Archive for May, 2009

How Secret are your Secret Questions?

Wednesday, May 27th, 2009

Just how “secret” are your “secret questions”? You know, when you sign up for many websites, they have a password-retrieval system that allows you to use a pre-set question, or a question of your own.

Most of the time, the secret questions we tend to gravitate towards are easy – things like “What’s your mother’s maiden name?” or “What’s your pet’s name?”. We’ll remember those answers fairly easily… but others may figure them out just as easily.

Research presented by Microsoft and Carnegie Mellon University at the IEEE Symposium on Security and Privacy this week indicates that, among 130 people surveyed, someone who “knew and was trusted” by a participant could guess the correct answers to that participant’s secret questions 28% of the time. For acquaintances without such a close tie, there was still a 17% chance that the answer could be guessed.

“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”

This study doesn’t even take into account a hacker who may be willing to take the time to dig up information about you! So, ask yourself, how “secret” are the answers to your questions?

Answers that take only a little personal knowledge to guess should be considered unsafe. That rules out questions such as “What’s your favorite sports team?” or “Where were you born?”

The study also found that even memorable questions pose a risk to legitimate users: 16% of participants had forgotten the answers to even their most memorable questions three to six months later, and one in five forgot all of the answers to their secret questions.

Bruce Schneier, a security expert, says that he’ll often type in a random answer to a security question and will call the company if he needs to retrieve a password.
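A server-side check for the advice above, as an added example that is not from the post or from the study: reject answers that are short, that sit on a list of the most common answers for that question, or that reuse something already in the user’s profile, and store accepted answers the way passwords are stored. The COMMON_ANSWERS lists and the profile data are constructed placeholders; the function names, the six-character minimum and the PBKDF2 settings are this example’s own choices. The random_answer() helper is Schneier’s approach of answering with a random string the user keeps in a password manager.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed stand-in for per-question "most popular answer" lists (the study
# guessed a share of answers just by trying the most common ones). Populate it
# from your own user base or a public name/team/city list in practice.
COMMON_ANSWERS = {
    "pet": {"max", "buddy", "bella", "lucy", "charlie"},
    "team": {"yankees", "cowboys", "lakers", "red sox"},
    "city": {"new york", "chicago", "los angeles", "houston"},
}

MIN_LENGTH = 6            # assumption: shorter answers are trivially brute-forced
PBKDF2_ROUNDS = 200_000   # assumption: tune to your hardware, as for passwords


def normalize(answer):
    """Canonical form used for both policy checks and hashing, so that
    'Red Sox' and 'red  sox' compare (and hash) equal."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def _tokens(text):
    """Alphanumeric words of 3+ characters, for overlap checks."""
    return {t for t in re.findall(r"[a-z0-9]+", normalize(text)) if len(t) >= 3}


def policy_violations(question_kind, answer, profile):
    """Reasons to reject a secret answer (an empty list means it is acceptable).

    question_kind: key into COMMON_ANSWERS ('pet', 'team', 'city', ...)
    answer:        what the user typed
    profile:       fields the site already holds or that are public (name,
                   city, employer, ...). Anyone with 'a little personal
                   knowledge' tries these first, so answers built from them
                   are rejected.
    """
    a = normalize(answer)
    reasons = []
    if len(a) < MIN_LENGTH:
        reasons.append("too short")
    if a in COMMON_ANSWERS.get(question_kind, set()):
        reasons.append("among the most common answers for this question")
    answer_tokens = _tokens(answer)
    for field, value in profile.items():
        if answer_tokens & _tokens(str(value)):
            reasons.append(f"derived from profile field '{field}'")
    return reasons


def random_answer(nbytes=12):
    """Schneier's workaround: an answer that cannot be guessed or looked up.
    The user keeps it in a password manager; 12 bytes is ~96 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer, salt=None):
    """Store answers like passwords: salted, slow hash of the normalized text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer, salt, digest):
    """Constant-time comparison against the stored (salt, digest) pair."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)


if __name__ == "__main__":
    profile = {"name": "Jane Doe", "city": "Boston, MA"}   # constructed
    for kind, ans in [("pet", "Max"), ("city", "Boston"),
                      ("pet", "Sir Reginald Fluffington III")]:
        print(f"{kind}/{ans!r}: {policy_violations(kind, ans, profile) or 'OK'}")
    print("random answer:", random_answer())
```

The policy has to be enforced at enrolment: once a guessable answer is on file it is too late. Normalization must also be identical at enrolment and at verification, or legitimate users get locked out, which is the other failure mode the study measured.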

Via Technology Review; Image: Clipart

GAO Recommends FISMA Changes

Tuesday, May 26th, 2009

The US Government Accountability Office (GAO) has released a draft report summarizing the progress government agencies have made in implementing information security policies and practices under the Federal Information Security Management Act of 2002 (FISMA).

Six years after FISMA was enacted, the GAO reports that poor information security is still a widespread problem in the Federal government. In their 2008 performance and accountability reports, 20 of the 24 major agencies noted that information system controls over their financial systems and information were either a “significant deficiency” or a “material weakness.”

The GAO summary notes that:

Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA.

Twenty-three of the 24 agencies were found to have weaknesses in their agencywide information security programs in 2008. Although agencies reported increased compliance in implementing security controls in 2008, the GAO notes shortcomings in implementing key control activities for the year.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

The GAO recommends changing the current reporting requirements so that inspectors general are required to report on the effectiveness of agencies’ security activities, not merely whether they exist; that would help determine whether agencies are effectively implementing their policies, procedures and practices. The full list of GAO recommendations can be found in this PDF.

Virus that struck FBI identified

Monday, May 25th, 2009

The FBI and the US Marshals Service (USMS) were both forced to shut down parts of their computer networks on May 21st as a mystery virus struck. Reports today indicate the virus is believed to be Neeris, a new malware variant exploiting the same vulnerability as the Conficker worm.

Nikki Credit, a spokeswoman for the Marshals, says that multiple computers may have been infected. The infection took hold because machines on the Marshals’ network were not running a fully patched version of their operating system and were missing needed anti-virus software.

“Neeris and Conficker look for missing patches. If the PCs and servers are patched, the malware doesn’t work,” John Pescatore, research director and vice president at Gartner, told SCMagazineUS.com in an email on Friday. “The patch for this has been out since October 2008.”

When the virus was detected, IT staff at the Marshals disconnected the affected computers from the Justice Department’s network to prevent further spread. Anti-virus software was updated and updates were pushed to all agency computers. No data was compromised at the USMS, though that was more luck than design. The FBI has not provided details about its “network issue.”

The biggest step you can take in protecting your company is to keep your software up to date: a vulnerability with a patch available is a threat only on the machines that have not received it. If you have Computrace by Absolute Software, you can use it to identify which of your devices is missing the latest patch.
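As an added example (not from the post, from Absolute Software or from Gartner), here is a small patch-gap check in Python that parses the output of `wmic qfe get HotFixID` collected from each host and reports which required updates are missing. The hostnames, the KB123456 entry and the sample output are constructed; the required-patch table, function names and report format are this example’s assumptions. KB958644 is the identifier of the October 2008 MS08-067 update that Conficker and this Neeris variant exploit when it is absent; that mapping is a known fact rather than something the post states. On current Windows, PowerShell’s Get-HotFix gives the same information as wmic.

```python
import subprocess

# KB IDs every host must have. KB958644 is the October 2008 MS08-067 fix for the
# Server service flaw that Conficker (and this Neeris variant) exploit when it is
# absent; that mapping is a known fact, not something the post states. Add your
# own organization's mandatory patches to this table.
REQUIRED_KBS = {
    "KB958644": "MS08-067, Server service RPC vulnerability (Conficker/Neeris)",
}

# Constructed sample of `wmic qfe get HotFixID` output from two hosts; the
# hostnames and KB123456 are placeholders, not real systems or a real update.
SAMPLE_INVENTORY = {
    "host-a": "HotFixID  \r\nKB123456  \r\nKB958644  \r\n",
    "host-b": "HotFixID  \r\nKB123456  \r\n",
}


def parse_qfe(output):
    """Turn the text of `wmic qfe get HotFixID` into a set of KB identifiers."""
    installed = set()
    for line in output.splitlines():
        token = line.strip().upper()
        if token.startswith("KB") and token[2:].isdigit():
            installed.add(token)
    return installed


def missing_patches(installed, required=REQUIRED_KBS):
    """KB IDs from `required` that are not in `installed`."""
    return {kb for kb in required if kb not in installed}


def report(inventory, required=REQUIRED_KBS):
    """Map each host that is missing something to the set of missing KB IDs;
    fully patched hosts are left out."""
    gaps = {}
    for host, qfe_output in inventory.items():
        missing = missing_patches(parse_qfe(qfe_output), required)
        if missing:
            gaps[host] = missing
    return gaps


def local_hotfixes():
    """Query the machine this runs on (Windows only; needs wmic on PATH)."""
    proc = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                          capture_output=True, text=True, check=True)
    return parse_qfe(proc.stdout)


if __name__ == "__main__":
    for host, missing in report(SAMPLE_INVENTORY).items():
        for kb in sorted(missing):
            print(f"{host}: missing {kb} ({REQUIRED_KBS[kb]})")
```

Run it on a Windows host with local_hotfixes() in place of the sample data, or feed it QFE output gathered by whatever inventory tool you already have. The host absent from the patched set is the one the worm will find.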

Via CNET, AP, SC Magazine

McAfee H*Commerce Web Series

Friday, May 22nd, 2009

McAfee launched a new web series this week entitled H*Commerce: The Business of Hacking You at StopHCommerce.com.

H*Commerce, or Hacker Commerce, is the “business of making money through the illegal use of technology to compromise personal and business data.” The series will run six episodes, with a new one added every two weeks. Each episode tells, documentary-style, the real story of ordinary people whose everyday online activity made them targets of cybercriminals.

Here is the first webisode, “Unexpected Beginnings”, telling the story of Janella Spears, who lost more than $440,000 as the result of an email scam. The video explores the effects this cybercrime had on Janella and her family as well as Janella’s education in how to clean her system, handle hackers and stop cybercrime scams.

McAfee also recently launched a Cybercrime Response Unit designed to help victims of cybercrime.

Heartland Breach is Costly

Thursday, May 21st, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million people after their network was compromised. News this month indicates that the breach has cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

In a conference call with investors, Heartland’s CEO, Robert Carr, detailed the financial damage from the breach in the first quarter. Of the $12.6 million charge, less than $1 million relates to fines from Visa, while more than half is a fine from MasterCard. The company is contesting the fines, which allege that Heartland failed to take appropriate action upon learning of the network compromise.

Carr has been frank in talking about the data breach, and lays some of the blame on the payment industry itself for not having stringent enough best practices. Though I think it’s great that Heartland is pushing for new best practices, best practices are only a baseline in any industry. Companies should always consider their particular risk factors and take whatever added measures are needed to mitigate them.

Heartland was recently re-certified as PCI DSS compliant by Visa, MasterCard and Discover. However, much damage has been done to their reputation and, fines aside, the costs of this breach have been severe.

Image: Clipart

Computrace Mobile Finalist for Stevie Award

Thursday, May 21st, 2009

Last month we announced that Absolute Software’s Computrace Mobile was nominated for a Stevie Award for “New Product or Service of the Year – Software as a Service.” Computrace Mobile has now been selected as a Finalist for the awards!

After a month of preliminary judging, Absolute Software joins 11 other companies as finalists in this category. The Stevie winners will be determined in the final judging that began this week. If you took the time to vote for Computrace Mobile, thanks!

The names of Stevie winners will be announced at the 2009 awards dinner and presentations in New York’s Marriott Marquis Hotel on Monday, June 22.

California Senate Passes Breach Law

Wednesday, May 20th, 2009

The California State Senate has approved a bill that would require companies to give victims of a data breach more information about it.

The bill, SB-20, would require companies to tell customers what type of personal information was exposed and when the breach occurred. Current law requires only that companies say a breach has occurred.

“No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next. The premise is simple. What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.”

More than 40 states currently have breach notification laws; this is one more step California has taken to protect consumer information. Simitian argues that detailed notifications matter not just for consumers but also for law enforcement, which needs them to understand the patterns behind data theft.

Introduced by Democratic State Senator Joe Simitian, SB-20 now goes to the state Assembly for approval before it can become law. Learn more about SB-20 here. Computrace can help you identify what information was breached. Find out how Computrace can help.

Via SC Magazine, CSO Online ; Image: Clip Art

Meeting the Demands of a New Age

Tuesday, May 19th, 2009

Steven Hopper, an Education Administration master’s student at Iowa State University, put together a two-minute inspirational video about the need to meet the demands of a new age in education.

As Steven notes, embracing technology in the classroom is about educating our kids to meet the needs of an evolving society. We touch on topics of eLearning and technology in education from time to time on the blog, but we don’t often sit back to think about how important it is that these changes happen in education. I hope you enjoy the video!

Via Dangerously Irrelevant

Discussing Information Destruction

Friday, May 15th, 2009

CSO Online’s Ben Rothke has published a two-part series, Why Information Must Be Destroyed (Part 1, Part 2), about why companies shouldn’t hoard information and how to destroy stored information, paper and digital alike.

Ben points out that the sheer volume of paper and digital media that accumulates over time requires effective information destruction policies and practices. Every company has information that needs to be destroyed, though regulations may require that certain data be archived for a few years or permanently.

Ben explains why hoarding records is a liability, lists the kinds of information that can be shredded once no longer needed, and surveys the regulatory environment around data retention and destruction. Simply throwing records into the garbage is not the answer; undestroyed records in a dumpster are an easy target. The article recommends that data destruction happen on a formal (documented) and regular basis.

Part 1 dealt with physical records; Part 2 turns to electronic information, in particular sanitizing hardware you no longer want (computers, backup tapes, etc.) so that no information can be recovered from it. Computrace Data Delete can help you do this as part of your asset life cycle. Where deleting the data is not possible (an extremely old computer, for example), the hardware itself should be destroyed. The article covers acceptable and unacceptable methods of both sanitization and destruction.
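To make the electronic side concrete, here is an added example (not from the article and not Computrace’s own code) of the simplest software sanitization: overwriting a file’s blocks with random data, forcing the writes to disk, truncating and unlinking. The sample records it creates are constructed fake data and the function names are this example’s own. The docstring spells out where in-place overwriting is not enough, which is exactly why the article separates acceptable from unacceptable methods and ends with physical destruction.

```python
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files never sit in RAM


def overwrite_file(path, passes=1):
    """Overwrite every byte of `path` with random data `passes` times, forcing
    each pass to disk. Returns the number of bytes written per pass.

    Caveat: in-place overwriting only helps where the filesystem really writes
    the new data over the old blocks. SSDs and other flash media remap blocks
    (wear levelling), copy-on-write and journaling filesystems can keep old
    copies, and snapshots and backups are untouched. For those cases use the
    drive's secure-erase command, whole-disk encryption with key destruction,
    or physical destruction of the media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # do not return until the OS has written it
    return size


def secure_delete(path, passes=1):
    """Overwrite, truncate (so even the length is gone), then unlink.
    Returns bytes overwritten per pass."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return written


def make_sample_file(directory=None):
    """Create a file of constructed, fake 'sensitive' records to demonstrate on."""
    fd, path = tempfile.mkstemp(prefix="records-", suffix=".txt", dir=directory)
    with os.fdopen(fd, "wb") as f:
        for i in range(1000):
            f.write(f"customer {i:04d}, SSN 000-00-{i:04d}\n".encode("ascii"))
    return path


def demo():
    """Run the life cycle on a constructed file. Returns
    (bytes per pass, overwrite replaced the content in place, file still exists)."""
    path = make_sample_file()
    with open(path, "rb") as f:
        original = f.read()
    written = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    replaced = len(after) == len(original) and after != original
    secure_delete(path)
    return written, replaced, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Single-file overwriting is the floor, not the ceiling: for decommissioned drives use the drive’s own secure-erase command or physical destruction, and for whole systems full-disk encryption from day one turns sanitization into key destruction.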

The whole series is a great read and may help you establish or refine your own data policies.

Image: ppdigital @morguefile

How Much Info About You Is Online?

Thursday, May 14th, 2009

Robert L. Mitchell of Computerworld decided to tackle his own identity online to see just what information about himself he could dig up. After a privacy activist was able to retrieve his Social Security number, full name, address and a digital image of his signature online, Robert was both concerned and intrigued about what else could be out there.

Robert spent a few weeks combing through public and private resources on the web (some paid) to build a dossier on himself, and spoke with everyone from private investigators to privacy experts. In the end he found a vast amount of information about himself online, not all of it accurate. Many states have not taken adequate steps to redact sensitive information from the documents they make public, such as mortgage records.

Robert put his full findings online, broken down by type of source. His first source, government records, yielded his full legal name, address, Social Security number, spouse’s name and Social Security number, price paid for his home, mortgage documents and signature. He continued with free people searches, search engines, image searches, social network searches and paid searches. And that may be only the “tip of the iceberg” of what is easily accessible.

“Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents — and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.”

I was surprised to learn from the article that public records containing Social Security numbers are not well regulated: once a government body makes such records public, the information can be republished by others without repercussions. You can read more about that in the call-out box at the bottom of the article.

Robert’s search was very revealing, and it had him reviewing everything available about him online. He has taken steps to have his Social Security number redacted from government records online and went so far as to call his credit card companies and bank to test their authentication policies. In some cases he was authenticated using the very information he had found online; to his credit, he has suggested those companies review their authentication procedures. We usually think of identity theft as the result of lost or stolen information, but this exercise shows that you may be at risk already.

Have you found your Social Security number or other sensitive information online? Let us know in the comments.

Also check out this 3D artistic representation of security threats. Makes all these horrible threats seem almost beautiful!

image: mconnors @morguefile
