An ounce of prevention – 1.3 actually

What do the following have in common?

  1. Data relating to approximately 600 maternity patients and names and dates of birth of 30 children on an unencrypted memory stick lost.
  2. Missing memory stick from a nursery contained 80 childrens’ contact details and dates of birth
  3. Lost memory stick contained personal details of 1,075 young school children
  4. Memory stick with 1,500 pediatric patients’ information missing
  5. An employee for a Nuclear Regulatory Organization lost an unencrypted USB memory stick containing a nuclear plant safety assessment.

Answer: Storing sensitive information on an unencrypted USB memory device. The other thing they have in common is, they’ve all happened in the last month.

How big is the problem?  70% of respondents in a study of security professionals conducted by the Ponemon Institute say they are absolutely certain (47%) or believe it was most likely (23%) that a data breach was caused by sensitive or confidential information being lost on an unencrypted USB drive.

Face it, they are a simple and easy way to move large amounts of data about. We’re not going to see these handy little devices go away in the near future.  But what we can do is to make sure the ones we use are encrypted from day one.

Kingston Storage is making it easy for us all to do the right thing. Their line of DataTraveler Locker+ USB storage devices come with built-in 256-bit AES hardware based encryption. Plug them in, set your password and your data is ready for safe travels. If you lose it and someone tries to guess your password, after the tenth try, all the data on the device is destroyed. With a street price of around $15 for 8GB this 1.3 ounces of prevention can certainly be worth its weight in gold.

Posted in Current Threat, encryption, ID Theft, Small Business Security Tips | Leave a comment

Isn’t that just the Berry’s – Hyatt hyping weight loss

Facebook, Twitter, Pinterest; the list of “gotta be on” Social Media outlets marches on. The good news; these allow you to project your brand and your message cheaply, efficiently and effectively. The bad news? If you’re not careful, all that work can be quickly undone when a hacker compromises your account and Posts, Tweets or Pins something for their benefit at your expense.

Hyatt Hotels found this out the hard way when their Concierge account Tweeted, ”An amazing new weight loss product! It worked for me and I didn’t even change my diet!” with a link to what appeared to be TV News footage about the product. The bad guys do this because they get paid for driving traffic to the site.

Fortunately, the folks at Hyatt regained control of the account within an hour and Tweeted a response. Lest we think only Hyatt has this kind of problem, it’s happened to the NY Times on Twitter and Pfizer’s Facebook page has been hacked.

What to do about this?

  1. Often, the bad guys just guess the password or use password cracking tools. Use unique, hard-to-crack passwords.
  2. Keep those with access to the account to the minimum.
  3. Keep the computers used to access the account up-to-date with all software patches and security software.
  4. If you’ve outsourced any of the update activities to an outside organization such as a PR firm, make sure they observe the above rules.
Posted in Current Threat, Facebook, IT Contractors, Pinterest, Small Business Security Tips, Social Media, Software Patches, Twitter | Leave a comment

Clouds and their Silver linings – First the Clouds

Verizon has just released their 76 page 2012 Data Breach Investigations Report. This is a study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.

The study contains a wealth of information for both small and large organizations. Since most small businesses don’t have full-time, dedicated IT security staff pouring over these kinds of reports, we thought we’d do that for you and give you the high points. If you like to read it for yourself, you can find it here. http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Our next posts will cover how these findings provide a clear road-map for the security conscious small business.

From the Report –

Cyber-Criminals continued to automate and streamline their methods of high-volume, low-risk attacks against weaker targets. Thus creating an “industrialized” approach.

Target selection is based more on opportunity than on choice . Most victims fell prey because they were found to possess easily exploitable weakness rather than because they were pre-identified for attack. Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult .

  • 79% of victims were targets of opportunity
  • 96% of attacks were not highly difficult

Smaller organizations represent the majority of victims. This relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers in a surprisingly short time-frame with little to no resistance. Smaller businesses are the ideal target for such raids, and money-driven, risk-averse Cyber-Criminals understand this very well . Thus, the number of victims in this category continues to swell

Organized criminal groups were once again behind the lion’s share of all breaches. Why are they doing this? They do it for the money, most data thieves are professional criminals deliberately trying to steal information they can turn into cash

It is apparent money-driven crooks continue to focus more on opportunistic attacks against weaker targets. Instead of major and risky heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present a lower risk to the attacker . Think of it as a way to streamline business processes .find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale . This high-volume, low-yield business model has become the standard MO for organized criminal groups

The most effective and efficient approach is almost always to stop assailants before they get in the door. Most opportunistic criminals will not expend their resources on a hardened target while a softer one of similar perceived value is available .

Smaller organizations often do not have the knowledge or resources necessary to address flagrant weaknesses in their Internet-accessible assets that cause them to be identified for opportunistic attacks.

Well over half the time, the victim’s data was removed within hours of initial compromise

Perpetrators rarely know who they are hacking. In most cases they only learn the identity of their victim after they have gained unauthorized access

Posted in Current Threat, Small Business Security Tips | Leave a comment

Apple + Java = 600,000 Node Botnet

Researchers have found approximately 2% of Macs have been infected by the Flashback malware.

How could this happen? Oracle, who now owns Java after their acquisition of Sun, discovered and fixed 14 security weaknesses in Java on 2/14. These patches were made available to those using the Windows and Linux operating systems at that time. Apple, who controls the update process for Java on Macs, waited until 4/3 to apply the patches. During that 7 week window of vulnerability, cyber-criminals were able to develop a Trojan which exploited over 600,000 of the unpatched Macs. Over half are believed to be in the US.

Am I in the 2%? The security company Kaspersky has provided a way for you to check your Mac to see if it has been compromised and how you can deal with the issue at http://flashbackcheck.com/ .

Posted in Current Threat, Java, Mac, Small Business Security Tips, Software Patches | Leave a comment

Pinterest = PinToScam?

As one of today’s fastest growing social media sites, Pinterest is generating a lot of interest. Because of all this interest it’s also getting some undesirable attention from cyber scammers. Its “click the picture” nature makes it easy to visit the latest fashion site but also makes it easy for someone to send you to a very unfashionable fake survey site or malware site.

The current fiendish fad is to whisk you off to a fake survey site promising the likes of a $10 Starbucks gift card or a chance to win a Coach bag. Their real goal is to get you to first, pin the picture to your board to help propagate the scam. Second, they may send you to a legitimate survey site for which the scammer will be paid a few cents or you’ll end up on a not-so-legitimate survey site where they will try to get you to enter personal information, account numbers, card numbers, passwords and anything else the criminals feels they can turn around and sell. Symantec estimates scammers running this little game are netting a few hundred dollars a day for their efforts. At $10,000 a month, it’s doubtful these will be going away in the near future.

How to protect yourself?
1. If you’re being promised something for free but are required to re-pin before you can proceed, it’s probably a scam.

2. Don’t ever enter personal information into any kind of “survey”.

3. Don’t download or buy anything based on a site you reached indirectly through Pinterest. If you see something you like go to the site directly. That way, you are sure to be dealing with the real thing and not a phony, cloned site designed to do nothing more than steal your credit card information.

Posted in Current Threat, ID Theft, Pinterest, Scams | Leave a comment

Join my LinkedIn Network = Join my Evil Botnet Empire?

That “Invitation Reminder” in your InBox from LinkedIn may be neither. Although it looks to be a legitimate message from LinkedIn telling you of a pending message from a colleague it maybe a phishing expedition.

Cyber-criminals are busy spewing out phony emails trying to entice you into clinking on a link that leads to malware. This malware attempts to take advantage of system vulnerabilities in order to take over your computer. Typically these vulnerabilities are weaknesses that have been known for a while and which have fixes or patches available to eliminate the exposure. The bad guys are counting on you not keeping your system up-to-date thereby giving them an easy way to infect your computer.

What to do about this? First, if you receive an email regarding a LinkedIn connection or action, DON’T click on the link supplied in the email. Go to your browser, log into your LinkedIn account and deal with it there. Second, make sure to apply all security patches and updates to your computer as soon as possible. No need to make it easy for the cyber-criminal to have his way with your computer.

 

Posted in Current Threat, eMail Attachment, LinkedIn, Phishing, Scams, Small Business Security Tips | Tagged | Leave a comment

How safe is your Remote Desktop?

Microsoft’s Windows Remote Desktop Protocol (RDP) is a tool that lets users remotely access a PC or server. RDP is frequently used by off-site users and IT support organizations to remotely manage servers

Yesterday Microsoft released a security patch to address weaknesses in their RDP application. According to Microsoft the critical vulnerability, CVE-2012-0002, could be exploited by an attacker who simply sends specially-crafted data packets to a system with RDP enabled.

Microsoft has tagged this with an exploitability index rating of “1,” meaning it expects exploits to appear within 30 days, and ranking the update as the one to patch before all others.

Once these exploits are developed we can expect widespread attacks where hackers use search engines and port sniffing to find as many RDP-enabled machines as possible.

What should you do about this? If you are currently using RDP, apply the patch. If you are using an outside IT support organization, find out if they are using RDP to administer your server. If they are, have them apply the patch.

Posted in Current Threat, IT Contractors, Microsoft, Small Business Security Tips, Software Patches | Leave a comment