Solid email security requires inbound and outbound filtering

Written by John P Mello Jr on March 12, 2010 – 5:28 pm -

Credit card numbers of Argos customers were exposed in emails sent to them.


An email snafu by an online catalogue company is a good example of why both inbound and outbound electronic correspondence should be filtered not only to ensure that nasty payloads aren’t delivered to an organization but also to prevent sensitive information from being exposed to unsavory elements.

The email blunder involved a company called Argos. It is a multi-channel retailer, based in the United Kingdom, of merchandise for the home. During its last financial year, it had more than $6.4 billion in sales, 26 percent of it from the Internet.

An investigation by PC Pro magazine found that the High Street retailer was sending its online customers' credit card numbers in plaintext purchase-confirmation emails. Should the emails be intercepted in transit or otherwise obtained, the card details could be used for fraudulent charges.

What’s worse, the emails also contain an Internet link, or URL, that carries the recipient’s name, address and credit card details in its query string. If the customer clicks on the link, the URL containing the personal information becomes part of the customer’s browser history, where it could be read by anyone with access to the machine. Moreover, the URL would be recorded in the logs of whoever provides the customer with Internet access, his or her employer or ISP, as well as in Argos’s web analytics software, which captures the URLs used to reach its Web site.

Two victims of the lapse were cited by PC Pro: Paul Lomax, chief technology officer at Dennis Publishing, and Tony Graham, a reader of the magazine. Both reported their credit card details stolen after receiving the vulnerable emails from the retailer.

Graham discovered the gaffe when searching through his email for the last four digits of his credit card number. When he checked a message from Argos that appeared in the search results, he was puzzled: no credit card number appeared in the text of the correspondence. It was only when he opened the email’s HTML source that he found the URL bursting with personal and sensitive information.
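The outbound check that would have caught this, as an added example in Go written for this page (not code from the article, PC Pro or Argos): scan the raw source of every outgoing message, including the query strings of any links it contains, for 13- to 19-digit numbers that pass the Luhn check, and block the message when any are found. The email text, the customer name and the card number below are constructed test data.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the raw source of an order-confirmation email of the kind the
// article describes. The rendered text shows only the last four digits; the full
// number sits in the tracking link, which a search of the visible text would miss.
const sampleEmail = `Subject: Your order confirmation
Content-Type: text/html

<p>Thanks for your order, Jane Smith. Card ending 1111 was charged.</p>
<p><a href="https://shop.example/track?name=Jane+Smith&card=4111111111111111&addr=1+High+St">Track your order</a></p>
`

// digitRuns matches 13 to 19 digits, allowing the spaces or dashes people put between groups.
var digitRuns = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// urlPattern pulls out any http(s) URL so its query parameters can be inspected separately.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// luhnValid reports whether a digit string passes the Luhn checksum that payment
// card numbers carry; it filters out most order numbers, phone numbers and timestamps.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding records where a candidate PAN was seen: "url:<param>" or "body".
type Finding struct {
	Where string
	PAN   string
}

// ScanForPANs inspects URL query parameters first (the data may be URL-encoded) and
// then the message as a whole. Each distinct Luhn-valid number is reported once.
// An outbound filter quarantines the message if the result is non-empty.
func ScanForPANs(msg string) []Finding {
	var out []Finding
	seen := map[string]bool{}
	add := func(where, candidate string) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(candidate)
		if luhnValid(digits) && !seen[digits] {
			seen[digits] = true
			out = append(out, Finding{where, digits})
		}
	}
	for _, raw := range urlPattern.FindAllString(msg, -1) {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		for key, vals := range u.Query() {
			for _, v := range vals {
				for _, c := range digitRuns.FindAllString(v, -1) {
					add("url:"+key, c)
				}
			}
		}
	}
	for _, c := range digitRuns.FindAllString(msg, -1) {
		add("body", c)
	}
	return out
}

func main() {
	for _, f := range ScanForPANs(sampleEmail) {
		fmt.Printf("blocked: card ending %s found in %s\n", f.PAN[len(f.PAN)-4:], f.Where)
	}
}
```

Scanning the raw source rather than the rendered text is the point Graham's search illustrates: the number may exist only inside an href. The Luhn check removes most false positives, but roughly one random digit string in ten passes it, so a filter like this should quarantine for review rather than silently drop mail, and it should run on the outbound side, where the sensitive data originates, not just on inbound mail.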

Continue reading Solid email security requires inbound and outbound filtering

Subscribe to my RSS feed

58% of critical apps insecure

Written by John P Mello Jr on March 5, 2010 – 4:05 pm -

The most prevalent vulnerability by overall frequency identified by the report is cross-site scripting (XSS).


Most software used by large companies in critical business applications is insecure, according to a report released by a company that tests programs for security vulnerabilities.

In a report titled “State of Software Security,” the company, Veracode, of Burlington, Mass. disclosed that when it first tested some 1600 business critical applications, 58 percent of them failed to achieve an acceptable security score.

The worst culprits were programs developed by companies for internal use. Failure rates for those applications were as high as 88 percent, the report said.

“Extrapolating from the application sample set, more than half of the software deployed in enterprises today is potentially susceptible to an application layer attack similar to that used in the recent Heartland or Google security breaches,” it noted.

The most secure software submitted to Veracode for testing originated with the financial industry or government sector. More than half the applications from those industries passed muster on their first go-round with testers, which placed them at the top of the list of 15 industries represented in the study’s data set.

The report also plugged open source software as a viable solution for businesses. The failure rate for open source programs was on par with their commercial counterparts–39 percent for open source, 38 percent for commercial wares.

What’s more, the speed at which security vulnerabilities were addressed in open source programs was far better than their competitors–36 days for open source, 48 days for internal software and 82 days for commercial apps.

In addition, open source programs contained the fewest vulnerabilities that could potentially be converted into backdoors which could be exploited by crackers for havoc. “The relative absence of potential backdoors is apparent testimony to the positive effect of transparency in the Open Source community,” the report reasoned.

Continue reading 58% of critical apps insecure


P2P networks sharing sensitive data

Written by John P Mello Jr on February 26, 2010 – 10:21 am -

The FTC is raising the red flag over data breaches caused by P2P software.


A growing problem with the inadvertent disclosure of sensitive information through peer-to-peer (P2P) networks was exposed this week by the U.S. Federal Trade Commission (FTC). In a letter sent to almost 100 organizations, the agency raised the red flag that sensitive customer and employee information from those entities was being shared on public P2P networks where anyone could see it. It warned the organizations that the data could be used by unscrupulous parties to steal identities or perpetrate fraud.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” FTC Chairman Jon Leibowitz said in a statement.

“For example,” he continued, “we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft.”

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” he added. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC’s letter went to both public and private organizations ranging in size from as small as eight employees to publicly traded companies with 10,000 or more workers.

Although receipt of the letter doesn’t mean that an organization has broken any laws, the agency cautioned recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.” It added that failure to prevent sensitive information from being shared on a P2P network could violate federal law.

It went on to note that if customer and employee confidential information was exposed on a P2P network, an organization should consider notifying the affected parties. In some cases, it added, such notification is required by state or federal law.

Continue reading P2P networks sharing sensitive data


Tokens offer more than token resistance to crackers

Written by John P Mello Jr on February 19, 2010 – 4:54 pm -

With token architecture, tokens are substituted for sensitive information on the network.


Encryption has become increasingly important as a means of protecting sensitive information from poachers. As widely publicized data breaches have brought information security under closer scrutiny by governments and industry consumer protection agencies, encryption is no longer an option for many companies but a necessity.

While encryption offers a strong measure of protection for a company’s data, it also imposes additional burdens. For example, encrypted data takes up more space than unencrypted data: padding, initialization vectors and authentication tags are added, and the ciphertext often has to be text-encoded to fit fields designed for plaintext. That means encrypted data bumps up the demands on a concern’s storage systems. In addition, broad use of encryption can, in some industries, increase the cost of compliance audits, as all systems using encryption must meet the standards of regulators both public and private.

One way to relieve the burden encryption places on organizations that’s gaining popularity is tokenization. Not only does this technology reduce the storage requirements created by encrypting data, but it improves security and curbs compliance costs. The fewer the places that sensitive data is stored in a system, the fewer the places subject to compliance audits.

Tokenization saves space by substituting tokens for encrypted information within a system. Typically when a piece of information is encrypted, it is returned to its original location, a record in a database, for example, in encrypted, or ciphertext, form. With tokenization, after information is encrypted, it’s stored in a central location, typically a data vault, and a token representing that data is returned to the original location. That token, which takes up less space than its encrypted analog, can be used anywhere the original information would be used. So if the data is used in multiple locations, space is saved because encrypted forms of it need not be stored at those locations. What’s more, the encrypted data is stored at only one location, making it easier to secure.
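A minimal tokenization vault, as an added example in Go written for this page rather than taken from any vendor's product: the vault keeps the card number AES-256-GCM encrypted, hands back a random 16-digit token that preserves the last four digits, and is the only component able to reverse the mapping. The in-memory maps and the keys generated at start-up are assumptions standing in for a database and an HSM or KMS; the card number in `main` is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Vault is the one place that holds card data. Every other system stores tokens only.
type Vault struct {
	aead   cipher.AEAD       // AES-256-GCM over the stored PANs
	idxKey []byte            // HMAC key for the PAN -> token index
	byTok  map[string][]byte // token -> nonce || ciphertext
	byPAN  map[string]string // HMAC(PAN) -> token, so a repeat PAN yields the same token
}

// NewVault generates keys in memory (assumption: a real vault loads them from an HSM/KMS).
func NewVault() (*Vault, error) {
	key, idx := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(idx); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead, idx, map[string][]byte{}, map[string]string{}}, nil
}

// index keys the PAN lookup by a keyed hash: a copied index reveals no card numbers,
// and, unlike a plain hash, cannot be brute-forced over the small space of valid PANs.
func (v *Vault) index(pan string) string {
	m := hmac.New(sha256.New, v.idxKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// randomToken builds 12 unbiased random digits plus the PAN's last four, so receipts can
// still print "ending 1111" while nothing else about the PAN is derivable from the token.
func randomToken(pan string) (string, error) {
	tok := make([]byte, 12)
	for i := range tok {
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		tok[i] = '0' + byte(n.Int64())
	}
	return string(tok) + pan[len(pan)-4:], nil
}

// Tokenize encrypts the PAN into the vault and returns the token that stands in for it.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("not a card number")
	}
	idx := v.index(pan)
	if tok, ok := v.byPAN[idx]; ok {
		return tok, nil
	}
	tok, err := randomToken(pan)
	for ; err == nil; tok, err = randomToken(pan) {
		if _, taken := v.byTok[tok]; !taken {
			break // retry only on the rare collision with an existing token
		}
	}
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is bound in as associated data: a ciphertext copied under another token
	// fails authentication instead of detokenizing to the wrong card.
	v.byTok[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok))
	v.byPAN[idx] = tok
	return tok, nil
}

// Detokenize is the only road back to the PAN, and therefore the call to restrict and audit.
func (v *Vault) Detokenize(tok string) (string, error) {
	ct, ok := v.byTok[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(tok))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	v, _ := NewVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN
	pan, _ := v.Detokenize(tok)
	fmt.Println("token:", tok, "detokenizes to:", pan)
}
```

Because the token is random rather than derived from the card number, there is nothing to crack outside the vault; the security question moves to who is allowed to call Detokenize, which is exactly the property that shrinks the audit scope the article describes.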

Continue reading Tokens offer more than token resistance to crackers


Data breaches increase, legal costs soar

Written by John P Mello Jr on February 16, 2010 – 6:19 pm -

Average per-record cost of a data breach has increased from $138 per victim in 2005 to $204 in 2009.


The customer cost to companies who suffer data breaches increased slightly over the last year, as did the average cost per incident, according to a recent report.

Compared to 2008, when the average per victim cost for a data breach was $202, the cost last year was $204, it was reported in the fifth annual U.S. Cost of a Data Breach study conducted by the Ponemon Institute, of North Traverse City, Mich. and sponsored by the PGP Corporation, of Menlo Park, Calif.

Also increasing a tad was the average cost per incident, to $6.75 million from $6.65 million in 2008. Although the cost of each incident climbed, the actual number of incidents declined by 24 percent, to 498 from 657 in 2008.

Although the direct costs attributed to data breaches declined in 2008, they showed a significant increase in 2009, according to the study, which analyzed 45 cases in 15 industries including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels, leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. Cases involved as few as 5000 records to as many as 101,000 records.

Direct, or ex-post, per-record costs attributed to breaches, the researchers found, jumped to $60 from $50 in 2008. “One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” they maintained. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

Continue reading Data breaches increase, legal costs soar


Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010 – 5:40 pm -

20 percent of accounts could be compromised in 5000 attempts.


A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis, conducted by the Imperva Application Defense Center, found that 60 percent of users picked passwords from a limited set of alphanumeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords such as “123456” or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or fewer, and more than 30 percent of them were six characters or fewer. By comparison, more than 28 percent of the passwords in the mix were longer than eight characters.
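To make the excerpt's figures concrete, an added Go example (written for this page, not taken from the Imperva report) that runs the same kinds of measurement over a constructed 20-entry password list: the share of accounts an attacker covers by trying only the n most common passwords, the share of passwords below the eight-character benchmark, and the share drawn from a single character class. The list is deliberately skewed the way real dumps are, with a handful of passwords shared by many accounts.

```go
package main

import (
	"fmt"
	"sort"
	"unicode"
)

// Constructed sample standing in for a leaked plaintext password dump.
var leaked = []string{
	"123456", "123456", "123456", "123456", "password", "password", "password",
	"iloveyou", "iloveyou", "princess", "rockyou", "abc123", "nicole", "daniel",
	"Tr0ub4dor&3", "correct horse battery staple", "zaq1@WSX", "monkey", "monkey", "letmein",
}

type entry struct {
	pw    string
	count int
}

// rankByFrequency orders distinct passwords most-common first; ties are broken
// alphabetically so the ranking is deterministic.
func rankByFrequency(pws []string) []entry {
	counts := map[string]int{}
	for _, p := range pws {
		counts[p]++
	}
	ranked := make([]entry, 0, len(counts))
	for p, c := range counts {
		ranked = append(ranked, entry{p, c})
	}
	sort.Slice(ranked, func(i, j int) bool {
		if ranked[i].count != ranked[j].count {
			return ranked[i].count > ranked[j].count
		}
		return ranked[i].pw < ranked[j].pw
	})
	return ranked
}

// Coverage is the attacker's view: try the n most common passwords against every
// account and report the fraction of accounts that fall. On the real 32-million set,
// n = 5000 is the calculation behind "20 percent of accounts in 5000 attempts".
func Coverage(pws []string, n int) float64 {
	ranked := rankByFrequency(pws)
	if n > len(ranked) {
		n = len(ranked)
	}
	hit := 0
	for _, e := range ranked[:n] {
		hit += e.count
	}
	return float64(hit) / float64(len(pws))
}

// charClasses counts how many of lower, upper, digit and other appear in pw.
func charClasses(pw string) int {
	var present [4]bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			present[0] = true
		case unicode.IsUpper(r):
			present[1] = true
		case unicode.IsDigit(r):
			present[2] = true
		default:
			present[3] = true
		}
	}
	n := 0
	for _, p := range present {
		if p {
			n++
		}
	}
	return n
}

// Fraction returns the share of passwords for which pred holds.
func Fraction(pws []string, pred func(string) bool) float64 {
	k := 0
	for _, p := range pws {
		if pred(p) {
			k++
		}
	}
	return float64(k) / float64(len(pws))
}

func main() {
	for _, n := range []int{1, 2, 5} {
		fmt.Printf("top %d password(s) cover %.0f%% of accounts\n", n, 100*Coverage(leaked, n))
	}
	fmt.Printf("%.0f%% shorter than 8 chars, %.0f%% from a single character class\n",
		100*Fraction(leaked, func(p string) bool { return len(p) < 8 }),
		100*Fraction(leaked, func(p string) bool { return charClasses(p) == 1 }))
}
```

The coverage curve is the number that matters for an online attack: a lockout or rate limit that allows a few thousand attempts per account over time is enough to harvest the accounts sitting on the most common passwords, regardless of how strong the remaining ones are.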

Continue reading Survey identifies worst password practices


Hybrid malware spreading via USB devices

Written by John P Mello Jr on February 3, 2010 – 5:01 pm -

Zimuse leverages an IQ test to infect its victims.


An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.

What makes the pernicious program unusual is its destructiveness. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that’s your line of business, stealth, not havoc, is your modus operandi. Zimuse’s creators, though, don’t seem to care about monetary gain. Proliferation and mayhem appear to be their game.

Given the putative origin of the malware, it’s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.

The malware is a two trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host’s Windows operating system and cripples it.

One way Zimuse distributes itself is by compromising legitimate Web sites. It’s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer’s hood.

Continue reading Hybrid malware spreading via USB devices


Protecting the enterprise from mobile devices

Written by John P Mello Jr on February 1, 2010 – 6:30 pm -

As often happens with electronics trends, the proliferation of a consumer device soon results in that gadget knocking on the door of the enterprise. That’s the case with smartphones. The trend started with the BlackBerry, was supercharged by the iPhone and will continue to grow with phones running Google’s Android operating system.

What’s worrisome about these devices is that they run applications, far too many for any IT department to vet for security. Jupiter Research, acquired by Forrester Research in 2008, estimates that by 2014, 20 billion apps will be downloaded annually to smartphones.

That is a nightmare in the making for network administrators, who see legions of unknown programs touching their enterprises. Such apps already exist for the iPhone to directly access enterprise programs like SAP and Oracle. And with more apps on the way, the potential for them to spread malware or facilitate unauthorized access to precious data is a sobering thought for gatekeepers.

One way to get a handle on mobile devices invading an enterprise is to impose tough policies on employee use of their mobiles when performing office tasks. Monitoring policy compliance manually, though, can be an overwhelming task for overtaxed IT departments. There are automated systems for ensuring compliance, but they can be expensive to implement.

There are also some drawbacks to keeping a tight rein on smartphone use. By limiting an employee’s choices on how he or she must work, a policy could adversely impact the worker’s productivity. Then there’s the problem with exceptions to the rule. If someone higher up on the corporate food chain than an IT gatekeeper wants to use a particular application, whether it’s risky or not, an exception to its use will likely be made.

Continue reading Protecting the enterprise from mobile devices


Net security hole could take year to fix

Written by John P Mello Jr on January 19, 2010 – 4:56 pm -

A fix for a flaw in an important Internet security protocol is ready for prime time, but it will be many months before the patch is fully deployed, according to technical experts.

The authentication vulnerability in TLS/SSL, the most widely used security protocol on the Net (the renegotiation flaw), could be exploited by attackers for all kinds of mischief. Because the protocol is built into browsers and Web servers to protect high-value information, the flaw affects a wide range of technologies, including online banking, back-office systems using Web-based protocols, non-HTTP applications such as mail and database servers, mobile phones, wireless access points, DECT phones and home security systems.

The vulnerability was discovered last September by researchers at PhoneFactor, a security service provider in Overland Park, Kansas, but was kept under wraps until November when another security expert, working independently, made the flaw public on a mailing list sponsored by the Internet Engineering Task Force (IETF).

With the cat out of the bag, PhoneFactor decided to push out a press release on the subject. In it CTO Steve Dispensa, who, along with Marsh Ray, initially unearthed the flaw, stated,

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols,” he added. “While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”

Continue reading Net security hole could take year to fix


Act like a hacker with WPA Cracker

Written by John P Mello Jr on January 13, 2010 – 4:50 pm -

Does the security of your company’s WiFi networks keep you awake at night? Would you like to test the strength of the passphrases on those networks but can’t afford to tie up a computer for days or weeks to do it? Then a new service called WPA Cracker might be for you.

The recently launched pay-as-you-go service is aimed at “penetration testers.” It links some 400 computers in “the cloud” to accomplish in minutes what would take days or weeks for a single desktop or laptop.

Designed to crack WPA or WPA2 networks that use a pre-shared key (PSK), the service mounts dictionary attacks against a network’s passphrase using massive word lists. It will also crack passwords to zip archives.

The main dictionary used by the service contains 135 million English-language candidates tailored to WPA and WPA2 passphrases. In addition, there are a 284 million word extended dictionary and a 100 million entry digit dictionary. The extended dictionary is disjoint from the standard one: none of its words appear in the standard dictionary. The digit dictionary contains eight-digit numeric passphrases. Each dictionary can be run against a network separately or all three together as a 520 million password resource. A German dictionary is also offered by the service.
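What the service has to compute for every candidate, as an added Go example written for this page (not WPA Cracker's own code): a WPA/WPA2-PSK client derives the 256-bit pairwise master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so each guess costs 8192 HMAC-SHA1 computations and the SSID acts as a salt that defeats precomputed tables across networks. The network name, passphrase and word list are constructed. One simplification is labelled in the code: real tools recover the PMK indirectly by checking the MIC of a captured four-way handshake; here the candidate PMK is compared with a known one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// pbkdf2HmacSha1 is PBKDF2 (RFC 2898) with HMAC-SHA1, written out so the per-guess
// cost is visible: iter HMAC computations for every 20-byte block of output.
func pbkdf2HmacSha1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)          // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_j = PRF(P, U_{j-1}); T = U1 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPA2PMK derives the pairwise master key exactly as a WPA/WPA2-PSK station does.
// The 4096 iterations are what make a single machine slow and a 400-node cluster attractive.
func WPA2PMK(passphrase, ssid string) []byte {
	return pbkdf2HmacSha1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// DictionaryAttack tries each candidate against a target PMK and returns the passphrase
// that produced it, or "" if the word list did not contain it. Simplification: real tools
// validate each candidate against the MIC of a captured four-way handshake instead of
// comparing PMKs directly; the per-candidate PBKDF2 cost, which is the point, is the same.
func DictionaryAttack(targetPMK []byte, ssid string, dictionary []string) string {
	for _, cand := range dictionary {
		if len(cand) < 8 || len(cand) > 63 {
			continue // not a legal WPA passphrase, so never worth the 4096 iterations
		}
		if hmac.Equal(WPA2PMK(cand, ssid), targetPMK) {
			return cand
		}
	}
	return ""
}

func main() {
	// Constructed scenario: the network's real passphrase is a word in the list.
	ssid := "CorpGuest"
	target := WPA2PMK("sunshine1", ssid)
	dictionary := []string{"password", "12345678", "letmein!", "sunshine1", "qwertyuiop"}
	if found := DictionaryAttack(target, ssid, dictionary); found != "" {
		fmt.Printf("PSK for %q is %q (PMK %s)\n", ssid, found, hex.EncodeToString(target))
	}
}
```

Two consequences follow from the derivation. First, the defence is entirely in the passphrase: a passphrase outside any word list forces the attacker to pay the PBKDF2 cost for every candidate in a far larger space, and no amount of cloud capacity changes that ratio. Second, because the SSID is the salt, a precomputed table is only useful for networks sharing that exact name, which is why the service's dictionaries are plain word lists rather than rainbow tables.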

Continue reading Act like a hacker with WPA Cracker
