____________________________________________________
by Kevin M. Nixon, MSA, CISSP, CISM
Extended Abstract
Recently Alaskan Governor Sarah Palin's Yahoo! email account was compromised by a hacker.
From Gawker.com:
"Did the Internet just cause Sarah Palin to destroy evidence? The potential US Vice-President is in a bit of trouble for conducting state business using her personal, unarchived email address (gov.sarah@yahoo.com) instead of her official account (which is, of course, subject to laws requiring the retention of government records). Emails from that Yahoo account are already being sought in connection with the "Troopergate" investigation. Now comes word that Anonymous, the fun-loving Internet trouble-makers based loosely around the message board 4Chan, gained access to another Palin email account: gov.palin@yahoo.com. The offending posts, screenshots, heretofore unseen family photos, and emails have all been deleted from Imageshack and 4Chan. But Gawker.com has them plus her contact list and more."
Open, anonymous web-based proxy servers may be honeypots set up to steal your information, or may be incorrectly configured servers (belonging to someone else, i.e., some big corporation) which have been left open accidentally. This allows the honeypot operator to snag your data on the fly, while appearing to be a legitimate "business". Do you really want your most confidential information "protected" by a business that "operates solely off money derived from advertising shown during the proxy session"?
____________________________________________________
Hello, is anyone in there?!?
Why was the State of Alaska's Information Security Officer allowing private, non-public information, protected data to be transmitted by the State's "Executive Officer" via an uncertified, non-FISMA compliant, non-HIPAA compliant, non-FACTA compliant, non-GLBA compliant, non-NIST compliant, public, anonymous web-based, proxy server? Not only was the Security and Technology officer taking a big risk that information might be compromised but more importantly the State of Alaska was violating Federal Law!
Need more proof? Just ask the maverick from Alaska, Sarah Palin, who had her Yahoo! email account hacked by a guy using Ctunnel.com to get to her email.
Time Magazine reports that the Alaska governor could face charges for conducting official state business using her personal, unarchived e-mail account (a crime); some critics accuse her of skirting freedom-of-information laws in doing so. (See: "Sarah Palin's E-Mail Hacked" By M.J. Stephey, TIME.com, Wednesday, Sep. 17, 2008)
Why would anyone hand over trusted TCP/IP addresses (along with data being transmitted) to any company that has a policy like Ctunnel's? Here is a portion of Ctunnel.com's disclosure statement (Note: The paragraph below is a direct quote from Ctunnel's website. The misspelled words alone should have given officials in the Alaskan government IT department a reason for pause.):
"To earn your trust I will be as open and honest with you as possible. See below for information about who I am and why I run this service. Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tommorow, or be otherwise unreliable. Ctunnel however, operates soley off money derived from advertising shown during the proxy session, and therefore will not be down tommorow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpeno could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy."
Most web-based proxy server operators are not compliant with the Federal Information Security Management Act (FISMA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or the Sarbanes-Oxley Act of 2002 (SOX). These are the laws and regulations we depend on to protect our privacy, and they require specific steps to be taken to ensure protection.
If State Governments or Federal Agencies use these types of unsafe services, how can we expect Banks, Corporations, Hospitals and the Executives and Senior Managers of those institutions to take the laws, regulations, fines and punishment seriously? A lack of knowledge or understanding of the law does not (repeat, DOES NOT) provide relief from prosecution.
Now, think about the current state of the global economy. If publicly-traded Corporations use these services and do not disclose the risk in their Sarbanes-Oxley (SOX) disclosures to the Securities and Exchange Commission (SEC), they are committing a crime and deserve the fines and deserve to serve the time in prison as stipulated by law. We hear calls for stiffer regulations, oversight and transparency, but do we really know how much of our private information is "out walkin' around" already?
In short, you get what you pay for. A "protection product" that earns money from web ads or charges $9.95 per month should be a great big red flag.
Companies, executives and security folks need to stop doing things on the cheap. All anyone has to do is view the hacker web sites and read how easy it is to obtain the info off of web based proxy servers. There are even new browser plug-in "toolz" that make hacking a "point and click" operation.
Anyone that considers open, anonymous web based proxy servers totally safe should simply post all of their bank account numbers, passwords and any other highly confidential data on a wide open website for all to see.
____________________________________________________
But wait, the story gets worse!
The Huffingtonpost.com, on October 10th, in an article written by Associated Press reporter Mark Thiessen, as well as Karl Vick, a reporter for The Washington Post, on October 11th, disclosed that Alaskan Governor Sarah Palin had more than one external account through which she conducted official state business AND, to top things off, she shared confidential state information with her husband Todd by CC'ing him on many of the emails which were exchanged.
An Anchorage judge has ordered Alaskan Governor Sarah Palin to preserve e-mails from private accounts she has used to conduct state business.
Superior Court Judge Craig Stowers on Friday also ordered Alaska's attorney general to recover messages from a Yahoo.com account of Palin's that was breached by hackers last month. That break-in prompted Sen. John McCain's presidential campaign to order closed at least one additional private account Palin maintained.
The judge issued the orders at the request of Andree McLeod, an Anchorage activist whose pursuit of Palin's e-mails revealed that the governor did perform considerable state business from a Yahoo e-mail address -- an arrangement that bypassed the safeguards and accountability of the state's secure e-mail system. Then too, there are all those pesky Federal Data Privacy Laws which require strict protection of non-public private data. The fact that most of the regulations carry a "due diligence" requirement is also a matter of consideration. You see, when an individual is responsible for protecting the privacy of information about other people, then any federal, state, or local agency and its employees must ensure that the creation, transmission, storage and access to the data is only performed by employees of those agencies on a very narrowly defined need-to-know basis. Once the Governor began transmitting information in an unprotected manner via her personal web-based email account, which was outside the State of Alaska's highly secure and well protected network, there was no way to guarantee the safety and integrity of that data floating in cyber-space. In other words, there was no way for the Governor or other state employees to know if the information which was being transmitted was being intercepted and read by someone who was not authorized under the State's Data Security Policies and Procedures or the Federal Data Privacy Laws.
Had the hackers only gained access to the Governor's personal email, only the hackers would be under investigation. BUT, because the Governor also exchanged confidential state information (which contained information about other people), she failed to follow the data privacy regulations, which placed the confidentiality of protected data at risk of being intercepted by unauthorized individuals. Which is exactly what happened. Email containing information on DPS employees and the DPS department's budget was intercepted and posted on a website along with lists of potential judicial appointment candidates and their backgrounds, which may also be considered sensitive and protected data. As a result, not only did the hacker come under investigation for "gaining access in excess of authority", so too can the Governor potentially be investigated for failing to adequately ensure the protection of private information entrusted to her, which may be considered "a dereliction of the Governor's duties". A violation of Federal Law.
What happened in Alaska is every Information Security Officer's worst fear as well as their toughest battle. Due to the proliferation of easy and simple Internet access, private information is flying past us every minute. We have become a "shoot me a quick email" society. As a result of time constraints, corporate executives, federal and state employees and all those "good ole Joe Six-Packs and Hockey Moms" are willing to take risks that highly confidential information won't get accidentally intercepted. Now, as long as the information being transmitted only contains the sender's personal information, and they are willing to risk sending something like their bank account number or password on a "virtual postcard", then if compromised, the data breach only affects the sender.
However, when anyone that is granted the trust of another to protect information and is bound by law to do so, and either intentionally or unintentionally takes the same risks as they might with their personal data (regardless whether the information is compromised or not), they have potentially violated privacy laws and are subject to investigation.
Yes, we all have busy schedules. We are all rushing to get somewhere else. But when, as a result of our actions, someone else is negatively affected, then we are responsible. And we are as guilty as some of those Wall Street executives, who after being "bailed out" with our tax dollars took expensive "marketing trips". You know, all those guys that everyone is so angry with. Well, take a moment and think about the following: we live in an era where information at times is even more valuable than a few hundred thousand tax dollars. So why aren't we just as angry about all that private data flying past us each day? It is because we have a lack of knowledge about the value of information. The Internet isn't a dark alley we have to walk down afraid that we might be assaulted. Everyone feels safe and secure because we can't equate data bits with dollar bills. I guarantee you, if bits were bills flying through the air, everyone would be attempting to grab them because they are just floating by. Be warned, some people would rather grab those bits instead of the bills, and Governor Palin will more than likely have to answer some really tough questions about the data which she was entrusted to protect.
Here is the perfect example of what I mean by everyone having a lack of knowledge regarding the importance of data protection. Alaska's Lieutenant Governor, Sean Parnell, told the Associated Press, "Until she was hacked, we were communicating just about daily. Now I'm talking with her chief of staff."
Judge Stowers called the effort to recover and preserve Palin e-mails relating to state business "important" and noted that Alaska's public record law was last updated before the rise of the Internet. However, Judge Stowers should also research those pesky Federal Laws, most of which snuck up on us after 9/11.
In closing, remember: any federal, state, or local agency and its employees (or anyone in a corporation, hospital, law office, bank, etc.) MUST ensure that the creation, transmission, storage and access to personal, confidential non-public private data is only performed by individuals employed by the entity on a very narrowly defined need-to-know basis.
The Washington Post reported that Governor Palin is being requested to release some 1,100 e-mails the governor held back from an earlier public records request, citing executive privilege, presumably because they contained official state business. However, The Washington Post also noted that about 40 of the emails may have been copied to the Governor's husband Todd Palin, who is not a state employee, and therefore would not have been allowed privileged access! But that will have to be the topic of another article. Perhaps something along the lines of "data classification, access controls, the law and you"?
Copyright © 2008 - Kevin M Nixon - All Rights Reserved.
This article may be referenced, quoted, reprinted in whole or part provided that the author is credited.