Data loss gets personal

Security experts say hackers are going straight for information in 2007

This year, hackers won’t wait for a misplaced laptop PC to get information — they’ll go straight for it, security experts say.

Data breaches and the loss of personally identifiable information was the big information technology security story in 2006. It began with the theft of a Department of Veterans Affairs employee’s laptop and external hard drive that held the personal information of 26.5 million people and continued as new Office of Management and Budget disclosure rules revealed information losses and data breaches throughout many agencies.

“If the headline in 2006 was incidental [data] loss, then the headline in 2007 is the intentional theft of information,” said Ted Julian, vice president of marketing at Application Security, a database security firm.

New tools and techniques and the ever-increasing amount of spam could pose a unique threat — both external and internal — to sensitive data and personal information. Combine the sheer volume of attacks with those sophisticated new techniques and data breaches at federal agencies are almost inevitable.

“Statistically, you’re going to have victims,” said Jerry Dixon, acting director of the Homeland Security Department’s National Cyber Security Division.

Reports from IT security company McAfee show that more than 100 million people had personal information stolen since February 2006. “The numbers are staggering,” said David Marcus, security research and communications manager at McAfee.

That information can be financially lucrative, which is why attackers are becoming more active. For example, spammers will search regularly circulated, interoffice information, such as headlines of office memos or names of colleagues and bosses, and include that data in their spam.

Such attacks are considered a new type of phishing scam, dubbed spear phishing for its specificity.  Many people won’t think an e-mail message is spam if they see familiar information on it, Marcus said. A successful attack could trick users into clicking on a link to a Web site that steals their password or installs malware such as trojans, viruses or keyloggers on their computers.

Spear phishing has already hit federal agencies. The Joint Task Force-Global Network Operations informed the Defense Department last fall that spear phishing attacks had affected all ranks and services.

Dixon said those attacks will only increase because of mounting spam campaigns. He said agencies should watch for the blending of spam techniques and phishing methods.

Spam filters can also be bypassed using images. Image spam uses embedded JPEG or GIF image files as the body of the e-mail message. The textless e-mail message bypasses standard e-mail filters.

Image spam techniques aren’t just an external threat.

“The same techniques you use for…image spam are the same techniques you use for doing outbound data leakages,” said Matt Galligan, vice president of the federal sales division at Secure Computing. Just as image spam evades e-mail filters, insiders can simply take a digital photo of sensitive data and e-mail it, bypassing extrusion-detection techniques.
McAfee’s top IT security concerns for 20071. Password-stealing Web sites: Links and spam leading to fake sign-in pages for popular online services are increasing, endangering secure log-in information.
2. Video on the Internet: Streamed videos on the Internet can support embedded content, which can include malicious software.
3. Mobile phones: Cell phones will be hit by Bluetooth spam and text message phishing.
4. Spam and image spam: A tactic that now encompasses 40 percent of all spam, image spam bypasses e-mail filters by placing messages in embedded image files.
5. Adware: Adware is spyware that checks browsing history for the purpose of advertising. Many adware cookies can capture personal information and transmit it to third parties.
6. Botnets: Bots are computer programs that perform automated tasks, usually across a large network of computers.
7. Parasitic malware: Parasitic malware takes advantage of malicious software already present on a computer.
8. Rootkits: These software tools conceal running processes, effectively making the installation of dangerous programs undetectable.
9. Vulnerabilities: Disclosed vulnerabilities in software applications rose considerably in 2006 compared with 2005, and McAfee says even more will be found in 2007. Fuzzers, or tools that allow large-scale testing of
programs, will give researchers the ability to find more vulnerabilities more quickly than before.
10. Identity theft: The theft of personal information  that criminals then use to victimize people exacts a high toll.

Source: McAfee

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above