ESET Threat Blog

Archive for the 'data leakage' Category

Is it my Business?


Monday, July 27th, 2009

Do you ever use a public computer? Do you realize that potentially everything you type and read may be public information?

I was checking a hotel business center computer this weekend. I found some interesting stuff. A military document for a local air force base. It wasn’t classified. The confidential test results for a semi-synthetic lubricant, the sales figures for a medical supplier and an aircraft flight log. On the personal side I found a Yahoo email message with a purchase confirmation that included the person’s name, address, email address, a link to their online purchase account and what they bought. There was a letter to “one of the other women”. A picture of a cute young girl she took with her cell phone in a fitting room was amusing. At least she was fully clothed.

When you use a business center computer, a library computer, or any public computer it is safest to assume that all you type and read is public information. For that reason I never use such computers for banking, email, VPN access, or anything with a password.

Anything you do on a public computer is everybody’s business!

Randy Abrams
Director of Technical Education

Public Health and the BCS


Monday, July 20th, 2009

SC Magazine included an interesting item today on security and confidentiality in the UK’s National Health Service. Anders Pettersson has suggested that the NHS is too busy to be harassed over data protection/data leakage issues, and that the security industry should "come together to educate NHS Trusts and other organizations on simple measures to protect data."

That sounds fair enough, given the constant emphasis in the media on leakage incidents from the NHS and other public sector organizations, but I think it stems from a very simplistic perception of both the NHS and its security problems. There’s a very English perception of the NHS either as a monolithic organization, or as a collection of loosely coupled hospitals and doctors’ surgeries. Actually, it’s both and neither. (For a start, there are a great many people working for the NHS who don’t work in hospitals and surgeries: there’s an immense support system that most people are not really aware of.)

The NHS is actually more like a disparate collection of departments and subsidiary organizations linked by a more-or-less common infrastructure, and itself subsidiary to the Department of Health and interfacing on several levels with local and central government (and, indeed, with itself: your view of what constitutes the NHS can be quite different according to which of the countries that make up the UK you happen to be in.)

And it’s pretty big. Figures like 1.25 to 1.4 million employees, around three million network nodes and 9,000-10,000 sites are sometimes quoted, and comparisons with the Chinese army and the Indian railway system are often made. So educating all those people at all those end sites is not a matter of simply writing a pamphlet and holding a couple of seminars. Is that the job of the security industry, though?

Well, I do believe we have a responsibility to make good information available and raise the general level of education. But I happen to know that the NHS is not fully staffed with IT illiterates. In fact, there was some pretty solid security expertise in the NHS earlier in this decade, both in the centre and at many of the end sites, though some of the effectiveness of those people was reduced by corporate dogma, even then.

As the new millennium wore on, it appeared to be taken as read in the corridors of power that the NHS should not be involved in hands-on security, at any rate as a central function. Instead, a model came in whereby end-site security was essentially the responsibility of end sites, responsibility for outsourced services was with the service provider, and the Information Governance team at NHS Connecting for Health would essentially concentrate on the security of central applications.

One of the by-products of this approach is that NHS organizations of any size are supposed to have specialized staff such as Data Protection Officers, who would deal with the requirements of the Data Protection Act and related issues, and Information Governance Managers who tend to be tasked with the whole range of security management. If some of them fail to convey messages about security and data protection to everyone they work with, is that because they’re naive incompetents, or is it because they’re struggling to keep up with the inconsistent demands imposed from above? (I mean national government, not just the next layer of local bureaucracy, though I’m sure it’s possible to find both spectacular ability and naive incompetence at all levels…) 

Here’s a naive thought: perhaps when you outsource a service or devolve responsibility back to an organization at the perimeter, that’s not the same as absolving yourself of responsibility. If end sites have not been adequately prepared for devolution, maybe that transition hasn’t been entirely their fault.

Curiously enough, there’s a recent initiative by the British Computer Society (BCS) that may offer some hope. The Personal Data Guardianship Code is aimed squarely at changing the culture of organizations as regards the handling of personal data, and addresses many of the issues Anders Pettersson wants addressed, without necessarily delivering the public sector into the hands of the security industry. Why is that a good thing? Because while most of us do have a sense of morality and conscience, and while we certainly can come together in the public interest (AMTSO is a pretty good example of that, though I can’t deny that the industry also benefits from good testing), we’re not always impartial. Having looked through that document, I think it would give any organization in the UK (not just in the health service) a good starting point for educating its users. Indeed, it will work for organizations outside the UK and Europe (many European countries have similar legislation to the Data Protection Act, based on EC directive 95/46/EC) because it focuses on general principles, not on a single technical solution.

That’s where responsibility starts, and that’s the first step towards effective security.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Data Breaches – It’s All Greek to Me


Tuesday, July 14th, 2009

The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", is now in its fourth annual edition. The data was obtained directly from 997 respondents who were asked whether or not they had experienced a data breach within the past 12 months. I don’t know about you, but 85% is a bit too rich for my blood!
Below is a sampling of the key findings from the report:
  • Data breaches continue to be a huge problem: Eighty-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let-up in breaches; this is consistent with the 84 percent sited [sic] in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009, up from 13 percent in 2008.
  • More than 70% have fully executed or just launched a data encryption strategy in their organization. Once again, data encryption strategies are being implemented across a majority of the respondents. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
  • Encryption of data on mobile data-bearing devices used by employees is very important or important: more than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
  • On average a company will pay $202 per record compromised, and, in total, an average of $6.6M should they experience a data breach.
As with other security-related topics, there’s the “So what does this mean?” question. First of all, it’s costing companies more to be breached – period. This is a very good thing because it’s our information that’s been getting lost or stolen, not theirs. Secondly, organizations are taking a much closer look at how to best secure data in all of its phases (at rest, in motion and in use). It’s a very positive move in the right direction. If you look at the latest numbers regarding personally identifiable data that have been involved in breaches (within the U.S.) you’ll see an interesting crossing-over point: there are now more records that have been exposed in data breaches than there are users on the internet. Let’s look at this a little closer:
  • Domestic population (census.gov): 307M
  • Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
  • Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)
This clearly indicates that it’s not being on the Internet that exposes a person’s information – it’s the tremendous amount of information stored or transmitted in clear text that is problematic. I’m sure that if I cross-reference these numbers with the Bureau of Labor Statistics’ numbers, we’ll find an even more interesting correlation. Bottom line, 262M is not that far off from 307M. Will some part of every American’s personal information be involved in a data breach in the next few years?
With populations growing globally, there will always be the need to store information about the ever-increasing amounts of people. What is required, though, is to make this information worthless in the event of a breach – whether that breach originates from an outside entity or from the loss of a portable computing or storage device.
It’s no mystery to many readers of this blog that the root word for cryptography is the Greek word Kryptos – which means “hidden”. It appears that many years ago, the early Greeks may have had the answer to what plagues us today – the glut of personally identifiable information involved in data breaches. Encrypting (hiding) data is one very real approach to de-monetizing data breaches. To cover this point in its entirety we’d have to open another discussion on key management, but that’s material for another blog (or white paper).
The full Ponemon report is available at: www.encryptionreports.com/.
Jeff Debrosse
Sr. Director, Research
 
 

California Healthcare Breaches


Saturday, July 11th, 2009

Sadly, I’m now back in not-so-sunny England, but one of my colleagues forwarded me an item about security breaches reported by healthcare organizations. On January 1st it became mandatory in California for such organizations to report incidents where non-anonymized patient data may have been intentionally or unintentionally disclosed to someone unauthorized. In the first five months, more than 800 incidents were reported by organizations and patients.

While most of the incidents reported so far seem to have been incidental (such as faxing documents containing personally identifiable patient data to the wrong number), there are one or two reports that have a much higher profile. According to Kim Zetter’s article in Wired, 23 hospital workers accessed, without authorization, the records of a single mother on public assistance who gave birth to octuplets, while the actress Farrah Fawcett filed a complaint before her death accusing employees of the UCLA Medical Center of leaking information about her to the National Enquirer.

Zetter also notes that healthcare providers in California have criticized this legislation for being “too rigid”. Perhaps that’s not surprising, since a breach can cost an organization or individual up to $250,000. However, it seems fairly mild from a European perspective.

There, all personal data (not just medical data) are subject to legislation like the UK’s Data Protection Act based on an EC (European Community) directive (95/46/EC), which every EU member state has used as the basis for national legislation. The UK Act, for example, defines eight Principles that data controllers are required to abide by. However, there is also a great deal of healthcare-specific legislation to which both private and public sector organizations are required to conform, some of which also has a direct impact on privacy and data control. (In the UK, most healthcare comes within the domain of the National Health Service, which in turn is controlled by the government’s Department of Health.)

The NHS Code of Practice on Confidentiality published by the Department of Health actually defines three main classes of data:

  • Patient Identifiable Information includes information that identifies an individual patient directly or indirectly.
  • Anonymised Information has had data removed that could be used to identify the individual.
  • Pseudonymised Information includes data keys (unique references such as a patient number or code) that cannot be ascribed directly to an individual in the context of that specific data, but which can be used by authorized persons to access personal information where necessary from other data sources.

The many recorded instances of data breaches within the NHS and other government organizations show that there’s a lot more to data protection than classifying data. However, the implementation of such classifications, in combination with measures for controlling who has access to information once it has been classified, can go a long way towards reducing the impact of security breaches.
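The three classes map naturally onto code, and the access-control point above is where the difference between anonymised and pseudonymised data shows. The following Python is an added example, not part of the post and not taken from the NHS Code of Practice: it strips direct identifiers to produce anonymised records, derives a pseudonym from the patient number with a keyed hash so that one patient’s records stay linkable, and keeps the pseudonym-to-patient mapping in a separate store that answers only to an authorized role. The field names, the sample records, the role name and the key are all constructed for the example.

```python
import hashlib
import hmac

# Field names are assumptions for this example; the three classes follow the
# NHS Code of Practice definitions quoted in the post.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "address", "postcode")
INDIRECT_IDENTIFIERS = ("date_of_birth",)   # identifies in combination with other data

# Constructed sample records: fictitious patients, fictitious NHS numbers.
SAMPLE_RECORDS = [
    {"nhs_number": "0000000001", "name": "A. Example", "address": "1 Test Street",
     "postcode": "LS1 1AA", "date_of_birth": "1975-04-12",
     "diagnosis_code": "E11", "visit_date": "2009-05-02"},
    {"nhs_number": "0000000001", "name": "A. Example", "address": "1 Test Street",
     "postcode": "LS1 1AA", "date_of_birth": "1975-04-12",
     "diagnosis_code": "I10", "visit_date": "2009-06-15"},
    {"nhs_number": "0000000002", "name": "B. Sample", "address": "2 Test Street",
     "postcode": "LS1 1AB", "date_of_birth": "1982-11-30",
     "diagnosis_code": "J45", "visit_date": "2009-06-20"},
]


def classify(record):
    """Which of the three classes a record falls into."""
    if any(field in record for field in DIRECT_IDENTIFIERS + INDIRECT_IDENTIFIERS):
        return "patient_identifiable"
    if "pseudonym" in record:
        return "pseudonymised"
    return "anonymised"


def anonymise(record):
    """Anonymised Information: identifying fields removed. Date of birth is
    coarsened to the year, since a full date can identify indirectly."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in INDIRECT_IDENTIFIERS}
    if "date_of_birth" in record:
        out["birth_year"] = record["date_of_birth"][:4]
    return out


def make_pseudonym(nhs_number, secret_key):
    """Keyed hash of the patient number. The same patient always gets the same
    pseudonym, so records stay linkable, but the number cannot be recovered
    from the pseudonym without the key."""
    return hmac.new(secret_key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


class PseudonymKeyStore:
    """Holds the pseudonym -> patient number mapping separately from the data
    and releases it only to authorized roles (the role name is an assumption)."""

    AUTHORIZED_ROLES = frozenset({"records_officer"})

    def __init__(self, secret_key):
        self._secret_key = secret_key
        self._mapping = {}

    def pseudonymise(self, record):
        """Pseudonymised Information: the record keeps a data key that cannot be
        ascribed to an individual without this store's mapping."""
        pseudonym = make_pseudonym(record["nhs_number"], self._secret_key)
        self._mapping[pseudonym] = record["nhs_number"]
        out = anonymise(record)
        out["pseudonym"] = pseudonym
        return out

    def reidentify(self, pseudonym, requester_role):
        """Only authorized persons may go back from a pseudonym to the patient."""
        if requester_role not in self.AUTHORIZED_ROLES:
            raise PermissionError(f"role {requester_role!r} may not re-identify data")
        return self._mapping[pseudonym]


if __name__ == "__main__":
    store = PseudonymKeyStore(b"constructed-demo-key-keep-elsewhere")
    for rec in SAMPLE_RECORDS:
        print(classify(rec), "->", classify(anonymise(rec)),
              "/", classify(store.pseudonymise(rec)))
```

The design point is the separation: the pseudonymised dataset can be shared with analysts who need to follow one patient across visits, while the key store (and the HMAC key) lives with the people the Code calls authorized persons. A breach of the dataset alone exposes no patient number, and a different key store produces unrelated pseudonyms, so two organizations cannot link their datasets unless they deliberately share the key.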

Strict legislation may be irksome, but sometimes you just have to balance an organization’s aversion to the risk of paying large fines against the need to protect the privacy of the individual.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Threatblog notifications: http://twitter.com/esetresearch
White Papers Page: http://www.eset.com/download/whitepapers.php

Go Phishing with the city of Bozeman, Montana


Monday, June 22nd, 2009

The City of Bozeman, Montana effectively joined the ranks of phishers when they asked job candidates for their usernames and passwords for social networking sites that the applicant belongs to.

In a report at , after considerable outcry the city rescinded its mindless policy.

To begin with, the city was asking applicants to breach their terms of service with the social networking sites that require passwords and account access to be kept confidential. The city went further in promoting exceptionally poor security practices. You don’t ask people for their usernames and passwords.

The city simply rescinding the policy falls a million miles short of doing the right thing. If the city is going to act responsibly, it will immediately inform the social networking sites which users’ accounts were compromised by the city collecting the usernames and passwords, and the social networking sites will immediately force a password reset. Additionally, the city should proactively inform all applicants whose passwords were collected that they should change their passwords, as their accounts are at risk from insiders. It is not unheard of for employees of governments and private organizations to abuse data.

With the massive amounts of data being lost and the low level of security expertise demonstrated by the city in even collecting this information, all applicants who provided passwords to the city must assume that the city will lose their data and criminals will have their usernames and passwords.

Upon notifying the social networking sites and affected applicants, the city needs to purge the data from their systems and their backups. It is an unacceptable and completely ignorant security risk for the city to have collected the data in the first place, and then to keep the data.

Evidently, some in the government of the city of Bozeman think that civic duty is the import tax paid on a Honda automobile.

Randy Abrams
Director of Technical Education
ESET LLC

Data Protection: not a priority?


Tuesday, June 9th, 2009

Data protection in the UK and Europe may mean something a little different from the way most Americans would understand it. The UK’s Data Protection Act is, like other national legislation in EC countries enacting the EU Data Protection Directive 95/46/EC, concerned less with the security mechanisms you use (or don’t use) to protect your data than with how you handle other people’s data.

By handle, I don’t just mean protection in terms of securing it, but whether you meet the requirements for processing and using it appropriately, as set down in the eight principles that are the backbone of the Act. So it was interesting and a little disquieting to read an item that claims that SMEs (Small and Medium Enterprises) routinely breach the Data Protection Act. That assertion is based on the results of a survey of more than 500 businesses carried out on behalf of the BSI (British Standards Institution) which found that:

  • Nearly half thought they’d breached the act more than once
  • 18% weren’t sure whether they had
  • 15% weren’t "confident" that their data sharing was compliant with the DPA, and about 1/3 of them shared it anyway.

BSI have just launched a new British Standard (BS 10012 – "Data Protection. Specification for a personal information management system."), so it’s not surprising that the survey reflected concerns that the new standard is presumably meant to address. (At £100 a shot I’m not in a hurry to buy my own copy to see how well it does that!) Still, the results do seem to back up a claim by Gordon Wanless, Chairman of the Data Protection Forum, that organizations are finding the DPA too complex to comply with effectively.

From the other end of the telescope, there have been instances where a misunderstanding of the DPA has led to problems and even tragedies because an organization invoked the Act inappropriately, through misunderstanding (or self-protection, on occasion).

I don’t think complexity is the only issue, though. Further findings were that:

  • 65% provided no Data Protection training to staff
  • Nearly half had no Data Protection Officer or similar responsible for data protection

These are serious shortcomings if found in organizations that process significant amounts of personal data, and there aren’t many organizations in the private or public sectors that can make that claim. How many organizations have no clients (customers, patients, passengers, whatever) that ever give them sensitive data, and that’s without considering internal issues such as payroll and other employee records? If you take the legislation seriously, you don’t throw up your hands and say "it’s too complex for me to understand": you buy in expertise or you send people on courses so that they can come back and pass the information on.

Perhaps the real answer lies with the 18% who thought that "data protection is less of a priority in the current economic climate." The high proportion of respondents who seem to underinvest in data protection measures may not all use that particular (rather unconvincing) rationalization, but I’m sure they’re influenced by the expense of full-strength compliance.

That’s understandable (though not defensible) in the current climate. But as even the BBC seem to have recognized, belatedly, with regard to the Computer Misuse Act, compliance with the law is not optional, whether or not you agree with specific legislation.

If people can persuade themselves that it is optional, I’m not sure that a new standard intended to reduce the legal complexities is going to help as much as BSI think it will.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

T-Mobile Data Breach – Or Not…


Monday, June 8th, 2009

Just last Saturday, June 6th, there was a new posting on the Full Disclosure mailing list from a source that calls themselves pwnmobile (at least that’s part of their email address). In the post, pwnmobile claims they have harvested information from T-Mobile USA’s servers. The data they claim to have acquired is:

  • various databases
  • confidential documents
  • scripts
  • applications

Interestingly enough, the poster of the message stated that they supposedly approached T-Mobile’s competitors, but there was no interest, and now the data will be sold to the highest bidder. T-Mobile USA, the subsidiary of Deutsche Telekom AG, is currently investigating this claim and, if it is found to be true, will contact their customers according to breach notification laws. T-Mobile USA’s 32.8 million contract customers make up 81% of their total customer base – add to that 36,000 employees. If there truly was a breach of this magnitude, then depending on the findings regarding the source of the breach, it could be costly for the carrier.

So far, the only evidence pwnmobile has offered of breaching T-Mobile USA’s systems are system logs that could have been copied by one or more employees or contractors working for the carrier. This would not indicate a data breach by any means and could simply be a ploy to “take the money and run.”

The pwnmobile safe-mail email address is a good place to start in discovering the identity of the person or group that made the post. According to safe-mail, “We can access data and/or delete an account *only* according to the Terms and Conditions in the Agreement.” Those terms clearly state:

“You may use Safe-mail in ANY legal way for your personal, business or other needs.”

The terms also state:

“You may not use Safe-mail in a way that is threatening, harmful, or invasive of the rights of other; for spamming, chain letters, pyramid schemes, junk mail, unsolicited advertising or bulk e-mail; or otherwise in a way that is damaging, offensive, or that creates a nuisance. Disguising the origin of transmitted content is prohibited. You agree to abide by all laws and regulations applicable to this agreement and use of the e-mail system. This agreement is made under and shall be construed according to the laws of the State of Israel and Israel’s courts will have exclusive jurisdiction over any dispute related to the system or this agreement.”

With increased international collaboration regarding cybercrimes, whether they are committed across borders or within a single country, the pressure is on for the criminals. The old adage, “You can run, but you can’t hide” is slowly, but surely, starting to make more headway.

Jeff Debrosse
Research Director

NHS: healthcare security and national insecurity


Wednesday, May 27th, 2009

I really ought to be concentrating on some writing deadlines, but I couldn’t ignore this item, flagged by Graham Cluley, Sophos blogger-in-residence and karaoke star. (I have to say that because I was rather rude about his singing at Infosec last month.) Graham and I both live in the UK, so the state of health of our National Health Service (NHS) is rather important to both of us.

Graham’s blog concerns the news that the UK Information Commissioner, whose office is concerned with such issues as data protection, privacy and freedom of information, has taken action against 14 NHS organizations that breached data protection legislation in some way, resulting in the loss or potential exposure of personal data.

The BBC reported that "between January and April this year there were 140 reported security breaches within the NHS – more than from central government and local authorities combined," while the Independent claims that the number of security breaches reported was only slightly less than the total number of breaches reported in the private sector. But perhaps we should get a little perspective here. Even in the UK, there is little understanding of what the NHS is, and how it works.

A great deal of NHS (and other public sector) functionality has been farmed out to private industry in the hope of cutting costs (yeah, right) and transferring risk. (Unfortunately, you can only transfer risk if the other party is prepared to accept it.) A significant number of press reports about data leakage in the public sector have taken little account of the involvement of private contractors and fuzzy interfaces with other groups such as local government, the prison service and so on. Nor is it generally realized that the NHS in general is subject to a degree of scrutiny that simply doesn’t happen in the private sector, or even in the more secret nooks and crannies of the State. Who really believes that the incidents reported to the Information Commissioner’s Office represent more than a fraction of all the data leakage incidents that take place in an era where massive databases can be carried back and forth on a DVD or a thumb drive?

The NHS isn’t one monolithic organization: it’s an "umbrella" directly employing (last time I checked) well over 1¼ million people in many thousands of semi-independent organizations, subject to strict budgetary and administrative controls imposed from central government via the Department of Health. The whole is loosely tied together by central networks and systems where some security functions such as messaging security are administered centrally (albeit by proxy: very little hands-on security is administered "in-house" in Leeds and Whitehall), but the local organizations that make up the bulk of the Service were told several years ago that they were responsible for their own local security and central guidance was withdrawn, or reduced to generic policy statements.

There does seem to have been some softening of the "you’re on your own and it’s your fault if it goes wrong" position: for instance, a centrally negotiated disk/media encryption solution became available some time ago which should have been deployed by now and may have mitigated the potential damage from some of those 140 breaches, but who knows?

However, the real issues here have little to do with security and everything to do with politics, the media, and the psychology of society. NHS and other public sector sites have fallen victim to the electioneering bluster of politicians of all parties, the media thirst for drama and bad news, and public disillusion with a government that has unaccountably failed to return England to a golden age where prescriptions were free, banks didn’t crash, most adults had a job, no-one had heard of AIDS or MRSA, and the Beatles were still together.

There is certainly a lot wrong with NHS security, and some of those million+ people have made massive blunders, but the Service still employs a great many competent and motivated people who don’t deserve to be treated as a political football and national scapegoat by a government and society that’s still struggling with the difficulties of online culture and finding its own place in the modern world.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Confused about Conficker?


Friday, January 16th, 2009

CNN reported that there is a new sleeper virus out there: http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

There is nothing sleepy about the Conficker worm; it is wide awake and looking for people who are asleep at the security wheel.

CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that “it is not very serious in terms of what it does. So far it doesn’t try to steal personal information or credit card details.”

Huh? Ok, I’ll follow suit… Conficker could allow hackers to rig elections and shut down critical power and communications infrastructure, but it doesn’t.

What Conficker could allow hackers to do is truly as irrelevant as it gets. The conditions that allow Conficker to spread mean that any semi-skilled hacker or malware author can do the same and much worse with complete and total impunity.

Conficker was one of the first worms to exploit a fairly recent and serious security vulnerability in Windows (MS08-067). Conficker doesn’t stop there, though: it is also able to guess passwords set by people who do not understand security (think Twitter admin). Yes, Conficker can guess weak passwords. Conficker also exploits autorun, a vulnerability that Microsoft should have patched a long time ago, but MS insists that auto-infection is a feature. Companies that make digital photo frames, MP3 players, GPS systems, and other assorted USB devices have really embraced the auto-infect technology too!!!

To Microsoft’s credit, most of the infections are coming from the corporate space. Why is this to Microsoft’s credit? Because it means that Windows Update is working pretty well in homes, where it is usually allowed to work.

For businesses this is a dismal finding. This means that standard security basics are not being enforced. There is really sobering news here. Perhaps businesses are not investing in security. An IT person needs some budget and time to do his or her job. Maybe businesses do not know how to evaluate competent security professionals to put in charge. “We needed time to test” is not an excuse for not having deployed the patch for MS08-067. If there is a legitimate reason for not having deployed the patch, then there are many other layers of defense that should be in place for protection.

Conficker should be a complete non-story, and actually it is not the story. The real story is that people are still not doing the basics. Keep your systems patched, keep your applications patched, and require and use strong passwords.

Randy Abrams
Director of Technical Education

HIPAA is not privacy


Tuesday, January 13th, 2009

Many people in the US associate HIPAA with the rules required to protect medical data. It actually is a lot more than that, but the HIPAA laws do require some minimal standards for medical providers.

I recently came across an example of where HIPAA is ineffective. The medical providers are required to protect your data, but they are not required to allow you to protect your data!

I have vision insurance through a company called VSP (www.vsp.com). To set up an account I needed to create a user name and password. So, I created a great password and was promptly told I could not use it because it contained “special characters”. That isn’t a smart approach to security, but I know I can overcome these restrictions by using a long password. I decided to use the password “VSP Security really sucks”. The password was rejected, not because their security does not suck, but because I can’t have spaces in the password. “vspsecurityisstupid” was a perfectly acceptable password, but I had to change it because I just posted it on a blog.

Sometimes you really have to take security into your own hands. If you can’t use special characters then it becomes very important to use a very long password.

Next time I’ll write about a popular social networking site with stupid password requirements.

There is a reason that some sites don’t allow special characters. It requires more security work. The special characters can be a security vulnerability for people who do not know how to use databases securely. More on that another time.

Randy Abrams
Director of Technical Education
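Both points in this post, that a long passphrase with spaces and punctuation should be welcome and that sites ban special characters because of insecure database handling, can be shown in a few lines; the weak-password point from the Conficker post above fits the same example. The following Python is an added example, not code from the post or from VSP: the policy checks length and a small deny-list rather than the character set, the password is turned into a salted PBKDF2 hash before anything is stored, and the database statements are parameterised, so no character the user types is ever interpreted as SQL. The length threshold, the deny-list, the iteration count and the table schema are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Policy assumptions for this example: length matters far more than which
# characters are allowed, and the most-guessed passwords are refused outright.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}  # constructed, tiny
PBKDF2_ITERATIONS = 100_000


def check_password_policy(password):
    """Return the reasons a password is rejected (an empty list means accepted).
    Spaces and special characters are deliberately allowed: they never reach SQL."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower().replace(" ", "") in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_user_db():
    """In-memory user table (constructed schema for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)")
    return conn


def register(conn, username, password):
    """Apply the policy, then store only the salt and hash. Returns the policy
    problems, so an empty list means the account was created."""
    problems = check_password_policy(password)
    if problems:
        return problems
    salt, digest = hash_password(password)
    # Parameterised statement: values are bound as data, never spliced into SQL text,
    # so quotes, semicolons or spaces in the username are harmless. The password
    # itself never touches the database at all, only its hash does.
    conn.execute("INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
                 (username, salt, digest))
    return []


def verify(conn, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, digest FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = open_user_db()
    for name, pw in [("alice", "VSP Security really sucks"), ("bob", "bob"),
                     ("carol", "O'Brien's \"quoted\" pass; word")]:
        print(name, "->", register(db, name, pw) or "registered")
    print("alice verifies:", verify(db, "alice", "VSP Security really sucks"))
```

The character restriction the post complains about buys nothing here: because the statement is parameterised and only a hash is stored, a password containing apostrophes, double quotes, semicolons and spaces is handled exactly like any other. What the policy does refuse is the short and the common, which is the class of password Conficker was guessing.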