Data Breaches Up Almost 50 Percent, 35.7 Million Americans Affected
According to the Identity Theft Resource Center of San Diego some 656 data breaches were reported in the U.S. in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools and government entities accounted for the rest.
All told, businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to the Washington Post in its reporting of the Center’s findings. The Post also noted the Center’s finding that the share of breaches attributed to data theft by current and former employees more than doubled, from 7 percent in 2007 to nearly 16 percent in 2008.
"This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders," said the Center's co-founder. "As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent."
Yet the largest single cause of data loss or compromise was human error. Lost or stolen laptops were named as the cause of more than 35 percent of reported incidents. Hackers and malware (malicious software, including programs that steal data) were blamed for only 14 percent of breaches.
Although only five states do not require that consumers be notified when their personal data is lost or stolen, numerous notification exceptions and frequent noncompliance mean that many breaches are never reported, or are reported inaccurately. According to the Center’s report, nearly 42 percent of organizations that disclosed a data breach or loss last year did not divulge the number of consumer records compromised.
New Malware Threats for 2009
Malware is malicious software designed to disrupt, harm or control a computer without the knowledge or permission of its owner. MessageLabs, now a part of Symantec, recently revealed some of the new forms of malware we can look forward to in 2009:
Mash-up malware
Web 2.0 provides the perfect environment for malware that can morph according to the intentions and desires of its user. Individually, its components may be harmless, but when properly combined they can mount a malicious attack. Mash-ups let attackers combine these components and deploy them in a coordinated fashion, increasingly offered for hire as Malware-as-a-Service (MaaS). MaaS allows attacks to be automated and quickly modified, making some of them undetectable even to the very best anti-virus solutions.
Personal social network phishing
Last year was the first time that criminals began using social networking sites such as Facebook to collect personal information. Phishing on these sites will become increasingly sophisticated as the criminals learn how members use them. While routine email phishing will continue to be a problem, targeted emails are becoming more common as MaaS makes it easier for anybody to phish.
The battle to CAPTCHA
You have likely noticed that CAPTCHA letters are becoming more difficult to read. This is because botnet operators now have CAPTCHA-breaking software capable of solving the older schemes. Users of CAPTCHA technologies have fought back with enhanced CAPTCHA schemes, but, like many aspects of computer security, this is an arms race between the CAPTCHA provider and the CAPTCHA breaker to see who can better protect or attack.
Increased reputation hijacking
Thanks to the discovery of a fundamental flaw in the design of the internet DNS (Domain Name System) protocol, it is, in theory, possible to poison a resolver’s cache so that a user’s mail client or Web browser is handed the wrong IP address for a legitimate domain. If criminals successfully exploit this defect, they can masquerade as a legitimate host, set up legitimate-looking websites, and trick individuals into divulging their personal information. The implications of this vulnerability could be staggering.
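The cache-poisoning race described above, as an added illustration that is not code from the article or from MessageLabs: a toy resolver that accepts a reply only when its transaction ID, destination port and question match the query it sent, and an attacker who blindly floods it with forged replies. The 16-bit transaction ID, the fixed-port behaviour of older resolvers, the 1024-65535 ephemeral port range, the domain name and the addresses are all assumptions stated in the code; no packets are sent.

```python
"""Toy model of the DNS cache-poisoning race: constructed example, not code
from the article or from MessageLabs.  No packets are sent.

A resolver sends a query carrying a 16-bit transaction ID (TXID) from some
source port.  It accepts the first reply whose question, TXID and destination
port match an outstanding query.  An attacker who cannot see the query must
guess those values and deliver a forged reply before the genuine one arrives.
"""
import random

TXID_SPACE = 1 << 16                   # 16-bit transaction ID field
EPHEMERAL_PORTS = range(1024, 65536)   # assumed source-port range once randomized
FIXED_PORT = 53                        # assumption: an older resolver reusing one port

# A query is (name, txid, src_port); a reply is (name, txid, dst_port, address).


def send_query(name, rng, randomize_port):
    """Issue a query: TXID is always random, the source port only if asked."""
    port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
    return (name, rng.randrange(TXID_SPACE), port)


def accept_reply(query, reply):
    """Resolver acceptance check: question, TXID and port must all match."""
    name, txid, port = query
    return reply[0] == name and reply[1] == txid and reply[2] == port


def forged_replies(name, count, rng, randomize_port, address="203.0.113.7"):
    """Attacker's flood: blind guesses at TXID (and port), every one pointing
    the victim name at an attacker-controlled address (TEST-NET, constructed).
    Against a fixed-port resolver the port is known, so only the TXID is guessed."""
    for _ in range(count):
        port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        yield (name, rng.randrange(TXID_SPACE), port, address)


def spoof_success_rate(count, randomize_port, trials=40, seed=7):
    """Fraction of trials in which at least one of `count` forged replies is
    accepted (the genuine reply is assumed to lose the race every time)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        query = send_query("bank.example", rng, randomize_port)
        flood = forged_replies(query[0], count, rng, randomize_port)
        if any(accept_reply(query, reply) for reply in flood):
            wins += 1
    return wins / trials


def expected_success_rate(count, randomize_port):
    """Closed form for the same race: each guess hits with probability
    1/space independently, so P(at least one hit) = 1 - (1 - 1/space)^count."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** count


if __name__ == "__main__":
    for randomize in (False, True):
        label = "TXID + random port" if randomize else "TXID only"
        print(f"{label:18s} simulated {spoof_success_rate(20000, randomize):.3f}  "
              f"expected {expected_success_rate(20000, randomize):.6f}")
```

With a fixed source port, 20,000 forged replies (a few seconds of traffic) win the race roughly a quarter of the time, and the attacker can simply repeat the attempt; with the port randomized as well, the same flood succeeds on the order of once in 200,000 attempts. That difference in search space is why randomizing the source port, not a larger TXID, was the emergency fix rolled out for this flaw.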
The new botnet generation
MessageLabs recently described a particularly sophisticated type of botnet built on hypervisor technology. This form of malware can exist as a virtualization layer running directly on the victim’s hardware and, from there, intercept key operating system calls. Under this scheme the real operating system remains unaware of the underlying malware that is actually controlling it and the computer it resides on.
Quote of the Month
"Success is getting what you want—happiness is wanting what you get."
–Rose Leader (HR professional)
Who Knew?
It seems the FBI has begun using a new form of electronic surveillance in criminal investigations. The technology allows law enforcement to remotely activate a mobile phone's microphone and use it to eavesdrop on anyone talking near the phone. According to unconfirmed reports, the technique is called a roving bug and was approved by top U.S. Department of Justice officials for use against members of a New York organized crime family who were wary of conventional surveillance techniques such as tailing a suspect or wiretapping him.
According to the unconfirmed report, Nextel cell phones owned by two alleged mobsters, John Ardito and his attorney Peter Peluso, were used by the FBI to listen in on nearby conversations. The FBI views Ardito as one of the most powerful men in the Genovese crime family, a component of the national Mafia.
The surveillance technique came to light in an opinion published by U.S. District Judge Lewis Kaplan. He ruled that the roving bug was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone. Kaplan's opinion concluded that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets cannot be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.
While the Genovese crime family prosecution appears to be the first time a remote-eavesdropping mechanism has been used in a criminal case, the technique has been discussed in security circles for years.
Research shows that Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said a source who has worked closely with government agencies. "They can be remotely accessed and made to transmit room audio all the time," he said. "You can do that without having physical access to the phone."
The source further said, "If a phone has in fact been modified to act as a bug, the only way to counteract that is to peel the battery off the phone.”
Security-conscious corporate executives might want to remove the batteries from their cell phones next time they have a “one-on-one” with a peer.
Cool Fact
Every day our politicians are using bigger and bigger numbers. It seems that only larger and larger sums of taxpayer money will solve our ever-increasing economic problems. A quick poll of several clients revealed that no one seemed to know with any degree of certainty what number came after a trillion (a one followed by 12 zeros, more correctly described as 10 to the 12th). Being the investigators we are, we set out to learn more. Here is what we found.
Large numbers, those past a trillion, in ascending order are as follows: quadrillion (it contains 15 zeros), quintillion, sextillion, septillion, octillion, nonillion, decillion, undecillion, duodecillion, tredecillion, quattuordecillion, and quindecillion (that's 10 to the 48th, or a one followed by 48 zeros).
But wait—there's more. The largest named number we could find is a milli-millillion (that’s not a typo). A milli-millillion is 10 to the 3,000,003rd (a one followed by 3,000,003 zeros). A slightly more comprehensible number is a centillion, a mere 10 to the 303rd. Interestingly enough, some mathematicians argue that the googolplex is the largest named number. If a googol, a misspelling of which became the famed name Google, is ten to the one hundredth, then a googolplex is a one followed by a googol of zeros. Here is how it is written: 10^googol, that is, 10^(10^100).
Just in case you are interested, an addition of a trillion dollars in new federal debt represents a new expense of $3,030 for every man, woman and child in America. But who’s counting?
BCInsights Moves to Quarterly Publication
BCInsights has transitioned from a monthly newsletter to a quarterly. The editorial content will now be provided by Business Controls’ Founder and CEO, Eugene Ferraro. BCInsights will continue to bring timely insights on a wide range of topics related to employee misconduct and upcoming legislation that affects our readers.
BCInsights is sent to over 80,000 professionals ranging from security and human resources to legal and corporate governance. We look forward to any feedback and thank you for your loyal readership.