Posts categorized "Web/Tech"

May 14, 2007

Citibank: Online User Authentication Security Mechanism Thwarted

An Indian computer hacker known as Yash K.S. has found a way to manipulate a computer to thwart the virtual keyboard user authentication security mechanism which Citibank had employed in its online banking presence in India.  Yash has published details of this exploit at http://www.tracingbug.com/index.php/articles/view/23.html  A virtual keyboard is meant to defeat hardware and software keystroke loggers; it offers no protection against malware that already controls the customer's computer, which can record the screen or the mouse clicks instead of the keys.

Ok, enough of the technology jargon and geek speak.   I'm confident Citibank spent a lot of time and money developing this security mechanism to ensure the security of its online banking services.  For being proactive in developing new methods of securing online banking, Citibank gets my sincere thanks as a banking industry consumer.   

The biggest lesson is that no matter what a business or organization does to protect its technology systems, there will always be someone willing to spend a lot of effort (time and/or money) finding ways to breach its information security mechanisms.  Risk cannot be avoided, only managed and minimized.

April 27, 2007

Luxury Data Breach: Neiman Marcus loses social security numbers, birth dates, and salaries for 160k employees

I still don't know why companies allow highly sensitive information belonging to their employees and customers to be stored on laptop computers.  Haven't organizations learned the painful lessons of data breaches and the potential for ID fraud when information stored on laptop computers is either lost or stolen?

The latest retailer to commit a cardinal sin of information security, storing sensitive personal information on 160,000 employees on a laptop, is the luxury retailer Neiman Marcus.  The stolen laptop, belonging to a Neiman Marcus consultant, contained names, dates of birth, Social Security numbers, AND salaries!  It is inexcusable for Neiman Marcus to have allowed this data loss/theft to occur.

The investor groups Texas Pacific Group and Warburg Pincus LLC who acquired The Neiman Marcus Group in October 2005 should strongly reprimand the senior and operational management of The Neiman Marcus Group for allowing this data loss/breach to occur under their watch. 

My sympathies to the 160,000 affected employees of Neiman Marcus. 

Press release from Neiman Marcus
http://media.corporate-ir.net/media_files/irol/11/118113/nmi_PressRel_070424.pdf

Neiman Marcus loses data on 160K employees - MSNBC
http://www.msnbc.msn.com/id/18298006/

April 10, 2007

40,000 Chicago Public Schools Educators' Social Security Numbers Exposed to ID Theft Risk

Two laptop computers were stolen last week from the Chicago Public Schools (CPS) headquarters. The two laptop computers belonged to the accounting firm of McGladrey and Pullen and were being used by its subcontractors, who were analyzing information related to Chicago Teacher Pension Fund contributions.

Unfortunately, the laptop computers contained the Social Security numbers of CPS employees who had contributed to the pension fund from 2003 to 2006. CPS is offering to pay for one year of credit monitoring for anyone whose Social Security number was placed at risk. The $10,000 reward CPS is offering for information leading to the arrest of the suspect(s) who stole the laptops is insufficient, considering the level of identity theft risk faced by over 40,000 educators.

CPS never should have permitted laptop computers belonging to subcontractors to hold sensitive information. If there was a justifiable reason for allowing those laptops to store and process financial information, then CPS should have mandated basic security controls on those laptops, including encryption of the data at rest, so that a stolen machine would yield nothing readable.  Just last week another educational institution, the University of California, San Francisco, acknowledged a data breach in its computer systems which placed 46,000 people at risk of identity theft.

Educational institutions are by design places with a culture of openness, a culture at odds with restrictive information security management policies. However, educational institutions should apply the lessons learned by business organizations in order to better protect personal information belonging to their constituents. When will educational institutions become savvier about protecting our information?

As a security professional and executive, I can tell you that there is enough technology available to protect our information. The problem in security is not the tools (i.e. the technology) but how effectively and wisely you use them.  Chicago Mayor Richard M. Daley should make sure this never happens again.

Until next time.


NBC5.com
http://www.nbc5.com/news/11592000/detail.html

Chicago Tribune
http://www.chicagotribune.com/news/local/chi-070409cps,1,1399066.story?coll=chi-news-hed

CBS 2 Chicago
http://cbs2chicago.com/topstories/local_story_099184939.html

Click Download TheCSOBoard-Podcast.mp3 for this blog post, and be sure to subscribe to our podcast feed link on this page.

April 05, 2007

University of California, San Francisco: Warning 46,000 people of possible identity theft risk after serious data breach in late March 2007

On April 4, 2007, the University of California, San Francisco (UCSF) issued a warning to 46,000 people to be on alert for identity theft, and offered counseling to anyone affected by a potential data breach at UCSF.

The data breach in question may have exposed the personal information of 46,000 people, including their names, Social Security numbers, and the bank account numbers used for payroll direct deposit.  The breach was detected on a server located at the University of California (UC) central data center.

To read the UCSF notices please visit:

http://pub.ucsf.edu/newsservices/releases/200704041/

http://pub.ucsf.edu/today/cache/news/200704043.html

http://oaais.ucsf.edu/notice/

UCSF recommends that those affected by identity theft seek assistance from the following government entities and credit bureaus.

Federal Trade Commission (http://www.consumer.gov/idtheft/)

Social Security Administration fraud line (1-800-269-0271)

Major Credit Bureaus:
Equifax (1-800-525-6285)
Experian (1-888-397-3742)
TransUnion (1-800-680-7289)

California State Government Identity Theft Victim Checklist (http://www.privacy.ca.gov/cover/identitytheft.htm)

March 29, 2007

NYSE:TJX -- 46 Million Credit Cards Stolen - Security Breach, Part 3

I've already commented twice on this blog on the TJX Companies, Inc. (NYSE: TJX) data security breach. 

What is alarming is that TJX is now letting the public know that over 46 million credit card numbers may have been compromised over a period of 18 months.  What is even more alarming is that TJX readily admits it may never be able to provide a complete count of the total number of credit cards compromised.

That's a candid admission, one I'm sure is not easy in this day and age of rampant litigation.  However, as a former Chief Information Security Officer (CISO), I'm grateful that TJX has the courage to be an honest corporate citizen in admitting its errors publicly and taking very public steps to correct its technical IT security deficiencies. 

It takes real honesty to make such admissions.  While most companies would be running for cover wishing the news story to go away, TJX has been candid with details on their investigation and corrective steps to ensure this never happens again within their organization. 

To TJX:  Thanks for being honest about your mistakes. May your experience serve as a lesson to other companies and organizations.

To Business Owners and Executives:  Please learn from TJX's experience.  Make information security a critical business issue and a top priority in your organizations.


CNN - T. J. Maxx owner: 46M card numbers stolen

http://money.cnn.com/2007/03/29/news/companies/tjx/index.htm?cnn=yes

March 12, 2007

Stronger Online Security: Extended Validation (EV) SSL Certificate standard

As on-line consumers, most of us are accustomed to shopping on-line.  When shopping on-line, most consumers look for websites that use SSL encryption to protect order forms that ask for credit card numbers and other personal information.  In most web browsers, a padlock icon indicates that the data passing between the web page we are visiting, perhaps an order form, and our computer's web browser is encrypted.   

For SSL to work on our computers, web browsers ship with a built-in set of certificate authority (CA) root certificates.  The browser uses them to check that the certificate presented by the remote website was issued by a CA it trusts, and only then sets up the encrypted connection between the remote website and our computer's web browser. 

One reason consumers have been fooled by fake websites pretending to be major sites such as on-line banks has been the relative ease with which fraudsters have obtained SSL certificates.  A basic (domain-validated) certificate proves only that the applicant controls a domain name, not who the business behind it is.  Thus we were ushered into the age of phishing emails and fake websites that have many times fooled consumers into divulging personal information such as passwords, credit card numbers, and more.   Consumers don't realize how easy it has been for anyone running a website to get an SSL Certificate.

In the past few months the CA/Browser Forum, an industry group of certificate authorities and web browser publishers, has developed working guidelines for a new class of SSL Certificate to be issued by CAs and recognized by browsers.  The Extended Validation (EV) SSL Certificate standard has emerged as a result of this work. 

The cornerstone of the EV SSL Certificate standard is a much stricter, industry-agreed validation process for verifying the legal identity and existence of the organizations to which EV SSL certificates are granted. 

To learn more about the requirements organizations will need to complete to be eligible to receive EV SSL Certificates, please visit:  http://www.cabforum.org/vetting.html.

EV SSL Certificates won't eliminate the need for consumers to be diligent about their on-line security practices.  An EV certificate does not change the encryption at all; it changes only how thoroughly the certificate holder's identity was vetted, so its benefit depends on browsers displaying that distinction and on users noticing it.  End point security solutions are only as strong as the commitment of the people using them and the good use of technology.  Let's hope the EV SSL Certificate standard helps slow down the pace of on-line scams and identity theft.  Although, if history teaches us anything, eventually someone will try to find a way around this good step in ensuring on-line safety and security.

Seagate Technology: Kudos for Encrypted Hard Drive for System Builders

Seagate Technology has begun providing system builders with a new computer hard disk with built-in AES encryption.  The hard disks are being offered under the Momentus® line of products. 

The Momentus® 5400 FDE.2 hard disk drive offers hardware-based encryption using the AES algorithm, a 5400 RPM spindle speed, a built-in 8 MB cache, and a SATA 1.5 Gb/s interface. 

Ok, beyond the geek factor, this drive provokes some important thoughts in light of the recent news stories of stolen or "misplaced" laptop computers.  Hopefully more hard drive vendors will follow Seagate's lead in providing hardware-based solutions to protect data stored on mobile computers.  Although hardware vendors' efforts are commendable, the real responsibility for the protection of data stored on mobile computers lies squarely at the feet of those responsible for information security and technology in organizations. 

Hardware or software end point solutions will never be the cure-all for lapses in judgment, poor information security policies and enforcement, and, most importantly, human behavior.  Note too that such a drive protects data only while it is locked: a drive password must actually be set so that pre-boot authentication is required, and a laptop stolen while powered on and unlocked is as exposed as an unencrypted one.  What technologies like hard disks with firmware-based encryption do provide is one less excuse for poor information security policies and management in today's business organizations. 

It is time for those in areas of responsibility to act responsibly and attempt to prevent serious lapses in corporate information security. 

For more information:

Seagate
http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_5400_fde.2/

March 03, 2007

Commendable: Texas A&M University Forces 96,000 Users to Change Passwords After Attempted Breach

The Associated Press (AP) is reporting that last Wednesday (February 28th) Texas A&M University forced 96,000 computer system users to change their passwords.  The University took action when a monitoring system detected someone attempting to access the server files containing the encrypted passwords of university users.

Texas A&M University's quick action in forcing 96,000 users to change their passwords is commendable.  As a former Chief Information Security Officer, I know it's not always easy for those in leadership and responsible for information security to take such bold actions. 

Take-away lesson:   Computer and information security starts with basic proactive steps we can all take.  Have you changed your passwords recently?  Have you used strong passwords for your on-line banking, e-mail, and websites you frequent?  For tips on creating, using, and managing effective passwords please see the following sites:

National Cyber Security Alliance
http://www.staysafeonline.org/practices/five.html

Microsoft
http://www.microsoft.com/athome/security/privacy/password.mspx
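The following Python is an added example, not code from the original post or from Texas A&M, showing why even an attempt on a file of "encrypted" passwords warrants a forced reset.  It assumes the file stores each password as a salted PBKDF2-SHA256 hash (the page does not say what Texas A&M used); the user names, passwords and wordlist are constructed for the illustration.

```python
"""Added example: what a stolen password file is worth to a thief.

Assumption (not stated on the page): the file stores each password as a
salted PBKDF2-SHA256 hash.  The users, passwords and wordlist below are
constructed for this illustration only.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # PBKDF2 work factor: a deliberate CPU cost per guess


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt means two users with the same password get
    different records, so one guess cannot crack both at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_dictionary_attack(stolen: Dict[str, str],
                              wordlist: List[str]) -> Dict[str, str]:
    """What the thief does with the file: try every wordlist entry against
    every record, offline, with no lockout and no audit trail.  Returns the
    accounts whose password was recovered, mapped to that password."""
    recovered: Dict[str, str] = {}
    for user, record in stolen.items():
        for guess in wordlist:
            if verify_password(guess, record):
                recovered[user] = guess
                break
    return recovered


# Constructed sample credential file (user -> plaintext, hashed below).
SAMPLE_USERS = {
    "aggie01": "football",            # common word: falls to any wordlist
    "aggie02": "Password1",           # common pattern: same
    "aggie03": "correct-horse-7!Zq",  # long and unusual: survives the list
}
SAMPLE_WORDLIST = ["123456", "password", "football", "Password1",
                   "qwerty", "letmein"]


def build_stolen_file(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, str]:
    """Produce the records as they would sit in the server's password file."""
    return {user: hash_password(pw) for user, pw in users.items()}


def demo() -> Dict[str, str]:
    """Hash the sample users, then run the attacker's wordlist over the file."""
    return offline_dictionary_attack(build_stolen_file(), SAMPLE_WORDLIST)


if __name__ == "__main__":
    hits = demo()
    for user, pw in hits.items():
        print("%s: password recovered (%r)" % (user, pw))
    print("%d of %d accounts fell to a %d-word list"
          % (len(hits), len(SAMPLE_USERS), len(SAMPLE_WORDLIST)))
```

Running it recovers the two dictionary passwords within a handful of guesses while the long passphrase survives the wordlist.  Once the file is in the thief's hands the only limit on guessing is CPU time, so every account, not just the obviously weak ones, should be reset after such an event, and the per-guess cost set by the iteration count is what buys the defenders time to do it.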

For more details on this news story see:

Texas A&M University
http://cis.tamu.edu/netid/

KTRK TV - Houston (ABC Affiliate)
http://abclocal.go.com/ktrk/story?section=state&id=5082936

February 25, 2007

NYSE:TJX -- Credit Card Security Breach, Part 2

On February 21, Carol Meyrowitz, President and CEO of The TJX Companies, Inc. posted a letter on the TJX.com website, informing consumers on the progress and preliminary findings of the recently disclosed credit data security breach they've suffered.  (See: http://www.tjx.com/tjx_message.html)

TJX is attempting to keep the general public informed of the findings uncovered so far in the ongoing credit card data breach investigation, and that action is commendable.  TJX has gone one step further and admitted that its initial estimate of the scope of the problem was not accurate.  The ongoing investigation has revealed the data security breach to be more widespread, and it may have begun much earlier than previously estimated. 

As an information security professional and as a consumer, I value and appreciate the updated communication attempts by TJX.   However I find it troubling that other retailers are not coming forth in the wake of these unfortunate events plaguing TJX, to detail to the public and consumers their commitment to more robust data security practices.   

A few months ago on this blog, I wrote about the Payment Card Industry (PCI) Security Standards Council (www.pcisecuritystandards.org).  The PCI Security Standards Council publishes the PCI Data Security Standard, commonly referred to as PCI DSS.  Quoting from the PCI Security Standards Council's website:

"The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data."

The PCI DSS is a good starting point for any retailer, merchant, or credit card processor to lay the foundations for stronger information security practices and defenses.  Up to this point TJX has not said whether it adheres to the PCI DSS or whether it intends to do so going forward.  TJX and other retailers should publicly state, and provide consumers with greater assurance, that they are following industry standard methodologies for the technical and operational security of our credit card transaction data. 

One important step in this direction is for retailers to publicly detail which industry standards for operational and technical security they are adopting.   Some may argue that publishing that information places retailers at higher risk of attack by hackers trying to prove an organization's security is deficient.   Although that may be true, honest disclosure about what a company is doing to earn my trust as a consumer is something I would value and welcome. 

Note to TJX:  Thank you for communicating to the public the progress of your investigation.  Please consider adhering to the PCI DSS and sharing with the public any other proactive measures you will be taking to ensure this unfortunate data breach does not happen again.

February 06, 2007

2007 SC Magazine Awards Gala

Tonight, I had the opportunity of attending the 2007 SC Magazine Awards Gala held in San Francisco.  The list of finalists for consideration in any of the 28 categories can be found at http://www.scmagazine.com/us/awards/categories/finalists.  Congratulations to all the winners!