Two months ago we posted about the massive data breach at South Shore Hospital in Weymouth, Massachusetts, “800,000 Reasons Why MFT is Important”.

Well, the drama and the headaches continue.

What originally happened was that computer files containing the personal information of about 800,000 people had been misplaced, possibly lost or maybe even stolen. The information included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, and treatments relating to hospital and home health care visits.

Aspirin worthy.

On September 8th, 2010 Wickedlocal.com reported that “South Shore Hospital initially informed the Attorney General’s Office and the public that it would send individual written notice of the data breach to each affected consumer.”

Aspirin worthy, but the legal and responsible thing to do … that is, until a brilliant idea occurred:

“However, South Shore Hospital has informed the Attorney General’s Office that it does not plan to send individual written notice to affected consumers. Instead, South Shore Hospital has chosen to invoke a provision under state law to notify consumers through the ‘substitute notice’ process, which means rather than receiving individual letters at their homes, consumers who are affected by the breach will be generally notified of the data loss through a posting on South Shore Hospital’s website, publication in newspapers throughout the Commonwealth, and by e-mail for those consumers for whom South Shore Hospital has e-mail addresses.”

So the move here is that, to notify the people whose data they lost, they’ll post the notice in a place where everyone can see it rather than tell each person directly. Isn’t that counter-intuitive?

In a related story on Healthdatamanagement.com, Joseph Goedert reports that:

“Massachusetts Attorney General Martha Coakley ‘has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss,’ according to a statement from her office.”

What are your thoughts on how South Shore Hospital is handling this? Am I the only one reaching for the Anacin?

“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article, gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense William J. Lynn III referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also described it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office, where USB flash drives, removable disk drives and cell phones make it easier than ever for employees to move large files, and harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) the Ponemon Institute published a study of nearly 1,000 recently terminated individuals. The study revealed that 42% of them had used USB memory sticks to take business data and that 38% had sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense William J. Lynn III. The images one can conjure up of storming the “digital beach”, the data security version of those first 15 minutes of “Saving Private Ryan”, are truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read, and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

“Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving, both internally and externally, at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to take these numbers seriously, so consider this tale devine intervention (yes, that’s a play on Paul Shim Devine’s name). It’s the saga of one man getting caught with his hand in the cookie jar, and a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization: the recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the two-cent version. Back in April 2010 “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents,” and as for what they found, Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information. But really, how often is this happening?

“Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had I’ve emailed spreadsheets or word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

“I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
Alleged email written by Paul Shim Devine on Sept. 16, 2008.

OK, that’s one way: randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization stands in terms of these kinds of policies?
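To make that “scan e-mails for suspicious communications” idea concrete, here is an added example (not Apple’s tooling, not anything from the ComputerWorld article or Ipswitch) that runs simple file-movement detection over a constructed mail gateway log. The corporate domain, the list of personal webmail domains and the keyword list (“forecast”, “cost”, “new model”, lifted from the quoted e-mail) are assumptions of the example; the log lines are made up for illustration.

```python
"""Flag outbound mail that looks like company files leaving through personal
e-mail accounts. Added example over a constructed gateway log; the domain and
keyword lists are assumptions, not anyone's production policy."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"          # assumption: the company's own domain
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}   # assumption
# Assumption: the kinds of information named in the quoted e-mail.
SENSITIVE_KEYWORDS = ("forecast", "cost", "new model")

# Constructed sample of a mail gateway log, one message per line:
# timestamp|sender|recipient|subject|attachment names (comma separated, may be empty)
SAMPLE_LOG = """\
2010-09-16T08:02:11|alice@example.com|bob@example.com|Q4 forecast review|Q4_forecast.xlsx
2010-09-16T08:05:43|alice@example.com|alice.home@yahoo.com|spreadsheet for tonight|budget.xlsx
2010-09-16T09:17:02|carol@example.com|buyer@partner.example.net|new model cost sheet|model_costs.xlsx
2010-09-16T09:30:00|dave@example.com|dave1979@gmail.com|lunch?|
2010-09-16T10:44:19|erin@example.com|erin.private@hotmail.com|re: forecast|
"""


@dataclass(frozen=True)
class MailEvent:
    ts: str
    sender: str
    recipient: str
    subject: str
    attachments: tuple


def parse_log(text):
    """Parse the pipe-delimited gateway log into MailEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, attach = line.split("|", 4)
        names = tuple(a.strip() for a in attach.split(",") if a.strip())
        events.append(MailEvent(ts, sender.lower(), rcpt.lower(), subject, names))
    return events


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def assess(event):
    """Return (score, reasons). Only mail leaving the company domain is scored;
    each matching indicator adds one point and one human-readable reason."""
    reasons = []
    rcpt_domain = domain_of(event.recipient)
    if rcpt_domain == INTERNAL_DOMAIN:
        return 0, reasons
    if rcpt_domain in PERSONAL_WEBMAIL:
        reasons.append("recipient is a personal webmail account")
    if event.attachments:
        reasons.append("attachment(s) leaving the company: " + ", ".join(event.attachments))
    hits = [k for k in SENSITIVE_KEYWORDS if k in event.subject.lower()]
    if hits:
        reasons.append("sensitive keyword(s) in subject: " + ", ".join(hits))
    return len(reasons), reasons


def flag_suspicious(log_text, threshold=2):
    """Return [(event, reasons)] for messages scoring at or above the threshold."""
    flagged = []
    for event in parse_log(log_text):
        score, reasons = assess(event)
        if score >= threshold:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"{event.ts} {event.sender} -> {event.recipient}")
        for r in reasons:
            print("   ", r)
```

With the default threshold of two indicators, the sample flags the spreadsheet sent to a Yahoo address, the “new model cost sheet” attachment going to a partner, and the “re: forecast” thread with a Hotmail account, while a plain “lunch?” to Gmail stays below the line. Keyword matching here is plain substring search, so “cost” would also hit “Costa Rica”; a real deployment would want word boundaries, attachment content inspection and an allow-list for legitimate partners.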

“With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?

“Reports are appearing this morning about a major security hole in iTunes accounts linked to PayPal. At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal.”

Erick Schonfeld, on TechCrunch.com, gives us this breaking news on the latest iTunes security breach: “Fraudsters Drain PayPal Accounts Through iTunes”.

We just dealt with something similar back in July.

So, what is Apple doing about it?

In a related article on MercuryNews.com, Dennis Rockstroh reports that Jason Roth, an Apple spokesman, has said:

“Among other new security measures iTunes now requires more frequent re-entry of a customer’s credit card security code. But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately.”

As we asked back in July, we’d love to hear your thoughts on this, and I hate to be the one to say it, but it seems that this summer has been … Apple picking season.

“As more and more of our personal information is collected and stored online and on computers, we need to ensure that the businesses storing this information are keeping it safe and giving us quick warning if it falls into the wrong hands.”
Senator Mark Pryor (D-Ark.), chairman of the Subcommittee on Consumer Protection, Product Safety and Insurance.

Senator John Rockefeller (D-W.V.) and Senator Mark Pryor (D-Ark.) have introduced the Data Security and Breach Notification Act. Its goal is to make any firm that collects and stores personal information responsible for putting “reasonable security policies and procedures” in place to prevent leaks or breaches.

Kenneth Corbin, Associate Editor at InternetNews.com, gives his account of this bill, and what’s happening with it, in this recent article.

It’s interesting that two similar bills have been introduced before, but neither made it past the Senate floor.

With all the threats and breaches we’ve been seeing, coming from outside organizations AND inside them, you’ll want to give Corbin’s article a read and see where your tax dollars (if you’re in the US) are going.

“Estimate how many pieces of sensitive files and data your company has … Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data is well worth the investment.”
Hugh Garber, in a July 28th, 2010 blog post.

Hugh and the rest of the world have been talking about the 2010 Data Breach Report from Verizon Business that was released last week.

One of the many frightening figures given was that “96% of breaches were avoidable through simple or intermediate controls.”

Here’s a bit of a catch-22, though. In a recent article in Computing, Stuart Sumner says that “while technological advances can provide more capable security, they can also often provide opportunities to cyber criminals.”

What can we do?

Here’s where things get … interesting, and it leaves me thinking that perhaps Cyberdyne Systems isn’t such a fictional company after all (yes, that’s a “Terminator” reference; c’mon, “cyborg” is in the title of this post).

Sumner suggests that CIOs can fight back against these data breaches with enforced encryption, reporting and biometric technology, and that “selecting the correct blend of tools to protect the business is key for CIOs today, and encryption and end point security can help.”

The concept and practice of biometric technology are not new to us, and it seems the case can be made that biometric technology is truly becoming a necessary solution for all businesses.

The article is a quick read on what CIOs can do to help fight data breaches, and it makes a motivating case for biometric technology.

In writing this blog post I find myself interested in your thoughts on that, is biometric technology something that your company would benefit from?

“Of the 385 organizations hit with data breaches so far this year, 113 were in health care.”
The Identity Theft Resource Center (ITRC).

Are Dr. Howard, Dr. Fine and Dr. Howard in charge of the health care industry’s data security? You’ll most likely need 113 aspirin after reading this article on eWeek.com by Brian T. Horowitz.

In it Horowitz quotes Jay Foley, executive director of the ITRC, who says that when it comes to data breaches, “hospitals are vulnerable to insider data breaches with the multitude of doctors, nurses, lab technicians, janitors and food service personnel circulating throughout the facility.”

The article also quotes Ipswitch’s very own Frank Kenney, VP of global strategy, who confirms the ITRC’s diagnosis. Frank notes that “health care facilities are not complying with HIPAA (Health Insurance Portability and Accountability Act) and regional government regulations on data privacy.”

As usual, Frank has a way of breaking the issue down to its most honest and simplest point, and he states that “even signing your name in at the front desk in a doctor’s office for all to see is a breach of HIPAA regulations.”

It’s an interesting read that may have you reaching for the Anacin.

Have you ever seen “Runaway”? It’s a 1984 flick starring Tom Selleck as a police officer who specializes in malfunctioning robots. There’s a famous scene where he’s being chased and attacked by electronic spidery spybots.

This scene is actually playing out right under your nose. Think of your data as Tom Selleck and the spidery spybots as … well, spybots.

“The quiet threat: Cyber spies are already in your systems.”

Bob Violino poses the question in a recent article on InfoWorld.com: “Is your company’s data under surveillance by foreign spybots looking for any competitive advantages or weaknesses they can exploit?”

Violino states that “this might sound far-fetched, but such electronic espionage is real. It’s an insidious security threat that’s a lot more common than you probably realize.” He goes on to say that “a growing number of companies are being spied upon electronically by sources from other countries, most notably China. What makes these attacks so troublesome is that their techniques are often undetectable by the usual security tools. Electronic spies try to get into systems without causing disruptions, so they can quietly gather information over a period of time.”

Sounds like an article you should check out, and sounds like a job for Sgt. Jack R. Ramsay.

“Facebook helpfully informs you that “[a]nyone can opt out of appearing here by changing their Search privacy settings” — but that doesn’t help much anymore considering I already have them all (and you will too, when you download the torrent). Suckers!”
Ron Bowes | SkullSecurity.org

It seems lately that when it comes to Facebook I’m noticing two big problems:

(1) My friend Robin is obsessed with Farmville, and with the updates every 5 minutes.
(2) Facebook has no respect for people’s privacy, and 100 million Facebook users’ information has been published online.

Let’s discuss the latter.

Ron Bowes wrote code to scan Facebook’s 500 million profiles for information not hidden by privacy settings. He collected the personal information of 100 million users and posted it online.

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details,” Bowes goes on to say that “If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)”
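The “opted into being searched, like it or not” effect Bowes describes is easiest to see on a small graph. The following is an added example, not Bowes’ crawler and not anything from Facebook or the MSNBC article: it models a crawler that seeds itself from the public directory and follows whatever friend lists it is allowed to read, then reports which profiles that opted out of search were collected anyway. The six profiles and their privacy settings are constructed for the illustration.

```python
"""Model the exposure Bowes describes: profiles that opted out of search are
still reached through the friend lists of profiles that did not. Added example;
the profile graph below is constructed, not real Facebook data."""
from collections import deque

# Constructed sample. searchable: listed in the public directory;
# friends_visible: friend list readable by someone who is not a friend.
SAMPLE_PROFILES = {
    "alice": {"searchable": True,  "friends_visible": True,  "friends": {"bob", "carol"}},
    "bob":   {"searchable": True,  "friends_visible": True,  "friends": {"alice", "dave"}},
    "carol": {"searchable": False, "friends_visible": True,  "friends": {"alice", "erin"}},
    "dave":  {"searchable": False, "friends_visible": False, "friends": {"bob"}},
    "erin":  {"searchable": False, "friends_visible": False, "friends": {"carol"}},
    "frank": {"searchable": False, "friends_visible": False, "friends": set()},
}


def crawl(profiles):
    """Simulate a crawler that seeds itself from the searchable directory and
    then follows every friend list it is allowed to read. Returns a mapping
    name -> how the crawler learned that name and profile URL."""
    discovered = {}
    queue = deque()
    for name, profile in profiles.items():
        if profile["searchable"]:
            discovered[name] = "public directory"
            queue.append(name)
    while queue:
        name = queue.popleft()
        if not profiles[name]["friends_visible"]:
            continue            # name and picture only; nothing further to follow
        for friend in sorted(profiles[name]["friends"]):
            if friend not in discovered:
                discovered[friend] = f"friend list of {name}"
                queue.append(friend)
    return discovered


def opted_out_but_exposed(profiles):
    """Names that are not searchable yet still end up in the crawler's output."""
    return sorted(n for n in crawl(profiles) if not profiles[n]["searchable"])


def with_hidden_friend_lists(profiles):
    """Same graph with every friend list hidden: what the opt-out would have
    needed to cover for it to actually keep a name out of the dump."""
    return {n: {**p, "friends_visible": False} for n, p in profiles.items()}


if __name__ == "__main__":
    for name, how in crawl(SAMPLE_PROFILES).items():
        print(f"{name:6} via {how}")
    print("opted out but exposed:", opted_out_but_exposed(SAMPLE_PROFILES))
    print("with friend lists hidden:",
          opted_out_but_exposed(with_hidden_friend_lists(SAMPLE_PROFILES)))
```

Only alice and bob are in the directory, yet the crawler also collects carol (through alice’s friend list), dave (through bob’s) and erin, who is two hops out and reachable only because carol left her own friend list open. Frank, with no friends in the graph, is the only opted-out user who stays hidden. Hiding every friend list (the last function) is what it would take for the search opt-out to mean what users assume it means.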

Check out this article on MSNBC.com for the full story.

Also, there are some interesting results from a survey by the University of Michigan and Foresee Results, which reveals that Facebook has scored extremely low in the area of customer satisfaction.

According to the study, and this article on Epic.org, Facebook winds up “in the bottom 5% of all measured private sector companies and in the same range as airlines and cable companies.” Epic’s report states that the low scores can be attributed to “privacy concerns, frequent changes to the website, and commercialization and advertising.”

Both articles are interesting reads. Now, if anyone has any advice or thoughts on how to deal with Robin, that’d be greatly appreciated.

“Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address.”
Jeremiah Grossman, founder and CTO of WhiteHat Security

Here’s another new threat to your personal information, and another example of how no company is exempt from security breaches.

According to an article written by Thomas Claburn of InformationWeek: “a flaw in the implementation of Safari’s AutoFill mechanism can be exploited to grab Mac users’ names, street addresses, and e-mail addresses.”

“[The] entire process takes mere seconds and represents a major breach in online privacy,” says Jeremiah Grossman, who believes that “the security flaw may reside in the open-source WebKit engine used by Safari and that the flaw may be present in older versions of Google’s Chrome browser, which also relies on the WebKit engine.”

The article and Grossman’s own blog are worth checking out as it was once all too rare to hear the words “Apple” and “security flaw” in the same sentence.

“We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced, possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere between these 800,000 records being shipped to a contractor for destruction and their actually arriving at that contractor, they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

“We are still searching for those files.”

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

There’s some interesting news regarding a warning that Microsoft gave on Friday (7/16/10) about hackers exploiting a critical unpatched Windows vulnerability.

I read on Networkworld.com that “hackers have been exploiting a bug in Windows ‘shortcut’ files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.”
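Since the bug lives in how Windows handles these shortcut files, it helps to know what one actually contains. The following is an added example, not code from the Network World article, Microsoft or Ipswitch: it walks the fixed header, the target item ID list and the string fields of a .lnk file so you can see where a shortcut found on, say, a USB stick actually points. The sample shortcut is built by the script itself with placeholder item IDs (real shell item data is opaque to this walker and not decoded); the example does not reproduce or detect the exploit, which the article does not describe.

```python
"""Walk the on-disk layout of a Windows shortcut (.lnk) and report what it
references. Added example (not from the Network World article or Microsoft):
the sample shortcut is constructed by build_lnk below, and the item IDs in it
are opaque placeholder bytes, not real shell item data."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits in the ShellLinkHeader that this walker understands.
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order they appear in the file.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def looks_like_shortcut(data):
    """Check the fixed 76-byte header: size field and ShellLink CLSID."""
    if len(data) < HEADER_SIZE:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == HEADER_SIZE and uuid.UUID(bytes_le=clsid) == LNK_CLSID


def parse_lnk(data):
    """Return {'flags', 'item_ids', 'strings'}; raises ValueError on a bad header."""
    if not looks_like_shortcut(data):
        raise ValueError("not a ShellLink header")
    (flags,) = struct.unpack_from("<I", data, 20)
    parsed = {"flags": flags, "item_ids": [], "strings": {}}
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_IDLIST:
        # IDListSize, then ItemIDs (each prefixed by its own size, which
        # includes the 2-byte size field), ended by a 2-byte TerminalID of 0.
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        while pos < end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            parsed["item_ids"].append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end

    if flags & HAS_LINK_INFO:
        # LinkInfo starts with its own total size; skipped here.
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size

    encoding, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    for bit, field in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
            pos += 2
            parsed["strings"][field] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return parsed


def build_lnk(item_ids, strings):
    """Construct a minimal Unicode shortcut for the demo (not a general writer)."""
    flags = IS_UNICODE
    body = b""
    if item_ids:
        flags |= HAS_LINK_TARGET_IDLIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    for bit, field in STRING_FIELDS:
        if field in strings:
            flags |= bit
            encoded = strings[field].encode("utf-16-le")
            body += struct.pack("<H", len(encoded) // 2) + encoded
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le,
                         flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed sample: a shortcut on a removable drive that launches a program
# with arguments and borrows its icon from a system library.
SAMPLE_LNK = build_lnk(
    item_ids=[b"\x1f\x00constructed-root", b"\x31\x00constructed-folder"],
    strings={
        "relative_path": r"..\tools\update.exe",
        "working_dir": r"E:\tools",
        "arguments": "/silent",
        "icon_location": r"%SystemRoot%\system32\shell32.dll",
    },
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(f"flags=0x{info['flags']:02x}, {len(info['item_ids'])} target item ID(s)")
    for field, value in info["strings"].items():
        print(f"{field:14} {value}")
```

Point `parse_lnk` at the bytes of any real shortcut and the flags tell you which optional sections are present, while the string fields show the relative target, working directory, arguments and icon source without ever resolving the shortcut on a live system. Anything that needs to be decided about a suspicious shortcut (for example, whether the target or icon it names is something you expected on that drive) is then a judgment on plain strings rather than on a double-click.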

Also in the article, Dave Forstrom, one of the directors in Microsoft’s Trustworthy Computing group, said:

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware.”

If you’re unfamiliar with Stuxnet, it’s a “clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.”

Siemens, according to this Computerworld article, sees this virus as “new and highly sophisticated”, and in the same article there’s a disturbing quote from a large utility IT professional:

“This has all the hallmarks of weaponized software, probably for espionage,” said Jake Brodsky, who asked that his company not be identified because he was not authorized to speak on its behalf.

In the end, I think that Chester Wisniewski, senior security advisor at Sophos, is right on when he perfectly summed up the virus with one word. He simply called the threat “nasty”.