Week of August 21, 2005

Articles from last posting

Media

Why security matters

Read an article by Mary Kirwan, CEO of Headfry, making a case for a new, more rational approach to creating an ROI (return on investment) equation for security investments - that will not fry your head, or that of your audience

The joys of encryption

Mary @ Headfry was quoted in IT Business in a story about encryption. Certicom - a Canadian encryption company - claims to have dramatically increased the speed of an important algorithm used to encrypt data, especially on small devices, where chip size limits the processing power available to do complex calculations in a cost-effective and non-intrusive manner.

Her comments on the challenges facing businesses trying to manage big encryption operations - the so-called 'key management' issue - are endorsed by a recent survey carried out by UK encryption company nCipher, 'sampling 237 "decision makers" at large enterprises across the globe'.

The survey found that '31 percent of managers with 500 or more encryption keys' to manage 'knew little or nothing about available key management systems'. (A key is the secret value that an encryption algorithm uses to encrypt and decrypt data; lose the key and the data is gone.)

This is not good news, as it is all very well being able to encrypt or encode data, but you have to be able to recover it too - often very quickly, at the behest of regulators and possibly law enforcement - while all the while preserving the confidentiality and integrity of the data.

The good news for encryption companies was that 82 percent of the respondents to the survey said they would be using encryption to secure stored data within 18 months. Hopefully they will take the time to actually understand the process before getting in knee deep.
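What a minimal key management system has to get right, as an added example (this is not Headfry's, Certicom's or nCipher's code, and the KeyStore class, the key ids and the record format are assumptions for illustration): every encrypted record names the key that produced it, old key versions stay available after rotation, and destroying a key before its data has been re-encrypted makes that data unrecoverable. The cipher is a stand-in built from HMAC-SHA256 in counter mode; a real system would use a standard AEAD such as AES-GCM.

```python
"""Versioned keys and recoverable ciphertext (added example, not Headfry's,
Certicom's or nCipher's code). Key ids, the KeyStore class and the record
format are assumptions for illustration.

The cipher here is a stand-in: HMAC-SHA256 in counter mode plus an HMAC tag.
In a real system use a standard AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import struct


class KeyStore:
    """Holds key versions. `current` encrypts new data; old versions stay
    available for decryption until they are deliberately retired."""

    def __init__(self):
        self.keys = {}        # key id -> 32-byte key
        self.current = None   # key id used for new encryptions

    def rotate(self, key_id, key=None):
        """Install a new key version and make it current."""
        if key_id in self.keys:
            raise ValueError(f"key id {key_id!r} already exists")
        self.keys[key_id] = key if key is not None else os.urandom(32)
        self.current = key_id
        return key_id

    def retire(self, key_id):
        """Destroy a key. Data still encrypted under it becomes unrecoverable."""
        if key_id == self.current:
            raise ValueError("cannot retire the current encryption key")
        del self.keys[key_id]


def _subkeys(key):
    # Separate encryption and MAC keys derived from the stored key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    # PRF in counter mode; stand-in for a real stream cipher such as AES-CTR.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(store, plaintext):
    """Return record = len(kid) || kid || nonce || body || tag."""
    kid = store.current.encode()
    enc_key, mac_key = _subkeys(store.keys[store.current])
    nonce = os.urandom(16)
    header = struct.pack(">B", len(kid)) + kid + nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(store, record):
    """Look up the key named in the record header; KeyError if it is gone."""
    kid_len = record[0]
    key_id = record[1:1 + kid_len].decode()
    header, nonce = record[:1 + kid_len + 16], record[1 + kid_len:1 + kid_len + 16]
    body, tag = record[1 + kid_len + 16:-32], record[-32:]
    enc_key, mac_key = _subkeys(store.keys[key_id])   # KeyError: key retired or never escrowed
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def demo():
    """Rotate once, retire the old key, and report which records survive."""
    store = KeyStore()
    store.rotate("k1")
    record_a = encrypt(store, b"policy 0001: premium 120.00")   # constructed sample data
    store.rotate("k2")                                          # new data now uses k2
    record_b = encrypt(store, b"policy 0002: premium 95.00")
    results = {"a_after_rotation": decrypt(store, record_a),    # k1 still held
               "b_after_rotation": decrypt(store, record_b)}
    store.retire("k1")                  # destroyed without re-encrypting record_a
    try:
        decrypt(store, record_a)
        results["a_after_retire"] = "recovered"
    except KeyError:
        results["a_after_retire"] = "unrecoverable"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is in `demo()`: rotation alone costs nothing, because the record header says which version to use; it is `retire()` without a preceding re-encryption sweep that turns stored data into noise, and that is the operational knowledge the survey's respondents were missing.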

Going spear phishing?

Mary was also quoted in IT Business in a story about targeted phishing scams called ‘spear phishing’.

The general idea is that bad guys use a combination of guile and intimidation to get you to give them what they want. They send you e-mails that seem to come from your boss or a person in a position of authority over you asking you to reveal sensitive data such as passwords.

Experts at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md, have worked with cadets at the U.S. Military Academy in West Point, N.Y., and they found that awe-stricken and naive cadets were willing to 'give sensitive information to an attacker posing as a high-ranking officer', in what they called 'the colonel effect': military personnel are trained to do what they are told, and 'ask questions later'.

With the aid of training and shaming exercises, the unfortunate, and undoubtedly newly befuddled, cadets have become more willing to rat out suspicious activity, even when it seems to come from on high.

However, it is not difficult to envisage scenarios where de-programming the fighting men and women might have unintended consequences, for good and for ill.

News

Spyware and Star Wars confusion in the UK

Supposedly 11 per cent of the British population think spyware is "a gadget from Star Wars", according to a survey carried out by NOP and commissioned by security company Blue Coat.

In addition, more than half of those who do not think Darth Vader is using it were 'unaware that spyware is software on a user's computer that tracks their behaviour and reports it back to a third party'. So they are only moderately better informed than the Lucas admirers.

Where is Princess Leia when you need her?

Briton on Crete extorts UK insurer

A 54-year-old UK computer scientist had his home searched and computer seized by police on Crete. It seems he has not been arrested yet due to legal issues between Greece and the UK, but if the eye-popping allegations are true, his days on the lam in Greece are numbered.

Greek police, in a statement, alleged that he extorted a UK insurer, as follows: he 'cancelled dozens of insurance contracts; changed the firm's share price listed on the company's website; posted false statements claiming company executives had been involved in fraud', and 'alleged that the firm adopted discriminatory policies against Muslims following the July 7 terrorist bombings in London'.

Supposedly this individual is actively involved in the real estate market on Crete. Not a man to cross it seems.

However, climate aside, he could have picked a safer base for his nefarious operations. Crete is newly invested not merely with pale-faced Britons and Germans baking themselves to a crisp on local beaches, and generally getting hammered, but with the entire staff of the newly formed 'European Network and Information Security Agency' (ENISA).

Bank security chief, 26, steals US$245,000

A Finnish subsidiary bank of GE in Helsinki was robbed by its own head of data security, who got in via an unsecured Wi-Fi network.

Much is made in the story about the Wi-Fi aspect, but it is largely irrelevant to the moral of the story, namely that trusted insiders will rob you blind.

He seems to have planned the job with the help of various accomplices for many months, transferring the stolen funds to another corporate account established six months earlier.

The funds have been recovered, but another cautionary tale, nonetheless. It is unclear at this stage if a background search would have yielded anything useful in this particular case.

Ex-employee steals backup tapes to sell to competitor

Brent Woodward, the former IT director of optical components company Lightwave Microsystems, pleaded guilty to stealing backup tapes from his previous employer, and trying to sell the data on them to the CTO of JDS Uniphase, a Lightwave competitor.

The CTO told the FBI, a sting was conducted, and Woodward was caught in the act and admitted his guilt. He will be sentenced in December and faces up to 10 years in prison.

It is not known as yet what his motive was for the crime, but one can hazard a safe guess that he was unhappy about the circumstances of his departure from Lightwave, and had a beef to settle.

New Jersey teen gets 5 years for 'denial of service for hire' scam

Jasmine Singh, 17, pleaded guilty to attacking the web site of an online sporting goods store on behalf of a teen who ran a competing 'retro sporting apparel' store. According to a report in Newsday, 'he recruited the teen to conduct the attacks in return for some of the historic uniform reproductions he sold, along with high-end sneakers and a watch'.

Singh was alleged to have used zombie botnets (fleets of compromised PCs) to flood the company hosting the victim's web site with traffic to take it down, and to have caused $1.5 million in damage. Newsday reports that the attacks 'were so severe that they affected service to other customers of the Web hosting company' used by the New Jersey company, 'causing those customers to dump the hosting company'.

Singh was sentenced to 5 years in a youth detention centre after his case was transferred to adult court on a motion by state prosecutors, and he was also ordered to pay $35,000 in compensation to the victims.

His alleged puppet master, Jason Arabo, 18, has yet to be dealt with by the courts in Newark, but he must be quaking.

Acxiom 'hacker' convicted

Scott Levine, 46, from Florida, was convicted of stealing huge wads of data - some 1.6 million customer records - from data miner Acxiom Corporation, in what prosecutors alleged was the largest federal computer theft trial to date. However, there was no evidence of identity theft, or computer hacking, in the traditional sense.

Rather, Levine, the owner of Snipermail, an alleged spam factory, was alleged to have used various aliases to get access to data he had no right to view. Atlanta-based Experian, a large credit check agency, stated that Snipermail had approached it trying to sell its 'contact lists', which had been 'artificially enlarged through the theft of Acxiom's data' - with the ultimate aim of making Snipermail appear to be a more attractive acquisition target.

Levine denied the charges, and insisted in his defence that several of his employees, who testified against him to save their collective skins, had obtained the illicit data and pinned it on him when they were caught.

One of these employees gave evidence to the effect that gaining access to sensitive Acxiom data did not require any particular talent and that once access was granted for a limited purpose, the database was essentially wide open.

The art of bobbing and weaving...

Acxiom has been at pains to state that it has improved security around data since that time, and it has emphasized that no identities have been stolen as a result of the breach.

However, it has also maintained (a disease it seems to have caught from fellow data miner ChoicePoint) that it was never 'hacked', as there was 'no intrusion of Acxiom's internal security firewalls or internal databases'. The inference, it seems, is that this renders it less culpable for the breach.

There is surely a lot to be said, from a PR and crisis management perspective alone, for companies, especially these massive data mining operations that control data on millions of individuals without their knowledge or consent, at least owning up when they mess up...

SA bank takes steps to protect customers

After watching various phishing and pharming scams unfold before its eyes, Standard Bank in South Africa is taking new steps to protect customers, akin to the types of measures it uses internally to protect the bank.

It will renew an offer of free access to McAfee security software that it has made for the last three years, and expand its SMS (short message) notification service.

According to a story in Computerworld, customers will be 'alerted immediately about all transactions on their accounts', and when a transaction is completed, both the payer and payee will be advised. This step simply tries to ensure that rogue transactions are spotted early, and chased down before it is too late.

The bank also plans to introduce digitally signed email, so that customers can check that a message really came from the bank, and one-time passwords that will be sent to the customer by cell phone for use within a short timeframe. The use of 'out of band' channels is a tactic to try to defeat attackers who pick off passwords and other credentials for online banking accounts.

However, they will rarely defeat keyloggers (a device or piece of software that records your every keystroke) outright, because a keylogger still captures the one-time code as it is typed. What they do is up the stakes somewhat: a captured code is good only once and only briefly, so the attacker must use it before the customer does, or before it expires. It becomes a race to the finish line.

Credit card customers must also register their cards for online use with the bank, as transactions will be verified with the assistance of the MasterCard SecureCode service, providing another level of security before a sale is completed online.
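The race just described, played out in code as an added example (this is not Standard Bank's system; the OtpIssuer class, the two-minute window and the binding of each code to a payee and amount are assumptions for illustration, since the article says only that codes go to the phone for use within a short timeframe). The server issues one code per transaction, burns it on first use and refuses it after the window; `scenario()` runs the keylogger cases against it with a fake clock, and returning the code from `issue()` stands in for the SMS.

```python
"""Transaction-bound one-time password with a short window (added example;
not Standard Bank's system). The OtpIssuer class, the two-minute window and
the binding of a code to payee and amount are assumptions for illustration.
"""
import hmac
import secrets
import time


class OtpIssuer:
    """Server side: issues a six-digit code per transaction, valid for `ttl`
    seconds and consumable exactly once."""

    def __init__(self, ttl=120.0, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable for deterministic tests
        self._pending = {}            # txn id -> [code, payee, amount, issued_at, used]

    def issue(self, txn_id, payee, amount):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = [code, payee, amount, self.clock(), False]
        return code                   # delivered out of band (SMS) in practice

    def verify(self, txn_id, payee, amount, code):
        """Check every condition in a fixed order; the first failure is reported."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return "unknown transaction"
        stored, bound_payee, bound_amount, issued_at, used = entry
        if used:
            return "code already used"
        if self.clock() - issued_at > self.ttl:
            return "code expired"
        if (bound_payee, bound_amount) != (payee, amount):
            return "code bound to a different transaction"
        if not hmac.compare_digest(stored, code):
            return "wrong code"
        entry[4] = True               # burn it: whoever submits first wins
        return "ok"


def scenario():
    """Replay the keylogger race from the text with a fake clock (constructed data)."""
    now = [1_000.0]
    bank = OtpIssuer(ttl=120.0, clock=lambda: now[0])
    results = {}

    # 1. Keylogger captures the code as it is typed; the attacker submits first.
    code = bank.issue("t1", "ACME Ltd", 5000)
    results["attacker_first"] = bank.verify("t1", "ACME Ltd", 5000, code)
    results["customer_second"] = bank.verify("t1", "ACME Ltd", 5000, code)

    # 2. The customer submits first; the captured code is now worthless.
    code = bank.issue("t2", "ACME Ltd", 5000)
    results["customer_first"] = bank.verify("t2", "ACME Ltd", 5000, code)
    results["replay"] = bank.verify("t2", "ACME Ltd", 5000, code)

    # 3. The attacker sits on the captured code until the window has closed.
    code = bank.issue("t3", "ACME Ltd", 5000)
    now[0] += 300.0
    results["late"] = bank.verify("t3", "ACME Ltd", 5000, code)

    # 4. The attacker tries to redirect a live payment to a mule account.
    code = bank.issue("t4", "ACME Ltd", 5000)
    results["redirected"] = bank.verify("t4", "Mule Holdings", 5000, code)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:16s} {outcome}")
```

Case 1 is the author's point: a captured code is still live until somebody spends it, so a time limit and single use narrow the attacker's opportunity without closing it. Case 4 goes beyond what the article describes: tying the code to the payee and amount (as later transaction-signing schemes do) means a relayed code can only complete the payment the customer actually asked for.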

Benchmarking needed

Many of these measures are being enforced in banks around the world, but US and Canadian banks have been slow to follow suit.

Indeed, some banks in Canada (HSBC Canada for one) have adopted the stance of attempting to pass liability to customers to protect themselves, without doing anything overly strenuous to get involved in what must surely be a highly collaborative process.

In the event that a customer suffers large losses through online banking, I believe that some evidence would have to be presented by the financial institutions that they take every reasonable precaution, and make every effort to protect customers, including following industry best practices.

US banks poor on access control

At this juncture, a little international benchmarking exercise would not go astray. Especially as a recent survey by the GAO (the US Government Accountability Office, the watchdog that audits US federal agencies) has indicated that US financial institutions do a poor job of controlling access to their networks and systems, and that there is a lack of adequate controls in place at all key points of their networks.
