Archive for the ‘Surveys & Reports’ Category

Social Security Numbers Can Be Predicted

Wednesday, July 8th, 2009

Two researchers at Carnegie Mellon University's Heinz College were able to predict Social Security Numbers using only publicly available information. The study by Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers from Public Data, will be published in the Proceedings of the National Academy of Sciences and will be presented this July at the Black Hat conference.

Social Security Numbers (SSNs) are a primary piece of personal information sought by identity thieves, so individuals and companies have long been cautioned to protect this sensitive information closely. This new study, however, shows that SSNs can be predicted from publicly available data.

Based on patterns in SSNs visible in the “Death Master File” (the public database of SSNs belonging to people who have died), Acquisti and Gross determined that date of birth and state of birth can be used to predict a narrow range of values likely to contain an individual’s assigned SSN. The prediction becomes more accurate for individuals born after 1988, when the Social Security Administration began assigning numbers at birth, so that the order in which numbers were issued closely tracks birth date.

Within two attempts, the researchers correctly guessed the first five digits of the SSN for 60% of the deceased individuals studied; within 1,000 attempts, they identified all nine digits for 8.5% of the group (a share that rises as more attempts are allowed). An attacker could then automate the remaining guesses against existing online services that confirm whether a name and SSN match, using them as an oracle to test and verify candidate SSNs.
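The mechanics of the inference described above, as an added example that is not part of the original post or of the researchers' own code. It relies on two documented facts about pre-randomization SSNs: the first three digits (the area number) were tied to the state of issuance, and the two-digit group number was issued within an area in the fixed order odd 01-09, even 10-98, even 02-08, odd 11-99, with the four-digit serial running sequentially inside each group. Given a list of (state, date of birth, SSN) records such as the Death Master File provides, the records closest in birth date to a target born in the same state bracket the target's number in the issuance sequence. The "Death Master File" excerpt below is constructed for the example; its state code XX is a placeholder and its area number 900 lies in a range the SSA never issued.

```python
from bisect import bisect_left, bisect_right
from datetime import date

# Documented pre-randomization issuance order of the group number (digits 4-5)
# within one area number: odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (list(range(1, 10, 2)) + list(range(10, 99, 2))
               + list(range(2, 9, 2)) + list(range(11, 100, 2)))
GROUP_INDEX = {g: i for i, g in enumerate(GROUP_ORDER)}
SERIALS_PER_GROUP = 10000  # serial 0001-9999; rank slot 0000 is never a valid SSN


def ssn_rank(ssn: str) -> int:
    """Map AAA-GG-SSSS to its position in the issuance sequence for its area."""
    area, group, serial = (int(part) for part in ssn.split("-"))
    return (area * len(GROUP_ORDER) + GROUP_INDEX[group]) * SERIALS_PER_GROUP + serial


def rank_to_ssn(rank: int) -> str:
    """Inverse of ssn_rank."""
    serial = rank % SERIALS_PER_GROUP
    area, group_idx = divmod(rank // SERIALS_PER_GROUP, len(GROUP_ORDER))
    return f"{area:03d}-{GROUP_ORDER[group_idx]:02d}-{serial:04d}"


def predict_candidates(dmf, state, target_dob):
    """Return every SSN that lies between the SSNs of the nearest records
    (by date of birth) from `state` on either side of `target_dob`.

    The anchors themselves belong to deceased people, so they are excluded;
    a target born before the first or after the last anchor cannot be bracketed.
    """
    anchors = sorted((dob, ssn_rank(ssn)) for st, dob, ssn in dmf if st == state)
    dates = [dob for dob, _ in anchors]
    lo_idx = bisect_left(dates, target_dob) - 1   # last anchor born strictly before
    hi_idx = bisect_right(dates, target_dob)      # first anchor born strictly after
    if lo_idx < 0 or hi_idx >= len(anchors):
        raise ValueError("target date falls outside the anchored range")
    lo_rank, hi_rank = anchors[lo_idx][1], anchors[hi_idx][1]
    # Skip rank slots whose serial would be 0000; the range crosses group
    # boundaries in issuance order, not numeric order.
    return [rank_to_ssn(r) for r in range(lo_rank + 1, hi_rank)
            if r % SERIALS_PER_GROUP != 0]


# Constructed, synthetic Death Master File excerpt: (state, DOB, SSN).
# Every value is invented for this example.
SYNTHETIC_DMF = [
    ("XX", date(1990, 3, 2),  "900-01-1203"),
    ("XX", date(1990, 3, 5),  "900-01-1290"),
    ("XX", date(1990, 3, 11), "900-01-1450"),
    ("XX", date(1990, 3, 20), "900-01-1702"),
    ("XX", date(1991, 8, 1),  "900-09-9990"),
    ("XX", date(1991, 8, 9),  "900-10-0015"),
    ("YY", date(1990, 3, 6),  "901-42-0107"),  # other state: must be ignored
]


if __name__ == "__main__":
    for dob in (date(1990, 3, 8), date(1991, 8, 4)):
        cands = predict_candidates(SYNTHETIC_DMF, "XX", dob)
        prefixes = sorted({c[:6] for c in cands})
        print(f"born {dob} in XX: {len(cands)} candidates, first five digits {prefixes}")
```

For the first target the whole candidate set shares one five-digit prefix, which is why the first five digits fall so quickly; the second target straddles the 09 to 10 group boundary and shows that the candidates follow issuance order rather than numeric order. The size of the candidate list is the number of verification attempts an attacker needs, so the denser the public records around a birth date, the fewer guesses remain.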

Since SSNs are considered a primary form of identification, upon which you can apply for additional identification or for credit, there are troubling consequences to this discovery. From the executive summary of the study:

Since SSNs are predictable from public data, identity theft could occur even without events such as data breaches. Some of the implications are that 1) the SSA should randomize the entire SSN assignment process; 2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as “confidential information” – however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective; 3) since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

The report makes some recommendations to government agencies, policy-makers, credit and financial institutions, online services and consumers regarding SSNs. You can read them here.

Via Wired ; Image: imelenchon

US Accounts for 23% of Malicious Computer Activity

Wednesday, July 8th, 2009

Symantec recently released a ranking of which countries are responsible for most of the world’s cybercrime. Countries with high rates of high-speed Internet connections rank the highest on the list, as we’d expect, with the top 3 countries being the US, China and Germany.

Symantec put together this list by looking at malicious code, spam zombies, phishing website hosts, bot-infected computers controlled by criminals, and the country from which attacks originated. The ranking is based on data for 2008.

Top 10 Countries with Most Cybercrime

  1. United States – 23% share of malicious computer activity
  2. China – 9% share of malicious computer activity
  3. Germany – 6% share of malicious computer activity
  4. Britain – 5% share of malicious computer activity
  5. Brazil – 4% share of malicious computer activity
  6. Spain – 4% share of malicious computer activity
  7. Italy – 3% share of malicious computer activity
  8. France – 3% share of malicious computer activity
  9. Turkey – 3% share of malicious computer activity
  10. Poland – 3% share of malicious computer activity

As you can see, the US accounts for some 23% of the world’s malicious computer activity. That’s a big jump from those countries ranked lower on the list, with the US leading the way on nearly all of the malicious activities tracked by Symantec.

If you download the latest Spam Intelligence report, which looks at spam in the second quarter of 2009, you’ll see that overall levels of spam are on the rise. Malicious websites are also on the rise, with 67% more malicious websites blocked per day in June vs May of this year.

Via businessweek / Image: ppdigital @morguefile

GAO Recommends FISMA Changes

Tuesday, May 26th, 2009

The US Government Accountability Office (GAO) has released a draft report summarizing the progress government agencies have made in implementing information security policies and practices under the Federal Information Security Management Act of 2002 (FISMA).

Six years after FISMA was enacted, the GAO reports that poor information security is still a widespread issue in the Federal government. In their 2008 performance and accountability reports, 20 out of 24 major agencies noted that information system controls over their financial systems and information were either a “significant deficiency” or a “material weakness.”

The GAO summary notes that:

Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA.

23 out of 24 agencies were found to have weaknesses in their agencywide information security programs in 2008. Although agencies reported an increased compliance in implementing security controls in 2008, the GAO notes that there are shortcomings with implementing key control activities for the year.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

The GAO recommends that the current reporting requirements be changed so that inspectors general are required to report on the effectiveness of agencies’ activities, which would help determine whether agencies are actually implementing their policies, procedures and practices rather than merely documenting them. The full list of GAO recommendations can be found in this PDF.

The Laws of Vulnerabilities

Wednesday, May 13th, 2009


Qualys recently published a new report on the Laws of Vulnerabilities 2.0. The report reveals the vulnerability half-life, prevalence, persistence and exploitation for 5 industry segments. The report found that different industries are patching their systems at different speeds.

The report is based on an analysis of 680 million vulnerabilities from 80 million scans, of which 11% were rated “critical.” The services industry patches its systems fastest, with a half-life of 21 days (meaning 50% of vulnerable systems were patched within the first 21 days after a fix was released); manufacturing ranked lowest at 51 days.

The 2008 data was compared against the same study done in 2003, revealing an average patching half-life of 29.5 days, only half a day faster than in 2003. While companies are not speeding up their patching, attackers are speeding up their exploits: 80% of exploits are now available within single-digit days of a vulnerability’s public release, so most systems remain exposed long after working exploit code exists.
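How the half-life figure above is derived from scan data, as an added example that is not code from the original post or from Qualys. It takes per-host remediation records for one vulnerability (when the fix shipped, when the host was seen patched, or None if it never was), computes the half-life as the delay by which half of the hosts were patched, and reports persistence, the share still vulnerable after a given window. The records and segment names are constructed for the example; the delays are chosen so the two segments reproduce the 21-day and 51-day figures quoted above.

```python
from datetime import date, timedelta


def patch_delays(records):
    """Sorted days-to-patch for hosts that were actually remediated."""
    return sorted((patched - released).days
                  for _, released, patched in records if patched is not None)


def half_life(records):
    """Days after the fix shipped by which half of the hosts were patched.

    Hosts never seen patched still count in the denominator, so a
    vulnerability that most hosts keep forever has no half-life (None).
    """
    delays = patch_delays(records)
    needed = -(-len(records) // 2)          # ceil(n / 2)
    if len(delays) < needed:
        return None
    return delays[needed - 1]


def persistence(records, window_days):
    """Fraction of hosts still vulnerable `window_days` after the fix shipped."""
    still_vulnerable = sum(
        1 for _, released, patched in records
        if patched is None or (patched - released).days > window_days)
    return still_vulnerable / len(records)


def half_life_by_segment(records_by_segment):
    return {segment: half_life(recs) for segment, recs in records_by_segment.items()}


# Constructed sample: one vulnerability, fix released on a single date,
# hosts in two industry segments with invented patch delays (None = never).
FIX_RELEASED = date(2008, 6, 10)


def _hosts(prefix, delays):
    return [(f"{prefix}-{i}", FIX_RELEASED,
             None if d is None else FIX_RELEASED + timedelta(days=d))
            for i, d in enumerate(delays)]


SYNTHETIC_SCANS = {
    "services": _hosts("svc", [2, 7, 21, 30, 45, None]),
    "manufacturing": _hosts("mfg", [10, 30, 51, 60, None, None]),
}


if __name__ == "__main__":
    for segment, half in half_life_by_segment(SYNTHETIC_SCANS).items():
        still = persistence(SYNTHETIC_SCANS[segment], 30)
        print(f"{segment}: half-life {half} days, {still:.0%} still vulnerable at day 30")
```

Comparing the half-life with the number of days until an exploit appears (single digits, per the report) gives the window during which most of a segment's hosts are exploitable; persistence captures the tail the half-life hides, since a segment with a 21-day half-life can still carry unpatched hosts months later.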

Check out the full Laws findings here

Also check out this interview with FBI Special Agent J. Keith Mularski, who spent 2 years posing as a cybercriminal as part of an undercover operation. Very interesting read.

Via SecurityFocus

McAfee 2009Q1 Threat Report

Monday, May 11th, 2009

McAfee has released the Q1 threat report for 2009 indicating that cybercriminals have taken over almost 12 million new IP addresses since January, a 50% increase over 2008. The report also indicates a shift in botnet activity, with the US now hosting the largest percentage of botnet-infected computers (80% of all zombie machines – those machines controlled by spammers and others).

Key Findings from the Threat Report:

  • Spam levels are still 30% below their peak levels (due to the November 2008 McColo shutdown), though spam volumes have recovered about 70% so far and are rising (the increase in zombie computers will trend this upward)
  • The US accounts for 35% of global spam output
  • Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.
  • Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.
  • Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun-based malware is detected in far greater numbers than Conficker so far.

McAfee predicts that social networks will continue to offer attackers a popular channel for social-engineering attacks, as we saw in Q1 with the Koobface variants being distributed on Facebook. Among other trends, customized attacks and the use of fear tactics are also on the rise.

Download the report here.

Businesses Fear Social Networking

Wednesday, May 6th, 2009

According to a new report from Sophos, two thirds of businesses fear social networking and its impact on corporate security.

Sophos conducted a poll in February 2009 with 709 respondents. Of those, 63% of system administrators worry that employees share too much information on their social networking profiles. They believe this puts the corporation, and its data, at risk (since cybercriminals have access to more information for identity theft, malware or spam). A quarter of the businesses had been the recipients of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Over 40% of companies don’t control access to any of these major social networking platforms – for those that do, productivity still represents the largest share of concern, but security concerns are on the rise.

“We’re seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends’ compromised accounts. Although social networking sites are going some way to mitigate threats to users – activating pop-up windows to confirm if a user really wants to visit that external link for example – unfortunately it’s just not enough. Organisations need to incorporate defences into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts which could provide an entry point to the IT infrastructure.” – Graham Cluley, senior technology consultant at Sophos

Sophos summarizes their study with the top 5 tips to combat social networking perils in the business environment, which include:

  • Educate your workforce about online risks
  • Consider filtering access to certain social networking sites at specific times
  • Check the information that your organisation and staff share online
  • Review your Web 2.0 security settings regularly
  • Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content

Read more here.

Also, beware of an increase in Swine Flu pill spam!

Health Care Spending Lost to Fraud

Wednesday, April 29th, 2009

The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending – about $68 billion – is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated that in 2007 $2.26 trillion was spent on health care in the US and 4 billion health insurance claims were processed. It conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged ; Via dotmed ; Image: clipart

Cost of a Lost Laptop is nearly $50,000

Friday, April 24th, 2009

The Ponemon Institute, together with Intel, has released the results of a new study on the Cost of a Lost Laptop. The study concluded that the average cost of a lost laptop is nearly $50k, counting both tangible and intangible costs.

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

  • The average cost of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property, lost productivity, and legal, consulting and regulatory expenses)
    • A data breach accounts for 80% of the cost associated with a lost laptop
    • Of the remaining 20%, 59% is attributable to intellectual property loss
  • The sooner a company realizes a laptop is missing, the lower the average cost
    • If the loss is discovered the same day, the average cost is $8,950
    • If the loss takes more than a week to discover, the average cost rises to $115,849
  • Director and manager laptop losses are the most costly
    • The average cost of a lost laptop is $28,449 for a senior executive, $60,781 for a manager and $61,040 for a director
  • Encryption saves money, with an average saving of $20,000 for lost laptops that were encrypted versus those that were not – but that is less than half the saving from discovering the loss on the day it happened
  • The cost of a lost laptop varies by industry. The average full cost is highest in the services industry ($112,853) and lowest in manufacturing ($2,184)
  • The average data breach cost of a lost laptop also varies by industry. The highest average data breach cost is in the services industry ($108,699), followed by financial services, healthcare and pharmaceuticals; the other industries were far lower

What the highlights demonstrate is the high cost associated with lost laptops, but also the scope for limiting the damage if companies can identify quickly that a laptop is missing. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and, when it’s stolen, get the Absolute Recovery Team to help find it. You can also perform a remote data wipe to ensure your lost data does not fall into the wrong hands, and Computrace with Intel Anti-Theft Technology can lock the computer so it cannot even be booted up. Together these can substantially reduce the cost of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

Verizon 2009 Business Data Breach Report

Thursday, April 23rd, 2009

Verizon Business has released its 2009 Data Breach Investigations Report, following similar reports earlier this year from the ITRC and Ponemon. The report indicates that 285 million records were breached in 2008. This figure is much higher than the 35.7 million records that the ITRC estimated based on notification letters, which only capture breaches that were publicly disclosed.

Highlights from the study include:

  • 91% of all compromised records were attributed to organized criminal groups
  • 99.6% of records were compromised from servers and applications
  • 74% resulted from external sources
  • 20% resulted from insiders
  • 69% were discovered by a 3rd party
  • 67% were aided by significant errors
  • 32% implicated business partners
  • 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Although much of the response to this report has focused on the insider threat being lower than expected, I have to argue that the data is in line with previous figures. Although there is an indication that insider threats will rise in 2009, the 20% insider share quoted here is actually higher than the previously estimated 15.7%. I think fear of future insider threats has simply muddled our perspective on the past year.

The data about insiders, however, has been more revealing. On a per breach basis, insiders were responsible for more records lost, on average, per breach than other causes, such as external sources or partners.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.

Download the breach report here [PDF].

Economy Hits ID Theft Victims Harder

Tuesday, April 21st, 2009

A new survey from Nationwide indicates that consumers impacted today from identity theft may not have enough money in reserve to get through the recovery process.

The survey, conducted with 400 adults in December 2008, polled identity theft victims and unaffected consumers in equal numbers. According to the survey, 10% of the identity theft victims polled missed payments because of the crime, and 80% say they suffered serious repercussions as a result of identity theft, including lower credit scores, utilities being shut off, bankruptcy, vehicle repossession, home foreclosure or jail time.

A previous survey talked about here indicates the average consumer cost per fraud incident was $496, but this does not include the time needed to recover from the fraud, which is likely increasing the odds of not being able to financially cope with the burden.

“If the identity theft involves your credit cards you can often resolve the problems quickly. However, if the fraud involves a debit card, a loan or your health insurance, the impact can be costly and time consuming. With so many Americans losing their savings and investments, people have less money to fall back on during the time it takes to stop the bleeding.” – Kirk Herath, Chief Privacy Officer for Nationwide Insurance

The survey found that most identity theft victims surveyed tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Those separated or divorced, and in high income households, are more likely to be affected.

Previous Nationwide surveys found that victims spend an average of 81 hours recovering from identity theft, with some taking much longer. Other surveys have found similar average resolution times.

Hat tip to George ; Image: clipart
