Archive for May, 2008

30 May 08

Snake vs. Snake

As a fan of spy vs. spy, I thought this article was appropriate for a Friday:

http://www.theregister.co.uk/2008/05/29/brown_snake_attack/

“I come from the land downunder………….”

I’ll say………….

30 May 08

NY – The Only State Willing to Protect Consumers??

Well – AG Cuomo of NY is in the news again – he successfully stopped private information from being illegally sold by the company USSearch.com:

Attorney General Andrew M. Cuomo today announced his office has stopped a leading Internet company dealing in personal information from illegally selling the private credit bureau data of thousands of consumers across the nation.

Under the terms of the settlement, online data broker USSearch.com has also paid $250,000 in penalties and costs for violating federal laws designed to prohibit such abuses.

“Companies with access to a consumer’s private information must do all they can to keep it private,” said Attorney General Cuomo. “With the crime of identity theft running rampant across the globe, it is critical that personal data, including sensitive credit bureau information, not be readily available to anyone with Internet access. This settlement puts a stop to the practice that US Search was engaging in and requires penalties for breaking the law.”…..

A one-year investigation by the Attorney General’s Office uncovered that the company illegally accessed and sold consumer data compiled by these agencies as an “extra benefit” to business clients by falsely claiming to have a lawful purpose for the data. The data included sensitive information including consumers’ names, aliases, current/prior addresses, telephone numbers and birth dates. The company also accessed Social Security numbers as a way to verify the sensitive information.

In total, US Search illegally obtained private consumer information more than 2,385 times. More so, each request often resulted in additional information on the individual’s associates, relatives and/or neighbors, making the number of individuals whose information was wrongfully obtained much higher. All of the information requests were made unbeknownst to the consumer and US Search did not maintain records of individuals whose information was accessed.

Good for NY.  I wish more states would step up to the plate, like both NY and CT have done recently.

http://www.oag.state.ny.us/press/2008/may/may20a_08.html

28 May 08

Dell Found Guilty of Fraud in NY………

Oh!!  Looks like the chickens are coming home to roost for old Dell:

A New York state judge says Dell and its finance wing are guilty of making false promises to stir up more sales.

State Supreme Court Justice Joseph Teresi ruled the #2 computer maker repeatedly engaged in fraud, deceptive advertising, and failure to honor its warranties, service contracts, and rebates…

“For too long at Dell the promise of customer service was a bait and switch that left thousands of people paying for essentially no service at all,” said Cuomo in a statement today. “We have won an important victory that will force Dell to live up to its responsibilities and pay back its customers for profits that were pocketed but not deserved.”

Justice Teresi ruled that Dell did not give customers the technical support that they were entitled to under warranty or service contract. Dell’s bag of tricks included failing to provide on-site repair to customers who purchased the service; pressuring customers with onsite service contracts to repair the boxes themselves; and discouraging customers from seeking technical support with lengthy wait times, frequent transfers and disconnections. Also, Dell had an “alarming pattern” of failing to provide rebates that were promised.

Justice Teresi determined Dell frequently lured customers to purchase products with “no interest” or “no payment” financing promotions — for which even those with very good credit scores were denied. Dell then often failed to clearly inform the customers they were unqualified for the promotional terms, leaving them to unknowingly buy a system at high interest rates.

I’m so glad that someone is taking Dell to task for their service and advertising issues.  Their customer service has really gone downhill at the commercial level; they have been just awful, so I can only imagine what the consumer must be going through.  I hope this will give them the impetus to CLEAN UP THEIR ACT.

http://www.theregister.co.uk/2008/05/27/new_york_judge_rules_against_dell_fraud/

27 May 08

FBI Hacked in 6 HOURS?? Outstanding Article in CW………

Computerworld has an outstanding article this morning at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9087441&pageNumber=1

What I found to be of interest is in the last few paragraphs:

Motivating the insufficiently alarmed

It took some very public scandals, including a takedown of the government’s Web site and published descriptions of vulnerabilities in the voter registration site, for the Commonwealth of Pennsylvania’s IT team to be able to free up the budget for penetration-testing tools and beef up security for its Web development practices.

“In government, there’s a big push for e-government and that’s great because we should be giving citizens access to resources. But there’s not enough testing of these new Web applications before they are deployed, and yet they have a huge door called Port 80 that’s not secure,” says Robert Maley, the commonwealth’s chief information security officer.

Maley, who came onboard almost three years ago, says he had been pushing for increased penetration testing of all systems but was told the technology and human resources required were too expensive. He was able to squeak a few dollars out of the budget to buy an automated tool and train his team to run it against the government’s 80,000 endpoints and 100,000 business partner connections.

But earlier this year, five portal Web sites were breached with a SQL injection launched from China. The government’s main Web site was down for six hours, making local and national headlines. Maley used his penetration-testing tool to do a post-mortem on the attack and shore up any other holes. Then, a month ago, the commonwealth came under fire again when someone published a vulnerability in the voter registration database that allowed citizen data to be viewed.

“That bad press was the final thing I needed to eliminate any pushback and to create a sea change in the culture here,” he says. Although there is still not enough money to bring in outside consultants, Maley is working closely with his own security team to test application code in development and in production and to train developers on security practices. “We have checks and balances on everything we do now,” he says; “for instance, before a site goes live, we do penetration testing against the hardware, software, operating system and application itself.”

Why is it that it takes a public scandal to get business and/or governments to use a little common sense?

26 May 08

Open door policies and security issues

I know it’s probably too much to hope – but I HOPE that TJX will realize that their handling of Cryptic_mauler has not worked out so well for them from a PR perspective.  You would think that a company like TJX would make sure that EVERY EMPLOYEE knew they could report security violations to the company’s CSO or his/her group without fear of reprisal AND that every employee knows how to contact that individual or group.  We have that policy in my company and it works quite well.  Security issues should be exempt from the “chain of command” mentality, as very often it’s that same chain that covers up problems.  They do this either because they don’t want to look bad to their superiors, or they don’t want to be the messenger of bad news.

25 May 08

One of my bizarre experiences as a whistleblower………Russell Crowe?

During the three years I spent in whistleblower litigation I had to jump through a lot of hoops, as the defendant attorney’s strategy was to harass me to the point that I would drop the case.  Or it could have been as a billable-hour-blank-check guy he was just milking them for every penny he could get. Or both. Whatever.  Anyway, I had to spend 3 days in depositions (yes, that’s 24 hours of being asked the same stupid questions over and over again), produce thousands of pages of documents including my calendars which took hours of my time etc.  Anyway, this lawyer was pretty goofy.  One afternoon during a deposition he triumphantly threw pictures of Russell Crowe and Al Pacino in front of me, and demanded that I confess to secretly plotting with Hollywood moguls to make a film like “The Insider” – the movie about Big Tobacco whistleblower Jeffrey Wigand (with RC & AP).  My answer was, “I saw Gladiator 5 times – does that count?  I’ll watch anything with Russell Crowe in it.”  Of course he got pretty mad at that point which was a good thing. At trial the pictures showed up again, and the court reporter got excited because she thought Russell Crowe was going to be a witness.  I WISH!!

The ONLY thing I wanted during this whole process was for the defendant to address their data security problems.  But NOOOOO! that was not an option. It makes much more sense to pay a goofy hired gun a half million dollars or so to defend something that probably could have been settled over a cup of coffee. That’s Corporate America for you!!

24 May 08

Data security problems – Whistleblowing 101

I was extremely disappointed to see at http://ha.ckers.org/blog/20080522/tjx-whistle-blower/ that an employee of TJX (CrYpTiC_MauleR) had been tracked down and fired for posting some comments about TJX’s data security flaws (TJX of HUGE SECURITY BREACH fame).  As an information technology whistleblower that just finished with three years of whistleblower litigation against my former employer for data security problems, I thought it would be useful to post to the IT community how one goes about blowing the whistle in a way that gives you some chance of a successful outcome.

First off, this is not a path I would recommend to anyone unless you have a completely ethical reason for doing so, have a backbone of steel, and a very thick skin (don’t think you will make a million $$ in other words).  In my case, the security problems were rampant, auditors were not told the truth, and I was in the direct path to be blamed if there was a data breach (I was the company’s database administrator, managing security for their databases with CC#s, SS#s, etc.).

Secondly – something all IT people in the USA need to be aware of; we don’t have a lot of protections when it comes to whistle blowing.  There are basically two routes if you work in private industry (federal and state-employed whistleblowers have different avenues):  Sarbanes-Oxley (SOX) whistleblower protection for publicly traded companies (see fact sheet at http://www.osha.gov/Publications/osha-factsheet-sox-act.pdf)  and state “public policy” or whistleblower laws, for companies that aren’t publicly traded.  State laws are usually weak, and SOX whistleblower protection is pretty much a joke, but there is a way to negotiate them and possibly get a positive change as LONG AS YOU FOLLOW THE RULES (fyi – these rules pretty much apply to all forms of whistle blowing):

  1. Know the law as it pertains to data security. Publicly traded companies are covered by SOX (internal controls rules CAN and SHOULD cover data security under the contractual obligations with VISA), financial institutions are covered by the Gramm-Leach-Bliley Act, and other OCC rules and regs. GLBA covers privacy data at a federal level. Nearly all states have some sort of laws for privacy and financial account protection these days and nearly all of them are similar to California SB 1386. They can be looked up online – good resources are www.privacyrights.org and www.consumersunion.org.
  2. If you find something that the company is doing that is not in line with these laws, document what you’ve found and tell your supervisor. IT IS CRITICAL TO STATE WHICH LAW YOU THINK IS BEING VIOLATED AT THIS TIME – THE EXACT LAW AND DO IT IN WRITING – EMAIL IS FINE. KEEP A HARD COPY. Once you do this, you have entered the protected activity phase, which means that the company has to tread carefully from that point on as far as disciplinary action etc.
  3. If you have gone to your supervisor 3 times and nothing has happened, escalate to his boss and/or the Information Security Department. I generally would recommend telling your supervisor that you intend to do this. Again – document everything and ALWAYS spell out which law is being broken.
  4. If you STILL see no change I would see if the company has an Internal Audit department and I would find out how to contact the Audit Committee (for publicly traded companies). At this point I would also consider going to Human Resources just as a CYA. But remember, HR is NOT YOUR FRIEND – IT IS GUARANTEED THAT WHATEVER YOU TELL THEM, THEY ARE GOING TO TELL YOUR BOSS. Forward your concern to the head of Internal Audit, and also the company’s Audit Committee. For non-publicly traded companies you might not have this option. ALWAYS KEEP THE DOCUMENTATION ON ALL THIS – and IF YOUR STATE LAW ALLOWS ONE-SIDED APPROVAL TO RECORD CONVERSATIONS I WOULD START CARRYING A SMALL RECORDER AND USING IT – ESPECIALLY WITH ANY DEALINGS WITH HUMAN RESOURCES. Cloak and dagger? Unethical? Against company policy?  Will get you fired if they find out? Probably all of the above – but this was one of my biggest regrets – not doing it.  If the judge and jury had heard the way that I was treated, it would have made all the difference in the world.
  5. At this point, the company is a) going to do nothing and hope you shut up and/or go away, b) start working to fix the problem, c) start a harassment campaign to get you to quit or d) fire you. If you start experiencing any evidence of hostility, change in schedules or job functions, changes in responsibilities, shunning etc DOCUMENT EVERYTHING. Look up the definition of hostile work environment and if you start experiencing any of this – KEEP A JOURNAL. But, remember, journals are not admissible as evidence, but can be used to refresh your memory. EMAILS are the main evidence these days, so document, document, document and ALWAYS BE PROFESSIONAL.
  6. If things reach this point and you STILL want to try to get the problem(s) fixed it’s time to consider going outside the company for a solution. Read the OSHA documentation for SOX whistleblowing listed above, if your company is not covered by SOX contact your attorney general’s office in your state to find out what to do (that may get you nowhere – be prepared for that).  You can try contacting the Federal Trade Commission for data security violations in regard to credit card numbers, but as they have a 1.8% enforcement rate (after data breaches occur) I’m not sure I would bother.  VISA/MC have no method of contact to my knowledge – although they are the ones that do enforcement of the PCI DSS.   Also – now is the time to start getting the documentation you need together, including proof of wrongdoing and putting it somewhere for safekeeping (unless your company is the firing type – then I’d start getting the docs out from the beginning). Please be advised that this gets on shaky ground because of non-disclosure agreements, but as long as you intend to use the documentation ONLY for purposes of an outside investigation you should be OK. Don’t hand it over to the press in other words, or post it online.
  7. At this point you can still continue to do things on your own, but I would recommend contacting an attorney who specializes in whistleblower law – a good resource can be found at the Government Accountability Project, www.whistleblower.org.

Sounds like a lot of work and hassle – you bet it is.  But, I can say FROM EXPERIENCE that this is about the only way to effect a positive change from whistle blower actions.  Hopefully, everything can be solved in-house and you will never have to go outside the company to try to solve the problem.

FYI – I lost my SOX case because the federal judge said that as a database administrator (rather than an accountant) I could not have had a “reasonable belief” that the company was breaking the law, although all the evidence that was produced showed that they were CLEARLY in violation of many state and federal laws.  The judge’s decision was totally bogus of course, and I think he regretted it after he saw all the evidence (case had a lot of “moving parts”, evidence came up in a jury trial on a state whistleblower claim).  But, if I had followed all the steps I had outlined above, I would have had a better chance of winning.  

Also be prepared for the “deer in the headlights” look whenever you start talking about IT security to anyone who is not in IT.  Learn how to speak in layman’s terms.

Nell Walton, CISA, CISSP

24 May 08

New Gartner Study Reveals Most Data Breaches Undisclosed

Confirming suspicions I have had for years, a recent Gartner study has revealed that while many retailers suspect they have data breaches, only a few actually report them as required by law.

While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.

In a new study based on interviews with 50 U.S. retailers, Gartner found that 21 of them were certain they had had a data breach. However, just three of the retailers had disclosed the incident to the public. …

Gartner counted phishing attacks and data compromises at third parties as breaches, along with lost or stolen laptops, insider breaches and computer hacking attacks.

Litan said four of the retailers had been fined by credit card companies for not meeting Payment Card Industry (PCI) compliance requirements. Another 11 were threatened with fines for noncompliance.

Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20 percent of all incidents, Gartner said.

Good work by Gartner for staying on top of this issue, something the FTC is NOT doing with their 1.8% enforcement rate for companies that have reported data breaches.  And this is just the retailers – what about the “service providers” i.e. all entities that may store credit card information but are not retailers…….I would be guessing that the percentages are the same if not lower.

http://www.pcworld.com/businesscenter/article/146278/most_retailer_breaches_are_not_disclosed_gartner_says.html

23 May 08

Subpoenas………..3 months after the data was stolen

Well, another day, another data breach.  This time it was the ubiquitous loss of backup tapes (unencrypted of course) again, and YET again, we have a 3 month delay before any notification was given.  Kudos to Connecticut Governor M. Jodi Rell who had CT Consumer Protection Commissioner Jerry Farrell Jr. issue subpoenas to Bank of New York Mellon Corp.  The data was lost when the tapes were being transferred on behalf of another bank, People’s United Bank of Bridgeport.

The data – lost when BNY Mellon was transferring the information on behalf of People’s – includes names, addresses, dates of birth and Social Security numbers. It was lost in late February.

Under Connecticut state law, banks are required to immediately notify customers when such information is lost. Yet BNY Mellon did not notify People’s of the breach until March 18, at which time it said information on about 170 shareholders was missing. It was not until May 13 – some eight weeks later – that BNY Mellon advised People’s that information on some 556,000 depositors was missing.

“The disastrous effects of identity theft are virtually instantaneous in today’s computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation,” Governor Rell said. “For a major financial institution such as Bank of New York to lose such a massive amount of customer data is utterly unacceptable. To delay reporting the loss to appropriate authorities and potential victims for more than three months is not only irresponsible but shows a callous disregard for customers.”

Callous disregard indeed, not just to customers but to the public at large.  What were they thinking?  We can only hope that even though the backup tapes were not encrypted, they were at least password protected, with STRONG PASSWORDS.

An excellent blog on the issue:

http://www.informationweek.com/blog/main/archives/2008/05/connecticut_att.html;jsessionid=QTA35MVD0MKLKQSNDLPCKH0CJUNN2JVN#community

News article

http://www.norwalkplus.com/nwk/information/nwsnwk/publish/News_1/Consumer_protection_to_probe_lag_between_data_theft_notification_of_bank_customers1408.shtml

21 May 08

Another Breach………..another lawsuit……….when will it end??

Well, here’s YET ANOTHER security breach lawsuit.  Allowing employees to mislead borrowers about interest rates is not enough; they also allowed employees to walk out with customers’ private data:

The lawsuit, filed in U.S. District Court in Manhattan on Friday, alleges that the Charlotte mortgage referral company failed to adequately safeguard confidential customer information contained in its customer loan request forms and that data was accessed and stolen by several LendingTree employees.

“As a result of defendant’s actions, millions of its customers have had their personal confidential information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and have otherwise suffered damages,” the lawsuit said.

And again, as you read further into the article, it just gets better and better:

The lawsuit was filed on behalf of Bronx resident Marvin Garcia by the law firm Meiselman, Denlea, Packman, Carton & Eberz PC in White Plains, N.Y. It is seeking class-action status on behalf of all persons who submitted loan request forms to LendingTree between Jan. 1, 2006, and May 1, 2008.

The Privacy Rights website states:

Outside loan companies may have accessed information, including Social Security numbers, between October 2006 and early 2008 and used it to market their own mortgages to LendingTree customers. Several former employees may have shared confidential passwords with “a handful” of lenders that were not approved by the company.

So, for 2 years Lendingtree employees have been running in and out with customer information?  OMG!!  I think I may have applied with them at some time or another!!  What to do??????

http://money.cnn.com/news/newsfeeds/articles/djf500/200805201751DOWJONESDJONLINE000740_FORTUNE5.htm