EF5D.4010504@strongauth.com> <001701c8e612$145edc20$6401a8c0@tsg1>
Message-ID: <487C0E64.6030204@strongauth.com>

That was 4-5 years ago, Todd. I stopped maintaining the list some years ago.

Arshad

TS Glassey wrote:
> Hey Arshad - didn't you have a list of the breaches at one time - I seem
> to recall it from the ISC list.
>
> Todd
>

From lyger at attrition.org Tue Jul 15 03:21:37 2008
From: lyger at attrition.org (lyger)
Date: Tue, 15 Jul 2008 03:21:37 +0000 (UTC)
Subject: [Dataloss] Open Security Foundation To Maintain Attrition.org's Data Loss Database - Open Source
Message-ID:

http://attrition.org/news/content/08-07-15.001.html

RICHMOND, VA, July 14, 2008 - The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database - Open Source (DLDOS) currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.

Attrition.org's Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project's core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records.

DataLossDB has become a recognized leader in the categorization of dataloss incidents over the past several years. In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement.

"We've worked hard to research, gather, and make this data open to the public," says Kelly Todd, one of the project leaders for DataLossDB. "Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information."

The Open Security Foundation's DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features.

DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project.

"For a data set as dynamic as this, it made sense to build it into a more user-driven format," states David Shettler, the lead developer for the Open Security Foundation. "With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers."

[...]

From d2d at attrition.org Tue Jul 15 16:04:57 2008
From: d2d at attrition.org (d2d)
Date: Tue, 15 Jul 2008 16:04:57 +0000 (UTC)
Subject: [Dataloss] TX: Personal records from Houston attorney's office found in trash dumpster
Message-ID:

http://www.khou.com/business/stories/khou080711_tj_recordsfound.57f842ba.html

Personal records from Houston attorney's office found in trash dumpster

HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.

[...]

From d2d at attrition.org Tue Jul 15 16:07:04 2008
From: d2d at attrition.org (d2d)
Date: Tue, 15 Jul 2008 16:07:04 +0000 (UTC)
Subject: [Dataloss] TX: SSN Numbers breached at UT
Message-ID:

http://www.kxan.com/Global/story.asp?S=8676383&nav=0s3d

SSN Numbers breached at UT

AUSTIN, TEXAS (KXAN) -- The personal information of almost 2500 University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than 5 dozen files containing confidential graduate applications, test scores, and social security numbers. The files were inadvertently posted by at least 4 different UT professors to a file server for the School of Biological Sciences.

[...]
From lyger at attrition.org Tue Jul 15 16:31:40 2008
From: lyger at attrition.org (lyger)
Date: Tue, 15 Jul 2008 16:31:40 +0000 (UTC)
Subject: [Dataloss] MO: Breach puts Mo. soldiers' personal data at risk
Message-ID:

http://www.stltoday.com/stltoday/news/stories.nsf/news/missouristatenews/story/ca0fe7785a2d8471862574870051f7fd?OpenDocument

The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached.

"I am distressed that sensitive information has been compromised," Major General King Sidwell said in a prepared statement released today. "I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a "full law enforcement investigation into the matter," the statement said.

[...]

From Terry.Miller at finra.org Tue Jul 15 16:37:46 2008
From: Terry.Miller at finra.org (Miller, Terry)
Date: Tue, 15 Jul 2008 12:37:46 -0400
Subject: [Dataloss] State law breach notification websites
Message-ID:

Does anyone know if there is a central listing of websites for breach notifications made pursuant to state laws? For example, here is Maryland's site: http://www.oag.state.md.us/idtheft/breacheNotices.htm. I was made aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html.

Terry

Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you

From bill.carter at thehartford.com Tue Jul 15 19:01:16 2008
From: bill.carter at thehartford.com (Carter, Bill (THIP, Corp))
Date: Tue, 15 Jul 2008 15:01:16 -0400
Subject: [Dataloss] State law breach notification websites
In-Reply-To:
References:
Message-ID: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod>

There are several pretty good sites that have an index to state breach notification laws. These two are pretty good.

http://privacylaw.proskauer.com/2007/12/articles/security-breach-notification-l/updated-breach-notification-laws/
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

________________________________
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry
Sent: Tuesday, July 15, 2008 12:38 PM
To: dataloss at attrition.org
Subject: [Dataloss] State law breach notification websites

Does anyone know if there is a central listing of websites for breach notifications made pursuant to state laws? For example, here is Maryland's site: http://www.oag.state.md.us/idtheft/breacheNotices.htm . I was made aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html .

Terry

[...]
If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080715/4a0c00ce/attachment.html From Terry.Miller at finra.org Tue Jul 15 19:06:23 2008 From: Terry.Miller at finra.org (Miller, Terry) Date: Tue, 15 Jul 2008 15:06:23 -0400 Subject: [Dataloss] State law breach notification websites In-Reply-To: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> Message-ID: Thanks Bill. I may not have been clear earlier. I was actually looking for links to sites which publish notifications made pursuant to state laws. I included as examples the sites hosted by MD and NH. I feel I have been on such sites for NY and CA but can't find them anymore. 
Are other users aware of such state sites? If so, I would appreciate any information or links you may have. Terry ________________________________ From: Carter, Bill (THIP, Corp) [mailto:bill.carter at thehartford.com] Sent: Tuesday, July 15, 2008 3:01 PM To: Miller, Terry; dataloss at attrition.org Subject: RE: [Dataloss] State law breach notification websites There are several pretty goods sites that have an index to state breach notification laws. These two are pretty good. http://privacylaw.proskauer.com/2007/12/articles/security-breach-notific ation-l/updated-breach-notification-laws/ http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry Sent: Tuesday, July 15, 2008 12:38 PM To: dataloss at attrition.org Subject: [Dataloss] State law breach notification websites Does anyone know if there is a central listing of websites for breach notifications made pursuant to state laws? For example, here is Maryland's site: http://www.oag.state.md.us/idtheft/breacheNotices.htm . I was made aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html . Terry Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. 
Thank you ************************************************************************ * This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************ * Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080715/331e7207/attachment.html From Joanne.McNabb at OISPP.ca.gov Tue Jul 15 19:32:16 2008 From: Joanne.McNabb at OISPP.ca.gov (McNabb, Joanne@OISPP) Date: Tue, 15 Jul 2008 12:32:16 -0700 Subject: [Dataloss] State law breach notification websites In-Reply-To: References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> Message-ID: Only a few of the state breach notice laws require reporting to a government agency: MD , NC, NH, NY, for sure. Those are the states that might have sites that publish notifications. 
Joanne McNabb, CIPP/G Chief, California Office of Privacy Protection ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry Sent: Tuesday, July 15, 2008 12:06 PM To: Carter, Bill (THIP, Corp); dataloss at attrition.org Subject: Re: [Dataloss] State law breach notification websites Thanks Bill. I may not have been clear earlier. I was actually looking for links to sites which publish notifications made pursuant to state laws. I included as examples the sites hosted by MD and NH. I feel I have been on such sites for NY and CA but can't find them anymore. Are other users aware of such state sites? If so, I would appreciate any information or links you may have. Terry ________________________________ From: Carter, Bill (THIP, Corp) [mailto:bill.carter at thehartford.com] Sent: Tuesday, July 15, 2008 3:01 PM To: Miller, Terry; dataloss at attrition.org Subject: RE: [Dataloss] State law breach notification websites There are several pretty goods sites that have an index to state breach notification laws. These two are pretty good. http://privacylaw.proskauer.com/2007/12/articles/security-breach-notific ation-l/updated-breach-notification-laws/ http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry Sent: Tuesday, July 15, 2008 12:38 PM To: dataloss at attrition.org Subject: [Dataloss] State law breach notification websites Does anyone know if there is a central listing of websites for breach notifications made pursuant to state laws? For example, here is Maryland's site: http://www.oag.state.md.us/idtheft/breacheNotices.htm . I was made aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html . 
Terry Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you ************************************************************************ * This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************ * Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. 
You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080715/809282d2/attachment-0001.html From evan.francen at gmail.com Tue Jul 15 19:36:08 2008 From: evan.francen at gmail.com (Evan Francen) Date: Tue, 15 Jul 2008 14:36:08 -0500 Subject: [Dataloss] State law breach notification websites In-Reply-To: References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> Message-ID: <530c940807151236ye009495vb67232fa9bc87d49@mail.gmail.com> Wisconsin is here: http://privacy.wi.gov/databreaches/databreaches.jsp. It is not the best resource, but it is something. Evan On Tue, Jul 15, 2008 at 2:06 PM, Miller, Terry wrote: > Thanks Bill. I may not have been clear earlier. I was actually looking for > links to sites which publish notifications made pursuant to state laws. I > included as examples the sites hosted by MD and NH. I feel I have been on > such sites for NY and CA but can't find them anymore. Are other users aware > of such state sites? If so, I would appreciate any information or links you > may have. > > Terry > ________________________________ > From: Carter, Bill (THIP, Corp) [mailto:bill.carter at thehartford.com] > Sent: Tuesday, July 15, 2008 3:01 PM > To: Miller, Terry; dataloss at attrition.org > Subject: RE: [Dataloss] State law breach notification websites > > There are several pretty goods sites that have an index to state breach > notification laws. These two are pretty good. 
> http://privacylaw.proskauer.com/2007/12/articles/security-breach-notification-l/updated-breach-notification-laws/ > > http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm > > > ________________________________ > From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] > On Behalf Of Miller, Terry > Sent: Tuesday, July 15, 2008 12:38 PM > To: dataloss at attrition.org > Subject: [Dataloss] State law breach notification websites > > Does anyone know if there is a central listing of websites for breach > notifications made pursuant to state laws? For example, here is Maryland's > site: http://www.oag.state.md.us/idtheft/breacheNotices.htm. I was made > aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html. > > Terry > > Confidentiality Notice: This email, including attachments, may include > non-public, proprietary, confidential or legally privileged information. If > you are not an intended recipient or an authorized agent of an intended > recipient, you are hereby notified that any dissemination, distribution or > copying of the information contained in or transmitted with this e-mail is > unauthorized and strictly prohibited. If you have received this email in > error, please notify the sender by replying to this message and permanently > delete this e-mail, its attachments, and any copies of it immediately. You > should not retain, copy or use this e-mail or any attachment for any > purpose, nor disclose all or any part of the contents to any other person. > Thank you > > > > ************************************************************************* > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the intended > recipient, any use, copying, disclosure, dissemination or distribution is > strictly prohibited. 
If you are not the intended recipient, please notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. > ************************************************************************* > > Confidentiality Notice: This email, including attachments, may include > non-public, proprietary, confidential or legally privileged information. If > you are not an intended recipient or an authorized agent of an intended > recipient, you are hereby notified that any dissemination, distribution or > copying of the information contained in or transmitted with this e-mail is > unauthorized and strictly prohibited. If you have received this email in > error, please notify the sender by replying to this message and permanently > delete this e-mail, its attachments, and any copies of it immediately. You > should not retain, copy or use this e-mail or any attachment for any > purpose, nor disclose all or any part of the contents to any other person. > Thank you > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > > -- Evan Francen, CISSP CCNP MCSE email: evan.francen at gmail.com From Brian.Krebs at washingtonpost.com Tue Jul 15 19:40:50 2008 From: Brian.Krebs at washingtonpost.com (Brian Krebs) Date: Tue, 15 Jul 2008 15:40:50 -0400 Subject: [Dataloss] State law breach notification websites References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> Message-ID: <93B614F1CE48574E92CA91735BFC5FB806A75008@WPNIXCHG.wpni.com> Wisconsin is another that publishes the data. I dont know about NC and NY though. 
http://privacy.wi.gov/databreaches/databreaches.jsp http://www.oag.state.md.us/idtheft/breacheNotices.htm http://doj.nh.gov/consumer/breaches.html Brian Krebs www.washingtonpost.com/securityfix 703-469-3162 (w) 703-989-0727 (c) ________________________________ From: dataloss-bounces at attrition.org on behalf of McNabb, Joanne at OISPP Sent: Tue 7/15/2008 3:32 PM To: Miller, Terry; Carter, Bill (THIP, Corp); dataloss at attrition.org Subject: Re: [Dataloss] State law breach notification websites Only a few of the state breach notice laws require reporting to a government agency: MD , NC, NH, NY, for sure. Those are the states that might have sites that publish notifications. Joanne McNabb, CIPP/G Chief, California Office of Privacy Protection ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry Sent: Tuesday, July 15, 2008 12:06 PM To: Carter, Bill (THIP, Corp); dataloss at attrition.org Subject: Re: [Dataloss] State law breach notification websites Thanks Bill. I may not have been clear earlier. I was actually looking for links to sites which publish notifications made pursuant to state laws. I included as examples the sites hosted by MD and NH. I feel I have been on such sites for NY and CA but can't find them anymore. Are other users aware of such state sites? If so, I would appreciate any information or links you may have. Terry ________________________________ From: Carter, Bill (THIP, Corp) [mailto:bill.carter at thehartford.com] Sent: Tuesday, July 15, 2008 3:01 PM To: Miller, Terry; dataloss at attrition.org Subject: RE: [Dataloss] State law breach notification websites There are several pretty goods sites that have an index to state breach notification laws. These two are pretty good. 
http://privacylaw.proskauer.com/2007/12/articles/security-breach-notification-l/updated-breach-notification-laws/ http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry Sent: Tuesday, July 15, 2008 12:38 PM To: dataloss at attrition.org Subject: [Dataloss] State law breach notification websites Does anyone know if there is a central listing of websites for breach notifications made pursuant to state laws? For example, here is Maryland's site: http://www.oag.state.md.us/idtheft/breacheNotices.htm . I was made aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html . Terry Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. 
************************************************************************* Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080715/99cd8c2a/attachment.html From mcarlson at idanalytics.com Tue Jul 15 19:44:37 2008 From: mcarlson at idanalytics.com (Carlson, Michael) Date: Tue, 15 Jul 2008 12:44:37 -0700 Subject: [Dataloss] State law breach notification websites In-Reply-To: <530c940807151236ye009495vb67232fa9bc87d49@mail.gmail.com> References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> <530c940807151236ye009495vb67232fa9bc87d49@mail.gmail.com> Message-ID: <009261C53A091341BAF8CE8B1F073BE201B9CEB1@ida021.idanalytics.net> http://www.loudsiren.com/security-breach.aspx Notification Laws by state available on this site. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Evan Francen Sent: Tuesday, July 15, 2008 12:36 PM To: Miller, Terry Cc: dataloss at attrition.org Subject: Re: [Dataloss] State law breach notification websites Wisconsin is here: http://privacy.wi.gov/databreaches/databreaches.jsp. It is not the best resource, but it is something. 
Evan On Tue, Jul 15, 2008 at 2:06 PM, Miller, Terry wrote: > Thanks Bill. I may not have been clear earlier. I was actually looking for > links to sites which publish notifications made pursuant to state laws. I > included as examples the sites hosted by MD and NH. I feel I have been on > such sites for NY and CA but can't find them anymore. Are other users aware > of such state sites? If so, I would appreciate any information or links you > may have. > > Terry > ________________________________ > From: Carter, Bill (THIP, Corp) [mailto:bill.carter at thehartford.com] > Sent: Tuesday, July 15, 2008 3:01 PM > To: Miller, Terry; dataloss at attrition.org > Subject: RE: [Dataloss] State law breach notification websites > > There are several pretty goods sites that have an index to state breach > notification laws. These two are pretty good. > http://privacylaw.proskauer.com/2007/12/articles/security-breach-notific ation-l/updated-breach-notification-laws/ > > http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm > > > ________________________________ > From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] > On Behalf Of Miller, Terry > Sent: Tuesday, July 15, 2008 12:38 PM > To: dataloss at attrition.org > Subject: [Dataloss] State law breach notification websites > > Does anyone know if there is a central listing of websites for breach > notifications made pursuant to state laws? For example, here is Maryland's > site: http://www.oag.state.md.us/idtheft/breacheNotices.htm. I was made > aware of New Hampshire's: http://doj.nh.gov/consumer/breaches.html. > > Terry > > Confidentiality Notice: This email, including attachments, may include > non-public, proprietary, confidential or legally privileged information. 
If > you are not an intended recipient or an authorized agent of an intended > recipient, you are hereby notified that any dissemination, distribution or > copying of the information contained in or transmitted with this e-mail is > unauthorized and strictly prohibited. If you have received this email in > error, please notify the sender by replying to this message and permanently > delete this e-mail, its attachments, and any copies of it immediately. You > should not retain, copy or use this e-mail or any attachment for any > purpose, nor disclose all or any part of the contents to any other person. > Thank you > > > > ************************************************************************ * > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the intended > recipient, any use, copying, disclosure, dissemination or distribution is > strictly prohibited. If you are not the intended recipient, please notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. > ************************************************************************ * > > Confidentiality Notice: This email, including attachments, may include > non-public, proprietary, confidential or legally privileged information. If > you are not an intended recipient or an authorized agent of an intended > recipient, you are hereby notified that any dissemination, distribution or > copying of the information contained in or transmitted with this e-mail is > unauthorized and strictly prohibited. If you have received this email in > error, please notify the sender by replying to this message and permanently > delete this e-mail, its attachments, and any copies of it immediately. You > should not retain, copy or use this e-mail or any attachment for any > purpose, nor disclose all or any part of the contents to any other person. 
> Thank you > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > > -- Evan Francen, CISSP CCNP MCSE email: evan.francen at gmail.com _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From chris at cwalsh.org Tue Jul 15 20:21:40 2008 From: chris at cwalsh.org (Chris Walsh) Date: Tue, 15 Jul 2008 15:21:40 -0500 Subject: [Dataloss] State law breach notification websites In-Reply-To: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> References: <9AA40A7B5375A4479054AB07F8A4E92403D23E9F@AD1HFDEXC305.ad1.prod> Message-ID: I think the question is about sites with the actual notices, not sites that list the states' laws. I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won't do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG's site. Unless I missed any, those are all the states with central reporting. I personally have several hundred notices to NY and NC that I am slowly scanning and making available. Unfortunately, my site is off the net for probably a couple weeks. 
Is your interest primarily in the notices, Terry, or is your interest in knowing which state governments (as opposed to individuals, etc) put the information on-line? On Tue, Jul 15, 2008 at 2:01 PM, Carter, Bill (THIP, Corp) < bill.carter at thehartford.com> wrote: > There are several pretty goods sites that have an index to state breach > notification laws. These two are pretty good. > http://privacylaw.proskauer.com/2007/12/articles/security-breach-notification-l/updated-breach-notification-laws/ > > http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm > > > > ------------------------------ > *From:* dataloss-bounces at attrition.org [mailto: > dataloss-bounces at attrition.org] *On Behalf Of *Miller, Terry > *Sent:* Tuesday, July 15, 2008 12:38 PM > *To:* dataloss at attrition.org > *Subject:* [Dataloss] State law breach notification websites > > Does anyone know if there is a central listing of websites for breach > notifications made pursuant to state laws? For example, here is Maryland's > site: *http://www.oag.state.md.us/idtheft/breacheNotices.htm*. > I was made aware of New Hampshire's: * > http://doj.nh.gov/consumer/breaches.html* > . > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080715/b316e4e5/attachment.html From jericho at attrition.org Wed Jul 16 08:30:12 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 16 Jul 2008 08:30:12 +0000 (UTC) Subject: [Dataloss] Security breach affects patients Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.news-record.com/content/2008/07/16/article/security_breach_affects_patients By Ryan Seals Staff Writer News & Record July 16, 2008 GREENSBORO - Patients at a Greensboro doctors' office have been notified that their personal information ? including Social Security numbers and addresses - was stolen in May. 
In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren't postmarked until July 9.

The medical practice said a backup tape of patient information was stolen May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.

The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.

[...]

From lyger at attrition.org Wed Jul 16 11:43:17 2008 From: lyger at attrition.org (lyger) Date: Wed, 16 Jul 2008 11:43:17 +0000 (UTC) Subject: [Dataloss] IN: ISU: Laptop with students' info stolen Message-ID:

http://www.tribstar.com/news/local_story_197221932.html

A password-protected laptop computer containing personal information for an estimated 2,500 or more current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals. The information includes names, grades, e-mail addresses and student identification numbers. Beginning in 2003, use of Social Security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.

[...]
From jericho at attrition.org Thu Jul 17 00:24:57 2008 From: jericho at attrition.org (security curmudgeon) Date: Thu, 17 Jul 2008 00:24:57 +0000 (UTC) Subject: [Dataloss] fringe: Open source laptop tracking Message-ID:

---------- Forwarded message ----------
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

I know some people who are going to be really upset by this, but personally, I'm delighted:

Researchers at the University of Washington and the University of California, San Diego, launched a new laptop tracking service, called Adeona, that is free and private. Once downloaded onto a laptop, the software starts anonymously sending encrypted notes about the computer's whereabouts to servers on the Internet. If the laptop ever goes missing, the user downloads another program, enters a username and password, and then picks up this information from the servers, a free storage service called OpenDHT. (The Mac version of Adeona even uses a freeware program called isightcapture to take a snapshot of whomever is using the computer.) Adeona provides the IP address that it last used as well as data on nearby routers. Armed with that information, law enforcement could track down the criminal. Because Adeona ships with an open-source license, anyone can take the code and improve it or even sell it. The researchers say they're hoping that software developers will build all kinds of new features such as Global Positioning System-aware tracking systems for new platforms such as the iPhone. Later this month, the Adeona team will give a technical presentation at the Usenix Security Symposium in San Jose.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9110128&taxonomyId=17&intsrc=kc_top

http://adeona.cs.washington.edu/

From arshad.noor at strongauth.com Thu Jul 17 01:05:15 2008 From: arshad.noor at strongauth.com (Arshad Noor) Date: Wed, 16 Jul 2008 18:05:15 -0700 Subject: [Dataloss] fringe: Open source laptop tracking In-Reply-To: References: Message-ID: <487E9ACB.7020601@strongauth.com>

Am I the only one who believes that an attacker (who is after the data) with half-a-brain is going to make sure that the first time they boot up a stolen laptop, they're NOT going to put it on the internet, and they're going to disable any radio for wireless communications? (Laptop companies have to provide an external radio switch I imagine so that there is confirmation of the radio being OFF inside an airplane - I'm not sure how the iPhone gets away with a software switch since we all know software can be buggy and the radio may not go off despite a visible indication that it is off - but that's another discussion.)

Alternatively, the attacker could boot off of a Linux CD and then copy the entire hard-disk contents (or what was most interesting) and then blow away everything on the hard-disk to reclaim the HW. In both cases, they have the HW and the data without anything "calling home" to give away GPS positions or IP addresses of the machine.

So, why do people think that this is an effective counter-measure against data-theft? How long do they anticipate this to work? And with which type of attacker? I've read examples of attacks that go beyond anything most IT developers - or even security developers - are capable of in the marketplace today, so who is this expected to deter? The guy who broke into your car to get the hub-caps and radio, but got the laptop instead?

Very puzzled.....

Arshad Noor
StrongAuth, Inc.
From davi at poetry.org Thu Jul 17 01:22:25 2008
From: davi at poetry.org (Davi Ottenheimer)
Date: Wed, 16 Jul 2008 18:22:25 -0700 (PDT)
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <487E9ACB.7020601@strongauth.com>
Message-ID: <809572.63010.qm@web32407.mail.mud.yahoo.com>

Actually, you give the perps far more credit than deserved (so far). There are some documented cases of laptops being recovered specifically because the thief not only connected to the net but allowed remote control and enabled the camera so investigators could take pictures of them. I would look at this more like just one method of many that would help catch a majority of criminals.

I don't have the links handy or I'd send some example cases, sorry.

Davi

Arshad Noor wrote:
> [...]
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

From davi at poetry.org Thu Jul 17 01:30:35 2008
From: davi at poetry.org (Davi Ottenheimer)
Date: Wed, 16 Jul 2008 18:30:35 -0700 (PDT)
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <809572.63010.qm@web32407.mail.mud.yahoo.com>
Message-ID: <35197.59009.qm@web32408.mail.mud.yahoo.com>

Here's an example: http://www.mercurynews.com/mikecassidy/ci_9537933

My favorite part is how they use the data entered by the thief into dating sites to profile him. Makes me wonder how many dating/social networking sites use ssl for personal data like height, weight, hair color...?

Davi

Davi Ottenheimer wrote:
> [...]
From netsecurity at sound-by-design.com Thu Jul 17 03:01:15 2008
From: netsecurity at sound-by-design.com (Allen)
Date: Wed, 16 Jul 2008 20:01:15 -0700
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <487E9ACB.7020601@strongauth.com>
References: <487E9ACB.7020601@strongauth.com>
Message-ID: <487EB5FB.90502@sound-by-design.com>

Arshad,

I don't think your analysis, which I agree with, goes far enough.

1) Steal laptop.
2) Remove battery.
3) Remove HD.
4) Use HD cloning software such as Apricorn - hardware and software only $40 - and clone to any HD that is laying about
5) Mount clone as USB attached to a desktop
6) Attach old HD as USB attached and wipe old HD with DBAN or similar tool
7) Use Aloha Bob or equivalent to selectively migrate OS and basic productivity software such as Office from clone.
8) Remount HD in laptop
9) Sell the sucker.

Best,

Allen

Arshad Noor wrote:
> [...]

From Brian.Krebs at washingtonpost.com Thu Jul 17 03:18:09 2008
From: Brian.Krebs at washingtonpost.com (Brian Krebs)
Date: Wed, 16 Jul 2008 23:18:09 -0400
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com>
Message-ID: <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>

My big question is, assuming for a minute you can actually zero in on the person who stole your machine (what about crowded living areas, like apartment buildings), what is the likelihood you'll be able to get the police to knock on someone's door with that evidence?

Doesn't seem all that bloody likely to me. Seems like it increases the chance that people running this software will confront the thief on their own and possibly put themselves in a very compromising situation.
Brian Krebs
www.washingtonpost.com/securityfix
703-469-3162 (w)
703-989-0727 (c)

________________________________

From: dataloss-bounces at attrition.org on behalf of Allen
Sent: Wed 7/16/2008 11:01 PM
To: Arshad Noor
Cc: security curmudgeon; ST-ISC at MAIL.ABANET.ORG; ekmi; dataloss at attrition.org
Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From lyger at attrition.org Thu Jul 17 03:46:42 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jul 2008 03:46:42 +0000 (UTC)
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com> <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
Message-ID:

My 0.76 cents (adjusted for inflation):

For the most part, I think any type of "tracking device" that relies on internet access is a sham. To assume that every stolen laptop will be connected to the internet, either by wire or wireless, is just that... an assumption. Certain companies are banking on this assumption, and it wouldn't hurt my feelings at all to see them fail.
With that said, I'm also under the impression that most jerks who steal a laptop probably fall into at least one of the following categories:

1. They don't know (or care) what data is on the laptop
2. They don't know what Apricorn, Knoppix, or F.I.R.E. are, let alone know how to boot to a Linux CD or even know what "ls -al" means
3. If they need to steal a laptop, they probably can't afford internet access (OK, that's probably a trolling point...)
4. Even if they watched Mission Impossible 3, see #1 and #2.

Realistically, laptop tracking seems to be a "nothing" industry as far as data loss is concerned. Is your average thief able to access the data if the hard drive isn't encrypted? Sure. Is it very likely? Not so much. It seems to be more about hardware recovery than "is data at risk?".

On Wed, 16 Jul 2008, Brian Krebs wrote:

: [...]

From arshad.noor at strongauth.com Thu Jul 17 03:35:05 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 16 Jul 2008 20:35:05 -0700
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <487EB5FB.90502@sound-by-design.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com>
Message-ID: <487EBDE9.2020901@strongauth.com>

You've got this down to a science, Allen. Makes me glad you're on my side of the game.

Arshad :-)

Allen wrote:
> [...]

From mhozven at tealeaf.com Thu Jul 17 03:40:44 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Wed, 16 Jul 2008 20:40:44 -0700
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com> <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
Message-ID: <771A26039D33ED489E23D9614DE630DD08E0B3BC@SFMAIL02.tealeaf.com>

If you could narrow it down to the person who owns that IP address, maybe you could file a police report, then sue the person in small claims court.
Presented with a court summons, maybe they'd just turn over the laptop (saying they bought it used, not knowing it was stolen) and case dismissed.... -Max ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Brian Krebs Sent: Wednesday, July 16, 2008 8:18 PM To: Allen; Arshad Noor Cc: security curmudgeon; dataloss at attrition.org; ekmi; ST-ISC at MAIL.ABANET.ORG Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking My big question is, assuming for a minute you can actually zero in on the person who stole your machine (what about crowded living areas, like apartment buildings), what is the likelihood you'll be able to get the police to knock on someone's door with that evidence? Doesn't seem all that bloodly likely to me. Seems like it increases the chance that people running this software will confront the thief on their own and possibly put themselves in a very compromising situation. Brian Krebs www.washingtonpost.com/securityfix 703-469-3162 (w) 703-989-0727 (c) ________________________________ From: dataloss-bounces at attrition.org on behalf of Allen Sent: Wed 7/16/2008 11:01 PM To: Arshad Noor Cc: security curmudgeon; ST-ISC at MAIL.ABANET.ORG; ekmi; dataloss at attrition.org Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking Arshad, I don't think you analysis, which I agree with, goes far enough. 1) Steal laptop. 2) Remove battery. 3) Remove HD. 4) Use HD cloning software such as Apricorn - hardware and software only $40 - and clone to any HD that is laying about 5) Mount clone as USB attached to a desktop 6) Attach old HD as USB attached and wipe old HD with DBAN or similar tool 7) Use Aloha Bob or equivalent to selectively migrate OS and basic productivity software such as Office from clone. 8) Remount HD in laptop 9) Sell the sucker. 
Best, Allen Arshad Noor wrote: > Am I the only one who believes that an attacker (who is after > the data) with half-a-brain is going to make sure that the first > time they boot up a stolen laptop, they're NOT going to put it on > the internet, and they're going to disable any radio for wireless > communications. (Laptop companies have to provide an external > radio switch I imagine so that there is confirmation of the radio > being OFF inside an airplane - I'm not sure how the iPhone gets > away with a software switch since we all know software can be > buggy and the radio may not go off despite a visible indication > that it is off - but that's another discussion. > > Alternatively, the attacker could boot off of a Linux CD and then > copy the entire hard-disk contents (or what was most interesting) > and then blow away everything on the hard-disk to reclaim the HW. > > In both cases, they have the HW and the data without anything > "calling home" to give away GPS positions or IP addresses of the > machine. So, why do people think that this is an effective > counter-measure against data-theft? How long do they anticipate > this to work? And with which type of attacker? I've read examples > of attacks that go beyond anything most IT developers - or even > security developers - are capable of in the marketplace today, so > who is this expected to deter? The guy who broke into your car > to get the hub-caps and radio, but got the laptop instead? > > Very puzzled..... > > Arshad Noor > StrongAuth, Inc. > > security curmudgeon wrote: >> >> >> ---------- Forwarded message ---------- >> From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" >> >> I know some people who are going to be really upset by this, but >> personally, I'm delighted: >> >> Researchers at the University of Washington and the University of >> California, San Diego, launched a new laptop tracking service, called >> Adeona, that is free and private. 
Once downloaded onto a laptop, the >> software starts anonymously sending encrypted notes about the >> computer's whereabouts to servers on the Internet. If the laptop ever >> goes missing, the user downloads another program, enters a username >> and password, and then picks up this information from the servers, a >> free storage service called OpenDHT. (The Mac version of Adeona even >> uses a freeware program called isightcapture to take a snapshot of >> whomever is using the computer.) Adeona provides the IP address that >> it last used as well as data on nearby routers. Armed with that >> information, law enforcement could track down the criminal. Because >> Adeona ships with an open-source license, anyone can take the code and >> improve it or even sell it. The researchers say they're hoping that >> software developers will build all kinds of new features such as >> Global Positioning System-aware tracking systems for new platforms >> such as the iPhone. Later this month, the Adeona team will give a >> technical presentation at the Usenix Security Symposium in San Jose. >> >> http://www.computerworld.com/action/article.do?command=viewArticleBasic& taxonomyName=security&articleId=9110128&taxonomyId=17&intsrc=kc_top >> >> >> http://adeona.cs.washington.edu/ > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! 
http://www.tenablesecurity.com/products/compliance.shtml

From eric.dickinson at nih.gov Thu Jul 17 10:24:19 2008
From: eric.dickinson at nih.gov (Eric K. Dickinson)
Date: Thu, 17 Jul 2008 06:24:19 -0400
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <487EB5FB.90502@sound-by-design.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com>
Message-ID: <487F1DD3.9070402@nih.gov>

Will it work in every case? No
Will it recover some hardware? Probably
Will it protect your data? Not at all.

Come on, it is a free little service that may be the only chance to recover some fairly expensive hardware. Sort of like that Lo Jack thing for your car. A real professional thief will get your car. But still it gets people their car back (heedless of condition) around 70% of the time.

To protect your data, you WILL need to encrypt it or better yet, not store it on your laptop.

eric

Allen wrote:
> Arshad,
>
> I don't think your analysis, which I agree with, goes far enough.
>
> 1) Steal laptop.
> 2) Remove battery.
> 3) Remove HD.
> 4) Use HD cloning software such as Apricorn - hardware and software
>    only $40 - and clone to any HD that is laying about
> 5) Mount clone as USB attached to a desktop
> 6) Attach old HD as USB attached and wipe old HD with DBAN or
>    similar tool
> 7) Use Aloha Bob or equivalent to selectively migrate OS and basic
>    productivity software such as Office from clone.
> 8) Remount HD in laptop
> 9) Sell the sucker.
--
There's nothing better for the inside of a man than the outside of a horse.
Ronald Reagan

From sovrevage at gmail.com Thu Jul 17 12:00:51 2008
From: sovrevage at gmail.com (Stian Øvrevåge)
Date: Thu, 17 Jul 2008 14:00:51 +0200
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <487EB5FB.90502@sound-by-design.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com>
Message-ID:

On Thu, Jul 17, 2008 at 5:01 AM, Allen wrote:
> Arshad,
>
> I don't think your analysis, which I agree with, goes far enough.
>
> 1) Steal laptop.
> 2) Remove battery.
> 3) Remove HD.
> 4) Use HD cloning software such as Apricorn - hardware and software
>    only $40 - and clone to any HD that is laying about
> 5) Mount clone as USB attached to a desktop
> 6) Attach old HD as USB attached and wipe old HD with DBAN or
>    similar tool
> 7) Use Aloha Bob or equivalent to selectively migrate OS and basic
>    productivity software such as Office from clone.
> 8) Remount HD in laptop
> 9) Sell the sucker.
>
> Best,
>
> Allen
>

With expertise like this the thief could probably get by doing something other than jacking laptops.

Without having done any research I believe that data loss like this, in most cases, is an unfortunate side-effect of hardware theft. The thief's objective is not the data stored on the device but the device itself. It simply isn't economical for most thieves to do this:

1. Expensive in both time and competence.
2. Not the thief's problem if data leaks.
3. It is easy to figure what kind of sensitive and valuable data is stored on servers, not so easy on laptops. Thief either has to do some hefty recon-work or steal many laptops to get what he is after.
4. Thief has to have a contact-network that allows him to resell specific data to a very limited customer-base, compared to generic hardware which everyone can use.

So yes, I do believe that this will help in many cases. And if you bother doing this you also bother encrypting your data so that shouldn't really be an issue.

BRgds,

--
Stian Øvrevåge

From brian.honan at bhconsulting.ie Thu Jul 17 12:55:39 2008
From: brian.honan at bhconsulting.ie (Brian Honan)
Date: Thu, 17 Jul 2008 13:55:39 +0100
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com> <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
Message-ID:

Brian

As has been pointed out this type of technology does nothing to protect your data and provides some recourse to recover the physical device if and when it connects to the Internet.

Indeed in some countries you may have to carefully consider the legal and privacy implications of using such technology. The Data Privacy laws in some European countries may restrict the use of such technology - this is something that I have yet to research into further though. In a similar vein some police forces may not be able to act on the information you provide to them.

The most useful application I have seen for this type of technology is recovering computers stolen by employees. I know of one company that installed similar technology onto laptops given out to employees and as a result saw the number of "lost laptops" reduce. They discovered that staff were reporting their laptop had been stolen or lost but in actual fact were keeping the laptop for their own use.
Of course this measure may only be effective until employees realise how the company is tracking their laptops and simply follow some of the steps outlined in an earlier email to remove the software from it.

Regards

Brian
BH Consulting

_____

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Brian Krebs
Sent: 17 July 2008 04:18
To: Allen; Arshad Noor
Cc: security curmudgeon; dataloss at attrition.org; ekmi; ST-ISC at MAIL.ABANET.ORG
Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking

My big question is, assuming for a minute you can actually zero in on the person who stole your machine (what about crowded living areas, like apartment buildings), what is the likelihood you'll be able to get the police to knock on someone's door with that evidence? Doesn't seem all that bloody likely to me. Seems like it increases the chance that people running this software will confront the thief on their own and possibly put themselves in a very compromising situation.

Brian Krebs
www.washingtonpost.com/securityfix
703-469-3162 (w)
703-989-0727 (c)

_____

From: dataloss-bounces at attrition.org on behalf of Allen
Sent: Wed 7/16/2008 11:01 PM
To: Arshad Noor
Cc: security curmudgeon; ST-ISC at MAIL.ABANET.ORG; ekmi; dataloss at attrition.org
Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking

[...]
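An added illustration (my own toy model in Python, not Adeona's code and not part of the original thread) of the property the forwarded article calls "anonymous" and "private": every report goes to a fresh, unlinkable index under a fresh key derived from a hash chain whose old seeds are discarded, so the owner can walk forward from a username and password, while a seed copied off a cloned or live-booted drive yields only future indices and none of the earlier notes. The PBKDF2 root seed, the HMAC ratchet, the HMAC-based cipher and the dict standing in for OpenDHT are all assumptions.

```python
"""Toy model of Adeona-style 'anonymous encrypted notes' (added illustration, not Adeona's code).

Assumptions: PBKDF2 root seed from the owner's credentials, an HMAC-SHA256 hash-chain
ratchet per report, an HMAC-based stream cipher with a MAC, and a dict standing in for OpenDHT.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as the pseudorandom function behind every derivation below."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy construction, assumption)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("tag mismatch: wrong key or tampered note")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def seed_from_credentials(username: str, password: str) -> bytes:
    """The owner's username/password are the only long-term secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)


def epoch_material(seed: bytes) -> tuple:
    """One seed yields the DHT index, the note key, and the seed for the next report.

    Indices look random to the DHT and to anyone watching it, so notes from one laptop
    cannot be linked together without the seed: that is the 'anonymous' property.
    """
    return _prf(seed, b"index").hex(), _prf(seed, b"key"), _prf(seed, b"ratchet")


class Laptop:
    """Client side: holds only the *current* seed and overwrites it after each report."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def report(self, dht: dict, note: dict) -> str:
        index, note_key, self.seed = epoch_material(self.seed)  # old seed is gone
        dht[index] = encrypt(note_key, json.dumps(note).encode())
        return index


def owner_retrieve(dht: dict, username: str, password: str, max_epochs: int = 1000) -> list:
    """The owner re-derives the root seed and walks the chain forward until the first gap."""
    seed, notes = seed_from_credentials(username, password), []
    for _ in range(max_epochs):
        index, note_key, seed = epoch_material(seed)
        if index not in dht:
            break
        notes.append(json.loads(decrypt(note_key, dht[index])))
    return notes


def indices_derivable_from(seed: bytes, dht: dict, max_epochs: int = 1000) -> list:
    """What a copy of the on-disk seed (e.g. from a cloned drive) lets someone locate:
    only future epochs, so past whereabouts stay private. The files on that same
    drive, of course, get no protection from any of this."""
    found = []
    for _ in range(max_epochs):
        index, _key, seed = epoch_material(seed)
        if index in dht:
            found.append(index)
    return found


def demo() -> tuple:
    """Three reports, then the drive is cloned: the owner reads all three, the clone reveals none."""
    dht = {}  # constructed stand-in for OpenDHT
    creds = ("alice", "correct horse battery staple")  # constructed sample credentials
    laptop = Laptop(seed_from_credentials(*creds))
    for note in ({"ip": "198.51.100.23", "router": "gw-1"},   # constructed notes using
                 {"ip": "198.51.100.23", "router": "gw-1"},   # documentation-only
                 {"ip": "203.0.113.7", "router": "cafe-ap"}):  # address ranges
        laptop.report(dht, note)
    return owner_retrieve(dht, *creds), indices_derivable_from(laptop.seed, dht), len(dht)
```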
From matthew.rosenquist at intel.com Thu Jul 17 16:57:56 2008
From: matthew.rosenquist at intel.com (Rosenquist, Matthew)
Date: Thu, 17 Jul 2008 10:57:56 -0600
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To:
References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com> <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com>
Message-ID: <081862C1A509A14D94C18F3A45333F5B04FFA330@rrsmsx503.amr.corp.intel.com>

We may be missing the bigger point, as security is both technical as well as behavioral.

Yes, it is obvious this technology in its current state can easily be undermined by a determined attacker. But will it be a deterrence? Will it affect the casual laptop theft? Will it give pause to people buying questionable laptops at the flea markets or from shady vendors? Will it make laptops less attractive targets to thieves looking for any means of a quick buck? Can it affect the resale economy of such 'hot' merchandise? Will it give employees a second thought about swiping extra equipment for personal use?

Maybe. This technology increases the risk of being caught. If so, it will have an overall positive benefit.

We all know an effective security program does not need to provide real security. We have locks on our home doors which are a joke to anyone who has the intention of getting into your house. But it does help. It thwarts opportunistic attacks where the thief is looking for the path of least resistance to reach their goals. If your house is locked and the next house is not, then there is a good chance your neighbor will be the one victimized.
I see this technology, which could be evolved into something great eventually, as similar to engraving laptops with "Property of XXX company" or something obviously not easily resold or used in the open. It is a deterrent and lowers the target-attractiveness factor.

I don't have any data handy, but last I read, most laptops are not stolen for their data. Rather it is the hardware itself which is valued.

Matthew Rosenquist
Security Strategist
Intel Corporation
Matthew.Rosenquist at Intel.com
(916) 356-4882

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Brian Honan
Sent: Thursday, July 17, 2008 5:56 AM
To: 'Brian Krebs'; 'Allen'; 'Arshad Noor'
Cc: 'security curmudgeon'; ST-ISC at MAIL.ABANET.ORG; 'ekmi'; dataloss at attrition.org
Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking

[...]
From arshad.noor at strongauth.com Thu Jul 17 17:09:48 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Thu, 17 Jul 2008 13:09:48 -0400 (EDT)
Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking
In-Reply-To: <081862C1A509A14D94C18F3A45333F5B04FFA330@rrsmsx503.amr.corp.intel.com>
Message-ID: <8017176.3981216314588224.JavaMail.root@gw.noorhome.net>

I don't disagree with the points you make, Matthew. The problem is that it will not stop the theft of laptops, but will force the theft of laptops to become part of a professional operation.

During the prohibition, people bought liquor when it was illegal. I understand the market for illegal narcotics is at its highest levels despite it being against the law. As long as there are cheap laptops available for sale somewhere, some people will buy them. Maybe not on eBay, but definitely where credit-card numbers and social-security numbers are being sold (who knows, if a laptop is engraved with "Bank of Something or the Other", it might even fetch a higher price!).

Technologies such as these (the "phone-home" feature) give the false impression that they will deter thieves. It will not. The automobile industry is a telling example. Despite car locks, ignition locks, car alarms, lo-jacks and RFID - cars get stolen. People get careless, or they relax too much relying on such technologies to protect them.

While I will not deny their basic usefulness, it is far better for people to be vigilant and protect what is more important (the data) than rely on technology like this to somehow change the behavior of attackers.

Arshad Noor
StrongAuth, Inc.
----- Original Message -----
From: "Matthew Rosenquist"
To: "brian honan", "Brian Krebs", "Allen", "Arshad Noor"
Cc: "security curmudgeon", ST-ISC at MAIL.ABANET.ORG, "ekmi", dataloss at attrition.org
Sent: Thursday, July 17, 2008 9:57:56 AM (GMT-0800) America/Los_Angeles
Subject: RE: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking

[...]

From tglassey at earthlink.net Thu Jul 17 17:34:16 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Thu, 17 Jul 2008 10:34:16 -0700
Subject: [Dataloss] Security breach affects patients
References:
Message-ID: <014d01c8e833$5b2e0d60$0200a8c0@tsg1>

There is a follow-up - http://www.news-record.com/content/2008/07/16/article/47000_patients_affected_by_theft - and the number of patient records is now listed at 47000.
Todd Glassey ----- Original Message ----- From: "security curmudgeon" To: Sent: Wednesday, July 16, 2008 1:30 AM Subject: [Dataloss] Security breach affects patients ---------- Forwarded message ---------- From: InfoSec News http://www.news-record.com/content/2008/07/16/article/security_breach_affects_patients By Ryan Seals Staff Writer News & Record July 16, 2008 GREENSBORO - Patients at a Greensboro doctors' office have been notified that their personal information ? including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren?t postmarked until July 9. The medical practice said a backup tape of patient information was stolen May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members. [...] No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.138 / Virus Database: 270.4.11/1554 - Release Date: 7/15/2008 6:03 PM -------------------------------------------------------------------------------- > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! 
> http://www.tenablesecurity.com/products/compliance.shtml > From tglassey at earthlink.net Thu Jul 17 17:35:58 2008 From: tglassey at earthlink.net (TS Glassey) Date: Thu, 17 Jul 2008 10:35:58 -0700 Subject: [Dataloss] fringe: Open source laptop tracking References: <487E9ACB.7020601@strongauth.com> Message-ID: <015301c8e833$94e71f10$0200a8c0@tsg1> If the party who stole that laptop is smart - they will pull the drive from the system, image it and return the new image to the system. Then they have the original image to play with on a forensic drive reader or just an imager. Todd Glassey ----- Original Message ----- From: "Arshad Noor" To: "security curmudgeon" Cc: ; "ekmi" ; Sent: Wednesday, July 16, 2008 6:05 PM Subject: Re: [Dataloss] fringe: Open source laptop tracking Am I the only one who believes that an attacker (who is after the data) with half-a-brain is going to make sure that the first time they boot up a stolen laptop, they're NOT going to put it on the internet, and they're going to disable any radio for wireless communications. (Laptop companies have to provide an external radio switch I imagine so that there is confirmation of the radio being OFF inside an airplane - I'm not sure how the iPhone gets away with a software switch since we all know software can be buggy and the radio may not go off despite a visible indication that it is off - but that's another discussion. Alternatively, the attacker could boot off of a Linux CD and then copy the entire hard-disk contents (or what was most interesting) and then blow away everything on the hard-disk to reclaim the HW. In both cases, they have the HW and the data without anything "calling home" to give away GPS positions or IP addresses of the machine. So, why do people think that this is an effective counter-measure against data-theft? How long do they anticipate this to work? And with which type of attacker? 
I've read examples of attacks that go beyond anything most IT developers - or even security developers - are capable of in the marketplace today, so who is this expected to deter? The guy who broke into your car to get the hub-caps and radio, but got the laptop instead? Very puzzled..... Arshad Noor StrongAuth, Inc. security curmudgeon wrote: > > > ---------- Forwarded message ---------- > From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" > > I know some people who are going to be really upset by this, but > personally, I'm delighted: > > Researchers at the University of Washington and the University of > California, San Diego, launched a new laptop tracking service, called > Adeona, that is free and private. Once downloaded onto a laptop, the > software starts anonymously sending encrypted notes about the computer?s > whereabouts to servers on the Internet. If the laptop ever goes missing, > the user downloads another program, enters a username and password, and > then picks up this information from the servers, a free storage service > called OpenDHT. (The Mac version of Adeona even uses a freeware program > called isightcapture to take a snapshot of whomever is using the > computer.) Adeona provides the IP address that it last used as well as > data on nearby routers. Armed with that information, law enforcement > could track down the criminal. Because Adeona ships with an open-source > license, anyone can take the code and improve it or even sell it. The > researchers say they?re hoping that software developers will build all > kinds of new features such as Global Positioning System-aware tracking > systems for new platforms such as the iPhone. Later this month, the > Adeona team will give a technical presentation at the Usenix Security > Symposium in San Jose. 
> > http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9110128&taxonomyId=17&intsrc=kc_top > > > http://adeona.cs.washington.edu/ _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.138 / Virus Database: 270.5.0/1556 - Release Date: 7/16/2008 4:56 PM From chris at cwalsh.org Thu Jul 17 17:43:21 2008 From: chris at cwalsh.org (Chris Walsh) Date: Thu, 17 Jul 2008 12:43:21 -0500 Subject: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking In-Reply-To: <081862C1A509A14D94C18F3A45333F5B04FFA330@rrsmsx503.amr.corp.intel.com> References: <487E9ACB.7020601@strongauth.com> <487EB5FB.90502@sound-by-design.com> <93B614F1CE48574E92CA91735BFC5FB806A75013@WPNIXCHG.wpni.com> <081862C1A509A14D94C18F3A45333F5B04FFA330@rrsmsx503.amr.corp.intel.com> Message-ID: Agreed! To play the ever-popular security analogy game, if burglars can be deterred with mere signs saying "Premises protected by Acme Faultless Alarm Company", why not be happy if laptop thieves can be deterred by an actual product, albeit one which is not (and is not billed as) a panacea. Maybe the threat model that matters more is the one in which the hardware, not the data, is being targeted. In that case, measures to protect the hardware make sense. Of course, where the data are central -- as with controls against loss of PII -- a measure such as this would be inappropriate. Chris P.S. 
On the 'engraving' point, I can remember the police suggesting that one engrave ones SSN on items of high value and high portability, such as tools and bikes. Times have changed :^) On Thu, Jul 17, 2008 at 11:57 AM, Rosenquist, Matthew < matthew.rosenquist at intel.com> wrote: > We may be missing the bigger point, as security is both technical as well > as behavioral. > > Yes, it is obvious this technology in its current state can easily be > undermined by a determined attacker. But will it be a deterrence? Will it > affect the casual laptop theft? Will it give pause to people buying > questionable laptops at the flea markets or from shady vendors? Will it > make laptops less attractive targets to thieves looking for any means of a > quick buck? Can it effect the resale economy of such 'hot' merchandise? > Will it give employees a second thought about swiping extra equipment for > personal use? Maybe. This technology increases the risk of being caught. > If so, it will have an overall positive benefit. > > > > We all know an effective security program does not need to provide real > security. We have locks on our home doors which are a joke to anyone who > has the intention of getting into your house. But it does help. It thwarts > opportunistic attacks where the thief is looking for the path of least > resistance to reach their goals. If your house is locked and the next house > is not, then there is a good chance your neighbor will be the one > victimized. > > > > I see this technology, which could be evolved into something great > eventually, as similar to engraving laptops with "Property of XXX company" > or something obviously not easily resold or used in the open. It is a > deterrent and lowers the target-attractiveness factor. I don't have any > data handy, but last I read, most laptops are not stolen for their data. > Rather it is a hardware itself which is valued. > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From lyger at attrition.org Thu Jul 17 20:00:16 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jul 2008 20:00:16 +0000 (UTC)
Subject: [Dataloss] NY: Bristol-Myers: Tape With Workers' Personal Data Was Stolen

http://money.cnn.com/news/newsfeeds/articles/djf500/200807171514DOWJONESDJONLINE000844_FORTUNE5.htm

Bristol-Myers Squibb Co. (BMY) said a backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently.

The New York drug maker learned of the theft on June 4, and began notifying current and former employees by letter in the past few days, spokeswoman Tracy Furey told Dow Jones Newswires Thursday afternoon.

It was the latest in a series of security breaches involving customer or employee data in the corporate world. A Bristol-Myers rival, Pfizer Inc. (PFE), said last year that personal data for some of its current and former employees were exposed.

[...]

From lyger at attrition.org Thu Jul 17 23:49:50 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jul 2008 23:49:50 +0000 (UTC)
Subject: [Dataloss] [closing thread] fringe: Open source laptop tracking

Great discussion and definitely some good thoughts to consider, but we're closing the current thread to the general list since some of the responses were being cross-posted, lacked trimming quotes and footers (one sentence replies with 35k of quoted text), and veered into realms away from the list topic.

Lyger

From lyger at attrition.org Fri Jul 18 04:23:07 2008
From: lyger at attrition.org (lyger)
Date: Fri, 18 Jul 2008 04:23:07 +0000 (UTC)
Subject: [Dataloss] MD: UMD Released Students' Social Security Numbers

http://www.wjla.com/news/stories/0708/536794.html

University of Maryland said Thursday they accidentally released the addresses and social security numbers of thousands of students.

The University of Maryland's Department of Transportation Services sent all students, a total of more than 23,000, registered for classes a brochure with on-campus parking information. It was sent by U.S. Mail. The University discovered the labels on the mailing had the students' social security numbers on it as well.

The brochure was sent using third class delivery and some students may still have not received the item.

[...]

From rchicker at etiolated.org Sat Jul 19 00:49:56 2008
From: rchicker at etiolated.org (rchick)
Date: Fri, 18 Jul 2008 20:49:56 -0400
Subject: [Dataloss] UK: Laptop with patient files stolen

July 18, 2008

http://news.bbc.co.uk/2/hi/uk_news/scotland/tayside_and_central/7513602.stm

A laptop containing the details of 89 patients has been stolen from Falkirk and District Royal Infirmary, it has emerged.

NHS Forth Valley said the break-in happened last month at the hospital's audiology department when the offices were closed.

The health authority said the laptop was kept in a locked cupboard and was password-protected. It contained names, addresses and audiology details of the patients.

NHS Forth Valley said the laptop had yet to be recovered and that it was working closely with Central Scotland Police on the case.

[...]
From lyger at attrition.org Sun Jul 20 02:33:17 2008
From: lyger at attrition.org (lyger)
Date: Sun, 20 Jul 2008 02:33:17 +0000 (UTC)
Subject: [Dataloss] MN: Vets Home server held personal data

http://www.startribune.com/local/north/25652209.html?location_refer=Family%20+%20Relationships

A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents, according to an official with the Minnesota Department of Veterans Affairs.

The burglars broke into the facility early last Sunday. Gil Acevedo, deputy commissioner for Veterans Health Care, said the thieves, who also made off with a tool kit, a laptop computer, a guitar and a computer game, probably had no intention of stealing the data, which can only be accessed by using a password.

[...]

From rshavell at identityforce.com Mon Jul 21 22:50:31 2008
From: rshavell at identityforce.com (Rob Shavell)
Date: Mon, 21 Jul 2008 18:50:31 -0400
Subject: [Dataloss] confirming victims of data breaches?
Message-ID: <9541644d0807211550g5972a6c9ifd318ffa683ce716@mail.gmail.com>

hi all,

as notification laws proliferate, i'm wondering, w/out a notification letter, can consumers themselves really confirm if they are part of a breach?

in my experience, calling up a company directly to ask if you are affected by a breach results in a canned response saying "did you get a letter?" or "contact your credit card company".

do companies have any responsibility to tell those who may have NOT YET received a notification (state doesn't require it, moved, whatever) that they are indeed affected? if not, doesn't this reality counter the spirit of the laws and companies doing the right thing?

i understand that SSNbreach (and maybe others?) are trying to do something about this. is there any way to empower consumers here?

rgds,
rob

___________________
Rob Shavell
Director of Compliance
IdentityForce

From bputnam at digitalcomply.com Mon Jul 21 23:50:25 2008
From: bputnam at digitalcomply.com (Brad Putnam)
Date: Mon, 21 Jul 2008 17:50:25 -0600
Subject: [Dataloss] confirming victims of data breaches?
In-Reply-To: <9541644d0807211550g5972a6c9ifd318ffa683ce716@mail.gmail.com>
References: <9541644d0807211550g5972a6c9ifd318ffa683ce716@mail.gmail.com>
Message-ID: <07f701c8eb8c$8f39ae50$800101df@bputnam>

Hi Rob;

I have to tell you, this is one of the best questions I've seen in regard to helping consumers. To my knowledge, there are zero laws that compel a company to come clean upon verbal request of a client. Obviously, it would be good for the individual consumer; however, it could also be used nefariously. Steal a DB, call and confirm the data is good.

Your point is well taken and I need to think on it a bit... I would love opinion on the subject, but I don't want to request anything without the permission of Attrition folks to utilize their list...

Lastly, this is one of the best managed mail lists I've been a party to. Thank you Lyger and Co!

Best regards,
BP

Brad Putnam
President and CEO
Digital Compliance, LLC
PO Box 792
Billings, MT. 59103
406-325-9737 Phone
406-325-9738 Fax
BPutnam at digitalcomply.com

This email communication may contain CONFIDENTIAL INFORMATION WHICH ALSO MAY BE LEGALLY PRIVILEGED and is intended only for the use of the intended recipients identified above. If you are not the intended recipient of this communication, you are hereby notified that any unauthorized review, use, dissemination, distribution, downloading, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by reply email, delete the communication and destroy all copies.
-----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rob Shavell Sent: Monday, July 21, 2008 4:51 PM To: dataloss at attrition.org Subject: [Dataloss] confirming victims of data breaches? hi all, as notification laws proliferate, i'm wondering, w/out a notification letter, can consumers themselves really confirm if they are part of a breach? in my experience, calling up a company directly to ask if you are affected by a breach results in a canned response saying "did you get a letter"? or "contact your credit card company" do companies have any responsibility to tell those who may have NOT YET received a notification (state doesn't require it, moved, whatever) that they are indeed affected? if not, doesn't this reality counter the spirit of the laws and companies doing the right thing? i understand that SSNbreach (and maybe others?) are trying to do something about this. is there any way to empower consumers here? rgds, rob ___________________ Rob Shavell Director of Compliance IdentityForce _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From ADAIL at sunocoinc.com Tue Jul 22 15:01:49 2008 From: ADAIL at sunocoinc.com (DAIL, WILLARD A) Date: Tue, 22 Jul 2008 11:01:49 -0400 Subject: [Dataloss] confirming victims of data breaches? In-Reply-To: <07f701c8eb8c$8f39ae50$800101df@bputnam> Message-ID: Technically speaking, do you think most companies involved in a breach perform triage on the consumers to determine who must be notified? Personally, I do not think most companies have enough information to do that. 
I think some companies may make a conscious decision to break the law by not reporting the incident at all (which is a different discussion in my opinion), but most advice given by Privacy lawyers is to just notify everyone and not to try to determine which state laws apply, and which do not. Also, you really do not want to get into the trap of trying to determine actual risk to the consumer, as allowed by some breach disclosure laws. You will never make the right decision. On a more technical level, at least in terms of payment cards (which is my focus), we do not keep consumer information to correlate PAN's to consumers. Generally speaking, if we suffered a breach we would have a list of PAN's and possibly expiration dates. We'd provide that list to our processor who would determine the issuers based on BIN range, and notify the issuing banks. At that point either the bank(s) would notify their customer that a breach involving their card number had occurred, or if the bank(s) wanted the merchant to foot the expense, the bank(s) would provide customer contact information, and would probably want to see a copy of the letter that went out. Law enforcement, working with the attorneys generals, would determine the schedule for notification. Litigation would likely commence. Sorry the process isn't more nefarious. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Brad Putnam Sent: Monday, July 21, 2008 6:50 PM To: rshavell at identityforce.com; dataloss at attrition.org Subject: Re: [Dataloss] confirming victims of data breaches? Hi Rob; I have to tell you, this is one of the best questions I've seen in regard to helping consumers. To my knowledge, there are zero laws that compel a company to come clean upon verbal request of a client. Obviously, it would be good for the individual consumer; however, it could also be used nefariously. Steal a DB, call and confirm the data is good. 
Your point is well taken and I need to think on it a bit... I would love opinion on the subject, but I don't want to request anything without the permission of Attrition folks to utilize their list... Lastly, this is one of the best managed mail lists I've been a party to. Thank you Lyger and Co! Best regards, BP Brad Putnam President and CEO Digital Compliance, LLC PO Box 792 Billings, MT. 59103 406-325-9737 Phone 406-325-9738 Fax BPutnam at digitalcomply.com This email communication may contain CONFIDENTIAL INFORMATION WHICH ALSO MAY BE LEGALLY PRIVILEGED and is intended only for the use of the intended recipients identified above. If you are not the intended recipient of this communication, you are hereby notified that any unauthorized review, use, dissemination, distribution, downloading, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by reply email, delete the communication and destroy all copies. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rob Shavell Sent: Monday, July 21, 2008 4:51 PM To: dataloss at attrition.org Subject: [Dataloss] confirming victims of data breaches? hi all, as notification laws proliferate, i'm wondering, w/out a notification letter, can consumers themselves really confirm if they are part of a breach? in my experience, calling up a company directly to ask if you are affected by a breach results in a canned response saying "did you get a letter"? or "contact your credit card company" do companies have any responsibility to tell those who may have NOT YET received a notification (state doesn't require it, moved, whatever) that they are indeed affected? if not, doesn't this reality counter the spirit of the laws and companies doing the right thing? i understand that SSNbreach (and maybe others?) are trying to do something about this. 
is there any way to empower consumers here? rgds, rob ___________________ Rob Shavell Director of Compliance IdentityForce _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From msimon at creationlogic.com Tue Jul 22 16:16:34 2008 From: msimon at creationlogic.com (Mike Simon) Date: Tue, 22 Jul 2008 09:16:34 -0700 Subject: [Dataloss] confirming victims of data breaches? In-Reply-To: References: <07f701c8eb8c$8f39ae50$800101df@bputnam> Message-ID: <25d3931b0807220916q10f65cay5848e318a9c796b5@mail.gmail.com> Interesting discussion, and great insight from each of you. One of the problems I wrestle with is that one cannot always be clear about what records were actually compromised. In a situation where (for example) a hacker gains access to a transaction stream, the hacker doesn't get the whole database, but just what flowed by while they had access. 
In that case, it should be theoretically possible to notify only those persons who's data was exposed during that window. I'm usually all for broad notification and information sharing, but the expenses of notification and remediation on a per-record basis could mean the difference between a minor incident for the company and bankruptcy. WRT this thread, as long as you have a handle on who's data was exposed, you could certainly still respond to queries from customers, but as was mentioned earlier, you would need extraordinary means of authenticating the caller/inquirer so as to not further compromise customers. At some price point per record, it becomes cost effective to do the analysis and notify only the affected rather than pay for notification, credit monitoring and such for your whole database. Mike Simon From ADAIL at sunocoinc.com Tue Jul 22 17:33:31 2008 From: ADAIL at sunocoinc.com (DAIL, WILLARD A) Date: Tue, 22 Jul 2008 13:33:31 -0400 Subject: [Dataloss] confirming victims of data breaches? In-Reply-To: <25d3931b0807220916q10f65cay5848e318a9c796b5@mail.gmail.com> Message-ID: The rule-of-thumb is that if you cannot positively rule something out of scope for a breach, due care requires you to include it in the scope. I would argue that a company handling risky data should include the possibility of a breach in its Business Continuity Plan. A Breach Response Plan (A Disaster Recovery plan that is customized to deal with the possibility of a breach as opposed to a physical disaster) should be developed for the data environment, and the concept of Maximum Tolerable Downtime should be converted to Maximum Tolerable Breach Volume. This should be reviewed at least annually, and the assumptions should be validated (for instance, the average cost of a breach, per record). The company should then endeavor to ensure its logging and security controls prevent any breach from exceeding the MTBV. 
This sounds pretty difficult, but the use of file integrity monitoring, IDS and IPS systems, good logging, and encryption will go far toward ensuring you are not the "lowest hanging fruit". -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon Sent: Tuesday, July 22, 2008 11:17 AM To: dataloss at attrition.org Subject: Re: [Dataloss] confirming victims of data breaches? Interesting discussion, and great insight from each of you. One of the problems I wrestle with is that one cannot always be clear about what records were actually compromised. In a situation where (for example) a hacker gains access to a transaction stream, the hacker doesn't get the whole database, but just what flowed by while they had access. In that case, it should be theoretically possible to notify only those persons who's data was exposed during that window. I'm usually all for broad notification and information sharing, but the expenses of notification and remediation on a per-record basis could mean the difference between a minor incident for the company and bankruptcy. WRT this thread, as long as you have a handle on who's data was exposed, you could certainly still respond to queries from customers, but as was mentioned earlier, you would need extraordinary means of authenticating the caller/inquirer so as to not further compromise customers. At some price point per record, it becomes cost effective to do the analysis and notify only the affected rather than pay for notification, credit monitoring and such for your whole database. Mike Simon _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! 
http://www.tenablesecurity.com/products/compliance.shtml This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From lyger at attrition.org Tue Jul 22 19:23:23 2008 From: lyger at attrition.org (lyger) Date: Tue, 22 Jul 2008 19:23:23 +0000 (UTC) Subject: [Dataloss] IN: Stolen Indiana State laptop returned to professor Message-ID: http://www.wlfi.com/Global/story.asp?S=8716428&nav=menu591_3 Indiana State University officials say a computer stolen from a professor has been returned and none of its personal student information was accessed. School spokesman Dave Taylor said Tuesday the laptop computer was mailed anonymously to the professor, who received it Friday, six days after it was stolen along with other personal items. At the time of the theft, the professor was traveling in southern Indiana with his family. [...] From jericho at attrition.org Wed Jul 23 14:01:29 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 23 Jul 2008 14:01:29 +0000 (UTC) Subject: [Dataloss] Stolen tape puts Bristol-Myers employee data at risk Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110485 By Brian Fonseca July 22, 2008 Computerworld Bristol-Myers Squibb Co. officials last week confirmed that a nonencrypted backup tape containing the personal data of current and former employees and their dependents was stolen on June 4 from a delivery truck carrying the device. 
Bristol-Myers spokeswoman Laura Hortas said the New York-based pharmaceutical company began notifying current, former and retired employees by mail on June 12 about the missing backup tape. Bristol-Myers would not disclose how many people are affected by the breach. However, according to a security breach notification letter (download PDF [1]) sent by the company to the New Hampshire Attorney General's office, the personal data of 458 residents of that state was stored on the stolen tape. [1] http://doj.nh.gov/consumer/pdf/bristol-myers.pdf [...] From mhill at idtexperts.com Wed Jul 23 14:12:48 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 23 Jul 2008 10:12:48 -0400 Subject: [Dataloss] DC: Records With D.C. Residents' Personal Information Found In Trash Bin Message-ID: http://www.nbc4.com/news/16957721/detail.html WASHINGTON -- Documents with Washington residents' personal information, including Social Security numbers and canceled checks, turned up Tuesday in a trash bin in an alley in northwest Washington, Pat Collins reported First On 4. The trash bin on Paloma Way behind a storage building on U Street contained hundreds of real estate transactions. The papers contained bank balances, salary information and Social Security numbers. "This is a tragedy to find all these personal documents in a Dumpster in an alley," said D.C. police Lt. Bill Farr, who was at the scene investigating. Real estate agent Ron Sneijder said the files came from a settlement company that went out of business a few months ago. He said he knows the owner of the company, and he was working with police to identify the files and protect the information. "These should be with their underwriters. I don't know why they're in a Dumpster," said Sneijder. "I am the victim of identify fraud myself, so I know how serious this is," he said. One of the files contains the personal information of Luis Barr, a dentist in downtown D.C. 
He said he is scared and nervous and doesn't know what to do to protect himself. Officials said they will try to alert the people whose information was found.

Michael Hill | T3i
Director Risk Management & Compliance
Direct: 404.216.3751 | mhill at T3i.com | www.T3i.com
INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS
"If You Think You're Not At Risk, Think Again!"

From hbrown at knology.net Wed Jul 23 14:32:32 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 23 Jul 2008 09:32:32 -0500
Subject: [Dataloss] Dumpster diving in San Francisco CA
Message-ID: <48874100.3070003@knology.net>

http://www.ktvu.com/news/16961916/detail.html

Major Security Breach At SF City Agency Exposed

[...]

Potentially thousands of people's personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins.

It's trash day in the city and the scavengers are out rifling through the garbage bins in a San Francisco alley.
A KTVU cameraman caught two individuals with pick-up trucks stopping briefly before hauling away armloads of paper. No one challenges them as they steal from the unsecured blue bins. A closer look shows some of what they left behind: confidential documents from the San Francisco Human Services Department.

[...]

The agency handles the case loads of 8,000 San Franciscans and presumably safeguards the personal information it requires from its clients.

[...]

Trent Rohrer is the head of San Francisco Human Services. Rohrer showed KTVU how the personal information is supposed to be disposed of, placed in locked bins.

"We do have a whole set of policies and procedures to prevent this stuff from happening, and clearly there are flaws in that," said Rohrer.

So are people simply not following procedures, or is there criminal activity going on inside the city department?

"We'll go from top to bottom to see if there's an internal identity theft ring going on or if there's something external going on. We'll get to the bottom of it," said Rohrer.

[...]

From hbrown at knology.net Wed Jul 23 14:42:09 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 23 Jul 2008 09:42:09 -0500
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
Message-ID: <48874341.1010708@knology.net>

From The University of MD Independent Daily Newspaper

http://tinyurl.com/6j6rhv

Social security numbers of students registered for fall 2008 classes, totaling nearly 24,000, were inadvertently printed on mailing labels for a parking brochure, the Department of Transportation Services said in an e-mail to students today.

"The University apologizes, and deeply regrets this unfortunate mistake. We are taking aggressive steps to ensure that this does not happen again. We strongly recommend that you take appropriate precautions to mask, black out, or destroy this document after use," said the e-mail, signed by DOTS Director David Allen.
The mailings were sent July 1, but the mistake was not discovered until July 8, when students began calling DOTS to complain, according to a website set up by DOTS specifically for this incident. The website can be found at http://www.transportation.umd.edu/parkingmailer/.

The university is not aware of anyone's social security number being misused, added DOTS in the e-mail.

The university will offer free Equifax reports to affected students, at a cost to the university of about $23 a person, said Vice President for Student Affairs Linda Clement. With Equifax, the students can monitor their credit or place a fraud alert on their account.

Clement explained that when a DOTS employee collected names and addresses for the brochure, social security numbers and e-mail addresses would have appeared in the search, but were supposed to be removed from the labels. DOTS saw the e-mail addresses on the labels but didn't identify the social security numbers because they were not separated by the typical two dashes, she said.

The incident is under investigation and the person involved has not been fired, Clement added. The delay in notifying students was due to the legal office negotiating a deal with Equifax.

"We sincerely regret it," Clement said. "This is just an awful situation; we're trying to do everything we can to mitigate it."

A letter explaining the situation and offering remedies will be sent to students Friday or Saturday, said Ann Wylie, the university president's chief of staff.

"We were horribly upset that this happened," she said. "It was a human error."

From k-dale at northwestern.edu Wed Jul 23 16:07:24 2008
From: k-dale at northwestern.edu (Kim Z. Dale)
Date: Wed, 23 Jul 2008 11:07:24 -0500
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
In-Reply-To: <48874341.1010708@knology.net>
References: <48874341.1010708@knology.net>

It seems odd to me how many incidents of SSNs printed as part of a mailing address occur.
Are all these places using the same software, or are people just that bad at mail merge? It seems like an odd thing to happen across multiple organizations.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From mhozven at tealeaf.com Wed Jul 23 16:23:44 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Wed, 23 Jul 2008 09:23:44 -0700
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
References: <48874341.1010708@knology.net>
Message-ID: <771A26039D33ED489E23D9614DE630DD08EF008A@SFMAIL02.tealeaf.com>

My guess is that many of these schools/etc. are probably using different software, but the common thread is that they all use the SSNs to identify the students/etc. internally (and are just careless about what gets printed on the envelope). In some cases, maybe they outsource the printing of the labels also (?), sending a database of who the students/etc. are to the outsourcing company.

-Max
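The University of MD report and the replies above describe two things going wrong at once: the merge export carried columns (SSN, e-mail) the label never needed, and the undashed nine-digit values on the printed labels went unrecognised. The following Python pre-print check is an added example, not code from the university or from anyone in this thread; it refuses a merge source with columns outside a label allowlist and scans the rendered labels for SSN-like tokens, dashed or not. The allowed field names, the label template and the sample records are constructed for illustration.

```python
"""Pre-print checks for a mailing-label merge (added example, constructed data)."""
import csv
import io
import re
from typing import Dict, List

# Columns a parking-brochure address label legitimately needs (assumed set).
ALLOWED_LABEL_FIELDS = {"name", "street", "city", "state", "zip"}

# 123-45-6789, or a bare nine-digit run with no digit on either side.  The
# undashed form is the one that was not recognised on the printed labels.
DASHED_SSN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
BARE_NINE = re.compile(r"(?<!\d)(\d{9})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000/666/900-999, group 00,
    serial 0000).  Everything else stays a candidate: a false positive costs
    a manual look, a false negative costs a notification letter."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssn_candidates(text: str) -> List[str]:
    """Return every SSN-looking token in free text, undashed ones included."""
    hits = [m.group(0) for m in DASHED_SSN.finditer(text) if plausible_ssn(*m.groups())]
    for m in BARE_NINE.finditer(text):
        d = m.group(1)
        if plausible_ssn(d[:3], d[3:5], d[5:]):
            hits.append(d)
    return hits


def excess_columns(csv_text: str) -> List[str]:
    """Columns in the merge source that the label has no use for.  This check
    belongs before the merge: a column that is not in the export cannot end
    up on the envelope, whatever the template does."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted(set(reader.fieldnames or []) - ALLOWED_LABEL_FIELDS)


def render_label(row: Dict[str, str], template_fields: List[str]) -> str:
    """Naive merge: one template field per printed line."""
    return "\n".join(row[f] for f in template_fields)


def audit_labels(csv_text: str, template_fields: List[str]) -> Dict[int, List[str]]:
    """Render every label and report record numbers whose printed text
    contains an SSN candidate.  Run this on the print file, not the database,
    because it is the print file that reaches the envelope."""
    findings: Dict[int, List[str]] = {}
    for idx, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        hits = find_ssn_candidates(render_label(row, template_fields))
        if hits:
            findings[idx] = hits
    return findings


# Constructed sample: a student export carrying far more than a label needs.
# The two SSN values are well-known never-issued specimen numbers.
SAMPLE_EXPORT = """name,street,city,state,zip,email,ssn
A. Student,1 Campus Dr,College Park,MD,20742,astudent@example.edu,219099999
B. Student,2 Campus Dr,College Park,MD,20742,bstudent@example.edu,078051120
"""

# A template that wrongly pulls every exported column, and the correct one.
CARELESS_TEMPLATE = ["name", "street", "city", "state", "zip", "email", "ssn"]
CORRECT_TEMPLATE = ["name", "street", "city", "state", "zip"]

if __name__ == "__main__":
    print("excess columns in export:", excess_columns(SAMPLE_EXPORT))
    print("careless template:", audit_labels(SAMPLE_EXPORT, CARELESS_TEMPLATE))
    print("correct template:", audit_labels(SAMPLE_EXPORT, CORRECT_TEMPLATE))
```

A bare nine-digit ZIP+4 written without its hyphen would also be flagged; that is deliberate, since the reviewer's cost of one extra look is small compared with a misprinted envelope.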
From mhill at idtexperts.com Wed Jul 23 16:27:10 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 23 Jul 2008 12:27:10 -0400
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
References: <48874341.1010708@knology.net>
Message-ID: <63B9DD304C9A45D596400D9539E67119@mkevhillpc>

Lack of education and training given to employees, contractors and service providers to help spot security vulnerabilities. Periodic training emphasizes the importance you place on meaningful data security practices. A well-trained workforce is just as important a defense against identity theft and data breaches as are physical and electronic security.

In this case, I can't believe nobody in the whole process spotted the SSN or at least questioned it when seeing a 9-digit number. Training certainly could have uncovered this, though we will never know.

Michael Hill | T3i
Director Risk Management & Compliance
Direct: 404.216.3751 | mhill at T3i.com | www.T3i.com
INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING
"If You Think You're Not At Risk, Think Again!"

From david-scott at david-scott.net Wed Jul 23 17:32:06 2008
From: david-scott at david-scott.net (David Scott)
Date: Wed, 23 Jul 2008 12:32:06 -0500
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
References: <48874341.1010708@knology.net>
Message-ID: <006501c8ecea$0787ecb0$1697c610$@net>

It's not a systemic or technical failure, particularly, and Kim essentially nails it ("...are people just that bad at mail merge?"). The challenge is people - no technical system, policy or plan can overcome laxity or ignorance (even deliberate intent to harm can be handled). Everyone needs to become a mini security officer, and all activity needs to happen through a security prism.

How to get there? Awareness - through training and refreshers. Also, a dominant security culture must be maintained - an eCulture.

You may find interest in my interview at Boston's Business Forum, with editor and founder Thomas Faulhaber: http://businessforum.com/DScott_02.html

Regards and success,

David Scott
Author
I.T. Wars: Managing the Business-Technology Weave in the New Millennium
www.david-scott.net
Google: I.T. Wars - I.T. Wars now supports MBA graduate level courses at the University of Wisconsin

Prior to initiating any major systems implementation or business change, David Scott should be required reading for the whole team. - Thomas Faulhaber, Editor and Founder of The Business Forum (R), Boston

From arshad.noor at strongauth.com Wed Jul 23 16:46:51 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Wed, 23 Jul 2008 09:46:51 -0700
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
In-Reply-To: <63B9DD304C9A45D596400D9539E67119@mkevhillpc>
References: <48874341.1010708@knology.net> <63B9DD304C9A45D596400D9539E67119@mkevhillpc>
Message-ID: <4887607B.9020709@strongauth.com>

Couldn't agree with you more, Michael.
In fact, the lack of training of involved personnel, and the lack of a culture that encourages "risk detection and management", is probably the single biggest weakness in most IT environments today. There is far too much trust placed in technology and not enough in the ability and training of humans to address security risks.

While I would like to say that companies lose as a result of this myopia, in the long term we consumers wind up paying for those losses, unfortunately.

Arshad Noor
StrongAuth, Inc.

From Kyle.Davis at apollogrp.edu Wed Jul 23 16:56:43 2008
From: Kyle.Davis at apollogrp.edu (Kyle Davis)
Date: Wed, 23 Jul 2008 09:56:43 -0700
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
In-Reply-To: <4887607B.9020709@strongauth.com>
Message-ID: <44CEE938427F734E9EE352587E901EB002FD592D@AMSGEV21.apollogrp.edu>

I'm rather new here, but thought I'd toss in my $0.02.

I agree with much of what you've all stated regarding lack of education, but having SSNs so available to a person who does a mail merge for envelopes seems silly to me. There really does need to be a better lockdown on some data (SSN being one of the top ones). Is this kind of thing still going to happen in the future even after locking down the data better? You betcha it will happen, but at least there will be fewer occurrences of it. And if it does happen, there will be a better feedback program in place to help with situations like this in the future.

Also, Michael hit the nail on the head when he stated "periodic training". A single training event is NOT enough for most of the workforce out there. They need to be hit with training on this topic at least twice a year, if not more.

Kyle R. Davis, Security Analyst
Apollo Group

From lyger at attrition.org Thu Jul 24 11:20:39 2008
From: lyger at attrition.org (lyger)
Date: Thu, 24 Jul 2008 11:20:39 +0000 (UTC)
Subject: [Dataloss] IL: Computer tapes with Social Security numbers lost

http://www.chicagotribune.com/news/chi-ap-il-idtheft,0,1975150.story

Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost but officials say there's not much chance of identity theft.

Officials say the tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb on June 23.

[...]

Village Manager Scott Niehaus says about 19,000 residents and another 1,400 current, former or retired village employees will get letters about the incident.

[...]

From lyger at attrition.org Thu Jul 24 11:31:41 2008
From: lyger at attrition.org (lyger)
Date: Thu, 24 Jul 2008 11:31:41 +0000 (UTC)
Subject: [Dataloss] NV: Hospital warns of possible data leak

http://www.rgj.com/apps/pbcs.dll/article?AID=/20080724/NEWS10/807240352/1321/NEWS

Saint Mary's Regional Medical Center sent warning letters this month to about 128,000 patients and clients after a possible intrusion into a proprietary database.
The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information, said Gary Aldax, marketing manager for Saint Mary's.

"What happened was that an unauthorized person may have accessed the database," Aldax said. "We're currently working with Equifax, which is one of the three major credit agencies, to help handle this for us.

[...]

From lyger at attrition.org Thu Jul 24 22:37:36 2008
From: lyger at attrition.org (lyger)
Date: Thu, 24 Jul 2008 22:37:36 +0000 (UTC)
Subject: [Dataloss] FL: Loss Of HCC Worker's Laptop Spurs ID Theft Warning

http://www2.tbo.com/content/2008/jul/24/loss-hcc-employees-laptop-spurs-id-theft-warning/

Hillsborough Community College warned its roughly 2,000 employees on Wednesday to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia.

The college also is looking into acquiring technology that will allow workers to remotely locate laptops and to encrypt computers or disks. In addition, it stressed to employees who use laptops to use extra caution when securing the devices, spokeswoman Ashley Carl said today.

The risk of employees' personal information being used is slim. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers, Carl said.

[...]
From macwheel99 at wowway.com Fri Jul 25 01:45:45 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Thu, 24 Jul 2008 20:45:45 -0500
Subject: [Dataloss] Fringe: e-banking not yet secure
Message-ID: <20080725013214.M14927@wowway.com>

Security flaws plague majority of e-banking sites
http://www.finextra.com/fullstory.asp?id=18764

Over 75% of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study (of 214 bank web sites) conducted by researchers at the University of Michigan.

The flaws are not bugs that can be easily fixed with a patch, but are systemic, stemming from the flow and layout of the sites.

47% placed secure login boxes on insecure pages.
55% put contact information and security advice on insecure pages.
Some banks use social security numbers or e-mail addresses as user IDs.
28% don't state a policy on passwords, or allow weak passwords.
31% e-mail passwords or statements to customers.
30% redirect customers to a site outside of the bank's domain for certain transactions without warning.

http://www.finextra.com/fullstory.asp?id=18764

From jericho at attrition.org Fri Jul 25 02:26:18 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 Jul 2008 02:26:18 +0000 (UTC)
Subject: [Dataloss] Fringe: e-banking not yet secure
In-Reply-To: <20080725013214.M14927@wowway.com>
References: <20080725013214.M14927@wowway.com>
Message-ID:

ISN posted the article as well, cross-posting my reply.

: Security flaws plague majority of e-banking sites
: http://www.finextra.com/fullstory.asp?id=18764
:
: Over 75% of banking Web sites contain fundamental design flaws that
: could put customers at risk from cyber thieves, according to a study (of
: 214 bank web sites) conducted by researchers at the University of
: Michigan.

Unfortunately, all I can find are articles mentioning the study. It still isn't available on Atul Prakash's home page [1].
Since all we have to go on right now are sound bites and brief summaries, it is very easy to tear large holes in the results. I encourage Prakash and his team to make the original research more readily available.

: The flaws are not bugs that can be easily fixed with a patch, but are
: systemic, stemming from the flow and layout of the sites.

The flaws are often very easy to fix, and do not require much work from the bank.

: 47% placed secure login boxes on insecure pages.

While a bad practice, this doesn't translate to "attackers can get access to customer information" necessarily. "He says this allows hackers to re-route data entered in the boxes or create a spoof page to harvest information." First, to re-route data entered in the boxes relies on something more than a mixed HTTP/S page. Exploiting cross-frame scripting in some browsers would be a good idea, but that can be blocked regardless of the page being served over SSL. Second, bad guys can spoof pages regardless of the presence of SSL, yet Prakash suggests otherwise.

"Prakash says in a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim."

Certainly a risk, but the number of customers accessing their bank over unsecured wireless is probably very minimal, and it changes the requirements of exploitation considerably.

: 55% put contact information and security advice on insecure pages.

Again, having a static /contact.html on the legitimate domain, not served over SSL, is not a vulnerability, and does not lead to customers being at risk from "hackers getting access to customer information". The summary and introduction to the article are poorly worded and misleading.

: Some banks use social security numbers or e-mail addresses as user IDs.

This is definitely a bad practice and commonly seen, but this is half of the information needed to authenticate.
Brute forcing a list of login IDs is time consuming; brute forcing valid passwords for them on top of that is very time consuming. There are certainly controls that can be put in place to make harvesting attacks more costly, regardless of the login name scheme.

: 28% don't state a policy on passwords, or allow weak passwords.

Yes, they should state their policy, but how many of the 28% don't state the policy yet enforce a relatively strong one? This number is a poor metric.

I have a hard time believing that Prakash and his team got permission to test 214 bank web sites. If they did, it was still done without authentication based on the results in the article. The few results they do have are not near the risk implied by the summary wording or have caveats on exploitation. None of them are real eye-openers as each one would likely result in the compromise of a handful of accounts. While certainly bad, that is insignificant compared to an SQL injection or privilege escalation attack that allowed cross-user information disclosure (or manipulation).

All said and done, this research is quite limp so far.

- jericho

From adam at homeport.org Fri Jul 25 09:57:36 2008
From: adam at homeport.org (Adam Shostack)
Date: Fri, 25 Jul 2008 05:57:36 -0400
Subject: [Dataloss] Fringe: e-banking not yet secure
In-Reply-To:
References: <20080725013214.M14927@wowway.com>
Message-ID: <20080725095736.GD13711@homeport.org>

On Fri, Jul 25, 2008 at 02:26:18AM +0000, security curmudgeon wrote:
| : Over 75% of banking Web sites contain fundamental design flaws that
| : could put customers at risk from cyber thieves, according to a study (of
| : 214 bank web sites) conducted by researchers at the University of
| : Michigan.
|
| Unfortunately, all I can find are articles mentioning the study. It still
| isn't available on Atul Prakash's home page [1]. Since all we have to go
| on right now are sound bites and brief summaries, it is very easy to tear
| large holes in the results.
| I encourage Prakash and his team to make the original research more readily available.

http://cups.cs.cmu.edu/soups/2008/program.html
http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

From macwheel99 at wowway.com Fri Jul 25 05:14:53 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Fri, 25 Jul 2008 00:14:53 -0500
Subject: [Dataloss] Fringe: e-banking not yet secure
In-Reply-To:
References: <20080725013214.M14927@wowway.com>
Message-ID: <20080725050255.M49713@wowway.com>

Here is a link to "Analyzing Web sites for user-visible security design flaws" by 3 authors: The professor & 2 graduate students.
http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

The financial institutions that they studied
http://www.eecs.umich.edu/laura/webusability/websites.html

This paper is to be presented at the Symposium on Usable Privacy and Security (SOUPS) meeting at Carnegie Mellon University July 25.
http://cups.cs.cmu.edu/soups/2008/

According to this other article, the study was done in 2006. Presumably (we would hope) some of the financial institutions have since upgraded their sites.
http://www.eurekalert.org/pub_releases/2008-07/uom-sfi072208.php

Relevant links here.
http://news.yahoo.com/s/cmp/209600041

I originally saw the link on e-com sec & thought it also belonged on Data Loss, and Linked-In's Security before Implementation (I have not yet posted it there).
http://packetfocus.com/proactive/index.php

Al Macintyre
Jack of all trades, master of some

security curmudgeon wrote
> ISN posted the article as well, cross-posting my reply.
>
> : Security flaws plague majority of e-banking sites
> : http://www.finextra.com/fullstory.asp?id=18764
> :
> : Over 75% of banking Web sites contain fundamental design flaws
> that : could put customers at risk from cyber thieves, according to
> a study (of : 214 bank web sites) conducted by researchers at the
> University of : Michigan.
>
> Unfortunately, all I can find are articles mentioning the study.
> It still isn't available on Atul Prakash's home page [1]. Since all we
> have to go on right now are sound bites and brief summaries, it is
> very easy to tear large holes in the results. I encourage Prakash
> and his team to make the original research more readily available.
>
> : The flaws are not bugs that can be easily fixed with a patch, but
> are : systemic, stemming from the flow and layout of the sites.
>
> The flaws are often very easy to fix, and do not require much
> work from the bank.
>
> : 47% placed secure login boxes on insecure pages.
>
> While a bad practice, this doesn't translate to "attackers can get
> access to customer information" necessarily. "He says this allows
> hackers to re-route data entered in the boxes or create a spoof page
> to harvest information." First, to re-route data entered in the
> boxes relies on something more than a mixed HTTP/S page. Exploiting
> cross-frame scripting in some browsers would be a good idea, but
> that can be blocked regardless of the page being served over SSL.
> Second, bad guys can spoof pages regardless of the presence of SSL,
> yet Prakash suggests otherwise.
>
> "Prakash says in a wireless situation, it's possible to conduct this
> man-in-the-middle attack without changing the bank URL for the user,
> so even a vigilant customer could fall victim."
>
> Certainly a risk, but the number of customers accessing their bank
> over unsecured wireless is probably very minimal, and it changes the
> requirements of exploitation considerably.
>
> : 55% put contact information and security advice on insecure pages.
>
> Again, having a static /contact.html on the legitimate domain, not
> served over SSL, is not a vulnerability, and does not lead to
> customers being at risk from "hackers getting access to customer
> information". The summary and introduction to the article are poorly
> worded and misleading.
>
> : Some banks use social security numbers or e-mail addresses as user
> IDs.
>
> This is definitely a bad practice and commonly seen, but this is
> half of the information needed to authenticate. Brute forcing a list
> of login IDs is time consuming; brute forcing valid passwords for
> them on top of that is very time consuming. There are certainly
> controls that can be put in place to make harvesting attacks more
> costly, regardless of the login name scheme.
>
> : 28% don't state a policy on passwords, or allow weak passwords.
>
> Yes, they should state their policy, but how many of the 28% don't
> state the policy yet enforce a relatively strong one? This number is
> a poor metric.
>
> I have a hard time believing that Prakash and his team got
> permission to test 214 bank web sites. If they did, it was still
> done without authentication based on the results in the article. The
> few results they do have are not near the risk implied by the
> summary wording or have caveats on exploitation. None of them are
> real eye-openers as each one would likely result in the compromise
> of a handful of accounts. While certainly bad, that is insignificant
> compared to an SQL injection or privilege escalation attack that
> allowed cross-user information disclosure
> (or manipulation).
>
> All said and done, this research is quite limp so far.
>
> - jericho

From traef at ebasedsecurity.com Fri Jul 25 09:00:23 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Fri, 25 Jul 2008 04:00:23 -0500
Subject: [Dataloss] Fringe: e-banking not yet secure
Message-ID:

>>Security flaws plague majority of e-banking sites
>>http://www.finextra.com/fullstory.asp?id=18764
>>Over 75% of banking Web sites contain fundamental design flaws that could
>>put customers at risk from cyber thieves, according to a study (of 214 bank
>>web sites) conducted by researchers at the University of Michigan.
Tom Replies With:

I first saw this on Network World: http://www.networkworld.com/community/node/30229?t51hb&nlhtsec=mr_072408&nladname=072408securityal

where it states: "Like with a lot of research, the results take a while to emerge. In this case, the researchers took a look at web sites from 214 financial institutions back in 2006."

The results took a while to emerge? 2 years? I found this article to be security fear mongers trying to get some backing for more research. Does anyone still think that 214 financial institutions haven't changed their security in 2 years? Or that their websites are still the same as they were back then?

I think someone got some grant money to conduct the research and was finally forced to cough up the results. Even 2 years later.

From lyger at attrition.org Fri Jul 25 11:28:39 2008
From: lyger at attrition.org (lyger)
Date: Fri, 25 Jul 2008 11:28:39 +0000 (UTC)
Subject: [Dataloss] OH: Personal data put online in error
Message-ID:

http://www.columbusdispatch.com/live/content/local_news/stories/2008/07/25/OUCORE.ART_ART_07-25-08_B2_LLARF48.html?sid=101

A clerical error led to the online posting of the names and Social Security numbers of 492 people who spoke at Ohio University's Centers for Osteopathic Research and Education, a spokeswoman said.

On July 16, the centers, known as CORE, removed a spreadsheet that contained the information. It had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research.

A document that should have been posted did not contain personal information, according to CORE.

There is no indication that any of the personal information was misused, said CORE spokeswoman Karoline Lane.

[...]
From lyger at attrition.org Fri Jul 25 11:41:14 2008
From: lyger at attrition.org (lyger)
Date: Fri, 25 Jul 2008 11:41:14 +0000 (UTC)
Subject: [Dataloss] TX: Personal information of 259 UH students exposed online
Message-ID:

http://www.chron.com/disp/story.mpl/front/5906640.html

The names and Social Security numbers of 259 University of Houston students were inadvertently posted on the Internet for more than two years, removed only after a Washington, D.C.-based advocacy group discovered the breach.

The university removed the information from its servers as soon as it was notified in May, school officials said in a statement released Thursday. It took almost two months longer to ensure it had been removed from other Internet search engines.

[...]

From jericho at attrition.org Fri Jul 25 15:05:25 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 Jul 2008 15:05:25 +0000 (UTC)
Subject: [Dataloss] Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
Message-ID:

After being provided a link to the original paper and reading additional comments, I wanted to follow up on my original post [1] with more thoughts. If you want the slightly more technical review, search down to "methodology review". The paper in question is "Analyzing Websites for User-Visible Security Design Flaws" by Laura Falk, Atul Prakash and Kevin Borders [2]. I strongly encourage more security professionals to provide peer scrutiny to security research coming from universities.

As was pointed out, the research was done in 2006 (testing in Nov/Dec) but the results are just now being published. Three people working on a study on 214 web sites should not take that long to publish. To wait so long in publishing research on a topic like this, one must question if it is responsible, or more to the point, relevant.
In the world of high end custom banking applications, my experience consulting for such companies tells me that many will do periodic audits from third parties and that these sites get continuous improvements and changes every week. One of the web sites I use for personal banking has changed dramatically in the last 12 months, making huge changes to the functionality and presumably architecture, security and design. The results of a 2006 audit of that site are probably most irrelevant.

As with most research papers, the lack of a publication date in the header is annoying. The abstract does not mention the 2006 to 2008 time gap between research and publication either. This time difference is seen almost immediately in the citation of Schechter et al, regarding people "disregarding SSL indicators". The current releases of several browsers, most notably IE7 and Firefox 3, make pretty big shifts in how the browser handles and warns about SSL indicators. Each browser is considerably more paranoid and will throw a warning over more discrepancies that each would have ignored in previous versions.

On page 1, Prakash et al list the criteria for the categories of "design flaws" they examined. As expected and mentioned in my previous post, the design flaws they examined are not necessarily a vulnerability, and often times do not put customer data at risk or they require additional requisites to be exploitable. To look at one of their design flaws as an example, consider the following:

    Presenting secure login options on insecure pages: Some sites present login forms that forward to a secure page but do not come from a secure page. This is problematic because an attacker could modify the insecure page to submit login credentials to an insecure destination.

This summary of a design flaw is problematic in that it makes several assumptions and/or does not fully qualify the attack vector.
First, to "modify" an insecure page being served from the bank to the user's client (browser), the attacker would have to compromise the server (making this attack moot) or conduct a Man-in-The-Middle (MiTM) attack. I assume the latter is meant since the implication is that an attacker could not effectively MiTM attack a page wrapped in encryption (SSL).

It is interesting that the lack of SSL encryption is chosen as a design flaw with the notion that manipulation of an insecure page is the preferred attack vector. Such an attack is considerably more difficult to conduct compared to other threats (e.g. SQL Injection, Privilege Escalation) and would essentially target a single customer. Many large applications serving hundreds of thousands of users make this trade-off of mixed security pages for performance reasons, as the overhead of encrypting all traffic can be costly.

Later in the paper when the team attempts to better define this design weakness, they say:

    Consider the case where the customer service contact information for resetting passwords is provided on an insecure page. To compromise the system, an attacker only needs to spoof or modify the page, replacing the customer service phone numbers with bogus numbers.

Web pages can be spoofed regardless of the transport, so the presence of SSL encryption means little to nothing. If his team is implying an attacker "only need [..] modify the page", that would require compromising the server or performing a MiTM attack. Again, this is not a trivial attack by any means and in the latter, would affect one customer.

While this is only one of five design flaws Prakash's team looked for, consider the third example which is the exact same design weakness:

    Contact information/security advice on insecure pages: Some sites host their security recommendations, contact information, and various other sensitive information about their site and company on insecure pages.
    This is dangerous because an attacker could forge the insecure page and present different recommendations and contact information.

This is the exact same issue as #2 in the list but just makes the specification of the content on the page. Factor in that issue #1 will be more prevalent in large organizations but a non-issue in smaller ones, and the criteria of five design weaknesses gets cut down from five to four, with one that is likely not to be seen on some of the sites tested at all.

The paper quickly summarizes their findings before going into detail, before concluding "Overall, only 24% of the sites were completely free of these design flaws, indicating that some of the flaws we identified are not widely understood, even among institutions where security is critical." This assumption and conclusion is dangerous and irresponsible. The implication that the presence of one or more of these flaws is indicative of the site not understanding the threat is presumptuous. With the example given above about the high overhead of encrypting all content, some of the "design flaws" may be business decisions and acceptable risk.

Prakash et al begin to demonstrate their lack of understanding of client-server relationships and the transport mechanism for different protocols. The following paragraph from page 2 immediately calls his team's technical competence into question:

    One of the most interesting design flaws we discovered is the presentation of FAQs and contact information on insecure pages. In the past, FAQs and contact information were usually sent through the mail to the customer. It is not generally recognized that this information should be protected. However, when this information is presented online, the user becomes vulnerable to social engineering and offline attacks as a result of the information being displayed on an insecure page.
Prakash's contention that unencrypted content delivered from a web server to a browser is somehow different than when unencrypted content is delivered from a mail server to a mail reader is silly. If an attacker has the ability to MiTM attack a person, it isn't going to be limited to HTTP. Sending that contact information via mail will result in a user deleting it or maybe storing it in a folder. The first time the person needs to contact the bank, they would check the web page for the contact information. If said information is not available, it now further burdens the bank as they may call a generic number and get transferred around several times. This adds to customer frustration and causes bank employees to spend extra time dealing with a customer that could have called the correct number to begin with.

Prakash's team goes on to make more assumptions or not fully understand the importance of how web clients behave. Without getting into a full discussion on the philosophy of e-commerce sites adding mechanisms to invalidate client-side vulnerabilities, the general notion that it should be done if feasible seems reasonable. In this context, feasible means that it doesn't overly burden the bank web site, does not impact performance and is generally transparent to the end user. One example of this is a cross-frame spoofing issue that made it trivial for an attacker to use a phishing attack to MiTM attack MSIE 6 users [3]. Web sites can add a small bit of javascript to help ensure that browsers load their pages in a new frame, which essentially mitigates this risk. This is a good example of how many banks were helping protect customers, even though the vulnerability was in the customer's software, not the bank web site.

Prakash's team claims:

    Our work is similar in that some of the flaws that we consider impair a user's ability to make correct security decisions. However, our work differs in that the cause is not poor or confusing client-side interfaces.
    Instead, the flaws originate in poor design or policy choices at the server that prevent or make it difficult for users to make correct choices from the perspective of securing their transactions.

While a mismatched SSL certificate used to be virtually ignored in some cases, new versions of popular browsers now behave differently in how they alert users, giving them the ability to more easily make correct choices. Claiming that this research is not impacted by "poor or confusing client-side interfaces" is misleading. While the older browsers were not necessarily confusing, they handled some situations regarding establishing trust poorly.

The next area of technology Prakash's team doesn't seem to fully understand is vulnerability scanners. In the paper his team says:

    Network scanners, such as Nessus [11], and application-level website scanners, such as AppScan [17], can be used to analyze for many configuration and implementation bugs, such as use of unpatched services and vulnerability to cross-side scripting or SQL injection attacks. As far as we are aware, the design flaws that we examine are currently not identified by these scanners.

Both Nessus and AppScan will identify several vulnerabilities that directly relate to the design flaws outlined. Both will give warning over invalid or expired SSL certificates, AppScan will warn about mixed-mode security pages and neither will perform tests for some of the design flaws listed (#3, #4, #5) because no scanner in the world can do it.

Methodology Review:

On page 8 (of 10), the team gives very brief descriptions of their testing methodology. The lack of description of their testing methodology undermines significant portions of the research.

For "Break in the Chain of Trust", the paper says "Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL."
This is an arbitrary 'rule' that is not widely accepted by anyone including the banking industry. Many web pages are designed to act as portals that link to additional features. The 'rule' as quoted from the paper would force large bank organizations to consolidate all web resources on a single domain. While that may be nice, it simply isn't feasible for many businesses, especially ones with a large organization that includes multiple companies. Linking from http://bigbank.com/ to https://regionalbank.com/ is perfectly acceptable and should use proper SSL certificates and technology controls to help ensure the user ends up on the correct page, loaded directly by the browser.

The second design weakness studied was "Presenting Secure Login Options on Insecure Pages". The paper explains their methodology as ".. searched each web page for the string "login". If the string was found, we searched the same page for the strings "username" or "user id" or "password". If the string "login" and "username" or "user id" or "password" were found on the same page, we then verified whether the page was displayed using the HTTP protocol. If this was the case, we assumed this site contained the design flaw."

The key word here being 'assumed'. There are scenarios where the above methodology could easily generate a false positive. Even back in 2006, there were trivial ways to more easily determine the use of HTTPS with certainty.

The third design weakness studied was "Contact Information/Security Advice on Insecure Pages" and is perhaps the most technically lacking testing method one could perform:

    We searched each web page for the string "contact", "information", or "FAQ". If those strings where found, we checked whether the page was protected with SSL. If not, then we considered it to contain the design flaw.

The mere presence of these words on a site does not mean they are in the context of listing bank contact information.
While 'contact' will frequently link to a 'contact us' page, looking for 'information' or 'FAQ' is absurd.

In the fourth weakness, "Inadequate Policies for User IDs and Passwords", the team openly admits that their methodology may produce "optimistic" results and that they had no way to verify their results "without generating an account on the website". Heaven forbid they find a couple hundred students at the university to participate by logging into their personal banks and checking this in more detail. That extra effort would have made this portion the only positive and accurate test. From the paper:

    Our count could be optimistic; some sites may require strong passwords without stating an explicit policy. We had no obvious means of verifying this without generating an account on the website. Our count could also be conservative for sites that have poor policies resulting in weak passwords. Thus, our results for this design flaw should only be taken as a rough estimate of the extent of this particular problem.

As before, the fifth design weakness was extrapolated using a glorified 'grep' of the web page, analyzing proximity of a few keywords and then verifying the hits above an 85% threshold. And as before, this testing methodology makes huge assumptions about the wording on the page, does not positively account for HTML formatting that would impact the 'distance' between words (especially in pages with frames) and does not begin to test the functionality (see page 9, section 4.5).

Finally, the paper attempts to interpret the results of this poorly conceived and improperly tested study. Table 1 on page 10 says that 30% of the sites tested were affected by "Break in the chain of trust" but gets contradicted (clarified) in the first paragraph of the results:

    With automated tools, such as the one used in our study, false positives are possible. To the extent feasible, we manually examined the results to eliminate false positives from the reported data.
    Our break-in-chain-of-trust data had a significant number false positives. Our automated tool reported about 30% of the websites to potentially use third-party sites in an unsafe way, but only 17% were found to do so without giving some sort of notification to the user about that transition.

Having such an admittedly large margin of error on the results based on their own methodology should be an eye-opener in regards to the integrity and accuracy of the results. Despite this revelation, the next paragraph immediately cites the table with the 30% number and begins to make conclusions based on the bogus numbers. They go on to further explain their primary tool for gathering information (the wget tool) may not have retrieved all of the information needed to properly assess the site.

Despite the weak methodology, 44% error rate on at least one test and admitted errors, Prakash et al go on to say "We found that 76% of sites have at least one design flaw." Such statements are certainly not factual or even statistically correct based on the research presented.

- jericho (security curmudgeon)

[1] http://attrition.org/pipermail/dataloss/2008-July/002565.html
[2] http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
[3] http://osvdb.org/4078

From aprakash at eecs.umich.edu Fri Jul 25 15:54:00 2008
From: aprakash at eecs.umich.edu (Atul Prakash)
Date: Fri, 25 Jul 2008 11:54:00 -0400
Subject: [Dataloss] Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
In-Reply-To:
References:
Message-ID:

Thanks for your comments. You may want to see the copy of the presentation and the videos from our presentation today at the symposium we will be posting - plan is to do it tomorrow. Irrespective of the quibbles one may have with the study (and we disclose many limitations ourselves - that is the nature of research), the key point we want to make is that there is substantial scope for improvement in banks' web sites and we make specific recommendations.
What we are hoping is that bank sites will become both easier to use and more secure for their customers as a result of this study. We welcome other studies that look at more recent snapshots of bank sites. It would be great if there is a finding by others that the problems we observed have gone away.

We will post info on the presentation and videos at: http://bankwebsecurity.blogspot.com

-- Atul

On Fri, Jul 25, 2008 at 11:05 AM, security curmudgeon wrote:
>
>
> After being provided a link to the original paper and reading additional
> comments, I wanted to follow up on my original post [1] with more thoughts.
> If you want the slightly more technical review, search down to "methodology
> review". The paper in question is "Analyzing Websites for User-Visible
> Security Design Flaws" by Laura Falk, Atul Prakash and Kevin Borders [2]. I
> strongly encourage more security professionals to provide peer scrutiny to
> security research coming from universities.
>
> As was pointed out, the research was done in 2006 (testing in Nov/Dec) but
> the results are just now being published. Three people working on a study on
> 214 web sites should not take that long to publish. To wait so long in
> publishing research on a topic like this, one must question if it is
> responsible, or more to the point, relevant. In the world of high end custom
> banking applications, my experience consulting for such companies tells me
> that many will do periodic audits from third parties and that these sites
> get continuous improvements and changes every week. One of the web sites I
> use for personal banking has changed dramatically in the last 12 months,
> making huge changes to the functionality and presumably architecture,
> security and design. The results of a 2006 audit of that site are probably
> most irrelevant.
>
> As with most research papers, the lack of a publication date in the header is
> annoying.
> The abstract does not mention the 2006 to 2008 time gap between research and publication either. This time difference is seen almost immediately in the citation of Schechter et al, regarding people "disregarding SSL indicators". The current releases of several browsers, most notably IE7 and Firefox 3 make pretty big shifts in how the browser handles and warns about SSL indicators. Each browser is considerably more paranoid and will throw a warning over more discrepancies that each would have ignored in previous versions.
>
> On page 1, Prakash et al list the criteria for the categories of "design flaws" they examined. As expected and mentioned in my previous post, the design flaws they examined are not necessarily a vulnerability, and often times do not put customer data at risk or they require additional requisites to be exploitable. To look at one of their design flaws as an example, consider the following:
>
>     Presenting secure login options on insecure pages: Some sites present login forms that forward to a secure page but do not come from a secure page. This is problematic because an attacker could modify the insecure page to submit login credentials to an insecure destination.
>
> This summary of a design flaw is problematic in that it makes several assumptions and/or does not fully qualify the attack vector. First, to "modify" an insecure page being served from the bank to the user's client (browser), the attacker would have to compromise the server (making this attack moot) or conduct a Man-in-The-Middle (MiTM) attack. I assume the latter is meant since the implication is that an attacker could not effectively MiTM attack a page wrapped in encryption (SSL).
>
> It is interesting that the lack of SSL encryption is chosen as a design flaw with the notion that manipulation of an insecure page is the preferred attack vector. Such an attack is considerably more difficult to conduct compared to other threats (e.g. SQL Injection, Privilege Escalation) and would essentially target a single customer. Many large applications serving hundreds of thousands of users make this trade-off of mixed security pages for performance reasons, as the overhead of encrypting all traffic can be costly.
>
> Later in the paper when the team attempts to better define this design weakness, they say:
>
>     Consider the case where the customer service contact information for resetting passwords is provided on an insecure page. To compromise the system, an attacker only needs to spoof or modify the page, replacing the customer service phone numbers with bogus numbers.
>
> Web pages can be spoofed regardless of the transport, so the presence of SSL encryption means little to nothing. If his team is implying an attacker "only need [..] modify the page", that would require compromising the server or performing a MiTM attack. Again, this is not a trivial attack by any means and in the latter, would affect one customer.
>
> While this is only one of five design flaws Prakash's team looked for, consider the third example which is the exact same design weakness:
>
>     Contact information/security advice on insecure pages: Some sites host their security recommendations, contact information, and various other sensitive information about their site and company on insecure pages. This is dangerous because an attacker could forge the insecure page and present different recommendations and contact information.
>
> This is the exact same issue as #2 in the list but just makes the specification of the content on the page. Factor in that issue #1 will be more prevalent in large organizations but a non-issue in smaller ones and the criteria of five design weaknesses get cut down from five to four, with one that is likely not to be seen on some of the sites tested at all.
>
> The paper quickly summarizes their findings before going into detail, before concluding "Overall, only 24% of the sites were completely free of these design flaws, indicating that some of the flaws we identified are not widely understood, even among institutions where security is critical." This assumption and conclusion is dangerous and irresponsible. The implication that the presence of one or more of these flaws is indicative of the site not understanding the threat is presumptuous. With the example given above about the high overhead of encrypting all content, some of the "design flaws" may be business decisions and acceptable risk.
>
> Prakash et al begin to demonstrate their lack of understanding of client-server relationships and the transport mechanism for different protocols. The following paragraph from page 2 immediately calls his team's technical competence into question:
>
>     One of the most interesting design flaws we discovered is the presentation of FAQs and contact information on insecure pages. In the past, FAQs and contact information were usually sent through the mail to the customer. It is not generally recognized that this information should be protected. However, when this information is presented online, the user becomes vulnerable to social engineering and offline attacks as a result of the information being displayed on an insecure page.
>
> Prakash's contention that unencrypted content delivered from a web server to a browser is somehow different than when unencrypted content is delivered from a mail server to a mail reader is silly. If an attacker has the ability to MiTM attack a person, it isn't going to be limited to HTTP. Sending that contact information via mail will result in a user deleting it or maybe storing it in a folder. The first time the person needs to contact the bank, they would check the web page for the contact information.
> If said information is not available, it now further burdens the bank as they may call a generic number and get transferred around several times. This adds to customer frustration and causes bank employees to spend extra time dealing with a customer that could have called the correct number to begin with.
>
> Prakash's team goes on to make more assumptions or not fully understand the importance of how web clients behave. Without getting into a full discussion on the philosophy of e-commerce sites adding mechanisms to invalidate client-side vulnerabilities, the general notion that it should be done if feasible seems reasonable. In this context, feasible means that it doesn't overly burden the bank web site, does not impact performance and is generally transparent to the end user. One example of this is a Cross-frame spoofing issue that made it trivial for an attacker to use a phishing attack to MiTM attack MSIE 6 users [3]. Web sites can add a small bit of javascript to help ensure that browsers load their pages in a new frame and essentially mitigate this risk. This is a good example of how many banks were helping protect customers, even though the vulnerability was in the customer's software, not the bank web site. Prakash's team claims:
>
>     Our work is similar in that some of the flaws that we consider impair a user's ability to make correct security decisions. However, our work differs in that the cause is not poor or confusing client-side interfaces. Instead, the flaws originate in poor design or policy choices at the server that prevent or make it difficult for users to make correct choices from the perspective of securing their transactions.
>
> While a mismatched SSL certificate used to be virtually ignored in some cases, new versions of popular browsers now behave differently in how they alert users, giving them the ability to more easily make correct choices.
>
> Claiming that this research is not impacted by "poor or confusing client-side interfaces" is misleading. While the older browsers were not necessarily confusing, they handled some situations regarding establishing trust poorly.
>
> The next area of technology Prakash's team doesn't seem to fully understand is vulnerability scanners. In the paper his team says:
>
>     Network scanners, such as Nessus [11], and application-level website scanners, such as AppScan [17], can be used to analyze for many configuration and implementation bugs, such as use of unpatched services and vulnerability to cross-site scripting or SQL injection attacks. As far as we are aware, the design flaws that we examine are currently not identified by these scanners.
>
> Both Nessus and AppScan will identify several vulnerabilities that directly relate to the design flaws outlined. Both will give warning over invalid or expired SSL certificates, AppScan will warn about mixed-mode security pages and neither will perform tests for some of the design flaws listed (#3, #4, #5) because no scanner in the world can do it.
>
> Methodology Review:
>
> On page 8 (of 10), the team gives very brief descriptions of their testing methodology. The lack of description of their testing methodology undermines significant portions of the research. For "Break in the Chain of Trust", the paper says "Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL." This is an arbitrary 'rule' that is not widely accepted by anyone including the banking industry. Many web pages are designed to act as portals that link to additional features. The 'rule' as quoted from the paper would force large bank organizations to consolidate all web resources on a single domain.
> While that may be nice, it simply isn't feasible to many businesses, especially ones with a large organization that includes multiple companies. Linking from http://bigbank.com/ to https://regionalbank.com/ is perfectly acceptable and should use proper SSL certificates and technology controls to help ensure the user ends up on the correct page, loaded directly by the browser.
>
> The second design weakness studied was "Presenting Secure Login Options on Insecure Pages". The paper explains their methodology as ".. searched each web page for the string "login". If the string was found, we searched the same page for the strings "username" or "user id" or "password". If the string "login" and "username" or "user id" or "password" were found on the same page, we then verified whether the page was displayed using the HTTP protocol. If this was the case, we assumed this site contained the design flaw." The key word here being 'assumed'. There are scenarios where the above methodology could easily generate a false positive. Even back in 2006, there were trivial ways to more easily determine the use of HTTPS with certainty.
>
> The third design weakness studied was "Contact Information/Security Advice on Insecure Pages" and is perhaps the most technically lacking testing method one could perform:
>
>     We searched each web page for the string "contact", "information", or "FAQ". If those strings were found, we checked whether the page was protected with SSL. If not, then we considered it to contain the design flaw.
>
> The mere presence of these words on a site does not mean they are in the context of listing bank contact information. While 'contact' will frequently link to a 'contact us' page, looking for 'information' or 'FAQ' is absurd.
>
> In the fourth weakness, "Inadequate Policies for User IDs and Passwords", the team openly admits that their methodology may produce "optimistic" results and that they had no way to verify their results "without generating an account on the website". Heaven forbid they find a couple hundred students at the university to participate by logging into their personal banks and checking this in more detail. That extra effort would have made this portion the only positive and accurate test. From the paper:
>
>     Our count could be optimistic; some sites may require strong passwords without stating an explicit policy. We had no obvious means of verifying this without generating an account on the website. Our count could also be conservative for sites that have poor policies resulting in weak passwords. Thus, our results for this design flaw should only be taken as a rough estimate of the extent of this particular problem.
>
> As before, the fifth design weakness was extrapolated using a glorified 'grep' of the web page, analyzing proximity of a few keywords and then verifying the hits above an 85% threshold. And as before, this testing methodology makes huge assumptions about the wording on the page, does not positively account for HTML formatting that would impact the 'distance' between words (especially in pages with frames) and does not begin to test the functionality (see page 9, section 4.5).
>
> Finally, the paper attempts to interpret the results of this poorly conceived and improperly tested study. Table 1 on page 10 says that 30% of the sites tested were affected by "Break in the chain of trust" but gets contradicted (clarified) in the first paragraph of the results:
>
>     With automated tools, such as the one used in our study, false positives are possible. To the extent feasible, we manually examined the results to eliminate false positives from the reported data.
>
>     Our break-in-chain-of-trust data had a significant number of false positives. Our automated tool reported about 30% of the websites to potentially use third-party sites in an unsafe way, but only 17% were found to do so without giving some sort of notification to the user about that transition.
>
> Having such an admittedly large margin of error on the results based on their own methodology should be an eye-opener in regards to the integrity and accuracy of the results. Despite this revelation, the next paragraph immediately cites the table with the 30% number and begins to make conclusions based on the bogus numbers. They go on to further explain their primary tool for gathering information (the wget tool) may not have retrieved all of the information needed to properly assess the site.
>
> Despite the weak methodology, 44% error rate on at least one test and admitted errors, Prakash et al go on to say "We found that 76% of sites have at least one design flaw." Such statements are certainly not factual or even statistically correct based on the research presented.
>
> - jericho (security curmudgeon)
>
> [1] http://attrition.org/pipermail/dataloss/2008-July/002565.html
> [2] http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
> [3] http://osvdb.org/4078
>

From lyger at attrition.org Sat Jul 26 01:34:18 2008
From: lyger at attrition.org (lyger)
Date: Sat, 26 Jul 2008 01:34:18 +0000 (UTC)
Subject: [Dataloss] GA: Grady patients' medical records stolen
Message-ID:

http://www.ajc.com/metro/content/metro/atlanta/stories/2008/07/25/grady_records_theft.html

The FBI is investigating the theft of medical records of patients at Grady Memorial Hospital, officials said Friday.

Grady spokeswoman Denise Simpson provided few details on the thefts that were discovered late Thursday. She said it remains unknown how many patient records were stolen, which patients were affected or how the records were stolen.
The records pertained to recorded physician comments that Grady sent to a vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor. The missing records were kept on computer files.

Grady officials do not at this point believe the records contained patients' Social Security numbers or financial information such as credit card numbers, but Simpson emphasized that investigators are only starting their inquiry.

[...]

From lyger at attrition.org Sat Jul 26 16:55:40 2008
From: lyger at attrition.org (lyger)
Date: Sat, 26 Jul 2008 16:55:40 +0000 (UTC)
Subject: [Dataloss] Hackers Breach Connecticut College Library System
Message-ID:

http://www.courant.com/news/local/hc-cthack0726.artjul26,0,2016745.story

A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails, the school reported Friday.

The hackers broke into two servers holding data for a consortium of Connecticut College, Wesleyan University and Trinity College. The servers are located at the consortium's headquarters at Wesleyan.

The database includes the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.

[...]

From jericho at attrition.org Mon Jul 28 08:14:01 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Jul 2008 08:14:01 +0000 (UTC)
Subject: [Dataloss] Police: 9 Mil. Stolen Files Traded by Loan Ring
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://english.chosun.com/w21data/html/news/200807/200807280013.html

Digital Chosun Ilbo
July 28, 2008

Some 9 million files of Korean credit information stolen by a Chinese hacker ended up back in Korea and were illegally sold and distributed to Korean loan firms, police say.
The Seoul Metropolitan Police Agency's Cyber Crime Investigation Division on Sunday said it had requested an arrest warrant for a 42-year-old loan go-between, identified by his surname Chun, who has fled to China. Chun is charged with W2.7 billion in illegal gains (US$1=W1,010) earned through buying information stolen by a Chinese hacker from some 2,000 Korean bank, loan firm, Internet shopping mall and university computer networks, and then using the data to mediate deals for Korean loan sharks.

In addition to Chun, police arrested without detention six others including "Shin" (42), who ran a loan mediating company using illegally obtained credit information. A warrant was also requested for "Im" (29), who has also fled.

Police say the suspects bought 9 million files of stolen data from a Chinese-based hacker for W15 million in May 2006. The data include personal resident registration numbers, phone numbers and credit info. Using the data, the suspects allegedly called people who had previously borrowed loans or were thought to be in need of money and introduced them to loan sharks in the non-institutional financial market.

[...]

From hbrown at knology.net Mon Jul 28 15:03:38 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 28 Jul 2008 10:03:38 -0500
Subject: [Dataloss] Facebook publishes privacy information
Message-ID: <488DDFCA.4050503@knology.net>

ONLY Birthdates but...

http://www.securitypark.co.uk/security_article.asp?articleid=261853&Categoryid=1

Personal information accidentally publicly revealed on Facebook

Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. Earlier this month, the full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remained confidential.
According to Graham Cluley, senior technology consultant at Sophos, a security slip-up by the website during the process of a public beta test of its new design for members' profiles left birth date information exposed.

"I was shocked to see people's full date of birth revealed, even though I knew they had their privacy set up correctly to supposedly hide the information," said Cluley. "It's essential that users of social networks should have confidence that their privacy will be protected - and it's especially important with information like your date of birth, which can be a golden nugget for a committed identity thief."

Cluley says he informed Facebook as soon as he discovered the flaw, which now appears to have been fixed.

"It's good that Facebook fixed the problem - but can people feel confident that this kind of mistake won't happen again in future?" he asked. "My advice to Facebook users would be, even if your date of birth is set to be non-visible, change it to a made-up date in case this kind of blunder happens again. Facebook and other social networking websites need to be more careful about protecting their members' data, or risk losing users."

From hbrown at knology.net Mon Jul 28 18:59:14 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 28 Jul 2008 13:59:14 -0500
Subject: [Dataloss] ID theft ring in Texas Medical Clinics
Message-ID: <488E1702.2000801@knology.net>

From FortBendnow
http://tinyurl.com/575g9w

Local Medical Clinic Patients Among 500 Victimized In Major Identity Theft Ring

Sheriff's detectives are looking for a Fort Bend County medical clinic employee believed to have contributed patient information to a major area identity theft ring.

Tracy Spencer-Gilmore, formerly with Kelsey Seybold Clinic, was one of 38 people indicted over the past several weeks in connection with an identity theft ring in which more than 500 people in four area counties were victimized, the Sheriff's Office said in a statement Thursday.

[...]
The last of those indictments were handed down by a Fort Bend County grand jury earlier this month.

[...]

Detectives believe Dixon used personal information from more than 500 people in applying for more than 1,000 short-term "payday" loans valued at between $200 and $800 each, the Fort Bend Sheriff's Office said in a statement. Fraudulent loans are believed to have exceeded $230,000 in value.

[...]

From lyger at attrition.org Tue Jul 29 11:39:16 2008
From: lyger at attrition.org (lyger)
Date: Tue, 29 Jul 2008 11:39:16 +0000 (UTC)
Subject: [Dataloss] GA: Private medical data exposed
Message-ID:

http://www.ajc.com/news/content/news/stories/2008/07/29/bluecross.html?cxntnid=amn072908e

Georgia's largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that also raised concerns about potential identity theft.

Blue Cross and Blue Shield of Georgia said Monday that the erroneous mailings were primarily Explanation of Benefits (EOB) letters, which include the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed.

"A small percentage" of letters also contained the patient's Social Security numbers, said Cindy Sanders, a Blue Cross spokeswoman. The EOB forms were mailed to the addresses of other Blue Cross policyholders.

[...]

From lyger at attrition.org Tue Jul 29 11:42:31 2008
From: lyger at attrition.org (lyger)
Date: Tue, 29 Jul 2008 11:42:31 +0000 (UTC)
Subject: [Dataloss] MO: Stolen laptop had Busch employees' personal info
Message-ID:

http://www.dailypress.com/news/dp-local_busch_0729jul29,0,6332846.story

A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen from a St. Louis-area Anheuser-Busch office in June, according to a statement from the company.
The global beverage company, whose local properties include Busch Gardens Europe, Water Country and a brewery, recently mailed letters to an unspecified number of employees and ex-employees informing them of the break-in and offering a year of free credit reporting, Tim Farrell, the company's vice president for corporate human resources, said in a statement.

[...]

Anheuser-Busch's letter to employees indicates that information contained on the computer included employees' Social Security numbers, home addresses and marital status.

[...]

From lyger at attrition.org Wed Jul 30 11:27:42 2008
From: lyger at attrition.org (lyger)
Date: Wed, 30 Jul 2008 11:27:42 +0000 (UTC)
Subject: [Dataloss] Canada: Thieves steal Vancouver client information from TD bank
Message-ID:

http://www.canada.com/vancouversun/news/business/story.html?id=d11109e2-223a-4133-a931-6b46e869fbd3

TD Canada Trust officials waited three weeks this summer before telling customers their personal information might have been stolen from a Vancouver branch.

Bank representative Kelly Hechler confirmed Tuesday a piece of computer equipment stolen during a June 22 break-in at the 4597 West 10th Ave. branch contained confidential customer information.

"We first had to identify which customers may have been impacted," Hechler said in an interview.

[...]

The letter to customers said the stolen equipment may have contained names, addresses, birthdates, social insurance numbers, account numbers, bill payment details, transactions and balances.

[...]

From hbrown at knology.net Wed Jul 30 21:24:10 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 30 Jul 2008 16:24:10 -0500
Subject: [Dataloss] AZ city releases 300 SSN unintentionally
Message-ID: <4890DBFA.8010907@knology.net>

http://www.yumasun.com/news/city_43177___article.html/missent_numbers.html

City workers' Social Security numbers missent

[...]

BY JOYCE LOBECK, SUN STAFF WRITER

[...]
The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel earlier this week, The Sun learned Thursday.

However, the error was quickly taken care of and "every step was taken to delete, retract and protect the information," according to a letter sent to those employees who were affected.

The e-mail was quickly removed from employee computers by the city's technology department, said Greg Hyland, city spokesman. In some cases, he said, the information was removed so quickly, some recipients didn't even receive or open the e-mail.

"There is no evidence any of the information left the confines of the city walls," he said.

Hyland said the inadvertent e-mail contained the Social Security numbers of about 300 city employees out of the total 1,150 people who work for the city either full- or part-time.

As a precaution, letters were sent to employees whose information was in the e-mail, advising them that they might want to contact credit reporting agencies to put a fraud alert on their credit reports. The letters also contained information on what steps the employees can take if they think their personal information was being misused.

[...]

From hbrown at knology.net Thu Jul 31 10:45:39 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 31 Jul 2008 05:45:39 -0500
Subject: [Dataloss] dumpster diving in Folkston GA
Message-ID: <489197D3.2010607@knology.net>

from Redorbit.com
http://tinyurl.com/6f2owb

FOLKSTON - Residents combing through trash left at a closed physicians' office under renovation found a box of medical records this week.

[...]

State laws lay out clear guidelines for safeguarding medical records and notifying patients if physicians close their practices, officials said.

The records were apparently left in the office when physicians closed their practices there several years ago.

The unidentified woman who discovered the records turned them over to Capt. Kenny Jones, a deputy with the Charlton County Sheriff's Office, on Tuesday.

Jones said several doctors had offices in the building in the past and he didn't look at the records to determine whose office they came from. He delivered them to Charlton Memorial Hospital and asked officials there to determine what should be done with them.

Interim hospital administrator Dee McKrow said the 3-foot-square cardboard box was "heaping full" of records.

"We were asked to hold these records, even though they have nothing to do with the hospital," she said.

McKrow said she plans to look at the records in the coming days and consult with other hospital administrators to determine what to do with them.

[...]

From lyger at attrition.org Thu Jul 31 21:23:59 2008
From: lyger at attrition.org (lyger)
Date: Thu, 31 Jul 2008 21:23:59 +0000 (UTC)
Subject: [Dataloss] TX: Computer breach at UT Dallas may have exposed students' personal info
Message-ID:

http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/080108dnmetUTD.1f0bd372.html

A computer network attack at the University of Texas at Dallas may have exposed Social Security numbers and other personal information for 9,100 individuals, school officials said today.

A security breach in UTD's computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers, officials said.

[...]

"We are very sorry this happened," Jim Gary, UTD vice president and chief information officer, said in a prepared statement. "We would never seek to minimize the impact of such an event, but we find no indication that the information has been disclosed, disseminated or used to anyone's detriment. We are working to inform anyone who is potentially at risk."

[...]