Thursday, June 09, 2011

I couldn't ask for a better summary for my Intro to Computer Security class.

http://www.databreaches.net/?p=18692

Check Point and Ponemon Survey Reveals 77% of Businesses Experienced Data Loss Last Year

June 8, 2011 by admin

Check Point and the Ponemon Institute released the results of a new survey today. From their press release:

77 percent of organizations surveyed have experienced data loss in the last year. Key findings from the report, “Understanding Security Complexity in 21st Century IT Environments,” show respondents cited customer information (52%) as the most common type of information compromised — in addition to intellectual property (33%), employee information (31%) and corporate plans (16%). With the adoption of Web 2.0 applications and more mobile devices connecting to the network, organizations are challenged with enforcing better data security and IT Governance, Risk and Compliance (GRC) requirements.

According to the survey of over 2,400 IT security administrators, the primary cause for data loss resulted from lost or stolen equipment, followed by network attacks, insecure mobile devices, Web 2.0 and file-sharing applications and accidentally sending emails to the wrong recipient. In addition, approximately 49 percent of all respondents believe their employees have little or no awareness about data security, compliance and policies — encouraging business to integrate more user awareness into their data protection strategies, as people are often the first line of defense.

[...]

The survey, “Understanding Security Complexity in 21st Century IT Environments,” was independently conducted by the Ponemon Institute in February 2011, surveying IT security administrators located in the U.S., U.K., France, Germany and Japan. The survey sample represents organizations of all sizes and across 14 different industries. For more information about Check Point DLP or access to the full report, visit: http://www.checkpoint.com/products/dlp-software-blade/index.html.

Okay, let’s do the math. 77% of 2400 organizations = 1848 organizations that had data loss from their sample. If half of those losses involved customer data, that’s 924. Did we have 924 data breach disclosures last year from their sample? And that’s without counting the ones where employee data were compromised. It would appear that the media or sites that track breaches did not find out about most of these breaches. And that’s just from one sample. Hmmmm….



How valuable are accurate logs? Notice that two out of three students didn't report the problem.

http://www.databreaches.net/?p=18695

VA: University of Mary Washington notifies students of data breach (update1 with memo to students)

June 8, 2011 by admin

Jeff Branscome reports UMW sent the following e-mail to all employees to remind them of security policies in the wake of a breach involving student information:

To All Faculty/Staff:

This is to advise you that UMW experienced an information security incident, which you may read about in the news media. The attached letter was sent to all students whose personal information was subject to unauthorized exposure. The exposure was very limited and we have no reason to believe that there will be further harm to the privacy of the individuals involved. In compliance with the policies and procedures of UMW and the Commonwealth of Virginia, the incident was brought to the attention of all affected students. In brief, a UMW student who was searching the EagleNet portal for his own information found student data files on a departmental EagleNet site. The data files included personal information for a large number of UMW students. The student proactively and responsibly reported this fact to university officials and immediate steps were taken to prevent further access to this information and to remove the files from the departmental EagleNet site. Based upon our review of the situation, we have determined that a total of three currently enrolled students opened these files. [That's why you keep logs! Bob] We have spoken with all three students and have no reason to suspect there was any malicious intent involved or that any student data will be targeted for identity theft.

Earlier this year, all faculty and staff were notified of the requirement to complete Information Security Awareness training. This training reviewed various information security related policies, including the Electronic Storage of Highly Sensitive Data Policy. These policies require all of us to diligently safeguard and protect the university’s data, and to take extra precautions to ensure the protection of highly sensitive, personally identifiable information involving members of the UMW community. All university employees should review these policies, found at: http://www.umw.edu/doit/itsecurity/it_security_policies.php.

So far, I don’t see any notice on UMW’s web site or in the media, but have e-mailed the university to request more information and I imagine we’ll see more details revealed soon.

Update 1: The university kindly sent me a copy of the notice sent to students, which indicates that Social Security numbers were involved. In a separate email, a university spokesperson informs DataBreaches.net that 7,566 students were notified of the problem.
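An added example, not from the UMW memo or from DataBreaches.net, of the log review that lets an institution say "exactly three students opened these files". It assumes Apache-style combined access logs in which the portal records the authenticated username in the third field (an assumption about the portal; the log lines, addresses, usernames and paths are constructed for the example). It counts only completed GET downloads of the exposed files, and it keeps the hits the log cannot tie to a user separate, because those are precisely the cases where "a total of three" could not honestly be stated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in Apache "combined" format, with the portal's authenticated
# username in the third field.  Addresses, usernames, paths and times are invented
# for this example; nothing here is from UMW's systems.
SAMPLE_LOG = """\
10.0.0.12 - jsmith [06/Jun/2011:09:14:02 -0400] "GET /departments/registrar/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - jsmith [06/Jun/2011:09:14:10 -0400] "GET /departments/registrar/students_spring2011.xls HTTP/1.1" 200 884120 "-" "Mozilla/5.0"
10.0.0.45 - agarcia [06/Jun/2011:11:02:33 -0400] "GET /departments/registrar/students_spring2011.xls HTTP/1.1" 200 884120 "-" "Mozilla/5.0"
10.0.0.45 - agarcia [06/Jun/2011:11:03:01 -0400] "GET /departments/registrar/students_fall2010.xls?dl=1 HTTP/1.1" 200 790004 "-" "Mozilla/5.0"
10.0.0.77 - bwong [07/Jun/2011:15:40:19 -0400] "GET /departments/registrar/students_spring2011.xls HTTP/1.1" 200 884120 "-" "Mozilla/5.0"
10.0.0.90 - klee [07/Jun/2011:16:05:44 -0400] "GET /departments/registrar/students_spring2011.xls HTTP/1.1" 403 214 "-" "Mozilla/5.0"
10.0.0.91 - mpatel [08/Jun/2011:08:12:00 -0400] "HEAD /departments/registrar/students_spring2011.xls HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.92 - - [08/Jun/2011:08:30:00 -0400] "GET /departments/registrar/students_spring2011.xls HTTP/1.1" 200 884120 "-" "curl/7.21.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]       # match on the file, not the query string
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def who_opened(log_text, exposed_prefix):
    """Attribute every completed download of a file under exposed_prefix.

    Only GET requests answered 200/206 count: a 403 means the server refused the
    file (for instance after permissions were fixed) and a HEAD moves no data.
    Hits with no authenticated user are returned separately, because the log
    cannot say who was behind them."""
    opened, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(exposed_prefix):
            continue
        if rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        if rec["user"] is None:
            unattributed.append(rec)
        else:
            opened[rec["user"]].append(rec)
    return dict(opened), unattributed


def silent_viewers(opened, reporters):
    """Users who downloaded the files but are not among those who reported them."""
    return sorted(set(opened) - set(reporters))


if __name__ == "__main__":
    opened, unattributed = who_opened(SAMPLE_LOG, "/departments/registrar/students_")
    for user, recs in sorted(opened.items()):
        first = min(r["ts"] for r in recs)
        print(f"{user}: {len(recs)} download(s), first at {first.isoformat()}")
    print("opened but did not report:", silent_viewers(opened, reporters={"jsmith"}))
    print("downloads the log cannot attribute:", len(unattributed))
```

Two things the memo's confidence rests on: the log has to carry an identity (a portal behind campus login does; a plain web server only has a client address, which is the unattributed case above), and it has to cover the whole exposure window, so retention matters as much as logging itself.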



Another rash of card skimmers on their ATMs?

http://www.databreaches.net/?p=18718

Citibank confirms hacking attack

June 9, 2011 by admin

Hackers have stolen data from thousands of Citibank customers in the US, the bank has confirmed.

The breach exposed the names of customers, account numbers and contact information.

But other key data, such as date of birth and card security codes were not compromised, the bank said in a statement.

Citigroup is the latest in a string of high profile companies to be targeted by cyber criminals.

It has been criticised for not telling customers about the breach when it happened in May.

[...]

Around 200,000 customers were affected, the statement said, although earlier the bank had said it could affect up to 1% of its 21 million users.

It did not detail how the breach had occurred.

Read more on BBC or any of the hundreds of news sources that are covering this breach this morning. I expect we’ll have more to add to this one. I don’t see any statement linked from citibank.com at the time of this posting.



Huge (and wrong)

Court Rules Passwords+Secret Questions=Secure eBanking

"A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes "reasonable" security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of "something you know" + "something you have". The case has generated enormous discussion over whether the industry's "recommended" practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC"

[From the article:

The magistrate was unswayed by evidence presented by Patco’s lawyers that modern malware threats like ZeuS can modify content in the victim’s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim’s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco’s main theory concerning the weakness of the bank’s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

… The FFIEC was on the verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered defenses required in 2011. Litan said those updates were expected to explain that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next-generation cybercrime techniques.

“It’s truly disappointing that the much-needed update was never issued, no doubt because of internal politics and disagreements among the regulatory agencies,” she said. “The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from bank shortcomings that compromise the safety and security of their accounts, just as consumers are protected under Regulation E. In my opinion, this judge did not correctly interpret the 2005 FFIEC authentication guidance.”

… “The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,” Patterson said. “Not anymore. That’s why we’re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.”

… A copy of the recommended decision is available here (PDF).
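The point Patco's lawyers made, and the magistrate set aside, is a mechanical one, so here is an added simulation of it in Python (not code from the article, from the court filings or from any bank). It models the controls at issue: a password, secret-question challenges for transfers at or above a dollar threshold, and a device cookie as the "something you have", against a ZeuS-style trojan that records what the user types into the bank's pages and sends its own requests from inside the victim's browser session. The bank class, account name, questions, answers and amounts are invented for the example. It goes beyond the article in two labelled places: it also shows that raising the threshold back up simply lets the attacker keep each fraudulent transfer under it, and it adds, as a contrast, a transaction code computed on a separate device from the amount and destination, one standard way of binding the authorisation to what the customer actually approved; the article does not propose that design.

```python
import hashlib
import hmac
import secrets


def oob_code(key, amount, dest):
    """Code a separate device (phone or token) would show after displaying the
    amount and destination.  Added as a contrast; not part of the bank model the article describes."""
    return hmac.new(key, f"{amount}:{dest}".encode(), hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy model of the controls at issue: password, secret questions for transfers at or
    above a dollar threshold, and a device cookie as the 'something you have'.  Invented code."""

    def __init__(self, challenge_threshold, oob=False):
        self.challenge_threshold = challenge_threshold
        self.oob = oob                              # use the transaction code instead of questions
        self.accounts = {}

    def enroll(self, user, password, questions):
        self.accounts[user] = {
            "password": password,                   # clear text only to keep the model short
            "questions": dict(questions),           # question -> expected answer
            "device_cookie": secrets.token_hex(16),
            "oob_key": secrets.token_bytes(16),     # shared with the separate device, never the PC
        }
        return self.accounts[user]["device_cookie"]

    def transfer(self, user, password, device_cookie, amount, dest, answers=None, code=None):
        acct = self.accounts[user]
        if password != acct["password"]:
            return "denied: bad password"
        if not hmac.compare_digest(device_cookie, acct["device_cookie"]):
            return "denied: unrecognised device"
        if self.oob:
            if code is None or not hmac.compare_digest(code, oob_code(acct["oob_key"], amount, dest)):
                return "denied: code does not match amount and destination"
        elif amount >= self.challenge_threshold:
            if answers is None:                     # first attempt: send the questions to the browser
                return "challenge:" + "|".join(acct["questions"])
            if any(answers.get(q) != a for q, a in acct["questions"].items()):
                return "denied: wrong challenge answer"
        return "ok"


class InfectedBrowser:
    """The victim's browser with a ZeuS-style trojan: it records what the user types into
    the bank's pages and sends its own requests from inside the victim's session."""

    def __init__(self, bank, device_cookie):
        self.bank, self.device_cookie = bank, device_cookie
        self.keylog = {"password": None, "answers": {}}

    def user_transfer(self, user, password, amount, dest, answer_fn):
        self.keylog["password"] = password          # typed into the login form: captured
        r = self.bank.transfer(user, password, self.device_cookie, amount, dest)
        if r.startswith("challenge:"):
            answers = {q: answer_fn(q) for q in r.split(":", 1)[1].split("|")}
            self.keylog["answers"].update(answers)  # typed into the challenge form: captured
            r = self.bank.transfer(user, password, self.device_cookie, amount, dest, answers)
        return r

    def attacker_transfer(self, user, amount, dest):
        # Tunnelled through the victim's browser, so the device cookie is the victim's own.
        return self.bank.transfer(user, self.keylog["password"], self.device_cookie,
                                  amount, dest, self.keylog["answers"])


QA = {"first pet": "rex", "street you grew up on": "elm", "first car": "civic"}  # invented


def run_scenario(threshold, legit_amounts, fraud_amount=150_000):
    """Return (challenge answers the trojan harvested, result of its own transfer)."""
    bank = Bank(challenge_threshold=threshold)
    browser = InfectedBrowser(bank, bank.enroll("victim", "hunter2", QA))
    for amount in legit_amounts:                    # the customer's routine payments
        assert browser.user_transfer("victim", "hunter2", amount, "payroll", QA.get) == "ok"
    return len(browser.keylog["answers"]), browser.attacker_transfer("victim", fraud_amount, "mule")


def oob_scenario():
    """Same stolen password and cookie, but the code the user read off the separate
    device is bound to the payment that device displayed, not to the attacker's."""
    bank = Bank(challenge_threshold=1, oob=True)
    cookie = bank.enroll("victim", "hunter2", QA)
    code = oob_code(bank.accounts["victim"]["oob_key"], 250, "payroll")
    return bank.transfer("victim", "hunter2", cookie, 150_000, "mule", code=code)


if __name__ == "__main__":
    print("threshold $1, two routine payments:", run_scenario(1, [250, 300]))
    print("threshold $100,000, same payments: ", run_scenario(100_000, [250, 300]))
    print("fraud kept under that threshold:   ", run_scenario(100_000, [250], 9_000))
    print("out-of-band transaction code:      ", oob_scenario())
```

With the threshold at $1 the trojan holds every challenge answer after the customer's first routine payment, and its own transfer is accepted: the password, the answers and the device cookie are all the victim's, and nothing in that exchange lets the bank tell the attacker's request from a legitimate one. That is why a device fingerprint presented by the same browser is not a second factor against this malware. Raising the threshold only changes the attacker's arithmetic. The out-of-band check refuses the attacker not because any secret stayed hidden but because the code was computed over a different amount and destination than the ones submitted.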


(Related)

http://www.bespacific.com/mt/archives/027460.html

June 08, 2011

Commerce Department Proposes New Policy Framework to Strengthen Cybersecurity Protections for Businesses Online

News release: "The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the “Internet and Information Innovation Sector” (I3S) – these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks."



Welcome to the Cloud... Not just a jurisdictional question – how do you shut down users who are breaking the country's law?

Google Redirects Traffic To Avoid Kazakh Demands

"Google has rejected attempts by the Kazakh government 'to create borders on the web' and has refused a demand to house servers in the country after an official decree that all Internet domains ending with the domain suffix for Kazakhstan be domestically based. Bill Coughran, Google senior vice president, said in his blog that from now on, Google will redirect users that visit google.kz to google.com in Kazakh: 'We find ourselves in a difficult situation: creating borders on the web raises important questions for us not only about network efficiency but also about user privacy and free expression. If we were to operate google.kz only via servers located inside Kazakhstan, we would be helping to create a fractured Internet.' Mr. Coughran said that unfortunately, it would mean that Kazakh users would have a poorer experience as results would no longer be customized for the former Soviet republic."


(Related) Apple's vision for the Cloud... Out of sight, out of mind, out of control?

http://techcrunch.com/2011/06/08/apple-icloud-google-cloud/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

“It Just Works.”

With iCloud, Apple is transforming the cloud from an almost tangible place that you visit to find your stuff, to a place that only exists in the background. It’s never seen. You never interact with it, your apps do — and you never realize it. It’s magic.



“Why should we follow our own Privacy guidelines?”

http://www.bespacific.com/mt/archives/027459.html

June 08, 2011

EPIC: WhiteHouse.gov to Track Users for Two Years

EPIC: "The White House modified its privacy policy for WhiteHouse.gov on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies. The present policy reflects changes the administration made last year to allow for use of tracking cookies by federal websites. For more information, see EPIC: White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites."
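Whether a site's cookies die with the browser or persist for two years is visible in the Set-Cookie headers it sends, so an added check (not from EPIC's note or from whitehouse.gov) is to measure the lifetimes directly instead of relying on the policy text. The headers below are constructed for the example; the cookie names are invented and are not the ones whitehouse.gov sets. The parser follows RFC 6265: Max-Age takes precedence over Expires, and a cookie carrying neither is a session cookie.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers standing in for what a browser receives from a
# site that loads an analytics script.  Names and values are invented for the
# example; they are not the cookies whitehouse.gov sets.
NOW = datetime(2011, 6, 9, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "session_id=7c1e; Path=/; Secure; HttpOnly",                        # no Expires/Max-Age: session cookie
    "visitor_id=9f3a; Path=/; Expires=Sat, 08-Jun-2013 12:00:00 GMT",    # Netscape-style date, about 2 years
    "pref=lang%3Den; Path=/; Max-Age=2592000",                         # 30 days
    "analytics_uid=1.2; Path=/; Max-Age=63072000; Expires=Thu, 01 Jan 1970 00:00:00 GMT",  # Max-Age wins
]


def cookie_lifetime(header, now=NOW):
    """Return (name, lifetime) for one Set-Cookie header.  lifetime is None for a
    session cookie, otherwise a timedelta measured from `now` (negative if expired)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:                    # RFC 6265: Max-Age takes precedence over Expires
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:            # no zone in the date: treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return name, expires - now
    return name, None                         # neither attribute: dies with the browser


def flag_persistent(headers, limit_days, now=NOW):
    """Names of cookies whose lifetime exceeds limit_days; session and expired cookies are not flagged."""
    flagged = []
    for header in headers:
        name, life = cookie_lifetime(header, now)
        if life is not None and life > timedelta(days=limit_days):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, life = cookie_lifetime(header)
        label = "session" if life is None else f"{life.days} days"
        print(f"{name:14s} {label}")
    print("persist beyond a year:", flag_persistent(SAMPLE_HEADERS, 365))
```

One caveat when running this against a live site: cookies written by script (which is how analytics libraries commonly set theirs) never appear in a Set-Cookie header, so for those you have to read the expiry the browser actually stored; the same lifetime rule applies once you have it.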



...so, no doubt there will be more incidents like Weiner's...

http://www.usatoday.com/yourlife/sex-relationships/2011-06-08-sexting-adults-power_n.htm

Adult sexting tied to power, 'unlimited partners'

Embattled Rep. Anthony Weiner, D.-N.Y., may have been the only person in the past week to gain national media attention for sending suggestive pictures of himself via social media, but his behavior follows a common pattern.

Though research exists into so-called "sexting" by teens, including a widely publicized study by the Pew Internet & American Life Project in 2009, studies on the sexting and online flirtation habits of adults are much more sparse.

Some information does exist, albeit with widely varying estimates on how widespread the behavior is. Findings from Pew in October suggest 6% of adults have sent sexually explicit messages over the Internet.

But some other recent surveys point to higher numbers.

A 2009 survey of more than 1,200 respondents by the Cranfield School of Management in the U.K. showed that more than half of participants have used the Internet for flirting, affairs and sexual advances.

And a 2009 online survey of 323 people ages 13 to 72 by psychologist Susan Lipkins of Port Washington, N.Y., found 66% of the sample had sent sexually explicit messages.


(Related) Attention Congressman Weiner!

http://techcrunch.com/2011/06/08/twitter-has-begun-rolling-out-new-photo-service-to-users/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Twitter Has Begun Rolling Out New Photo Service To Users



For your personal toolkit.

http://www.makeuseof.com/tag/3-free-realtime-malware-protection-removal-tools/

3 Free Real-Time Malware Protection & Removal Tools

ThreatFire

Ad-Aware

Spyware Terminator

Malware protection and removal tools are only one level of security. In addition, you should use a firewall and a traditional anti-virus program. Please check out these MakeUseOf articles for more advice on how to keep your system protected:

