
Posts categorized "Current Affairs"

Saturday, 05 May 2007

Transportation Security Administration (TSA) Data Security Breach: 100,000 Social Security Numbers, Banking Information, and Payroll Data Lost

The social security numbers, direct deposit bank information, and payroll data for 100,000 employees of the United States Transportation Security Administration (TSA) have been lost by the agency on a missing computer hard drive.

According to ABC News (http://abcnews.go.com/Politics/wireStory?id=3142155), the hard drive was lost from a "secured area" at the TSA's headquarters in Washington, D.C. 

While the U.S. White House and the U.S. Department of Homeland Security attempt to reassure the American people that they are doing everything possible to secure our country from those who wish to harm us, it is not reassuring to learn that even secure government buildings can suffer security breaches. The TSA has not publicly said whether the missing hard drive was merely misplaced inside TSA headquarters or was stolen.

Until this hard drive is found, as a law-abiding United States citizen, I'm concerned that someone could use the information on this device to gain access to, and circumvent the security of, facilities monitored and protected by the TSA (including airports, ports of entry into the United States, etc.).

Wednesday, 28 March 2007

MySpace: John McCain's Page Defaced In Support of Gay Marriage

A blogger changed an image linked from Senator John McCain's MySpace page so that it displayed a message stating that Senator McCain supports gay marriage.

The prankster was Mike Davidson, CEO of Newsvine.com. Davidson claims no laws were broken, since the image displayed on John McCain's MySpace page was hosted on Davidson's own server: the campaign's page merely pointed at it, so he could replace the file with whatever he liked.

Lessons for the McCain campaign: Don't use others' intellectual property without proper attribution. Don't hotlink images from web servers you neither control nor pay for; whoever runs that server controls what your page displays.
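One way the campaign could have caught the problem before a prankster did, as an added example (this is not code from the McCain campaign, MySpace, or Newsvine): a small Python check that lists every `<img>` on a page whose host is neither your own nor one you explicitly trust. The HTML and the host names in it are constructed for the demonstration.

```python
"""Flag <img> tags on a page that load from hosts you do not control.

Added example for this post; not code from the campaign, MySpace or Newsvine.
The HTML below is constructed for the demonstration and the host names in it
are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class ImageCollector(HTMLParser):
    """Collect the src attribute of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_images(html, page_url, trusted_hosts=()):
    """Return the image URLs on the page whose host is neither the page's own
    host nor one of trusted_hosts.

    Relative URLs are resolved against page_url, so a src of "/logo.png" counts
    as first-party. Anything else is content somebody else can replace at will,
    which is exactly what happened in the prank above.
    """
    own_host = urlparse(page_url).hostname
    allowed = {own_host, *(h.lower() for h in trusted_hosts)}
    parser = ImageCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)   # also resolves "//host/path" forms
        host = urlparse(absolute).hostname
        if host is None or host.lower() not in allowed:
            flagged.append(absolute)
    return flagged


# Constructed sample page; the host names are invented for the example.
SAMPLE_PAGE_URL = "http://profile.example-social.test/campaign"
SAMPLE_HTML = """
<html><body>
  <img src="/images/banner.png" alt="first-party banner">
  <img src="http://cdn.example-social.test/avatar.jpg" alt="site CDN">
  <img src="http://someone-elses-blog.test/template/header.gif" alt="hotlinked">
  <img src="//third-party.test/pixel.gif" alt="protocol-relative">
</body></html>
"""

if __name__ == "__main__":
    for url in external_images(SAMPLE_HTML, SAMPLE_PAGE_URL,
                               trusted_hosts=["cdn.example-social.test"]):
        print("externally hosted:", url)
```

Run it against your own page source; every URL it prints is an asset whose owner, not you, decides what your visitors see.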

MSNBC
http://thenewshole.msnbc.msn.com/archive/2007/03/27/102866.aspx

Mike Davidson's Blog
http://mike.newsvine.com/_news/2007/03/27/633799-hacking-john-mccain

CNet News - Oops! John McCain's MySpace page gets pranked
http://news.com.com/2061-10802_3-6170883.html

AP: 16,000 Social Security Numbers and Payroll Data At Risk On Stolen Government Laptop

The Associated Press is reporting that a laptop computer containing 16,000 social security numbers and payroll information of civilian employees for the U.S. Army Training and Doctrine Command (TRADOC) based in Fort Monroe, Virginia has been stolen.

My question for TRADOC is why this data was stored on a laptop computer in the first place. Have the lessons of the U.S. Department of Veterans Affairs incident, in which a laptop containing the personal information, including Social Security numbers, of 26.5 million U.S. military veterans and their spouses was lost, already been forgotten? TRADOC, the U.S. Army, and indeed the U.S. Department of Defense should never allow this type of information to be stored on laptop computers.

According to the AP news story, a letter was sent to the potentially affected employees informing them the U.S. Army is committed to preventing similar events from happening again.  The news story does not mention if TRADOC or the U.S. Army will be providing free credit monitoring for those affected.

Call to action: To the Acting Secretary of the United States Army, Mr. Pete Geren, please investigate this egregious data security breach and help institute policies and procedures to prevent this type of information security breach from happening again. Please consider offering free credit monitoring to those affected by this data security breach.

Beyond the identity theft risks facing TRADOC's civilian employees, I'm also very concerned about the potential national security implications of the loss of this data. What if a foreign terrorist group were to get hold of the Social Security numbers and payroll data of civilian employees of the U.S. Army? Could this stolen information be exploited to gain access to, or information from, the U.S. Department of Defense or the U.S. Army? Perhaps U.S. Army leadership should look into this incident beyond the identity theft and financial fraud implications.

I hope this type of event does not happen again, however that may be just wishful thinking on my part.

AP - Govt. Laptop With Employee Data Stolen
http://biz.yahoo.com/ap/070327/stolen_laptop.html?.v=1&printer=1

Thursday, 22 March 2007

State of Indiana: 71,000 healthcare workers had social security numbers accessed by computer hacker

The Associated Press is reporting that on January 3 a computer hacker broke into a State of Indiana web site. The intruder accessed 5,600 credit card numbers belonging to individuals and businesses and, in the process, obtained personal information, including Social Security numbers, for 71,000 health care workers.

The State of Indiana sent letters to those affected by this data breach in March, after an audit was completed following the January 3 intrusion. I find the delay between January and March in notifying those affected unacceptable. Although data security investigations take time to complete, the state government should have disclosed this data theft to the general public much earlier.

Note to government agencies and business entities: Please, please, please establish, continually test, and audit your on-line web applications for security vulnerabilities. Research has been indicating for several years that on-line attacks are targeting the application layer, not just the network. The technologies for protecting personal and financial information are available today. There is no excuse for poor information security governance and practices.

Note for consumers: When an organization tells you it has completed periodic security testing of the web sites that hold your personal information, ask for details on what type of security testing was conducted. If a business or government agency touts that it performs "periodic network security scans," that is not a true application security audit conducted by skilled application security specialists: a network scan checks which hosts and ports are exposed, while an application audit tests how the application handles hostile input. Most successful data theft attacks happen because of poor application security.
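The difference between a network scan and an application audit, as an added example (not code from the State of Indiana, the AP story, or OWASP). The reports do not say how the Indiana site was broken into, so this uses SQL injection only as a representative application-layer flaw; the table, the rows, and both query functions are constructed for the demonstration. A port scanner sees the same open web port in front of either function; only sending application input tells them apart.

```python
"""Why a "periodic network security scan" is not an application security test.

Added example for this post, not code from the State of Indiana or the AP
story. The intrusion technique in Indiana is not described in the reports, so
SQL injection here is only an illustration of an application-layer flaw. The
table and its rows are constructed.
"""
import sqlite3


def make_db():
    """In-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO workers VALUES (?, ?, ?)", [
        (1, "alice", "000-00-0001"),   # constructed sample data
        (2, "bob", "000-00-0002"),
        (3, "carol", "000-00-0003"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: user input is pasted into the SQL text.

    A port scanner sees the same open port 80/443 whether or not this function
    exists; only submitting application input exposes the problem.
    """
    sql = "SELECT name, ssn FROM workers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """The fix: a parameterised query; the input can never become SQL syntax."""
    sql = "SELECT name, ssn FROM workers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# What an application-layer tester actually submits. A network scanner never
# sends this string to the search form at all.
INJECTION = "x' OR '1'='1"


def application_test(lookup):
    """Return how many rows a tester gets back using INJECTION as the search
    term. Any rows for a name that does not exist means the input altered the
    query text."""
    conn = make_db()
    try:
        return len(lookup(conn, INJECTION))
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable lookup leaks", application_test(lookup_vulnerable), "rows")
    print("hardened lookup returns", application_test(lookup_hardened), "rows")
```

The vulnerable version hands back every row in the table for a name that does not exist; the hardened version returns nothing. Neither result is visible to a scanner that only enumerates open ports and service banners.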

As consumers and citizens, we need to start holding companies and government agencies more accountable for how they protect and manage the security of our personal and financial information. 

FortWayne.com
http://www.fortwayne.com/mld/fortwayne/news/local/16945009.htm

Federal Trade Commission
http://www.ftc.gov/idtheft

The Open Web Application Security Project
http://www.owasp.org

Wednesday, 21 March 2007

86% of the credit/debit cards advertised for sale in the hacker (underground) community were issued by U.S. banks

While traveling on business this week, with a few minutes to spare while waiting at the airport, I ran across a report by Symantec Corporation, a leading security software company.

Symantec publishes its "Internet Security Threat Report" twice a year. Consider this report a summary of the Internet threats Symantec tracked from July through December 2006. The data Symantec collects comes from a network of 40,000 sensors deployed in over 180 countries, plus data reported by over 120 million computers running Symantec's security software. The data is analyzed for trends in how computer and data security threats originate and evolve.

Some of the key findings by Symantec are worth noting, not only by businesses but also by consumers.

  • Home computer users were the most targeted group, the target of 93% of attacks.
  • 86% of the credit/debit cards advertised for sale in the hacker (underground) community were issued by U.S. banks.
  • Attackers are increasingly combining multiple attack methods to gain access to financial and personal data that can be used for financial fraud (i.e., identity theft).

I've always felt that information and data security is a two-way street. Although the business community has a great responsibility to protect the personal and financial information of its customers, consumers also have to share in that responsibility. An educated consumer should do their part to protect their personal and financial information.

If you would like to read the Symantec report, please visit:  http://www.symantec.com/threatreport

Wednesday, 07 March 2007

Memoirs of Watergate: Hackers in French Politics in 2007

Politics. Talk of politics can awaken strong agreement or disagreement even among friends. Hence my hesitation in bringing up the following news story for commentary and dialogue. I came across a political news story worthy of mention because of the issues it intersects, namely the crossroads of politics, technology, and ethics.

A political firestorm is brewing in France. The far-right presidential candidate Jean-Marie Le Pen alleged on Monday of this week that a computer hacker working for or on behalf of the political opposition stole sensitive information, namely a list of leaders willing to support Le Pen's candidacy for president. Although this may seem a news story of marginal value, we should all be concerned about the implications and ethical considerations it raises.

Commentary: Political arguments aside, I find it reprehensible that any person (i.e., citizen) of a free and open society would misuse technology in this alleged manner. Breaking in and stealing electronic data is unethical and inexcusable. The ends do not justify the means, especially when the act is conducted with malice and driven by ideological political aims. It is my hope that this unfortunate incident in French politics will not damage the freedoms of a free and open society in that country.

Associated Press - Forbes
http://www.forbes.com/feeds/ap/2007/03/05/ap3487120.html

Monday, 05 March 2007

U.S. White House: OMB FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002

The U.S. White House Office of Management and Budget (OMB) on March 1, 2007 released their fiscal year 2006 report on the progress of federal agencies to secure their computer and information systems.

Of note in FY 2006, U.S. Federal agencies spent $5.5 billion for information security out of an approximate total IT budget of $63 billion.  That's approximately 9 percent of all IT investments.  Although some Federal agencies have made significant progress in securing their systems, there are still many agencies and systems that need to do more to enhance their security posture. 

Glad to see our government doing more to secure their information systems.

FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002 (March 1, 2007)
http://www.whitehouse.gov/omb/inforeg/reports/2006_fisma_report.pdf

Wednesday, 14 February 2007

Teacher May Face 40 Years in Prison for Pornography

The Story:

A public school substitute teacher in Norwich, Connecticut may face up to 40 years in prison for an incident that happened while she was teaching a seventh-grade class.

Last month Julie Amero was convicted of exposing students in her class to pornography on her classroom computer. Amero contends that the pornography displayed on the computer was not the result of her willful actions but was caused by spyware and adware programs. The Connecticut authorities who prosecuted the case maintain that it was not accidental and continue to hold that she is guilty.

My commentary:

According to news reports, the school principal admitted the school district hadn't renewed the software license for the firewall software that protected the computer in Amero's classroom. This fact doesn't sit well with me. Why isn't the school district on trial? Where is the moral, ethical, and fiscal responsibility of the school administrators and school district officials in ensuring that ALL computers in the school district have appropriate anti-virus, anti-spyware, and firewall software?

One other fact bothers me. The prosecution, according to media reports, didn't examine the computer's hard drive for the presence of spyware or adware! That is a poor computer forensics examination of the seized computer's hard drive; there is no excuse for that on the part of the prosecution.
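What an examination of the drive might look at, as an added example (this is not from the Amero case file or from any forensic report on it): one signal investigators use to tell a redirect or pop-up storm from a person clicking links is timing. A user takes seconds between page loads; a pop-up chain fires many loads in a second or two with no user action in between. The history records below are constructed, and the thresholds are assumptions for the demonstration.

```python
"""Separating pop-up bursts from user-paced browsing in a browser history.

Added example for this post. It is not from the Amero case file or from any
forensic report on it; the history records below are constructed, and the
timing heuristic is a hypothetical illustration of the kind of artifact
analysis the author says the examination lacked. Thresholds are assumptions.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed records: (timestamp, url), as they might be exported from a
# browser's history database. The hosts are placeholders.
SAMPLE_HISTORY = [
    ("2007-02-01 09:00:01", "http://hair-styles.example/index.htm"),
    ("2007-02-01 09:00:02", "http://hair-styles.example/styles.htm"),
    ("2007-02-01 09:00:02", "http://ads.example/redir?id=1"),
    ("2007-02-01 09:00:02", "http://popup1.example/a.htm"),
    ("2007-02-01 09:00:03", "http://popup2.example/b.htm"),
    ("2007-02-01 09:00:03", "http://popup3.example/c.htm"),
    ("2007-02-01 09:00:03", "http://popup4.example/d.htm"),
    ("2007-02-01 09:05:10", "http://school-district.example/news.htm"),
    ("2007-02-01 09:05:45", "http://school-district.example/lunch.htm"),
]


def parse_history(records):
    """Turn (text timestamp, url) pairs into (datetime, url), oldest first."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url) for ts, url in records]
    return sorted(rows)


def find_bursts(records, max_gap_seconds=2, min_loads=4):
    """Group consecutive loads separated by at most max_gap_seconds and return
    the groups with at least min_loads entries as (first, last, urls).

    Two or three fast loads are normal (a page plus its frames), so min_loads
    sits above that. Both thresholds are assumptions for this example; in a
    real examination they would be tuned against the machine's own baseline.
    """
    bursts = []
    group = []
    for ts, url in parse_history(records):
        if group and ts - group[-1][0] > timedelta(seconds=max_gap_seconds):
            if len(group) >= min_loads:
                bursts.append((group[0][0], group[-1][0], [u for _, u in group]))
            group = []
        group.append((ts, url))
    if len(group) >= min_loads:
        bursts.append((group[0][0], group[-1][0], [u for _, u in group]))
    return bursts


def burst_hosts(burst):
    """Distinct hosts in a burst: a chain across many unrelated ad/pop-up
    domains looks different from a user paging through one site."""
    _, _, urls = burst
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    for first, last, urls in find_bursts(SAMPLE_HISTORY):
        span = (last - first).total_seconds()
        print(f"{len(urls)} loads in {span:.0f}s across "
              f"{len(burst_hosts((first, last, urls)))} hosts, starting {first}")
```

On the constructed data the first seven loads form one two-second burst across six hosts, while the two later loads, 35 seconds apart on a single site, do not. Timing alone does not prove intent either way; it tells an examiner where in the history to look more closely.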

In my opinion, part of the blame also rests with the school board and the school administration, who knowingly allowed teachers to use classroom computers without appropriate anti-virus, anti-spyware, and firewall protections in place. Are any parents mad at the school district about this?

This case looks to be based on poor evidence handling by the authorities and a prosecution more interested in grabbing headlines than in searching for the truth. Unfortunately, here is a teacher who has been crucified on technically circumstantial evidence. I'm sorry, but this is still the United States of America, where I thought people were presumed innocent until proven guilty. In my book, the evidence in this case is at best circumstantial and does not come close to the degree of conclusive proof that a sound computer forensics examination of the classroom computer's hard drive would provide.

OK, I'll get off my soap box for now--Just my $0.02 from a distance.  To learn more about this case here is a link:

ABC News
http://abcnews.go.com/US/print?id=2872230

Wednesday, 24 January 2007

Identity Theft Fraud Alert: TJ Maxx & Marshalls Customers

ID Theft Fraud Alert for Consumers

Last week TJX Companies Inc., the parent company of the retail chains TJ Maxx and Marshalls, announced that it had been the target of a data breach by hackers.

The interesting part of the story is that today the Massachusetts Bankers Association (MBA) announced that several recent incidents of fraud are related to the TJX data breach. According to the MBA, credit and debit card numbers and customer information from the breach have been used for fraudulent purchases.

According to some press reports, TJX has hired General Dynamics Corporation and IBM to help evaluate the data breach and re-evaluate its data security systems and practices. That's a positive step in the right direction; however, TJX would have benefited more from getting external expert advice long before this incident occurred.

Take-away for leaders and organizations: Seek expert help before a significant data breach occurs.  Invest in your information security and risk management programs as a top priority.

TJX Companies, Inc.
http://www.tjx.com/tjx_message.html

The Boston Globe
http://www.boston.com/business/ticker/2007/01/banks_begin_rep.html

Computerworld
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008599&intsrc=hm_list

BusinessWeek
http://www.businessweek.com/ap/financialnews/D8MRPDNO1.htm

Thursday, 04 January 2007

Feds can open and read your postal mail without warrants!

In another example of executive power being stretched to the limit of constitutional interpretation, President Bush has authorized the federal government to open your postal mail without a court-issued warrant.

This decision comes after the much-publicized action by President Bush to allow the National Security Agency (NSA) to monitor Americans' telephone calls and e-mail without court-issued warrants.

As a law-abiding U.S. citizen, I have nothing to fear or hide in my mail and don't mind sharing it with the government if requested. However, I'm concerned at the possibility that this new authority could be abused without the proper system of checks and balances. I'll leave this one to the legal scholars and constitutional law experts.

News coverage:

The Seattle Times
http://seattletimes.nwsource.com/html/nationworld/2003508676_mail04.html

San Jose Mercury News
http://www.mercurynews.com/mld/mercurynews/news/politics/16380470.htm

New York 1 News (NY1)
http://www.ny1.com/ny1/content/index.jsp?stid=3&aid=65622

Denver Post
http://www.denverpost.com/news/ci_4945109