June 25, 2006

Footloose And Fancy Free Security

One of the downsides of our technological age is the large inventory of security vulnerabilities it has brought with it. As with every advance in technology, from the primitive to the modern, the new phases out the old until it becomes a necessity, especially in business and government.

Electronic data storage isn’t new, but as it has evolved, so have the computer skills of criminals who know how to make use of the data they steal. This has created a colossal and still growing branch of the Protection Industry called Information Security, one that attracts many of the best and brightest in the computer field.

Unfortunately, even in these days of heightened security awareness, many companies that hold confidential information fail, for any of a number of reasons, to address security adequately. As a result, a lot of confidential data is stolen, much of it criminally usable personal information about people who have no affiliation with the companies in question and therefore no “say” in how their information is secured.

Here’s one government contractor that practically offers up the personal information entrusted to it to anyone who steals one of its five thousand laptops from an employee’s home.

A laptop containing personal data — including Social Security numbers — of 13,000 District workers and retirees was stolen Monday from the Southeast Washington home of an employee of ING U.S. Financial Services, the company said yesterday.

ING, which administers the District’s retirement plan, known as DCPlus, notified the city about the theft late Friday.

The company is mailing a letter to all affected account holders to alert them to the risk of someone using the information to commit identity theft, spokeswoman Caroline Campbell said. The company is also telling customers that it will set up and pay for a year of credit monitoring and identity fraud protection.

The laptop was not protected by a password or encryption, Campbell said. Encryption safeguards information by scrambling it into indecipherable codes.

The letter should open something like this:

Dear Fragonard and Elise Boosprinhoffer:

Some time ago, your city government entrusted us with a quantity of your vital personal information, for whose security we automatically assumed responsibility. This letter is to inform you that we’ve screwed the pooch, and that your information is now in the hands of person or persons unknown. We are very sorry we didn’t even bother to encrypt the 5,000 laptops containing your confidential data, scattered to hell and gone among employees nationwide….

A Social Security number can be used by thieves to open new lines of credit in the victim’s name. In the past 15 months, more than 85 million U.S. consumers have been told that their personal or financial data might have been compromised because of data breaches, disgruntled employees or incompetence.

Last month, the U.S. Department of Veterans Affairs announced that the personal information of 26.5 million veterans and military personnel was endangered after a laptop and external hard drive were stolen from an employee’s home in Montgomery County.

I must say, laptops with people’s confidential information on them are a hot item these days.

There is no reason in the universe for this kind of stupidity, and it really does demonstrate how little many firms care about security, including the security of your information and mine. A competent security director, unless constrained by the fine folks in the executive suite (which happens more often than many people realize), would centralize all the confidential data in one place, where it can be safeguarded far more easily. Employees would reach it through an authentication system with individual credentials, rather than carrying copies home, and their access would be both restricted to the specific records each of them needs to know and monitored, so that every lookup is attributed to one person and can be reviewed. All of that is well within the range of modern security technology.
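The centralized, need-to-know arrangement described above, reduced to code. This is an added example written for this page, not ING’s system or anything from the Post article: the account numbers, employee names and SSNs are constructed (the SSNs deliberately invalid), and the store, the assignments and the audit log are hypothetical. It shows the two properties the paragraph asks for: each lookup is restricted to the accounts an employee is assigned, and every attempt, allowed or denied, is recorded against that employee so it can be reviewed later.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Record is one plan participant's entry in the central store.
type Record struct {
	Account string
	Name    string
	SSN     string
}

// AuditEntry is written for every access attempt, allowed or denied.
type AuditEntry struct {
	When    time.Time
	User    string
	Account string
	Allowed bool
	Reason  string
}

// ErrDenied is all a caller learns on a failed lookup; the precise reason
// goes only to the audit log, so a probing user cannot tell "no such
// account" from "not one of yours".
var ErrDenied = errors.New("access denied")

// Store holds every record in one place and hands them out one at a time,
// only to an employee assigned to that account.
type Store struct {
	records    map[string]Record
	needToKnow map[string]map[string]bool // employee ID -> accounts assigned
	audit      []AuditEntry
	now        func() time.Time
}

// NewStore builds the store from records and per-employee assignments.
// An employee missing from assignments has no access at all.
func NewStore(records []Record, assignments map[string][]string) *Store {
	s := &Store{records: map[string]Record{}, needToKnow: map[string]map[string]bool{}, now: time.Now}
	for _, r := range records {
		s.records[r.Account] = r
	}
	for user, accounts := range assignments {
		s.needToKnow[user] = map[string]bool{}
		for _, a := range accounts {
			s.needToKnow[user][a] = true
		}
	}
	return s
}

// Lookup returns one record if user is assigned to account, logging the
// attempt whether or not it succeeds.
func (s *Store) Lookup(user, account string) (Record, error) {
	rec, exists := s.records[account]
	assigned := s.needToKnow[user][account] // nil inner map reads as false
	reason := "assigned"
	switch {
	case !exists:
		reason = "no such account"
	case !assigned:
		reason = "user not assigned to account"
	}
	allowed := exists && assigned
	s.audit = append(s.audit, AuditEntry{s.now(), user, account, allowed, reason})
	if !allowed {
		return Record{}, ErrDenied
	}
	return rec, nil
}

// Audit returns a copy of the log for review.
func (s *Store) Audit() []AuditEntry { return append([]AuditEntry(nil), s.audit...) }

// DeniedAttempts is the monitoring side: a run of denials for one user is
// either a misconfigured assignment or someone fishing for data.
func (s *Store) DeniedAttempts(user string) []AuditEntry {
	var out []AuditEntry
	for _, e := range s.audit {
		if e.User == user && !e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

// SampleStore loads constructed data: invalid SSNs, made-up account IDs
// and two hypothetical employees with different assignments.
func SampleStore() *Store {
	records := []Record{
		{"DCP-0001", "A. Example", "000-00-0001"},
		{"DCP-0002", "B. Example", "000-00-0002"},
		{"DCP-0003", "C. Example", "000-00-0003"},
	}
	assignments := map[string][]string{"larry": {"DCP-0001"}, "maria": {"DCP-0001", "DCP-0002"}}
	return NewStore(records, assignments)
}

func main() {
	s := SampleStore()
	// Allowed; real account but not Larry's; nonexistent account; unknown employee.
	for _, a := range [][2]string{{"larry", "DCP-0001"}, {"larry", "DCP-0002"}, {"larry", "DCP-9999"}, {"nobody", "DCP-0001"}} {
		rec, err := s.Lookup(a[0], a[1])
		fmt.Printf("%-6s %s -> name=%q err=%v\n", a[0], a[1], rec.Name, err)
	}
	for _, e := range s.Audit() {
		fmt.Printf("%s user=%s account=%s allowed=%t reason=%q\n",
			e.When.Format(time.RFC3339), e.User, e.Account, e.Allowed, e.Reason)
	}
}
```

The caller sees the same `access denied` for a wrong account and for a nonexistent one; the distinction lives in the audit log, where a security director reviewing Larry’s three denials in a row can act on it. Nothing in the store ever returns more than a single record, which is the point: there is no bulk export to copy onto a laptop in the first place.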

A lot of security people are in working environments in which, if they were permitted to do their jobs properly, they would have to “inconvenience” employees: “ladeedah” Larry the Latte Man, who wants to take home some confidential documents, breaching security policy, because it’s oh so much easier to work in his office at home; or the employee who “accidentally” left his or her company ID at home but is almost late and has to run. “Sorry, ma’am, I see you every day, but for all I know you might have quit or been terminated yesterday, and policy requires that I check. Please be patient while I confirm that you still work here, and then I can issue you a one-day pass.” Unfortunately, companies often require their security personnel to “look the other way once in a while” without actually documenting these requirements, all part of “promoting an employee-friendly work environment”. Then there’s the PC factor that’s forced on people whose job is often anything but PC-friendly. Protectors cannot protect if they are not given both the resources and the authority to do what they have to do to protect their principals.

However, by not taking security as seriously as it needs to be taken, as ING U.S. Financial Services did in taking the path of least resistance, companies invite infinitely more costly problems down the road.

Isn’t it nice that thousands of people can take your confidential information home with them? What are the odds that ING and the U.S. Department of Veterans Affairs (one a city government contractor, the other a federal agency) are the only two such entities in the entire country that follow this practice? Not very good, I’m afraid.

I love this part:

ING executives say that they believe that their computer was stolen for its value as hardware and that thieves may not have been aware of the data it contained. ING said it is working with District police and has hired a private investigative firm.

How silly is that?

What they are really saying is, “We haven’t a clue, this incident has thoroughly embarrassed us and the lack of confidence it has no doubt inspired will cost us a lot of new business and very possibly a number of our present clients, so in an effort to circumvent any kind of uproar at our incompetent security measures, we’re feeding you this line of transparent bullcrap.”

ING executives say that they believe that their computer was stolen for its value as hardware and that thieves may not have been aware of the data it contained.

A. What evidence do they have to support that “belief”? How do they know it wasn’t stolen for the data within? It could as easily have been a dishonest friend or an ex with an axe to grind who knew what the employee brought home, because he had told them.

B. Even if the thief had stolen the laptop for its “value as hardware”, chances are that he, or someone he fenced it to (there are computer-savvy people in all walks of life, from flophouses to mansions), might discover the data and, both obviously possessing a criminal turn of mind, might either use it themselves or, if they weren’t that expert, bring it to someone who knows how: maybe some computer whiz kid from the suburbs who occasionally buys crack from one of them, someone’s brother or someone’s aunt, for that matter, or a nine-year-old who lives down the street and spends all his free time in front of his computer, hacking into places he doesn’t belong. This is a new age, friends, a real-world remake of Alice In Wonderland, only rated R (and in some places, XXX).

C. Efficient crooks work just as hard at their respective trades as the rest of us do. Some use burglaries as camouflage for other crimes. To momentarily digress, I’ll relate an example from my casino security days when I lived in Nevada:

One of the charges we made a lot of arrests for was called “Uttering A Forged Instrument” and dealt, among other things, with cashing or attempting to cash checks that weren’t… well, weren’t made out to the casher by the party or company whose name appeared on the checks. Casino cages cash payroll checks all the time, knowing that at least some of the money will find its way into their slots, across their tables or into the cashiers’ windows in Race & Sports.

That said, there was a group of criminals in the city who bought up found or stolen IDs, passports and driver’s licenses from street people, pickpockets, etc. Their “gig” was burglarizing small businesses: they would steal a couple of computers and whatever cash they found, and then go into the business owner’s book of blank payroll checks, removing a few pages of checks from the bottom, where nobody would discover they were gone for possibly months. The owner would call the police, the police would take a report, and the stolen office hardware would disappear into a lake or someplace.

Next, they would draw from the pool of street people (in Las Vegas or Reno, the only way a homeless person can live with even minimal “dignity” is by staying clean and respectable-looking, and they find ways to do it), local druggies and other petty crooks, matching faces to IDs as closely as possible and making out the stolen paychecks in the names on the IDs. The checks averaged $800.00 to $1,200.00, and the deal was that the casher got to keep half of the amount. This was very well organized, the only flaw being the inevitable one when a lot of people are involved: we were able to persuade a few of the cashers we caught to roll over on the people giving them the “work”.

My point being, if ING doesn’t know who pulled off the theft, how can they know the motive behind it? The employee from whom the laptop was allegedly stolen could himself have committed the “theft” in partnership with an identity thief who knows what he’s doing.

Monday’s burglary has prodded ING to analyze whether any of its other 5,000 laptops in circulation across the country lack adequate protection, Campbell said. Steve Van Wyk, the company’s chief information officer, said he did not know how many of its computers lacked security measures but believed it was a small number.

“For us, this is very unfortunate,” Campbell said. “But we’re moving forward, we’re very focused and committed to find any other laptops that don’t have encryption software and to fix that. This incident revealed a gap.”

It wasn’t the first time, however. Two ING laptops that carried sensitive data affecting 8,500 Florida hospital workers were stolen in December, and neither was encrypted, said Chuck Eudy, an ING spokesman.

Emphasis mine.

So it happened to two (count ‘em, 2) of their other unencrypted laptops about six months ago, and they didn’t fully address the problem then (assuming they are telling the truth about most of their laptops being encrypted). There are still a few Lone Rangers out there with the laptops from hell.

To my thinking, this is a double whammy. Not only did ING not have competent information security policies in place before the first hit, but they didn’t correct the vulnerability that incident had flung right in their face.

I believe, also, that some blame goes to the DC city administrators who placed this data in the hands of ING without first having competent, experienced Protection professionals do a security survey of the firm and see that such vulnerabilities were adequately addressed. This was, after all, citizens’ personal information that their agency was sharing with a private sector company.

One thing about the Post article shows that someone, somewhere is thinking: just in case it was merely a “hardware theft”, they were smart enough not to release the employee’s name and address. The DC cops are also totally right in not releasing any information on their investigation.

by @ 2:15 pm. Filed under Security

6 Responses to “Footloose And Fancy Free Security”

  1. GM Roper Says:

    When I got a letter from the VA saying my data was among those stolen from the VA employee’s laptop I went through the roof. Can you imagine how much damage this is going to cause… ING, what were you thinking?

  2. Seth Says:

    A lot of companies, GM, for some reason don’t consider spending money on adequate security to be a high priority, they believe it’s a waste of money. When disaster strikes, they find out that the cost of security that could have prevented it would have cost them far, far less. The smart companies spend what they have to in order not to have “incidents”, the less smart companies learn their lesson after the incident, but it doesn’t seem like ING did after the December thefts in Florida.

  3. Michael Says:

    I opened my VA letter today also. I just love the fact that someone was even able to move this type of personal data to a laptop. I deal with CC, bank, HIPAA, and other audits every week. There are many simple ways to protect sensitive data. Allowing the data to be moved to a laptop is one of the biggest issues companies have, and this is also the easiest to correct. With all of the issues over the last several years this should have been figured out a long time ago.

    I bet this is a cause of the lowest bidder defining the rules and getting the job.

  4. Seth Says:

    Most of these kinds of security flaws can be laid at the feet of bean counters, Michael. Of course, for some reason the thrifty souls who won’t allocate adequate funding for the security budget are much less likely to have their “heads roll” over an incident than the security directors, whose hands were tied by budgetary constraints, or by company policies that demand that employee convenience take priority over the “hassles” endured by following adequate security procedures.

  5. infosec Says:

    That all proves that information security awareness training is really important for each computer user!!!

  6. Seth Says:

    Infosec –

    Normally, I don’t accept comments linking to URLs that advertise products, but being in the Protection Industry myself and appreciating the importance of security, and in view of the fact information security protects millions of people outside the domain of those storing their personal information, I will leave this in place pending the results of inquiries I will be making through my own industry contacts as to the quality of your product.