Protecting from Identity Theft? A good Start

Calendar November 12, 2009 | Posted by Dave

I apologize for delays in new post, business has been well keeping me busy.  2010 I hope to update more regularly.  Until here is an article I wrote for security magazine in 2008.  I hope you enjoy.

Protecting from Identity Theft? A Good Start

by Dave Chronister
April 1, 2008

Technology’s ever-growing importance is a mixed blessing.

On one hand, it keeps me employed, but many times I will find myself talking about “new threats” that aren’t really new, they are just finally coming to the public’s attention.

The issue “de jour” is identity theft, and, according to the general public, this never happened until the TJ Maxx break in. Am I the only one who watched Sandra Bullock in “The Net?” Granted this movie was a little far-fetched — I mean, come on, ordering a pizza online? But there we were in the mid-1990s watching a movie about a recluse woman whose identity was stolen in order to cover up a major conspiracy. Now, 13 years later, we live in a world where it seems the only data leak to worry about is consumer information.

Doesn’t a company with revolutionary ideas worry about corporate espionage and loss of trade secrets? Shouldn’t a publicly traded company need to ensure its financials are not released prematurely?

In reality, security professionals have to deal with data of different levels of security, much of which is unknown to even them. So while the rest of the world is focused on the little old ladies’ Social Security numbers, let’s look at the best strategies on keeping our sensitive information in our castle’s keep and maybe even use the identity theft hysteria to our advantage.

The decentralization of a company’s data stores and multiple facets of data retrieval have rendered the security strategy of building a bigger outside wall obsolete.  A silver-bullet solution will eventually become an Achilles’ tendon. Instead, you want to go for layers, defense in depth. Structure your security solutions to identify threats, guard against automated scans, and slow down and report possible intrusions. In the event of a successful attack, ensure containment and, if possible, identify the offenders of the data loss.

Let’s take a look at a few weapons that you may want to put in your arsenal.

First, there are network traffic analyzers — and we are not talking about your network administrator’s wire shark system. These analyzers will examine the content and determine if sensitive data may have been sent out to unauthorized recipients. Many traffic analyzers will even determine if information is being sent to correct destinations but over incorrect channels, say instant messaging or IM, or to the public network unencrypted.

The obvious concern with this technology would be the potential bottleneck that you would face even on a small network. Global Velocity, one of the newer companies in this realm, is about to release a hardware-based content analyzer that it claims can process 10gbps. The potential is a godsend, but it isn’t without limitations. It can only analyze clear text. Someone sending out binaries, say screen prints, or encrypted traffic, such as a virtual private network or VPN stream, would not be analyzed. It also only handles traffic heading out of your network to other networks either public or private.

This doesn’t address other avenues of “data escape,” such as mobile devices and USB keys. There are multiple solutions to this problem, from physical USB locks to software solutions, such as Devicewall’s Centennial, which can block various types of USB devices, such as MP3 players or PDAs, and provide a complete audit trail. Microsoft shops could even use network policies to lock USB ports.

Speaking of policies, let’s take a quick look at your greatest weapon and your worst enemy: The User.

Sometimes it may seem a better idea to give flamethrowers to your local Cub Scout troop than to depend on John Q. User to ensure the integrity of your data. No matter how much you secure your sensitive data, the simple fact is your employee will be retrieving and writing this data on a daily basis. You need to ensure your security awareness program prepares them to handle the various aspects of social engineering as well as prevent accidental data leaks. After all, hackers are targeting the secretaries, not the Certified Information Systems Security Professionals or CISSPs. Computer-based training and posters should be part of your program, not the entire program.

Finally, getting upper management’s buy-in to the cost of data protection in money and manhours can be a daunting task. The horror stories of other data breeches as well as the projected cost to a business for identity theft can be used as a case study during your presentation. If that doesn’t work, maybe you can bust out your VCR and hope Bullock’s stellar performance in “The Net” does.

http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000298345

Category Categories: Best Practices, Original, compliance | Tag Tags: , , , | Comments 1 Comment »

The FAA was successfully attacked

Calendar May 8, 2009 | Posted by Dave

Note from Dave:  Soon I hope to start writing some more original content, until then I will continue to post hacker related news on here.  The reason I am post these articles is simple, Cyber Security is not an option.  Many businesses get it, others not so much.  If the FAA and the Pentagon can be successfully hacked,  how safe do you think you really are?  Better to understand your weaknesses and try to mitigate those vulnerabilities than to put you head back in the sand.

 

Dave

 

Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.

In February, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on 48,000 current and former FAA employees, the report said.

Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency’s mission-support network, the report said. Hackers took over FAA computers in Alaska, becoming “insiders,” according to the report dated Monday.

Then, taking advantage of interconnected networks, hackers later stole an administrator’s password in Oklahoma, installed “malicious codes” with the stolen password and compromised the FAA domain controller in the Western Pacific Region, giving them the access to more than 40,000 FAA user IDs, passwords, and other data used to control a portion of the mission-support network, the report said.

And in 2006, a virus spread to the air traffic control (ATC) systems, forcing the FAA to shut down a portion of its systems in Alaska, according to the report.

The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

“In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations,” the report concluded.

 

An audit of the FAA’s air traffic control cybersecurity protection measures finds them lacking and says there have been several breaches by hackers and a virus.

(Credit: U.S. Department of Transportation, Office of Inspector General)

 

The breaches were possible because Web applications that support the air traffic control system operations are not properly secured to prevent unauthorized access and network intrusion-detection software is not adequately being used to monitor and detect cyberattacks, the report concluded.

The FAA’s increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

“Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks,” the report said.

In general, the nation’s critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.

The air traffic control system auditors said they discovered more than 760 high-risk vulnerabilities in the Web applications tested, including holes that provided “front-door access” to the systems and could allow attackers to inject malicious code onto FAA user computers. Web applications were not adequately configured and the applications with known vulnerabilities were not patched in a timely manner, auditors found.

Meanwhile, intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities and none of the IDS sensors is installed to monitor operational systems at those sites, the report said. Cyber incidents are not effectively monitored or fixed quickly, the report concluded.

In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, “including critical incidents in which hackers may have taken over control” of operations computers, the report said.

The FAA is “identifying and fixing weaknesses,” FAA spokeswoman Laura Brown told The Wall Street Journal. “We are working on developing security architecture for that whole system.”

However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems.

The audit of the air traffic control systems was requested by the ranking minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee.

 

http://news.cnet.com/8301-1009_3-10236028-83.html

Category Categories: Recent News, compliance | Tag Tags: , , , , , , , | Comments No Comments »

Walmart Data Breach – By Employees

Calendar April 21, 2009 | Posted by Dave

Almost half of all malicous attacks are done by an internal entity.  Do your employees know how to protect their data?  Don’t guess, get security awareness training from Parameter (End Shameless Plug) :)

– Dave

 

Wal-Mart suffers breach in computer data
News
Monday, 20 April 2009 08:22
It has come to light that Wal-Mart has suffered a breach in its staff data system due to a former employee leaving their job with confidential records. The information is said to refer to 48,000 members of staff in the state of Illinois, America. Security of information has also been a source of several news stories here in the UK as govermnment ministers have accidentally leaked information through mishaps. The breach occurred in mid-2007 and has only just emerged in the media. The language of the documents exposed was generalised, projected and chain-wide, begging the question: how many people’s personal security has been compromised by this? Considering the chain employs 1.8 million members of staff, this is a large loss of personal information which may take the form of private co-ordinates, bank account details for payrolls, tax codes and details, etc.

The breach is feared to be more than localised and is being looked into by senior staff.

Category Categories: Best Practices, Recent News | Tag Tags: , , , , , , | Comments No Comments »

Suprise! Crime is going up in a bad economy!

Calendar April 9, 2009 | Posted by Dave

Report says online crime surging in recession

 

 

By Jason Szep

Reuters
Monday, March 30, 2009; 3:53 PM
 

BOSTON (Reuters) – Fraud on the Internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said on Monday.

Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released on Monday from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center.

Online scams originating from across the globe — mostly from the United States, Canada, Britain, Nigeria and China — are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March alone.

“2009 is shaping up to be a very busy year in terms of cyber-crime,” the report’s author, John Kane, told reporters in a telephone briefing.

Last year’s losses compared with $239.1 million in 2007 and dwarfs the $18 million of losses of 2001.

The most common complaint of 2008 was non-delivery of promised merchandise, followed by auction fraud, credit card fraud and investment scams, according to the report.

Of 275,284 complaints received by the center in 2008, some 72,940 were referred to U.S. law enforcement agencies for prosecution. Those referrals spiked this year with 40,000 in the first quarter alone, said Kane.

“It is our belief that these numbers, both the complaints filed and the dollars, represent just a small tip of the iceberg,” said Kane, managing director of the National White Collar Crime Center in Richmond, Virginia.

UNDERREPORTED CRIME

“Our own research suggests that as few as 15 percent of cases of cyber-fraud are being reported to crime control agencies,” he said.

Scammers in the United States comprised 66 percent of complaints referred to authorities, followed by Britain at 11 percent, Nigeria 7.5 percent, Canada 3 percent and China 1.6 percent. Within the United States, the bulk originated in California (16 percent), followed by New York and Florida.

Fraudulent sales on online auction sites like eBay Inc and classified sites like craigslist.com contributed to a 32 percent rise in the hottest area of online fraud — non-delivery of promised merchandise, the report said.

That area alone made up about 33 percent of all complaints serious enough to be referred to law enforcement.

Other important areas included investment scams such as mini-versions of the $65 billion Ponzi scheme committed by New York financier Bernard Madoff in which money from new investors is used to pay existing investors.

About 74 percent of the scams were through e-mail messages last year, especially spam, while about 29 percent used websites. But criminals were increasingly tapping new technologies such as social networking sites and instant messenger services, said Kane.

The report highlights one new “significant’ identity-theft scam involving e-mail messages that give the appearance of originating from the FBI but seek bank account information to help in investigations of money being transferred to Nigeria. Recipients of the e-mails are told they could be richly rewarded by cooperating.

The report said almost 80 percent of known perpetrators of online scams are male. Of those bringing complaints, nearly half are between the ages of 30 and 50. The median dollar loss was $931 per complaint, although the median losses for check fraud reached $3,000 and that for investment scams was $2,000.

(Editing by Bill Trott)

Category Categories: Recent News | Tag Tags: , , , | Comments No Comments »