If you think BP have their hands full with the oil spill and the whole environmental mess they’ve caused in the Gulf of Mexico, think again. It seems they lack all kinds of security – not only can’t they drill for oil in a safe environment, their data security is also poor.

The Defcon hacker contest organized in Las Vegas is a hacking competition that has its contestants trick employees of large companies into spilling out potentially sensitive information. The purpose is – and targeted companies should thank the organizers for that matter – to show how gullible people can be and how this becomes a major security vulnerability.

One of the contestants, Josh Michaels, made only two phone calls and got a computer support employee of BP into revealing data that could have helped launch a network attack against the oil giant. He managed to get details such as what model laptops BP used and the specific operating system, browser, anti-virus and even virtual private network software the company is using. He also won extra points for tricking the employee into visiting Social-Engineer.org.

“That was scary,” said Michaels, shortly after ending the call, in which he posed as a Louisiana-based employee handling claims stemming from BP’s massive oil spill in the Gulf of Mexico. “You never know what you’re going to get. There’s an adrenalin rush that comes with social engineering.”

What does the contest do? The Social Engineering Capture the Flag contest gives entrants 25 minutes to call a company chosen in advance by the organizers. They are free to make as many calls as they need and use what ever deceiving techniques they see fit. Awarded points depend on the types of collected “flags”: the version of Adobe Reader the company used, the garbage collector that hauled its trash, or success in getting the target to visit a website of the caller’s choosing.

Callers sat in a soundproof glass booth while about 80 people crammed into a conference room listened on, often chuckling and applauding as targets naively volunteered potentially sensitive information. Companies that were called during day one of the two-day competition included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Proctor and Gamble, Pepsi, Coca-Cola, and Ford. Of the dozens of calls made to the 10 companies, only three of the targets refused to cooperate.

Contest organizers put great efforts into making sure the contest stays within legal boundaries. Requiring sensitive info such as credit card numbers or passwords is prohibited as is the strategy stating someone’s account has been compromised, or other such scenarios that might lead targets to believe they are at risk.

A thumb drive containing personal data of current and past graduate medical education residents and fellows at Cooper University Hospital has recently gone missing. Lost around July 8th, the incident has been reported to the proper authorites a few days later who are now looking into the potential security breach only two weeks later.

According to hospital sources, the lost data includes Social Security numbers, addresses, and phone numbers. As it always happens in such cases, the data was not in anyway encrypted or protected.

The University later released the following statement:

“Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, No patient information or records were compromised. The incident was reported to the New Jersey State Police Cyber Crimes Unit on Friday, July 23 as per the state notification procedure. The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach.”

As of yet there are no information on the number of individuals affected by the breach.

New York-based Lincoln Medical and Mental Health Center is the center of attention in security news after exposing sensitive patient information. The lost data was the result of a failed FedEx delivery – CDs with unencrypted data was sent to the Center but never made it to its destination.

The lost data included medical and psychological diagnoses and procedures for over 130 000 patients, as stated in an official notification. An investigation trying to locate the missing CDs was launched back in April, but it failed to recover the data: names, addresses, social security numbers medical record numbers, dates of birth and more, enough for any half-decent identity thief to have a blast.

According to the Register, Licoln is at least note alone in this mess:

Lincoln’s notification to the US Department of Health website came the same day officials at the University of Maine said sensitive details for 4,585 individuals who sought services at the school’s counseling center have been stolen by hackers who compromised two servers. The exposed data included names, clinical information and social security numbers for people who used the service over an eight-year span ending last week.

Other medical facilities to fess up to losing patient data in the past 24 hours, according to the Department of Health website, include Silicon Valley Eyecare Optometry and Contact Lenses, with 40,000 people affected, Kentucky’s Our Lady of Peace Hospital, with 24,600 affected, and the Cincinnati Children’s Hospital Medical Center, which affected 60,000.

Tired of being the main target of cybercriminals and other mean characters of the virtual world, SMBs are reconsidering their stand of security and starting to seriously apply it to their corporate infrastructures. These are the finding of a new survey conducted by Applied Research and published by Symantec. The new report shows that SMBs views have drastically changed over the past year, leading to more spendings on IT security and giving security policies a higher priority.

“Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” says Monica Girolami, senior product marketing manager at Symantec, who worked with Applied Research on the study. “This year they realize that they have gaps in their security stance, and they’re getting more serious — in fact, they rated data loss and cyberattacks as their top risks, even above natural disasters.”

If you’re wondering why this major shift, ask your self no more! It’s a mere cause and effect phenomenon: 42% of SMBs have lost data and the cost of a breach exceeds 188,000 USD. So insted of paying for the damages, better invest less in security and prevent them. Although it is happening rather late, it is still a smart move!

The respondents ranked data loss and cyberattacks as their top business risks, ahead of traditional criminal activity, natural disasters, and terrorism, according to the report. SMBs are now spending an average of $51,000 a year — and two-thirds of IT staff time — working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.

Shands HealthCare has recently announced about 12,500 of their patients that their private medical data has been stolen in January, along with the laptop that contained the personal details. As it almost always happens in the case of hardware storing sensitive records, the laptop wasn’t encrypted in any way.

The stolen info contains names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people. Luckily, up to know, there is no evidence of any misuse of the data, and we should keep hoping that the thief or thieves just needed the notebook to sell it or for personal use…

At least some measures have been taken: training for the employees and system-wide encryption policy to prevent such data breaches in the future. And of course, there’s protection for those affected, eligible for 12 months of free credit monitoring.

Let’s hope the new system works, as according to Gainesville.com, security breaches involving large amounts of patient data being exposed are some what of a recurring habit at Shands.

The USB ports leading to the computers in your network are somewhat of a hell hole, opening up the way to scary security breaches. It all comes down to the use of portable devices that can store large amounts of data that employees and visitors carry around, plug in and use, regardless of all the security red alerts popping up each step of the way.

But completely cutting access to USB ports, although still used, is not a smart move if you’re trying to protect your data against accidental loss or theft. Lawsuits, fines and seeing your customers drop like flies are all scary scenarios, but fear should never prevent you from playing it smart.

Thinking about it for a while, cutting USB access also means printers. So your employees cannot get their laptop connected to any office printer and start printing reports, contracts and offers. They need to only use some authorized printers, through the network, causing long queues, angry comments and general discomfort. Their way of working might be affected, rendering them less productive.

And almost always, all prohibitions turn people against the person making the decision and encourage attempts to circumvent them. I am sure you’ve all worked in companies where some people could circumvent the firewall to download movies and play online games! And I am sure you’ve heard all the nasty comments when some random policy was enforced causing more harm then good.

Plus, the data security you dream of is just an illusion. People can still email sensitive documents, use the very printers you have authorized to print out all your client list and take it to the competition. You might monitor such activity, but if you think you’re safe, why would you?

Why upset your employees with don’ts and forbiddens for a false sense of security when you can allow them to use authorized devices and monitor file activity and transfers instead? Why worry when you can use a file whitelisting system to make sure they can’t really access sensitive information? Why not use a data loss prevention and device control solution to allow the to use the latest technology and stay safe at the same time?

As many as 37 percent of German companies were the victim of economic crime in the last three years, a new study has found. Internet fraud and the theft of business secrets have become a particular problem.
The use of USB Flash Drive in high capacity has made it easy to steal even the most complex business or construction plans in just a few seconds.

A USB Thumbdrive is all that’s required to steal valuable information.

A new study carried out by the German research institute Emnid for the financial services firm KPMG has found that criminal methods are being used more and more often in the ruthless and competitive world of business.

The survey, which took in 375 companies of all sizes, found that around one in three companies had been the victim of business crime. Two thirds of the companies surveyed also expected the level of criminality to rise.

The biggest economic crimes remain fraud, theft, embezzlement and breach of trust, but money-laundering and the forgery of accounts and financial information have all risen since the last survey was carried out in 2006.

Ignorance breeds carelessness

According to KPMG spokesman Frank M. Huelsberg, companies still need to be more aware of how crimes operate. “Despite these alarming results, small and medium-sized companies are particularly prone to underestimate the danger of falling victim to crime,” he said.

Fifty-six percent of the employees surveyed said that their company was less likely to be a victim of economic crime than a major corporation, while 76 percent believe they have made adequate security arrangements.

“Privately- or family-owned companies like to put their trust in their employees. But that makes them vulnerable,” Huelsberg said, “Experience shows that basic security mechanisms are often neglected in such companies.”

Third-party threat

In 62 percent of economic crimes involving small and medium-sized companies, employees conspired with an external third party. This figure is only 40 percent with large companies.

The theft of business or operational secrets is a growing threat, according to the study. A third of small and medium-sized companies have been a victim of such theft, the study said.

“The sale of sensitive information to competitors or criminals is particularly strong in times of economic crisis,” Huelsberg says, “Nowadays even the most complex construction plans fit on a USB stick. Data theft and industrial espionage can be child’s play if security fails, and the loss of sensitive designs or formulas can be fatal for a small, innovation-based company.”

Read the enitre article here on DW.

A recent DOS attack on an Eugene School District server managed to succeed in breaching their security and access the said computer which contained the names, employee ID numbers and phone numbers of about 2500 current and former employees. While other sensitive information such as security numbers were not stored on the breached machine, the server was connected with others (apparently protected by other security systems as well), that contained private details on a total of 26000 people and vendors.

Luckily all student data are stored on different networks of the Eugene School District, so none of those studying in the region have been affected. The supposed breach seems to have only affected adults.

Yet the safetly of the 26000 different records is in no way guaranteed. There is no proof of further breaching, but there isn’t any to show there was none either. In the mean time, the breach is being investigated, while the school district’s website has been updated with information on the breach.

“A thorough investigation of the security breach has been initiated, police have been notified, and the district has taken measures to further safeguard the involved server,” the district said. “We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure that personal information is secure. We sincerely regret any inconvenience this may cause to our staff and vendors.”

More information here.

With security journalists complaining about hazy security predictions for 2010, we thought I thought I should get my crystal ball out and share with you what the future holds for the world of Endpoint Security! My predictions are based on what I’ve noticed in the past few years, on recurring issues and generally how things work in the industry. So here goes!

1. The much hyped and awaited US Cybersecurity Czar will spend at least 6 months sorting through inter-agency policies, egos and feeble budgets and only then starting to do some work! The boost the security industry is expecting to come from the authorities interest in cybertheats will continue to lag.

2. The economy is picking up. But slowly and mostly on paper. Security budgets won’t be much increased and cost effectiveness will remain an important factor in selecting security products. Let’s hope it will come into play after the ineffective products are eliminated and not before!

3. While misplaced laptops might not be as big of a cause for security threats – shrinking budgets might put an emphasis on accountability for company technology and hardware and people might start paying more attention to where they through their notebooks – portable hard drives, USB sticks and other such devices will still be grossly lost and left unencrypted. So we’re still up for plenty of news on misplaced hardware leading to humongous sensitive data exposures.

4. I completely agree with the ICSA labs prediction – “Network-attached peripheral security threats will continue to increase. With more network-attached devices than ever before, disgruntled employees and other insiders will find ways to use unsecured printers and other network-connected devices to steal data while covering their tracks.“

No surprises there! USB sticks, MP3 players, smart phones, portable hard drives, they’re all hooked to the corporate networks and can pretty much drain all the data out of your company. With people still being let go and the competition willing to do anything for and edge and a chance to survive the dire conditions of a barely recovering economy, the insider threat will continue to lead them all when it comes to data theft.

5. 2010 will be the year of Security as a Service. With so many companies relying on overworked and understaffed IT departments and unwilling to allot too much money to the IT infrastructure, security products offered as a service will all see significant increase. Of course only those that get the job done! Pretty obvious if you think about it: no time wasted on installation and maintenance, no additional hardware needed to accommodate the new software, easy to learn and intuitive interfaces, it makes sense.

6. As a consequence of point 5 up there, companies providing software as a service solutions will have to better explain and promote them. They need to address reliability, liability and other security concerns, as well as point out the many benefits of choosing this type of security service.

7. More lawsuits. Yes, more data breaches will lead to lawsuits. Customers are becoming more knowledgeable, so the lawsuit threat will increase for all companies mishandling private data of their customers. They might not all win, but companies need a better plan to handle breaches. For example, waiting for months to disclose them might not be the sharpest idea.

What do you think? Which of these will come true and which are your own predictions for 2010?

I’m quite convinced people who work for companies that protect their private data and do not allow it to be easily lost or stolen are happier. And I’ll explain why!

I work in such a company. This company uses software that ensures protection against confidential data theft, so no company data leaves the network. No data leaks means no financial loss on this side. No loss means stable revenue, investments in the growth of the company, which translates into a job that is secure, bigger salaries, more employees.

And even if money doesn’t buy us happiness, it is obvious that an employee who doesn’t worry much about tomorrow is more relaxed, more productive, in a better mood and finally happier.
So, a CEO and a CIO who want to add more value to their business, who want to reduce loss and increase revenue, who want more productive and happier employees will invest in a solution to protect their company against data theft and leakage.

What do you think? Can protecting a company’s confidential data make us happier?