Data loss gets personal

Security experts say hackers are going straight for information in 2007.

This year, hackers won’t wait for a misplaced laptop PC to get information — they’ll go straight for it, security experts say.

Data breaches and the loss of personally identifiable information were the big information technology security story in 2006. It began with the theft of a Department of Veterans Affairs employee’s laptop and external hard drive that held the personal information of 26.5 million people and continued as new Office of Management and Budget disclosure rules revealed information losses and data breaches throughout many agencies.

“If the headline in 2006 was incidental [data] loss, then the headline in 2007 is the intentional theft of information,” said Ted Julian, vice president of marketing at Application Security, a database security firm.

New tools and techniques and the ever-increasing amount of spam could pose a unique threat — both external and internal — to sensitive data and personal information. Combine the sheer volume of attacks with those sophisticated new techniques, and data breaches at federal agencies are almost inevitable.

“Statistically, you’re going to have victims,” said Jerry Dixon, acting director of the Homeland Security Department’s National Cyber Security Division.

Reports from IT security company McAfee show that more than 100 million people had personal information stolen since February 2006. “The numbers are staggering,” said David Marcus, security research and communications manager at McAfee.

That information can be financially lucrative, which is why attackers are becoming more active. For example, spammers will search regularly circulated, interoffice information, such as headlines of office memos or names of colleagues and bosses, and include that data in their spam.

Such attacks are considered a new type of phishing scam, dubbed spear phishing for its specificity. Many people won’t think an e-mail message is spam if they see familiar information on it, Marcus said. A successful attack could trick users into clicking on a link to a Web site that steals their password or installs malware such as trojans, viruses or keyloggers on their computers.

Spear phishing has already hit federal agencies. The Joint Task Force-Global Network Operations informed the Defense Department last fall that spear phishing attacks had affected all ranks and services.

Dixon said those attacks will only increase because of mounting spam campaigns. He said agencies should watch for the blending of spam techniques and phishing methods.

Spam filters can also be bypassed using images. Image spam uses embedded JPEG or GIF image files as the body of the e-mail message. The textless e-mail message bypasses standard e-mail filters.

Image spam techniques aren’t just an external threat.

“The same techniques you use for…image spam are the same techniques you use for doing outbound data leakages,” said Matt Galligan, vice president of the federal sales division at Secure Computing. Just as image spam evades e-mail filters, insiders can simply take a digital photo of sensitive data and e-mail it, bypassing extrusion-detection techniques.
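The gap described above, in which a message whose content lives in an embedded image gives a text-based filter nothing to inspect, can be narrowed by flagging mail that carries images but almost no readable text, in either direction, and routing it for further review. The following Python sketch is an added example, not part of the original article; the 40-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_TEXT_CHARS = 40  # assumed threshold; tune against your own mail flow

def visible_text_len(msg):
    """Count non-whitespace characters a reader would see in text parts."""
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue  # skip containers, images and attached text files
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = re.sub(r"<[^>]+>", " ", body)  # strip tags, keep words
        total += len("".join(body.split()))
    return total

def scan(raw_bytes):
    """Return (flagged, image_count, text_chars) for one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    images = sum(1 for p in msg.walk() if p.get_content_maintype() == "image")
    chars = visible_text_len(msg)
    return (images > 0 and chars < MIN_TEXT_CHARS, images, chars)

def sample(html, image=None):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(html, subtype="html")
    if image is not None:
        m.add_related(image, maintype="image", subtype="gif", cid="<img1>")
    return m.as_bytes()

FAKE_GIF = b"GIF89a" + b"\x00" * 32  # placeholder bytes, not a valid image

IMAGE_ONLY = sample('<html><body><img src="cid:img1"></body></html>', FAKE_GIF)
NEWSLETTER = sample("<p>Quarterly results are attached for review by the "
                    "finance team before Friday.</p><img src='cid:img1'>", FAKE_GIF)
TEXT_ONLY = sample("<p>Lunch at noon?</p>")

if __name__ == "__main__":
    for name, raw in [("image-only", IMAGE_ONLY), ("newsletter", NEWSLETTER),
                      ("text-only", TEXT_ONLY)]:
        print(name, scan(raw))
```

A flag from this check is a reason to inspect the message further, not a verdict on its own, since legitimate mail can also consist of a single image.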

McAfee’s top IT security concerns for 2007

1. Password-stealing Web sites: Links and spam leading to fake sign-in pages for popular online services are increasing, endangering secure log-in information.
2. Video on the Internet: Streamed videos on the Internet can support embedded content, which can include malicious software.
3. Mobile phones: Cell phones will be hit by Bluetooth spam and text message phishing.
4. Spam and image spam: A tactic that now encompasses 40 percent of all spam, image spam bypasses e-mail filters by placing messages in embedded image files.
5. Adware: Adware is spyware that checks browsing history for the purpose of advertising. Many adware cookies can capture personal information and transmit it to third parties.
6. Botnets: Bots are computer programs that perform automated tasks, usually across a large network of computers.
7. Parasitic malware: Parasitic malware takes advantage of malicious software already present on a computer.
8. Rootkits: These software tools conceal running processes, effectively making the installation of dangerous programs undetectable.
9. Vulnerabilities: Disclosed vulnerabilities in software applications rose considerably in 2006 compared with 2005, and McAfee says even more will be found in 2007. Fuzzers, or tools that allow large-scale testing of programs, will give researchers the ability to find more vulnerabilities more quickly than before.
10. Identity theft: The theft of personal information that criminals then use to victimize people exacts a high toll.

Source: McAfee
