Archive for the ‘Theft Prevention’ Category

It’s almost unbelievable but hackers have found a way to steal personal information through electrical outlets.  It sounds implausible to many but, unfortunately, the threat is actually real.

I read an article about how hackers have found a way to “steal information typed on a computer keyboard using nothing more than the power outlet to which the computer is connected.”

How is that possible?  Typing on a regular keyboard sends an electrical signal through the unshielded cable to the computer which then leaks the information into the ground wire on the computer’s power supply.  All a thief has to do is set up in a nearby location and use a power socket in order to detect and grab the information in the ground leakage.  This is possible up to 15 meters away.

I never would have thought this sort of thing was possible but that’s why hackers are so good at what they do – they find ingenious ways to get other people’s vital information.  If only they used those skills to do something good for the world…like find a solution to this problem.

Dell has designed the new Inspiron Mini Nickelodeon notebook for kids, which is a great idea since it’s the right size for little hands, it’s super light (less than 3 pounds) and includes educational software that both parents and children will love. 

With so many kids using computers today, it’s no surprise that parents are looking for ways to  keep young ones, and their computers, safe. 

Absolute recognizes this need and has partnered with Dell to include a free 12-month subscription of Computrace LoJack for Laptops with their Inspiron Mini Nickelodeon notebooks. 

Absolute’s Vice President of Consumer Business, Mark Grace, had the following to say: “As any parent can tell you, once you put a highly portable computer like the Dell Inspiron Mini Nickelodeon Edition in the hands of your kids, they don’t want to put it down, let alone lose it altogether.  That’s why we have collaborated with Dell to include a subscription to Computrace LoJack for Laptops on every Nickelodeon Edition sold. With this protection conveniently built in, parents can feel secure knowing that Computrace LoJack for Laptops will help keep their kids safe by making their computers unattractive to thieves.”

This is definitely a great deal and the timing is perfect since school has just started and a lot of children are looking for a new computer. 

image: Dell

Absolute has opened a regional office in Tokyo, Japan in response to the growth in the Asian marketplace.  As a result, Japanese users will now be able to use Computrace for computer tracking as well as IT asset management and data protection. 

An Absolute Theft Recovery Team has been established in Asia better facilitate our computer recovery services.

This expansion means that Computrace is now available throughout North America, Europe, the Middle East and Africa, South America, Australia/New Zealand and, now,  Japan.

For more information about Computrace One as well as Computrace Mobile, Computrace for Netbooks, Computrace Data Protection, and Absolute Track in Japan, please visit www.absolute.com/japan.

Many of us think about protecting our data against the strangers of the world who might be trying to find a way to use our information to their benefit.  It can be surprising, therefore, when the breach occurs within our company (or circle of friends, family, etc…).  Unfortunately, DuPont is learning that insider theft is becoming more and more common.

The industrial manufacturing company discovered that one of their employees, a senior research chemist, transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place in case someone tried to attach a hard drive to company computers.  I was further baffled when I learned that this isn’t the first time they’ve been through this. 

After 10 years with DuPont, an employee gathered information from thousands of documents and scientific abstracts.  His mission?  To sell the information to rival company, Victrex.  He ended up being sentenced to 18 months of jail time.

Aside from setting up some sort of alert system for when data breaches occur and using laptop security products like Computrace, DuPont (and other companies) has to find a way to work around the fact that even people with legitimate access to their information need to be considered potential threats. 

image: www.sxc.hu

The number of users affected by identity theft through malware has jumped by 600% in comparison with the data from this time last year.   The increase could be the result of the current economic crisis with so many people being affected by the crunch.

The numbers are staggering.  Every day, PandaLabs gets almost 37,000 samples of various types of internet threats and a whopping 71% are Trojans designed to steal banking and credit card information as well as passwords for commercial services.  An estimated three percent of users have been victimized by these silent threats since they normally don’t have any idea they’ve been affected until it’s too late.

There are some steps that users can take to protect themselves:

1. Be wary of any requests for personal data since most banks, payment services (i.e. Paypal) or social networks would never ask for that type of information in an informal way.  Never respond to requests for login information, for example, if they came in the form of an email or text message.

2. Avoid looking up your bank or online store websites through a search engine.   Type the address directly into your browser and double check that it is correct before hitting “enter.” 

3. Verify that the page has valid security certificates which are typically easy to identify by a “locked padlock” icon somewhere in the browser.  Banking websites might have the padlock image right beneath the login fields (see image below at left) whereas the little symbol appears at the end of the address bar in Internet Explorer (image at right). 

Sites like Paypal might also have the padlock above the login fields but you can also look for Verisign Identity Protection icon at the bottom of web pages.

4. Arm your computer with up-to-date security solutions such as Computrace LoJack for laptops.

5. Trust your instincts.  If something looks suspicious, contact the site’s customer service line.  Never enter your personal information if you think something looks wrong.

6. Look into getting identity theft insurance if you regularly shop or bank online.  This will provide coverage if you become the victim of identity fraud.

CSO Online’s Ben Rothke published a 2-part series about Why Information Must Be Destroyed (Pt 2). The series discusses why companies shouldn’t hoard information and how to destroy digitally stored information.

Ben points out that the sheer volume of paper and digital media that accumulates over time requires effective information destruction policies and practices. Every company has information that needs to be destroyed, though regulations may require that certain data be archived for a few years or permanently.

The discussion talks about why hoarding data records can be a liability, gives a list of information that can be shredded when no longer needed, and talks about the regulatory environment regarding data retention and destruction. Just tossing things into the garbage is not the answer, as trashing of records without appropriate destruction can be dangerous. The article suggests that destruction of data be done on a formal (documented) and regular basis.

While the discussion of physical data continued in Part 1, Part 2 of the series looked at electronic information. The destruction of data here includes the importance of sanitizing unwanted hardware (computers, backup tapes, etc) so that no information can be recovered. Computrace Data Delete capabilities can help you do this as part of your asset life cycle. If for some reason it’s not possible to delete the data (maybe it’s from an extremely old computer), the hardware should be destroyed. Various acceptable and unacceptable methods of sanitation and destruction are discussed.

The whole series is a great read and may help you establish or refine your own data policies.

Image: ppdigital @morguefile

Normally we hear about the massive data breaches that happen due to some loss of electronic data – whether it’s a lost data storage device or laptop or from hacking. However, we can’t forget that paper too is at risk for breaching data. This week there were 4 reports of data breaches the result of incidents with paper.

1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A Doctor has admitted to his mistake in improperly disposing of the files. [read more]
3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
4. A Dallas man found a box of medical records, including Social Security Numbers, the the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net ; image: clarita @morguefile

Cisco recently released a whitepaper about data leakage and insider threats. Several predictions for 2009 have indicated that, particularly with the uncertain economic climate, insider data breaches would become more of an issue. With 88% of respondents admitting they’d take sensitive information if they were laid off, this is a clear and present threat to data security.

In 2008, insider theft accounted for 15.7% of data breaches and that 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.

Bruce Schneier recently addressed the issue of insiders, which he points out are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The issues coming up lately refer to an increase in intentional data theft or fraud.

“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland

So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of inside threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:

1. Limit the number of trusted people
2. Ensure that trusted people are also trustworthy
3. Limit the amount of trust each person has
4. Give people overlapping spheres of trust
5. Detect breaches of trust after the fact and prosecute the guilty

You can read these recommendations in detail here. Hopefully it will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.

—-

In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is from the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.

Image anitapatterson @morguefile

Bill Brenner of CSO Online shares “The Seven Deadly Sins of Network Security“, sins which he links with nearly all serious data breaches. Bill notes and asks, “Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?”

Just as Absolute Software recommends a multi-layered security solution, Bill Brenner notes that any solid security defense plan is built upon a multi-layered approach involving technology, policy and practice. The technology layers are just one piece there, but only account for part of the network security sins listed here:

1. Not measuring risk – failing to identify and protect important information assets, while doing so within the parameters of business needs and requirements
2. Thinking compliance equals security – regulations like HIPAA and PCI DSS are only a starting point for strong (and evolving) data security practices
3. Overlooking the people – the ‘people problem’ is a common thread on this blog. People who access data & technology pose a large risk to it – losing laptops, falling for phishing attacks, downloading rogue software, etc
4. Too much access for too many – having access controls set in both policy and in management technology
5. Lax patching procedures - the latest Verizon report showing that 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
6. Lax logging, monitoring – like with the first item, one must know what’s going on in the network prior to security it
7. Spurning the K.I.S.S. – ‘keep it simple, stupid’ or ‘keep it simple for security’ is often overlooked if security is approached without planning and ’solutions’ are tacked on one after the other.

The article looks at common issues that have led these seven items to becoming “sins” in network security terms. This can include, in the case of the first sin, a lack of understanding of business needs and requirements that results in end users circumventing security protocols and risking data even further. Continue reading it here.

The Federal Trade Commission (FTC) has released a report on Social Security Numbers (SSNs) and their correlation with Identity Theft. The report, which can be downloaded here [PDF], is a follow-up to a 2007 workshop on the same topic and the continued work of the President’s Identity Theft Task Force that was established in May 2006.

In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authenticaton would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The Commission’s five recommendations are:

• Improve consumer authentication
• Restrict the public display and the transmission of SSNs
• Establish national standards for data protection and breach notification
• Conduct outreach to businesses and consumers
• Promote coordination and information sharing on use of SSNs

The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently financial institutions that are federally regulated by banking agencies are the only private companies subjected to nationwide authentication standards.

You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].

Via data breach watch