Archive for June, 2006

Some 300,000 people and 9,000 employers have had their information put at risk after a hacker gained access to a backup server used by Nebraska’s Child Support Payment Center. Apparently the intruder had access to the server for forty minutes, during which time they left a virus on it.

Why, if you had access to a system that handles $233 million a year, you would do something as mind-numbingly juvenile as planting a virus is beyond me. Fortunately, this is another example of one of the most important things that keeps society from crumbling: criminals are stupid.

HSBC has recently had a fraud attempt originate with an employee of an offshore data-processing unit in Bangalore, who accessed customer data and passed it along to associates in the UK. Around 20 accounts were compromised, with losses pegged at approximately $425,000, for which HSBC is accepting full responsibility and reimbursing the defrauded customers. Needless to say, Indian officials are quick to point out that this kind of thing happens everywhere, regardless of where the employees sit.

According to a recent survey by the National Threat Assessment Center, the Secret Service’s research arm, some 85% of the threats against financial services firms come from insiders, not outsiders. Not surprisingly, financial gain motivates the vast majority of these attacks. Surprisingly, 61% of them are detected by people rather than by automated controls. This underscores the need to ensure your employees are trained to recognize when things aren’t right and to act on their instincts when they suspect fraud.

According to the KATU TV web site, a trojan downloaded from a porn site by an Oregon Department of Revenue employee exposed the names, addresses, and Social Security numbers of some 2,200 residents.

There’s some bad juju out there; there’s no denying that. It’s painfully evident that spyware needs to be addressed at the enterprise level. Anyone who says otherwise is itching for a fight*.

* Apologies to Michael Feldman

You know, I REALLY don’t like just regurgitating whatever Bruce Schneier is writing about, but sometimes, he’s got some GREAT stuff on his blog. He points us toward a product called KRYPTO 2.0.

From the site: Krypto uses repeated 256 bits (full bits) a coding purely been based on information of the keys file, which are the technically highest coding depth at all on computers possible are.

Now, I understand that the author is German, and that it’s fairly evident English is NOT one of his primary languages, but the language barrier is still no excuse for a claim that meaningless. A product that touts its key length in bits but never names an algorithm, a mode of operation, or any published analysis is the classic snake-oil tell.

This is also reminiscent of a presentation I witnessed recently. The author of a biometric encryption product claimed that his product’s encryption was superior because it used “Super S Blocks”, rather than that dusty old crap everyone else uses. Mind you, this product was also described as using the biometric identifier (such as a fingerprint) directly as the key, rather than having the identifier unlock a certificate which then serves as the key. A biometric is an identifier, not a secret: it can’t be changed once it’s compromised, so it should authenticate you to something that can be revoked and reissued, not serve as the key material itself. Sucks when you have to revoke the credential, huh? Well, at least you still have nine other fingers that are perfectly functional!
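To make the difference concrete, here is an added example (not code from the post or from the product described above) contrasting the two designs: a key derived directly from the biometric, which can never be revoked, and a biometric that merely unlocks a credential the relying party trusts and can revoke. Everything in it is an assumption for illustration: the fingerprint template is a fixed byte string (real templates are fuzzy and would need a fuzzy extractor), and the “certificate” is a shared HMAC secret rather than a real X.509 key pair.

```python
"""Added example: biometric-as-key versus biometric-gated, revocable credential.

Constructed for illustration; not the product's code. The template is a fixed
byte string and the credential is a shared HMAC secret, both simplifications.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-in for an enrolled fingerprint template.
FINGERPRINT = b"right-index-finger-minutiae-template"


def template_digest(template: bytes) -> bytes:
    return hashlib.sha256(template).digest()


# ---- Design 1: the biometric IS the key ---------------------------------
def key_from_biometric(template: bytes) -> bytes:
    """The working key is a pure function of the template. Once the template
    leaks, every past and future use of this key is exposed; the only
    'rotation' available is a different finger."""
    return hashlib.sha256(b"biometric-as-key|" + template).digest()


# ---- Design 2: the biometric unlocks a revocable credential --------------
class Device:
    """User-side device: holds credential secrets and answers a challenge only
    after the presented template matches the enrolled one."""

    def __init__(self, enrolled_template: bytes):
        self._enrolled = template_digest(enrolled_template)
        self._credentials: dict[str, bytes] = {}

    def enroll_credential(self) -> tuple[str, bytes]:
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._credentials[cred_id] = secret
        return cred_id, secret

    def answer_challenge(self, presented: bytes, cred_id: str, challenge: bytes) -> bytes:
        if not hmac.compare_digest(template_digest(presented), self._enrolled):
            raise PermissionError("biometric mismatch")
        return hmac.new(self._credentials[cred_id], challenge, "sha256").digest()


class RelyingParty:
    """Server side: trusts credential IDs, not fingers, so a credential can be
    revoked and reissued while the finger stays the same."""

    def __init__(self):
        self._trusted: dict[str, bytes] = {}
        self._revoked: set[str] = set()

    def register(self, cred_id: str, secret: bytes) -> None:
        self._trusted[cred_id] = secret

    def revoke(self, cred_id: str) -> None:
        self._revoked.add(cred_id)

    def verify(self, cred_id: str, challenge: bytes, response: bytes) -> bool:
        if cred_id in self._revoked or cred_id not in self._trusted:
            return False
        expected = hmac.new(self._trusted[cred_id], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def wrong_finger_is_rejected(device: Device, cred_id: str) -> bool:
    """The device must refuse to use a credential for a non-matching template."""
    try:
        device.answer_challenge(b"someone-elses-finger", cred_id, b"challenge")
    except PermissionError:
        return True
    return False


def revocation_walkthrough() -> dict:
    """Enroll, authenticate, revoke, re-enroll. The finger never changes, but
    the trusted credential does. Returns the outcome of each step."""
    device = Device(FINGERPRINT)
    rp = RelyingParty()

    cred_id, secret = device.enroll_credential()
    rp.register(cred_id, secret)

    challenge = secrets.token_bytes(16)
    first = rp.verify(cred_id, challenge,
                      device.answer_challenge(FINGERPRINT, cred_id, challenge))

    # Credential compromised (say the device was lost): revoke it server-side.
    rp.revoke(cred_id)
    after_revoke = rp.verify(cred_id, challenge,
                             device.answer_challenge(FINGERPRINT, cred_id, challenge))

    # Re-enroll with the same finger; the fresh credential is trusted again.
    new_id, new_secret = device.enroll_credential()
    rp.register(new_id, new_secret)
    challenge2 = secrets.token_bytes(16)
    reissued = rp.verify(new_id, challenge2,
                         device.answer_challenge(FINGERPRINT, new_id, challenge2))

    # Under design 1 there is nothing to revoke: the key is identical before and after.
    direct_unchanged = key_from_biometric(FINGERPRINT) == key_from_biometric(FINGERPRINT)

    return {
        "first_login": first,
        "after_revoke": after_revoke,
        "after_reissue": reissued,
        "direct_key_unchanged": direct_unchanged,
        "wrong_finger_rejected": wrong_finger_is_rejected(device, new_id),
    }


if __name__ == "__main__":
    print(revocation_walkthrough())
```

The relying party never sees the fingerprint at all; it only ever trusts a credential identifier it can strike from its list, which is the property the presenter’s design gives up.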

According to a recent article, an unclassified computer belonging to the Department of Energy (DOE) was hacked in September of 2005, and a file containing names, Social Security numbers, and security clearances for 1,500 employees was stolen. Frighteningly, senior management was only made aware of this two days ago, nearly nine months after the fact.

What separates this incident from most data disclosures is that the article makes it out to be a TARGETED theft of data, rather than the theft of hardware that merely happened to contain sensitive data. In this case, the data itself was the target.

Personal information, including Social Security numbers, was stolen last month from the home of a VA official. Some 2.2 million people, including up to 80% of current active military personnel, are affected. The breakdown is 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members. The information includes names, dates of birth, and Social Security numbers.

One day, increasingly soon given the current rate of egregious data disclosures, anyone handling sensitive or confidential information will be required by law to encrypt and protect it. Already, HIPAA and the Gramm-Leach-Bliley Act place these requirements on entities that handle medical or financial information. While these are good ideas, they’re only the first steps toward comprehensive protection of everyone’s private information.

Particularly worrisome about this loss is the fact that while senior VA officials were aware of it within hours, it wasn’t until nearly TWO WEEKS later that the VA secretary was notified. According to the Washington Post article covering the data loss, the analyst whose laptop and hard drive were taken from his home had been bringing the data home for at least three years.

Ye Olde Register is reporting that Ernst & Young has followed up its February loss of four laptops by losing only one, but this one happened to contain information about nearly a quarter of a million Hotels.com customers. From a joint letter by E&Y and Hotels.com to those customers:

“Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004.

“This information may have included your name, address and some credit or debit card information you provided at that time.”

Maybe I should have given my itinerary to a globetrotting garden gnome instead… If you’re interested, Ernst & Young does offer an IT Security and Risk Management practice. I have to wonder, though, whether they’ve ever heard the phrase, “Eat your own dog food.”

Bruce Schneier has recently written an interesting piece on his blog about Caller ID. In it, he discusses an AP article that details the failings of Caller ID. He asks a VERY good question. Namely,

Q: What’s worse than a bad authentication system?
A: A bad authentication system that people have learned to trust.

This is why an authentication system must be built to resist forgery from the start: the more widely it is relied upon, the more damage misplaced trust in it does. Caller ID is the case in point. The number displayed is simply asserted by the originating end of the call and is never verified by the receiving network, so it authenticates nothing.

The article goes through real-life examples of forged caller ID information, including a congressman whose number was spoofed as the caller ID on calls he never made, a SWAT team operation dispatched in response to a call from a spoofed phone number, break-ins to voicemail boxes that automatically authenticate based on the caller ID, and even how caller ID spoofing played a role in the 2004 “hack” of Paris Hilton’s cell phone.

More interestingly, the article touches on how the last scenario, an example of “pretexting”, is a textbook case of social engineering. With the caller appearing to be the legitimate user, the target is lulled into a false sense of security. The technique has been used to obtain all sorts of information, but most recently it has come under fire as shady operators make pretext calls to wireless carriers to obtain copies of cell phone bills, including the calls placed and received.