How Much Are You Worth?

No, I don’t mean how much are you worth in terms of assets and earnings, but how much are your details worth? There is a story about one million people’s bank details being available on an auction site for only £35. So that makes it 268 people per penny… The story is a little ‘happier’ in that they were found on a second-hand computer that was being bought - but it is still scary.

Old computer equipment is worth very little and so companies tend to get rid of it, for basically ‘free’. However, while the equipment may be out of date the data probably isn’t - and with bank details this is especially true. Disposal of equipment is now governed by the WEEE directive - disposal of the data before the equipment isn’t. Companies must put in place proper data disposal policies and procedures to prevent this type of error from happening. Thinking that ‘there is no data stored locally’ is not an option - it often happens by mistake. How often have you saved work only to be unable to find it - because, through the magic that is computers (I didn’t do anything different - honest), it has been saved somewhere unexpected… and that is often the local hard drive.

So how do you delete the data securely? It depends what it is… if it is really, really classified, then the hard disk needs to be ground up and even incinerated. If less important (and this is probably where most data sits), then deletion is fine - I don’t mean using the inbuilt ‘delete’ function, even a child can recover stuff out of the Recycle Bin, even if it has been emptied. You need to get something that will really delete the information, overwrite it a number of times (33 is the ‘best’!) and then ensure that all meta-data about the file is also deleted. There are a number of free tools out there which do this, I use one called ‘Eraser’ - it works.

Of course, to be completely sure, the whole hard disk needs to be erased - not just where you ‘think’ the data is. So, you do need a process - but it’s simple to do… so make it part of your standard hardware disposal procedure and Information Protection Policy.
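To show what an ‘Eraser’-style tool actually does under the hood, here is an added example (mine, not the post’s or Eraser’s code): it overwrites a file with fresh random bytes for several passes, forces each pass to disk, then scrubs the file name and length before unlinking. The file name, contents and pass count are constructed for the demo; the comment in the code carries the caveat that matters in practice.

```python
import os
import secrets
import tempfile

def secure_delete(path, passes=3, chunk=1 << 16):
    """Overwrite a file in place `passes` times, scrub its name, then unlink it.
    Caveat: on SSDs and journaling/copy-on-write filesystems the old blocks can
    survive an in-place overwrite, so whole-device erasure is the only sure option."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                # fresh random bytes every pass; os.write may write fewer bytes than asked
                remaining -= os.write(fd, secrets.token_bytes(min(chunk, remaining)))
            os.fsync(fd)  # force this pass to disk before starting the next
    finally:
        os.close(fd)
    # Shrink to zero and rename through random names so the original name and
    # length no longer appear in the directory metadata.
    with open(path, "r+b") as f:
        f.truncate(0)
    current = path
    for _ in range(3):
        new = os.path.join(os.path.dirname(path), secrets.token_hex(8))
        os.rename(current, new)
        current = new
    os.remove(current)
    return size

def demo():
    """Constructed sample: a file of made-up bank details in a temp directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "statement.csv")
    content = b"sort-code 12-34-56 account 12345678\n" * 2000
    with open(path, "wb") as f:
        f.write(content)
    wiped = secure_delete(path)
    return {
        "expected": len(content),
        "wiped": wiped,
        "still_exists": os.path.exists(path),
        "leftover": os.listdir(workdir),  # empty once the rename chain is removed
    }

if __name__ == "__main__":
    print(demo())
```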

Lost Data - Pay Compensation?!?!

It was on the news today that a memory stick was lost with the details of 130,000 criminals. OK, so we should be used to this by now - the twist in this story was the thought of compensation. What? Firstly, the information has been lost - not compromised (i.e. used), at least it hasn’t yet. Secondly, what about the 25m whose details were compromised in one go last year? Or the other 4m since then? What about them? What about the 45m TJX customers, or the ones from the other high profile cases - where the data was maliciously stolen (and in some cases used for fraud)? The answer is that there are already processes in place for dealing with them. Legislation such as the data breach notification laws (disclosure laws) begins to define what is required - and it’s not to pay out random sums of money. Notification, measures to check credit ratings for 12-24 months and additional customer support all help - and it’s not cheap for the company. I’m not condoning data loss, far from it, there should be no excuse - but let’s not go over the top here.

We don’t want to move to an even more ridiculously litigious society (there was a story of someone delivering letters slipping over on a drive and suing the owners). With data loss there does need to be some compensation if the data is used (but this tends to come from the banks / credit card companies at present - by default), and there is also the need to check credit ratings - to watch whether the information is used. But we don’t want to pay out - just for the heck of it.

This also brings up another couple of interesting points… In the US people regularly receive disclosure notices for lost data, but if your data is actually used, whose fault actually is it? Was it one from last week, or one from last year - was it one that hasn’t been disclosed yet - because the company doesn’t know they have been breached? Furthermore the long term effects of data loss are unknown at present - if the records of a child are compromised (name, address, NI number - the usual stuff), then at age 16 they can apply for a credit card, or rather a cyber-criminal could… of course, some would have moved by then and the incorrect data might be picked up… but it might not. What happens in this case - where fraudulent actions can take place more than a decade after the data loss occurred?

Perhaps it is time for banks and credit card companies to offer ‘free’ credit rating checks as part of their service - all the time? It’s also time for companies to stop thinking ‘it won’t happen to us’ and make the changes so they don’t become front page news - and perhaps subject to a massive compensation claim.

Whaling And Wailing

The Chief Executive of HBOS has been a victim of fraud after a thief stole his identification details - probably from a bank statement. What does this show? Well, anyone can be targeted and everyone needs to be careful. Whaling is the practice of targeting the people at the top of an organization, OK so it’s usually done by phishing rather than theft - of course the rewards are still the same for the cyber-criminal, money, with the benefit that (hopefully) the man at the top has more than those further down.

What to do? It all comes down to one thing, protect those paper based items from the bin rustlers (or dumpster divers) by shredding them. It doesn’t take much to buy a cross-cut shredder and then it is just a case of getting into the habit of shredding anything and everything with names, addresses and important numbers (bank account details, credit card details, etc) as well as any of those very annoying ‘you have been pre-approved’ applications for credit cards. Put the shredder somewhere where you open the post or where you store old statements so you do it immediately.

It may sound daft, but you need an Information Protection policy for home (as well as at work), protecting both electronic and paper based information. It doesn’t have to be long and complex - just a set of simple rules for you and your family. Go out and buy a cross-cut shredder today - you can even get one that will mash up old credit cards and CD ROMs!

Four Million And Counting…

That’s the number of personal details lost by the government in the last year - over and above the HMRC event last November. While this is obviously not good news, the good news is that someone is watching and counting. Without this how will we know if things are improving? Of course, this doesn’t count the ones which are not reported or those which people are unaware of - but it is a start. Metrics are essential if we are to measure improvements especially as new processes or procedures are introduced - roll on 2009 when (hopefully) the numbers will be going the other way.

What Makes A Spam Trend?

Are the CNN and MSNBC spam emails that are going around at present a trend? Yes - this is an example of ‘brand jacking’, i.e. it leverages a popular and trusted brand. These particular examples also use another trend - current events. Eye-catching headlines around current events, particularly things like the Olympics and the US Presidential race, can make people click a link before they think about it - and when the email appears to come from a reputable sender, the likelihood of falling for it rapidly increases.

We are getting much better at not opening attachments from users we don’t know so the spammers have moved on. Social engineering is the biggest weapon in the cyber-criminals’ arsenal and one of the easiest to beat. Rapid communication and education as to new threats is critically important. An email to staff on the new trend, just to make them think twice about clicking a link in an email is a worthwhile investment. All staff need to become security aware - it’s not just a job for IT.

Thank-You To All My Readers

A quick thank-you to you all and especially those who voted for me in the Computer Weekly Blog Awards.

Web 2.0 And Virtualization

We did a survey at Black Hat in Las Vegas last week and top of the poll for security risks was Web 2.0, 46% of the respondents thought that was going to cause the most problems, followed by Virtualization at 35%.

It’s always good to hear where other people think the problems will be - because generally they are right. Generally at Black Hat the number of new exploits is enough to either turn you grey or pull your hair out and this year was no exception. The battles continue to be won to defeat the determined and increasingly sophisticated cyber-criminal but the war, most definitely, has not been won.

Spam, Spam, Spam, Spam - Not So Lov-er-ly Spam

Symantec released its latest report on spam. July’s results were a 12% increase, year-on-year, to 78% of all messages. As expected the ‘big’ public interest events are still a big trend, so the Olympics and the US presidential race are up there along with ones targeting people’s fears for the economy and the old favourites of losing weight and superfoods.

One of the other trends that was ‘emerging’ before and is now becoming more pronounced is to hijack legitimate websites which then host the malware. Businesses should start checking not just whether their website is up-and-running but also whether it has been silently hacked and is now being used as a tool for cyber-criminals. Cross site scripting has been in the news a lot over the past few months - companies cannot afford to think it won’t happen to them, they need to change their policies today to ensure that they do not become part of the problem.

The Internet Never Forgets

So some of the cyber-criminals who were responsible for the massive TJX data breach are being prosecuted - well, 11 of them. Is that all? Probably not, but it’s a good start.

This case was not one where a laptop was stolen, or some CDs were left on a train or anything so mundane. This was all about people driving around in cars looking for unsecured wireless networks and then hacking in to steal data. Not just once, but over a long period of time - and then the data was sold on in the underground economy.

The scary thing is that despite the original news of the breach and the method by which it was achieved, there are still open wireless networks out there. A quick scan at one point on the Thames reveals ~20 wireless networks and nearly 20% are open. Of course there might not be anything of interest there - but they are still open and that’s a starting point. In other news it was revealed that a gang in Russia has control of 100,000 PCs, stealing usernames, passwords and other personal information. These PCs are not just individuals, but corporate machines as well.

If you do nothing else today, have a check for wireless networks in your workplace (and at home) and make sure they are secure - if you don’t know how to secure them, then look it up on the web - there are lots of pages offering help… use them. Ignorance isn’t bliss.
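For the workplace check suggested above, here is an added example (my code, not the post’s) that turns a Linux `nmcli -t -f SSID,SECURITY dev wifi list` scan into a short audit report, flagging your own access points that are open or still on WEP. The scan text below is a constructed sample rather than real output; in use, feed it the command’s output instead.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi list` output
# (terse mode: fields separated by ':'; an empty SECURITY field, or '--' in
# non-terse output, means an open network with no encryption at all).
SAMPLE_SCAN = """\
Thames-Office:WPA2
CoffeeShop-Guest:
Warehouse-AP:WEP
HomeHub-1234:WPA1 WPA2
Printer-Setup:
OldRouter:--
"""

def parse_scan(text):
    """Return (ssid, security) pairs; rpartition keeps escaped ':' inside SSIDs."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, sec = line.rpartition(":")
        nets.append((ssid, sec.strip()))
    return nets

def audit(text):
    """Classify each network as open (no encryption), weak (WEP) or protected."""
    nets = parse_scan(text)
    report = {"total": len(nets), "open": [], "weak": [], "protected": []}
    for ssid, sec in nets:
        if sec in ("", "--"):
            report["open"].append(ssid)
        elif "WEP" in sec:
            report["weak"].append(ssid)  # WEP is broken; treat it as nearly open
        else:
            report["protected"].append(ssid)
    total = report["total"]
    report["open_pct"] = round(100.0 * len(report["open"]) / total, 1) if total else 0.0
    return report

if __name__ == "__main__":
    r = audit(SAMPLE_SCAN)
    print(f"{r['total']} networks, {r['open_pct']}% open: {r['open']}")
    print("still on WEP:", r["weak"])
```

Anything in the "open" or "weak" lists that belongs to you wants WPA2 turned on before you go home tonight.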

Not Me Guv

So, if you lost your laptop and it resulted in a data loss incident - who would you blame? In a recent survey only 17% of office staff and 21% of IT staff thought it would be their fault… the rest thought it was the CEO’s fault or the company’s. Bizarre but true.

Reality is that it is up to everyone to protect the data and the company should provide appropriate technology to help. If you have a company laptop and it contains sensitive information ask about full disk encryption, the same is true for mobile phones (well, the ones which get email, etc, etc). These are relatively simple to install and administer. If you send data out on a CD, then ask if it is encrypted - and if not, ask about encryption solutions to be added into the process. Again, this is not hard to do - and it does reduce the risk.

Finally, if you are really worried about data leaking through email and the like, then ask about content based data loss prevention - it’s not as simple as putting in encryption, but it does create a much better solution.

So… if you lose data - it is your fault. Especially if you haven’t been and asked for help in preventing it from happening in the first place.
