Archive for April, 2013

Legislation on Data Breach notification is needed

April 8th, 2013

According to a recently published report by Paul Smith, the Australian Bankers Association has defended the strength of the IT security processes in place across Australia's banking system. The defence followed the revelation that the Reserve Bank of Australia had been breached by Chinese computer hackers.

Despite this, security experts took the view that the incident highlighted the need for tougher Australian data breach notification laws that would force organizations to disclose when their data security has been breached.

ABA Chief Executive Officer Steven Münchenberg told The Australian Financial Review in an interview that there had been no reports of similar data breach attacks on other local banks, and that effective processes were already in place to coordinate fraud investigations with federal and state police.

Technology security experts, including Nigel Phair, former head of investigations at the Federal Police’s Australian Hi-Tech Crime Centre, warned that most businesses were vulnerable to computer hackers, and that many such attacks were being resolved quietly to avoid negative publicity for the organization.

“The Australian Bankers Association is not aware of any successful hacking attempts on Australian banks,” Mr Münchenberg said. According to him, “Banks have systems in place to protect customer information and accounts – such as employee training, employee accountability, strict privacy policies, rigorous security standards, encryption and fraud detection software.”

CYBER ATTACKS – DAILY OCCURRENCE

Security teams within banks continually assess the data breach risks posed by computer hackers and implement additional layers of security accordingly, Mr Münchenberg said.

At a National Australia Bank investor day event, the bank’s outgoing technology chief, Gavin Slater, said that cyber attacks were a daily occurrence for banks.

Mr Slater pointed to the United States, where such attacks on banks are a daily occurrence. “Just a couple of weeks ago, 11 such banks were targeted by the terrorist organizations and the criminals attacked banks in response to something that happened in the Middle East regions.

“Not a day goes by when somebody is not attempting to hack into any of the banks around Australia,” Mr Slater said.

LEGISLATION ON DATA BREACH NOTIFICATION IS NEEDED

Mr Phair, Director of the Centre for Internet Safety at the University of Canberra, said it was important that the breach at the Reserve Bank of Australia had been revealed. He also drew attention to the need for the government to pass long-planned legislation on data breach notification.

“The RBA story was hugely important, because the attack happened some time ago, and we only found out about it because of a freedom of information request,” Mr Phair said.

“We desperately need data breach legislation; we are quite behind in global terms on that, to force businesses to disclose when sensitive data is breached. I don’t know what is holding it up, and I would like to think it is achievable. It will help other government agencies and businesses, to be aware that it is not just them being targeted, that the threats are pretty wide ranging.”

CODE OF SILENCE – AN AID TO CYBER ATTACKERS

Mr Phair said that, in the past, companies hit by such attacks had tried to keep them purely confidential, staying silent about the loss of intellectual property and customer details; listed companies in particular feared spooking their investors. But, he said, the current code of silence is making it easier for cyber criminals.

According to a study by the Ponemon Institute and an estimate by KPMG, 75% of the 1000 largest Australian companies had suffered a material data breach, costing Australian companies an estimated $2.16 million per company per year.

A spokeswoman for Attorney-General Mark Dreyfus said in an interview that there were voluntary guidelines on how Australian companies and organizations should report a security breach, but that growing risks called for tougher laws to be enforced.

The spokeswoman continued, “The Australian Institute of Criminology has highlighted the increasing risk of identity fraud and theft. As more consumers put personal details into websites and use their credit cards online, the risk of privacy breaches will increase.”

“The Attorney-General is considering proposals that would require companies to report to consumers and the Commonwealth Privacy Commissioner when a data breach occurs, to improve privacy, bolster the security culture within organizations and bring Australia into line with international jurisdictions.”

Mr Phair cautioned that a significant number of Australian businesses and government agencies were unprepared for social engineering attacks of the kind used to penetrate the Reserve Bank of Australia. Such an attack only requires tricking internal staff into clicking on a fake email purporting to come from management.

He concluded, “Lots of organizations like the RBA have great perimeter and other security mechanisms in place, but this was basically just a phishing, social engineering attack. If I was one of the decent cybercriminals, that is what I would be doing.”

“People are the most susceptible and the weakest link, so you target them with what looks like a bona fide email, with an executable file in an attachment, and that is how you gain a weakness.”

According to Mr Phair, the RBA’s subsequent claims that the attacks had been contained and that no sensitive data had been stolen were, to a great extent, a public relations move to calm fears in the market.

He said it is impossible to know exactly what intruders do once they gain access to a network.

He also believed the problem was far more widespread than is ever reported, because a large number of hacking victims remain unaware that they have been compromised, and said it was entirely appropriate for the RBA to have come out with its response publicly.

Raymond Choo, a security specialist based at the University of South Australia, said that the process of reporting security data breaches needed to be simplified in order to encourage organizations to come forward.

Dr Choo also said that giving citizens and businesses a one-stop 24/7 website for reporting malicious cyber crime activity online would increase openness about cyber crime, and could lead to greater collaboration between the community and the authorities.

He also said it had become vital to foster better data and information sharing among the public and private sectors, researchers and other key stakeholders.

“The 2011 revised NATO policy on cyber defence sets out a clear vision of how the alliance plans to bolster its cyber efforts. . . which includes working with partners, international organizations, academia and the private sector in a way that promotes complementarity and avoids duplication,” Dr Choo said.

“This would allow co-ordinated action by government and law enforcement agencies, and enable all stakeholders to have a better understanding of the frequency and extent of cyber crime incidents and be better equipped to respond to them.”

Encryption software prevents data breaches

Traditional antivirus approaches don’t work any more and a new approach to endpoint security is required to better protect your company from malicious threats.

The above threat could simply have been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec further offers computer protection software from Check Point as a fully customizable and pre-packaged data encryption software solution. It can help you dramatically reduce your cost of ownership for encrypting your laptops.

Hardware giant narrowly averts PC security nightmare

April 6th, 2013

American Megatrends, a company that specializes in PC hardware and firmware, has attempted to calm rising alarm over the leak of cryptographic signing keys and the source code for its UEFI (Unified Extensible Firmware Interface) BIOS, the code that starts up millions of computers around the world. The leak came to light when US security researcher and penetration tester Adam Caudill was alerted by his research partner Brandon Wilson to a Taiwanese vendor that had left an FTP (File Transfer Protocol) server open for public browsing and downloading. The incident posed yet another challenge for computer protection, and one made all the more damaging by the fact that encryption software protecting the data on the server could easily have averted such a mishap.

Alongside internal emails and other data, the exposed material included the source code for American Megatrends Incorporated’s UEFI BIOS and the cryptographic signing keys used to verify it. It was therefore very much in American Megatrends’ interest to ensure that proper encryption software protected such data, so that leaks of this kind did not keep threatening the company. With both the UEFI BIOS source code and the signing keys used to verify the final binaries exposed, researchers feared that attackers might create and/or disseminate malicious firmware updates, which in turn could be used to compromise and control millions of computers worldwide for a long time to come. According to Caudill, “this kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.”

BIOS, or basic input/output system, is code stored in non-volatile read-only memory on personal computers and similar devices. It runs when a device starts up, initialising hardware such as the keyboard, storage and video before loading the operating system. The company has been developing a Unified Extensible Firmware Interface since 2005 to overcome the limitations of the original Basic Input Output System (BIOS) specification, which was designed for 16-bit computers decades ago, and to provide further features such as cryptographic security for the boot process. American Megatrends, which claims to be the largest BIOS vendor in the world, responded to Caudill and Wilson’s findings by stating that the signing keys on the FTP server were in fact test keys and were not used for production systems.

Subramonian Shankar, Chief Executive and Co-founder of American Megatrends, stated in an interview after the leak that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them.” Caudill noted that while AMI instructs all vendors using its UEFI BIOS to change the key before building a production environment, it is not yet known whether the customer with the open FTP server was following that practice. Caudill did not reveal which Taiwanese vendor had leaked the information.

Get your personal as well as office laptops encrypted by Alertsec

With so many vulnerabilities on public networks, unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe, not only in terms of the monetary fines imposed on the organization but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data, as the information is not compromised if a laptop is lost or stolen. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.