Harvard Graduate School of Arts and Sciences
http://www.news.harvard.edu/gazette/2008/03.13/99-hacked.html

Boston Globe - Harvard student, applicant files breached
http://www.boston.com/news/education/higher/articles/2008/03/13/harvard_student_applicant_files_breached/

Terrance Brooks, convicted of this identity theft crime had access to Tenet's billing systems which stored patient's personal data including birth data and social security numbers.  According to some news reports, the Brooks was arrested on November 25 after attempting to open a credit card account at a Costco store.  In his possession were data records on 90 patients.  Tenet called those patients immediately and has taken the precautionary step of informing the 40,000 patients who's data could have been accessed by Brooks during his employment.

No company can prevent 100% of insider attacks on their information systems or data by employees.  However, companies can do more and increase their employee education, monitoring, and implement stronger policies and controls to ensure that these types of incidents are minimized.

South Florida Sun-Sentinel
http://www.sun-sentinel.com/news/local/palmbeach/sfl-flpfraud0214sbfeb14,0,42801.story

Darkreading
http://www.darkreading.com/document.asp?doc_id=146095

Services start at $3 per user per year.  Providing enterprise level security products at affordable prices for small businesses is a major benefit of these service offerings by Google. 

For more information see: http://www.google.com/a/security

Georgetown is offering free credit monitoring for those affected by this data loss incident.  A toll-free telephone number (866-740-2458) has been setup to handle questions by those who may be affected by this information security breach.   Georgetown is taking the correct steps in recovering from this incident. 

However, it is still amazing to me with the current proliferation of portable storage devices such as external hard drives and USB memory sticks, that organizations don't put into place and enforce stronger IT policies to prevent storage of such sensitive data without any encryption on removable disks and/or memory media.

When will organizations learn to better protect the personally identifiable information they have been entrusted with by their clients, business partners, and employees?  It is my hope this lesson is learned and these types of data loss incidents don't keep occurring.

The $10 million payment if approved by the U.S. District Court in Georgia, would settle the lawsuit brought by shareholders against named defendants ChoicePoint and certain of its officers.  As part of the settlement, ChoicePoint will admit no liability in the data breach incident.

Score one for big business and shareholders.  However, consumers today still don't have comprehensive federal legislation to protect their data privacy allow impose stiff financial penalties on companies that put their personal information at risk.

Computerworld
http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9059659

GE Money has publicly only identified one retailer, J.C. Penny Co. (NYSE: JCP) as being one of the affected retailers whose data was compromised on the lost backup tape.   In addition GE Money has stated that approximately 150,000 social security numbers for customers of retailers were stored on the backup tape.

GE Money is providing free credit monitoring for one year to those consumers affected and has informed consumers via letters mailed starting in early December 2007.

Data Breach Affects 650k Customers of 230 Retailers
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=311724

GE Money Backup Tape With 650,000 Records Missing At Iron Mountain
http://www.informationweek.com/story/showArticle.jhtml?articleID=205901244

PickyDomains.com, a domain naming company, has added an interesting twist to what has been a traditional marketing discipline.  I will try their services and report back at a later date on the results of this exercise in weblog and domain naming.

If you my readers have any recommendations on a new blog and domain name for this blog, your suggestions are welcome!   Thank you in advance for any suggestions.

The task force will be coordinated by the Office of the Director of National Intelligence (ODNI).  Under the auspices of the ODNI, the Department of Homeland Security (DHS) will coordinate protection efforts for the cyber security of the computer networks for all federal agencies.  The Pentagon will be in charge of coordinating strategic defensive and offensive responses to cyber attacks.

Although this order attempts to centralize the federal efforts to protect our federal agencies from cyber security threats both foreign and domestic, it falls short on one key element.  That element is the inclusion of the public sector industries that are part of our national critical infrastructure such as energy companies, telecommunications providers, and health care organizations such as hospitals, etc.  Failure to include the money and resources for these industries to better protect their critical information networks and assets is detrimental to our national security posture. 

I'm in agreement we need to protect federal agencies from cyber security threats.  However the Federal government must do more than pay lip service to private sector and provide some real economic incentives, technology transfers, research, and coordination efforts with private sector to protect industries critical to our national infrastructure and security.

Washington Post
Bush Order Expands Network Monitoring

The new standards were developed by the North American Electric Reliability Corporation (NERC).  However NERC is charged to manage future development of these standards and also follow the guidance of the National Institute of Standards and Technology (NIST) on issues of cyber security.  This move is a particularly smart move on the part of FERC to ensure that future cyber security standards developed and maintained by NERC are relevant and current to changes in technology and the field of cyber security research.

According to a FERC press release (See: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp) the eight new cyber security standards address the following topics:

• Critical Cyber Asset Identification;
• Security Management Controls;
• Personnel and Training;
• Electronic Security Perimeters;
• Physical Security of Critical Cyber Assets;
• Systems Security Management;
• Incident Reporting and Response Planning; and
• Recovery Plans for Critical Cyber Assets.

Recently we have seen news reports about other countries like China enhance their cyber security and warfare capabilities within their own government and military forces.   However, I'm glad FERC is creating these standards for critical infrastructure protection (CIP) of our nation's power grid to counter the potential threats from other governments and those who would choose to do our country harm.

I hope the power grid operators and electric utility companies quickly implement these standards and help contribute more investment dollars towards the protection of our critical infrastructure assets from cyber and physical security threats.

The fact that this attack may have originated in China is not surprising.   As early as 2006, the U.S.-China Economic and Security Review Commission (USCC), a U.S. Congressional Commission, warned about China's cyber threat capabilities.  According to the 2006 USCC annual report (http://www.uscc.gov/annual_report/2006/chapter3_sec1.pdf), China is creating military information warfare units and shifting its cyberwarefare to become offensive in an effort to disrupt enemy networks and information systems.

The U.S. Government is not alone in its assessment that China poses a major threat in terms of cyberwarefare capabilities.  Recently the United Kingdom's counter-intelligence and security service, MI5, warned that China is sponsoring cyber espionage against key industries in the British economy.

When nations with unlimited resources, like China, decide to integrate cyberwarefare capabilities into their military forces, this fact should cause both private industry and governments around the world to take notice and rethink their views about cyber security.  In the next few years, we will see that state sponsored cyberwarefare will increasingly become a major threat of national security importance.  In order to effectively counter this threat, there must be better cooperation and research between private industry and government.

State Web sites back after hack attack
http://www.mcall.com/news/local/all-a1_5web.6214422jan05,0,2068262.story

Hackers Force Pa. to Shut State Web Site
http://ap.google.com/article/ALeqM5iGKgY3SpKw7_p7A8MGHpTfSpN8mAD8TVE5SG0

The seriousness of the Rolls Royce and Royal Dutch Shell incidents and the increased level of state sponsored hacker attacks have prompted MI5, the United Kingdom's counter-intelligence and security service, to warn other companies to be vigilant against this type of industrial espionage.

State sponsored cyber espionage is a serious threat to the national security of all nations.

Retail merchants and financial institutions are waking up to the reality that they must work together to better protect the integrity, security, and privacy of their customers' financial information.   Let's all hope as consumers that industry can achieve those lofty goals.

For more information see:

• Boston Globe - TJX agrees to reimburse banks
• New York Times - Retailer to Pay $40 Million

"Operation Bot Roast II" is an excellent example of interagency cooperation by U.S. Federal and international law enforcement agencies in the fight against cyber crime.

While the law enforcement community has done their part, it is time for us as consumers to do our part prevent cyber crime.  If you have not already done so, please install anti-virus, anti-spyware, firewall, and wireless encryption defenses to protect your personal computer and networks.   In doing so, each of us can do our part to prevent cyber crime by following basic computer security precautions.

For more information:

• OnGuardOnline.gov
  http://onguardonline.gov/botnet.html
• See my June 13, 2007 blog post
  1 Million Computers Affected by Botnet; FBI Announces

Here are some tips for safe holiday shopping online:

1. Make sure your security software is up-to-date.  Update your anti-virus, anti-spyware, and firewall software to minimize the risk of falling victim to malicious threats like trojans or computer viruses that could attempt to steal your personal information or provide hackers access to your computer.
2. Don't conduct any online shopping on public computers such as those found at cybercafes, public libraries, etc.    The public computer you use, could have spyware or other malicious software installed that in turn could compromise your personal and financial information.
3. When in doubt about a retailer, check them out.  Do an online search on a retailer and read comments from other customers.  Contact the Better Business Bureau and find any additional information they may have on the company.
4. Monitor your credit.  Make it a habit to monitor your credit regularly with the major credit bureaus.

Here are some additional resources for safe online shopping this holiday season.

• The National Cyber Security Alliance
  http://www.staysafeonline.info/basics/shoppingTips.html
• Yahoo! Shopping
  http://docs.yahoo.com/docs/info/consumertips.html

Thanks in part to the collaboration by credit card issuers like Visa and MasterCard, today the PCI (Payment Card Industry) Security Standards Council, an independent organization, is leading efforts and developing industry standards for data security that banks, merchants, and credit card issuers can all agree to adopt as baseline for the protection of consumers' credit card data.  Despite all of these efforts data breaches have occurred because of the reluctance by organizations to implement appropriate data security measures.

It is my hope that the motivation for banks and merchants to act to protect consumers' personal and financial information is not only driven by self-regulatory industry actions.

The State of Nevada is enacting changes to ensure this type of data loss does not happen again including:

• Discs will be signed for and returned to the Personnel Department after every pay period
• Passwords will be required to read data stored on CDs
• State employee information will be correlated to unique employee ID numbers instead of social security numbers

In my opinion, these public relation driven policy changes are window dressing rather than substantive data security, access, and audit controls to prevent the misuse of sensitive personal and financial information for state employees.

It is time government agencies do a better job of protecting our personal and financial information.

The company has admitted customer account information including passwords may have been compromised by non-authorized parties.  According to the article by Australian IT there are more than 1,000 subscribers to Salesforce.com may have been affected in Australia alone.

For more information go to: http://www.administaff.com/idprotection/

When will organizations get serious and do something about the lax policies and procedures in their corporate culture to prevent incidents like these? 

Technology solutions such as data encryption and password protection are only a part of the solution in protecting confidential information.  Organizations must do a better job at defining good corporate policies and procedures for ensuring that confidential information is protected appropriately.  Organizations must do a better job at educating their workforce on the policies, procedures, and risks faced in protecting confidential information.

The "Comcast Cable Law Enforcement Handbook," (download PDF at: http://www.fas.org/blog/secrecy/docs/handbook.pdf) while supportive of U.S. law enforcement community, sets clear guidelines for protecting the privacy of Comcast customers.  Comcast is also requiring $1,000.00 as a setup fee and an ongoing $750.00 monthly fee, to install any device to comply with law enforcement surveillance requests that are authorized under the Foreign Intelligence Surveillance Act (FISA).

The FAS comments:

"The role of telecommunications companies in intelligence surveillance is under increased scrutiny as the Bush Administration seeks to shield the companies from any liability associated with their cooperation in what may be illegal warrantless surveillance." (see blog: http://www.fas.org/blog/secrecy/2007/10/implementing_domestic_intellig.html)

As a law abiding U.S. Citizen, I find it encouraging to see Comcast follow the law in requiring the law enforcement community to adhere to the letter of the law when fulfilling investigative requests, instead of blindly following the U.S. executive branch in support of any warrantless surveillance programs.

For more information see:

• Electronic Frontier Foundation - NSA Spying
• American Civil Liberties Union v. NSA
• Wikipedia - NSA Warrantless Surveillance Controversy

MSU states they have encryption technology controls on the stored data which may have been exposed.  The exposed data may include credit card and social security numbers. 

MSU has setup a dedicated web site with more information on this incident at: http://eu.montana.edu/security/