
While no major new flaws emerged this week, recent data
compromises emphasize the importance of creating strong security policies when
it comes to outsourcing and acquisitions.


As no major vulnerabilities have surfaced this week, I want
to focus on recent incidents that affect policy, rather than breaking
vulnerability news—although you can find some vulnerability information at the
end of this article.

If you needed another reason to warn management against
outsourcing, recent news coming from India about Citibank should provide plenty
of ammunition. To bring you up to speed, a group of local
workers at a Citibank-outsourced call center in the city of Pune talked
customers out of their PINs, resulting—unsurprisingly—in a number of
fraudulent purchases to the tune of $425,000. Authorities have arrested 16
people so far. (For the Indian viewpoint on this, check out this story from The Indian
Express Web site.)

Of course, the point isn’t that Indian call-center workers
will steal while U.S.-based workers won’t—there are crooks everywhere. Rather,
this incident only highlights the fact that outsourcing overseas is no safer
than using local workers.

That’s important to remember because the laws for protecting
a company from fraud and for punishing criminals who engage in fraud can vary a
great deal from country to country. In other words, something illegal in the
United States might not be a crime at all in another country.

I’m not writing this column to focus on India in particular.
In fact, Indian authorities have aggressively pursued this fraud and may have
all the legal tools necessary to punish the wrongdoers. But this isn’t an
isolated issue either: The use of foreign workers is expanding, as third-world
countries realize they can get a piece of this rich and growing outsourcing
It’s difficult enough to sue a local company for damages
related to a security breach. How hard do you think it will be to get
compensation from a company or individual in another country with a completely
different legal system?

On the other hand, some managers may see the fast action by
the Indian authorities and the speedy discovery of the fraud as a plus,
considering some high-profile cases in the United States that may never have
come to light if they hadn’t involved some California residents, which fell
under the state’s powerful identity theft legislation.

If your company is doing business in India or is contemplating
outsourcing critical tasks, you should take a quick look at Indian cyberlaws; check
out this report on Naavi.org.
As far as I can tell, it is not yet clear just what financial liability the
Indian call-center company has in this case, but I’ll bet the legal costs
involved for Citibank will be bigger than the actual customer losses.

Meanwhile, in an unrelated story, it turns out that the
recent LexisNexis security breach was about 10 times larger
than the company initially reported. At first, the company downplayed
the threat, which followed closely on the heels of the ChoicePoint
breach. LexisNexis initially reported that lax security procedures led to
the compromise of a little more than 30,000 personal records. However, on April
12, the company admitted in a press release that the number of U.S. residents
affected was closer to 310,000.

The most troubling part of this isn’t that the security
procedures were too weak—that’s hardly big news considering most security
procedures are too weak in most companies. No, the big news here is that the
company either didn’t realize the scope of the problem, or it knew but didn’t
notify the public for several weeks.

For those who don’t know, the particular mistake LexisNexis
made was failing to properly screen the existing customer base of an acquired
data warehouse company, Florida-based Seisint. This oversight points to an
important vulnerability that more than likely affects many companies. Organizations
can’t be complacent about back-checking the security procedures of any acquired
database merely because their own security procedures are solid.

(Personal disclaimer: LexisNexis is a massive commercial
information and legal database. I used to work for the parent company, Reed
Elsevier LLC, but no longer do, and I have never had any connection with
LexisNexis itself.)

Final word

Keep in mind that I’m not picking on India’s outsourcing
call centers in particular. I’m merely emphasizing that the legal and financial
aspects of outsourcing can be more complex than merely asking if it will save

Any company that’s integrating either data or customer lists
because of a database purchase or corporate acquisition needs to take the
LexisNexis report to heart. You simply can’t know how good or how bad the
security was at the company that originated the authorized customer list.

Also watch for …

  • I want
    to begin with a brief reminder to government and government contractor
    Webmasters who read this column. A major
    hacker arrest
    took place earlier this month in Miami when the FBI
    picked up visiting Venezuelan national Rafael Nunez-Aponte (“RaFa”).
    RaFa has embarrassed the U.S. Air Force and has a lot of friends in the
    hacker community, leading to the possibility that a surge in coordinated
    attacks on government sites as well as those closely tied to the
    government through consulting and other contracts could occur.
  • One of
    the top computer schools in the world and the home of CERT, Carnegie
    Mellon University in Pittsburgh, has reported a compromise of school databases
    that store personal data. Included were records for 1,600 current graduate
    students, graduate-degree alumni from 1997 to 2004, applicants to the
    master’s degree program from September 2002 through May 2004, applicants
    to the doctorate program since 2003, and the Tepper School of Business
    administrative staff.
  • On
    April 15, Microsoft quietly released a fix for a well-known vulnerability
    in Windows Media Player by posting an update to Knowledge Base article 892313.
    The threat, which applied to versions 9 and 10, could let hackers
    penetrate a system via the digital rights management feature.
  • The
    software giant has also updated Security
    Bulletin MS05-002
    to version 2.0, reflecting problems with the update
    provided for Windows 98, Windows SE, and Windows ME. Check out the newest
    version of the bulletin to see if this affects you.
  • In
    addition, Microsoft has updated Security
    Bulletin MS05-009
    to version 2.0. The update for Windows Messenger (Windows XP SP 1 only)
    fails to install when using SMS or AutoUpdate.
  • Microsoft
    has modified Security
    Bulletin MS05-010
    with a minor revision (1.2) to include new
    information about mitigating factors.
  • Microsoft
    security bulletins MS05-017,
    and MS05-023
    have also received minor revisions.
  • IBM
    has released patches for multiple new vulnerabilities in Lotus Notes and
    Domino, the worst of which was a buffer overrun that could result in a
    denial-of-service event—or, at least that’s IBM’s spin. Next Generation
    Security Software (NGSS), which discovered the threat and reported it to
    IBM, said the threat could allow execution of arbitrary code, which is, of
    course, far more serious. For the sake of security, NGSS is withholding
    details on the six vulnerabilities for several months, but Secunia already rates them as
    highly critical.
  • Hacker
    malware blogs are apparently proliferating because they are completely
    unchecked, free, and anonymous. According to several reports, such as this
    one from Vulnet.com,
    cybercriminals are turning to blogs to store malicious code of nearly any
    size for access by any Trojans the hackers are able to plant.
  • According to
    , more serious Mozilla Firefox vulnerabilities have surfaced,
    and Secunia rates them as highly critical. The nine vulnerabilities addressed in the latest
    release (Firefox ) include cross-site scripting and security bypass
    vulnerabilities, along with one permitting complete system compromise. I
    believe these are actually new problems, but it’s difficult to be certain
    considering all the recent flaws popping up in Firefox.
  • Commander
    of the U.S. Strategic Command (STRATCOM), General James Cartwright, recently
    announced an
    elite hacker unit under his command
    to Congress. Named The Joint
    Functional Component Command For Network Warfare, the group will be
    responsible for protecting the Pentagon’s systems, but it also seems to be
    building a hacker capability for use against foreign military or
    government targets.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.