1 Server, 3 Weeks, 1.4GB Personal Information

A server was found this week chock full of personal information - 1.4GB of personal information. The information had been stolen from around the world and included health records and email - and within the email there was even more information relating to contacts, account details, pension savings plans (401k) and so on… 1.4GB can house a lot of useful information.

This server was quite a find… but it is not alone, we see compromised servers which receive stolen information every day and there are a lot of them. OK, so most don’t have 1.4GB but they do contain tens of thousands of pieces of information. The latest Internet Security Threat Report (ISTR Vol. XIII, April 2008) reported more than 60,000 bot infected computers per day (a 17% increase over the previous 6 months). These aren’t all collecting information - most are sending it out (spam, phishing, DoS, …) however some of them are. It also highlighted that of the 54,609 applications installed, 65% were malicious.

So (and I’m starting to sound like a broken record)… if you value your information and something asks to install itself, especially if it happens inside a web browser (a browser plug-in), be very sure that the source of the request is valid - if not, then just click away.

Don’t Send The Password With The Data

It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents with the password! I won’t mention which organization it is - as I have a feeling there are quite a few with this problem. The other one I have seen very recently, is the yellow sticky with the password attached to the laptop!

These are great examples of where the people, process and product story has broken down. In both cases encryption is the technology - and that works to protect data. The process is in place - encrypt sensitive data if it might get lost (so, on a laptop, or in an email going out of an organization, or on a CD, or on a mobile phone, or … you get the picture) but the process is incomplete - what do you do with the password, and how do you communicate it, if required? Finally there is a lack of education of the staff (or in this latest case the education is retrospective and reactive rather than proactive) - why are we doing this… to protect individuals’ information, or corporate information… and so if you send the password at the same time you might as well not have encrypted it. Of course, there is some irony here - in the US with its disclosure laws, if the data was encrypted when it was lost, then that is the end of it - no disclosure - even if the password was on a note!

Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.

How do you send a password… well that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well you decide - it’s your organization. Just make sure that there is a policy and people know what it is.


[Image: “Your Password Here”]

Technologies For Data Loss Prevention

I am speaking at the SNIA Europe Academy on 20th May 2008 in London - and “Technologies For Data Loss Prevention” is the title of my session. So… two things here… firstly, I have been involved with SNIA since it first started and it is good to see an organization ‘grow up’ with its customers’ needs and the ever changing technology. So while there are some sessions on fibre channel and other more usual storage related items, there are also sessions like mine and on compliance challenges which talk at a different level - not just the physical storage but the information that is there and what it means to the enterprise.

Secondly, I was in with an account team at a customer to talk about futures in both storage and security and data loss came up. The rep did a great job of explaining our latest and greatest technology (which we acquired late last year when we bought Vontu), but missed out on some of the obvious ones… such as encrypting backup tapes if they are going off-site, or keeping anti-virus definitions up to date - some of the things we often think of as obvious but, as with all good management books, it is not until the obvious is pointed out that it becomes ‘obvious’.

Anyway… my session will cover the range of technologies that can (and should) be considered and it is most definitely not a ‘one size fits all’ - to be effective and cost efficient you need a holistic approach - some of which will be ‘obvious’ and others, less so. Hope to see you there.

5 Million And Counting

The White House has lost 5 million emails which is a pretty impressive feat. More worrying is that there is confusion over what is there, what isn’t, and who is responsible. If this had been a company then they would have been hauled up in front of a judge and forced to answer difficult questions, however governments are a different story and seem to operate on their own rules. When it comes to data loss a government does have a reputation, but there isn’t the competition - you can’t choose to pay your taxes to country X… however it is up to a government to set a standard and precedent which will give its citizens confidence that, if nothing else, it can look after their information.

Perhaps it is time to have a watchdog for governments and information protection?

There Goes The Neighbourhood

In this case it was the neighbourhood that funded a glamorous lifestyle - even if they didn’t know it. This is a case of identity theft taken to a whole new extreme with multiple neighbours of a Philadelphia couple being defrauded of $100,000. The couple had keys to neighbours’ flats and post boxes and used them to take all kinds of information, including bank account details, as well as installing spyware on their computers.

How didn’t the neighbours realize? Well, it seems that the couple had opened bank accounts and credit cards in their neighbours’ names - in this case they used a fake driving license. (So you wouldn’t know until you tried to open an account or a credit card and the credit check fails.) Try a Google image search for driving licenses and you will be amazed at how many there are… people need to realise the importance of the information they hold and, more to the point, the consequences of what can happen if it falls into the wrong hands. So… if you happen to have just passed your driving test, and you want to tell your friends about it - then tell them, but please don’t post a picture of your license on your social networking site!

Free Music… Come And Get It

And 360,000 people responded - and got adware instead. The difficulty is to know what is genuine and what isn’t. A number of big name bands, Coldplay being the latest, have released their upcoming single ‘for free’ as an MP3 - and that was genuine. So where’s the difference? In this particular case the MP3 turns out to be an executable - so it’s a program, not a music file. This brings us quite nicely to browser plug-ins which you (the user) are told are required for a web page to load correctly - but it turns out that a large number of these are also malware (adware and keyloggers top the list).

If you are on a web site you don’t know and it asks you to run a program, or install a browser plug-in, just say no… navigate away. Remember… if a deal sounds too good to be true - then it probably is, and it’s better to be safe than sorry.
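The point above is that the ‘MP3’ was really a program. As an added example (not code from the original post), this check looks past the file name at the leading bytes: a Windows or Linux executable header versus an ID3 tag or MPEG frame sync, and it also catches double extensions such as song.mp3.exe. File names and sample bytes are constructed.

```python
# Added example (not from the original post): is a download offered as an MP3
# actually MPEG audio, or a program wearing a .mp3 name?
# Names and sample bytes below are constructed for illustration.
from pathlib import PurePath

PE_MAGIC = b"MZ"         # DOS/Windows executable header
ELF_MAGIC = b"\x7fELF"   # Linux executable header
ID3_MAGIC = b"ID3"       # ID3v2 tag that normally prefixes an MP3


def classify_content(head: bytes) -> str:
    """Classify a file by its leading bytes: 'executable', 'mp3' or 'unknown'."""
    if head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC):
        return "executable"
    if head.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio frame: 11-bit frame sync (0xFF, then a byte whose top 3 bits are set)
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def claims_to_be_mp3(name: str) -> bool:
    """True for 'song.mp3' and for double extensions like 'song.mp3.exe'."""
    return ".mp3" in (s.lower() for s in PurePath(name).suffixes)


def is_masquerading(name: str, head: bytes) -> bool:
    """The name says music but the bytes say program: do not open it."""
    return claims_to_be_mp3(name) and classify_content(head) == "executable"


if __name__ == "__main__":
    # Constructed samples: a genuine tagged MP3 and a PE stub named as an MP3.
    samples = {
        "new_single.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
        "new_single.mp3.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    }
    for fname, head in samples.items():
        verdict = "BLOCK" if is_masquerading(fname, head) else "ok"
        print(f"{fname}: {classify_content(head)} -> {verdict}")
```

A mail or web gateway would apply the same test to the first few bytes of an attachment rather than trusting the extension.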

Happy Birthday Spam

This month marks 30 years since the first spam email message was sent. Back then the system could only cope with just over 300 email addresses at a time. The recipients gave the sender a hard time - they all sort of knew each other anyway!

My how times have changed, more than 85% of email traffic today is spam, billions of messages are sent every day. Back then it was a simple invite - where the sender wanted to see the recipients, today it is much darker with one purpose in mind, making money. The past decade has seen an enormous rise in Internet users, spam and education as to the dangers of spam - but it doesn’t seem to matter, there are still people who open attachments or visit websites without a second thought to the potential consequences.

Anti-spam appliances and services have also grown up in the last decade and can virtually eliminate spam from arriving in the enterprise… new internet services offer ‘clean’ email feeds where spam is removed before it gets to the enterprise. Various consumer email providers also offer great anti-spam functionality… isn’t it time we all used something… or will we all still be complaining about spam 30 years from now?

Don’t Read The Interesting Stuff

It emerged that more than 600 HMRC staff have been disciplined for reading information about UK citizens that they shouldn’t have - unless they have a specific need to do so. I wrote about the decline of implicit trust a while ago and this is just another example. Of course it is impossible for people to avert their eyes if there is something sensitive on the screen - and human nature is always drawn to things that are interesting (just think of surfing the web and the tangents you follow). There is technology that can help in this instance…

Automated redaction technology has been around for a while - in essence this ‘hides’ interesting information from unauthorized eyes from within a document. For example it might hide names and addresses, or bank details - or tax return information.

With a database application, it is the application that needs to be altered so that sensitive information is not displayed. Not only is it time to revisit who has access to applications but also exactly what information they have access to - and whether it is really necessary.

In the cases where information is needed to be viewed on occasion, then a well communicated corporate policy coupled with an on-screen question / warning followed by an audit trail works… That way people won’t be tempted to look at the interesting stuff that’s out there.
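The three pieces above (mask sensitive fields in the application, allow an occasional reveal only for roles that need it, and leave an audit trail) fit together as follows. This is an added example, not code from the original post or from any product it mentions; the roles, field names and the citizen record are constructed.

```python
# Added example (not from the original post): field-level masking in an application
# front end, with a recorded override for staff who occasionally need the full value.
# Roles, field names and the record below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

SENSITIVE = {"national_insurance", "bank_account", "tax_return_total"}
CAN_UNMASK = {"caseworker"}  # roles allowed to reveal a field after the warning


def mask(value: str) -> str:
    """Keep only the last two characters so the record stays recognisable."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user: str, role: str, record_id: str, fld: str, reason: str) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record": record_id,
            "field": fld, "reason": reason})


def view_record(record: dict, user: str, role: str, audit: AuditTrail,
                reveal: Optional[str] = None, reason: str = "") -> dict:
    """Return the record as this user may see it. Sensitive fields are masked;
    at most one field is revealed per call, only for an allowed role, only with
    a stated reason (the on-screen prompt), and every reveal is audited."""
    shown = {}
    for key, value in record.items():
        if key not in SENSITIVE:
            shown[key] = value
        elif key == reveal:
            if role not in CAN_UNMASK:
                raise PermissionError(f"role {role!r} may not reveal {key}")
            if not reason.strip():
                raise ValueError("a reason is required to reveal a sensitive field")
            audit.record(user, role, record["id"], key, reason)
            shown[key] = value
        else:
            shown[key] = mask(str(value))
    return shown


if __name__ == "__main__":
    trail = AuditTrail()
    citizen = {"id": "C-1001", "name": "A. Citizen", "bank_account": "12345678"}
    print(view_record(citizen, "clerk01", "clerk", trail))   # bank_account masked
    print(view_record(citizen, "cw07", "caseworker", trail,
                      reveal="bank_account", reason="refund query 4411"))
    print(trail.entries)                                     # one audited reveal
```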

Data Loss At The Border?

The US announced this week that they would be able to search laptops, or rather search the information on laptops without any reason being given. They have been able to search laptops for a while, but have needed to have a good reason, or suspicions, to do so. The result of this change is going to mean a number of things, firstly; longer delays to get in (hopefully they won’t be searching everybody’s data… else we could be waiting in line for weeks…) and secondly the possibility of data being compromised.

It is difficult to know what to suggest… if you are waiting to get into the US, especially if you are a visitor rather than a national, then you are unlikely to decline a request for them to look at the laptop contents - as that would no doubt give rise to a quick trip back home on the next plane. You probably wouldn’t want to leave the laptop there - just in case it gets lost. Perhaps it is time to look at all that information on there - and decide that it would be better left ‘at the office’ and the laptop is just a portal that you can use remotely. It will still take customs a while to go through an empty laptop - but at least there will be no chances of the data being compromised.

Minnowing… The Opposite Of Whaling

A couple of weeks ago I wrote about phishing at the top of an organization, or whaling. There is, of course, phishing at the lower end of the organization - minnowing. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill. We saw this happen late last year when a supermarket chain was targeted and the criminals were caught. This is happening more frequently and is either not reported, or not even noticed.

To begin with you need to pick the company - it needs to be ‘big’ so that people in accounts payable don’t necessarily know what has or hasn’t been done. You then need to find out a little more information about an individual - and this is where social networking sites prove to be a risk. People put other information (along with pictures) including where they work, the department and even phone numbers on the web for all to see. Armed with this, the attack vector is the same as the FAX scams of old, you email to find what has happened to payment and then escalate from there. If impersonating a real supplier, then a quick phone call can ascertain an outstanding bill… “I was just checking to see what happened to payment for invoice 1234”, “Don’t you mean 5678”… “oh, did you get the change in our bank details / address for payment…”

What can be done? In the same way as whaling needs people to pay more attention to the content, the same is true for minnowing. Awareness and education to those staff most at risk that this threat has been seen is important. Additionally, other process changes may be required to establish that the person on the end of the phone, or email is the actual supplier and not an impersonator.
