Attack Targets Shift Again

C-level executives might seem like the perfect target for an attacker. They have privileged access, hold confidential data, and are usually well paid. According to Symantec’s latest Internet Security Threat Report, however, the percentage of targeted attacks focusing on chief executive or board-level employees fell from 25% in 2011 to 17% in 2012.
 
The most targeted role currently belongs to employees in the R&D area, hit with 27% of attacks, up from 9% in 2011.  The next most targeted group was the sales department, which saw 24% of attacks in 2012 compared to 12% in 2011.
 
To me, this is an indicator that targets are shifting back to a larger pool, and also to employees who may not be considered ‘high profile’, but have considerable access.  These employees are less likely to be suspicious, tend to take greater risks, and are not always presented with or interested in security awareness materials.
 

Canadian Breach Notification Laws Coming Soon

The first federal attempt to add a breach notification obligation to PIPEDA, Canada’s private-sector privacy law, was Bill C-29, introduced in May 2010. It died when the election was called in spring 2011. Bill C-12, identical to C-29, was introduced in September 2011 but has not been moved forward.

A new proposal which has received the support of key industry players was introduced in February. The private member’s Bill C-475 adds clear and mandatory security breach disclosure requirements to the PIPEDA federal law along with significant penalties for compliance failures.

Under Bill C-475, an organization having personal information under its control would have to notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, that information where a reasonable person would conclude that there is a possible risk of harm to an individual as a result of the security breach.

Article:  http://www.mcmillan.ca/security-breach-notification-soon-becoming-mandatory-in-Canada

Happy 1st BaKtun!

I woke up this morning feeling the ravages of the common flu. Pushing back the viral fog, I looked out my bedroom window, expecting to see the streets flooded with zombies, the skies dark with winged bodies of alien invaders, a maelstrom of clouds swirling and the blaring of trumpets. December 21st, 2012 has passed, and still, the world spins upon its axis. Hmmm, what about all this talk about the Mayan calendar, and the prophesied apocalypse?

Well, hold on tight, earthlings. Our best and brightest may have miscalculated by just a few days. Apparently, the calculation should have pointed to the 23rd ’round midnight! I’m hedging my bets, and shopping light this Christmas. Ya never know, it might not happen at all.

The Mayans used calendars kind of like we do, and what happens when we run out of days on our calendar?  We get a new calendar!  That’s all.  That’s it.  The Mayans observed the cycles of nature and the universe.  The key to cycles is that they repeat.

I am truly blessed, as I got to see the shenanigans as the second hand swept across twelve in 1999, ushering in a new era where technology would fail us all, elevators would rocket through the roof, and nuclear plants would melt down.  And now I have seen (or will soon see) the end of time as we know it.

Interesting write-up about all of this at the link provided in the image above, if you are interested in all this. For me, it simply shines the light on what people will believe. If a story is repeated long enough, if no better explanation can be quickly presented, rumors and myths will rule.

Doomsday in my opinion, will come, and far too soon I’m afraid.  However, it will be either by our own hand as a species, or by the laws of nature and luck.  I will be as prepared as I can be, as aware as I’m able, and as accepting as possible of the outcome.  Until then, I wish you all peace on earth, and goodwill to all mankind.  Happy 1st BaKtun, and stay secure!!

Where You At?

Some folks have noticed that the old curmudgeon that used to update this blog hasn’t been around much and has kind of left this blog alone for a while. Well, MadMark’s back, and you can expect to see more content here again starting in 2013. I may not be as prolific, but I will try to post at least something interesting each month.

I started a new job back in March, and it really has been dominating my time. When creating a brand new department, it is imperative to focus on defining the many tasks that need to be fleshed out; creating strategy, governance, services, processes, and of course staffing appropriately.

So the second year is all about building it out according to plan. I expect that the build will actually take more time, but less focus, as I have good people to rely on, above, under, and around me who can help.

I fall back to one of my favorite movie quotes: “What doesn’t kill me makes me stronger. Pissed off, but stronger.” Well, maybe that’s not an exact quote. I am now glad that I have had the painful experience of having done this exercise before, and know much of what to expect.

Happy holidays to all, and see you in 2013. You can find me in person at the Toronto Area Security Klatch (TASK) meetings, or at Federation of Security Professionals events.

Mark

Anonymous ‘FFF’ Attack Schedule

Oh, for crying out loud. Why don’t these guys just go away? According to Wired, Anonymous is giving itself a weekly deadline now, a new attack every Friday. How entertaining. Following the Tuesday compromise of tear gas maker Combined Systems’ website, Antisec attacked a Federal Trade Commission web server which hosts three FTC websites. They claim this hack was in opposition to the controversial international ACTA copyright treaty, widely protested around the world for its potential impact on freedom of expression.

Those responsible for this week’s attacks spoke with Wired, and claimed that the attacks renewed a promise, previously noted in the defacement of CSI, and reiterated on the FTC websites, “every Friday will bring a new attack against government and corporate sites under the theme of #FFF” (‘F’ the Feds Friday).

They’ve decided to try to balance between protest defacements like these two most recent ones, and posting material that can damage firms and agencies. Jerry Irvine of the National Cyber Security Task Force told the New York Times last week that attacks would become more frequent, describing the collective as “unstoppable,” because of the poor state of online security.

-=[ Busted ]=- Six Trillion In Fake Bonds

On the other side of the pond, a record $6 trillion of fake US Treasury bonds were seized by Italian anti-mafia prosecutors.  The bonds were uncovered in hidden compartments in three safety deposit boxes in Zurich.  Bloomberg reports that Italian authorities arrested eight people in connection with the probe, dubbed Operation Vulcanica.

The Italian authorities also uncovered fraudulent checks issued through HSBC Holdings in London, and another $2 billion of fake bonds in Rome.  Those involved in the financial fraud case were apparently planning to buy plutonium from Nigeria, according to police monitored phone conversations.

Good work guys.  I hope they round up all involved, especially those with the plutonium.  You know that stuff isn’t going to be used to power wind up toys.

North American Medical Records At Risk

While you are sitting patiently during your typical 5-6 hour emergency room visit, ever wonder just how safe your records are at the doctor’s office?  Are ya ready to puke?

91% of small healthcare practices (fewer than 250 employees) in North America say they have suffered a data breach in the past 12 months.

The Ponemon Institute recently conducted a survey, commissioned by MegaPath, asking more than 700 healthcare organizations’ IT and administrative staff about breaches.  Among the findings:

  • 70% say their organizations either don’t have, or are unsure whether they have, sufficient budget to meet governance, risk, and compliance requirements.
  • 55% of respondents had to notify patients of a data breach in the previous 12 months.
  • 52% of respondents rated their security technology plans as “ineffective”.
  • 43% of respondents had experienced medical identity theft in their organizations.
  • 31% say management considers data security and privacy a top priority.  (69% not so much?)
  • 29% say breaches have resulted in medical identity theft.
  • More than a third have not assigned responsibility for patient data protection to anyone in particular.
  • Approximately half say less than 10% of IT’s budget goes to data security tools.

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected.  Protecting patient data appears to remain a low priority for hospitals and doctors’ offices, and these organizations have little confidence in their ability to secure patient records.  They are putting individuals at increased risk for medical identity theft, financial theft, and exposure of private information.

Are ya feeling warm and fuzzy yet?  Read the whole report.

Canadians’ Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the right and the means to spy on your internet usage freely and on a hunch. Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy. The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers”. As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron! Yep, there is no middle ground here. Line up with the rest of ’em, mate.

I agree with Techdirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over. I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro. Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediency and convenience for law enforcement. You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks!

HSBC Under Investigation For Money Laundering?

Things are not looking good for HSBC bank.  A former employee in New York has 1,000 pages of account records he claims are evidence of an international money-laundering scheme involving hundreds of billions of dollars.  HSBC is reportedly under investigation by a US Senate committee.

John Cruz delivered the customer account records to WND that he says he pulled from the HSBC computer system (uh-oh, I do believe that this may constitute a crime as well) before he was fired after two years at the bank, for “poor performance”.  John claims that he was let go because he insisted on pursuing a personal investigation.  Apparently the police were not interested.

The scheme purportedly involved moving money through accounts belonging to fake and real businesses, opened in the names of current and previous customers who were not aware of them. Businesses doing thousands of dollars of business annually were transferring millions of dollars through these accounts. Oh I hope this turns out to be something else. John is writing a book about it. We really don’t need another banking scandal right now…

Busy Day For Patches

Happy Valentine’s Day everyone. Our vendors are bringing us the gifts of security vulnerability patches. Lots of them. Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business. I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of nine bulletins:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and proof-of-concept code has been released for a local exploit against Yahoo Instant Messenger 11.5 that is not yet patched.

UPDATE: Oracle also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
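To make the Oracle list above actionable across a fleet, here is an added example (my code, not from the original post or from Oracle) that parses the version token printed by `java -version` and classifies each install against the affected-version ceilings listed above. The ceilings come straight from the bulletin text quoted on this page; the hostnames, version strings and status labels are constructed for illustration.

```python
"""Classify Java installs against the February 2012 Oracle Java CPU
affected-version ceilings listed above.

Added example, not from the original post or from Oracle. The ceilings are
taken from the bulletin text quoted on the page; the sample hosts and
version strings below are constructed, not collected from real machines.
"""
import re

# Highest affected "update" number per Java family, as listed on the page.
# Keyed by the (major, minor) pair of the 1.x.y version string.
AFFECTED_CEILINGS = {
    (1, 7): 2,    # JDK and JRE 7 Update 2 and earlier
    (1, 6): 30,   # JDK and JRE 6 Update 30 and earlier
    (1, 5): 33,   # JDK and JRE 5.0 Update 33 and earlier
    (1, 4): 35,   # SDK and JRE 1.4.2_35 and earlier
}

# Matches the version token printed by `java -version`, e.g. 1.6.0_30-b12
# or 1.7.0_02. The build suffix (-b12) is deliberately ignored.
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from a bare version token or from
    the full `java -version` output. Raises ValueError if nothing matches."""
    token = text
    quoted = re.search(r'java version "([^"]+)"', text)
    if quoted:
        token = quoted.group(1)
    m = _VERSION_RE.match(token.strip())
    if not m:
        raise ValueError("unrecognised Java version: %r" % text)
    major, minor, micro, update = m.groups()
    # A token with no _NN suffix is the base release, i.e. update 0.
    return int(major), int(minor), int(micro), int(update or 0)


def java_patch_status(text):
    """Return 'affected' (update <= ceiling for its family), 'patched'
    (newer than the ceiling), or 'unlisted' (a family the bulletin does
    not mention, such as 1.3, about which it says nothing either way)."""
    major, minor, _micro, update = parse_java_version(text)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    if ceiling is None:
        return 'unlisted'
    return 'affected' if update <= ceiling else 'patched'


def triage(version_outputs):
    """Map hostname -> status for a dict of hostname -> `java -version` output."""
    return {host: java_patch_status(out) for host, out in version_outputs.items()}


# Constructed sample data standing in for `java -version 2>&1` captured from
# four hosts. Hostnames, version strings and build numbers are made up.
SAMPLE_HOSTS = {
    "ws-01": 'java version "1.7.0_02"\nJava(TM) SE Runtime Environment (build 1.7.0_02-b13)',
    "ws-02": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)',
    "app-03": 'java version "1.6.0_30"\nJava(TM) SE Runtime Environment (build 1.6.0_30-b12)',
    "legacy-04": 'java version "1.4.2_35"',
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print("%-10s %s" % (host, status))
```

Feed it the captured output of `java -version 2>&1` from each host (the version line goes to stderr, hence the redirect) and anything reported as affected or unlisted goes on the patch list; an unlisted family is usually out of support rather than safe.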

Start planning, testing, and patching, folks.