I apologize for the short notice, but this blog is in suspended animation until further notice. This was a business decision that I adamantly disagree with, and I will be back with some noticeable changes in the near future. In the meantime, please bear with me while I sort out some business decisions.
In the wake of the HP scandal there has been a lot of attention paid lately to “pretexting”, the practice of posing as someone else in order to gain access to their personal data. However, a British TV program has shown that there is more than one way to skin the identity-fraud cat: an undercover reporter was offered the personal details of 100,000 UK bank customers, stolen by offshore call-center workers.
The knee-jerk reaction is simply to point the finger at outsourcing and offshoring, but they are largely irrelevant to the situation. Lax corporate security and indifferent attitudes towards data breaches certainly aren’t restricted to a particular country, industry or line of work. So the suggestion that banks and other companies that give offshored workers access to personal financial information could solve the problem simply by bringing outsourced functions back in-house is inaccurate: the same people with the same access, and the same absence of controls, would just be sitting in a different building.
Quite clearly, many companies’ security policies are inadequate, unenforced or nonexistent, whether for in-house employees or external suppliers, and there’s currently little motivation for them to take the problem seriously. Whether data is kept internally or shared with offshore workers doesn’t really seem to matter — it doesn’t appear particularly secure either way.
According to the Washington Post, developers for the OLPC project are working on implementing virus protection in each laptop’s kernel and master boot record, and on the way the laptops deal with both security and code sharing:
“The developers of software for the One Laptop Per Child (OLPC) initiative are redefining security for the personal PC. Since the laptops have the potential of communicating with any other laptop, the developers have a unique opportunity to implement both virus protection on the kernel, master boot record and also the way in which the laptops deal with security and ‘code-sharing.’
The developers are currently seeking outside counsel from security experts and if you’re worried about these security schemes posing only problems to the children, ‘these security measures can be turned off by the PCs’ owners. To protect against that leading to disaster, the laptops will automatically back up their data on a server whenever the machines get in wireless range of the children’s school. If a child loses data, the files can be restored by bringing the laptop within wireless range of the server.'”
The Bureau of Industry and Security (BIS), a branch of the Commerce Department, has sustained several successful attacks. Chinese hackers were able to gain access to its computers and install rootkits and other malware.
From the Information Week article:
“This is the second major attack originating in China that’s been acknowledged by the federal government since July. Then, the State Department said that Chinese attackers had broken into its systems overseas and in Washington. And last year, Britain’s National Infrastructure Security Co-ordination Center (NISCC) claimed that Chinese hackers had attacked more than 300 government agencies and private companies in the U.K.”
I’m getting more and more concerned that the US Government does nothing to ensure the security of our records. I don’t know why they don’t move forward on making our federal computer systems failsafe.
ZDnet reported: “The SANS Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority.
The SANS report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain.”
I would of course agree that loss or theft of data on laptops is important … along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.
Would you leave your front door open for a month? That’s exactly what many individual Internet users are doing with their personal computers over the Net.
Internet criminals are increasingly targeting home users for identity theft, fraud and other financially motivated crime, reports the latest Internet Security Threat study released by anti-virus firm Symantec.
Home users are less likely to have established security measures in place and are careless with their data, making themselves a statistic on a security report. They account for 86 per cent of all targeted attacks, followed by the financial services sector, government, education and IT firms. E-mail, browsers and desktop applications are the window into your personal computer.
Calling end-users the “weakest link in the security chain”, Mr Vishal Dhupar, Managing Director, Symantec India, said that with the emergence of Web 2.0, security concerns would increase. Web 2.0 is the new trend sweeping the virtual world, where concepts such as sharing, blogging, democracy of information and ‘power to the individual’ are gaining momentum. Attackers will take advantage of the implied trust between the community of individual developers and the sites hosting content to compromise individual users and/or Web sites, warns Symantec.
Online threats made up 69 per cent of all vulnerabilities. Patches can be downloaded to fix them, but the numbers give a reality check.
It takes about three days to produce malicious code (a virus, worm, spam campaign and so on) and 31 days to produce a patch for the flaw it exploits. That leaves a 28-day window during which an attacker can reach into your critical files and steal whatever information is wanted, even on a machine whose owner patches promptly.
In a surprising revelation, Symantec reports that the open source Mozilla browser had the most vulnerabilities, 47, compared to 38 in Microsoft’s Internet Explorer. However, the more popular Internet Explorer was the most frequently targeted Web browser, accounting for 47 per cent of all Web browser attacks. Twenty per cent of all attacking IP addresses targeted the Firefox browser.
It also said that spam was up from 50 per cent of all monitored email traffic six months ago to 54 per cent. In the last report the firm reported a decline in spam, but the current reversal of that trend indicates that spammers may have found ways to circumvent anti-spam measures, for example by using image-based spam. One out of every 122 spam messages contained malicious code.
It’s no secret that the government has been pushing for more stringent data retention laws, on the belief (which many question) that by forcing ISPs to collect all this data, it will better help criminal and terrorist investigations. At the same time, the recent leak of data by AOL has some pushing in the completely opposite direction, suggesting there should be laws that ban companies from collecting and holding onto too much data. In fact, I noted that the AOL leak may have caused some politicians to rethink their position on data retention.
Adam Thierer, over at the Tech Liberation Front, has also noticed these two diametrically opposed issues, and wonders how search engines are going to deal with being pulled from both sides. Hopefully, the answer is that the back and forth on these two issues has a better chance of making sure that nothing happens, and things are pretty much left as is. This may turn out to be the best solution for everyone.