Tuesday, November 21, 2017

UBER ! Oops. My Bad. 57 million records lost. Finally some good news.

I've been waiting for this.

Waiting a long time.

Finally someone has dropped the soap and come clean in a direct and "appropriate" way.

Obviously plenty of criticism is coming down the road for why it happened, why it took so long to let customers know, etc.

That's really part of the game.

What would you expect when Uber's Chief Security Officer is a Lawyer instead of a trained security expert?

There are still some funny things to laugh at.

For example paying the hackers $100,000 to delete the data. Honour amongst thieves perhaps. After all, we are all allowed to believe in Santa. Some of us believe more in Satan, oh well.

However here are some really nice tidbits that I find very positive:

"None of this should have happened, and I will not make excuses for it," the CEO added.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

I love it when people just come clean and tell you they dropped the ball, very inspiring.

The only problem with the last statement is that they ended up fined for a much smaller breach in 2014 and it appears... they still needed to learn from those mistakes.

So now, they will have to face the music for not disclosing when they uncovered it, but once again, the lawyer(s) certainly had a large role in holding that off.

Perhaps many enterprises could re-visit their choice of CSO to ensure that the position is handled by a "real" security expert, but let's face it, traded companies focus on the shareholder and their return on investment. So I guess most boards would go the route of a hardened politician, Lawyer, or Music Major since the talent they most want is not "security". So I guess in this case, as is also the case in many other enterprises, these are pretty much the ingredients they wanted. Some will call it "plausible deniability", some will call it "willful blindness". Some will call it a Tuesday.

Note to my friend Robert M. You wanted a positive post out of me. Well this isn't it yet ;-)

Now on an even more positive note. Maybe some people are starting to grasp that sensitive data in the cloud requires more than nice words and a pretty logo.

Lesson learned:  Regardless of the size and glamour of the cloud provider, "Trust but Verify".  Or don't use it.
_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com

Thursday, November 16, 2017

Airplanes falling out of the sky - Part deux it seems

You guessed it, people are once again claiming that airplanes could be hacked over wifi and that the sky is falling.

https://www.theregister.co.uk/2017/11/15/airplanes_vulnerable_rf_hacking/

This time, they are talking about the Boeing 757 which it seems was hacked while parked at an airport.

Some interesting things about the Boeing 757. First off, it isn't a fly-by-wire aircraft. This means that you cannot hack it out of the sky or have it fly sideways, as it is mechanically impossible to take over the controls from the pilot.

Most aircraft have provisions for pushing updates and sending off flight data while they are on the ground. This means that sensors are on the landing gear to detect weight on wheels in order to allow system updates to take place.

The big stink it seems is that the pilots hadn't been told that the aircraft was more vulnerable on the ground.

These journalists keep talking about how planes are more vulnerable because we have added wifi to the entertainment system and other rather silly claims.

Just to be clear, no commercial aircraft has its entertainment system talking freely to the avionics suite used by the pilots.

In other words, you can hack away at the entertainment system all you want, you CANNOT hack the plane in flight.

The data flow simply isn't there. Flight data can be sent unidirectionally to the entertainment system, but the electronics to send data the other way simply aren't there.

Also, you cannot flash upgrade the avionics suite without weight being on the wheels as stated earlier.

This means that a malicious actor would have to attempt to push this update while the plane is on the ground.

So let's take that and make it the worst possible scenario.

You are in flight and your GPS stops working, your autopilot stops working, everything techie stops working.

Wow, what an attack.

Does the plane fall out of the sky ?

No.

You see, in most modern aircraft you have something really old school.   A pilot.  Actually two of them.

The pilots have many responsibilities including overseeing the overall functionalities of the aircraft to ensure its safety.

This means that if a pilot looks at the GPS and then looks at the MECHANICAL altimeter and notices that the GPS claims to be at 38,000 feet and the mechanical altimeter says 2,000 feet you are going to have two very motivated pilots looking into the problem.

They would identify that the GPS is faulty, turn it off, note it in the aircraft log and probably report it in flight to headquarters to have someone fix it when they land.

So what happens when two, three or four airplanes call in with the same problem....  The fleet would be grounded until someone figures out what went wrong.

So now I already hear the skeptics screaming: yeah, but what if they hack the autopilot to take over the plane and crash it.

Well, good news. The autopilot isn't a steroids jacked up cocaine infused weight lifter that will immobilize the pilots and force the plane into the ground.

As soon as the pilots would feel the plane change altitude or veer to one side or another, they would notice. That's right folks, just like driving a car, when the sound of the engine changes.... you notice.

So what would happen.... they would hit this button called POWER on the autopilot and this button, by design, is not computer controlled. It is a mechanical interrupter that kills the power to the autopilot. If that button failed, the pilot would push or pull on the controls and overpower the autopilot. The mechanical autopilot is not designed to be stronger than a human; you can override it because you are stronger than its designed strength. And they wouldn't have to do this long, just long enough to find the FUSE for the autopilot and pull it. And yes, they simulate this.

That folks is what you call SECURE DESIGN.  Something lost in most markets, but very present in aviation.

So what if the pilots don't notice that they are descending lower and lower and lower....

Well, I'm a pilot. And I can tell you that air traffic control doesn't appreciate it when you file a flight plan for a certain altitude and they see you at the wrong altitude. They will even have the audacity to humiliate you on the radio by asking you to confirm altitude and altimeter settings.

You see, their job is to keep airplanes separated along flight paths.

They have a set number of airplanes under their watch, and they do indeed watch.

As one of my good friends "J" once expertly described while we both gave a conference on this very subject: airplanes, like every complex mechanical system, have security weaknesses. However these do not translate into a SAFETY issue because of the overall safe engineering of the entire ecosystem.

Aircraft are extremely SAFE.

Take the radio system for example. Any idiot can purchase an aviation band radio for a couple hundred dollars and learn to PLAY control tower.

This in the cyber security realm is called an unauthenticated communication. No username, no password. Really the worst case in computer security.

So a rogue individual could call out to an airplane, make themselves sound like the control tower, and crash an airplane.

Well.... No.

Once again, we have something called "the pilots" who are the "BOSS" of that airplane.  The "Tower" isn't the boss.  The pilot is.

So hearing an order come in from a fake tower that results in an unsafe action wouldn't work, and also the real tower that hears the fake tower would most certainly call out that something is wrong.

So if the tower says "Air Canada Flight 1505 please descend at your discretion to 10,000 feet" while they are actually flying over the Rockies.... I'm pretty sure the pilots would know that this isn't ideal.

As they would descend, the other safeguards in the airplane would start setting off alarms.

The GPS screen would turn RED.

The ground radar would start saying "TERRAIN" "TERRAIN"

So unauthenticated radio communication is certainly a security issue.... but it isn't a safety issue, so we don't really care.
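The layered checks described above, as an added example that is not code from the original post and not how any real avionics suite is implemented: a toy safety monitor that trusts the mechanical altimeter over the GPS, gates avionics updates on weight on wheels, and checks a radio clearance against terrain before acting on it. The tolerances, terrain elevations and the flight scenario are constructed assumptions.

```python
"""Toy model of the layered safeguards the post describes.

Added example, not code from the original post. It models three independent
checks that stand between a compromised data source and an unsafe outcome:
the weight-on-wheels interlock on avionics updates, the cross-check of a
computer-fed GPS altitude against the mechanical altimeter, and the terrain
warning that fires no matter what a radio clearance said. Tolerances, terrain
elevations and the flight scenario are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALTITUDE_TOLERANCE_FT = 500      # assumption: larger GPS/baro disagreement marks the GPS faulty
MIN_TERRAIN_CLEARANCE_FT = 1000  # assumption: warn when trusted altitude is below terrain + margin


@dataclass
class Reading:
    gps_altitude_ft: float       # software-fed value, the one an attacker could influence
    baro_altitude_ft: float      # mechanical altimeter, no inbound data path
    weight_on_wheels: bool       # landing-gear sensor
    terrain_elevation_ft: float  # terrain under the aircraft (ground radar / terrain database)


@dataclass
class SafetyMonitor:
    faulty_sources: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def update_allowed(self, r: Reading) -> bool:
        """Avionics updates are accepted only with weight on the wheels."""
        if not r.weight_on_wheels:
            self.log.append("UPDATE REJECTED: airborne")
            return False
        return True

    def trusted_altitude(self, r: Reading) -> float:
        """Cross-check GPS against the mechanical altimeter.

        The mechanical altimeter is always the reference; a disagreeing GPS is
        marked faulty once and logged for maintenance, as the pilots would do.
        """
        disagreement = abs(r.gps_altitude_ft - r.baro_altitude_ft)
        if disagreement > ALTITUDE_TOLERANCE_FT and "GPS" not in self.faulty_sources:
            self.faulty_sources.append("GPS")
            self.log.append(
                f"GPS FAULT: gps={r.gps_altitude_ft:.0f} baro={r.baro_altitude_ft:.0f}"
            )
        return r.baro_altitude_ft

    def check_clearance(self, cleared_altitude_ft: float,
                        terrain_elevation_ft: float) -> Tuple[bool, str]:
        """The pilot, not the tower, decides: refuse a clearance below the terrain margin.

        This is what makes the unauthenticated radio a security issue but not a
        safety one: the instruction is checked against an independent source.
        """
        floor = terrain_elevation_ft + MIN_TERRAIN_CLEARANCE_FT
        if cleared_altitude_ft < floor:
            self.log.append(
                f"CLEARANCE REFUSED: {cleared_altitude_ft:.0f} ft below floor {floor:.0f} ft"
            )
            return False, "below terrain margin"
        return True, "accepted"

    def step(self, r: Reading) -> List[str]:
        """Process one reading and return the alarms it raises."""
        alarms: List[str] = []
        altitude = self.trusted_altitude(r)
        if "GPS" in self.faulty_sources:
            alarms.append("GPS FAULT")
        # TERRAIN is derived from the trusted altitude, so a spoofed GPS cannot silence it.
        if not r.weight_on_wheels and altitude < r.terrain_elevation_ft + MIN_TERRAIN_CLEARANCE_FT:
            alarms.append("TERRAIN")
        return alarms


def run_spoofed_descent() -> Dict[str, object]:
    """Constructed scenario: the GPS is fed a false altitude while the aircraft descends over high terrain."""
    readings = [
        Reading(35000, 35000, False, 5000),   # normal cruise, both sources agree
        Reading(38000, 34000, False, 5000),   # GPS claims 38,000 ft, mechanical altimeter says 34,000 ft
        Reading(38000, 12500, False, 12000),  # GPS still lying, aircraft only 500 ft above 12,000 ft terrain
        Reading(20, 20, True, 20),            # on the ground after landing
    ]
    monitor = SafetyMonitor()
    alarms = [monitor.step(r) for r in readings]
    updates = [monitor.update_allowed(r) for r in readings]
    clearance = monitor.check_clearance(10000, 12000)  # "descend to 10,000 ft" over 12,000 ft terrain
    return {"alarms": alarms, "updates": updates, "clearance": clearance,
            "faulty_sources": monitor.faulty_sources, "log": monitor.log}


if __name__ == "__main__":
    for key, value in run_spoofed_descent().items():
        print(f"{key}: {value}")
```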

Here is a cockpit photo of a modern, extremely technology dependent aircraft, and I have highlighted the devices that are old school mechanical and are impossible to hack via wifi... or via any computer.

Don't let the headline grabbing journalists frighten you from flying. It remains extremely safe, and my favourite way to get to where I'm going.

_______________________________________________

Saturday, October 21, 2017

Equiflop 101

You guessed it, someone is dropping the ball again.

Canadian "customers" of Equifax are receiving a letter today informing them that without any doubt, their sensitive data has been exposed.

What remains stunning is the lack of comments from our privacy commissioner and each and every bank that is sending our sensitive data to inadequately vetted third parties, who appear to be sending our personal data into another country.

Regardless of the claims that perhaps, if the moon is lined up, only people with US banking would have had their data exposed, then why would these people's PASSWORDS and SECRET QUESTIONS be stored on a US system ???

This indicates seriously flawed architecture, that not only violates common sense, but also violates data residency laws.

Equifax continues to offer a complimentary 12 month subscription to their identity theft solution, which in my view is a criminal act since they should be closed down, or be giving it away for free to everyone until we are all dead since the information exposed CANNOT BE UNEXPOSED. My social insurance number, birthdate and mother's maiden name will never be changed.

The fact that the passwords have been exposed, including the responses to secret questions which are even more sensitive than the passwords themselves, also shows a serious lack of security in the overall design of their infrastructure.

SO TWO THINGS:

1) Once again, we are not their customers, the banks are their customers as they send all our sensitive data to Equifax. We haven't heard a single word from the banks as to how they are going to ensure they no longer send our sensitive data to unqualified ass clowns who run a business using our data. It is clear that the business model is not to offer a secure service, it is obviously a primary goal to offer a service and make money. Our regulatory layer is sleeping through this, and each and every Canadian bank is to blame since they haven't come forward to tell you and I how they are taking concrete actions to safeguard our well being.

2) Equifax is sending off these nice letters telling us that WE are their priority. This is complete nonsense. We are way past having sunshine blown up our asses. WE ALL KNOW that their priority is saving their asses and their investors' asses. Stop with the bullshit already. That letter is a disgrace, offering 12 months of free service for something that will have lifelong effects on the people. The reason we are seeing these types of responses is 100% because we are NOT their priority. Their lawyers are reviewing these letters 20 times to minimise their exposure to lawsuits.

Here is how that letter should have read to score any positive points:

Dear Canadian Citizen, we, the board of directors of Equifax, have taken charge following the significant security issues that have surfaced in the last months. We have locked down the enterprise, fired all executives and are in the process of restarting the enterprise following concrete steps to ensure that the information entrusted to us by our partners is handled appropriately.

We have hired 5 security experts from 5 different enterprises who are overseeing our entire business process including our technological architecture for everything we do.

Every system accessible from the Internet has been shut down.  Only business-2-business communications remain along with our email and phone system.   All our offices no longer have access to the Internet.

Everything is being reviewed, and during this transition period, a toll free 1-800 number has been put in place to replace Internet type services with an actual highly trained customer service representative.

We have previously communicated that we would give out 12 months of free identity theft protection services and this was a mistake.  This service will be provided free of charge forever, for any citizen exposed during this breach.  Our core business is servicing the banks and it would be unethical to charge the citizens for a service that they now require because of our shortcomings.

......

I think you get the idea........

Equifax is so far from this that reading their letter is just plain upsetting.

Why haven't the banks and our privacy commissioner taken obvious and concrete steps to protect us?

Why is our sensitive data still being sent to Equifax and their competitors without having a REAL vetting process?

By real I mean NOT simply asking them if someone has audited them and if they have some certification. The real security experts know that this is close to meaningless in publicly traded companies since management is always in "protect their ass" mode, which results in people exaggerating (read here lying) about how well they do things.

Equifax had several industry certifications (ISO, SOC 2 TYPE II, PCI, etc.), yet they are a disaster at all levels.

I'm talking about each bank sending their security experts over for an onsite audit and review of the entire Equifax architecture (and once again their competitors).

So why haven't they done it...... Simple..... They too do not want the answer. They rely on the data they get from Equifax to run their business and generate their revenue. So once again, we seem to think that we are the banks' "customers".... we are their product.

Our government needs to step up and stop protecting the big players and start making laws with some bite and start handing off fines and jail time for the senior executives who oversee these enterprises.  Letting incompetence rule is leading us down the wrong path.

Take the HIPAA law/regulation that helps protect healthcare data in the US.  This regulation was written by people who actually wanted things to change and had clearly been lied to in the past.

Three clear levels of penalties are presented.

Level 1: You shouldn't have known about an issue, yet had a breach, pay a fine.
Level 2: You should have known if you had an acceptable level of competence, pay a bigger fine.
Level 3: It's clear you knew you lying sack of shit, and didn't take charge, pay an even larger fine, and heck, go to jail too.

CALL TO ARMS

So what should we do, since our elected officials and our banking providers are not doing what they should?

Perhaps we all need to write a letter to Equifax and TransUnion and request that all our data be deleted from their systems.

I wonder how well that would go.

But let's use one of our existing laws instead. In Quebec, our privacy law does have some strict components, just no penalties.

Any enterprise that holds our data, must be able to tell us EXACTLY who has had access to our data (who has consulted it under all forms) and who has modified it.

I wonder if Equifax and TransUnion can actually tell me EVERYONE who has had access to my data.  This goes beyond the application layer.  Who has accessed the operating system, who has accessed the database backend, etc.

Should we all send off a letter to Equifax and TransUnion asking a long series of very well thought out questions and see what comes of it.....

Maybe the answer is yes.....

And should we also send off a letter to our elected officials asking them to take action...

I think the answer is yes in both cases.

Should I write the first draft ?

Turns out I'm not the only one that seems to think that one gigawatt of electricity should flow through Equifax:

Equifax Deserves the Corporate Death Penalty

Something has to change, since big businesses have very little motivation to protect the citizens FIRST.

_______________________________________________


Tuesday, September 19, 2017

EQUIFAX - There should be a limit to just how deep you go.

Second opinion piece within one week on the same subject, must be that kind of week.

The type of week that makes it simply too overwhelming to keep my fingers off the keyboard.

As it stands now, it is no longer a big secret that Equifax was not doing what they should have been doing and they exposed a vast amount of extremely sensitive personal information.

LAWSUITS 

The FTC (Federal Trade Commission) in the US has officially commented that they are investigating. Also of interest, in Atlanta, a lawsuit has been filed for “gargantuan failures to secure and safeguard consumers’ personally identifiable information … and for failing to provide timely, accurate and adequate notice”. Add to that Massachusetts, which just announced legal action for failing to protect its residents, and maybe a landslide of lawsuits is just around the corner.

This is very interesting, and I certainly wish someone... anyone.... in Canada decided that these services put together by chimpanzees with duct tape should ALL be investigated and audited to ENSURE that a REASONABLE level of security is in place. All we have so far... is a rather weak statement from the privacy commissioner.

TOP QUALITY SECURITY PROFESSIONALS

Something even more fascinating came out: the fact that their CSO (Chief Security Officer) was paid a ridiculously large salary, which didn't seem to help their security posture since issue after issue has been reported over the last few days, including the services in one country being accessible with the ever so complex and secure username ADMIN and password ADMIN.

Several video and audio interviews performed in the past by EQUIFAX's CSO have been pulled from Youtube and SoundCloud. Luckily the Internet is responding by finding their own copies and reposting them.

It seems that watching these videos and listening to the CSO's discussions gave you little doubt that this breach was going to happen.

Luckily they have all been pulled from the Internet, only a few transcripts remain at http://archive.is/6M8mg

Unlucky for us since we cannot view these gems and make our own opinion.

What has surfaced is that the CSO's formal training appears to be in Music (Music Major). This got the entire Internet in an uproar, however on its own, it really is meaningless as good security requires intelligence and common sense, and I know plenty of musicians that have both.

This does however become very pertinent when under every stone the Internet lifts up, fumes from a pile of shit seem to rise.

So Equifax in Canada appears to have announced that at least 100,000 Canadians have been exposed, that they are protecting these accounts with their protection services for free, and that the ongoing investigation should conclude within a few weeks when they can finally announce who got screwed.   Fascinating that they are stating that they are protecting the 100,000 people right now, as they publish this news, yet they do not know who they are, and will let them know when their investigation concludes.

So just to recap, so far we have:
1) Hidden the breach for something that appears to be 5 months or more

2) Inside trading as senior execs sold stock after the breach was known and prior to it being announced

3) Someone with intimate knowledge shorted the stock to the tune of 4 million

4) Several senior execs just decided to retire

5) The CSO has no formal training yet is paid a multimillion dollar salary and has also just retired

6) Equifax was reported as compliant to PCI, ISO, SOC 2 TYPE II, etc.

7) Their critical systems were not patched and up to date

8) At least one system had no valid password to protect the ADMIN account yielding access to all client data

9) Their response to the incident is clearly amateur.

10) Somehow they had unencrypted credit card numbers just sitting there, or their encryption architecture was so so weak... Yes... weak it is as the private keys are accessible in the web panel.

11) They put together a credit monitoring service that is also exposed

12) They put together a site to tell you if your data has been exposed that returns random results.

13) They are erasing any Video/Audio traces of their Musical CSO

14) .....   I could go on, and on and on, but I'm tired of going through tons of notes on the subject... you get the idea....

This folks is how to NOT run an incident response.

SETTING A GOOD EXAMPLE

This week, another significant security breach has surfaced. CCleaner is a utility program used by millions and it got hacked and ended up deploying malicious code on its users' workstations.

Listen up to how they managed this crisis.

They came out and said the following: (reference article here)

a) We are sorry
b) We screwed up
c) This is exactly how it happened
d) This is exactly what we did to fix it
e) This is exactly what we are doing to address the root cause so this doesn't happen again

So what do you think is going to happen?

It's going to go away.  They took responsibility and didn't cover it up, came right out and came clean.  It's over, move on.

This is clearly not the angle that Equifax is taking.

COMPARING WITH A TARGET

A few years back a significant breach had taken place at a small retailer called TARGET.

They too took the glamorous path of lies and the strategy of downplaying.

Day 1: We may have had a breach
Day 2: Some client data might have been touched
Day 3: Only 10 million client records could have been affected
Day 4: Only 40 million client records might have been affected
Day 5: Only 70 million client records involved
Day 6: Oh to hell with it, all our client records have been hacked.

What happened, the media ate them alive.

At the exact same time, another retailer had had pretty much the exact same breach.

Neiman Marcus had been hacked using the same technique. They came out day one and said, we are not sure exactly what happened, but it looks like all our customer data was stolen.

The media wrote about it once, moved on. What else is there to say.

The Target went on for more than a month because they kept trying to cover it up.

So here we stand, with Equifax doing such a swell job.

ABSENCE OF CANADIAN LEADERSHIP

Where EXACTLY is our Canadian privacy commissioner ??????

Since Equifax is run by big business for big business... is it untouchable in Canada ?
Since they have all of our data, and most people aren't even their client, nor do we really want them to have our data...... is there anything we can do ?

Why aren't our elected officials taking direct, public actions to investigate a company that CLEARLY needs to be verified?

Also in the news this week, JPMorgan CEO calls bitcoins a fraud and says he will fire anyone in his firm that invests in bitcoins.... bitcoins plunge and JPMorgan shorts it and makes millions. Yet JPMorgan has been fined 13 billion for fraud in the last years...

Just how far in does the apparatus have to be inserted before someone yells "HEY !  That's deep enough!"

In closing, I recommend reading through this post from SPUZ.ME that highlights some of the exchanges with the hackers who broke into Equifax. The screen shots kind of give a big secret away. Equifax has all your shit accessible from the Internet.

http://spuz.me/blog/zine/3Qu1F4x.html

or visit the hackers' current onion site at: equihxbdrjn5czx2.onion

_______________________________________________

Saturday, September 9, 2017

Equifax is "SCREWING" their "customers".

This is an opinion piece... so grab a beer or a line of coke like the Equifax execs have been doing.

First they have repeated security issues, many reported to them and they do nothing. And they have had breaches in the past (2 others in the last year or so).

Second they appear to be taking full advantage of this "breach" in a way that Donald Trump would appreciate.

Hey, business is business, not my fault you happened to be bent over while I was getting ready to...  All right, let's keep it clean.

Researchers (friendly hackers) noticed something really cool about the NEW service being offered by Equifax to check if your data is part of the breach.

Drum roll please.....

It doesn't really matter what you enter, the answers are random and they just want to push you to their TrustedID service.

Coincidentally subscribing to this service means you are agreeing with their terms and you give up your right to sue their sorry asses.

Take a look at this posting from Sarah Buhr at TechCrunch and your aggravation level is certain to rise unless you're dead inside.

PSA: no matter what, Equifax may tell you you’ve been impacted by the hack

A while back I wrote about the Ashley Madison "hack" and the fact that this company had self proclaimed themselves secure with a made up Security Award. Well... it seems they all went to the same business school, as what Equifax is doing and how they are responding to this breach is in line with this type of business practice.

Combine all this with the fact that senior executives sold 2 million in stocks prior to the announcement, and then you add to that the unknown person or persons who shorted the stock and made another 4 million.... you have yourself a really nice picture generally called insider trading, along with a few more terms not fit for small children.

Suspect trading in Equifax options before breach might have generated millions in profit

This all points to something missing in our wonderful world called PENALTIES. Not penalties for the enterprise. The executives do not care if the enterprise has to pay some penalties. Penalties for the executives, including jail time when their actions are criminal in nature.

I'm not referencing the insider trading, which I hope is considered criminal.  I'm referencing the lack of respect for their customers data and willful blindness when serious security shortcomings are reported up the chain of command.

And by the way, why are we calling ourselves customers, when in fact we are their product, not their customers.  We are forced to deal with companies run by clowns, and the only time we are customers is if we subscribe to one of their shitty services to access our own damned data and make sure they are reporting accurately on our data !!!  What world are we allowing ourselves to live in.

I have to pay a monthly fee to access my data that I never wanted these idiots to have. Why... because the banks "need" it to authorize my mortgage. We certainly don't want the banks taking too much risk. Wait... didn't they seriously screw up a few years back and lend billions of dollars that they shouldn't have, and then the US government bailed them out and they all took in BONUSES !

If you want a really good laugh, take a look at Equifax's SOC 2 TYPE II attestation report.

https://www.equifax.com/assets/WFS/the_work_number_best_practices_in_data_security.pdf

Proof again, that traditional auditing mechanisms are meaningless because people LIE.

Listen up folks: Companies on the stock market are filled with executives who have ONE priority, themselves. Therefore they LIE, COVER UP, and IGNORE some pretty significant elements that lead to events like this. Their bonuses are dependent on everything looking great.

So there you have it folks.  A great big company, audited by other great big companies, compromised at all levels including ethically and morally.

No wonder I prefer family run businesses. My two most significant clients are family run (one is 500m revenue and the other is several billion) and surprise surprise, when something comes up as a security risk, the CIO brings it to the CEO and no one hides anything. They just manage the risk, take decisions, figure out how to be better and fix things.

Wow.... that's revolutionary.

_______________________________________________

Friday, September 8, 2017

Slow News Week

The quality of journalism can certainly be challenged these days.   It seems that in order to keep your job, the title of every article must sound alarming and catastrophic in nature in order to "sell print".

Sad really, since we end up with a feeling of fake news, and many other side effects.

However, a significant mass of people will be reading these articles and believing the negative feelings being conveyed.  

This morning, in Montreal's very popular "Journal de Montreal", we find an article titled "He receives a stranger's card" making reference to a medicare card. Not a credit card, not a driver's license, but a medicare card.

Poor poor man.   How traumatizing to have received your own card along with a strangers.  How will you sleep through the night and get to work on Monday.

If you ordered underwear from Amazon and received someone else's order of socks would you call the newspaper or would you call Amazon to have the error corrected?

This is not the first time a shit article has been written on a shit subject. Last year, someone received something from the government that was misaddressed and the newspaper did the same type of article.

Let's look at the risk.

The medicare card has only one piece of sensitive information, your birthdate.  Combined with your name, the person who erroneously received your card, now has a piece of plastic with physical countermeasures similar to a credit card, that has your picture, name and date of birth on it.

What is the risk here..... well.... if the person that received it is Frank Abagnale then maybe he can cannibalise the card, change the picture and use it to get free medical services. Frank wouldn't have your address and know where you bank, so the damages to you are limited to say the least.

In order to sound like a journalist, let me say it this way..... 

"The statistics demonstrate that sending a random medicare card to a random individual will not result in that card being used maliciously"

Did I say statistics... sorry I meant common sense.

"A random citizen does not have access to the talent required to fraudulently use someone else's medicare card"

"A random citizen doesn't have access to the underground networks that use false medicare cards for profit"

Oh oh oh wait.... here is a good one...

"A random citizen can't do shit with your name and date of birth and your ugly mug shot".   Usually considered the same pairing of information that most idiots share with their 800 Facebook "friends".

As another note..... news is supposed to be pertinent (in my opinion). These types of articles only make the security uneducated worry about something that is out of context and of no value. The fact that a rubber bushing on an envelope stuffing machine felt fat one morning and spewed two cards into an envelope instead of just one is about as newsworthy as watching paint dry or linoleum curl under high humidity.

Imagine your next family gathering where grandma wobbles over to her security expert grandson and asks "How bad is it dear, am I going to lose my medicare, I read that they sent out my card to the wrong address".

Charming.

I'm pretty convinced that there are large masses of worthy subjects to investigate and report on.   

This happens in security articles too.

Take this example:

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware

According to Microsoft, this isn't a bug, it's a design feature. Sure we can argue that Microsoft is covering their asses, but the article actually stipulates Microsoft's response. So in my opinion, the article title should have been "Windows Kernel Design makes security software creators work for their money".... but that is far less catchy!

_______________________________________________