Sunday, December 19, 2010
17 Dec Security Roundup on the week that was
Symantec, a leading security product vendor, released the Global Intelligence Quarterly for June-Sept 10. There were two findings of special interest. The first was on the brands affected by phishing attacks. Phishing attacks are attempts to spoof company websites to fool consumers into entering their identity and authentication credentials, such as banking and credit card details, which can later be used to make fraudulent purchases or transactions. At the top of the list, 73% of phishing attacks were directed towards financial institutions such as banks. What caught my attention was the number 2 position, which at 11% was taken up by ISPs. This statistic is significant because ISP credentials provide access to an email account, which may in turn expose a wide range of other social networking and financial accounts. All a hacker needs to do is click on the “forgot password” option on company websites, which conveniently mails a temporary password to the compromised email account.
The second was the report that 38% of data loss is caused by theft of computers or flash drives (also commonly known as USB drives or pen drives). Around 500 million external and internal hard drives and 300 million flash drives are sold each year.
How many of us actually remember where all our flash drives are and what information is on them?
Flash drives are very susceptible to theft, to disposal with no content deletion or only simple deletion, and to inadvertent loss through misplacement. Information on these flash drives may find its way to media, competitors or criminals. An important point to be aware of is that using the “Empty Recycle Bin” functionality in Windows, or deleting files using the 'Delete' button, doesn't really delete files from your computer, removable disks, USB flash drives, memory sticks, or flash memory cards. The operation just removes the reference to the file; the file still exists and can be recovered with off-the-shelf software.
Besides theft, hard drives, which contain an even greater amount of data, are normally not properly erased before disposal. Disposal normally means donation or sale, which gives others easy access to these drives. There is a much publicized BBC news report about NASA selling shuttle PCs without wiping top secret data. An investigation unveiled 10 cases where PCs were sold despite failing data removal procedures, and another four PCs, which were about to be sold, were found to contain data restricted under arms control rules. Many organizations do not have properly implemented hard disk disposal policies. For less than 100 dollars, one can purchase data recovery software that recovers corporate and individual information from inadequately erased hard disks sold on auction sites.
Phishing attacks can be mitigated through self-awareness. After all, it’s the user who loses the money. The simplest method of verifying a website is through its SSL certificate, seen as a lock icon in the browser bar, and through additional site authentication certificates like the VeriSign Secured Seal. A user needs to click on the browser icon or the VeriSign Secured Seal to verify the site URL they authenticate. This is vital to the verification process.
Handle USB drives carefully, prevent misplacement, and securely erase all files prior to disposal. To securely erase a flash drive you may need to procure special-purpose wiping software, or you could exhaust the USB memory by copying non-essential log data or large, commonly available files downloaded from the Internet onto it. This process will make it quite difficult to recover overwritten data, but will become tedious as flash memory sizes increase.
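The "exhaust the USB memory" approach described above can be scripted instead of copying files by hand. The following is an added example, not part of the original post: it assumes the drive is mounted, that the files on it have already been deleted, and the function and file names (`fill_free_space`, `remove_fillers`, `filler_NNNN.bin`) are made up for illustration.

```python
import errno
import os

CHUNK = 1024 * 1024  # write random data 1 MiB at a time


def fill_free_space(mount_point, max_bytes=None, file_limit=2**31):
    """Overwrite free space under mount_point with random filler files.

    max_bytes caps the total written (None means run until the volume is
    full); file_limit keeps each file under the FAT32 4 GiB file-size limit.
    Returns (bytes_written, filler_paths).
    """
    written, paths = 0, []
    try:
        while max_bytes is None or written < max_bytes:
            path = os.path.join(mount_point, "filler_%04d.bin" % len(paths))
            paths.append(path)
            in_file = 0
            with open(path, "wb") as fh:
                while in_file < file_limit:
                    n = min(CHUNK, file_limit - in_file)
                    if max_bytes is not None:
                        n = min(n, max_bytes - written)
                    if n <= 0:
                        break
                    fh.write(os.urandom(n))
                    written += n
                    in_file += n
                fh.flush()
                os.fsync(fh.fileno())  # push the data out to the device
    except OSError as exc:
        if exc.errno != errno.ENOSPC:  # "no space left" is the normal end
            raise
    return written, paths


def remove_fillers(paths):
    """Delete the filler files once the free space has been overwritten."""
    for path in paths:
        if os.path.exists(path):
            os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage: python fill_drive.py /path/to/mounted/flash/drive
    total, fillers = fill_free_space(sys.argv[1])
    remove_fillers(fillers)
    print("overwrote %d bytes of free space" % total)
```

Flash controllers keep spare blocks for wear leveling that the file system cannot address, so filling the visible space may not touch every physical cell; this is why the result is "quite difficult" to recover rather than guaranteed unrecoverable.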