Laptop Security Blog

Absolute Software: Finalist in TIA Company of the Year Award

Absolute Software has been named a finalist for “Company of the Year” in the 2008 Technology Impact Awards.

The TIAs celebrate innovation and high-tech excellence within British Columbia, as hosted by the British Columbia Technology Industry Association (BCTIA). Awards are given in three groups: technology, company and personal recognition.

The three finalists for Company of the Year are:

Congratulations to all the finalists for highlighting excellence in the BC technology sector!

The winners of the TIAs will be announced at an awards ceremony here in Vancouver on June 12th.

LoJack for Laptops Review by Hardware Logic

Hardware Logic has done a very in-depth review of Computrace LoJack for Laptops, the consumer laptop security software offered by Absolute Software.

The review looked at the performance of an HP Pavilion laptop before and after LoJack was installed. It compared startup, shutdown, use of the computer while gaming, and much more. The conclusion: LoJack has no discernible impact on system performance. Hardware Logic gives LoJack a stamp of approval and a strong recommendation for any laptop owner:

“It won’t prevent your laptop from theft, but it will do everything it can to get it back. From IP tracking to assisting local authorities with obtaining a search warrant, having LoJack on your side gives you a serious advantage over any unsuspecting crook. High tech thieves will find themselves at a disadvantage too, as LoJack is nearly undetectable and virtually impervious to most attempts at thwarting the software.”

Hardware Logic considers LoJack for Laptops a “no-brainer”, ending the review with “can you afford not to have LoJack on your side?”

A very good question indeed. You can learn more about LoJack for Laptops here, or alternatively corporate customers can upgrade to the compliance-level Computrace suite.

Trusting Contractors with Laptops

CSO Online’s Michael Overly has a good article about businesses trusting their sensitive information to consultants, and what best practices to follow. The first guideline: do not let your consultant store any of the information on a laptop.

There are practical considerations that make it difficult to ban the use of laptops in all situations. Consultants may need to move from site to site easily, with constant access to the data. One solution is to provide laptops to the consultant yourself - that way you can be satisfied with the security systems in place. When that is cost prohibitive, here are some suggestions offered for a laptop security policy to enforce with contractors:

  • WiFi access should be limited to approved secured means, and used only when necessary
  • Hard disk must be encrypted
  • All ports on laptops to be disabled
  • Strong authentication required (e.g. biometric)
  • Security software installed and kept up-to-date
  • Secure and irreversible erasure of data to be enforced at end of data-use period
  • Tracking software with remote data delete should be used (like Absolute Software’s Computrace products)
  • Breach notification protocols should be in place in the event that the laptop goes missing

You can read more suggestions here.

80% of Americans Worried About Identity Theft

Bankrate’s recent poll about the consumer knowledge of identity theft indicates that 80% of Americans are worried about identity theft.

GfK Roper America conducted a random survey of American households, compiling results from 1006 adults (524 women, 482 men). According to the survey, respondents who know someone who has been a victim of identity theft (34% of the respondents) are more likely to fear becoming victims of identity theft themselves.

Respondents who are concerned about identity theft are more likely to be taking steps to prevent it. These steps include shredding documents and monitoring credit reports.

Surprisingly, 35% of people who are concerned about identity theft have taken no steps to avoid identity theft. This number shows a great deal more avoidance of the issue than I expected. Indeed, for people not concerned about identity theft, only 19% haven’t made any changes to avoid identity theft. So, the data is indicating that although some people concerned with identity theft go above and beyond to protect themselves, in some cases the knowledge of identity theft leads to an increase in the "head in the sand" approach.

Participants’ Response to ID-Theft (Bankrate - GfK Roper survey - North America - April 2008)

| Response | Concerned About ID-Theft | Not Concerned About ID-Theft |
| --- | --- | --- |
| More likely to shred documents with sensitive personal data | 82% | 52% |
| Use a secure snail-mail mail box (at post office or a locked box at home) | 63% | 51% |
| Avoid online banking | 54% | 55% |
| Check credit reports regularly | 53% | 30% |
| Refuse to shop online | 42% | 47% |
| Requested a Security Freeze on their credit reports | 23% | 6% |
| Only pay bills online | 16% | 13% |
| Haven’t made any changes to avoid identity theft | 35% | 19% |

In terms of defining which avenue of identity theft most scares the respondents, information obtained over the web (45%) and information obtained from a business (25%) dominated the results. The data indicates a strong fear of e-commerce as leading to identity theft, which is largely unsupported by the data breaches happening today.

"Consumers tend to blame security breaches and incidents on the ‘Internet’ and they are more likely to change their online behavior than their behavior in the physical world as a result. This reaction is not based on the facts. The fact is that the large security breaches are happening at brick-and-mortar companies like TJX and Hannaford." - Avivah Litan, VP and Analyst, Gartner

Identity theft is misunderstood by consumers - both how it happens and what the consequences are. Much more consumer education is needed, in addition to safeguards that service providers can put in place to proactively protect consumers.

Via I’ve Been Mugged

ID Theft Safeguard used to Steal IDs

Even the most carefully laid plans can go awry. Federal prosecutors charged a Southern Californian woman this week with aggravated identity theft after she used a genealogy website to locate people who had recently died and to take over their credit cards.

Tracy June Kirkland was using Rootsweb.com to find the names, Social Security numbers and birth dates of people who had died. She would then call credit card companies randomly to see if "she" had an account; if "she" did, she would request a mailing address change and, in some cases, would add her own name as an authorized user. Ms. Kirkland repeated this scheme at least 100 times between October 2005 and last month.

Rootsweb.com is a genealogical research site that, amongst other services, reproduces the Social Security Administration’s Death Index, which is a public list of people who have died, along with their birth dates and Social Security Numbers. The government publishes this list in such detail so that banks can prevent people from applying for credit under deceased people’s identities. The information is made public under the Freedom of Information Act.

Tracy Kirkland found a loophole in the system: instead of applying for new credit, she simply co-opted existing credit accounts. This is the first time this exploit has been found, according to a spokesperson for the Social Security Administration.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end."

So, what do you think? Should the Social Security Numbers be reported on the Death Index? Do you think the benefits to the prevention of identity theft outweigh the risks shown here?

You can read the full court indictment here [PDF]

Via wired ; Logo: Rootsweb, a part of Ancestry.com and MyFamily.com Inc.

Data Breaches Undermine EHR Adoption

The number of data breaches in the health care sector could undermine the health care industry’s efforts to promote widespread adoption of Electronic Health Record Systems (EHRs).

The latest Wall Street Journal reports that the number of people who can quickly access EHRs has raised privacy concerns, but many hospitals have been reluctant to restrict access in ways that would create barriers to care delivery.

"The internal [hospital] mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system." - Jill Dennis, Senior VP, American Health Information Management Association

In order to increase security, while balancing the needs for fast and widespread access to information, many hospitals are encrypting their computers and increasing employee education about privacy. Other hospitals may limit the kinds of information that can be accessed by employees. As more information is available to more employees, time will tell how successful these efforts have been.

Some recent medical data breaches:

Via iHealthBeat, Wall Street Journal (4/29), Attrition.org ; image: wax115 @morguefile

Security Challenges in Web 2.0

Web 2.0 is changing the way we do business, and the way we do Internet security, with advances in the web that allow for a more "social" sphere of information sharing, collaboration, and ways of doing business. Here is a definition of Web 2.0 from John Battelle and Tim O’Reilly:

"the web had become a platform, with software above the level of a single device, leveraging the power of the "Long Tail", and with data as a driving force…" (Wikipedia)

Web 2.0 encompasses social networking sites like Facebook, blogs such as this one, Skype, Wikipedia, and so much more. No matter how you define Web 2.0, companies are in a transition period of adopting and developing around this new way of doing things.

All of these new tools and technologies of the interactive web have ushered in a new era of security vulnerabilities. Research group Fortify recently gave a talk at the Web 2.0 Expo in San Francisco about the new wave of internet security threats.

"Security was a challenge to begin with, but, if anything, it’s getting harder in the Web 2.0 world." - Jacob West, Manager, Fortify

Fortify foresees that JavaScript will be a growing issue in security as the adoption of Ajax (based on JavaScript) increases and the existing vulnerabilities become more widespread. At the same time as vulnerabilities are spreading, attack techniques are improving at a rapid rate. Some of the makers of JavaScript & Ajax toolkits are proactively closing up security issues, but others (particularly the big ones like Microsoft) are not.

This is just one example of the security issues associated with Web 2.0. Many issues with integrating Web 2.0 technologies internally or into the company website come from poor planning: a "rush to embrace" what is trendy (InformationWeek). Additionally, social networking sites such as Facebook and MySpace can be laced with malware. Cyber criminals are co-opting social networking sites as the delivery vehicles for cyber attacks.

Companies are going to be faced with many Web 2.0 challenges, from planning the integration of new technologies to creating effective security policies outlining the use of such technologies.

"Companies need to adjust their security policies for Web 2.0 world today, they need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there, the usage policies need to be spelled out specifically and enforced.

Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim. Most companies are barely providing sufficient protection in the context of Web 1.0." - Paul Henry, Secure Computing (via InfoWorld)

Via CNet

Government Provision of IT Security Resources

A new study from the School of Management at Royal Holloway, University of London, in collaboration with Nammis, has found that the government in the UK is failing to provide advice to small and medium sized enterprises (SMEs) about information and communication technology (ICT), including about security.

The study questioned over 500 SMEs across various industries in order to determine the usage and adoption of ICT, including wireless access, websites, intranet and video/audio conferencing. The study was to determine if SMEs were adopting ICT at the rate considered critical for competitiveness in the global market and digital economy.

Most of the small and medium businesses contacted were fully in favor of information and communication technologies, but their limited money and expertise hindered their ability to adopt and use the technologies. The government is one of the few resources that SMEs can turn to for guidance, but unfortunately this part of the equation falls apart.

Across all sectors, it was found that businesses do not turn to the government or local authority for advice. Less than 5%, and as low as 1%, of companies in the various sectors will seek support from the government. It is not clear how much of this is a lack of provision of proper support or how much of it is poor advice.

Although the purpose of this survey was to highlight what SMEs critically need in order to become competitive in the global market, such as online sales, it also points to the growing issue of IT security and its accessibility to SMEs. Regardless of the size of the business, compliance regulations require that businesses protect the personal information of their stakeholders. As SMEs attempt to scale their IT infrastructure with little guidance on how to do so, we will likely see more (not fewer) security issues developing as a result.

While the government does not bear the entire responsibility for IT security in the corporate sector, I believe that it does share in the responsibility of providing educational resources to help companies manage their overall IT, and particularly IT security, needs.

What do you think? Do you think the government should provide IT security resources to SMEs?

Via intergovworld Image: ridge @morguefile

Microsoft and Symantec Security Reports

Microsoft has released its latest Security Intelligence Report this week, and Symantec released its Internet Security Threat Report earlier this month. Both reports examine the changing security landscape, looking at past data and future trends.

Microsoft’s twice-yearly report, based on data from more than 450 million Windows users and from Internet services, looks at the changing threat landscape including software vulnerability disclosures and exploits, malware and other trends in security. The latest report, Volume 4, was expanded to include a focus on privacy and breach notifications and on cyber crime.

The report indicates that the total number of vulnerabilities in 2007 was down by 5%, though overall there were more high severity vulnerabilities in 2007 than in 2006. About a third of all security vulnerabilities had publicly available exploit code, a percentage that held from 2006 to 2007.

Exploits, malware and hacking accounted for less than 23% of all security breach notifications from 2000 - 2007, and accounted for 13% of notifications in the second half of 2007. The cause of most data breaches was, and is, lost and stolen equipment. 57% of the security breaches publicly disclosed in the second half of 2007 were the result of lost or stolen equipment.

As the graph indicates, while hacking has been going down over the past few years, security incidents as a result of stolen equipment have been on the rise.

Malware removed by the Microsoft Malicious Software Removal Tool increased over 40% during the second half of 2007. Malware has increased in absolute numbers and in the rate of increase over the past few years. Trojans, for example, went up 300% in the second half of 2007. Rogue security software continues to increase, and individuals and businesses alike should be aware of these malicious programs.

These findings come on the heels of the most recent Symantec Internet Security Threat Report. The thirteenth version of the report indicates that the US accounted for 31% of all malicious activity, a percentage up from the first half of 2007.

In terms of data breaches, the education sector accounted for 24% of all data breaches that could lead to identity theft in the second half of 2007, the most of all sectors. That said, the government was responsible for breaching 60% of the total identities exposed. As with the Microsoft report, 57% of these breaches were the result of the loss or theft of computer equipment.

Download both reports at these links:

Via security focus

University of Miami Breach

Who Breached: University of Miami
Number Affected: 2.1 million
Information breached: Social Security Numbers, some financial data
How: laptop

The University of Miami has lost a case of computer tapes containing the confidential information of 2.1 million patients. The case was stolen from a van used by a private off-site storage company.

Anyone who was a patient of a University of Miami physician since 1999 has been affected by the breach. The University will be notifying only those customers whose financial data may have been included (credit card or other billing information), which affects 47,000 patients. The data included Social Security Numbers or health information in all instances, so it’s not clear why the breach notification is being restricted.

The University of Miami hired a security expert from Terremark Worldwide to determine if the data on similar tapes could be accessed. The expert believes, after a week of trying, that the proprietary compression and encoding would make the data difficult to access.

More information from the University of Miami about this breach can be found here.

Other sizable data breaches this week:

Via attrition.org, miami herald