1 Server, 3 Weeks, 1.4GB Personal Information
A server was found this week chock full of personal information - 1.4GB of personal information. The information had been stolen from around the world and included health records and email - and within the email there was even more information relating to contacts, account details, pension savings plans (401k) and so on… 1.4GB can house a lot of useful information.
This server was quite a find… but it is not alone: we see compromised servers which receive stolen information every day, and there are a lot of them. OK, so most don’t have 1.4GB but they do contain tens of thousands of pieces of information. The latest Internet Security Threat Report (ISTR Vol. XIII, April 2008) reported more than 60,000 bot-infected computers per day (a 17% increase over the previous 6 months). These aren’t all collecting information - most are sending it out (spam, phishing, DoS, …) - however, some of them are. It also highlighted that of the 54,609 applications installed, 65% were malicious.
So (and I’m starting to sound like a broken record)… if you value your information and something asks to install itself, especially in your web browser (where it is known as a plug-in), be very sure that the source of the request is valid - if not, then just click away.
It’s Out Today…
Symantec released its Internet Security Threat Report (ISTR) today. This is volume XIII and as per usual there are some interesting numbers in there - you can download the report from symantec.com. The data is collected from the Global Intelligence Network which operates in 180 countries with more than 40,000 sensors and 2,000,000 managed dummy email accounts.
Some of the new metrics are:
- Malicious attacks on ISPs. These are targeting new subscribers who perhaps don’t have the security on their machines that they should.
- Site specific cross-site scripting. Targeting well known sites with invisible changes which download trojans onto unwary visitors’ machines. This is now the most common attack.
- Malicious code which modifies web pages. This is on the increase - and is making it increasingly difficult for the visitor to distinguish a real site from a fake one.
While there is no silver bullet to prevent this from happening - the main watchword is caution. If a site is asking for more information than you are willing to give (do you really need to give your birthday or mother’s maiden name - to any website?) then navigate away unless you are sure that there is a genuine reason for them to have it. Social network sites are springing up and some are not all that they seem to be - just be wary. Also, make sure that you have a personal firewall, anti-virus and an anti-phishing toolbar installed and up to date.
I will post some more articles over the next week - highlighting some of the other interesting data points that the report has shown up.
In the meantime hear my views on a podcast: http://www.bitebroadcast.com/symantec/istr08_01/
What Price Information?
In the latest release of the Symantec Internet Security Threat Report we have an update on the price of information. Perhaps one of the most scary aspects is that you can now get volume discounts!
Top of the list are bank account and credit card details which range from 20p to £500. Next are full identities which come in at between 50p and £7.50 - while these do not give instant access to money they do enable cyber criminals to apply for bank accounts and credit cards in the victim’s name and then perpetrate the fraud without the victim knowing… until they find they have lost their credit rating due to bad debts.
Also making it to the top 5, for the first time, are eBay accounts, which go for between 50p and £4. This shows that all information is worth money to someone (further down the list are gaming accounts, social network accounts and others). So… if you have information that you think is valuable to you then it is probably of value to someone else - protect it wisely.


