Posts categorized "Web/Tech"

Monday, 26 November 2007

Tips for Safe Holiday Shopping Online

This holiday season, many of us will do some of our shopping online.  Before you do, follow some basic security steps to guard your personal and financial information against fraud and identity theft.

Here are some tips for safe holiday shopping online:

  1. Make sure your security software is up to date.  Update your anti-virus, anti-spyware, and firewall software to minimize the risk of falling victim to malicious software such as trojans or viruses that could steal your personal information or give an attacker access to your computer.
  2. Don't shop online from public computers such as those found in cybercafes, public libraries, etc.  A public computer could have spyware or other malicious software installed that would capture your personal and financial information as you type it.
  3. When in doubt about a retailer, check them out.  Do an online search on the retailer and read comments from other customers.  Contact the Better Business Bureau for any additional information they may have on the company.
  4. Monitor your credit.  Make it a habit to review your credit reports regularly with the major credit bureaus so that fraudulent accounts are caught early.

Here are some additional resources for safe online shopping this holiday season.

Wednesday, 06 June 2007

Easy Email Encryption Security for Gmail Web Mail & FireFox Web Browser Users

Today I read about an interesting free software plug-in for email security.  FireGPG (http://firegpg.tuxfamily.org/) is a Firefox web browser extension released under the GPL (GNU General Public License).  FireGPG lets Firefox users call GnuPG to encrypt, decrypt, and sign email messages from a Gmail web mail account.

Although most consumers can buy commercial email encryption products such as commercial PGP, this free plug-in gives anyone using Gmail an easy way to send and receive encrypted email.  Perhaps email security vendors will take note of the fact that many consumers use free web mail services such as Yahoo Mail, Hotmail, Gmail, etc. and provide integration with their email encryption products.

In the end, all web mail users will benefit from the integration of email encryption into messaging solutions.  Remember, email is an insecure medium for transmitting sensitive information: a message can be read by every mail server that relays or stores it unless it is encrypted end to end.  Encryption software can help protect your sensitive information, including while it is in transit via email.  One caveat: OpenPGP protects the message body and attachments, not the headers, so the subject line and the sender and recipient addresses remain visible.

Kudos to the developers behind FireGPG.
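The sign-and-encrypt / decrypt-and-verify cycle that FireGPG drives behind the Gmail compose window, shown here with the gpg command line in a throwaway keyring.  This is an added example, not FireGPG's own code.  It assumes GnuPG 2.1 or later on PATH; the user ID, the message text and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not FireGPG's code): sign+encrypt a message body with GnuPG,
# then decrypt it and check the signature, using a temporary keyring.
# Assumes gpg 2.1+ (for --quick-generate-key and --pinentry-mode loopback).
set -eu

WORK="$(mktemp -d)"
GNUPGHOME="$WORK/gnupg"
export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Constructed test identity; a real sender/recipient pair would have two keys.
KEY_UID='Alice Example <alice@example.invalid>'

# gpg with the flags needed to run unattended. --trust-model always is used
# only because the key is our own fresh test key; in practice you verify the
# recipient's fingerprint out of band instead of disabling the trust check.
g() {
  gpg --batch --quiet --yes --trust-model always \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Unattended key generation with an empty passphrase (demo only).
g --quick-generate-key "$KEY_UID" default default never

# Sign with our key and encrypt to the recipient. The output is ASCII-armored,
# which is what lets FireGPG paste the result into a web mail text box.
sign_and_encrypt() {   # $1 plaintext file, $2 recipient uid, $3 armored output
  g --armor --sign --encrypt --local-user "$KEY_UID" \
    --recipient "$2" --output "$3" "$1"
}

# Decrypt and verify. Succeeds only if gpg decrypted the message AND reported
# GOODSIG on its machine-readable status channel. An encrypted-but-unsigned
# message decrypts fine yet fails here, because nothing proves who wrote it.
decrypt_and_verify() {  # $1 armored input, $2 plaintext output
  rm -f "$WORK/status"
  g --status-file "$WORK/status" --output "$2" --decrypt "$1" || return 1
  grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status"
}

# Returns 0 when the signed message round-trips intact and the unsigned one is
# rejected by the verify step; this is the block's checkable result.
demo() {
  # Constructed message text.
  printf 'Order 4711: ship to 1 Main St, card ending 1234\n' > "$WORK/msg.txt"

  sign_and_encrypt "$WORK/msg.txt" "$KEY_UID" "$WORK/signed.asc" || return 1
  decrypt_and_verify "$WORK/signed.asc" "$WORK/out.txt" || return 1
  cmp -s "$WORK/msg.txt" "$WORK/out.txt" || return 1

  # Encryption alone: confidential, but not authenticated. Must be rejected.
  g --armor --encrypt --recipient "$KEY_UID" \
    --output "$WORK/unsigned.asc" "$WORK/msg.txt" || return 1
  if decrypt_and_verify "$WORK/unsigned.asc" "$WORK/out2.txt"; then
    return 1
  fi
  return 0
}

demo && echo 'signed message verified; unsigned message correctly rejected'
```

The point of checking `GOODSIG` rather than gpg's exit status alone is that `--decrypt` succeeds on an unsigned message; a web mail plug-in that only reports "decrypted OK" gives the reader no evidence of who sent it.  With two real parties, Alice signs with her own secret key and encrypts to Bob's public key, and Bob's verification only means something if he obtained Alice's key fingerprint through a channel other than the email itself.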

Thursday, 24 May 2007

Stony Brook University Web Site Exposes the Names and Social Security Numbers for 89,853 Faculty, Staff, Students, Alumni, and University Community Members

Stony Brook University has disclosed (www.stonybrook.edu/disclosure) that a Health Sciences Center library web site accidentally exposed a data file containing the names, Social Security numbers, and university ID numbers of 89,853 faculty, staff, students, alumni, and other members of the university community.

Although the university believes the disclosure was accidental, this incident is very troubling.  Why did the university keep this sensitive information in a single computer file without any encryption?  And why was such a file stored on a web server at all, where one misconfiguration or stray link makes it world-readable?

Perhaps this incident at Stony Brook University will help other institutions of higher learning rethink their information security governance and privacy initiatives.  How many more incidents like these will happen before the U.S. Congress mandates stricter information security and privacy measures for educational institutions?

Wednesday, 23 May 2007

Hacked: University of Colorado at Boulder Announces the Potential Exposure of 44,998 Names of Students and Their Social Security Numbers

The University of Colorado at Boulder has announced (http://www.colorado.edu/news/releases/2007/224.html) a data breach that has placed the names and Social Security numbers of 44,998 students at risk for identity theft (ID theft). 

The intrusion on the computer server for the College of Arts and Science's Academic Advising Center was discovered on May 12 by university IT security staff.  Initial review indicated that an intruder was able to install a malicious program, known as a computer worm, on the affected server.  At this time the university does not believe the personal information, including Social Security numbers, was accessed by the intruder.  However, the university is providing a website with additional information for the affected students at: http://www.colorado.edu/its/security/aac052007/.

I agree that universities should foster a culture of openness and sharing, but they must also balance the need for openness with robust information security governance and privacy protection programs.

University of Pittsburgh Medical Center (UPMC) Donor Solicitation Mailing Exposes the Social Security Numbers for 6,000 Former Patients

A donor solicitation mailing by the University of Pittsburgh Medical Center (UPMC) exposed the Social Security numbers of 6,000 former patients.  According to the Post-Gazette (http://www.post-gazette.com/pg/07142/787898-28.stm), the mailing included donor response cards with each patient's Social Security number embedded in a tracking code.  That tracking code could then be visible through the window of the return envelope mailed back to UPMC.  Last week, UPMC apologized to those affected and offered one (1) year of free credit monitoring to the patients affected by this incident.

In recent years, health care institutions have faced increasing challenges in complying with regulatory requirements for information security and privacy.  However, they should do more to protect the personal information of their patients.  In the U.S., health care institutions have not made information security and privacy areas of serious consideration or investment.  Most seek to meet regulatory requirements but fail to look beyond the myopia of regulatory compliance; a Social Security number should never have been used as a tracking identifier on a mailing in the first place.

Tuesday, 22 May 2007

Illinois Department of Financial and Professional Regulation (IDFPR) Data Breach Exposes the Social Security Numbers and Personal Information of 300,000 Realtors, Mortgage Brokers, and Loan Originators Licensed in Illinois

The Illinois Department of Financial and Professional Regulation (IDFPR) has acknowledged (http://www.idfpr.com/breachinformation.asp)  a data security breach that occurred in January 2007 and which was confirmed on May 3, 2007, at which time the IDFPR referred the incident to State and Federal law enforcement agencies.

This data breach incident is troubling because it has exposed the personal information, including Social Security numbers, of over 300,000 realtors, mortgage brokers, and loan originators licensed to operate in the State of Illinois.  The IDFPR delayed notifying the public at the request of the law enforcement agencies working on the case.  Although as a consumer I don't agree 100%, as a security professional I'll extend the benefit of the doubt to the law enforcement community, because they may have good reasons to delay public disclosure in an attempt to bring those responsible for this crime to justice.

Regardless of the outcome of criminal investigation of this incident, there should be more accountability, resources, and technology within state and local governments to better protect the information of all citizens.  If state and local governments fail to protect our personal information from being placed at risk for fraud and abuse, we will not as a nation or as local communities be able to meet the challenges of homeland security effectively.

Monday, 21 May 2007

Alcatel-Lucent (Euronext Paris and NYSE: ALU) Places Personal Information for Thousands of Employees at Risk for Identity (ID) Theft

On Friday May 18, Alcatel-Lucent (Euronext Paris and NYSE: ALU) acknowledged that a CD-ROM containing the personal information, including names, addresses, Social Security numbers, birth dates and salary information, of several thousand employees and Lucent retirees and their dependents was lost while being shipped via courier.  Alcatel-Lucent has stated the data affects only employees of Lucent Technologies from before the merger with Alcatel.  The company is offering one (1) year of free identity theft protection and credit monitoring to affected employees.

Every week we read or hear news stories about data losses incurred by organizations of all sizes.  Most headlines fail to highlight the steps organizations can take to safeguard the information they are entrusted with.  In this case, Alcatel-Lucent made an error in judgment in failing to implement basic information security technologies, such as data encryption, to protect the personal information of employees stored on any computer media leaving their facilities; with the disk encrypted and the decryption key sent by a separate channel, a lost courier package is an inconvenience rather than a breach.  This incident illustrates the fact that even technology-savvy organizations can fail to protect sensitive information by ignoring the proper use of information security controls such as data encryption.

It is time for organizations to make the security and protection of sensitive information a forethought and not an afterthought. 


Alcatel Press Release

Alcatel-Lucent Notifies Employees and Retirees of Former Lucent Technologies of Missing Computer Disk Containing Personal Information

Thursday, 17 May 2007

Unspecified Number of IBM (NYSE:IBM) Employees at Risk for Identity Theft Due to Computer Data Backup Tapes Being Lost

Imagine driving through the intersection of Interstates 287 and 684 in Westchester County, New York, and seeing a few computer backup tapes fall from the back of a truck.  This happened when a contractor was using the truck to transport computer equipment between IBM (NYSE:IBM) offices.  Although the incident occurred in late February 2007, the missing tapes have not been recovered to date.

IBM has quietly offered a reward for the return of the missing backup tapes through ads in a few local New York newspapers.  IBM has confirmed that the missing tapes contain sensitive personal information including names, addresses, dates of birth, Social Security numbers, and employment service dates for an unspecified number of current and mostly former IBM employees.  IBM is offering affected employees free credit monitoring services for one (1) year.

IBM is a leading company in the information security services industry.  However, this incident demonstrates the fact that all organizations are at risk for security lapses.  IBM is a large, sophisticated organization with a broad and deep understanding of information security, but it has publicly acknowledged that some of the missing backup tapes may not have been encrypted to protect the data they contained.

Data encryption is a basic information security control that protects data on media that is lost or stolen, provided the key is managed apart from the media itself.  Perhaps other organizations can learn from IBM's experience in this case and implement basic protection measures such as encryption of all backup media before it leaves the data center.


Computerworld - IBM contractor loses employee data in transit
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019518&intsrc=hm_list

Tuesday, 15 May 2007

Computer Security Breach at Goshen College May Have Exposed Personal Information on 7,300 Students and Parents

Goshen College (www.goshen.edu) suffered a computer network security breach by an apparent attacker attempting to use Goshen's computer systems for distributing spam e-mail. 

The attack may have exposed the personal information of 7,300 students.   According to Goshen's public statements, the potential data breach may have included "names, addresses, birth dates, Social Security numbers and phone numbers of students and some information on some parents".

Goshen issued an advisory (http://www.goshen.edu/news/pressarchive/05-11-07-security.html) on Friday May 11, 2007.

When will educational institutions learn to protect the personal information of students, faculty, and staff?  How many more data breach incidents will we as a society have to suffer for organizations to do the right thing in protecting our personal information?

Monday, 14 May 2007

Visa Pressuring Financial Institutions and Businesses to Avoid Using Insecure Credit Card Payment Processing Software Applications

Visa International is urging payment software application vendors to conform to Visa's "Payment Application Best Practices"  or PABP.   Although most financial institutions and merchants already follow the "Payment Card Industry" (PCI) data security standards, Visa is taking the issue of credit card holder data security one step further. 

Recently Visa sent out a letter strongly urging financial institutions to stop using software from six vendors whose payment applications do not, at this time, meet the security guidelines of the PABP.  It is important to note that following the PABP is currently a voluntary step for software application vendors.  While not mandatory, over 155 payment applications from 83 vendors have already been certified by Visa under the PABP guidelines.

For a long time, information security professionals have been urging stronger software application security.  Visa's actions in developing the PABP and encouraging application security guidelines are commendable.

If your business is using payment processing applications that are not certified under the PABP, then per Visa's stance your business will fail PCI compliance.  With fines of up to $500,000 (USD) for each incident of non-compliance with the PCI guidelines, it is in the best interest of every business subject to PCI compliance to heed both the PCI and PABP guidelines.

For more information including a list of certified applications under the PABP please visit: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html