Wednesday, January 25, 2006

Free website to list programs with spyware

Here's a new way to attack spyware: embarrass its purveyors.
A free website (StopBadware.org) launching Wednesday plans to provide a list of programs that contain spyware and other malicious software. It will also identify companies that develop the programs and distribute them on the Internet.
Consumers can then decide if a program is safe to download.
"For too long, these companies have been able to hide in the shadows of the Internet," says John Palfrey, who heads the Berkman Center of Internet & Society at Harvard Law School and is spearheading the project. "What we're after is a more accountable Internet."
The initiative is being run by Harvard and the Oxford Institute and is backed by high-tech heavyweights including Google and Sun Microsystems. Consumer Reports' WebWatch is serving as a special adviser.
Spyware invades PCs without users' knowledge when they download applications such as music file-sharing programs or screen savers, or visit certain websites. Often, spyware tracks Web-surfing habits and bombards victims with related pop-up ads. More nefarious versions monitor keystrokes to steal Social Security numbers or passwords for identity theft.
Also on the hit list of the StopBadware coalition are malicious "adware" programs that serve up onslaughts of pop-up ads or software that contains hidden viruses and worms.
At least 60% of home PCs are infected with one or more of these "badware" programs, says Forrester Research analyst Natalie Lambert.
The prevalence of the programs has spawned a booming industry of anti-spyware and anti-virus software. Internet providers such as America Online and EarthLink include the software free with service. But such programs typically can't identify all the rogue software on a PC and might not be able to eradicate a deeply embedded program even if they do, says Ferris Research analyst Fred Berlack.
By checking StopBadware.org, its organizers say, consumers can choose, in the first place, not to download a program containing the malicious software. The coalition is encouraging consumers to visit the website to log their experiences with harmful programs.
It will then use that information to compile reports on suspect programs, websites and companies that foist the software on consumers without getting their consent. The worst offenders will be spotlighted. It will take several months to gather a significant-size database, Palfrey says.
Some websites already provide information on spyware. Others identify suspect software for a fee. But the StopBadware group says it aims to be the biggest free clearinghouse.
Berlack is skeptical that many consumers will use the service. "I don't think the average Joe has the time or inclination to check every time he opens up a new website or downloads a program," he says.
But Te Smith, of consultants FFW Partners, says, "Anything that helps people be more informed is useful. I applaud these companies for using their market presence and reach to try to educate consumers."

Written by: Paul Davidson, USA TODAY

The Worst-Case Hack Scenario

A flurry of data breaches at major corporations late last year seemed to confirm a growing consensus among computer-security experts that 2005 was the worst year yet for such transgressions. Incidents at Marriott International, Ford Motor Company, and ABN Amro Mortgage Group served as eerie reminders to CIOs that they could be the next victims of thieves looking to poach Social Security and credit-card numbers, or of business-process breakdowns that cause sensitive information to fall into the wrong hands.
Most CIOs will tell you that getting hacked is inevitable. But there is getting hacked, and then there is getting sacked.
As the volume of information increases and criminals grow more brazen, the chances of companies suffering a worst-case scenario seem less remote every day. Part of any CIO's duty is to convince the boss that the company is ready for the very worst security crisis imaginable.
Tales of Tech Terror
An example of just how easily a security problem can hit a company is the data breach Ford Motor Company reported in the first week of January. Ford officials reported the theft of a computer with files that have the names and Social Security numbers of approximately 70,000 current and former employees of the company.
Adding insult to significant injury, that theft had nothing to do with network intrusion or social-engineering tricks typically employed by data thieves. Neither did the disappearance in December of a box containing information on some two million customers of ABN Amro Mortgage Group, one of the nation's largest mortgage lenders.
ABN Amro's customers learned that their Social Security numbers and other personal information were lost by a DHL courier on the way to the credit bureau Experian. A month later, a DHL worker found the unlabeled carton of data in the same DHL facility where it had been lost.
Meanwhile, someone at the corporate offices of Marriott Vacation Club International, in Orlando, Florida, either misplaced or removed computer backup tapes containing data about some 206,000 associates, timeshare owners, and customers. The company reported the missing tapes in late December.
Marriott officials mailed notifications to the affected people. In an effort to quell panic about possible identity theft, corporate officials said that the tapes require specialized equipment to read their content. Marriott is investigating how the tapes went astray and will monitor for unusual activity or possible misuse of the data.
We Have a Situation
Data security is a topic most corporate CIOs are reluctant to discuss. The consensus is, the less said, the better for the corporate image. But that does not mean CIOs are sitting around with their hands in their pockets wondering how to convince their bosses that the sky is not about to fall.
"Actually, believe it or not, many CIOs do already have a worst-case scenario list," said Ed Moyle, manager of Information Security Services at CTG and an analyst at Illuminata. "The specific terminology varies from firm to firm, but a situation report is one common way that a CIO can keep an eye on how the firm's I.T. infrastructure is impacted by developments in the outside world such as worms, viruses, and fraud activity."
The situation report might be prepared by CIO staff and contain high-level information about threats in the environment and the company's position with respect to each threat. Moyle said the staff might draw on data from Web sites like the SANS Internet Storm Center, which actively monitors and warns of attacks, or they might collaborate with peers to gauge the effectiveness of their security measures.
Keeping a list of threats is only the first step in crisis management, Moyle said. Most large companies also are likely to have an incident-response plan that details how I.T. personnel will respond to particular types of threats, including information about whom to call when a threat occurs and how to make sure the right people are involved.
Opening It Up
At General Motors, the approach to crisis management is very different than it was a few years ago. Back then, responding to worst-case scenarios was much like applying triage to a catastrophe, said Eric Litt, chief information security officer for Global Information Security at GM Information Systems and Services.
"Now we try to assess threats and decide how to handle them before the crisis hits," he said.
GM is unique in that it outsources 100 percent of its I.T. By necessity, the global operation requires around-the-clock scrutiny, and that includes preparation for nightmare scenarios. "We operate 24-7 so computer security incidents and events are handled no differently than other kinds of incidents," Litt said.
GM follows a model that aligns Litt with each sector of the corporate structure while allowing him oversight of the operations and support of the I.T. department. Because the company is always functioning at multiple locations worldwide, the data security infrastructure is more expansive, and concerns over data breaches are not treated as a separate entity linked only to I.T.
Litt said that this is a big change in the way he approaches his job. "I no longer worry about what could go wrong," he said.
Assessing Risk Clearly
Today's CIOs are more keyed in than ever on the risks that hackers pose, said Paul Stamp, an analyst at Forrester Research. That focus has strengthened the defenses around company perimeters and shifted focus somewhat to threats from within.
"CIOs are now better equipped to stay ahead of the security curve," said Stamp. "The feeling now is that the perimeter holes have been licked." In fact, he said, studies have shown that most security breaches in the last two years have come fairly consistently from inside corporations.
Despite this recent success against outside threats, CIOs are still struggling with how to communicate specific threat information to the bosses, said Moyle. "That's where the situation gets tricky," he said.
Since CEOs are focused on increasing the profitability of the firm, he said, many of them regard security as an expense that draws money away from investment in the business. To win over the CEO, information officers must demonstrate how activities within their purview affect the bottom line.
"By using data from their threat-tracking efforts, the CIO can demonstrate how I.T. investment impacted the bottom line in terms of cost savings," said Moyle. In other words, if a CIO can prove that money spent resulted in money saved, it could ease the pain involved in outlining a worst-case scenario.
"Granted, it is very difficult to get anything but a rough estimate from these metrics," Moyle said, "but a rough estimate is better than no estimate at all."
As to the degree of worry that CIOs have, Moyle conceded that quite a few CIOs are worried about attacks, incidents, and other types of security threats. And to him that is not a good sign.
"Worry in a CIO reflects uncertainty in the management process," said Moyle. For example, in a well-prepared company, a CIO might have metrics to help predict how likely an incident is to occur and how much it is likely to cost the company. He or she can then look at the balance sheet and make a considered determination as to how much to spend.
But if CIOs are panicked, it's a sign that their confidence in that process is not there for one reason or another, Moyle said. "The metrics might be so skewed as to be useless. They might not have metrics at all. They might have no way of tracking threats, or they might not have a defined response process, and so on."
The Best Defense
Moyle likened the role of the CIO in handling risk management to having flood insurance. Financial officers do not stay up late at night worrying whether there will be a flood, and adequately prepared CIOs shouldn't lose any sleep either.
The CIOs who manage risks effectively have become successful in showing their bosses the need to build computer systems from the ground up rather than to bolt on fixes, according to Forrester's Stamp. "[Risk management] is now a laundry list of things to do. Security is no longer a separate department. Rather, it is integrated into business practices," he said.
That integration seems to be the key to understanding and preparing for a worst-case scenario. Instead of having a plan waiting behind a pane of glass, to be broken out only in case of emergency, CIOs would seem to be best served telling their bosses that the systems are already in place to respond to a data-security crisis.
Besides, as GM's Litt sees it, a worst-case scenario, in the truest sense of the term, is one that is not survivable. The best CIOs can do is to have a plan in place to mitigate attacks effectively and be ready to follow it whenever needed.
"That doesn't mean an attack will never have an impact on the business," Litt said. "There is no such thing as a perfect security plan."

Written by: Jack M. Germain, cio-today.com

Nyxem Worm Programmed to Erase Files

Antivirus vendors are warning of a rapidly spreading worm that carries a potentially destructive set of instructions. The Nyxem worm--also nicknamed the Kama Sutra worm--is programmed to overwrite, on February 3, all of the files on the computers it infects, says Mikko Hypponen, chief research officer at F-Secure.
F-Secure researchers found the worm truncates files to 20 bytes and causes an error message when one is opened, he says.
"We are expecting to see problems in two weeks' time," Hypponen says.
The worm appears to be programmed to overwrite all files on the third day of every month, Hypponen says. So far, there's no indication where Nyxem originated.
While most antivirus vendors have issued updates for their software, Nyxem is spreading quickly, and its creators have posted a counter on a Web site that records new infections. According to F-Secure's security blog, the counter was showing around 510,000 infections as of Sunday night.
Nyxem infections may be rising because it is taking advantage of computers that have already had their antivirus software disabled by some other virus such as Bagle, Hypponen says.
Dated Technique
The worm, which is spread through e-mail, uses a dated technique to entice users by promising pornography, says Graham Cluley, senior technology consultant at Sophos. Nyxem lacks the sophistication of recent Trojan horse-style viruses that are more targeted and less prevalent in order to evade detection, Cluley says.
Nonetheless, users appear to still be clicking, and the worm was accounting for about 35 percent of virus traffic as of Monday morning, he says.
"It's a bit of a throwback to an old trick," Cluley says.
The worm harvests e-mail addresses and then sends itself out again. The e-mail subject line may contain text that says "Miss Lebanon 2006" or "School girl fantasies gone bad," according to Sophos.

Written by: Jeremy Kirk, IDG News Service