Who Needs Anonymous When You’ve Got the IRS?

Tuesday, July 16th 2013. | Internet News

By John P. Mello Jr.
TechNewsWorld
07/15/13 4:01 PM PT

There are many ways cybercriminals can access personal information online — hacking, phishing, etc. — but one unlikely pool of such data has been the Internal Revenue Service, which has exposed Americans’ Social Security Numbers on more than one occasion. Failure to remove SSNs from publicly posted databases “is an extraordinarily reckless act,” said Public.Resource.Org founder Carl Malamud.

While not many taxpayers consider the Internal Revenue Service a friend, most do expect the agency to protect their data like a brother.

That’s why news revealed last week about a database the IRS posted online of filings for so-called Section 527 organizations, such as political campaign committees, was particularly disturbing. (see Breach Diary below).

The IRS removed the database from public view after it was informed by a watchdog group, Public.Resource.Org, that it contained the Social Security Numbers of tens of thousands of Americans.

“This Section 527 database is an essential tool used by journalists, watchdog groups, congressional staffers, and citizens,” wrote Public Resource founder Carl Malamud in a statement posted online.

“While the public posting of this database serves a vital public purpose (and this database must be restored as quickly as possible), the failure to remove individual Social Security Numbers is an extraordinarily reckless act,” he added.

When the IRS posted the database online, it failed to redact Social Security numbers, most them located in appendices to the filings, explained Todd Feinman, founder, president and CEO of Identity Finder.

“Thousands of Social Security Numbers were there for anyone to take,” he told TechNewsWorld.

“Social Security Numbers never expire, and they’re harvested by identity thieves,” Feinman said. “Even if people have credit monitoring for the next few years, 10 years from now their Social Security Number could be sitting on an underground website and used to commit all sorts of identity fraud.”

What’s worse, this isn’t the first time the IRS has done this, he added. An analysis by Identity Finder of 2.9 million 990 tax returns of nonprofit organizations from 2001 exposed 472,866 Social Security Numbers.

“If you’re an identity thief, you have a one in six chance of downloading a 990 from 2001 and getting a Social Security Number,” Feinman said. “Those are better odds than Vegas.”

BYOD Civil Wars

When workers can use their own devices at the office, it’s supposed to boost productivity. Apparently, it can jump start suspicion, too.

Last week, Aruba Networks released a survey of 3,000 employees around the world that showed significant numbers of them distrust IT departments that try to control data on their personal devices.

Among the workers polled, almost half in the U.S. (45 percent), a quarter in Europe (25 percent) and nearly a third in the Middle East (31 percent) said they were “worried” about IT accessing their personal data.

That distrust could be fed by how organizations attempt to manage personal devices brought to work by their employees. One of the most common ways that’s done is through mobile device management systems that give corporate administrators all sorts of power over a worker’s precious phone — from controlling what apps can be installed on it to wiping all the data from it.

Less intrusive solutions have begun appearing in the market, however, that allow personal data on a smartphone to be segregated from company data. Aruba makes such a solution; so does BlackBerry.

BlackBerry’s solution on its branded hardware, called “Balance,” is particularly elegant.

“We’ve built Balance directly into the operating system so you don’t have to download an app to segregate your information,” Gregg Ostrowski, BlackBerry’s senior director of enterprise developer and tech partnerships, told TechNewsWorld.

“We’re able to segregate your work and personal data at the file level,” he continued, “so a user doesn’t have to do anything and an administrator can act on information that’s pertinent to work while completely leaving the personal perimeter alone.”

While Balance makes administrative control of a device appear less intrusive, the Chinese Wall between private and professional is still strong. “We even prevent you from copying and pasting data from one side to the other,” Ostrowski said.

Know Thy Adversary

At times, cyberwarriors can be a bit myopic in preparing their defenses against attacks by intruders. They may focus on their adversary’s tools at the expense of analyzing their motivations. That can be a mistake, maintained Jason Lancaster, senior intelligence analyst for security research field intelligence at HP.

“Identifying hackers’ motivations can play a huge role in predicting how an attack will materialize,” Lancaster told TechNewsWorld.

“We find that the motivations of the attacker play a key role in how the attack appears to the target,” he continued. “Where the attack targets an organization and how it is visible to those looking for indicators of compromise are directly determined, in many cases, by those motivations.”

“If you know what you are looking for, you will be able to tailor your defenses based on similar attack patterns,” he added.

Another benefit of that kind of intelligence, said Lancaster, is that it allows members of the defense community to weed out the most credible threats so they can focus their resources on the threats that pose the greatest risks. That can impact a company’s bottom line in a favorable way.

“By integrating this additional level of security intelligence with the business decision processes, an organization is able to make strategic decisions about where to focus their limited security resources, including personnel and capital,” Lancaster explained. “This will allow them to concentrate resources on the highest risk areas and the areas that will yield the highest return on investment.”

Breach Diary

  • July 8. Boing Boing reports IRS was removed from Internet database of filings for political organizations, like campaign committees, after it was discovered by a watchdog group, Public.Resource.Org, that the agency had failed to redact tens of thousands of Social Security numbers in the data.
  • July 10. Anonymous posts 3,400 records it claims are customer email addresses, names, usernames, and passwords for Brickcom Corporation, a maker of high-resolution surveillance equipment used by corporations and law enforcement. The company did not confirm the breach.
  • July 10. Missouri Attorney General Chris Koster finds the state’s data security laws were not violated in a breach involving 79 grocery stores in the Schnuck Markets chain and affecting 2.4 million payment cards.
  • Jun. 10. Konami, a Japanese game maker, reports one of its online portals experienced an onslaught of illegal login attempts that enabled 35,000 accounts to be compromised. Information exposed in breach included users’ actual names, addresses, telephone numbers and email addresses.
  • July 11. Long Beach (Calif.) Memorial Medical Center notifies 2,864 patients their medical records may have been breached by an employee. Information compromised includes name, sex, date of birth, home address, phone number, account number, insurance information and the reason for admission. Patients were offered one year of free credit monitoring and access to an information hotline. Hospital said there’s no reason to believe data was used in malicious manner or in a way that would impact patient care.
  • July 11. Texas Health Harris Methodist Hospital in Fort Worth begins notifying patients some 277,000 records on microfiche may have been compromised. The decades-old records were found in a Dallas parking lot instead of being destroyed by a contractor.
  • July 12. NHS Surrey fined Pounds 200,000 by UK Information Commissioner’s Office after 3,000 confidential patient records discovered on second-hand computer sold on an online auction site.

Upcoming Security Events

  • July 17. Accelerate Your Cloud Strategies: Strategies for Securing, Optimizing and Controlling the Cloud. 1 p.m. ET. Webinar sponsored by Akamai Technologies. Free.
  • July 18. Hacking Appliances: Ironic Exploits in Security Products. 2-3 p.m. ET. Webinar sponsored by Booz Allen Hamilton. Free with registration.
  • July 24. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: non-government employees US$ 495; July 24, $ 595.
  • July 24. New Trends in Advanced Persistent Threats. 2 p.m. ET. Webinar sponsored by Palo Alto Networks. Free with registration.
  • July 25. Wireless Security: Beyond the Basics. 2-3 p.m. ET. Webinar by Dark Reading. Free with registration.
  • July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: June 1-July 24, $ 2,195; July 25-Aug. 1, $ 2,595.
  • Aug. 1-4. Def Con 21. Rio Hotel and Casino, Las Vegas. Registration: $ 180.
  • Aug. 12-14. AIAA Aviation 2013: Focus on Cyber Threats to Airline Industry. Hyatt Regency Century Plaza, Los Angeles. Sponsored by American Institute of Aeronautics and Astronautics. Registration: By July 26, $ 1,000 non-member; $ 840 members. July 27-Aug. 10, $ 1,100 non-member; $ 940, members.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $ 895 member, $ 1,150 non-member. After Aug. 20, $ 995 member, $ 1,295 non-member.
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian /The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $ 875/$ 775 government; Standard to Oct. 3, $ 995/$ 875 government.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros +VAT delegate/ 495 euros +VAT one day pass; Discount from July 27 -Sept. 27, 995 euros +VAT delgate/ 595 euros +VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros +VAT delegate/ 695 euros +VAT one day pass; Onsite from Oct. 28-31, 1,295 euros +VAT.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $ 2,075; Standard, $ 2,375; Public Sector, $ 1,975.

Related For Who Needs Anonymous When You’ve Got the IRS?