Archive for October, 2008

Data Breach Risk Factors by Sector

Monday, October 20th, 2008

In July, Verizon released a comprehensive study, the “2008 Data Breach Investigations Report”, that looked into 4 years of data breaches, based on forensic investigations and hundreds of data breaches. The report was discussed here on the blog. Verizon has now issued a supplemental analysis from that study.

The supplemental report compares risk factors among the various industries: finance, food, retail and tech. It draws out some important insights from the data, such as that, of all the sectors examined, the financial services industry faces the greatest risk of insider data breaches. In the other sectors, business partners posed the higher risk to data.

“The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach.” – Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions

The supplemental report indicates that financial service firms are the targets of more sophisticated attacks that often take weeks to discover. That said, financial organizations were shown to have a higher level of asset awareness and to detect breaches more quickly than other organization types. Breaches from lost systems, like laptops, tend to occur less frequently.

The data breach investigation report found that the majority of breaches could be avoided by reasonable security measures, so this supplemental report aims to help identify what industry-specific differences could lead to better proactive security measures.

Other key findings include:

  • High-tech organizations: had a difficult time keeping track of information assets, affected by malicious insiders more than others, hacked more than others
  • Retail: more data breaches than other sectors, wireless network attacks growing quickly, too reliant on third-parties to discover breaches, most attacks are opportunistic
  • Food and beverage: many breaches involve third-party remote access to payment card data, poor security configurations are exploited, POS systems are used to spread malware, and breach detection is very poor

Resources:

And a fun piece of educational reading – spammers are more likely to use Obama than McCain in the subject line of spam emails [read here].

Via CSO Online, Information Week

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected [more]
  • University of Indianapolis – Hacker, 11,000 affected [more]
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected [more]
  • CCN – hacker, 98,930 affected [more]

Via datalossdb.org, vnunet, NY Times

Passwords are Not Enough

Thursday, October 16th, 2008

In follow-up to the 10 Common Risks Employees Make That Put Data at Risk, another study recently showed that the majority of organizations require only passwords for employees to access critical data. In addition, the passwords used are found to be quite weak.

Quest Software conducted a study on User Authentication which showed that 52% of the 150 organizations surveyed have only basic user authentication (passwords) to access critical data. Stronger forms of authentication would include hardware tokens, digital certificates or risk-based scoring.

Other findings from the study:

  • 88% of enterprise users have multiple work-related passwords, averaging between five and six
  • 64% of organizations do not require users to change their passwords
  • 45% of organizations allow standard dictionary terms (like “password”)
  • 29% of organizations have no requirements for password length

For those organizations investing in stronger user authentication, the greater risk posed by external users (remote employees, contractors, customers, etc.) was what prompted them to act.

Setting up a strong user authentication plan is crucial, but for those companies that are new to this area, the first and most basic area to enforce is to have your employees choose strong passwords. You can read more about that here.
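The post closes by saying the first and most basic step is to have employees choose strong passwords. The following is an added example, not code from this blog or from Quest Software, showing what that looks like when enforced in code: a small checker that takes a password and a policy and reports every violation. The two policy dictionaries are constructed to mirror the weak practices the study lists (no length requirement, dictionary terms allowed, no forced change) next to a stronger baseline; the blocklist and the substitution map are likewise constructed for illustration, and a real deployment would use a full dictionary or breached-password list in place of `DICTIONARY`.

```python
import re

# Added example (not the blog's or Quest Software's code). The policy values
# below are constructed to mirror the weak practices the post lists (no length
# requirement, dictionary words allowed, no forced rotation) next to a
# stronger baseline; both are assumptions for illustration, not a standard.
WEAK_POLICY = {"min_length": 0, "reject_dictionary": False, "max_age_days": None}
STRONG_POLICY = {"min_length": 12, "reject_dictionary": True, "max_age_days": 90}

# Constructed stand-in for a real dictionary / blocklist of common passwords.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Common character substitutions folded back so "P@ssw0rd" is still caught.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, and undo leet substitutions,
    so the dictionary check sees the word the user actually started from."""
    base = re.sub(r"[0-9!?.]+$", "", password.lower())
    return base.translate(LEET_MAP)


def check_password(password: str, policy: dict, age_days: int = 0,
                   dictionary: set = DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password
    is accepted under that policy. age_days is how long it has been in use."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["reject_dictionary"]:
        base = normalise(password)
        # Substring match so "mycompany" is caught as well as "company".
        if any(word in base for word in dictionary):
            problems.append("based on a dictionary or common-password term")
    max_age = policy["max_age_days"]
    if max_age is not None and age_days > max_age:
        problems.append(f"in use for {age_days} days, rotation required after {max_age}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the weak policy accepts all three, the strong
    # policy rejects the first two and accepts only the long passphrase.
    for candidate in ["password", "P@ssw0rd1", "correct horse battery staple"]:
        for name, policy in [("weak", WEAK_POLICY), ("strong", STRONG_POLICY)]:
            print(f"{candidate!r:32} {name:6} -> {check_password(candidate, policy) or 'OK'}")
```

The point of `normalise` is that a length rule alone is not enough: "P@ssw0rd1" satisfies a naive complexity check yet folds straight back to "password", which is exactly the kind of dictionary term the study found 45% of organizations still allow.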

Image: Clipart

Consumer Protection Legislation News

Wednesday, October 15th, 2008

There are two pieces of news to report in terms of various consumer data protection acts at the state and national levels.

This month, President Bush signed into law a bill that will make it easier for prosecutors to go after cybercriminals, and for identity theft victims to be compensated. The Identity Theft Enforcement and Restitution Act of 2008 [HR 5938], which passed the Senate in July, would remove the $5000 damages floor that was previously required for prosecutors to charge individuals under the federal cybercrime laws.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

  • Give identity theft victims the ability to seek restitution
  • Ensure cyber criminals posing as businesses can be prosecuted
  • Make it a felony to employ spyware or keyloggers that damage 10+ computers
  • Extend cybercrime definitions to include cyberextortion cases
  • Allow prosecution when cybercriminal and victim live in the same state

In other legislative news, the Massachusetts Office of Consumer Affairs and Business Regulation has released a new set of rules requiring companies to encrypt personal data on laptops and monitor employee access to data. These new rules apply to credit card information and Social Security Numbers. Companies and government agencies are required to comply with the new regulations by January 1, 2009.

In August, Governor Patrick signed an identity theft prevention law that requires the reporting of data breaches to the Office of Consumer Affairs and Business Regulation. Since then, 320 breaches have been reported, affecting 625,365 Massachusetts residents. A report outlining the incidents has been released here [PDF].

Via i’ve been mugged, 2, boston globe, washington post ; Image: clip art

Hotel Network Security

Wednesday, October 15th, 2008

Cornell University School of Hotel Administration has released the results of a study on Hotel Network Security. The study concluded that US hotels are “generally ill-prepared” to protect their guests from network security issues.

The study was conducted by Josh Ogle, Erica L. Wagner Ph.D. and Mark P. Talbert of Cornell University’s Center for Hospitality Research. The study of 147 US hotels found that there was a mixed picture with regard to the security of guest connections to the hotel wired and wireless networks.

Many business travelers use their hotel to continue working on the road, an increasingly common practice with the mobile workforce of today. However, as we’ve talked about in many instances on the Absolute blog, this places sensitive corporate information at risk.

According to the study, some hotels still rely on basic hub technology for their networks, which broadcasts every packet from every user to other users (no security). Others may have upgraded to more secure switches or routers, or may have encryption for Wi-Fi connections. Even with all of these upgrades, malicious lurkers can still intercept guest transmissions.

Highlights from the study:

  • 20% of hotel networks use hub topologies
  • 90% of hotels offered wireless access
  • Out of the 39 hotels that had supplemental site visits, only 6 had wireless encryption
  • 21% of hotels reported that malicious activity had taken place on their networks

The report outlines an example of best practice, with the case of the W Dallas Hotel – Victory. They have set up virtual local area networks (VLANs) for all hotel guests, inhibiting attackers from using the most common means of data intercept. The study goes so far as to lay fault on hotels that are not using available technology to protect hotel guests.

A number of recommendations were also made for hotel guests, including having an updated firewall, using the secure socket layer (SSL) protocol for transactions, and using virtual private network (VPN) or SSL-based email.

Download link: Hotel Network Security: A Study of Computer Networks in U.S. Hotels [PDF] Author note: at the time of publishing, the PDF link was not working well.

Via GCN ; Image: Microsoft Clipart

Schwarzenegger Vetoes Legislation Again

Tuesday, October 14th, 2008

Despite the indications that the Consumer Data Protection Act [PDF] would be passed by California’s Governor Arnold Schwarzenegger, it has been vetoed for the second time. Read the veto here [PDF].

The Consumer Data Protection Act would have required retailers and businesses in California to take more strict steps to protect credit and debit card data, and to disclose more details about data breaches to those affected. The State Assembly and Senate both approved the bill for the second time in 12 months, after modifications had brought it back to a vote.

Governor Schwarzenegger says that he has rejected the bill for the same reasons as before, the belief that legislature should not interfere with business, and that the bill attempts:

“to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” he wrote.

Schwarzenegger believes the payment card industry (PCI) is in a better position to set standards in technology and the marketplace, and believes legislation would create a conflict with private sector standards.

According to Visa, only 45% of large retailers are compliant with current PCI standards, so I would think that the private sector needs some assistance with enforcement.

What’s your opinion on legislation like this? Good or bad?

Thanks to Charles for the tip! Via computerworld, IT business, Washington Post Image: gov.ca.gov

10 Common Risks Employees Make that put Data at Risk

Friday, October 10th, 2008

Cisco announced the findings for a new study about data loss and its sources. The survey, conducted by InsightExpress of more than 2000 employees, outlines 10 common risks and mistakes employees make that put data at risk. The study, which was conducted across 10 countries, also found that behavioral risks of employees can vary by country and culture. 100 employees and 100 IT professionals were surveyed in each country.

The study was commissioned in order to understand the risks of an increasingly distributed and mobile business force. With the lines between work life and personal life blurring on a global scale, there are new risks. The collaborative tools that make this type of workforce possible also pose new challenges. Given that security is not just about technology, but about people and their behavior, this is a very interesting examination of the behavioral side of risks to data loss. The results could help businesses better tailor their security policies.

The 10 most noteworthy risks and mistakes by employees were:

  1. Altering security settings on computers – 20% of employees bypass IT policy to access unauthorized websites
  2. Use of unauthorized applications – 70% of IT professionals said unauthorized applications and websites resulted in as many as half of the data loss incidents
  3. Unauthorized network/facility access – 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility
  4. Sharing sensitive corporate information – 24% of employees admit to verbally sharing sensitive information
  5. Sharing corporate devices – 44% of employees share work devices with non-employees
  6. Blurring of work and personal devices, communications – nearly two thirds of employees use work computers daily for personal use – music downloads, banking, blogging, chat rooms, personal email
  7. Unprotected devices – at least one in three employees leave computers logged on and unlocked when away from their desk. Laptops often are left on desks without logging off.
  8. Storing logins and passwords – one in five employees store login / password information on their computer or write them down near their computer
  9. Losing portable storage devices – 22% of employees carry corporate data on portable storage devices
  10. Allowing “tailgating” and unsupervised roaming – 13% of employees allow non-employees to roam around their offices unsupervised, 18% have allowed unknown people into corporate facilities

Some of these figures have been broken down by country in a great analysis here.

Check out more here:

Via network world

U.S. Leads Cyber Attacks

Thursday, October 9th, 2008

A new study from SecureWorks indicates that the United States now leads, geographically speaking, as the host for cyber attacks. This means that the United States is hosting computers that are responsible for the most attacks, regardless of who is doing the attacking.

Host computers responsible for cyber attacks may have been compromised and are being used as bots, or they may originate from cyber criminals within the U.S. Hunter King, security researcher for SecureWorks, warns that not only are “organizations and personal computer users… putting their computers and networks at risk by not securing them, but they are actually providing these cyber criminals with a platform from which to compromise other computers.”

Attempted cyber attacks by originating country:

  • United States – 20.6 million
  • China – 7.7 million
  • Brazil – 166,987
  • South Korea – 162,289
  • Poland – 153,205
  • Japan – 142,346
  • Russia – 130,572
  • Taiwan – 124,997
  • Germany – 110,493
  • Canada – 107,483

The figures for this study were based upon threats intercepted on behalf of its customers during the first 9 months of 2008. The report, as described here, outlines how Chinese hackers are taking control of unprotected networks, versus just using distributed bots.

Via security watch ; image: istockphoto

Most People Ignore Dialog Boxes

Thursday, October 9th, 2008

The Psychology Department of North Carolina State University recently pursued a study about pop-up boxes in order to understand user behavior. The study, which will be published in the Proceedings of the Human Factors and Ergonomics Society, was discussed by John Timmer of Ars Technica.

The researchers created a number of fake dialog boxes with various clues indicating to users that they were not real dialog boxes (what they said, mouse behavior, flashing text). One of the boxes read:

Warning! You are about to install some malware. Malware is bad. By reading this warning through to the end and still clicking yes you’re failing the Windows Darwin Test. Don’t be that guy, if you’re reading this message still then wise up and for the love of your family photos on your hard drive click the ‘No’ button.

A panel of 42 college students were told to watch as a series of websites loaded, with questions about the sites to follow. The fake dialog boxes were loaded in a random order, and user behavior was tracked. The study found that students were so anxious to get the dialog boxes out of the way that they ignored them. Here are the results:

  • 26 out of 42 students clicked “OK” for the “real” dialog, but 25 out of 42 students clicked “OK” for two of the fakes and 23 on the third
  • 9 out of 42 students closed the window (11 closed the dialog box)
  • A few users would minimize the dialog window or drag it out of the way
  • The response time between dialog boxes, real and fake, did not vary, indicating little time was spent evaluating them

When interviewed after, students indicated that they only cared about “getting rid” of the boxes. Many expressed a “degree of contempt” for the dialog boxes, after long-standing experience with them, which made them not care what the boxes said any longer.

In general, this type of user behavior is quite risky. It opens the opportunity for fake dialog boxes to infect a user’s computer by predicting this type of disinterested user behavior.

There is a lot of talk around this issue, some believing that software designers have some responsibility to make software easier to use, so users won’t be desensitized to clicking through dialog boxes, while others believe that users are at fault / are lazy. I believe that users lack education about potential risks, but also about what to do with pop-up dialogues. Even valid dialog boxes can be hard to decipher, so it’s no surprise that the ubiquity of confusing dialog boxes has created an environment of dismissive user behavior.

Via emergent chaos, ars ; Image: ppdigital @morguefile

Data Breach Incidents Up for 2008

Wednesday, October 8th, 2008

The Identity Theft Resource Center (ITRC) has issued a press release indicating that the number of breach incidents in 2008 already surpass those in all of 2007.

The ITRC had recorded, as of August 22nd, 449 data breaches in 2008. The total number of breaches for 2007, for the entire year, was 446. In both cases, the actual number of breaches is likely higher due to under-reporting and lack of detection. These breach figures speak to incidents, not the number of entities involved in each event or the number of people affected by them.

Linda Foley, founder of ITRC, attributes part of the growth of the breach list to the ability to access Attorney General notification lists in three states, which outline data breaches that don’t always make it to the mainstream media. Linda also believes that more companies are proactively auditing their systems and identifying breaches that were previously undetected.

The current breach list at the ITRC, which reflects more than 22 million compromised records, is also only a partial list of the problem. In more than 40% of breach events, the number of records exposed is not disclosed or known. Although figures of records breached are often more newsworthy, breach events themselves are a more usable statistic for research purposes, ITRC notes.

Of the 449 breaches in 2008, 11% of them have been the result of contractor breaches. That’s an obvious huge area of concern for businesses to identify, and for security policies to step up.

PogoWasRight asks some very pointed questions about the need for a full disclosure law, the role of the federal government in breach situations, and who exactly is responsible to ensure affected individuals in any case are notified of a breach. The same author also talks about the correlation between breach notification, types of breaches, and fraud.

Via emergent chaos ; image ppdigital @morguefile
