October 30th, 2006 by dm Identity Theft, Vulnerabilities none Comments

Is it just me, or are these results scary (pardon the Halloween-theme lead)? A study commissioned by Cisco Systems on the habits of workers who telecommute (and thus access company systems remotely) interviewed 1,000 teleworkers in 10 countries and produced some interesting results. My favorite,

One in 10 users noted that they have used, without permission, their neighbor’s wireless Internet connection when working remotely.

Ten percent of telecommuters putting their company accounts and most likely extremely sensitive company information out in the open in plain text for anybody to see? This is troubling, especially for IT managers who support a growing number of telecommuters. Although the survey doesn’t detail how many users use secondary encryption such as a VPN tunnel or a secure proxy, my feeling is that this number is close to zero. Thus, after spending millions to secure your corporate network from intruders, your company information is flowing in a distant neighborhood’s airwaves for anybody to see in plain text. Scary.

Other results from the survey,

  • nearly 40 percent of remote workers stated that they use their work computers for Internet shopping;
  • some 21 percent of remote workers admit that they allow friends and family members to use their work computers because "they don’t see anything wrong with it";
  • almost 50 percent of remote workers said they used their own personal electronic devices, even when they did not have anti-virus or security software on the devices, to access corporate resources; and
  • 38 percent of remote workers report that they click on e-mail messages of unknown origin.

Scary stuff. Happy Halloween!

September 26th, 2006 by dm Phishing, Scams, Vulnerabilities none Comments

Symantec has released its annual Internet Security Threat Report. Its coverage of Internet attacks, vulnerabilities, malware, phishing, spam, and trends in the Internet security area is a must-read for security and legal professionals. Here are some of the highlights.

Phishing, Spam, and Security Risks

  • The Symantec Probe Network detected 157,477 unique phishing messages, an increase of 81%.
  • Financial services was the most heavily phished sector, accounting for 84% of phishing activity.
  • Spam made up 54% of all monitored email traffic, up from 50% in the last period.
  • The most common type of spam detected in the first six months of 2006 was related to health services and products.
  • Fifty-eight percent of all spam detected worldwide originated in the United States.
  • Eight of the top ten reported security risks were adware programs.
  • Three of the top ten new security risks are what Symantec calls “misleading applications.”

Attack Trend Highlights

  • Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all Web browser attacks.
  • Symantec observed an average of 6,110 DoS attacks per day.
  • The United States was the target of the most DoS attacks, accounting for 54% of the worldwide total.
  • The Internet service provider (ISP) sector was the most frequently targeted by DoS attacks.
  • China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total.
  • The United States had the highest percentage of bot command-and-control servers with 42%.
  • Beijing was the city with the most bot-infected computers in the world.
  • The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total.
  • The home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks.

Read the full report (120 pages).

August 29th, 2006 by dm Vulnerabilities none Comments

An InformationWeek article cites and discusses recent research by BIOS maker Phoenix Technologies saying that 8 out of every 10 computer attacks against businesses could be stopped if enterprises checked the identity of not only the user but also the machine logging onto their network. The study, conducted for Phoenix by a California research firm, looked at data from cases prosecuted by federal authorities between 1999 and 2006 to reach its conclusion that attacks based on logging in with stolen or hijacked credentials cost businesses far more, on average, than the typical worm or virus assault. According to the research, when a privileged account is penetrated by an unauthorized user, the average damage is $1.5 million, while the average damage from a single virus attack is under $2,400.

The study and the conclusion are valuable in what they show - that enterprises should take extra measures not only to secure their infrastructure, but also to educate their users to protect their credentials better. But the research methods are inherently flawed.

First, the research was based on data obtained from prosecuted federal cases. Usually such cases are brought under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030), which criminalizes unauthorized access to a protected computer (quite broadly defined) and conduct varying from hacking to employees copying data before leaving the company. The problem with relying on such data is that the government, with its limited resources, can criminally prosecute only the cases with the highest damages or with the biggest public outrage (which is ultimately related to damages). Also, unauthorized access cases often relate to misappropriation of secret information, whose value is usually very high. Relying on such cases to show high damages is circular.

Second, federal prosecutors very rarely prosecute authors of worms or viruses. Usually the authors cannot be caught, are in a foreign jurisdiction, or are otherwise able to avoid section 1030 criminal prosecution. Also, over the past 6 or seven years (the date range used in the study) worm or virus attacks have had a relatively minor damage factor - disabling computers, displaying foul messages, or formatting hard drives. For many enterprises, the damage is usually limited to the cost of lost productivity and restoring the computer (usually from a ghosted hard drive image).

The research, although based on a flawed method and data, nonetheless confirms an important aspect of enterprise information security - people are usually the weakest link.  Regardless of how good your firewall and network settings are, one employee’s weak or stolen password can provide an open highway to an attacker. To solve this, businesses should have strong password policies and, most importantly, educate their employees on how to safeguard their (and their employer’s) online identity.

August 28th, 2006 by dm Vulnerabilities none Comments

The National Institute of Standards and Technology (NIST) has issued a draft publication to provide guidance to home users, including federal workers engaged in telework, on improving the security of home computers that run on the Windows XP Home Edition operating system.

Although in draft, this is still an extremely useful guide to home users on how to secure their machines.

Draft Special Publication 800-69, "Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist."

July 18th, 2006 by dm Hacking, Vulnerabilities none Comments

Recent research presented at the Workshop on Economics of Information Security at the University of Cambridge suggested that 46 percent of almost 2,5000 access points in Indianapolis were not running any form of encryption.

So far so good, and let’s assume that Indianapolis is a fairly representative area for the rest of the country when it comes to securing Wi-Fi. Most of the researchers participating in the workshop criticized the default settings of Wi-Fi routers, which leave networks running without security and without encrypting traffic. "People just really don’t care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University. "Defaults (settings) are king."

What troubles this author are comments from some security experts that as long as people’s devices are secure, having a secured network is unnecessary. Here is what "security expert" Bruce Schneier said,

I have a completely open Wi-Fi network. Firstly, I don’t care if my neighbors are using my network. Secondly, I’ve protected my computers. Thirdly, it’s polite. When people come over they can use it.

Really? Many in the security field would claim that no networked machine is 100% secure. How would Mr. Schneier guarantee that his device is 100% secure? What happened to the layered security models requiring adequate protection at each level? Just because we want to be polite to our neighbors does not mean that we should encourage people to lift the security of their networks, hoping that they know how to secure the devices inside their networks and praying that security vulnerabilities will not be discovered and exploited faster than they can be patched. Thank you, Mr. Schneier, but I’d rather secure my network AND device. As far as my neighbors - you are not downloading illegal movies on my bandwidth!

Good passwords are critical to good security. Which usually keeps regulators, journalists, and plaintiff lawyers away. Do you know how long your password will stand up using a brute force? You can check here.

Another laptop theft. Another identity theft risk. This time it is Verizon.

A theft of two laptop computers has put a "significant number" of Verizon Communications’ employees at risk of having their identities stolen, the company said Wednesday.

According to the report, two laptops were stolen from a Verizon facility and may contain personal information, such as Social Security Numbers. Verizon has assured its employees in a March 1st letter that this incident appears to be a random criminal act and that the laptops were password protected.

It is interesting that Verizon has underscored that the laptops were password protected. Are they trying to imply that because there is a password on the laptop any data stored inside is protected? Many of our readers know that having a Windows password is hardly any deterrent against obtaining access to the laptop information. Is having a relatively weak login password protection on a laptop sufficient to protect the data inside?

[Via Wall Street Journal (paid subscription required)]

March 10th, 2006 by dm Spyware, Vulnerabilities none Comments

A report conducted by the Australian Consumers’ Association found that most new PCs come packaged only with very basic trial (and not up-to-date) anti-virus software.

Most computers connect to the internet and we think all computers should be sold with a full internet security package rather than a couple of months’ protection against viruses and worms.

Considering that it takes only a few minutes to "zombify" an unprotected networked PC, this report underscores a major threat to the security of the Internet - as long as vendors do not provide adequately protected PCs to new users, there will always be a pool of proud new PC owners who provide easy targets to botnet operators.

[Via CNET.com.au, Australia -]

February 3rd, 2006 by dm Hacking, Vulnerabilities none Comments

How much is a major Windows exploit worth? Market says $4,000.

Competing hacker groups in Russia were peddling the exploit code responsible for the Windows Meta File attacks last December for $4,000, according to security company Kaspersky Lab.

Competing hacker groups? Imagine how much the exploit code would have cost had there been no competition among the hacker groups in Russia. Thank god for the market economy in Russia.

[Via CNET News.com]

January 31st, 2006 by dm Law & Policy, Vulnerabilities none Comments

Because ISPs are directly affected by their customers’ infected computers "running crazy" around the Internet, some providers are starting to be more aggressive in their customer relations.

Easynet, a UK Internet Service Provider (ISP), is contacting customers it believes may be infected with the Nyxem virus. When a computer is infected by Nyxem, it visits an online Web counter that counts how many PCs have been infected. Easynet is monitoring traffic to this Web counter and sending a warning to every user that visits it, explaining that their machine could be infected.

Although it seems like a nice idea, the number of new viruses and the number of infections every day suggest that an ISP can do only so much to notify and help its customers. No ISP can afford to keep a force on its payroll to react to malware attacks against its customers. While individual attacks, such as the Nyxem virus, may deserve particular attention, this method of fighting malware is inefficient.
