Mar 11 2010

VA investigating security breach of veterans’ medical data

The Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center, sources have told Nextgov.

The assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information, according to a source familiar with the incident who asked not to be identified.

Roger Baker, VA’s chief information officer, commented on an item about the incident posted Monday evening on a Nextgov blog, saying the physician assistant’s laptop was never connected to the VA network and that any data she recorded on it was “hand entered.”

But the source told Nextgov the VA inspector general is investigating whether the assistant used two thumb drives to transfer the data to the laptop.

The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded.

VA spokeswoman Katie Roberts said she cannot comment in detail on the Atlanta breach because it is under investigation. But in an e-mail, she stated, “VA is committed to protecting the privacy of veterans who have used our health care facilities. VA’s Office of Inspector General is currently investigating a report that a former VA physician assistant stored unauthorized clinical data about patients at the Atlanta [VA medical center] on a personal laptop computer.

“VA’s Office of Information and Technology is trying to gather more details about the circumstances, including the number of veterans whose information was involved and the nature of the information affected. The results of the investigation and analysis will help determine whether to send notifications and offers of credit protection services to the affected veterans.”

The inspector general has asked VA’s Office of Information and Technology, which Baker heads, to determine how many veterans were involved in the data breach and what kinds of personally identifiable or private health information might be involved.

The inspector general has determined that multiple documents on the laptop “appear to have come from an unapproved research project,” noted a document about the incident, which Nextgov obtained.

The incident is reminiscent of a 2006 cybersecurity breach at VA. In what was one of the largest security lapses in the department’s history, a Veterans Affairs analyst downloaded information on 26.5 million patients — practically every living veteran — on to the hard drive of his personal laptop so he could work on a research project at home. The laptop was later stolen and recovered. Investigators determined the personal information likely was not accessed.

But the breach resulted in VA instituting policies to bar the connection of personal computers to Veterans Affairs networks and to encrypt all patient data stored on department computers. Violation of the policies could result in administrative, civil or criminal penalties.

In his comment on the Nextgov blog, Baker said those policies worked in the Atlanta case and the physician assistant was denied access to VA systems. In addition, a nurse scientist and visiting scholar at the medical center stopped the assistant from using the data after learning about the unapproved research project, according to the document on the incident. The nurse told the physician assistant to destroy the data, and when it was not destroyed, the nurse informed a research compliance officer in Atlanta on Feb. 8. The physician assistant resigned on Feb. 26, according to the document.

The breach illustrates the need for patients, not clinicians, to control their medical records, said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit based in Austin, Texas, that works to ensure medical information remains restricted. She said control should include a requirement to obtain a patient’s consent to send clinical information to another doctor or to use it for research. Peel added electronic consent software currently exists to automate the process.

Source


Mar 8 2010

FBI Director: Hackers have corrupted valuable data

Hackers breaking into businesses and government agencies with targeted attacks have not only stolen intellectual property but in some cases have corrupted data too, the head of the U.S. Federal Bureau of Investigation said Thursday.

The United States has been under assault from these targeted spear-phishing attacks for years, but they received mainstream attention in January, when Google admitted that it had been hit and threatened to pull its business out of China — the presumed source of the attack — as a result.

FBI Director Robert Mueller called these attacks a threat to the nation’s security on Thursday, speaking at the RSA Conference in San Francisco. “Just one breach is all they need in order to open the floodgates,” he said, speaking about the hackers behind these intrusions. “We have seen not only a loss of data, but also a corruption of that data.”

Mueller did not say exactly what he meant by corruption of data, but security experts worry that if attackers are able to alter source code, they might put backdoors or logic bombs in the software they gain access to.

“If hackers made subtle, undetected changes to your code, they could have a permanent window into everything you do,” Mueller said. “Some in industry have likened this to death by 1,000 cuts. We are bleeding data, intellectual property, information, source code, bit by bit, and in some cases terabyte by terabyte.”

Researchers investigating the Google attack — thought to have affected at least 100 companies including Intel, Adobe and Symantec — say that prime targets of the hackers were the source code management systems used by software developers to build code.

Companies often fail to put basic security controls on these systems, meaning that once an engineer or quality assurance tester’s workstation has been hacked, the company’s crown jewels are often accessible.

In some cases, hackers moved valuable intellectual property overseas using their victims’ wide area networks, and then moved the data from branch offices to outside servers via the Internet, researchers say.

“We are playing the cyber equivalent of cat-and-mouse, and unfortunately the mouse seems to be one step ahead most of the time,” Mueller said.

Source


Feb 23 2010

Intel the victim of “sophisticated” cyberattack

Intel this week said it was the victim of a sophisticated cyberattack that occurred in January around the same time cybercriminals compromised systems at Google, Adobe and more than 30 other large companies.

In its annual 10-K report, a summary of a public company’s performance required by the U.S. Securities and Exchange Commission, Intel said hackers regularly attempt to infiltrate its information technology systems — and are sometimes successful.

“One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google,” Intel wrote in the filing, which was submitted Monday.

Intel did not provide any specifics about the attack, but said hacking attempts may be the result of espionage or others seeking to harm the company.

“It routinely happens,” Intel spokesman Chuck Mulloy told SCMagazineUS.com on Tuesday. “It is not unusual for us to see these sorts of attacks. As a matter of policy, we don’t talk about specifics.”

Mulloy said he could not confirm or deny if the attack that Intel suffered in January was part of the same wave of attacks that hit Google, Adobe and others.

“We mentioned Google because it was very prominent in the news at the time we saw that particular attack,” Mulloy said. “Based on what we know right now, there was no IP [intellectual property] loss.”

In the filing, Intel said it works to detect and investigate cyberattacks to prevent them from recurring, but sometimes the company is not aware of incidents that have occurred, or their effects.

Hacking incidents could lead to the unauthorized use or publication of trade secrets or other confidential business information, Intel said. Cyberattacks also could negatively impact the value of a company’s investments in research and development, along with its relationships with third parties and customers.

“Our business could be subjected to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents and claims,” Intel said.

Cyberattacks cost enterprises an average of $2 million per year due to a loss of productivity, revenue and customer trust associated with such events, according to a study released Monday by Symantec.

In January, Google disclosed that its systems were compromised by organized and well-resourced cybercriminals, believed to be operating out of China, who stole intellectual property. The attacks were dubbed “Operation Aurora.”

Other companies reportedly targeted in Operation Aurora included Yahoo, Symantec, Juniper Networks, Northrop Grumman and Dow Chemical, according to the Washington Post, which cited unnamed congressional and industry sources.

Source


Feb 23 2010

U.S. Pinpoints Coder Behind Google Attack

BEIJING (Reuters) – U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was “working on,” the paper said, quoting an unidentified researcher working for the U.S. government.

The spyware creator works as a freelancer and did not launch the attack, but Chinese officials had “special access” to his programming, the report said.

“If he wants to do the research he’s good at, he has to toe the line now and again,” the paper quoted the unnamed U.S. government researcher saying.

“He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

The report did not say how analysts knew about the man’s government ties.

The allegations over the spyware are the latest episode in a dispute that has pitted Google and the United States against China, with its wall of Internet controls and legions of hackers.

In January, Google, the giant Internet search company, threatened to pull back from China and shut its Google.cn Chinese-language portal over complaints of censorship and sophisticated hacking from within China.

Washington has backed those criticisms and urged Beijing to investigate hacking complaints thoroughly and transparently. Beijing has said it opposes hacking.

The Financial Times report also quoted unnamed sources backing a New York Times report that analysts had traced the online attacks to two Chinese educational institutions, the prestigious Shanghai Jiaotong University and the Lanxiang vocational school.

The two establishments have denied the reports. And the allegation that the latter, a high-school level institute that also trains hairdressers, chefs and car mechanics, could take on one of the world’s most powerful Internet firms has been widely mocked in Chinese cyberspace.

“How can these future cooks be such powerful hackers?” a web user from Zhejiang province said on the portal www.163.com.

The use of the school’s IP address could simply mean that hackers had taken over its computers to hide their tracks.

But Lanxiang’s website also claims to have the “biggest” computer laboratory in the world, a boast it says is confirmed by Guinness World Records.

There was less online comment about the well-respected Jiaotong University, which attracts top graduates and has a School of Information Security Engineering.

(Reporting by Emma Graham-Harrison; Editing by Alex Richardson)

Source


Feb 22 2010

75 percent of enterprises have been hit by multi-million dollar cyber attacks

Wow. That’s quite a statistic, but there it is in front of me jumping off the pages of the latest global State of Enterprise Security study from Symantec. The two lines shining so brightly and grabbing my attention read “75 percent of organizations experienced cyber attacks in the past 12 months” and “these attacks cost enterprise businesses an average of $2 million per year”. I’ll say it again, wow!

Maybe that is not so surprising when you consider that the report states that every enterprise, yes 100 percent, experienced cyber losses in 2009. The top three losses were intellectual property theft, customer credit card data theft and the theft of other personally identifiable customer data. These losses translated into a financial cost 92 percent of the time, mainly in terms of productivity, revenue and tanking customer trust.

Of course, as I have said before, the math is always hard on the brain when you read these reports. That 75 percent figure is revealed immediately after we are informed that apparently 42 percent of organisations consider security the number one consideration for their business, beating off competition from such things as natural disaster, terrorism and traditional crime. In fact, it is a bigger concern than all three of those things combined. The disparity between the two could, of course, be partly down to another revelation in the report: enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues.

When it comes to understaffing, network security is the biggest problem for 44 percent of those responding, with endpoint security sharing the honours on 44 percent. Then there are the initiatives that IT rated as most problematic from a security standpoint: infrastructure-as-a-service, platform-as-a-service, server virtualisation, endpoint virtualisation, and software-as-a-service. And not forgetting compliance, with your typical enterprise having to explore no fewer than 19 separate IT standards or frameworks and employ around eight of them.

“Protecting information today is more challenging than ever,” said Francis deSouza, senior vice president, Enterprise Security, Symantec Corp. “By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today’s information-driven world.”

Source


Feb 18 2010

Zeus Trojan found on 74,000 PCs in global botnet

More than 74,000 PCs at nearly 2,500 organizations around the globe were compromised over the past year and a half in a botnet infestation designed to steal login credentials to bank sites, social networks, and e-mail systems, a security firm said Wednesday.

The systems were infected with the Zeus Trojan and the botnet was dubbed “Kneber” after a username that linked the infected PCs on corporate and government systems, according to NetWitness.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures, and Juniper Networks were among the targets in the attack. NetWitness speculated that criminals in Eastern Europe using a command-and-control server in Germany sent attachments containing the malware in e-mails or links to the malware on Web sites that employees within the companies clicked on.

NetWitness said it discovered more than 75 gigabytes’ worth of stolen data during routine analytic tasks as part of an evaluation of a client network on January 26. The cache of stolen data included 68,000 corporate login credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, 2,000 SSL (Secure Sockets Layer) certificate files and data on individuals, NetWitness said in a statement and in a whitepaper available for download from its Web site.

In addition to stealing specific data, Zeus can be used to search for and steal any file on the computer, download and execute programs and allow someone to remotely control the computer.

More than half of the compromised machines were also infected with peer-to-peer bot malware called Waledac, the company said. Nearly 200 countries were affected, with most of the infections found in Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The news comes after Google announced an attack targeting it and what is believed to be more than 30 other companies and which was linked back to China. McAfee dubbed that attack “Operation Aurora.”

“While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet,” said Amit Yoran, chief executive of NetWitness and former Director of the National Cyber Security Division. “These large-scale compromises of enterprise networks have reached epidemic levels.”

Source


Feb 9 2010

Sweden Probing Cisco, NASA Hacks

Swedish investigators are probing a hacker U.S. authorities accuse of unlawfully intruding into Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division, the authorities said Monday.

Philip Gabriel Pettersson, known in the hacking world as “Stakkato,” allegedly seized computer code that controls internet traffic. After the 2004 breach of Cisco, the proprietary source code for Cisco’s IOS operating system was discovered on a Russian website.

Pettersson was indicted in the United States in May on five hacking counts (.pdf), but could not be brought from Sweden to the United States for trial. Sweden does not extradite its own citizens, but said it was examining whether to prosecute him in Sweden after U.S. authorities in San Francisco initiated that request.

“The intrusions to Cisco Company and NASA are regarded as computer intrusion according to Swedish law,” Swedish prosecutor Chatrine Rudstrom told federal prosecutors in San Francisco, according to documents released Monday.

Still, Rudstrom told San Francisco federal authorities that Sweden was not guaranteeing it would charge the 21-year-old suspect.

Pettersson was convicted in 2007 of invading the networks of three Swedish universities and ordered to pay $25,000 in damages. He was 16 at the time of the intrusions.

Source


Feb 9 2010

Why CSOs Should Care About ShmooCon

Many CSOs view ShmooCon as an event of small importance. You don’t see the suits and ties that are on display at RSA. In fact, to those who haven’t attended, this conference is just a place where twenty-something hackers come to get drunk and throw TVs out hotel windows. Another crazy Black Hat/Defcon-caliber conference, more than one high-level security exec has told me in the past.

As with any security event, things can get rough around the edges. The security podcasters’ meet-up on Saturday night was more like a Motley Crue concert than anything else. The podcasters on stage resembled the head table at a Klingon wedding. But drunken antics conference-wide were minimal, and some decent food for thought came out of the podcasting event despite the rowdiness.

The larger reality is that a lot of important talks happen here that have implications up and down the IT security food chain. It’s also important to note that a lot of the young ruffians who come here are the very people who find the security holes so they can be fixed. They also build a lot of the technology CSOs lobby their upper management to invest in.

Some examples:
# Tyler Shields of the Veracode Research Lab gave a talk about those BlackBerry phones security execs can no longer live without. His message: The BlackBerry is full of weaknesses an attacker can exploit to target the larger enterprise network.
# Many CSOs have become equally dependent on their iPhones, and they are increasingly being used to conduct business. Guess what? Those devices are equally at risk, according to Trevor Hawthorn, founder and managing principal at Stratum Security. He gave a presentation on how the bad guys can attack through your iPhone apps and tap into your GPS to track your whereabouts.
# Presenters also offered new insight into how attackers are targeting the P2P and social networking platforms your employees use all the time on company-owned computers. [See Inside FarmVille's Sinister Underbelly and P2P Snoopers Know What's In Your Wallet]
# Another running theme this year was the failure of security spending: companies spend millions to acquire all the best-of-breed security technology they can find in the rush to check off all the boxes on a compliance checklist, but install it all so haphazardly that they actually increase their risk.

While most of the talks were tech-heavy, a lot of the discussion in the presentations and in the hallways was about the language disconnect that often exists between IT and upper management and how best to close the gap.

Source


Feb 3 2010

1,400 personal records stolen from Columbia College

Three notebook computers were stolen two weeks ago from an office at Columbia College. They contained personal information, including social security numbers, of 1,400 current and prospective students, alumni, and past and present employees.

The Columbia Spectator reports that the theft was disclosed only this Friday, some 11 days after the security breach. The university offered everyone affected a two-year subscription to a credit monitoring service (free of charge, of course) and is advising them to activate fraud alerts. It also said that, as of that moment, there was no evidence of misuse of the information.

There is a high probability there never will be, since the computers were most likely stolen simply to be sold as hardware. But low risk is not no risk, and the victims are not easily satisfied with the results of the investigation, even though they must know that once lost, this information will always present a danger and that cannot be helped now. The only thing left to do is to check their credit reports for suspicious transactions or the opening of a new credit card account they did not request themselves.

The University has promised to step up security. “We have already strengthened the physical security of the office in question and are in the process of increasing our laptop security through the installation of high level encryption programs. We also are taking a more aggressive approach to scanning computer equipment for potential security threats,” the Dean of Columbia College, Michele Moody-Adams, wrote in the letter to the victims.

Source


Jan 25 2010

Data breach costs top $200 per customer record

The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute’s annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.

Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it.

Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record.

In tallying the cost of a data breach, Ponemon Institute looks at several factors including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training.

There appear to be three main causes for a data breach, says Dr. Larry Ponemon, chair and founder of the Institute, as indicated by the 45 companies that shared their stories for the “Fifth Annual U.S. Cost of Data Breach Study,” sponsored by PGP.

“As part of our analysis, we try to get at the root cause of the data breach,” Ponemon says. “There’s negligence, where people make mistakes, such as lost laptops, accounting for 40% of the data breach cases. There are system glitches, such as a third-party sending out statements they shouldn’t, which was 36%. And there are malicious and criminal attacks, at 24%.”

Ponemon adds that 2009 brought “more sophisticated criminal attacks that didn’t show up on our radar screen” the previous year. These malicious attacks often involved botnets and were carried out for reasons of financial gain.

Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.

The management skills of the CISO, or an individual in an equivalent position, seemed to help hold down the cost of a data breach: The average per capita cost of an incident was $157 per record for companies with a CISO, versus $236 for companies without one.

The magnitude of the breach events, according to the study, ranged from about 5,000 to about 101,000 lost or stolen customer records. Among the incidents reported, the most expensive data breach cost nearly $31 million to resolve, and the least expensive cost $750,000.

Source