Data loss gets personal

Security experts say hackers are going straight for information in 2007

This year, hackers won’t wait for a misplaced laptop PC to get information — they’ll go straight for it, security experts say.

Data breaches and the loss of personally identifiable information was the big information technology security story in 2006. It began with the theft of a Department of Veterans Affairs employee’s laptop and external hard drive that held the personal information of 26.5 million people and continued as new Office of Management and Budget disclosure rules revealed information losses and data breaches throughout many agencies.

“If the headline in 2006 was incidental [data] loss, then the headline in 2007 is the intentional theft of information,” said Ted Julian, vice president of marketing at Application Security, a database security firm.

New tools and techniques and the ever-increasing amount of spam could pose a unique threat — both external and internal — to sensitive data and personal information. Combine the sheer volume of attacks with those sophisticated new techniques and data breaches at federal agencies are almost inevitable.

“Statistically, you’re going to have victims,” said Jerry Dixon, acting director of the Homeland Security Department’s National Cyber Security Division.

Reports from IT security company McAfee show that more than 100 million people had personal information stolen since February 2006. “The numbers are staggering,” said David Marcus, security research and communications manager at McAfee.

That information can be financially lucrative, which is why attackers are becoming more active. For example, spammers will search regularly circulated, interoffice information, such as headlines of office memos or names of colleagues and bosses, and include that data in their spam.

Such attacks are considered a new type of phishing scam, dubbed spear phishing for its specificity.  Many people won’t think an e-mail message is spam if they see familiar information on it, Marcus said. A successful attack could trick users into clicking on a link to a Web site that steals their password or installs malware such as trojans, viruses or keyloggers on their computers.

Spear phishing has already hit federal agencies. The Joint Task Force-Global Network Operations informed the Defense Department last fall that spear phishing attacks had affected all ranks and services.

Dixon said those attacks will only increase because of mounting spam campaigns. He said agencies should watch for the blending of spam techniques and phishing methods.

Spam filters can also be bypassed using images. Image spam uses embedded JPEG or GIF image files as the body of the e-mail message. The textless e-mail message bypasses standard e-mail filters.

Image spam techniques aren’t just an external threat.

“The same techniques you use for…image spam are the same techniques you use for doing outbound data leakages,” said Matt Galligan, vice president of the federal sales division at Secure Computing. Just as image spam evades e-mail filters, insiders can simply take a digital photo of sensitive data and e-mail it, bypassing extrusion-detection techniques.
McAfee’s top IT security concerns for 20071. Password-stealing Web sites: Links and spam leading to fake sign-in pages for popular online services are increasing, endangering secure log-in information.
2. Video on the Internet: Streamed videos on the Internet can support embedded content, which can include malicious software.
3. Mobile phones: Cell phones will be hit by Bluetooth spam and text message phishing.
4. Spam and image spam: A tactic that now encompasses 40 percent of all spam, image spam bypasses e-mail filters by placing messages in embedded image files.
5. Adware: Adware is spyware that checks browsing history for the purpose of advertising. Many adware cookies can capture personal information and transmit it to third parties.
6. Botnets: Bots are computer programs that perform automated tasks, usually across a large network of computers.
7. Parasitic malware: Parasitic malware takes advantage of malicious software already present on a computer.
8. Rootkits: These software tools conceal running processes, effectively making the installation of dangerous programs undetectable.
9. Vulnerabilities: Disclosed vulnerabilities in software applications rose considerably in 2006 compared with 2005, and McAfee says even more will be found in 2007. Fuzzers, or tools that allow large-scale testing of
programs, will give researchers the ability to find more vulnerabilities more quickly than before.
10. Identity theft: The theft of personal information  that criminals then use to victimize people exacts a high toll.

Source: McAfee

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group