Archive for the 'Industry News' Category
Thursday, June 19th, 2008
Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, according to a comprehensive report issued by Verizon Business. The study also provides key recommendations to help businesses protect themselves and urges them to be proactive.
The ‘2008 Data Breach Investigations Report’ spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. This first-of-its-kind study, conducted by Verizon Business Security Solutions investigative experts, also found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.
Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:
- Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
- Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
- Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
- Nine of 10 breaches involved some type of ‘unknown’ including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.
- In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don’t know where data is, you certainly can’t protect it.
The breaches investigated represent a broad spectrum of industries. The retail and food and beverage industries account for more than half of all cases investigated. By contrast, financial services - an industry with great monetary assets that are also typically well-protected, especially when compared to other sectors - accounted for 14 percent of breaches studied.
The study’s findings show a marked increase in the number and type of international incidents. For example, attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East. Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems.
Pointing to the psychology behind breaches, the report suggests that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud. By breaking into restricted computer systems and compromising sensitive information stored within them, criminals gain access to records on tens of thousands of victims, versus just a handful through non-electronic means.
Making this crime even more attractive is the lucrative black market for stolen data. This social network enables criminals to work with one another to find vulnerable systems, compromise data and commit large-scale identity fraud. Within this network, the report finds, criminal conglomerates maintain access to hackers, fraudsters and other organized crime groups.
Recommendations for enterprises
Simple actions, when done diligently and continually, can reap big benefits, the study notes. Key recommendations include:
- Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement, implement, implement.
- Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on its systems, it is critical that an organization knows where data flows and where it resides. Identify data and prioritize its risk to the organization.
- Control data with transaction zones. Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate.
- Monitor event logs. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.
- Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.
- Increase awareness. Only 14 percent of data breaches were discovered by employees of the victimized organization, even though employees are the first line of defense in safeguarding data. Educate them to be aware.
- Engage in mock-incident testing. Make sure employees are well-trained to respond to a breach: run drills and test people’s abilities, judgments and actions during a mock crisis.
Posted in Compliance Management, Industry News
Wednesday, May 14th, 2008
May 13, 2008 By Jaikumar Vijayan (Computerworld) In the third data theft incident of its kind to come to light since March, Dallas-based restaurant chain Dave & Buster’s Inc. today disclosed that credit and debit card numbers were stolen last year from the computer systems at 11 of its locations during the card verification process.
The thefts at Dave & Buster’s took place during a four-month period from May through August of last year and have resulted in fraudulent payment card transactions worth at least $600,000 using data stolen from one of the restaurants alone, according to a federal grand jury indictment of three individuals that was unsealed yesterday at U.S. District Court in Central Islip, N.Y.
The U.S. Department of Justice said in a statement that the three alleged perpetrators — two of whom are listed as living in Eastern Europe — have all been arrested in connection with the case and that they are charged with various crimes as part of the indictment.
The DOJ identified the arrested individuals as Maksym Yastremskiy, a resident of Ukraine, and Aleksandr Suvorov, of Estonia. The 27-count indictment against the two includes charges of computer fraud, wire fraud, aggravated identity theft and interception of electronic communications.
Yastremskiy, who also goes by the name Maksik, was arrested last July in Turkey, the DOJ said, adding that the U.S. government has made a formal request to have him extradited. Suvorov, who uses the online handle JohnnyHell, was arrested in March in Germany at the request of U.S. officials and remains in jail there while the German government acts on a formal extradition request, the DOJ said.
The third individual charged in the Dave & Buster’s case was identified as Albert Gonzalez, a Miami resident who faces one count of wire fraud. The DOJ said that Gonzalez, who uses the alias Segvec, was arrested this month by the U.S. Secret Service.
In a statement sent via e-mail in response to a request for comment, Dave & Buster’s said that the alleged thieves stole the so-called Track 2 data from the magnetic stripes on the back of credit and debit cards, including the card numbers and expiration dates. The company said that the information hadn’t been stored on its systems and was taken while the data was being transmitted to authorize transactions. It noted that the thieves didn’t get any other personal data, such as names, addresses, PINs, or bank account and Social Security numbers.
In the statement, which was posted on the Restaurant News Resource Web site, Dave & Buster’s said that it "was alerted to the potential data intrusion" late last August and that it "immediately" notified Secret Service officials. The company added that it notified the credit card companies of affected cardholders last September. But the data thefts weren’t publicly disclosed until after the unsealing of the grand jury indictment.
Dave & Buster’s, which operates 49 restaurants, said data was stolen from outlets in New York, Illinois, Michigan, Florida, Ohio, Colorado and Texas. Following the discovery of the data thefts, the chain "implemented additional security measures to prevent any such incident from occurring in the future," it said. But the company didn’t elaborate on what those additional measures were.
According to a description of the heist in the grand jury’s indictment, Yastremskiy and Suvorov allegedly managed to gain remote access to point of sale (POS) servers at the affected Dave & Buster’s locations — apparently by falsely representing that they were authorized to access the systems. The two then allegedly installed packet-sniffing software designed to capture Track 2 data as it was transferred from compromised POS servers to a central system for transmission to the chain’s payment processor.
The software stored the captured data in a log file, from which it was later collected by Yastremskiy and Suvorov, according to the indictment. The document says that a defect in the packet sniffer caused it to deactivate each time an infected server was booted up. But each time that happened, Yastremskiy and Suvorov allegedly went back into the compromised systems and reactivated the malware.
As an example of the thefts, the indictment says that a log file retrieved from one store contained data on about 5,000 credit and debit cards. The stolen data allegedly was later sold to other individuals, who used the information or resold it themselves — eventually causing losses of $600,000 or more to the financial institutions that issued the affected cards.
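The mechanism the indictment describes, a sniffer on the POS server harvesting Track 2 data while it is in transit to the payment processor, can be turned around into a detection rule: the same pattern that the malware looked for is what a DLP or IDS sensor should flag if it ever sees it in the clear. The block below is an added illustration, not code from the article, the indictment or the chain; the authorization messages it scans are constructed (the TERM/AMT framing is a hypothetical POS protocol), and the PANs are the published Visa and Mastercard test numbers.

```python
"""Find Track 2 card data in captured POS traffic. Added example with a
constructed payload; the record framing is hypothetical."""
import re

# ISO/IEC 7813 Track 2 layout: start sentinel ';', PAN of up to 19 digits,
# field separator '=', expiry YYMM, three-digit service code, discretionary
# data, end sentinel '?'. The LRC that follows on the stripe is usually not
# carried in the authorization message, so it is not required here.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed stand-in for POS-to-central-server authorization traffic:
# three requests, the second carrying a digit run that is not a valid PAN.
SAMPLE_PAYLOAD = (
    b"\x02TERM=0042|;4111111111111111=0912101123456789?|AMT=004250\x03"
    b"\x02TERM=0043|;1234567890123456=1001201?|AMT=001999\x03"
    b"\x02TERM=0044|;5555555555554444=1003201000000000?|AMT=007500\x03"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, which separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in a captured payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue            # looks like a card number, is not one
        exp = m.group("exp").decode("ascii")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": "20" + exp[:2] + "-" + exp[2:],   # YYMM -> YYYY-MM
            "service_code": m.group("svc").decode("ascii"),
        })
    return hits


def alert_lines(payload: bytes, source: str) -> list:
    """Format each hit as a one-line alert, the way a DLP or IDS rule would."""
    return [
        f"TRACK2_IN_CLEAR src={source} offset={h['offset']} "
        f"pan={h['pan_masked']} exp={h['expiry']} svc={h['service_code']}"
        for h in find_track2(payload)
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_PAYLOAD, "pos-srv-11"):
        print(line)
```

Two things the example makes concrete. First, the data never has to be stored to be stolen: anything that can read the socket or the process memory on the POS server sees the full stripe contents unless the link to the processor is encrypted end to end. Second, the Luhn filter matters for a detection rule, because digit runs with `;`, `=` and `?` around them occur in ordinary binary traffic, and alerting on every one of them buries the real hits.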
The disclosure by Dave & Buster’s follows similar ones in March by Hannaford Bros. Co. and Okemo Mountain Resort. In Hannaford’s case, the Scarborough, Maine-based supermarket chain said that up to 4.2 million credit and debit card numbers and their expiration dates were stolen by a packet-sniffing tool while the information was being transmitted to its external payment processor to authorize transactions. The malware was planted on servers at nearly 300 grocery stores in New England, New York and Florida, Hannaford said.
The Hannaford breach was one of the first confirmed data thefts in which such a large amount of information was stolen while it was in transit, as opposed to being stored on a company’s systems. Hannaford also said it was fully compliant with the requirements of the Payment Card Industry Data Security Standard, which is known informally as PCI. That claim has raised questions about how useful the security standard is in protecting companies against such thefts, although PCI officials in turn have questioned whether Hannaford really was compliant.
Two weeks after Hannaford made its disclosure, Ludlow, Vt.-based Okemo reported a breach involving the theft of data as payment cards were being swiped at the ski area’s cash registers. An Okemo spokeswoman said law enforcement authorities who were investigating the breach told the resort that they were looking into about 50 reported incidents of the same sort in the Northeast alone.
The disclosure by Dave & Buster’s is another indication that data thieves are increasingly targeting retail POS systems, said Rosen Sharma, chief technology officer at Solidcore Systems Inc., a vendor of change management software in Cupertino, Calif.
The focus of efforts such as PCI has been on strengthening security at the network perimeter and at the points where payment card data is centrally pooled by retailers and then forwarded to payment processors, Sharma said. He added that in contrast, a lower priority has been placed on securing POS systems, making them a relatively soft target for attackers to go after.
At many retail locations, there are few restrictions on access to POS servers, Sharma claimed. "You can walk right up to these machines and stick a USB device into them," he said. The POS servers may not yield a large volume of payment card data at one time, he noted — but over a longer period, they can prove extremely valuable to data thieves.
Posted in Industry News, Information Security
Monday, April 7th, 2008
By Colin Barker, ZDNetUK
Following the loss of the personal records of some 25 million child benefit recipients by Her Majesty’s Revenue & Customs in November 2007, the UK government will be acutely aware of how quickly mismanagement of technology can lead to serious problems.
While technology wasn’t to blame per se in the HMRC data loss, there are plenty of recorded examples where faulty hardware and software have cost the organizations concerned dearly, both financially and in terms of reputation—and resulted in some near misses for the public.
Here’s our considered list of some of the worst IT-related disasters and failures. The order is subjective, with number one being the worst. (Note: We have purposely omitted incidents that resulted in loss of life.)
1. Faulty Soviet early warning system nearly causes WWIII (1983)
The threat of computers purposefully starting World War III is still the stuff of science fiction, but accidental software glitches have brought us too close in the past. Although there have been numerous alleged events of this ilk, the secrecy around military systems makes it hard to sort the urban myths from the real incidents.
However, one example that is well recorded happened back in 1983, and was the direct result of a software bug in the Soviet early warning system. The system reported that the United States had launched five ballistic missiles. But the duty officer for the system, one Lt Col Stanislav Petrov, claims he had a "funny feeling in my gut," and reasoned that if the U.S. was really attacking, it would launch more than five missiles.
The trigger for the near apocalyptic disaster was traced to a fault in software that was supposed to filter out false missile detections caused by satellites picking up sunlight reflections off cloud-tops.
2. The AT&T network collapse (1990)
In 1990, 75 million phone calls across the U.S. went unanswered after a single switch at one of AT&T’s 114 switching centers suffered a minor mechanical problem and shut down the center. When the center came back up soon afterward, it sent a message to other centers, which in turn caused them to trip, shut down, and reset.
The culprit turned out to be an error in a single line of code—not hackers, as some claimed at the time—that had been added during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.
3. The explosion of the Ariane 5 (1996)
In 1996, Europe’s newest unmanned satellite-launching rocket, the Ariane 5, was intentionally blown up just seconds after taking off on its maiden flight from Kourou, French Guiana. The European Space Agency estimated that total development of Ariane 5 cost more than $8bn (£4bn). On board Ariane 5 was a $500 million (£240 million) set of four scientific satellites created to study how the Earth’s magnetic field interacts with the solar wind.
According to a piece in the New York Times Magazine, the self-destruction was triggered by software trying to stuff "a 64-bit number into a 16-bit space."
"This shutdown occurred 36.7 seconds after launch, when the guidance system’s own computer tried to convert one piece of data—the sideways velocity of the rocket—from a 64-bit format to a 16-bit format. The number was too big, and an overflow error resulted. When the guidance system shut down, it passed control to an identical, redundant unit, which was there to provide backup in case of just such a failure. But the second unit had failed in the identical manner a few milliseconds before. And why not? It was running the same software," the article stated.
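The two faults the article describes, an unchecked narrowing conversion and a backup unit that fails the same way because it runs the same code, are easy to model. The block below is an added illustration written in Python, not the Ariane flight software (which was Ada); the horizontal-bias samples are constructed, and the three conversion strategies are there to contrast silent wrapping, an unhandled exception and a range check with a defined fallback.

```python
"""Model of the Ariane 5 conversion failure. Added example; the sample
values are constructed and the unit model is a deliberate simplification."""
import ctypes

INT16_MIN, INT16_MAX = -2**15, 2**15 - 1


def narrow_wrapping(value: int) -> int:
    """Silent C-style truncation to signed 16 bits: out-of-range values wrap."""
    return ctypes.c_int16(value).value


def narrow_raising(value: int) -> int:
    """Range-checked narrowing that raises, as the Ada conversion did."""
    if not INT16_MIN <= value <= INT16_MAX:
        raise OverflowError(f"{value} does not fit in a signed 16-bit field")
    return value


def narrow_saturating(value: int) -> int:
    """Range-checked narrowing with a defined fallback: clamp to the range."""
    return max(INT16_MIN, min(INT16_MAX, value))


class ReferenceUnit:
    """Stand-in for one inertial reference unit running the conversion."""

    def __init__(self, convert):
        self.convert = convert
        self.failed = False

    def step(self, horizontal_bias: int):
        if self.failed:
            return None
        try:
            return self.convert(horizontal_bias)
        except OverflowError:
            self.failed = True      # unhandled exception: unit shuts itself down
            return None


def fly(bias_samples, convert):
    """Run an active unit and an identical hot backup over the samples.

    Returns (status, values handed to guidance). If both units drop out on the
    same sample the flight is lost: same input, same software, same fault.
    """
    active, backup = ReferenceUnit(convert), ReferenceUnit(convert)
    outputs = []
    for sample in bias_samples:
        a, b = active.step(sample), backup.step(sample)
        if a is None and b is None:
            return "both units lost", outputs
        outputs.append(a if a is not None else b)
    return "nominal", outputs


# Constructed horizontal-bias samples; the last two exceed the 16-bit range,
# as the Ariane 5 trajectory produced values the Ariane 4 code never saw.
SAMPLES = [1200, 20500, 32000, 41000, 52000]


if __name__ == "__main__":
    for name, conv in (("wrapping", narrow_wrapping),
                       ("raising", narrow_raising),
                       ("saturating", narrow_saturating)):
        print(name, fly(SAMPLES, conv))
```

Run with the raising conversion, both units fail on the fourth sample and guidance is left with nothing, which is the Ariane outcome. Run with the wrapping conversion the flight stays "nominal" but the last two values are negative garbage, which is the quieter and often worse failure. The saturating version keeps the unit alive with a bounded value; whether clamping is acceptable is a design decision, but it has to be made explicitly, and a redundant unit only helps if it can fail differently from the primary.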
4. Airbus A380 suffers from incompatible software issues (2006)
The Airbus issue of 2006 highlighted a problem many companies can have with software: what happens when one program doesn’t talk to another. In this case, the problem was caused by two installations of the same program, the CATIA software used to design and assemble one of the world’s largest aircraft, the Airbus A380. This was a major European undertaking and, according to Business Week, the problem arose between two sites in the group: the Toulouse plant in France and the Hamburg factory in Germany.
Put simply, the German system used an out-of-date version of CATIA and the French system used the latest version. So when Airbus was bringing together two halves of the aircraft, the different software meant that the wiring in one did not match the wiring in the other. The cables could not meet up without being changed.
The problem was eventually fixed, but only at a cost that nobody seems to want to put an absolute figure on. But all agreed it cost a lot and put the project back a year or more.
5. Mars Climate Orbiter unit problem (1998)
Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space program that, in 1998, was supposed to study the Martian weather, climate, and the water and carbon dioxide content of the atmosphere. But a navigation error caused the orbiter to enter the Martian atmosphere far lower than planned, and it was destroyed.
What caused the error? A subcontractor on the NASA program had supplied thruster data in pound-force seconds (the imperial units used in the U.S.), rather than the newton-seconds that NASA had specified.
6. EDS and the Child Support Agency (2004)
Business services giant EDS waded in with this spectacular disaster, which assisted in the destruction of the U.K.’s Child Support Agency (CSA) and cost the taxpayer more than a billion pounds.
EDS’s CS2 computer system somehow managed to overpay 1.9 million people and underpay around 700,000, partly because the Department for Work and Pensions (DWP) decided to reform the CSA at the same time as bringing in CS2.
Edward Leigh, chairman of the Public Accounts Committee, was outraged when the National Audit Office subsequently picked through the wreckage: "Ignoring ample warnings, the DWP, the CSA and IT contractor EDS introduced a large, complex IT system at the same time as restructuring the agency. The new system was brought in and, as night follows day, stumbled and now has enormous operational difficulties."
7. The two-digit year-2000 problem (1999/2000)
Many IT vendors and contractors did very well out of the billions spent to avoid what many feared would be the disaster related to the Millennium Bug. Rumors of astronomical contract rates and retainers abounded. And the sound of clocks striking midnight in time zones around the world was followed by… not panic, not crashing computer systems, in fact nothing more than New Year celebrations.
So why include it here? That the predictions of doom came to naught is irrelevant, as we’re not talking about the disaster that was averted, but the original disastrous decision to use two-digit year fields in computer programs, and to keep using them for longer than was either necessary or prudent. A report by the House of Commons Library pegged the cost of fixing the bug at £400 billion. And that is why the Millennium Bug deserves a place in the top 10.
8. When the laptops exploded (2006)
It all began simply, but certainly not quietly, when a laptop manufactured by Dell burst into flames at a trade show in Japan. There had been rumors of laptops catching fire, but the difference here was that the Dell laptop managed to do it in the full glare of publicity, and video captured it in full color.
"We have captured the notebook and have begun investigating the event," Dell spokeswoman Anne Camden reported at the time, and investigate Dell did. At the end of these investigations the problem was traced to an issue with the battery/power supply on the individual laptop that had overheated and caught fire.
It was an expensive issue for Dell to sort out. As a result of its investigation Dell decided that it would be prudent to recall and replace 4.1m laptop batteries.
Company chief executive Michael Dell eventually laid the blame for the faulty batteries with the manufacturer of the battery cells—Sony. But that wasn’t the end of it. Apple reported issues with iPods and MacBooks, and many PC suppliers reported the same. Matsushita alone has had to recall around 54 million devices. Sony estimated at the time that the overall cost of supporting the recall programs of Apple and Dell would amount to between ¥20 billion (£90m) and ¥30 billion.
9. Siemens and the passport system (1999)
It was the summer of 1999, and half a million British citizens were less than happy to discover that their new passports couldn’t be issued on time because the Passport Agency had brought in a new Siemens computer system without sufficiently testing it and training staff first. Hundreds of people missed their holidays and the Home Office had to pay millions in compensation, staff overtime and umbrellas for the poor people queuing in the rain for passports. But why such an unexpectedly huge demand for passports? The law had recently changed to demand, for the first time, that all children under 16 had to get one if they were traveling abroad.
Tory MP Anne Widdecombe summed it up well while berating the then home secretary, Jack Straw, over the fiasco: "Common sense should have told him that to change the law on child passports at the same time as introducing a new computer system into the agency was storing up trouble for the future."
10. LA Airport flights grounded (2007)
Some 17,000 passengers were stranded at Los Angeles International Airport in August 2007 because of a software problem. The problem that hit systems at the United States Customs and Border Protection (USCBP) agency was a simple one, caused by a piece of lowly, inexpensive equipment.
The device in question was a network card that, instead of shutting down as perhaps it should have done, persisted in sending the incorrect data out across the network. The data then cascaded out until it hit the entire network at the USCBP and brought it to a standstill. Nobody could be authorized to leave or enter the U.S. through the airport for eight hours. Passengers were not impressed.
Posted in Compliance Management, General, Industry News