Apr 23

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different from many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release.

The actual risk to the people whose information was found on this particular copier is quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ. The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info). However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and I would assume the other organizations whose data was found) have started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable: manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents. By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarrassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that the configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments. While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities. Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.
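The last step above is only worth anything if someone checks that the wipe actually happened. The following script is an added example (not from the original post or from any copier vendor): it audits a raw image of a copier’s drive for the kinds of residue the CBS team found, namely spooled document formats, SSN-like strings and long runs of readable text. The sample image, the block size and the 24-byte text-run threshold are constructed assumptions for the demonstration.

```python
import re

BLOCK = 512
# Constructed sample (not from the post): an 8-block "copier drive image" that was
# zero-filled except for one block still holding the tail of a scanned form.
RESIDUE = b"%PDF-1.4\n/Title (Benefits application)\nApplicant SSN: 123-45-6789 DOB: 01/02/1970\n"
SAMPLE_IMAGE = b"\x00" * BLOCK * 5 + RESIDUE.ljust(BLOCK, b"\x00") + b"\x00" * BLOCK * 2

# Magic numbers of the document formats a multifunction copier typically spools.
SIGNATURES = {b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"II*\x00": "tiff", b"MM\x00*": "tiff"}
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
# A run of 24+ printable ASCII bytes: a random-overwrite wipe almost never produces one,
# so this catches leftover text even when a simple "is it all zeros" check is not applicable.
TEXT_RUN_RE = re.compile(rb"[\x20-\x7e]{24,}")


def audit_image(data: bytes, block: int = BLOCK) -> dict:
    """Scan a raw drive image and report evidence of un-scrubbed documents."""
    nonzero = [i // block for i in range(0, len(data), block) if any(data[i:i + block])]
    signatures = sorted({name for magic, name in SIGNATURES.items() if magic in data})
    ssn_offsets = [m.start() for m in SSN_RE.finditer(data)]
    text_runs = [m.group() for m in TEXT_RUN_RE.finditer(data)]
    return {
        "blocks": -(-len(data) // block),       # ceiling division
        "nonzero_blocks": nonzero,              # block indexes that hold any data at all
        "signatures": signatures,               # document formats whose magic bytes survive
        "ssn_offsets": ssn_offsets,             # byte offsets of SSN-shaped strings
        "text_runs": len(text_runs),            # count of long printable runs
        "scrubbed": not (signatures or ssn_offsets or text_runs),
    }


if __name__ == "__main__":
    # Run against a real image with: audit_image(open("copier.img", "rb").read())
    for key, value in audit_image(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

A decommissioning record that includes this report (and a zero-finding result) is the evidence you want on file before the device leaves the building.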

As the non-computer devices in our offices and homes get more intelligent, they also become more interesting to attackers. If you are an infosec professional, they should be more interesting to you – before your organization makes the news.

Mar 25

Have I got a deal for you...

Every day, I get at least 5 emails from vendors wanting to set up a meeting or web demo of their latest and greatest product as soon as possible. Of these, two or three will be totally unrelated to security. The rest are security related, but almost all of the messages are obviously canned (some with the wrong salutation as a result of mail merge errors). The vendors sending them have no idea what my company does (no, I don’t care about PCI compliance as we are an institutional brokerage) and tend to be from obscure companies. I usually ignore these messages, and block the sender from further contact.

Every once in a while, a vendor does something to distinguish themselves from the pack… the other day, a salesman for a vendor who shall remain nameless sent me a canned “I would like to arrange a meeting with you” message, which I opened, looked at and deleted. There must have been a web bug in the HTML, because this email was followed by a message which stated that the salesman “noticed I had read the email” and reiterated the request for a meeting. Bzzzzzt!

I find this kind of behavior invasive and creepy and that particular vendor will need to be offering a machine that turns water into gasoline before I will want to talk to them ever again – and I would insist on a different salesperson.   It is one thing if I visit your web site, provide my contact information and give you permission to email me, but to spam me and then spy on me puts you and your company on the fast track to al-blivion as far as I am concerned.

Salespeople, I understand that you guys have a tough job and that recent economic conditions have made that job tougher.  But please realize that sending spam (while quite effective for dodgy pharmaceutical sales, offers of great wealth from Nigerian princes and attempts to infect PCs with malware) is not how to sell enterprise security products that cost tens or hundreds of thousands of dollars.  Want to sell to me?  Get a good reputation and good PR – I will find you.  If you are going to contact me, take a few minutes to learn something about my company before you email.  And don’t cold call me – all I can think of when I get a cold call from a salesman is Jack Lemmon in Glengarry Glen Ross.

Rant over…

Mar 16

According to this article from CSO Magazine’s web site, “several security execs expressed surprise” that the CISO of the Commonwealth of Pennsylvania found himself unemployed after making a speech at the RSA Security Conference describing a cyber security incident at his state’s motor vehicle agency without getting prior approval. As a CSO myself, I don’t understand why anyone is surprised – I think that this firing was pretty easy to predict and, unfortunately, deserved.

Yes, the incident that the CSO talked about was pretty minor – it involved what sounds like an application error that allowed some people to jump the line when scheduling driving tests – but that is not the point.  Like most organizations, Pennsylvania’s government has a policy requiring employees to get prior approval before disclosing official matters.  I am sure that the CSO was aware of this policy and as a security professional and as a C level employee, he had a dual responsibility in this matter – to follow policies like any other employee and to set an example for others in his organization to follow in security matters.   He also had a responsibility to protect the image of his organization… at the very least, before speaking about this kind of an incident in public, he should have made sure that management was on board and that there was a public relations plan for any negative blowback.

Could this incident have been discussed in public without the need for firing?  I think so, although the final decision should have come from management.  Had the CSO given them a chance to weigh in, his participation in the RSA panel could have been a positive event for the DMV – showing lessons learned and all that.

If this particular CSO reported to me, I would have some serious questions about their judgment and their ability to safeguard confidential information.    I think it would be really difficult to regain that trust after this kind of incident.

Don’t get me wrong – I feel badly that this person was fired – this was probably one negative incident in a career filled with accomplishment and service.  But in the end, he made the choice that ended his employment.

OK – I just can’t resist one thing… The “Security on this site” page of the DMV’s website recommends the use of Netscape Navigator 4.7 or IE 5.0 or greater as secure browsers and then goes on to tout the agency’s use of the “most recent versions of security software”… DOH!

Jan 04

Here’s an interesting twist on the old Internet Pharmacy scam… we’ve all gotten those emails offering to sell us various pharmaceutical products without the need for a pesky prescription.  Now, I’m assuming that all of the readers of this blog are smart enough to keep their credit cards in their wallets and hit delete.  However, there are apparently enough dimbulbs out there to keep these guys in business.  They order the pills and get… real drugs?  expired drugs?  fake drugs?  Who knows?

Well, the scammers have come up with a new way to extract further profits from the stupid… according to a news release from the US FDA, version 2.0 of the scam now comes with a twist. After taking an order for Rx-free drugs, the scammers apparently come back for a second round – they call the purchaser posing as FDA agents or other law enforcement types and threaten the mark with fines, arrest, deportation, property searches and the like. The “agents” then tell their victims to provide a credit card or wire transfer the money to pay their fines and avoid further trouble.

This is the kind of thing that makes me wish I was unafflicted by a conscience… seems a lot easier than working for a living…

Dec 23

just saying…

By alberg (worst practices)

If you get hacked because you clicked on a link about Brittany Murphy shuffling off this mortal coil, you most probably deserved it.    Just saying.

Dec 22
We shall bring the Great Satan to its knees... kill Twitter!  Bwah hah hah!

As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter.  Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.

Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it.  It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page.  The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers.  The lesson here?  Guard those user names and passwords and don’t use the same password for all of your accounts!

I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add-in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one password to decrypt the password files and you are set to go. You can use two-factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.

I have been using LastPass for a while now and have found it to be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.

The main question is… are these guys trustworthy?  My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.

I’m using LastPass, and I’m prettay, prettay paranoid…

Aug 07

kitty porn

By alberg (Paranoid Peeps, worst practices)

The saddest thing about this story is that as a cat owner, I can half believe the guy.  This is just the kind of thing that *my* cats would do if I didn’t make with the treats.
