Security Breaches 2004/2005
The DTI Information Security Breaches Survey 2004 included the following findings:
“Two thirds of UK businesses had a premeditated or malicious incident compared with just under half two years ago”
“Unsolicited email (spam) is growing rapidly and is becoming a significant issue for a third of UK businesses”
“New adopters of remote access, Internet email and web access tend to have done so without implementing any controls”
“A small reinsurer had difficulties when an employee was dismissed for visiting mildly pornographic websites at work. At an employment tribunal he claimed that this was not breaking the law. Since the company did not have a clear policy on such matters, he argued that his dismissal was unfair. The company decided to agree a settlement rather than pursue the matter.”
“One business commissioned an outside company to carry out social engineering tests. It was incredible how much information they were able to access. They were also able to gain access to what the business thought were its most secure buildings. Their favourite trick to get past security guards was to pretend to be delivering a birthday cake from a member of staff’s wife or partner. The results really focussed the minds of senior management on improving security.”
Here is a sample of the IT security breaches against businesses that were published. In all cases, having an IT security framework would have reduced the likelihood and the probable impact of these breaches.
“Phishing” attack emails impact large banks
Four of the UK’s largest banks have started delaying the time it takes to make an online bank transfer in an attempt to clamp down on phishing fraud.
At the weekend, The Times named four banks - Barclays, NatWest, HBOS, and the Royal Bank of Scotland - as having introduced new procedures for transfers between bank accounts at the same bank. There are already natural delays for transfers between different banks, so it is believed phishers had started using local accounts to speed the theft of funds before fraud could be detected. (Techworld 17/5/2005)
Vulnerability in a secure protocol
Secure business networks are at risk thanks to a vulnerability in a fundamental protocol, according to security researchers at the Massachusetts Institute of Technology (MIT).
Researchers have highlighted the increasing danger of attacks exploiting weaknesses in SSH (Secure Shell), and warned that such attacks are likely to be automated in the near future. The risks are not theoretical - SSH weaknesses were involved in a spate of attacks last year, including the theft of source code from Cisco Systems and a series of compromises affecting major universities, corporations, national laboratories, super-computing centres and military institutions, the researchers said. (Techworld 16/5/2005)
Malicious Software Interrupts Financial Organisation
Reuters was temporarily forced to shut down its instant messaging service Thursday after a computer worm spread across its network. The culprit - Kelvir-U - is a variant of a worm family that targets MSN and Windows Messenger clients and previously posed no risk to Reuters' tightly-controlled messaging network. This is the first incident where a virus has targeted a privately controlled user community, IM security firm IMlogic reports. (Theregister.co.uk 15/4/2005)
Unauthorised monitoring equipment
A former claims adjuster for a US insurance company is the first to be charged under federal wiretap law for the covert use of a hardware keystroke logger, after he was caught using the device while secretly helping consumer attorneys gather information to use against his own company. (SecurityFocus 25/3/2004)
Disclosure of Bulk Confidential Data
A customer database and the current access codes to the supposedly secure intranet of one of Europe's largest financial services groups were left on a hard disk offered for sale on eBay. The disk was subsequently purchased for just £5 by mobile security outfit Pointsec Mobile Technologies.
According to Pointsec, one of the hard disks contained "highly sensitive information from one of Europe's largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. There were 77 Microsoft Excel documents of customers email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company." Pointsec isn't prepared to name the careless company. (reported by The Register 7/6/2004)
Web Attack by disgruntled ex-employee
An unnamed 17-year-old clerk who was given his marching orders from UK insurance company Domestic & General responded by bombarding his former employers with 5m emails, the Sun reports.
The youth was sacked for failing to fill in a time sheet and promptly downloaded an email "bomber", which he used to unleash the attack over a three-day period. Domestic & General had to shut down its website and reportedly lost £18,000 as a result of the teen's alleged attack.
The youth said: "All the emails were harmless - just classic lines from films. I only had to pay for my internet connection. Everything else was free. I just wanted to cause them a bit of inconvenience." (theregister.co.uk 12/7/2004)