Security Breaches

Spending doesn't guarantee data security

Judi Hasson — Tue, 08 Jul 2008 22:34:07 -0400

InformationWeek recently polled 1,100 IT and business professionals about their plans for security and found that they believe their data is safer, even with budgets holding steady or increasing. Sixty-six percent of respondents said their vulnerability to breaches and malicious code attacks was either the same as last year, or even worse.

If money is not the issue, what gives? One answer is the need to focus risk management processes, carefully evaluating threats and placing the resources where the needs are the greatest. The survey found only about half of the respondents actually had risk management plans, and only 22 percent paid attention to such issues as code security. The survey also found companies behind in implementing encryption to protect customer and employee data.

All the while, viruses, phishing attacks, and worms continue to cause major headaches. What's the problem? Complexity was cited as the biggest security challenge by 62 percent of respondents. "More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use,'' the article stated.

For more:
- check out this InformationWeek.com article

Domain registration SCAM derailed

Thu, 19 Jun 2008 06:59:59 -0400

A federal judge has stopped a Toronto company from continuing to deceptively pose as a domain name registrar and sending bogus bills to thousands of U.S. small businesses and nonprofit organizations for their annual "WEBSITE ADDRESS LISTING."

Many of the businesses and nonprofits believed they would lose their website addresses unless they paid the bill. The Federal Trade Commission alleged that, in most cases, the defendant did not provide domain registration services or the "search optimization" services it claimed to provide, and bilked small businesses and nonprofits out of millions of dollars.

For more on this scam:
- check out this FTC press release

Another way to spot a hacker

Thu, 05 Jun 2008 06:59:58 -0400

It continues to be hard to spot security vultures, but McAfee's "Mapping the Mal Web Revisited' outlines data from 9.9 million websites to spot the biggest security threats.

The report said that nearly 20 percent of all Hong Kong websites present a security threat. The other most dangerous sites are registered in China (.cn) and the Philippines (.ph). With that kind of information in your hip pocket, it just might be easier to spot and block sites from those locales.

For more:
- see this InformationWeek.com article

HP accused of crippling its own BIOS password security

Paul Mah — Tue, 03 Jun 2008 06:22:56 -0400

HP has come under fire from UK-based security company SecureTest for effectively crippling the BIOS password security measure for its laptops by publishing reset data on its website. This comes against a backdrop of an increasing number of security breaches stemming from stolen laptops. Unlike desktop BIOS reset procedures that involve the shorting together of (guessable) jumpers on the motherboard, laptop BIOS resets typically involve calling up your vendor and enduring a challenge-response, or perhaps even a visit to a dealer. While relying on BIOS security is hardly absolute, the argument is that it does form one layer of an in-depth defense paradigm. Not everyone agrees though, with some putting BIOS passwords down as a "redundant" option. HP, so far, remains silent on the matter.

For more on HP's BIOS password security:
- check out this Channel Register article

Staffer fired for discussing security lapses

Tue, 27 May 2008 06:59:59 -0400

Many companies encounter security issues, but none want their IT network problems aired in public. A low-level TJX Kansas employee recently found out about this code of silence, having lost his job for violating corporate policy by disclosing proprietary information and not going through proper channels.

The employee, it turns out, took part in a computer security online discussion group and criticized the company's password policy, its server security settings, and the competence of the technicians who install firewalls at the T.J. Max company stores. The company previously suffered a breach that compromised 94 million credit and debit card accounts, costing it tens of millions of dollars in legal settlements.

To read more about this faux pas:
- check out this infoworld.com article

Feds encrypt 800,000 government laptops, 1.2 million more to go

Paul Mah — Fri, 23 May 2008 05:50:06 -0400

Government agencies in the United States are scrambling to plug a glaring security hole in the form of sensitive information stored on laptops and portable media such as thumb drives. More than 800,000 licenses for encryption software were purchased by agencies last year alone. Still, the brisk upswing came only after repeated headliners of gross security breaches and against a backdrop of increased risk of identity theft.

Various software from up to 10 leading vendors are available under steep discounts under the DAR (Data at Rest) Encryption program--run jointly by the General Services Administration and the Department of Defense--though the most popular products are hybrid packages that offer both full disk and file folder encryption.

For more on the DAR Encryption program:
- check out this Network World article

Spam turns 30

Mon, 05 May 2008 06:59:59 -0400

Spam, the bane of every office and personal email system, celebrated its 30th birthday on May 3 and as every CIO knows, age hasn't stopped the scourge from remaining ubiquitous. Microsoft founder Bill Gates predicted in 2004 that the spam problem would be solved in two years. But Sophos, an email security company, says that 95 percent of all email today is spam, while Symantec says that figure is more like 80 percent to 85 percent. Due to sophisticated solutions, email service providers and the hard work of IT managers, end users only see a fraction of what's out there. But the spammers are an industrious lot, constantly presenting new security risks to company systems and offering an unrelenting array of solicitations for unwary victims. Princeton computer science professor Ed Felten says "there is more spam than ever and no end is in sight."

For more on spam's significant birthday:
- See this InformationWeek article

Security pros: don't forget common sense

Thu, 27 Mar 2008 07:59:58 -0400

You can run as much anti-virus software as you can afford, but that's still no substitute for common sense. Remember: today's cyber criminals are continuously updating the malware that they have managed to install on a victim's computer. No safeguard is good enough if the computer user does not remember to stay away from links or open attachments that arrive unexpectedly via email or instant messaging. Also, remember that anti-virus programs are the most effective when part of a layered security approach. That includes frequent software patching and using a (hardware and/or software) firewall. Every IT department should have a secure system, using the latest technology and making sure that computer users are properly trained.

For more on the best kind of security:
- See this Washington Post article

ATM machines cry out for security

Mon, 25 Feb 2008 06:59:59 -0500

ATM machines may be a new target for hackers. A report by the managed security firm, Network Box, outlined several threats to these commonplace banking tools. They include IP worms, disruption of the IP network, denial of service and the harvesting of transaction data for malicious purposes. The report said that banks and financial institutions are not securely protecting customers' data. The reason may be because the technology is too old.

An estimated 70 percent of current ATMs are based on PC/Intel hardware and commodity operating systems using standard IP networking. Many financial institutions have opted for cheaper systems rather than the best security. And that means that credit/ATM card numbers, transaction amounts and account balances could be easily captured by hackers.

"Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure," said Mark Webb-Johnson, chief technology officer at Network Box. But that might be assuming way too much. Network Box recommends that all traffic to and from ATM machines should be encrypted, not just the PIN number. ATM networks should also be separated from the rest of the bank's network, thereby allowing them to be closely monitored and controlled. If your ATM machine isn't secure, what is?

For more on ATM vulnerabilities:
- See this VNunet article

ALSO NOTED: The CIO must think like a politician;Are CIOs facing pressure to trim staff?;

Thu, 31 Jan 2008 06:59:58 -0500

> The CIO must think like a politician. Article
> Are CIOs facing pressure to trim staff? Article
> Four cases of data security breaches. Article
> Get paid for a job interview. Article
> Management gets the bulk of corporate training $$$. Article
> For CIOs: 10 free technology tools. Article
> Internet breakdown in Egypt and India. Article

And Finally... Watch out for the Valentine's Day worm. Article