Category: breach


So I ran across a blog post by Jeff Atwood that talks about CAPTCHA, which is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.  These are those distorted little images in which we have to work out which letters they contain.  I added a picture for reference (an early CAPTCHA).  Wikipedia has a great reference on this technology.  The post talks about how new technology keeps coming out that makes these easier for computers to break.  One of the biggest websites with such a problem is Ticketmaster.  People have found a way to get around its CAPTCHAs.  One recent instance where this has been shown to be a problem is the Hannah Montana concert “Best of Both Worlds”. Tickets were swept off Ticketmaster and started to be sold on eBay for an average of $237.

This leads into talking about the necessity of Information Security employees being tech savvy and tech forward.  Hackers are always looking for new and better ways to get around security features.  The security measures of five years ago are not as secure today as they were five years ago.  Security hacks and vulnerabilities are being found every day and circulated online.  (So make sure to update your software regularly.)  Being aware of these vulnerabilities is the first step.  As a security professional, you must then gauge the riskiness of the vulnerability and the cost of the fix.  (Will it be painless, or will the fix have to be tweaked to keep it from interfering with the current network?  Will any equipment have to be replaced?  Etc.)  Then weigh the benefits against those costs.

Ticketmaster should definitely re-evaluate their ticket security.  The Hannah Montana incident received a huge amount of bad publicity.  The lack of good security may actually lead Ticketmaster to make more than they usually would, due to overbuying by scalpers.  However, you have to weigh the increased revenues against the effects of the bad publicity when the lack of good security reaches mainstream media. Over 195 news articles show up on the subject at Google News.

I stumbled upon a great article today about the risks associated with temporary employees. This is especially important information during the Christmas season, due to the large increase in temporary employees.  The article outlines three main issues faced with the addition of temporary employees.

  1. Information Leakage
  2. Lack of Basic Data Security Management
  3. Exposure to External Threats

The article outlines the results from a survey given to temporary employees about their behavior and policies at these jobs.  There are some pretty interesting statistics in the article.  Here are just a few of them.

  • 87.7% of respondents were able to access documents from the company network drive or electronic folders that permanent staff use on a day to day basis
  • 52% used someone else’s e-mail account or a general company e-mail address
  • 78.9% of temporary workers said they did not have to sign a PC or Internet use policy
  • 97% said they either didn’t understand or had never heard of the Computer Misuse Act
  • 25.5% accessed download sites during work hours
  • 67% of temporary workers used social networking sites like Facebook during working hours

The complete set of statistics and article can be found at the following link. 
Businesses are ill-prepared for the security risk introduced by temporary workers

As hackers find new and different ways to use the information found on the internet at sites such as Facebook and MySpace, we will start seeing a whole different arena of ways to gain information that we must know about and be cautious of.

Salesforce.com just ran into some trouble in October. On Oct. 19, Security Fix reported that payroll giant Automatic Data Processing (ADP) and several banks — including SunTrust — were among a number of institutions that were victimized by a series of highly targeted phishing scams.  This was done through a spoofed email that asked employees to download a file, most likely malware intended to steal usernames and passwords.  More Info

This is just one of the risks of which temporary employees and full-time employees alike must be aware. Management must be aware of these threats and take steps to mitigate these risks.

I started this blog as a part of an independent study for my MBA and, as you can see if you look at my archive, it’s been about 2 months since I’ve entered a blog entry.  Since this is my assignment for the semester, it can be said that I’m a little bit behind on the work for this class.  As the semester is coming to an end in less than 2 months and I realize that my time is slowly whittling away, I look into what I should be doing to jump start myself into finishing my work, as well as looking into the past and analyzing why I am behind.  (I have to analyze everything I do… That’s what MBAs live and breathe.)  So, let’s start off with the past…

THE PROBLEM
I have taken this independent study and have not completed the work over the summer as planned.

ANALYSIS OF THE PROBLEM
Why?

  • Stress of Moving to and from California for an Internship
  • Buying the wrong book on Half.com (delaying reading for 3 weeks)
  • On the backburner – Lack of presence in forefront of mind
  • No short term goals or milestones set for independent study
  • August – start of new semester & classes
  • Busy – work, classes, a few hours of sleep, interviews, need for down time (Value of Time & Effort)
  • September to November – interviews every week, behind on normal classes

Now you are probably wondering how this has anything to do with Information Security.  Well, don’t worry.  I’m going to go into that now.

In business, many things are happening at once.  Everyone has to multi-task and prioritize their lives in order to survive work as well as life.  Within business, security is many times put on the backburner.  Unless top executives make Info Security a priority, businesses know they should be doing something but don’t take the time to do anything about it.  People look for ways to save time and money, and security can sometimes cost employees and the business a lot of time AND money.  This link shows just one of the many ways that employees will find to shortcut a system to save time while increasing the risk to security.

As I mentioned before, having top executives’ support can make or break some initiatives.  It is also important to set timelines, goals and milestones for progress.  I personally did not do this and, as you can see from the small number of blog posts, I am not accomplishing my work in this portion of my class.  By setting milestones for both Info Security and work goals, you can help to keep security work at the forefront of employees’ minds.

Let’s move on to “Value of Time & Effort”.  In everyone’s life, they have to constantly make choices.  “Do I want to work out or do I want to watch TV?” / “Do I want to buy a new laptop or do I want to take a vacation to Hawaii?”, etc.   This happens in Info Security a great deal, just like in life.  Information Security, especially on the Internet, is an important aspect that needs to be addressed.  However, events in which data or information are compromised are few and far between.  These events do cost a great deal of money when they happen, however.  Many managers don’t want to spend the large amounts of capital needed to guard against an event in the future that may or may not even happen.  These managers sometimes don’t comprehend how much these types of breaches can cost.

So I guess to sum up my key points, I believe that in life and info security, we need…

  1. senior executive prioritization
  2. key security milestones and goals
  3. complete understanding of potential risks

During the week of August 27th, Monster.com had a major security breach.  More than 1.3 million records of resume contact information were found to have been pilfered from both the Monster.com site and the USAJobs.gov site.  While this information doesn’t include any highly sensitive information such as financial data and social security numbers, it is still information that can be used for phishing and spam email.  During the investigation, Monster found that this wasn’t the first time that information had been taken this way from their site.

In response to this breach, Monster.com sent letters out to the victims informing them of the theft of their information.  One of my friends was one such user.  The letter is filled with corporate-speak detailing their regret, as well as the address of a part of the Monster site that gives details about phishing and ways to avoid being a victim.

Another action Monster took in response to this event was a promise to their users to step up site monitoring and to spend $80 to $100 million on site upgrades.  According to a Reuters news article, the site had lost the support of between 200 and 300 job seekers. Monster has set up a security center for people to learn more about email phishing and what happened with the security breach.

Besides the impact this had on increased site security spending, the overall consumer effect does not seem to be that steep.  Losing 200 to 300 people out of 1.3 million is much less than 1%. As for internet feedback, most blog output on the matter seems to just be rehashing or adding facts about the incident, as well as talking generally about the need in big business for more internet security spending.  The consensus seems to be “it’s happening again… drat”, and then they go back to their normally scheduled program.  Security breaches are becoming so common that the public is becoming less fazed by them and just deals with them. Is this an indication of a more tolerant public concerning internet information security?  Or is the lack of a large response due to the fact that only basic contact information was stolen?

Interesting in-depth blog about the breach
