available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
computers & security 25 (2006) 395–404
Security views
1. Malware update
A new Trojan horse called Mdropper-H that exploits an as yet
unpatched vulnerability in Microsoft Word 2002 and 2003 is
infecting systems. Used in a number of spear phishing attacks,
Mdropper-H is often sent in email containing Word attach-
ments in which a backdoor program named Backdoor-Ginwui
resides. Microsoft is developing a patch for the vulnerability.
Until the patch is available, workarounds such as scanning
incoming attachments for the presence of this Trojan should
be used.
The yhoo32-explr worm uses Yahoo's Instant Messenger to
spread. It installs a "Safety Browser" that hijacks the Internet
Explorer homepage and then redirects the browser to a Web site that
injects spyware into infected systems.
A proof-of-concept macro virus named "Stardust" appears
to be the first piece of malware to target OpenOffice and
StarOffice. It opens an adult-theme graphic file from the Inter-
net. So far no instances of this virus have been discovered in
the wild.
Win32.GpCode.ae, a new mutation of ransomware, is
infecting computing systems in Russia. This malware en-
crypts information stored on computing systems on which it
runs with RSA encryption, a stronger type of encryption
than previous versions have used. Win32.GpCode.ae then de-
mands money in return for decrypting the information.
Once again the number of news items related to malware is
relatively small. This is, of course, not to say that malware has
become less of a problem than in previous years. The trend
towards having fewer news items describing new malware
is instead in large part due to the fact that malware has in
general become more surreptitious. The motivation for writ-
ing and installing such software has increasingly become
making money, and it is difficult to make money from malware
if it is immediately noticed and eradicated.
2. Update in the war against cybercrime
Jayson Harris of Iowa has received a sentence of 21 months of
imprisonment and three years of supervised release after-
wards after he pleaded guilty to two counts of fraud and
wire fraud. He operated a phishing site that appeared to be
an MSN billing site, defrauding between 50 and 250 people in
the process. In a plea bargain agreement Harris admitted guilt
for sending phishing messages to MSN users in an attempt to
induce them to visit a malicious Web site that gleaned credit
card numbers and other financial and personal information.
He must also pay restitution of approximately USD 57,000.
0167-4048/$ – see front matter. doi:10.1016/j.cose.2006.07.003
Three individuals, George Hayes, Aaron Jones, and Derek
Borchardt, have been sentenced for posting pre-release music
on the Internet. Hayes pleaded guilty to one count of copyright
infringement, something that resulted in a sentence of 15
months of jail time. Borchardt and Jones pleaded guilty to
one count of conspiracy to commit copyright infringement.
Jones will serve six months in jail, after which he must serve
six months of home confinement. Borchardt received a lesser
sentence: six months of home confinement. Matthew
Howard, who was also involved in the pre-release posting ac-
tivity, is due to be sentenced soon. These individuals’ activity
was identified through the FBI’s Operation FastLink, an anti-
piracy operation.
Microsoft filed a civil suit in which it asked for GBP 12
million in damages against William Ling of the UK on the
grounds that Ling sold pirated copies of Microsoft programs.
Just last year Ling was prosecuted for selling pirated pro-
grams. After being fined merely GBP 10,000, he started selling
programs illegally only two months later. Microsoft and Ling
have reached an out-of-court settlement; Ling will pay an
undisclosed amount of money and will cease selling pirated
programs. Microsoft also teamed with the State of Texas in
a lawsuit against Ryan Pitylak on the grounds that he sent mil-
lions of spam messages every day. In a settlement Pitylak
agreed to pay USD 1 million. The assets Pitylak acquired
from his spam activity have also been confiscated. Pitylak
has now decided to become a security consultant to help
others combat spam.
Operation Global Con, an operation to identify bogus mar-
keting schemes in countries around the world, has resulted in
565 arrests so far. Nearly three million persons have suc-
cumbed to these schemes; losses have exceeded USD 1 billion.
One hundred and thirty-nine suspects have been arrested in
the US. Others have been arrested in Spain, The Netherlands,
Canada, and Costa Rica.
German law enforcement has charged 3500 individuals for
eDonkey-based peer-to-peer (P2P) file-sharing. Each defen-
dant could face up to three years in prison or
a fine of up to 15,000 Euros, in addition to being forced
to pay financial compensation to the entertainment industry.
Law enforcement conducted an investigation that keyed on
people who uploaded large amounts of songs to file-sharing
networks.
The US Federal Trade Commission (FTC) and Cashier
Myricks of California have reached a settlement concerning
deception charges filed against Myricks. He sold subscriber-
ships to mp3downloadcity.com, alleging that subscribers
would be able to use P2P file-sharing programs to obtain copy-
righted materials from this site without breaking copyright
laws. The settlement’s provisions require that Myricks stop
making false claims about P2P services, communicate why
downloading copyrighted content without proper authoriza-
tion is illegal, and give back USD 15,240 to the over 600 individ-
uals who subscribed to mp3downloadcity.com.
Swedish police have shut down a Web site that some peo-
ple say facilitates digital content piracy. Seven months ago
the Pirate Bay operators asserted that they
were not breaking copyright laws because their site simply
showed where movie, music, and software files could be
found rather than making files available to those who visited
the site. Police detained three individuals for questioning
and confiscated computer equipment after raids in ten places
were conducted. The operators of this site have announced
that they will seek compensation from the Swedish govern-
ment if they are found not guilty of breaking anti-piracy stat-
utes. A denial-of-service (DoS) attack against the Swedish
national police Web site after Pirate Bay was shut down may
have been motivated by reprisal for the police’s having acted
in this manner.
Law enforcement in Bulgaria has arrested two people for al-
legedly being involved in digital piracy. The suspects allegedly
made huge numbers of movies and songs available on a Bulgar-
ian Web site. Subscribers could download an unlimited num-
ber of files and songs for only a four lev charge every month.
The Electronic Crimes Task Force in Los Angeles has
arrested two individuals on the basis of suspicion that they
conducted an electronic extortion scheme. Saviero Mondelli
and Shaun Harrison, both teenagers from New York State,
have been charged with illegal computer access and attemp-
ted extortion. They allegedly gained unauthorized access to
MySpace.com to pilfer personal information pertaining to
members and then threatened to reveal the methods they
used to intrude into this site unless MySpace.com paid them
USD 150,000. Undercover officers from The Electronic Crimes
Task Force who pretended to be MySpace employees arrested
the accused, both of whom had come to Southern California
allegedly to collect the money they had demanded. If con-
victed of the crimes for which they have been accused, they
could be sentenced to up to four years of imprisonment.
Computer criminals accessed a server operated by Goldleaf
Technologies without authorization. This server runs several
Web sites of a number of community banks. The perpetrators
redirected the connections of on-line banking customers to
a bogus site controlled by the perpetrators, who gleaned ac-
count names, passwords, credit card numbers and ATM per-
sonal identification numbers (PINs). The security breach may
have affected as many as 175 banks for up to 90 min. One of
these banks, Premier Banks of Minnesota, has informed the
FBI of the incident and will send letters to its customers rec-
ommending that they change passwords they use for on-
line banking transactions.
The trial of Roger Duronio of New Jersey, a former system
manager for UBS PaineWebber who is facing charges related
to his allegedly having installed malware that deleted files
and information on company computing systems, recently
began. Duronio has been charged with one count of intruding
into computers, one count of mail fraud, and two counts of se-
curities fraud. The government claims that Duronio coordi-
nated the malicious activity, which UBS says cost USD 3
million in recovery costs alone, to make money from stock
price manipulation.
Miami police have arrested Robert Moore and Edwin
Andres Pena on the grounds that they engaged in computer
and wire fraud. Pena allegedly set up illegal connections into
Internet phone companies’ lines and then sold phone services
to others. Moore allegedly aided Pena by intruding into the
phone companies’ networks.
Timothy Mattos of California has received a sentence of 70
months imprisonment for pilfering and then reselling Verizon
Wireless prepaid cellular service card PINs stolen from one of
Verizon's computers. The thefts happened while Mattos was
a Verizon customer service representative; they continued
to occur for one year after he quit his job there. Mattos must
also pay restitution of USD 21.3 million. After serving his
prison term, he will have to serve three additional years of
supervised release.
A high school in Bloomfield Hills, Michigan is looking into
an incident in which five students appear to have accessed
a school computer without authorization and changed grades.
The students, all from the International Academy, allegedly
installed a software tool on the system that enabled them to
steal login names and passwords. Discrepancies between
the computerized records and teachers’ personal records led
to the discovery of the incident. The suspected culprits could
receive punishments ranging from revoked academic credits
to expulsion. They also could face criminal charges.
Danny Ferrer of Florida has pleaded guilty to a count of
conspiracy and a count of criminal copyright violation in con-
nection with his having operated a Web site, BuysUSA.com,
that sold illegally copied software. The FBI shut down this
site last year. Additionally, he must forfeit several cars and
airplanes as well as a boat and helicopter that he bought
with the money that he made from the site. Due to be sen-
tenced soon, Ferrer may get up to 10 years in prison and
a fine of USD 500,000.
Tokyo law enforcement officers have arrested two people
for attempting to extort almost USD 90,000 from Japanese
phone company KDDI Corporation. Before a shareholder
meeting was to be held, these individuals allegedly threatened
to reveal that a loss of customer information had occurred;
storage media containing personal information pertaining to
four million KDDI customers were misplaced. Instead of pay-
ing the money, KDDI promptly informed police, who moni-
tored information exchanged between KDDI and the accused
before the arrests were made.
Bangalore police have reportedly arrested Nadeem Kash-
miri on charges related to his alleged participation in a plot
that resulted in GBP 233,000 being pilfered from the accounts
of HSBC customers. Kashmiri worked at an outsourced HSBC
data processing center from which he allegedly broke into
a computing system and then allegedly handed over
information that allowed others to drain funds from the cus-
tomer accounts. HSBC has announced that it will repay all sto-
len money to the affected customers. The scam prompted
HSBC to drop its India-based call center, which was the basis
of a number of previous customer complaints.
Three people, two from the UK and one from Finland, have
been placed under arrest for their allegedly having installed
backdoor programs on numerous computing systems. They
are suspected of being members of an on-line group named
"M00P," which is known to include these programs as attach-
ments in unsolicited email messages. The illegal activity tar-
geted numerous unidentified companies, most of which are
UK-based.
Richard Sylvestre of Massachusetts, a US Navy contractor,
has been charged with gaining unauthorized access to a US
military computing system. He allegedly installed malware
on a US Navy European Planning and Operations Command
Center computer in Naples, Italy. Sylvestre, who owns Ares
Systems International, was allegedly irate over a failed Ares
Systems’ bid for another project. The malware could possibly
have disrupted the Navy’s ability to track the locations of sub-
marines and ships. A Naval Criminal Investigative Service
agent in Norfolk, Virginia has stated that Sylvestre has con-
fessed to the charge against him.
The variety in the nature of computer crime-related activ-
ity never ceases to amaze me, as does the growth in this
activity. Digital piracy, unauthorized access to systems,
phishing schemes, and spamming are still among the most
prevalent types of computer crime, but ploys such as extortion
plots and selling bogus services appear to be growing rapidly.
Insider attacks such as the one at the high school in Michigan
and UBS PaineWebber continue to cause disproportionate dis-
ruption and loss, even if these attacks are not among the most
prevalent. As I have said so many times before, there appears
to be no end to computer crime; the only real consolation is
that law enforcement appears to be becoming increasingly profi-
cient in dealing with it.
3. More compromises of personal and financial information occur
There appears to be no end of fallout in sight after numerous
security breaches at Ohio University that resulted in the com-
promise of personal information pertaining to 173,000 stu-
dents, faculty, staff and alumni. Findings from a recently
conducted independent audit suggest that Ohio University’s
computer services department did not implement suitable se-
curity countermeasures necessary to safeguard information
stored on university computing systems despite a budget
that was more than sufficient. Two graduate alumni of this
university have filed a lawsuit claiming that privacy violations
have occurred and requesting compensation for any financial
losses resulting from identity fraud as well as credit-monitor-
ing for all individuals potentially affected by the university’s
security breaches. The plaintiffs are seeking class-action sta-
tus for this lawsuit. Numerous Ohio University alumni have
announced that they will no longer donate money to the uni-
versity because of the data security breaches. In reaction to
the aftermath of the incidents, the university has created
a new position, Chief of Staff to the Chief Information Officer,
to handle security-related issues and has reorganized the uni-
versity’s computer services department. The director of com-
puter and network services and the Internet and systems
manager were placed on administrative leave pending the
findings of a disciplinary hearing. Additionally, university
trustees voted to allocate up to USD 4 million for improve-
ments in the university’s computing systems.
News of lost and stolen laptops and desktop computing
systems containing personal and financial information con-
tinues to proliferate:
• The Texas Guaranteed Student Loan Corporation, a com-
pany that issues US-guaranteed student loans, has an-
nounced that computing equipment lost by a third-party
contractor held information pertaining to approximately
1.3 million student borrowers. Fortunately, the information
was both encrypted and password-protected. This company
is informing those potentially affected by this incident by
sending letters and has also set up a special Web site.
• Hotels.com says Ernst & Young (E&Y), its external auditor,
has experienced yet another unaccounted-for laptop com-
puter that potentially could result in information pertaining
to 243,000 Hotels.com customers being stolen and misused.
Individuals potentially affected by this incident were
notified.
• An Electronic Data Systems (EDS) employee checked a lap-
top as airline baggage and the commercial airline lost it. EDS sup-
plies data processing services for Ahold USA’s pension
plan; the lost system stored information pertaining to
Ahold USA retirees. Potentially affected former employees
have been informed in writing, but EDS is keeping the
number of individuals who have potentially been affected
secret. An EDS spokesperson has stated that the employee
who checked his laptop at the airport violated company
policy.
• An IRS employee lost a laptop containing data such as
names, Social Security numbers (SSNs) and fingerprints as-
sociated with 300 IRS actual and potential employees. The
IRS sent letters to every individual potentially affected by
the theft.
• Four laptops stolen from the offices of Buckeye Community
Health Plan in Columbus, Ohio contained information per-
taining to 72,000 subscribers in three counties and medical
information pertaining to 13,000 subscribers. The company
plans to inform everyone who is potentially affected in
writing.
• Two laptops that disappeared from the offices of the YMCA
of Greater Providence (RI) stored personal information in-
cluding names, addresses, SSNs, and credit card and bank
routing numbers pertaining to more than 65,000 YMCA
members. The YMCA will inform the potentially affected
members of this data security breach.
• The American International Group (AIG) has reported that
computer equipment stolen from one of its offices stored
personal information belonging to about 930,000 people for
whom their employers were trying to obtain quotes on cor-
porate health insurance terms, conditions and rates. The
data were supplied by almost 700 different insurance bro-
kers. AIG will send letters to those who were potentially
affected. AIG suppressed notification of those who were po-
tentially affected for approximately three months.
• The theft of a laptop belonging to ING resulted in the
potential compromise of personal and financial data of
13,000 individuals. The laptop was stolen from the home
of an ING US Financial Services agent. ING is putting a new security policy
for laptop security in place; data encryption and password-
based access are now required. Individuals affected by the
data security breach are all District workers and retirees.
• St. Paul, Minnesota police are investigating why three lap-
tops are missing from the state auditor’s office. The com-
puters stored a variety of information, including SSNs of
about 500 public employees and 1900 public program partic-
ipants. The information was password-protected, but not
encrypted. The incident has led to a security policy change;
computers must now be locked in cabinets or fastened with
cables when they are not in use. Encryption software has
also been installed on other computing systems. State law-
makers have called for a review of data security within the
auditor’s office.
• The US Federal Trade Commission (FTC) has admitted that
two laptops holding names, SSNs and financial account
information pertaining to about 110 persons were stolen
from a vehicle. The laptops, which are password-protected,
were assigned to staff attorneys. The agency is writing
a new information security policy that would mandate
that each employee erase all personal identifying informa-
tion in a computer before it could be taken out of an agency
office. If personal information on a laptop were needed
for an investigation and had to be taken out of the office,
management approval would be necessary.
• A laptop pilfered from the car belonging to a San Francisco
State University faculty member contained information
such as SSNs pertaining to almost 3000 current and prior
students at this university. San Francisco State University
administration has not taken any action so far in response
to this incident.
Additionally, break-ins into systems that resulted in the
potential compromise of personal and financial information
continued to occur, as shown by the following news items:
• Perpetrators stole credit card information from an as yet
unidentified retailer and then used this information in
successful identity fraud attempts against 100 Frost Bank
customers. Frost Bank, which is based in Texas, is inform-
ing all 9300 potentially affected customers and has said
that it will repay any stolen money. Visa USA has said
that it was advised of the incident and that it has in-
formed the financial institutions that issued the credit
cards in question.
• Sacred Heart University in Fairfield, CT has reported an
intrusion into one of its computing systems on May 8. Law
enforcement has been informed of the incident and is
investigating it. According to a local television station,
Sacred Heart has informed 135,000 people that their
personal information may have fallen into unauthorized
hands. The university has not released any additional infor-
mation, such as when the incident happened or the type of
information that may have been stolen. A posting on the
university’s Web site states that an inquiry involving use
of both school resources and a security consultancy is also
being conducted.
• Florida International University has notified thousands of
its students that their personal information may have
been exposed because of a data security compromise.
A Trojan horse program was found on a computing system
that contained this information, leading university staff to
realize that the system had been compromised. The format
of the notifications caused some concern: the postcard-
sized letter sent by university administrators could readily
be misperceived to be junk mail.
• An Oregon Department of Revenue employee accidentally
downloaded a Trojan horse program on a department com-
puting system. The Trojan may have gleaned taxpayer in-
formation, including names, addresses and SSNs, and then
sent it to a perpetrator. Up to 2200 Oregon taxpayers have
potentially been adversely affected by this incident. The De-
partment of Revenue has mailed 1300 letters so far. Others
who have potentially been affected are still being identified
and informed. The incident has resulted in a change in pol-
icy; Oregon Department of Revenue employees are now for-
bidden from using their computers for non-business-related
reasons.
• The US Department of Agriculture (USDA) has reported
that a break-in into computing systems may have
resulted in the compromise of personal information,
including names, SSNs, and photographs of about 26,000
of its employees and contractors. The USDA Secretary
has mandated that every person who was potentially
affected by the incident be informed both via email and
in writing and be offered one year of credit-monitoring
at no cost to anyone. USDA security staff found suspi-
cious activity in several systems two months ago, but at
first thought that the information was sufficiently pro-
tected against unauthorized access. Both the USDA in-
spector general and law enforcement are looking into
the incident.
Accidental leaks of personal and financial information also
continue to happen, as evidenced by the following news items.
• The University of Kentucky (UK) has informed roughly 1300
current and prior staff members that their personal infor-
mation, including SSNs, was publicly available on the Inter-
net for 19 days several months ago. The university has
rectified a mistake that made a folder containing the infor-
mation publicly available. There were 41 connections to
the folder while it was publicly accessible. UK is installing
a new system and discontinuing using SSNs as unique
identifiers.
• Humana Medicare has notified approximately 17,000 people
enrolled in its Medicare plans that their personal informa-
tion was found on an unsecured hotel computing system.
A Humana employee who stayed at the hotel apparently
opened an email attachment that contained the informa-
tion, but did not delete the information before he was fin-
ished using the computer system. A Medicare spokesman
decried the incident and demanded that Humana create
and implement a plan that will make certain that such inci-
dents will not occur again.
• The SSNs of more than 600 Catawba County, North Carolina
high school students were posted on school system’s Web
site and were publicly available via Google search. School
administrators assert that the Web page that contained
this information was password-protected, but they do not
know how the Web page became accessible through Google
search. The page, which also displays students’ placement
test scores, has been deleted from the Web site while Google
is taking steps to remove all links to the page. The posted in-
formation was several years old; the school district no lon-
ger uses students’ SSNs.
• Personal information, including names, SSNs and dates of
birth for about 28,000 US Navy sailors and family members
was found on a civilian Web site. The information was taken
off of the site shortly afterwards and the Navy has launched
a criminal investigation into how the information ended up
being leaked in this manner. Individuals who were poten-
tially affected by this incident are being informed.
A hard drive belonging to the American Institute of
Certified Public Accountants (AICPA) has been missing since
February. The drive stored cleartext personal information
pertaining to nearly every AICPA member. The drive was
damaged, causing AICPA staff to send it for repair at an out-
side data recovery service in violation of the AICPA’s policies.
After the disk was repaired, it was shipped via FedEx, but it
was lost in transit. Approximately 330,000 members have
been informed of the incident.
The number of data security breaches continues to grow
astoundingly because organizations and individuals continue
to fail to adequately protect personal and financial informa-
tion. Encryption is the most basic control measure; given
how potentially effective encryption is, one would think that
more organizations would use it to protect information. At
the same time, however, encryption solutions present some
very unpalatable problems such as the potential for loss,
destruction and/or corruption of keys that could render valu-
able and important information unreadable by those who
need to read it. Another alternative is to put a policy in place
that restricts the type of information that can be taken away
from the workplace. Several of the organizations in the above
news items have taken this approach. Although 100% compli-
ance with administrative control measures can never be
assured, restricting the removal of personal and financial
information can and should considerably lessen the odds of
a data security breach due to lost or stolen laptops. Strong
authentication and authorization mechanisms are also valu-
able in helping protect against data security breaches. There
is no "bulletproof" solution, however; defense in depth is
the key to better data security.
4. Results of security executives survey announced
Security vendor Courion and the Executive Alliance consul-
tancy announced results of a survey of 54 security executives
at the Converge ’06 Conference, Courion’s annual customer
meeting. The survey results indicated that security executives
have plenty to worry about. Primary concerns included unau-
thorized access to systems, auditability, compliance, cus-
tomer data security breaches, sabotage (internal and
external), theft of intellectual property, administration cost,
and unauthorized remote access. According to some of the re-
spondents, companies link their multiple sites with frame re-
lay-based WANs using Secure Sockets Layer Virtual Private
Networks (SSL VPN). Other companies use multiple vendors’
equipment and internetworking operating systems that in-
clude ISDN-based backup capabilities. Microsoft’s soon to be
released Vista operating system is perceived to be another op-
tion because it supports adding endpoint security for mobile
and remote access workers. An issue becoming more preva-
lent is that although manufacturing floor equipment used to
be low-end, now seemingly every piece of equipment has
an operating system, has access to the corporate network,
and is an "intelligent" multifunction device, adding more rea-
sons for network security worries for business networks.
I find the results of this survey to be extremely interest-
ing, but at the same time I find them troubling. Most of the
security executives were worried about technology as if get-
ting the right technology in place were the major goal in in-
formation security. Technology can provide good control
solutions, but technology alone can only do so much. I
am thus surprised that critical issues such as keeping poli-
cies and procedures up to date and creating an effective
management infrastructure did not show up as critical
concerns.
5. CSI/FBI survey results show computer crime losses are declining
According to the 2006 annual survey by the Computer Secu-
rity Institute (CSI) and the FBI, financial losses incurred by
businesses due to security breaches such as computer
break-ins were about USD 168,000 per business. This consti-
tuted an approximately 18% decrease from the average of
USD 204,000 reported last year and a roughly 68% decrease
from the average loss reported the year before last. The
615 US CSI members who responded to the survey reported
experiencing fewer overall security-related incidents. The
most reported incidents still include worm and virus infec-
tions, laptop theft, and insider abuse of Internet access,
but all were less frequent compared to the 2005 survey re-
sults. About a third of those who responded reported that
they had no losses from insider threats; 29% indicated that
less than a fifth of overall losses stemmed from insider inci-
dents. Consistent use of security technology may also have
contributed to the reduced incident-related losses: almost
all of the respondents said that they use firewall and anti-
virus software and 80% said that they use spyware protection.
Spyware protection was not listed as a category of security
technology last year. Almost 50% of the respondents said
that less than 2% of their budget is spent on security. In con-
trast, last year they said 35% was spent on security. One
point made at the CSI NetSec conference last June was
that consumers might be the group that is most impacted
by computer crime-related losses, but the survey does not
cover consumer losses. Identity theft costs and related in-
conveniences are suffered mostly by individuals, even if
a data security incident started at an enterprise.
Once again it is very difficult to interpret these results. On
the surface things appear to be getting better as far as security
goes: the average cost of security breaches has been declin-
ing for several years now and organizations are increasingly
deploying proven security solutions. At the same time, how-
ever, I worry about the validity of the survey results in that es-
timates of security-related loss are anything but objective. In
the absence of a more uniform and objective method of esti-
mating loss, the survey results’ trend towards declining losses
might simply mean that respondents are getting more conser-
vative in estimating the amount of loss.
6. Stolen Department of Veterans Affairs laptop triggers major reaction
In May, the Department of Veterans Affairs (VA) revealed that a laptop computer and external hard drive containing personal information pertaining to about 26.5 million veterans who have served in the military since 1975, including information pertaining to 2.2 million active-duty National Guard and Reserve troops, were stolen from the home of a VA employee. The information, which included names, SSNs, dates of birth, and disability ratings for veterans with disabilities, had been taken to the employee’s home without authorization. The data were not encrypted. This data security breach, one of the largest ever, set off a series of major reactions:
- The employee who took the laptop home without authorization has been put on administrative leave.
- The VA is taking steps to inform veterans of the incident and has created a Web site and a toll free number to answer questions and address concerns. The VA has been heavily criticized for its three-week delay after the theft occurred in revealing it to the public. Meanwhile, the VA said it is working with credit-monitoring services to see how to best protect those who were potentially affected.
- To reduce the likelihood of security breaches, the VA suspended use of employee-owned computers for official agency business and has limited telecommuting at the Veterans Benefits Administration. VA employees were reminded that failure to comply with department policy regarding safeguarding personal information could result in administrative, civil, and/or criminal penalties. Although about 35,000 employees have off-site access to the department’s servers through a VPN, they no longer will be permitted to access the agency’s VPN from their personal computers. The VPN settings will also change every 30 days, forcing laptop users to return to the agency for updates and security checks. Outside observers speculated that the data security breach would not have occurred if the employee had accessed the information he needed over a network, rather than bringing it home.
- A group of veterans’ organizations filed a class-action lawsuit against the VA in the US District Court in Washington, alleging that their privacy rights were violated after the VA employee’s laptop and hard drive were stolen. The lawsuit demands that the VA fully disclose the particular military personnel who are affected by the data security compromise and seeks USD 1000 in damages to each individual who was potentially affected by the incident. The lawsuit also asks for a court order preventing VA employees from using sensitive data until independent experts determine whether or not proper safeguards are in place. The suit refers to a 1974 federal privacy statute that mandates that agencies have protections to guard against the unauthorized disclosure of personal information.
The FBI, local law enforcement agents and the VA’s inspector general continue to investigate the incident. Fortunately, no evidence that the data have been used has surfaced. The stolen laptop has been recovered; the FBI and the VA say it appears that the data on the computer were not accessed. The external hard drive that was stolen in the burglary was also recovered.
The VA is not the only department in the US government to experience a major security lapse, however. In early May the Internal Revenue Service (IRS) also reported a missing laptop that contained SSNs, fingerprints, and names of 291 IRS employees and job applicants. Two weeks later the US Department of Agriculture (DOA) revealed that a perpetrator broke into its network and stole names, SSNs, and photos of 26,000 employees and contractors in the Washington DC Area. Additionally, the FTC reported that two laptops that contained SSNs and financial data related to law enforcement operations were lost. The Navy said it was investigating how personal data for 28,000 sailors and family members wound up on a public Web site (note: this news item was covered earlier in this paper).
The VA data security breach as well as the ones within the IRS, DOA, FTC, and Navy continue to show that something is drastically wrong with the way the US government safeguards information about individuals. The fact that the VA waited so long to report the loss of the stolen laptop and hard drive adds fuel to what is already a conflagration. The outcry has been great, so great that many US government departments and agencies have already made sweeping changes in the way they practice data security. At the same time, however, they all still have a long way to go.
7. US government tries to tighten data security
The White House Office of Management and Budget (OMB) has issued new guidelines that it calls ‘‘recommendations’’ rather than ‘‘requirements’’ for laptop security. The guidelines allow Federal civilian agencies 45 days in which to implement new measures to safeguard the security of information pertaining to employees and citizens. Among other things, the guidelines call for:
- Having agencies maintain detailed records of any information downloaded from sensitive information databases,
- Verifying that such records are deleted within 90 days unless their use is still required,
- Encrypting all information on laptop or handheld computers unless the data are classified as ‘‘non-sensitive’’ by an agency’s deputy director,
- Implementing two-factor authentication (a password plus a physical device such as a key card) if employees must reach a work database through a remote connection, and
- Shutting down remote connections automatically after 30 min of inactivity.
The OMB said it would work with agencies’ Offices of Inspector General (OIG) to ensure compliance with the guidelines.
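The first three guideline items above (keep a record of every download from a sensitive database, confirm each extract is deleted within 90 days unless a continuing need is documented, and keep extracts on encrypted portable devices) lend themselves to a routine audit. The following is an added illustration of such an audit and is not code from OMB, any agency or this column; the record layout, the field names (record_id, still_required, device_encrypted) and the sample rows are all constructed for the example.

```python
"""Illustrative retention audit for a log of downloads from sensitive databases.

Constructed example: the record layout, field names and sample rows are
assumptions made for illustration, not an OMB or agency format.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_DAYS = 90  # window in the OMB guideline for deleting downloaded extracts


@dataclass(frozen=True)
class ExtractRecord:
    """One logged download from a sensitive-information database (assumed layout)."""
    record_id: str
    user: str
    source_db: str
    downloaded_on: date
    deleted_on: Optional[date] = None
    still_required: bool = False   # data owner has documented a continuing need
    device_encrypted: bool = True  # the laptop/handheld holding the extract is encrypted


def audit_extracts(records: List[ExtractRecord], as_of: date) -> List[Tuple[str, str]]:
    """Return (record_id, issue) pairs for records that violate the guideline."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        # A deleted extract is judged on how long it was kept; a live one on its age today.
        end = r.deleted_on if r.deleted_on is not None else as_of
        held_days = (end - r.downloaded_on).days
        if held_days > RETENTION_DAYS and not r.still_required:
            if r.deleted_on is None:
                findings.append((r.record_id,
                                 f"retained {held_days} days with no documented continuing need"))
            else:
                findings.append((r.record_id, f"deleted only after {held_days} days"))
        # Extracts on portable devices must sit on encrypted storage regardless of age.
        if not r.device_encrypted:
            findings.append((r.record_id, "extract held on an unencrypted device"))
    return findings


# Constructed sample log; the audit date and every row are invented for the example.
SAMPLE_RECORDS = [
    ExtractRecord("X-001", "jdoe", "benefits_db", date(2006, 3, 1)),                       # 122 days, live
    ExtractRecord("X-002", "asmith", "benefits_db", date(2006, 5, 15)),                    # 47 days, live
    ExtractRecord("X-003", "jdoe", "claims_db", date(2006, 2, 1), still_required=True),    # need documented
    ExtractRecord("X-004", "bjones", "claims_db", date(2006, 1, 10), deleted_on=date(2006, 5, 1)),  # 111 days
    ExtractRecord("X-005", "asmith", "hr_db", date(2006, 6, 20), device_encrypted=False),  # unencrypted
]


def sample_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed log as of 1 July 2006."""
    return audit_extracts(SAMPLE_RECORDS, date(2006, 7, 1))


if __name__ == "__main__":
    for record_id, issue in sample_audit():
        print(record_id, issue)
```

Running the block reports X-001 (still held after 122 days), X-004 (deleted only after 111 days) and X-005 (held on an unencrypted device); X-003 is exempt because a continuing need is recorded, which is the documented exception the guideline allows. Whoever signs off on that exception should be recorded in the log as well, so the OIG can verify the exemption rather than take it on trust.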
David M. Walker, chief of the Government Accountability Office (GAO), proposed that all federal agencies conduct a privacy impact assessment to determine how personal information is collected, accessed, and stored. He also recommended that agencies make sure that they comply with the 2002 Federal Information Security Management Act (FISMA). According to current government policy, all sensitive data on laptops must be encrypted.
Optimists will see the measures that OMB and GAO are pushing forward as major steps towards better protection of sensitive information. Pessimists will point out how well-intended measures prescribed by the government so often are, but how ineffectual government agencies and departments have too often been in putting any such measures in place. One thing is sure: the US public will not tolerate many more major security compromises of information that potentially involve them. At some point soon there will be major pressure for legislation that makes failure to protect personal and financial information a crime, the type of legislation that is already in place in other countries around the world.
8. Cybersecurity Industry Alliance survey results show desire for better security legislation
Results of an April survey by the Cybersecurity Industry Alliance of 1150 adults indicated that fewer than 20% of the respondents feel that existing laws are enough to protect them when they connect to the Internet. Two thirds of the respondents said that the US Congress should make protecting computing systems and networks a higher priority. About 70% said that Congress should pass strong data security legislation such as California SB1386. About a third of the respondents said they would have serious or very serious doubts about voting for political candidates who do not support quick action to improve existing computer security laws. Congress has been proposing and debating various data security legislative actions for the past year, but has not passed anything. The Cybersecurity Industry Alliance recommended that Congress pass comprehensive federal data security statutes that, among other things, put reasonable security measures in place, make notification consistent and predictable, implement industry best practices, and bolster enforcement. They also recommended that legislation establish a safe harbor provision that encourages encryption of stored data, something that would further protect organizations from liability.
At the risk of excessive repetition of my comments in previous issues’ Security Views, suffice it to say that it is inexcusable that the US Congress has so pathetically dragged its feet in passing legislation mandating better security in computing, especially in the area of protection of personal and financial data. The finding that 70% of the respondents of the Cybersecurity Industry Alliance Survey indicated that they wanted better security legislation should have sent a very strong and clear message to US Congress members. At the same time, however, only roughly one third of the respondents indicated that their choice of political candidates would depend on the candidates’ positions on passing computer security legislation. It is almost as if people want better legislation, but have not caught on to what it would take to pass such legislation. I thus seriously doubt that, even if these results are indeed representative of US voters’ opinions, there is yet sufficient momentum to pressure legislators to push through the type of legislation that has been so sorely needed for so long.
9. Copyright issues growing in importance in People’s Republic of China
The People’s Republic of China (PRC) passed a new statute effective at the beginning of last month that bans uploading and downloading of Internet material without the copyright holder’s consent. This statute requires that anyone wanting to upload text, or performance, sound, and video recordings to the Internet to enable others to download, copy, or utilize them in some other manner first obtain the consent of copyright owners and pay any required fee. The law prohibits producing, importing, and supplying equipment that circumvents or violates copyright protection and technical services. The law also bans deleting or changing digital material owned by others. Under the provisions of this new law, copyright owners can send violators written cease and desist requests, and Internet service providers (ISPs) must delete violators’ works or links to their works upon receipt of a valid notice from a bona fide copyright owner. Copyright violators may be fined up to 100,000 yuan and their computing equipment may be confiscated.
Copyright-related lawsuits are now becoming increasingly common in the PRC. For example, MP3 download software company Kuro was sued in the first case involving P2P downloading in the PRC. In another case, a Shanghai-based music firm sued Chinese search engine company baidu.com for 68,000 yuan on the grounds that baidu’s search function violated the former’s copyright.
The recent copyright protection statute that was passed in the PRC is one of several copyright-related laws that have gone into effect recently. Clearly, the PRC is getting serious about cracking down on copyright violations, something that must give great comfort to both Microsoft and the Recording Industry Association of America (RIAA). At the same time, copyright-related lawsuits are also becoming more frequent. If things keep going the way they are going, concerns about piracy in the PRC will greatly diminish.
10. Medical identity theft increasing
The problem of medical identity theft has been overshadowed by the problem of financial identity theft, but the former is growing at an alarming rate. The World Privacy Forum (WPF) has estimated that 250,000 people in the US have already been victimized by medical identity theft. Medical identity thieves use the same type of information as do financial identity thieves, but sometimes the former also use pilfered medical insurance information to obtain medical services and goods without authorization or to make bogus medical treatment claims. When these kinds of things happen, not only do financial records point to victims with subsequent financial repercussions, but also the false medical records can plague victims in more sordid ways. In the US there are, for example, no rights that permit individuals to correct errors in their medical files. Although a growing number of hospitals are beginning to recognize the crime and are setting up programs to prevent it, medical records are decentralized and thus are more difficult to correct if they are compromised. The stolen medical identities then travel through the system, often resulting in a proliferating number of false medical entries in victims’ names. The false entries can then cause misdiagnoses, incorrect medical treatments, and other possibly life-threatening problems for the victims. Additionally, the false medical histories can result in failed physical exams for employment, cancelled life and health insurance coverage, and can even trigger criminal investigations. Medical identity theft is difficult to discover because it can be obfuscated within the widely dispersed databases and medical files in hospitals, clinics, physicians’ offices, and insurance companies. Those who regularly examine their credit reports, for example, might not spot any evidence within their credit report that a medical information problem exists, even if it is a serious problem.
Statistics concerning the number of financial identity thefts versus the number of medical identity thefts that have occurred offer a good explanation for the fact that the former has received considerably more attention than the latter: 57 million Americans have been victims of financial identity theft compared to 250,000 victims of medical identity theft. Given the many egregious problems that medical identity theft can cause, it is nevertheless important to not lightly dismiss this threat. I also predict that over time the financial identity theft problem will diminish in magnitude due to greater awareness within organizations, legislation that requires better protection of personal and financial data, and other factors. The same is not likely to be true of medical identity theft, however, given that little attention is currently being paid to this problem. Medical identity theft is thus very possibly a time bomb ready to explode soon.
11. Computer crime-related legislation moves forward in US Congress
The US House of Representatives Judiciary Committee recently approved a bill that would make current federal computer crime legislation stronger and also give officials increased enforcement tools and funding. The Cybersecurity Enhancement and Data Protection Act of 2006 would make using botnets a federal crime. Under the proposed legislation, the definition of computer-related extortion would be expanded to include those who threaten to access a protected computer to demand a promise from a victim. Current provisions of the law forbid only threatening to damage a computer. Those convicted of breaking the proposed law could receive up to 30 years in prison. Currently, a defendant must only forfeit proceeds gained as the result of committing a computer crime. The bill makes failing to report security compromises to the FBI or Secret Service that involve at least 5000 customers a crime punishable by up to five years in prison. A section of the proposed legislation also would allocate USD 10 million annually to the FBI, Secret Service, and Department of Justice (DOJ) to investigate and prosecute computer crime.
The US Senate recently introduced the Data Security Act of 2006 to create a uniform national standard to better protect Social Security-related data, credit card numbers, driver’s license information, passwords, and account access codes. The bill would require businesses and government organizations to safeguard all paper and electronic records containing information that could be used to commit identity theft or account fraud. State and federal regulatory agencies would be required to oversee the operations and business practices of their entities, and the agencies themselves would be internally regulated. The bill would mandate that consumers be notified when there is a risk that stolen identities or accounts could cause substantial harm or inconvenience. Although numerous committees in the House of Representatives have proposed similar legislation, the House has not yet passed a final version.
I must confess that I am running out of enthusiasm for what seems like the vast amounts of computer crime-related bills that go before one committee or another, get passed in committee, and then never go any farther. I will hopefully be proven wrong with respect to the two new bills discussed in this news item. In particular, the possibility of making botnets a federal crime under the provisions of the Cybersecurity Enhancement and Data Protection Act of 2006 seems extremely appropriate given the grave risks that botnets have caused lately. History is the best predictor of the future, however, and in the past bills that promised to go far in the war against computer crime have for one reason or another almost uniformly failed to pass. Getting one’s hopes up with respect to the currently proposed bills is, therefore, once again probably ill-advised.
12. VoIP wiretapping legality upheld in court
The US Court of Appeals for the District of Columbia has upheld the Federal Communications Commission (FCC) August 2004 ruling that mandates that voice over Internet Protocol (VoIP) providers who offer a substitute service for traditional telephone service conform to a 1994 telephone wiretapping statute, the Communications Assistance for Law Enforcement Act (CALEA). The deadline for compliance is May 14, 2007. Contending that compliance could result in security vulnerabilities in VoIP services and increase costs for customers, organizations including the American Council on Education, the Center for Democracy and Technology (CDT), and Sun Microsystems had appealed the ruling.
It appears that opponents of the FCC’s ruling that VoIP carriers must provide ways for law enforcement to wiretap VoIP communications are going to lose their battle. I suspect that their major motivation was trying to preclude what could very well be major financial costs associated with conforming to the FCC’s requirements. Still, personal privacy in the US has suffered yet another fairly major blow with the US Court of Appeals’ recent ruling. US residents’ telephone conversations are already being recorded; now Internet-based phone conversations will suffer the same fate.
13. EU Court nullifies airline passenger data agreement with US
Arguing that the US did not assure sufficient data protection and that submitting data of Europeans to the US violated individual privacy rights, the European Parliament asked the European Court of Justice to nullify an EU–US agreement requiring airlines to provide passenger data to the US in an effort to identify potential terrorists. The agreement required airlines with US-bound European flights to provide US authorities with certain information concerning passengers within 15 min of the scheduled departure time. This information included passenger names, addresses, credit card information, and other personal information. The US warned that any airline failing to comply with the agreement would face heavy fines and would be refused landing rights. Additionally, passengers on non-compliant flights would be forced to go through arduous security checks once they landed. The court ruled in favor of the European Parliament, stating that the Council of the European Union and the European Commission had based their decision to approve the agreement on the EU Data Protection Directive, which did not apply to information gathered for security purposes. The court, which set a September 30 deadline for finding a different legal solution to the US’ information needs, examined only the legal basis of the data transfer and did not consider the privacy aspect of the ruling. The court’s ruling does not in any way reduce data protection standards, however. The US insisted on the tighter worldwide airline security after the September 11, 2001 terrorist attacks.
The EU Court of Justice ruling is quite reasonable. Handing information pertaining to EU citizens over to US officials would constitute an invasion of the privacy of EU citizens. Additionally, given all the compromises of personal and financial information that constantly occur in the US and also that no suitable federal legislation requiring suitable protection of such information exists, the probability that this information would fall into the wrong hands would be unacceptably high. It will be interesting to find out how this extremely important issue will be resolved in time. I predict that the Court’s ruling will be only a temporary setback to the US effort to spot and apprehend possible terrorists on flights before the flights take off. The US government is likely to come up with another proposal, perhaps one that would allow passenger data pertaining to Europeans to remain in the exclusive control of Europeans.
14. WestJet settles with Air Canada over unauthorized access to web site
At the request of Air Canada, Calgary-based WestJet Airlines agreed to pay a CD 10 million donation to a children’s charity as well as CD 5.5 million to offset Air Canada’s investigation and litigation costs associated with a CD 220 million lawsuit that Air Canada filed against WestJet in 2004. The suit complained that WestJet employees used the password of a former Air Canada employee to access a confidential Air Canada Web site to glean proprietary information concerning Air Canada’s passenger traffic. Proprietary Air Canada information was compromised and, according to the lawsuit, used to plan WestJet’s flight schedule and expansion strategy. In its defense WestJet retorted that the Air Canada Web site did not have any confidential information and that the identical information could also be obtained by counting Air Canada passengers at airports. In its countersuit, WestJet accused Air Canada of using private investigators to obtain shredded papers from the home of a WestJet executive and of hiring another company to reassemble the shredded papers.
Industrial espionage cases are always fascinating, and this one is no exception to the rule. It sounds as if WestJet got caught with its proverbial fingers in the cookie jar and did not have much of a basis for its defense. Ideally, this will make corporations around the world think a bit harder before they allow their employees to go rummaging around their competitors’ Web sites.
15. Sony BMG Rootkit court case penalty approved by District Court
The court case against Sony BMG reached its conclusion with the penalty phase. This music company was found guilty of exposing thousands of computers to attackers through DRM software embedded in Sony BMG’s music CDs. US District Court Judge Naomi Reice Buchwald approved the penalty: the settlement requires that Sony BMG provide free downloads, a patch to remove the XCP or MediaMax code, and new malware- and vulnerability-free CDs for consumers.
Sony BMG lost its court case, and rightfully so. Sony BMG must now conform to the terms of the penalty that the district court approved, yet the time and resources needed to conform will not begin to approach the amount that Sony BMG will need to recover from the massive public image damage that this company has incurred.
16. Barclays Bank provides customers with free anti-virus software
UK-based Barclays Bank has bought 1.6 million licenses of F-Secure anti-virus software with two years of updates to ensure that its on-line banking customers’ computers are adequately protected against viruses, worms and Trojan horses. The bank also implemented a system for text messaging to inform customers when money is transferred using their on-line account details. The bank sent letters to the customers to inform them about the free anti-virus software and to give them a code for unlocking it once they download it.
I included this news item because Barclays Bank has taken an initiative that other banks so far have not, namely providing customers with free anti-virus software. Customers’ computers comprise a major weak link in customer transaction security. Providing free anti-virus software to customers will go a long way in bringing up the level of security in customers’ computers. My guess is that Barclays Bank carefully weighed the costs versus the benefits of this new initiative and determined that it is less costly to spend whatever it costs to obtain 1.6 million licenses of anti-virus software than to have to troubleshoot malware-related problems in customers’ machines and to restore funds lost from accounts that perpetrators accessed without authorization because malware was planted in customers’ systems.