October 25, 2006

Data Security: Still An Oxymoron

Richard Kuper
The Kuper Report

I have written several times here about how data security is an oxymoron, and have given presentations on the subject. Here are excerpts from and links to two current ComputerWorld articles about some of the latest sad examples.

Identity thieves hit customers at TD Ameritrade, E-Trade

Overseas hackers broke into customer accounts at two popular online stock brokerages, TD Ameritrade Holding Corp. and E-Trade Financial Corp., in a "pump and dump" stock-trading scheme that led to at least $22 million in losses.

The attacks, which took place during the last three months, were launched by identity thieves in Eastern Europe and Asia who primarily used keylogging software delivered via Trojan horses or other malware to steal users' confidential information as they logged onto public computers or their own infected machines, TD Ameritrade CIO Jerry Bartlett said in an interview today.

The hackers then logged into existing customer accounts -- or created dummy accounts -- to buy shares in little-traded stocks, driving prices up so they could sell their own previously purchased shares for a profit.

8,500 victims in international data theft

British electronic-crime detectives are investigating a massive data theft operation that stole sensitive information from 8,500 people in the U.K. and others in some 60 countries, officials said Tuesday.

In total, cybercriminals targeted 600 financial companies and banks, according to U.K. authorities, who have worked over the past week to identify and notify victims.

The data was collected by a malicious software program nicknamed Haxdoor that infected victims' computers. Some 2,300 machines were located in the U.K., McMurdie said.

Haxdoor is a powerful program that can collect passwords and send them to another e-mail address plus disable a computer's firewall, among other functions, according to a description posted on security vendor F-Secure Corp.'s Web site. Symantec Corp., another security company, wrote it first detected Haxdoor in November 2003.

Computers can get infected with Haxdoor if they don't have security patches or up-to-date antivirus software. London police said it's believed many victims were infected through instant message programs.

August 04, 2006

Data Security: An Oxymoron - continued

Richard Kuper
The Kuper Report

Just a couple of the latest news items, reported by ComputerWorld, showing the continued disregard for data security. I've excerpted and consolidated the main points of both articles below, and provided the links to the full articles. Sadly, this continues to support my presentation and summarized article "Data Security - An Oxymoron".

E-voting security under fire in San Diego lawsuit

The suit requests that a special election be invalidated. You see, rather than ensuring that all voting machines were secured prior to and after the election, the machines were given to poll workers to take home, which they did, for anywhere from three days to more than a week! In addition, keys for touch-screen voting machines were released to poll workers -- which is a violation of state and federal law. And, if that were not enough, there is a switch in the circuitry of the Diebold TS touch-screen system that allows the machine to boot from an external source, which would completely circumvent the software and safeguards inside.

Two IT execs at Ohio University fired after data breaches

The first breach involved a server containing patent data and intellectual property files at the university's Innovation Center. That breach was discovered when the FBI told the university it had been provided with disk drives from the server.

A server supporting alumni relations and development was compromised and was being used to launch distributed denial-of-service attacks against an external target. The personal data on 137,000 alumni was exposed.

A system belonging to its Hudson Health Center had been broken into, potentially exposing Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 current and past students and faculty.

The discovery of the three break-ins prompted the school's IT organization to bring in outside experts to conduct a sweeping review of systems housed in the school's Computer Services Center. The review led to the discovery of two more breaches: One involved a computer that contained IRS 1099 forms for nearly 2,500 vendors and contractors that had done work for the university in 2004 and 2005; the other involved a computer that hosted a variety of Web-based forms, including some that processed online business transactions.

May 25, 2006

Data Security: An Oxymoron

Richard Kuper
The Kuper Report

On May 9th I gave a presentation on Data Security at the NYC Software Process Improvement Network (NYC SPIN) annual Ten Minute Madness Event. In my presentation, titled "Data Security: An Oxymoron?", I highlighted news that had come out over the prior several weeks:

-Laptops stolen with unsecured data from financial firms

-CDs distributed with private data by, in this case, the Republican

-University systems getting hacked

-State and local governments posting private data on the internet

-A breach allowing retail credit card holder information to be accessed

-Unauthorized access to data by insiders

-The Federal Government hiring a firm that allowed criminals to set up fake IDs and access private data to guard the security of data for the

-A company not validating the practices of the firm they hired to securely scrub data from recycled hard drives and finding the unscrubbed hard drives on eBay

In the past week, there has been news about a stolen laptop that contained names, addresses, Social Security numbers and more on over 26 million veterans, and news about a Red Cross employee having improper access to sensitive data such as the Social Security numbers of over 1 million blood donors.

In my presentation, I pointed out that if all of the government agencies, colleges, retail stores, major corporations, and others had good

-Standards, and

-Best Practices

(and enforced them), then perhaps much of this could have been avoided.