Sunday, March 29, 2009

ID Theft Statistics

 

    * Over 10 million identity theft victims in the US.
    * An identity is stolen every 4 seconds in the US.
    * The average cost to restore a stolen identity is $8,000.
    * Victims spend an average of 600 hours recovering from this crime.

Tuesday, March 24, 2009

827% Increase in Malware Sites with Password-Stealing Crimeware

According to the Anti-Phishing Working Group [1], the number of websites hosting malware/crimeware that can infect PCs with password-stealing software reached an all-time high of 31,173 in December, an 827% increase from 12 months prior. December alone was nearly 3 times higher than any previous month on record.


 

Wednesday, March 11, 2009

'Online crime is low risk, high reward.'

By Paul Marck, Canwest News Service, March 11, 2009

 

Online credit card fraud is a growing worldwide epidemic, and experts warn if Canadians think they're less vulnerable because they only use secure transaction sites, they need to think again.

 

Gary McIntyre, lead security architect for IBM Canada, says e-commerce fraud that empties bank accounts, steals identities and hoists credit card information is easy and profitable for cybercriminals, wherever they are.

 

``Online crime is low risk, high reward,'' says McIntyre. ``Given that it occurs over multiple jurisdictions and across borders, it is difficult to prosecute.''

 

Last year, an estimated $4 billion was lost by U.S. merchants to Internet fraud, double the losses of only five years ago, according to an annual study by Cybersource Corp.

 

Many swindles come from spamming and phishing, where online criminals seek credit card and bank account information by posing as legitimate businesses, or masquerading as financial institutions.

 

By sending out thousands or even millions of phishing e-mails seeking people to part with their personal financial information, criminal hackers need only a tiny percentage of positive responses to rake in big bucks.

 

IBM's recently released X-Force Trend and Risk Report indicates several countries vied for the top spot as spam senders, with Russia, China and Brazil leading the way. China also held the distinction as the No. 1 host of malicious websites, surpassing the U.S., the X-Force report said.

 

Fear of hacking intrusions is scaring businesses into taking action. But it's not necessarily the right action. Another report, PricewaterhouseCoopers' 2008 global study on international online security, says businesses are spending indiscriminately on online security technology.

 

``Our survey identified a worrying trend within many organizations who are throwing increasing resource dollars at technology solutions without fully understanding the threats they face,'' says Salim Hasham, vice-president of the advisory services practice for PwC.

 

Confused corporate priorities or a lack of vision aligning security spending and business needs compound the vulnerabilities, says Hasham.

 

A major example of online fraud in Canada last year was a malware application called XP Antivirus 2008. Thousands of gullible individuals and businesses were scammed. A pop-up banner ad claimed to execute a quick system scan, detecting that the user's computer was infested with viruses.

 

Users were directed to download an antivirus program for a fee. What people got was a piece of malware that searched the host computer for personal data - plus the user had already turned over credit card information to pay for the fake download.

 

``It was very professional and very slick,'' says IBM's McIntyre, who consults with clients across the country. ``I've had customers who fell for this hook, line and sinker.''

 

Financial institutions and their customers are by far the most popular targets for criminal hackers. Transaction sites are vulnerable and the X-Force report says that growing numbers of hackers implant undetected code in the back-office end of commercial databases, intercepting personal information and thus turning a legitimate business against its own customers.

 

Such intrusions, called ``spear phishing,'' play on a consumer's sense of trust. The aim is to gather enough data from a company that the hacker can send its customers personalized communications. These e-mails contain enough legitimate information to give customers a sense of authenticity and comfort, after which they will more likely follow links to bogus sites where they then divulge personal and financial information.

 

``Hackers are using ever more sophisticated attacks with a blend of technology and good old-fashioned social engineering in many cases to fool customers into giving up their personal data, such as access passwords to their bank accounts,'' says Hasham.

 

Financial loss is the main driver behind businesses trying to protect their e-commerce sites, but not the only one. PwC's survey, with more than 7,000 responses worldwide, said the main business impacts from illegal hacking include:

 

* Financial loss, 39 per cent
* Theft of intellectual property, 30 per cent
* Brand compromise or reputation loss, 27 per cent
* Fraud, 21 per cent

 

``This is indicative of a new breed of attack focused on stealing corporate resources or negatively impacting consumer confidence,'' says Hasham.

 

There is no single solution for businesses to protect themselves, says McIntyre. Filling that business need is the sweet spot for IBM and IT security consultants. They address the gap with a wide variety of services, products and third-party vendors to layer security protection across a corporate IT system.

 

``The important thing is to take advantage of all of these resources,'' says McIntyre.

 

But there are no guarantees.

 

Last year, a leading Canadian e-commerce site was compromised, with illicit disclosure of information happening ``frequently'' until the intrusion was detected and measures taken to fix processes, McIntyre says.

 

The company is well known, but never publicly disclosed that it had been hacked. Once criminal intrusion into a commercial website is detected, there is no onus on a Canadian business to report the crime, says McIntyre.

 

Between 30 and 40 U.S. states, led by tough legislation in California, make it mandatory for businesses to report incidences of data loss or compromise. No comparable law exists in Canadian jurisdiction.

 

But where governments in Canada are slow to act, the credit card companies have taken a carrot-and-stick approach. Known globally as the payment credit industry digital security standard (PCI DSS), Visa, MasterCard and American Express all put their business-service fees for e-commerce on a sliding scale, depending on the merchant's level of online security.

 

``Unlike a lot of legislation, it does not force compliance, but it does address the problem at a certain level,'' says McIntyre.

Tuesday, March 10, 2009

What's behind the rash of university data breaches?

Jay Cline

 

March 9, 2009 (Computerworld) Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article).

 

The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog — Educational Security Incidents — to the topic.

 

When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society' "), universities were the leading sector for publicized breaches. The same is true today.

 

What's going on? Why haven't things changed?

 

John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops.

 

"Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

 

Correlli also points to unique threats and vulnerabilities in academia:

 

    * The open nature of the university physical and technical environment.
    * Department fiefdoms inhibiting central policy enforcement.
    * A customer user population that is relatively low paid, lives "on site" and experiences high turnover.

 

There is some debate over whether students perpetrating intentional breaches or staff making unintentional data disclosures are the principal source of data risk within universities. I think both are worth monitoring, but would pay special attention to students. Why? Twice a year, college students are under extreme duress to produce results that their futures depend on. The statistics appear to bear this out.

 

Looking at the months of the reported breaches, peak activity occurs during the traditional finals weeks of fall and spring semesters. In contrast, the fewest breaches are reported during months when students aren't around (see graph).

Elevated data risk during finals week?

A monthly breakdown of university data breaches reported since 2001 shows January and May as the peak months. Allowing for a few weeks to detect and report these incidents, the actual peak in incident activity may be occurring during the final weeks of the fall and spring semesters. Number of reported breaches at universities, by month:

September   19
October     29
November    24
December    29
January     42
February    25
March       36
April       39
May         43
June        36
July        24
August      23

Source: Minnesota Privacy Consultants

 

Susan Blair, chief privacy officer at the University of Florida, generally agrees with Correlli. In a presentation she shared with me, Blair lists these as the top reasons for university breaches:

 

    * Data-rich information systems creating a natural target.
    * Outdated and nonenforced data-security safeguards.
    * Sophisticated intruders, with potential criminal intent.
    * Careless or inattentive data systems management.
    * Negligent hiring practices or employee misuse of data.
    * Demonstrated opportunities for repeat access.
    * Business partners or research sponsors who fail to protect information.

 

"The typical academic network is a maelstrom of collaborative activities that generally precludes the kind of restrictions that a corporate network would impose," said Michael Corn, chief privacy and security officer at the University of Illinois at Urbana-Champaign. "We accept this risk as a precondition for academic endeavors.

 

"Universities are uniformly more forthcoming when data breaches occur due to a culture of transparency in these matters," Corn added.

 

Rodney Petersen, government relations officer and security task force coordinator at Washington-based EduCause, also believes there is a reporting bias that overestimates the data risk in academia. "It is not fair to conclude that higher-education environments are any less secure than their government or corporate counterparts," he told me. "Institutions of higher education have been disclosing security breaches long before they were required to do so under individual state laws because institutional officials err on the side of protecting their students, faculty and alumni.

 

"Corporations may be far more circumspect before deciding to report incidents because of concerns about consumer confidence or impact on shareholder value," he added.

 

Rachel Krinsky, assistant director of compliance and privacy at the University of Connecticut, agreed with Petersen. "Many universities are large and made up of multiple colleges, campuses and divisions. As a result, some universities have decentralized networks and systems without a centralized oversight function to monitor them in the same way as may be done in other sectors," she added.

 

"This means that a university may have multiple networks and systems to contend with," Krinsky continued, "and each one is managed differently and separately."

 

What's the outlook for data privacy in academia?

 

Several university privacy and security leaders told me off the record that the role of the chief privacy officer needs to be elevated in academia before major progress can be made. Indeed, in a sector regulated by the Health Information Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA) ID Theft Red Flags Rules, Payment Card Industry Data Security Standard (PCI DSS), and state-level laws on Social Security numbers and breach notification, it's surprising how few CPOs there are in academia. I was able to find just 20 to contact for this article.


 

More will certainly be found attending the Academic Medical Centers Privacy and Security Conference, International Association of Privacy Professionals Privacy Summit, and EduCause/Internet2 Security Professionals Conference over the next two months.

 

But until university trustees and boards of regents fund more robust privacy programs and hold university presidents more accountable for their privacy status, don't expect another sector to overtake the lead in the reported-breach column.

 

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

Double trouble

Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven doubly breached universities, while Ohio follows at four schools. At least eight universities have experienced four or more publicized privacy incidents.

University                                        Dates of reported incidents
Austin Peay State (Tennessee)                     December 2008, July 2005
Cal Poly (California)                             December 2008, August 2006, July 2005
California State – Dominguez Hills (California)   March 2006, July 2005
California State – Stanislaus                     January 2008, May 2006, August 2005
Carnegie Mellon (Pennsylvania)                    October 2007, April 2005
City University of New York                       November 2007, September 2005
Duke University (North Carolina)                  December 2007, May 2005
East Carolina University (North Carolina)         February 2007, June 2005
Florida International University                  May 2006, April 2005
Georgetown University (District of Columbia)      January 2008, March 2006
Georgia Tech University                           June 2007, February 2007, November 2005, March 2003
Harvard University (Massachusetts)                November 2008, March 2008
Indiana University                                November 2005, February 2001
Iowa State University                             December 2005, July 2005
Kansas State University                           January 2009, November 2007
Kent State University (Ohio)                      September 2005, June 2005
Michigan State University                         July 2005, April 2005
Middle Tennessee State University                 February 2008, May 2005
Montana State University                          November 2007, October 2007, December 2006
New Mexico State University                       January 2008, April 2007
Northwestern University (Illinois)                June 2007, May 2007, July 2006
Ohio University                                   December 2008, June 2006, May 2006, May 2006, April 2006
Ohio State University                             December 2008, May 2008, April 2007
Oklahoma State University                         April 2005, February 2001
Purdue University (Indiana)                       February 2009, September 2007, July 2007, April 2007, September 2006, April 2006, May 2005
Stanford University (California)                  June 2008, May 2005
Tennessee Tech University                         January 2008, September 2007
Texas A&M University                              November 2008, February 2008, June 2007
University of Akron (Ohio)                        January 2008, October 2007
University of Alabama                             February 2009, June 2006
University of California, Los Angeles             December 2006, April 2004
University of California, Berkeley                May 2006, March 2005
University of California, Davis                   June 2007, March 2005
University of California, San Francisco           May 2008, April 2007, March 2005
University of Colorado                            April 2008, May 2007, December 2006, August 2005
University of Delaware                            May 2006, January 2006, November 2005
University of Florida                             February 2009, January 2009, November 2008, June 2008, May 2008
University of Georgia                             January 2008, September 2005, January 2004
University of Idaho                               March 2007, January 2007
University of Iowa                                October 2007, June 2007, September 2006, July 2006, May 2005
University of Kansas                              September 2007, January 2006, April 2004
University of Kentucky                            August 2006, August 2006, June 2006, June 2006
University of Michigan                            September 2007, July 2007
University of Nebraska                            July 2008, February 2007, March 2006
University of New Mexico                          April 2007, January 2007
University of San Diego (California)              December 2005, July 2005, January 2005
University of South Carolina                      June 2008, September 2007, August 2006
University of Tennessee                           July 2006, October 2005
University of Texas at Austin                     November 2004, March 2004, March 2003
University of Toledo (Ohio)                       April 2008, August 2007
University of Utah                                June 2008, August 2005
University of Virginia                            April 2008, June 2007, November 2006, April 2006
Virginia Commonwealth University                  December 2006, September 2006

Source: Minnesota Privacy Consultants

Trojan Delivered Through Social Networking Site Toolbar

 

Researchers at McAfee, an online security solutions provider, have discovered a new online threat that hides inside a legitimate toolbar application for a social networking site. It attacks the user's system to install a malicious backdoor Trojan.

In a post on McAfee's Avert Team blog on February 10, 2009, security researcher Dennis Elser notes that the newly uncovered attack targets visitors to a German Web 2.0 site. In the attack, the toolbar for StudiVZ, a student social networking site, is bundled with a variant of the already familiar Backdoor-CEP Trojan.

Elser writes that, among the backdoor's various malicious functions, the most critical are intercepting everything that appears on a user's screen by capturing screenshots and recording keystrokes, as reported by Security Watch on February 18, 2009. Elser adds that at first glance the deliberately modified installer appears perfectly innocuous, particularly because it does not appear to do anything malicious.

Behind the scenes, however, a number of unwanted activities take place, said Elser, as reported by McAfee on February 10, 2009. The installer either injects malicious code into processes already running on the system or starts a legitimate process in a suspended state. It then unmaps all the content within that process and maps in new malicious content before resuming it.

McAfee also cautions that antivirus software is unable to detect this malicious program, because it is decrypted and injected into the system's memory rather than written to the hard disk.

Furthermore, once the installer finishes its preliminary activities, it automatically launches Internet Explorer to open StudiVZ. With the freshly installed toolbar, logos and controls visible at the top, the user may then log in to the site.

Meanwhile, the Backdoor-CEP Trojan has already infected several running processes and installed its payload to capture and record the user's keystrokes; its key purpose is to steal the credentials of StudiVZ users.
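
Because the payload described above lives only in memory, it has to be caught by what the installer does rather than by a file scan. As an added example (not from McAfee or the original article), this Python detector correlates the suspended-start, unmap, write and resume steps per installer/target pair; the event names, log layout, process names and trace are constructed for illustration, and the variant that injects into already-running processes is out of scope.

```python
from dataclasses import dataclass

# Hypothetical event names for the four behaviours the article describes, in order.
STEPS = ("start_suspended", "unmap_image", "write_memory", "resume")

# Constructed trace, one event per line:
#   timestamp actor_pid actor_name action target_pid target_name
# Lines are deliberately interleaved and slightly out of order.
SAMPLE_TRACE = """\
10.00 4120 installer.exe start_suspended 5300 host.exe
10.03 4120 installer.exe write_memory 5300 host.exe
10.02 4120 installer.exe unmap_image 5300 host.exe
10.04 4120 installer.exe write_memory 5300 host.exe
10.05 2210 launcher.exe start_suspended 6100 editor.exe
10.06 4120 installer.exe resume 5300 host.exe
10.07 2210 launcher.exe resume 6100 editor.exe
11.00 3300 updater.exe start_suspended 7000 helper.exe
11.10 3300 updater.exe unmap_image 7000 helper.exe
this line is malformed and is skipped
"""


@dataclass(frozen=True)
class Event:
    ts: float
    actor_pid: int
    actor_name: str
    action: str
    target_pid: int
    target_name: str


@dataclass(frozen=True)
class Finding:
    actor_pid: int
    actor_name: str
    target_pid: int
    target_name: str
    started: float   # time the target was created suspended
    resumed: float   # time the rewritten target was resumed


def parse_trace(text):
    """Parse the constructed log format, skip bad lines, sort by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] not in STEPS:
            continue
        try:
            events.append(Event(float(parts[0]), int(parts[1]), parts[2],
                                parts[3], int(parts[4]), parts[5]))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e.ts)


def detect_hollowing(events):
    """Return a Finding for every actor/target pair that completes all four steps."""
    progress = {}   # (actor_pid, target_pid) -> (steps completed, start time)
    findings = []
    for ev in events:
        key = (ev.actor_pid, ev.target_pid)
        if ev.action == STEPS[0]:
            progress[key] = (1, ev.ts)        # a new suspended start resets the pair
            continue
        if key not in progress:
            continue                           # not preceded by a suspended start
        done, started = progress[key]
        if ev.action == STEPS[done]:
            done += 1
        elif ev.action == "write_memory" and STEPS[done - 1] == "write_memory":
            continue                           # several writes in a row are expected
        else:
            del progress[key]                  # e.g. resumed without unmap: benign launch
            continue
        if done == len(STEPS):
            findings.append(Finding(ev.actor_pid, ev.actor_name, ev.target_pid,
                                    ev.target_name, started, ev.ts))
            del progress[key]
        else:
            progress[key] = (done, started)
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"{f.actor_name} ({f.actor_pid}) rewrote {f.target_name} "
              f"({f.target_pid}) between t={f.started} and t={f.resumed}")
```

Only the installer.exe/host.exe pair is reported: the launcher resumes its child without unmapping anything, and the updater sequence never reaches a resume.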

 

Friday, March 6, 2009

Identity in a crisis

 

Opportunistic data thieves are taking advantage of the recession to steal personal data from jobseekers, as well as glean data from the computers of bankrupt firms.

 

Criminals will always target the vulnerable. During a recession, one group most vulnerable to data theft is jobseekers; your CV builds up a detailed profile of your working life and contains information such as your date of birth and address. Should this fall into the wrong hands, your identity and credit rating are on the line.

 

Businesses are also at risk. As layoffs occur, discarded, redundant computers and exiting employees greatly increase the risk of data theft and possible abuse.

 

Firms with little or no policy regarding data protection are now in a high-risk category.

 

For jobseekers, a recent scam requiring the submission of personal details, including bank account details and PPSN numbers, in exchange for a job application resulted in the Data Protection Commissioner issuing an urgent warning.

 

"I am very concerned that in the current economic climate, criminals are trying to take advantage of job applicants. They seem to be seeking personal details for identity-fraud purposes," said Data Protection Commissioner Billy Hawkes.

 

Data criminals are putting pressure, not only on those seeking jobs, but also on job-recruitment firms and individual companies, whose duty it is to protect this information.

 

"As a jobseeker, you should first think about what you put on your CV," says James Galvin of Glandor Systems, a firm that provides behind-the-scenes technology called Resume Safe for job sites.

 

"There have been many warnings on the dangers of including personal details such as a social-security number or driver's licence number on your CV, but other information can also be used as a source of fraud.

 

"This could include the date of birth, which is sometimes used as a password reminder or an extra layer of security for logging in online, and can also be valuable to scammers as an important piece of information in the construction of your personal profile," he adds.

 

However, the CV itself is not the only risk – individuals need to be aware of where on the web they post it.

 

"In addition to the content of your CV, you must be careful about where you post your resume. There are over 60,000 job boards on the internet, and many of these do not have adequate security policies in place to protect your information.

 

"While there have been numerous high-profile privacy breaches among the larger job boards such as Monster.com or Jobs.ie, security flaws in smaller job boards often fail to make headlines and go unnoticed by their users," explains Galvin.

 

In addition to this, there are scam job sites out there populated with bogus job listings, which exist for the sole purpose of collecting as much information as you will supply.

 

"A legitimate employer would never look for detailed information so early on in a recruitment process, if at all. Beware of wild, unrealistic promises of work and never agree to pay for an offer of an interview," says Colm Murphy, technical director with IT security firm Espion.

 

"This is dependent on the kind of information you have included in your CV. Typically, fraudsters need three to four unique pieces of information to try to commit an identity theft or fraud.

 

"Name, address, date of birth, mother's maiden name, PPS number and bank account number are obvious candidates," he explains.

 

But what of data theft and the employed? A recent global survey from security firm McAfee revealed that 42pc of IT decision-makers feared for data security as a result of internal corporate espionage due to laid-off employees taking intellectual property (IP) with them.

 

A further 36pc worried that employees in financial dire straits would steal data while still working in the company.

 

"Fraud is always going to increase in a downturn. Organisations need to be more wary and more vigilant in such a climate," says Murphy.

 

"It is likely that ex-employees will look to set up competing businesses, or bear grudges.

 

"Organisations should have clear data classification policies to help identify important or sensitive information, and take appropriate steps to adequately secure and protect that data," he says.

 

When it comes to managing the data implications of staff redundancies, the dramatic and fast-moving nature of the downturn has left many businesses on the back foot, explains Martin Carey, managing director of computer forensics and data-recovery firm Kroll Ontrack.

 

While some companies are better prepared and better equipped than others, the key for all businesses is to have policies in place prior to events such as mass redundancies, he says.

 

"A period when the business is in major transition is clearly not an ideal time to be reviewing data-security strategies.

 

"Any sector dealing with large volumes of sensitive data is at risk if it fails to adequately secure information, be it on redundant computers or those still in active use.

 

"The financial sector has so far experienced the greatest number of redundancies, and so from the point of view of making devices no longer in use secure, it is currently very exposed," adds Carey.

 

Kroll Ontrack calculates that in the UK alone, by the end of 2009, just under a quarter of a million man hours will be required to back up data on computers in the financial sector.

 

Another issue companies must address surrounding data storage and backup is compliance, especially in light of recent data breaches.

 

Data-security scandals have affected organisations including Bank of Ireland, which suffered a 10,000-customer data breach, and the Irish Blood Transfusion Service, which had the records of some 175,000 patients taken on a stolen laptop.

 

"From a compliance angle, firms are increasingly required to make large-scale data disclosures. The Competition Commission, for example, is making such demands of large companies more and more frequently," explains Carey.

 

"If companies are unable to meet these demands, having not backed up data, they could face immediate fines and be disadvantaged in any ensuing legal process.

 

"Compliance covers many areas of business and practice, and can comprise all forms of data ranging from communications by email documents to accounting systems. Basically, it depends on the area with which you are complying," Carey says.

 

From a carelessly lost USB memory stick to a CV containing key personal information, we all have a lot to lose by failing to protect our data.

 

The USB memory stick could result in the devastating loss of a company's IP. The CV brimming with information could potentially be enough for data thieves to open a bank account in your name and destroy your credit rating.

 

A case in point: "An experiment staged last year in the UK during the national identity-fraud prevention week lured 107 people into submitting their CVs to a fake website," says Murphy.

 

"Of the 107 CVs, 61 contained enough information to apply for a credit card."

 

How my identity was stolen

 

It started with a challenge to steal my identity, equipped only with the Google search engine and my name. Brian Honan, security expert of online security consultancy BH Consulting, accepted the challenge with one condition: no illegal methods could be used to obtain information.

 

About a month later, I received a surprise in the post: my birth certificate with Honan's calling card attached.

 

Aside from being furious that I had lost the challenge, I was worried. I rang Honan immediately and asked him two questions: 'How did you do that?', and, 'What is the worst that could happen?'.

 

Honan said it was quite simple – all it required was a little patience and a little ingenuity. Googling my name brought up various pieces of information from social-networking sites, blogs, my Twitter account and bits of personal information buried deep within some of my writings.

 

Honan used this to slowly build up a complete profile of Marie Boran. From gathering mundane facts such as my favourite food, to all-important private data such as my father's name and date of birth, he was well on his way.

 

The final piece in the puzzle for Honan was to acquire a copy of my birth certificate. As long as you have some key pieces of information, you can source this through the General Register Office online at www.groireland.ie.

 

Or so Honan thought. It turns out that human error can play a big role in identity theft. While Honan had requested my birth certificate, he had incorrect details for my place of birth and mother's maiden name.

 

No worries. Someone from the office rang him back while processing the form and informed him of this, but still allowed him to be sent a copy.

 

With my birth cert, Honan said the next step in his bid to steal my identity would have been to have a hypothetical female accomplice visit a Garda station with my cert and her own photo ID to obtain a driver's licence in my name.

 

Bang, bang. My identity, as I knew it, would have been dead.

 

Oh, and the interesting part? Honan said my online information was better protected than the average web user.

 

So, how private is your data?

 

By Marie Boran

F-Secure survey finds people still insecure online

 

F-Secure's annual Online Wellbeing survey uncovered Internet users' feelings of personal online security with regard to online banking, children's safety while surfing the web, and credit card information when shopping online. Overall, 50% of respondents were confident about their security when banking online. However, only 6% of respondents felt secure in making credit card purchases online.

 

Web surfing and phishing e-mails

Phishing can appear in the form of what looks like an e-mail from a well-known bank, which in reality is a scam seeking personal information. On average, 54% felt fairly or very confident they would not fall for a phishing email. However, 27% of respondents do not know whether or not they can spot phishing emails.

 

In Hong Kong, 26% of respondents feel they cannot spot phishing emails, although in other countries such as the UK (68%), Canada (60%), and Italy (67%) respondents are far more confident in their ability to spot such emails.

 

Children and the Internet

At the core of F-Secure's "Online Wellbeing" is family security when using the Internet. Parents are increasingly worried about their children not being protected from unsuitable content including pornography and violent imagery. When presented with the statement "My kids are safe when they are online", over a third of respondents across all countries could neither agree nor disagree with it. Parents and guardians do not know whether children are safe online or not.

 

The vast majority (54%) of respondents did not agree that their children were safe online. Only 2% of respondents in India strongly agreed that their children are safe. In Germany, 69% strongly disagreed or disagreed with the statement.

 

Online banking

Surprisingly, respondents feel safer during online banking than when using their credit card for shopping online. In all eight surveyed countries, the majority agree that they are safe during online banking transactions. The countries that have the most confidence are France (62%) and the US (63%), but in Germany, 39% still do not have confidence in online banking. On the whole, 31% of all respondents were still unsure of their safety.

 

The survey was carried out by a third party in December 2008 across 2019 Internet users aged 20-40 in USA, Canada, France, Germany, UK, Italy, India and Hong Kong. There were approximately 200 respondents surveyed per country. F-Secure asked respondents a series of basic online security questions and, using a Likert scale, asked them to rate the extent to which they were confident in the security of given online activities.

Trend Micro Unveils 2008 Threat Report and Strategies to Penetrate Security Market in 2009

 

Trend Micro Incorporated unveiled its annual online security report for 2008 and its forecast of online threats for 2009, while introducing its new 'Smart Protection Network' technology for enterprise and medium businesses.

 

Rathasiri Kaikeaw, regional sales manager, Indochina of Trend Micro, remarked, "This year, Trend Micro will focus on Total Solution Service, which uses Smart Protection Network technology, and introduce Trend Micro Message Archiver (TMMA), which features more compressed email storage to reduce storage space. The TMMA comes with a data encryption system for outgoing emails to prevent leakage of business data.

This year, Trend Micro expects a growth rate of 20% and will focus our business on enterprise and medium businesses."

 

Rathasiri concluded, "The factors that stimulate the growth of the security market in Thailand include 1) new threats that constantly emerge will cause users to adjust and seek new security products; 2) the Computer Act of 2007 will alert and stimulate computer users to be more cautious when using computers and the internet; 3) the campaigns to prevent software piracy will stimulate government and private sectors to select the appropriate software and solutions for their organizations."

 

Khongsak Kortrakul, technical consultant of Trend Micro (Thailand), remarked, "2008 was a year of survival, exploration and innovation for cybercriminals. The past couple of years have blown the lid off the underground cyber-economy and how malware writers have shifted their motives toward financial gain. Tech-savvy users became more aware about Web threats. Cybercriminals on the other hand have used new avenues or improved on old ones to gain profit."

 

TrendLabs tracked down detours, pitstops and newly formed superhighways while following the stories of the following threats:

Botnets: Resident Evil -- Malware. From January to November 2008, a staggering 34.3 million PCs were infected with malware under families that are commonly associated with bots.

Spam -- Around 115 billion spammed messages are being sent every day, up from the average 75 billion in 2005 to 2006. Ninety-nine percent of spam comes from compromised computers, including those with malicious communication to and from remote users.

 

Black Hat SEO and FAKEAV -- Poisoning search results is one notable trick used by malware writers in 2008, notable because throughout the year it refused to die down, owing perhaps to its effectiveness in tricking unsuspecting users. It works because of the popularity of search engines, which are integral in everyone's Net activities. Those who manipulate search results hinge on the trust users place on these search tools to lead them to their chosen website.

Mass Compromises -- Compromised websites present a difficult problem for Web users. It works because users may think they are still accessing a trusted website, but in fact some malicious activity is already happening with their PCs.

 

Rootkits -- While rootkits are not necessarily harmful, some developments in rootkit technology were controversial.

Blended Threat such as Malicious spam attachments -- While malicious attachments in spam have been infecting users even before this year, notable social engineering techniques were used in 2008. In January and February, there were targeted attacks that used malicious Microsoft Word attachments.

Non-traditional phishing -- This year there was a development in phishing that made use of other attack vectors. First was the prevalence of spy-phishing, or a blended threat that combines both phishing and information-stealing malware to prolong attacks beyond the point of availability of a phishing website.

 

The darker aspect of convergence is the inevitable carry-over of "digital hackability" to workaday devices. While Internet connectivity is by itself an open door, proof-of-concept attacks targeted at devices sporting this functionality effectively magnify the real-world effects of going digital/online.

 

In the threat landscape, cybercriminals use the reliability of existing infection methods, integrating them with new technological advancements. The results are hybrid-like Web threats that take advantage of the dependability of tested techniques and sophistication of new ones.

 

    * Vulnerabilities -- Operating system vulnerabilities still served their purpose for malware authors in 2008. Windows vulnerabilities were exploited and used in illicit schemes.

    * Regional Threats -- Leveraging on specific profiles of certain regions was still rampant and effective in 2008.

    * Mobile Threats -- Mobile threats in 2008 were mostly related to mobile phones, some of the most notable being those related to the Apple iPhone, and more recently, one targeting Windows Mobile PocketPC. Data loss caused by the theft or misplacement of mobile devices such as laptops and storage devices has proved more damaging in 2008.

    * Social Engineering -- The changing world rendered users with short attention spans, and has made the craft of captivating an audience such a nifty skill to master. Malware authors seem to never run out of tricks in doing this, constantly adapting to the current times and circumstances to search for an unfortunate audience to exploit.

 

In 2009, antiquated propagation techniques such as file piggybacking, email, removable drives, peer-to-peer and instant messaging are being used this year. This trend will continue as malware writers fully realize the potential of Web 2.0 for propagation. And cybercriminals will continue to take advantage of events, celebrities, and political figures, among others, as social engineering bait. More threats make money out of mobile technologies. And as mobile phones and other handheld devices become more and more interconnected with their desktop counterparts. Furthermore, spam has consistently risen over the years and it will continue to do so in 2009. The United States will continue to be the country that sends out the most spam, while Europe will be the most spammed continent.

Sunday, March 1, 2009

Cambridge security boffins slam banking card readers

 

'Optimised to fail'

By John Leyden

Posted in Crime, 26th February 2009 16:22 GMT

 

Card readers for online banking are inherently insecure, according to a new study by Cambridge security researchers.

 

Researchers Saar Drimer, Steven J Murdoch and Ross Anderson found a number of serious security shortcomings after reverse engineering the underlying protocol (called the Chip Authentication Programme or CAP) that underpins hand-held card readers. Readers are typically used alongside customers' debit cards to generate one-time codes for online banking login and transaction authentication.

 

The devices are designed to thwart online banking fraud, but cost-saving measures have resulted in design compromises that have left customers open to risk of fraud.

 

The researchers' paper, Optimised to Fail: Card readers for online banking, presented at the Financial Cryptography 2009 conference on Thursday, explains that efforts to reduce the cost to the banks and the amount of typing done by customers have created security shortcomings akin to those that came with the introduction of Chip & PIN.

 

    While the principle of CAP — two factor transaction authentication — is sound, the flawed implementation in the UK puts customers at risk of fraud, or worse.

 

    When Chip & PIN was introduced for point-of-sale, the effective liability for fraud was shifted to customers. While the banking code says that customers are not liable unless they were negligent, it is up to the bank to define negligence. In practice, the mere fact that Chip & PIN was used is considered enough. Now that Chip & PIN is used for online banking, we may see a similar reduction of consumer protection.

 

The research was carried out by reverse-engineering hand-held card readers from UK banks NatWest and Barclays. Cryptographic problems uncovered by the Cambridge team include "reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses".

 

The researchers' paper, which details suggestions for increasing the security of readers, can be found here (pdf): http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

 

Previous work by the same Cambridge researchers includes unpicking the security shortcomings of Chip and PIN terminals, which are used to authorise card purchases in retail environments. This research highlighted the absence of encryption in the data exchanged between PIN entry devices and cards during transactions. ®