Archive for the ‘Cybercrime Trends’ Category

Online scams are up sharply since the start of the latest recession. According to MarkMonitor, phishing attacks in Q1 2009 were up 36 percent over the same quarter of 2008. The current trend is toward mortgage refinancing traps and phony get-rich-quick investments.

At the same time, the quality of the scams is dramatically better than in years past. Fraudulent “advertising” sites look just like the real sites. They pepper their pages with trusted financial, TV and newspaper brands to give the impression of legitimacy. Some even serve their pages over HTTPS so the browser shows a padlock; that padlock only means the connection to the scammer is encrypted, not that the site belongs to the company it imitates.

There is also a new trend of using social media to find and con victims. A page that looks like a personal blog, whose author brags about how much money they made and links to a “home business kit”, is still a scam. Beware of any offer that asks for personal information up front.

MarkMonitor also reports a huge increase in suspicious domain registrations, especially domains containing the keywords “foreclosure”, “mortgage”, “refinance” and “unemployed”. These keywords are being combined with legitimate company names or domains to create fraudulent clone sites. And while most phishes are still targeted at large companies, an ever-increasing number exploit the trust and brand of small businesses. (This is especially true if your legitimate site accepts payments over the web: phishing against payment services is up 285 percent over last year.)
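The keyword-plus-brand pattern described above is easy to watch for in a feed of new registrations. The following is an added example (not code from the original post or from MarkMonitor); the brand names, the allowlist and the sample registrations are constructed, and the TLD handling is deliberately crude.

```python
"""Flag new domain registrations that pair a protected brand with a lure
keyword (the "foreclosure" / "mortgage" / "refinance" / "unemployed" pattern).

Added example; not code from the original post or from MarkMonitor. The brand
names, the allowlist and the sample registrations below are constructed.
"""

LURE_KEYWORDS = ("foreclosure", "mortgage", "refinance", "unemployed")

# Hypothetical brands under watch; a real deployment loads its own list.
PROTECTED_BRANDS = ("examplebank", "acmecredit")

# Your own registered names, which must never be flagged.
ALLOWLIST = ("examplebank.com", "acmecredit.com")

# Constructed sample of one day's new registrations (not real data).
SAMPLE_REGISTRATIONS = [
    "examplebank.com",                  # legitimate, allowlisted
    "examplebank-refinance.com",        # brand + keyword, hyphenated
    "acmecredit-foreclosure-help.net",  # brand + keyword + filler
    "mortgage-news-daily.org",          # keyword only, no brand: not flagged
    "examplebank.refinance-now.info",   # brand as a subdomain label
    "gardening-tips.com",               # unrelated
]


def name_parts(domain):
    """Lower-case, drop the last label (a crude TLD strip that is enough for
    the demo), then split the remaining labels on dots and hyphens."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return [part for label in labels for part in label.split("-") if part]


def classify_domain(domain, brands=PROTECTED_BRANDS, keywords=LURE_KEYWORDS):
    """Return (brand, keyword) when the registrable name contains both,
    otherwise None. Separators are removed first so that
    'example-bank' and 'examplebank' are treated alike."""
    joined = "".join(name_parts(domain))
    brand = next((b for b in brands if b in joined), None)
    keyword = next((k for k in keywords if k in joined), None)
    if brand and keyword:
        return brand, keyword
    return None


def flag_registrations(domains, allowlist=ALLOWLIST):
    """Return [(domain, brand, keyword)] for every suspicious entry."""
    hits = []
    for domain in domains:
        if domain.lower().rstrip(".") in allowlist:
            continue
        hit = classify_domain(domain)
        if hit:
            hits.append((domain,) + hit)
    return hits


if __name__ == "__main__":
    for domain, brand, keyword in flag_registrations(SAMPLE_REGISTRATIONS):
        print(f"SUSPICIOUS {domain}: brand={brand} keyword={keyword}")
```

Feed it a daily diff of zone files or a registrar's new-registration feed. Keyword matching catches this particular campaign pattern only; it does not catch typosquats or homoglyph lookalikes, so it complements rather than replaces a brand-monitoring service.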

Be on the watch for scams, and help your customers watch, too. In this economy, you have a right to be a little paranoid about offers that look too good to be true.

To read more, download MarkMonitor’s whitepaper on “brandjacking” at markmonitor.com.

According to the latest study from the Ponemon Institute, 88% of all breaches in 2008 involved negligent insiders.

That’s not to say that our employees are malicious – most are basically good people. But you didn’t hire them to be security experts. The care and justifiable suspicion needed to detect and deflect data breaches do not come naturally to most people. They need constant reminding of the importance of security and of the tactics to protect your customers’ data.

According to the Ponemon report, here are the top risks your staff take with your data.

Not protecting the equipment issued to them. Stolen laptops and other portable media accounted for 20% of all reported breaches. Make sure that your team understands that they are personally responsible for the device and the data on it.
You can also reduce your exposure to lost equipment through full-disk encryption, or by restricting or segmenting the data on the laptop so that customer names cannot be tied to identifiers such as SSNs or credit card numbers (for example, by keeping only an opaque token on the laptop and the token-to-identifier map on a server).
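One way to do that segmentation, as an added example that is not part of the original post or the Ponemon study: replace each sensitive field with a keyed token before the export is copied to the laptop, and keep the key and the token map on the server. The record layout, field names and sample customers below are constructed.

```python
"""Pseudonymise customer identifiers before a data set is copied to a laptop.

Added example; not code from the original post or from the Ponemon study. The
record layout, field names and sample customers are constructed. The laptop
copy keeps names plus a keyed token per sensitive field; the key and the
token-to-value map stay on the server, so a stolen laptop yields names but
no SSN or card number.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people or numbers).
SAMPLE_CUSTOMERS = [
    {"name": "Ada Example", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "card": "5500000000000004"},
]

SENSITIVE_FIELDS = ("ssn", "card")


def new_server_key():
    """Secret for this export; generated and kept on the server only."""
    return secrets.token_bytes(32)


def tokenize(value, key):
    """Keyed HMAC-SHA256 of the identifier. An unkeyed hash would not do:
    there are under 10**9 possible SSNs and card numbers follow a known
    structure, so a plain SHA-256 table is cheap to brute-force. Without
    the key, the token cannot be turned back into the identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def export_for_laptop(records, key):
    """Return (laptop_copy, server_map). Only laptop_copy leaves the server;
    server_map lets staff resolve a token back to the real value on request."""
    laptop_copy, server_map = [], {}
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in SENSITIVE_FIELDS}
        for field in SENSITIVE_FIELDS:
            if field in rec:
                token = tokenize(rec[field], key)
                out[field + "_token"] = token
                server_map[token] = rec[field]
        laptop_copy.append(out)
    return laptop_copy, server_map


def resolve(token, server_map):
    """Server-side lookup; this map is never shipped with the laptop copy."""
    return server_map.get(token)


def leaks_raw_identifier(laptop_copy, records):
    """Sanity check before release: does any original SSN or card number
    survive anywhere in the export?"""
    raw = {rec[f] for rec in records for f in SENSITIVE_FIELDS if f in rec}
    return any(isinstance(v, str) and v in raw
               for out in laptop_copy for v in out.values())


if __name__ == "__main__":
    key = new_server_key()
    laptop, smap = export_for_laptop(SAMPLE_CUSTOMERS, key)
    print("laptop copy:", laptop)
    print("leaks raw identifiers:", leaks_raw_identifier(laptop, SAMPLE_CUSTOMERS))
```

Reuse the same server key across exports only if the laptop needs to match customers between data sets; otherwise generate a fresh one per export so tokens cannot be correlated. Names alone are still personal data, so this pairs with full-disk encryption rather than replacing it.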

Trusting insiders too much. While most people are basically good, every company has its share of disgruntled staff. Insider theft is relatively rare but tends to be very severe when it happens. Pay attention to changes in behavior or attitude: most insiders showed clear signs of their dissatisfaction well before beginning their crimes. Watch for unusually heavy use of your databases or other information systems, measured against each user's own normal activity.
Minimize your exposure by setting role-based permissions for your team members based on their business need for the application or data. If they need it for their job, great; if not, take it away. That's less risk for both of you.
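The "unusually heavy use" check above can be automated against a database audit log. Here is an added example (not from the original post or the Ponemon study) that compares each user's daily row count with that user's own history; the log format and the sample lines are constructed, so adapt the regex to what your database actually emits.

```python
"""Flag days on which a user pulled far more records than their own baseline.

Added example; not code from the original post or the Ponemon study. The
log format (date, user, rows returned) and the sample lines are constructed.
"""
import re
from collections import defaultdict
from statistics import median

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})\s+user=(?P<user>\w+)\s+rows=(?P<rows>\d+)$"
)

# Constructed audit lines: alice normally pulls a few hundred rows a day;
# on 2009-03-06 she exports the whole table.
SAMPLE_LOG = """\
2009-03-02 user=alice rows=310
2009-03-02 user=bob rows=40
2009-03-03 user=alice rows=280
2009-03-03 user=bob rows=55
2009-03-04 user=alice rows=350
2009-03-04 user=bob rows=38
2009-03-05 user=alice rows=300
2009-03-05 user=bob rows=60
2009-03-06 user=alice rows=48000
2009-03-06 user=bob rows=45
"""


def daily_rows(log_text):
    """Sum rows per (user, day). Lines that do not match the format are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            totals[(m["user"], m["day"])] += int(m["rows"])
    return totals


def flag_spikes(totals, factor=10, min_history=3):
    """Return [(user, day, rows, baseline)] for days where rows exceed
    factor * baseline. The baseline is the median of that user's earlier
    days, so one heavy day cannot drag its own baseline up; users with
    fewer than min_history earlier days are not judged yet."""
    by_user = defaultdict(list)
    for (user, day), rows in totals.items():
        by_user[user].append((day, rows))
    flagged = []
    for user, series in by_user.items():
        series.sort()  # ISO dates sort chronologically as strings
        for i, (day, rows) in enumerate(series):
            history = [r for _, r in series[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if rows > factor * baseline:
                flagged.append((user, day, rows, baseline))
    return flagged


if __name__ == "__main__":
    for user, day, rows, baseline in flag_spikes(daily_rows(SAMPLE_LOG)):
        print(f"SPIKE {user} on {day}: {rows} rows (baseline {baseline})")
```

A per-user baseline matters because a report writer who always pulls 50,000 rows is not suspicious, while an account clerk who suddenly does is. Tune `factor` and `min_history` to the noise in your own logs, and treat a hit as a prompt for a conversation, not proof of theft.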

Bypassing your security controls in the name of efficiency. The next largest category of breaches is the result of well-meaning insiders who are trying to improve the company but don't understand the implications of the change they are making. The store manager at TJ Maxx who installed his own wireless router is a classic example. He thought he was increasing the flexibility of his operations. His poor security configuration, however, exposed the company's entire network to any hacker with a wireless laptop in the parking lot.
Never let anyone but your designated IT staff install equipment or make changes to your systems, and have those changes tested regularly.

Bypassing your security controls in the mistaken belief that it's their computer. It's not. It's the company's computer. Have a firm policy that they cannot install peer-to-peer or other high-risk software on it. Incidental personal use may be okay. Installing software is not.

Not watching your vendors as closely as you watch yourselves. According to the study, you should be watching your vendors far more closely. Breaches by outsourcers, contractors, consultants and business partners accounted for 44% of all breaches reported in 2008. Statistically, they were also more expensive, costing the company 35% more in direct and indirect costs than an equivalent breach of the company's own systems. Vet your vendors carefully and set clear expectations for your security needs. Then follow up and check on their security practices: conduct your own audits and ensure their compliance.

There’s a lot more in the Ponemon study worth reading. This is their fourth annual study of the costs of a data breach and the trends are enlightening. You can download a copy at encryptionreports.com.

If the Heartland story wasn't depressing enough, the Department of Veterans Affairs (VA) just announced its settlement of a class-action lawsuit stemming from that lost laptop back in 2006. If you remember the case, a VA data analyst lost a laptop and external drive when his house was broken into. The devices contained the names, birth dates and SSNs of over 25 million veterans. The laptop was later recovered intact by the FBI, and a forensic analysis of the laptop and drive concluded that the data had not been accessed.

That didn't stop the lawsuits, though. Five groups claiming to represent the affected veterans filed suit asking for $1,000 per person.

After three years in court, the VA agreed to pay $20 million into a fund that will pay $75 to $1,500 to any veteran who can “show harm from the data theft”. Any money left over will go to “veterans' charities agreed to by the parties”. The judge still has to approve the settlement, but at this point that appears to be a formality.

The kicker here is that the veteran must show harm. Since the laptop was recovered intact and no data was compromised, I don't see how anyone can make that claim in good faith. Maybe some people overreacted and canceled credit cards or paid for unnecessary monitoring services, but I don't see how that counts as harm. I didn't cancel my credit cards when I got my notice from the VA, and I don't see why my tax dollars should pay for someone else's overreaction. The payout is also available to anyone who “found themselves in extreme emotional distress” as a result of the breach. Again, this is a claim that I don't see how anyone can make in good faith.

The only people I see making money from this are the lawyers. I haven't seen anything definitive yet on their take, but one unofficial report estimates it at $5.5 million. Regardless of the amount, it's going to come from your tax dollars.

This breach should never have occurred. But it did, and the people responsible have already been fired, as were lots of other people at the VA. Congress held intrusive hearings and policies have been rewritten. For a non-breach, this breach has already been expensive enough. The settlement closes out the VA's legal liability and, admittedly, $20 million is less than the $25 billion the suit originally sought, but I just can't convince myself that this outcome is best for society.

In general, I think that the new breach disclosure laws are good for society. The one risk that I worried about, but that all the consumer advocacy groups pooh-poohed, was the threat of frivolous lawsuits over good-faith attempts to comply with the disclosure laws.

I don't know if that's the case in the Heartland breach yet, but I'm worried about it. For those of you who haven't been following the case, Heartland Payment Systems is a transaction processor for debit and credit card transactions, handling about 100 million transactions per month. On 20 January 2009, they disclosed that their systems had been compromised in 2008 by hackers using “sniffer malware” to capture card numbers as they passed through the processing platform. No SSNs or PINs were exposed, but customer names and card numbers were. According to their release, Heartland's security team started working on the incident in “late 2008”.

One week after the announcement, Chimicles & Tikellis LLP filed a class action lawsuit asserting that Heartland “made unreasonably belated and inaccurate statements concerning the breach.” The complaint also says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach.

For a major incident involving the compromise of a core system, due diligence (and the law) requires an intense and detailed investigation. If they were smart, Heartland also brought in several layers of law enforcement, each of whom would want more information and their own time to investigate. We don't have the full details yet, but based on what we do know so far, a disclosure in January seems pretty prompt to me.

As to the offer of credit monitoring service, I haven't seen anything that would indicate it's justified. Compromised credit card numbers can't be used to create new credit accounts or commit identity theft. The thieves could make charges on the cards, but 1) the affected accounts have been shut down, so no further damage can be done, and 2) even for the fraud committed so far, a credit cardholder's liability is capped at $50 under the Fair Credit Billing Act (and probably won't even be that high in this case). The one caveat is debit cards: under the Electronic Fund Transfer Act the cap depends on how quickly the cardholder reports the problem, so debit customers should check their statements promptly. Credit monitoring won't provide any protection in either case.

Note that there's nothing in the suit about whether the company properly protected the customers' information. Clearly, they should have done something differently, but that's not what these lawyers chose to address. Nor are they talking about real damage or losses to the consumers. They're arguing only about technical compliance with the breach notification laws.

Even if the company wins the suit, fear of similar suits will increase costs (which are inevitably passed along to customers) and may create a perverse incentive for companies to cover up future breaches rather than risk being sued after a disclosure. If left unchecked, that abuse will erode and quickly outweigh the societal good that comes from the breach disclosure laws.

Well, this will be the first post in the new location. I hope everyone is able to find and read the blog easily. Please let me know if there are any problems.

Back on 26 September, President Bush signed the Identity Theft Enforcement and Restitution Act of 2008. This new law should make it easier for federal prosecutors to deal with hackers and other cybercriminals.

Specifically, the law makes it a felony to cause damage affecting 10 or more protected computers in any one-year period, including computers used by or for the federal government or a financial institution. That means we finally have a tool to start using against the malware writers.

The law also eliminates the requirement that a prosecutor show that the illegal activity caused $5,000 in damages before charges could be brought. This is a big deal for us. Because so many of the damages are soft costs (labor to investigate or repair the breach, etc.), few cases were ever brought under the old rules. Now it should be much easier to get federal support if someone commits a cybercrime against your company.

  • If you suspect a cybercrime, be sure to call your local FBI office as soon as possible. They will have specific instructions on what to do in order to preserve as much evidence as possible.
  • Keep detailed notes of everything you do and all the time you spend working on the cybercrime investigation, repairs, etc. Even if the FBI no longer needs that magic $5,000 to get involved, your records about the damages and costs will be important to the judge when the criminal is finally caught and prosecuted.

The new law also allows the Feds to take jurisdiction even when both the criminal and the victim live in the same state. Under the old law, the crime had to affect interstate commerce before the Feds could get involved. Since it's often hard to know where the criminal is working from until far into the investigation, the states were too often left on their own.

Finally, the law has some restitution clauses for the victims of identity theft. Those clauses are rather vague and I suspect will be difficult to enforce. Still, it’s a step in the right direction.