Archive for May, 2009

The Laws of Vulnerabilities

Wednesday, May 13th, 2009


Qualys recently published a new report on the Laws of Vulnerabilities 2.0. The report reveals the vulnerability half-life, prevalence, persistence and exploitation for 5 industry segments. The report found that different industries are patching their systems at different speeds.

The report is based on an analysis of 680 million vulnerabilities, from 80 million scans, which resulted in 11% of those vulnerabilities being listed as “critical.” The service industry patches its systems the fastest, with a half-life of 21 days (meaning 50% of all systems were patched in the first 21 days after a fix is released); manufacturing ranked lowest at 51 days.

The 2008 data was compared against the same study done in 2003, revealing an average half-life for patching of 29.5 days, only half a day faster than in 2003. While companies are not speeding up their patching practices, attackers are speeding up their exploits. 80% of vulnerability exploits are now available within single-digit days after the vulnerability’s public release.

Check out the full Laws findings here

Also check out this interview with FBI Special Agent J. Keith Mularski, who spent 2 years posing as a cybercriminal as part of an undercover operation. Very interesting read.

Via SecurityFocus

Absolute Recovers Laptop With Mom’s Help

Wednesday, May 13th, 2009

A state university recently received notice from a student that her school-leased laptop had been stolen.  The student alleged that the laptop had gone missing somewhere in her travel between states, and despite her best efforts, could not be retraced.  A Computrace customer, the university was confident that Absolute could locate and recover the stolen machine.

As Absolute tracked the computer and investigated its whereabouts, however, it soon became clear that ‘stolen’ was not an applicable term. Instead, the same student who initially reported the theft was still actively using the machine. Officers attempted to contact the student to set the story straight; yet, despite numerous attempts, were unable to get in touch with the uncooperative suspect. Several weeks and unreturned phone calls later, police turned to the student’s mother for help.

Through the powers that only a mother can harness, the unimpressed mom was able to contact her daughter and ensure that the laptop was handed over to police mere hours later. The university got its missing laptop back, and the daughter had a bit of explaining to do. Thanks, Mom….

Please note that indictments and criminal complaints are merely unproven accusations and the accused in all cases are presumed innocent until proven guilty.

Data Stolen & Held for Ransom

Tuesday, May 12th, 2009

Who Breached: Virginia Prescription Monitoring Program

Number Affected: 8 million +

Information breached: Prescription records

How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Director of Virginia’s Department of Health Professions, Sandra Whitley Ryals, declined to discuss the reported hack, saying [PDF] only that an investigation is underway by federal and state authorities. She said that they are working with experts to restore systems and ensure they’re safe. The Virginia Department of Health Professions says that all data has been backed up and those files remain secure. There is no word yet if affected patients will be contacted about this breach.

Via Consumerist, Washington Post, Computerworld

McAfee 2009Q1 Threat Report

Monday, May 11th, 2009

McAfee has released the Q1 threat report for 2009 indicating that cybercriminals have taken over almost 12 million new IP addresses since January, a 50% increase over 2008. The report also indicates a shift in botnet activity, with the US now hosting the largest percentage of botnet-infected computers (80% of all zombie machines – those machines controlled by spammers and others).

Key Findings from the Threat Report:

  • Spam levels are still 30% below their peak levels (due to the November 2008 McColo shutdown), though spam volumes have recovered about 70% so far and are rising (the increase in zombie computers will trend this upward)
  • The US accounts for 35% of global spam output
  • Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.
  • Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.
  • Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun-based malware is detected in far greater numbers than Conficker so far.

McAfee predicts that social networks will continue to offer attackers a popular means for social-engineering attacks, as we saw in Q1 with the Koobface variants being distributed on Facebook. Among other trends, customizing attacks and using fear tactics are also on the rise.

Download the report here.

Airport Laptop Security Tips

Wednesday, May 6th, 2009

Absolute Software recently attended the Infosec conference, and Bill Pound, VP international corporate development at Absolute, has an article out this week in ComputerWeekly about beating the airport data theft threat. Whether you’re a regular business traveler or gearing up for that big summer trip, Bill offers some great tips to keep in mind.

Airports are a prime location for the loss or theft of laptops; London’s Heathrow airport has up to 900 devices going missing per week, for example. Though some of these laptops may be password-protected or encrypted, data security concerns still exist. And with good reason – the data could be worth far more than the lost device.

Bill offers several pieces of advice, from laptop tracking software such as Computrace to beefing up security policies so that employees understand how to protect their devices against loss or theft. Basic airport security precautions include: not checking your laptop as luggage, using an inconspicuous bag, always watching your bag, adding identification to your bag, and being extra wary when going through security checkpoints. You can read more here.

Some other great reading for you:


Businesses Fear Social Networking

Wednesday, May 6th, 2009

According to a new report from Sophos, two thirds of businesses fear social networking and its impact on corporate security.

Sophos conducted a poll in February 2009 with 709 respondents. Of those, 63% of system administrators worry that employees share too much information on their social networking profiles. They believe this puts the corporation, and its data, at risk (since cybercriminals have access to more information for identity theft, malware or spam). A quarter of the businesses had been the recipients of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Over 40% of companies don’t control access to any of these major social networking platforms – for those that do, productivity still represents the largest share of concern, but security concerns are on the rise.

“We’re seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends’ compromised accounts. Although social networking sites are going some way to mitigate threats to users – activating pop-up windows to confirm if a user really wants to visit that external link for example – unfortunately it’s just not enough. Organisations need to incorporate defences into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts which could provide an entry point to the IT infrastructure.” – Graham Cluley, senior technology consultant at Sophos

Sophos summarizes their study with the top 5 tips to combat social networking perils in the business environment, which include:

  • Educate your workforce about online risks
  • Consider filtering access to certain social networking sites at specific times
  • Check the information that your organisation and staff share online
  • Review your Web 2.0 security settings regularly
  • Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content

Read more here.

Also, beware of an increase in Swine Flu pill spam!

Absolute, Good Samaritan Return Stolen Laptop to Owner

Tuesday, May 5th, 2009

In a somewhat unusual recovery, the Absolute Theft Recovery Team recently received a call from a man who had purchased a laptop from an unknown seller and had suspected that the computer was equipped with Computrace LoJack for Laptops. Suspecting that he had acquired a stolen good, the man contacted Absolute to help him track down the computer’s rightful owner.

Absolute quickly identified and contacted the laptop’s original owner, and confirmed that the computer had in fact been missing for a few weeks. Believing that the laptop was at a friend’s home, however, the owner did not report the computer stolen. 

In one of Absolute’s simpler recoveries, the laptop’s current user was put in touch with the original owner. The user arranged a meeting, and within days, had safely returned the laptop to the owner’s hands, with no further incident.

Thanks to a savvy Good Samaritan and a little help from Absolute, another stolen laptop has been successfully recovered.

1 Million Affected After Laptop Stolen from Car

Monday, May 4th, 2009

Who Breached: Oklahoma Department of Human Services
Number Affected: 1 Million+
Information breached: Social Security Numbers
How: laptop stolen from car

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye from its magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a very minor security control. There’s no guarantee the password was strong and, even with strong password protection, systems with no additional security precautions are at high risk of being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

Sign Up for Our Webinar

Friday, May 1st, 2009

Absolute Software will be hosting a webinar on May 20th at 11am PT / 2pm ET about navigating K-12 Computing in a time of shrinking budgets, high computer theft and drifting assets.

The webinar will include input from Eric Willard, Chief Technology Officer, Community Unit School District 300, and Carol Johnston, Senior Product Manager, Absolute Software.

Learn how one of Illinois’ largest districts proves accountability by:

  • Tracking laptops at all times using minimal resources
  • Minimizing the risk of loss and theft
  • Monitoring hardware/software usage for effective budgeting
  • Avoiding financial penalties by ensuring software license compliance

Learn more about the webinar here.

LoJack for Laptops In the News

Friday, May 1st, 2009

A couple was left without laptops after their hotel room was burglarized. The husband’s computer was not equipped with LoJack for Laptops, but the wife’s computer was – making for an interesting set of recovery stories. A local Bay Area news station reports on each laptop’s fate – and another LoJack for Laptops success.

Or view full news clip here
