Attack Targets Shift Again

B-spyC-level executives might seem like the perfect target for an attacker. They have privileged access, hold confidential data, and are usually well paid.  According to Symantec’s latest Internet Security Threat Report, the percentage of targeted attacks focusing on chief executive or board level employees fell from 25% in 2011 to 17% in 2012.
The most targeted role currently belongs to employees in the R&D area, hit with 27% of attacks, up from 9% in 2011.  The next most targeted group was the sales department, which saw 24% of attacks in 2012 compared to 12% in 2011.
To me, this is an indicator that targets are shifting back to a larger pool, and also to employees who may not be considered ‘high profile’, but have considerable access.  These employees are less likely to be suspicious, tend to take greater risks, and are not always presented with or interested in security awareness materials.

Canadian Breach Notification Laws Coming Soon

A first attempt at proposing an amendment at the federal level to add a breach notification obligation to PIPEDA privacy legislation was initially introduced through Bill C-29 in May 2010.  It died when the election was called in spring 2011. Bill C-12, identical to C-29, was introduced in September 2011 but has not been moved forward.

A new proposal which has received the support of key industry players was introduced in February. The private member’s Bill C-475 adds clear and mandatory security breach disclosure requirements to the PIPEDA federal law along with significant penalties for compliance failures.

Under Bill C-475, an organization having personal information under its control would have to notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the security breach.


Anonymous ‘FFF’ Attack Schedule

Oh, for crying out loud.  Why don’t these guys just go away?   According to Wired, Anonymous is giving itself a weekly deadline now, a new attack every Friday.  How entertaining.  Following the Tuesday compromise of tear gas maker Combined Systems’ website, Antisec attacked a Federal Trade Commission webserver which hosts 3 FTC websites.  They claim this hack was in opposition of the controversial international ACTA copyright treaty, widely protested around the world for its potential impact on freedom of expression.

Those responsible for this week’s attacks spoke with Wired, and claimed that the attacks renewed a promise, previously noted in the defacement of CSI, and reiterated on the FTC websites, “every Friday will bring a new attack against government and corporate sites under the theme of #FFF” (‘F’ the Feds Friday).

They’ve decided try to balance between protest defacements like these two most recent ones, and posting material that can damage firms and agencies.   Jerry Irvine of the National Cyber Security Task Force told the New York Times last week that attacks would become more frequent, describing the collective as “unstoppable,” because of the poor state of online security.

-=[ Busted ]=- Six Trillion In Fake Bonds

On the other side of the pond, a record $6 trillion of fake US Treasury bonds were seized by Italian anti-mafia prosecutors.  The bonds were uncovered in hidden compartments in three safety deposit boxes in Zurich.  Bloomberg reports that Italian authorities arrested eight people in connection with the probe, dubbed Operation Vulcanica.

The Italian authorities also uncovered fraudulent checks issued through HSBC Holdings in London, and another $2 billion of fake bonds in Rome.  Those involved in the financial fraud case were apparently planning to buy plutonium from Nigeria, according to police monitored phone conversations.

Good work guys.  I hope they round up all involved, especially those with the plutonium.  You know that stuff isn’t going to be used to power wind up toys.

North American Medical Records At Risk

While you are sitting patiently during your typical 5-6 hour emergency room visit, ever wonder just how safe your records are at the doctor’s office?  Are ya ready to puke?

91% of small healthcare practices (less than 250 employees) in North America say they have suffered a data breach in the past 12 months.

The Ponemon Institute recently conducted a survey, commissioned by MegaPath, asking more than 700 healthcare organizations’ IT and administrative staff about breaches.  Among the findings:

  • 70% say their organizations either don’t have or are unsure if they have, sufficient budget to meet governance, risk, and compliance requirements.
  • 55% of respondents had to notify patients of a data breach in the previous 12 months.
  • 52% of respondents rated their security technology plans as “ineffective”.
  • 43% of respondents had experienced medical identity theft in their organizations.
  • 31% say management considers data security and privacy a top priority.  (69% not so much?)
  • 29% say breaches have resulted in medical identity theft.
  • More than a third have not assigned responsibility for patient data protection to anyone in particular.
  • Approximately half say less than 10% of IT’s budget goes to data security tools.

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected.  Protecting patient data appears to remain a low priority for hospitals and doctors’ offices, and these organizations have little confidence in their ability to secure patient records.  They are putting individuals at increased risk for medical identity theft, financial theft, and exposure of private information.

Are ya feeling warm and fuzzy yet?  Read the whole report.

Canadian’s Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the rights and means to freely and on a hunch, spy on your internet usage.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers“.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediancy and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks! Continue reading

HSBC Under Investigation For Money Laundering?

Things are not looking good for HSBC bank.  A former employee in New York has 1,000 pages of account records he claims are evidence of an international money-laundering scheme involving hundreds of billions of dollars.  HSBC is reportedly under investigation by a US Senate committee.

John Cruz delivered the customer account records to WND that he says he pulled from the HSBC computer system (uh-oh, I do believe that this may constitute a crime as well) before he was fired after two years at the bank, for “poor performance”.  John claims that he was let go because he insisted on pursuing a personal investigation.  Apparently the police were not interested.

The scheme purportedly involved moving money from accounts belonging to fake and real businesses opened in current and previous customer names that the customers were not aware of.  Businesses doing thousands of dollars of business annually were transfering millions of dollars through these accounts.  Oh I hope this turns out to be something else.  John is writing a book about it.  We really don’t need another banking scandal right now…