Wednesday, October 31

Compromised Data Not Just an Online Deal

As consumers, when we hear that data was hacked or compromised we immediately think of online transactions. That is not the whole picture. According to the New York Times, this past week Barnes & Noble disclosed that hackers had stolen credit card data over the previous month from 63 of its stores. The attackers tampered with the PIN pads where customers swipe their cards and enter their PINs. The company is still trying to determine how it happened; what makes the case more interesting is that only one PIN pad per store was compromised. Security experts quoted in the article said that company insiders could have inserted malicious code, or that criminals could have persuaded an unsuspecting employee to click on a link carrying malicious code in order to penetrate Barnes & Noble's systems.

This is not an isolated case. On December 7, 2011 a federal indictment was unsealed in New Hampshire against four Romanians who, from 2008 to May 2011, allegedly conspired to remotely hack into the point-of-sale systems of more than 200 US merchants to obtain credit card data; the best-known victim was Subway restaurants.

There are many more examples than these, and this is far more sophisticated than the old card-skimming schemes. It is also a problem consumers have no control over: the tampered device sits on the merchant's counter, and the only way to avoid it entirely is to pay cash, which many people no longer do.

References

Perlroth, N., & Schmidt, M. S. (2012, October 23). Credit Card Data Breach at Barnes & Noble Stores. Retrieved October 31, 2012, from New York Times.

Singer, B. (2012, September 17). Subway Restaurant POS Hacking Case Yields Guilty Pleas. Retrieved October 31, 2012, from Forbes.

Monday, October 22

Once Again Android Users Beware

I am a recent convert to the world of mobile phones; I have to say that one aspect I never thought I should consider is security vulnerabilities, until now. The first line of today's article in Cnet is what caught my attention and prompted me to research this matter further. The article's first line read: "Android applications are once again in the hot seat over possible security vulnerabilities."

So what happened? In June 2010 an article came out stating that 20% of 48,000 Android applications allowed third-party applications access to private or sensitive data. In fact, some applications were found to make calls or send text messages without any interaction from the user. In that article Google said it makes sure application developers confirm their real identities, and disables the accounts of those who cannot. The reason for these checks is that many developer names are aliases.

Fast forward two years and four months: researchers at Leibniz University of Hanover in Germany released a study looking at how legitimate Android applications respond to attacks on their security protocols. The study found that eight percent of the applications used SSL/TLS improperly, leaving sensitive data open to attackers. The team found that over 1,000 applications were willing to communicate over SSL with any server that presented a certificate, whether or not that certificate was valid or issued for the server's name. Unlike the 2010 incident, Google did not offer any comment.
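
The two behaviours the study contrasts, as an added example that is not code from the study, from Google, or from any of the tested apps: it is written with Python's standard ssl module rather than Android's Java APIs, and the `audit_context` check is a hypothetical helper of mine, not something the researchers published. The "trust anything" client is the misconfiguration the study describes (no chain validation, no hostname check); the hardened client keeps both on.

```python
import socket
import ssl

# Added example, not from the Hannover study or any Android app it tested.
# The misconfiguration it found corresponds to CERT_NONE plus
# check_hostname=False below; the fix is the default context.


def trust_anything_context():
    """The broken pattern: any certificate, for any name, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_context():
    """Validate the chain against the platform CA store and match the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Hypothetical audit helper: list what a context fails to verify.

    An empty list means peers are authenticated; this is the kind of check a
    reviewer would run over an app's TLS setup.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions are allowed")
    return findings


def peer_certificate(host, ctx, port=443, timeout=5.0):
    """Connect and return the server's certificate.

    With the hardened context a self-signed, expired or mis-named certificate
    raises ssl.SSLError / ssl.CertificateError before any data is sent; with
    the trust-anything context the handshake succeeds silently and
    getpeercert() returns {} because nothing was validated. Needs network
    access, so it is not exercised by the offline checks.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("trust-anything", trust_anything_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The point the study makes is visible in `trust_anything_context`: once chain validation and hostname matching are off, any interposed server that presents a certificate (self-signed, or valid for some other name) completes the handshake, and the app's credentials travel to it.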

So if you remember, in last week's blog I mentioned the FTC penalizing Wyndham Hotels and some of its franchises for not having proper security measures in place. To me these issues with Android applications are another example where the FTC needs to intervene. Google needs to be more responsible and closely test and monitor the products that developers are creating. Ultimately no one is going to remember which developer did what; all they are going to remember is the name "Google", and bad applications could in the end tarnish Google's image. Google needs to learn from the error Wyndham Hotels made, because I do not think the FTC is too far behind.

References

Mills, E. (2010, June 22). Report says be aware of what your Android app does. Retrieved October 22, 2012, from Cnet

Reisinger, D. (2012, October 22). Some Android apps could leak personal data, researchers find. Retrieved October 22, 2012, from Cnet

Thursday, October 18

Who is looking out for us?

So after my last blog, "Hackers are at it Again", it left me wondering who is protecting us, the public. I can understand that some attacks are inevitable, but what about the others that could have been prevented if the organization had taken the appropriate measures? You will be glad to know that yes, there is an organization looking out for us, the public, and it is called the Federal Trade Commission.

In testimony in 2003, FTC Commissioner Orson Swindle addressed the House Commerce, Trade, and Consumer Protection Subcommittee to discuss the importance of preventing information security breaches. Swindle stated that good security is an ongoing process of assessing risks and vulnerabilities; companies must assess the risks they face on an ongoing basis and make constant adjustments to reduce them. Apparently some companies have not paid attention, Wyndham Hotels among them.

Recently the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. In 2008 hackers breached the network of one of its branded hotels in Arizona; the intruders were able to install "memory-scraping" malware and reach the corporate systems, which gave them access to other properties. The end result: 500,000 payment card accounts were exported to a domain registered in Russia. There were two more incidents, one in early 2009 in which the attackers accessed 50,000 card accounts, and another later in 2009 in which they accessed 69,000 consumer accounts.

The FTC's reach goes further. I think at one point or another all of us have received a message on a computer saying it is infected and to click on the banner, or seen an advertisement offering a free scan. Those of us in the IT business know better and recognize a scam. Unfortunately, millions of Americans fall for these types of scams. For example, AARP recently published an article titled "Feds Crack Down on Tech Fix-it Scam", in which the FTC won restraining orders against 14 companies that were scamming users. In this scam the "fake" tech support person would cold-call a consumer and pretend to be from Hewlett-Packard, Microsoft, or another well-known vendor. They would tell the user they had received notification that the user's computer was infected. After "removing" the bogus malware, for a generous fee of course, the scammer also kept access to the system, taking personal information or leaving a program that gave them back-door access to that computer.

There are more cases like this one. In a case filed in 2008, the FTC sought a judgment against Kristy Ross (the defendant) for using "scareware" tactics, making users think their PCs were infected; the court has now imposed a $163 million judgment. The list goes on. As we can see, the government is finally doing something good, but unfortunately I don't think it is enough. I know this because the number of scammers keeps growing, so either we need more than one agency or group protecting consumers, or the fines and penalties imposed are not enough to deter scammers. In the meantime all I can suggest is to better educate the public about the dangers that lurk in cyberspace.

References:

FTC Working to Protect Consumers and Businesses From Information Security Breaches. (2003, November 19). Retrieved October 16, 2012, from Federal Trade Commission

FTC Case Results in $163 Million Judgment against "Scareware" Marketer. (2012, October 2). Retrieved October 18, 2012, from FTC

Kirchheimer, S. (2012, October 3). Feds Crack Down on Tech Fix-it Scam. Retrieved October 18, 2012, from AARP

Monday, October 8

Hackers are at it Again

Are we able to stop hackers? The answer seems too obvious: NO! This past week, on October 3, a group of hackers calling themselves GhostShell claimed to have stolen thousands of personal records by breaching servers at more than 50 universities around the world, including top universities here in the United States, according to a report in Cnet. The group claims to have leaked about 120,000 records but says it holds more on its servers, and that more projects are in the works. Worse, this past August the same group released a vast quantity of data from banks, governments, consulting firms and others.

How scary is hacking? After some searching I found some statistics on a website called StopTheHacker that should give anyone pause and make them realize how serious this problem is.

  • PlayStation Network – Computers are not the only things that get hacked: in 2011 the Sony PlayStation Network had to shut down due to an "external intrusion" which compromised around 77 million accounts
  • Intellectual Property – In 2008 alone, around $1 trillion worth of intellectual property was stolen.
  • Passwords – It takes 10 minutes to crack a password that is 6 characters long; add two more characters and it takes three years
  • Victims – 73% of Americans have fallen victim to some type of cybercrime
  • Time is not on your side – On average 156 days pass between the time a computer resource is compromised and the time the compromise is detected
  • Business is Booming – StopTheHacker conducted a survey in which 90% of the businesses that responded had suffered some sort of hack and 77% of those felt they had been successfully attacked
  • Zombies – In 2009 the security firm Finjan discovered a botnet run by a Ukrainian gang consisting of over 1.9 million zombie computers. How much did the thieves make? Close to $190,000 per day
  • Infected Sites – There are currently over 30,000 sites considered infected
  • Vulnerable Sites – In 2010 the average website was found to have over 230 serious vulnerabilities
  • Identity Theft – 27 million Americans have fallen victim, 9 million last year alone

So how did all of this start? Hacking was not always about stealing and malicious attacks. The first PC virus was written for fun by two brothers from Lahore, Pakistan in September 1986 to show the vulnerabilities in PCs running DOS, demonstrating that they were not as secure as IBM and Microsoft led people to believe. Fast forward 25 years and 99 percent of malware comes from criminal gangs (Honan, 2011).

This blog is not meant to scare anyone; it is meant to raise awareness as we celebrate security awareness during the month of October.

The FBI's Scams & Safety article has some very easy yet effective tips to keep your PC safe:

  • Keep your firewall turned on
  • Install or update your Antivirus software
  • Install or Update Your Antispyware Technology
  • Be careful what you download
  • Turn off Your Computer

Just remember: security is not like Mother's Day, it does not happen just once a year. Security awareness has to be 24/7.

References

Ten Scariest Hacking Statistics. (2012, April 12). Retrieved October 7, 2012, from StopTheHacker

Honan, M. (2011, August 13). Why hackers write computer viruses. Retrieved October 7, 2012, from MSNBC

How to Protect Your Computer. (n.d.). Retrieved October 7, 2012, from FBI

Musil, S. (2012, October 3). Hackers post data from dozens of breached college servers. Retrieved October 7, 2012, from Cnet

Monday, October 1

Are Employers Going too Far?

This week's blog in a way ties to last week's. To refresh everyone's memory, last week's blog "The Enemy from Within" dealt with employees being the threat to employers, as opposed to hackers and viruses. While researching this week's blog I found articles about employers asking prospective employees for social media account information for screening purposes. Are employers looking for potential troublemakers before they are hired? What happened to the old methods: references, credit reports, and background checks? Are employers trying to find more cost-effective measures?

According to Alison Doyle of About.com, this practice is commonly known as "shoulder surfing", and at the time her article was written, August 11 of this year, there were no laws that specifically protected the social-networking privacy of job seekers from snooping employers. This is now changing. This past Thursday, September 27, California Governor Jerry Brown signed Assembly Bill 1844 and Senate Bill 1349, prohibiting universities and employers from demanding e-mail and social media passwords from prospective employees (Kerr, 2012).

The Assembly bill was authored by Assembly member Nora Campos. According to her office, there are more than 100 cases currently before the National Labor Relations Board involving employers' workplace policies on social media. According to the article, Facebook has also said it has seen an increase in reports of employers seeking inappropriate access to people's accounts.

Campos is not the only politician taking notice: Sen. Richard Blumenthal of Connecticut plans to propose legislation banning employers from requesting access to Facebook accounts as a condition of employment (Cooper, 2012).

As a reader I don't even know what to think; this is such a violation of privacy and security. I think the HR managers, or whoever thought this policy was legal, missed the 101 class on policy making when they were in school. Last week's chapter (Chapter 4) clearly outlines some basic rules:

  • Policy should never conflict with law
  • Policy must be able to stand up in court if challenged
  • Policy must be properly supported and administered

So it is obvious these employers failed to follow the first two rules. Not only are they violating the privacy principles the ACLU has raised and the major networks' terms of service, but companies that have gained access to a social media account can be liable for any content posted there (Buck, 2012). Buck states that if the prospective employee posted an admission of guilt to a crime, his or her employer may find itself legally vulnerable.

I say employers need to continue with traditional methods of screening their prospective employees without violating their right to privacy. Once someone is employed, by all means the employer can monitor all it wants; it is the employer's right to make sure resources are used appropriately, and it is not a violation of privacy because employees have agreed to it.

References

Buck, S. (2012, April 5). What’s at Stake When Employers Ask for Social Media Passwords? [INFOGRAPHIC]. Retrieved September 30, 2012, from Mashable

Cooper, C. (2012, March 24). Fork over your Facebook log-on or you don't get hired. What? Retrieved September 30, 2012, from Cnet

Doyle, A. (2012, August 11). Employers Asking for Facebook Passwords. Retrieved September 30, 2012, from About.com

Kerr, D. (2012, September 27). Calif. law passed to halt employer snooping on social media. Retrieved September 30, 2012, from Cnet

Whitman, M., & Mattord, H. (2010). Why Policy? In M. Whitman, & H. Mattord, Management of Information Security (p. 119). Boston: Course Technology.

Monday, September 24

The Enemy from Within

In an era where words like "cyber-attack" are uttered as part of everyday lingo, corporations are spending millions of dollars protecting themselves from viruses and hackers, but they are neglecting one of their biggest enemies. This enemy has already infiltrated their ranks; the enemy is one of their own. Last week a former employee of CME Group pleaded guilty to theft of trade secrets after he stole source code and other proprietary information (News, 2012). I think it is amazing that people believe they are going to get away with it, especially when most companies make employees sign a confidentiality agreement and tell them that every system is monitored.

Trade secret theft by insiders is more common than most people think: in 85% of trade secret cases, the alleged thief was someone the trade secret owner knew, either an employee or a business partner (Almeling, Snyder, Sapoznikow, McCollum, & Weader, 2010).

Stealing trade secrets is more lucrative than stealing cash. Trade secret theft costs corporations billions of dollars each year and no one is immune; the losses also include piracy, counterfeit products, and corruption (Passman, 2012). Passman says the rise in cyber theft has made this issue more difficult to address, and worse, many countries such as India, Singapore, Malaysia and Hong Kong do not provide statutory protection for trade secrets or confidential information.

In my September 10 blog I wrote about outsourcing and the potential risk of customer information being stolen; this week we see that corporations can lose as well. Maybe outsourcing is a lose-lose situation, because consumers and corporations both end up as the losers.

Not all is lost. Corporations can prevent these types of incidents by taking some basic steps:

  • Educate and regularly train employees on security or other protocols.
  • Ensure that proprietary information is adequately, if not robustly, protected.
  • Use appropriate screening processes to select new employees.
  • Provide non-threatening, convenient ways for employees to report suspicions.
  • Routinely monitor computer networks for suspicious activity.
  • Ensure security (including computer network security) personnel have the tools they need (The Insider Threat: An introduction to detecting and deterring an insider spy, n.d.)

I think that no matter what steps corporations take, it is not possible to stop information from leaving a company, because it happens not only intentionally but inadvertently. For example, Joe works in company A's marketing department, then one day goes to company B to work in its marketing department. At company B he is asked to create a marketing plan, and in the end this plan is very similar to the plan from company A. This is what is called unintentional theft. I think it is up to each one of us to protect our employers by keeping information protected and trusting no one; if we see a co-worker committing an action that could be construed as theft, we should report it.

This is one battle that can never be fully won; the enemy will always be the one we least expect. As the famous saying goes, "Keep your friends close and your enemies even closer".

References

Almeling, D., Snyder, D., Sapoznikow, M., McCollum, W., & Weader, J. (2010, March 30). United States: A Statistical Analysis of Trade Secret Litigation in Federal Courts. Retrieved September 22, 2012, from Mondaq

News, S. (2012, September 21). Software Engineer Pleads Guilty To Stealing Source Code. Retrieved September 22, 2012, from Security Week

Passman, P. (2012, May 5). Trade Secret Theft: Businesses Need To Beware And Prepare. Retrieved September 22, 2012, from Forbes

The Insider Threat: An introduction to detecting and deterring an insider spy. (n.d.). Retrieved September 22, 2012, from FBI

Monday, September 17

Security Breaches Truth or Myth

Twitter can by far be considered one of the largest social websites; it boasts over 500 million active users, generates 340 million tweets daily and handles over 1.6 billion searches per day (Twitter). So what has been going on with Twitter? If you are a Twitter user, you were one of those disconnected from the world. For those who are not Twitter users: Twitter has had two major incidents in the last two months and a third in 2010, or at least that is what I was able to find. These incidents affected most or all of its users. The first incident occurred July 26, and I will discuss it in detail later on; preceding it there was a blackout on June 21, but Twitter has not disclosed what happened there.

For the July 26 incident, Twitter VP of Engineering Mazen Rawashdeh said the problem was caused by an "infrastructural double-whammy" at its data center. The data centers are designed to be redundant; what is noteworthy is that two parallel systems failed at nearly the same time (Lieberman, 2012). Lieberman also notes another incident that Twitter attributed to a "cascading bug", essentially a software problem that spread across its systems. Twitter has become the central source of socially aggregated information (Cohen, 2012): Cohen says Twitter is the first place he looks when there is a story worth following, the first place he looks for opinions, and the first place he goes to share. In his words, Twitter has become the beating pulse of the Internet, and an outage such as this one shows that in the most intimate and immediate of ways.

In my opinion a double failure seems to be a rare event, which for me is hard to believe; what I think is more feasible is that someone found a vulnerability which caused the double failure. I think Twitter does not want to admit that for the second time in a two-year span someone was able to penetrate their systems. Back on September 21, 2010, Twitter suffered what is called a "security exploit", caused by cross-site scripting (XSS). Cross-site scripting is the practice of injecting code from an untrusted source into a trusted website so that it runs in other users' browsers (Twitter: Here's What Happened With That Bug This Morning, 2010). In this case, users submitted JavaScript code as plain text in a tweet, and because the site rendered it without escaping, it executed in the browser of anyone viewing that tweet. The system was not down; it was more of a prank, turning tweets different colors and causing other errors.
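
How a tweet's text turns into script when it is pasted into HTML unescaped, and what output encoding does to it, as an added example that is not Twitter's code and does not reproduce the 2010 payload: the page fragment, the payloads and the `active_content` checker are all constructed here for illustration.

```python
import html
from html.parser import HTMLParser

# Added example, not Twitter's code. The template is a hypothetical page
# fragment; the payloads are constructed, not the 2010 Twitter payload.

# The tweet text lands both in an attribute and in the element body, the two
# places an injected string most often breaks out of its context.
TEMPLATE = '<p class="tweet" title="{attr}">{body}</p>'

PAYLOAD_ATTR = '" onmouseover="alert(document.cookie)'   # closes the attribute, adds a handler
PAYLOAD_SCRIPT = '<script>alert(1)</script>'             # injects an element into the body


def render_unsafe(tweet):
    """Vulnerable: the raw string is pasted straight into the markup."""
    return TEMPLATE.format(attr=tweet, body=tweet)


def render_safe(tweet):
    """Fixed: encode & < > " ' before interpolation, so the text stays text."""
    encoded = html.escape(tweet, quote=True)
    return TEMPLATE.format(attr=encoded, body=encoded)


class ActiveContentFinder(HTMLParser):
    """Walk the rendered markup the way a browser would and record anything executable."""

    def __init__(self):
        super().__init__()
        self.handlers = []   # event-handler attributes such as onmouseover
        self.scripts = 0     # <script> elements

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))


def active_content(markup):
    """Return (event handler names, script element count) a browser would execute."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers, finder.scripts


if __name__ == "__main__":
    for payload in (PAYLOAD_ATTR, PAYLOAD_SCRIPT):
        print("unsafe:", active_content(render_unsafe(payload)))
        print("safe:  ", active_content(render_safe(payload)))
```

Run it and the unsafe renderer yields an `onmouseover` handler for the first payload and a `<script>` element for the second; the escaped version yields neither, because `&quot;` and `&lt;` are displayed as characters and never reopen an attribute or a tag. The checker is deliberately a real HTML parse rather than a string search for `onmouseover`, since that substring is still present, harmlessly, in the escaped output.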

Breaches are not uncommon; a fine example happened this week to GoDaddy. GoDaddy was down for about six hours, and a Twitter user, @AnonymousOwn3r, claimed responsibility, describing it as a SQL injection attack. Of course GoDaddy has denied that it was an attack. According to the official statement released by GoDaddy CEO Scott Wagner, "The service outage was not caused by external influences. It was not a 'hack' and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables." (Vaughan, 2012). Vaughan, citing an article in Wired, said that one change GoDaddy made was to point its DNS to Verisign, effectively letting a competitor manage GoDaddy's DNS.

No matter what happened in the case of Twitter or GoDaddy, the truth will probably never be known; corporations are never going to admit it. I think by now we all know that security breaches are not a myth.

References:

Twitter: Here's What Happened With That Bug This Morning. (2010, September 21). Retrieved September 17, 2012, from Business Insider.

Cohen, R. (2012, July 26). When Twitter Goes Down, So Does the Social Web. Retrieved September 17, 2012, from Forbes.

Lieberman, D. (2012, July 26). UPDATE: Twitter Says System "Double-Whammy" Caused Blackout. Retrieved September 16, 2012, from Deadline.

Twitter. (n.d.). Retrieved September 16, 2012, from Wikipedia.

Vaughan, D. (2012, September 14). GoDaddy Outage – What Happened? Retrieved September 17, 2012, from Web Host Industry Review.