Archive for July, 2009

According to The Times, more than 4 million British identities and more than 40 million individuals’ identities worldwide are being offered for sale on the internet. The information available for sale includes sensitive financial information (credit card / bank details, some PINs).

This information was reportedly made available online as the result of several initiatives. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was the result of phishing, a process that dupes individuals to give over their details (such as log in details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or more high risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

According to the Cisco 2009 Midyear Security Report, internet criminals are becoming more sophisticated, using increasingly targeted attacks. However, Cisco predicts that increased collaboration between organizations, like what we saw with Conficker, and new security policies may make it more difficult for attacks to infiltrate and spread.

The Midyear Security Report provides an overview of Cisco security intelligence, including information about new threats and trends, for the first half of 2009. Highlights from the Report:

• Criminals are exploiting traditional vulnerabilities because they believe security experts and users are paying little attention to these types of threats.
• Compromising legitimate websites to propagate malware remains a highly effective technique
• Web 2.0 applications have become lures for criminals
• Criminals are now targeting online banking customers using well-designed, localized text message scams
• The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are following suit.
• Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly.

Given the interest in insider threats, the report also details a possible increase in this threat given the current economic instability. This section of the report simply reiterates other studies and articles on the topic, simply providing context for what could be a growing security trend.

Download the report here.

Via eweek

Driving home for Spring Break, a North Dakota student left his laptop in the backseat while he stopped for a quick coffee. When he returned to his vehicle, the back door was ajar, and his laptop – along with several other belongings –was missing. The student contacted police, who collected eye-witness accounts from the scene. The student then reported the theft to Absolute, who began to trace the laptop’s whereabouts.

Four days later, the Absolute Theft Recovery Team had pinpointed the location of the laptop– which had since made its way south to Georgia. The team was also able to identify the laptop’s user – a man that eye-witnesses had earlier identified as a prime suspect in the case. This information was passed over to Georgia police.

Now armed with enough evidence to obtain a search warrant, Georgia authorities visited the user’s residence. The laptop was recovered from the home, along with a number of the victim’s missing possessions. The suspect was charged, and a relieved student reunited with his laptop and belongings.

Missouri has become the 45th state to enact data breach notification legislation! On July 9th, Missouri Governor Jay Nixon signed House Bill 62 into law; the law will go into effect on August 28, 2009. Though House Bill 62 deals with a number of different provisions in one law, it contains a section of security breaches.

The new data breach notification law would require that individuals be notified when their personal information were breached. The new law has broadly defined personal information to include not just financial information or Social Security numbers, in combination with names, but also any unique electronic identifier or medical information.

The new law requires that the Missouri Attorney General and national consumer reporting agencies be notified if the breach affects more than 1,000 individuals. Civil penalties for violating the statue may reach up to $150,000 per breach.

Via digestible law

There have been a number of very useful articles out in the last week or so. Too many to share one at a time. So, I thought I’d put together another link post to point you towards some very useful articles:

• Eric Geier writes for InformIT some “Tips to Secure your Home Wi-Fi Network“
• Bruce Schneier also has a new article out about securing your data while traveling that’s worth some consideration: “Protect Your Laptop Data From Everyone, Even Yourself“.
• Another thoughtful article on SafeKids.com by Larry Magid: “How to stop cyberbullying.“
• Forbes.com’s Amanda Berlin puts together an article on “How to Protect Your Online Reputation.“
• NetworkWorld continues their IT Best Practices series with this article by Linda Musthaler and Brian Musthaler: “The notification chain when a breach is suspected“

If you find any articles you think would interest the readers here, let me know!

Image: Clipart

Absolute Software celebrated its new U.S. headquarters in Austin, Texas with an open house on July 16th! Absolute Software CEO, John Livingston, flew down to Austin to cut the symbolic red ribbon at the open house. Also with him in the photo below are Carter McCrary, COO of Absolute, and Rob Chase, CFO of Absolute:

Here’s another shot of the lobby of the new Austin, Texas U.S. Headquarters!

A home burglary left a Computrace LoJack for Laptops customer without her laptop. Less than one week later, the stolen laptop connected to the internet, allowing the Absolute Theft Recovery Team to begin work on recovery.

Absolute Recovery Officers were able to glean a recurrent username from the machine, and traced the laptop’s location to a nearby suburb. This information was passed on to police, who used it to obtain a search warrant for the identified residence.

In a fruitful search, police recovered more than just the stolen computer – over $2,000 in narcotics, $5,000 in firearms, and $3,000 in criminal proceeds were also seized. And if over $10,000 in recovered collateral was not enough, an established cock fighting game operation was uncovered in the home’s basement. Further investigation revealed that the suspect had a history of charges relating to underground game fights. 

The officer was happy to add to this criminal record; the suspect now faces charges of Receiving Stolen Property and Possession of Narcotics. Further charges in relation to the other findings are pending.

This is the second Computrace-equipped laptop that the involved officer has recovered (although notably, his first recovery was less exciting!). He remarked to an Absolute Recovery Officer that Computrace LoJack for Laptops is “a very handy piece of equipment”.

Learn more about the Absolute Theft Recovery process

Please note that indictments and criminal complaints are merely unproven accusations and the accused in all cases are presumed innocent until proven guilty.

According to the 2009 Annual Study on Enterprise Encryption Trends, completed by Ponemon Institute and sponsored by PGP, indicates that while encryption strategies have become more consistent, data breaches continue to be an issue. In addition, the data indicates that mobile security is becoming more of an issue, with 51% of respondents indicating a complete lack of encryption on mobile devices (smartphones, PDAs).

This is the 4th annual study on enterprise encryption, basing the data this year on 997 IT and security practitioners in the US (a UK study is also available). The study looks at trends in encryption use, planning strategies, budgeting, and deployment methodologies in enterprise IT.

Highlights from the study:

• 78% of organizations have an encryption strategy in place (74% in 2008)
• 85% experienced at least one data breach in the last 12 months (84% in 2008)
• 22% experienced >5 data breaches in the last 12 months (13% in 2008)
• 58% say data protection is a very important part of overall risk management
• 59% say encryption of data on mobile devices is very important or important
• 26% indicate they encrypt their smartphone or PDA ‘most of the time’
• 51% have no encryption in place for the smartphone or PDA

I was surprised that the repeat data breach figures had gone up so dramatically, showing perhaps that data breaches are becoming chronic issues in some companies. This could indicate a lack of proactive security planning and risk assessment.

The study does indicate that companies are seeking out encryption solutions to preserve brand and reputation, in addition to mitigating breaches and meeting compliance regulations. This shows, perhaps, that companies are ready to take a more pro-active approach to security planning. Remember, too, that encryption is only a part of the solution to pro-active security planning. Absolute Software can help with other pieces of that puzzle, providing IT Asset Management & Theft Recovery for laptops and mobile devices.

Download the report, for the UK or the US, here.

Via SC Magazine

A few minutes was all it took: a New Jersey student set his belongings down outside of a study hall while he left to answer a call, returning to find that his laptop was missing.  Luckily, the student had installed Computrace LoJack for Laptops upon purchasing his computer and could do something about the theft. 

The student reported the theft to police and Absolute that day – spurring the Absolute Theft Recovery Team to deploy the forensic tools necessary to trace the computer. It quickly became clear that the laptop was still on campus, and being used by a female user. It was also determined that the user was a classmate of the victim…perhaps making for an awkward semester… 

Absolute Software CEO John Livingston was recently interviewed by FOX Business. The interview follows the announcement that Absolute had opened a new U.S. headquarters in Austin, Texas. Despite reports of the economic downturn in the U.S., Absolute has plans to double the number of employees in the new U.S. office in the next 2 years!

Check out John on the “Small Business, Big Ideas” segment below: