Archive for June, 2007

Security Quick Links for June 7

Monday, June 11th, 2007

Here are some recent happenings in the security field:


IT Snooping of Confidential Information

Monday, June 11th, 2007

A study by Cyber-Ark Software of 200 IT professionals indicates that IT employees are using their administrative access to look at confidential employee data. Because administrative passwords are typically shared among the whole team rather than tied to a named individual, that access is effectively anonymous, and the anonymity is making them bold.

One in three IT employees admit to snooping in company systems to look at confidential information: private files, wage data, personal emails, and HR background. Additionally, one third admitted that they could still access this confidential information once they had left their job with the company. 15% of the companies interviewed had experienced insider sabotage, which in part can be attributed to the phenomenon of “IT snooping.”

The study also revealed that 50% of IT professionals store their administrative passwords on Post-It notes. Administrative passwords are essentially the “master keys” to stored information. Given that these passwords are not tracked, this poses a major security risk.

As one IT Administrator explained: “Sure, it’s easy for an employee to update the personal password on their laptop, but to change the Administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down.”

Administrative passwords need to be managed, not merely remembered or written down. They should be unique to each system, changed regularly, and kept in a controlled store (a password vault, or at minimum a locked safe) from which each retrieval can be attributed to a person. Keeping them only in one administrator’s head is not a secure practice either: it hinders password administration and leaves the organization stuck when that person leaves.

Using one password for all machines is a significant risk in itself, and one would at least expect such a password to be changed regularly. Yet one-fifth of organizations admit they rarely change their administrative passwords, 7% say they never change them, and 8% admit the manufacturer’s default admin password has never been changed. This goes some way to explaining why past employees can continue to access private systems.

Matt Hines of InfoWorld sums up these issues well:

The study not only backs up the idea that insiders do represent a significant threat to corporate data, but also that some IT people are openly lecherous.

In a broader sense, the study also validates the idea that companies aren’t sufficiently watching the activity of their IT administrators.

Neither current nor past employees should have such universal and untraced access to information. Companies need to restrict access to vital information, manage passwords more effectively, and add further security layers to deter not only snooping, but sabotage, hacking and potential data breaches.
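As an added illustration (not from the Cyber-Ark study or any vendor’s product), here is a small Python model of what “managed” means in practice for administrative passwords: the audit finds passwords that are shared across systems, overdue for rotation, or still at the manufacturer default; the rotation step gives every flagged host its own random password; and every checkout is attributed to a named person. The inventory, the 90-day interval and the vendor-default list are constructed for the example. A real deployment would encrypt the vault at rest and push each rotated password to its machine, which is the step the quoted administrator says takes days by hand.

```python
"""Audit, rotate and attribute local administrator passwords held in a simple vault model."""
import secrets
import string
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)                                # rotation interval; an assumption for the example
VENDOR_DEFAULTS = {"admin", "password", "changeme", ""}     # constructed sample, not a real vendor list
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
EXAMPLE_TODAY = date(2007, 6, 11)                           # the date of the post, used as "now"


def sample_vault():
    """Constructed inventory: the one-password-for-everything shop the quoted administrator describes.
    In practice the vault contents would be encrypted at rest and access-controlled."""
    return {
        "laptop-01": {"password": "Summer2006!", "changed": date(2006, 1, 10)},
        "laptop-02": {"password": "Summer2006!", "changed": date(2006, 1, 10)},
        "laptop-03": {"password": "Summer2006!", "changed": date(2006, 1, 10)},
        "switch-01": {"password": "admin", "changed": None},      # factory default, never changed
        "server-01": {"password": "p7!Qk2#vLw9zR4mT0sXb", "changed": date(2007, 5, 20)},
    }


def audit(vault, today):
    """Return the hosts that break the three rules in the post: unique per system,
    rotated regularly, and not left at the manufacturer default."""
    by_password = {}
    for host, rec in vault.items():
        by_password.setdefault(rec["password"], set()).add(host)
    shared = {h for hosts in by_password.values() if len(hosts) > 1 for h in hosts}
    stale = {h for h, rec in vault.items()
             if rec["changed"] is None or today - rec["changed"] > MAX_AGE}
    default = {h for h, rec in vault.items() if rec["password"].lower() in VENDOR_DEFAULTS}
    return {"shared": shared, "stale": stale, "default": default}


def rotate(vault, host, today, log):
    """Set a fresh random password for one host and record the change in the audit log."""
    new = "".join(secrets.choice(ALPHABET) for _ in range(24))
    vault[host] = {"password": new, "changed": today}
    log.append({"date": today, "host": host, "action": "rotate", "user": "rotation-job"})
    return new


def rotate_flagged(vault, today, log):
    """Rotate every host the audit flags and return the set of hosts that were rotated."""
    findings = audit(vault, today)
    flagged = findings["shared"] | findings["stale"] | findings["default"]
    for host in sorted(flagged):
        rotate(vault, host, today, log)
    return flagged


def checkout(vault, host, user, reason, today, log):
    """Hand out a password only against a named user and a reason, so access is no longer anonymous."""
    log.append({"date": today, "host": host, "action": "checkout", "user": user, "reason": reason})
    return vault[host]["password"]


if __name__ == "__main__":
    vault, log = sample_vault(), []
    print("before:", audit(vault, EXAMPLE_TODAY))
    print("rotated:", sorted(rotate_flagged(vault, EXAMPLE_TODAY, log)))
    print("after:", audit(vault, EXAMPLE_TODAY))
    checkout(vault, "laptop-01", "jsmith", "ticket 4711", EXAMPLE_TODAY, log)
    for entry in log:
        print(entry)
```

The audit deliberately compares the stored passwords rather than trusting a "last changed" field alone: a shop that rotates the same value onto every machine on schedule would pass a date check and still fail the uniqueness rule.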


Employees take unnecessary risks with laptops

Monday, June 11th, 2007

The Trust and Risk in the Workplace Study, conducted by Dr. Monica Whitty of Queen’s University Belfast, reveals that employees are taking unnecessary risks with their laptops.

The study surveyed 1000 mobile and desktop employees across the US, Australia, the Netherlands, Singapore and the UK. The study indicates that employees in all regions take unnecessary security risks, but that mobile users take more risks. In fact, laptop users take risks far more than their desktop counterparts – with two thirds using unsecured wireless hotspots.

“Almost two thirds of our sample would blame their employer if confidential data was stolen from their work computers,” Whitty said. “Given that security breaches and careless mistakes can lead to the loss or theft of confidential information, employers should be cautious when it comes to protecting confidential data.”

Laptops pose an increased risk for data security and security policies often overlook the extra protocols that should be applied to mobile devices. Risky behaviours included using USB keys, Instant Messaging, downloading music, and sending confidential information via email. Whether these activities are conducted internally or via an offsite (and potentially unsecured) wireless access point, the company is put at risk.

Some facts from the study:

  • 58% of respondents send confidential information via email
  • 80% use USB devices
  • 67% use wireless hotspots on their work laptops
  • 53% would blame the company if their identity were stolen
  • 64% would blame the company if a data breach occurred on their computer

The data indicates that employees are not willing to take responsibility for data security, particularly in the case of laptops. Security policies must address these issues with proper employee training and protocols.

Via futuresoft, The Telegraph, CNBC

Department of Education Testifies on School Security

Monday, June 11th, 2007

On May 17, Deputy Chief of Staff for the US Department of Education (DOE), Holly Kuzmich, testified before the House Homeland Security Committee about emergency management and how to keep the nation’s schools safe.

Following the incident at Virginia Tech, President Bush had members of the government meet with educators, mental health experts, and law enforcement officials to discuss how to better manage school security. Kuzmich’s testimony (available here) summarizes the outcome of those meetings.

School safety is ultimately the responsibility of the State, with the DOE working to supplement the efforts of State and local school systems. School safety is a broad mandate: from critical incidents such as those at Virginia Tech, to drugs, alcohol and bullying. All of these issues compromise the educational experience for students, teachers and staff.

“Schools are generally safe, but all of us – Federal, State and local government organizations, community-based organizations, and parents and students – share the responsibility to work to make them safer.”

Under the Safe School Initiative the DOE has produced guides, studies and programs covering threats such as school shootings: how to prevent them, plan for them, and respond to them. The work is organized around four phases of emergency management: Prevention-Mitigation, Preparedness, Response, and Recovery. The government provides grants to cover many of these efforts.

The DOE is recommending many changes to the national approach to School Safety including replacing many of the overlapping programs with a single program. This program would be more flexible in terms of responding to school safety issues and would make the grant process more efficient.

For more resources on School Safety, visit the DOE’s National Dialogue on Safe Schools website.


Education Security E-Newsletter

Friday, June 1st, 2007

For those of you in the Education field interested in laptop security, we’ve put together a Laptop Security for Education E-Newsletter. The newsletter features snippets from this blog on all our education topics, as well as news and information from Absolute Software.

Here is what you’ll see in the first newsletter – Teens learning to protect online identities, 22,000 Social Security Numbers Stolen from U. of Missouri, and information about the Absolute Software guarantee:

Computrace gets stolen laptops back – guaranteed up to $1,000*
Today, 14 of the top 25 school districts in the US are using Computrace® to protect their computing assets.

You can go here to subscribe to the newsletter, and don’t forget to subscribe to the Laptop Security blog for even more security news.


USB Fingerprint Reader

Friday, June 1st, 2007

Physical security is an important part of laptop security. As well as being aware of the risks and using a good laptop lock, the use of a fingerprint reader can strengthen your physical laptop security measures.

The Hyundai USB Fingerprint Reader is an inexpensive ($25) standalone reader. It works with most Windows computers: plug it into a USB port and a matching fingerprint is required to log into Windows. A fingerprint cannot be guessed, shared or left on a Post-It note the way a password can, so it removes the weakest habits around passwords.

The reader can gate the Windows login or access to any file or folder, and can be used to activate a hidden disk, adding another layer of security. One caveat: unlike a password, a fingerprint cannot be changed if it is ever copied, and a reader that only controls the login screen does not protect data on a drive removed from the laptop, so it should complement a strong account password and disk encryption rather than replace them.

Via popgadget

Administrator’s Guide to Cyberbullying

Friday, June 1st, 2007

Scott McLeod, Director of the UCEA Center for the Advanced Study of Technology Leadership in Education (CASTLE), has published a 24 minute Flash presentation titled “Administrator’s Guide to Cyberbullying.” The presentation is meant to help administrators in K-12 education understand the legal issues related to cyberbullying.

The presentation covers:

  • What options are there to deal with cyberbullying?
  • What actions are legal for school administrators?
  • How do you balance security with freedom of speech?
  • Cyberbullying case precedents
  • Employee cyberspeech
  • Cyberbullying policies

Additional cyberbullying resources:

Hat tip to Web 2.0 and School Administrators

Passwords a security threat

Friday, June 1st, 2007

A study by inTechnology.com confirms that people won’t willingly choose secure passwords. The main reason is memory – secure passwords are hard to remember. Often a “secure” password is written down so it can be referenced when needed – which poses another security issue.

The 10 most common passwords are:

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)

Password security is important when it comes to laptop security. If a laptop is lost or stolen, and passwords are not secure, people may too easily be able to access confidential data. The same goes for web-based passwords, which can be a source of security problems if passwords are not secure.

When it comes to passwords and security, it all boils down to training. Employees must be made aware of the importance of using more secure passwords and of logging out of systems/programs when not in use. Ideally, examples would be given to help employees choose secure passwords. Additionally, it should be stressed that passwords should be changed on a regular basis.

How to create a secure password:

  • Make it at least 8 characters long (more than 14 is ideal)
  • Combine lowercase letters, capital letters, numbers, symbols and spaces (when allowed)
  • Create a phrase that is easy for you to remember but hard for others to guess, and convert it as above
  • For example, “My horse has three legs and lives with pigs and chickens” could become “mhhtlalwpac” by taking the first letter of each word. Mixing in numbers, symbols and capitalization turns it into “mHh3l&LwP@C”: still possible to remember, but hard to decipher
  • If a password is written down, keep it secure (such as in a locked drawer)
  • Check your password at the Microsoft password checker
  • Avoid sequenced (“123”) or repeated (“222”) numbers or characters
  • Avoid dictionary-available (“real”) words and their common misspellings (“p@ssw0rd” is still “password” to a cracking tool)
  • Use a different password for each program or system
  • Do not use personal information
  • As an alternative to password-based security, biometrics can be used as an authentication method. It does not require people to remember or change passwords, and does not run the risk of being “found” like a password (though, unlike a password, a fingerprint cannot be replaced if it is ever copied).

Via Michael Overly, CSO Online; Microsoft

12 steps to protect your identity online

Friday, June 1st, 2007

FOXNews has set out a number of steps to help protect your identity online and keep your personal information safe. In abbreviated form, the 12 rules are:

  1. Fill only required fields in registration forms and uncheck boxes related to sharing your personal information
  2. Use fictitious information on registration forms if it’s not important to your business (or use login information shared online)
  3. Look for the “lock symbol” in your browser’s Status Bar and for “https” in the Address Bar as indications of a secure connection
  4. Don’t click on links in emails that seem “phishy” – these are often related to your financial information
  5. Turn on your browser’s (IE 7 or Firefox 2) built-in website fraud detection analysis feature
  6. Search safely, avoiding dangerous websites (read more at PCMag)
  7. Use data protection software
  8. Use one-shot credit cards (contact your credit card company to see if they offer this)
  9. Educate your family, especially your kids, about what information should not be emailed or IM’d (or use parental controls)
  10. Secure your systems with strong passwords, and always log out
  11. Be skeptical of what you get in the mail/email and shred everything with sensitive information
  12. Learn about identity theft and how to protect yourself

This is a comprehensive list of steps to protect your online identity. Some of the steps could use fleshing out; for example, I would stress the importance of not sending personal information over unsecured wireless connections. Nonetheless, it’s a helpful set of tips for individuals as well as businesses.
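As an added example (not part of the original post, and not Microsoft’s password checker), here is a Python script that builds the starting string from a passphrase the way the list above describes and then tests a candidate against the same rules. The common-password set is the top-ten list from this post, with “your first name” handled through the personal_info argument; the dictionary and the substitution table are constructed stand-ins for a real word list and a real cracking tool’s mangling rules.

```python
"""Check a candidate password against the rules in the post, and derive a starting string from a passphrase."""
import re
import string

# The nine fixed entries from the post's top-ten list; the tenth ("your first name") is personal_info below.
COMMON = {"password", "123456", "qwerty", "abc123", "letmein", "monkey", "myspace1", "password1", "blink182"}
# Constructed stand-in for a real word list; a deployment would load a full dictionary file.
DICTIONARY = {"password", "horse", "legs", "pigs", "chickens", "secret", "welcome", "summer", "dragon", "master"}
# Substitutions a cracking tool undoes so that "p@ssw0rd" is matched as "password" (constructed subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"})


def passphrase_initials(phrase):
    """First letter of each word, lower-cased: the post's starting point before mixing in symbols."""
    return "".join(word[0].lower() for word in phrase.split())


def has_sequence(s, run=3):
    """True if `run` neighbouring characters step by exactly +1 or -1 (e.g. "123", "abc", "cba")."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the names of the rules the password fails; an empty list means it passes all of them."""
    failures = []
    low = pw.lower()
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation + " ")
    classes = sum(any(c in group for c in pw) for group in groups)
    if len(pw) < 8:
        failures.append("length")
    if classes < 3:                       # need at least three of lower/upper/digit/symbol
        failures.append("mix")
    if has_sequence(pw):
        failures.append("sequence")
    if re.search(r"(.)\1\1", pw):         # three identical characters in a row, e.g. "222"
        failures.append("repeat")
    if low in COMMON:
        failures.append("common")
    if any(w in low or w in low.translate(LEET) for w in DICTIONARY if len(w) >= 4):
        failures.append("dictionary")     # real word, or a common "misspelling" of one
    if any(t.lower() in low for t in personal_info if len(t) >= 3):
        failures.append("personal")
    return failures


if __name__ == "__main__":
    start = passphrase_initials("My horse has three legs and lives with pigs and chickens")
    for candidate in (start, "mHh3l&LwP@C", "password1", "abc123", "p@ssw0rd"):
        print(f"{candidate:16} {check_password(candidate) or 'ok'}")
    print("Monica2007!      ", check_password("Monica2007!", personal_info=("Monica",)))
```

Run as written, the script shows that the post’s intermediate string “mhhtlalwpac” fails only the character-mix rule, while the final “mHh3l&LwP@C” passes every rule. The dictionary check deliberately runs on both the raw string and its de-mangled form, because a tool that tries “password” will also try “p@ssw0rd”.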


White House sets new data security rules for federal agencies

Friday, June 1st, 2007

The White House has issued a memo [PDF] on information protection and data breach response to the heads of all federal government departments. The memo outlines new rules for responding to data breaches as well as new rules on information-handling procedures.

The 22-page memo was issued by Clay Johnson III, Deputy Director for Management at the Office of Management and Budget, under the subject line “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” It follows from the work of the federal government’s Identity Theft Task Force.

The memo states that federal agencies must develop and implement a breach notification policy within 120 days. The memo outlines the framework for this breach notification policy, which must include specifics on incident reporting & handling and external breach notification. The memo also states that federal agencies must develop a policy about who can be authorized to access personal information and their responsibilities. Information on what constitutes a data breach and what the appropriate response should be are provided in the attachments to the memo.

The data security memo requires federal agencies to:

  • Eliminate the collection and storage of unnecessary information
  • Limit access to personally identifiable information
  • Set rules for those who work with personally identifiable information
  • Use encryption and authentication
  • Physically and electronically protect information
  • Make all employees aware of data security
  • Maintain accurate and up-to-date information
  • Assign sensitivity levels to all data
  • Certify information systems (internal or contracted) that hold sensitive data
  • Control remote access to information
  • Implement procedures for detecting, reporting and responding to security incidents
  • Make publicly available any responses to the memo

These requirements go above and beyond what is required by the Federal Privacy Act. Although failure to meet the requirements will not be considered criminal negligence, it is clear that government agencies will be held accountable for data protection and data breach notification. By setting a timeframe for implementation of these initiatives, the federal government is ensuring stronger compliance with the new rules.

Read the full White House security memo here.

Via Matt Hines of InfoWorld’s ZeroDay Security
