Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable.

Unfortunately, that contribution was a breach notification letter[pdf] addressed to me! Since I now have some skin in the game, I figured I’d use the opportunity to take a close look at this incident and see what can be learned from it.

Who sent the letter, and how do I reach them?

Let’s start with the letter itself. While it identifies the data owner (“EHP”, an emergency room practice I had patronized), it provides no return address, and the letter is unsigned. Unsurprisingly given this opacity, the envelope return address is a post office box. While a toll-free number is provided, this is a requirement of many state breach laws, and repeated calls to the number resulted in my being placed in an ACD queue, rather than being routed to a human being. So far, it looks to me like they’re trying to ensure that all communication regarding this issue is either squelched by the magic of painful on-hold music, or diverted into a call center. In particular, there seems to be no enthusiasm for written correspondence.

What was exposed, and how?

Now let’s consider the nature of the exposed data. According to the notification letter, a hard drive was stolen from a 3rd party service provider (Millennium Medical Management Resources). That hard drive contained “unencrypted copies of records with health and financial information about [me]”. Furthermore, the service provider

…believes the hard drive contained personally identifiable information about EHP patients, including name, address, phone number, date of birth, and Social Security Number and, in some cases, other information such as diagnosis and/or diagnosis code, types of procedure and/or procedure code, medical record number, account number, driver’s license number, and health insurance information.

Surprisingly, the letter does not say that “the exposure appears to be the work of criminals interested in the hardware” or other such language often used to suggest that crooks don’t go after data. This even though the police report notes that the “suite [was] in disarray”. Kudos to EHP for this. And kudos to the Westmont, IL PD for handling my FOIA request same day. I understand they received literally hundreds of requests for this report. Anyone who handles a dramatic, unexpected increase in work so cheerfully deserves praise.

As to what was stolen, the notification letter — seemingly drafted by an attorney — states what the service provider believes, not what the service provider knows. This suggests there is some question as to what precisely was on the unencrypted drive. Clearly, though, health and financial information are involved, suggesting that this breach is subject to HITECH and HIPAA provisions, as well as to myriad state breach laws. Reading on, this is further reinforced, when EHP says they “…will report this security breach to the Office of Civil Rights of the U.S. Department of Health and Human Services.” Such a report is required by HITECH when more than 499 persons have been affected by a breach, which establishes a lower bound for the likely number of affected individuals in this incident. (In the few days I have been composing this blog post, the report has appeared on HHS’s web site. 180,111 folks impacted by this one. Ouch. Why not put this in the letter to me, if it will be one mouse-click away anyhow?)

How long did notification take?

HITECH requires that notification occur within sixty days of the discovery of the breach. This breach was discovered March 1st. The letter is dated April 30. I wonder if the delay would have been longer, were it legally permissible?

How will future incidents be prevented?

According to the letter,the service provider has

…implemented new and improved technical, physical, and administrative security measures to prevent future thefts and security breaches, including encryption of electronic personally identifiable information stored on portable storage devices. Millennium will also take additional steps to further secure patient information.

Meanwhile,

EHP is carefully monitoring these security measures to ensure that they meet regulatory requirements and appropriately secure information about its patients.

With a letter such as this, which undoubtedly was closely crafted by people who pay attention to word choice, it seems fair to read it as attentively as it was written. An admittedly cynical interpretation is that this “careful monitoring” is a new thing for EHP. After all, they didn’t say they would “continue to carefully monitor” or would “more carefully monitor”. As to what “technical, physical, and administrative” measures Millennium might be adding, who knows? It’s hard enough to audit ones own service provider. Knowing what somebody else’s is doing is harder still.

So what can I do?

The letter concludes with sections which roughly follow the guidelines provided by various sample breach notification letters. This is impressive. After reading many notification letters, I’ve come to expect some soft-pedaling of the risk of identity theft. This one does not do that. Again, kudos.

Closing Thoughts

So this has been a long blog post about one incident and one letter, and not exactly a man bites dog situation either. Apologies. I think two things are interesting about this particular letter:

  1. For matters that pertain to breaches generally rather than to this one specifically, it was straightforward, clear, and reasonably complete. The advice about what to do, how to interact with credit bureaus, when to notify law enforcement, etc., was all sound, with little or no “spin”.
  2. With respect to the details of this specific incident, the letter was more circumspect, with — to my eyes — more parsing of words.

Unsurprising, perhaps, but (I have not done a content analysis to verify this) I wonder how typical the openness would have been three or four years ago. Perhaps, if California’s SB 1166 is signed by the Governor (rather than vetoed, as was a previous version), this greater transparency will extend to incident-specific details as well. I don’t see the harm in it. I’ve already filled in the blanks with what I think really happened to my information. There isn’t too much EHP could say that would make me feel much different about their vendor management program, or about the degree of care Millennium evinced here, so they should just say it.

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants

JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JCPenney chain was one of Gonzalez’s victims, even though JCPenney’s media representatives were denying it.

and

[The judge said] both retailers should have announced their involvement from the start, that consumers had the right to know. He said he would not provide the companies “insulation from transparency.” The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.”

Wired picked up the story and wrote:

It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.

Biggest Breach Ever

Precision blogging gets the scoop:

You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source of the leak is unclear. It may have come from a renegade reindeer, or it could be the work of a clever programmer in the Ukraine. Either way, it’s a terrible black eye for Santa. Arweena promised that in the future, access to this database would be restricted on a “need to know” basis. And you know who that means!

Let’s see if customers really change their behavior. I know which way I’m betting.

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

experian-direct.jpg
Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers I sit in.

I suppose Publius isn’t completely blameless, but the only thing I’d criticize him for is his taste in names. “John J” would have been cuter, and heck why not just use “Jim Madison”?

However, the particulars aren’t really important. What’s important is the issues of pseudonymity, and so on. So I will move on to those.

Let’s get something straight from the start: pseudonymity and anonymity are not the same thing. I feel like it shouldn’t need constant repeating, but hey, if law professors can’t get it right, how can we expect other people to get it right? A pseudonym is an identity. It is an identity that is earned, because you don’t get to use any of your previous reputation. You’re starting from zero, especially when blogging.

There are many reasons people use a pseudonym. Publius did it because he’s a reasonably young law professor and has heard that there can be tenure issues for controversial blogging.

Maybe. If what you write isn’t very good, there’s a low cost to it, personally. But if what you write is good, then ironically, being known to be a pseudonym is better than the pseudonym itself. Mark Twain, Voltaire, and are better known than their so-called real names. Think of all the great actors and musicians who are known far better by their stage names.

This is why outing a pseudonym is a two-edged sword. It will likely irk the person using a pseudonym, but it’s less likely to hurt them, especially if they’re reasonably good. John Blevins is probably not going to have tenure problems, especially now that Whelan outed him. Ironically, he’s probably better off for having been outed than not and part of that is who outed him.

Well-known personages who are irked by pseudonymous writers may think they’re being attacked by some anonymous little nobody who is hiding, but no, they’re being attacked by an identity that’s just not easily tied to some SSN. The power relationship is such that the better-known person is unlikely to look good. Whelan certainly hasn’t come out on top on this one. While pseudonymity is somewhat controversial, it cuts across political lines and some of the most thoughtful criticism of Whelan comes from his admirers. And in the future, everyone in the law biz who remembers Publius will think better of Blevins. We human beings do that; that’s why the old movie star’s dictum about publicity is, “spell my name right.”

In other cases, the pseudonym still wins. Dan Lyons wasn’t hurt by being outed as Fake Steve Jobs. Joe Klein wasn’t hurt by being shown to be Anonymous. Juan Non-Volokh was probably helped by being outed, too, and Prof. Brian Leiter, who outed him, probably suffered in his reputation.

This is perhaps, I think the most important point, as it’s simply practical. If a pseudonym ticks you off, you’re better off letting them stew in their own juices. The better known a pseudonym is, the better it is for the author to be known as the pseudonym.

There are exceptions to this, of course. If Publius were a politically conservative professor blogging out his inner liberal, there’d be a hypocrisy issue that would hurt him, but it doesn’t make it any more right. Thoughtful people who out hypocrites usually talk about the outing being necessary despite it being questionable.

Nonetheless, an important lesson to this is that as Feedie said, outing a nym is “a matter of basic decency” and “unworthy of someone with [his] impeccable professional credentials”.

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column.

Brenner watched the FUD as he spreads it. He moans histrionically,

When security is your company’s business, even the smallest breach is worthy of scorn. If you can’t keep the bad guys out of your own database, how can customers reasonably expect that you’ll keep theirs safe?

Oh, please. Spare us the gotcha. Let me toss something back at Brenner. In the quote above, he says, “theirs” but probably meant to say “them.” The antecedant of “theirs” is database, and Kaspersky isn’t strictly a database security company, but an anti-virus company. “Them” is a much better turn of phrase, and I hope what he meant to say. How can we possibly trust CSO Online as a supplier of security knowledge when they can’t even compose a simple paragraph? And how can we even trust your own tagline:

Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items.

Why is FUD Watch creating the very sort FUD they claim to watch? Who watches the FUD watchers? I do, I suppose.

Is my criticism unfair and picayune? Yup.

People make mistakes, even Kaspersky and F-Seecure. And heck, even CSO Online. I forgive you.

Brenner came very close to writing the article that should have been written. If even the likes of Kaspersky and F-Secure fall victim to stupid things like SQL injection, what does that say about the state of web programming tools? How can mere mortals be safe if they can’t?

The drama about these breaks is FUD. It shows that no one is immune. It shows that merely being good at what you do isn’t good enough. It means that people need to test, verify, buy Adam’s book, read it, and act on it.

The correct lesson is not schadenfreude, but humility. There but for the grace of God, go all of us.

Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative).

This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has leadership in privacy. Before the DNC list, I used to get a dozen or so calls a day. The annoying ones would be the junk faxes coming to our main line between 3am and 6am. The nightly ritual had to include taking the phone off the hook for some time. These days, the only issue we have are the people we affectionately call “The Illegal Carpet Cleaners.”

On the other hand this is an opportunity. There’s a fine of up to $15,000 for violating the DNC list in Canada, and this could easily be a profit center for the privacy commission. If I were a legitimate firm in Canada, I’d be looking closely at my marketing plans now. No one’s going to feel sorry for the company that is found to have been calling people from a stolen DNC list.

Both articles point out that complete fraudsters are an issue, and companies such as “a Caribbean telemarketer selling fake Caribbean cruises” now have more numbers they can use. But those numbers are stolen property of a sort, and toxic. They can be a tool against foreign scammers. After all, the tourist board of said Caribbean island wouldn’t want to seem uncooperative to people trying to stop fraud and dinner interruptions. If I were a scammer, I’d also want to examine the phone numbers I have recently gotten, because those could be dangerous to have as well.

It remains to be seen how Canada will handle it, how they’ll track down the loss, how they’ll recover from it. It will be interesting to watch, because they’re good and they take privacy seriously. There’s the potential for some seriously tasty lemonade to be made from these lemons. I have my fingers crossed.

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past.

Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost in the TJX breach.

There aren’t many details, yet. Apparently the hackers were on the network for months, having gotten in through malware.

We will of course hear many more details on this. The USA Today article has some news. AP has the best reporting I’ve read, but they are ambivalent about pixels, so you’ll have to find it on your own.

Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing.

At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special.

We’ve known that MD5 is broken for over a decade. It’s been undeniable for nearly five years. We have seen people create colliding PDF documents, we’ve seen a prediction of the last Presidential election by having a multi-collision. This is a clever bit of engineering, drama, and publicity, but anyone with cryptographic sense gives it a shrug.

Nonetheless, the twitterverse and blogosphere are chattering about this, which is what makes me laugh.

On the other hand, there are a number of CAs still using MD5, which made the attack possible and they are only now changing. This is what makes me cry.

In a year that has seen organizations crushed because of heads in the sand when chaos emerges, here’s just another.

New ID Theft Research And Blog For Debix

id-theft-frame.jpg
Adam and I have discussed Debix several times in the past, so it will come as no surprise, that I am again posting about them.
Debix now has a blog, which will be covering issues around identity theft, breaches and privacy.
Debix also released a new research study examining child identity theft. The most recent blog post, contains some highlights from the study, including that one in twenty people (or one in every classroom) suffers from some sort of compromise to their identity before they reach their maturity with an average of over $12K in fraudulent debt assigned to their names.
As the post says:

Kids are a great target for identity theft, because the younger you target them, the longer you have before it is likely that the act will be discovered and as a result the corresponding amount of fraud that is committed prior to discover is significantly higher with minors than with adults.

Check out the post and the full research study for much more detailed information.
[Image is identity-theft-2 from j_lovefool on flickr]

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on.

A group of security people and human rights workers not only found out that TOM-Skype is not secure, but found the list of banned words because, as usual, someone didn’t set up their servers very well. A report can be found here.

Skype president Josh Silverman replied to the issue today in this article. He says that yes, it’s happening:

It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.

He’s right: one of the quandaries of business in China is that you have to put your belief in freedom in a trust when you go there. This is why many of us do not like doing business there.

However, he also said:

We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM’s servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.

In other words — it’s bad for the Chinese to spy, and bad for people to catch them at it. Oh, naughty Chinese, and shame on you too, Infowar for dragging this into the daylight.

This comes on top of April’s flap in which the German and Austrian governments essentially said that they have no trouble listening in to Skype. Skype hasn’t commented on that. This is a different issue, as it appears that the surveillance is being done via malware.

Despite the fact that we still don’t know what goes on inside of Skype, it appears that the software is basically secure — or at least the voice parts are. Or was at one time. The noted cryptographer Tom Berson did an analysis of Skype and showed that it was reasonably secure. There were also reverse-engineering analyses done on Skype by Philippe Biondi and Fabrice Desclaux, presented at Black Hat in 2006 that showed it was secure, if eccentric in its design.

However, despite the security of the voice parts, the text parts are obviously not secure. And we have this uncomfortable set of circumstances:

  • Skype voice, while apparently secure in architecture, can be compromised by commercially available malware.
  • Skype text chat is obviously not secure, as shown by TOM-Skype in China.
  • Josh Silverman has washed his hands of l’affaire TOM-Skype.
  • We still don’t know what’s in the Skype source code.

The problem here is one of labeling, and the market effects. I’m sophisticated enough to know that when Josh Silverman says:

… Allowing the world to communicate for free empowers and links people and communities everywhere.

that he is stating that free (as in beer) is important, even if he’s unable to do a lot about free (as in speech) in repressive countries and in the face of law enforcement technologies.

But Skype has always touted itself as a secure technology. The reason that it became popular for free (as in beer) conversations was that we thought and were assured that it was also free (as in speech). Skype themselves paid for a security analysis.

Skype thus became not only the proverbial eight-hundred pound gorilla, but (it seems) the proverbial dog in the manger. Skype’s presence has actively hindered other secure-voice technologies. Phil Zimmermann’s Zfone, for example, has had to answer the question, “why do we need you when there’s Skype?” It seems that he’ll be answering that question less. Josh Silverman needs to do something to show us the basic integrity of the system. Presently it appears that he has empowered us to have communities everywhere but China, or Germany, or any place with a sophisticated and powerful government. At the very least, he should protect eBay’s investment, because if people conclude that Skype is not secure, eBay may wish they’d invested that $1.6 billion in mortgage-backed instruments instead.

This Week in Petard-Hoisting, the Palin Edition

pitbull.jpg

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not a temporary copy that is needed for the communications (like a mail spool), and not a backup.

This reasoning is bizarre to people who use protocols like IMAP precisely as a backup. It’s also bizarre to people who wonder why the DOJ would argue that stored communications are not Stored Communications. Those people tend to think that perhaps this would mean that if those stored emails are not Stored, then it wouldn’t be illegal for the DOJ to just kindly request that copies of them be pulled from an ISP’s storage (as opposed to their Storage) and be handed over, just in case you’ve been doing whatever.

The EFF has posted an interesting opinion, one that points out that if stored email is not Stored, then the people who reset Sarah Palin’s password and read her email probably did not commit a crime under the DOJ’s own interpretations of the law.

There doesn’t seem to be much wrong with this reasoning. In any event, it’s going to make it hard to prosecute the miscreants, because they will have to explain to a judge why they changed their mind, or why there is one law for veep candidates and one or everyone else. Way to go, guys.

Whatever one’s opinion of Ms Palin, it’s hard to defend violating her privacy. Let’s hope this leads the DOJ to conclude that when you take communications and store them that they would be protected under the Stored Communications Act. As usual, the word is “oops.”

(Many people will note that there are undoubtably plenty of other laws to charge them under, starting with the Computer Fraud and Abuse Act. But any good prosecutor can find something to charge someone with. The point is about upholding and enforcing existing laws.)

Photo “Hockey Mom Makeover” by julie.anna.

That’s an address I haven’t used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade ago. I’ve been meaning to call BNY and ask questions, but haven’t had time.

The letter is dated June 9, regarding a February 27th loss by Archive Systems, Inc. The three-plus month delay annoys me. Archive Systems isn’t named in the letter. I had to look at Data breach at New York bank possibly affecting hundreds of thousands of CT consumers to discover that.

The signup experience for the “Triple Alert Monitoring” from Experian was not awful, but it was pretty poor. It demanded lots of personal information, wasn’t clear how it was going to be used. Experian stuffed a long terms and conditions into a three line at a time scroll box, clearly indicating that they don’t expect anyone to read it. Their web site silently relied on Javascript, and it wasn’t at all clear how long I’m enrolled for. I have little doubt I’ll start getting renewal notices in three months.

Incidentally, I’ve Been Mugged has a review of Triple Alert.