Endpoint Protector Appliance: Stop data theft on Windows and Mac

DoD can’t handle inside threats

May 20th, 2009 by Agent Smith (2) Data Theft & Loss,In The Spotlight,security breach

The Department of Defense seems to have quite some trouble handling threats in its own backyard. One of its officials with top-secret security clearance, as it happens, has allegedly been leaking classified department data and documents to an official working for the Chinese government.

According to a Department of Justice announcement quoted by Dark Reading, James Wilbur Fondren Jr., deputy director for the U.S. Pacific Command (PACOM) Washington Liaison Office, has been charged with espionage conspiracy for providing classified information to an agent of a foreign government. Fondren is believed to have sold information to a Taiwanese-American man. The information was subsequently sold to a Chinese government official, but apparently Fondren was unaware of this second sale.

How was the leak possible? Poor security: Fondren had both a classified DoD computer and an unclassified one on his desk. One would expect a little less trust in high level clearance staff. It’s espionage we’re talking about!


Fondren, 62, allegedly funneled the data to Tai Shen Kuo, who was one of his consulting clients, between November 2004 and Feb. 11, 2008, according to the affidavit. Kuo purchased reports from Fondren for anywhere between $350 and $800, eight of which included classified information. Among the classified data Fondren supplied Kuo was information about a joint U.S.-China naval exercise, U.S.-China military meetings, and a DoD draft report on China.

In turn, Kuo got around 50,000 US dollars for certain documents he obtained from Fondren and other DoD officials. I wonder who the other officials are. Will they be charged soon?

Dark Reading Starts Educational Series

February 20th, 2009 by Agent Smith (0) Data Theft & Loss,DLP

The Dark Reading reporters have set their minds on educating their readers and helping them understand IT security better. The series is also designed to help IT people explain such topics to non-technical employees more easily and quickly. They have started with a piece explaining Data Loss Prevention (DLP): the concept, and what DLP solutions can and can’t do.

Here’s a short excerpt of the article defining and explaining what a Data Loss Prevention solution is and does:

In a nutshell, DLP is a type of software that is designed to seek out sensitive data — either traversing the network or sitting idle on your computer systems — and enforce policies for handling it. If a user attempts to send out sensitive data via email, post it to a Website, or copy it to a USB storage drive, DLP technology can identify that activity and record it.

More important, most DLP applications are also designed to prevent the user from executing tasks that might compromise the data or cause it to leak out to unauthorized sources. The DLP software might turn off the “write” capability that would allow a PC to copy certain data to an external storage device, or it might disallow an email user from sending the data to another user.

Read more on Dark Reading and make sure to read the next articles on this subject as well.


The Latest Trick in Biometrics: Finger Vein Authentication

February 13th, 2009 by Agent Smith (3) In the News,In The Spotlight

When I say biometrics, most people think of fingerprints, face recognition, eye scanning and other cool but rather common tricks we’ve seen in movies and run across in real life. I might add an ear scan from some Batman movie, but that’s it.

Sony has come up with a new idea, recently covered by The Register in its Hardware section. It’s a camera-based system that analyses veins in people’s fingers. This new technology also comes with its own name: Mofiria.

Mofiria Technology by Sony


How does the new biometric tech work?

Here’s the explanation given by the Register:

The user first lays one side of their index finger down on a small pad, after which a series of LEDs shine infrared light onto it. A CMOS sensor sat on the other side of the finger then picks up light scattered off of the veins inside the user’s finger.

Why is this better than other technologies in the biometrics field?

I found the answer to this question in Sony’s official press release. I’m still waiting for some comparative reviews and tests. If you happen to run across one, feel free to share it in the comment box.

Compared to the other biometric authentication techniques, vein authentication technology achieves higher accuracy on personal identification and forgery resistance because it uses the veins inside the human body. Finger vein patterns differ from person to person, each finger to finger, and it is said that they do not change over the years.

I am looking forward to an action movie depicting a breach of this new technology :)

US 2008 data breach growth blamed on insiders

Apart from the economic downturn, the year 2008 brought another critical issue to US companies: a nearly 50% increase in data breaches, leading them to lose considerably more sensitive data. According to an Identity Theft Resource Center (ITRC) study quoted by the Register, last year 35 million data records were exposed in 656 admitted incidents, amounting to a 47% increase compared to the 446 data loss incidents reported in 2007.

ITRC also states that about 40% of security breaches are never reported, thus the true number of exposed confidential records is most likely to be far greater than the study suggests.

Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches, where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed on insider theft, a figure that’s more than doubled between 2007 and 2008.

The good news is that as education regarding data loss prevention reached more companies, the number of incidents caused by human errors has decreased. But that is a very small light in a highly untrained corporate world, where most reported data breaches involved data unprotected by either encryption or the simplest password protection. Let’s hope for a better protected 2009!

Security, More Important than Recession

According to recently released data, US mid-sized companies are more concerned about information security than cutting down costs. The survey conducted by Arrow Electronics Inc collected data from 200 US companies with annual revenues from less than $100 million to over 1 billion. 80% identified security as a top business issue, while only 60% referred to cost reduction and 64% targeted improving their customer service.

Although they admit IT security is of utmost importance, few are satisfied with the level of security already implemented in their mid-sized businesses. Only 32 percent of respondents said their company is properly handling all threats. That leaves 68% of companies concerned, yet highly vulnerable.

Yet the 32% might also be quite vulnerable to all kinds of threats, as shown by David Vellante, co-founder and principal contributor of the Wikibon user group. His statement, quoted by Dark Reading, shows these respondents are only unaware of what’s really at stake.

“I believe that the 32 percent of respondents that are ‘very satisfied’ with how their company is addressing security concerns are deluding themselves — they should wake up and smell the coffee,” wrote Vellante. “As an industry, since 2000 we’ve spent billions on security in the form of virus protection, network security, firewalls and other infrastructure… do you feel more secure? No way!”

BBC Admits Loss of Children’s Data, Rejects Any Responsibility

August 14th, 2008 by Agent Smith (0) Data Theft & Loss,endpoint security,security breach

Allowing your offspring to take part in a kids’ cooking show hosted by the BBC might not be as safe as you imagine. 250 children who applied for BBC1’s “Gastronauts” had to provide the broadcaster with a number of personal details, which were later lost by an independent production company the BBC was working with.

The children’s names, phone numbers, addresses and dates when parents were planning to be away were stored on a memory stick which was left unattended in a car belonging to an Objective Productions employee.

Although it has notified all those involved of the data loss, the BBC tried to push the production company to take the fall for the breach in an attempt not to share responsibility. Yet security experts quoted by Vnunet.com state otherwise, showing both companies are responsible for the safety of data they are entrusted with. The BBC should have reviewed its own security protocols and those of the company it shared the private records with. I wonder who they’ll blame next :)

Endpoint Security Strategies for SMBs

SMBs have specific requirements when it comes to IT security in general and endpoint security in particular: they need comprehensive policies and high-end technology, all scaled down to fit their size and offered at a fair price. They don’t need cheap and unreliable solutions; they just need the best there is, adjusted to their size.

If you’d like to know more about what the IT security market has to offer, what challenges arise from the current business environment, which are the real threats SMBs face, how to properly assess the costs of a security breach, and how easy it is to lose data or have it stolen, read the latest white paper published by CoSoSys, Easy Guide to Comprehensive IT Security Strategies for SMBs – High-End Endpoint Security, Data Loss Prevention and Portable Device Management at a Reduced Scale.

Data Watchdog Warns of Poor Data Protection in UK Institutions

The data protection watchdog, the Information Commissioner’s Office, has recently confirmed that it has served enforcement notices on two UK governmental institutions, HM Revenue and Customs and the Ministry of Defence. The decision, made public in Information Commissioner Richard Thomas’ annual report, comes as a response to high-profile data breaches occurring within the two organizations.

According to IT Week, both departments will be compelled to provide progress reports detailing how they are improving data governance practices.

This piece of news comes shortly after the same office called for European data protection laws to be reformed to make them more business-friendly. The recommendation was made by the same Richard Thomas at the annual Privacy Laws and Business conference in Cambridge. Thomas said existing legislation was out-dated and increasingly ill-suited to the internet age.

CoSoSys in the Balkans through Inter Engineering

May 20th, 2008 by Agent Smith (0) Default

Inter Engineering, one of the main players on the data security market in the Balkans, and CoSoSys, vendor of network endpoint security and portable storage device enhancement solutions, announce today their strategic partnership to distribute the Endpoint Protector 2008 solution and additional support services in Greece, Cyprus and Malta. The distribution agreement between Inter Engineering and CoSoSys comes as a natural response to the increasing demand in Balkan countries for the numerous business and technical benefits that CoSoSys technology delivers.

“The developments in enterprise needs make Endpoint Security an indisputable part of a solid Policy” said Josmaarten Swinkels, CEO of Inter Engineering. “CoSoSys provides solutions which combine quality with flexibility and an attractive pricing model fitting extremely well in Inter Engineering’s solutions portfolio. We are happy to work with CoSoSys and optimistic about the future.”

“Inter Engineering has proven to be an absolute first-rate partner committed to the success of our customers,” said Roman Foeckl, director of CoSoSys. “We are pleased to have such a reputable and experienced company representing us in their home market.”

See more in the official press release available on the CoSoSys site.

Hospitals, a Danger to Your Personal Data

According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007, over 1.5 million patients’ personal information was exposed through hospitals alone, exposing them to the threat of identity theft. The survey, however, does not take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have meant a significant increase in the total number.

According to Dark Reading, we should keep in mind that these numbers are based on reported breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.

Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in the Health Insurance Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.

This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.