Sunday, May 01, 2005

Incident: Florida International University on alert after series of computers hacked

Once again, a university has been forced to advise students that they may be at risk of identity theft after Florida International University techs found that unknown hackers had compromised at least 165 computers. See Florida Uni on brown alert after hack attack | The Register, via Privacy Digest.

The university's notice is below:

::ALERT:::

"To: All FIU Faculty and Staff

From: Dr. John P. McGowan, Vice President & CIO

Subject: Critical IT Security Breach Notification - Faculty/Staff

Date: April 27, 2005

THIS IS AN IMPORTANT SECURITY NOTIFICATION. WE ASK THAT MEMBERS OF THE UNIVERSITY COMMUNITY READ THIS MEMORANDUM VERY CAREFULLY.

Last week, it was brought to the attention of the Information Technology Security Office (ITSO) that a file found on a compromised FIU computer indicated that a hacker had access to the username and password for 165 computers at the University. The ITSO, University Technology Services (UTS) and relevant FIU representatives have been working diligently on addressing this security incident.

To address this situation, and reduce the potential for additional computers being compromised (accessed without your consent/knowledge), UTS, working with the IT representatives from various academic and administrative units, and in consultation with the Faculty Senate Chairperson, will visit and check every computer in the University to ensure the appropriate level of security. Please note that this will include Apple (Macintosh) computers as well as Windows-based computers. Given the number of computers that need to be analyzed, we have established a site visit schedule that will allow us to focus our efforts first on those areas that may contain the most critical/sensitive data such as Social Security numbers (SSNs), credit card numbers, birthdates and the like. It should be noted that Panther ID numbers alone are not considered sensitive information. UTS will be in contact with each user/department to schedule these site visits; we respectfully ask for your patience during this process.

PLEASE REVIEW THE FOLLOWING ADDITIONAL INFORMATION RELATED TO THIS INCIDENT:

HOW DOES THIS AFFECT ME?

> While we have a confirmed list of 165 compromised computers, there is a possibility that someone could have connected to numerous other computers remotely and information on these computers could have been compromised.

HAS MY CREDIT CARD INFORMATION OR SOCIAL SECURITY NUMBERS FOR EMPLOYEES OR STUDENTS IN MY DEPARTMENT BEEN STOLEN?

> At this time, we have determined that a few of the compromised computers contained sensitive information (e.g., credit card numbers and SSNs), and are working to determine the extent to which such sensitive information on your computer or network file shares (M, N Drive etc.) has been inappropriately accessed. UTS officials are collecting the necessary information and are in the process of alerting the appropriate authorities to address this situation.

> A team of technical support representatives from UTS or your unit’s IT staff will be assessing each computer on an individualized basis.

WHAT SHOULD I DO?

> Remove sensitive information (birthdates, SSNs, credit card numbers, research information that may contain personally identifiable information, student records containing SSN such as class rosters, or health information, etc.) immediately from your computer; if you need to store this information elsewhere, please move it temporarily to an external storage device (CD, USB drive, floppy etc.) and place in a locked file cabinet in your office or department.

> Do not save Social Security numbers, credit card numbers, birthdates etc. on your computer or other devices such as Blackberries, Palm devices, cellular phones, etc.

> Turn your computer off at the end of the day or when away from your workstation for an extended period of time.

> Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g., credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:

Transunion 1-800-680-7289

Equifax 1-800-525-6285

Experian 1-888-397-3742

> Continue to check all your accounts on a regular basis for unusual activity.

> The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at http://www.ftc.gov/idtheft

DO I NEED TO CONTACT SOMEONE WITHIN FIU?

> No. Technical support representatives from UTS or your unit’s IT staff will be visiting each area; as such, it will not make the situation or mitigation efforts easier if the UTS Call Center becomes overwhelmed with calls from users seeking information or calling to schedule a technical site visit; users are encouraged to visit the UTS website at http://uts.fiu.edu for the most up-to-date information. Please note that service requests normally handled by the UTS Call Center and Field Team may be delayed as we re-assign resources toward this effort.

WHAT CAN I EXPECT WHEN A TECHNICAL SUPPORT REPRESENTATIVE VISITS ME TO SECURE MY COMPUTER?

> The technical support representatives from UTS or your unit’s IT staff visiting your offices will be completing a security mitigation checklist which may include: Gathering information on the TYPES of sensitive information (i.e., SSN, credit card numbers) saved on your computer or network file shares (M, N drives etc.), but NOT the actual numbers; updating your operating system; updating your anti-virus software; removing known Windows vulnerabilities; re-configuring your log-in accounts; scanning for applications that allow for unauthorized access; disseminating new information on effective password management and computer user access guidelines. The UTS representatives will NOT be opening your documents or requesting disclosure of personal information or intellectual property. If a UTS representative is granted access to work on your computer in your absence, he or she will turn your computer off once they have completed the steps in the security mitigation checklist - unless otherwise instructed.

> Please note that all UTS technical support representatives will be wearing the standard UTS identification badges with photo and name, or will be a member of your unit’s IT staff.

Thank you for your attention to this notification. We sincerely ask for your patience and cooperation as we address this situation. Once again, be sure to check the UTS website at http://uts.fiu.edu for updated information on this incident."

Security problems with hidden data in Acrobat PDF files

Issues related to "metadata" arise all the time for users of Microsoft Word, but it is pretty rare to hear about problems with Adobe's PDF format. Today, Slashdot is hosting a discussion of an interesting incident in which a PDF version of the redacted and declassified US military report on the shooting of Italian Nicola Calipari actually contained the classified bits, which were "hidden text" and could be revealed with a simple "cut and paste" or using "Save as ..." in Acrobat Reader. Be careful about leaking confidential information with your PDFs, I guess.

Copy-and-Paste Reveals Classified U.S. Documents. Posted by CmdrTaco on Sunday May 01, @09:43AM from the hate-when-that-happens dept. cyclop writes: "In March, U.S. troops in Iraq shot to death Nicola Calipari, the Italian intelligence agent who rescued the kidnapped journalist Giuliana Sgrena. The U.S. commission on the incident produced a report whose public version was censored by more than one third. Now the Italian press is reporting that all confidential information in the report is available to the public, just by copying "hidden" text from the PDF and pasting it in a word processor (Italian). The uncensored report can now be directly downloaded (evil .DOC format, sorry)."

On a related note, I received a draft sub-license agreement to review from a client a few weeks ago. The licensor, who created the draft, probably didn't notice that it included loads of information using "track changes." When viewed with "final showing markup" in Word, it could be seen that the license was actually created by modifying a settlement agreement with the original licensor. The entire previous agreement was right there ... For goodness' sake, people, use a metadata scrubber!

UPDATE: You can download the original PDF file at http://download.repubblica.it/pdf/rapportousacalipari.pdf. It looks like they just drew black boxes over the text. About as effective as doing this.
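The failure described above (text left in the document, a black box painted on top of it) can be caught before a file is published by extracting whatever a viewer's copy-and-paste would yield and searching it for the terms that were supposed to be removed. The script below is an added example, not code from the original post or from anyone involved in the report: it builds a constructed one-page PDF both the wrong way and the right way, pulls the string literals out of every content stream (plain or FlateDecode-compressed), and reports the terms that survived. The PDF skeleton, the `NAME-PLACEHOLDER` string and all function names are assumptions made for the example.

```python
import re
import zlib

def make_sample_pdf(content: bytes, compress: bool = False) -> bytes:
    # Wrap a content stream in a minimal one-page PDF (constructed test input,
    # not a real redacted report). compress=True stores it FlateDecode-encoded,
    # as most PDF producers do.
    data = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    return (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(data)).encode() + filt + b" >>\nstream\n"
        + data + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )

# Wrong: the name is still drawn; a black rectangle is merely painted over it.
BOXED_CONTENT = (b"BT /F1 12 Tf 72 700 Td (Source: NAME-PLACEHOLDER) Tj ET\n"
                 b"0 g 70 696 200 16 re f\n")
# Right: the sensitive string itself is gone from the content stream.
REMOVED_CONTENT = (b"BT /F1 12 Tf 72 700 Td (Source: [REDACTED]) Tj ET\n"
                   b"0 g 70 696 200 16 re f\n")

# Stream dictionary (one nesting level allowed) followed by the stream keyword.
_STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Text-showing operators: "(literal) Tj" and "[(lit) -20 (lit)] TJ".
_SHOW_RE = re.compile(rb"\((?:\\.|[^\\)])*\)\s*Tj|\[[^\]]*\]\s*TJ", re.DOTALL)
_LIT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)", re.DOTALL)

def content_streams(pdf: bytes):
    # Yield each stream's bytes, inflating FlateDecode streams. Encrypted
    # files and indirect /Length values are out of scope and are skipped.
    for m in _STREAM_RE.finditer(pdf):
        length = re.search(rb"/Length\s+(\d+)", m.group(1))
        if not length:
            continue
        data = pdf[m.end():m.end() + int(length.group(1))]
        yield zlib.decompress(data) if b"/FlateDecode" in m.group(1) else data

def extract_text(pdf: bytes) -> str:
    # Collect every literal handed to Tj/TJ: roughly what select-and-copy in a
    # viewer gives you, black boxes or not.
    pieces = []
    for stream in content_streams(pdf):
        for op in _SHOW_RE.findall(stream):
            pieces += [s.replace(b"\\(", b"(").replace(b"\\)", b")")
                       for s in _LIT_RE.findall(op)]
    return b" ".join(pieces).decode("latin-1")

def find_leaks(pdf: bytes, terms) -> list:
    # Return the terms that should have been redacted but are still extractable.
    text = extract_text(pdf)
    return [t for t in terms if t in text]

if __name__ == "__main__":
    terms = ["NAME-PLACEHOLDER"]
    print("box over text:", find_leaks(make_sample_pdf(BOXED_CONTENT), terms))
    print("same, deflated:", find_leaks(make_sample_pdf(BOXED_CONTENT, True), terms))
    print("text removed:", find_leaks(make_sample_pdf(REMOVED_CONTENT), terms))
```

Run the same check against the real file you intend to publish, with the list of names and phrases that were meant to be redacted; any hit means the box is covering text that is still there.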

The Most Overlooked Component of Data Security: Your Employees

Thanks to Rob Hyndman (via Geoffrey G. Gussis) for pointing me to a good article on the weakest link in companies that handle personal information: employees. Read the article by Miriam Wugmeister and Christine E. Lyon of Morrison & Foerster LLP here: The Most Overlooked Component of Data Security: Your Employees.

If you find that article interesting, you may also be interested in the following postings from this blog:

Free baby photos: A case study in privacy, consent, expectations and sensitivity

The blog Boing Boing bills itself as a "Directory of Wonderful Things." It has a huge readership and it often has postings related to privacy. Almost a month ago, there was a posting about the "Free Photos" that parents are often offered in the maternity wards of hospitals (Boing Boing: Free baby photo trojan gets new moms to sell baby-privacy). Often the photos are not free and many times it looks like a thinly veiled way of collecting information to aggressively market to new parents.

It is a good case study in privacy issues. They do attempt to get consent from parents, but brand-new mothers may not be in a state to fully comprehend the consent form they are being asked to sign (if they would be inclined to read it in the first place). The providers of this service often don't do anything to bring the marketing aspect to the attention of the parents, other than burying it in the fine print of the agreement. Is it reasonably anticipated that your agreement to a photo of your kid would lead to being marketed to by third parties? (The folks at Boing Boing call this a "trojan", suggesting the service is a thinly veiled marketing delivery system.) Unfortunate effects can also result. In the blog post, Boing Boing refers to a new mother who had recently lost her child to crib death, only to receive "ghastly" birthday cards for the child from companies with whom she had never dealt. This must happen hundreds of times a year. I wonder if the ill feelings this would cause are overridden by the sales they make to parents who still have their children.

I'm not going to comment on the legality or ethics of this practice, but only suggest that it really bears thinking about.

Saturday, April 30, 2005

Faxing Tips: Avoiding common privacy incidents

The privacy incidents that have gotten the most press recently in Canada have been related to misdirected faxes. To name just a few:

I've seen loads of "Faxing Guidelines" produced by organizations and privacy commissioners that include some pretty common sense suggestions to minimise the likelihood of problems. But problems almost always will occur simply because accidents do happen. (Luckily, in most cases it will be a one-off mistake.) Guidelines need to be implemented to make sure that the right people are informed of the issue and know how to practice safe faxing.

Below is a set of faxing tips I've developed over the last little while. A couple, which I've highlighted, do not appear in any other guidelines I've seen and are the results of lessons learned from various incidents I've seen or been involved with.

  • Physically secure the location of any fax machine that receives incoming faxes.
  • Use speed dial functions of your fax machine ... and verify each number by sending a test fax before sending any personal information.
  • If you use a fax machine to send both sensitive and non-sensitive information, consider getting separate fax machines for the different kinds of information. Designate a fax machine for personal or confidential information and program the speed dial functions to include only trusted recipients. (I have heard the story of a physician who regularly faxed letters to the editor, so had the local papers on his speed dials. Unfortunately, one of these buttons was right next to the speed dial button for the local hospitals' records department. You can guess what happened.) If you can't have a separate fax machine, don't have "trusted" and "not-trusted" buttons next to each other.
  • If particularly confidential information will be sent, contact the recipient in advance to tell them to expect the fax.
  • Do not "retire" any of your fax numbers because it may continue to receive faxes from people who haven't updated their records. Phone companies, facing a shortage of numbers, will quickly reassign retired numbers and you have no idea where those faxes may end up.
  • If you have a number of locations, branches or outgoing fax machines, make sure that all fax cover pages have one central number for reporting misdirected faxes and make sure that someone is at that number to keep track of problems. This one, simple and easy to implement precaution would have avoided all of the problems experienced by CIBC. Three faxes with the same error would have been all it would take to notice a pattern and figure it out. Of course, include a cover sheet that indicates that the information is confidential and should not be disclosed to any unauthorized persons.
  • Double check the number before you push the "send" button.
  • Check your confirmation sheets to make sure that the number called was the same as you intended.
  • Use desktop faxing technologies or -- better yet -- scan materials to PDF and e-mail them. The risk of interception is greater with e-mail, but e-mail goes to one designated recipient and does not sit around on a fax machine.
  • Many fax machines have the ability to encrypt or password protect faxes. If the information is sensitive, by all means use it! For internal faxes, as was the case with the CIBC incident, there is no reason why you shouldn't since you have control over both fax machines and you'll prevent the faxes from being read if they end up at the wrong machine.

Implementing all of the above should significantly reduce the likelihood of problems and should also allow you to identify any problems before they get out of control.

Charging fees for access under the Health Information Act

The Information and Privacy Commissioner of Alberta has sent a pharmacy back to the drawing board after it attempted to charge an additional $40.00 "professional fee" to process an access request. Read Order H2005-002 here. As is the practice in Alberta, the Commissioner named the offending pharmacy.

Friday, April 29, 2005

EPIC asks: which digital music service is selling your data?

This is an interesting series of postings at Boing Boing: Chris Hoofnagle of the Electronic Privacy Information Centre was perusing direct marketing publications and noticed a customer list for sale full of subscribers to a digital music service. Boing Boing posted about the particulars of the list and it wasn't long before the blog's readers had tracked down the company that sold the list. Of course, a discussion of the service's privacy policy ensued: See Boing Boing: EPIC asks: which digital music service is selling your data? (UPDATED).

As an aside, the DMNews' lists make interesting reading. My fave so far is a list of people who have recently purchased a firearm or have inquired about purchasing a gun for personal protection. That list might be useful for someone who wants to do something other than selling gun locks.

Incident: Hackers breach Brigham Young University security using keystroke loggers

What a day for privacy incidents. Brigham Young University is reporting that some nefarious character (or characters) installed keystroke loggers on systems in a campus computer lab, taking students' information: BYU NewsNet - Hackers breach Widstoe security.

Incident: Massive bank security breach uncovered in N.J.

MSNBC is reporting on what is characterised as the largest breach of security and leak of personal information in US banking history. Employees are implicated in providing information on 500,000 customers to bill collectors:

Massive bank security breach uncovered in N.J. - Nightly News with Brian Williams - MSNBC.com:

"Bank employees implicated in conspiracy; 500,000 victims alleged

By Tom Costello, Correspondent

NBC News

Updated: 7:22 p.m. ET April 28, 2005

HACKENSACK, N.J. - In court Thursday, Orazio Lembo was described as the alleged ring leader of what police say was a massive scheme to steal 500,000 bank accounts and personal information, then sell it to bill collectors.

Lembo's alleged accomplices included branch managers and employees from some of New Jersey's biggest banks, including Bank of America, Wachovia and Commerce Bank.

All of them are accused of turning over customer bank account numbers and balance information for a profit of $10 per account. Even a state employee is accused of providing private information from state employment files...."

Incident: Georgia Southern University students' personal information compromised by hackers

Yet another American university has been hit by a breach of confidential personal information. This time, it is Georgia Southern University:

AP Wire | 04/28/2005 | Students' personal information compromised by hackers:

"STATESBORO, Ga. - Hackers broke into a Georgia Southern University server that contained thousands of credit card and Social Security numbers collected over more than three years.

The Saturday breach puts anyone who made a purchase at the university bookstores between Jan. 1, 2002, and April 25 of this year at risk of identity theft or unauthorized credit card usage, the university said Wednesday...."