Tag Archive for PII

Banks & Bosses Use Social Media to Assess Risk

Updated 10-22-10 – GigaOm has a post about Rapleaf here.

If you’re among the 67% of the global online population that Nielsen Online says uses social media networks to stay in touch with friends, grow their business, or just have fun, then your information is for sale to banks, insurance companies, employers, and the government. Some banks are turning to social media analytics firms to enhance their credit-check procedures.

Banks are now looking at an applicant’s social media profile, behavior, and associations on sites like Facebook (FB), Twitter, and MySpace according to a recent article on the banking industry site CreditCards.com. The banker’s theory is that people run with folks who share their values and behavior. If your Facebook friends are deadbeats, the banks theorize you are a deadbeat also. These assumptions may make it harder to get a credit card or mortgage, according to CreditCards.com.

Many banks are now outsourcing their social network data mining operations to firms such as Rapleaf. Rapleaf is a San Francisco, CA-based company that specializes in social media monitoring. According to CreditCards.com, Rapleaf compiles everything you and your network do – including status updates, “tweets,” joining online clubs, linking a Web site, or posting a comment on a blog or news Web site. These firms turn the conversations into consumer profiles called social graphs. Social graphs give companies insight into behavior patterns: what you like and dislike, want and don’t want, do well and do poorly.

In the article, Rapleaf characterizes its social network data mining operations as “a unique way to improve customer experience by whitelisting customers based on their social circles and friend relationships.” Since the firm uses data to “whitelist” people, it may also very easily be used to “blacklist” people and deny them a credit card or a job. “Who you hang around with has empirical implications with how you behave,” Joel Jewitt, Rapleaf’s vice president of business development, told FastCompany.

“It’s a marketing trend as opposed to a credit score trend,” says Jewitt. Despite his assurances, Rapleaf’s Web site suggests that clients “use friend networks to enhance … credit scoring,” according to FastCompany. Jesse Torres, president and CEO of Pan American Bank in Los Angeles, told CreditCards.com that online information aggregators fill a need within the banking community. “They’re able to scour the social media universe. They are constantly listening and reporting back.”

The bankers are protecting their bottom line: “credit card companies have been stung very hard during this downturn, and they’re going to work that much harder to avoid extending credit…,” Ken Clark, author of The Complete Idiot’s Guide to Boosting Your Financial IQ, told CreditCards.com. Rob Garcia, senior director of product strategy at The Lending Club, a peer-to-peer lender, says his firm uses multiple sources of “social information collateral” for its decision-making processes. “It’s a wealth of information about a person,” says Garcia.

Not everyone in the industry is data mining social networks. “It’s difficult to make a judgment about an individual’s credit based on the people around them,” says Gregory Meyer, community relations manager for Meriwest Credit Union in San José, CA. Meriwest only assesses credit reports and application data to make lending decisions. “[Social media] is a great way to keep up with what my 10-year-old nephew is up to, but it doesn’t have a place in the credit process.”

What you divulge can have an unintended impact. “We’ve seen this with applicants not getting jobs and employees getting fired for their Facebook and Twitter-based escapades,” financial personality Clark told CreditCards.com, “so we shouldn’t imagine this to be any different.” There are steps to take to guard your privacy. “I think it is crucial that everyone visit the privacy notices for the sites they use, read them, and change their settings to limit who can see their information,” says Clark. “For example, on Facebook, you can change your privacy settings so that only your acknowledged friends can see the majority of your information.” You can also enable “private filtering” on your browser. Do so and your activity will be entirely out of the Web profiling system.

Scott Stevenson, president and CEO of EliminateIDTheft.com, told CreditCards.com people should:

  1. Don’t accept invitations until you check the profile out first.
  2. Be acutely aware of what you write. Don’t make public anything you don’t want public.
  3. Take an annual inventory of all your social networking sites and delete people and information that can potentially damage you in the eyes of a creditor or employer.

Rapleaf offers a service to discover your online footprint and see what others might see on your social graph. Google (GOOG) offers a similar tool, the Google Privacy Dashboard, which presents an overview of the accounts and information you are connected with through Google. Take advantage of tools like these to check your own online reputation. What you don’t know can hurt you. Rapleaf’s Jewitt reminds users that, “The custodian of the information is you.”

rb-

There is nothing illegal about the social network data mining that banks and firms like Rapleaf do. Facebook and the other social networks are legal commercial enterprises that openly broker user data for exactly these kinds of purposes. People freely put information on Facebook with the full knowledge that it will become a permanent part of the public Internet record. Users need to know about this kind of data mining for two reasons. First, the stakes are high. It’s about getting access to credit that might be necessary for your family or business or even getting your next job.

Second, data mining gives the lenders insights into relationships that are unknown to and often completely out of the control of the applicant. Maybe being a Facebook fan of NASCAR says something in the sum about your socioeconomic status and your creditworthiness or employability, according to some second-order derivative analysis of millions of data records.

The asymmetry in the relationship between data-driven marketers and consumers is structural and permanent. Institutions like banks (and, potentially, insurance companies, employers, and the government) will use it to gain an advantage, because that’s what they do.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Copiers Get Politicized

The politicians in Washington have politicized the data breach threats posed by copiers. The FTC claims it is reviewing concerns that digital copy machines retain sensitive information, and the Commission is reaching out to retailers and government agencies to safeguard users’ private data.

FTC Chairman Jon Leibowitz recently said in a letter (PDF) to Rep. Ed Markey (D-MA) that the agency has launched an education campaign to inform users of copy machines. The FTC will try to educate users that copier hard drives retain critical information such as financial and health data. Unless this data is dealt with correctly, it creates a regulatory threat (SOX and HIPAA). Identity thieves can access the data kept on the machines, particularly as copiers are resold without their hard drives being wiped clean.

“Like you, we also are concerned that personal information can be so easily retrieved by copiers, making it vulnerable to misuse by identity thieves,” Leibowitz wrote.

The privacy implications of digital copy machines stem from a report by CBS that showed copiers were essentially acting like computers, with hard drive data being circulated among several parties as copiers were resold. Markey had called for an investigation into the issue.

rb-

I know I feel better about this risk now that the politicians and a federal bureaucracy are looking after my best interests. </snark>


Keyboard Crud Fingers Suspects

Researchers have developed a new technique to identify individuals by the hand bacteria they leave behind on their personal computer keyboards and mice. Researchers at the University of Colorado (CU) at Boulder have shown that the “personal” bacterial communities living on the fingers and palms of individual computer users, once deposited on keyboards and mice, closely matched the bacterial DNA signatures of those users.

The development of the technique is continuing, but it could offer a way for forensics experts to independently confirm the accuracy of DNA and fingerprint analyses, says CU-Boulder Assistant Professor Noah Fierer, chief author of the study. “Each one of us leaves a unique trail of bugs behind as we travel through our daily lives,” said Fierer, an assistant professor in CU-Boulder’s ecology and evolutionary biology department, “… we think the technique could eventually become a valuable new item in the toolbox of forensic scientists.”

The team used gene-sequencing techniques to match bacterial DNA swabbed from individual keys on computers to bacteria on the fingertips of keyboard owners. Fierer said in the article that bacterial DNA from the keys matched much more closely to bacteria of keyboard owners than to bacterial samples taken from random fingertips and from other keyboards. In a second test, the team swabbed nine computer mice that had not been touched in more than 12 hours and collected palm bacteria from the mouse owners. The researchers were able to successfully match the owner’s palm bacteria and the owner’s mouse from a group of 270 randomly selected samples.

The study showed the new technique is about 70 to 90 percent accurate, a percentage that likely will rise as the technology becomes more sophisticated, said Fierer. The CU-Boulder team used a “metagenomic” survey to simultaneously analyze all the bacteria on the fingers, palms, and computer equipment, said co-author Rob Knight. The effort involved isolating and amplifying tiny bits of microbial DNA, then building complementary DNA strands with a high-powered sequencing machine that allowed the team to identify different families, genera, and species of bacteria from the sample.

Another reason the new technique may prove valuable to forensic experts is that unless there is blood, tissue, semen, or saliva on an object, it’s often difficult to obtain sufficient human DNA for forensic identification, said Fierer. But given the abundance of bacterial cells on the skin surface, it may be easier to recover bacterial DNA than human DNA from touched surfaces, they said. “Our technique could provide another independent line of evidence.”

Once further research is completed, Fierer says the new technique may be useful for linking objects to users in cases where clear fingerprints cannot be obtained – from smudged surfaces, fabrics, and highly textured materials. The new technique would even be useful for identifying objects touched by identical twins, since they share identical DNA but have different bacterial communities on their hands.

The study was published March 15, 2010, in the Proceedings of the National Academy of Sciences. Co-authors included Christian Lauber and Nick Zhou of CU-Boulder’s Cooperative Institute for Research in Environmental Sciences, Daniel McDonald of CU-Boulder’s department of chemistry and biochemistry, Stanford University Postdoctoral Researcher Elizabeth Costello, and CU-Boulder chemistry and biochemistry Assistant Professor Rob Knight.

rb-

Fierer states that this new technique brings up bioethical issues to consider, including privacy. “While there are legal restrictions on the use of DNA and fingerprints, which are ‘personally identifying’, there currently are no restrictions on the use of human-associated bacteria to identify individuals,” he said. “This is an issue we think needs to be considered.”

It would be my recommendation that firms get ahead of this issue and review their employee privacy policies to deter the “expectation of privacy” until the courts decide if bacteria growing outside of an individual is eligible to be classified as “personally identifiable information” (PII).


Lessons From A Mega Data Breach

Updated 04-05-09 – Wired is reporting that on August 28, 2009, accused hacker Albert Gonzalez accepted a plea agreement with federal prosecutors in Boston. According to the report, Gonzalez has agreed to plead guilty to all the charges in a 19-count indictment and will face a sentence of 15 to 25 years for masterminding the mega data breach. He’s also agreed to forfeit nearly $3 million in cash as well as a Miami condo, a BMW car, a Tiffany diamond ring and three Rolex watches that he gave to others as gifts, a Glock 27 firearm seized from him at the time of his arrest, and a 350C currency counter, among other items.

The agreement resolves the case against Gonzalez in Massachusetts — which charged him with hacking into TJX, Barnes & Noble, and OfficeMax — as well as a case in the eastern district of New York that charged him with hacking into the Dave & Buster’s restaurant chain. There are still outstanding charges alleging that Gonzalez also hacked into Heartland Payment Systems, Hannaford Brothers, ATMs stationed in 7-11 stores, and two unnamed national retailers.

Gonzalez is scheduled to officially enter his plea at a court hearing on September 11. His lawyer, Rene Palomino, did not return calls seeking comment from the New York Times.

Updated 08-30-09 – On 08-24-09 The Financial Times reported that Gonzalez and crew penetrated a network linking 2,200 Citibank-branded ATM kiosks inside 7-Eleven stores from late 2007 through to at least February 2008. The ATMs displayed Citibank’s logo. The network and the machines were owned by Texas-based CardTronics, which took in monthly fees from Citi. Reportedly the group lifted card and PIN codes from the system, and their allies manufactured new cards that were used to get about $2m in cash from Citibank ATMs elsewhere. An FBI affidavit said Yuriy Ryabinin of Brooklyn withdrew $750,000 from Citibank accounts in February 2008.

The U.S. Department of Justice handed down an indictment in the Heartland Payment Services data breach on August 17, 2009. The Heartland data breach is the largest data theft on record in the U.S. The Feds allege that beginning in October 2006, 28-year-old Albert Gonzalez, aka “segvec,” “soupnazi,” and “j4guar17,” of Miami, FL, and his unnamed co-conspirators in Russia and Virginia executed the Heartland data breach. This attack led to the theft of over 130 million credit and debit card accounts. Gonzalez faces two counts: conspiracy and conspiracy to engage in wire fraud.


In addition to stealing credit and debit card data from New Jersey-based Heartland Payment Systems, the conspirators also targeted 7-Eleven Inc. and Hannaford Brothers, a supermarket chain based in Maine, along with two other major national retailers whose names were withheld. According to the government, planning for the attacks began in 2006. The indictment says that in October of 2006, Gonzalez and his co-conspirators began to search for potential corporate victims by gathering intelligence such as the credit and debit card systems used by their targets.


In August 2007, 7-Eleven was hit with a SQL injection attack which resulted in an undetermined number of accounts being compromised. In November 2007, Hannaford reportedly detected a Trojan designed to skim magnetic stripe information from the checkout stations. This attack compromised 4.2 million accounts. Beginning on or about Dec. 26, 2007, Heartland was hit with a SQL injection attack on its corporate network that resulted in malware being placed on its payment processing system and the theft of more than 130 million credit and debit card numbers and corresponding card data.

According to the indictment, Gonzalez and his cohorts exploited vulnerabilities that are typical in many cybercrime cases. SQL injection attacks were used to insert specially crafted malware designed to evade detection. Once inside the corporate networks, the attackers used sniffers to conduct reconnaissance, then find and steal credit and debit card numbers and other information. According to the DOJ, the group tested their malware by putting it up against about 20 different anti-virus programs. The group used computers in California, Illinois, Latvia, the Netherlands, and Ukraine to stage attacks and store malware and stolen information.

Could have been defended against

While the attacks seem to be phased-in and coordinated, the attackers used classic and well-known methods that could have been defended against, experts say. Robert Graham, CEO of Errata Security, told Dark Reading that the attacks outlined in the indictment basically offer a roadmap for how most breaches occur. “This is how cybercrime is done,” Graham says. “If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses.”

In a Dark Reading article, Rich Mogull, founder of Securosis, says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled. He points out that the attacks seem to mimic those in an advisory issued by the FBI and Secret Service that warned of attacks on the financial services and online retail industry that targeted Microsoft’s SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls. “This seems to be a roadmap” to these breaches, Mogull says. “The indictment tracks very closely to the nature of attacks in that notice.”

“The attack took planning and organization, but ultimately it was done with relatively common attack techniques,” said Rohit Dhamankar, director of DVLabs at TippingPoint, in an eWeek article. “It just goes to show that even the most basic type of attack can do serious damage, and enterprises need to be more vigilant about protecting the outward-facing portions of their networks.”

Rick Howard, intelligence director for iDefense, told Dark Reading that enterprises still aren’t closing known holes in their networks and applications. “They were using the same stuff that works all the time,” he says. “And it’s [an example of] another organization not diligent in closing up [vulnerabilities] we know about.”

Prevention

Upesh Patel, vice president of business development at Guardium, told Dark Reading the attackers must have exploited applications with authenticated connections to the database. “Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database.”

Errata’s Graham says the initial attack vector, SQL injection, is often dismissed by enterprises as unimportant. “We always find lots of SQL injection [flaws] with our clients. We talk to them about it, but get push-back from management and developers who claim SQL injection is just a theoretical risk.”

As a fix, Graham recommends, “The simple solution is to force developers to either use ‘parameterized’ queries or ‘sanitize’ input.” He also suggests that SQL-based servers be hardened. “Once they got control of the database, they were able to escalate the attack to install malware on the systems. The simple solution is to remove all features of the database that aren’t needed,” he says, such as “xp_cmdshell,” which attackers commonly abuse. Graham goes on to suggest that anti-virus doesn’t catch custom malware like the attackers wrote for their attacks, so add policies and technologies that can spot unknown threats.
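To make Graham’s “parameterized queries or sanitize input” advice concrete, here is an added example (my own code, not anything from the article, Errata Security, or the breached companies) that puts the vulnerable string-built lookup next to its parameterized replacement and an allowlist input check. It uses an in-memory SQLite database with constructed sample rows; the `cardholders` table, the masked card values, and the function names are assumptions made for this demonstration only.

```python
"""Vulnerable string-built query beside its parameterized replacement.

Added example, not code from the original article or from any of the firms
quoted in it. Runs against an in-memory SQLite database with constructed
sample rows; the table name `cardholders` and the helper names are
assumptions for this demonstration.
"""
import re
import sqlite3

# Constructed sample data: a small cardholder lookup table with masked PANs.
SAMPLE_ROWS = [
    ("alice", "4111********1111"),
    ("bob", "5500********0004"),
    ("carol", "3400********0009"),
]

NAME_RE = re.compile(r"^[a-z]{1,32}$")  # allowlist for the 'sanitize input' path


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (name TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The 'before': user input is concatenated into the SQL text, so the
    # input can change the structure of the statement (the injection bug).
    sql = "SELECT name, masked_pan FROM cardholders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix Graham recommends: a parameterized query. The value travels
    # separately from the statement text, so it is only ever compared as a
    # string and can never alter the WHERE clause.
    sql = "SELECT name, masked_pan FROM cardholders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: reject anything outside the allowlist before it
    # reaches the database, then still use the parameterized form.
    if not NAME_RE.match(name):
        raise ValueError("name rejected by input validation")
    return lookup_parameterized(conn, name)


def demo() -> dict:
    """Run both lookups against an honest name and a constructed tautology."""
    conn = build_db()
    honest = "alice"
    tautology = "x' OR '1'='1"  # constructed input; a tautology inside SQL text
    try:
        lookup_validated(conn, tautology)
        validated_rejected = False
    except ValueError:
        validated_rejected = True
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),        # 1 row
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),  # every row
        "param_honest": len(lookup_parameterized(conn, honest)),    # 1 row
        "param_tautology": len(lookup_parameterized(conn, tautology)),  # 0 rows
        "validated_rejected": validated_rejected,                    # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the side-by-side is the row counts: the concatenated version returns the whole table for the tautology input, while the parameterized version returns nothing because the same text is compared literally. Parameterization is the primary control; the allowlist is an extra layer for fields with a known shape, not a replacement.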

The Gonzalez crew’s alleged use of their own sniffers that copied card data from the network could have been thwarted with encryption, according to Richard Wang, Sophos Labs’ U.S. manager. Wang tells InternetNews that the data should have been encrypted while in transit on the wire.

Sophos’ Wang says that the databases need to be secured: “Businesses should secure the application code, and make sure that the underlying server and operating system are up to date with the latest patches.” Securosis’ Mogull says not to use a privileged account for the relational database management system. In a blog post, Mogull says to deploy data leakage protection to see if you can detect any card data internally before the bad guys find it, and to focus on egress filtering.

“This was preventable,” Securosis’ Mogull says of the major breaches. “There was some degree of sophistication — like they knew HSMs — but definitely the main way they got in is not the most sophisticated.”

Gonzalez, who is in federal custody, faces a maximum sentence of 20 years in prison on wire fraud conspiracy, and another five years on conspiracy, plus $250,000 for each charge. In May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged Gonzalez with an alleged role in the hacking of a computer network run by the restaurant chain Dave & Buster’s. The trial on those charges is scheduled to begin in Long Island, N.Y., in September.

In August of 2008, the Department of Justice announced more indictments against Gonzalez and others for a number of retail hacks affecting eight major retailers and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts. Gonzalez is scheduled for trial on those charges in 2010.

rb-

The work we do on behalf of our clients often includes many of the steps highlighted in this incident. We always insist that vendors harden any servers brought on to a client’s site and that unnecessary services be removed. Before we recommend the Owner accept any installation, the vendor has to fully patch the OS and any applications provided. More recently we have started to include internal and external facing port scans.

Heartland Payment Systems Reports Breach

TJX Hacker Charged With Heartland, Hannaford Breaches


Data Destruction Policy Suggestions

Humans have created more digital information than we have the ability to store, according to EMC‘s digital universe survey. ComputerWorld recently published an excellent article with a lawyer’s point of view about data destruction. Attorney Mark Grossman, a tech lawyer and the founder of the Grossman Law Group, and Tate Stickles, a partner in the Grossman Law Group, offer some insight for creating an effective data destruction policy.

Highlights of a data destruction policy

  1. Data destruction is intended to be permanent.
  2. Policies must be consistently enforced.
  3. The goal is to identify and classify what data the firm has and create effective policies for disposing of it.
  4. Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.
  5. A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence.
  6. Have a data retention policy – A data destruction policy is the second part of your data retention policy which will help decide where data is stored and make it easier to delete old data.

General rules

  1. The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough.
    • When reusing media, wipe the old data, confirm that the data is gone, and then document the process; only then can the media be reused.
    • Media that leaves the control of the firm, whether it is discarded or resold to another party, needs stronger processes, up to the physical destruction of the media.
  2. Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
    • Sarbanes-Oxley,
    • Gramm-Leach-Bliley,
    • The Fair and Accurate Credit Transactions Act,
    • HIPAA,
    • Check with your tech attorney who can provide guidance on what laws, rules, and regulations may apply to your company’s situation.
  3. Firms that are not heavily regulated can look to other destruction standards:
    • U.S. Department of Defense standards and methods (DoD 5220.22-M),
    • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 800-88),
    • International, national, state, and local laws, rules, and regulations.
  4. The policy should address how to classify and handle each type of data residing on the media.
  5. The policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed.
  6. Classifications and contents of data will play a role.
  7. Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.
  8. Data and media containing little to no risk to the firm may have relaxed levels of control and destruction.
  9. Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts. For example, non-disclosure agreements can contain data destruction terms that must be complied with.
  10. When reselling or recycling media, take samples to make sure that the proper levels of data destruction are maintained.
  11. In-house data destruction requires verification that the data sanitization and destruction tools and equipment are functioning properly and maintained appropriately.
  12. Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions.

The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and media to ensure the effectiveness of the policy.
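The “wipe, confirm the data is gone, then document” rule for reused media and the who/what/where/when/why/how documentation item above are a small workflow that is easy to show in code. The following is an added example of my own, not code from the ComputerWorld article or the Grossman Law Group. It models a piece of media as an ordinary file so it runs anywhere; the pass count, the record fields, the operator name and the sentinel values are all constructed for the demonstration. Overwriting a file through the filesystem does not reliably sanitize flash media or journaling filesystems, so read it as the verify-and-document pattern wrapped around whatever NIST SP 800-88 method your classification calls for, not as a sanitization tool in itself.

```python
"""Overwrite, verify, and document a piece of reusable media.

Added example, not code from the article or from the Grossman Law Group. The
"media" is a plain file; the record layout, sentinel data and operator name
are constructed for this demonstration. Filesystem-level overwriting is only
a stand-in for a real NIST SP 800-88 sanitization method.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 64 * 1024  # write granularity for the overwrite pass


def overwrite_media(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file with zeros; returns bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK, remaining)
                fh.write(b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite to the device, not just cache
    return size


def verify_wiped(path: str, sentinels: list) -> bool:
    """Confirm the data is gone: every byte is zero and no known sentinel survives."""
    with open(path, "rb") as fh:
        data = fh.read()
    all_zero = not any(data)
    leaked = [s for s in sentinels if s in data]
    return all_zero and not leaked


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def sanitize_and_document(path: str, operator: str, reason: str, sentinels: list) -> dict:
    """Wipe, verify, and return the who/what/where/when/why/how record."""
    before = sha256_of(path)
    size = overwrite_media(path)
    ok = verify_wiped(path, sentinels)
    return {
        "who": operator,
        "what": os.path.basename(path),
        "where": os.path.dirname(path) or ".",
        "when": datetime.now(timezone.utc).isoformat(),
        "why": reason,
        "how": "single-pass zero overwrite via filesystem (demonstration method)",
        "bytes": size,
        "sha256_before": before,
        "sha256_after": sha256_of(path),
        "verified": ok,  # media may be reused only when this is True
    }


def demo() -> dict:
    """Build a constructed media image holding fake PII, then run the workflow."""
    sentinels = [b"SSN=000-00-0000", b"ACCT=00001234"]  # constructed markers
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk0.img")
        with open(path, "wb") as fh:
            fh.write(b"customer record " + b";".join(sentinels) + b"\n" * 100)
        return sanitize_and_document(
            path, "operator-id (constructed)", "media reuse", sentinels
        )


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The before/after hashes and the `verified` flag are what the documentation item asks for: the record shows that a specific image was wiped by a named operator at a known time, and that the check actually ran rather than being assumed. Sampling records like this during the scheduled testing the policy calls for is how you find a wipe tool that has silently stopped working.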
