Archive for April, 2009

Absolute Software made two big announcements recently about it’s leading laptop security software platform, Computrace.

New Computrace Plug-In for McAfee ePolicy Orchestrator

Not only is LoJack for Laptops (Computrace for consumers) now available in the McAfee online store, but Computrace customers can now view asset tracking and security information within the McAfee ePolicy Orchestrator (ePO)!

This new plug-in allows IT administrators to use the ePO software to deploy Computrace to ePO managed assets, to view reports from one central place (vs two dashboards), and to set up summary reports on computers & mobile assets with Computrace installed.

The Absolute Customer Center will continue to offer additional ways to manage your Computrace-protected assets, including geolocation tracking, recovery of missing assets, and performance of remote data deletes. Learn more about this news here.

Computrace for Netbooks Now Abailable

Computrace for Netbooks was launched last week, extending our award-winning laptop security platform to a whole series of ultra-portable computers that are popular with schools, healthcare organizations and corporations.

“Computer populations now include desktops, laptops, smartphones, tablets and now netbooks – often of different ages from a variety of manufacturers. Our goal is to provide visibility and security regardless of form factor and computer brand.” – John Livingston, Chairman and CEO of Absolute

Computrace for Netbooks is available for both PC and Mac operating systems. Learn more about this news here.

The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending – about $68 billion – is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated in 2007 that $2.26 trillion was spent on health care and the 4 billion health insurance claims processed in the US. They conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged ; Via dotmed ; Image: clipart

Melissa Hathaway, who was appointed earlier this year to conduct a 60-day review of the cyber security efforts of the U.S. Government, presented at the RSA Conference on information security, with the report set to be released in a few days.

Melissa notes that our global digital infrastructure is neither secure nor resilient, driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed; the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cyber security plan. The recommendation outlines a top-down approach to cyber security, with the White House leading the way and overseeing and working with other government agencies, State and local stakeholders, as well as those in academia and the industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Melissa’s speech:

The speech, if somewhat repetitive and littered with political fluff, does hint at many changes to come. Almost nothing was specified yet, and many are critical of it. Let’s hope the report released in a few days will specify a bit more. Attempting to muster resources on the National and International level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

The Ponemon Institute, along with Intel, have released the results of a new study about the Cost of a Lost Laptop. The study concluded that the average cost of a lost laptop was nearly $50k, in both tangible and intangible costs.

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

• The average value of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)
  • The occurrence of a data breach represents 80% of the cost associated with a lost laptop
  • Of the remaining 20% of cost, 59% of that can be attributed to intellectual property loss
• The faster a company realizes of a loss, the lower the average cost associated.
  • If a loss is discovered in the same day, the average cost is $8,950
  • If a loss takes more than 1 week to discover, the average cost rises to $115,849
• Director laptop losses are most costly
  • The average cost of a lost laptop for a senior executive is $28,449, with the highest costs for manager ($60,781) and director ($61,040)
• Encryption saves money, with an average savings of $20,000 for lost laptops with encryption vs those without – but that’s less than half the savings than if you discovered that the laptop went missing the first day it happened
• The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) and lowest in manufacturing ($2,184)
•  The average data breach cost of a lost laptop varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services, healthcare and pharmaceutical. The other industires were far less.

What the highlights demonstrate is the high cost associated with lost laptops, but also the possibilities for minimizing the damage if companies can identify when laptops are missing quickly. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and when its stolen get the Absolute Recovery Team to help find it. You can also do a remote data wipe to ensure your lost data does not fall into the wrong hands. And Computrace with Intel Anti-Theft Technology can lock the computer so it can’t even be booted-up. It can easily help reduce the costs of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

In a rush, a travelling Computrace customer left his laptop behind on an airport shuttle bus. Soon realizing the error, he contacted the shuttle company and requested the bus be searched. The search failed to turn up the computer, however, so the customer reported the laptop stolen to Absolute and the local police.

Absolute traced the laptop to a residence nearby the airport, where a family appeared to be using the machine. The information was passed on to police, who contacted the most frequent user. This user explained that she had been travelling when the laptop was acquired. Hopping on the same aforesaid shuttle bus, she was approached by an unknown male who held the laptop in hand. The man recounted a convincing story of how he was low on cash and stranded in the area. To pay for his airfare home, the man offered to sell her the laptop for just under $600 - which he assured was a fair price and just enough to cover his costs. As a gesture of goodwill, and knowing that her daughter would soon require a laptop for school, the woman alleged that she paid the amount without further question and happily took the laptop home.  

When police informed the woman that her laptop was a stolen item, she was both apologetic and cooperative, releasing the machine to authorities. The police were not able to get a lot of detail regarding the man who had originally sold her the laptop, however, and so the investigation continues.

The laptop has been returned to a relieved Computrace customer.

Verizon has released its 2009 Business Data Breach Investigations Report, following similar reports earlier this year from the ITRC and Ponemon. The report indicates that 285 million records were breached in 2008. This figure is much higher than the 35.7 million records that the ITRC estimated based on notification letters.

Highlights from the study include:

• 91% of all compromised records were attributed to organized criminal groups
• 99.6% of records were compromised from servers and applications
• 74% resulted from external sources
• 20% resulted from insiders
• 69% were discovered by a 3rd party
• 67% were aided by significant errors
• 32% implicated business partners
• 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Although much of the response to this survey has been on the thread of insider threats being lower than expected, I have to argue that the data seems in line with previous data. Although there is an indication that insider threats will go up for 2009, the 20% insider data breach figure quoted here is actually higher than the previously estimated 15.7%. I think fear of future insider threats has simply muddled our perspective of the past year.

The data about insiders, however, has been more revealing. On a per breach basis, insiders were responsible for more records lost, on average, per breach than other causes, such as external sources or partners.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.

Download the breach report here [PDF].

A recovery tale that Absolute hears much too often -

The Absolute Theft Recovery Team recently tracked a customer’s stolen laptop to an Arizona residence, which housed the unauthorized female user that the Team had identified. Police visited the home, looking to recover the laptop and reveal further details of the theft.  

The female user answered the door and confirmed that the laptop was is her possession. When confronted with details of the theft, however, the surprised woman alleged that she had never suspected that the laptop was a stolen item as she had received it from a reliable source.

As it turns out, the woman’s boyfriend had given her the laptop a few weeks after the theft had occurred – as a Valentines Day present. Nothing says love like stolen property!

The laptop has been returned to its owner, and the less-than-romantic boyfriend remains under investigation.

Learn more about the Absolute Theft Recovery process

Please note that indictments and criminal complaints are merely unproven accusations and the accused, in all cases, are presumed innocent until proven guilty.

TechRadar.com put together a list of the “10 easiest ways to boost your online security“, a list that mostly focuses on minimizing your risk of infection online. With the rise, and continued threat, of Conficker, a list like this will help you augment your security defenses.

1. Augment your anti-virus tool
2. Switch to plain text mail
3. Don’t click mail links
4. Vet your email
5. Switch web browser
6. Check web sites before you visit (with Web of Trust)
7. Manage your passwords
8. Screen all downloads
9. Know P2P basics
10. Create a virtual sandbox

Some of this is a little technical, so read on here for full details.

The list is, however, missing one major thing, so I’m going to put that at item zero – UPDATE your software. This includes your operating system as well as the software that runs on it – most of this you can automate, but don’t keep dismissing those reminders to update and restart. At least 11% of PCs are currently unpatched with the latest Microsoft update, making them even more vulnerable to threats such as Conficker.

A new survey from Nationwide indicates that consumers impacted today from identity theft may not have enough money in reserve to get through the recovery process.

The survey, conducted with 400 adults in December of 2008, looked both to identity theft victims and to unaffected consumers in equal proportion. According to the survey, 10% of identity theft victims polled missed payments due to the crime. 80% say that they suffered serious repercussions as a result of identity theft, including lower credit scores, utilities shut off, bankruptcy, vehicle repossession, home foreclosure or jail time.

A previous survey talked about here indicates the average consumer cost per fraud incident was $496, but this does not include the time needed to recover from the fraud, which is likely increasing the odds of not being able to financially cope with the burden.

“If the identity theft involves your credit cards you can often resolve the problems quickly. However, if the fraud involves a debit card, a loan or your health insurance, the impact can be costly and time consuming. With so many Americans losing their savings and investments, people have less money to fall back on during the time it takes to stop the bleeding.” – Kirk Herath, Chief Privacy Officer for Nationwide Insurance

The survey found that most identity theft victims surveyed tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Those separated or divorced, and in high income households, are more likely to be affected.

Previous Nationwide surveys found that victims spend an average of 81 hours recovering from identity theft, with some going much longer. Other surveys have found similar average resolution times

Hat tip to George ; Image: clipart

A Computrace customer reported a laptop theft to Absolute after the laptop was stolen in an overnight burglary. The computer was quick to communicate with the Absolute Monitoring Center, allowing the Absolute team to trace its location to a nearby ranger station. Absolute contacted local law enforcement, who inventoried the station’s entire computer population to check for the stolen machine. The search came up negative.

Although none of the serial numbers on the inventoried computers matched that of the stolen machine, Absolute continued to trace the machine’s location to the same station. Authorities intensified their investigation.

It was soon revealed that the ranger station had purchased a number of refurbished computers from a local vendor. Explaining why Computrace continued to call from the ranger station despite none of the inventoried serial numbers matching up with that of the stolen machine, the stolen laptop’s motherboard had been removed. This motherboard was then placed in a new case with a different serial number, and sold to the unsuspecting rangers. The highly persistent Computrace Agent rebuilt itself in the new case, however, and maintained contact with Absolute - helping authorities to uncover crucial details of the incident.

Police located the vendor from which the stolen machine was purchased, along with the motherboard’s original casing. The investigation continues, and the laptop – both motherboard and case intact - is en route to its rightful owner.