From: rakesh@sysman.in
To: rakesh@sysman.in
Subject: [CCCNews] CCCNews Newsletter - dated 2010 March 31
Date: Wed, 31 Mar 2010 17:25:15 +0530
March 31, 2010
Editor - Rakesh Goyal (rakesh@sysman.in)
In today's Edition - (This is a news-letter and not a SPAM)
SUBMISSIVE : CEOs resigned to a data breach in the next 12 months
RISK : Weak passwords stored in browsers make hackers happy
CHALLENGE : Constantly Changing Threats Challenge Cybersecurity Pros
HIDE : Organizations Rarely Report Breaches to Law Enforcement
IT Term of the day
Quote of the day
* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
--
You received this message because you are subscribed to the Google Groups "control-computer-crimes" group.
To post to this group, send email to control-computer-crimes@googlegroups.com.
To unsubscribe from this group, send email to control-computer-crimes+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/control-computer-crimes?hl=en.
--Forwarded Message Attachment--
IT and Related Security News Update from
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
March 31, 2010
Today�s edition ��
SUBMISSIVE : CEOs resigned to a data breach in the next 12 months
RISK : Weak passwords stored in browsers make hackers happy
CHALLENGE : Constantly Changing Threats Challenge Cybersecurity Pros
HIDE : Organizations Rarely Report Breaches to Law Enforcement
(Click on heading above to jump to related item. Click on �Top� to be back here)
SUBMISSIVE : CEOs resigned to a data breach in the next 12 months
29 March 2010
Research just released has come up with the fascinating premise that a large majority of CEOs are resigned to the possibility of their organisations suffering a data breach of some type in the coming year.
The study � sponsored by IBM and carried out by the Ponemon Institute � suggests that a radical rethink in the way businesses prioritise and plan their IT security strategies.
The survey took in 115 responses from CEOs at UK businesses and, says IBM, looked to get an idea of how companies are changing their IT security strategies in the face of a barrage of cyber attacks and high-profile data breaches.
The most interesting aspect of the research, Infosecurity notes, is that the average cost of each data breach was estimated at �112 per compromised record, and the average cost savings or revenue improvements resulting from data protection programmes totalled �11 million.
Equally interesting is that all the respondents to the survey said that their companies had their IT systems attacked at least once in the past year, with 77% saying they had endured a data breach at some point.
As a result, 76% of the CEOs said that they now view reducing potential security flaws in their business-critical applications as the single most important aspect of their IT security plan.
Commenting on the results, Larry Ponemon said: "In the face of growing security threats, business leaders are finally recognising that a strong data protection strategy plays a critical role to their bottom line."
"Once viewed as purely a technical issue, the responses garnered in our survey highlight a shift in how organisations are treating their investments in security software", he said.
RISK : Weak passwords stored in browsers make hackers happy
Insecurity complex still rife shock
By John Leyden
30th March 2010
http://www.theregister.co.uk/2010/03/30/password_security_still_pants/
Nearly a quarter of people (23 per cent) polled in a survey by Symantec use their browser to keep tabs on their passwords.
A survey of 400 surfers by Symantec also found that 60 per cent fail to change their passwords regularly. Further violating the 'passwords should be treated like toothbrushes' maxim (changed frequently and not shared), the pollsters also found that a quarter of people have given their passwords to their spouse, while one in 10 people have given their password to a �friend�.
Password choices were also lamentably bad. Twelve of the respondents admitted they used the phrase 'password' as their, err, password while one in ten used a pet's name. The name of a pet might easily be obtained by browsing on an intended target's social networking profile.
Eight per cent of the 400 respondents said they used the same password on all their online sites, a shortcoming that means a compromise of one low-sensitivity account hands over access to a victim's more sensitive webmail and online banking accounts. The survey respondents came from readers of Symantec's Security Response blog, who might be expected to be more security savvy than the general net population, though the survey shows many of them making the same basic errors that crop up time and again in password security surveys.
Symantec has put together its findings together with a list of suggestions for picking better passwords, a basic but woefully overlooked security precaution, in a blog post at �http://www.symantec.com/connect/pt-br/blogs/password-survey-results.
The net security firm advised computer users to pick a mix of numbers, letters, punctuation, and symbols when picking passwords. This may be derived from taking a memorable phrase and altering it by replacing characters with symbols, for example. Surfers should avoid personal information, repetition and sequences in passwords, Symantec further recommends.
CHALLENGE : Constantly Changing Threats Challenge Cybersecurity Pros
30 March 2010
Cybersecurity, a system of protecting data, computer networks and computers from intrusion, data theft and hijacking, is a moving target that changes moment by moment, while at the same time the medium and the way it is used by individuals and businesses evolves.
With business computing moving more and more online, whether through social media marketing, e-commerce or using Internet-based cloud computing resources, ranging from Google documents to distant servers, protecting systems from vandalism, theft and espionage is becoming a broader and more complicated notion.
�The whole concept of technology crime falls into the notion of the Wild West,� said Maria Fischer, founder of Bientech International, a local technical, scientific and professional services provider. �As it becomes more sophisticated, we have to pay more attention to small businesses because they can be used as a tool against larger companies and national resources. They are open doors for criminals to go through.�
Threats evolve as security experts strive to stay a step ahead of equally cunning and determined hackers, hijackers and spies, according to experts who say that the best criminals and spies are already using the existing defense software to craft new ways to get around it.
�The two core business communication channels are the Web and e-mail,� said Dave Meizlik, director of product marketing for San Diego-based Internet security company Websense Inc. �Most of today�s threats are blended attacks propagated on legitimate sites like Google, Facebook, Yahoo! and many others.�
Blended threats are a combination of the old line up of dangers. For instance, a phishing e-mail that takes the user to a corrupted legitimate Web site that carries a malicious script that attaches to the system and begins unobtrusively exploring the combined flaws of the network and software.
Slipping Through the Cracks
Vulnerabilities in software, Web browsers and operating systems are constantly being discovered and companies are designing and issuing patches for security flaws, but users don�t always stay up-to-date with the latest defense mechanisms. So the scripts slip in through those holes.
From inside, the script finds a way to steal a business�s data.
"They�re after specific organizations� most valuable assets: customer lists, employee data, health data and intellectual property,� Meizlik said. �They come in as scripts rather than files, and most anti-virus programs are still looking for files.�
Blended threats are rampant and frequently unreported. Meizlik points to a recent blended attack launched from Facebook � Justin Timberlake�s fan page among the victims � that infected up to a quarter of a million computers.
Fischer recalls receiving an e-mail shortly after shipping packages through United Parcel Service of America Inc. online that asked her to click and confirm that she�d placed the order.
"It was not legitimate,� she said. �But people don�t know how to report it or who to report it to. Businesses may recognize that it�s not right, but who do you call?�
Brendan McHugh, a San Diego County deputy district attorney, is someone who does get those calls.
"There�s a notorious amount of underreporting of the theft of data,� he said. �Most businesses think about the litany of problems reporting could create � the loss of reputation and credibility, and the liability � and decide there�s nothing to gain by reporting.
"If it goes unreported and un-investigated, the people who did it continue without significant repercussions,� added McHugh, who is also a project director for the Computer and Technology Crime High-Tech Response Team, or CATCH, a multi-jurisdictional task force covering San Diego, Imperial and Riverside counties.
Small Biz Susceptible to Attacks
One of the biggest sources of problems for small businesses is that their security systems (firewalls and virus software) are not sufficiently integrated into the software and operating systems, Fischer says.
"In smaller businesses where a permanent IT (information technology) person may not be present or maybe be overwhelmed with other tasks, employees are more on their own and are more at risk of acquiring viruses or malicious software and being hacked or having their identity compromised,� she explained. �It can become very time intensive, inefficient and costly to maintain adequate IT security for a small business, and lapses in security are much more likely to occur without anyone noticing until the damage has already happened.�
Computer networks in San Diego, home to a large military presence and defense contracting community, compounded by a startling amount of wireless, bioscience and medical innovation projects under way, are also a target for espionage.
"The Internet is God�s gift to spies,� said Alan Paller, director of research for The SANS Institute. The institute is a leading cybersecurity training organization based in the Washington, D.C., metropolitan area that reaches 165,000 security professionals each year. �There are at least 100 countries actively doing cyber-espionage. Thousands of companies have been attacked, even though we�ve heard only of hundreds.�
Paller recounted the story of how, in November 2007, the head of The Security Service, the British spy agency known as MI5, sent letters to the 300 largest businesses in the United Kingdom, telling them that if they do international business, their computers, their lawyers� computers, their accountants� computers are being compromised by hackers.
"The managing partner of a large U.S. law firm contacted the Federal Bureau of Investigation to report that every single document in the firm�s electronic files had been taken,� Paller said.
"Their client had been raided by the Chinese or people working for them and they were after the playbook for negotiations,� Paller said. �They raided every adviser they could identify to get that playbook and gain a radical advantage in negotiations.�
San Diego defense and military businesses, including SAIC, are most certainly targets, Paller says. SAIC, a scientific, engineering and technology applications firm, did not return calls for comment by deadline.
"SAIC is a very high-priority target because of the amount of sensitive work they do,� he said. �When you are a high-priority target, the bad guys do not fail.�
Developing Advanced Protection Tools
Defense contractors, including Accenture and Kratos Defense & Security Solutions Inc., are developing and using advanced tools that meet U.S. Department of Defense specifications to protect data.
Jim Wangler, who was the CEO of Maxim Systems Inc. when Accenture acquired it, says the best approach is a dynamic one.
"The idea is to be in a position to identify threats before they penetrate the system,� Wangler said. �We have a background technology that runs on the Web that proactively identifies threats.�
Wangler says that the health industry, which increasingly has an online presence, the pharmaceuticals industry and defense companies will continue to drive the corporate cybersecurity industry as they try to protect more data from unauthorized access.
While penetration from hostiles is a major concern, whether it�s thieves searching for credit card numbers, spies seeking trade secrets or teen hackers looking to prove themselves, the most treacherous threats often come from within.
"I can�t tell you how often I get a call from someone who says, �We had to lay off our IT guy last week and now our Web site and all our software is locked down. Could that be connected?� � said McHugh, from the district attorney�s office. �People are very thorough securing their physical property, locking up the doors every night, but they don�t worry about the Etch A Sketch thing on the desk � until they can�t access their own data.�
HIDE : Organizations Rarely Report Breaches to Law Enforcement
Meanwhile, FBI says it's making the process more private and more of a two-way street
Mar 30, 2010
By Kelly Jackson Higgins
DarkReading
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200824
Most organizations hit by breaches that don't require public disclosure don't call in law enforcement -- they consider it an exposure risk, with little chance of their gaining any intelligence from investigators about the attack, anyway.
FBI director Robert Mueller has acknowledged this dilemma facing organizations that get hacked, noting in a speech at the RSA Conference last month that disclosing breaches to the FBI is the exception and not the rule today. But the FBI will protect victim organization's privacy, data, and will share what information it can from its investigation, he said, rather than continue with the mostly one-way sharing that organizations traditionally have experienced when dealing with the FBI.
Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe, says different companies have their own rules about reporting to law enforcement. "[Many] won't talk to law enforcement without an NDA [non-disclosure agreement]," says Terrell, who was speaking on behalf of the Council. "The FBI has a hard time signing it. That hasn't been successful so far, so sharing with the FBI has been minimal."
He says the feds have their own communications "protocol" for sharing classified information, but they don't have a standard and confidential way to work with the private sector on breach investigations. And until the feds can work with NDAs, there won't be much back-and-forth between companies and these agencies about breaches, he predicts.
Acting deputy assistant director for the FBI's Cyber Division Jeffrey Troy says it helps the attackers if companies aren't disclosing breaches to the FBI or law enforcement. "We are most concerned with gathering that information and sharing it with everyone else [affected] so we can harden the systems," Troy says. "If you are not telling us you have been penetrated ... that [may be] another attack vector we can't protect everyone else from.
"It's to the advantage of the bad guys if you don't share that information. We're trying to get people to understand that."
Troy says the bureau has had breach cases where it collected evidence of attackers getting into hundreds of companies. "They [the victims] hadn't come to us and told us, but we found the evidence because we caught the hacker that did it. You may not come to me, but it's likely I'm going to come to you."
Security experts and forensics investigators say the best way to defend against targeted attacks as well as other breaches and help unmask who's behind them is to gather and correlate attack information among various victims. Connecting the dots also helps companies defend against similar types of attacks. The unprecedented voluntary disclosure earlier this year by Google, Adobe, and later, Intel, that they were victims of targeted attacks out of China demonstrated how victims can benefit from collaboration with one another and law enforcement. But security experts say Google and Adobe's disclosures were an anomaly rather than a trend.
Companies hit by breaches where customer information or credit and debit card numbers weren't exposed aren't necessarily required by law to go public about the hacks. So rather than suffer bad PR or stock market ramifications, they merely keep quiet. JC Penney, for instance, reportedly fought but ultimately lost its bid to keep its name secret in the recent trail of convicted Heartland Payment Systems hacker Albert Gonzalez. While JC Penney's computer system had been breached, prosecutors said the government didn't have evidence that any payment card numbers were taken. Wet Seal was another retailer also hit by the attackers, but there was no evidence card numbers were taken from its system, either.
Those companies that do voluntarily report attacks to law enforcement sometimes suffer productivity issues as well as worries of bad publicity. Some that have voluntarily tried to work with law enforcement have had their data centers confiscated, hampering their day-to-day operations while the FBI finishes its investigation.
"We've seen where the FBI has gone in and cleaned out data centers. How do these companies recover?" says Patricia Titus, chief information security officer for Unisys Federal Systems and former CISO for the Transportation Security Administration (TSA). "They need to get back up and running versus protecting forensics data" for the FBI, she says.
"Where's the incentive" for reporting to the FBI? Titus says. "Companies are in business to make money and stay up and functioning."
New IT Term of the day
pop-up blocker
A pop-up blocker refers to any software or application that disables any pop-up, pop-over or pop-under advertisement window that you would see while using a Web browser. Some pop-up blockers may try to close all pop-up windows, some may remove all advertising from a publisher's Web site, and still others may help you choose which pop-up windows you want to be closed with block list feature.
Are right and wrong convertible terms, dependant upon popular opinion?
William Lloyd Garrison
(1805-1879)
Note -
- As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
- If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also needs this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
- If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
- If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
- Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.
The battle for the FIH Hockey World Cup Drag n' drop
Posts
No comments:
Post a Comment