
Computers & Security (February) PDF

101 Pages·2007·3.301 MB·English


www.elsevier.com/locate/cose

Number 1, February 2007

Contents

What infosec changes are likely to result from the recent US election? (E. E. Schultz) 1
Security views 3
Biometric attack vectors and defences (C. Roberts) 14
Information Lifecycle Security Risk Assessment: A tool for closing security gaps (R. Bernard) 26
Decoding digital rights management (D. Bradbury) 31
IFIP workshop – Information security culture (S. Furnell) 35
Value-focused assessment of ICT security awareness in an academic environment (L. Drevin, H. A. Kruger and T. Steyn) 36
Bridging the gap between general management and technicians – A case study on ICT security in a developing country (J. K. Bakari, C. N. Tarimo, L. Yngström, C. Magnusson and S. Kowalski) 44
Organisational security culture: Extending the end-user perspective (A. B. Ruighaver, S. B. Maynard and S. Chang) 56
A video game for cyber security training and awareness (B. D. Cone, C. E. Irvine, M. F. Thompson and T. D. Nguyen) 63
Phishing for user security awareness (R. C. Dodge, C. Carver and A. J. Ferguson) 73
A privacy-preserving clustering approach toward secure and effective data analysis for business collaboration (S. R. M. Oliveira and O. R. Zaïane) 81
Simple three-party key exchange protocol (R. Lu and Z. Cao) 94

computers & security 26 (2007) 1–2

From the Editor-in-Chief

What infosec changes are likely to result from the recent US election?

In the recent national election in the US the Democrats ended up with control of both branches of Congress. Widespread dissatisfaction with the war in Iraq coupled with concern over corruption by Republican legislators fuelled the Democrats' victory.

Many changes are likely to result from the recent election. The Democrats are, for example, now in a position to control and very possibly to limit funding for the Iraqi war. National economic and environmental issues are likely to rise to the forefront. Efforts to raise the national minimum wage are a certainty. The effect of the Democratic victory on infosec is, however, much less certain. Nevertheless, changes in two major areas, national legislation and the practice of infosec within the federal government, are likely to occur.

The first six years of total Republican control of the Executive and Legislative branches of the US government have been marked by little if any progress in passing computer crime-related legislation. Many computer crime-related bills have been considered in the House and in the Senate, but few of them have gone very far. The CAN-SPAM Act, a statute that represents only a minor step forward in the war against computer crime, is one of the few exceptions. Federal laws that prohibit the introduction of spyware into systems, that require suitable levels of protection for personal and financial information, regardless of whether it is stored or transmitted, and that require prompt notification of potentially affected individuals when data security breaches occur are most needed. The Republican Party's main agenda has been fighting terrorism; fighting computer crime has paled in importance. Additionally, this Party has the reputation of being pro-business. Legislation that requires businesses to implement additional security-related controls generally results in extra costs to businesses, something that has inhibited passage of security-related legislation that requires compliance in the business sector. Additionally, the Republican Party tends to eschew big government, i.e., government that continually interferes with and regulates organizations and individuals.

With the proverbial passing of the baton to the Democrats, more concerted efforts to pass national computer-crime related legislation are likely to occur. Additionally, legislation designed to protect individuals against identity theft and spyware is more likely to pass. Democratic Senator Diane Feinstein is, for example, more likely to be successful in her effort to pass legislation that requires notification of potentially affected individuals if data security breaches occur. At the same time, however, it is also important to not be too optimistic; the Democrats are in reality unlikely to get too far in their legislative efforts. The Democrats hold only a narrow lead in both branches of Congress, after all, and the Republican President has veto power over legislation. A two-thirds vote in the Senate is required to override a veto.

The second area to consider is the practice of infosec within federal departments and agencies. Whereas not much progress in federal anti-computer crime regulation occurred while the Republicans controlled the Legislative and Executive Branches of the government, the opposite is true as far as the practice of infosec within government circles goes. The OMB, GAO, and several Congressional committees exerted great amounts of pressure on departments and agencies to improve their security practices. This strategy was by all appearances mostly successful. Although government departments and agencies did not exactly serve as best practice models, they improved their security practices, as indicated by the generally higher marks that Congressional oversight committees gave them over time. Republicans also led the way in getting the Federal Information Systems Management Act (FISMA) passed.

The "bottom line" is that changes will almost certainly occur as the result of the Democrats' gaining control of Congress. Some of these changes are likely to be infosec related. A good start would be to pass legislation designed to protect individuals against identity theft, a risk that has been growing disproportionately over the years. Whether or not significant changes in infosec legislation and other areas will occur depends, however, on whether the Democrats can move forward despite the presence of numerous significant obstacles, one of the greatest of which is whether the Democrats can and will create a definitive agenda. And if and when such an agenda is created, the next question is whether or not it will include sufficient attention to infosec-related issues.

The opinions in this editorial are entirely those of the author, not of HighTower Software. They do not in any way represent HighTower Software's position on the issues that are addressed.

Dr. E. Eugene Schultz, CISSP, CISM
HighTower Software
26970 Aliso Viejo Parkway, CA 92656, USA
E-mail address: [email protected]

0167-4048/$ – see front matter © 2006 Published by Elsevier Ltd.
doi:10.1016/j.cose.2006.12.007

computers & security 26 (2007) 3–13

Security views

1. Malware update

Up to 10,000 McDonalds customers in Japan received Flash MP3 players infected with a mutation of the QQpass spyware Trojan horse program. The MP3 players, given by McDonalds as prizes, were preloaded with 10 songs. The Trojan is capable of stealing passwords and other sensitive information. McDonalds has made an apology, set up an assistance line to help in finding and recalling the infected MP3 players, and distributed procedures for deleting the QQpass Trojan.

A number of video iPods purchased after September 12 last year have been infected with the RavMovE.exe worm (which is also called the W32/Rjump worm). This worm infects Windows PCs and connected external drives when iPods are connected to infected computing systems. It also creates a backdoor on devices that it infects. Apple has not recalled infected iPods; up-to-date anti-virus signatures are effective in identifying and eradicating this worm. RavMovE.exe does not infect iPods or computers running Mac OS.

The SpamThru Trojan horse installs a pirated copy of anti-virus software on Windows systems that it infects. Once it has infected a system, it starts scanning the computer and erases any other malware during the next reboot in an attempt to monopolize computer resources. The Trojan, which is used to send spam for a "pump-and-dump" stock scam, uses peer-to-peer technology to communicate. If the control server is shut down, the individual who perpetrates a spam attack must merely control one peer to inform the others of the location of a new control server.

Some postings of the Google Video email group may have been infected by the W32/Kasper.A worm. The postings have apparently been removed, but Google still recommends that anyone who may possibly have an infected system due to interacting with this group run anti-virus software. Google has posted an apology on its Web site and has stated that it has implemented measures designed to preclude such infections from happening again.

The first instance of Mac OS X spyware has surfaced. This proof-of-concept code could potentially be installed without users' awareness. The program, known as iAdware, installs itself as a System Library. It does not exploit any vulnerability per se, but instead takes advantage of a feature in Mac OS X that enables it to execute every time an application is loaded.

W32.Spybot.SCYR is spreading. It exploits six vulnerabilities, five of which are in Microsoft products and one of which is in Symantec's anti-virus tool. W32.Spybot.SCYR has infected numerous computers at universities in the US and Australia. Network connections to port 2967, which also occur when Symantec software is run, may indicate an infection by this Trojan. Patches for all of the vulnerabilities exploited by this piece of malware are available.

A few interesting new forms of malware have surfaced since the last issue of Computers and Security, yet once again nothing radically new in the malware arena has occurred. Although this would superficially lead one to conclude that viruses, worms and Trojan horse programs are becoming less of a problem, this unfortunately is not the case. Malware is still very much alive and well; it has simply become much more clandestine.

2. Update in the war against cybercrime

Four Russians have received prison sentences of eight years for their involvement in an extortion scheme. The perpetrators threatened to launch distributed denial-of-service (DDoS) attacks against on-line bookies and casinos in the UK if they did not pay the perpetrators a specific amount of money. Each of the recently sentenced individuals has also been fined 100,000 rubles. As many as nine persons may have participated in the extortion scheme, which crossed several countries' borders. The sentences for these crimes are the harshest ever for Russian computer crime.

Daewoo Hanel Electronic Corporation, an affiliate of Daewoo Corporation in Vietnam, must pay 15 million dong for using pirated copies of Microsoft Office and Windows, AutoCAD and other software. Vietnam's Ministry of Culture and Information announced that the pirated software was discovered during a recent unannounced inspection of the company's software. A Daewoo Hanel representative said that no one from this company knew that the software was illegal; it was pre-installed on systems that this company bought.

Parkev Krmoian of California has been charged with pilfering money from bank accounts of Dollar Tree customers in California and Oregon, allegedly using gift cards that were reprogrammed as ATM cards to steal money from these accounts. Law enforcement officers are also trying to find an additional person who appeared in surveillance photos taken at an ATM where the reprogrammed cards were used.

The US Securities and Exchange Commission (SEC) says that a dramatic increase in the number of attacks against on-line brokerage accounts such as Ameritrade and E-Trade accounts has been occurring. The individuals who are perpetrating these attacks are deploying keystroke loggers and spyware to illegally access accounts of unwary customers, steal money from these accounts, and/or to initiate unauthorized trades. Organized crime rings in Eastern Europe, particularly in the Ukraine, and Russia, appear to be responsible for these attacks. E-Trade losses in connection with these attacks have totaled more than USD 18 million during the last three months. Ameritrade says that it will compensate customers who lose money because of on-line fraud. Canada's Investment Dealers Association has been seeing similar attacks.

Illegal computer-related activity by high school students is increasing. Some North Branch, Minnesota high school students have been suspended for allegedly gaining unauthorized access to student and staff PIN numbers that are used in the school cafeteria and media center. Other student information was not illegally accessed, and no indications exist that any of the information that the accused students allegedly obtained was misused. The students are unlikely to face arrest. A computer lab manager for the high school found the security breach while cleaning up files. New PINs will be issued. This incident is similar to one in Janesville, Wisconsin, where a high school student allegedly gained unauthorized access to the school's computer system, causing troubles that resulted in a substantial loss of class and work time for the whole school district. The student was expelled. No evidence that any personal information has been compromised or that passwords, grades or student records were changed exists. Finally, a joint investigation by the Broward County, Florida School District and the Broward County Sheriff's Office is underway to determine if a student illegally accessed a Cooper City High School computer and altered grades. The possibility that attendance and community service records were also changed is also being investigated. Misuse of district technology constitutes a felony in Broward County; the perpetrator in this incident could thus face criminal charges.

Mathew Bunning, the former Australian drug squad detective, has received a jail sentence of nearly seven years for his having provided a drug dealer with information about police investigations in return for gifts. He ran a password cracker to obtain his colleagues' passwords, which he used to gain access to the information provided to the drug dealer. He had become morphine-addicted after a back injury.

Nine individuals in the People's Republic of China (PRC) have been sentenced to prison terms and must also pay fines of between 40,000 and 200,000 yuan for digital piracy-related activities. Four of those convicted received 13-year terms for creating and selling illegally copied materials, and another received a sentence of two years for selling bootleg software and DVDs.

Sweden's first music file-sharing-related trial and conviction ever occurred recently. A Swedish man whose identity has not been revealed was convicted for posting four copyrighted songs on the Internet and making them available for downloading. The International Federation of the Phonographic Industry (IFPI) claims the man had made 13,000 songs available for downloading, but the prosecution was able to obtain evidence concerning only four of the songs being shared. The man must pay a fine of 20,000 kronor. Sweden has recently tightened its music file-sharing statutes.

Matthew Decker of Kansas has received a sentence of five years in federal prison for gaining unauthorized access to US Army computing systems and pilfering information associated with between 250 and 300 credit card accounts and then using it to rack up USD 12,557 in unauthorized charges. Decker entered into a plea agreement in which he pleaded guilty to one count of illegally accessing a protected computing system and one count of possession of unauthorized credit card account access devices. Determining the damage resulting from the break-ins and restoring information and programs cost the US Army USD 25,000.

John Bombard of Florida has been charged with launching a distributed denial-of-service (DDoS) attack against caching service provider Akamai's Domain Name System (DNS) servers. He allegedly created a botnet by launching a variant of the Gaobot worm over two years ago; numerous Akamai client Web sites were knocked out of service. If convicted of the charges of deliberately gaining access to a protected computing system without authorization, he could be sentenced to up to two years of prison time and receive a maximum fine of USD 200,000.

Microsoft has won a violation of trademark case against an unidentified German spammer who sent unsolicited bulk email with falsified Hotmail return addresses without Microsoft's consent. The man must also pay all the costs in connection with the volumes of spam he sent.

Twenty-two persons in Finland must pay damages of more than EUR 420,000 for violating copyright laws by running a peer-to-peer file sharing network called "Finreactor." Among the numerous plaintiffs were software and media companies. Fines ranged between EUR 60 and 690 per person and investigation and court costs to be borne by the defendants amount to more than EUR 140,000.

Clarity1 Pty Ltd must pay a fine of AUD 4.5 million and Wayne Mansfield, the company's director, must pay AUD 1 million for sending 280 million unsolicited commercial email messages over a two-year time span. Additionally, Australia's Federal Court has prohibited Clarity1 from sending such messages in the future. The conviction was the first ever under Australia's Spam Act of 2003.

Terrence Chalk and his nephew, Damon Chalk, both of New York, face fraud and conspiracy charges. They are being accused of using the names, addresses and Social Security numbers (SSNs) of Compulinx employees for the purpose of obtaining loans, credit cards and lines of credit. Terrence Chalk owns Compulinx; he could face a maximum prison term of 165 years and a fine of USD 5.5 million. Damon Chalk could receive a prison sentence of up to 35 years and a fine of USD 1.25 million.

The laptop computer of an employee of a Harrisburg, Pennsylvania water treatment facility was infected and then used to install malicious code on one of the facility's computer systems. Law enforcement said that the attackers did not target the facility per se, but instead intended to use the infected computer to spew email messages.

Four Chilean persons have been arrested on the grounds that they broke into NASA and Chilean finance ministry Web sites in addition to sites of other governments, including Israel, Venezuela, and Turkey. The number of compromised Web sites totals 8000. An eight-month long investigation, in which Chilean police worked with Interpol and intelligence agencies in Israel, the US, and a number of Latin American countries, preceded the arrests.

A two-year long investigation involving the FBI and Polish law enforcement, "Operation Cardkeeper," has targeted an on-line black market for illegally obtained financial account information used in identity theft attempts. Fourteen persons, 11 of whom are Polish and three of whom are Americans, have been arrested so far, and more arrests of Americans and Romanians are probable. Eleven Polish and three American persons have been arrested; two more Americans are expected to be arrested soon.

A case brought against a Spanish man for illegal file-sharing was dismissed; the judge ruled that Spanish law does not prohibit downloading music for personal use. The individual in question allegedly downloaded songs and then offered them on CD through email and chat rooms. No evidence that the man profited from his alleged activity exists. Promusicae, Spain's recording industry federation, plans to appeal the ruling.

The US Federal Trade Commission (FTC) has levied a fine of USD 3 million on Zango (called "180 Solutions" until recently). Zango was accused of downloading adware to computing systems in the US without users' consent and also of neglecting to make a way to remove the adware available. According to the FTC, Zango's programs were covertly downloaded more than 70 million times; more than 6.9 billion pop-up advertisements resulted. From now on, Zango will ask for consumers' consent before downloading programs to their computing systems and will supply a way of removing its adware. Odysseus Marketing and its chief executive, Walter Rines, have also consented to settle similar FTC charges that they broke federal law by distributing software that installs itself covertly on users' systems and then changes configuration settings. John Robert Martinson, principal of Mailwiper, Inc. and its successor company, SpyDeleter, Inc., will also settle FTC charges of downloading spyware onto users' computers and then bombarding them with adware that encouraged them to buy anti-spyware products. Finally, a US District Court judge in Nevada issued a temporary restraining order against ERG Ventures and one of its affiliates for allegedly surreptitiously installing spyware and other malicious code on users' computing systems. An FTC complaint seeks a permanent restraining order against both of these companies on the grounds that they engaged in unfair and deceptive practices. Users downloaded free screensavers and video files, but unbeknownst to them a Trojan program, Media Motor, was downloaded to their computers. Media Motor then downloaded additional malicious programs.

Matthew Byrne, the UK man who gained unauthorized access to and defaced four profiles on the loveandfriends.com dating Web site and then attempted to extort money by threatening to erase the company's database, will not have to serve jail time. He instead received an eight-month jail sentence which was suspended for two years as well as two years of supervised parole. He pleaded guilty to unauthorized modification of a computing system in violation of section three of the UK's Computer Misuse Act (CMA). Extortion charges against him were also dropped. A law enforcement search of his home turned up evidence that he also wrote the Mirsa-A and Mirsa-B worms.

Adrian Ringland, a UK man, has been sentenced to 10 years of imprisonment for deceiving adolescent girls such that they downloaded a Trojan program that took control of their computers. Adrian Ringland also used pressure tactics to try to get the girls to send him nude photos of themselves. Once he had such photos, he tried to blackmail the girls into sending more photos. His arrest was the result of a joint investigation that included the UK Serious Organized Crime Agency, the Royal Canadian Mounted Police, the FBI, and Microsoft Corporation.

Garyl Tan Jia Luo, a 17-year-old polytechnic student in Singapore, faces up to three years of imprisonment and a maximum fine of SD 10,000 for allegedly "piggybacking" on a home wireless network. A neighbor of his filed a complaint against him that led to his arrest. He has been released on SD 6000 bail.

Joseph Harlen Shook of Florida has been indicted on the charges that he gained unauthorized access to a computer system of Muvico Theaters last year in May, resulting in disruption of the sale of on-line tickets and the processing of credit card transactions at six theaters. Shook was the director of information technology for the company until his position was eliminated shortly before the attack. If convicted of all the charges he faces, he could be sentenced to a maximum prison term of 10 years and a fine of USD 250,000. Investigators matched the ID of the device used to gain access to the Muvico Theaters system to a wireless adapter that Shook had. No customer information was accessed. He was released on USD 100,000 bail. The case is similar to one involving Stevan Hoffacker of New York, who faces one count of unauthorized access to a protected computer network for allegedly accessing his former employer's computer system without authorization. He is the former director of information technology and also vice president of technology at Source Media Inc. Hoffacker potentially faces up to five years of imprisonment.

The Seoul Metropolitan Police Agency's Cyber Terror Response Center arrested several phone sex company staff and one other person in connection with the compromise and misuse of customer information from rival companies' computing systems. The accused persons allegedly gleaned information pertaining to 8.5 million of their competitor's customers and then used it to send phone messages with sexual content, allegedly using phones registered in other names to send the messages. Additionally, cell phones were duplicated to circumvent charges for sending text messages.

Spanish law enforcement authorities have arrested two teenagers in Alicante for allegedly writing a Trojan program that they allegedly deployed to remotely control Web cams at a college and then allegedly used the embarrassing footage they obtained to blackmail those who were filmed. Two adults in Madrid who allegedly used a Trojan program that was based on the same kind of malicious code to pilfer information that they later used to commit credit card fraud were also arrested. The four arrests resulted from a Spanish law enforcement operation named "Operation Praxis."

Max Parsons of the UK was convicted of charges that he used his MP3 player to pilfer ATM customers' card information. He gleaned the information by plugging his MP3 player into freestanding ATMs; he then used the stolen information to create bogus cards used to make purchases. Parsons received a prison sentence of 32 months.

According to L'Equipe, a daily sports publication in France, break-ins into computing systems at a French national anti-doping laboratory have occurred. The attackers reportedly accessed information and then sent the International Olympic Committee (IOC) and the World Anti-Doping Agency (WADA) letters written to cast doubt upon the laboratory's testing procedures by including information pilfered from the lab. The letters bore identification of a laboratory, Chatenay-Malabry. A possible suspect has been identified.

Microsoft has initiated legal action against 129 persons in Europe and the Middle East for their alleged participation in phishing schemes. Nearly half of the cases are based in Turkey. Microsoft's suits are in connection with its Global Phishing Enforcement Initiative launched last March. Settlements from the legal action range from fines of EUR 1000 to a 30-month jail sentence for a Turkish man.

The Software and Information Industry Alliance (SIIA) has reached a settlement for a case against two individuals who had been selling pirated copies of Norton security software on eBay for the last two years. Kevin Liu, GT Tian and Kevin Liu have agreed to pay USD 100,000 in damages and have consented to cease selling illegal software and to give SIIA their records of customers and suppliers.

The accelerated growth of computer-related crime continues, as once again shown by this long list of accounts of attempts to identify, charge, and convict perpetrators of this activity. I was, however, troubled by the case of Matthew Byrne. It is difficult to understand how in the light of his egregious deeds he was spared from having to serve even one day in jail. The judge in Byrne's case serves as an example of what is so often wrong with the legal system when it comes to dealing with computer crime. Worst of all, Byrne's having escaped significant punishment for his computer crimes will send a powerful message to the perpetrator community that punishment for computer crime is nothing to fear.

3. More compromises of personal and financial information occur

Many more compromises of personal and financial information have occurred. Computer theft and loss of computers proved once again to be one of the major reasons for such compromises, as per the following news items:

- A laptop computer on which personal information of 2400 residents of the Camp Pendleton Marine Corps base is stored is missing. Lincoln B.P. Management Inc., which manages housing on the base, reported that the computer was missing. Lincoln P.B. is informing people who have potentially been affected by this incident.
- Two computers pilfered from the house of a University of Texas at Arlington faculty member last year in September contain personally identifiable information pertaining to approximately 2500 students at this university. This information includes names, Social Security numbers (SSNs), grades and email addresses of students who enrolled in engineering and computer science classes between 2000 and 2006. A university spokesman said that potentially affected students are being informed of what happened. The university has posted a Web page containing pertinent information about the incident.
- A laptop computer holding SSNs of as many as 43,000 prior and current T-Mobile USA employees vanished after a T-Mobile employee checked the computer in at an airport. T-Mobile has sent letters to everyone whose data were stored on the missing computer and is offering them a year of credit monitoring at no cost to them.
- A laptop system taken from the car of an Allina Hospitals and Clinics nurse has information pertaining to approximately 14,000 individuals who have taken part in an obstetric home-care program since June 2005.
- A laptop system belonging to the art department at the University of Minnesota was stolen from a faculty member who was traveling in Spain. The laptop contains personally identifiable student data. This is the second recent laptop theft for this university; last year in September the university announced that two Institute of Technology laptops that held student data were stolen.
- A desktop system pilfered from Affiliated Computer Systems, which operates the Department of Human Services Family Registry, contains child support payment-related information that includes personally identifiable information pertaining to many Colorado Department of Human Services clients. The computer was located in a physically secure area that was monitored by surveillance cameras. Potentially affected clients have been informed of the incident. Police detectives are cooperating with the Colorado Bureau of Investigation and Human Services Department officials in investigating the theft.
- A laptop system belonging to an insurance company in Plymouth Meeting, PA was stolen. On the computer were names, birthdates and driver's license numbers of over 1200 Villanova University students as well as staff who are insured to drive university-owned vehicles. Individuals whose information was on the stolen laptop were notified of the theft.
- Starbucks Corp. says that four of its laptop systems, two of which contain names, addresses and SSNs of about 60,000 current and prior employees, are missing. The computers disappeared from the Starbucks corporate support center in Seattle last September. The company is informing potentially affected individuals. No reports that the information has been misused have surfaced.
- The UK's Financial Services Authority (FSA) is investigating the theft of a laptop computer on which Nationwide Building Society customer information is stored. The computer was stolen from an employee's house last August. An FSA representative said that the information does not include PINs, passwords or information related to financial transactions, although exactly what information is on the stolen computer and how many people may be affected by this incident still remains unknown. Nationwide has begun informing its 11 million customers about what occurred.
- A laptop system on which personally identifiable information of Connors State College students and individuals who have been awarded Oklahoma Higher Learning Access Program scholarships is stored has been recovered. A student at this college has been identified as a possible suspect in the theft.
- Two individuals have been arrested for their alleged involvement in the well publicized stealing of a laptop system belonging to the Transportation Department's Office of the Inspector General last summer in Miami. The laptop was pilfered from a locked car in a restaurant parking lot. Although the laptop has not been recovered, an investigation into the theft revealed the existence of a laptop theft ring in the area. Thieves appear to have been motivated by the value of the laptops rather than by the information stored on them.
- Three laptop systems pilfered from the offices of LogicaCMG contain sensitive financial information pertaining to more than 15,000 London Metropolitan Police officers. LogicaCMG provides outsourced management of payroll and pension payments. A man has been arrested for his alleged involvement with the theft.
- A laptop system stolen from the Ontario Science Centre has a database with members' registration information – names, addresses and credit card information. Access to the laptop and the database requires entry of separate passwords. The laptop was stolen from a locked office last September. The Ontario Science Centre has informed potentially affected members by postal mail. An investigation is being conducted.
- Two computing systems pilfered from a Jeffersonville, Indiana health center last November contain personal information pertaining to more than 7500 Indiana women. The health center was under contract with the state of Indiana to manage information for the state's Breast and Cervical Cancer Program. The information stored on the computers includes names, addresses, dates of birth, SSNs, and medical and billing information. Access to the information is password protected at two different levels. The health center sent letters to the women who were potentially affected to inform them of the theft.
- Kaiser Permanente has announced that a laptop system stolen from an employee's locked car in California holds sensitive medical information for nearly 40,000 of its Denver area patients. All information was password-protected, and some of it was encrypted. Kaiser Permanente informed potentially affected patients of the incident.

Other compromises resulted from unauthorized access to systems, as described below.

- Personal information pertaining to UK citizens may be being stolen from India call centers and then sold to the highest bidder. The information may include credit card information, passport and driver's license numbers, and bank account information. The perpetrators may also have access to taped conversations with US consumers in which personal and financial information such as credit card numbers is exchanged.
- The University of Iowa has contacted 14,500 persons whose SSNs were on a computing system to which an attacker gained unauthorized access. The people had participated in research studies concerning maternal and child health for over ten years. The attacks were automated and appeared to be motivated by the desire to locate places in which to store digital video files. No evidence that the SSNs and other personal information were accessed exists. Law enforcement has been informed about the security breach. The University of Iowa has set up an FAQ web page to provide information about the incident and to answer questions.
- A perpetrator gained unauthorized access into a Brock University computing system and accessed personal information pertaining to approximately 70,000 university donors. The fact that the perpetrator logged into the system right away indicates that the perpetrator already knew the password. The compromised information includes names, addresses, email addresses and in certain cases, credit card and bank account information. Individuals whose credit card and bank account information was exposed received phone calls within a day of the university having learned of the data security breach. The others who were potentially affected were mailed letters that informed them of the incident.
- The Congressional Budget Office (CBO) has stated that attackers gained unauthorized access to one of its servers and stole email addresses of mailing list subscribers. The vulnerability that the attacker exploited has been fixed, but since the intrusion the attackers have mailed phishing messages that appear to originate from CBO to the stolen addresses. Law enforcement has been informed of the security breach and has started to investigate.
- Perpetrators gained unauthorized access to two US Virgin Island government accounts at Banco Popular and pilfered USD 500,000 from the accounts. The bank has restored USD 300,000 to the accounts; the remainder of the money is likely to be returned soon. The perpetrators stole the money little-by-little over two months.
- A break-in into two computer databases at Children's Hospital in Akron, Ohio has exposed personal data pertaining to approximately 230,000 patients and family members and 12,000 financial donors. Although aware of the security breach soon after it occurred, hospital officials did not contact law enforcement until weeks later. Consultants had at first told these officials that the incident was not serious, but over time these officials became aware the incident was more serious than they initially believed. The hospital has mailed letters to inform those potentially affected by the incident.

Other personal data exposure incidents were the result of inadequate protection of personal information on Web sites:

- A Florida woman reportedly learned that her marriage license could be seen on the Orange County, Florida controller's Web site after someone filled out a loan application using her name. Information in her marriage license included her and her husband's name, date of birth and SSN. Orange County officials are reportedly paying a vendor USD 500,000 to black out every SSN on the Web site by January next year.
- The Bowling Green Ohio police department posted the incorrect version of a report on its police blotter Web site. Posted reports on this site usually have personally identifiable information removed, but the incorrect report version, called an "end of day report," revealed the birthdates, SSNs, driver's license numbers and other data pertaining to every individual with which Bowling Green police came in contact that day. The exposed information is no longer on the site and a cached version of the report was removed from Google servers.

Several data security breaches were due to missing or stolen media:

- A Port of Seattle spokesperson announced that six disks have disappeared from the ID Badging Office at the Seattle-Tacoma International Airport (SEATAC). The disks hold sensitive personal information of nearly 7000 current and previous SEATAC employees such as names, SSNs and driver's license numbers scanned from paper forms. Individuals who are potentially affected by this incident will be informed by Postal Service mail; these people will be identified because the data were backed up.
- The Sisters of St. Francis Health Services are mailing letters to over 250,000 patients whose personal information that included patient names and SSNs was on CDs that could not be found for a while.

Kingdom and possibly tens of thousands more in other countries have been stolen. The stolen information was found on computers in the US. Law enforcement is informing individuals whose information was stolen.

- A laptop system that was once owned by Intermountain Healthcare in Utah supposedly had its hard drive scrubbed before it was donated to Deseret Industries. The person who purchased the laptop, however, found a file on the hard drive of the donated computer that held personally identifiable information that included names and SSNs of more than 6000 individuals who had been employed by Intermountain Healthcare between 1999 and 2000. Potentially affected persons have been informed of the data exposure. Intermountain stopped using SSNs as unique employee identifiers several years ago, and now destroys hard drives when they are no longer being used.
- A computer belonging to Hertz car rental on which the names and SSNs of most US Hertz employees were stored was found at the home of a prior employee of this company. Law enforcement is investigating. Hertz announced that all employees whose information was on the computer will be informed of the incident. The former employee was allowed
A contractor had copied information to access this information in connection with job-related fromhospitalfilestotheCDstodoworkathome;theCDs duties. wereinacomputerbagthatsomeonereturnedtoastoreto getarefund.Anindividualwhopurchasedthereturnedbag Iamcontinuallyamazedbythesheernumberofdatasecu- foundandreturnedtheCDs.Theincidentpotentiallyaffects ritybreachesthatoccur.Onewouldthinkthatbynoworgani- patients from 12 hospitals, 10 in Indiana and 2 in Illinois. zations would realize that determined perpetrators are St. Francis did not notify potentially affected individuals continually trying to gain unauthorized access to personal untilapproximatelytwomonthsaftertheincidentoccurred. andfinancialinformation,andthatalargeproportionofthe (cid:2) AharddrivecontainingthenamesofSSNsof400ormoreair perpetratorsisanythingbutamateurs.Clearly, whatweare controllersismissingfromtheClevelandAirRouteTraffic seeinghereisalackofduediligenceonthepartofahighper- Control Center in Oberlin. A Federal Aviation Administra- centageoftheseorganizations.Unfortunatelyforthem,itwill tion (FAA) spokesperson says that the agency thinks that inmostcasestakeawidelypublicizeddatasecuritybreachor the drive was encrypted; the FAA is investigating what alawsuitortwobyangryindividualswhosedatahavebeen happenedtodecidewhetherthedrivewasactuallystolen. compromised to bringtheseorganizations outoftheircata- (cid:2) Athumbdriveonwhichnames,SSNs,andotherpersonal tonicstatewhenitcomestodatasecuritypractices. informationofcurrentandprioremployeesatthePortland, OregonInternationalAirportismissingfromtheTranspor- tation Security Administration’s (TSA) command center 4. Number of pieces of compromised there.Thefederalsecuritydirectoratthisairportsaysthe personal data approaches 100 million drivewasinalllikelihoodaccidentallythrownout. 
(cid:2) AdiskbelongingtoKSLServicesandthatcontainedperson- ThePrivacyRightsClearinghouserecentlyreporteditstallyof ally identifiable information of approximately 1000 Los thepiecesofpersonaland/orfinancialinformationthathave Alamos National Laboratory (LANL) contract workers has been compromised in data security breaches. According to disappeared. On the disk are data pertaining to KSL em- thisorganization,almost94millioninstancesofsuchinfor- ployees;LANL-relatedinformationisnotonthisdisk. mation being exposed have occurred since February 2005 (cid:2) Approximately200pagesofclassifieddocumentsandaUSB whenitbegantallyingthisinformation.Theupdatedtallyin- drivestoringclassifiedmaterialwerefoundatthehomeof cludesthousandsofrecentdatasecuritybreaches,including anotherformerLANLcontractor.Theclassifieddocuments 9250 customer credit card numbers lost by apparel retailer weremostlyolderonesthatarenolongerconsideredimpor- Life is Good and large numbers of student records illegally tant. LANL officials conceded, however, that some of the accessedatUScollegesanduniversities.Manyofthereasons documents were moderately important. The FBI has for data thefts and losses have little or nothing to do with launchedaninvestigation. technology; human error is far more likely to be a cause thanintrusionsorcomputermalfunctions.Datasecurityex- Some additional news items concerning data security posures include loss of USB drives, laptops being stolen or breachesinclude: misplaced, accidental printing and distribution of customer names, credit card and/or account numbers, and backup (cid:2) ScotlandYardisinvestigatinghowcreditcardinformation tapes being lost while in transit to storage facilities. Since and passwords from thousands of PCs in the United 2001,approximately1100laptopcomputersbelongingtothe