August 23,Network Computing — The Importance of Being Encrypted
A study conducted by Forrester Consulting, "The State of Data Security in North America", which was commissioned RSA, shows that in many companies encryption and key management programs are under developed. Mobile access to data and collaboration with partners are on the top of executives minds. A previous report by the Ponemon Institute found that while 66% of enterprises use some type of encryption, only 16% have a strategy.
Source:http://www.networkcomputing.com/showArticle.jhtml?articleID=201802076
July 31, Federal Computer Week — DoD mandates data encryption for mobile devices.
Pentagon officials must ensure certain data stored on mobile devices is encrypted in compliance with the National Institute of Standards and Technology's Federal Information Processing Standard 140−2, according to a new Department of Defense (DoD) policy. The policy, signed on July 3 by Pentagon Chief Information Officer John Grimes, mandates that all unclassified data not approved for public release should be treated as sensitive and must be encrypted. The policy does not apply to information cleared for public release. The term mobile devices describes laptop PCs and personal digital assistants, as well as removable storage media, like thumb drives and compact discs, Grimes wrote in a memo. The policy instructs Pentagon officials to pay particular attention to the encryption of mobile devices used by senior DoD officials, like flag officers and senior executives, who travel frequently outside the continental
United States. According to Grimes, the loss or theft of mobile devices storing U.S. defense information abroad is especially severe.
Source: http://www.fcw.com/article103374−07−31−07−Web
July 26, InfoWorld — IT pros fear iPod data theft.
A new study foundthat 67 percent of the 323 IT workers surveyed consider the iPod to be a potential data securityrisk. However, short of some sort of major disaster that links the Apple devices to data leakage,49 percent of those surveyed said they likely wouldn't do anything new to protect againstmisuse of the gadgets. Some 46 percent said that their companies have already establishedpolicies dictating acceptable use of the media players. Truthfully, the Credant survey highlightsthe continued disregard among companies in dictating the use of USB−capable storage devicesin general, of which the iPod is clearly just one of the most popular. When asked to rank whichUSB devices they considered to be most dangerous in terms of potential corporate data loss, avast majority (86 percent) of respondents still ranked traditional handheld storage drives, andSD−card carrying smartphones (13 percent) ahead of the iPod (10 percent).Source: http://weblog.infoworld.com/zeroday/archives/2007/07/it_pros _fear_ip.html
July 20, Network Computing — FIPS 140-2 and You
The Federal Information Processing Standards are good enough for government work, and they're gaining in popularity among security-conscious enterprises as well.
Vendors and NIST say there are indications that even the general public is realizing the value in FIPS 140-2. And, even though FIPS 140-2 is a requirement for only sensitive unclassified documents (the encryption standards for classified documents are themselves classified) maintained by the federal government or contractors, its influence extends beyond the United States and Canada, judging by the fact that there are testing laboratories outside of North America.
Source: http://www.networkcomputing.com/showArticle.jhtml?articleID=201200310 |
July 18, InformationWeek — Boeing Employee Charged With Stealing 320,000 Sensitive Files
A quality assurance inspector faces 16 charges of computer trespass for allegedly loading sensitive data on his thumb drive and walking out with it over the course of more than two years.
Eastman was arrested at his desk while at work on June 29. Police reported finding a thumb drive that was connected to his computer terminal via a USB cord that ran along the back of the terminal to the storage device that was "hidden in a drawer" in his desk. He was downloading data onto the thumb drive when he was arrested, according to the complaint.
The complaint noted that Eastman told detectives he was disgruntled with Boeing because he had brought several issues related to parts inspections to the attention of both the company and the FAA. He said none of his concerns had been addressed to his satisfaction. The report contends he said he collected data to back up his claims that there were problems with the inspection process.
Source: http://www.informationweek.com/security/showArticle.jhtml?articleID=201000820
July 18, ComputerWorld — Dumpster−diving for e−data.
Dumpster−diving −− going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans −− is alive and well in the age of USB flash drives and portable music players. Every user who throws away (or loses) a keychain−size flash drive could be unintentionally leaking critical information to a competitor. Any of the tens of millions of desktop and notebook computers disposed of each year in landfills, junkyards and yard sales could be a rich trove of corporate data left on a hard drive by lazy users or IT departments .
Dumpster−diving remains "an extremely effective way of gathering a lot of information
quickly," says Dennis Szerszen, senior vice president at patch management and security
software vendor PatchLink Corp. As an estimated 50 million or more PCs, notebooks and
servers are disposed of each year, the information they hold also poses a new and growing risk for their former owners. New portable storage devices, such as USB flash drives and portable music players, can store gigabytes of data and make it easier for a disgruntled insider to download and walk out the door with sensitive information.
Source:http://www.computerworld.com/action/article.do?command=viewA
rticleBasic&articleId=9027213&intsrc=hm_ts_head
June 28, InformationWeek — Hackers make off with personal info on applicants at
University of California−Davis.
The University of California−Davis (UC−Davis) Police
Department and Sacramento Valley High Tech Crimes Task Force are investigating the
possible theft and misuse of records containing information on about 1,120 aspiring
veterinarians who'd applied to UC−Davis School of Veterinary Medicine for the school year starting this fall. Law enforcement was alerted to the intrusion on June 15, after applicants admitted into the School of Veterinary Medicine attempted to set up campus computer accounts but were notified that accounts had already been established in their names. This led law enforcement to discover that the records of 375 veterinary medical school applicants for the 2004−2005 school year also might have been compromised. Even professionals who long ago traded in their books for briefcases aren't safe. Bowling Green State University is notifying current and former students of a certain accounting professor that a computer flash drive with information about them has been lost. Files on the portable storage device contained Social Security numbers for 199 students from the professor's classes in 1992, and the names, grades, and university identification numbers −− although not the Social Security numbers −− for about another 1,600 other students.
Source: http://www.informationweek.com/security/showArticle.jhtml;js
essionid=A1PK5RAA5NNU0QSNDLPCKHSCJUNN2JVN?articleID=20000137
4&articleID=200001374
May 31 2007 ComputerWorld — Cyberthieves steal $449K from city coffers
Most of the money is recovered, but thieves still at large
The incidents occurred last Wednesday and Thursday, when City Treasurer Karen Avilla noticed that $90,500 was transferred out of the city's general fund bank account to an unknown recipient, according to police reports filed by the Los Angeles County Sheriff's Department.
Avilla hadn't made or authorized the transfer, so she contacted officials at City National Bank in Beverly Hills, who told her that the money had been transferred to a person named Deado Smith using BT&T North Carolina Bank.
The second unauthorized transaction, for $358,500, was made the next day, when a transfer was made to a company called Broadbase Financial using National City Bank, according to the sheriff's department report. Again, Avilla said she did not authorize or make the transfer.
Avilla said today that she discovered both illegal transfers when she made her daily inspections of the city's bank account balances online.
Once she reported the thefts to the banks, a computer forensics team at the city's bank looked at the hard drives from her city-issued laptop computer and identified the likely entry point for the thefts as a Trojan horse virus that had been placed on the machine, she said.
Source :http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9022498&intsrc=hm_topic
May 22 2007 SC Magazine — Los Alamos beefs up security in wake of data breach
The theft of classified information by a contractor's former employee has forced the Los Alamos National Laboratory to implement a variety of tactical and strategic security policies commonly found in a private enterprise.
The lab has disabled all ports, including USB ports, on classified computers — some via physically gluing the port shut, others with locking devices or software — and has begun encrypting personal information on laptop hard drives.
Meanwhile, Jessica Lynn Quintana pleaded guilty in U.S. District Court in Albuquerque, N.M., last week. Hired by the northern New Mexico laboratory to archive classified information, Quintana faces up to one year in jail, five years of probation and a $100,000 fine.
Quintana admitted in her plea that when she was working in a secure area at the lab on July 27, 2006, she printed pages of classified documents and downloaded other classified data onto a USB drive, then carried the data home in a backpack, according to the U.S. Department of Justice. The government didn't say why she took the information. http://scmagazine.com/us/news/article/659068/los−alamos−beef2
May 10, InformationWeek — Study: 45 percent of workers steal data when changing jobs.
Nearly half of professionals from across a wide range of industries admit they have taken data with them −− everything from documents and lists to sales proposals and contracts −− when they've changed jobs. According to the international Information Security Survey, users polled said they don't see their companies' IT security practices as obstacles to accessing data from outside company walls or to walking out the door with it in their bag or thumb drive. They're also aware that if they're capable of taking critical information home with them, others are, too.
The survey showed that 39 percent of workers have printed a document out rather than forward it on electronically to try to minimize the number of paths it could take out of the building. The study was conducted by online survey services provider Zoomerang. More than 900 professionals, with 84 percent in the United States, were polled over a one−month period earlier this year.
Source: http://www.informationweek.com/news/showArticle.jhtml?articl eID=199500629
March 06, Federal Computer Week — VA to control, restrict use of mobile storage devices.
In the next month, the Department of Veterans Affairs (VA) will let employees plug into its network only those mobile storage devices issued by the chief information officer’s office. Robert Howard, the department’s CIO, said Tuesday, March 6, he will issue only 1G and 2G thumb drives and will not allow anything larger onto the network unless he approves it. The mobile storage devices also must be certified under the National Institute of Standards and Technology’s Federal Information Processing Standard 140−2, he added. Besides controlling thumb drives, Howard aims to have a standard configuration for smart phones and personal digital assistants, eliminate unencrypted messages that travel on the VA’s network and reduce the number of virtual private networks by the end of fiscal 2007. The department also is relying 12
more on public−key infrastructure (PKI) and Microsoft’s rights management system (RMS) in its Outlook e−mail system to do a better job of securing e−mail and documents.
Source: http://www.fcw.com/article97837−03−06−07−Web
"Portable PC drives security issue for U.S."
Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information.
But there is evidence that among global cybercriminals, phishing may already be passé. In some countries, like Brazil, it has been eclipsed by an even more virulent form of electronic con — the use of keylogging programs that silently copy the keystrokes of computer users and send that information to the crook
...more>>
|
