Category Archives: Compliance

Nine out of 10 hospitals lost personal data in last two years

These are pretty dismal statistics…

Ponemon Institute and security firm ID Experts … surveyed 80 health care organizations and found that 94 percent had experienced a data-loss incident in the past two years. Another 45 percent sustained more than five breaches during that period.

via Nine out of 10 hospitals lost personal data in last two years – SC Magazine.

All the requirements in the world won’t make a difference if the organizations do not allocate the resources to ensure compliance, and if the employees continue to fail to comply.

Changing the defaults

In a Salt Lake Tribune article, reporter Patty Henetz quoted Utah Department of Health spokesman Tom Hudachko, who said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

Michael Hales, the Health Department’s Medicaid Director, said, “It just looks like processes broke down,” according to the Tribune.

This sounds like a weaselly way of admitting that the default passwords were not changed.  Default passwords are the easiest way into any system!

via Utah Medicaid Breach Exemplifies Value Of Encryption And Access Control – Dark Reading.

Number of victims in state of Utah breach significantly rises

The state of Utah lost the personal information of at least 500,000 people because:

Attackers were able to compromise the server because an authorization component was not configured properly.

The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.

Hopefully they’ll add some auditors, too.  It’s a shame to have your system set up so you only find out about misconfigurations after outsiders do.

via Number of victims in state of Utah breach significantly rises – SC Magazine.

Two more articles on Global Payments breach

The first is from SC Magazine, Visa expels Global Payments following 1.5M-card breach:

“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”

And the second is from Adrian Sanabria, QSA at Sword and Shield, Global Payments Credit Card Data Breach:

The worst thing I’ve been able to determine from the details so far, is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.

It’s a doubly-bad violation of DSS to 1) not be compliant in the first place, and 2) suffer a loss of cardholder data.

I imagine the reinstatement audit, if there is one, will be quite extensive.


I’d bet cash money on this place being PCI DSS compliant

The 8-acre facility looks like any other industrial park in a sleepy suburb. But the serene setting masks hundreds of cameras and a crack team of former military personnel. Hydraulic bollards beneath the road leading to the OCE can be quickly raised to stop an intruding car going 50 mph. Any speed faster, and the car can’t navigate a hairpin turn, sending it into a drainage pond that functions as a modern-day moat.

The data center resembles a fortress, with dogged attention to detail. It can withstand earthquakes and hurricane-force winds of up to 170 mph. A 1.5-million-gallon storage tank cools the system. Diesel generators onsite have enough power, in the event of an outage, to keep the center running for nine days. They generate enough electricity for 25,000 households.

[…]

Visa’s core-transaction network is private, immune — the company says — from Internet dangers such as denial-of-service attacks by the likes of Anonymous. When hackers took down Visa’s corporate website in 2010, for example, it had no impact on the core network.

via Top secret Visa data center banks on security, even has moat – USATODAY.com.

The Tech Herald’s Analysis of the Stratfor Password List

Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.

We’re sorry to report that the state of password management and creation is still living in the Dark Ages.

via Report: Analysis of the Stratfor Password List.

The first half of the report describes their methodology, and the latter half describes the passwords they’ve cracked.

Do your employees or customers use passwords like these?  How do you know?

Antisec hits private intel firm; millions of docs allegedly lifted

In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc., apparently made no attempt whatsoever to comply with PCI DSS.

via Antisec hits private intel firm; millions of docs allegedly lifted:

Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

[…]

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, disabled what security features were built into the software they were using, and left everything wide open.

Very Bad Practice.
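To make the "plain-jane md5" point concrete: with an unsalted fast hash, every account that picked the same password gets the same digest, so a leaked list (or your own store, during an audit) shows password reuse at a glance before anyone cracks anything. The example below is added here and is not code from the page or from Stratfor; the accounts are constructed, and the iteration count is an assumption to tune to your hardware.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumption: raise as hardware allows; slowness is the point


def md5_unsalted(password: str) -> str:
    """The scheme the article describes: no salt, one fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Per-user random salt plus an iterated hash, stored with its parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def accounts_with_shared_digest(digests) -> int:
    """Audit a hash store: with unsalted hashes, equal digests mean equal
    passwords, so shared passwords are visible without cracking anything."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)


# Constructed demo accounts for this example, not data from the breach.
USERS = {"alice": "password", "bob": "password", "carol": "password",
         "dave": "letmein", "erin": "Tr0ub4dor&3"}

if __name__ == "__main__":
    md5_store = [md5_unsalted(p) for p in USERS.values()]
    print("accounts sharing a digest (md5):", accounts_with_shared_digest(md5_store))
    salted_store = [hash_password(p) for p in USERS.values()]
    print("accounts sharing a digest (pbkdf2):", accounts_with_shared_digest(salted_store))
```

The md5 store reports three accounts sharing a digest; the salted store reports none, because the salt makes identical passwords produce different records.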

Metasploit For The Masses

This could be quite useful:

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7’s Metasploit Pro commercial product.

via Metasploit For The Masses – Dark Reading.