Tuesday, December 09, 2008

Tuesday, November 04, 2008

Wednesday, September 24, 2008

Tuesday, September 16, 2008

Wednesday, July 30, 2008

Wednesday, July 23, 2008

Monday, July 14, 2008

Monday, May 19, 2008

Techworld.com - Computers at risk from Crazy Raspberry ants

Researchers find new ways to steal data | InfoWorld | News | 2008-05-19 | By Robert McMillan, IDG News Service

Protecting data from danger

As employees, hackers become more sophisticated, sensitive information is no longer safe

Pittsburgh Business Times - by Kim Lyons

Joe Wojcik
CERT Insider Threat Team technical leader Dawn Cappelli says data dangers are everywhere, and insider threats from company employees are becoming increasingly common.

Dawn Cappelli isn't that scary.

But listen to her talk about her job as head of the Insider Threat Team at the Computer Emergency Response Team, part of the Software Engineering Institute at Carnegie Mellon University, and she becomes downright terrifying.

"I'm so paranoid," Cappelli said. "I try to tell people that their information isn't safe, because so many people have access to it."

Gone are the days when a company's biggest information concern was whether employees were downloading the wrong e-mail attachments. Whether it's big department stores unable to protect customers' credit card information, or smaller firms losing track of who has access to proprietary information, the threats to companies' sensitive data are constant and ever-changing.

And the long-term effects of a data breach can have an impact on a company well after the issue has been resolved, whether it's a loss of customers, or damage to the company's reputation.

Bill Shore, supervisor of the FBI's Computer Crimes Squad in Pittsburgh, said the days of hackers seeking fame and glory -- think of the "iloveyou" virus of 2000 -- are mostly over.

"Now, they try to keep under the radar," Shore said. "They are much more profit-motivated. They're trying to find ways to get access to money."

STEALING FROM THE INSIDE

Today, more threats to companies' data come from within, Cappelli said, as some employees deliberately take sensitive information.

Many are seeking personal gain from the sale of company or customer information. In this instance, the typical insider is in a fairly low-level position, the average age is 33 and offenders come from both genders. These insiders don't have to be particularly technical, but most are relatively low paid, Cappelli said. Such insiders are sometimes approached by someone from outside the company to steal the sensitive information, she said.

Another problem is industrial espionage, where employees steal trade secrets, often when they're about to start their own company, Cappelli said. In these cases of theft for personal gain, about 71 percent of them are very technical people, who have access to new strategies or projects being developed. And, in her experience, they're male, with an average age of about 37.

A large part of the problem is the attitude of upper-level management, Cappelli said.

"This isn't something that can be just handed off to the IT department," she said. "It's difficult to watch all your employees all the time, but companies need to recognize when people are acting suspiciously."

BREAKING AND ENTERING

Inside jobs are far from the only thing that business owners have to worry about when trying to keep critical information safe.

Identity theft is huge, and not just for individuals, Shore said. He's seen phishing attempts -- where hackers try to get users to divulge sensitive information like bank account numbers -- targeted at company CFOs. Such phishing scams can potentially drain millions of dollars from a company's coffers.

Even worse, he said, are malicious programs that record keystrokes -- all the program has to do is watch for activity on a bank account Web site, and it records account numbers and password information.

Savvy companies recognize the potential threats to their customer information and other sensitive data.

John McClelland, president of Strip District-based online produce supplier Good Apples LLC, said since 90 percent of his company's business is conducted on the Internet, he protects customers' credit card information by not storing any of it. Every time a customer places an order, they must re-enter their credit card number.

"Yes, it makes it a little less convenient for customers, but we don't have the amount of money we would need to invest in security to protect that information," McClelland said. "It would be irresponsible for us to store it."

Bruce Freshwater, CEO of Robinson-based Sierra w/o Wires Inc., an IT services company, said unfortunately many companies don't want to invest in protecting their critical data until after they've had a breach.

"Ninety-five percent of the time, they don't want to expend any money until after the data has been compromised, and they've taken a $100,000 loss," Freshwater said.

Sierra's own security includes an IPS, or intrusion protection system, at its network perimeters. It guards against the kinds of internal threats that Cappelli described by assigning controls based on access requirements; the sales team can't access IT information, for instance.

FUTURE THREATS HARD TO PREDICT

James Joshi, an assistant professor at the school of information sciences at the University of Pittsburgh, said he tries to avoid predicting the future.

"But I think -- or rather, fear -- more sophisticated, coordinated multi-attacks may be the next thing that the hackers will come up with," he said. "There are already significant issues with botnets indicating this. And in most cases, organizations and systems are not that well-prepared against such cyber events."

Botnets are programs that run automatically on "zombie" computers -- a machine that's been infected with a Trojan horse or other virus or worm -- and are controlled remotely, by someone usually up to no good.

Shore said the biggest threat he sees on the horizon is the increased use of peer-to-peer, or file sharing, networks. And with economic espionage becoming more and more lucrative, Shore said, ID theft is likely to become more prevalent for both individuals and companies.

Cappelli's colleague at CERT, Nick Ianelli, specializes in malware trends and analyzing future threats. He said the potential for data compromise via instant messenger programs is becoming bigger and bigger. Social networking sites are also an area where user information is highly vulnerable, he said.

And, Ianelli said there's also a lot of malicious code that works on cell phones. Since different cell phone manufacturers use different operating systems, it's hard to create one threat that works in the vast majority of devices.

"But once that gets on a machine, it can compromise all the data on there," he said. "Anytime you plug in your phone, you provide access to it."


klyons@bizjournals.com (412) 208-3827


All contents of this site © American City Business Journals Inc. All rights reserved.

Tuesday, April 29, 2008

Banks Told to Prep for New International ACH Rules - Bank Systems & Technology

HP ships USB sticks with malware - CNET News.com

Microsoft: Massive site attacks not our fault

Techworld.com - Xerox's PARC boffins show off new inventions

Techworld.com - Bank owns up to laptop disaster

PCI council clarifies impending application rule - SC Magazine US

Another Apple QuickTime bug reported - SC Magazine US

Skype users land in anti-malware net - SC Magazine US

Hacker denies using tool to break into Dish Network security - SC Magazine US

Massive hacker attack continues - SC Magazine US

Another college exposure, now in Colorado - SC Magazine US

"Highly critical" flaw in WordPress - SC Magazine US

Sunday, April 27, 2008

Thursday, April 17, 2008

Tuesday, April 08, 2008

Monday, April 07, 2008

PA-DSS secures payment applications

Laptop theft easily preventable while on the road

un-excogitate.org » Blog Archive » Old School Biometrics Hacking And Enterprise Physical Access Control

2600: The Hacker Quarterly

The IT Security Guy: Spring 2600 Hits Newstands

IT 'Big Brothers' trying to keep internal users under control

Security chiefs urged to embrace risk

IT security budgets on the rise - vnunet.com

Remote workers ignoring security - vnunet.com

M&S rapped for Data Protection breach - vnunet.com

Watchdog slams Skipton over data loss - vnunet.com

Police lose yet more data - vnunet.com

HSBC loses 370,000 customer details - vnunet.com

Tuesday, March 18, 2008

Thursday, March 13, 2008

Wednesday, February 13, 2008

Wednesday, February 06, 2008

Tuesday, January 29, 2008

New data security breaches come in fours

Florida woman accused of deleting $2.5 million in data - SC Magazine US

Security tokens coming for eBay's PayPal customers - SC Magazine US

PayPal to acquire Fraud Sciences for $169 million - SC Magazine US

Western Union spam downloads keylogger - SC Magazine US

Super Bowl blitz begins: Bogus game sites with malware popping up - SC Magazine US

Security lessons from the top | InfoWorld | News | 2008-01-28 | By Matt Hines

Were People or Technology to Blame for Multibillion Dollar Societe General Fraud?

Security efforts hindered by untrained users

Metasploit attack app gets update

ChoicePoint to pay $10M to settle last breach-related lawsuit

Tuesday, January 22, 2008