24. November 2009 · Massive T-Mobile UK trade secret theft perpetrated by insider · Categories: Breaches, Data Loss Prevention, Trade Secrets Theft

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. The records, which included contract expiration dates, were sold to T-Mobile competitors or to third-party brokers, who "cold called" the T-Mobile customers as their contracts were about to expire in order to get them to switch carriers.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data…"

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of risk (threat, asset value, likelihood and economic loss) in the context of trade secret theft.

The overall threat is increasing, as the specific methods for stealing digital assets constantly evolve. Economic loss, depending on the value of the trade secret asset, can range from significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the likelihood of theft of any trade secret held in digital form ever being rated as low. Unfortunately we do not have well-accepted quantitative metrics for measuring the degree to which administrative and technical controls reduce that likelihood.

Therefore trade secret theft risk mitigation is really a continuous process rather than a one-time effort. New threats are always appearing, so administrative and technical controls must be constantly reviewed and, where appropriate, new ones implemented in order to minimize the risk of trade secret theft.

22. November 2009 · OWASP Top Ten 2010 Release Candidate 1 available for review · Categories: Application Security, IT Security 2.0

The OWASP Top Ten 2010 Release Candidate 1 is now available for review. Security Ninja has a comprehensive summary of the vulnerability list and excellent comments.

OWASP is far and away the most comprehensive source of secure web application development guidance. And it's free.

22. November 2009 · Microsoft IE8 XSS prevention feature enables XSS attacks · Categories: Application Security

Dan Goodin at The Register reports that the cross-site scripting (XSS) filter in Microsoft's IE8 can itself be used to create an XSS attack.

IE8 attempts to block reflected XSS by modifying the response, i.e. the content of the web page the web server returns to the browser, neutering the fragment it considers suspicious. The NoScript Firefox add-on takes the opposite approach: it modifies the request before it leaves the browser for the web server, and never touches the page the server produces. Here is more information. It appears that this vulnerability is not easily fixed because it is a design flaw rather than a coding flaw: a filter that rewrites the response is altering content the server legitimately produced, and the attacker controls the request that triggers it.
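The following toy model, added here as an illustration and not code from the original post, from Microsoft or from the NoScript project, contrasts the two designs. The single trigger pattern, the '#' neutering rule, the sample search page and its framebuster script are assumptions made for the example; the specific IE8 issue described in The Register's report is not reproduced. What it shows is the property that makes response rewriting the weaker design: a crafted link is enough to make the filter alter content the site itself served, here disabling the site's own framebuster on a page that was not XSS-vulnerable to begin with, while the request-side design only ever changes the attacker's input.

```javascript
// Added illustration of the two filter designs contrasted above. This is a toy
// model written for this page, not IE8's or NoScript's actual code: the single
// trigger pattern, the '#' neutering rule, the sample page and its framebuster
// script are all simplifying assumptions.

// HTML-encode a string for safe insertion into an HTML text node or attribute.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A search page from a site that is NOT vulnerable to reflected XSS: it encodes
// the query before echoing it, and it ships a legitimate inline script (a
// framebuster) that the site relies on for its own protection.
function renderSearchPage(q) {
  return [
    '<html><head>',
    '<script>if (top !== self) top.location = self.location;</script>',
    '</head><body>',
    '<p>Results for "' + htmlEncode(q) + '"</p>',
    '</body></html>',
  ].join('\n');
}

// The only injection signature this toy filter knows about.
const TRIGGER = /<script/i;

// Design 1 (response side, the approach the post attributes to IE8): decide
// from the REQUEST that an attack is in flight, then rewrite the RESPONSE,
// neutering every '<script' in the page by inserting '#'. The filter cannot
// tell the server's own script from a reflected one, so both are neutered.
function responseSideFilter(q, html) {
  if (!TRIGGER.test(q)) return html;
  return html.replace(/<script/gi, '<sc#ript');
}

// Design 2 (request side, the approach the post attributes to NoScript):
// sanitize the REQUEST before it leaves the browser, here by stripping angle
// brackets from the parameter. The server's response is never touched.
function requestSideFilter(q) {
  return q.replace(/[<>]/g, '');
}

// Count inline <script> tags that survived intact in the delivered page.
function countIntactScripts(html) {
  return (html.match(/<script>/gi) || []).length;
}

// Run an attacker-chosen query through both designs and report how many of
// the site's own scripts are still intact when the page reaches the browser.
function simulate(attackerQuery) {
  const viaResponseFilter = responseSideFilter(attackerQuery, renderSearchPage(attackerQuery));
  const viaRequestFilter = renderSearchPage(requestSideFilter(attackerQuery));
  return {
    responseSideIntactScripts: countIntactScripts(viaResponseFilter),
    requestSideIntactScripts: countIntactScripts(viaRequestFilter),
    responseSidePage: viaResponseFilter,
  };
}

// A link carrying ?q=<script> is enough to trip the response-side filter and
// knock out the site's framebuster, even though the site never reflected the
// payload unencoded. The request-side design leaves the page as served.
const result = simulate('<script>');
console.log(result.responseSidePage);
console.log('response-side intact scripts:', result.responseSideIntactScripts); // 0
console.log('request-side intact scripts:', result.requestSideIntactScripts);   // 1
```

Run it with node. The point to take away is not the particular pattern but the trust boundary: a response-side filter hands anyone who can get a victim to follow a link a lever over the site's own code, whereas a request-side filter can only ever change what the attacker supplied.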

BTW, NoScript is the second most popular Firefox Privacy & Security add-on.

22. November 2009 · Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page · Categories: Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy

Trend Micro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or YouTube page in order to infect them with the Koobface malware agent:

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However, simply blocking Facebook may not be an option either, because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next-generation firewall, must enable you to implement fine-grained policy control and threat prevention for social networking sites like Facebook.

03. November 2009 · The new insider threat – lifestyle hackers · Categories: IT Security 2.0

CSO Online published an article yesterday called Lifestyle Hackers. It simply points out that younger employees who are very active with Web 2.0 applications like Facebook and peer-to-peer file sharing like to use these applications while at work, in the name of productivity enhancement.

The use of these Web 2.0 applications by insiders increases the risk of security breaches. In most cases these breaches are inadvertent rather than malicious, but damaging nevertheless.

It's a well-written article but not news. I have written about the increased IT security risk due to Web 2.0 applications several times:

Social Networking's Promise and Peril

Block Facebook?

Empirical evidence show that the top cyber security risks are related to Web 2.0

How to leverage Facebook and minimize risk 

Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay

If Web 2.0, then IT Security 2.0