Archive for RB

Zeus Raids School

A New York school district was the victim of an apparent Zeus trojan attack that appears to have netted the thieves nearly $500,000. InformationWeek is reporting that the FBI and the New York State Police Cyber Crime and Critical Infrastructure Unit are investigating an attempt last month to steal about $3.8 million from the Duanesburg Central School District near Schenectady, New York.

According to the January 6 article, online thieves made a series of unauthorized funds transfers from the school district’s NBT Bank account to an overseas bank between December 18 and 22, 2009. The third transfer during this period was flagged as abnormal activity by the bank, which began blocking pending transactions after the school district confirmed the transfers had not been authorized. Working with foreign banks, NBT Bank recovered about $2.5 million out of $3 million stolen during the four-day period, but two previous unauthorized transactions were discovered.
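The article does not say how NBT Bank decided that the third transfer was abnormal. As an added illustration (not from the article and not the bank's code), the following Python script runs a few common wire-transfer rules over a constructed transfer history and reports how much money each rule lets out before it fires; the rules, their thresholds, the beneficiary identifiers and every amount are assumptions made for the example.

```python
"""Added example: rule-based monitoring of outgoing wire transfers.

Not the bank's code; the rules, thresholds and all transfer data below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    day: date
    amount: float      # USD
    beneficiary: str   # receiving account identifier (constructed)
    country: str       # country of the receiving bank (constructed code)


# Constructed baseline: the account's routine domestic transfers from the
# preceding quarter. Everything the monitor "knows" comes from this list.
HISTORY = [
    Transfer(date(2009, 10, 15), 410_000.0, "US-PAYROLL-01", "US"),
    Transfer(date(2009, 11, 2), 62_500.0, "US-VENDOR-07", "US"),
    Transfer(date(2009, 11, 16), 415_000.0, "US-PAYROLL-01", "US"),
    Transfer(date(2009, 12, 1), 58_900.0, "US-VENDOR-07", "US"),
]

# Constructed December activity, loosely modelled on the article's timeline:
# a run of large transfers to a never-seen overseas beneficiary.
DECEMBER = [
    Transfer(date(2009, 12, 18), 497_200.0, "XX-NEW-99", "XX"),
    Transfer(date(2009, 12, 19), 500_000.0, "XX-NEW-99", "XX"),
    Transfer(date(2009, 12, 21), 1_250_000.0, "XX-NEW-99", "XX"),
    Transfer(date(2009, 12, 22), 1_750_000.0, "XX-NEW-99", "XX"),
]


def evaluate(history, transfers, window_days=7, velocity_count=3,
             cumulative_limit=2_000_000.0):
    """Return [(transfer, [names of the rules that fired]), ...] in order.

    new-beneficiary  : destination account never paid before
    new-country      : destination country never paid before
    velocity         : N-th transfer to the same beneficiary inside the window
    cumulative-limit : rolling-window total to that beneficiary exceeds the limit
    """
    known_accounts = {t.beneficiary for t in history}
    known_countries = {t.country for t in history}
    seen = []       # transfers already processed, oldest first
    findings = []
    for t in transfers:
        reasons = []
        if t.beneficiary not in known_accounts:
            reasons.append("new-beneficiary")
        if t.country not in known_countries:
            reasons.append("new-country")
        recent = [s for s in seen
                  if s.beneficiary == t.beneficiary
                  and (t.day - s.day).days < window_days]
        if len(recent) + 1 >= velocity_count:
            reasons.append("velocity")
        if sum(s.amount for s in recent) + t.amount > cumulative_limit:
            reasons.append("cumulative-limit")
        seen.append(t)
        findings.append((t, reasons))
    return findings


def first_flagged_index(findings, rule):
    """Index of the first transfer that the rule flagged, or None."""
    for i, (_, reasons) in enumerate(findings):
        if rule in reasons:
            return i
    return None


def exposure_before_first_flag(findings, rule):
    """Money that leaves before the rule fires (all of it if it never fires)."""
    idx = first_flagged_index(findings, rule)
    stop = len(findings) if idx is None else idx
    return sum(t.amount for t, _ in findings[:stop])


if __name__ == "__main__":
    results = evaluate(HISTORY, DECEMBER)
    for t, reasons in results:
        print(f"{t.day} {t.amount:>12,.0f} -> {t.beneficiary}: "
              f"{', '.join(reasons) or 'clean'}")
    for rule in ("new-beneficiary", "velocity", "cumulative-limit"):
        print(f"{rule:17s} first fires on transfer "
              f"{first_flagged_index(results, rule)}, "
              f"${exposure_before_first_flag(results, rule):,.0f} already gone")
```

Which rule is deployed decides how much leaves before anyone notices: on this data a first-payment-to-new-beneficiary rule fires on the first transfer, while a velocity or running-total rule fires only on the third. A first-payment rule is normally paired with an out-of-band confirmation to a phone number on file, because the online credentials used to submit the transfer are exactly what a banking trojan has already captured.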

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered,” wrote Superintendent Christine Crowley in a letter on Monday to district parents and community members. “However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.”

The district website says, “At this time, we do not have any more information on how this happened and do not expect to have any more information to share until the investigation concludes.”

Security researchers at Trusteer point out in a recent DarkReading article that Zeus is detected only 23 percent of the time by up-to-date anti-virus applications. The massive Zbot botnet is made up of 3.6 million PCs in the U.S., according to Damballa data. The malware steals users’ online financial credentials and sends them to a remote server, and it can inject HTML into pages rendered by the victim’s browser to display its own content mimicking, for instance, a bank’s Web page.
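One defensive consequence of that injection behaviour: the server knows exactly which fields its login page legitimately contains, so any extra field in the page the browser actually rendered, or in the form data the browser actually submitted, is evidence that something between the server and the screen altered the page. The Python check below is an added example, not code from Trusteer or any bank; both HTML documents and the field names in them are constructed.

```python
"""Added example: form-integrity check against injected HTML fields.

Not from any bank or vendor; both documents below are constructed.
"""
from html.parser import HTMLParser


class FieldCollector(HTMLParser):
    """Collects the name attribute of every form control in a document."""

    FORM_CONTROLS = ("input", "select", "textarea")

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (for <input ... />) delegates here by default.
        if tag in self.FORM_CONTROLS:
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name.strip().lower())


def form_fields(html):
    """Set of (lower-cased) field names present in an HTML document."""
    parser = FieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(expected_html, observed_html):
    """Field names present in the observed page but not in the server's copy."""
    return form_fields(observed_html) - form_fields(expected_html)


def unexpected_submission_fields(expected_html, posted_fields):
    """Field names in a POST body that the served form never asked for."""
    return {f.strip().lower() for f in posted_fields} - form_fields(expected_html)


# Constructed: the login page as the server sent it.
SERVED = """
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Sign in</button>
</form>
"""

# Constructed: the same page as a tampered browser might render it, with an
# extra block of "verification" fields inserted into the real form.
RENDERED = """
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <fieldset>
    <legend>Additional verification required</legend>
    <label>ATM PIN <input type="password" name="atm_pin"></label>
    <label>Social Security Number <input type="text" name="SSN"></label>
  </fieldset>
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    print("injected into rendered page:", sorted(injected_fields(SERVED, RENDERED)))
    post = {"csrf_token": "x", "username": "u", "password": "p", "atm_pin": "1234"}
    print("unexpected in submission:", sorted(unexpected_submission_fields(SERVED, post)))
```

The submitted-fields check is the more robust of the two because it runs on the server: a client-side DOM comparison executes inside the same browser the malware controls and can be suppressed there. A submission that carries field names the page never asked for is a strong signal to decline the session and contact the customer out of band rather than to process the login.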

“Zeus’ infection rate is higher than that of any other financial Trojan. We are seeing actual fraud linked to Zeus — accounts being compromised, [and] money transferred from accounts of customers infected with Zeus,” Mickey Boodaei, founder and CEO of Trusteer, told DarkReading. “When we investigate some of our banking customers’ [machines infected by it], we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.”

The security blog says that organizations can’t control the transmission vectors, which are increasingly social networking and/or webmail applications. Given the high degree of user trust and the huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of the threats are social-network-specific (e.g., Koobface, FBAction), but many times they re-use existing or older threats delivered in a new, hybrid way, exploiting the trust associated with social networks, which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat, especially when users click first and think later.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

AT&T Asks to Drop POTS

eWeek is reporting that AT&T has told the FCC that, in order to extend broadband access to all Americans, it needs to get out of the land-line business so it can focus funds on broadband and IP-based communications. AT&T makes the case in a 32 page filing responding to an FCC Request for Comment on the transition from circuit-switched to all-IP networks.

AT&T called Congress’ 100 percent broadband goal “auspicious,” writing, “Broadband is dramatically changing the way Americans live, work, obtain health care and interact with the government. Congress and the Commission have rightly made universal broadband access a core national priority.” AT&T said this goal would be within reach if the resources of the FCC and its stakeholders were put toward developing and executing a strategy that included an “orderly transition away from, and retirement of, the PSTN.”

AT&T wants to shut down its analog PSTN

AT&T has asked the FCC to create a timetable that would allow the company to shut down its analog public switched telephone network (PSTN) so more investment would flow to its IP-based initiatives.  “That transition is underway already,” AT&T wrote to the FCC in the Dec. 21, 2009 communication. “With each passing day, more and more communications services migrate to broadband and IP-based services, leaving the public switched telephone network (PSTN) and plain-old telephone service (POTS) as relics of a bygone era.” AT&T also said that less than 20 percent of Americans rely exclusively on POTS for voice service, while 25 percent of households have abandoned POTS. It noted that some 700,000 lines are being turned off each month.

The telecommunications giant argues that having to maintain and invest in two networks, broadband and the PSTN, means Congress’ goal “will not be met in a timely or efficient manner.” The company said that while 90 percent of Americans have access to broadband services, reaching that last 10 percent would require an investment of about $350 billion. “Due to technological advances, changes in consumer preference, and market forces, the question is when, not if, POTS service and the PSTN over which it is provided will become obsolete,” AT&T wrote to the FCC.

AT&T outlined steps for shutting down the PSTN and wants the FCC to swiftly follow them.

rb-

Some of the issues that AT&T’s plan raises are life-safety issues. A POTS line maintains a dial tone and the ability to make and receive calls during catastrophes and emergencies. When large catastrophes strike, there can be no power for days, or even weeks in some areas. No power means no broadband Internet, which means VoIP phone services don’t work. No power to cell towers means no bars on your cell signal and no wireless service.

The ability to place 911 calls will also be an issue under an all IP system. With a POTS land-line, it is easy to match a phone number with a physical address, but with broadband VoIP, the 911 operators can’t tell where the call originates from.

Most importantly, as DSLReports points out, AT&T’s objective is to move all broadband regulation to the more-easily lobbied federal level, to revamp the Universal Service Fund so it works more in AT&T’s favor, and to collect whatever other regulatory perks it can squeeze out of the FCC.



Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center, a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches occurred across all sectors, with businesses having the most, followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers and in some cases state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals will preempt state measures and will allow paper-based breaches to go unreported because they would require notification only when data stored electronically is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the data breach is in electronic or paper form.

rb-
When we talk to clients about information security, and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or on a database server. Data on paper is just another form of data that needs to be protected by information security policies.

Related articles
  • Identity theft and data breaches increased in 2010 (lexingtonlaw.com)



Digital Food for Dinner

The Fluid Interfaces Group at MIT has developed a “personal food factory.” According to Globalspec, the scientists have created a prototype 3D printer that stores, mixes, deposits, and cooks layers of ingredients, producing results that will rival your grandmother’s multi-layered lasagna.

The project called Cornucopia is a concept design for a personal food factory that brings the versatility of the digital world to the realm of cooking.

MIT 3D Food Printer, Virtuoso Mixer and Robotic Chef

MIT says Cornucopia’s cooking process starts with an array of food canisters, which refrigerate and store a user’s favorite ingredients. These are piped into a mixer and extruder head that can accurately deposit elaborate combinations of food. While the deposition takes place, the food is heated or cooled by Cornucopia’s chamber or the heating and cooling tubes located on the printing head. This fabrication process not only allows for the creation of flavors and textures that would be completely unimaginable through other cooking techniques, but it also allows the user to have ultimate control over the origin, quality, nutritional value, and taste of every meal.

rb-

Will work for food


Personal Laptops at Work?

CIO.com is reporting on a recent survey by Gartner which claims that 10% of a firm’s laptop computers are employee-owned. The research firm says that companies are starting to let employees use privately owned laptops for work purposes, according to a survey of 500 IT managers in the U.S., U.K., and Germany. The IT managers said they expect that percentage to creep higher next year.

Gartner says that some employees like the trend because it means they can have more powerful laptops and newer designs than their companies’ IT departments offer. The survey found that 47% of workplaces have banned employee-owned PCs, 43% have policies that allow the use of employee-owned PCs for work-related purposes, and 10% have no policy on the matter.

Gartner believes this trend is popular with employers because of cost: when employees bring their own hardware to work, the employer doesn’t pay for it or support it.

rb-

Who was Gartner interviewing? What regulated firm (SOX, PCI, HIPAA, etc.) would allow unknown devices on its internal network? This trend needlessly exposes the company to malware and data theft risks. We encourage our clients to go in the opposite direction. We talk to them, and we write and enforce policies that ban personal devices like USB drives and iPods because of the data theft risk. We also suggest they get control of remote access and private email on the corporate network.

This really seems to be a lax policy in this age of cyber-crime because privately owned hardware could open the door for a hacker.
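As an added example of the “unknown devices on the internal network” problem (not code from Gartner, CIO.com or the author’s practice), the following Python script compares DHCP lease events against an asset inventory and lists every device that was handed an address but is not a known corporate asset. The log lines imitate the syslog output of ISC dhcpd but are constructed, as are the MAC addresses, hostnames and the inventory itself.

```python
"""Added example: find devices on the network that are not in the asset inventory.

Constructed data throughout; the log line format imitates ISC dhcpd syslog
output ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>").
"""
import re
from collections import OrderedDict

# Constructed asset inventory: MAC -> asset tag for company-owned hardware.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "DESK-0142",
    "00:1a:2b:3c:4d:5f": "DESK-0143",
    "00:1a:2b:3c:4d:60": "PRN-0007",
}

# Constructed DHCP server log excerpt.
LOG = """\
Dec 18 09:12:01 dhcp01 dhcpd: DHCPACK on 10.1.20.57 to 00:1a:2b:3c:4d:5e (DESK-0142) via eth0
Dec 18 09:13:44 dhcp01 dhcpd: DHCPACK on 10.1.20.58 to 00:1A:2B:3C:4D:5F (DESK-0143) via eth0
Dec 18 09:15:09 dhcp01 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Dec 18 09:15:10 dhcp01 dhcpd: DHCPACK on 10.1.20.61 to de:ad:be:ef:00:01 (personal-laptop) via eth0
Dec 18 09:20:12 dhcp01 dhcpd: DHCPACK on 10.1.20.70 to 00:1a:2b:3c:4d:60 via eth0
Dec 18 11:02:55 dhcp01 dhcpd: DHCPACK on 10.1.20.61 to de:ad:be:ef:00:01 (personal-laptop) via eth0
"""

# Only DHCPACK lines matter: they record an address actually being handed out.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via"
)


def parse_acks(log_text):
    """Yield (mac, ip, hostname) for every DHCPACK line; MACs lower-cased."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("mac").lower(), m.group("ip"), m.group("host") or ""


def unknown_devices(log_text, inventory):
    """Devices that received a lease but are not in the inventory.

    Returns one dict per unknown MAC with the IPs it was given and how many
    leases it obtained, in first-seen order.
    """
    seen = OrderedDict()
    for mac, ip, host in parse_acks(log_text):
        if mac in inventory:
            continue
        entry = seen.setdefault(
            mac, {"mac": mac, "hostname": host, "ips": [], "leases": 0})
        entry["leases"] += 1
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
        if host and not entry["hostname"]:
            entry["hostname"] = host
    return list(seen.values())


if __name__ == "__main__":
    for d in unknown_devices(LOG, INVENTORY):
        print(f"UNKNOWN {d['mac']} ({d['hostname'] or '?'}) "
              f"ips={','.join(d['ips'])} leases={d['leases']}")
```

The inventory lookup is the whole control: a device the help desk never issued has no business obtaining a lease, and on a network with 802.1X or a NAC product the same comparison is what decides whether the switch port is opened at all. Matching on MAC address alone is a weak identity check, so in practice the inventory comparison is combined with certificate-based device authentication; this script is the reporting half of that arrangement.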

What do you think?

