
CyberSecurity Institute

Security News Curated from across the world


Category: Statistics

Warning on hard drives’ security

Posted on February 17, 2005 (updated December 30, 2021) by admini

A University of Glamorgan (UK) study found more than half the hard drives they saw still contained sensitive information. It is feared some of the information could be used by criminals. The Information Commissioner’s Office, which monitors data disposal, has said it will be tough on any organisations breaching the Data Protection Act.

The study examined 105 hard drives which had been purchased on internet auction sites and was able to access 92 of them. The data recovered by the university team included staff passwords and national insurance numbers, a template to print a university degree and even detailed information about school children.

Dr Andrew Blyth, principal lecturer at the university’s School of Computing, said companies needed to have a “cradle-to-grave” approach to computer security. He said organised crime now saw e-crime – including identity theft – as a source of revenue.

“We’re not just talking about organised crime, about hackers, we’re also talking about extortionists, blackmailers, even conceivably, paedophiles. Companies need to wake up to the fact that under the Data Protection Act, they have a duty of care towards personal data. They can’t just take hard disks and throw them in the bin and say we have disposed of them, they have a duty to make sure that data is disposed of in a sound manner. The advice we always give is take a six inch nail and stick it through your hard drive – physical destruction of the hard drive is the only way to be sure that you have got rid of that data.”

Dr Blyth added there were software programmes, some of which were freely available, which offered users the chance to clear their hard drives for re-use by others. “The only way to be sure if you are really paranoid about your data is to physically destroy your device,” he told BBC Wales’ news website.

http://news.bbc.co.uk/1/hi/wales/4272395.stm


Phones, Car Engines Face Security Threats — Report

Posted on February 9, 2005 (updated December 30, 2021) by admini

The report, published by IBM Security Intelligence Services, a consulting arm of the world’s largest computer company, paints a picture of rampant, albeit controllable, security dangers. The survey combines data from big business customers, government security statistics and observations from some 2,000 IBM security consultants, detailing the proliferation of computer security threats in 2004 and likely next moves.

Watch out for viruses that spread to mobile phones, handheld computers, wireless networks and embedded computers which are increasingly used to run basic automobile functions, the 2004 year-end “Security Threats and Attack Trends Report” warns.

Then again, the readiness of individuals and companies to confront these challenges has also evolved, the study said. “It’s difficult to say whether we are moving to a steady state,” Stuart McIrvine, director of IBM’s security strategy, said in an interview. “The threats are increasing, but consumers and businesses are getting a lot smarter.”

IBM’s report draws on data from 500,000 electronic devices. It details a range of challenges that computer users faced in 2004 and extrapolates from early warning signs what sort of new threats electronics users are likely to face this year.

Known computer viruses grew by 28,327 in 2004 to bring the number of old and new viruses to 112,438, the report said.

Of 147 billion e-mails scanned by IBM for customers in 2004, one in 16, or 6 percent, contained a virus. During 2002, just 0.5 percent of e-mail scanned had viruses.

The average amount of spam circulating on global networks was 75 percent, the survey found. But during peak periods, spam accounted for as much as 95 percent of e-mail traffic.

http://abcnews.go.com/Technology/wireStory?id=483417


FTC: At least $548 million lost to identity theft

Posted on February 1, 2005 (updated December 30, 2021) by admini

The U.S. Federal Trade Commission said it received 635,000 consumer complaints in 2004 as criminals sold nonexistent products through online auction sites like eBay Inc. or went shopping with stolen credit cards.

Internet-related fraud accounted for more than half of the remaining complaints as scammers found victims through Web sites or unsolicited e-mail, the FTC said.

Auction fraud was the most common Internet scam, the FTC said in its annual fraud report, followed by complaints about online shopping and Internet access service.

The number of incidents was up across nearly every category from 2003, but it was unclear whether that represented an actual increase in fraud or simply a greater awareness of the FTC’s Consumer Sentinel fraud program.

Consumers likely lost significantly more than the amount reported, as fewer than half were able to pin a dollar figure on their losses.

A recent report by the Better Business Bureau found that most cases of identity theft occurred through the theft of a checkbook or other offline methods.

http://www.cnn.com/2005/TECH/02/01/id.theft.scams.reut/index.html


Risk rises up the agenda, but IT issues remain a challenge

Posted on January 12, 2005 (updated December 30, 2021) by admini

Three quarters of CROs in financial services firms report to their chief executive or the board of directors, says Deloitte, in accordance with a 25% increase in board-level oversight of risk management over the last two years.

While 38% of respondents claim to have the right organisational structure in place to cope with the demands of global risk management, only 15-16% report progress in integrating methodology, data, and systems.

http://207.234.191.209/?q=node/view/2089


A Long Way to Grow

Posted on January 5, 2005 (updated December 30, 2021) by admini

The charts on the following pages reflect first results from the Security Capability Model, a survey tool codeveloped by CSO and Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to help respondents compare their security processes—particularly pertaining to information security—with those of other organizations.

The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU’s well-known Software Engineering Institute (SEI).

They don’t yet feel there’s a long enough history” to clearly state what constitutes “mature” information security practices.

Methodology: The Security Capability Model survey was posted online at CSO’s website and at the CERT website.

The industries most heavily represented in the response base were finance/banking/accounting (14%), health care/pharmaceutical (12%), manufacturing (11%) and government (10%).

In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI’s own Octave risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices.

One chart presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security.

Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments.

For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks.

Allen says more capable—and successful—organizations are those treating security as a business objective; these companies achieve regulatory compliance by documenting existing processes, rather than by scrambling to jury-rig new processes to meet the letter of the law.

http://www.csoonline.com/read/010105/survey.html


Phishing, spyware and other pests plagued 2004

Posted on December 30, 2004 (updated December 30, 2021) by admini

And while technology to combat such threats has improved, experts concede that’s not enough to address what’s bound to emerge in the coming year.

“The bottom line is, there is no silver bullet technology,” said Gregg Mastoras, senior security analyst at security vendor Sophos Inc. “I just don’t think users are educated enough when they are on machines and what they are doing with it.”

The past year saw more industry attention to security: Microsoft Corp. upgraded its flagship Windows XP operating system, closing many loopholes and turning on a built-in firewall to thwart attacks. America Online Inc. gave away free security tools, and computer makers began installing software to combat spyware.

Dozens of products and services were developed to attack “phishing” — e-mail pretending to be from trusted names such as Citibank or Paypal, but directing recipients to rogue sites.

But developers of malicious code have gotten better at automating their tools, as well as sharing information about vulnerabilities and techniques to exploit them through underground message boards and chat rooms, said Mark Rasch, chief security counsel for Solutionary Inc.

No longer are bragging rights the primary motive.

“It used to be cool to bring down sites, almost (like) graffiti for the 21st century,” said Arthur Coviello Jr., chief executive for RSA Security Inc. “Today’s worms and viruses are far more detailed, and specific attacks are directed at individuals and businesses for the purpose of economic, ill-gotten gains.”

Virus writers have found new ways to infiltrate computers and networks, bypassing the protections inspired by their earlier methods of attack.

For instance, with more network administrators blocking attachments to stop viruses from spreading via e-mail, hackers managed in June to convert popular Web sites into virus transmitters by taking advantage of known flaws with Microsoft products.

They’ve also used viruses like “Mydoom” to deposit programs that let them take over infected PCs — and then use them to relay spam or launch attacks on Web sites like Microsoft’s. Ninety percent of viruses in 2004 carried a “backdoor” mechanism, compared with less than half in 2003, said Alfred Huger of Symantec Corp.

And once they’ve commandeered such PCs, they form networks of “zombies.” Spammers buy access to these networks so they can send e-mail that appears to come from legitimate home computers, making them harder to tag as junk. “They are well organized on the black market,” said John Levine, co-author of “The Internet for Dummies.”

Much of the malicious code appears to originate in countries without adequate laws to prosecute, experts say. Meanwhile, law enforcement agencies and service providers are only beginning to establish guidelines for jointly chasing suspects who can move about with stealth in a medium that knows no borders.

Security experts rank phishing and spyware as the greatest threats for 2005, given how clever their developers have gotten in the past year. Unlike spam pitching relatively cheap products like Vioxx, phishing scams can quickly drain entire bank accounts of unsuspecting users. The number of rogue sites used for such scams grew sevenfold in just four months — to 1,518 in November, from 221 in July — according to Websense Inc.

http://www.securityfocus.com/news/10215
