Data Privacy Day – 28th January 2009

With all the excitement of data leak incidents and secondhand MP3 players you could be forgiven for missing the fact that Data Privacy Day is nearly upon us, and this year it includes North America as well as Europe. What are you supposed to do? Well, I suggest a little thinking and a little talking – about data and how to keep it safe.

Where do you come into contact with sensitive electronic data – at work and at home? What are you doing to ensure their safety? If you have a job, bank account, credit card, pay taxes and do a little shopping on the Internet, then your details will be in around 800 databases… looked after by people like yourself - or at least that is what you hope. So when you copy the information to a CD ROM to put in the post – perhaps ask if the data is encrypted. When you are clearing out your desk, don’t throw away old CD ROMs or USB sticks without checking that they have no sensitive information on them… if they do then dispose of the items properly. If you are replacing your PC at home then think about the data you have stored on it – get a free data eraser from the web and clear down the old machine if you want to resell it, destroy the hard-disk if you don’t. My friend Toby from the EPG likes the Landrover approach – which is certainly one way to put the data out of reach.

Talk to your colleagues but also talk to your parents, spouses, children about why it is important to keep some information private – I’m sure they have read about it, but if it comes from you in a personal manner, along with a couple of examples of what could happen should their information fall into the wrong hands then perhaps they will change the way they behave… and that is what Data Privacy Day is all about – changing our approach to information privacy and protection.


Singing Secrets

Another second-hand data scandal has hit the news, this time it is an MP3 player full of details of US soldiers. The device was bought from a second-hand shop and, as it didn’t work, the buyer took a closer look and found the data. While the data is relatively old (2005), some of the phone numbers still worked… and this is the problem with personal data – it doesn’t age at the same rate as the systems it is on. I spoke at a conference last week and one of my standard questions is to ask how many people have changed address in the last 5 years – to which there were quite a few – and then to ask how many have changed bank details in the past 5 years – and there wasn’t anyone who had. So if your details are compromised today, the chances are they will still be valid in a number of years’ time.

MP3 players are a very convenient way to transfer large quantities of data, but if they are used this way then the data on them needs to be disposed of in the same way as you would on a PC – and this doesn’t mean just throwing them away. A standard ‘delete’ won’t cut it – the device needs to be securely erased (including being overwritten a number of times – this is not completely foolproof, but is adequate for most data), degaussed or physically destroyed.
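The overwrite-before-delete step described above, as an added example that is not from the original post: the file is overwritten in place several times (random data and zeros alternating), each pass is flushed to the device, and only then is the directory entry renamed and removed. The demo file and its contents are constructed for illustration.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` in place, `passes` times.

    Even-numbered passes write random bytes, odd-numbered passes write zeros.
    Returns the total number of bytes written. Caveat (the 'not completely
    foolproof' part): flash media such as MP3 players, USB sticks and SSDs
    use wear-levelling, so the controller may remap blocks and the old data
    can survive an overwrite; journaling or copy-on-write filesystems may
    also keep earlier copies. For those, physical destruction is the
    reliable option.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if p % 2 == 0 else bytes(n)
                fh.write(block)
                written += n
                remaining -= n
            # Push this pass out of the page cache to the device before the next.
            fh.flush()
            os.fsync(fh.fileno())
    return written


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, rename (so the directory entry no longer shows the original
    name), then unlink. Returns the number of bytes written by the overwrite."""
    written = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    tmp = os.path.join(directory, "." + secrets.token_hex(8))
    os.replace(path, tmp)
    os.remove(tmp)
    return written


def demo_erase(passes: int = 3) -> tuple:
    """Constructed demo: write a fake contact list, overwrite once and confirm
    the bytes changed, then securely delete it. Returns
    (bytes_written_by_delete, content_changed_after_one_pass, still_exists)."""
    data = b"Sgt Example, +1-555-0100, 2005\n" * 40  # constructed sample record
    path = os.path.join(tempfile.mkdtemp(), "contacts.txt")
    with open(path, "wb") as fh:
        fh.write(data)
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        changed = fh.read() != data
    written = secure_delete(path, passes)
    return written, changed, os.path.exists(path)
```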

15 Million And Counting…

So, the Downadup / Conficker worm has now infected 15 million systems – that’s pretty impressive considering that there was a fix last October to prevent it. What it does show is just how infrequently a significant number of users actually update their systems – even though they probably have a link to the Internet.

While the vast majority of the infections are in Asia, it now seems that there are outbreaks occurring closer to home – and within local government and business. This is more worrying – is the trend for patching vulnerabilities getting worse? Or are we seeing something different going on here? There is an increasing trend towards something called ‘consumerization of IT’. In essence, this is where you are allowed to use your own IT equipment for work – in some cases you get an allowance to purchase a system. The reason behind it is money – on a number of different levels – and efficiency. However, what happens if there is a problem with the device, or it gets infected with a virus or worm? Who is responsible for sorting it out – the company (after all, if you have a worm like Downadup spread through your organization it is very expensive to resolve) or the individual, who might not be so worried or even know about the problems they are creating? Either way, these sorts of issues need to be resolved – as the problem is only going to get worse.

How’s it going to get worse? Well, connectivity is increasing, especially with the advent of Software as a Service and cloud computing, so more systems which are out of the IT department’s control will be attaching to the corporate network; furthermore, consultants and other 3rd parties will also add to this increased risk. The good news is… firstly, a lot of this can be prevented by regularly patching vulnerabilities in applications and the OS – so check your policy today. Secondly, by using an anti-malware application for anti-virus, phishing, worms, rootkits etc. you can be protected, but, again, only if it is kept up-to-date. Finally, there is a set of guidelines created by The Jericho Forum which will help in this new deperimeterised world… watch out for more on this next week!

Phishing For The President

So today the US gets a new President – but I guess you know that! However, there has also been an increase in phishing around the event. Especially trying to sensationalize the news by indicating that Obama might not take up his post or similar. Remember, the sole goal of the phisher is to pique your interest and get you to click on a link – and then infect you with something to steal your confidential information. So, if you receive email, tweets, instant messenger alerts surrounding the president elect then think twice before clicking on them.

Scams TNG: Impersonating The Authorities

What happens when everyone knows your scam… you get a new one. Nigerian fraudsters are well known for their 419 scams whereby you can be conned out of a large amount of money (if you are foolish enough to believe the story to begin with)… but in this case, the next generation of fraud has occurred. The person fell for the original scam, but was then contacted by ‘the FBI’ to be told that it was a scam, only to be scammed out of even more money – as they weren’t the FBI after all.

Impersonation is a big problem (and always has been) and we trust people, especially those with badges and uniforms, too much – without necessarily verifying their identity properly. Their default reputation, or rather their job’s default reputation, is what gives them an air of authority and therefore puts us off our guard. So whether it’s a policeman or even just someone reading a meter, it pays to take a close look at their credentials – and if you are unsure, find another way to verify they are who they say they are. For meter readers, you can always ask them to come back another time and check with the utility company that they are an employee. For others, you can ask for a telephone number, or look it up yourself, and get verification. As for the FBI… well, I would expect the US Embassy would probably be able to verify (or not) whether they are real.

As one scam becomes well known, another arises… and as that is reported as being successful, so more people will try it… just be careful about whether people are who they say they are, whether it is in person or online.

Census Data A Data-Loss Threat?

So the 1911 census information has just gone online. For me one of the most interesting statistics was that the 11 million or so pieces of paper took up roughly 2km of shelf space… and now… well, to be honest you could probably get it all on an iPod – or at least all the transcriptions.

So, herein lies one of the issues we have with trying to create a culture around protecting personal information. When a record is physical, we can sort of see it as an individual, when it is reduced to a pile of bits and coupled with millions of other records, it becomes anonymous – and tends to be thought of in the same way as an MP3 music file. No care is given to where it goes and who sees it. Add to this that we talk about protecting what information is online about you, name, address, date of birth, mother’s maiden name and the publishing of this data seems at odds with what we are trying to achieve – a society that is careful about personal information. Hard to do when you can readily look most things up online.

It’s good to be able to check details, but it also becomes apparent that it would be useful to know who else is looking at the record – and why. If someone is looking up my record (I’m not in the 1911 census, by the way) and my mother’s maiden name, then why are they doing it – what might they be thinking of doing with it? Impersonating me? If it is so simple to do, then isn’t it now time for banks and credit card companies to stop using such information as a standard security question, and for us to start looking at other technology to prove you are who you say you are?

The State Of The Datacentre

Symantec has just released a new piece of research on the state of the datacentre. While much of the report is what you would expect – do more with less and go green, there are a few interesting indicators in there as well.

70% of companies outsource some tasks, primarily in order to give IT staff more time to concentrate on other things and to reduce cost. With all the talk of Software as a Service (SaaS) and cloud computing, this really points to it being a reality today, and with increasing functionality becoming available, it will only increase.

Training was also seen as being strategic and 80% see their training budgets rising or staying the same over the next two years. This is good news for all – with training, IT staff can remain up-to-date with the rapidly changing technology and increasingly complex IT environments they are having to work in.

Finally, Disaster Recovery (DR) is also in there, with only 42% of people thinking their plan was above average; furthermore, more than 20% said it needs work. Given how many natural disasters occur and that companies recognise that 25% of outages are from human error, I would have expected that DR would be in better shape. The introduction of new technology doesn’t help when it comes to keeping DR plans up to date, but it does need to be a part of the consideration when looking at new stuff. After all, if it gives business benefit today and you suffer an outage tomorrow, where does that leave your business?

Use Your Employees To Help Focus Security Spend

So, security spending is up in response to cybercrime - even in this time of economic downturn. However, it still needs to be targeted. Lost laptops, one of the most common causes of data loss, can be readily protected against using full disk encryption – but that won’t prevent people sending email to the wrong person. A great deal of spending (in IT in general) is done in a knee-jerk reaction to an event. Careful planning and an understanding of the risks and the consequences can focus the budget.

However, unless your staff are right behind you, it will be wasted, as they will work around any newly imposed security measures. So, the first stop should be to create a security awareness and education program – let them know the risks and consequences – and ask them what they would do. You might find that some subtle changes in processes will result in a more secure information environment with little to no outlay at all. Of course there will still need to be some outlay – however a holistic view of the problem from all areas will give the best ‘bang for the buck’.

All Twittered Out?

So, now Twitter has been targeted by the hackers and the phishers… are we surprised? No, of course not. Remember phishing is like an arms race and the first to implement an idea will win the battle (but not the war). We had a similar issue at the end of last year with cyber-criminals targeting social networking sites and just as that has gone off the boil, they have moved on to Twitter – that will reduce and then we will be onto the next thing… probably dedicated photo sharing sites, after that, well who knows. One thing is for sure, it will happen – where there are people there is money to be made. The more people, the more money.

It can be tough to spot a rogue URL when it purports to have been sent by a ‘friend’, but we need to continue to be vigilant and raise awareness. So, if you do follow a link and end up at a site that asks you to install something – don’t. If it asks you to confirm your username and password – don’t.

If your organization has a regular security education bulletin that goes out to staff then make sure this is included as one of the latest scams – if you don’t have regular bulletins, then send out a special one to remind people that these scams are doing the rounds and to be careful.

While we often think that social networking sites and other Web 2.0 collaboration tools are used by individuals rather than companies, the truth is that they are often visited while at work, and you really don’t want your work systems compromised any more than you would like your home PC to be.

Who Did That?

Bharrat Jagdeo, the president of Guyana has asked police to find out who has put up a Facebook site masquerading as him… I have written about the troubles of impersonation on social networking sites on several occasions before and the problem is that this is only going to get worse.

“On the Internet no-one knows you’re a dog”… and the same is true today, it’s just that today not only may you be a dog, but you also could be impersonating someone else. This has been true for a long while and so cracking down on chat rooms has been somewhat of a priority. However, we may now see renewed interest as the impersonators move on to government officials and celebrities, and more legislation and technology comes into being to prevent it from happening (quite so easily). Think of a celebrity and put their name into any social networking site and it will return multiple entries… OK, so if you are looking for John Smith then you will find many hundreds or thousands of entries, but the same is true for celebrities with more unique names. Herein lies the problem… your name is not you. You might think that it is, and unfortunately your friends might think that it is – but it isn’t. Anyone could have the same name or, if they really wanted to, change their name to be the same as yours.

There have been a number of relatively low profile cases against impersonators and hoaxers using social networking sites as their means to an end, but this will no doubt get worse before it gets better. 2009, with its gloomy economic outlook, may well be the time when fraudulent use of other people’s reputation takes off. In the meantime, you should keep an eye on your on-line profile and the associated reputation, and double check that what has just arrived from ‘a friend’ really has come from the person you thought it was – just to make sure that it doesn’t come back to bite you.