Category Archives: Security

“Crimeware server” details

The Finjan MCRC Blog has a very interesting and detailed description of the investigation that revealed free and open Internet access to stolen identity information.

During our research for the latest Malicious Page of the Month that has just been released, we came across a domain that was being used as a command and control for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware.
When we further examined this server, we found that the stolen data on it was unprotected and freely accessible to anyone – we found no access restrictions, no encryption whatsoever!
In total, we found more than 1.4Gb of personal and business data (including emails and web-related data) up for grabs, collected from infected PCs.

They show how attacks were organized into “campaigns” and how a Crimeware administrator could use a PHP-based web application to control infected systems. Real examples shown include bank and medical records.

This is an excellent case study of the current threat model for, and the consequences of, weak data controls.

Video Sharing and UCSF Breach

UCSF has had two security breach announcements already this year, both this month, according to etiolated.org. The latest news relates to patient data:

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual. Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

This brings up the usual questions for auditors:

  • Do you know where sensitive data is stored?
  • Do you know who has access to that data/those areas?
  • Do you block and monitor torrents, P2P, and related “sharing” protocols in network segments with sensitive data?
  • And then my favorite…
  • How do you know?

This case sounds like a research computer; such systems are infamous for being loosely managed by under-paid students who load them with sensitive “research” data alongside music and movies. The argument made by researchers is usually that restrictions on their systems impact their creativity and freedom to achieve results. This is true not just in educational institutions but also in high-tech companies that model themselves after academic environments (ask me sometime about my visit to Google security in 2002). The reality, however, is that anyone who wants to play with high-risk material must learn to abide by proper handling procedures or be denied access. This is much easier to explain to a researcher who handles explosives or radioactive material, where the danger to their personal health and the welfare of the laboratory is direct.

I would recommend UCSF start mandatory data handling examinations for anyone working with data. If someone does not pass the test, no access. Perhaps when the “other health care providers” start refusing to send data to anyone with a prior-breach record, the researchers will better understand how to self-police their systems and how security enhances their success.

Any guesses what the movie was?

Tokyo Airport Security Inserts Drugs into Passenger Bag

The story is almost too strange to be true. It sounds like something you might read in The Onion:

An officer at Narita International Airport on Sunday stuffed 142 grams (five ounces) of the drug into the side pocket of a randomly selected black suitcase coming off an overseas flight so that the animal could detect it.

“The dog couldn’t find it and the officer also forgot which bag he put it in,” a customs office spokeswoman said.

“If by some chance passengers find it in their suitcase, we’re asking them to return it,” she said.

The 38-year-old officer was quoted by the spokeswoman as saying: “I knew that using passengers’ bags is prohibited, but I did it because I wanted to improve the sniffer dog’s ability.”

I wonder what other “improvements” will be attempted. I guess it’s a good thing the passenger was entering Tokyo and not outbound to another country for further security tests.

Better Business through IT Governance

Network World tries to drive home the point that you should mature your IT governance if you want to be successful in business:

The most important finding cited in this report is that “organizations with best business results are the same firms with the most mature [IT GRC] practices and the organizations with the worst business results are the same firms with the least mature [IT GRC] practices.” The key takeaway from the report is this: “The way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources.” In other words, you’d better practice good IT GRC if you want to have a successful company.

I am biased so it is easy for me to agree, but the devil’s advocate in me says that this could be a misleading measurement. Perhaps it is success that leads companies to practice good IT GRC, not the reverse. It would be most interesting to examine this relationship over time.

For example, I used to think Dell quality control and ethics were top notch. The components they used, the engineering and execution of their systems, and the support they offered were unparalleled for value in the early to mid 1990s. Then they became wildly successful, and by 2000 the wheels seemed to come off their wagon. Today I just read that they have been found guilty of fraud by the New York court. My guess would be that their IT governance, just like their other processes, was stellar in the big run-up to mega-success. Then management went awry, and now they are still wildly successful, but if their governance of IT is anything like their current customer support or their engineering…see what I mean?