Friday, 24 July 2009
FSA fine HSBC £3M over data breaches
Following an investigation HSBC have been fined £3M by the FSA for repeated incidents of sending large quantities of unencrypted personal data in the post!
There are two clear lessons here: systems need to be designed to prevent unencrypted data being dumped onto removable storage, and all staff need awareness training so they know that posting disks full of data is akin to posting envelopes of cash.
Lucid Intelligence live with database of 120 million stolen records
We reported on the Lucid database before and now it is up and running. It enables you to search the millions of records they have obtained from sales of stolen data on the web. This allows you to get an idea as to whether your personal information has been compromised.
There are questions surrounding data protection of this database, and potentially the ability to obtain details about somebody else by using its search.
SMBs can't keep up with ITSec in tough times
Probably not a surprising article but an important one nevertheless.
If you are an SME and have reduced your ITSec spend it is time to think smarter. It may seem a little strange to advocate more spending, but a full (independent) review of legacy systems, procedures and cost centres often reveals significant savings.
We understand the pressures on SMEs (we are one!) but also understand the consequences of ignoring significant exposure. Security spend can only be justified against a threat and risk analysis (just like an insurance policy). If the exposure is too big to accept, suitable measures must be implemented (head in sand is not an option).
For impartial advice contact us.
Wednesday, 22 July 2009
Laptop repair shop exposed - essential viewing
In a long overdue journalistic endeavour Sky sent in an undercover reporter to several laptop repair shops with a simple known fault and a laptop loaded with spy software to see what the repair shops got up to.
It will come as no surprise that they trawled through files and folders, attempted to access online banking accounts and more.
There is something important to understand here. You simply cannot give a computer to an unknown repair agent. Your laptop is not the same as another appliance as it is far more than just hardware. It is akin to inviting a person to repair your office and letting them take all your bank books, photos and diaries off premises for investigation.
So what can you do? Some ideas include: buy laptops where you retain ownership of the hard drive, so in the event of a repair you keep your hard drive; create a second login called 'guest' with no data on it and only allow repair agents to use this login (please note this is not foolproof); establish a relationship with a respectable repair company and have them sign a privacy/NDA type contract. If you need help keeping your data private contact FaberBrent.
London Borough of Wandsworth has as many CCTV cameras as Dublin City Council, Johannesburg Police Dept, Boston Police Dept and Sydney City Council combined!
A new BBC report on actual numbers of CCTV cameras in the UK makes for interesting viewing.
The much bandied 4.4M UK cameras number is very questionable and is more like 3.2M (still quite a lot!). The original figure was calculated by using Wandsworth as an average!
UK Phone Tapping plans prove unworkable under current legislation
During secret testing Gordon Brown's proposed use of phone tapping has been shown to be unworkable under current legislation.
A mock trial was run and the validity was examined. In quotes attributed to Sir Paul Kennedy, the Interception of Communications Commissioner, he said that under RIPA there were "real legal and operational difficulties" and that he would "welcome the Government's acceptance that intercept as evidence should not be introduced".
Sunday, 19 July 2009
£3 Million scam rocks the Royal Protection Police
A former royal Protection officer Paul Page was found guilty on Friday of committing a £3 million scam revolving around an investment fund.
The really shocking thing here is that at least 20 SO14 (the police Royal Protection Command) officers were investing in the fund, yet none of them performed any due diligence or questioned how Page could pay cash returns on property investments that had not yet matured.
In a tale worthy of a Hollywood movie the court heard of brown envelopes of cash, bank transfers to strangers' accounts and multiple death threats.
One would imagine Her Majesty was not amused.
Saturday, 18 July 2009
Chateau Pétrus, Lafite-Rothschild and what you need to know about your alarm system vulnerabilities
A French wine thief has been caught during his second robbery of top Paris restaurants' wine cellars.
Our interest in this story was almost lost in the copy, but there is a very important bit of information for many people.
"Police found gloves and mobile telephone scramblers used to disable the restaurant's alarm systems."
"mobile telephone scramblers"... these are better known as jammers: basically a small hand-held device that transmits radio noise on cellular frequencies, causing nearby phones to drop to 'no service'. Why is this important? Well, an increasing number of our alarm systems are using GSM as a back-up to alert the police of an alarm (indeed a number of them advertise 'GSM protected' on their front panel!).
We have been advising our customers for a long time that this is a very poor method of alarm backup, as it can be defeated by a £50 jammer which is freely available, although almost certainly illegal to turn on (info here, here and here).
I wonder when the alarm companies will take this seriously and stop just pushing product?
If you are concerned about asset protection be sure to engage a specialist independent audit of your systems and procedures.
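A defensive counterpart, added here as an illustration and not something the post or any alarm vendor describes: a monitoring centre that supervises the GSM path with periodic panel heartbeats, so that the silence a jammer produces is itself treated as an alarm condition rather than going unnoticed. The panel timings, the polling interval and the tolerance for missed beats are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GsmPathSupervisor:
    """Tracks a panel's periodic 'I am alive' heartbeat over the GSM path.
    Jamming (or a cut line) makes the panel go silent, so silence is the signal."""
    interval_s: float                  # heartbeat period the panel is configured for
    missed_allowed: int = 2            # tolerate this many missed beats (network hiccups)
    last_seen: Optional[float] = None
    alerts: List[str] = field(default_factory=list)
    _alerting: bool = False

    def heartbeat(self, now: float) -> None:
        """Panel reported in; clear any outstanding path-loss alert."""
        self.last_seen = now
        if self._alerting:
            self.alerts.append(f"{now:.0f}s: path restored")
            self._alerting = False

    def check(self, now: float) -> bool:
        """Monitoring-centre poll. Returns True while the path is considered lost."""
        if self.last_seen is None:
            return False
        silence = now - self.last_seen
        lost = silence > self.interval_s * (self.missed_allowed + 1)
        if lost and not self._alerting:
            self.alerts.append(
                f"{now:.0f}s: no heartbeat for {silence:.0f}s, treat as jamming/line fault")
            self._alerting = True
        return lost


def run_scenario(beats, check_times, interval_s=60.0, missed_allowed=2):
    """Replay constructed heartbeat and poll times in order; return the alert log."""
    sup = GsmPathSupervisor(interval_s, missed_allowed)
    events = sorted([(t, "beat") for t in beats] + [(t, "check") for t in check_times])
    for t, kind in events:
        if kind == "beat":
            sup.heartbeat(t)
        else:
            sup.check(t)
    return sup.alerts


# Constructed scenario: the panel beats every 60 s and falls silent after 300 s
# (jammer switched on); the monitoring centre polls every 30 s.
BEATS = [0, 60, 120, 180, 240, 300]
CHECKS = [30 * i for i in range(1, 25)]   # 30 s .. 720 s

if __name__ == "__main__":
    print("\n".join(run_scenario(BEATS, CHECKS)))
```

With two missed beats tolerated, the centre raises the fault at the first poll after 180 s of silence, i.e. before the thief has finished in the cellar, rather than never hearing from the panel at all.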
ID's for sale - 4 million UK to the highest bidder
The Times are reporting that there are currently 4 million British IDs for sale to the highest bidder on the internet.
This problem is only going to get worse.
The best advice we can give individuals to minimise the impact of credit-card theft is to keep one credit card exclusively for use on-line. Set a low limit and monitor your statements closely.
If your business involves people's personal data, take your security seriously and contract external security experts (it is not reasonable any more to say 'I thought my IT guys took care of it'). Contact us if you need help.
Australian cops treating unprotected wifi networks as crime risks - plod-driving is born
In Queensland Australia police are hunting for unprotected wifi networks and advising owners as a crime-prevention measure.
Thursday, 16 July 2009
Watch out for unknown and spoof wireless hot-spots
A good article from Fox News reminding us of the danger of unknown (or believed known) wireless hot-spots. If in doubt, do not use.
Tuesday, 14 July 2009
UAE BlackBerry update full of Spyware!
The Etisalat network in the United Arab Emirates has pushed out a BlackBerry update that apparently contains spyware that can intercept emails and messages.
Apart from the obvious concerns, it makes us wonder what happens if you are just visiting (and roaming) and then return to your home country. Will the UAE continue to be sent all your info?
RIM - are you going to comment?
IronKey USB Drives - the best just got better
If you care about the security of your mobile data we have yet to find a better solution than IronKey. These are the only USB drives we use and the only ones we recommend, and we are not alone; take a look at this review.
Not wanting to sound like an advert, but if your data is worth more than $100 get one.... or several; they have enterprise-level software control.
SMS TXT message phishing - next big scam, you need to know about this.
You receive a text like this....
You call the number and hear "Thank you for calling Abbey National, this call may be recorded for security and training purposes. We need to perform some security checks, please enter your card number followed by the hash key, please enter the 3 digit number on the back of your card followed by the hash key, please say your 'security' password......."
I think you get the idea.
The best way to protect yourself is to keep the real service numbers for your various accounts pre-programmed in your phone memory so if you receive a text you can call up the genuine security centre and validate (or not) the text.
New threat claimed, Keylogging via mains voltage emissions.
Two security consultants have claimed that they have developed a system for monitoring the variance in mains ground current to monitor keyboard strokes.
They say they can do this on a mains socket up to 15 meters away from the target computer for a hardware cost of $500. They are planning to demonstrate the device at the BlackHat 2009 conference at the end of July. We will report back on the results.
Shocking drive-by reading of RFID tags on passports, drivers licences, credit cards and more...
Clear and scary demos of how easy it is to read various RFID chip based devices in people's pockets while driving or walking down the road.
This has very serious implications for cloning pass-cards (to gain entry to buildings) and tracking/identifying people on the move.
cloning video here...
electronic pick-pocketing here...
SpyPhone Software released for iphone 3GS
If you do not already know about SpyPhone software you need to take a look at our guide.
This software converts your mobile into a surveillance device and is designed to be invisible on the victim's phone.
The latest phone to be affected is the iPhone 3GS.
To protect your iPhone go to Settings / Restrictions / Installing Apps and switch it off. You do, of course, have your pass-code lock on.
If you are concerned you may already be infected back up your personal data (not apps) and perform a factory reset.
SpyPhone software guide here...
Connectivity, the controversial mobile directory, is down but not out....apparently
The much debated 'Connectivity' mobile phone directory has been down pretty much since its launch.
A barrage of complaints about the opt-out only nature of their data (and a barrage of requests to de-list numbers) appear to have had an effect. Of course (and according to the company) this is nothing more than early technical problems and all will be well soon; we shall see.
We suspect this service will succeed or fail based on public opinion of what is (in any real-world translation) an opt-out system; at the moment it is not looking good.
Saturday, 11 July 2009
70% of UK orgs hit by a data breach in the last 12 months
A new survey of 615 companies and public sector organisations has shown that 70% have experienced some kind of data breach in the last 12 months.
It appears (not surprisingly) that the biggest problem is lack of encryption.
Once again we say, encrypt all mobile storage now!
Trading system secrets stolen by former Goldman Sachs employees
In a rare example of public disclosure the FBI arrested an employee of Goldman Sachs who is accused of stealing computer code used for complex, high speed market trading.
The activity was detected by GS's automated monitoring systems that scan email for any transfer of code.
The suspect was on $400,000 a year, which makes one wonder how much the code is worth?
Would you know if your employees were stealing data? If your answer is no, or don't know, contact us for help. Check out our Drilling info for some ideas.