Nevada Steps up to the Plate to Protect Consumer Data

A hassle for businesses – but kudos to the State of Nevada for taking real steps to protect consumer data…

New Data Privacy Laws Set For Firms

Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email.
Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers. Since she travels frequently, she often stores the emails on her iPhone.

But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.
After hearing about the new law, Ms. Granstedt started using email-encryption software, which requires her clients to enter a password to read her messages and send responses. It is a hassle, “but I can’t afford to be responsible for someone having their identity stolen,” she said.
Nevada is the first of several states adopting new laws that will force businesses — from hair stylists to hospitals — to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state’s residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.
While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.
That’s one reason the Massachusetts law has the attention of Andrew Speirs, information security officer for National Life Group, an insurance company based in Montpelier, Vt. “We do business in all 50 states so we’re definitely reviewing it,” he said. Mr. Speirs said that National Life has a program in place to protect data, but that the Massachusetts law “is a little more particular” than other state laws. He is checking his company’s program for any holes.
While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.
In Nevada, companies that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence. Those that don’t comply would be subject to unlimited civil penalties under the proposed enforcement plan, said James Earl, executive director of the state’s task force for technological crimes.

Some businesses have already started buying security technology in anticipation of the new laws. Papa Gino’s Inc., a Dedham, Mass.-based pizza and sandwich chain, began purchasing laptops with encrypted hard drives from Dell Inc. for its workers last year. Dell sells these computers for about $100 more than those with unencrypted drives. So far, the company has bought about 80 of the computers.
Papa Gino’s is also purchasing encryption software — which costs about $50 per computer — to protect files containing sensitive information on the 170 or so laptops that don’t have encrypted drives, said Chris Cahalin, manager of network operations for the company, which has 370 locations.
The new regulations mean “anybody in IT has to become a security guy,” he said.
Getting compliant with the new laws will require most businesses to open their wallets. According to Forrester Research, about 31% of large corporations and 22% of small- and medium-size firms currently have at least some laptops with encrypted hard drives, a way of protecting information on a computer if it is lost or stolen.
The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.
Partners HealthCare System Inc., a Boston-based hospital operator, will have to spend more than $100,000 to comply with the new regulations, said Karen Grant, the company’s chief privacy officer. Partners is looking into encryption for laptops and technology that can trace lost or stolen devices.
The company may need to reprioritize its current projects in order to get the new technology in place by January, said Ms. Grant. “It’s a burden,” she added, “but it’s something you have to do.”
The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.
The so-called breach-notification laws, which were enacted in more than 40 states, ended up doing little to tamp down security breaches.
So far this year, more than 500 organizations have publicly disclosed a breach, up from the 446 disclosed in all of 2007, according to the Identity Theft Resource Center, a San Diego nonprofit group. In a September study, researchers at Carnegie Mellon University found that notification laws only reduce identity theft by around 2%.
“Breach-notification laws deal with what happens after the horse leaves the barn,” said Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation. The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”
Write to Ben Worthen at ben.worthen@wsj.com



Identity Theft – the terrorist connection??

I found this article from the Wall Street Journal profoundly disturbing, but not surprising. I just wonder how much of the cash is being funnelled to the Hindu Kush and the terrorists hiding there?

European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case.

The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said.

Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd.

The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries including the U.S. Investigators haven’t pinpointed the culprits. Early estimates of the losses range from $50 million to $100 million, but the figure could grow, said the person close to British law enforcement.

The scheme uses untraceable devices inserted into credit-card readers that were made in China.

The devices selectively send account data by a wireless connection to computer servers in Lahore, Pakistan, and constantly change the pattern of theft so it is hard to detect, officials say.

“Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F. Brenner, the U.S. government’s top counterintelligence officer.

U.S. intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent al Qaeda.

The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from U.S. companies, including TJX Cos., the parent company of TJ Maxx.

In March, security officials at MasterCard Inc. saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities. Scotland Yard learned of the report and eventually connected it with the warning from MasterCard, according to the person close to British law enforcement.

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

A MasterCard spokesman declined to discuss details of the case but said safeguarding financial information is a top priority for the company.

There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.

So far, investigators have found hundreds of machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to British law enforcement.

A spokeswoman for Asda said, “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for Sainsbury denied its stores were hit by the scheme. A spokeswoman for Tesco said: “We’re aware that this was an issue for retailers.” She said Tesco tested its devices and is confident they are now secure.




Data Breaches – 2008 update

The Identity Theft Resource Center (ITRC), a nonprofit organization that tracks data breaches in the U.S., reported 516 incidents that resulted in a total of over 30 million personal records being compromised so far in 2008, of which 97.5% were electronically stored. The ITRC gathers the reports from various media sources, several notification lists and state agencies. They are also working to confirm the breaches with several other specialized groups and websites. All the incidents included in the report resulted in the loss of personal identifying information such as Social Security numbers, drivers’ license numbers and banking details, basically information that could facilitate identity theft.

The report defines five categories, banking/credit/financial, business, educational, government/military and medical/healthcare, based on the sectors where the incidents occurred. Incidents originating in the financial sector account for almost 57% of the lost records, while the largest number of incidents, 188 (36.4%), was recorded in the business sector. This suggests that financial institutions in particular, which usually handle a lot of personal information, should adopt more solid security policies.

The report also sorts the incidents based on the breach type. According to the statistics, 47% of the records were lost while being moved in 95 incidents, while 36% were lost by subcontracted companies. In addition, almost 22% of the records were compromised as a result of hacking activities and 18% were stolen by employees. A surprise is the low percentage (3%) of records that were accidentally exposed.

Another classification concerns the protection level of the compromised data. This proves again the lack of data-encryption practices inside organizations: the information was protected in this way in only 1.1% of the incidents. In almost 10% of the cases the data was password protected, while in 88% of the incidents the lost personal details were unprotected, and these account for the vast majority (92%) of the total number of compromised records.

The report analyzed only data gathered in the first eight months of 2008, and the total number of incidents already exceeds the number registered for the entire year 2007 (446). This could also be caused by the fact that many states have since introduced laws that require both public and private organizations to report such cases.

Even though in 2007 the number of compromised records was a lot bigger, 127 million, it is notable that in more than 40% of the breach events included in the 2008 report, such information was partially or completely unavailable. Because of this, ITRC advises that “the number of affected records is grossly incomplete and unusable for any statistic or research purpose.”



Massive Website Compromises Discovered – including USPS.GOV

This is scary – I have an account on USPS (but I NEVER let them get my CC#)

Several criminal gangs have acquired administrative log-in credentials for more than 200,000 Web sites — including the one used by the U.S. Postal Service — and have used the compromised domains to attack unsuspecting users’ PCs with a notorious hacker exploit kit, a researcher said today.

More than a month ago, Ian Amit, director of security research at Aladdin Knowledge Systems Inc., found and infiltrated a server belonging to a longtime customer of Neosploit, a hacker tool kit used by cybercriminals to launch exploits against browsers and popular Web software such as Apple Inc.’s QuickTime or Adobe Systems Inc.’s Adobe Reader.

On that server, Amit uncovered logs showing that two or three hacker gangs had contributed to a massive pool of Web site usernames and passwords. “We have counted more than 208,000 unique site credentials on the server,” said Amit, “and over 80,000 had been modified with malicious content.”

The site credentials were only the means to an end: The 80,000 modified sites were used as attack launchpads. Each served up exploit code provided by the Neosploit kit to any visitor running a Windows system that had not been fully patched.

By examining the server logs, Amit was able to identify the sites whose log-ins had been compromised; he is now working with law enforcement agencies in both the U.S. and overseas, as well as with organizations like the CERT Coordination Center, to tell site operators they need to change their administrative passwords, purge the malicious code and secure their sites.

The only compromised site he would name was the U.S. Postal Service’s at http://www.usps.gov. That site and others have been cleaned of the code that calls Neosploit down on unsuspecting visitors. Also on the list were sites for governments and Fortune 500 companies, universities and other businesses, including several unnamed weapons manufacturers. More than half of the affected sites belong to European companies and organizations. …



10 Signs of Compromise…

SANS put out a good article last week on signs that you’ve had your network or data compromised:

  1. Your logging server hasn’t logged any events, or you haven’t received alerts, in the last 12 hours
  2. Your FTP server/user hard drives etc. are suddenly out of disk space, or maybe logs increase in size more than your normal variation
  3. Your competition’s products look just like yours, but have a prettier color scheme
  4. Your customers start receiving spam on email addresses they used only to sign up for your service
  5. You get “machine acts funny” reports from users (i.e. windows closing by themselves, browser homepage changed, etc.)
  6. Someone needs help connecting to the company’s wireless access point, but you don’t have a wireless access point
  7. Complaints that software (payment processing software, web browser, etc.) keeps crashing
  8. Complaints from user(s) that passwords/logins aren’t working
  9. Computer systems running unusually slow
  10. Visitors to your website complain that they get redirected to another site or one that just doesn’t “look” right

Another one we’ve seen – spikes in CPU usage, usually from dictionary attacks or DoS attacks.
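An added example, not code from the SANS article or this blog, that turns three of these signs into automated checks: logging silence (sign 1), log growth beyond normal variation (sign 2) and the CPU spike mentioned above. The syslog lines, daily log sizes and CPU samples are constructed, and the 12-hour window, the 3-sigma threshold and the 2x CPU ratio are assumed starting points to tune per environment.

```python
# Added example, not code from the SANS article or this blog: three of the
# signs above as checks over constructed data.
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed syslog-style lines (classic syslog omits the year).
SAMPLE_LOG = """\
Oct 14 08:00:01 web01 sshd[1212]: Accepted publickey for deploy from 10.0.0.5
Oct 14 08:15:22 web01 nginx: 10.0.0.9 "GET /index.html" 200
Oct 14 09:02:10 web01 cron[2231]: (root) CMD (run-parts /etc/cron.hourly)
"""
SAMPLE_NOW = datetime(2008, 10, 15)  # constructed "current time" for the demo
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_event_times(text, year):
    """Pull the timestamp off each syslog line; the caller supplies the year
    because the syslog header has none."""
    times = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return times

def logging_silence(event_times, now, max_silent_hours=12.0):
    """Sign 1: nothing logged within the allowed window (12 hours is the
    article's figure; tune it per log source). No events at all also counts."""
    if not event_times:
        return True
    silent_hours = (now - max(event_times)).total_seconds() / 3600.0
    return silent_hours > max_silent_hours

def log_growth_anomaly(daily_sizes_mb, threshold=3.0):
    """Sign 2: today's log volume (last entry) sits more than `threshold`
    standard deviations above the baseline formed by the earlier days."""
    *baseline, today = daily_sizes_mb
    if len(baseline) < 2:
        raise ValueError("need at least two baseline days")
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:                      # perfectly flat baseline
        return today != mu
    return (today - mu) / sigma > threshold

def cpu_spike(samples_pct, window=5, threshold=2.0):
    """Extra sign from the post: a sustained CPU spike. The mean of the last
    `window` samples is compared with the mean of everything before, so a
    single hot sample is not enough (dictionary and DoS load is sustained)."""
    if len(samples_pct) <= window:
        raise ValueError("need more samples than the window")
    earlier, recent = samples_pct[:-window], samples_pct[-window:]
    base = max(mean(earlier), 1.0)      # guard an almost idle baseline
    return mean(recent) / base > threshold

def run_checks(now=SAMPLE_NOW):
    """Run all three checks against the constructed sample data."""
    times = parse_event_times(SAMPLE_LOG, now.year)
    return {
        "logging_silence": logging_silence(times, now),
        "log_growth": log_growth_anomaly([120, 118, 125, 122, 119, 121, 410]),
        "cpu_spike": cpu_spike([12, 15, 11, 14, 13, 12, 88, 91, 95, 93, 90]),
    }
```

On the constructed data all three checks fire; in practice each threshold needs a baseline measured on your own systems before it is worth alerting on.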

October is Cyber Security Awareness month, so hopefully other organizations will be publishing other useful tips and information.



Secret Service Camera Sold on Ebay??

What’s up with this?

An unnamed 28-year-old delivery man from Hemel Hempstead bought a Nikon Coolpix camera for £17 on eBay. But when he returned from his holiday and downloaded the contents of the camera he found pictures of rocket launchers, log-in details for the Secret Service’s encrypted remote computer network marked Top Secret and a hand-drawn diagram linking different, named al-Qaeda cells including individual names and occupations.

There were also details on Abdul al-Hadi al-Iraqi – a 46-year-old captured by the CIA in 2007 and currently in Guantanamo Bay.

The man went to Hemel Hempstead Police Station but the situation was treated as a joke, declared the Sun.

However, days later Special Branch officers arrived at the man’s home, shared with his mum, and seized the camera and his computer. Officers also told the family not to speak to the media.

Journalist and author Neil Doyle told the paper: “These are MI6 documents relating to an operation against al-Qaeda insurgents in Iraq. It’s jaw-dropping they got into the public domain.

“Not only do they divulge secrets about operations, operating systems and previously unheard-of MI6 departments, but they could put lives at risk.”

Yesterday it was apparently decided to charge the civil servant who left top secret documents on a train from Waterloo with offences against the Official Secrets Act.

Although the CPS said it had given its advice to the Metropolitan Police, there is no official statement from the police on whether charges will be brought.

I’m a little confused as to whether charges were brought against the hapless deliveryman or not, but this is nuts. It DOES not seem to be a joke. I’m going to wait and see if this turns out to be some sort of hoax.



Limiting damage during a data breach

CSO has an excellent article on how to limit damage during a data breach.  Included are these excellent steps:

  1. Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is not the time to play Russian roulette with the 31 percent of your customer base who are ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
  2. Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
  3. Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinant in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
  4. Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully tread the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
  5. Act as an educator. Although you are the bearer of bad news, you also have the opportunity to be the bearer of solutions. Lay out for your customers the next steps they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
  6. Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.

Hopefully, companies will take note…


