Seems like it would have been much cheaper to encrypt them in the first place!
Sunday 31 May 2009
Update - $50,000 reward offered for missing White House disks
Following our previous story it has now been revealed that there is a $50,000 reward on offer to recover the missing Clinton administration disks.
Massive NYC ID and banking scam busted - Bank insiders to blame
A major corporate identity theft ring has been broken up by police in New York.
The gang used insiders working in major banks (including JP Morgan Chase, TD and HSBC) to provide a stream of stolen data.
Once again we see an insider threat realised into a serious crime. If you want help covering the 'insider threat' due diligence within your organisation contact FaberBrent for specialist advice.
Thursday 28 May 2009
109,000 Pensions Trust records lost
Once again a huge amount of peoples data goes walking out the door on a stolen laptop.
The laptop was stolen from the company that developed the database for Pensions Trust. Data included: addresses, NI numbers, salaries and bank account details. In an all too common pattern the data was not encrypted.
It is key that if you are entrusting third-parties with your customer data that you specify the security level, and audit rights to ensure observation.
"Screensavers" is the web's most dangerous search, also watch out for "Jonas Brothers"
A new piece of research by McAfee has listed the search terms most likely to direct you to a site with malicious code.
In some circumstances more that half of the search returns for 'scrensavers' were dangerous sites.
If you browse the web you should read this.
Monday 25 May 2009
Stolen RAF hard drives contain senior staff vetting data including drug use, debt and use of prostitutes!
Three hard-drives containing sensitive information went missing from RAF Innsworth last September. The loss of these drives was made public but it has only now become apparent the extent of the information on them.
The data included security vetting information on senior officers. This included (down to fine detail including names, dates, times and places) information regarding drug use, extra-marital affairs, debt, use of prostitutes and medical conditions.
Once again these disks were unencrypted. We say ENCRYPT ALL PORTABLE DATA NOW.
Information Commissioner threatens NHS over thousands of lost medical records
The Independent have lead today with the ongoing pile of serious data breaches by the NHS (we have reported on several of these).
The Information Commissioner has threatened fines and other sanctions against the guilty parties.
We feel that fines will only take away from patient care and the only true deterrent for senior management is ultimately the possibility of a custodial sentence (a la Health and Safety legislation). Only then will we see Public Sector management take this problem seriously. There is a strong argument for a Disclosure Law which is an effective deterrent for the Private sector, but it will have no impact on which NHS trust you use as most NHS patients have to use whichever service falls in their geographic area.
If you run a public or private medical practice and need impartial advice on how to keep your patient data both accessible and secure contact FaberBrent.
Sunday 24 May 2009
UK to go live with full network of cctv vehicle tracking via APNR
It has been coming for a long time but it now looks like we are about to go live with possibly the most aggressive general intelligence gathering tool in the western world.
Many of us have noticed the ever increasing number of matt-black banks of cctv cameras appearing at road junctions. These are all part of the APNR (Automatic Number-Plate Recognition) system. These combined with existing local authority cctv networks make up a formidable array of cameras.
The software allows the tracking of all vehicle number-plate movements. It is a tremendous tool for addressing general automotive crime but there are some very considerable questions unanswered. There have been no published guidelines as to the who, what and where's regarding accessing the data. The second big question is what this means in court. Does it follow the 'speed-camera' model of definitive evidence, where you are guilty unless you can prove your innocence?
Thursday 21 May 2009
Bill Clinton's misssing hard drive - 1TB of data unaccounted for
Over 1 terabyte (1000 gigabytes) of data is missing on a lost hard-drive from the Clinton administration.
This data includes personal information about senior politicians and their families.
The drive was stored in an unsecured archive area where 100's of people had access including cleaners and visitors.
The problem of disposing of hard-drives and securely archiving data is a significant challenge.
House of Lords surveillance concerns rejected by UK Govt
A detailed list of concerns and recommendations regarding the very high quantity of surveillance undertaken by the Government has been rejected.
The House of Lords Select Committee reported back in February that over-surveillance was breaking the trust between Government and the people.
The House of Lords Select Committee reported back in February that over-surveillance was breaking the trust between Government and the people.
Wednesday 20 May 2009
So called "secret questions" are too easily guessed
We will see this week a new study showing how vulnerable our "secret questions" actually are.
Town Centre CCTV has little effect on crime
Home Office funded research shows what most security experts already knew. CCTV is not (and never was) a cure-all for the urban crime environment.
It can be very effective when used correctly for a specific purpose, but anyone who has ever tried to use cctv to identify suspects will know most cameras are defeated by a baseball cap.
Hundreds of millions of pounds have been spent on urban cctv systems in recent years with very little solid data on it's effectiveness (but sure looks impressive when you see a control room with walls of screens). If you have a legacy cctv system and want to know if it doing all it, can contact us for impartial advice.
Austrian Government hide security vulnerabilities in Citizen Card
It has been revealed that the Austrian government has known abouut security vulnerabilities in its Citizen card since 2006.
The real issue here is not that there are vulnerabilities in this system but to understand there are vulnerabilities in all systems. Therefore no single ID system will ever fix the security challenges they profess to address. A legitimate ID card is simply that, a legitimate card. It does not mean the person holding it is legitimate or the data on it is genuine. UK ID card fans please take note.
Personalities most likely to be victims of scammers
A new study by the Office of Fair Trading (OFT) has identified the 20% of people most likely to fall victim to scams and cons.
A very interesting study showing that likely candidates were often successful business men and people with extensive experience in the area the scams were targeted.
It is human nature that we can fall victim to cons (especially in a pressurised business environment where we encourage people to take any advantage) but this can be very costly if it is your companies funds or data that are the ultimate target. The two pillars to mitigate your risk are systemic controls and staff education. If you are concerned and need help contact FaberBrent.
Could GPS fail?
The Global Positioning System (GPS) is a free satellite service run by the US military.
Whilst it seems very unlikely there is a real problem it is an interesting to think of how many companies and individuals are reliant on a service with no contracts, SLA's or comebacks. One could imagine that this story is more about fundraising than anything else.
Tuesday 19 May 2009
Secret taping in Valeo boardroom by former Chief Exec
Accusations and denials are flying regarding the 'secret' recording of boardroom meetings at major French car parts manufacturer Valeo.
Thierry Morin, the former chairman and chief exec does not deny the recording system but claims it was "unthinkable that no one else was aware".
Thierry Morin, the former chairman and chief exec does not deny the recording system but claims it was "unthinkable that no one else was aware".
French Radio station RTL says that digital recording devices connected to the boardrooms conferencing system automatically activated when the mics switched on. The memory cards were then covertly removed after the meeting. Sounds a lot like a bugging device to us.
Conferencing equipment is a major vulnerability to your business privacy. It doesn't take much imagination to understand that several high-sensitivity microphones connected to a phone line (in other words a conference phone) can easily be manipulated to record/broadcast all of your meetings. Look out for the warning signs and contact FaberBrent to find out how to mitigate this risk.
Teens see hacking as a casual pastime
A report of 4000 14-18 year-olds shows some very surprising data.
20% have some 'advanced' hacking knowledge and a third of them sat they have used it.
66% say they have successfully hacked instant messaging and/or social networking accounts of people known to them.
Even allowing for teenage braggadocio these are still significant figures. What will it mean as this generation grows up?
Monday 18 May 2009
Controversial children's database ContactPoint launches today
The government today launched ContactPoint, the much debated and delayed database of children's information.
The idea of the database is to allow all agencies involved in children's welfare to share information. There has been a very mixed reception to the database from child welfare bodies and charities.
Our fear is with the current track record of major government IT projects it is only a matter of time before the first breach/failure of the system, lets hope we are proved wrong.
MoD loses 32 computers and 20 USB memory sticks so far in 2009!
Some pretty shocking numbers that seem to have got very little press.
In the first 131 days of 2009, 4 desktop and 28 laptop pc's are missing from the MoD. Additionally 20 USB devices are missing. No mention is made regarding data but one could probably assume that at least some of these 52 devices contained sensitive information.
Saturday 16 May 2009
Financial districts are wide open for Wifi hacking
A new survey of 6 US cities and London discovered an alarming number of unsecured and poorly secured wireless networks.
A shocking 57% had either no encryption or were using the older WEP system that can be easily cracked. If you want to know how to secure your systems contact FaberBrent.
Friday 15 May 2009
Another reason why you should never use pirate software
Whilst I am sure none of you ever use pirate software, can you say the same for your employee's or children.
Apart from the legal and moral issues there is a very real threat of compromising your data from malicious code.
A recent pirate release of Windows 7 contained malicious code to build a bot-net army and was infecting more than 200 machines per hour.
10,000 medical records may have been compromised
Police are investigating a string of identity theft cases that all appear to have a common thread; the victims all had records at Johns Hopkins hospital in Maryland.
Once again the breach appears to be caused by an insider threat.
$500K netted in NYC ATM fraud
It seems that we still do not close the doors even when a threat is well known.
Another skim and cam ATM fraud has been committed in NYC netting $500K.
Intelligent CCTV to spot retail fraud
StopLift Inc are trialing a new system that claims to be able to mathematically spot the signs of "sweethearting". This is when the checkout person obscures the bar code of some of the items, passing them free of charge to their accomplice.
This sounds like quite a challenge for a piece of software and the accuracy of its decision making will be under great scrutiny but there can be no doubt that we will see more behaviour based CCTV systems.
EU looses nerve for data breach disclosure law
The EU have been unable to agree a new disclosure law. Even though this legislation was only for communication and Internet providers they were still unable to reach an agreement.
We say DISCLOSE ALL DATA BREACHES NOW, the campaign starts here.
Despite increase in cases there is no increased budget for e-crime unit
Once again the goverment demonstraits that it puts no priority on our privacy by refusing to increase the budget for the (already underfunded) Police Central e-crime unit.
Social engineering and confidence tricks - the easiest way to obtain passwords?
This is a great article on the BBC showing how easy it is to obtain passwords and other confidential information by using basic social engineering and confidence tricks.
A recent report by PGP showed that 70% of all data breaches were down to insider failings, not outside hackers.
Sunday 10 May 2009
Scope Phase II scrapped - multi-million pound secret IT communications system scrapped by British government
It has been revealed that the government have had to scrap another major IT project. This one was a secret communications network called Scope and the plug has been pulled during the attempted implementation of phase II.
Friday 8 May 2009
US top secret missile defence system details on EBay hard drive
For the fourth time BT's information research team have carried out a random study of second-hand computer equipment to see if there is any significant data to be retrieved.
Some of the data found included patent medical records, security logs from embassy's, trading figures for a major fashion house and automotive manufacturer and details of a 50 billion proposed currency exchange.
Companies still do not grasp the importance of hard-drive disposal, if you need help contact FaberBrent.
Wednesday 6 May 2009
Medical details hacked and held for $10 million ransom
In a shocking (but inevitable) development of cybercrime, a criminal group have claimed that they have stolen and encrypted 8.3 million patient records from the Virginia government.
Whilst this claim remains unsubstantiated at the moment (including claims they have stolen their back-up data) there is no doubt that this type of crime will increase.
1,258,862 email addresses; 1,235,122 windows passwords; 8,300 banking login's...this is what the Torpig botnet achieved in 10 days
The University of California took control of a well known botnet for 10 days with some shocking results.
They were monitoring over 180,000 hacked computers and this gave a facinating and very worrying insight into the data that the criminals have access to.
Yet another call for mobile data encryption
Computing magazine have written a full article calling for the encryption of all public mobile data storage.
Lack of security awareness and training is the cause of most data breaches
At Infosec 2009 John Colley (managing director of ICS2) confirmed what we have been saying for a long time; the biggest risk to information security is people, not systems and the most effective thing you can do to minimise this risk is to educate.
Sounds like he has been reading our recent article on Security International.
Sounds like he has been reading our recent article on Security International.
Tuesday 5 May 2009
Wire-free wiretaps
More information from the recently released 2008 wiretap report from the US.
Interesting analysis shows the trend away from traditional monitoring to far more prolific and successful wireless surveillance.
1 million social security numbers stolen from a car!
Some things in life are challenging and some things are easy.
Knowing that you must never leave your laptop in an unattended vehicle as there is a high risk of theft is basic. Carying a laptop with no significant security measures containing 1 million social security numbers is criminal.
Knowing that you must never leave your laptop in an unattended vehicle as there is a high risk of theft is basic. Carying a laptop with no significant security measures containing 1 million social security numbers is criminal.
Sunday 3 May 2009
Government moving ahead with total Internet monitoring
So once again we have been misled by our spin orientated goverment.
Dispite Jacqui Smith making public statements about scrapping a central database to monitor all email and communications traffic it has been revealed (although not a supprise to some of us) that GCHQ's 'Mastering the Internet' or MTI program is already 1 year in, and costing £1 billion over 3 years.
Dispite Jacqui Smith making public statements about scrapping a central database to monitor all email and communications traffic it has been revealed (although not a supprise to some of us) that GCHQ's 'Mastering the Internet' or MTI program is already 1 year in, and costing £1 billion over 3 years.
This program is effectivly creating a master database by installing monitoring systems at ISP's and network hubs.
This contract has been split between Lockheed Martin and Detica who are all bound by the OSA (Official Secrets Act) not to reveal details; but for some reason GCHQ saw fit to place a job advert whose tasks include “operational responsibility for the ‘Mastering the Internet’ (MTI) contract”
Subscribe to:
Posts (Atom)
Posts
