Who’s Watching You Type?

While we have known for a while that keyboards were a great place to snoop for information, it now seems that they are more vulnerable than previously expected. Research from Switzerland has shown it is possible to snoop keystrokes from 20m away just by monitoring the slight changes in electromagnetic radiation each time a key is pressed.

Tests were done with a variety of keyboards and all were found to be susceptible to the attack.

As with all research, this just points the way to what is possible and therefore what will become reality out there in cyber-criminal land. And so a new attack vector is born… one where you don’t have to infect the target’s machine with malware, or attach a piece of additional hardware (one of the easiest ways to install a virtually undetectable keylogger - who looks for additional widgets on their desktop keyboard connectors?!?!)… you just have to get to within 20m, and it doesn’t even have to be direct line of sight - the method works through walls as well.

What to do? Perhaps it is time to start using ‘virtual’ keyboards for username and password input - as standard.

Presidents, Senators, You And Me

Another famous name has had their bank details stolen and money taken from their account. This time it’s the French President, Mr. Sarkozy. Of course it is not unusual for people to have their details stolen; we have seen other high-profile cases in recent months: a US senator had their email account hacked and the Chief Executive of a bank also lost money. Of course, if you happen to be you or me, then it is unlikely to make the front pages of the news or spark quite the same level of campaign to find the perpetrators.

The interesting point in this latest case is that the thieves just skimmed off a little bit of money at a time, rather than emptying the account. The thinking is that you won’t notice - so over time they would make off with more money. What can you do? Simple stuff really:

  • Don’t tell anyone (and I mean anyone) your logon or password details.
  • Regularly change your password.
  • Don’t make your password guessable. (This sounds obvious, but people evidently make them too easy to guess!)
  • Regularly check your statements and query any unknown transactions.

RSA Conference Europe 2008

I will be at RSA Europe next week and taking part in a round-table entitled “Threat Horizon 2010+ - To Infinity and Beyond”. This should be a lively debate. It’s on Tuesday 28th October at 11:45am. See you there.

How Long Did It Take…?

So DarkMarket has finally been shut down. This was one of the underground economy websites where you could buy information such as credit card details - a cyber-criminal heaven. Unfortunately, there are quite a few of these sites around, so while this is an annoyance to some, it is really just a blip in operations for most. The really bad news is just how long it took to shut it down… it operated for three years… and it has taken the last two to shut it down! The wonders of the Internet mean that the information it contained could have been copied and a new site re-opened within hours, somewhere else in the world.

If we are to beat information fraud, which is a global problem, then we need to become much more efficient at shutting down the illegal Internet-based information trade sites - quickly. Detection of such a site should start a (relatively) simple process which shuts it out. That needs agreements from a whole mass of people, including governments, service providers and application providers, but if we are to tackle this problem we need decisions today… not prevarication as to why it is so hard to do. After all, at the basic level it’s just a case of cutting them off the net, wherever they may be located… right?

Recognising A Secure Website

We recently released a report on how much people trust companies with their data. The answer is that four out of five don’t trust companies, and even more (89%) think that reckless or repeated data loss should be punishable by prison.

Overwhelmingly the issue is with visiting websites: 18% of respondents said they didn’t check the security of the websites they use when shopping online. So here are some ways to identify a secure site:

  • Look for the security padlock. If it’s not there, don’t enter your details. If it is there and you are uncertain, click on it to see the security certificate for the site.
  • Stick to trusted brands - if a deal looks too good to be true, then it probably is!
  • If going to a new site, do any of your friends use it or recommend it?
  • Watch out for cyber-squatting on names. This is where you mistype the name of the website you want and a cyber-criminal has taken it and made it look like the real one… but it swipes your data!
  • Watch out for numbers in the web address. Often a link on ‘bad’ or compromised sites can look ok on the screen, but click on it and it turns into a number (called an IP address) - which is not where you want to go… the cyber-criminal strikes again!

Finally, make sure that you have an anti-phishing filter switched on in your browser. When it comes to defeating the cyber-criminal, the more layers of security and the more aware you are of the risks, the better chance you have to remain secure while on the web.
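The padlock point and the last two points in the list can be turned into a simple pre-click check. The snippet below is an added example, not part of the original post or any Symantec product; it assumes a link is represented as the text the reader sees plus the address it really points to, and every sample link in it is constructed.

```javascript
// Added example (not from the original post): checks a link against the
// checklist points above before it is followed. All sample links are constructed.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
// If the visible link text looks like a web address, return its host part
// (without a leading "www."); otherwise return null.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}
// Classify one link as { ok: true } or { ok: false, reason }.
function checkLink(displayText, href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: 'href is not a valid URL' };
  }
  const host = url.hostname.toLowerCase();
  // The "number in the web address" case: the real destination is an IP.
  if (IPV4.test(host) || host.startsWith('[')) {
    return { ok: false, reason: 'destination is an IP address' };
  }
  // The look-alike case: the text shows one site, the link goes to another.
  const shown = hostFromText(displayText);
  if (shown && host !== shown && !host.endsWith('.' + shown)) {
    return { ok: false, reason: 'shown address does not match destination' };
  }
  // The padlock case: no TLS, so no certificate to inspect.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'no https (no padlock)' };
  }
  return { ok: true };
}
// Return only the links that fail a check, with the reason attached.
function suspiciousLinks(links) {
  return links
    .map(([text, href]) => ({ text, href, ...checkLink(text, href) }))
    .filter((r) => !r.ok);
}
// Constructed samples: example.com / example-bank.com are illustration names,
// 192.0.2.10 is a documentation address.
const SAMPLE_LINKS = [
  ['www.example-bank.com', 'http://192.0.2.10/login'],
  ['https://www.example-bank.com', 'https://secure.example-bank.com/'],
  ['www.example-bank.com', 'https://exampIe-bank.com/'],
  ['Contact us', 'https://example.com/contact'],
  ['Log in', 'http://example.com/login'],
];
```

Running `suspiciousLinks(SAMPLE_LINKS)` flags three of the five constructed links: the IP-address destination, the look-alike host, and the plain http login page.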

You can get a complete copy of the findings and recommendations in our new online security guide (3MB).

How Much For Your Name?

Symantec recently conducted some consumer research where we asked people to put a monetary value on different pieces of their identity. In other words, the vital information that we all use when making transactions on the Internet.

Most people thought that their name was worth about a pound, and 89 per cent would happily share it with someone they didn’t know. But when it came to their date of birth, people were a little bit more wary. Only 23 per cent of people said they would share it with someone they didn’t know, and people tended to put a value of £100 on it.

As for other pieces of important information, bank and credit card details, passports and password information, most people valued these at £100 apiece. Only 1 per cent of people said they would share their bank details, passport or password information with someone they did not know.

In reality your personal information isn’t worth all that much to the cyber-criminal, unless they’re dealing in bulk. A recent Symantec Internet Security Threat Report found that UK bank account details are being sold in bulk on “cyber crime supermarket” style underground economies, for as little as £5 an account.

So, how much is your name worth? Unfortunately not a lot, the price has come down for the cyber-criminal, while the impact to you should your information be compromised has gone up.

You can get a complete copy of the findings and recommendations in our new online security guide (3MB).

Not A Question Of ‘If’ But ‘When’…

Another day, another scandal around data loss. 1.7m people this time, but to me this was the comment that got me going…

“…it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information.”

So… do people plan to lose laptops, CD-ROMs, USB sticks…? No, of course not. But they do. Do people plan to lose backup tapes or leave confidential reports on trains…? No. But they do. There is now a simple rule - if it is sensitive or confidential information and it can be easily transported, then it should be encrypted (tough for printed materials - but in this day and age I’m sure there is an electronic copy as well… so leave the printouts at work, or better yet - don’t print it out). Even if it is destined never to leave the building, it needs to be encrypted - because the best laid plans are always thwarted.

Data loss is not a question of ‘if’ it will happen, but ‘when’ and ‘where’ from. Encrypting data means that you should never make it to the front page of the news with a story that you just lost the information.

DLP Redefined

Ewe gotta laugh… 20,000 cows have gone missing (makes a change from data)… perhaps it’s time to redefine DLP… Dairy Loss Prevention… :-)

Whodunit?

With yet more data loss incidents occurring over the past few days, it now seems like the time to ask ‘Whodunit?’ What do I mean? Well, let’s say your credit card is cloned and used illegally, or, more scarily, someone has taken your ID and used it to open a new bank account or credit card and then run up a large debt. (The first you would know about it is when your credit is checked and turns out to be bad…) So, you wonder… who is responsible for that data leak?

The answer is… well, you just don’t know, unless there is something very specific about the data that was lost and subsequently used. Even with breach notification in place, that will only let you know that the loss has occurred - and you could have half a dozen or more of these every year! Of course you might have automatic credit checking in place as part of the data breach resolution (heck, there might even be a service to consolidate all the checks going on - otherwise the same checks will be run by multiple vendors, or even the same one over and over on your behalf), but it still won’t tell you whodunit. Furthermore, the notification only happens when the leak or breach is noticed - what about those which go unnoticed for years?

I believe breach notification is useful; after all, not being told would be worse than being told several times - but perhaps it’s time to look at what would be useful to the individual by taking a holistic view of their needs, rather than on a company-by-company basis.

Out And About

Well the Vision conference was a great success with lots of customers and partners to talk techie with, and of course we made the great announcement to acquire MessageLabs, which is really going to accelerate our software as a service offerings.

Anyway… next week I am out and about in public again(!), I’ll be at the Intellect meeting on Monday 13th October. We will be discussing “Securing Intellectual Property in the Networked Economy” which should prove to be fun.

On Thursday 16th October, I will be presenting at StorageExpo in London, with the session title of “Storage = Data = Risk: Technologies for Data Loss Prevention”. The interesting thing about StorageExpo is how it has morphed over the last couple of years such that it is now all about the information and its security and manageability rather than just being about the latest and greatest hardware.

If you’re there, then come and say hello.
