Various news media are reporting that over 30,000 email accounts belonging to users of web-based email providers such as Gmail, Yahoo! Mail, Hotmail and AOL (to name a few) have been compromised. It is unclear yet as to the exact nature of the compromise. Some reports state that the accounts were compromised by a phishing attack. Others, including some of the sources I have spoken to, state that the accounts were compromised as the result of a trojan or keylogger infecting the victims' machines.
Either way, if you use a webmail-based service you should change your password. Also make sure you do not use the same password across different systems, because if your email password has been compromised then those other systems could be accessed by the criminals. If you are responsible for managing the security of your organisation then consider that some of your users may use the same password for their personal email and their corporate account. You should monitor your access logs and, if you detect any suspicious activity such as logins from countries your users are not based in, react accordingly. The CyberCrime & Doing Time blog has a good post on the topic which analyses how they believe the attack may have happened.
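As an added illustration (not part of the original post), here is a small Python check over constructed access log lines that flags successful logins from countries a user is not expected to be in; the user-to-country baseline is an assumption and would come from your own HR or directory data.

```python
# Added example: flag webmail logins from unexpected countries.
# Log format and per-user country baseline are assumptions.

# Constructed sample log lines: timestamp, user, source IP, country, result
SAMPLE_LOG = """\
2009-10-06T08:01:12 alice 203.0.113.5 IE success
2009-10-06T08:05:40 bob 198.51.100.7 IE success
2009-10-06T08:09:03 alice 192.0.2.44 NG success
2009-10-06T08:11:55 carol 198.51.100.9 IE failure
2009-10-06T08:12:30 bob 192.0.2.17 RU success
2009-10-06T08:14:02 dave 203.0.113.88 GB success
"""

# Assumption: where each user normally works from (from HR/AD in practice).
EXPECTED_COUNTRIES = {
    "alice": {"IE"},
    "bob": {"IE", "GB"},
    "carol": {"IE"},
    "dave": {"GB"},
}


def parse_log(text):
    """Parse the whitespace-separated constructed format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip,
                       "country": country, "result": result})
    return events


def suspicious_logins(events, expected=EXPECTED_COUNTRIES):
    """Return successful logins from a country the user is not expected in.
    Unknown users are flagged too, since there is no baseline for them."""
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are a separate brute-force signal
        if e["country"] not in expected.get(e["user"], set()):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {e['ts']} {e['user']} from {e['ip']} ({e['country']})")
```

Failed attempts are deliberately skipped here; a burst of failures against one account is worth a separate alert of its own.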
From a security point of view I have to admit that I do have concerns over the growing “beta culture”. The problem is compounded by what is now acceptable to release to consumers. In many cases tagging the phrase “beta” onto your product seems to be a get-out-of-jail-free card. But in spite of that tag, a lot of these products are snapped up by the public without any consideration of the potential risks. Would you buy a microwave, car or gas boiler if you were told it was not fully tested? Yet for electronic gadgets, computer systems and application software the general public seems comfortable entrusting their “digital life” to untried and untested solutions.
Look at Google’s range of applications. Gmail is still beta, as is Google Docs. Yet millions of people and businesses are entrusting sensitive and personal data to these applications. Another good example is the Google Chrome browser. It is still a beta product, yet when released it created a buzz and many people downloaded it onto their systems. Within days a number of security bugs were found in Chrome and Google had to rush out patches.
The challenge many vendor companies face is that they have commercial deadlines to meet in order to satisfy shareholders and customers. To compete, products are becoming more and more sophisticated and complex. It used to be that all you used your mobile phone for was making and receiving calls. Now your phone is a mini-computer that can take pictures and videos, record and play music and browse the Internet. But complex systems are very difficult to secure properly, and criminals and hackers actively look to exploit bugs in these systems. Badly designed and/or complex systems that are not properly tested will result in those criminals being successful.
Consumers also seem unaware of the risks. They want the latest and greatest gadgets or applications to show off to their friends or workmates, yet do not worry whether the products they are using could result in their data being lost, corrupted or accessed by others.
The above is compounded by the fact that companies often have clauses in their licence agreements that protect them from legal action by the customer should their device or application fail in such a way as to cause them damages. So if your sensitive financial details are stolen from your shiny new phone by criminals due to a bug in the phone’s software, then you have little or no recourse against the manufacturer.
Consumers need to be more cognisant of the risks they take with new systems and not rush out to buy the latest gadgets until they have been properly proven. But with the appetite for newer and shinier toys ever increasing this may not happen.
Me, I still stick by my trusty Nokia 6310i mobile phone.
I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper. A podcast of the show is available here; my piece is about 5 minutes in from the beginning.
I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses. Have we moved on to realise that the threat landscape is changing?
Marie Boran from The SiliconRepublic.com challenged me recently to steal her identity. I had to work within the following parameters:
I could do nothing illegal
I could only use information gleaned from online sources
I could not contact or collaborate with any of her friends or colleagues.
So to this end our keyboards-at-dawn challenge began and I fired up Google to see what I could find out about Marie. Suffice it to say that after much searching and cross-referencing I was able to gather enough information to build up a false identity in her name. The information I got included:
Her date of birth
Her father’s name
Her mother’s name
Her home address
Her education details
Her professional details
Personal information on her likes and hobbies, and even what blusher she likes to wear.
Today’s Sunday Independent ran a piece in their business supplement on what companies should be doing to protect the data stored on various devices such as PCs and laptops. I am quoted in the article and highlight that companies need to develop their data classification and handling policy and educate their staff in it before rushing out to solve the problem using technology alone. I have said it before and I will say it again: technology is only part of the solution; people and processes are equally, if not more, important.
By the way in case you read the article and are wondering what document I am holding in the picture, it is the ISO 27001 Information Security Standard. Quite appropriate for the topic being discussed.
Marie Boran from The SiliconRepublic.com published a good article on the upcoming Cyber Crime seminar being run next Wednesday at 14:00 in Jury’s Hotel Croke Park. There are still places available so if you are interested in how cyber crime can impact you or how to prevent you, your family or your company becoming victims of cyber crime then contact me to register.
The Summer 2008 edition of our sister publication, the Security Watch Newsletter, is now available online. For those of you who do not subscribe to our newsletter, you may find it a useful read as we highlight issues and stories that may not be applicable to our blog.
Today’s Irish Independent has an article “The Perils of Identity Theft” citing me on some of the issues that staff need to be aware of when dealing with sensitive personal information belonging to the customers of their employer. We all need to be careful with the data we access in order to do our job and we need to handle that data accordingly.
When it comes to cash, companies are quick to ensure staff know exactly what they are and are not supposed to do when handling it. Unfortunately, when it comes to data, many companies do not take the time to identify what data is sensitive, how they should protect that data, who should have access to it and how those with access should treat it. Very often companies rely on employees to “do the right thing” or assume that IT will have it covered.
Without a comprehensive, unambiguous and well communicated data handling and classification policy your company will be doomed to have a data breach at some stage. If you are a manager reading this and your company does not have such a policy in place then I recommend you look into this as soon as possible. Take it one step further and consider implementing the ISO 27001 Information Security Standard in your organisation. A key element of the standard is data classification and handling. By implementing the standard you will also have the confidence that your company has taken appropriate steps to make that data more secure.
If you are an employee and you are not sure what your company’s data classification and handling policy is then you should ask. If there is not one in place then insist that you are told exactly what you are supposed to do with the information you are working with.
Remember that some industries have regulatory and/or legal requirements for certain types of data and in any event the Data Protection Act places certain obligations on how companies deal with data.