New Flaws in Wireless Security Exposed
Wi-Fi Protected Access (WPA) is one of the most popular forms of security used by wireless networks. Yet the potential risk and the ease of breaching it might set off some alarms for a lot of people, especially those who were at the PacSec 2008 conference in Tokyo.
A week before the conference, the Register announced that two German researchers, Martin Beck and Erik Tews, were going to present a vulnerability in the TKIP cipher suite used by WPA, exposing WPA-protected networks to an attack that could compromise certain communications in less than 15 minutes. If anyone reading our blog attended the conference, we'd love to hear how it went.
But this is far from the first such vulnerability to go public.
In 2001, three researchers found a way to reliably break the previous wireless security protocol, known as Wired Equivalent Privacy (WEP), in less than two hours. By 2007, the latest refinement in attacks against WEP – found by Tews and two other researchers – reduced the time to recover a WEP key to less than a minute of calculations.
While researchers keep discovering how to tear security systems apart, those who actually depend on them seem to be learning one thing: you're never really safe! So if any extra security is at hand (for WPA, that means the AES-based CCMP cipher suite of WPA2 rather than TKIP), apply it as soon as possible!
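The two attacks above target specific cipher suites: static WEP keys and the TKIP suite that WPA (v1) uses by default. As an added example that is not part of the original post, here is a small Python check, written for this page, that audits a hostapd-style access point configuration for exactly those settings. It assumes the key=value format of hostapd.conf and hostapd's documented defaults (wpa=1 enables WPA v1, wpa=2 enables WPA2/RSN, wpa=3 both; wpa_pairwise defaults to TKIP and rsn_pairwise defaults to the wpa_pairwise value); the three sample configurations are constructed, not taken from any real deployment.

```python
"""Audit a hostapd-style AP configuration for WEP keys and TKIP pairwise ciphers.

Added example, not code from the original post or from hostapd. Assumes the
hostapd.conf key=value format and its documented defaults: wpa=1 enables WPA
(v1), wpa=2 enables WPA2/RSN, wpa=3 both; wpa_pairwise defaults to TKIP;
rsn_pairwise defaults to the wpa_pairwise value.
"""
from __future__ import annotations


def parse_hostapd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments; a repeated key keeps its last value."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_pairwise_ciphers(conf: dict[str, str]) -> dict[str, set[str]]:
    """Return the pairwise ciphers each enabled protocol will negotiate, filling in hostapd's defaults."""
    mode = int(conf.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP")        # documented default for WPA v1
    rsn_pairwise = conf.get("rsn_pairwise", wpa_pairwise)  # documented default: same as wpa_pairwise
    ciphers: dict[str, set[str]] = {}
    if mode & 1:
        ciphers["WPA"] = set(wpa_pairwise.split())
    if mode & 2:
        ciphers["WPA2"] = set(rsn_pairwise.split())
    return ciphers


def audit_hostapd_conf(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means only CCMP is negotiable."""
    conf = parse_hostapd_conf(text)
    findings: list[str] = []

    # Static WEP keys are exactly what the 2001 and 2007 attacks recover.
    if any(k == "wep_default_key" or k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: key recoverable in minutes, remove them")

    ciphers = effective_pairwise_ciphers(conf)
    if not ciphers and not findings:
        findings.append("neither WPA nor WPA2 enabled: network is open")

    # TKIP anywhere in the negotiable set is what the Beck/Tews attack targets;
    # the fix is to offer CCMP only (and drop WPA v1 if no client still needs it).
    for proto, suite in sorted(ciphers.items()):
        if "TKIP" in suite:
            findings.append(
                f"{proto} allows TKIP as a pairwise cipher "
                f"(effective set: {' '.join(sorted(suite))}); restrict to CCMP"
            )
    return findings


# Constructed sample configurations for illustration only.
WEAK_CONF = """\
interface=wlan0
ssid=office-wifi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
# no wpa_pairwise line: hostapd falls back to TKIP for WPA (v1)
"""

MIXED_CONF = """\
interface=wlan0
ssid=office-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
"""

HARDENED_CONF = """\
interface=wlan0
ssid=office-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("mixed", MIXED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hostapd_conf(conf) or ['ok: CCMP only']}")
```

The "mixed" configuration is the one worth noticing: keeping WPA v1 alongside WPA2 for old clients leaves TKIP negotiable, and hostapd's documentation notes that the group (broadcast) cipher falls back to TKIP whenever TKIP is among the allowed pairwise ciphers unless explicitly overridden, so the weakness is not confined to the legacy clients.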
Self-encrypting laptop from Dell
One of the most common causes of security breaches is stolen hardware. I'm sure you've all heard of the thousands and thousands of laptops stolen in airports, from parking lots and from other public places. And since most companies fail to implement a comprehensive endpoint security solution, a stolen laptop means trouble. For end users, a laptop often stores most of their documents, personal and business, memories from trips and other important events, and everything that is private and dear to them. Picturing all of it in a stranger's hands is hard to cope with.
Dell states there's a new way to prevent such things from happening: a self-encrypting laptop. Your data is still lost, but at least no one else can access it. The drives with self-encryption features are produced by Seagate and embedded in the new Dell product, and apparently the Seagate hardware will soon be shipped by IBM and LSI as well. One caveat worth keeping in mind: drive-level encryption protects data at rest, so a laptop stolen while powered on or suspended with the drive already unlocked exposes its contents regardless. Let's hope no one breaks the encryption system!
Breach Revealed after Extortion Threat
Express Scripts, a pharmacy benefits-management firm, has recently revealed a data theft that took place in early October. The information was made public after the company was threatened that the stolen data would be released if a certain amount of money was not paid.
The threat came in a letter from the thieves, who claimed they had breached Express Scripts' network security and gotten their hands on millions of customer records. According to SecurityFocus, the letter listed personal details on 75 of Express Scripts' customers, including their names, dates of birth, social security numbers and, in some cases, their prescription information. Although it has only recently been disclosed to the public, the data theft had already been reported by Express Scripts to the FBI. The Bureau is currently running a full investigation into the incident.
The company is also notifying everyone affected by the breach so that they can take the necessary precautions against identity theft. SecurityFocus did not report the sum of money demanded by the thieves.
Is Sarbanes-Oxley Evil?
TechCrunch definitely seems to think so. So what is Sarbanes-Oxley? Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, SOX or Sarbox, it was enacted on July 30, 2002. Its purpose was to prevent major disasters such as Enron or WorldCom. Its provisions also impose some specific requirements on security policies, so most endpoint security solutions try to help cover this aspect, some better than others.
While complying with SOX is mandatory in the US, it also works as a marketing tool for endpoint security solutions in other markets. Positioning a product as compliant with legal and international standards helps vendors sell it more easily.
So what's wrong with SOX? According to TechCrunch, all the flaws relate to business strategy rather than security policy. The main problem is that SOX affects the way companies can prepare for and carry out an initial public offering (IPO), which drives them either to mergers instead of IPOs or to listings on foreign stock exchanges. They can also wait as long as 12 years to get listed, or give up on going public entirely. All this because of huge compliance costs that most businesses can't really afford.
It will be interesting to see whether other voices rise against SOX and how it changes in the future, business- and security-wise.
Security, More Important than Recession
According to recently released data, US mid-sized companies are more concerned about information security than about cutting costs. The survey, conducted by Arrow Electronics Inc., collected data from 200 US companies with annual revenues ranging from less than $100 million to over $1 billion. 80% identified security as a top business issue, while only 60% cited cost reduction and 64% targeted improving their customer service.
Although they admit IT security is of the utmost importance, few are satisfied with the level of security already implemented in their mid-sized businesses. Only 32 percent of respondents said their company is properly handling all threats. That leaves 68% of companies concerned, yet highly vulnerable.
Yet the 32% might be quite vulnerable too, as argued by David Vellante, co-founder and principal contributor of the Wikibon user group. His statement, quoted by Dark Reading, suggests these respondents are simply unaware of what is really at stake.
”I believe that the 32 percent of respondents that are ‘very satisfied’ with how their company is addressing security concerns are deluding themselves — they should wake up and smell the coffee,” wrote Vellante. “As an industry, since 2000 we’ve spent billions on security in the form of virus protection, network security, firewalls and other infrastructure… do you feel more secure? No way!”
Breach Disclosure Laws are Pointless
Researchers at Carnegie Mellon University have just released data showing that the information security breach laws enforced in the US have had no measurable effect on identity theft. According to the Register, these findings come at a time of increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details are exposed.
Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state's average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the abstract of the paper, reproduced by the Register, shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.
Builders of London Olympics Site – Biometrically Authenticated
All workers involved in building the London Olympic site for the 2012 games will go through a thorough biometric authentication process. The biometric screening will consist of a two-tier process, the Times reports: palm-print reading and face recognition. A total of 100,000 workers will have to comply with this security requirement until the completion of the Olympic site. If the system works, it might also be used for stadium ticket holders.
The biometric screening project is, on the other hand, already raising serious questions about the level of protection it can provide for private data:
The use of biometrics is part of a £354 million strategy to secure the 500-acre Olympic Park during its construction, which starts in June. But it has raised concerns about data protection among unions and civil liberty groups.
Alan Ritchie, general secretary of Ucatt, the main construction union, said: “We do not foresee a problem, providing the ODA [Olympic Delivery Authority] guarantee that the biometric data will not be passed on to any third parties and will be wiped once the project is complete.”
The methods to be employed to prevent data loss, theft or security breaches aren't clear for now. I'd recommend a thorough analysis of whatever endpoint security and DLP solution is chosen, to make sure biometric data is not lost or stolen before its final deletion at the end of the project.
US Government Agencies Have Higher Security Levels
Although US government agencies fall short when it comes to protecting private data, their level of security apparently improved throughout 2007, according to their compliance assessments under the Federal Information Security Management Act (FISMA) of 2002. This is the core finding of a report recently issued by the Office of Management and Budget and quoted by SecurityFocus.
The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated “satisfactory” or better.
The increased awareness of their systems has also led the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms created by US-CERT's EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent as unauthorized access, according to the OMB report.
OMB identified four agencies as the stars of the compliance effort, among them NASA and the Departments of State and Treasury. The Department of Defense, however, did not do that well. It looks like security policies and compliance fall short for this particularly important agency.
Security Experts Run Scarce
A survey recently published by the Computing Technology Industry Association (CompTIA) and quoted by Dark Reading shows that companies do not find the IT security skills they need in the experts they hire. CompTIA surveyed 3,500 technology professionals on three continents, Europe, North America and Asia, and concluded that most of them rank security expertise as a top skill when looking for techies to hire. Yet the skill set of existing IT professionals does not match their demands.
Among organizations surveyed in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, U.K., and U.S.), 73 percent identified security, firewalls, and data privacy as the IT skills most important to their organizations. But just 57 percent said their IT employees are proficient in these security skills, a gap of 16 percentage points.
The gap is even wider in five countries where the IT industry is still emerging (China, India, Poland, Russia, and South Africa). Among respondents in these countries, 76 percent identified security as the top skill their organization needs; but just 57 percent said their current tech staff is proficient in security. That’s a difference of 19 percentage points, CompTIA noted.
Data Breaches Change Customer Behavior
According to a Gartner report discussed on InformationWeek's Security Weblog, consumers affected by the large number of recent data breaches are more apt to alter their online payment behavior.
In fact, according to this report, shoppers who are already on the merchant's Web site are more likely to pick up the phone to provide payment information. So much for convenience always trumping security.
This only goes to show that security matters, and that it's time for merchants to stop treating security as a necessary burden and start treating it as the responsible cost of business it is and the competitive differentiator it can be.
The data in the report, titled U.S. Consumer Secure Payment Preferences Create Opportunities for Nonbanks, come from a survey of 4,500 online U.S. adults conducted last August. It shows that customers switching to payment methods they find safer will eventually mean lower profits for the banks handling online payments.
The same Gartner report showed that over 33% of all adult Internet users have decided to completely ignore the Internet retail channel as a result of ongoing data breaches.
This not only shows that good security pays, but that online shoppers will reward merchants that go the extra mile to provide a safer shopping environment, communicate those efforts to them, and also make available payment options that shoppers feel to be more secure.

