Combined Hack Attacks
Whenever you think of hackers, you think “how did they get in?” Well, the answer may not be as simple as “this one ‘door’ was left open,” where that door refers to a single weak point in security. This could be an unpatched piece of software, a phishing email or some other exploit. Andrew Whitaker explains that hackers often combine multiple exploits in order to achieve their goals.
In this article, Andrew outlines an interesting proposition to avoiding attacks: think like a hacker. Instead of thinking like a security professional, you must think of the passion and the drive that goes into hacking. In the same way a hacker will ‘think outside the box’, so too must the security professional.
It is, of course, easier said than done. The article is not a how-to, either. It is simply a reminder that there are many ways ‘in’ and that security must be a multi-faceted effort in order to thwart potential attacks. In addition, if your network is compromised, you may find that there is no single point of attack but rather a chain of attacks.
Via InformIT; Image: Clipart
Absolute Manage Launched
Absolute Software recently acquired the LANrev systems management platform from Pole Position Software. Absolute has brought this computer lifecycle management product into our brand family, and it’s now called Absolute Manage.
Absolute Manage provides organizations with an easy and automated way to manage PC and Mac computers, as well as iPhone devices, from a single interface. IT administrators using Absolute Manage can efficiently manage all their assets by automating time-consuming IT processes such as software distribution, patch management, asset inventory and imaging. Additionally, it helps organizations save money by allowing them to track installed applications and licenses, redeploy under-used licenses and hardware to maximize inventory, and avoid non-compliance fines. Absolute Manage can be added on to new or existing Computrace licenses or purchased as a stand-alone solution.
Enterprise Management Associates (EMA) put together an Impact Brief about this acquisition and how it benefits the user bases of both companies. You can download the brief here, read our news release here, or contact an Absolute representative.
Buyers Beware – How to Spot a Stolen Laptop
Laptop theft equals big business for many thieves; online classifieds, auction sites, pawnshops and sometimes plain old street corners provide the perfect spot to flip a stolen machine. Yet while few of us will deny that computer theft is a seedy crime, many of us wouldn’t hesitate if offered a great deal on a good computer. But at what price?
Whether you unknowingly make an illegitimate transaction or simply choose to ignore better judgment to strike a good deal, the consequences of buying a stolen laptop are unfavorable. If you can smell a fishy situation but still make the purchase, you could potentially face charges for Possession of Stolen Property. And even if by chance you can prove you made the second-hand purchase in good faith, you’ll still be laptopless in the end – police will return the machine to its legitimate owner, and you’ll be out whatever cash you forked over.
Absolute recovers thousands of stolen computers each year, and knows the general rule of thumb when it comes to purchasing a used machine: if the situation feels suspicious, it probably is, and you should avoid it.
Although there are no real tell-tale signs of theft, there are definitely ‘red flags’ to look out for when buying secondhand:
- The seller is unable to produce any documentation for the hardware.
- Kensington lock slot is damaged (suggests the computer was ripped from its security cable).
- Computer is being sold without its power cord.
- Computer is being sold for an unusually low price (most thieves are looking for a quick flip).
- Serial number is scratched out or blatantly obscured.
- The computer is password protected.
- There are clear signs of corporate branding (desktop, screen savers, naming schemes, stickers, etching, etc.).
Even though the offer may be tempting, think before you buy – and be sure to do a bit of research first:
- Inquire into the reason for sale. Why is the seller getting rid of the laptop? What have they used it for in the past? Look for fumbling responses, or incoherent explanations.
- Ask where the laptop was originally purchased and for any original documentation the seller may have – manuals, receipts etc.
- Request a purchase receipt. An honest seller should have no qualms with this.
- Consider fair market price. Is the computer being sold for an unreasonably low amount?
- Using the laptop’s serial number, check with online theft registries or local police to see if the machine has been reported stolen.
Buyers beware, be careful and be smart!
Common Sense Data Security Tips
Econsultancy has put together a list of 10 “Common Sense” Data Security Tips for businesses. This list includes many tips we’ve talked about repeatedly on this blog, including:
- Don’t store data in plaintext
- Don’t store data if you don’t have to
- Manage server permissions
- Filter input, escape output
- Use a firewall
- Manage users
- Use SSL
- Plan your infrastructure
- Stay on top of software updates
- Actively manage your security
Have a read through the list – are you on top of all 10 segments?
There are, of course, loaded areas to this list. It’s easy to list “plan your infrastructure”, but that includes looking at many areas of hardware and software. There are probably a number of items that could be added to the list, but one area I’d probably add is to actively plan, and manage, your mobile data security policy. This would include policies on the use of company information on mobile phones, laptops and USB keys. As we’ve seen from recent data breaches, this is a growing area of risk and concern.
image: mconnors @morguefile
Avoiding Malware For Hot News Searches
When big news is breaking, a big tip to remember is to always search Google News, not just Google (or alternate search engines). Why is this? A crafty spammer can easily set up a keyword-rich site infected with malware. Such was the case with the announcement of the new iPad from Apple this week (and for the Haiti tragedy earlier this month).
Websense found that searches for “apple tablet announcement” were poisoned by attackers – one of the top 5 results led to a site promoting rogue anti-virus products.
In order to avoid purposefully set-up malware sites like these, we recommend searching Google News directly, bypassing plain search results which can be skewed by malware in the results. This does not eliminate the threat of malware, which may just as easily be hosted on legitimate websites, but can reduce your risk.
In related news, Network Box has determined that phishing accounts for 55.59% of all malware sent by email, and Dasient reports that the number of websites infected with malware almost doubled in the last quarter in comparison to the previous year.
Ontario Teachers Affected by Data Breach
Who Breached: Ontario Teachers Insurance Plan
Number Affected: 8,600
Information breached: Social Insurance Numbers
How: laptops stolen
On December 3rd, laptops containing the private information (names, addresses, social insurance numbers) of about 8,600 Ontario teachers were stolen from the Waterloo offices of the Ontario Teachers Insurance Plan. Those affected were notified of the breach in mid-January.
The theft is characterized by police as a “smash and grab” with the laptops being one item among those stolen. This theft comes one month after a USB key containing some personal health information of 80,000 people was lost in Ontario.
It is not clear what security precautions, if any, were on the stolen laptops. We do know the laptops were unencrypted, so likely other security precautions were also not taken.
Act now to protect your own assets and the information on those assets by having a strong mobile data security policy and calling Absolute to ask about our laptop security solutions. For those in the healthcare field, please refer to our Healthcare Resources page.
Happy Data Privacy Day – Cost of a Data Breach Goes Up
Today is World Data Privacy Day, and what better way to spend it than to take a look at the effects of data breaches. The Ponemon Institute and PGP have released a new report about the Cost of a Data Breach in 2009. In 2008, the cost was found to be $202 per breached record. The 2009 cost per breached record increased to $204, a very marginal increase from the previous year. But it adds up.
The 2009 study examined the records of 45 U.S. companies that experienced a data breach that year, with records lost ranging from 5,000 to over 101,000. The study found that, for the first time, companies are spending more on technologies to prevent and remediate breaches. The organizational cost of a data breach, on average, was $6.75 million. The most expensive breach resolution recorded in the study was $31 million.
Given the first-ever increase in technology spending in this category, the areas where spending was concentrated included technologies in encryption, identity and access management, data loss prevention and endpoint security.
In a similar study, the Ponemon Institute found that the cost of a lost laptop in 2008 was nearly $50,000. It is encouraging to see that companies are paying attention to these costs – which include lost customer trust and loyalty - and are investing in technologies, such as those offered by Absolute Software, to mitigate these costs.
What are you doing to help stop data breaches in your organization?
Image: clipart
7 ‘Deadly Sins’ of Online Fraud
I have to admit, I’m a sucker for a good title. This post on Help Net Security – “Online Fraud: Avoiding the Seven Deadly Sins” – caught my eye for obvious reasons. It’s a basic 7-step program to reduce the threat to online transactions from the corporate perspective – not the consumer perspective, as is so often the case. These tips can help reduce the risk for customers doing business with you online – a good thing!
- Log transactions
- Pay attention to browser and HTTP header information
- Don’t transact with automated scripts (BOTS)
- Keep your fraud tactics covert
- Pay attention to mobile commerce
- Mask sensitive data
- Don’t allow non-words in data fields
Read more about these ‘sins’ here. And for further reading, check out this great article: Secure Online Transactions
Image: clipart
First HIPAA Lawsuit
The first HIPAA-related lawsuit has just been filed by Connecticut Attorney General Richard Blumenthal. The AG is suing Health Net of Connecticut for failing to secure private patient medical records and financial information for 446,000 Connecticut residents and for failing to promptly notify those at risk from the breach.
In his lawsuit, Blumenthal is seeking a court order blocking Health Net from further HIPAA violations.
“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”
A forensic consulting firm had determined that the data at Health Net was easily viewable, lacking encryption or other protections from unauthorized access. This went against company policies and against HIPAA compliance law.
For more about HIPAA, see our past articles here and here.
Via IronKey Blog, Health Imaging; Image: clipart
New Facebook Privacy Customizations
With the most recent update to Facebook privacy settings (December 2009), there are some new things you should know and steps you should take to safeguard your privacy. Though a “wizard” guided Facebook users through the changes after the new settings rolled out, several settings were changed by default and were not included in the wizard. Many of these changes made information public by default, which is not something many users would want (and which the FTC is complaining about).
There are 4 levels of privacy in Facebook, with “everyone” meaning that all your information is available to search engines. The most private setting is “Only Friends”.
In order to review your privacy settings, go to Settings > Privacy Settings in Facebook. You will want to review the privacy settings in the first 4 sections. The website “Make Use Of” suggests the following actions to review your settings:
- Create / Make use of Friend Lists
- Control Search Visibility
- Control Who Sees Photos
- Control Wall Notifications
- Control Relationship Status / Contact Information Visibility
The new Facebook privacy settings offer a lot more options to protect your information at a granular level if you take the time to alter your settings. So, make yourself aware of the options and choose wisely!
Via makeuseof