Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!
While no major new flaws emerged this week, recent data
compromises emphasize the importance of creating strong security policies when
it comes to outsourcing and acquisitions.
As no major vulnerabilities have surfaced this week, I want
to focus on recent incidents that affect policy, rather than breaking
vulnerability news—although you can find some vulnerability information at the
end of this article.
If you needed another reason to warn management against
outsourcing, recent news coming from India about Citibank should provide plenty
of ammunition. To bring you up to speed, a group of local
workers at a Citibank-outsourced call center in the city of Pune talked
customers out of their PIN numbers, resulting—unsurprisingly—in a number of
fraudulent purchases to the tune of $425,000. Authorities have arrested 16
people so far. (For the Indian viewpoint on this, check out this story from The Indian
Express Web site.)
Of course, the point isn’t that Indian call-center workers
will steal while U.S.-based workers won’t—there are crooks everywhere. Rather,
this incident only highlights the fact that outsourcing overseas is no safer
than using local workers.
That’s important to remember because the laws for protecting
a company from fraud and for punishing criminals who engage in fraud can vary a
great deal from country to country. In other words, something illegal in the
United States might not be a crime at all in another country.
I’m not writing this column to focus on India in particular.
In fact; Indian authorities have aggressively pursued this fraud and may have
all the legal tools necessary to punish the wrongdoers. But this isn’t an
isolated issue either: The use of foreign workers is expanding, as third-world
countries realize they can get a piece of this rich and growing outsourcing
It’s difficult enough to sue a local company for damages
related to a security breach. How hard do you think it will be to get
compensation from a company or individual in another country with a completely
different legal system?
On the other hand, some managers may see the fast action by
the Indian authorities and the speedy discovery of the fraud as a plus,
considering some high-profile cases in the United States that may never have
come to light if they hadn’t involved some California residents, which fell
under the state’s powerful identity theft legislation.
If your company is doing business in India or is contemplating
outsourcing critical tasks, you should take a quick look at Indian cyberlaws; check
out this report on Naavi.org.
As far as I can tell, it is not yet clear just what financial liability the
Indian call-center company has in this case, but I’ll bet the legal costs
involved for Citibank will be bigger than the actual customer losses.
Meanwhile, in an unrelated story, it turns out that the
recent LexisNexis security breach was about 10 times
worse than the company initially reported. At first, the company downplayed
the threat, which followed closely on the heels of the ChoicePoint
debacle. LexisNexis initially reported that lax security procedures led to
the compromise of a little more than 30,000 personal records. However, on April
12, the company admitted in a press release that the number of U.S. residents
affected was closer to 310,000.
The most troubling part of this isn’t that the security
procedures were too weak—that’s hardly big news considering most security
procedures are too weak in most companies. No, the big news here is that the
company either didn’t realize the scope of the problem, or it knew but didn’t
notify the public for several weeks.
For those who don’t know, the particular mistake LexisNexis
made was failing to properly screen the existing customer base of an acquired
data warehouse company, Florida-based Seisint. This oversight points to an
important vulnerability that more than likely affects many companies. Organizations
can’t be complacent about back-checking the security procedures of any acquired
database merely because their own security procedures are solid.
(Personal disclaimer: LexisNexis is a massive commercial
information and legal database. I used to work for the parent company, Reed
Elsevier LLC, but no longer do, and I have never had any connection with
Keep in mind that I’m not picking on India’s outsourcing
call centers in particular. I’m merely emphasizing that the legal and financial
aspects of outsourcing can be more complex than merely asking if it will save
Any company that’s integrating either data or customer lists
because of a database purchase or corporate acquisition needs to take the
LexisNexis report to heart. You simply can’t know how good or how bad the
security was at the company that originated the authorized customer list.
Also watch for …
- I want
to begin with a brief reminder to government and government contractor
Webmasters who read this column. A major
hacker arrest took place earlier this month in Miami when the FBI
picked up visiting Venezuelan national Rafael Nunez-Aponte (“RaFa”).
RaFa has embarrassed the U.S. Air Force and has a lot of friends in the
hacker community, leading to the possibility that a surge in coordinated
attacks on government sites as well as those closely tied to the
government through consulting and other contracts could occur.
- One of
the top computer schools in the world and the home of CERT, Carnegie
Mellon University in Pittsburgh, has reported a compromise of school databases
that store personal data. Included were records for 1,600 current graduate
students, graduate-degree alumni from 1997 to 2004, applicants to the
master’s degree program from September 2002 through May 2004, applicants
to the doctorate program since 2003, and the Tepper School of Business
April 15, Microsoft quietly released a fix for a well-known vulnerability
in Windows Media Player by posting an update to Knowledge Base article 892313.
The threat, which applied to versions 9 and 10, could let hackers
penetrate a system via the digital rights management feature.
software giant has also updated Security
Bulletin MS05-002 to version 2.0, reflecting problems with the update
provided for Windows 98, Windows SE, and Windows ME. Check out the newest
version of the bulletin to see if this affects you.
addition, Microsoft has updated Security
Bulletin MS05-009 to version 2.0. The update for Windows Messenger
188.8.131.529 (Windows XP SP 1 only)
fails to install when using SMS or AutoUpdate.
has modified Security
Bulletin MS05-010 with a minor revision (1.2) to include new
information about mitigating factors.
security bulletins MS05-017,
have also received minor revisions.
has released patches for multiple new vulnerabilities in Lotus Notes and
Domino, the worst of which was a buffer overrun that could result in a
denial-of-service event—or, at least that’s IBM’s spin. Next Generation
Security Software (NGSS), which discovered the threat and reported it to
IBM, said the threat could allow execution of arbitrary code, which is, of
course, far more serious. For the sake of security, NGSS is withholding
details on the six vulnerabilities for several months, but Secunia already rates them as
malware blogs are apparently proliferating because they are completely
unchecked, free, and anonymous. According to several reports, such as this
one from Vulnet.com,
cybercriminals are turning to blogs to store malicious code of nearly any
size for access by any Trojans the hackers are able to plant.
- According to
News.com, more serious Mozilla Firefox vulnerabilities have surfaced,
and Secunia rates them as
highly critical. The nine vulnerabilities addressed in the latest
1.0.3) include cross-site scripting and security bypass
vulnerabilities, along with one permitting complete system compromise. I
believe these are actually new problems, but it’s difficult to be certain
considering all the recent flaws popping up in Firefox.
of the U.S. Strategic Command (STRATCOM), General James Cartwright, recently
elite hacker unit under his command to Congress. Named The Joint
Functional Component Command For Network Warfare, the group will be
responsible for protecting the Pentagon’s systems, but it also seems to be
building a hacker capability for use against foreign military or
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.