Tech & Work

Recent compromises highlight the need for strong security practices and policies

No major vulnerabilities have surfaced in the past week, so John McCormick's taking the opportunity to focus on a couple of recent data compromises. Find out how these incidents highlight the importance of creating strong security policies, and see what else has recently emerged in the security world.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

While no major new flaws emerged this week, recent data compromises emphasize the importance of creating strong security policies when it comes to outsourcing and acquisitions.

Details

As no major vulnerabilities have surfaced this week, I want to focus on recent incidents that affect policy, rather than breaking vulnerability news—although you can find some vulnerability information at the end of this article.

If you needed another reason to warn management against outsourcing, recent news coming from India about Citibank should provide plenty of ammunition. To bring you up to speed, a group of local workers at a Citibank-outsourced call center in the city of Pune talked customers out of their PIN numbers, resulting—unsurprisingly—in a number of fraudulent purchases to the tune of $425,000. Authorities have arrested 16 people so far. (For the Indian viewpoint on this, check out this story from The Indian Express Web site.)

Of course, the point isn't that Indian call-center workers will steal while U.S.-based workers won't—there are crooks everywhere. Rather, this incident only highlights the fact that outsourcing overseas is no safer than using local workers.

That's important to remember because the laws for protecting a company from fraud and for punishing criminals who engage in fraud can vary a great deal from country to country. In other words, something illegal in the United States might not be a crime at all in another country.

I'm not writing this column to focus on India in particular. In fact; Indian authorities have aggressively pursued this fraud and may have all the legal tools necessary to punish the wrongdoers. But this isn't an isolated issue either: The use of foreign workers is expanding, as third-world countries realize they can get a piece of this rich and growing outsourcing pie.

It's difficult enough to sue a local company for damages related to a security breach. How hard do you think it will be to get compensation from a company or individual in another country with a completely different legal system?

On the other hand, some managers may see the fast action by the Indian authorities and the speedy discovery of the fraud as a plus, considering some high-profile cases in the United States that may never have come to light if they hadn't involved some California residents, which fell under the state's powerful identity theft legislation.

If your company is doing business in India or is contemplating outsourcing critical tasks, you should take a quick look at Indian cyberlaws; check out this report on Naavi.org. As far as I can tell, it is not yet clear just what financial liability the Indian call-center company has in this case, but I'll bet the legal costs involved for Citibank will be bigger than the actual customer losses.

Meanwhile, in an unrelated story, it turns out that the recent LexisNexis security breach was about 10 times worse than the company initially reported. At first, the company downplayed the threat, which followed closely on the heels of the ChoicePoint debacle. LexisNexis initially reported that lax security procedures led to the compromise of a little more than 30,000 personal records. However, on April 12, the company admitted in a press release that the number of U.S. residents affected was closer to 310,000.

The most troubling part of this isn't that the security procedures were too weak—that's hardly big news considering most security procedures are too weak in most companies. No, the big news here is that the company either didn't realize the scope of the problem, or it knew but didn't notify the public for several weeks.

For those who don't know, the particular mistake LexisNexis made was failing to properly screen the existing customer base of an acquired data warehouse company, Florida-based Seisint. This oversight points to an important vulnerability that more than likely affects many companies. Organizations can't be complacent about back-checking the security procedures of any acquired database merely because their own security procedures are solid.

(Personal disclaimer: LexisNexis is a massive commercial information and legal database. I used to work for the parent company, Reed Elsevier LLC, but no longer do, and I have never had any connection with LexisNexis itself.)

Final word

Keep in mind that I'm not picking on India's outsourcing call centers in particular. I'm merely emphasizing that the legal and financial aspects of outsourcing can be more complex than merely asking if it will save money.

Any company that's integrating either data or customer lists because of a database purchase or corporate acquisition needs to take the LexisNexis report to heart. You simply can't know how good or how bad the security was at the company that originated the authorized customer list.


Also watch for …

  • I want to begin with a brief reminder to government and government contractor Webmasters who read this column. A major hacker arrest took place earlier this month in Miami when the FBI picked up visiting Venezuelan national Rafael Nunez-Aponte ("RaFa"). RaFa has embarrassed the U.S. Air Force and has a lot of friends in the hacker community, leading to the possibility that a surge in coordinated attacks on government sites as well as those closely tied to the government through consulting and other contracts could occur.
  • One of the top computer schools in the world and the home of CERT, Carnegie Mellon University in Pittsburgh, has reported a compromise of school databases that store personal data. Included were records for 1,600 current graduate students, graduate-degree alumni from 1997 to 2004, applicants to the master's degree program from September 2002 through May 2004, applicants to the doctorate program since 2003, and the Tepper School of Business administrative staff.
  • On April 15, Microsoft quietly released a fix for a well-known vulnerability in Windows Media Player by posting an update to Knowledge Base article 892313. The threat, which applied to versions 9 and 10, could let hackers penetrate a system via the digital rights management feature.
  • The software giant has also updated Security Bulletin MS05-002 to version 2.0, reflecting problems with the update provided for Windows 98, Windows SE, and Windows ME. Check out the newest version of the bulletin to see if this affects you.
  • In addition, Microsoft has updated Security Bulletin MS05-009 to version 2.0. The update for Windows Messenger 4.7.0.2009 (Windows XP SP 1 only) fails to install when using SMS or AutoUpdate.
  • Microsoft has modified Security Bulletin MS05-010 with a minor revision (1.2) to include new information about mitigating factors.
  • Microsoft security bulletins MS05-017, MS05-021, and MS05-023 have also received minor revisions.
  • IBM has released patches for multiple new vulnerabilities in Lotus Notes and Domino, the worst of which was a buffer overrun that could result in a denial-of-service event—or, at least that's IBM's spin. Next Generation Security Software (NGSS), which discovered the threat and reported it to IBM, said the threat could allow execution of arbitrary code, which is, of course, far more serious. For the sake of security, NGSS is withholding details on the six vulnerabilities for several months, but Secunia already rates them as highly critical.
  • Hacker malware blogs are apparently proliferating because they are completely unchecked, free, and anonymous. According to several reports, such as this one from Vulnet.com, cybercriminals are turning to blogs to store malicious code of nearly any size for access by any Trojans the hackers are able to plant.
  • According to News.com, more serious Mozilla Firefox vulnerabilities have surfaced, and Secunia rates them as highly critical. The nine vulnerabilities addressed in the latest release (Firefox 1.0.3) include cross-site scripting and security bypass vulnerabilities, along with one permitting complete system compromise. I believe these are actually new problems, but it's difficult to be certain considering all the recent flaws popping up in Firefox.
  • Commander of the U.S. Strategic Command (STRATCOM), General James Cartwright, recently announced an elite hacker unit under his command to Congress. Named The Joint Functional Component Command For Network Warfare, the group will be responsible for protecting the Pentagon's systems, but it also seems to be building a hacker capability for use against foreign military or government targets.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox