Posts Tagged ‘Identity Theft’

Network-Based IDS/IPS and Their Value and Challenges in the Current Market

Thursday, June 3rd, 2010

I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment.  These were some of my responses:

What are the greatest challenges now?

  • Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.
  • Additionally, more and more hackers are using malware to do their dirty work for them rather than the traditional inbound attacks where IDS/IPS systems are most effective.  If the hacker can get malware onto the internal system, it renders IDS/IPS systems useless.  This is why methods to install and spread malware have absolutely exploded, especially malware websites (although this is just one of several methods).  Once malware is installed on the local system, the bad guys can create encrypted tunnels back to their command and control networks.  IDS/IPS systems cannot read encrypted packets, so essentially all of this happens “under the radar” of traditional security solutions.

Which industries are most/least vulnerable?

  • Any industry that houses valuable data is always a greater target.  This includes anything that can assist the hackers in identity theft or fraud.  Usually this means companies that house financial data or personally identifying data.  So, banks and healthcare providers are at the top of the list.

What are myths and realities about some of the current strategies and solutions?

  • Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out.  A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.


What are the key points you want to make in this interview?

  • See the answer above to myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems is through a next generation HOST-BASED intrusion prevention system.  Rather than network-based systems that can be bypassed or subverted, HIPS can be installed directly on the system you are trying to protect.  It can protect it at a much higher level than traditional network-based solutions.  It combines signature matching capabilities with behavioral techniques.  When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries.  And, don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems that, if they were compromised by a hacker or were unavailable for a period of time, would be problematic for your organization.
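As an added illustration of the two points above (an encrypted tunnel that a network sensor cannot inspect, and a host-based system that pairs signature matching with behavioral rules), here is a small example of how a HIPS-style rule engine evaluates process events. This is example code written for this page, not a product or the author's own software; the event format, the hash denylist and the sample events are all constructed for the example, and the hash value is a placeholder rather than a real indicator.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ProcessEvent:
    """One host-level observation: a process start plus, if any, its first outbound connection."""
    pid: int
    image: str                 # full path of the executable that started
    sha256: str                # hash of that executable (constructed placeholders below)
    parent_image: str          # full path of the parent process
    net_dest: Optional[str]    # "host:port" the process connected to, or None


# Signature side: a denylist of executable hashes. The single entry is a made-up placeholder.
KNOWN_BAD_HASHES: Set[str] = {"deadbeef" * 8}

# Behavioral side: locations a normal user can write to, and document viewers that
# should not normally be spawning other programs (assumed for this example).
USER_WRITABLE = ("/tmp/", "/home/", "C:\\Users\\")
OFFICE_APPS = ("winword.exe", "excel.exe", "outlook.exe")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def signature_match(ev: ProcessEvent) -> Optional[str]:
    """Exact-match detection: only fires for malware we have already seen."""
    if ev.sha256 in KNOWN_BAD_HASHES:
        return "signature: executable hash is on the known-bad list"
    return None


def behavioral_match(ev: ProcessEvent) -> List[str]:
    """Detection based on what the process does, independent of its hash and of
    whether its traffic is encrypted: the host sees the connection attempt itself."""
    reasons = []
    if _basename(ev.parent_image) in OFFICE_APPS:
        reasons.append("behavior: document viewer spawned a child process")
    if ev.image.startswith(USER_WRITABLE) and ev.net_dest:
        reasons.append("behavior: binary in user-writable path opened an outbound connection")
    return reasons


def evaluate(ev: ProcessEvent) -> List[str]:
    """Combine both techniques; an empty list means no alert for this event."""
    reasons = []
    sig = signature_match(ev)
    if sig:
        reasons.append(sig)
    reasons.extend(behavioral_match(ev))
    return reasons


# Constructed sample events: a normal system process, a known sample, and a new,
# never-seen dropper that a signature alone would miss.
SAMPLE_EVENTS = [
    ProcessEvent(100, "C:\\Windows\\System32\\svchost.exe", "a1" * 32,
                 "C:\\Windows\\System32\\services.exe", "192.0.2.10:443"),
    ProcessEvent(200, "C:\\Program Files\\Vendor\\tool.exe", "deadbeef" * 8,
                 "C:\\Windows\\explorer.exe", None),
    ProcessEvent(300, "C:\\Users\\joe\\AppData\\Local\\Temp\\update.exe", "c3" * 32,
                 "C:\\Program Files\\Office\\winword.exe", "203.0.113.5:443"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, ev.image, evaluate(ev) or "no alert")
```

Event 300 is the case the interview answer is about: the hash is unknown, so the signature check stays silent, and the connection on port 443 would look like ordinary TLS to a network sensor, but the host can still see that a binary in a temp directory, started by a word processor, is the one making the connection.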


Massive Mariposa Botnet Shut Down with Arrest of Administrators

Wednesday, March 17th, 2010

A very large botnet named “Mariposa” was recently shut down with the arrest of 3 of the main administrators. More arrests are expected in other countries.

Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.


Preliminary Approval Given for Countrywide Data Breach Identity Theft Settlement

Thursday, January 28th, 2010

Preliminary approval of the settlement for the Countrywide data security breach has been granted. It looks like Countrywide will be required to provide free credit monitoring for up to 17 million people and pay up to $50,000 for each individual identity theft case that results from the breach. That is a lot of money!

Just looking at round numbers, 17 million people at (let’s say) $10/month will be $2 billion/year plus the fees for identity theft cases. Hannaford had 1,700 known cases on the 4.2 million records they lost. So if you multiply that by 4 to match the number of records lost in the Countrywide breach, they may see 6,800 identity theft cases. If they had to pay the maximum for each of those, it would be an additional $340 million.

Not surprisingly, the breach was committed by an insider over the course of two years.  Keep an eye out for our upcoming free webinar about Insider Threat.

You can read the ABCNews.com article here.


Time Frame Given for Heartland Payment Systems Breach

Friday, October 16th, 2009

For the first time, I have seen something that indicates how long malware was installed at Heartland Payment Systems that led to the largest security breach to date. While no one is saying how many credit cards/records were compromised, it appears that the software was there for 18 months prior to detection. That happens to be the same amount of time malware was installed at TJMaxx, now at the #2 spot for most records compromised. The reason I think this is significant is because we were never told how many records were compromised, but we were told that the malware was installed at a point in the system where 100 million records are processed each month. Well now I guess we can do the simple math of 18 x 100,000,000 and get 1.8 billion records compromised.  Now of course those aren’t all unique records. I am sure the same cards were swiped over and over again, but it is still significant. There are only 325 million people in the U.S., so on average every one of us had our card breached 6 times…yes I know that most of us have more than 1 card, so do the math however you want, this was a HUGE deal. No wonder Mr. Carr (CEO of Heartland) is making such a push for end-to-end encryption. Who would want to be the poster child of data security breaches?


Sears Ordered by FTC to Destroy Data from Online Tracking Software

Thursday, October 15th, 2009

Did you participate in a program where Sears paid you to participate in a research project that monitors your online browser activity? Well, if so, you will be happy to hear that the FTC has ordered Sears to destroy that data because they weren’t forthcoming about exactly what information they were collecting.  As it turns out, they collected things like online banking session data, prescription drug purchases, emails, etc. Who knows if Sears really intended to get this information or just didn’t think through the whole thing and after the collection began they were like “holy crap, look at what we have here”, I don’t know. Either way, I am glad that organizations are being penalized for doing this type of thing.


Bank Sued by Couple for Failing to Secure Account Information

Tuesday, October 6th, 2009

An Illinois couple is being allowed to sue their bank on the grounds that it failed to sufficiently secure their account. A criminal was able to obtain a $26,500 loan using their account credentials and information. The claim states that the bank failed to provide “state-of-the-art” security measures to protect their account. The court is allowing this novel case to continue through the system.

It sure seems like financial institutions are losing the game of “who is left holding the check.” Regulators are coming down on them harder and more often than ever. Consumers are rightfully expecting their personal information to be protected, but are usually unwilling to pay any more for these measures. Criminals are getting better and better at effectively compromising systems in more diverse, complex, and innovative ways. FIs’ vendors and partners are often the source of issues and breaches, and yet the FI still has to pay the bill and do the clean-up…not to mention the reputational impact. It is tough to be an FI these days.


Travel Identity Company Ordered Not to Sell Private Customer Data

Friday, September 18th, 2009

There was a big win a couple of weeks ago when a federal court judge decided Clear (the travel identity company that made it easier to get through airport security) could not sell customer data.  The contracts stated that they would not sell customer data, but they made an announcement on their website that stated they were looking for someone to sell the data to that could provide a similar service. Outraged customers immediately filed suits that they will likely win (if there are any assets left). It really bothers me when a company assumes that when a customer gives them their data, they can do whatever they want with it. My opinion is that this is the customer’s data and businesses are just stewards of that data and shouldn’t be allowed to do whatever they want with it…especially if it is sensitive data like in this case. I think this is good for everyone (except maybe the Clear shareholders).


Do you know where your sensitive data is?

Tuesday, August 4th, 2009

According to recent findings from IDC, “Two-thirds of loss cases involved data the organization did not know was present” and “67% of regulated or sensitive data resides outside the data center.”

What most organizations don’t realize is their data is all over the place. Sure it’s on the server, but Joe has also copied it to his laptop.  Sally has it on a memory stick that is in her purse. Jill burned it to a CD and left it at home. Sensitive data is all over the place and most organizations do not even know where it is, let alone how to find it.

There are some products available to help you identify sensitive data. Other products will also immediately encrypt the data if it is found. Still others will locate it, encrypt it, and apply access permissions. Depending upon what type of business you are in, you will have to decide what type of system you need.
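The discovery step described above (finding sensitive data that has drifted onto laptops, memory sticks and CDs) comes down to scanning file contents for patterns that look like sensitive identifiers and then validating each hit so the results are not flooded with false positives. The following is an added example written for this page, not any vendor's product or the author's code; it scans a few constructed in-memory "files" for social security numbers and payment card numbers, applies structural checks (SSA issuance rules for SSNs, the Luhn check for card numbers) and reports each hit by location with the value masked. File names, contents and numbers are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns: a hyphenated SSN, and 13-19 digits optionally separated by spaces or hyphens.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    location: str   # "<file>:<line>"
    kind: str       # "ssn" or "card"
    masked: str     # all but the last four digits hidden, so the report itself is not sensitive


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(location: str, text: str) -> List[Finding]:
    """Scan one file's text line by line; only validated hits are reported."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        where = f"{location}:{lineno}"
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding(where, "ssn", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(where, "card", mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for location, text in files.items():
        out.extend(scan_text(location, text))
    return out


# Constructed sample files standing in for the laptop, memory stick and CD from the post.
# Row 3 of the CSV holds an SSN with an unissued area number and a card number that
# fails the Luhn check, so both are rejected rather than reported.
SAMPLE_FILES = {
    "laptop/customers.csv": (
        "name,ssn,card\n"
        "Joe Example,123-45-6789,4111 1111 1111 1111\n"
        "Bad Row,000-12-3456,4111 1111 1111 1112\n"
    ),
    "memory-stick/notes.txt": "Call vendor about invoice 20090804, ticket 4711\n",
    "cd/quotes.txt": "Quote #Q-99: client SSN 321-54-9876 on file\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.location}\t{f.kind}\t{f.masked}")
```

The two validation steps are what separate a usable scanner from a noisy one: without them, every 16-digit order number and every "000-" placeholder in a form would show up as a hit. A real deployment would walk the filesystem instead of a dictionary, and would feed the findings into whatever encryption or access-control step the post mentions next.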

Having sensitive data outside of your control is a growing problem and one that several regulators are trying to address. The new Red Flag Rules that go into effect November 1 are, in part, meant to address rogue data in an effort to identify and stop identity theft.

I have been talking for some time about how security is moving more and more towards the endpoints. This is one of the reasons why. As time goes on, we will see more mature software products become available. IT admins and compliance officers should begin thinking about how they will address this problem in their organizations.


Convenience Leads to Worried Travelers as Clear Goes Under

Thursday, July 23rd, 2009

I travel more than my fair share, but was never wooed by other travelers into signing up for “Clear” the approved frequent traveler program that allows travelers to speed their way through long security lines at U.S. airports. I have never felt good about a program like this…especially when a slight convenience can lead to the debacle they are now in. As some of you know, “Clear” went out of business suddenly a few weeks ago. Now the 260,000 customers of Clear are left wondering what will become of the information they provided to the company including Social Security numbers (SSNs), credit card numbers, driver’s license numbers, iris scans and fingerprints.

We as a society are all too often willing to trust other people or companies with our very identities. While this is scary enough, doing it for the purpose of saving a couple of minutes in line at the airport seems a bit reckless. But I believe that this might be just the first minor step in a much larger program that everyone may be required to participate in. Obama passed the HITECH healthcare law in February of this year that promotes the creation of a national healthcare system. This system will be tied to the identities of participants…which will likely be all Americans, or nearly all Americans. Whether this will turn out good or bad remains to be seen.

The real problem of course is what they do with the data. In a more recent article, Clear said it may sell its sensitive customer data to a similar provider if it’s authorized to do so by the US government.

It just shows that when you turn this type of information over to a provider, you really don’t know where it will end up, or what it might be used for.

Now U.S. legislators want to know what the company plans to do with the information. In a letter dated June 25, 2009, Representative Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, expressed concern about the security of the collected data and asked the TSA to describe its plans to secure the data.


How much is your client data worth to a malicious employee?

Wednesday, July 22nd, 2009

A man was recently arrested for allegedly selling client data to a mailing list company for the U.S. equivalent of $3,335. While this wasn’t sensitive data (account numbers, social security numbers, etc.), customers were solicited as a result, ending in more than 15,000 customer complaints.

I have mentioned several times that while the economy is poor, insiders are a major threat to organizations. When a company has a data security breach as a result of an insider, the losses are the worst of any class of breach. Greater than hackers, theft, etc. Many say there isn’t much you can do about the insider threat. While a sophisticated and motivated insider would likely always be able to succeed, a company can do a lot to deter desperate employees, who still have fear and a conscience, from looking to make extra money this way. Good hiring practices, end user security awareness training (creating a culture of security in the company), and other practices can positively impact the security posture of a company.

Read the Bloomberg.com article here – Ex-Mitsubishi UFJ Unit Worker Arrested for Data Theft


Social Security Number Code Gets Broken

Monday, July 20th, 2009

I read an interesting article recently about how researchers have “essentially” broken the code for social security number distribution.  I say essentially, because it isn’t perfect, which the Social Security Administration was quick to point out.  This is what happened.  You can now search for deceased persons online and get their social security numbers.  What the group did was take a list of these individuals whose numbers had been assigned sequentially in specific states and then, using computer algorithms, figured out the basic method the government uses to assign SS#s.  It wasn’t a perfect science, but had quite remarkable results.  The accuracy largely depended on the population of the state you were born in (or got your SS# in).  Obviously the smaller the population, the easier it was to accurately guess.  What this means is that if someone learns where you were born, and what your birth date is, it wouldn’t be very difficult to figure out your social security number.  Social security numbers are of high value (in conjunction with other information like name, address, birthday, etc.) to criminals to perform fraud and identity theft.  This could make it quite a bit easier for criminals to gain this usually (more) elusive piece of information.  The Social Security Administration said that they are currently working on a process that will randomly select SS#s rather than systematically assigning them.  Of course they didn’t mention that all the SS#s that have been assigned systematically over the past decades will always be subject to this method of discovery.

Beware: with fraud and identity theft at all-time highs, something like this (if it gets into the hands of criminals) can make them grow at an even faster pace.  Check your credit often, as this type of data would most often be used to create new accounts.


2008 Internet Crime Report

Friday, May 8th, 2009

The FBI has released their 2008 Internet crime report.  The information contained therein is from complaints made to the FBI regarding fraud that was sourced from the Internet.  There is quite a bit of good information in this report, but here are some of the highlights that I found interesting.

2008 had the highest number of complaints, reaching 275,284.  This is a 33% increase over 2007 levels.

Total financial losses were $264 million with a median dollar loss of $931 per complaint.  Again, this was higher than the 2007 numbers.

Non delivery of merchandise and online auction fraud accounted for more than 50% of complaints.  Other fraud types included credit/debit card fraud, confidence fraud, computer fraud, check fraud, and even Nigerian letter fraud (as opposed to all the legitimate Nigerian letters we all get).

Highest losses were check fraud at a median loss of $3000.  Nigerian letter fraud accounted for a median loss of $1,650.

Three quarters of perpetrators were men.  Two thirds of all perpetrators were in the United States. Half of all perpetrators were in one of the following states: California, New York, Florida, Texas, District of Columbia, and Washington.  Most of these being the most highly populated states shouldn’t surprise anyone.

Complainants were nearly evenly split between men and women, but men edged out at 55%.  Half of all of the complaints came from those ages 30 to 50.

Men seemed to lose more than women in these incidents by between 25-35 percent.

Probably most interesting is that 74 percent of all fraud complaints were sourced through email.  Nearly 29 percent involved web sites.  I think the lesson to learn here is that a good SPAM filter and web content filtering can reduce fraud.  If you can limit the amount of SPAM getting to your employees’ desktops, and block their access to inappropriate websites, you could be saving them thousands of dollars.  This also increases their productivity.  It does this in general, but also imagine the number of hours (often work hours) that they will use to fight whatever fraud they experience.  So implementing these solutions is best for everyone (except the criminals).


Identity Theft Protection

Monday, March 30th, 2009

When people think about identity theft protection, they usually are thinking about themselves and their families…not the companies they work for or their customers.  But that is precisely where identity theft can be stopped!  Certainly there are purses that get stolen, or close friends or family that may do something, but large scale identity theft comes from data breaches of companies.

Criminals target organizations in an effort to get their hands on sensitive data that would allow them to commit identity theft.  This might be a social security number in conjunction with a name or other information, or perhaps an account number or username.  Bad guys know how to correlate and use this information for malicious purposes.

As a result, it is up to each individual company to protect their customer and employee data.  There are of course several laws and regulations around this sort of thing, but just because a regulation says a company should do something, doesn’t mean that they do.

Data security is so much less expensive than it used to be.  For example, firewall, intrusion detection and prevention, web content filtering, anti-virus, SPAM filtering, virtual private network technology, and more are built into a single device smaller than a book and can offer even the smallest of businesses a great deal of protection.

Your employer could be the one that leaks your private information and causes the theft of your identity.  Ask your employer what measures they have taken to protect your identity.  Encourage them to implement additional solutions, policies, procedures and best practices to keep your data safe.  By doing so, you will be helping out yourself, your family, and many others as well.  Let’s raise the water line when it comes to Internet and data security and keep our identities safe.


3 Breaches in 3 months – Univ. of Florida Gainesville

Thursday, March 5th, 2009

University of Florida Gainesville has had 3 data security breaches in the last 3 months.  Two out of the three had to do with insider error.  The third was an intrusion.  The first one exposed nearly 100,000 records online.  The second was a configuration error which exposed 100 records.  The third was an intrusion that compromised 330,000 records.

This shows how you can’t look at security with the hope that a single solution will solve your problems.  Data security requires a layered approach.  Also, technology can’t solve everything.  Policies, procedures, enforcement and training, in addition to technology, are all needed for an effective security program.

I guess what we should learn here is that if you do have several data breaches near the same time, announce them all at the same time in the hopes people will look at it as one breach rather than multiple.  :)