Security professionals fear cyber-attacks and warn ab0ut them every chance they get. Countries all over the world are trying to put up the best cyber defenses technology advancements can buy, but it does take a well established institution in the field of global economy to actually make us all tremble and finally believe cyber attacks pose a great threat to global stability.

The World Economic Forum’s (WEF) Global Risks for 2012 report places cyber-attacks against governments and businesses among the top five risks in the world to global stability, in terms of likelihood. Cyber-attacks come right after income disparity, fiscal imbalances, and the rising greenhouse gas emissions, shows the report released in WEF’s annual conference held in Davos, Switzerland. 

The report put together by the WEF’s Risk Response Network is based on assessments of the tech industry which pointed out cyber-attacks as the biggest threat of all, as they can lead to devastating malfunctions in power plants, water supplies and other critical systems. The likelihood of such a globally debilitating attack is still up for debate, and other economic threats to global stability, such as income disparity, are far more pressing. WEF however believes we are not even close to understanding the risks posed to and handled by internet security.

Steve Wilson, chief risk officer for general insurance at Zurich and a member of the project, said:  ”We don’t even really understand the risks yet.”

The old-news threat to tech experts is now becoming an issue making its way into all the political agendas that matter. The the report calls “urgently” for new mechanisms to get private investment into exploring system vulnerabilities. It also pointed out how information about cyber-attacks and cybercrime is hard to get to in an objective fashion:

Research into cyber threats against governments and the private sector has largely been funded by those who are in the business of selling internet security solutions – a potential bias that causes scepticism. Academic and policy papers are based largely on anecdotal case studies.

Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organisations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market.

The full report is available online here.

The Ramnit worm, first discovered a year and a half ago, a malware that used to target online banking and FTP credentials, makes victims among UK and French Facebook users.

A new version of the worm managed to steal more than 45000 Facebook usernames and passwords and tried to attack the e-mail accounts and virtual private networks of affected persons. The worm has sent malicious links to victims’ friends, links that downloaded malware to the person’s computer, which helped spread the worm even faster.

It seems like the attackers are adapting to market tendencies, targeting social networks rather than traditional communication means (such as email).

For more details, you can read the techweekeurope.co.uk report.

The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.

A whole lot was written on loss/theft of hardware (laptops, USB sticks, external hard drives, etc.) and we had thought that organizations would learn their lesson and encrypt sensitive data on such supports. Apparently, things aren’t quite like that and two recent incidents come to prove it.

A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.

A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.

Another mishap took place in the United Kingdom and the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has established a fine for this organization for not encrypting the data. According to Sally-Anne Poole ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter ones align to their security policies.

It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them, that we really ask ourselves why don’t organizations do it?

Let’s hope that at least legal constraints will force private data handlers to implement solutions and politics to maintain their data safe and secure.

Endpoint security developer CoSoSys has released a new version of their data loss prevention, device control and endpoint security solution for Windows and Mac OS, Endpoint Protector. Offering enhanced protection, increased effectiveness and the fastest implementation time in its segment, the out-of-the-box Hardware and Virtual Appliance is now available for small, medium and large companies and organizations.

Coming with a long list of new features targeting better security, reliability, ease of use and better adapting to company structures and organization charts, Endpoint Protector 4 is designed to protect networks ranging from 20 computers (endpoints) to more than 5.000 endpoints.

Some of the top benefits of this latest Endpoint Protector solution are:

• Seamless integration in business processes
• Saving time and money when the solution is installed
• Increased security through enhanced protection
• Reducing allotted resources of the security staff
• Optimum security through enhanced stability
• Enhanced protection through complex, adaptable end efficient security
• Reliable security through enhanced monitoring and policy control

An unauthorized email sent by the recruitment company Hays to 800 RBS (Royal Bank of Scotland) employees has uncovered the amounts paid to contractors working temporarily for the bank.

Even though the people who received the email are employees of the bank and therefore obliged to keep the confidentiality of the information they have found out, RBS says they are ‘extremely disappointed’ and they are collaborating with Hays to recover the exposed data. The recruitment company has already started an investigation on this breach.

After this incident, discussions on the big salaries offered to contractors by a bank that is majority-owned by the state were started.

More information on this insider data leak here.

According to the PlayStation blog, the 70 million users of Qriocity and PlayStation Network may have had their personal information compromised due to a successful hacker attack. Also the network has been shut down since April 20th and users have been unable to download content or play online.

The hacker attack resulted in personal information such as names, home addresses, e-mail addresses, birth dates and passwords being compromised, but the damage to credit card information has not yet been assessed.

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” said Sony Computer Entertainment and Sony Network Entertainment, which manage the two services, in a joint statement.

It is however certain that although purchasing histories, answers to security questions, card expiration dates and billing addresses could have been stolen, the credit card security codes were kept safe.

Sony strongly advises its customers to place fraud alerts with their credit bureaus and periodically check their credit card statements.

As to the exact number of compromised accounts, the company refuses to comment, this general attitude raising spirits and angering users.

“You waited a WEEK to tell us our (personal) information was compromised?” one PlayStation user wrote on a Sony blog. “That should have been said last Thursday” — the day when Sony first acknowledged the issue.

Apparently, the intrusion occurred between 17 and 19’th of April. On April 20, PlayStation and Qriocity networks have been shut down and continue to remain so until further notice, but according to some reports, the PS network my be down for another week.

Recent research involving solid state drives have revealed the fact that sometimes files stored on such drives are impossible to erase using traditional disk-erasure techniques. According to this research, as much as 75% percent of the data may still be present on the drive in question after erasure.

This difficulty comes form their radically changed internal design: SSDs use computer chips to store data and employ a flash translation layer (FTL) to manage the contents. This FTL component frequently writes files to new locations and updates its map to reflect the changes.

“These differences between hard drives and SSDs potentially lead to a dangerous disconnect between user expectations and the drive’s actual behavior,” scientists, from the University of California at San Diego, wrote in a 13-page paper. “An SSD’s owner might apply a hard drive-centric sanitization technique under the misguided belief that it will render the data essentially irrecoverable. In truth, data may remain on the drive and require only moderate sophistication to extract.”

“Our data shows that overwriting is ineffective and that the ‘erase procedures provided by the manufacturer’ may not work properly in all cases,” the paper warns.

Due to this difference in manufacturing and architecture, apparently even degaussing, a process in which a magnetic drive’s low level formatting is destroyed, has shown serious failures.

“The danger, however, is that it relies on the controller to properly sanitize the internal storage location that holds the encryption key and any other derive values that might be useful in cryptanalysis,” the researchers wrote. “Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Furthermore, there is no way to verify that erasure has occurred (e.g., by dismantling the drive).”

The latest annual statistics from the UK’s National Fraud Authority show that more than £38bn have been lost over the last 12 months due to fraud. This amounts to an increase of more than 25%.The public sector (£21.2bn) reported the biggest part of the loss, while the private sector cost the government only £12bn, with another £4bn in losses from fraud against individuals.

According to the NFA the increase was to be expected, at least in part, due to improved reporting procedures. The figures include estimates for procurement (£2.4bn) and grant fraud (£515m) for the first time.

In the financial services industry £3.6bn in fraudulent losses have been recorded last year. The highest figure in the private sector was £3.8bn and represented a slight decrease from 2009. Losses attributed to plastic card (£440m) and cheque fraud (£30m) have also increased by up to 14%, reaching £60m. Insurance fraud (£2.1bn) and mortgage fraud (£1bn) both remain high.

According to Gavin Cunningham, director in the specialist forensic fraud investigation firm, BTG Global Risk Partners, fraudulent losses are only likely to rise in the future.

“These figures make grim reading for both private and public sector business leaders alike and reflect the significant financial impact of fraud in the UK,” Cunningham said. “With the UK still struggling to recover from the recession and some uncertainty as to what the future may hold, there is unlikely to be a reduction in fraud in the short term; historically, there is evidence that fraud increases as a recession ends, in part because businesses uncover fraudulent actions as the effects start to build up and in part because there is more scrutiny of hidden and unknown costs in tougher times.”

A professor at the Umeå University in northern Sweden has received the entire contents of his stolen laptop on a USB stick. As this data was the result of 10 years of work, one can imagine this gentleman’s relief.

In a statement addressed to the local Västerbottens-Kuriren newspaper he says that he is unhappy with the incident but the return of the data makes him “hope for humanity”.

The bag containing his computer was stolen from his apartment and then later returned, his papers and credit cards still being in there and only the computer missing.

“The backpack was there again. With all the papers, calendar and credit cards. It was just the computer that was missing,” the professor said. “Unfortunately, I have been bad at backing up my computer.”

A week after the incident, the professor received a USB stick with all of his work, this saving him several hours of backup work.

“It is my life. I have documented everything in it that has happened in the last 10 years and beyond. Often when people lose their computers and cameras, it is understandably not the gadget itself that is the most important. The content is often irreplaceable.”