Friday, September 26th, 2008 No Comments »
Making and breaking security depends on good planning, which takes time that most people won’t devote. There are, however, four quick ways to enhance the security of any office: home, small, or Fortune 500.
- Lock your screen every time you get up - Set your computer to automatically start a password-protected screensaver when your machine is inactive for 10 minutes. Got to tinkle? Lock your screen first (Vista/XP users: hold the Windows key and press L).
- Buy a good shredder – A shredder that can destroy mail in its envelopes, CDs, and DVDs is an effective way to keep your confidential information safe.
- Invest in an alarm system and door lock - You’d be surprised at how many small companies don’t lock their front doors or have basic alarm systems on their windows. Keeping doors locked, even when the office is occupied, will stop most opportunistic thieves.
- Enable Automatic Updates on your operating systems and applications - Or at least enable update notification, so you can test patches before they are released into production. Don’t rely on an administrator to check for updates from time to time.
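The first item in the list can be enforced and, more importantly, verified rather than trusted. The script below is an added example, not part of the original post: it writes the registry values that the Windows screen saver reads for the current user and then reads them back to confirm the lock policy actually holds. It assumes a Windows client where the user can write to HKCU (on a domain the same values are normally pushed by Group Policy instead) and a 10-minute timeout, as recommended above.

```powershell
# Added example (not from the original post): enforce and verify "lock after 10 minutes
# of inactivity" for the current user via the screen saver's registry values.
# Assumes a Windows client where the user can write HKCU; domain machines usually get
# these same values from Group Policy. New values take effect at the next logon.
$desktop        = 'HKCU:\Control Panel\Desktop'
$timeoutSeconds = 600   # 10 minutes

# All of these are REG_SZ values, so write them as strings.
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'   # require password on resume
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds"
# Without a selected screen saver the timeout never fires; scrnsave.scr is the blank one.
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\system32\scrnsave.scr"

# Verify rather than trust: read the values back and fail loudly if any part of the
# policy is missing (screen saver off, no password, too long a timeout, no saver chosen).
$cfg = Get-ItemProperty -Path $desktop
$ok  = ($cfg.ScreenSaveActive -eq '1') -and
       ($cfg.ScreenSaverIsSecure -eq '1') -and
       ([int]$cfg.ScreenSaveTimeOut -le $timeoutSeconds) -and
       (-not [string]::IsNullOrEmpty($cfg.'SCRNSAVE.EXE'))

if ($ok) {
    "Screen lock policy OK: password-protected lock after $($cfg.ScreenSaveTimeOut) seconds"
} else {
    $state = $cfg | Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, 'SCRNSAVE.EXE' | Out-String
    Write-Error "Screen lock policy NOT enforced:`n$state"
}
```

The verification half is the part worth keeping: run it on its own (or from a logon script) to catch users who quietly turn the screen saver back off, since the setting only protects machines where it is actually in force.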
Successful security doesn’t require every component to be complex, and this list could have much more added to it. I’d also recommend you take a page out of the crime book and train your users to think like the mafia.
What do you think is missing from this list?
Wednesday, August 6th, 2008 No Comments »
IBM’s X-Force R&D has sent out a report (pdf) detailing computer security statistics collected over the first six months of 2008.
Among the results of this report, we find the following (compared to last year’s figures):
- Decreased time between disclosure and public exploit
- Further shift from OS and multimedia exploits to web browser exploits
- Further shift from browser core to browser plugins
What this tells us is that attackers are keeping a steady eye on the disclosure process itself, quickly adapting the details into POC code. It also shows that attackers are recognizing and taking advantage of the browser as an attack vector—a trend that has been steadily increasing over the past few years.
Another interesting trend that caught my eye was the most commonly used web browser plugin exploits: most attacks exploited vulnerabilities that were between 1 and 2 years old. On one hand, I would say that an improvement has been made; no longer are people getting exploited by 4 or 5 year old bugs. But at the same time, we have a long way to go before people consistently address the security issues of software that is regularly exposed to the dangers of web browsing.
The rest of the report (pdf) is a very solid read. They cover everything from spam, to phishing, and even the relatively fresh vulnerability frontier of virtualization.
Wednesday, June 18th, 2008 1 Comment »
Another lost laptop story, this time from the UK. The details of the theft aren’t too unique – laptops with sensitive patient data were stolen from a hospital and a doctor’s house, and while the files were supposed to be encrypted, they weren’t. This story, much like every other data leak story, brings up the same arguments for why it isn’t a big deal:
- “The data, which also cannot be accessed without passwords, contained patients’ names, postcodes, hospital numbers and dates of birth.” (Emphasis added)
Passwords are a ridiculously weak form of security, and if the files aren’t encrypted, the statement that access is impossible without a password is most likely just flat-out wrong. An unencrypted disk can simply be pulled from the laptop and read on another machine, login password or not.
- “However they insisted there was no reason to believe the computers had been targeted for the information they contained, merely for their monetary value.”
Targeted or otherwise, the data is now freely accessible to the thief. There’s equally no reason to believe that it will not be exploited. While historically thieves are just in it for the quick score, that’s not really a guarantee.
- “However he insisted that only someone with ‘specialist computer knowledge’ would be able to crack the passwords and access it.”
It’s not too hard to find people who know their way around a computer. And, thanks to the internet, specialist-type information is ridiculously easy to find.
- “We believe the data will almost certainly be wiped by the thief so he can get a quick sale.”
Without any evidence that this is the case, you can believe whatever you want. I’m sure that’s really comforting to the people whose data is at risk.
- “The hospital has stressed that the data was only a copy of information stored centrally, so no details of appointments or treatment have been irreparably lost.”
Well, thank goodness the people responsible for the data didn’t get hurt.
Every story about a data leak, regardless of the source (hospital, bank, etc), always seems to contain the same PR spin. “Well, the files are password protected anyway, and the person who stole them probably isn’t even going to notice, and it doesn’t matter because they probably just want to wipe the hard drive and sell the machine anyway, so, no hard feelings, okay? We’re sorry we weren’t adhering to the applicable laws and data protection standards, but this probably isn’t a big deal anyway.”
I understand the desire to try to mitigate the problem and reassure customers that things will “be alright”. But, these arguments are at best wishful thinking and at worst outright lying. If someone’s data could have been compromised, they need to understand the steps they need to take to protect themselves, not be reassured that it’s probably not a big deal.
Wednesday, May 7th, 2008 2 Comments »
In a recent case in Arkansas, a registered nurse has pleaded guilty to violating HIPAA rules by disclosing confidential patient information for personal gain. No one should be surprised that things like this happen.
Every industry has laws, regulations and penalties set up for the purpose of consumer (and business) protection. In the health care industry, there is and has been an enormous amount of money spent to bring processes and systems into compliance with regulations like HIPAA to try to protect patient confidentiality. You can lock down electronic systems as much as you want, but nothing can ever be truly secured, because of one simple fact – these systems are owned and operated by people.
A “weakest link” analogy that’s popular in the security industry is the concept of putting deadbolts, latches, chains, and bars on a door while leaving the window next to it open. This is usually used to make a case to bring an insecure area up to par, or to discourage spending a lot of money on one aspect of a system when there’s another module in dire need of attention. Social engineering attacks, like the one in the article, are the “unclosable window” in the proverbial computer security house.
Now, this isn’t an argument against trying to secure electronic systems as much as reasonable or possible, or that laws and regulations are a waste of time. Keeping out as many attackers as possible from as many angles as possible is a “good thing”. Social engineering is just one of those things that makes a security professional occasionally throw their hands up in the air and wonder why they’re trying at all. It’s an insidious type of attack that no one can ever plan for, and, despite all efforts to the contrary, will never, ever go away. Unfortunately, despite the lofty goals that legislation like HIPAA aspires to accomplish, nobody’s data will ever be truly safe.
Thursday, April 24th, 2008 No Comments »
According to Bruce Schneier, it is, and it might not be fixable.
It’s expensive to investigate, and it’s cross-jurisdictional. It might not be fixable. A lot of [the solution] is going to be making the things that criminals are going after harder to get. You’re not going to stop the criminals [from trying]. But in the United States, it’s really easy to get a credit card in someone else’s name. The credit card companies like it that way.
Isn’t any fraud, stealing, or trespassing online a crime? Of course it’s the biggest problem, and no, it’s not fixable, just manageable. As long as people try to commit crimes, there will be crimes.
Monday, March 24th, 2008 No Comments »
The Post has another article on an NIH laptop stolen from someone’s car. The interesting part is that the Post points out that the laptop should have been encrypted:
The information was not encrypted, in violation of the government’s data-security policy.
At least there are policies about this now, but as we all know, most security policies aren’t followed because they’re annoying. Luckily, laptop encryption is not as difficult as it once was. TrueCrypt, SecureDoc, heck, even BitLocker, make hard drive encryption fairly easy.
The last paragraph in that story also goes on to say that personally identifiable information would not be located on laptops. I want to know how they’re going to manage that. People want to be able to work from home, on the plane, or at the airport. Perhaps in this specific instance the personally identifiable information is not required for these people to do their job, but in many cases some kind of identifying information is required. The only good option is full hard disk encryption, or at least encryption of all data directories/drives.
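Both this story and the UK hospital story above share the same failure: the policy said the laptops were encrypted, and nobody checked. The script below is an added example, not from the original post, that audits BitLocker (mentioned above) on the local machine and flags every fixed volume that is not fully encrypted with protection turned on, including the easy-to-miss case where encryption finished but protection was later suspended. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module and an elevated prompt; on Vista-era systems the same information comes from `manage-bde -status`.

```powershell
# Added example (not from the original post): verify that "the laptop is encrypted" is
# actually true by listing every BitLocker volume that holds data in the clear.
# Assumes Windows 8 / Server 2012+ (BitLocker PowerShell module) and an elevated prompt.
$findings = foreach ($v in Get-BitLockerVolume) {
    # A volume only protects the data on it when encryption has completed AND the
    # protectors are active. FullyEncrypted + ProtectionStatus Off means the clear key
    # is on disk (protection suspended), which is as good as unencrypted for a thief.
    $compliant = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')
    [pscustomobject]@{
        Volume     = $v.MountPoint
        Type       = $v.VolumeType                 # OperatingSystem or Data
        Status     = $v.VolumeStatus               # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection = $v.ProtectionStatus           # On / Off
        Percent    = $v.EncryptionPercentage
        Protectors = ($v.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        Compliant  = $compliant
    }
}

$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} volume(s) are readable without a key (not encrypted, still encrypting, or protection suspended): {1}" -f $bad.Count, ($bad.Volume -join ' '))
    exit 1
}
"All fixed volumes are fully encrypted with protection on."
```

The non-zero exit code is deliberate: run this from a logon script or an inventory job and the machines whose policy is only on paper show up as failures, instead of surfacing for the first time in a police report.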
Thursday, February 21st, 2008 2 Comments »
According to a DHS Analyst, foreign hackers are after your health care records.
Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, told a workshop audience at the National Institute of Standards and Technology that the hackers’ primary motive seems to be espionage.
“They’ve been focused on the [Department of Defense] – the military – but now are spreading out into the health care private sector,” Walker said.
Bruce Schneier thinks it has to be a joke.
I’m not so sure. The expenses related to clearing a company’s good name, after privacy breaches and violations of HIPAA have degraded public trust, would be huge. It could be true economic warfare, 21st century style. All the more reason to create and follow strong security policies, perform risk analysis and mitigation, and put technologies in place such as identity management and strong encryption.
Or, you can instead believe it’s just a joke.
Friday, February 15th, 2008 1 Comment »
Let’s say your laptop sustains a minor injury and you decide to take advantage of that expensive extended warranty you purchased. You take it back to where you bought it for repairs, and they give you the standard ball-park figure of how long it’ll take: 2-6 weeks. So far so good, right?
Sure… until a few weeks later when you are informed that your laptop was lost. Although the cost of the hardware can be easily calculated, what value would you attach to the lost data and the personal information that might be floating around on the Internets?
Raelyn Campbell figures $54 million should just about cover it…
From the way things were handled by Best Buy, this doesn’t seem to be the first time a customer’s laptop had been “permanently misplaced.” Perhaps the other victims were content with getting a refund— they might have even been happy since they could put that refund towards buying a brand new shiny computer…
In addition to a shady compensation offer, it seems that some laws were sidestepped as well:
Campbell was informed that she had a bigger problem than a lost computer – the potential for identity theft. She also learned that Best Buy was in violation of the district’s security breach notification law, which requires companies that have lost a consumer’s data to tell them. To date, she has not received that notification.
Although nobody is really expecting a $54 million settlement to be awarded, the extra attention might convince some companies to take the privacy and security of their customers as seriously as they take their own.
Wednesday, February 13th, 2008 No Comments »
Members of the Xbox Live community are losing their accounts and possibly more to hackers who are able to fool support personnel.
The hackers frequently will call the toll-free [Xbox Live support] number and pretend to be the owner of the account they want to take over. They will provide the Xbox Live ID and then ask for the physical address that’s associated with the account. Later, they’ll call back and ask for the phone number. Eventually, the hackers assemble enough information to convince a support person they are the rightful owners of the account.
The article goes on to report that this is not an uncommon occurrence. In fact, a search of Microsoft’s Xbox forums reveals just how frequently accounts are stolen, and given that Xbox Live accounts contain information such as the user’s home address and credit card number, these attacks can prove very costly to customer privacy. Note the pattern: each call asks for only one piece of information, and each answer becomes the “proof” offered on the next call, so no single support agent ever sees anything that looks suspicious.
This should remind us that the strongest measures to secure data can be easily circumvented if appropriate policies and procedures are not in place to prevent employees from simply giving it away. Everyone who has access to sensitive information should have the means and the training to differentiate between a thief and a paying customer, and support staff should never read account details back to a caller as part of “verifying” them.