CIO Symmetry:

Security

Jun 5 2009   3:29PM GMT

Looming questions for managing your data protection services

Posted by: Linda Tucci
Security, Storage

Should midmarket companies consider using outside providers to manage their data protection services? For companies with smaller staffs and budgets, using a third-party provider to manage their data protection services can pay off, as long as certain issues, including security, are addressed up front.

For a story I did this week on a Houston-based nonprofit moving from tape backup to an online data backup and recovery service, I asked analysts to give me some sense of the enthusiasm out there on the degree to which companies are using outside providers to manage their data protection services.

The resistance to using outside providers for data protection services has fallen from near 70% a few years ago to 32% now, according to Gartner analyst Adam Couture.

Burton Group analyst Gene Ruth told me there are a number of “enterprise-ready” online backup and data protection service providers out there who are growing and are particularly suited for midmarket or small companies that may not have the staff or capital to handle automated data backup and storage and disaster recovery facilities. They include the IBM/Arsenal Digital solution used by the Houston nonprofit profiled in my story, as well as EVault, AmeriVault and EMC’s Mozy service.

As with any newish technology, however, there are lots of questions that don’t yet have standard answers. Let’s go through some of them.

Dec 9 2008   9:11PM GMT

Recent FBI vishing scam warning an old issue

Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, Midmarket CIO

Last Friday, the FBI issued a warning about a security vulnerability that could be used by cybercriminals to make vishing telephone scams.

Vishing (combining phishing and voice) uses Voice over IP (VoIP) features to gain access to company information. In this case, the flaw was found in a free and widely used open source toolkit – Asterisk.

According to a posting on the Internet Crime Complaint Center, hackers who gain access and exploit the Asterisk flaw can potentially auto-dial thousands of people in an hour.

Security risk news spreads like wildfire and the FBI vishing warning was no exception — bloggers everywhere began weighing in. It was quickly learned, however, that the security scuttlebutt was actually an old issue.

According to a Digium blog post, the bug was originally found in March (AST-2008-03, a SIP guest permissions problem) and was patched for 1.2 and 1.4 versions of the software (1.6 releases were not vulnerable). The bug did not allow the arbitrary setting of caller ID and would work in only a limited set of circumstances.

It sounds quite similar to the telephone scams already known, no VoIP hacking necessary! The Federal Communications Commission already warns us about everything from the Mexico Collect Call Scam to the 90# Telephone scam.

Just another reminder to keep your information safe by making your passwords safer … and do your homework before going off on new exploits.


Dec 5 2008   2:46PM GMT

Bank of America rolls out new secure online banking tool

Posted by: Kristen Caretta
Security, CIO, Midmarket CIO

Bank of America has introduced a new security feature for customers – the SafePass Card. Adding more protection to transactions, the SafePass Card is Bank of America’s next layer of secure online banking.

Smartphones are being used as digital wallets, mobile online banking is occurring more frequently and Wi-Fi access points are turning into cybercrime hotbeds. The Georgia Tech Information Security Center’s Emerging Cyber Threats Report for 2009 cited malware, botnets, cyberwarfare and threats to VoIP and mobile devices as the top security threats to be aware of – all of which aim to steal your data.

It’s no wonder one of our largest banks is looking to provide more online peace of mind. With keystroke loggers infesting email, IM and (the recently popularized) infected links on social networking sites, cybercriminals can steal your two-step login information and gain access to your account. For customers wanting added protection, the SafePass Card generates a six-digit, one-time pass code, necessary to complete online transactions. Customers can either receive the pass code via text message or by purchasing a wallet-sized card ($19.95) that generates the code (think chip and pin meets Magic 8 Ball).

And who wouldn’t want more secure online banking? Malicious programs are on the rise and many companies are not prepared for them. Napera Networks recently issued the results of a corporate network security survey. Two hundred small and medium-sized enterprises answered a series of questions probing them on network security and potential threats. According to the results, most companies surveyed were not as secure as they could be (or wanted to be). What were the networks’ weakest links? Respondents cited as the primary offenders computers not kept up to date, Wi-Fi security and encryption practices, unknown threats from mobile workers and laptops, an increased need to provide guest access and an overall lack of policy governing endpoint security.

The SafePass is a step in the right direction. Just don’t lose the card … or your mobile phone.
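The post does not say how the SafePass Card produces its six-digit code, so the following is an added illustration, not Bank of America’s code: it uses the standard HOTP algorithm (RFC 4226) to show why a one-time code defeats a keystroke logger. The `OneTimeCodeVerifier` class is a hypothetical server-side check that remembers the last counter it accepted, so a code captured by a logger is rejected when replayed. The secret is the RFC 4226 test secret, used here only so the output can be checked against the RFC’s published vectors.

```python
import hashlib
import hmac
import struct

# Constructed example secret (RFC 4226 Appendix D test value). A real token
# carries a per-device secret provisioned by the issuer, never a shared constant.
SHARED_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class OneTimeCodeVerifier:
    """Hypothetical server-side verifier: accepts a code only if it matches one of
    the next few counter values and then advances past it, so the same code can
    never be accepted twice."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1          # no code accepted yet
        self.look_ahead = look_ahead    # tolerate a few button presses the user skipped

    def verify(self, submitted: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


def demo_replay() -> tuple:
    """Show the property the post relies on: a code that was logged while the
    customer typed it is worthless once the bank has consumed it."""
    bank = OneTimeCodeVerifier(SHARED_SECRET)
    code = hotp(SHARED_SECRET, 0)        # what the card would display on its first press
    accepted = bank.verify(code)         # True: fresh code completes the transaction
    replayed = bank.verify(code)         # False: the keylogged copy is rejected
    return accepted, replayed


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(SHARED_SECRET, c)}")
    print("fresh, replay =", demo_replay())
```

The counter-based variant is shown because a card with a button behaves like an event counter; a code delivered by text message is typically time-based (TOTP, RFC 6238), which differs only in what is fed to the HMAC. Either way the defender’s point is the same: the secret never leaves the token or the bank, and anything a logger captures has already expired by the time it can be reused.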


Dec 1 2008   7:27PM GMT

Protect that Facebook profile: The risks of social networking sites

Posted by: Kristen Caretta
Security, CIO, Web 2.0, Midmarket CIO

Facebook is keeping people linked together both personally and professionally. Knowing that, it’s important to keep an eye on the security of your accounts on social networking sites — and the integrity of your online persona.

Facebook won an $873 million judgment against Adam Guerbuez of Montreal, after suing him for spamming Facebook users with sexually explicit messages. Guerbuez hacked into member profiles using phishing tricks to get users to give up their login details. Once in, Guerbuez used the compromised profiles to send out mass messages (4 million) to friends of friends.

My first thought when I heard about this: What if my account had been compromised and, as a result, my boss (and Facebook friend) received messages from my account touting male enhancement pills? That would certainly not be cool, Guerbuez. No poke for you.

One may ask why I would be Facebook friends with my boss — Facebook, the sacred, secret window into my personal life, littered with an assortment of pictures, wall posts and (dare I say it) “bumper stickers?” I keep it clean on my Facebook profile and usually follow the “don’t friend me, I’ll friend you” credo. I have noticed more and more people opting to have two Facebook accounts (although Facebook expressly forbids multiple profiles) – a personal one and a professional one. I have considered this myself but then thought, don’t I have a LinkedIn account for that? Furthermore, if someone searches for someone and finds two Facebook profiles (one with a Sears-style profile picture and one including a tequila shot-athon — both pictures clearly of that person) it may look a bit sketchy. Or smart?

Today, it’s especially important to keep it clean on Facebook – 22% of hiring managers check social networking sites before hiring someone. This number has doubled since 2006 and will continue to increase as an additional 9% of hiring managers plan on screening applicants online in the future. On top of that, 34% of the managers who screen have dropped candidates from their lists based on what was found in their profiles.


Nov 21 2008   4:15PM GMT

Recession or not, we can still give thanks for technology

Posted by: Kristen Caretta
Security, Google, CIO, Mobile, Microsoft, Midmarket CIO

Years ago, writing a “grateful” journal was all the rage. Helps to keep things in perspective (at least, that’s what Oprah told us). So, given that it’s been such a tough year for business, I thought I’d step back and see what I could find to be thankful for. Here’s my list.

5. I’m thankful for the idea of a Microsoft-free world (not that it would ever happen). But finally I see business ready for some changes in the technological hierarchy, experimenting with open source applications and operating systems. Mozilla Firefox and Google Chrome are fiercely competing with Internet Explorer – and are holding their own. It may be a long road, because legacy programs die hard, but the possibility is on the horizon.

4. I’m thankful for GOOGLE and its ability to just keep getting it right. The search engine giant with incredible apps (for both business and pleasure) introduced the G1 Google phone this year. Google is taking on Apple and Microsoft with browsers and search engines – and is now competing in the mobile device ring, welcoming open source applications. I must also thank the company for providing us with small-talk topics (“So, have you tried out the new Google Goggles?”) and connecting us with our peers on GTalk.

3. I’m thankful that we had a real example of how Web 2.0 and social networking could change the world. We saw the impact social networking and the Web generation had when it came to the election. Text messaging, Facebooking, blogging and Twittering were used by the masses to connect and promote – creating quite a stir and forever changing the way candidates campaign. From online health records to wikis, we are using the Web to manage our lives and keep us informed.

2. I’m thankful we’re all more aware of security risks. This year we’ve experienced everything from the San Francisco network lockout to concerns about VoIP and unified communications. The Emerging Cyber Threats Report for 2009 warns us of an even rockier future – estimating that 15% of online computers will be botnet-affected this year. There are no rose-colored glasses for looking at security – we know the risks.

1. I’m thankful that despite the economy, technology continues to flourish and companies continue to innovate. Even though budgets are getting cut and IT innovation is becoming more difficult, people are making it work. Costs can be cut by moving to green IT, virtualization and SaaS applications. Not too shabby.

If my glass-half-full approach didn’t satisfy your appetite, check out this year’s list of tech turkeys compiled by Rachel Lebeaux, associate editor of SearchCIO.com.


Oct 17 2008   2:20PM GMT

Microsoft hosts midmarket CIOs – Vote for the biggest CIO challenge

Posted by: Anne McCrory
Hacking, Outsourcing, CIO, Blogs, Microsoft, Midmarket CIO, CIO Jobs

A midmarket CIO’s challenges are many, and I’m always amazed by the stories I hear when I’m out on the road meeting many of you.

This week I touched down in Redmond for Microsoft’s US Midsize Business CIO Summit, an invitation-only event for about 400 midmarket CIOs. It’s a press-free conference, but I was privileged to be a speaker and thus join the technology glitterati on site.

My conversations covered a lot of topics, but what I’ll share with you here is a sampling of the folks I met. If you think your job is tough, consider those of these CIOs – then I’ll ask you to vote or share your story of trying circumstances.

- The CIO for a firm that conducts clinical trials. He has five staff in the U.S. and 25 in Europe. Based on the West Coast, he had just spent over a week on the road, first in London and then in Russia, then came directly to the conference. At home he’s on calls early in the morning and late in the evening, syncing up with staff around the world. Challenges? Language, culture. … He absolutely wasn’t griping about the travel or the hours (he didn’t even look tired!) and I know he’s hardly alone in living such a global lifestyle. But to me that seemed the most challenging part.

- The CIO who was hired to bring a food distributor into the 21st century. The company had all sorts of aging or aged systems – but the hard part was when this maverick CIO announced capabilities he wanted to roll out to the employee base. The CEO told him that sales reps were not going to use computers. Period.

- The CIO who had endured several offshoring contracts (some negotiated by his parent company), all with ill effects. In one case, employees at a provider hacked into his systems; in another, a key offshore contact left for another firm just after completing his Oracle training in the U.S. Meanwhile, he grappled with undeveloped infrastructure – he couldn’t get a switch for a new plant he was building — and bureaucrats who promised fixes and then didn’t deliver.

Do you relate to any of these experiences or have your own story of obstacles to share? Vote below for the one that seems most challenging and feel free to offer advice to the CIOs in question.


Oct 17 2008   2:11PM GMT

2009 cybersecurity threats revealed – wah waaah

Posted by: Kristen Caretta
Security, Hacking, VoIP, CIO, DataCenter, Web 2.0, Midmarket CIO

You know that new iPhone you got? Or the Android order you put in? Well, not to get all Debbie Downer on you, but your sexy smartphone is a security threat.

The Georgia Tech Information Security Center (GTISC) announced the release of the Emerging Cyber Threats Report for 2009. A big help in our overall awareness and protection, the report outlines security concerns and risks for consumer and enterprise Internet users. So what’s your mobile device got to do with it? Cell phones will become members of botnets.

In the GTISC report, Patrick Traynor, an assistant professor of computer science at Georgia Tech and member of the GTISC, delves into the “digital wallet” smartphone concept (smartphones store personal identity and payment information). He says smartphones will be injected with malware — when this happens, “large cellular botnets could then be used to perpetrate a DoS attack against the core of the cellular network.” The good news? Traynor goes on to say it will provide an opportunity to design security properly for the quickly evolving mobile communications sector.

The overall threat areas to be aware of, according to the report, are malware, botnets, cyberwarfare, threats to VoIP and mobile devices and the evolution of the cybercrime economy. The driving force behind all the attacks? The data.

The cybercrime community (a mafia of sorts, if you will) will be utilizing our recent advancements in social networking to cloak malcode. One example given in the report: Facebook wall links posted by a friend prompting users to install Flash Player updates. When the unaware user clicks to install the update, a piece of malware is installed on the machine. And just like that, the computer is involved in a botnet.

Other stats to be aware of? Botnets have become worse in 2008 and GTISC researchers estimate 15% of online computers will be botnet-affected this year. Cyberwarfare and attempts to “subvert the US economy and infrastructure” will accompany military interaction more often. And the already vulnerable VoIP? Cybercriminals will look to engage in voice fraud, data theft and other scams.


Sep 25 2008   8:29PM GMT

Are we all too busy?

Posted by: Kristen Caretta
Security, Hacking, CIO, Best Practices, Midmarket CIO

Do your users pay attention to dialog box pop-ups? If you’re thinking, “yes, of course,” read on.

A recent study by members of the psychology department at North Carolina State University shows most people do not pay any attention to these dialog boxes – even when presented with information indicating potential malware.

The authors created four fake dialog boxes – one of them was indistinguishable from standard Windows dialog systems. From subtle (moving the mouse over the “OK” button would cause the cursor to turn to a hand — typical of browser control) to blatant (alternating between black text and a white background to white text on a black background), the dialog boxes should have been a tip-off to users that something wasn’t right.

The study was conducted by loading a series of medical websites to a panel of 42 college students, who were told to watch the sites and expect questions to follow. The fake dialog boxes were loaded randomly and the responses of the users were tracked. The response time showed the users did not spend any time evaluating the fakes. During the follow-up questions, students found “any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs.”

Is there just no time for “dialog box speed bumps?” With the quick-answer Web-search service ChaCha growing in popularity, are we all too busy to even search for answers on the Web? Wasn’t that the point of the Web in the first place – a place to access information from all over the globe?

Are your users too busy to pay attention? Should you rethink the use of dialog boxes and consider another venue for that information?


Aug 21 2008   12:06PM GMT

Subway fail, Freedom fail

Posted by: Zach Church
Hacking, CIO, Midmarket CIO

Two weeks ago three MIT students were forbidden by a judge to give a presentation on how susceptible Boston’s subway fare system is to fraud.

Now another judge has allowed them to give the presentation. The problem is said presentation was scheduled for a hacker convention held two weeks ago. Funny how that works out.

Last week I commended the three students for their work and blasted the Massachusetts Bay Transportation Administration for its consistent incompetence in all matters related to running a transportation system.


Aug 12 2008   3:23PM GMT

Hackers on the MBTA, or: Why Boston’s subway system deserves to be compromised

Posted by: Zach Church
Security, CIO, Midmarket CIO

Well, this is embarrassing. Three MIT students write a paper on how to hack the greater Boston subway fare cards.

Said students are given an ‘A’ for their work and are booked to present at the annual DEFCON hacker conference in Las Vegas last weekend. The Massachusetts Bay Transportation Authority (known as the MBTA, the state agency that runs the subway) sues to keep the trio from presenting.

Filed in court to stop the presentation: Instructions on how to hack the MBTA fare system. Still available on MIT’s servers: The slide presentation to accompany the talk. This is really worth flipping through.

So not only did the MBTA’s lawsuit completely defeat its own purpose, it has also logged yet another example of the agency’s complete incompetence.

And this is why it deserves to be hacked.