Educause Security Discussion mailing list archives

Re: "Porn-surfing hits taxpayer IDs"


From: Brendan Callahan <BCallahan () ROCKETREADY COM>
Date: Wed, 14 Jun 2006 16:59:27 -0400

 

Great line from this article...

 

"In the struggle against online data thieves, the incident highlights
the weakest link in the most advanced security systems: individuals who
break security rules and intentionally or unintentionally expose
computer systems to data thieves."

 

The human firewall needs continual updating, patching, and testing! I'm
talking to a company called Pearl Software (www.pearlsoftware.com
<http://www.pearlsoftware.com/>) that has software that lets you limit
a user's web browsing even if they're not on your VPN. That way, when
your laptop users go off your network, they can't infect their PC and
then spread it when they log back on. I haven't met with them yet, so
I'm not endorsing the product (though I'm sure it's fine) but it seems
like it would help in such situations.

 

Brendan Callahan

RocketReady

888.395.1996 x224 

www.RocketReady.com

The Human Side of Security (tm)

 

 

-----Original Message-----
From: Jere Retzer [mailto:retzerj () OHSU EDU] 
Sent: Wednesday, June 14, 2006 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "Porn-surfing hits taxpayer IDs"

 

From today's Oregonian. Here is another threat/risk to consider. Does
anyone know about other incidents of trojans stealing personal data? I'm
also looking for safeguards to build into web-based applications used to
access sensitive data to prevent malware on individual PCs from
harvesting the data. Thanks

 

Article from the Oregonian follows:

 

Porn-surfing hits taxpayer IDs

Security breach - More than 1,300 people face identity theft after a
state employee let in data-stealing spyware

Wednesday, June 14, 2006

JOE ROJAS-BURKE

The Oregonian

 

Oregon Department of Revenue officials thought they were tightly secured
against data theft. An elaborate firewall around their computer system
fended off hackers. Virus detection software, updated every two hours,
constantly screened incoming e-mail and downloads for malicious
programs.

 

But the technology did not stop an employee from using an office
computer to surf porn sites and download a Trojan horse, a hidden
spyware program not yet known to intrusion-detection software. The
Trojan installed itself Jan. 5 and for the next four months secretly
captured and relayed data to the hackers who created it.

 

More than 1,300 taxpayers are now at risk of identity theft. The
Department of Revenue, which disclosed the security breach Tuesday, said
the confidential data consisted of Social Security numbers, names and
addresses but included no tax records or financial or credit card
information.

 

In the struggle against online data thieves, the incident highlights the
weakest link in the most advanced security systems: individuals who
break security rules and intentionally or unintentionally expose
computer systems to data thieves.

 

"No matter how hard you try, no matter how many policies you have in
place, no matter how many times you've trained your people, these things
will happen," said Jim Hudson, president of Amcrin Corp., a security
firm in West Linn.

 

"Everybody who handles confidential data should have a plan on how to
handle this risk," Hudson said.

 

Like many institutions, the Department of Revenue appears to have been
caught flat-footed. On Tuesday, officials had not finalized a plan for
responding to the security breach, which they discovered May 15 while
searching the computer hard drive of an employee who had been caught
downloading pornography at work and fired.

 

The department has not decided whether to pay for credit monitoring or
other protective services, which banks and other private institutions
often provide to customers after a data theft.

 

"We are trying to figure out how that would be done and what the cost
would be," said Don O'Meara, administrator of information processing for
the Department of Revenue. He said the department intends to inform each
affected taxpayer and began mailing notices Monday.

 

The vulnerability to such an attack surprised the department's
technology staff, O'Meara said. In addition to the firewall with
frequently updated intrusion-detection software, the department
routinely blocked employee access to thousands of porn and other Web
sites known for transmitting malicious spyware.

 

The department updated the list of blocked sites every 24 hours, but
like fast-multiplying germs, the Web sites overwhelmed its defenses.

 

"There are so many new sites, we couldn't keep up with them," said
Rosemary Hardin, a department spokeswoman.

 

"We maybe had a false sense of security," O'Meara said.

 

The risk to the affected taxpayers is difficult to estimate. The
creators of Trojan horses typically unleash them in hopes of capturing
log-in names and passwords to bank and credit card accounts to steal
from directly, Hudson said.

 

The Trojan horse gathered the equivalent of 7,000 text pages of data.
But O'Meara said his staff spent weeks poring over the data and found no
tax files or financial information. He said it was limited to Social
Security numbers, names and addresses.

 

He said the department is taking steps to heighten security and also has
banned employees from accessing Web sites for personal use. 

