
Security

What enterprises must learn from Sony’s security mistakes

Thursday, October 13th, 2011

You might have thought that a large enterprise such as Sony, having suffered a very high profile and therefore very embarrassing (not to mention brand damaging) security breach earlier this year, as reported by IT Pro, would have done everything it could to ensure there could be no further security shocks for users. You would have been wrong though, if the news that Sony has locked down 93,000 online accounts is anything to go by.

It would appear that a number of unauthorised access attempts had been registered earlier this week, over a three day period, which succeeded as far as verifying the valid sign-in information for more than 90,000 accounts concerning Sony Entertainment Network, Sony Online Entertainment and PlayStation Network users. Although the fact that Sony reacted reasonably quickly to the hack attempt, coupled with no credit card information being put at risk this time around, might sound like good news for the entertainment giants, I’m not convinced that’s the case.

(more…)

Is the Pope a Scientologist?

Wednesday, October 12th, 2011

Let me rephrase that question: is 97 percent of wireless data really secure? The answer, whichever way you look at it, is quite obviously no. Yet, according to the latest research from the Wi-Fi Alliance, some 97 percent of folk appear to firmly believe that data held on their wireless devices and networks is both safe and secure.

In the name of investigative journalism, and because I needed a loaf of bread, I ventured out in the howling wind and rain of the Pennines this morning with my Wi-Fi detector in hand. As I drove past (I may be dedicated but I’m not daft, and I wasn’t walking anywhere in this weather) the row of small businesses, a nice mix of retail and office-based ones, the software displayed the encryption status of the networks it discovered. Of the 18 networks I found in this very unscientific test, five were completely open and unsecured while one relied upon the totally broken WEP encryption methodology. That, rather handily, equates to a third of the Wi-Fi networks I found operating in one small business area being totally, and undeniably, screwed as far as data security is concerned.

(more…)

Socially unacceptable security joke

Tuesday, October 4th, 2011

What do you get if you cross 4,650 IT professionals with social media in the workplace? A lack of Infosec policy that leaves the enterprise at risk. Boom boom! OK, so it’s not the funniest punchline I’ve ever heard, but the level of social media risk that the average enterprise is leaving itself exposed to is, frankly, something of a joke.

The 4,650 IT professionals mentioned above were questioned as part of the Websense/Ponemon Global Survey on Social Media Risks, which covered people with an average of 10 years’ hands-on IT experience, with the majority being of supervisor level or above and some 42 percent representing organisations that employ more than 5,000 people. Yet of this number, 68 percent are still saying that social media is posing a threat in the workplace courtesy of how the staff use it, with 76 percent of them admitting their enterprises don’t have the necessary controls in place to mitigate that risk. Here’s another ‘yet’ to add to the growing list: 56 percent of those asked reckoned that malware infections are increasing as a direct result of that uncontrolled social media use.

Well stuff me sideways on a child’s tricycle, when are people going to actually get the message? Scrap that, stupid question, obviously. 45 percent of those asked said their companies don’t even have a policy regarding acceptable use in the social media sphere. Worse still, of those that do have such a policy, it remains un-enforced in 79 percent of organisations. Double duh with knobs on.

(more…)

Don’t get fobbed off with chavvy security standards

Thursday, September 29th, 2011

I have to admit that I’m not much of a public transport person; the word ‘public’ being the clue as to why I prefer travelling in the chav-free environment of my eco-friendly little Fiat 500 whenever possible. However, when I do risk jumping on a bus, or have won the lottery and can afford a train journey, I am always near terminally confused by the various ticketing options. What I would want, were I a regular public transport-using type, would be some kind of secure token system that I could just wave at a reader device and be on my way. Such things exist, of course, but there are a myriad different types and standards which just serve to confuse things as much as the paper ticketing mess does. And if things are bad for the consumer of such things, they are even worse for the transport providers when faced with proprietary technologies that are not interoperable across devices, which can be hellish expensive to acquire, deploy and maintain and, worst of all, are not as secure as they could be.

(more…)

It’s not just technotards who dislike mobile commerce

Friday, September 23rd, 2011

I recently exclaimed “Leave my laptop alone. I MEAN IT!” here at IT Pro, and was surprised at the venom of smartphone and tablet users who not only disagreed with me that the laptop was far from dead, but suggested I should join it. Proving that I am either thick-skinned or just thick, I thought I’d repeat the claim that laptops are just, well, better at so many things. This time the thing in question being shopping, and this time I am far from alone in making the claim.

A new survey on mobile commerce habits, published by a strategic information management company called Stibo Systems, suggests that most consumers remain unsatisfied with m-commerce, with only 27 percent apparently bucking that trend and a meagre 8.6 percent rating the experience as excellent. Falling into the 73 percent majority myself, a very active user of mobile devices but not a very satisfied mobile shopper, I have been taking a closer look at the findings revealed within Stibo Systems’ ridiculously long-windedly titled ‘UK Online Shopping Trends 2001: Product Information: the key to successful multi-channel retail strategy’ whitepaper.

(more…)

Children are being ‘gamed’ into stealing your data

Wednesday, September 21st, 2011

Children, often too young to be reading yet, are being targeted by cyber-scum in the latest wave of malware attacks. Why bother targeting young kids, you may ask? To get access to your data, I might reply.

According to security vendor BitDefender, online games are being used as a vehicle for spreading malware with a deliberate intention to bypass security checks by encouraging kids to install the software with big flashy click buttons. Many of the games concerned would seem to be of the ‘virtual pet’ or ‘swipe to paint a picture’ variety, obviously aimed at the very youngest of children.

During the last week alone, researchers at BitDefender have uncovered half a dozen such examples of these Flash-based, very colourful and highly attractive to kids type games which come complete with Trojans that are designed to steer the youngsters towards sites which download and install malware capable of stealing financial data.

(more…)

NHS or ICO: which is crappiest?

Tuesday, September 13th, 2011

The news that the Information Commissioner’s Office (ICO) has determined that yet another NHS trust is in breach of the Data Protection Act comes as no real surprise to anyone who has been following the myriad security breaches suffered by the NHS during recent years. But what does surprise me is the apparent lack of concern that the ICO has failed, yet again, to really do anything about it.

The University Hospital of South Manchester NHS Foundation Trust is quite a big name, yet ironically the data that it lost was contained on a very small thing: an unencrypted USB stick. Oh sweet Jesus H Christ, you heard that right, the NHS is still allowing staff to use unencrypted USB sticks to shift data around on. I’m sure that there will be some who disagree with me and point out that the NHS trust in question was following the NHS Connecting for Health guidelines on data security and forbidding any such thing. Unfortunately folks, my definition of ‘allowing’ stands: if you have a policy which says one thing but comes with no real world method to enforce that thing, then when someone breaches your policy you have for all intents and purposes allowed it to happen. See what I mean? And so it was that this particular NHS trust allowed a medical student working in the burns and plastics department to carry data relating to the treatment of more than 80 patients around on his own USB stick for ‘research purposes’, which was, as I’ve said, not encrypted at all. Said student then lost the USB stick, and all the patient data upon it.

(more…)

Can you get Fortune 500 data using typos?

Monday, September 12th, 2011

Stealing data is so flipping simple. There are so many ways to do it as well, not just through infecting machines with pernicious malware either.

As many simpleminded creeps have noted, buying up domains similar to big name companies and adding little typos into those domains can bring in that valuable data. People send emails to these domains – possible examples being Gookgle.com or Fleecebook.com – not realising they could be posting their data to the wrong people. Sometimes these people will be naughty boys and girls.

This is known as typosquatting. It’s a simple trick, but seemingly a rather effective one too. Surely you can’t get hold of actually valuable data with this technique though, right? Wrong.

Over six months, two researchers, Peter Kim and Garrett Gee, managed to acquire a hoard of interesting data just through buying up 30 internet domains similar to those of Fortune 500 companies bar a few spelling mistakes.

They received 120,000 emails during that time. These included rather important things like passwords for an IT company’s external Cisco routers, as well as VPN details and passwords for a system managing road tollways.

There are more worrying consequences as well. By performing a remarkably simplified version of a man-in-the-middle attack, the researchers could have sent on the original email to the intended company, modifying their messages to feature a bogus return address. Just as in any standard MITM attack, they would be the silent middlemen watching over interactions between two parties who believe they are talking in private.

Is there much a company can do to solve this? On the sender’s behalf, simply getting the spelling right might help. As for companies who don’t want their name used in vain, buying up similar domains to their own is a good start. Of course, that requires time and money – something many of us are short on.

So encryption is the key (puntastic!). Encrypt all sensitive data being sent over emails. Simple advice that is so often not taken.
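The sender-side fix the post closes on (get the spelling right before the mail leaves) can be automated. The script below is an added example and is not part of the original post or of the Kim and Gee research: it reads outbound mail-log lines, extracts each recipient’s domain and flags any that are one edit (insertion, deletion, substitution or adjacent swap) away from a domain the organisation trusts, while leaving genuine subdomains alone. The protected domain list, the log format and the log lines are all constructed for the example.

```python
# Added example: flag outbound mail whose recipient domain looks like a typo
# of a trusted domain. Protected domains, log format and log lines below are
# constructed for illustration, not taken from the IT Pro post.
from __future__ import annotations

import re

# Constructed list of domains this organisation legitimately mails.
PROTECTED_DOMAINS = ["example.com", "example-partner.co.uk"]

# Constructed outbound mail-log lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2011-09-12T10:01:02Z from=alice@example.com to=bob@example.com status=sent
2011-09-12T10:02:17Z from=alice@example.com to=carol@exmaple.com status=sent
2011-09-12T10:03:45Z from=dave@example.com to=erin@example.co status=sent
2011-09-12T10:04:09Z from=dave@example.com to=frank@mail.example.com status=sent
2011-09-12T10:05:33Z from=grace@example.com to=heidi@totallydifferent.org status=sent
"""

RECIPIENT_RE = re.compile(r"\bto=([^\s@]+@(\S+))")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: each insert, delete, substitute or
    swap of two adjacent characters costs 1. Swaps matter because a typo such
    as exmaple.com is two plain edits but one transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def is_lookalike(domain: str, protected: list[str], max_distance: int = 1) -> str | None:
    """Return the protected domain that `domain` resembles, or None.
    Exact matches and real subdomains (mail.example.com) are legitimate."""
    domain = domain.lower().rstrip(".")
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return None
    for p in protected:
        if osa_distance(domain, p) <= max_distance:
            return p
    return None


def flag_lookalikes(log_text: str, protected: list[str] = PROTECTED_DOMAINS) -> list[tuple[str, str]]:
    """Scan log lines and return (recipient, protected_domain) pairs that
    need a human to confirm the address before the mail goes out."""
    findings = []
    for line in log_text.splitlines():
        m = RECIPIENT_RE.search(line)
        if not m:
            continue
        recipient, domain = m.group(1), m.group(2)
        hit = is_lookalike(domain, protected)
        if hit is not None:
            findings.append((recipient, hit))
    return findings


if __name__ == "__main__":
    for recipient, looks_like in flag_lookalikes(SAMPLE_LOG):
        print(f"CHECK {recipient}: domain is one typo away from {looks_like}")
```

Run against the constructed log this flags carol@exmaple.com and erin@example.co and leaves the subdomain and the unrelated domain alone. A mail gateway rule built on the same test would hold the message for confirmation rather than just log it; raising max_distance catches more typos but also more false positives, so tune it against your own address book.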


Posted in: Security


Research reveals senior security decision makers are dorks

Tuesday, September 6th, 2011

Sometimes I am not sure if I should be banging my head against the desk because of surveys that ‘reveal’ the obvious, or because there are businesses out there providing the ammunition for such research by refusing to remove their heads from their collective arses. Today I am leaning towards the latter as I read the new KPMG e-Crime report.

The survey itself was of 200 senior security decision makers, although I have to say that description seems almost laughable given the results, from global businesses including a bunch of FTSE 100 listed outfits. Here’s why my head is so sore, in a nutshell:

(more…)

Chinese data takeaway

Saturday, August 27th, 2011

Over the years I have written plenty about China in terms of censorship. I’ve also penned a fair amount relating to the Chinese role in government sponsored cyber-attacks against Western commercial and political targets, but much of that has been based on speculation (albeit well-informed) and suspicion. What has been missing was the proof of Chinese involvement in cyber-attacks. Until now.

It would appear that automated IP hacking does originate from China, and is sponsored by the Beijing government after all, if reports showing screenshots of an attack control console which appeared in a Chinese TV propaganda documentary are to be believed.

(more…)
