Archive for December, 2008

Mobile Security: Delete Data Before Trading In

Wednesday, December 31st, 2008

One of the tips in the Lifehacker article highlighted in the previous post was so relevant to mobile security that I thought it deserved a whole new post.

The tip was to ensure that you wipe the data off your smartphone – iPhone or BlackBerry – before you trade it in. Whether you’re donating it or selling it, or just giving it to a friend, it’s important that you take all of your data off of it.

iPhone – Erasing Data

If you have the latest stable version of software on your iPhone, the data can be wiped securely. If you are running software earlier than 2.0, there is a way to hack it to dump the data.

The steps to erase the data on iPhones running 2.0 or later versions of the OS are to go to:

Settings > General > Reset > Erase All Contents and Settings

BlackBerry – Erasing Data

On the BlackBerry (thanks to BBGeeks for the tip), enter your password incorrectly 10 times, then enter the code “blackberry” to trigger a wipe, OR go to:

Options > Security Options > General Settings > Click the trackwheel/trackball on the Password field > Select “Wipe Handheld” > Enter “blackberry” when prompted

Also, if you’ve been following along with this blog, you’ll know that Absolute Software is beta testing Computrace Mobile for the BlackBerry right now. This will enable you to do a remote delete of your BlackBerry data in the event that your phone is lost or stolen. Stay tuned for more news on that soon!!


Virtual Criminology Report Indicates Fear Tactics

Wednesday, December 31st, 2008

Earlier in December, McAfee released their 4th annual Virtual Criminology Report, which outlines trends in global cybercrime. The report indicated that cybercriminals quickly shifted tactics to take advantage of emotional “hot ticket” items such as the economic recession. Botnets alone are capable of sending 100 billion spam messages per day, an infrastructure that is making it easier and more lucrative for cyber criminals to stay hidden.

Banking scams emerged soon after banks started to struggle during the start of the recession. Cybercriminals are taking advantage of the fear and uncertainty of this by asking users to “update account information” before their bank merged, for example. Targeted scams emerge as early as a day after news breaks, as they did also during the presidential race this year. In addition to a shift in tactics, the report indicates that criminals are becoming more aggressive:

“With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.”

Analysts say these trends point out that cybercriminals are getting faster and smarter than ever before. Also tapping into fear that’s the result of the economic downturn, there has been an increase in scammers luring customers into “internet sales” jobs that end up assisting cyber criminals in things such as money laundering. Some examples of various recent scams of these sorts can be found on the Avert Labs blog.

As with all security problems, with both consumers and the corporate environment, the solution to these issues comes by combining education with technology:

“Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.”

In addition to these measures, the report strongly encourages governments to step up in fighting cybercrime. Law enforcement at every level has been ad-hoc and incapable of coping with cybercrime, with issues in cross-border law enforcement making the issues worse.

Download the McAfee Virtual Criminology Report here. And, along similar lines, the Anti-Phishing Working Group has published their quarterly report, indicating that the use of malware on websites to steal passwords and other sensitive information is at an all-time high.

The FBI is also reminding people to be aware of holiday-themed scams criminals are using to steal personal information and/or money. Be aware of greeting e-card scams, spoofing and phishing scams. They remind you not to respond to unsolicited email, not to click on links or attached files, to keep private information to yourself, and to verify with the business the email is supposedly from, just in case.

Survey Shows Lack of Planning for Insider Threats

Tuesday, December 30th, 2008

Last month we mentioned that Lanxoma was conducting a survey about insider threats and how companies are tackling that issue. The results of the survey came out, and were quite interesting!

The press release does not indicate how many people took the survey, so the results must be read with that in mind. Nonetheless, like many similar surveys, Lanxoma’s survey revealed that 43% of respondents had experienced fraud, theft or losses that are a direct result of employees with access to sensitive information.

Given the economic situation, many companies involved in the survey have had to make layoffs, cut raises or defer promotions. 72% of the respondents feel this has increased their risk for insider attacks.

The survey also revealed that 28% of respondents believe that employees with a technical background are more likely to commit insider attacks. However, industry experts have shown that it is not technical know-how that increases risk of attack, but rather the dissatisfied employee who simply has access to information. Employees with existing access to sensitive information do not need to know much in order to take it.

Of those surveyed, only 20% of respondents say they have processes and security measures in place to combat insider threats. Most respondents believed they could do more. One area needing improvement would be in user privileges, which determine which type of user has access to what kind of data. This helps restrict sensitive information to only those employees that need it. Most companies interviewed had no such safeguards, nor were they consistently monitoring what data was accessed and by whom.

Beta Testing Computrace Mobile for BlackBerry

Monday, December 29th, 2008

As we announced about a month ago here on the blog and on Absolute.com, Absolute Software has been running a closed beta of its existing Computrace Mobile for the BlackBerry platform!

John Halamka, CIO for Caregroup, is one of our beta testers and he recently shared his experiences with the product on his blog, saying:

“Although the Absolute products are primarily encryption, tracking, and data protection systems, they are also a very cool geotracking system for Blackberry owners (with their consent).”

In addition to recognized benefits of tracking his BlackBerry, and wiping the data if it does go missing, John realized he could share the login for the Computrace Customer Care center with his family, so they’d always know where he was.

I had a chance to correspond briefly with John by email about his experience with the new service. John says that he’s never had a mobile device lost or stolen before, although he had a close call when he left a Palm with personal information on an airplane. His current BlackBerry has contact information, no insecure corporate data, but the new Massachusetts Data Protection regulations have prompted an evaluation of products to encrypt / protect corporate mobile devices.

John Halamka was not a previous customer of Absolute Software, so this is his first experience using Computrace. He describes the installation process of the tracking agents to his MacBook and BlackBerry as “seamless”. You can read his full experience here.

Computrace Mobile is expected to be generally available for the BlackBerry for corporate customers in 2009. If you’re a journalist interested in doing a review, contact Absolute for a private demo.

Computrace Mobile currently is supported on all Windows Mobile 5 and 6 handheld devices including the HP iPAQ, HTC Touch, MOTO Q, Samsung BlackJack and Treo 750.

Policy Creation: Ask the Right Questions

Tuesday, December 23rd, 2008

RSA’s Meena Raju asks if “you are scared of the word policy,” in a blog post about Asking the Right Questions When Implementing a Data Loss Prevention Policy. I think that’s a fantastic way to bridge into this topic. Scared is exactly the word. Individuals and companies are scared of putting together a policy on something that seems as complicated as security. Particularly since whatever is ‘set down on paper’ becomes an actionable set of guidelines. What if it misses areas? What if it’s confusing? What if it is an accurate policy, but one that’s ‘wrong’ for your company?

The RSA team put together a series of best practices when considering a data loss prevention (DLP) policy.

What is the data that you want to protect? And how should you protect it? Sounds simple, right? As our customers find, there are many more questions that need to be asked upfront.

Some of the questions that RSA suggests asking are:

  1. Who is the policy going to apply to and how does it impact them? 
  2. What type of information are you trying to protect?
  3. Why are you protecting it?
  4. Where should you protect it? Is data in motion or in a datacenter? Is it being used at endpoints? Strategize which information state needs protecting first.
  5. When should you trigger a violation?
  6. How should you protect the information? Audits, encryption, blocking, etc. Choices should be made depending on the type of information. 

As Meena notes, “policy” isn’t a bad word or a word to be scared of. “Be smart and be strategic and you’ll love your policies.”

Stay tuned to our Security Policy category for tips on how to create effective security policies, as well as relevant studies or facts on the topic.

German Government Loses Top Secret Files

Monday, December 22nd, 2008

According to The Local, the German government has admitted to losing 332 top secret files over the past 10 years. Problem is, the files were so top secret that nobody knows what was in them.

The German Interior Ministry was forced to admit to the loss of files during a parliamentary session when they were questioned by the Free Democrats (FDP). The government admits that the 332 files are still missing, and that the files were of “considerable significance.”

The questioning also revealed that nearly 3,200 top secret files were destroyed rather than archived during the last legislature period. These files covered topics such as organized crime, surveillance, and ‘research’ of other states. This, as well as the breach / loss of the 332 files, points to issues with having a firm data retention policy. Although the two issues may not be related, given that the top secret files may have been destroyed in order to avoid any 30-year information release rule that may be created, it’s clear that governments all around the world are struggling to stay on top of information security.

In other Government data loss news, a FOX reporter was able to buy a McCain campaign Blackberry loaded up with confidential information – Computrace Mobile would have erased all of it. And Fergie, Duchess of York, is the victim of laptop theft and worries about private photos leaking – see what Absolute’s Bill Pound had to say about it.

The ‘Dirty Dozen’ Popular Applications With Vulnerabilities

Friday, December 19th, 2008

Bit9 released its annual ranking of popular consumer applications with known security vulnerabilities. The list reveals ‘The Dirty Dozen’ – the most-used applications on Windows that are the most vulnerable to security flaws that could compromise systems and/or private data.

All of the programs considered a security risk in this listing are Windows-based, well-known, and not classified as malicious by IT organizations. However, these programs will have at least one critical vulnerability identified in 2008 or registered with a high security rating. These programs will also rely on end-users to upgrade software, not having the ability to run on centralized enterprise update tools.

In addition to requiring end-users to take responsibility for security updates, the list includes programs that often run outside the control or knowledge of IT, resulting in compliance issues and breaches that could lead to heavy fines and losses. However, the list is a little biased, since it is not clear whether the listed applications are more or less secure than the applications that can be centrally updated. For example, Internet Explorer can be centrally updated, but it is not necessarily more secure than Firefox, which tops the list of the ‘Dirty Dozen’.

The ‘Dirty Dozen’, as ordered by number of vulnerabilities, are as follows:

  1. Mozilla Firefox – 3.x, 2.x
  2. Adobe Flash & Acrobat – Flash: 10.0 - 10.0.12.36 and 9.0 - 9.0.151.0; Acrobat: 8.1.2, 8.1.1
  3. EMC VMware Player, Workstation and other products – ESXi: 3.5 or earlier; Workstation: 5.5.x; Player: 2.0.x & 1.0.x; ACE: 2.0.x & 1.0.x
  4. Sun Java Runtime Environment (JRE) – Version 6 Update 6
  5. Apple Quicktime, Safari & iTunes – Quicktime: 7.5.5; Safari: 6.0.5.20B; iTunes: 3.2, 3.1.2
  6. Symantec Norton products – 2.7.0.1
  7. Trend Micro OfficeScan – 8.0 SP1 before build 2439; 8.0 SP1 Patch 1 before build 3087
  8. Citrix Deterministic Network Enhancer (DNE), Access Gateway, Presentation Server – DNE: 2.21.7.233 - 3.21.7.17464; Access Gateway: 4.5.7; Presentation Server: 4.5
  9. Aurigma Image Uploader, Lycos FileUploader – 4.6.17.0, 4.5.70.0, 4.5.126.0
  10. Skype – 3.6.0.248
  11. Yahoo! Assistant – 3.6
  12. Microsoft Windows Live Messenger – 4.7 & 5.1

There has been considerable evidence that requiring end users to make security decisions has led to security incidents, due to lack of knowledge and/or understanding, so in the enterprise setting a centralized approach to IT asset management has often been the norm. The problem with this approach is incorporating the applications that users want and need and figuring out how to manage those appropriately.

Download the report here.

Via Internet News

Welcome to the Absolute World

Wednesday, December 17th, 2008

Absolute Software created a new video about its corporate products and services. The video gives you an overview of mobile computing and security, and how Absolute Software fits into your IT planning. It gives you insight into the recovery team and how Computrace gives you control over your IT assets.

In the time it took to watch that video, 3 laptops were stolen. Do you know where all your laptops are?

Sophos Security Threat Report 2009

Monday, December 15th, 2008

Sophos has published its Security Threat Report 2009 [PDF], which examines the threat landscape from the last 12 months and tries to predict emerging cybercrime trends for 2009.

As the third quarter Sophos report indicated earlier, the U.S. led the way in malware. More malware was hosted on U.S. websites (37%), and more spam is relayed from U.S. computers (17.5%), than any other country. When one U.S. company accused of collaborating with spammers and hackers disconnected from the Internet in November, 2008, spam went down by 75%.

“Not only is the USA relaying the most spam because too many of its computers have been compromised and are under the control of hackers, but it’s also carrying the most malicious webpages.” – Graham Cluley, senior technology consultant for Sophos

Graham goes on to say that U.S.-based computers are making a “disturbingly large contribution to the problems of viruses and spam” today. The report also indicated that most malicious code is now found on innocent websites, mainly because corporations have secured their email gateways to prevent attacks and spam (though one in every 714 email messages contains a malicious email attachment).

Highlights from the study:

  • Biggest malware threats – SQL injection attacks against websites and the rise of scareware
  • New web infections – 1 new infected webpage discovered every 4.5 seconds
  • Malicious email attachments – 5x more at the end of 2008 than at the beginning
  • Spam-related webpages – 1 new webpage discovered every 15 seconds
  • New scareware websites – 5 identified every day
  • Amount of business email that is spam – 97%

The report indicates that 2009 will see growing attacks on Mac computers and cross-platform software, as well as mobile devices such as the iPhone and Google Android. The report suspects that data leaking will be a larger concern in 2009, especially given the use of mobile technologies, from laptops to thumb drives to phones. As Sophos notes, the problems are not insurmountable:

“Sound security practices, up-to-date protection and an active commitment to keep informed can all help defend business networks in the year ahead.”

In other news, the Pentagon has banned the use of thumb drives because of a virus threat detected on defense networks. I was kind of hoping it was to prevent data breaches, but perhaps this will force the government to update their security policy to be more comprehensive of new data devices – be they thumb drives or iPhones.

Underground Economy Growing

Friday, December 12th, 2008

Symantec released their Report on the Underground Economy in late November. The report indicates that while the financial markets may be struggling on nearly a global scale, the underground markets are thriving and becoming more self-dependent.

The study, which looks at the July 2007 – June 2008 timeframe, seeks to examine the black market used to advertise and traffic stolen information such as Social Security numbers, credit card information, bank account details and more. Even email addresses are valuable, since they can be used to create phishing campaigns for more valuable information. The underground economy is a global market, with an estimated value of total advertised wares (this stolen information being used to obtain goods, services or loans) being over $276 million.

Credit card information was being sold for anywhere between $0.10 and $25 per card, often sold in bulk packages. In addition to the buying and selling of stolen information, the economy also has people who buy and sell new exploits and scams. Often sellers will post samples of the information they have for sale, with Symantec monitoring 44,752 unique samples of sensitive information.

There is evidence that profits made from the sale of this stolen information are now being re-invested into the growing strength of these cyber criminals – purchasing new exploits, hiring developers to create more exploits, expanding infrastructure, etc. Given its lucrative nature, the underground economy is growing and becoming more sophisticated. There is evidence that attackers are sharing information to help each other’s work: another example of the organized nature of the underground economy.

Download the report here [PDF].

Via Security Watch
