Tuesday, November 25, 2008

Stolen laptop puts Starbucks workers' IDs at risk

Story Published: Nov 24, 2008 at 9:16 PM PST. KOMO News Channel 4.
SEATTLE -- Starbucks Corp. has issued a troubling e-mail to more than half of its workforce, alerting workers that a stolen laptop could put the personal information of 97,000 employees in jeopardy.

"We are writing to inform you of a recent incident that may have involved a breach of your private information (including name, address and social security number)," stated the e-mail sent out on Monday.

According to Starbucks, the laptop was stolen back on October 29 at an unspecified location (Chula Vista, CA). It's unclear why the company waited four weeks to notify its employees. 

So far, there's no indication the data has been misused. Still, the company is advising employees to monitor their financial accounts, and be on the lookout for signs of identity theft.

This is not the first time Starbucks has had employees' personal information compromised due to a laptop theft. 

Two years ago, the personal information of more than 60,000 employees and contractors was compromised when four computers disappeared. At the time, the company said it was implementing a policy that forbids putting critical data such as social security numbers on mobile equipment.

On Monday, on a popular blogging site for Starbucks workers, comments echoed nervousness from those who got the emailed warning.

"This is very frustrating! I try so hard to watch who I give my personal information to and the company I work for doesn't seem to have any security guarding my information," one commenter wrote. 

To help those 97,000 workers keep on the lookout for identity theft, Starbucks is providing them with a full year of credit watch service for free. 

Starbucks could not be reached for comment.

Sunday, November 16, 2008

IT security policy enforcement struggles

Dan Raywood | October 30, 2008

Companies are struggling to come to grips with the basics of vulnerability management, says Chris Schwartzbauer, vice president of development and customer operations at Shavlik Technologies.

During a presentation at the PCI Europe conference in Brussels, Schwartzbauer said organizations often seem to be working in the dark when it comes to enforcing IT security policy and compliance with external regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27002. He added that security administrators are recognizing the need to develop a meaningful overview of what machines are on and connecting to their network.

“You can't secure what you don't know about, and unfortunately the unknowns are many,” Schwartzbauer said. “IT administrators are often unaware of all of the servers live on their network, let alone their relevance or desired configuration, mobile computers are missed during scheduled vulnerability checks, old or unauthorized account privileges persist. And virtualization has made it all too easy for users to ‘create’ more machines that must be protected.”

In his remarks, he said organizations are challenged by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time-consuming to interpret, and a reticence to automate where manual processes are no longer adequate.

“Decision makers, the CIO, security and risk managers assume the basics are resolved because the investment has been made in sophisticated security strategy and technologies,” he said. “But it is in the mundane processes, the policy and configuration management, where the vulnerability gaps are left wide open.”

He continued: “Until these basics are effectively managed, there will always be a risk to company security and any effort at compliance with security policy or external regulation.”
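The "unknowns" Schwartzbauer describes (hosts nobody inventoried, mobile machines that skip scheduled checks, privileged accounts that outlive their owners) are exactly what a reconciliation job catches. The following is an added example, not code from Shavlik or from the article: it compares a constructed authorized-host inventory against constructed DHCP lease lines in a hypothetical log format, and reviews a constructed account list for privileges that are idle or belong to departed users. Every hostname, IP address and account is made up for the example.

```python
import re
from datetime import date, timedelta

# Constructed inventory (hypothetical): what the CMDB says is authorized.
AUTHORIZED_HOSTS = {
    "web01": "10.0.1.10",
    "db01": "10.0.1.20",
    "laptop-anna": "10.0.2.15",   # a mobile machine that is rarely on the LAN
}

# Constructed DHCP lease log lines in a simple hypothetical format:
# "<date> <time> DHCPACK <ip> <mac> [<hostname>]". laptop-anna never appears,
# and two machines appear that the inventory knows nothing about.
DHCP_LEASES = """\
2008-10-30 08:01:12 DHCPACK 10.0.1.10 00:11:22:33:44:01 web01
2008-10-30 08:02:40 DHCPACK 10.0.1.20 00:11:22:33:44:02 db01
2008-10-30 09:15:03 DHCPACK 10.0.1.77 00:11:22:33:44:99 vm-test-3
2008-10-30 11:05:17 DHCPACK 10.0.2.40 00:11:22:33:44:7a
"""

LEASE_RE = re.compile(r"^(\S+ \S+) DHCPACK (\S+) (\S+)(?: (\S+))?$")


def parse_leases(text):
    """Return {ip: hostname_or_None} for every DHCPACK line; ignore anything else."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, _mac, hostname = m.groups()
        seen[ip] = hostname
    return seen


def unknown_hosts(authorized, observed):
    """Machines seen on the wire that no inventory record explains (e.g. ad-hoc VMs)."""
    known_ips = set(authorized.values())
    return {ip: name for ip, name in observed.items() if ip not in known_ips}


def missing_hosts(authorized, observed):
    """Inventory entries never seen: stale records, or mobile machines that skip the scans."""
    return {name: ip for name, ip in authorized.items() if ip not in observed}


# Constructed account records (hypothetical):
# (username, is_privileged, last_login ISO date, owner_still_employed)
ACCOUNTS = [
    ("alice", True, "2008-10-28", True),
    ("bob", False, "2008-10-29", True),
    ("svc-backup", True, "2008-05-02", True),     # privileged, idle for months
    ("contractor7", True, "2008-07-14", False),   # privileged, owner has left
]


def stale_privileges(accounts, today_iso, max_idle_days=90):
    """Privileged accounts idle past the threshold or whose owner is gone."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=max_idle_days)
    flagged = []
    for user, privileged, last_login, employed in accounts:
        if not privileged:
            continue
        if not employed or date.fromisoformat(last_login) < cutoff:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    observed = parse_leases(DHCP_LEASES)
    print("unknown on network:", unknown_hosts(AUTHORIZED_HOSTS, observed))
    print("in inventory but unseen:", missing_hosts(AUTHORIZED_HOSTS, observed))
    print("stale privileges:", stale_privileges(ACCOUNTS, "2008-10-30"))
```

Each of the three results maps to one of the gaps in the talk: unknown hosts are the "servers live on their network" nobody knew about, unseen inventory entries are the mobile computers that miss scheduled checks, and the stale list is the "old or unauthorized account privileges" that persist. In practice the observed side would come from several sources (DHCP, ARP, switch tables, VM manager) and the job would run on a schedule rather than once.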

California laws will increase penalties for patient data snoopers

Dan Kaplan | October 01, 2008

California Gov. Arnold Schwarzenegger on Tuesday signed two bills into law that will allow the state to impose harsher penalties on hospital workers who inappropriately access patient data.

The bills -- authored by Democratic Sen. Elaine Alquist and Assemblyman Dave Jones -- hold health care providers responsible for protecting patient data from unauthorized access, and set fines for violators of up to $250,000 per incident.

The legislation was spurred on by a March report in the Los Angeles Times that staff at the UCLA Medical Center snooped on the medical records of Britney Spears and California First Lady Maria Shriver.

"Medical privacy is a fundamental right and a critical component of quality medical care," Schwarzenegger said in a statement. "Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed..."

According to the governor's office, existing laws made it difficult to impose and enforce fines unless a district attorney or the state attorney general got involved.

Privacy advocates lauded the bills' passage.

"Your medical privacy is one of those areas where once the information is out, it's very difficult, if not impossible, to get it back," says Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse. 

"With financial privacy, while it's bad when there's a disclosure, most of the time you're able to recover from it," he told SCMagazineUS.com on Wednesday. "Medical privacy issues are different, particularly with someone who may have a condition or a disease that may cause embarrassment. That's something you're going to have to live with for the rest of your life." 

Monday, October 20, 2008

Fake FedEx Email Borne Malware Alert

Over the last 24 hours we have seen a large influx of a new email-borne malware campaign alleging to be a notification of non-delivery from FedEx.
The email claims that you sent a package on July 25 but that, because the recipient's address was incorrect when it was shipped, it has not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect the package at the FedEx Office (the office address is not given, which should be one clear indicator that something is fishy about the email).

Sample subject lines that we have seen in our Threat Operations Center include:

You Have A Package!!!
Tracking N

Volumes have been pretty high: we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email-borne malware that we have seen over that same period.

It's times like this that we are reminded that, although many of the large-scale malware campaigns we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.

If You Predict It, Spam Will Come

I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September. The latest edition can be downloaded here.


In that report we predicted that, as the Democratic and Republican National Conventions concluded and the campaign season kicked into high gear, we would see a continuation of some of the more recent spam tactics, in which hackers use tabloid-like news headlines as a lure to get people to open malicious emails, but with a political twist. So, instead of using fake Britney Spears or Oprah headlines to get unsuspecting users to view a video or news clip, the movement has started toward targeting Barack Obama using similar means.

Some of the subject lines that we are currently seeing targeting Obama are:

Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl

Note that we have not yet seen any similar tactics targeting John McCain.

Volume on this tactic is currently extremely low (fewer than 100 have been seen thus far), but this is likely a proof-of-concept method that will play itself out over the next two months as spammers move to more believable tactics. Instead of tabloid-like headlines, be on the lookout for emails containing attachments or links to sites claiming to host the latest candidate television commercial or a video with excerpts from a speech at their latest campaign stop.

Obviously there is a bit of a shock factor with these tabloid-like headlines that grabs people's attention, but since this tactic has been around for several weeks now, expect it to morph into lures that are far more plausible in the very near future.
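Both campaigns above (the FedEx non-delivery notice with its .zip "invoice" and no office address, and the tabloid-style political subject lines) can be caught on the filter side with a handful of content checks. The following is an added example, not MX Logic's filtering code: it parses three constructed sample messages with Python's standard `email` module and reports which of the indicators described in these posts each one trips. The sender addresses, the address/tracking-number regex and the exclamation-mark threshold are assumptions made for the example.

```python
import re
from email import message_from_string

# Indicators taken from the two campaigns described above.
PACKAGE_SUBJECT = re.compile(r"\b(package|tracking|delivery|invoice)\b", re.I)
TABLOID_WORDS = re.compile(r"\b(sex|porno?|hardcore|video|pornstar|ponstar)\b", re.I)
CANDIDATE_NAMES = re.compile(r"\b(obama|mccain)\b", re.I)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|exe|scr)$", re.I)
# Assumption for this example: a real non-delivery notice names an office
# address or carries a long tracking number; a lure that says "collect it at
# our office" without either is suspect.
ADDRESS_OR_TRACKING = re.compile(
    r"\b\d{1,5}\s+\w+\s+(st|street|ave|avenue|rd|road|blvd)\b|\b\d{10,}\b", re.I)

# Constructed sample messages (not real captures).
SAMPLES = {
    "fedex_lure": """\
From: "FedEx" <noreply@example.invalid>
Subject: You Have A Package!!!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unfortunately we were not able to deliver the package you sent on July 25
because the recipient's address is not correct. Please print out the attached
invoice and collect the package at our office.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
""",
    "political_lure": """\
From: news@example.invalid
Subject: Barack Obama sex story with Ukrainian girl
Content-Type: text/plain

Watch the video here: http://example.invalid/video
""",
    "benign": """\
From: colleague@example.invalid
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free for lunch on Thursday at noon?
""",
}


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg):
    """Concatenated text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def lure_indicators(raw):
    """Return the list of indicators a raw RFC 822 message trips (empty = none)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    reasons = []
    if any(ARCHIVE_EXT.search(n) for n in attachment_names(msg)):
        reasons.append("archive or executable attachment")
    if PACKAGE_SUBJECT.search(subject) and not ADDRESS_OR_TRACKING.search(body):
        reasons.append("delivery-themed lure with no office address or tracking number")
    if CANDIDATE_NAMES.search(subject) and TABLOID_WORDS.search(subject):
        reasons.append("tabloid-style political subject line")
    if subject.count("!") >= 3:
        reasons.append("excessive exclamation marks in subject")
    return reasons


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {lure_indicators(raw) or 'no indicators'}")
```

The point of returning a list of reasons rather than a yes/no is that a production filter would weight them: an archive attachment alone is common in legitimate mail, but combined with a delivery theme and no address it is the pattern described above, and the political-lure rule will need its word list refreshed as the headlines change.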

Posted by smasiello at 12:15 PM at MX Logic

Thursday, September 25, 2008

Keylogger Infects Laptops Used on Space Station

According to this story posted on Wired yesterday, a keylogger has been found on laptops used on the space station. The malware, W32.Gammima.AG (see here for the description on Symantec's web site), has been around since August 2007 and steals passwords for a few online games (rather obscure here in the United States).

You are thinking "So what? What risk does an online game keylogger pose to a laptop on the space station? Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one-year-old virus. I don't know about you, but that sends up lots of red flags to me! This obviously begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, yet undetected, rootkits and keyloggers on those machines. Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to? What information has been exposed to theft or compromise, either from the laptops or from other exposed machines on the NASA network? What was done with these laptops once the virus was detected? Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!), or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed?

Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries. Where else within the federal government does the potential for similar security breaches exist? Are potential data leakages like this something that the Department of Homeland Security is focused on preventing? If not, they should be! Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Posted by smasiello at 2:22 PM at MX Logic

Friday, September 19, 2008

Underestimating the Insider Threat

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that damage is minimal does not. Companies have been fighting the virus wars for years now. Although insider espionage has been a potential issue for much longer than computer viruses, it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however, is how easily insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is that they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?" but rather "When will you have a security incident?", and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage or deletion already has access to the information they need; they don't have to break in or be sneaky to get it.

Posted by smasiello at 8:49 AM at MX Logic