Thursday, May 31, 2007

How to Stop Political Attacks

Not all hackers are motivated by money. In fact, there is a growing number of politically-motivated attacks on businesses and government agencies, and the methods they use are different -- and potentially harder to stop -- than their cash-hungry counterparts, experts say.
Is your company ready to stop them?
Click here for the full story.

Wednesday, May 30, 2007

New Laws Don't Solve Global Problems

Legislators around the world are taking a stab at the computer crime problem. But experts say, in most cases, they don't have enough jurisdiction to solve it.
The U.S. House of Representatives made a splash last week by passing the Internet Spyware Prevention Act of 2007 and the Spy Act, two bills designed to reduce the use of spyware and give law enforcement more resources to pursue and prosecute spyware perpetrators.

At the same time, German legislators were passing a controversial new anti-cybercrime measure that defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing it. Offenders are defined as any individual or group that intentionally creates, spreads, or purchases hacker tools designed for illegal purposes. The law also extends prosecution to those who attack individuals, as well as businesses or government.

Click here for the full story.

Tuesday, May 29, 2007

Google makes GreenBorder its first security acquisition

Acquisition-happy Google has made its first security purchase by quietly snaring start-up GreenBorder Technologies, a provider of virtualized web browsing anti-malware software, for an undisclosed amount.

But industry experts do not believe the deal signals Google is planning to further flex its muscles in the IT security marketplace. Instead, experts said today, the search giant likely will use the purchase to secure its recently unveiled business application suite, not as the kick-off to a portfolio that would compete with the likes of Symantec and McAfee.

Click here for the full story.

Monday, May 28, 2007

SonicWall Unveils Security App

SonicWALL, Inc. (NASDAQ: SNWL), a leading provider of Internet security solutions, today unveiled the SonicWALL Network Security Appliance (NSA) E7500, a new gateway security appliance that makes deep packet inspection security productive and easy to manage in larger network deployments. Designed to enable the highest level of Unified Threat Management (UTM) performance at its price point, the NSA E7500 is intended for campus networks, distributed environments and data centers. The NSA E7500 is the industry's first UTM appliance to harness the power of multiple processing cores in a single network platform.
Click here for the full story.

Friday, May 25, 2007

Report slams FBI network security

FBI network vulnerable to insider attacks, government watchdog group says

The Government Accountability Office, the federal government’s watchdog agency, Thursday released a report critical of the FBI’s internal network, asserting it lacks security controls adequate to thwart an insider attack.

In the report, titled “Information Security: FBI Needs to Address Weaknesses in Critical Network,” the authors -- Gregory Wilshusen, GAO’s director of information security issues, and Chief Technologist Keith Rhodes -- said the FBI lacks adequate network security controls.

The FBI “has an incomplete security plan,” the report concluded.
Click here for the full story.

Thursday, May 24, 2007

New Spec Could Cut Phishing, Spam

Phishers and spammers beware: It may soon be a lot harder to pretend you're somebody you're not.

The Internet Engineering Task Force, which sets the technical standards for the Internet, yesterday approved the DomainKeys Identified Mail standard as a proposed standard (RFC 4871). The specification, a three-year effort pioneered by Yahoo!, Cisco, Sendmail, and PGP, is an email authentication framework that uses cryptographic signature technology to verify the domain of the sender.

In a nutshell, DKIM allows email senders to "sign" each email to verify that it comes from their domain. If the receiving domain handles an email that does not contain the signature, it can raise a red flag to warn the recipient that the message might be a fake.
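As an added example (not code from the original post or from the DKIM project), here is the receiver-side check the paragraph describes, in Python: find the DKIM-Signature header, flag mail that lacks one, recompute the body hash (the bh= tag) using the RFC 4871 simple/relaxed body canonicalization, and derive the DNS name where the signing domain publishes its public key. It goes slightly beyond the text by showing the canonicalization step. The domain example.com, the selector mail2007 and the message body are constructed; the b= tag, which in real mail carries the RSA signature over the canonicalized headers, is a placeholder so the example runs offline.

```python
import base64
import hashlib
import re

# Constructed sample body (not from any real message).
SAMPLE_BODY = "Dear customer,\r\n\r\nYour statement is ready.\r\n\r\n"


def split_message(raw: str):
    """Split a message into (header list, body) at the first blank line,
    joining folded continuation lines back onto their header."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line
        else:
            headers.append(line)
    return headers, body


def find_dkim_signature(headers):
    """Return the raw DKIM-Signature value, or None when the mail is unsigned."""
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "dkim-signature":
            return value
    return None


def parse_tags(value: str) -> dict:
    """Parse the RFC 4871 tag=value list; folding whitespace inside values
    (for example inside a wrapped bh= or b=) is discarded."""
    tags = {}
    for part in value.split(";"):
        k, sep, v = part.partition("=")
        if sep:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canonicalize_body(body: str, mode: str) -> bytes:
    """'simple': drop trailing empty lines, end with one CRLF.
    'relaxed': additionally collapse runs of WSP and strip trailing WSP."""
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
        body = "\r\n".join(lines)
    while body.endswith("\r\n"):
        body = body[:-2]
    return (body + "\r\n").encode()


def body_hash_b64(canon_body: bytes, algo: str = "sha256") -> str:
    """bh= value: base64 of the digest over the canonicalized body."""
    return base64.b64encode(hashlib.new(algo, canon_body).digest()).decode()


def build_signed_message(body: str, domain="example.com", selector="mail2007",
                         canon="relaxed/relaxed") -> str:
    """Signer side, constructed for the demo: emit a DKIM-Signature header
    carrying the body hash. Placeholder b=; a real signer puts the RSA
    signature over the canonicalized h= headers there."""
    bh = body_hash_b64(canonicalize_body(body, canon.split("/")[1]))
    sig = (f"v=1; a=rsa-sha256; c={canon}; d={domain}; s={selector};\r\n"
           f"\th=from:to:subject; bh={bh};\r\n"
           f"\tb=PLACEHOLDER")
    return (f"DKIM-Signature: {sig}\r\n"
            f"From: billing@{domain}\r\nTo: user@example.net\r\n"
            f"Subject: Your statement\r\n\r\n{body}")


def check_message(raw: str) -> dict:
    """Receiver side: report unsigned mail, recompute bh= and say where the
    signer's public key record would be looked up (selector._domainkey.domain)."""
    headers, body = split_message(raw)
    sig = find_dkim_signature(headers)
    if sig is None:
        return {"signed": False, "reason": "no DKIM-Signature header"}
    t = parse_tags(sig)
    canon = t.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"   # body part defaults to simple
    algo = "sha1" if t.get("a", "").endswith("sha1") else "sha256"
    canon_body = canonicalize_body(body, body_mode)
    if "l" in t:                                            # optional body length limit
        canon_body = canon_body[:int(t["l"])]
    return {"signed": True, "domain": t.get("d"), "selector": t.get("s"),
            "key_record": f"{t.get('s')}._domainkey.{t.get('d')}",
            "body_hash_ok": body_hash_b64(canon_body, algo) == t.get("bh")}


if __name__ == "__main__":
    signed = build_signed_message(SAMPLE_BODY)
    print(check_message(signed))                              # body_hash_ok True
    tampered = signed.replace("statement is ready", "password has expired")
    print(check_message(tampered))                            # body_hash_ok False
    print(check_message("From: a@example.net\r\n\r\nhi\r\n"))  # signed False
```

A body-hash mismatch or a missing header is the "red flag" the article mentions; a real verifier would then fetch the key record and check b= before trusting the d= domain.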

Click here for the full story.

Wednesday, May 23, 2007

DHS publishes sector-specific protection plan for IT infrastructure

It aims to protect 17 specific sectors against a range of terrorist and natural threats

The U.S. Department of Homeland Security (DHS) yesterday released a broad blueprint of actions that technology companies and government entities can take to mitigate terrorist and other threats against the nation's IT infrastructure.

The Sector Specific Plan (SSP) for IT was released as part of a broader National Infrastructure Protection Plan (NIPP) developed by the DHS under a 2003 presidential mandate. That mandate called for the development of risk-mitigation strategies for protecting critical infrastructure targets in 17 specific sectors against a range of terrorist and natural threats.
The plans are designed to help infrastructure stakeholders in each area to identify and prioritize key assets that need to be protected and to provide recommendations on how to go about doing that.

Click here for the full story.

Tuesday, May 22, 2007

Thousands of Illinois realtors, mortgage brokers warned of data compromise

Alert prompted by May 3 breach of state agency server
The Illinois Department of Financial and Professional Regulation (IDFPR) is sending out letters to an estimated 300,000 licensees and applicants informing them of a potential compromise of their names, Social Security numbers and other personal data.

The warning follows the May 3 discovery of a security breach involving a storage server at the agency. Among those affected by the breach are real estate and mortgage brokers, pawn shop owners and loan originators licensed to operate in the state. The potentially compromised data is between six and 12 months old and includes names of people who may have applied for licenses with IDFPR, said Susan Hofer, a spokeswoman for the agency.
Click here for the full story.

Friday, May 18, 2007

Alcatel-Lucent reports employee data lost or stolen

CD with unencrypted data may have walked off a UPS truck
A CD containing personal information about thousands of Alcatel-Lucent SA employees and their dependents has been lost or stolen, the company said on Thursday.
The disk contains the names, addresses, Social Security numbers, dates of birth and salary information for U.S. employees who worked for Lucent prior to its merger with Alcatel SA, as well as Lucent retirees and dependents of both groups, the company said.
The disk was prepared by Hewitt Associates LLC, which administers Alcatel-Lucent's benefits plans, for delivery via United Parcel Service to another contractor, Aon Corp., Alcatel-Lucent said.

"We are still investigating this matter, but we believe the disk was lost or stolen between April 5 and May 3," Alcatel-Lucent told employees in a letter on its Web site.

Click here for the full story.

Thursday, May 17, 2007

IBM contractor loses employee data in transit

Apparently fell off the back of a truck, more or less literally
IBM on Tuesday said it has been unable to recover lost storage tapes containing sensitive employment-related information of some former and current IBM workers.

The tapes were lost more than two months ago just a few miles south of IBM's corporate headquarters, because of what a company spokesman called a "transportation incident" involving an IBM vendor.

The lost tapes primarily stored the archived personal information -- including Social Security numbers, dates of hire and dates of departure from IBM -- of an undisclosed number of individuals.

Click here for the full story.

Tuesday, May 15, 2007

Profit-Minded Trojans

The first Trojan horse was designed to win the war and get the girl. But according to new research from PandaLabs, Trojan software makers now have gone commercial.
Sixty-six percent of the new Trojans that emerged in the first quarter of 2007 were designed for financial gain, according to the security company's quarterly research report, which was published Wednesday.

Click here for the full story.

Monday, May 14, 2007

Security: Thumb sucking, slurping, snarfing…Excuse me?

The Dictionary of Wacky Security Threat Terms

Remember when thumb sucking was considered an innocent activity, except that if you did it as a young child you might need braces as a teen? Today you’d need a lot more than a mouthful of metal to protect from thumb sucking.

This phrase is one of the latest in a new genre of IT terminology: Wacky Security Threat Terms. While the incidents described by such terms are indeed serious, security vendors and others have broken the rules of spelling and relied upon double entendres to develop this new collection of buzz words that succinctly refer to the latest threats, with the hope that giving the threat a memorable tag will raise awareness.
Click here for the full story.

Friday, May 11, 2007

The Phisher King

You see phishing attack attempts nearly every day, but what you don't see is the face behind the attack. In a rare glimpse into the mind of a phisher, hacker and security expert RSnake recently engaged an attacker who says he makes $3,000 to $4,000 a day and was willing to share a bit about himself and how he operates.
RSnake, a.k.a. Robert Hansen, CEO of SecTheory and Dark Reading blogger, asked the phisher, called "lithium," how he operates, what technology he uses, and just how much money he makes off these scams. Lithium, who says he's 18 and has been phishing since he was 14, said he has stolen over 20 million identities, mostly via social networking worms. "I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through," he wrote to RSnake, who today published the responses on the blog.
Click here for the full story.

Wednesday, May 09, 2007

TSA Loses 100,000 Employee Records

Every day, in airports across the country, they ask people to lose their keys, their shoes, and their belts. This time, though, the Transportation Security Administration has lost something of its own: a removable hard drive containing about 100,000 employee records.
The TSA on Friday notified employees that an external hard drive containing personnel data -- including name, Social Security number, date of birth, payroll information, and bank account/routing information -- was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital on Thursday, May 3. The data includes records of TSA employees from January 2002 until August 2005.

"It is unclear at this stage whether the device is still within Headquarters or was stolen," said TSA Administrator Kip Hawley in a letter to TSA employees.

Click here for the full story.

Tuesday, May 08, 2007

StopBadware says majority of malware sites hosted by five ISPs

StopBadware on Friday identified five Web-hosting companies with myriad infected Web sites residing on their servers, which the industry watchdog says puts unwitting Internet users at risk.

Based on analysis of close to 50,000 sites, the group identified five companies as hosting a majority of those Web sites known to distribute malicious code. The hosting companies -- iPowerWeb, Layered Technologies, Internet Services, Internap Network Services and CHINANET Guangdong province network -- have the largest number of infected Web sites residing on their servers. For instance, some 10,834 infected sites were identified on iPowerWeb's servers.

Click here for the full story.

Monday, May 07, 2007

SEC: WFI Insider Stole $7.7M

The Securities and Exchange Commission (SEC) has filed charges against a stock options manager at Wireless Facilities Inc. for using software and online services to steal $7.7 million in stock from his company.

Vencent Donlan, 44, was charged with using the company's Equity Edge stock plan management and reporting application and E*Trade to route more than 700,000 shares of his company's stock into an account held by his wife, Robin Colls Donlan. He also is accused of falsifying entries in Equity Edge to cover his tracks.

WFI, ironically, is an outsourcing provider in the wireless industry that provides (among other offerings) "security systems and engineering services."

Click here for the full story.

Wednesday, May 02, 2007

Intro to hackernomics

Five laws of hacker economics
Legislation, financially driven attackers, and high profile breaches have changed the economics of security. We need to rethink the motivations of attackers and the new attacker economy given a growing stolen identity information trade and the rise of organized electronic crime. We need to study hackernomics. This is a new term so allow me to offer a definition:

Hackernomics (noun, singular or plural): A social science concerned with description and analysis of attacker motivations, economics and business risk. It is characterized by five fundamental laws and eight corollaries.

Click here for the full story.

Tuesday, May 01, 2007

Experts: US Not Prepared for Cyber Attack

The United States is vulnerable to a "strategically crippling cyber attack" by enemies around the world, experts told Congress yesterday.
Testifying before the House Committee on Homeland Security, high-profile experts said the federal government's cyber defenses have become dated and may leave the country open to an attack -- "not by a conventional weapon, but by a cyber weapon."

Click here for the full story.

Monday, April 30, 2007

Entrepreneurial hackers buy sponsored links on Google

Ad links sidetracked users, installed password stealer
A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.

According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.

"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."

Click here for the full story.

Tuesday, April 24, 2007

Olympics to bring London IT security challenges

ID cards may be an answer, but sponsorships pose a problem
Britain's IT industry is likely to see business surge as London prepares to spend at least $2 billion on security when it hosts the 2012 Olympics.

The cost could rise as the U.K. tries to fortify itself during the world's most prominent sporting event from a repeat of the July 2005 bombings on London's transport system, said Derek Wyatt, a member of Parliament who spoke at InfoSecurity Europe in London on Tuesday.

"I hope this gives you an inkling of what I think will be the biggest piece of business your industry is going to face over the next five years," Wyatt told a crowd of IT executives.

Technology will play a major role, although decisions on how it will be integrated are far from decided, Wyatt said. One security issue is authentication: how to ensure a person who holds a ticket is indeed the same person who bought it.

Click here for the full story.

Friday, April 20, 2007

Grading On a Curve

The government's security report card should be taken with a great big grain of salt
By now, almost everyone's heard about the "Federal Computer Security Report Card" released last week. Issued by the House Government Oversight and Reform Committee, the report card is based on the Office of Management and Budget's analysis of each federal agency's own reporting on its compliance with the Federal Information Security Management Act (FISMA).

This report card, like every one since FISMA was enacted in 2002, was abysmal. The federal government as a whole received a C-. The Nuclear Regulatory Commission and departments of Defense, State, Treasury, Commerce, Education and Agriculture all received failing grades. The Department of Homeland Security received a D, while the Department of Energy (which is responsible for the nation's nuclear weapons and energy programs) received a C-.

So what does this tell us about the security of government networks? Not all that much, actually.

Click here for the full story.

Thursday, April 19, 2007

No data stolen in 2006 computer intrusions, says Commerce Dept.

Hackers managed to get into 33 agency computers
Unknown intruders last year managed to infect 33 computers belonging to a bureau of the U.S. Department of Commerce (DOC) with data-stealing Trojans and other malware.

But the compromises were quickly detected and no information is believed to have been stolen, according to testimony presented today at a congressional subcommittee hearing on the extent to which federal networks and critical infrastructure have been compromised by foreign hackers. The hearing is being held by a subcommittee of the Committee on Homeland Security and is being chaired by Rep. James Langevin (D-R.I.).

Click here for the full story.

Wednesday, April 18, 2007

Targeted Attacks on the Rise

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Click here for the full story.

Monday, April 16, 2007

Study: Browser Warnings Don't Work

The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified.

And still, more than half of them entered a password and tried to log in.

That's the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.

Click here for the full story.

Friday, April 13, 2007

Feds Under Fire Over Security

Congress is ticked off about computer security.
Over the last two days, members of both the House and Senate have registered complaints over the way government agencies are dealing with the security issue, and they've called for action to address the problems.

Earlier today, Rep. Tom Davis (R-Va.), ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus when it comes to safekeeping information on government computer systems.

Click here for the full story.

Thursday, April 12, 2007

Just how much will that data breach cost your company?

An online calculator lets companies estimate costs
Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters Inc. may be able to help.

The Farmington, Conn.-based technology liability insurance company has released a free online calculator that it said allows businesses to estimate -- with a fair degree of accuracy -- their financial risk from data theft.

Click here for the full story.

Tuesday, April 10, 2007

How to avoid falling into the phishing hole

You never can defend yourself too much while online.
A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.

The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.

Click here for the full story.

Monday, April 09, 2007

Nearly 500 IRS Laptops Lost or Stolen Over Three Years

Audit also finds unencrypted data of taxpayers on 44 laptops now in use
Nearly 500 Internal Revenue Service laptops — many likely containing unencrypted personal information of taxpayers — were lost or stolen over a 30-month period ending in June 2006, according to an audit released last month.

The audit, conducted by the Treasury Inspector General for Tax Administration, found that between Jan. 2, 2003, and June 13, 2006, a “large number” of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities.
Although auditors were unable to determine exactly what information was contained on the missing laptops, they did conclude that personal information of taxpayers is not adequately protected.

Click here for the full story.

Wednesday, April 04, 2007

Dude, Where's Your PC?

Do you know where all of your company's computers are?
The U.S. Department of Energy's Counterintelligence Directorate doesn't. In fact, the intelligence agency -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued last week by the DOE's Office of the Inspector General.

At least 14 of the computers were known to have processed classified information, the report says. The Counterintelligence Directorate's inventory records "were so imprecise and inaccurate that [the agency] had to resort to extraordinary means to locate an additional 125 computers."

Click here for the full story.

Tuesday, April 03, 2007

Spam Costs $712 Per Employee Annually

As a luncheon meat, Spam is a bargain. As unsolicited marketing, spam is a rip-off: $712 per employee per year, or $71 billion to all U.S. businesses annually.

That's the cost of spam in terms of lost productivity, according to a survey released Monday by IT research firms Nucleus Research and KnowledgeStorm.

These figures come from a survey of 849 e-mail users conducted last month that found that two of every three e-mail messages received by businesspeople are spam, despite the fact that 60% of companies filter spam. The survey results are based on a $30-per-hour pay rate, a 2,080-hour work year, 100,249,046 U.S. e-mail-using workers, and that e-mail users are spending 16 seconds on average identifying and deleting spam that has evaded detection and landed in an in-box.

Click here for the full story.

Monday, April 02, 2007

TJX breach may spur greater adoption of credit card security standards

Experts say TJX either failed to encrypt or truncate credit card numbers or did not secure encryption keys

The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wakeup call to retailers who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.

Click here for the full story.

Friday, March 30, 2007

Eight Faces of a Hacker

You fight against them every day: hackers, attackers, insiders. You know what they do, but not who they are. They are often nameless, usually faceless. You'd like to be able to guess their next move, but that can be pretty difficult when you don't even know what motivates them or why they're attacking you.
Is there a way to "profile" a hacker, the way the police might profile an arsonist or a serial killer? Not exactly. But quietly, a collection of university researchers and law enforcement agencies has been developing a taxonomy of the hacker community, much as an entomologist studies and classifies insects. And police and security experts hope that taxonomy will eventually help them identify and root out the vermin.
Click here for the full story.

Thursday, March 29, 2007

TJX data breach: At 45.6M card numbers, it's the biggest ever

It eclipses the compromise in June 2005 at CardSystems Solutions

After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.

Click here for the full story.

Wednesday, March 28, 2007

Web attacks get personal

Malware purveyors are increasingly tailoring their virus distribution and attack techniques to take advantage of different classes of end-users, according to researchers with the Internet Security Systems' X-Force team at IBM.

Top experts with the Atlanta-based research operation said that malware writers, phishing scheme operators, and botnet herders are more frequently employing so-called personalization tools to make their attacks more effective.

Much like the online marketing companies that gather bits of information to target advertising at individual Web users, cybercriminals are creating malware outlets and code executions that scan readily-available details about people's computing posture to find appropriate recipients for their work.

Click here for the full story.

Tuesday, March 27, 2007

ID Theft Doubles in Two Months

Online identity theft grew at an unprecedented rate during the first two months of 2007, as its two chief components -- malware and phishing -- skyrocketed at rates of 50 to 200 percent.

A study scheduled to be released tomorrow by Internet monitoring firm Cyveillance Inc., found more than 3 million pieces of personal information available on the Web, including approximately 320,000 debit and credit card numbers, 1.4 million Social Security numbers, and 1.3 million account login credentials.

Click here for the full story.

Monday, March 26, 2007

What to Do When Your Security's Breached

Well, it's finally happened. Despite all your efforts to stop both internal and external attackers, someone has penetrated your defenses and stolen or damaged your data.

You've got a full-blown security incident on your hands. What are you going to do about it?

If you've been smart, experts say, you'll already have a computer security incident response team -- and a plan -- in place. You'll even have tested the team and plan in some sort of live simulation.

Click here for the full story.

Thursday, March 22, 2007

Stolen TJX data used in Florida crime spree

Police told company months before company told customers
Law enforcement officials in Florida have arrested six individuals suspected of carrying out a fraud scheme built around the misuse of credit card data stolen from retailer TJX Companies.

In partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club.

The series of arrests marks the first specific instance of crime to be connected to the TJX data heist, although some banks have previously reported that accounts held by consumers affected by the incident had been used in attempted fraud around the globe.

Click here for the full story.

Wednesday, March 21, 2007

Biggest security threat? Your users

How to protect against naive, careless or malicious users
Whether it is the FBI's sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained "sensitive or classified information" or the drama of retailer TJX's February admission that the incident that put its customer credit card information in the hands of thieves impacted more people than originally thought, security incidents keep making headlines and vexing organizations.

Click here for the full story.

Tuesday, March 20, 2007

Huge Leak Revealed at Japanese Firm

One of Japan's largest printing companies today reported the theft of more than eight million pieces of customer information, including addresses and credit card numbers.

Dai Nippon Printing said around 8.64 million pieces of customer information related to 43 client companies -- including Toyota Motor Corp. and Aeon Co. -- were stolen in July by a former employee of a subcontractor, who absconded with a magnetic optical drive containing the data.

Click here for the full story.

Monday, March 19, 2007

Users Go for Data Lockdown

Removable storage devices are turning firms' employees into data security time bombs, forcing many CIOs to rethink their security strategies, according to concerned IT managers here today.

USB drives, in particular, are a major source of anxiety. "The ordinary person is like a mini-data center -- he is walking around with a lot of data in his pocket," warned Kumar Mallavalli, chief strategy officer of InMage and co-founder of Brocade, during a keynote this morning. "The most critical issues that we face today [involve] endpoint security [for] laptops, PDAs, and removable media."

Click here for the full story.

Friday, March 16, 2007

Seven Steps to Safer WiFi

We've all done it: You need quick access to email, so you jump on that free WiFi connection at the local coffee shop, the airport, or a conference hotel. What are the chances you'll get hacked, anyway?

Think again. If you use unsecured WiFi in the clear, without any encryption or security, you're asking for it. Your laptop is routinely broadcasting seemingly innocuous data that when put together, can compromise your system as well as your company's. Hackers have the sniffer tools that can grab login and passwords, or gather bits of information that can reveal who you are and possibly gain entry into your corporate applications. (See Joke's on Me, Tool Uncovers Inadvertent 'Chatter', and Data That Doesn't Drip... Drip... Drip....)

Ask any security expert, and they will say "just say no" to naked WiFi.

Click here for the full story.

Thursday, March 15, 2007

Smart USBs Gone Bad

You know those handy, smart USB drives that let you carry the contents of your computer around your neck when you're on the move, applications and all? These portable drives can also be used by an attacker to steal your user privileges and data.

That's what Bob Clary, a consultant with Secure Network Technologies, recently discovered within just a few minutes of purchasing a smart USB. "The minute I saw the U3 USB drive, I thought 'I can do anything with this.' Five minutes after I had bought it, I had it hacked," says Clary, whose company performs social engineering and penetration testing for its clients.

Click here for the full story.

Wednesday, March 14, 2007

Photocopiers: The newest ID theft threat

Newer models have hard drives that record what has been duplicated
Photocopiers are the newest threat to identity theft, a copier maker said today, because newer models equipped with hard drives record what's been duplicated. At tax time, when Americans photocopy tax returns, confidential information may be easily available to criminals.

Click here for the full story.

Tuesday, March 13, 2007

Burger, Fries & Security

Whipping out that credit or debit card at your local fast-food restaurant may be convenient, but it has also put the so-called quick-service restaurant (QSR) sector under the Payment Card Industry (PCI) standard microscope.

Just ask Wendy's franchisee Paul Haire, who co-owns seven Wendy's restaurants in the Monroe, La., area. Haire's restaurants were some of the first to accept credit cards. The Wendy's stores had also been rife with email-borne malware that spread from the manager's XP-based workstation in the back office to the XP-based electronic point-of-sale (POS) systems in the front of the stores.

"That would bring the whole system down and step these restaurants back into the 60s, with hand-written orders and checks," he says. "We had a huge issue with viruses."

So Haire outsourced his franchises' Internet and security services to BHI. The Eden Prairie, Minn.-based Internet hosting and managed security services provider for SMBs offers a turnkey service for QSRs like Wendy's. He's been using the MSSP for nearly two years now.

Click here for the full story.

Monday, March 12, 2007

'One of our laptops is missing'

These are words no IT manager ever wants to hear. Beyond the embarrassment, there is the danger of seriously bad publicity, damage to brand equity and legal liability. It is possible that losing even a single mobile computer loaded with sensitive information can kill an otherwise thriving business.

The good news is that current technologies and best practices can lower the risk dramatically when mobile computers are lost or stolen.

Click here for the full story.

Thursday, March 08, 2007

ID theft forecast: Gloomy today, worse tomorrow

Thieves are staying a few steps ahead of banks, retailers and the hoi polloi
Virtually every trend line for identity theft is bad news, a research analyst said today as she released a survey showing that 15 million Americans were victimized during a recent 12-month span.

For the year-long period that ended last August, 15 million people were burned by some kind of fraud related to identity theft, said Avivah Litan, a Gartner Inc. analyst. That number is 50% higher than 2003 data released by the Federal Trade Commission.

Click here for the full story.

Wednesday, March 07, 2007

Deep Threat

Enterprises are leaking an increasing amount of data from the inside, and they aren't sure what to do about it.

Those are the conclusions of two new studies -- one from the Ponemon Institute and one from Enterprise Strategy Group -- being published today. Both of the reports suggest that enterprises should be shifting their security attention from the outside to the inside.

"The insider threat is far and away the number one threat," says Eric Ogren, an analyst at Enterprise Strategy Group and one of the authors of the research.

Click here for the full story.

Monday, March 05, 2007

Getting to Know the Enemy Better

Experts agree: The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it.

But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.

Click here for the full story.

Thursday, March 01, 2007

Lessons from the DuPont breach: Five ways to stop data leaks

Follow the data, and protect it, say security experts
In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn't caught until after he left the company for a rival firm.

Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. Earlier in February, a cell development technologist at battery maker Duracell Corp. admitted to stealing research related to the company's AA batteries, e-mailing the information to his home computer, and then sending it to two Duracell rivals.

Click here for the full story.

Monday, February 26, 2007

Top 10 Admin Passwords to Avoid

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

Click here for the full story.

Tuesday, February 20, 2007

How to protect yourself at wireless hot spots

They can be an invitation to disaster, says Preston Gralla, who offers a surefire plan to avoid security breaches
Wi-Fi hot spots in airports, restaurants, cafes and even downtown locations have turned Internet access into an always-on, ubiquitous experience. Unfortunately, that also means always-on, ubiquitous security risks.

Connecting to a hot spot can be an open invitation to danger. Hot spots are public, open networks that practically invite hacking and snooping. They use unencrypted, insecure connections, but most people treat them as if they are secure private networks.

Click here for the full story.

Monday, February 19, 2007

What would you do first as chief information security officer?

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, “chief security officer,” which might include physical security as well -- isn’t either. The four security professionals who share their priorities with us make it clear there’s nothing cookie-cutter about the top IT security job.
Click here for the full story.

Friday, February 16, 2007

Massive Insider Breach At DuPont

The Delaware U.S. attorney on Thursday revealed a massive insider data breach at chemicals company DuPont where a former scientist late last year pleaded guilty to trying to steal $400 million worth of company trade secrets. He now faces up to a decade in prison, a fine of $250,000, and restitution when sentenced in March.

Click here for the full story.

Thursday, February 15, 2007

Getting Users Fixed

Dark Reading’s editorial advisory board held a meeting at last week’s RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry’s greatest obstacles. The following are excerpts from that conversation.

Botnets are the chief exploit facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us.

Click here for the full story.

Wednesday, February 14, 2007

Data Destruction, at Your Disposal

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

Click here for the full story.

Tuesday, February 13, 2007

E-mail retention policies, Part 2

Tips for defining e-mail retention policies
In the previous column, my friend and colleague Prof. Don Holden, MBA, CISSP-ISSMP, and I reviewed some of the issues arising from pre-trial discovery orders involving stored e-mail and e-mail archives.

As we looked through several articles on the subject and thought about the issues, we put together the following list of practical pointers for readers:

Click here for the full story (Part 2).

E-mail retention policies, Part 1

Why e-mail retention is not just a good idea
One of the big factors driving proper retention and destruction of e-mail is that e-mails are discoverable evidence in both civil proceedings and criminal investigations. Retention of e-mail and other unstructured content such as instant messaging is also required in certain industries, particularly in the financial industry, where brokerage houses have been fined millions of dollars for failure to produce e-mails in a timely fashion.

For example, Morgan Stanley was fined $15 million by the Securities & Exchange Commission for failing to produce e-mail messages promptly in response to court-authorized demands for evidentiary discovery.

Click here for the full story (Part 1).

Monday, February 12, 2007

Are 'Sealed' Websites Any Safer?

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Click here for the full story.

Thursday, February 08, 2007

Hackers find a wealth of victims on corporate Web sites

Secure software can help fight Web attacks, experts said at RSA Conference
Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability hackers want to exploit, according to experts at RSA Conference.

Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics.

Click here for the full story.

Wednesday, February 07, 2007

Attackers Take Trojans to the Bank

Mobility, money, and malicious intent have formed a toxic brew, a researcher at Kaspersky Lab said yesterday on the eve of the security conference here. And it's a mix that threatens banks and their customers alike.

Cybercriminals are targeting financial services and consumer banking customers, which is no great surprise, acknowledged Eugene Kaspersky, head of research and development for the international antivirus vendor. But "bank Trojans," in particular, he told Dark Reading, have recently demonstrated more malevolence and effectiveness, threatening to overwhelm antivirus researchers and the methods they use to shut down such malware.

Click here for the full story.

Monday, February 05, 2007

Gates, Ellison to tout security at RSA

The annual RSA Conference, expected to draw 15,000 security professionals and more than 325 vendors from around the world to San Francisco's Moscone Center exhibit hall, kicks off this week with keynotes from industry luminaries Bill Gates and Larry Ellison.

Microsoft Chairman Bill Gates, accompanied by Craig Mundie, chief research and strategy officer, is expected to tout the security of Microsoft's new Vista operating system, plus how e-commerce can improve if Web sites make use of the industry's new Extended Validation Secure Sockets Layer (EV SSL) certificate for authentication.

Click here for the full story.

Friday, February 02, 2007

Call the cops: We're not winning against cybercriminals

Kaspersky seeks police help with fighting cybercrime
Kaspersky Lab Thursday will acknowledge that cybercriminals have the upper hand and cooperative international policing is needed to protect honest users.

"We don’t have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone."

Click here for the full story.

Wednesday, January 31, 2007

Three fundamental guidelines for determining backup health

A high backup success rate doesn't mean a risk-free environment
In previous columns, I've emphasized the need for backup reporting and metrics to ensure that data is protected appropriately. However, even with the benefit of regular, successful backup reports, the fact remains that the devil is in the details. It is important to go beyond a raw statistic, like the percent success or failure, to properly analyze and interpret the actual meaning. To that end, here are three fundamental guidelines to apply when attempting to determine backup health.

Click here for the full story.

Tuesday, January 30, 2007

FBI Faces Fresh Cyber Threats

From dirty bombs and high-tech spies to teenagers planning DoS attacks with Sony PlayStations, the F.B.I. has its hands full with a growing number of cyber-threats, according to David Thomas, deputy assistant director of the agency's science and technology branch.

The official, a keynoter at a conference here today, warned that the Internet is more important to U.S. national security than ever before. "We know that terrorists would like to create a dirty bomb," he said, explaining that his agency has to keep this know-how within the U.S. "Spying is changing -- whereas before people had to travel to the U.S., now they don't have to."

Click here for the full story.

Monday, January 29, 2007

Cybertrust Enters EV SSL Fray

Cybertrust today launched its Extended Validation SSL certificate offering, joining VeriSign and other certificate authorities in supporting the new browser security standard. But some experts are still skeptical that the emerging specification will really hinder serious hackers.

Click here for the full story.

Tuesday, January 23, 2007

Company Cuts Privileges to Cut Malware

One way to minimize your exposure to malware is to reset your Windows client machines to run without system administrator rights, a.k.a. least-privilege user. But is a least-privilege user underprivileged? (See The Truth About User Privileges.)

"Ideally when they come in and use their machine, they shouldn't see any difference," says Keith Brown, network administrator at Gwinnett Health Systems, which has eliminated systems admin rights on over 2,700 of its Windows XP clients. Gwinnett is an Atlanta-area nonprofit healthcare system with over 4,000 employees and 750 physicians.

Click here for the full story.

Monday, January 22, 2007

New secure VPN tunneling protocol in the works at Microsoft

SSTP intended for remote access
Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client devices securely access networks via a VPN from anywhere on the Internet without concern for typical port blocking issues.

The Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP (HTTPS), eliminating issues associated with VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP), which can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers.

The protocol, however, is only for remote access and will not support site-to-site VPN tunnels.

Click here for the full story.

Friday, January 19, 2007

Five Unsolved Mysteries of Security

Ever wonder what happened to a once-hot security revelation that went from the radar screen to near-obscurity -- or to so much exposure that it became passé -- with no apparent resolution? What was really behind big blow-ups like the defunct Week of Oracle Database Bugs (That Never Was)?

Some security issues remain a mystery, even to the experts, either because they're too tough to fix right now (think cross-site scripting), or because we want to know what's really going on behind the scenes among the players involved.

Click here for the full story.

Thursday, January 18, 2007

Retail breach may have exposed card data in four countries

TJX discloses network intrusion, says full extent of info theft not yet known

The credit and debit card data of a large number of shoppers in the U.S., Puerto Rico and Canada, and possibly in the U.K. and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies Inc. last month.

According to a statement issued today by the Framingham, Mass.-based retailer, the network intrusion took place in mid-December and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico.

Click here for the full story.

Wednesday, January 17, 2007

Spam Hidden in Email Newsletters

Careful what you read -- spammers are now hijacking legitimate newsletters and electronic advertisements from big-name brands such as the NFL, Amazon, Wal-Mart, eBay, ESPN, US Airways, Kohls, Verizon, and 1-800-Flowers.
Click here for the full story.

Tuesday, January 16, 2007

Worldwide IT spending to hit $1.5 trillion by end of decade

Global IT spending is expected to reach $1.5 trillion by 2010, according to new research.
Worldwide IT spending will grow by six percent each year until 2010, according to a newly-published IDC report. Global spending last year totaled $1.2 trillion.

Click here for the full story.

Monday, January 15, 2007

Two universities disclose data breaches

Personal data on more than 331,000 people may have been exposed in one breach

The University of Idaho in Moscow yesterday began sending letters to more than 331,000 people warning them about the potential compromise of their personal data following the theft of three desktop computers in November.

Meanwhile, in a separate incident, officials at the University of Arizona in Tucson are investigating a computer break-in that disrupted several school services this week and continued to keep an online procurement system offline even today.

Click here for the full story.

Friday, January 12, 2007

Canadian IT starting salaries to rise 3.5 per cent

A recruiting firm's compensation guide shows demand in several positions. CIOs lament their hiring woes as desperate employers troll for "passive candidates".

Canadian IT professionals will see a starting salary boost of 3.5 per cent this year, with operations managers and data security analysts enjoying the highest raises in base compensation.

Click here for the full story.

10 Ways to Get Users to Follow Security Policy

It's official: Users are the weakest link in the IT security chain. You can have firewalls, encryption, and NAC up to your ears, but it still won't save you from the guy who gives all of his access information to the members of his fantasy football league.

What does it take to get end users to follow company security policy? How can you ensure they understand the rules and respect them?

There are no easy answers, but after interviewing security pros and our crack team of industry experts, we came up with 10 that are pretty good. Is your organization employing all of these enforcement techniques? Take a look and see if there's more you and your managers can do to make security happen in your organization.

Click here for the full story.

Thursday, January 11, 2007

PayPal hopes it's got the key to thwart phishing

$5 gadget delivers a new numeric password every 30 seconds
Over the next few months, eBay Inc. will be offering its PayPal users a new tool in the fight against phishers: a $5 security key.

The PayPal Security Key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.

Click here for the full story.

Wednesday, January 10, 2007

Data Demolition

The IT manager for a multi-site law firm was stumped. As part of a companywide security crackdown, he'd been given orders to ensure any disk drives that were replaced in his data center got destroyed. Overwriting disks with software would not be sufficient. Baffled but eager to please, he asked two of his technicians to bring in hand-drills and sledgehammers. An afternoon's hard work outside the company loading docks, and the job was done.

Sound extreme? Think again. A growing number of IT pros are faced with replacing NAS gear, tape drives, or storage arrays without risking the loss of sensitive data. And depending on their company's position on the matter, they may be going to the shed -- the garden shed -- for the solution.

Click here for the full story.

Monday, January 08, 2007

2007: Trouble Ahead

One thing's for sure about the security threat landscape in 2007: It'll get a lot more personal.

Everybody has an opinion about what the key security threats will be for next year. But the common thread among the plethora of punditry is that security is getting more of a human face, whether you're the victim of an identity theft scam or corporate espionage, or whether you're the double-agent bad guy behind the attack on your own company.

Click here for the full story.

Friday, January 05, 2007

Four Sure-Fire Spam Reducers

Is holiday spam bloating the inbox? Even if you haven't seen quite as much holiday-themed spam as expected sneaking by your email server -- hey, even spammers need a holiday once in a while -- you're probably ready to trim the fat from your email traffic.

But that isn't always so simple. The most frustrating thing about spammers is they keep getting smarter in their quest to evade detection. And spam volume is exploding: Spam-watchers at Symantec say they've witnessed a 55 percent increase in spam over the last six months.

Click here for the full story.

Wednesday, January 03, 2007

The Six Dirtiest Tricks of 2006

Since the dawn of humanity, man has taken pride in his achievements of days past. The courageous defense of his cave from long-toothed predators. A fruitful hunt of the elusive wildebeest. The successful programming of his complicated BlackBerry.

In ancient times, these great achievements were told and re-told in tales, in song, in poetry. Today, journalists have evolved this retelling to a higher art form: the annual "year in review" story. This story is done and re-done each year by virtually every publication in existence, from Sports Illustrated to Hog Monthly.

As a new, innovative Web destination, we thought about not doing one of those stories. Break the mold and all that. But it's the end of the year. The drums are beating. The fire is burning high. The smell of roasted wildebeest hangs pungent in the air. The ceremonial conch shell is passed to us -- it's our turn to, uhh, blow.

So, what the hell. Who are we to argue with evolution?

The following is Dark Reading's look back at six of the most clever and devious IT security exploits of 2006, which we call "The Six Dirtiest Tricks of 2006."

Click here for the full story.

Tuesday, January 02, 2007

Banks Ready for Compliance Deadline

Dec. 31, 2006 will bring out an array of party hats, confetti, and noisemakers across the globe. But in the recesses of data centers in many banks and financial institutions, that date may give IT workers another reason to pop the champagne cork.

New Year's Eve is the final deadline for financial organizations to meet multifactor authentication requirements outlined by the Federal Financial Institutions Examinations Council (FFIEC), which helps to govern security requirements for banks and other organizations that handle consumer funds. The FFIEC guidelines, which were issued in October of last year, require financial institutions to deploy a second form of user authentication by Dec. 31 or face fines of $10,000 and up.

About Me

Choose Dyrand Systems as your virtual IT department and focus on growing your business—not on the technology that supports it. You deserve peace of mind when it comes to IT. When you choose Dyrand, you’re choosing more than just an IT firm—you’re choosing an extension of your own team.