Monday, September 24

The Enemy from Within

In an era when words like “cyber-attack” are uttered as part of everyday lingo, corporations are spending millions of dollars protecting themselves from viruses and hackers, but they are neglecting one of their biggest enemies. This enemy has already infiltrated their ranks; the enemy is one of their own. Last week a former employee of CME Group pleaded guilty to theft of trade secrets after he stole source code and other proprietary information (News, 2012). I think it is amazing that people think they are going to get away with it, especially when most companies make employees sign a confidentiality agreement and tell them that every system is monitored.

Trade secret theft by employees is more common than most people think: in 85% of trade secret cases the alleged thief was someone the trade secret owner knew, either an employee or a business partner (Almeling, Snyder, Sapoznikow, McCollum, & Weader, 2010).

Stealing trade secrets is more lucrative than stealing cash. Trade secret theft costs corporations billions of dollars each year and no one is immune. This loss also includes piracy, counterfeit products, and corruption (Passman, 2012). In his article Passman says that the rise in cyber theft has made this issue more difficult to address; what is worse, many countries, such as India, Singapore, Malaysia and Hong Kong, do not provide statutory protection for trade secrets or confidential information.

In my September 10 blog post I wrote about outsourcing and the potential risk of customer information being stolen; this week we see that corporations can lose as well. Maybe outsourcing is a lose-lose situation, because consumers and corporations both end up as the loser.

Not all is lost. Corporations can reduce the risk of these types of incidents by taking some basic steps:

  • Educate and regularly train employees on security or other protocols.
  • Ensure that proprietary information is adequately, if not robustly, protected.
  • Use appropriate screening processes to select new employees.
  • Provide non-threatening, convenient ways for employees to report suspicions.
  • Routinely monitor computer networks for suspicious activity.
  • Ensure security (including computer network security) personnel have the tools they need (The Insider Threat: An introduction to detecting and deterring an insider spy, n.d.).
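
The last two steps, monitoring for suspicious activity and giving security staff tools, are the ones that would have been visible on the network in a case like the CME source code theft. As an added example (not from the original post and not from the FBI guidance it cites), here is a small detector that rolls source-repository access logs up per user and per day and flags a day on which someone pulled far more repositories and bytes than their own history suggests. The log format, the user and repository names and every log line are constructed sample data; the business-hours window is an assumption.

```javascript
// Added example, not from the original post or the FBI guidance it cites: a
// detector for employees whose source-repository download volume jumps far
// above their own baseline. The log format, the users, the repository names
// and every line below are constructed sample data.
const SAMPLE_LOG = [
  // "<ISO-8601 timestamp> <user> <action> <repo> <bytes transferred>"
  "2012-09-10T09:12:01Z alice clone trading-engine 1200000",
  "2012-09-10T09:30:44Z bob   clone trading-engine 1150000",
  "2012-09-11T10:02:13Z alice clone risk-models 800000",
  "2012-09-12T11:45:09Z bob   fetch risk-models 20000",
  "2012-09-13T08:05:55Z alice fetch trading-engine 15000",
  "2012-09-14T22:41:30Z bob   clone trading-engine 1200000",
  "2012-09-14T22:43:12Z bob   clone risk-models 800000",
  "2012-09-14T22:47:58Z bob   clone matching-core 2100000",
  "2012-09-14T22:52:03Z bob   clone market-data 1700000",
  "2012-09-14T23:01:40Z bob   clone settlement 950000",
];

function parseLine(line) {
  const [ts, user, action, repo, bytes] = line.trim().split(/\s+/);
  return { ts: new Date(ts), user, action, repo, bytes: Number(bytes) };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Roll records up into per-user, per-UTC-day summaries.
function summarize(records) {
  const byUser = new Map();
  for (const r of records) {
    const day = r.ts.toISOString().slice(0, 10);
    if (!byUser.has(r.user)) byUser.set(r.user, new Map());
    const days = byUser.get(r.user);
    if (!days.has(day)) days.set(day, { bytes: 0, repos: new Set(), afterHours: false });
    const d = days.get(day);
    d.bytes += r.bytes;
    d.repos.add(r.repo);
    const hour = r.ts.getUTCHours();
    if (hour < 7 || hour >= 20) d.afterHours = true; // assumed business hours: 07:00-20:00 UTC
  }
  return byUser;
}

// Flag a user-day when it touches at least `minRepos` distinct repositories
// and its byte volume is at least `ratio` times the median of that user's
// other days. A user with only one day of history has no baseline, so only
// the repository-count rule applies to them; a brand-new account pulling
// everything on day one is the blind spot a reviewer should keep in mind.
function flagAnomalies(lines, { ratio = 3, minRepos = 3 } = {}) {
  const flagged = [];
  for (const [user, days] of summarize(lines.map(parseLine))) {
    for (const [day, d] of days) {
      const others = [...days].filter(([k]) => k !== day).map(([, v]) => v.bytes);
      const baseline = others.length ? median(others) : null;
      const spike = baseline === null || d.bytes >= ratio * baseline;
      if (d.repos.size < minRepos || !spike) continue;
      const reasons = [
        `${d.repos.size} repos in one day`,
        baseline === null ? "no baseline" : `${(d.bytes / baseline).toFixed(1)}x baseline`,
      ];
      if (d.afterHours) reasons.push("after-hours");
      flagged.push({ user, day, bytes: d.bytes, repos: d.repos.size, reasons });
    }
  }
  return flagged;
}

console.log(flagAnomalies(SAMPLE_LOG));
```

On the sample data only bob's late-evening sweep of five repositories on September 14 is flagged; alice's large but single-repository clones stay under the repository-count rule. The thresholds are deliberately crude: a real deployment would baseline against the person's team as well as their own history, and would pair this with the reporting channel from the list above so that a flagged day is reviewed rather than acted on automatically.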

I think that no matter what steps corporations take, it is not possible to stop information from leaving a company, because it happens not only intentionally but inadvertently. For example, Joe works in company A's marketing department, then one day goes to company B to work in their marketing department. At company B he is asked to create a marketing plan, and in the end this plan is very similar to the plan from company A. This is what is called unintentional theft. I think it is up to each one of us to protect our employers by keeping information protected, trusting no one, and reporting any co-worker we see committing an action that could be construed as theft.

This is one battle that can never be won; the enemy will always be the one we least expect. As the famous saying goes, “Keep your friends close and your enemies even closer”.

References

Almeling, D., Snyder, D., Sapoznikow, M., McCollum, W., & Weader, J. (2010, March 30). United States: A Statistical Analysis of Trade Secret Litigation in Federal Courts. Retrieved September 22, 2012, from Mondaq.

News, S. (2012, September 21). Software Engineer Pleads Guilty To Stealing Source Code. Retrieved September 22, 2012, from SecurityWeek.

Passman, P. (2012, May 5). Trade Secret Theft: Businesses Need To Beware And Prepare. Retrieved September 22, 2012, from Forbes.

The Insider Threat: An introduction to detecting and deterring an insider spy. (n.d.). Retrieved September 22, 2012, from FBI.

Monday, September 17

Security Breaches: Truth or Myth?

Twitter can by far be considered one of the largest social websites; it boasts over 500 million active users, generates 340 million tweets daily, and handles over 1.6 billion searches per day (Twitter). So what has been going on with Twitter? If you are a Twitter user, you were one of those disconnected from the world. For those who are not Twitter users: Twitter has had two major incidents in the last two months and a third in 2010, or at least that is what I was able to find. These incidents affected most or all of its users. The first incident occurred on July 26 and I will discuss it in detail later on; preceding it there was a blackout on June 21, but Twitter is not disclosing what happened.

According to Twitter's VP for Engineering, Mazen Rawashdeh, the July 26 incident was caused by an “infrastructural double-whammy” at its data center. The data centers are designed to be redundant; what is noteworthy is that two parallel systems failed at nearly the same time (Lieberman, 2012). Lieberman also notes in his article that Twitter attributed an earlier incident to a “cascading bug”, which essentially is a software problem that spread across its systems. Twitter has become the central source of socially aggregated information (Cohen, 2012). Cohen writes that Twitter is the first place he looks when there is a story worth following, the first place he looks for opinions, and the first place he goes to share. Twitter has become the beating pulse of the Internet, and an outage such as today's shows this in the most intimate and immediate of ways, according to Cohen.

In my opinion a double failure is a rare event, which for me is hard to believe; what I think is more feasible is that someone found a vulnerability which caused the double failure. I think Twitter does not want to admit that, for the second time in a two-year span, someone was able to penetrate their systems. Back on September 21, 2010 Twitter suffered from what is called a “security exploit”. The exploit that caused the problem was cross-site scripting (XSS): attacker-supplied script is injected into a page served by a trusted site, so that it runs in other users' browsers with that site's privileges (Twitter: Here's What Happened With That Bug This Morning, 2010). In this case, users submitted JavaScript code as plain text in a tweet, and it was executed in the browser of any other user who viewed the tweet. The system in this case was not down; it was more of a prank, as it turned tweets different colors and caused other errors.
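
The mechanism behind that 2010 incident is easy to reproduce in miniature. The following is an added example written for this post, not Twitter's code and not taken from the cited article: a naive tweet renderer that builds HTML by string concatenation, placed beside a hardened renderer that HTML-escapes all user text and only auto-links targets that parse as http(s) URLs. The sample tweets, including the hostile one, are constructed; the `looksScripted` check is a crude demo-only heuristic, not a real XSS scanner.

```javascript
// Added example, not Twitter's code and not from the cited article: a naive
// tweet renderer that pastes text into HTML by string concatenation, beside a
// hardened one that HTML-escapes everything and only auto-links URLs that
// parse as http(s). The sample tweets, including the hostile payload, are
// constructed for this example.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Vulnerable: tweet text, and any URL found in it, go straight into the markup,
// so a double quote inside the "URL" closes the href attribute early.
function renderTweetUnsafe(tweet) {
  const linked = tweet.text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
  return `<p class="tweet">${linked}</p>`;
}

// Hardened: every piece of user text is escaped before it touches the markup,
// the href is escaped as well, and only http(s) targets are linked at all.
function renderTweetSafe(tweet) {
  const parts = tweet.text.split(/(https?:\/\/\S+)/g); // odd indices are the URL matches
  const html = parts
    .map((part, i) => {
      if (i % 2 === 1 && isHttpUrl(part)) {
        const e = escapeHtml(part);
        return `<a href="${e}" rel="noopener noreferrer">${e}</a>`;
      }
      return escapeHtml(part);
    })
    .join("");
  return `<p class="tweet">${html}</p>`;
}

// Crude check used only for this demo: does the markup contain a script tag
// or an inline event-handler attribute that the renderer did not emit?
function looksScripted(html) {
  return /<script|["'\s]on\w+\s*=/i.test(html);
}

const SAMPLE_TWEETS = [
  { user: "alice", text: "Reading http://example.com/post today" },
  // Constructed payload in the style of the 2010 worm: the quote ends the
  // href value and what follows is parsed as an onmouseover attribute.
  { user: "mallory", text: 'http://t.co/@"onmouseover="alert(document.cookie)"/' },
  { user: "bob", text: "<script>alert(1)</script> hi" },
];

for (const t of SAMPLE_TWEETS) {
  console.log(`${t.user} unsafe: ${looksScripted(renderTweetUnsafe(t))}  safe: ${looksScripted(renderTweetSafe(t))}`);
}
```

The point of the hardened version is that the escaping happens at the output boundary, once, for every fragment of user data, including the part that goes inside the `href` attribute; a renderer that escapes the visible text but not the attribute is exactly the shape of bug that lets a quote character break out of the tag.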

Outages and breaches are not uncommon; a fine example happened this week to GoDaddy. GoDaddy was down for about six hours following what @AnonymousOwn3r claimed was an attack using SQL injection. Of course GoDaddy has denied that it was an attack; according to the official statement released by Go Daddy CEO Scott Wagner, “The service outage was not caused by external influences. It was not a ”hack” and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables.” (Vaughan, 2012). Vaughan, citing an article in Wired Magazine, said that one change GoDaddy made was to point its DNS to Verisign, effectively letting a competitor manage the GoDaddy DNS.

No matter what happened in the case of Twitter or GoDaddy, the truth will never be known; corporations are never going to admit it. I think by now we all know that security breaches are not a myth.

References:

Twitter: Here's What Happened With That Bug This Morning. (2010, September 21). Retrieved September 17, 2012, from Business Insider.

Cohen, R. (2012, July 26). When Twitter Goes Down, So Does the Social Web. Retrieved September 17, 2012, from Forbes.

Lieberman, D. (2012, July 26). UPDATE: Twitter Says System “Double-Whammy” Caused Blackout. Retrieved September 16, 2012, from Deadline.

Twitter. (n.d.). Retrieved September 16, 2012, from Wikipedia.

Vaughan, D. (2012, September 14). GoDaddy Outage – What Happened? Retrieved September 17, 2012, from Web Host Industry Review.

Monday, September 10

Outsourcing: Is Our Information Safe?

Outsourcing, especially within the call center industry, continues to be a hot trend. One place in particular where many companies are going is the Philippines. The list of companies doing so includes some very well-known corporations: Polaroid, West Corporation, Convergys, Ford Motor, Frito Lay, among others. The list is part of a book written in 2004 by journalist Lou Dobbs titled “Exporting America”.

The Philippines is also known as a hotbed for scammers, on the same level as Africa and Ukraine. If you were to Google “Philippines and scams”, the results would make your head spin. In one of its 2010 Reports and Publications the FBI lists the Philippines as one of the countries of origin for international mass-marketing schemes.

On August 23 of this year an operation in the Philippines conducted by the Criminal Investigation and Detection Group and the Presidential Anti-Organized Crime Commission resulted in 357 arrests, the largest cybercrime operation in the nation's history. The aim of this raid was to stop a scam that targeted victims in China.

I can understand, from an economic point of view, why companies want to outsource, but from a security point of view I cannot. There is already an inherent risk when companies trust their employees with sensitive information, even here in the United States. To some, access to this information is an invitation to commit a crime, and when you place the same information in countries that are well known for international crime the risk doubles. If companies want to outsource, great; just don't provide sensitive information.

Monday, September 3

Java Flops Again

If you have not been keeping up with the news this past week, I am referring to Oracle's latest flop with Java. On August 28 it came to light that Java 7 had a security flaw that could be exploited on Windows, OS X, and Linux (Horowitz). According to CNET, following the news of this exploit and the potential for it to do harm, concerns arose regarding Oracle's release schedule for Java updates, which are usually released quarterly.

In this case a patch was available within days. On August 30 Horowitz posted on his website Java Tester that Oracle had released a patch for Java 7. He followed this on September 1 with a post stating that Java 7 is still dangerous. Issues with Java have been known for a while: Oracle, which acquired Sun Microsystems in 2010, had been criticized for not addressing security flaws that were reported to it in April 2012 (Heath, 2012).
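
The practical question after a fix like this is which machines are still on the vulnerable build. As an added example (not from Oracle, Horowitz or the original post), here is a small audit that parses the first line of `java -version` output from an inventory of hosts and classifies each one. The threshold build, 1.7.0_07 (Java 7 Update 7), is taken from Oracle's release notes rather than from the page; the host names and inventory lines are constructed sample data. The parser also handles the `x.y.z` scheme that later Java releases use, which goes beyond the Java 7 case discussed here.

```javascript
// Added example, not from Oracle or the original post: parse the version line
// printed by `java -version` and decide whether a host still runs a Java 7
// build older than the August 30 fix. The threshold 1.7.0_07 (Java 7 Update 7)
// comes from Oracle's release notes rather than from the page; the inventory
// lines below are constructed sample data with hypothetical host names.
const FIXED_JAVA7 = [7, 0, 7]; // [feature release, minor, update]

// Accepts "1.7.0_06", "11.0.2", or a whole line such as: java version "1.7.0_06"
// Returns [feature, minor, update], or null when no version is present.
function parseJavaVersion(s) {
  const m = String(s).match(/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?/);
  if (!m) return null;
  const [a, b, c, d] = m.slice(1).map((x) => (x === undefined ? 0 : Number(x)));
  // Legacy "1.x.y_z" scheme (Java 8 and earlier): x is the release, z the update.
  // Java 9 and later use "x.y.z" directly.
  return a === 1 ? [b, c, d] : [a, b, c];
}

function compareVersions(x, y) {
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Classify one host's `java -version` line.
function assessJava(line) {
  const v = parseJavaVersion(line);
  if (v === null) return { version: null, status: "no-java" };
  if (v[0] !== 7) return { version: v, status: "not-java7" };
  const status = compareVersions(v, FIXED_JAVA7) < 0 ? "java7-unpatched" : "java7-patched";
  return { version: v, status };
}

// Inventory lines are "<host> <first line of java -version output>".
function auditInventory(lines) {
  return lines.map((line) => {
    const [host, ...rest] = line.trim().split(/\s+/);
    return { host, ...assessJava(rest.join(" ")) };
  });
}

const SAMPLE_INVENTORY = [
  'ws-01 java version "1.7.0_06"',
  'ws-02 java version "1.7.0_07"',
  'ws-03 java version "1.6.0_35"',
  'ws-04 java version "1.7.0_04"',
  'ws-05 openjdk version "11.0.2"',
  'ws-06 bash: java: command not found',
];

for (const r of auditInventory(SAMPLE_INVENTORY)) {
  console.log(r.host, r.status);
}
```

A "java7-patched" result is a version check, nothing more: Heath's report that the patch itself was broken is the reason a practitioner treats the browser plugin as something to disable rather than something to update and forget.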

I understand that software programs cannot be perfect, but Java has a long history of being vulnerable. I think it is irresponsible for companies to launch programs that are open to attack. I am not saying companies do not bother to test their programs; what I am questioning is to what extent they check for vulnerabilities. After some research I found the answer, and that is not much; this is not a new problem. In April 2003, following the Slammer worm attack that occurred in January of the same year, PBS interviewed Amit Yoran about this very issue. At the time he was Vice President of Managed Security Services Operations for Symantec Corporation. During the interview Yoran was asked why vulnerabilities happen and whether there is such a thing as code review. Yoran responded as follows:

"The code review process and the entire software development process does not have an appropriate level of emphasis on security. The consumers and clients of most software companies are so demanding of new features and capabilities that those features take priority over better software development practices and techniques. So our demand for new features essentially fuels the fire of increased vulnerabilities in software."

Fast forward nine years and we are still in the same boat. I guess companies that offer anti-virus programs call such errors job security, but if consumers knew that companies are placing their computers in harm's way, seemingly by design, the uproar would be such that software companies would start doing a better job before launching a new product or update.

References:

Cyber War! (2003, April 24). Retrieved September 2, 2012, from PBS.

Heath, D. (2012, September 2). Oracle's recent Java patch is broken. Retrieved September 2, 2012, from ITWire.

Horowitz, M. (n.d.). Java Tester. Retrieved September 1, 2012, from Java Tester.

Kessler, T. (2012, August 30). Oracle patches Java 7 vulnerability. Retrieved September 1, 2012, from CNET.