Oops, I accidently copied the Goldman Sachs “secret sauce”!
There has been much noise about the Goldman Sachs ex-employee who managed to leave the company with their secret solution to be faster and better than their financial services competitors. At first, the name of the company reporting the data breach was unclear, then more started whispering Goldman Sachs. Let’s sink into the juicy details.
It all started when a computer programmer was arrested for stealing classified application code that powerd his former employer’s, later identified as Goldman Sachs, high-speed financial trading platform. The programmer’s name, along with more details on the incident, were reproduced from an FBI affidavit by DarkReading:
According to an affidavit (PDF) filed by the arresting FBI officer and subsequently posted by news media, the programmer, Sergey Aleynikov, copied “proprietary trade code” from his company and uploaded it to a Website in Germany. He later quit his job at the New York firm and moved to a new company in Chicago that “intended to engage in high-volume automated trading” — and paid him around three times his old salary of $400,000, according to the affidavit.
The programmer says it was all a mistake. Apparently, he only wanted some open sourced files he was working on and ended up with the entire shabang. The fact he never sold the code or tried to otherwise use it plays in his favor. The fact he tried to hide all traces of the data transfer, doesn’t. But that’s somehting to be settled in a court.
What’s fascinating, as ZDNet’s Larry Dignan explained on one of the network’s blogs, is that Goldman Sachs, “a master at gauging risk”, was able to overlook the danger of inside threats. Especially when it’s something all security experts have been talking about for a long while.
When you think about it, nothing happened to Goldman Sachs. Other than a much needed wake up call. What could have happened? The competition actually improving their own platforms and taking over more and more clients from Goldman Sachs. I have a feeling adding up the numbers of this potential loss would make us all dizzy!.
T-Mobile USA – Was it or wasn’t it a data breach?
Did a data breach occur at T-Mobile USA? According to a group of hackers it did. They claimed to have gained access to all customer information of the company and posted network scans to prove it on the Full Disclosure web site. They also said they were trying to sell all the private records to T-Mobile’s competitors, who wouldn’t take them on the offer. Yet they’re still doing their best to sell all stolen info to the highest bidder.
T-Mobile has a different view on the story though. They said, and were quoted by ChannelWeb, that there is no proof whatsoever of any breach. And although the document posted online did in fact belong to T-Mobile, it contained to sensitive date, nor was it obtained while their system had been hacked into.
“The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document,” the company said in a statement. “There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach.”
While ChannelWeb seems to incline to believe T-Mobile on this one, their security experts say large mobile carriers often fall pray to hackers who harest their confidential customer records for their own benefit, mostly because the security systems they’re using are outdated. If I were T-Mobile right now, I’d make sure to check everything 100 times and find out exactly how the harmless file get posted online. Cause you can never know, can you?
Verizon: Application logs monitoring helps prevent data breaches. Really?
“Given the nature of data breaches today, organizations are better off saving money and doing ‘lightweight’ security testing across more of their infrastructure than conducting deep assessments across a few systems,” this is what Peter Tippet, vice president of innovation and technology for Verizon Business stated at a the CSI/SX held in Las Vegas, according to a DarkReading quote.
Tippet thinks application logs are more effective than logs of signature based devices and firewalls. He’s probably right. But only for the scenarios he has chosen: data theft caused by outside attacks, most frequently using stolen, but valid passwords and attacking idle, old and forgotten machines.
While Tippet’s method might just prove effective for those using Verizon software and fearing outside attacks, what happens to unencrypted and stolen or lost hardware? What about insiders who can copy/paste an entire database on a thumb drive? Yes, ongoing attacks or failed attempts can be discovered. But that gets businesses nowhere near a comprehensive and effective data loss prevention solution!
Months later, consequensces knocking on breached door
One might think that if several months have passed since an embarrsing data breach and nothing has happened, it’s all cool. One can relax, mind their own business and forget all about security.
That’s not the case if we’re talking UK health authority. Namely, London-based Camden Primary Care Trust. They thought, sometime last August, that dumping PCs containing 2,500 patients’ names, addresses and medical histories beside a skip inside the grounds of St Pancras Hospital was a good idea. They might reconsider now, as the Information Commissioner’s Office has given Camden Primary Care Trust until the end of the month to improve security, consequence of its breaching the Data Protection Act.
According to the Register, “data on the obsolete computers was left unencrypted. The machines were subsequently swiped without authorisation and never recovered”. Given such gross negligence and obvious proof of being completely irresponsible, I cannot help being extremely happy they are forced to do something about their security!
CoSoSys uses humor to teach about security threats
As you’ve probably seen on this blog, there are news about security breaches, people who’ve been affected by identity theft and fraud, billions of dollars in losses every single day. More a day in really bad cases. Although there’s a ton of information out there, individuals and companies still fail at protecting themselves against such breaches and at keeping their private data safe.
CoSoSys, leading developer of endpoint security and data loss prevention solutions, has chosen a different approach to raise awareness about the risks we face everyday: humor, namely a series of comic strips showing what can really happen. As CNET puts it, they put the fun back in security threats.
The first comic, originally published on CoSoSys’ EndpointProtector.com site shows how easy it is for an employee to copy your entire data base and take it to your main competitor. A simple thumb drive, three minutes left alone in the office, and that’s it!
But as fun and laughing are not the only goals of the strip, each of them also helps you find out what to do and how you do it. Designed to promote the company’s most popular DLP, endpoint security and device management solution, Endpoint Protector, each issue will show how everything can be prevented.
“Recent research performed in both the US and the UK shows a troubling trend: data breaches are rising in numbers and in costs as well. Millions of people have their data exposed to identity theft or fraud each year and few of those affected or those responsible of the incidents know that most of these instances could easily be prevented. Making sure that your private records and all endpoints in your network are secured is not a difficult task. That is why we are committed to put our best efforts into raising awareness and educating the public about staying safe without making any lifestyle compromises”, explained Roman Foeckl, CoSoSys CEO.
The next issues of the strip will be published each Thursday for the next 7 weeks. You can see them here or register to get them on your email. Easier if you asked me, as remembering to visit a link every week is not something I usually do.
Romanian Petty officer stole military secrets on a USB stick
I don’t know what’s wrong with the military around the world, but the armies and the defense systems seem to be the most vulnerable to the feablest attempts to breach security. Word’s out on a petty officer of the Romanian Ministry of Defense who used an USB stick to steal classified information, including radar frequency and standard NATO maps between 2001 and 2006.
At least that’s what he’s been arrested for! He also confessed for more data thefts occuring in 2008 and 2009. He transferred the data to a Bulgarian liason who then sold them to foreign government representatives, including an Ukrainian. How much was the information worth? 800-1000 american dollars for each “shipment”.
One word for you: audit! How about having an endpoint security solution that monitors data transfers and records them, plus it blocks unauthorized devices? It doesn’t cost much, I am sure the Ministery of Defense can afford it!
[links to the story are from Romanian papers at this time. Once we get English coverage for them, we'll update this entry]
Laptop Facial Recognition Takes Hard Blow
Facial recognition is one of the very well known methods employed by biometric security systems. It’s used in different complicated security systems, but also on more day-to-day devices, such as laptops.
A group of white hat security researchers have recently managed to bypass the facial recognition systems employed by several laptops. According to the Register, the laptops that have had their biometric security breached are developed by Lenovo, Asus and Toshiba. The researchers’ team includes and they have also detailed their findings in a presentation called Your Face is NOT your Password during the Blackhat security conference in Washington.
You might wonder if it was hard to breach the facial recognition systems. The team responsible for this breaches used images of laptop owners or photoshopped images:
Nguyen and his team created a large number of images to run what they described a “fake face bruteforce” attack to fool the systems, which in fairness are still in their infancy, into allowing a log-on. The approach can be compared to trying out a huge number of possible text passwords until the right combination is stumbled upon as part of a conventional brute-force dictionary attack.
While trying to find a practical security use for biometric traits, the developers at Lenovo, Asus and Toshiba should reconsider the efficiency of their facial recognition software. We admire the fact that they lead research and implementation in the field, but we’d appreciate safer systems more 
US Data Breach Cost Up, Response Cost Down
According to a recent Ponemon Institute study, the costs of data breaches rose in the USA to $6.6 million per incident in 2008, although companies put increased efforts in better handling such incidents.
The study, funded by data security firm PGP Corp. and quoted by Security Focus, analyzed data breaches experienced by 43 US-based companies from 17 different industry sectors. The breaches involved a number of records ranging from about 4,200 to more than 113,000. The findings showed the average costs of data breaches are about 2.5 percent higher in 2008, amounting to $202 per record, up from $197 per record in 2007 and $182 per record in 2006. An average breach would require a company to spend $6.6 million in 2008, up from $6.3 million in 2007 and $4.7 million in 20006.
To calculate the total cost of a data breach, the institute added the costs of detecting and responding to the loss of data, legal and administrative expenses, customer defections and opportunity loss. The response costs decrease was a result of businesses learning how to cost effectively handle such incidents:
While legal fees and customer losses moved breach costs higher, companies reduced the costs of dealing with breaches, signaling that firms and their third-party providers are becoming more cost effective in responding to data breaches, the Ponemon Institute stated in the report.
NetBooks and the surprises they come with
Portable storage device applications and endpoint security solution provider CoSoSys has just risen the red flag regarding Netbooks. As they explain, although treandy gift and excellent PC replacement for all offices, netbooks embed serious threats to corporate and individual security. While their seamless connectivity and increasingly large solid state disks (SSD) or traditional HDD capacities can help everyone of us increase productivity while considerably decreasing the weight we carry around, they are also the perfect means for both intentional and unintentional data breaches.
“Corporate IT departments needs to consider Netbooks as a serious issue when it comes to Endpoint Security and they are advised to take control over them as they enter their networks rather than waiting for the first data breaches to happen. Enforcing Endpoint Security policies with Endpoint Protector allows IT administrators to fully control all ports and data transfers from endpoints, including Netbooks, to any other portable device such as USB Flash Drives or External HDDs to prevent data loss” said Roman Foeckl, CoSoSys CEO.
While the CD or DVD drive is no longer a threat, netbooks come with almost immediate access to any data through wireless networks, USB Ports, SD Card readers and other ports, making it extremely easy for confidential details to be transferred in and out of unsecured networks. And if you run a search through our blog to see how many laptops have been lost, stolen and misplaced in the past, we have to also wonder about how much easier it is to steal or lose a much smaller version.
So take this warning seriously and stay trendy and safe at the same time!
US 2008 data breach growth blamed on insiders
Apart from the economic downturn, the year 2008 brought another critical issue to US companies: a nearly 50% increase in data breaches, leading them to lose considerably more sensitive data. According to an Identity Theft Resources Center (ITRC) study quoted by the Register, last year 35 million data records were exposed in 656 admitted incidents, amounting to a 47% increase compared to the 446 data loss incidents reported in 2007.
ITRC also states that about 40% of security breaches are never reported, thus the true number of exposed confidential records is most likely to be far greater than the study suggests.
Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches, where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed to insider theft, a figure that’s more then doubled between 2007 and 2008.
The good news is that as education regarding data loss prevention reached more companies, the number of incidents caused by human errors has decreased. But that is a very small light in a highly untrained corporate world, where most reported data breaches involved data unprotected by either encryption or the simplest password protection. Let’s hope for a better protected 2009!
