Archive for the ‘Theft Prevention’ Category

Less than 2% of All PCs are Fully Patched

Friday, December 5th, 2008

Secunia has followed up on a survey done one year ago to see if PCs are any more secure this year than last. The data was collected from 20,000 new users of their software in the period of a week, mirroring the same sample from a year previous. The software is thus able to give a snapshot of how many installed programs are “secure” or “patched.”

Based on the data, PCs are more insecure than they were last year. Only 1.91% of PCs scanned could claim to have fully secure / patched programs. The rest were not running the latest (and most secure) version of software available for at least one program.

  • 0 Insecure Programs: 1.91% of PCs
  • 1-5 Insecure Programs: 30.27% of PCs
  • 6-10 Insecure Programs: 25.07% of PCs
  • 11+ Insecure Programs: 45.76% of PCs

Quite scary that nearly half of those 20,000 PCs had more than 11 programs unpatched! Leaving programs unpatched makes them targets for hackers, which can lead to data leak issues if not stopped. Mainstream programs like Microsoft Office, Adobe Flash and browsers are major targets for hackers.

So, perhaps now is a time to run your security updates? On PC and Mac, most programs can be updated automatically, or all together. In a few instances, you may need to ‘check for updates’ in individual programs. Of course, in a corporate environment, where you’re dealing with hundreds or thousands of computers, you need a way to manage this at once. Absolute’s asset tracking can help inventory what software and patches are installed, but other strategies (including Secunia PSI) can supplement in rolling out updates regularly.

Via security focus

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to hack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent pattern.

The password-hacking programs will try the most likely passwords first, then will move on to typical password combinations of root+appendage (or prefix), something like “nachos123”, for example. There are common number and letter sequences that people use to prefix or suffix common words. 24% of all passwords can be cracked with the first 100,000 combinations of these options. The password program will try different dictionaries and will replace letters with common symbols such as “@” for “a”, etc. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the hacking program is fed personal information about you, like the name of a pet, birth date, or postal code, its effectiveness shoots straight up. If you save your password anywhere on your computer, including browser-recalled passwords, it can track them down.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own method of code to break it down into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list and a single Master Password.

Continue reading this post about choosing strong passwords.

Image: Clipart

Document Retention Policy

Friday, November 21st, 2008

Document Retention: understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping-off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first to type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale to any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic documentation retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and policies as pertain to backup tapes.
  3. Define how data is disposed – for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches with the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense with its use.
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or restricted devices such as USB keys or mobile devices.
  6. Detail actions associated with the policy – for example, if email >X days old is to be deleted, list that the network will automatically perform this function.
  7. Define disposable documents – those documents that don’t need to be retained. For example, duplicates or “trivial” documents.
  8. Assign a process to keep documents, if a legal claim arises, to exempt them from regular disposal.
  9. Assign a person or group to maintain the program and answer questions.
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment.

Also in security news:

Supplemental research sources: nfib, it world, uofaweb, microsoft, abanet

Image: ppdigital @morguefile

Beware: Social Engineering

Thursday, November 20th, 2008

Joan Goodchild has put together an article entitled Social Engineering: Eight Common Tactics for CSO Online. Knowing some of these tricks, and integrating tips such as these into regular employee training, can help ward off some of the threats to data security. Several of the tactics involve employees unwittingly giving information to criminals over the phone, while others are more traditional cybercrime issues.

“Social engineering is the art of manipulating people into performing actions or divulging confidential information… The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” - Wikipedia

8 Common Social Engineering Tactics to Avoid

  1. Ten degrees of separation - criminals may try to draw out information from the “front line” employees, each time gaining information to access employees further inside the organization. Another tactic is to be friendly, slowly drawing out more and more information.
  2. Learning your corporate language - if a criminal sounds familiar, your guard may be down to disclosing confidential information
  3. Borrowing your ‘hold’ music – to pretend to be from inside the company
  4. Phone-number spoofing – as above
  5. Using the news against you – as lures for spam, phishing and other scams. Particularly dangerous if targeted to company news.
  6. Abusing faith in social networking sites – suggest typing site names manually, not clicking links
  7. Typo Squatting – for web URLs
  8. Using FUD to affect the stock market - FUD = fear, uncertainty, doubt. Can be used in a number of ways to scam stock prices.

You can read the full details here. You can also read the latest McAfee Security Journal report about the increase in use of social engineering techniques in cybercrime.

Also of interest, ScanSafe has released the 3rd quarter results of their Global Threat Report. [PDF]

New Center for Applied Identity Management Research

Friday, October 31st, 2008

Corporations, government agencies and academic institutions have formed together to study issues surrounding cybercrime, terrorism, narcotics trafficking and identity management. Together they have formed the Center for Applied Identity Management Research (CAIMR).

CAIMR is hosted by Indiana University and is a non-profit corporation of thought leaders who share a common interest in identity management. Their mission is to “study identity issues impacting commerce, government, and national security, their social implications, and the processes, technologies and policies designed to deal with them.” However, despite all that, the goal is to develop real world solutions to these issues. The outcomes may be in the form of industry or law enforcement best practices, technologies, policy adjustments or training and educational materials.

CAIMR notes that the goal is to be able to adapt more quickly to evolving identity fraud and cyber crimes, understanding the constraints and challenges faced by each set of stakeholders. Gary R. Gordon, scholar in identity management at Indiana University School of Law, will be executive director at CAIMR.

Four initial areas of study will be:

  1. Public safety: identity theft, cybercrime, fraud, sexual predator detection, etc.
  2. National security: cybersecurity, human trafficking, terrorist tracking, etc.
  3. Financial and corporate fraud: mortgage fraud, data breaches, insider threats, healthcare fraud, etc.
  4. Individual protection: identity theft, fraud, etc.

Partners in CAIMR include the US Secret Service, VISA, Wells Fargo & Company, and many more.

Via network world, security watch

Risks with Outsourced Call Centers

Friday, October 31st, 2008

Consumerist has published an insider report that gives a disturbing look into the data security threats present when call centers are outsourced.

The insider, a former Chase call center rep, tells the story of a thief able to repeatedly commit credit card fraud by calling an outsourced security department. All he needed to know was a name, Social Security number and a mother’s maiden name.

The Chase call center employee, who worked in the US, flagged the caller as a potential thief. He had called repeatedly trying to sleuth out all the security questions that come up when attempting to access an account. As a result, the Chase employee forwarded the call to security – which had been outsourced to the Philippines.

The US security department had access to LexisNexis to verify more personal information, while the Philippine security department did not. As a result, for weeks the thief would be bumped to security, only to be approved and cleared back to the call center to complete his transactions. Some employees knew enough of the situation to block the transaction, but enough “newbies” did not so that the account holder (the same one each time) was stripped of more than $40,000 over time.

Although the account was repeatedly locked, the thief was able to unlock it with these details over and over again. Why? Because the handbook that the call center went by, the how-to guide that was followed word-for-word, was not set up to deal with this scenario. Although the US security department flagged the account and put on blocks and notes, the outsourced security department would unblock the account. The fraud only ended when the thief was caught.

This is just one example of the issues that arise when security is outsourced. Cultural issues, such as the gender associated with a name, could also come into play. Security is not a cut-and-dried issue, so many clever thieves are taking advantage of black-and-white security manuals in the hands of outsourced security departments to commit fraud.

Here are some additional stories I was able to dig up on outsourced call centers:

Image: milica sekulic

Computrace now embedded in ASUS B50 Notebooks

Wednesday, October 22nd, 2008

Some great news from Absolute Software: the ASUS B50 line of business notebooks will now provide embedded support for Absolute’s anti-theft and management solution, Computrace.

ASUS is one of the world’s top 10 notebook manufacturers, with the B50 taking into consideration the needs of mobile business executives. The B50 features an integrated biometric fingerprint scanner, Trusted Platform Module for secure login and encryption, and now embedded Computrace support. You can read more about this news here.

What does embedded support mean?

This means that all the great features of Computrace are embedded at the firmware level, not the software level. When customers activate the service, Absolute can provide a higher level of security and recovery capability.

Embedding support for the Computrace agent into the BIOS provides customers the highest level of persistence and allows the Computrace agent to survive operating system re-installations, hard drive reformats and even hard drive replacements. That means anyone trying to remove the security features to get at your data is going to have a much harder time.

For a full list of computers with embedded support for Computrace (Dell, Fujitsu, etc), check here.

Also in company news, Absolute showcased its laptop security solutions at the Intel Developer Forum (IDF) in Taipei on October 20-21. For more information, read here.

Data Breach Risk Factors by Sector

Monday, October 20th, 2008

In July, Verizon released a comprehensive study, the “2008 Data Breach Investigations Report”, that looked into 4 years of data breaches, based on forensic investigations and hundreds of data breaches. The report was discussed here on the blog. Verizon has now issued a supplemental analysis from that study.

The supplemental report compares risk factors among the various industries: finance, food, retail and tech. It identifies some important insights into the data, such as that, among all industries, the financial services industry is at the greatest risk of insider data breaches. In other sectors, business partners posed a higher risk to data.

“The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach.” – Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions

The supplemental report indicates that financial service firms are the targets of more sophisticated attacks that often take weeks to discover. That said, financial organizations were shown to have a higher level of asset awareness and to detect breaches more quickly than other organization types. Breaches from lost systems, like laptops, tend to occur less frequently.

The data breach investigation report found that the majority of breaches could be avoided by reasonable security measures, so this supplemental report aims to help identify what industry-specific differences could lead to better proactive security measures.

Other key findings include:

  • High-tech organizations: had a difficult time keeping track of information assets, affected by malicious insiders more than others, hacked more than others
  • Retail: more data breaches than other sectors, wireless network attacks growing quickly, too reliant on third-parties to discover breaches, most attacks are opportunistic
  • Food and beverage: many breaches involve third-party remote access to payment card data, poor security configurations are exploited, POS systems are used to spread malware, and breach detection is very poor

Resources:

And a fun piece of educational reading – spammers are more likely to use Obama than McCain in the subject line of spam emails [read here].

Via CSO Online, Information Week

Passwords are Not Enough

Thursday, October 16th, 2008

In follow-up to the 10 Common Risks Employees Make That Put Data at Risk, another study recently showed that the majority of organizations require only passwords for employees to access critical data. In addition, the passwords used are found to be quite weak.

Quest Software conducted a study on User Authentication which showed that 52% of the 150 organizations surveyed have only basic user authentication (passwords) to access critical data. Stronger forms of authentication would include hardware tokens, digital certificates or risk-based scoring.

Other findings from the study:

  • 88% of enterprise users have multiple work-related passwords, averaging between five and six
  • 64% of organizations do not require users to change their passwords
  • 45% of organizations allow standard dictionary terms (like “password”)
  • 29% of organizations have no requirements for password length

For those investing in stronger user authentication, greater risks from external users (remote employees, contractors, customers, etc) have prompted them to action.

Setting up a strong user authentication plan is crucial, but for those companies that are new to this area, the first and most basic area to enforce is to have your employees choose strong passwords. You can read more about that here.

Image: Clipart

Shredded Checks Are Not Packing Material

Tuesday, September 9th, 2008

This is just a common sense business tip: do not use shredded checks as packing material.

The WHH Ranch Company has been using shredded paper from a Texas-based bank for 20 years. Some of that paper came in the form of shredded checks.

When Michelle McBride ordered some food from WHH Ranch, she found it packed in shredded checks. The shredded paper was in wide strips (it was not cross-shredded) that could be easily pieced together. In fact, that’s what Michelle McBride did: she was able to easily re-assemble some checks and plainly read off account numbers and routing information for hospitals, Medicare, schools, businesses and personal accounts.

After learning of the problem, WHH Ranch says they’ll ensure it doesn’t happen again.

So, two things to learn from this:

  • If you are shredding sensitive information, use a good cross-shredder or confetti shredder. Particularly if you’re a business.
  • If you are using shredded paper as packaging material, ensure it’s finely shredded material that contains only non-sensitive papers.

After the jump is a video of the CNN report about this incident (the video auto-plays).
