F.B.I. Looks Into a Threat to Reveal Patient Data
|
pfroehlich writes "November 7, 2008
F.B.I. Looks Into a Threat to Reveal Patient Data
By JOHN MARKOFF
SAN FRANCISCO — The Federal Bureau of Investigation is investigating an extortion letter threatening to expose millions of patient records stolen from Express Scripts, a medical benefits management company.
The company said Thursday that it had been investigating the threat since early October, when it received a letter that contained personal information on about 75 of its members including names, dates of birth, Social Security numbers and, in some cases, prescription information.
The company said that it had immediately notified the F.B.I. and that it had retained outside experts in data security and computer forensics to aid in the company’s internal investigation.
“We have been conducting a thorough investigation since we received this threat and we are taking it very seriously,” said George Paz, chairman and chief executive, in a statement. “We are cooperating with the F.B.I. and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act.”
The company also announced that it had created a Web site for members to obtain information about the incident and learn how to protect themselves from identity theft. The Web site is www.esisupports.com.
Express Scripts, based in St. Louis, is one of the largest pharmacy benefits management companies in the United States. It handles prescription benefits for approximately 50 million people through clients like health insurers, employers and union-sponsored medical plans.
A spokesman for the company said that Express Scripts was still trying to ascertain the exact nature of the theft.
“All we know about the nature of the data taken is that the letter enabled us to tell where in our system it was taken from,” said the spokesman, Steve Littlejohn. “We’re not ruling anything out.”
He said that because of the investigation, the company was not willing to give details about the nature of the threat letter, such as whether it was sent as an e-mail message or through the United States postal system. He also said that the extortion threat was for money, but would not disclose the amount.
Mr. Littlejohn said the company was still not certain how much data had actually been stolen. He also said the company had not ruled out the possibility of an insider theft.
Copyright 2008 The New York Times Company
"
Posted by johntierney on Wednesday, January 28 @ 12:42:05 CST (1090 reads)
Police investigate BT's secret internet monitoring trials
|
jconcannon writes "City of London police examine dossier compiled by BT customers unhappy with the Phorm Webwise trials run by BT
Dinah Greek, Computeract!ve, 11 Sep 2008
Police are examining a dossier concerning the secret trials of the Phorm Webwise internet monitoring software carried out by BT in 2006 and 2007.
The move by the City of London Police came after the force was handed the information by IT specialist Alex Hanff, following a protest by BT customers outside the telecom giant’s annual general meeting in July.
Mr Hanff and privacy experts believe that BT’s trials were illegal and that Webwise breaches privacy laws including the Data Protection Act and the Regulation of Investigatory Powers Act (RIPA).
Dr Richard Clayton, a privacy expert at Cambridge University, who has analysed the software, has written that he is “not happy at all”, and believes that it “performs illegal interception” as defined by the RIPA.
The software, which tracks people’s surfing habits with the stated aim of delivering more targeted adverts, has caused a storm of controversy. As well as BT, two other key UK internet service providers, Talktalk and Virgin Media, have said they have plans to use the software.
Mr Hanff and privacy experts are also deeply concerned about what may eventually happen to any data that is intercepted.
“We are concerned about the potential for further use of individuals’ data in light of the US patent application and Phorm’s DPA registration. The DPA registration makes clear reference to holding financial and personal data and being allowed to ‘export’ this,” Mr Hanff said.
Phorm said it was certain that Webwise didn't breach any UK laws and it is not clear yet if BT faces any further action by the police concerning the trials it did not inform customers about.
A representative for the police said: "City of London Police has not launched a criminal investigation in connection with this matter. We are establishing if any criminal offence has been committed.”
BT said it had no comment to make on the matter of the police investigation.
The Information Commissioner's Office has said in its view, from the information available at this point, Webwise can be used in a way that will not breach UK laws. However it also said it would continue to monitor the situation.
The EU has also stepped into the row and asked the UK Government to clarify if the software breached the laws. However the UK has not responded to the EU yet."
Posted by joeconcannon on Thursday, September 11 @ 16:23:53 CDT (1765 reads)
Automated HTTPS Cookie Hijacking
|
jconcannon writes "Submitted by mikeperry on Thu, 08/14/2008 - 01:39
This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail, addons.mozilla.org, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks.
It turns out an adversary able to position themselves in between you and a website is able to inject arbitrary http-based content elements for domains that do not set the 'Encrypted Sessions Only' property of their cookies, and thus cause your client to transmit these cookies via clear text, intercept them, and impersonate you. The important thing to note is that they can do this when you visit ANY website. You do not ever have to leave SSL for the vulnerable site.
I described this attack in detail in a post to BugTraq and notified Google a year ago, but unfortunately, my announcement was largely overshadowed by Robert Graham's 'SideJacking' demonstration at Black Hat. His tool was simply a sniffer that just gathered cookies for sites as users on the local network visited them. The attack I described was much more flexible, much more powerful, and just as automated, but without a tool and a demonstration to back up my claims, nobody listened.

How an Automated HTTPS Cookie Hijacking is Performed
This attack can happen via a number of mechanisms, including via the local wired or wireless network, via Dan Kaminsky's DNS hijack attack, via the Tor network, or via the cable modem network (though this would require a custom modem). The steps are as follows:
1. Cache all DNS responses on the network to obtain a mapping of what host name clients are resolving, so you know the host they are using for server IPs.
2. When a client IP connects to a server IP using https (port 443), look up what hostname they resolved in the DNS cache to get this IP.
3. Add this domain as a target for that client IP.
4. When that IP then connects to ANY http website, look up what targets it has accumulated, and optionally add on a list of custom targets for completely insecure sites such as mail.yahoo.com and mail.live.com. Inject images for each of these into that TCP connection.
5. When the browser fetches these images, it will transmit any insecure cookies for that domain and path. Record the resulting cookies (and any others we happen to see while we're at it) to a Firefox-compatible cookies file.
The key property to notice here is that the tool automatically targets ALL insecure sites, not just Gmail. It does not require configuration for the common case. This means you do not get to hide behind obscurity! Just because no one has heard of your dinky little SSL site does not mean you are secure if your cookies are not set to be.
Furthermore, the additional optional list of completely insecure sites to always hijack (even if their users never visit them during the attack session) means that popular sites that completely refuse to implement SSL are now incentivized to do so.
It is for both these reasons that I have opted to wait another two weeks after my talk before releasing this tool, because I figured these facts would take the longest to sink in. It is possible to cobble together a tool that targets specific sites in a couple hours or maybe a weekend (depending on how well you leverage existing tools, and how extensible the result is). In fact, a site-specific tool has already been released by Enable Security.
However, doing the additional work to fully automate the process is probably another weekend or two worth of work, and it's work that would be done in secret without people realizing the seriousness of the vulnerability. In fact, despite it taking a year for me to grow impatient enough to opt for a full disclosure shitstorm, coding the tool itself only took 2-3 weekends of my time and about one of Damon McCoy's (who helped make sure it didn't break on his more exotic and heterogeneous wireless test lab network).

How to Tell if Your Sites are Secure
Since so many sites are likely vulnerable, the actual reporting process is probably going to fall on the shoulders of users. To check your sites under Firefox, go to the Privacy tab in the Preferences window, and click on "Show Cookies". For a given site, inspect the individual cookies for the top level name of the site, and any subdomain names, and if any have "Send For: Encrypted connections only", delete them. Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer.
Note that some sites do janky things like requiring a random Session ID in the URL, referrer information to be correct, or hidden form elements to be present during navigation. This may end up preventing the above simple test from allowing you in, despite having insecure cookies.
These approaches may or may not be secure, depending upon how they implemented it (and why), and really should be considered a "worst practices" sort of thing for protection for this particular attack. For instance, the randomized session ID in the URL may have been specifically designed to protect against CSRF attacks, with no thought whatsoever put into the fact that it can be transmitted on the local network in the 'referrer' string as soon as you navigate to an insecure page (ie, the "about", "routing info", and "help" links of many banks are http, not to mention off site links they might provide).
Because of this, it is probably best to contact these sites anyway, since hacks like these are homebrew solutions (and potentially designed to defend against completely different attacks) and are much more likely to be failure prone than the tried and tested existing browser security model."
Posted by joeconcannon on Thursday, September 11 @ 16:23:38 CDT (1128 reads)
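The post above turns on one browser rule: a cookie without the 'Encrypted Sessions Only' (Secure) attribute is attached to any request for a matching host and path, including a cleartext `http://` image request an on-path attacker has injected into some unrelated page. The following Python is an added illustration written for this page, not Mike Perry's tool or code from his post. It models that cookie-jar rule in simplified RFC 6265 terms and wraps the manual Firefox check from the post into a header audit. The host `mail.example.com`, the cookie names `SID` and `LSID`, their values and the injected image path are all constructed for the example.

```python
"""Why an unflagged cookie leaks over an injected http:// image fetch.

Added example for this page (not the original post's tool). Models the
browser's cookie-sending rule and audits Set-Cookie headers for the
missing Secure flag. Sample hosts, cookie names and values are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie matches (leading dot stripped)
    path: str = "/"
    secure: bool = False  # Firefox: "Send For: Encrypted connections only"
    httponly: bool = False


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header value (simplified RFC 6265 grammar)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val.strip()
    return cookie


def domain_matches(host, cookie_domain):
    """Exact host match, or host is a subdomain of the cookie's domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent(jar, url):
    """Return {name: value} a browser attaches to a request for url.

    The Secure flag is the only thing that stops a cookie from riding on
    a cleartext request to a matching host, which is exactly what the
    injected <img src="http://..."> in the attack triggers.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    sent = {}
    for c in jar:
        if not domain_matches(host, c.domain):
            continue
        if not path.startswith(c.path):
            continue
        if c.secure and u.scheme != "https":
            continue  # Secure cookies are withheld from non-TLS requests
        sent[c.name] = c.value
    return sent


def audit_set_cookie_headers(headers, request_host):
    """Names of cookies set by an HTTPS response that lack Secure.

    Automates the post's manual check: any cookie here is one an on-path
    attacker can harvest from the user without the user ever leaving SSL.
    """
    jar = [parse_set_cookie(h, request_host) for h in headers]
    return [c.name for c in jar if not c.secure]


# Constructed sample: headers a login at https://mail.example.com might return.
# SID is the vulnerable pattern (session cookie, no Secure); LSID is correct.
SAMPLE_HEADERS = [
    "SID=s3ss10n; Domain=.example.com; Path=/; HttpOnly",
    "LSID=l0g1n; Domain=mail.example.com; Path=/; Secure; HttpOnly",
]


def demo():
    """Contrast the attacker's injected http fetch with a normal https visit."""
    jar = [parse_set_cookie(h, "mail.example.com") for h in SAMPLE_HEADERS]
    leaked = cookies_sent(jar, "http://mail.example.com/injected.gif")
    normal = cookies_sent(jar, "https://mail.example.com/inbox")
    return leaked, normal


if __name__ == "__main__":
    leaked, normal = demo()
    print("cookies sent on injected http image fetch:", leaked)
    print("cookies sent on real https request:", normal)
    print("unflagged cookies:", audit_set_cookie_headers(SAMPLE_HEADERS, "mail.example.com"))
```

Run against real `Set-Cookie` headers captured from your own site's HTTPS login response, `audit_set_cookie_headers` gives the list you would report to the site maintainer; `HttpOnly` is deliberately tracked but not counted, since it does nothing against this attack (the browser itself sends the cookie; no script access is needed).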
TJX's Security System Faulted in Canada Probe
|
jconcannon writes "http://online.wsj.com/article/SB119076398490039298.html
By Joseph Pereira September 26, 2007
TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed to upgrade its data-encryption system in time to thwart one of the largest credit-card data thefts in North America, a Canadian government investigation found.
Investigators also found that the Framingham, Mass.-based retailer was holding on to its customers' personal information unnecessarily and for too long, exposing data on at least 45.7 million credit-card numbers to hackers.
As a result of their findings, the privacy commissioners of Canada and the province of Alberta -- which jointly conducted the seven-month probe -- recommended a number of corrective actions by TJX, including the use of a sophisticated coding system to protect driver's-license information and the deletion of all credit-card data after 18 months.
"Basically, what we're asking for is standard practice in the industry," said Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta.
In a statement, TJX spokeswoman Sherry Lang said, "While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations."
Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn't recommended by security experts even for wireless home networks because it is so vulnerable to hackers.
TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company's internal transaction database. They did so initially from outside two stores in Miami, the probe found.
The breach was discovered by TJX this past December and publicly disclosed in January.
TJX is now under investigation by the Federal Trade Commission and other U.S. government agencies. Several lawsuits also have been filed by banks for losses as a result of the credit- and debit-card data theft.
Last week, the company settled a number of class-action lawsuits filed on behalf of U.S. and Canadian consumers whose names, addresses, driver's-license information and credit-card information were stolen in the computer-system break-in.
"The TJX breach is a dramatic example of how keeping large amounts of sensitive information -- particularly information that is not required for business purposes -- for a long time can be a serious liability," Jennifer Stoddart, Canada's privacy commissioner, said in a statement.
"
Judge Pushes Back on TJX Settlement
|
jconcannon writes "http://www.eweek.com/article2/0%2C1895%2C2190263%2C00.asp
Judge Pushes Back on TJX Settlement
By Evan Schuman, Ziff Davis Internet
September 28, 2007
The federal judge overseeing the consumer portion of the TJX case wants vouchers replaced by cash.
The federal judge overseeing the consumer portion of the TJX case wants to see TJX vouchers offered in the proposed settlement replaced by cash.
U.S. District Court Judge William Young told attorneys in a hearing in Boston Sept. 27 that he "had a lot of questions and concerns" about the settlement, in which wronged consumers would be given $30 TJX vouchers, according to Thomas Shapiro, an attorney representing some of the consumer plaintiffs, who was present in the courtroom.
Attorneys on both sides had asked that the judge approve the proposed settlement and that he remove the trial—currently slated for July 2008—from the court calendar. However, Young refused to do that and ordered that the trial date be maintained. He scheduled another hearing for October.
According to two attorneys involved in the hearing and notes filed with the clerk's office, Young had concerns about the vouchers and asked what they were truly worth. "He expressed a preference that the class members have the option of receiving cash," Shapiro said.
Said another attorney, who did not want to be identified: "Trial dates are sacrosanct with this judge." In response to a question about having the trial suspended, the judge said, "I'm not staying anything," according to the attorney.
Young also posed some detailed legal questions involving jurisdiction and whether consumers should have 60 days to file a claim (as sought in the settlement) or 90 days. "The judge wanted 90 days," said one participant, who also didn't want to be identified.
Young also asked if there was a practical way for TJX, of Framingham, Mass., to send notices to all 46 million consumer victims; a TJX attorney said the retailer did not have those addresses.
Court observers said that it's not unusual for a judge who is being asked to approve a class-action settlement—especially such a high-profile case as TJX—to ask for changes. Unlike a traditional civil settlement where it's assumed that the interests of both sides have been protected, many of the consumers being represented by such a case have no input. Therefore, a judge will often push back harder.
Typically, the settlement will be adjusted somewhat to try to accommodate the judge. How far TJX will bend—the judge's concerns were all in the pro-consumer direction—and whether the judge will ultimately reject the agreement are the magic questions.
"