Archive for the ‘Information Security’ Category

Destroy or Encrypt the Data Remotely from Stolen and Lost Computers…as Long as the Bad Guys Don’t Get Wise…

Tuesday, April 11th, 2006

Today there were several news reports about a new service "that makes it possible to encrypt or delete data even after a laptop has gone missing."  This sounds great!

Let’s read on…

"The new Everdream "Theft Recovery Managed Service" allows organizations to retain control over lost or stolen PCs and laptops, the Fremont, Calif., company said in a statement. The service also can assist law enforcement with the tracking, locating and recovery of computers, the company said.

When a missing PC is connected to the Internet, it automatically contacts Everdream. This triggers encryption or deletion of data on the computer, based on the customer’s setting, Everdream said.

At the same time, information on the Internet connection used by the lost computer is stored. This can help locate and recover the PC, Everdream said. The service won’t work, however, if the computer’s hard disk has been formatted, because the Everdream software resides on the hard disk, an Everdream representative said."

I’m really interested to see what type of configuration possibilities this "service" has available. 

The weakness in this system is stated in the article itself: "The service won’t work, however, if the computer’s hard disk has been formatted, because the Everdream software resides on the hard disk."

Well, of course you can’t wish for technology miracles, and technology certainly has its weaknesses.  However, if the bad folks with their hands on stolen or lost computers know about this, it is likely they will first copy all the data, and not the Everdream software, onto a separate storage device and then reformat the hard drive, thus getting all that valuable data.  Of course, if the bad guys don’t keep up on this news, they will probably not know to do this, will they?  🙂

Sounds like a nice mobile computing device security possibility, though…worth looking into…

Example of the Insider Threat: An Insider Information Leak in the Honolulu FBI Office

Monday, April 10th, 2006

Wayne Sumida brought this story to my attention…thanks Wayne!

The Honolulu Advertiser reported on Saturday a case of a trusted FBI employee leaking sensitive information to drug traffickers.  This is a good example of the need for organizations to implement practices to help ensure trusted insiders can still be trusted.  In this case a secretary with the FBI had authorized access to the same information to which the FBI agents had access.  She apparently subsequently gave this confidential information to her husband, who then passed it on to members of a drug ring.

This illustrates one of the many ways in which trusted insiders can present huge risks to confidential and sensitive information, and supports the findings of the annual CERT/Secret Service insider threat results.

When you have trusted insiders with access to sensitive information, seriously consider doing the following, in addition to your other precautions, to help address the accompanying risks:

  • Give individuals access to only the information they need to perform their job responsibilities.
  • Establish formal grievance procedures and additional forums for employees to voice concerns about work practices; dissatisfied employees are the most likely to compromise security. 
  • Train management, and really all personnel, how to identify red flags associated with personnel who experience negative work-related events.
  • Provide ongoing awareness messages to personnel about the need to protect the sensitive information to which they have access, and remind them of the possible sanctions for information leaks.
  • Provide ongoing targeted training and awareness for personnel with access to sensitive information.
  • Perform regular background, criminal and credit checks on personnel with access to particularly sensitive information.
  • Implement access logs to keep track of the individuals accessing sensitive information, and when they are accessing it. 
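The first and last items on that list (need-to-know access and access logging) only pay off if someone actually reviews the logs against the entitlements. The script below is an added illustration, not part of the original post or any FBI system; it assumes a constructed log format (`timestamp user= role= record= class= action=`) and a constructed role-to-record-class policy, and it flags two things the Honolulu case would have shown: a role reading record classes its job does not require, and one account pulling many distinct records in a short window.

```python
"""Review an access log against a need-to-know policy (added example, constructed data).

Assumed log line format (not the page's): one event per line,
'<ISO timestamp> user=<id> role=<role> record=<id> class=<class> action=<verb>'.
"""
from collections import defaultdict
from datetime import datetime

# Constructed need-to-know policy: which record classes each role's job requires.
POLICY = {
    "agent": {"case-file", "informant", "scheduling"},
    "secretary": {"scheduling"},
}

# Constructed sample log lines (no real users, cases or informants).
SAMPLE_LOG = """\
2006-04-10T08:02:11 user=u1001 role=agent record=C-4471 class=case-file action=read
2006-04-10T08:05:40 user=u2002 role=secretary record=S-17 class=scheduling action=read
2006-04-10T08:06:02 user=u2002 role=secretary record=C-4471 class=case-file action=read
2006-04-10T08:06:09 user=u2002 role=secretary record=I-93 class=informant action=read
2006-04-10T08:06:15 user=u2002 role=secretary record=I-94 class=informant action=read
2006-04-10T08:06:21 user=u2002 role=secretary record=I-95 class=informant action=read
2006-04-10T09:30:00 user=u1001 role=agent record=I-93 class=informant action=read
"""


def parse_line(line):
    """Parse one log line into a dict; reject malformed lines instead of guessing."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"malformed line: {line!r}")
    event = {"ts": datetime.fromisoformat(parts[0])}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        if not key or not value:
            raise ValueError(f"malformed field {kv!r} in {line!r}")
        event[key] = value
    return event


def parse_log(text):
    """Parse a whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def out_of_scope(events, policy=POLICY):
    """Events where the user's role has no job need for the record class.

    A role absent from the policy is treated as needing nothing, so unknown
    roles are flagged rather than silently allowed.
    """
    return [e for e in events if e["class"] not in policy.get(e["role"], set())]


def bulk_readers(events, threshold=3, window_seconds=60):
    """Users who touched >= threshold distinct records within window_seconds.

    Returns {user: largest number of distinct records seen in any window}.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Distinct records this user read in the window ending at this event.
            recent = {x["record"] for x in evs[: i + 1]
                      if (e["ts"] - x["ts"]).total_seconds() <= window_seconds}
            if len(recent) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(recent))
    return flagged


def review(text, policy=POLICY):
    """Run both checks and return the findings for a reviewer."""
    events = parse_log(text)
    return {
        "out_of_scope": out_of_scope(events, policy),
        "bulk_readers": bulk_readers(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for e in findings["out_of_scope"]:
        print(f"OUT OF SCOPE {e['ts']} {e['user']} ({e['role']}) read {e['class']} {e['record']}")
    for user, n in findings["bulk_readers"].items():
        print(f"BULK READ {user}: {n} distinct records inside one 60s window")
```

On the constructed log the secretary account is flagged twice: four reads of case-file and informant records outside its role, and five distinct records inside one minute. Neither check proves wrongdoing on its own; they tell a reviewer which entitlements and which sessions to look at, which is the point of keeping the logs in the first place.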

Of course, some people with trusted access will do bad things regardless.  However, being vigilant in your information security and awareness efforts will help to reduce the likelihood of such incidents.

iPod Accomplice for Stolen Credit Card Numbers in San Francisco

Saturday, April 8th, 2006

I read with interest the story published yesterday about the San Francisco man arrested "on 53 felony counts of fraud and forgery for stealing hundreds of credit card numbers, many of which he stored on an iPod."

"Lee had been staying for months at first-class hotels on Nob Hill, using stolen identities and credit cards, The San Francisco Chronicle reported. Lee was arrested outside the Grosvernor Suites hotel after signing a receipt for the delivery of computers he ordered using the name of a San Francisco attorney whose wallet was reported stolen from his Mercedes a few days earlier.  A subsequent search of Lee’s hotel room turned up a list of more than 500 names and credit card numbers, police said.  Among the names were Nancy Pelosi, the House Democratic leader in Congress, and LaRae Quy, spokeswoman for the FBI’s San Francisco office."

I love my iPod…I’m trying to figure out the possible scenarios for how the information could have most easily been stored on the iPod…and the other scenarios for which the data could have been first input to his computer and then transferred to the iPod…very easy but very slow if he input one at a time from stolen wallets and purses.  A good possibility is that he was able to connect to a network and copy the data from an inadequately secured folder or file on the network…

This recalls the iPod slurping discussed a few weeks ago and how easily a software tool created by Abe Usher could be used to copy, quite quickly, files from a network if an iPod is attached to the network.

Perhaps Lee was actually able to connect to networks with his iPod and use this tool, or something similar?  Perhaps the hotel’s network?  Perhaps through a wireless AP?

Good, Free Information Security Materials from the USPS

Friday, April 7th, 2006

Bob Johnston provided a great pointer on the CISSPforum maillist for good, free information security resources from the United States Postal Service: 7 free fraud and information security awareness DVDs.  Thank you for the heads-up, Bob!

The free awareness DVDs include:

  1. All the King’s Men: Picking Up the Pieces. This DVD is about fraud schemes and how to avoid becoming a victim, and how to recover from fraud.
  2. Nowhere to Run: Cross-Border Fraud. This film illustrates how U.S. Postal Inspectors created task forces with Canadian law enforcement partners to stop "long distance" scams through long distance calls and the Internet.
  3. Web of Deceit: Internet Fraud. This DVD tells the story of a scammer who uses the Internet to victimize unsuspecting consumers around the world until he gets caught in his own web of deceit.
  4. Long Shot: Foreign Lottery Scams. This free DVD tells the story of a foreign lottery fraud victim and the con artist behind the scam.
  5. Work-at-Home Scams: They Just Don’t Pay.  This film tells the story of a new type of work-at-home scam and how a mother gets caught up in it.
  6. Identity Crisis: Protect Your Identity. This DVD tells the story of a couple whose credit is ruined and of the criminals who defrauded them.
  7. Delivering Justice: Dialing for Dollars. This DVD tells the story of a phone investment "opportunity" scam and the lives that are ruined by these criminals.

Vermont Incident Demonstrates Many Security Snafus

Monday, April 3rd, 2006

Here’s a Vermont incident reported yesterday that includes many compliance and information privacy and security topics…

  • Theft of a laptop from car
  • Reasons why large databases of personal information should not be stored on mobile computing devices
  • Unauthorized disclosure of personal information
  • The need to report breaches of personal data quickly
  • The ease with which emails can be spoofed
  • The need to encrypt confidential information in storage as well as in transit

This incident really did cover almost the gamut of security gone wrong.

Data Breaches in Small Businesses

Thursday, March 30th, 2006

An IDG News report yesterday announced the availability of a free Better Business Bureau (BBB) customer data security kit through their "Security and Privacy — Made Simpler" website, which was launched on Monday (3/27) for the benefit of small businesses, which typically do not have the resources to run a full information security program.  The report contained some interesting statistics:

  • 56% of U.S. small businesses experienced data breaches in 2005.
  • 20%  of small businesses do not use virus-scanning software for email.
  • 60% of small businesses do not protect wireless networks with encryption.

The report did not define what counts as a data breach, so that could cover a very wide range of incidents.

The Small Business Association generally defines a small business as one that has 500 – 1000 (depending on the industry) employees.  Using 999 or fewer employees as my rule of thumb, according to the U.S. Census Bureau (their range broke at 999 or fewer employees) there were 5,775,535 small businesses in 2003.  If the number is still the same (I imagine there are more now though), this means that based on the given percentages:

  • 3,234,300 small U.S. businesses had data breaches
  • 1,155,107 small U.S. businesses do not use virus-protection software to scan emails
  • 3,465,321 small U.S. businesses do not use encryption with their wireless networks (if all had wireless networks)

YIKES!!  However…

I’m not too surprised by these numbers; I’ve performed a large number of business partner security program reviews over the past few years, and it is still common to find small- to medium-sized organizations, as well as large organizations, with no documented information security policies or procedures, no encryption used anywhere, no wireless security, and…something missing from the report that is very common and critical…no documented business continuity (including backup and disaster recovery) plans. 

The BBB also plans to release an employee data protection toolkit later this year.

The BBB site is very new, but looking at the headings it could potentially contain very useful and interesting information as it becomes populated; e.g., "Data Breach Horror Stories" and "Current Security and Privacy News" (which are currently empty).

It would be helpful if the BBB and the others involved with the creation of the toolkit could provide some studies or statistics about the breaches that have occurred…considering how many there have been, there should be some data, even at least partial, available to learn from.
